Internet Use Policy and Code of Conduct

Transcription

1 Internet Use Policy and Code of Conduct UNIQUE REF NUMBER: AC/IG/023/V1.1 DOCUMENT STATUS: Agreed by Audit Committee 18 July 2013 DATE ISSUED: July 2013 DATE TO BE REVIEWED: July P age

2 AMENDMENT HISTORY VERSION DATE AMENDMENT HISTORY V1 July 2013 Version approved by Audit Committee 18 July Addendum required to include use if ipads. AC/IG/023/V1.1 December 2013 Addition of branding and formatting in line with Policy for Development of Policies AC/IG/023/V1.2 March 2014 Addition of unique reference number prior to publication REVIEWERS NAME DATE TITLE/RESPONSIBILITY VERSION Donna Dallaway June 2013 CSU Information Governance Manager V1 Matthew Hartland June 2013 Chief Finance Officer V1 Julia Dixon July 2013 Staff Side Representative V1 APPROVALS This document has been approved by: NAME DATE TITLE/RESPONSIBILITY VERSION CCG Audit 18 July 2013 Delegated authority from the Board V1 Committee NB: The version of this policy used on the intranet must be a PDF copy of the approved version. DOCUMENT STATUS This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of the document are not controlled. RELATED DOCUMENTS These documents will provide additional information: REFERENCE NUMBER AC/IG/008 AC/IG/010 AC/IG/011 AC/IG/013 AC/IG/014 AC/IG/016 AC/IG/020 AC/IG/002 DOCUMENT TITLE Corporate Records Policy Data Protection Policy Policy and Code of Conduct Freedom of Information Policy Information Governance Policy Information Governance Toolkit Policy Information Security Policy Password Management Policy RA (Smartcard) Policy Safe Haven Policy Staff Code of Conduct on Confidentiality VERSION APPLICABLE LEGISLATION Data Protection Act 1998 Human Rights Act 1998 Freedom of Information Act 2000 Access to Health Records Act 1990 (where not superseded by the Data Protection Act) Computer Misuse Act 2 P age

3 Copyright, Designs and Patient s Act 1998 (as amended by the Copyright Computer Programs Regulations 1992) Crime and Disorder Act Regulation of Investigatory Powers Act 2000 Electronic Communications Act 2000 Common Law Duty of Confidentiality National Health Service Act 1977 GLOSSARY OF TERMS TERM ACRONYM DEFINITION 3 P age

4 CONTENTS PAGE NO POLICY OVERVIEW Introduction Purpose Who this Policy applies to 5 THE POLICY Responsibilities Code of Conduct Acceptable Internet Usage Unacceptable Internet Usage (Prohibited Use) Use of Social Networking Sites Blocked Websites Accidental access to inappropriate Material Examples of Acceptable Use Security Guidelines System Monitoring Obtaining Internet Access Monitoring Compliance 10 Appendix 1 NHS Network Code of Connection User Authorisation 4 P age

5 POLICY OVERVIEW 1.0 Introduction 1.1 Dudley CCG recognises that access to the Internet is a useful means of communication, a valuable resource and essential to support NHS business. The Internet is primarily for business use. 1.2 Employees are permitted to use the Internet for occasional and reasonable personable use, subject to the terms in this policy and provided it does not interfere with the performance of their duties or the operation of the network. 1.3 Occasional and reasonable personal use of the Internet is a privilege and not an entitlement which can be withdrawn at any time if excessive use is proven which is not of a business nature. Employees will be informed prior to access to the Internet being denied. 1.4 All Internet usage is monitored by IT Security and Information Governance. 1.5 When you are not using the Internet you must ensure that you close your Internet Explorer browser. 2.0 Purpose 2.1 The purpose of this policy is to ensure the security of Dudley CCG s Internet system and to outline the acceptable use of the Internet and ensure staff awareness and ownership of issues pertaining to internet issues. 2.2 This policy defines the Internet Use Policy for Dudley CCG. The Internet Use Policy applies to all types of on-line services accessed through Dudley CCG s communication systems. These services include Dudley CCG s Intranet system, extranet system and the Internet. This policy also extends to the use of any mobile computing equipment owned by Dudley CCG. 2.3 The Internet is a general term that covers access to numerous computers and computer systems worldwide that are accessed electronically. Such systems include the World Wide Web (www), (please refer to the Policy and Code of Conduct), File Transfer Protocol (FTP), newsgroups, Gopher, social networking sites etc. Dudley CCG uses NHSNet to access these systems. 2.4 To ensure proper use of Dudley CCG s NHS Internet system and makes users aware of what Dudley CCG deems as acceptable and unacceptable use of its Internet System. By following the guidelines in this policy, the Internet user can minimise the legal risks involved in the use of the Internet. If any user disregards the rules set out in this Internet Use Policy, the user will be fully liable and may be subject to disciplinary action by Dudley CCG. 2.5 This policy is to establish user responsibilities for Dudley CCG s Internet system. 2.6 The policy sets out Dudley CCG s policy for the protection of the confidentiality, integrity and availability of the Internet system. 3.0 Who this Policy applies to 3.1 This policy applies equally to all members of staff employed by Dudley CCG. It also applies to secondees, volunteers, agency, apprentices and consultancy staff using the resources of 5 P age

