Usage Policy Document Profile Box

Transcription

1 Document Profile Box Document Category / Ref QSSD 660 Version: 0004 Ratified by: Governance and Risk Committee Date ratified: 12 th January 2012 Name of originator / author: Name of responsible committee / individual: Date issued: May 2012 Review date: Target audience: Document owner: Approved by : IT Systems Manager / Information Governance Manager Information Governance Working Group 2 years from issue date All staff Director of Finance and Development

2 Version Control Version Release Date Author Status Comments Dec 2009 Steven Pratt Draft No changes post initial review period Dec 2009 Steven Pratt Live Sept 2011 Rahima Hoque Draft Renamed and Internet Policy from Usage Policy Full content review under all sections Oct 2011 Rahima Hoque / Steven Pratt Draft After discussion, agreed should be separate from Internet Policy. Definitions section added Nov 2011 Rahima Hoque Draft Following review by the IGWG: Changes to Appendix A & B Nov 2011 Rahima Hoque Draft Following comments from Policy Review Group: Formatting changed from 1.5 line spacing to 1. Trust logo updated. 9 Updated. Appendix A only relevant to office based staff. Appendix B includes standard footer Jan 2012 Rahima Hoque Final Ratified by Governance and Risk Committee. Did you print this document yourself? Please be advised that the Trust discourages the retention of hard copies of policies and can only guarantee that the policy on the Trust website is the most up-to-date version. Document Location The source of the document will be found in the Trust Quality System. Freedom of Information Act 2000 Access This document will be available via the NEAS Publication Scheme. North East Ambulance Service NHS Trust

3 Contents Section Page 1. Introduction 1 2. Purpose 1 3. Scope 1 4. Definitions 1 5. Responsibility and Accountability 2 6. Legal and Professional Obligations Monitoring 5 9. Equality and Diversity Statement Consultation, Approval and Ratification Process Review and Revision Arrangements Dissemination and Implementation Document Control Including Archiving Arrangements Monitoring Compliance With and the Effectiveness of Procedural 6 Documents References 7 Appendix A: Out of Office Guidelines for Staff 8 Appendix B: Signature Guidelines for Staff 9 North East Ambulance Service NHS Trust

4 Page Introduction 1.1. The Electronic Mail ( ) system is provided by the North East Ambulance Service (NEAS) to support staff in undertaking their duties All Trust employees have been provided with access in accordance with NEAS 76 PC User Account Pack which governs access to the Trust s information technology infrastructure The system must not be used to exchange any information, data, software, which could bring the Trust into disrepute or result in exposure to litigation or prosecution, by regulatory bodies The North East Ambulance Service (NEAS) reserves the right to monitor and record all communications sent or received via the service s network or computer equipment for violations of this policy. 2. Purpose 2.1. The aim of this policy is to govern the expected and appropriate usage of within the Trust business operation, whilst ensuring that the Trust is not exposed to additional security risks or threats. This will be achieved by complying with appropriate law and detailing expected standards / key deliverables that must be observed To do this NEAS will: Ensure availability - ensure that the system is available for users. Preserve integrity - protect the system from unauthorised or accidental modification ensuring the accuracy and completeness of the Trust s assets. Preserve confidentiality - protect assets against unauthorised disclosure. 3. Scope 3.1. This policy covers all sites utilised by NEAS. The policy applies to any individual employed, in any capacity, by the Trust Any breach of the policy is considered to be an offence and in that event, NEAS disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with the Trust, and who have access to the service, will be expected to have read and comply with this policy. 4. Definitions 4.1. Anti-Virus is a software program which helps protect a computer against being infected by a virus Encryption is the process of converting information into a form unintelligible to anyone except holders of a specific key or password Malware is a form of computer program designed with malicious intent. The intent may be to cause annoying pop-up ads with the hope you click on one and generate revenue, or forms of spyware and viruses that can be used to steal your identity or track your activities NHS Mail is the and directory service specifically designed to meet the needs of NHS staff which allows to be sent in an encrypted form. It is the only Department of Health (DoH) approved NHS service for securely exchanging personal data between NHS approved organisations but needs to be used by both sender and recipient in order to be secure Personal data is data which relate to an individual who can be identified from those data or from those data and other information which is in the possession of, or likely to come into the possession of the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any person in respect of the individual. Personal information includes name, address, date of birth, or any other unique identifier such as NHS Number, hospital number, national insurance number etc. It also includes information which, when presented in combination, may identify an individual e.g. postcode etc.

