, Internet & Social Networking Policy Version th December 2014

Transcription

1 , Internet & Social Networking Policy Lead executive Name / title of author: Chief Nurse Colin Owen, Information Governance and Data Security Lead Date reviewed: October 2014 Date ratified: 5 th December 2014 Ratifying Committee: Information Governance Committee Target audience: Policy Summary: All users of Trust and internet services To set out the Trust s standards for the use of , internet and social media to help support management with the delivery of Trust services and for communicating with partner organisations and stakeholders. Both Internet and services are to be used primarily for Trust business, but are available for appropriate general use providing the use is deemed reasonable with the Trust s standards set out in this policy. Equality Impact Statement: Training impact and plan summary: University Hospital of South Manchester NHS Foundation Trust ( UHSM ) strives to ensure equality of opportunity for all service users, local people and the workforce. As an employer and a provider of health care, UHSM aims to ensure that none are placed at a disadvantage as a result of its policies and procedures. This document has therefore had an initial assessment, in accordance with the equality impact proforma incorporated in the Checklist for Review and Ratification of UHSM-wide Documents, to ensure fairness and consistency for all those covered by it regardless of their individuality. This initial impact assessment indicated that the potential discriminatory impact is very low, and therefore no further assessment was necessary. The Policy is part of the IG Mandatory Training Programme. Outline plan for dissemination: Dissemination lead: name / title / ext n o Available by the Intranet Colin Owen Information Governance and Data Security Lead. This version n o V3.0 Date published: 04/03/2015 This version (v3.0) December 2014 Page 1 of 16 Next review December 2016

2 Version number Version Control Schedule Issue Date Revisions from previous issue Date of ratification by Committee 24/02/2010 V1.0 20/10/2009 NA V2.0 V2.1 19/11/2013 Modifications to the rules for personal internet use to reasonable use. V3.0 07/11/2014 Change of title, minor changes and clarifications for private use of personal mobiles. HCGC March /11/ /12/2014 Summary of consultation process Control arrangements [Review usually every 3 years, but more frequently if required ] Document Control Reviewed by all Information Governance Committee members, reviewed by Communications Manager and put out to consultation by all staff. Information Governance Committee is tasked with monitoring this policy and all related material that might prompt revision. It is the role of the IG Lead/HR Manager to update as appropriate. Audit of Compliance will be made in the form of a report to IGG twice per year by the IG lead/hr Manager. The policy will be revised every two years in line with Trust Policy, or sooner should a change in guidance dictate. There is an associated IG action plan reviewed annually in line with IG toolkit results, and monitored and developed by the Information Governance Committee. Associated documents IT security Policy, Confidentiality Code of Conduct Policy. References Document Compliance Monitoring Arrangements Process for monitoring Responsible individual / group/ committee Information Governance Committee This version (v3.0) December 2014 Page 2 of 16 Next review December 2016

3 Frequency of monitoring Role responsible for preparation / approval of report and action plan Committee responsible for review of results / approval of action plan Individual / group / committee that is responsible for monitoring of action plan Two yearly Information Governance and Data Security Lead Information Governance Committee Information Governance Committee This version (v3.0) December 2014 Page 3 of 16 Next review December 2016

4 Contents SECTION PAGE 1 Introduction Policy Statement Legal Issues Use of Services Monitoring of User Activity Process for monitoring the effectiveness of the Policy Dissemination, Implementation and Access to this Document Review, Updating and Archiving of this Document References and Bibliography Associated Documentation Duties APPENDICES 12 APPENDIX A - PLAN FOR DISSEMINATION This version (v3.0) December 2014 Page 4 of 16 Next review December 2016