6 Dudley CCG including contractors and any others working on behalf of Dudley CCG, including Commissioning Support Unit staff. THE POLICY 4.0 Responsibilities 4.1 Dudley CCG will ensure that all users are properly trained before using the Internet system. Dudley CCG will take all reasonable steps to ensure that users of the Internet service are aware of policies, protocols, procedures and legal obligations relating to the use of the Internet. This will be done through training and staff communications at departmental level and organisational wide. Dudley CCG will ensure all users are offered training. 4.2 The IT Security Manager and Head of Information Governance and Records will monitor the network for unacceptable use, will remove any offensive material found and take appropriate action against those involved. The IT Security Manager in conjunction with the Head of Information Governance and Chief Finance Officer will block Internet access to inappropriate sites. Students using the Internet must be supervised at all times. 4.3 All users should take reasonable precautions to prevent viruses or other unacceptable material from finding its way on to Dudley CCG s network. They must not download programmes or other materials (other than documents) for use on Dudley CCG s equipment without prior consent. 4.4 Staff and those who are authorised to publish information on the Intranet and extranet pages are entirely responsible for the content of their information. They are also responsible for the legality and accuracy of the information contained in the pages accessed through hyperlinks in their own information. They must ensure that, both their personal pages and the information accessed through them are accurate and up to date and meets acceptability standards and legal requirements. 4.5 Dudley CCG will not be held liable for any financial or material loss to an individual user in accessing the Internet for personal use. 5.0 Code of Conduct 5.1 Staff will be required to sign a Code of Conduct before they are provided with Internet access. Specifically, the Code of Conduct requires staff to commit to the following: To identify themselves accurately and honestly in any communications with other Internet users Not to use the Internet facilities provided by Dudley CCG for any purpose which is illegal or in violation of Dudley CCG policies Not to pass identifiable personal information about staff or patients across the Internet Not to use Internet facilities for the importation, handling, storing or retrieval of sexually explicit images; misappropriation or theft of material, or intellectual property rights Not knowingly violate the laws of any nation in the use of Internet facilities and services 5.2 Information submitted to Internet pages will be considered public statements, and staff are expected to comply with accepted Dudley CCG policies if or when using such pages. 6 P age

7 6.0 Acceptable Internet Usage 6.1 The Internet is an important tool in the management and delivery of Dudley CCG services and this is its main purpose. 6.2 Personal use of the Internet by users is permitted providing this does not interfere with work, and: Personal use is made only outside normal working hours and for limited periods (lunchtime is allowable). Users do not run private businesses using Dudley CCG s facilities 6.3 Regular and extensive personal use of the Internet will normally result in disciplinary action. 7.0 Unacceptable Internet Usage (Prohibited Use) Deliberately viewing any pornographic, obscene, indecent or non-clinical sexually explicit material Deliberately viewing any illegal material Deliberately viewing any offensive, sexist, racist, hateful or otherwise offensive/ discriminatory material For any commercial activities (e.g. running a business) To perpetrate any form of fraud or criminal activity To send offensive or harassing material to others Bring Dudley CCG or a colleague into disrepute Any form of defamation Any form of discrimination Any form of harassment or bullying Where it interferes with the work of the individual that is using the Internet Where it interferes with the work of a colleague Where it interferes with the work of a department Where it interferes with the business of Dudley CCG For illicitly distributing any patient or business confidential material For hacking or gaining access to unauthorised areas To deliberately waste network resources For the deliberate introduction of viruses, spyware or malware Streaming video or audio for non-work use Any form of instant messaging (e.g. messenger, Facebook) Any gambling websites Creating, downloading or transmitting (other than for properly authorised and lawful research) any obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material Creating, downloading or transmitting (other than for properly authorised and lawful research) any defamatory, sexist, racist, offensive or otherwise unlawful images, data or other material Creating, downloading or transmitting material that is designed to annoy, harass, bully, inconvenience or cause needless anxiety to other people Creating or transmitting junk mail or spam. This means unsolicited commercial webmail, chain letters or advertisements Using the Internet to conduct private or freelance business for the purpose of commercial gain Creating, downloading or transmitting data or material that is created for the purpose of corrupting or destroying other user s data or hardware 7 P age

