Clinical Quality and Safety Committee. 3 Years or dependent on change in legislation

Transcription

1 Title: Procedural Document Type: Reference: CQC Outcome: Policy & Procedure Policy & Procedure IT-P20 Version: V 1.1 Approved by: Ratified by: Outcome 6E Professional Practice Forum Date ratified: 22 January 2015 Freedom of Information: Name of originator/author: Name of responsible team: Review Frequency: Clinical Quality and Safety Committee This document can be released IT Security/IG Manager Information Governance Review date: 22 nd January 2018 Target audience: 3 Years or dependent on change in legislation All staff, volunteers and contactors working on behalf of PCH 1. Summary The purpose of this policy & procedure is to aid the effective and appropriate use of to reduce the risk of adverse events by: Setting out the rules governing the sending, receiving, and storing of , including patient identifiable and commercially sensitive data. Establishing PCH and user rights and responsibilities for the use of the system. Promoting awareness of and adherence to current legal requirements and NHS information governance standards. Defining actions to be taken in the event of an incident. 2. Related Organisation Policies Records Management Policy & Procedure Incident Management Policy Acceptable Use Policy Disciplinary Policy IT Security Policy Mobile IT Security Policy Policy Page 1 of 26

2 Confidentiality Code of Conduct for Employees Anti Fraud and Bribery Policy Whistleblowing Policy 3. Related legislation and national guidance The Data Protection Act 1998 The Human Rights Act 1998 Common law duty of confidentiality The Computer Misuse Act 1990 Caldicott Principles NHS Care Record Guarantee Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 ( Lawful Business Regulations ) Bribery Act Training Requirements It is not anticipated that training will be required, however practical support and assistance can be obtained through Cornwall IT Services (CITS) service on Tel: Equality Impact Assessment The organisation aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. The Equality Impact Assessment Tool is designed to help you consider the needs and assess the impact of your policy. 6. This document replaces: Version 1 7. Process for monitoring compliance and effectiveness This will be done by ensuring that the system and its contents are appropriate as described in this policy. Any information held or passing through the system is the property of the Organisation. All used on local NHS systems is monitored for viruses. content is automatically scanned for potentially offensive content and will be blocked if it has been identified as containing restricted words. Policy Page 2 of 26

3 Inbound s are automatically scanned and blocked/quarantined if they are considered to be potentially unsolicited s (i.e. SPAM). All (incoming and outgoing) on local NHS systems is logged automatically. Monitoring logs are audited periodically. The use of is not private. The content of is not routinely monitored, but the Organisation reserves the right to access, read, print, or delete s at any time. Accounts may be accessed as part of a formal investigation of a suspected breach of Organisation policies or in the prevention and detection of crime. Any monitoring or interception of communications will be carried out in accordance with legislation such as the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Data Protection Act 1998, the Human Rights Act Element to be monitored Lead Tool Frequency Reporting arrangements Acting on recommendations and Lead(s) Change in practice and lessons to be shared Outgoing s are recorded automatically to logs recording who sent the , to whom, Subject title and attachment information. IT Security Team (CITS shared service) Detailed information on the content can be retrieved from Groupwise or backup tape if necessary. Logs are created atomically when s are sent and received. Detailed information on the content of s are only accessed as part of an authorised investigation (IG Lead) or to resolve maintenance issues with the permission of the user. Breaches of this policy will be reported to the IG Lead and may be passed to the appropriate line manager, Personnel Dept. or Counter Fraud Specialist as appropriate. IT Security Team Required changes to practice will be identified following changes in legislation, Department of Health IG Toolkit requirements and as a result in any investigations. Changes will be recommended to the Information Governance Sub Committee for adoption and this will be disseminated to staff via the Document Library and staff bulletin as appropriate. Policy Page 3 of 26

4 Version Control Table Version Changes Made by Date Summary of Changes No (Name and Job Title) June Adopted policy Alan Gerrish June Updated in accordance with Countywide policy and to include actions to be taken in the event of a breach of confidentiality Gina Matthews, IG Manager (Interim) This document is to be retained for 10 years from the date of expiry. Policy Page 4 of 26

