Information Technology Acceptable Use Policy

Transcription

1 Information Technology Acceptable Use Policy (IT Resources, and Internet) Version 1.2 October, 2002

2 Contents OVERVIEW 4 IT RESOURCES USAGE POLICY 4 1. Trust Property 4 2. Inappropriate Use 5 3. Identification Codes and /Log-ons 5 USAGE POLICY 6 1 Granting of access New User of External Sensitive Patient Data 7 2 Trust Access to s 7 3 Personal Use of 8 4 Misuse of 8 5 Termination of Accounts 9 INTERNET USAGE POLICY 9 1 Overview 9 2 Purpose of the Internet Usage Policy 10 DETAILED INTERNET POLICY PROVISIONS 10 3 General 10 4 Technical 13 5 Security 14 Policy Compliance 14 Glossary of Terms 14 Covered Individuals 15 Related Policies and Legislation 15 Circulation List For approval/amendment Trust Executive IT Technical Services Team Leader Chair Intranet Steering Group Distribution Internet users Users All Users of Trust IT Equipment Bill Gordon Page 2 of 15 Version 5.0

3 Document Revisions Date Version State Nature of Change 1 st July Draft 10 th August Draft Amendments 22 nd November Final Draft Amendments 13 th November Final Release Updates Authors: Chris Allen Customer Services Manager Bill Gordon Assistant Director Bill Gordon Page 3 of 15 Version 5.0

4 Overview ACCEPTABLE USE POLICY (Including Information Technology Resources, Internet and Use) This policy defines appropriate use of the Trust's IT systems and resources so that: (1) productivity levels are not reduced due to non business-related use of the Trust's systems, equipment and infrastructure; (2) the Trust is not exposed to unnecessary risk by individuals accessing non business-related Internet sites or sending inappropriate communications via electronic mail, or by a breach in security, which could result in unauthorized access to the Trust's business and patient information; and (3) individuals in our workplace are not exposed to inappropriate images or communications. The Trust will monitor use of it s computer resources and, if appropriate, review individual usage patterns. Non-compliance with the Trust's policy may result in disciplinary action, up to and including the termination of an individual's employment, as per the Trust s already established disciplinary procedures. IT RESOURCES USAGE POLICY The Trust's has made considerable investments in Information Technology resources, necessary to operate effectively in today s marketplace. Use of this technology comes with responsibilities that have security, compliance, productivity and ethical implications: The following policy addresses three areas: Trust property, inappropriate use, and identification codes/logons. 1. Trust Property The Trust's Information Technology resources are intended solely for use in conducting Trust business and may not be used for non business-related purposes; including non business-related communications (see policy personal ). All s, files and documents that are composed, stored or transmitted, over our internal and external networks, are the property of The Trust and will be monitored at the Trust's discretion. Bill Gordon Page 4 of 15 Version 5.0

5 Similarly, the movement of all Trust IT equipment must be done in accordance with the Trust IT procurement and movement policy. (This also gives guidance on the purchase and installation of hardware and software onto Trust PC s including licensing, ownership of software, and registration of all newly purchased IT equipment with the IT Directorate.) 2. Inappropriate Use The Trust's information technology resources should not be used to create documents, transmit messages or access Internet sites that: - disparage individuals on the basis of race, color, religion, gender, national origin, citizenship, age, marital status, disability or sexual orientation; - are not consistent with, or violate the Trust's Staff Support Policies (inc. Equal Employment Opportunity policy) or any other policy contained in the Trust's Code of Conduct; or - are not consistent with or violate any other Trust policies. - The viewing, downloading, transmitting or accessing of sexually oriented material or offensive speech is strictly prohibited. The Trust's IT resources may not be used: - for personal gain or profit; - to establish a personal public presence (i.e., "Web Sites") on the Trust's systems; or - for non business-related purposes. Electronic communications should comply with all applicable laws and regulations, including laws :- - governing the import and export of technology, software and data; - restricting the use of telecommunications technology and encryption; - governing the transmission of private data; - governing the content and supervision of communications with the public; and - relating to the protection of copyrights, trademarks and trade secrets. No employee may knowingly infect the Trust IT facilities to propagate any virus, worm, Trojan horse, or trap-door program code. All due care must be taken to prevent the accidental infection of the aforementioned code. This includes scanning of disks brought into the Trust from elsewhere or disabling the installed Anti-Virus software whether on or desktop. All PC s connected to the Trust network must have the Trust s approved Anti-Virus software installed and activated. 3. Identification Codes and /Log-ons All individuals who have been allocated network and/or system access are required to: Bill Gordon Page 5 of 15 Version 5.0