5 1 Introduction 1.1 University Hospital of South Manchester NHS Foundation Trust (UHSM) recognises that Internet and services have the potential for enormous benefit to employees. 1.2 The facilities bring tremendous potential to support the management and delivery of Trust services, and for communicating with partner organisations and stakeholders. It is Department of Health policy, adopted by the Trust that all NHS staff have the facility of internet and access available in their workplace. Both Internet and services are to be used primarily for Trust business, but are available for appropriate general use providing the use complies is deemed reasonable with the Trust s standards set out in this policy. 1.3 Social networking sites such as Twitter and Facebook are popular and used by many staff and some approved departments with the organisation, but misuse of these can lead to breaches of confidentiality or bring the reputation of the Trust. 1.4 Again, however, UHSM also recognises that these services can be misused, and thus the associated risks and pressures, including litigation and security concerns, confidentiality breaches, legal and regulatory compliance and productivity of staff must be addressed. 2 Policy Statement 2.1 The objectives of this policy are to: Clarify Trust policy regarding acceptable and unacceptable use of internet and services and social networking Reduce or avoid security threats by increasing awareness and disseminating good practice. Encourage effective use of Trust resources. Protect the Trust against potential liability. Ensure confidentiality of staff/patients is maintained at all times. 2.2 This policy applies to all individuals (employed or otherwise) having the facility to use the Trust s and internet services, on Trust equipment or other devices (where the Trust has approved) or plus anyone granted access to the Trust network whilst engaged in work for the Trust at any Trust occupied location, and/or on any Trust owned or Trust approved computer, including those with remote or smart phone access. In terms of social networking, as a Trust employee, representative or anyone working on behalf of the Trust has a reasonable expectation that staff will not bring the Trust into disrepute, and therefore this policy is extended to the staff members social media use. Staff must not use their phones for personal reasons whilst undertaking clinical practice or where near patients and keep personal use to a minimum and emergency situations. 2.3 The policy also covers Trust web gateways, direct , web mail, instant messaging, and NHS Mail accessed from Trust equipment (or other approved devices) This includes staff conduct both on and off site, whilst using such services and therefore this policy is extended to the staff members personal use. 2.4 The principles of this policy also apply to staff that have been granted access to internet and services remotely from home or via a device for Trust business The policy also provides guidelines for staff in creating s and managing their mailboxes. This version (v3.0) December 2014 Page 5 of 16 Next review December 2016

6 2.5 The Trust will at all times seek to act in a fair manner and respect staff rights for privacy of their personal data under the Human Rights Act 1998 and the Data Protection Act Legal Issues 3.1 The Trust owns the network over which and internet services are provided. This means that the communications over the network can not be classed as private and the Trust reserves the right to monitor activity if this is prompted. This may lead to a formal investigation under Trust disciplinary procedures. 3.2 However the Trust is not compelled to initiate an investigation. 3.3 All staff using internet and resources should clearly understand the legal issues involved from both their own perspective and from that of the Trust. The laws of defamation, obscenity, discrimination and harassment, copyright and confidentiality all apply to staff use of and internet services 4 Use of Services 4.1 General All network services including and internet access are provided primarily for Trust business, but are available for general use providing the use complies with Trust policies Staff must not: Use the network or services for personal financial gain, or for Personal or private advertising. Use another staff member or party s username or password to access the network, or allow another user to use his/hers. Attempt to introduce and transmit material (including but not restricted to computer viruses, Trojan horses and worms) designed to be destructive to computer systems, or to try to get round precautions designed to prevent such material. Access or display any pornography or other sexually explicit images or documents, or any other images that are discriminatory, including screen savers. Delete other users files or interfere in any way with the contents of their directories, particularly if given temporary or shared access. Remove computer software such as desktop icons, wallpaper or screensavers from its location or tamper with it in any way. 4.2 Internet The Trust Internet use is monitored. The Trust allows a reasonable amount of personal browsing time in non work time Access to non business sites will be monitored staff should refrain from using the internet for personal use, even on their own mobile devices, for example smartphone or tablet, when they This version (v3.0) December 2014 Page 6 of 16 Next review December 2016