5 Table of Contents Version Control Table Introduction Scope Definitions/Glossary Ownership, responsibilities and rights Duties Roles of the Manager: Roles of the Individual User: Role of Cornwall IT Service Standards of Practice Managing s Use of s Legal requirements Security Personal use Forwarding Misuse of the system Sending attachments Sending confidential information by Patient level, sensitive or confidential information NHS Mail Assistance Retention and Destruction Breaches of this Policy Liability Appendix 1: Encryption Decision Tree Appendix 2: Sending & Receiving Encrypted s Procedure Policy Page 5 of 26

6 1. Introduction is an established method for day to day internal and external communication by NHS organisations. It can be of great benefit to the NHS when used appropriately. Its use, however, also exposes the Organisation and individual users to risks. This includes the risk of legal action due to breaches of, for example, data protection, and confidentiality requirements, threats to IT and information security, and ineffective communication. If these risks materialise either the Organisation or the individual employee are at risk of prosecution, can have a negative impact on the reputation of the Organisation and can lead to financial penalty following legal action. Care must therefore always be given to ensure that the is to the intended recipient and that the content is appropriate to be sent as an . is not always the best way to communicate information as messages can often be misunderstood. The pure volume of messages can also be prohibitive to effective communication as a result of overload. s should be treated with the same level of attention that is given to drafting and managing formal letters and memos. As well as taking care over how messages are written, s should be managed appropriately after they have been sent or received. This policy clearly sets the Organisation s expectations of staff, managers and the CITS organisation in the use and management of the system, including accessing non-work accounts on Organisation systems. Staff should ensure that they are familiar with the content of this policy and use it as a point of reference when dealing with messages. 2. Scope This policy applies to all users and their use of: NHS accounts (*.nhs.uk and *.nhs.net) for business and personal use on Organisation and non-organisation premises including from home, internet cafes and via portable media. Personal accounts (webmail) accessed from Organisation equipment. 3. Definitions/Glossary Cornwall NHS managed network the N3 and local networks and IT systems connecting the Organisations and partner organisations in Cornwall for the delivery of NHS services managed by CITS. Partner organisations Royal Cornwall Hospitals Trust, Cornwall Partnership Foundation Trust and Kernow Clinical Commissioning Group. Policy Page 6 of 26

7 User Any person who uses the Cornwall NHS managed network (including, but not limited to, all staff, non-executive directors, trainees, GP s, contractors, temporary staff, students, researchers, trainers and consultants) CITS Service Desk The IT helpdesk which provides IT support and administration functions as well as a central point to report IT related incidents. The service desk can be contacted by calling ext (if dialling from an internal phone, otherwise call ), CITS.Servicedesk@cornwall.nhs.uk of fax Ownership, responsibilities and rights The Organisation provides access to systems to employees and authorised non-organisation employees only for use in their: Work duties Work related educational purposes Work related research purposes The Organisation allows communications of a personal nature but this should be restricted to break times and not conducted during your contracted hours. Personal use does not include writing to statutory bodies or other formal establishments, as this could indicate that the views and opinions are that of the Organisation and not of the individual. This does not restrict the communication to utilities etc. No one has a right of access to an account. The inappropriate use or abuse of may result in access being withdrawn or amended. The Organisation reserves the right to remove or amend access to the system at any time in order to protect and preserve the integrity and confidentiality of the system. 5. Duties 5.1 Roles of the Manager: All managers are responsible for ensuring that the staff they manage have read and understood their responsibilities as described in both the Policy and Procedure and the Code of Connection, which encompasses confidentiality and security. They should ensure that their staff are equipped to fulfil those responsibilities; this will include covering it at their local induction and by identifying and meeting specific and generic training needs through personal development plans. Managers have specific responsibilities at each stage of a staff members employment: Policy Page 7 of 26