6 - ensure the integrity and confidentiality of their unique user identification codes and passwords. Any suspected breach or suspected security threat to the Trust's systems should be reported immediately to the Information Systems department or the Trust Security Officer ; - prevent access to unauthorized users when leaving systems unattended, including use of password protected screensavers where appropriate; and - comply with all of the security mechanisms on the Internet, such as logon controls or fire-wall barriers. See also the Trust Security Policy for further details and regulations on System Security 1 Granting of access 1.1 New User of USAGE POLICY All requests for new accounts need to be requested using the appropriate application form (Appendix A.1) This form will need to be authorized by the Users Line Manager. The User will collect the relevant passwords from the IT Customer Services Helpdesk, including copies of this policy and training documentation. Upon collection the user will need to sign the User Agreement form to confirm their agreement with this Policy. 1.2 External With effect from implementation of this policy, the ability to send and receive , from and to external organizations will, on request, be given to all new accounts at no extra charge. The user or users manager will complete the application to indicate whether the account is to be for internal only or to include the external facility. Upon receipt of the request form, the account will be set up within the time frame specified by the relevant Service Level Agreement and the user notified of account details, and referred again to the Trust & Acceptable Use Policy. The Information System Department may need to restrict the use of External , should there be an increased risk of Virus infections. All users would be notified of Bill Gordon Page 6 of 15 Version 5.0

7 this and in exceptional one-off circumstances arrange for alternative methods of receipt for urgent business purposes. All external s are to be suffixed with the following text message, as approved by the Trust s Legal Services Department:- This is confidential and may well also be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person: to do so could be a breach of confidence. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of the Trust. Thank you for your co-operation. Access to both Internal and External is at the user s line manager discretion at all times. 1.3 Sensitive Patient Data s containing sensitive Trust data, as defined by existing data security policy e.g. patient data, are deemed to be secure as long as the recipient is also on the NHSnet (i.e. has a nhs.uk suffix on the address). Any Data such as this should not be sent outside of the NHSnet unless encrypted. Even if a patient authorizes of data to themselves this also is not acceptable unless encrypted These s should also be marked as confidential via the security flag, which will ensure that any delegated recipients other that the directly addressed recipient, will not be able to read the if forwarded. 2 Trust Access to s The Trust reserves the right to retrieve the contents of an for legitimate reasons, such as to find lost messages, to comply with investigations of wrongful acts or misuse, or to recover from system failure. The monitoring of individual communications, is limited to investigations that have been authorized by the Chief Executive, Director of Information Systems or Director of Human Resources, or as may be required to meet requirements of a Court of Law. The Trust has content analyzing software, which alerts the IT department to inappropriate language within s. The author will be promptly notified after the event that s have been accessed, and the reasons why this has happened. In the case of investigations of wrongdoing, notification will take place upon completion of the investigation. Users of the system should also note that deletion of an from a mailbox does not guarantee that the message has been fully erased. Only the tag that identifies the file is erased and therefore all s written should be taken to be permanent. Bill Gordon Page 7 of 15 Version 5.0

8 3 Personal Use of Personal use of by Trust employees is allowable but should be minimized and not interfere with, or conflict with business use. Employees should exercise good judgment regarding the reasonableness of personal use. Personal notices not relating to Trust business (i.e. "for sale", "for rent", "looking to buy", etc.) should be placed on the Intranet message Board, and not on the system. Use of is limited to employees and authorised temporary staff, or contractors. Employees and authorised users are responsible for maintaining the security of their account and their password. 4 Misuse of Examples of misuse of includes the following: the transmission of obscene, profane or offensive material over any Trust communication system. This includes, for example, erotic & pornographic materials and obscene language, which is monitored by the Internet Message Inspector. Messages, jokes, or forms which violate the Trust harassment or discrimination policy or create an intimidating or hostile work environment are prohibited. Use of company communications systems to set up personal businesses or send chain letters is prohibited. Trust confidential messages should be distributed to Trust personnel only. Forwarding to locations outside is prohibited, unless authorized or required within the confines of the NHS. Accessing copyrighted information in a way that violates the copyright is prohibited. Breaking into the system or unauthorized use of a password/mailbox is prohibited. Broadcasting unsolicited personal views on social, political, religious or other non-business related matters is prohibited. Solicitation to buy or sell goods or services or using the network for commercial purposes is prohibited. 4.1 Statements of Facts Untrue Statements of facts, which damage the reputation of the person or company, are considered libelous. These need not be insulting but may be that another organization is in financial difficulty), or Bill Gordon Page 8 of 15 Version 5.0

