Policies and Procedures

USE OF PERSONAL MOBILE DEVICES POLICY

Date Approved by Information Strategy Group:
Version:
Issue Date: /08/
Review Date: /08/2016
Executive Lead: Executive Director Finance
Information Asset Owner: Chief Information Security & Governance Officer
Author: Chief Information Security & Governance Officer
Procedure/Policy number: IM0037_v1
Procedure/Policy type: Information Security & Governance
Date of Equality & Diversity Impact Assessment: Low

Policy Title: Use Of Personal Mobile Devices Policy Page 1 of 13
I. Document Information and Amendment Record

Document Number: IM0037.V1
Document Title: Use Of Personal Mobile Devices Policy
Executive Lead: Executive Director of Finance

Amendment Record
Amendment No | Date | Amendment Details | Responsibility
Table of Contents

I. Document Information and Amendment Record
1 Introduction
2 Equality, Diversity and Human Rights Statement
3 Purpose
4 Aim
5 Scope
6 Policy Statement
7 Relevant Policies and Guidance
8 Definitions
9 Responsibilities
10 Acceptable Use
11 Unacceptable Use
12 Access to Trust Data
13 User Acceptance
14 Device Authorisation
15 Permitted Devices
16 Device Security
17 Losses and Breaches of Confidentiality / Security
18 Device Monitoring and Auditing
19 Policy Review, Audit & Monitoring
20 Appendices
1 Introduction

1.1 South Tyneside NHS Foundation Trust, hereinafter referred to as the Trust, is highly reliant on information that is captured, stored, processed and delivered by computers and their associated communication facilities.

1.2 This policy addresses the security and confidentiality of Trust data that will be accessed using mobile devices that are the property of staff members.

1.3 Such information plays a vital role in supporting business processes and customer services, in contributing to operational and strategic business decisions and in conforming to legal and statutory requirements.

1.4 Accordingly, the information and the enabling technologies are important assets that will be protected to a level commensurate with their value to the organisation. Special care will be taken to ensure that Person Identifiable and business/corporate confidential information is not compromised.

1.5 Nothing in this policy affects the Trust's ownership of corporate information, including all work-related intellectual property created in the course of business using a personally owned device.

1.6 The Trust will continue to provide organisation-owned and managed devices as necessary for work purposes. There is no compulsion for anyone to use a personally owned device for work purposes.

1.7 Throughout this document, sentences that contain the verb MUST indicate that the requirement is mandatory. Sentences that contain the verb SHOULD indicate that the requirement may be adapted for local need.

2 Equality, Diversity and Human Rights Statement

2.1 The Trust is committed to promoting human rights and providing equality of opportunity, not only in our employment practices but also in the way we provide services. The Trust also values and respects the diversity of our employees and the communities we serve.

In applying this policy, the Trust will have due regard for the need to:
- Promote human rights
- Eliminate unlawful discrimination
- Promote equality of opportunity
- Provide for good relations between people of diverse groups
- Consider providing more favourable treatment for people with disabilities

This policy aims to be accessible to everyone regardless of age, disability (physical, mental health or learning disability), gender (including transgender), race, sexual orientation, religion or belief, or any other factor which may result in unfair treatment or inequalities in health or employment.
3 Purpose

3.1 The purpose of this policy document is to ensure that all staff are aware of their individual responsibilities in relation to the security and confidentiality of Trust data that may be accessed using devices that they own.

3.2 To establish the rules for the use of personally owned mobile devices to access Trust networks, systems and data.

4 Aim

4.1 To ensure that the Trust meets its legal and NHS obligations in relation to the protection of person identifiable information and Trust confidential information.

5 Scope

5.1 This policy applies to the use of devices that are owned by staff and used to access Trust systems and data.

5.2 This policy applies to all parties authorised by the Trust together with their staff (including temporary workers, locums and staff seconded or contracted from other organisations who may use personal devices to access Trust systems and data).

5.3 Any breach of, or refusal to comply with, this policy is a disciplinary offence which may lead to disciplinary action in accordance with the Trust Disciplinary Policy, or other appropriate action.

6 Policy Statement

6.1 It is the policy of the Trust to ensure that Trust information:
- Is protected against unauthorised access.
- Confidentiality of information is maintained and assured.
- Integrity of information is maintained.
- Regulatory requirements and legislation are complied with.
- Information technology systems are used in a manner that prevents the release of information (by accident or by deliberate/criminal act), ensures their safe use and avoids damage to the specific system or to any other system to which it is connected.
- Information that can be used to identify a person, including confidential information about that person, business information and confidential business information, is restricted to authorised users only, and such information remains legally admissible.

All breaches of information security, actual or suspected, will be reported to and investigated by appropriately trained individuals within the Trust, and notified to the Trust Chief Information Security & Governance Officer.
6.2 The lawful and correct treatment of personal information is very important to the successful delivery of health care services and to maintaining confidence in the organisation as a whole. To this end all staff will adhere to the principles of the Data Protection Act 1998, the Caldicott Recommendations, NHS guidelines, the Human Rights Act and all other relevant legislation, this policy document and any relevant professional codes of practice.

6.3 The Data Protection Act Principles state that personal information:
- MUST be processed and used fairly and lawfully.
- MUST not be further used in any manner incompatible with the purpose for which it has been obtained.
- MUST be adequate, relevant and not excessive in relation to the purpose or purposes for which it is used.
- MUST be accurate.
- MUST not be kept for longer than is necessary.
- MUST be used in accordance with the rights of the individual.
- MUST be protected against unauthorised disclosure and destruction.
- MUST not be transferred to a country or territory outside the European Economic Area with inadequate levels of protection for the rights and freedoms of the person in relation to their information.

6.4 The Caldicott 2 report outlines seven principles that should be applied to the handling of patient identifiable information:
- Principle 1: Justify the purpose(s) for using confidential information.
- Principle 2: Only use it when absolutely necessary.
- Principle 3: Use the minimum that is required.
- Principle 4: Access should be on a strict need-to-know basis.
- Principle 5: Everyone will understand his or her responsibilities.
- Principle 6: Understand and comply with the law.
- Principle 7: The duty to share information can be as important as the duty to protect patient confidentiality.

In addition, it recommends that the NHS number should be substituted for patient identifiable data wherever possible and that, where patient data is transferred, it should be reduced to the minimum required for the purpose.
6.5 NHS Guidelines
- Information Security Management: NHS Code of Practice (gateway ref 7974)
- Records Management Parts 1 & 2: NHS Code of Practice (gateway ref / /2)
- Confidentiality: NHS Code of Practice (gateway ref 1656)

In addition, care will be taken, particularly with confidential clinical information, to ensure that the means of transferring it from one location to another are as secure as they can be. Safe Havens will be used wherever possible.

7 Relevant Policies and Guidance

7.1 Individuals who use personal devices to access Trust systems and data MUST comply with current legislation and NHS policies regarding the use and retention of Person Identifiable Information.

7.2 Policies and guidance that are relevant to this policy include, but are not limited to:
- Data Protection Policy (IM0030)
- Records Management Policies (IM0006, IM0007, IM0021)
- Internet Acceptable Use Policy (IM0029)
- Acceptable Use Policy (IM0009)
- Social Media Acceptable Use Policy (IM0033)
- NHS Records Management Code of Practice
- NHS Confidentiality Code of Practice
- NHS Information Security Code of Practice
- NHS Information Governance Toolkit

8 Definitions

8.1 Throughout this policy the term 'personal device' is defined as an electronic mobile device that is not owned or issued by South Tyneside NHS Foundation Trust.

8.2 Throughout this policy the term 'device' is used to cover the following mobile devices:
- Tablet computers (such as iPads and Android devices)
- Smart phones (such as iPhones, Windows Mobile or Android phones)

8.3 Throughout this policy the term Mobile Device Management (MDM) is used to cover the software applications that the Trust has in place to manage the connection of mobile devices to its networks and their access to Trust systems and data.
8.4 Throughout this policy the terms Person Identifiable Information or Person Identifiable Data are defined as data from which a living individual may be identified.

9 Responsibilities

9.1 This document comprises the Use of Personal Mobile Devices Policy, as supplied by South Tyneside NHS Foundation Trust.

9.2 Overall responsibility for the enforcement of this policy lies with the Chief Executive, or any individual identified by them as having responsibility in this area. Enforcement of the policy has been delegated to the Chief Information Security & Governance Officer.

9.3 It is the responsibility of the delegated individual to implement the policy within the Trust.

9.4 It is the responsibility of Heads of Service and departmental Managers to ensure that the policy is implemented within their areas.

9.5 Authorised employees of the Trust are responsible for the implementation of this policy in relation to the use of devices owned by them and used to access Trust networks or systems.

9.6 All staff are responsible for demonstrating that they have completed, and passed, annual Information Governance training.

9.7 Managers are responsible for ensuring that staff have undertaken the required information governance training and have also received appropriate training in accessing Trust systems and data using personal devices.

9.8 The Trust Information Services department is responsible for managing the security of corporate data and for configuring and securing authorised personal devices using the Mobile Device Management software.
10 Acceptable Use

10.1 The following is a list of acceptable 'business only' uses for personal mobile devices:
- Access to business e-mail
- Access to business calendars
- Transport, viewing and editing of meeting papers
- Access to the Trust Intranet

11 Unacceptable Use

11.1 The following is a list of unacceptable uses of personal mobile devices; it is not comprehensive:
- Use of the device for business purposes outside of those identified at 10.1 above is prohibited.
- Storing Trust data on the device's internal or removable storage.
- Storage of contact details for patients within the native personal address book of the device.
- Use of the device's camera or other recording functionality for business purposes or to capture business information.

12 Access to Trust Data

12.1 Trust data, information and systems may only be accessed, stored, created or communicated on personally owned devices through use of the Trust's chosen Mobile Device Management or Collaboration solutions. This may be downloaded to any application-enabled device identified within Appendix C; however, access to Trust information will only be enabled following appropriate line manager authorisation and approval. Once the user has been appropriately authorised they will be issued with a unique PIN and instructions on how to enable the application to connect to the Trust systems. Users must comply with all relevant Trust policies when accessing Trust data and systems using a personally owned device.

13 User Acceptance

13.1 Staff wishing to use personally owned devices to connect to Trust networks and systems MUST agree to the following:
- The device MUST be registered in the Trust's mobile device management (MDM) software. This will be completed automatically once the user's device connects to the Trust systems.
- Where requested, the user MUST allow IT staff to audit their mobile device to ensure compliance with policy. This may entail accessing personal data.
- The user MUST allow the Trust to remotely wipe Trust data from the device should it be lost. This will not impact on a user's personal information stored on the device.
- The user MUST accept full liability for any data breach should they fail to comply with the terms of this policy.
- The Trust will not reimburse any costs associated with or incurred by the user through the use of the device for business purposes.
- The Trust will not be held liable for any loss of personal data the user may incur, either through the installation of the application on their device or as a result of actions taken by the Trust to ensure the security of Trust data, such as wiping, should the user's device be lost.
- Staff MUST sign the acceptance agreement at Appendix A (Part 1).
14 Device Authorisation

14.1 Staff wishing to use their own devices for business purposes MUST complete the Use of Personal Mobile Device Request form at Appendix A.

14.2 The use of personal devices MUST be specifically authorised by the user's Line Manager / Head of Service / Trust Director at Appendix A (Part 2).

14.3 Connection of any personally owned device to Trust networks and systems must also be authorised by the Head of Information Systems / IT Manager, or an individual delegated by them to provide such authorisation.

15 Permitted Devices

15.1 Only devices that have been specifically authorised by IT will be allowed to connect to Trust systems.

The mobile device MUST have an operating system of iOS 6 or above, Android 4.3 or above, or Windows Phone 8 or above. No other devices will be permitted to connect to Trust systems or access Trust data.

Devices that have had their operating systems modified (i.e. jailbroken or rooted) MUST NOT be connected to Trust networks. The Trust Device Management software will prevent the connection of such devices.

Where it is identified that a user has connected, or attempted to connect, a device that has had its operating system modified, their access will be terminated and Trust information will be wiped from the device. The user will also be barred from future use of personally owned devices for business purposes.

16 Device Security

16.1 The mobile device MUST be protected with a PIN that is known only to the user of that device. The Trust MDM software will force the use of a passcode if one is not present.

The mobile device MUST NOT be used or accessed by any other individual when connected to Trust systems.

Anti-virus software MUST be properly installed and running on the device.

17 Losses and Breaches of Confidentiality / Security

17.1 The following incidents MUST be reported to the IT department immediately by the owner of the device:
- The device is lost.
- The device is stolen.
- The device is taken without the owner's permission.
- The device becomes infected with a virus or other malware.
- The PIN or any password security for the device is compromised.
- The device owner has any reason to believe that the confidentiality of data held on the device has been compromised in any way.

17.2 Should the staff member lose their device or have it stolen, its loss MUST be reported to the IT Helpdesk immediately and the incident recorded within the Trust Datix reporting system.

Losses that occur outside of normal business hours MUST be reported to the On Call IT Support Technician and an incident recorded within the Trust Datix reporting system as soon as possible.

Any device reported as lost will, where possible, be immediately wiped of Trust data by the IT department.

Any actual or potential breach of confidentiality or of the security of the device MUST be reported to the Trust Information Governance Team.

Where a user specifically requests it, IT will, where possible, wipe the device of all data. This will be completed at the user's risk and with no residual liability on the Trust.

18 Device Monitoring and Auditing

18.1 The Trust MDM software will hold details of all devices permitted to access the Trust networks and systems.

The MDM software will hold a record of all applications that are stored on such devices.

Should an application that is deemed to be a threat to the Trust networks or systems be installed on a device, the device will be blocked from accessing the network by the system.

Staff personal devices will not be routinely monitored or audited by members of the IT or IG Teams; however, where requested, staff MUST permit IT / IG staff to examine the device.

Where a staff member refuses to allow reasonable access to their device, the device will be wiped (to ensure no Trust data remains on the device) and it will be de-authorised.

19 Policy Review, Audit & Monitoring

19.1 The policy will be reviewed twenty-four (24) months from its date of final approval and dissemination within the Trust. The policy will be audited at the time of review to determine effectiveness.
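The device conditions in sections 15, 16 and 18 (minimum operating system version, no jailbroken or rooted devices, passcode and anti-virus present, a block on devices carrying an application deemed a threat) are the kind of rules an MDM product evaluates before admitting a device to the network. The Python below is an added example written for this page; it is not the Trust's MDM configuration or any vendor's code. It encodes those rules as a compliance check over constructed device records and shows one detail the policy text does not: operating system versions must be compared numerically, since a plain string comparison would rank Android "4.10" below the "4.3" minimum. The minimum versions come from section 15.1; the `Device`, `Decision` and `evaluate` names, the threat application identifiers and the sample device records are assumptions made for the example.

```python
"""Added example: check BYOD device records against the rules in sections
15, 16 and 18 of the policy. Not the Trust's MDM; all data is constructed."""
from dataclasses import dataclass, field

# Minimum operating system versions from section 15.1 of the policy.
MIN_OS_VERSION = {
    "ios": (6,),
    "android": (4, 3),
    "windows phone": (8,),
}

# Assumed threat list for section 18.1. A real deployment would take this
# from the MDM product; these identifiers are invented for the example.
THREAT_APPS = {"example.unsafe.tether", "example.rootkit.helper"}


def parse_version(text):
    """'4.3.1' -> (4, 3, 1). Integer tuples compare numerically, so '4.10'
    ranks above '4.3' (a plain string comparison gets that wrong). Parsing
    stops at the first component that does not start with digits, so
    '8.1-beta' -> (8, 1)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_at_least(actual, minimum):
    """True when the reported version meets the policy minimum."""
    a = parse_version(actual)
    width = max(len(a), len(minimum))
    # Pad with zeros so (4, 3) and (4, 3, 0) compare as equal.
    a = a + (0,) * (width - len(a))
    m = minimum + (0,) * (width - len(minimum))
    return a >= m


@dataclass
class Device:
    owner: str
    platform: str            # e.g. "iOS", "Android", "Windows Phone"
    os_version: str
    modified_os: bool        # jailbroken or rooted (section 15)
    passcode_set: bool       # section 16.1
    antivirus_running: bool  # section 16
    installed_apps: set = field(default_factory=set)  # section 18.1


@dataclass
class Decision:
    allowed: bool
    reasons: list
    wipe_trust_data: bool    # section 15: wipe when the OS is modified
    bar_user: bool           # section 15: barred from future BYOD use


def evaluate(device):
    """Apply the policy rules to one device record and explain the outcome."""
    reasons = []
    wipe = bar = False
    platform = device.platform.lower()

    if device.modified_os:
        reasons.append("operating system modified (jailbroken/rooted)")
        wipe = bar = True

    minimum = MIN_OS_VERSION.get(platform)
    if minimum is None:
        reasons.append(f"platform '{device.platform}' not permitted")
    elif not version_at_least(device.os_version, minimum):
        wanted = ".".join(str(n) for n in minimum)
        reasons.append(f"{device.platform} {device.os_version} below minimum {wanted}")

    if not device.passcode_set:
        reasons.append("no device passcode set")
    if not device.antivirus_running:
        reasons.append("anti-virus not installed or not running")

    threats = sorted(device.installed_apps & THREAT_APPS)
    if threats:
        reasons.append("threat application(s) installed: " + ", ".join(threats))

    return Decision(allowed=not reasons, reasons=reasons,
                    wipe_trust_data=wipe, bar_user=bar)


def audit(devices):
    """Evaluate every record; returns {owner: Decision}."""
    return {d.owner: evaluate(d) for d in devices}


# Constructed sample records (not real staff or devices).
SAMPLE_DEVICES = [
    Device("user1", "Android", "4.10", False, True, True, {"example.safe.mail"}),
    Device("user2", "Android", "4.2.9", False, True, True),
    Device("user3", "iOS", "9.0", True, True, True),
    Device("user4", "Windows Phone", "8.1", False, True, True, {"example.unsafe.tether"}),
]

if __name__ == "__main__":
    for owner, decision in audit(SAMPLE_DEVICES).items():
        state = "ALLOW" if decision.allowed else "BLOCK"
        print(owner, state, "; ".join(decision.reasons))
```

Running the module prints one line per sample record. The Android "4.10" device is admitted while "4.2.9" is refused, which is the case a naive string comparison would invert; the jailbroken iOS record is refused with both `wipe_trust_data` and `bar_user` set, matching the consequences section 15 describes.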
20 Appendices

A. Use of Personal Mobile Device Request Form
B. Policy Signature Sheet
Appendix A. South Tyneside NHS Foundation Trust
Authorisation to Use a Personal Device for Trust Business

Part 1 (All items to be completed by the person who will be using the device)

Job Title:
Location / Base:
Telephone No / Extension:
Network Login (Username):
Surname:
Forename:
Trust address:

I agree that I have read and understood the Trust policy for using personal mobile devices for business purposes and agree to abide by the terms of the policy.

I understand that I will be held liable for any breach of confidentiality caused by my failure to follow the terms of the Use Of Personal Mobile Devices Policy.

I understand that failure to comply with the requirements of the policy will result in my authorisation to use my device for business purposes being revoked, and that if authorisation is revoked the device will be remotely wiped by the IT department.

Signed:                    Date:

Part 2 (All items to be completed by Head of Service / Executive Director)

Job Title:
Location / Base:
Telephone No / Extension:
Network Login (Username):
Surname:
Forename:
Trust address:

I approve the use of a personally owned device by the individual who has been named in Part 1 of this document.

I confirm that the use of a device not owned or issued by the Trust is necessary for business purposes.

Signed:                    Date:
Appendix B. Use Of Personal Mobile Devices Policy

This sheet should be used to record the names of staff members who have read and understood the above policy document.

Name (please print) | Job Title | Date | Signature