8 Starters Managers should ensure ALL new staff have reviewed and understood the Code of Conduct for Employees in Respect of Confidentiality. This must be completed prior to giving an employee access to the network or Organisation information systems. This is essential as failure to comply by an employee may lead to disciplinary action (the requirement to sign the manager s checklist declaration applies to ALL staff who work in the Organisation and not only those with network access). Managers are required to countersign this declaration to indicate that they have checked that the member of staff has read the relevant information governance policies and has had an opportunity to ask questions about anything they do not understand. Movers/Leavers Managers should ensure that when staff leave, or change role, that information stored within their accounts (including the s, contacts and documents) is moved to either an appropriate person or shared work area, for purposes of business continuity. It is also important that all patient and organisationally sensitive information is deleted from the account (unauthorised access to confidential information is a breach of the Data Protection Act and could lead to a fine of up to 500,000). If a staff member moves from one organisation to another within Cornwall Healthcare Community, it will be standard practice that the account moves with them from old to new organisation, in line with the principles of the NHS mail system but with the following safeguards in place: If a user account is of corporate significance, a process will be followed to remove all but personal s and contact details from the account prior to the person leaving. One option for this is to create a role based account e.g. Information Governance Lead that the leaving post holder moves/copies all non personal to the role based account. An alternative option is to rename the current account to the role based name, set up a new user account and to copy all personal from the role based account to the new individual account The CITS IT Security team should be contacted to agree a handling strategy in such situations. In the event of an exceptional circumstance or request by the current organisation, the account will not move to the new organisation. In this case the existing account will be renamed to an agreed account name, and a new account set up for the user should they ever be employed by another Cornwall Healthcare organisation. The organisation that the employee is leaving from will have ultimate control and decision making on what happens to an employee s account when moving from one Cornwall community organisation to another. Policy Page 8 of 26

9 Senior managers should ensure that managers within their Service are aware of their responsibilities in relation to informing staff about acceptable standards of information governance. 5.2 Roles of the Individual User: All employees with access to are responsible for: Complying with this policy and ensuring that they are aware of the requirements and standards of behaviour as described in section 6. Standards of Practice. Failure to do so could result in the removal of access and/or disciplinary action. Reporting information incidents and near misses, including breaches of this policy, in line with the Procedure for Reporting IM&T Security Incidents. See section 8 for what to do in the event of a breach of confidentiality. Ensuring that during periods of planned absence, they have made arrangements for third party access to their account by a relevant individual to ensure business continuity. If the absence is due to unforeseen events (such as illness), it may be necessary for an employee s line manager to request access to an employee s account (and documents) for the purposes of business continuity. Ensuring that any personal s (and documents) are saved in a separate folder to clearly distinguish them from work based information (e.g. labelled as Private, Confidential or Personal ), so that in the event that third party access is granted to the account, this information should not be accessed. In the event that third party access has been granted as a result of a period of absence or for the purposes normal collaborative working, only work based information should be accessed based on a specific need basis. Information clearly marked as private must not be accessed. If personal/private information is unintentionally accessed it must not be further disclosed. 5.3 Role of Cornwall IT Service To provide an system capable of compliance with the Department of Health IG Toolkit standards. While it is recognised that compliance can only be achieved at an individual s level, the core application must have the functionality for a person to be able to comply with NHS, local and national standards (e.g. securing information in transit). To administer the system (i.e. create and suspend accounts) in accordance with local procedures and to provide support in the use of the system. To provide guidance on use to ensure compliance with NHS Standards, Organisation Policies and UK Law. Policy Page 9 of 26

10 To ensure that there are monitoring facilities in place to ensure compliance with the Organisation s policies and UK Law. To provide information from an individual s account when requested to support a disciplinary investigation. 6. Standards of Practice This policy & procedure is based on current law, NHS Information Governance standards, and accepted standards of good practice; your duty to handle Organisation and person identifiable information appropriately arises out of common law, legal obligations, staff employment contracts, and professional obligations. Any breaches of this policy & procedure may result in your employment or your association with the Organisation being terminated. It may also bring into question your professional registration and may result in disciplinary, civil, or criminal proceedings. If there is anything that isn t clear or which you do not understand in this policy & procedure you must contact your line manager, in the first instance, or the Information Governance Manager for further information. 6.1 Managing s is a communication tool and not a records management system. Where the content of an may be needed in the future it is the responsibility of the user to ensure it is stored appropriately (archived) within the corporate records system. Where the content of an or attachments forms part of a record e.g. the patient record, it is the responsibility of the user to ensure it is added to, and becomes part of, that record whether held in hard copy or electronic format. Attachments can be saved to folders and where the content of an needs to be saved (i.e. evidence of comments from various sources forming a conclusion or action), it can be printed either to hard copy or electronically (PDF). s and attachments that do not relate to work activities or do not need to be kept as part of a record must be deleted as soon as possible after receipt. Storage space for s is limited to a maximum allocation, determined on available storage, backup facilities and maximum file sizes determined by the application. Exceeding the allocated space could result in the corruption and loss of your s and/or attachments. 6.2 Use of s Users should use only when it is appropriate to do so and not as a substitute for verbal communication. Policy Page 10 of 26