9 unprofessional in their conduct can be libelous statements. (e.g. Western Provident Association v Norwich Union 1999, resulted in settlement of over 450k for libelous statements. Users of the systems must also take great care in what is said in an message, so that binding contracts are not inadvertently agreed upon, as an can be used as a legally binding document as in paper correspondence Restrictions - The Information Systems Directorate reserve the right to prohibit and block, attachments of certain types i.e. video, Exe files, as these are commonly game type files and also pose a greater risk to the organization of infection by viruses etc. File sizes may also be limited at the discretion on the Technical Services Department, as large files can impact on the efficient operation of the Trust or NHS network. 5 Termination of Accounts 5.1 There is a security risk of staff who leave the trust abusing the Trust s system. Therefore arrangements have been made with the Human Resource Department to provide list of leavers each month. For each leaver. access and their Network log-on will be disabled for a period of 1 month from the notification of their departure. This provides a safeguard against accidental deletion. After one month the account will be permanently deleted. 5.2 Any account that has not been accessed for 3 months, will be suspended and the user s manager will be given 1 month notice of the deletion of that account. 5.3 When members of staff leave the Trust, his or her personal account will be deleted and access cannot be granted to that account to anyone. It must not be assumed when an individual leaves the Trust, that their account can continue to be used and accessed by other people. The only exception to this is where an account is set under a department name e.g. legalservices@chelwest.nhs.uk or craniofacial@chelwest.nhs.uk. This account may be accessed by another person in that department under the authorisation of the Department Head. The day-to-day users of that account are to be made aware of this situation, when the access is granted. 1 Overview INTERNET USAGE POLICY The Trust provides access to Internet to help staff perform their job and be well informed. This Internet usage policy is designed to help users understand the Trust s expectations for the proper use of these Internet access facilities. Bill Gordon Page 9 of 15 Version 5.0

10 2 Purpose of the Internet Usage Policy 2.1 Appropriate Use - The Internet is a business tool, provided at significant cost and staff should use the Internet only for Business/Trust related purposes, i.e., to communicate with colleagues and suppliers, to research relevant topics and obtain and disseminate useful business & clinical information. 2.2 Conduct Users should conduct themselves professionally on the Internet, and respect the copyrights, software licensing rules, property rights, privacy and prerogatives of others, just as in any other business dealings. All existing Trust policies on staff conduct still apply to conduct on the Internet, especially (but not exclusively) those that deal with intellectual property protection, privacy, misuse of Trust resources, sexual harassment, information and data security, and confidentiality. Unnecessary or unauthorized Internet usage causes network and server congestion. It slows other users, takes away from work time, consumes supplies, and ties up printers and other shared resources. Unlawful Internet usage may also garner negative publicity for the Trust and risk exposure to significant legal liabilities. 2.3 Trust Corporate Image - The newsgroups and on the Internet give each individual Internet user an immense and unprecedented ability to propagate Trust messages. Because of that power we must take special care to maintain the clarity, consistency and integrity of the Trust s corporate image and posture. Anything that an employee writes in the course of acting for the Trust on the Internet could be taken as representing the Trust s corporate posture. That is why we expect users to forego a measure of their individual freedom when they participate in chats or newsgroups on Trust time, as outlined below. 2.4 Security - While our connection to the Internet brings enormous potential benefits, it can also open the door to some significant risks to our data (clinical & financial) and systems if we do not follow appropriate security discipline. As presented in greater detail below, that may mean preventing machines with sensitive data or applications from connecting to the Internet entirely, or it may mean that certain users must be prevented from using certain Internet features like file transfers. The overriding principle is that security is to be everyone s first concern. Trust employees can be held accountable for breaches of security or confidentiality. DETAILED INTERNET POLICY PROVISIONS 3 General 3.1 The Trust has software and systems in place that monitor and record all Internet usage. Our security systems are capable of recording (for each and every user) each World Wide Web site visit, newsgroup or message, and each file transfer into and out of our internal networks, and we reserve the right to do so at any time. No employee should have any expectation of complete privacy as to his or her Internet usage. Bill Gordon Page 10 of 15 Version 5.0