7 should be working, members of staff abusing this privilege may be disciplined in accordance with the Trust Disciplinary Procedure The Trust blocks a number of websites that have been classified as inappropriate use. If it is thought a site needs to be reclassified, staff should contact the IT department for approval Users must not: exceed a reasonable amount of internet browsing time for Non Trust business access on Trust or own equipment.in non working time. express opinions over the internet that purport to represent the views of the organisation or reflect negativity on the organisation, not use the internet in such a way that interferes with the productivity of their department. access inappropriate, offensive or sexually explicit sites. (Should staff inadvertently navigate on to such a site, they must exit immediately, making a note of the URL, and report it to the IT service desk on requesting a log number from IT). use the internet in such a way that interferes with Trust business use i.e. media streaming which takes up a lot of space on the network, and slows the internet down for legitimate business use. Use non-work related chat-rooms or similar services. Play computer games across the Trust network and/or the internet on a Trust PC or laptop This list is not exhaustive, but indicates the types of activity that may be regarded as misconduct. Staff should always bear in mind that they may be called upon to justify the use of internet and to their manager, both in terms of time and content Unacceptable use of internet and services includes any action which could bring the Trust into disrepute, interfere with the Trust s business, its reputation or jeopardise the security of data, networks, equipment or software or cause harm to recipient s patients or staff. Inappropriate web sites are subject to restriction by the Trust s web content management process The service provided by the Trust is primarily for business use and is owned by the Trust, as a result the Trust has a responsibility to ensure that this service is used appropriately and not for illegitimate or illegal activity The Trust reserves the right to routinely or intermittently monitor activity and usage, and to investigate further if prompted to do so. 4.4 At all times the Trust will seek to act in a fair manner and respect staff rights for privacy of their personal data under the Data Protection Act This version (v3.0) December 2014 Page 7 of 16 Next review December 2016

8 4.5 However staff should be aware that no communication sent over Trust owned networks can be truly private, and should seek other methods of transfer should they wish to communicate in a private setting. 4.6 The Trust will employ Information Commissioners Office guidance in the event of an investigation into a member of staffs account, and this will be done in conjunction with Human Resources Where appropriate the staff member will be informed that this type of investigation will be taking place, unless this would jeopardise a criminal investigation Acceptable Use Staff should: Ensure that the identity of the receiving recipient s address is correct, and that messages or data sent by Trust or NHS mail do not cause distress or offence to the receiving recipient, including chain mail messages, and jokes. Guard against accidental breaches of confidentiality by entering a wrong address or forwarding a message to inappropriate recipients. Note that the senders name in the From box within an is not always reliable and could be used maliciously by other internet/ users. Initiate the Out of Office assistant on the Trust service giving details of alternative contacts or arrangements for planned periods of absence. Set up shared accounts and calendars, for managers/consultants and their secretaries through the Local Service Desk, rather than sharing usernames and/or passwords. If this is not done then a line manager may authorise the IT department to make this available in times of need by giving authorisation to access the employees account. The user should be informed by the line manager on return as to the reason for access and the user will require a new password via the IT department. Use the sensitivity categories on carefully (normal, personal, private, confidential) where appropriate. Clearly state to the recipient when material is private and confidential. Include private within the title of the in private s (i.e. non-trust business). These s will not be opened, unless they contravene other rules of the monitoring software or providing they do not contain profanity or for other good reasons such as being involved within a specific investigation. Staff should note marking an as private will not negate the need to investigate that in the event of a complaint or if an investigation is initiated (see above) Inform their line manager if unsolicited offensive or sexually explicit s are received, who will be responsible for deciding whether further investigation or disciplinary action is appropriate Unacceptable Use Staff must not: This version (v3.0) December 2014 Page 8 of 16 Next review December 2016