5 Page Spam the use of mailing lists to blanket forum groups or private boxes with indiscriminate, unsolicited messages of a promotional nature. 5. Responsibility and Accountability 5.1. All staff, including temporary agency workers and students, are personally responsible for ensuring that they are aware of and compliant with this policy. By signing either the PC User Account pack or Network Authorisation Form, staff have agreed to this policy and its guidelines and should be aware that a breach of this policy may be regarded as serious misconduct which would lead to disciplinary action or dismissal in accordance with disciplinary procedures. Staff should also be aware that usage will be monitored and any unacceptable usage will be acted upon Line Managers have a responsibility to ensure all current, new and temporary staff are instructed in their responsibilities in relation to the use of and work in a manner consistent with this Policy The Information Governance Working Group (IGWG) is responsible for developing, maintaining and implementing this policy The Information Governance (IG) team have a responsibility to: Monitor usage in conjunction with IT and reports to managers where breaches in security are identified Work with line managers and risk management leads in the investigation of potential breaches of this policy Implement secure processes to protect personal information transferred electronically 6. Legal and Professional Obligations All users shall comply with the relevant legislation. This includes the following: 6.1. Data Protection Act 1998/Freedom of Information Act Any information which the Trust holds is potentially disclosable to a requester under one of these pieces of legislation. This includes s too Users need to be sure that they are not breaching any data protection when they write and send s. This could include but is not limited to: Passing on personal information about an individual or third party without their consent. Keeping personal information longer than necessary Sending personal information to a country outside the EEA The Trust will ensure that any transfers of personal information outside of the European Economic Area are only completed when sufficient security exists within the receiving country The Trust will undertake or commission regular audits to assess its compliance with legal requirements Computer Misuse Act 1990 This Act makes it an offence to try and access any computer system for which authorisation has not been given Defamation Act 1996 Under this Act it is an offence to publish untrue statements which adversely affect the reputation of a person or group of persons Terrorism Act 2006 This Act has makes it a criminal offence to encourage terrorism and/or disseminate terrorist publications Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations This allows for any organisation to monitor or record communications (telephone, internet, , and fax) for defined business related purposes.

6 Page Introduction is an important means of communicating quickly and easily to support the business needs of the organisation. However can be used inappropriately, either deliberately or otherwise. Remember that any , sent or received, may have to be disclosed in litigation or in an internal or external investigation or following an access to records request or a request under the Freedom of Information Act Within the Trust, is established for business purposes. It is recognised that s may be occasionally used for non-work purposes, however this should be limited and should only be carried out in your own time. Remember that the content of any may be disclosable Key Principles / Standards Always consider whether is the most appropriate means of communicating and whether other forms of communication e.g. a telephone call might be more appropriate. is one method of communication and does not replace other forms of communication Never hold or send by anything which may be illegal or offensive e.g. obscene or pornographic messages or comments which could discriminate on grounds of age, gender, race, ethnic origin, religion, belief or sexual orientation. should not be used to access or pass on unsuitable material such as pornography or offensive or inappropriate jokes. Regard with suspicion s from addresses you don t recognise. Do not open attachments unless you are confident the is genuine Any sent from a personal internet account, e.g. john.smith@yahoo.co.uk containing business information cannot be classed as official business communication from the Trust sent externally from the Trust must contain an appropriate legal disclaimer and statement of confidentiality. Mail containing personal views must be clearly labelled as being representative only of the views of the sender, not of the Trust, and is not authorised or sent on behalf of the Trust and is the personal responsibility of the sender. It is the sender s responsibility to ensure that confidential s are sent via the appropriate secure medium and you should not forward on any confidential s without the permission of the originating author Many employees of the Trust will have private external accounts that are provided by Internet Service Providers (ISP s), which may be accessible via the Web, e.g. Hotmail accounts etc. These accounts must under no circumstances be used to transfer / forward confidential Trust information or for the transfer of confidential patient information. No s containing such information are to be sent to or from these accounts. The Trust strictly prohibits the automatically forwarding of any work s to personal accounts or devices Retain originals of all s likely to have evidential value in current or future legal proceedings (see Archiving and Retention Policy to be developed) Be aware of the Data Protection Act particularly the section which states Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. (Principle Five) Do not use the facility to send out attachments to a large group of staff such as Headquarters, NEAS Everyone or even A&E Team Leaders. Where information needs to be communicated via an attachment/s to more than twenty members of staff please ensure that you contact the Communications Department by ing the details to PublicRelations@neas.nhs.uk or telephoning who will advise you on how to post the document on the Intranet and will set up a suitable link out to the intended audience on your behalf NHS Mail Organisations within and aligned to the Trust have signed a Code of Connection to NHSnet, and therefore have the ability to send messages and documents to other NHS / Public sector organisations that are also connected. Organisations must comply with the rules of connection to NHSnet at all times. s sent via the NHSnet do not pass outside of the NHS Network,