8 Downloading streaming video or audit for entertainment purposes Downloading or transmitting any copyrighted material without the copyright owner s explicit consent 8.0 Use of Social Networking Sites 8.1 Social networking sites, like Facebook and Twitter are blocked for personal use. However, should anyone have a legitimate business need to access these sites they should contact the Chief Finance Officer, Head of Information Governance or the IT Security Manager. 9.0 Blocked Websites 9.1 A number of websites are automatically blocked. Attempts to access these sites will display an access denied page. 9.2 Access to social networking sites is blocked for the safety of the organisation s Internet service as this is both resource intensive and can compromise the security of Dudley CCG s Internet service. 9.3 If you do require access to a site that is blocked for legitimate business reasons you can contact the Chief Finance Officer, Head of Information Governance or the IT Security Manager who can allow access for a limited period only Accidental Access to Inappropriate Material 10.1 If inappropriate material is accessed accidentally users should immediately report this to the IT Department so that this can be taken into account in monitoring. Employees should also report any such incidents to their line manager Examples of Acceptable Use 11.1 When considering acceptable use you will need to consider:- Your area of work The impact on your department s service delivery The time of day Duration that you are using the Internet Morale with your colleagues if you appear to be on the Internet when they are working 12.0 Security Guidelines 12.1 Access to the Internet will be provided through a controlled network gateway for any users who can demonstrate a legitimate reason for access. No other access points will be permitted (e.g. using modems) Dudley CCG will monitor Internet access centrally and has the right to inspect any messages, files, images or software sent or received by users. IT equipment will be randomly audited in connection with this. Dudley CCG will use software to block access to unauthorised sites and will monitor all connection attempts made in this respect Detection of any sexually explicit or otherwise offensive material being accessed by staff will result in Internet access being removed from that user and disciplinary action being taken. 8 P age

9 12.4 The downloading of legitimate material is subject to the risk of importing viruses and/or infringing copyright and/or intellectual property rights. Any material imported must be checked for viruses by virus scanning software provided through the IT Department. Downloaded material must be used in ways and purposes that are consistent with licensing and copyright arrangements. Users are reminded that any legitimately downloaded material becomes the property of Dudley CCG and not of the individual Any updates to software already in existence in Dudley CCG should be approved by the IT Department prior to installation by the user from the Internet. Any new software downloaded (including browser plug-ins) must not be installed without prior approval of the IT Department No Dudley CCG user will knowingly download or distribute illegally copied or unlicensed software via Dudley CCG s Internet facilities Any suspected breach in security or misuse of a connection will result in removal of access rights Dudley CCG will comply with all reasonable requests from Law Enforcement and Regulatory Agencies investigating an individual s Internet activities System Monitoring 13.1 All Internet traffic is logged automatically (each site a user visits is included in the log, with the time visited and pages viewed) to ensure that damaging code or viruses do not enter Dudley CCG s network or systems Dudley CCG also uses software that prevents users visiting sites that may contain illegal or pornographic material. The Head of Information Governance audits these logs periodically. If there is evidence that you are not adhering to the guidelines set out in this policy, Dudley CCG reserves the right to take disciplinary action, which may lead to a termination of contract and/or legal action Obtaining Internet Access 14.1 Users wishing to have Internet access must request it from the IT Department (Appendix 1). The request must be countersigned by the user s Head of Department and returned to the IT Department Upon logon to the Internet system the user will be required to electronically accept the Code of Conduct. The user will be then be issued with an individual logon code and password. These logon codes and passwords are individual and must not be shared Independent modem connections to the Internet are not allowed and should be reported to the IT Department, who will ensure they are terminated. If access is still required for that user/machine, then service will be provided via Dudley CCG s controlled network gateway Individual Internet Service Providers (ISP) accounts must be terminated. Personally held ISP accounts will not be used for official Dudley CCG business Users will be issued with a copy of this policy for reference. 9 P age

10 15.0 Monitoring Compliance 15.1 Staff are expected to comply with the requirements set out within the Internet Use Policy and Code of Conduct and related policies. Compliance will be monitored via the Chief Finance Officer and Information Governance Team reports of spot checks, completion of staff questionnaires, incidents reported, electronic audit trails and submission of the Information Governance Toolkit Non adherence to the Internet Use Policy and Code of Conduct and related policies will result in local Disciplinary Policies being implemented. 10 P age

11 Appendix 1 NHS Dudley CCG (Dudley CCG) NHS Network Code of Connection User Authorisation I/we the undersigned understand: That I/we have legitimate and useful purpose for connection to the Internet/NHS network and any of the services that are to be used. I/we shall not divulge the Internet authentication access login and password to any other individual. I/we shall agree that any existing connection to the Internet being used will be removed before connection to the Internet/NHS network and its services. I/we understand that Internet/NHS network access will be centrally monitored. I/we understand that attempted security breaches that are detected and adjudged to be a true violation, will be reported to the Head of IT to decide any action that will be taken against the offending party. I/we understand that all computer systems currently available for use on a local computer connected to the Internet /NHS network must have adequate security procedures in place. These procedures must satisfy any requirement of the Data Protection Act 1998 and Dudley CCG s Network and Server Security Policy. I/we understand anything that is downloaded from the Internet must be checked for viruses using the virus checker provided by the IT Department. I/we understand that downloading of offensive and illegal material will be considered a breach of Code of Conduct and will result in action being taken by the Organisation. I/we agree to let the computer that is connected to be audited at random intervals, without warning, by the IT staff. I/we have received a written copy of Dudley CCG s Internet Use Policy and Code of Conduct and fully understand its terms and conditions. I / we have read the above and agree to be bound by its terms. Signed (user) Date Block Capitals (user) Date. Signed (Head of Department) Date. Block Capitals (Head of Department) Date. Signed (Head of IT).. Date 11 P age