9 Use to engage in activities or to transmit content that is harassing, discriminatory, menacing, threatening, obscene, defamatory, or in any way objectionable or offensive. This includes disparagement or defamation concerning race, religion, colour, sex, sexual orientation, national origin, age, or disability, and incorporates sending, receiving, soliciting, printing, copying or replying to such messages. Assume that copying in individuals means that the receiver has read or agreed with the content of the . Express personal views in such a way that they are likely to be interpreted as being the official policy/view held by the Trust. Use personal software/webmail (for example, hotmail) for Trust business. Send patient identifiable information or sensitive information externally via an message on the Trust system. NHS.net should be used instead. For further information see the Information Security Policy. Send or forward on unwanted (junk or unsolicited marketing material commonly, known as SPAM), chain letters and offers, hoax virus warning, amusing animations and graphics, unsolicited mail or communication lists via the Trust s system, as these can impact systems and disrupt services. Commit the Trust to purchasing or acquiring goods or services without correct authorisation in line with the Trust s Standard Financial Instructions. Use their own disclaimer on messages sent to recipients outside of the Trust without approval by the IG and Data Security Lead. The Trust has a legal disclaimer which is automatically attached to all external messages as they leave the Trust network. Deliberately release confidential information. This is a disciplinary offence, as set out in this policy and the Trust Confidentiality Code of conduct. Use services to forge signatures. Initiate a SPAM attack from within the Trust, using Trust or own equipment For messages internal to the Trust, minimal patient details should be contained in the body of the and preferably an attachment, which is password protected or via a link to a secure intranet page. For messages containing clinical information going outside the Trust, NHS Mail must be used, as this provides adequate security by encryption. Alternatively use to securely exchange files with other NHS and non-nhs organisations over the internet. Inappropriate messages going out of or coming into the Trust will be subject to quarantine and removal by the Trust s message content management process. 4.7 Social Networking, Discussion Forums and News groups A social network service focuses on the building and verifying of online social networks for communities of people who share interests and activities, or who are interested in exploring the interests and activities of others. This version (v3.0) December 2014 Page 9 of 16 Next review December 2016

10 4.7.2 Most social network services are primarily web based and provide a collection of various ways for users to interact, such as chat, messaging, , video, voice chat, file sharing, blogging, discussion groups Standards for individuals (employed or otherwise) who are engaged by the Trust will not maintain any site that contains personal identifiable information of Trust patients, or relatives, whilst they are a patient at the Trust. This does not preclude staff from having pictures of relatives on their site, as long as they are not in situ as a patient of the Trust. will not maintain a site that contains photographs of Trust patients and/or their relatives. will not maintain a site that contains person identifiable information of another Trust employee in relation to their employment including judgements of their performance and character. will not maintain a site that contains photographs of another Trust employee taken in the work situation or in their working uniform. will not maintain a site that contains defamatory statements about University Hospital of South Manchester, its services or contractors. must not express opinions in the above forums that purport to represent their own views on the organisation, whether from the Trust network or home. must never post a comment on the organisation that purports to represent the views of the Trust, without first consulting the Communications team As a Trust employee the Trust has a reasonable and lawful expectation that staff will not bring the Trust into disrepute, this is extended to the home environment as well. Any grievance with the organisation should be channelled through procedures and policies already in place and dealt with within the work environment 4.8 Instant Messaging Staff must not: Use Instant messaging, e.g. via MSN (Microsoft network) for internal business use, or private use at work or over the Trust network. Instant messaging is a way of communicating from one user to another and differs from in that the conversations happen in realtime. 4.9 Streaming Media Staff must not: Use streaming media on the Trust site for personal or private use. Media that is distributed over a data network can be streamed such as radio or television or non-streamed such as video or audio. The user does not have to wait to download a large file before seeing the video/tv programme or hearing the sound, because it is sent in a continuous stream that is played as it arrives. This uses a great deal of bandwidth, potentially affecting other Trust business use of the internet. This version (v3.0) December 2014 Page 10 of 16 Next review December 2016