11 s should be worded with care because voice inflections cannot be picked up and it can be difficult to interpret the tone of a message. is a formal method of communication and should be treated the same as if writing a letter. messages must not include anything that would offend or embarrass any reader or would embarrass the Organisation if it found its way into the public domain. Write ALL s on the assumption that they may be read by others, particularly people who do not normally work for the Organisation such as temporary staff. is easily forwarded on and may be read by unintended recipients. is disclosable under the Data Protection Act, if relevant to the request for personal information. Limit the number of recipients the is sent too only as many recipients as is absolutely necessary. All users have a responsibility to not overload other staff with irrelevant s and not to put pressure on recipients by copying in people with authority unnecessarily. A concise and meaningful title must be put in the subject heading of every to indicate its content. This will assist the recipient in prioritising the opening of and aids the retrieval of opened messages. Users should not use as the only method of communication if an urgent response is required. Users must access regularly and respond to messages in a timely manner. Users should indicate when they are not able to read their (for example, when on annual leave) by using the tools within the system (such as an out of office notification). Inappropriate use may result in poor communication, impede the function of the Organisation s network system, impede the effective functioning of , or compromise the security of the system. Users must only use a disclaimer that has been authorised. Users must only use a signature in the correct format; surname forename job title Policy Page 11 of 26

12 organisation name in full user base address base telephone number work mobile telephone number fax number Peninsula Community Health is a not-for-profit Community Interest Company delivering NHS adult community health services in Cornwall and the Isles of Scilly 6.3 Legal requirements The use of must comply with the law such as the Data Protection Act 1998 and adhere to Organisation rules, codes of conduct, policies and procedures e.g. Acceptable Use Policy Users must comply with any licence conditions and copyright for any software they have access to. Users must not use for any purpose that conflicts with their contract of employment. messages have the same legal status as other written documents and must be disclosed in legal proceedings if relevant to the issues. The content of any s may be disclosable under the Data Protection Act Therefore, the author must ensure the content, style and language used is appropriate, as any data subjects mentioned may legally request access to the s under the Data Protection Act Improper statements may result in the Organisation and/or user being liable under law. 6.4 Security Passwords: All passwords and log in details for systems must be kept confidential (no member of staff should ever ask you to divulge your password). Sharing passwords or log in details will be considered misconduct. Where necessary, users can give proxy access to their account. This should normally be read access but may allow full access depending on the relationship. There is no right for a manager to demand access to a member of staff s account unless there is a legitimate business continuity, disciplinary reason, disciplinary investigation or request under the Data Protection Act that requires such access. In all cases this needs to be agreed by the Information Governance Lead. Policy Page 12 of 26

13 passwords should be changed regularly (at least every 3 months) and should be complex in nature, e.g.: Minimum length of 8 characters containing numeric and/or special characters Must not be easy to guess never use family members or pets names, telephone numbers, car registration number/make or model, etc. Must not be a recognisable word (these are vulnerable to automated dictionary hacks). If a tablet or smartphone has been set up to access work s, you must either password protect the device (preferable) or change the settings on the application to force the password to be entered each time s are accessed (i.e. turn off remember my password feature). Password protecting a device usually has the added advantage of encrypting the device. Organisation password security is particularly important as s are accessible via the internet using Webmail and therefore username and password are the only security safeguarding the information stored within a user s system. Users must lock their terminal when not at their computer, for example, to make a cup of tea, to attend a meeting or to go for lunch. Portable devices, including mobile and smart phones, used to store s must be encrypted. When accessing via a portable device or via webmail, it is the users responsibility to ensure that the is not viewable by any other person. Similar care should be taken to any printed s with confidential information. Printed s containing confidential information must be stored and disposed of securely. Business related s received into the Organisation system must not be forwarded onto personal accounts, non-nhs accounts or personal portable devices. 6.5 Personal use The personal use of the system is not discouraged providing that personal use is brief, is not used to store attachments, is carried out in the user s own time, does not detract from the user s work duties and does not disrupt the work of others. Personal s should be stored in a folder marked personal. Policy Page 13 of 26