11 The Information Systems Directorate will review Internet activity and analyze usage patterns, and may choose to disclose this data to assure that Trust Internet resources are devoted to maintaining the highest levels of productivity. The Trust has installed Internet Content Analysing Software. This software has several useful functions, to assist in managing the usage of the Internet within the Trust. i) Prohibit undesirable sites - Key words e.g. those of an adult or frivolous nature (nude, xxx, games etc) can be defined within the software and thus sites containing these words are blocked. ii) iii) Surf Time statistics Reports will be run routinely detailing the usage time of each user or workstation. Excessive time spent on line by a particular user can be identified and corrective measures taken. This will also identify potential misuse of the password, where an ID may be shared with other members of staff to use the World Wide Web. Sites Visited reports will be run of sites visited by users, and the most frequently visited sites. A list of web links will be provided on the NHSweb access page of the most frequent or most relevant sites to the Trust personnel e.g. Medline or Cochrane We reserve the right to inspect files stored on PC s or servers connected to the Trust network in order to assure compliance with policy. 3.3 The display of any kind of sexually explicit graphical image or text document on any Trust system is a violation of the Trust policy on sexual harassment. In addition, sexually explicit material may not be archived, stored, distributed, edited or recorded using any device connected to the Trust s network. 3.4 The Trust uses independently supplied software to identify inappropriate or sexually explicit Internet sites. Access will be blocked from within our networks to all such sites that we know of (see i above). If you find yourself inadvertently connected to a site that contains sexually explicit or offensive material, you must disconnect from that site immediately, regardless of whether that site had been previously deemed acceptable by any screening or rating program and report the incident to the ISSD Helpdesk The Trust s Internet facilities and computing resources must not be used to violate any laws of the EU or UK. Use of any Trust resources for illegal activity is deemed to be gross misconduct in accordance with Trust Human Resources policy and thus may be grounds for immediate dismissal. The Trust will cooperate with a Court of Law with regard to compliance to this policy Any software or files downloaded via the Internet into the Trust network become the property of the Trust. Any such files or software may be used only in ways that are consistent with their licenses or copyrights and with Trust business 3.7. No employee may use Trust facilities to download or distribute pirated software or data. Bill Gordon Page 11 of 15 Version 5.0

12 3.8. No employee may use the Trust s Internet facilities to knowingly expose the Trust to risk of any virus, worm, Trojan horse, or trap-door program code No employee may use the Trust s Internet facilities to disable or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of another user Each employee using the Internet facilities of the Trust shall identify himself or herself honestly, accurately and completely (including one s Trust affiliation and function where requested) when participating in business related chats or newsgroups, or when setting up accounts on outside computer systems No Employee should set up a personal or departmental web presence, which pertains to be officially sanctioned by the Trust, or representing the Trust in a official capacity, without consultation of the Trust Website Editorial committee. Likewise use of the Trust or NHS logo should not be used without approval of the Trust Corporate Communication department Only those employees or officials who are authorized to speak to the media, to news analysts or at public gatherings on behalf of the Trust may speak/write in the name of the Trust to any newsgroup or chat room. Other employees may participate in newsgroups or chats in the course of business when relevant to their duties, but they do so as individuals speaking only for themselves. Where an individual participant is identified as an employee or agent of the Trust, the employee must refrain from any political advocacy and must refrain from the unauthorized endorsement or appearance of endorsement by the Trust of any commercial product or service not provided by the Trust. Only those managers and Trust officials who are authorized to speak to the media, to news analysts or in public gatherings on behalf of the Trust may grant such authority to news-groups or chat room participants The Trust retains the copyright to any material posted to any forum, newsgroup, chat or World Wide Web page by any employee in the course of his or her duties Employees are reminded that chats and newsgroups are public forums where it is inappropriate to reveal confidential Trust information, identifiable patient data, trade secrets, and any other material covered by Trust confidentiality policies and procedures. Employees releasing such confidential information via a newsgroup or chat whether or not the release is inadvertent will be subject to the sanctions provided in Trust policies and procedures Use of Trust Internet access facilities to commit infractions such as misuse of Trust assets or resources, sexual harassment, unauthorized public speaking and misappropriation of intellectual property are prohibited and will be sanctioned under the relevant provisions of the Human Resources Policies Because a wide variety of materials may be considered offensive by colleagues, customers or suppliers, it is a violation of Trust policy to store, view, print or redistribute any document or graphic file that is not directly related to the user s job or the Trust s business activities. Bill Gordon Page 12 of 15 Version 5.0