11 4.10 Private Use Staff should use internet facilities primarily for Trust business but private use is allowed within a reasonable personal browsing time, Employees must never allow use of the facilities to interfere with their job performance or work responsibilities. Staffs who abuse this privilege will be subject to disciplinary action Similarly, staff may use occasionally and not excessively for personal use e.g. to communicate with family members, but this personal use should be limited to lunch or other breaks, or after normal working hours and be absolutely necessary protecting identifiable data in line with the requirements of the Trust Information Security Policy Personal use should not include operating a business, campaigning for political causes or candidates, or promoting or soliciting funds for a religious or other personal cause, and must comply with the provisions of this policy It is not permissible to use the Trust s address for private correspondence, or for delivery of goods purchased over the internet. (other than those staff who have resident accommodation on site) Out of hours usage does not lessen the Trust s legal responsibility regarding inappropriate material and/or harassment, misrepresentation and other issues, and thus the principles of this policy apply to private use as well as business use Where an is identified as private in its header, the message content will not be accessed, unless that message is suspected to contravene good employment practice or unlawful activity. Where an employee is suspected of abusing the privilege of private use of , the volume of misuse will be the major focus of investigation. However, if the Trust suspects an employee of engaging in criminal activity in the workplace and reasonably believes that this may involve the sending or receipt of s, the Trust will have a right to access the contents of messages marked as private. 5 Monitoring of User Activity 5.1 Routine Monitoring of Internet usage A series of random dates will be selected by the SIRO / Caldicott Guardian when user reports will be made available by the IT department for routine retrospective internet monitoring. A small working group will be established with a HR Lead, IG Lead and an IT Manager to analyse audit logs and forward any concerns to the relevant manager of the individual. 5.2 Ad Hoc Monitoring (Internet and s) A senior manager who suspects there has been a breach of policy by an individual(s) for which they are responsible should make an approach to the HR Lead and the IG Lead for copies of audit /usage reports The Information Governance and Data Security Lead will request an activity report detailing internet or use. This will be made available if an HR manager or a Director has authorised it It is the responsibility of the IT Services Department and the Information Governance and Data Security Lead to undertake more in depth investigation where appropriate. This can involve the This version (v3.0) December 2014 Page 11 of 16 Next review December 2016

12 reading of business and personal contents and attachments to verify the validity of the content. A similar process is undertaken to assess and categorise web pages and web mail. However this will always be done in accordance with the law, and take in to account ICO guidance. 5.3 The following tools are implemented as described Anti-virus Is implemented on: Client and server machines. Dedicated server. gateways. This means that all staff s and outside connections will be scanned for viruses as a normal part of network security Mail Content Is implemented on: gateways This software scans incoming and outgoing s for inappropriate material such as language, images, and certain file types. It also places restrictions on file size and file type, and adds the authorised Trust disclaimer on outgoing messages Messages found to be in contravention of the rules set up within the software are quarantined, and assessed for release or deletion in line with the IT Services operational procedures. Ad-hoc processes are also carried out as requested via the IT Service Desk Web Filtering Prohibits access to sites with offensive material. Monitors access to all permitted sites. Can audit and report on all sites permitted and prohibited. Filtering and reporting can be implemented on specific machines, staffs, departments, websites, and categories Anti-spam Is implemented on: Dedicated server. gateways These services trap, quarantine/remove incoming mail that appears to be spam. This version (v3.0) December 2014 Page 12 of 16 Next review December 2016

13 5.4 Breach of Policy If a breach of this policy should occur individuals should contact their line manager in the first instance if it is appropriate to do so. It is possible such a matter may be resolved locally, although HR would act to support line managers if this was not the case and further action needed to be taken. If staff are found to have contravened this policy disciplinary sanctions, up to and including dismissal can occur. 6 Process for monitoring the effectiveness of the Policy 6.1 The policy will be monitored by staff as outlined in section 3 of the policy. The standards set out will be reviewed by the Information Governance Committee to ensure it is up to date with relevant guidelines and associated good practice. 6.2 Internal audit will review the processes attached to this policy in association with IT security monitoring. 7 Dissemination, Implementation and Access to this Document 7.1 This policy will be available via the Intranet, and the publication scheme on the internet. Staff will be notified of it s presence via global , and Trust induction. Staff will be informed of the necessity to read this policy during mandatory training and team brief. 8 Review, Updating and Archiving of this Document 8.1 This policy will be available via the Intranet, and the publication scheme on the internet. Staff will be notified of it s presence via global , and Trust induction. Staff will be informed of the necessity to read this policy during mandatory training and team brief. 9 References and Bibliography Computer Misuse Act 10 Associated Documentation Information Security Policy Code of Confidentiality for Staff 11 Duties 11.1 Duties within the Organisation The Chief Executive also known as the Accountable Officer is responsible for ensuring that the Trust has effective policies to assist staff and control risks Caldicott Guardian is responsible for ensuring that Information Governance policies are in place, and the Trust Board is aware of any related Information Governance issues arising from policy implementation Senior Information Risk Officer is responsible for ensuring the accountable Officer is made aware of any information risks associated with this policy, and acts as an advisor to the Board. This version (v3.0) December 2014 Page 13 of 16 Next review December 2016