14 Special care should be taken when using the Organisation s system to send personal s as these s will inherently carry the Organisation s signature and therefore may be, incorrectly, assumed to be sent on behalf of the Organisation rather than of a non-work and personal nature. This is of particular importance when sending s to statutory bodies or formal establishments where it would be easy to misinterpret the as a formal communication from one organisation to another. Only use your Organisation address to register with authorised social media sites when you have been approved to be acting on behalf of the Organisation. Entering into a Forum or a Blog and making informal suggestions or giving advice using the Organisations address could be perceived as formal NHS advice from the Organisation. In general, when registering for social media sites (Facebook, twitter, etc.) use a personal address, these can easily be created by signing up to Hotmail, Yahoo mail etc. When using personal webmail (Hotmail, Yahoo, etc.) you must never attach or send any Organisation or patient information. To do so would be a breach of NHS standards and the Data Protection Act and this will lead to disciplinary action. If you know that another user is sending information using this type of system, it should be reported immediately to the CITS Service Desk (ext. 1717) or direct to your IG Lead. 6.6 Forwarding Users must not automatically forward from their Organisation account or send confidential or sensitive Organisation information to non-nhs accounts. Examples of non-nhs accounts include Hotmail, Yahoo, AOL, and services provided by internet service providers. 6.7 Misuse of the system Users must not: Use the Organisation s to conduct private or freelance work for the purpose of commercial gain. Create, hold, send or forward s that have obscene, pornographic, sexually or racially offensive, defamatory, harassing or otherwise illegal content. (If you receive such a message you should report it to the CITS Service Desk immediately.) Create, hold, send or forward s that contain statements that are untrue, inaccurate, misleading or offensive about any person or organisation. Access and use another user s account without permission. If it is necessary to access another user s account then contact the CITS Service Desk for details of the necessary procedure. (Users should be Policy Page 14 of 26

15 aware that access to their account by authorised individuals may be necessary in periods of absence for business continuity reasons.) Send messages from another member of staff s account or under a name other than your own, unless for example Personal Assistants and other nominated staff are delegated access by their manager. In this instance the signature must clearly indicate that the message is being sent on the managers behalf. Send global s to ALL staff. There are processes that must be followed for such communications. Contact the Communications department who will ensure it is sent via approved routes (e.g. Bulletin). Send unsolicited s (spam) to large numbers of users unless it is directly relevant to the recipient s work. Send or forward chain letters or other similar non-work related correspondence. Use for political lobbying. Knowingly introduce to the system, or send an or attachment, containing malicious software, for example, viruses. Forge or attempt to forge messages, for example, spoofing. 6.8 Sending attachments Consider alternative ways of making large work documents available to colleagues such as placing documents on the intranet or server and ing a link. Alternatively, use file compression, for example, zip files, or other methods of file transfer, for example, FTP or FTPS. (Ask the Cornwall IT Service Desk for advice). 6.9 Sending confidential information by Confidential or sensitive information, including information about patients/service users and staff, must not be sent by , even if it is encrypted, unless it is part of an approved workflow process authorised by a senior manager and with the associated risk assessment signed off by the Information Asset Owner. Safe haven procedures must be used when routinely sending confidential or sensitive information by to external organisations. Confidential or sensitive Organisation information when accessed from non-nhs equipment must be done so in a secure manner. You should not download sensitive information to a non-organisation device. (Arrangements for working outside of this policy require prior approval from the manager who should seek advice from the Information Governance Lead). Policy Page 15 of 26