13 3.17. In the interest of keeping employees well informed, use of news briefing or discussion groups or mailing lists services like Topica are acceptable, within limits that may be set by each directorate s management team, or as advised by the information systems department Employees with Internet access may download only software with direct business use, and must arrange to have such software properly licensed and registered. Downloaded software must be used only under the terms of its license and installation of this software on Trust equipment must be authorised by the IT department Employees with Internet access may not use Trust Internet facilities to download entertainment software or games, or to play games against other opponent Employees with Internet access may not use Trust Internet facilities to download images, music or videos unless there is an express business-related use for the material Employees with Internet access may not upload any software licensed to the Trust or data owned or licensed by the Trust without the express written authorization of the software supplier or manager responsible for the software or data. 4 Technical 4.1. Network User IDs and passwords help maintain individual accountability for Internet resource usage. As always, users must keep that password confidential. Trust policy prohibits the sharing of user IDs or passwords assigned for access to Internet sites. After use Users must log out of the PC s or Internet Browser where they have been accessing the Internet. Users will be held responsible for misuse of the Internet facilities undertaken with their user ID and password Employees should schedule communications-intensive operations such as large files transfers, video downloads, mass ings and the like for off-peak times Any file that is downloaded must be scanned for viruses before it is run or accessed. 5 Security 5.1.As part of the Trust connection to NHSnet, the Trust has installed an Internet firewall to assure the safety and security of the Trust s networks. Any employee who attempts to disable, defeat or circumvent any Trust security facility will be subject to misconduct proceedings under the Trust Human Resources disciplinary policies. Bill Gordon Page 13 of 15 Version 5.0

14 5.2. Files containing sensitive Trust data, as defined by existing corporate data security policy e.g. patient identifiable data, that are transferred in any way across the Internet, outside of the NHSnet must be encrypted Only those Internet services and functions with documented business purposes for the Trust will be enabled at the Internet firewall. Policy Compliance The Trust's equipment, and Internet access facilities by the Information Systems Directorate s to determine whether their use is in accordance with this policy, and to investigate claims of wrongdoing and inappropriate use. All employees are responsible for ensuring adherence to these policies and for taking appropriate steps, including notifying their manager or their business unit Human Resources Department, if they believe that a violation of this policy has occurred. Violations of this Policy on Appropriate Use of the Trust's Information Technology may result in disciplinary action, up to and including the possible termination of an individual's employment as per the Trust s Disciplinary Policy and Procedures. Glossary of Terms Certain terms in this policy should be understood expansively to include related concepts:- Trust includes our affiliates and subsidiaries, Document covers any kind of file that can be read on a computer screen as if it were a printed page, including HTML files read in an Internet browser, any file meant to be accessed by a word processing or desk-top publishing program or its viewer, (including Microsoft Office Documents) or the files prepared for the Adobe Acrobat reader and other electronic publishing tools. Graphics includes photographs, pictures, animations, movies, or drawings. Display includes monitors, flat-panel active or passive matrix displays, monochrome LCDs, projectors, televisions and virtual-reality tools. Technology - includes, but is not limited to, all of the Trust s processing hardware (mainframe, servers and desk top computers), software (applications that support business processes, operating Systems, utility software), networks and networking applications, PDAs, phone systems, voice mail, electronic mail, facsimile machines), and data systems. Bill Gordon Page 14 of 15 Version 5.0

15 Covered Individuals This policy applies to all users of Chelsea and Westminster Healthcare IT services and systems, whether the users are Trust employees, agents, individuals working through temporary agencies or consultants, regardless of whether the user is utilizing the Trust s technology at the office or from a remote location. Related Policies and Legislation Computer Misuse Act (1990) Data Protection Act (1984) Human Rights Act (1998) Chelsea and Westminster IM&T Security Policy Chelsea and Westminster Human Resource Policies General Policies and Staff Code of Conduct Staff Support Policies Employee Relations Procedures Chelsea and Westminster IT Equipment Procurement & Removal Policy. Legal Guidance Notes #29 Use of National Computing Centre This policy is intended as an addition to the above mentioned policies and Acts and does not supercede or intend to conflict with them. Bill Gordon Page 15 of 15 Version 5.0