14 They are responsible for ensuring any information assets associated with this policy are managed appropriately by an Information Asset Owner Head of IT Operations is responsible for The availability of IT Services. Managing the IT Services infrastructure and staff. Ensuring compliance to external standards and policies, e.g. Connecting for Health (CfH). Ensuring the availability of internet and services and their supporting infrastructure Managing the security and integrity of data, via anti-virus, mail content, and web filtering and content and anti-spam products. Managing the internet filtering and content by testing the integrity of web sites and categorisation of sites not yet categorised by the Barracuda Web Filter product Managing the mail store, and the establishment and maintenance of shared mailboxes and calendars Managing and monitoring the quarantine area and releasing appropriate messages. Undertaking programmed and ad hoc monitoring arising out of internet and security products. Maintaining the Microsoft Active Directory for the NHS Mail Directory Connector Service. Maintaining the currency of Trust employees in appropriate sources (starters and leavers). Producing documentation and reports on internet and usage and misuse. Reporting non-compliance to this policy and other security violations via the Trust risk management procedure. Managing the IT Services infrastructure and staff. Ensuring compliance to external standards and policies, e.g. Connecting for Health (CfH) Reporting non-compliance to this policy and other security violations via the Trust risk management procedure Information Governance and Information Security Lead is responsible for Assisting HR and Managers in providing guidance to support their investigations. Advising the IG Committee of any breaches occurring under this policy. Reporting non-compliance to this policy and other security violations via the HIRS Keeping the policy under review in light of incidents and legislation. Advising on the security of personal data under Data Protection legislation Raising initial awareness of the policy at the corporate Trust induction and mandatory IG Training via the IT Training department Line Managers are responsible for: Monitoring staff compliance of the policy (see monitoring section) Monitoring staff time spent on personal use of the internet and services.(see monitoring section) Instigating further investigations arising out of suspected misuse. Taking action regarding misuse in accordance with the Trust s Disciplinary Policy. Reporting non-compliance to this policy and other security violations via the HIRS All users of Trust and Internet services are responsible for Reading and complying with this policy and associated guidelines. Reporting non-compliance to this policy and other security violations via HIRS. Ensuring compliance with guidelines for the records management of boxes. E.g. regularly deleting items no longer needed. This version (v3.0) December 2014 Page 14 of 16 Next review December 2016

15 Adhering to the NHS Mail Acceptable Use Policy when using NHS Mail. Ensuring they do not engage in activity contrary to this and other related policies This version (v3.0) December 2014 Page 15 of 16 Next review December 2016

16 12 APPENDIX A - PLAN FOR DISSEMINATION Title of document: , Internet & Social Networking Policy Date finalised: Previous document already being used? Yes Dissemination lead: Print name and contact details Colin Owen If yes, in what format and where? Via the Intranet Proposed action to retrieve outof-date copies of the document: Not applicable. Describe the plans for dissemination of the document to specific people / groups in specified formats and if appropriate with relevant training IG Committee via Dissemination Record - to be used once document is ratified. Date put on register / library of policy or procedural documents 04/03/2015 Date due to be reviewed 31/03/2017 Notes This version (v3.0) December 2014 Page 16 of 16 Next review December 2016