16 Users must not set up their Organisation account to automatically forward s to non-nhs accounts. Examples of non-nhs accounts include Hotmail, Yahoo, AOL, and services provided by internet service providers. Users must not forward any from their Organisation account that could be considered spam, contains offensive material or is a chain letter sent on by others. Using an NHS address gives the receiver the impression that the content of the is endorsed by the NHS Patient level, sensitive or confidential information The most common cause of unauthorised disclosure of confidential information within the NHS is s sent to the wrong recipient. It is essential, when sending s with patient identifiable information, that you ensure that the address is correct. If you are not 100% certain that you know the correct address you must use the GroupWise Address Book and select the person/destination address. If the intended recipient is not in the address book, you must find another way to confirm the address. To ensure that the Organisations address book is searched first for contacts please ensure that is selected as the highest priority in settings. You can do this by: Opening GroupWise Clicking on Address Book In the Address Book window, select File and then Name Completion Search Order Ensure that under the pane entitled Selected books: that Novell GroupWise Address Book is first in the list. This can be achieved by selecting this entry and clicking the Up button. The only other Address book that should be contained within the list is Frequent Contacts and, if used, should always be below Novell GroupWise Address Book. You must include the phrase Patient Information in the Subject Field; this ensures that the message is clearly identifiable to the authorised addressee. If sending containing sensitive information outside of the Organisation you must first establish if it is legal to do so. Sharing information without Policy Page 16 of 26

17 consent could be a breach of the Data Protection Act 1998(if in doubt, please contact the Information Governance Department for advice). You should type [Encrypt] in the subject header, this will ensure appropriate security measures are applied before it leaves the Organisations server but only using GroupWise. Further advice on when to encrypt s can be found in Appendix 3. If the is being sent to another NHS (or Government) organisation, establish the details of their NHS.net (or gsi.gov.uk) account and use your own NHS.net account to send as this is the NHS preferred method of ing patient and confidential information. There may be occasions when you are sending particularly sensitive information and do not wish to use information that will identify the individual within the body of the text. In these cases we recommend that you speak to the person you are going to be sending the information to and agree a secret password/pseudonym that will identify the person between you. Type in the information you wish to into the body of the message or send it in an attached document. To ensure that your attachment can only be read by the intended recipient you may wish to consider password protecting the document and, additionally, informing them of the password verbally. You must not save this information, or your GroupWise Archive, to a local drive (c:, d:, etc) on your computer. You must save this information to a network drive on a server (h:, s:, etc) NHS Mail NHS Mail account holders details can be obtained by looking on the search facility, link: Many organisations have now migrated to NHS Mail. If you need to send and receive confidential data from these organisation contact CITS to set up an NHS Mail account Assistance If you need any assistance in using please contact the CITS Support Service Centre on Tel: If you have any queries about the confidentiality aspects with the information you are sending you should contact your Caldicott Guardian or Information Governance Manager. Policy Page 17 of 26

18 7. Retention and Destruction The Organisation reserves the right to retain as required to meet its legal obligations. s do not form part of the corporate record and s that are required as part of the corporate record system should be saved in line with the corporate records policy (i.e. to a network drive). accounts will be retained for a period of 6 months following a user leaving a post. 8. Breaches of this Policy In the event of a breach of confidential information i.e. where an is sent to the wrong recipient, staff are required to take the following actions:- If sent to a groupwise address; If the has not been opened delete from the recipients mailbox and report as a near miss. If the has been opened it can only be deleted by either the recipient or Cornwall IT Services and report as a breach of confidentiality. Outside of Groupwise report as a breach of confidentiality and contact the recipient to obtain assurance that the has been destroyed and that the has not been forward, shared or backed up. The Organisation will: Investigate breaches of this policy, actual or suspected, in accordance with Organisation procedures. Where there is a breach of confidentiality the line manager will be required to send an apology letter explaining how the incident took place, what data was breached, to whom and what actions have been taken to ensure that this does not happen again Where appropriate, invoke the Organisation s disciplinary procedure for breaches of this policy. Where appropriate, make a complaint to an individual s employing organisation and co-operate fully into any investigation of that complaint where breaches of this policy are committed by users who are not employees of the Organisation (such as staff on secondment to the Organisation, Honorary Contract holders and users given access to systems). Where appropriate take legal action (that is, criminal or civil proceedings) in respect of this policy. Policy Page 18 of 26

19 9. Liability The Organisation will not be liable for any financial or material loss to an individual when using for personal use or when using personal equipment to access work . Policy Page 19 of 26

20 Appendix 1: Encryption Decision Tree Sending information via is a very efficient way of providing information. However, due to the ease and speed of creating and sending s, it is important that you do not forget that s are a very poor substitute for a conversation. If something needs to be discussed or explained it would be far better to pick up the phone or talk face to face. Does the contain any personally identifiable data or organisationally sensitive information? No does not need to be encrypted. Yes Can all personal information be anonymised before ing? i.e. removing names and identifiers Yes does not need to be encrypted. No Is the being sent within the Cornwall NHS Community? No Yes does not need to be encrypted. s that stay within GroupWise (Cornwall.nhs.uk) are secure. s to Cornwall Council or any other external body are not secure, including nhs.net. Be sure to check the address as there are several staff members with the same, or very similar, names. ALWAYS CHECK THE ADDRESS MUST be ENCRYPTED. Enter [Encrypt] in the Subject line. As a failsafe, the Cornwall NHS Community has an electronic encryption system that scans s for: NHS Number (including the spaces) i.e. xxx xxx xxxx Payroll Number NI Number Patient Information in the subject line. It is best practice to manually encrypt s rather than rely on an electronic system. Policy Page 20 of 26

21 Appendix 2: Sending & Receiving Encrypted s Procedure 1. Any containing personal or sensitive information that is being sent to a non NHS address must be encrypted. This is to comply with the initial directive in 2008 by David Nicholson, NHS Chief Executive, and is a subsequent requirement for all public sector organisations set by the Cabinet Office. 2. Before any encrypted s can be read, the recipient must complete a registration process to set up an account which is used to be able to log in to view the encrypted information. The registration process only has to be completed once, and when the account has been created the recipient will only need to provide a password to view the . Therefore, it is important in the first instance, that you notify the intended recipient that you are about to send personal/sensitive information that will be encrypted and that to view the information they will need to complete a registration process you may wish to send them the attached instructions Encryption using Secur to aid them through the process. 3. To encrypt an enter [Encrypt] in the s subject line. Don t forget to include the square brackets, usually found to the right of the letter P on the keyboard. You must include some text in the body of the message but it is recommended that no person identifiable data is included at this stage. You may like to ask the recipient to confirm when they have completed the registration successfully. You do not need to register unless the recipient replies to an encrypted message. 4. If the recipient is unable to register for encrypted s (organisation policy, technical policy limitations) you will be unable to send person identifiable to them via . Consider anonymising any information before sending, the use of a Safe Haven fax, registering for an NHS.net address or recorded/registered post. 5. If the recipient replies to an encrypted message from within WatchGuard (the Secur encryption service) you will receive a notification in your GroupWise Mailbox informing you that you have received a secure message. Simply follow the procedure for registration process outlined in Encryption using Secur section Policy Page 21 of 26

22 Encryption Using Secur 1. Sending an encrypted 1.1 Launch GroupWise and create and address a new message 1.2 In the subject include the phrase [Encrypt] 1.3 Type the message as usual and include any attachments before sending it in the normal way 2. Receiving an encrypted 2.1 The recipient will receive a message from you with the following content and should follow the instructions to view this secure message Policy Page 22 of 26

23 2.2 They will be presented with the following message and should click Read Message: Policy Page 23 of 26

24 2.3 A one time registration will be required per address receiving an encrypted When presented with the following screen, they should enter their full name and choose and retype a suitable password before clicking Continue Policy Page 24 of 26

25 2.3.2 The following screen will now be displayed The recipient should open the Identity Verification message when it arrives and click on the link provided Your message will now be displayed Policy Page 25 of 26

26 2.4 Further s can be accessed by entering their password after Read Message is selected from paragraph Policy Page 26 of 26