7 Page i.e. they do not pass across the open Internet. At the present time although sent between NHSnet accounts is reasonably secure, there are no guarantees of confidentiality. Care should be taken when transferring person / patient identifiable information using this network and further information can be found in QSSD 610 Transfer of Personal Information Policy Through connection to NHSnet via N3, the Trust has the ability to send messages and documents globally across the Internet. being transmitted across the Internet is completely insecure without encryption. No patient identifiable / confidential information should be sent over the Internet without the use of an approved encryption certificate. At present, the Trust does not have encryption in place Managing your Ensure you manage your s appropriately. Do not keep messages unnecessarily. s containing information that needs to be kept should be removed from the Inbox for ease of retrieval and stored in a separate folder or an appropriate location on the network When you are out of the office for more than 24 hours ensure you adhere to the corporate standard on use of out of office functionality (see Appendix A) Users may need to set up systems to allow line managers to access an individual s s e.g. when off sick or on leave, and the content may be needed for patient/service user care. If a user agrees that this is appropriate they should seek guidance from the Information Governance Department on the best way of doing this Only attach files if really necessary. All papers for meetings should be contained within a shared folder with appropriate security and access. The organiser or individual delegated with responsibility may then send out an to all members of the group advising them of when papers are available utilising the hyperlink facility, possibly via the meeting request. Group members will then be responsible for accessing and performing any other actions such as printing etc. This ensures all members do not have their own personal copies therefore reducing and duplication and assisting with retention / storage policy / governance Use the group distribution lists appropriately, ensuring the distribution list represents your target audience Before sending, check that the correct address has been typed or chosen correctly. Messages can be addressed to the wrong person by mistake e.g. recipient with a similar name, automatic completion of an address by the system Don t use the reply to all functionality unless it is necessary for all copy recipients to know your response. Only use the delivery and read receipts available in Outlook if you need to know that an has been received and opened If you are sending an which is time related (for example section currently closed or applications for training received by ) please use the expiry function which automatically strikes through the message and removes any attachment to save space Content and style of Careful consideration should be given to the content and style of s. Staff should consider the consequences of their s, and avoid sending messages that may reflect badly on them or the Trust e.g. angry, rude, abusive or unconstructive messages Do not use capital letters throughout s (some people regard this as "shouting") Do not enter into contractual commitments by unless authorised to do so. Ensure you follow relevant Trust contracting procedures Use the agreed standards for format of s. Utilise the standard Trust signature identifying the sender and other contact details (telephone number, address, fax number) in s (Appendix B) In line with the Caldicott principles, when sending s ensure that the recipient is only sent the information that they need Subject headings must always be used, clearly defining the subject matter of the . Make clear whether the is sent for action or information and what the recipient(s) are being asked to do and by when. The expectation is that s sent to people are for action but s cc to people are for information. Don t assume the message will have been read, understood, agreed with or acted upon just because you have sent it. With the sheer

8 Page volume of messages that staff have to cope with it may have been missed Before sending an it should be checked for spelling and grammar and to make sure that nothing which is being written is ambiguous or open to misinterpretation. 8. Monitoring 8.1. Monitoring use Whilst the Trust accepts that each employee has the right to privacy, it reserves the right to check if it believes that an employee has been abusing that privilege e.g. using for commercial purposes outside of the Trust s business s clearly marked as personal, will not be accessed by the Trust unless there are clear grounds for suspecting misuse or illegal activity on the behalf of the user. Personal s sent or received using Trust systems must be clearly marked as personal in the subject line. If not marked in this way, they will be considered to be business communications and may be accessible by the Trust The monitoring software also has an monitoring element included within it. The software is used to capture traffic to scan for any content contained within the that may cause offence to staff, and to protect the staff and organisation by blocking the receiving of inappropriate s The software blocks s that contain material considered by the software dictionary to be inappropriate or any that is classed as spam or that contains a virus. These are placed in a quarantine area in their own category Ad hoc reporting In addition to regular reports, specific issues in Internet or usage may be highlighted by other means for example, a user s line manager. These would be reported to the Information Governance Team. In such a case, no information would be provided to the line manager, unless a clear breach of policy had been identified and then in line with the investigation process The line manager would be informed if the reports indicated that no specific issue had been highlighted by the monitoring system. Requests for investigation can only by authorised by a Director. 9. Equality and Diversity Statement 9.1. The Trust is committed to providing equality of opportunity, not only in its employment practices but also in the services for which it is responsible. As such, this document has been screened, and if necessary an EIA has been carried out on this document, to identify any potential discriminatory impact If relevant, recommendations from the assessment have been incorporated into the document and have been considered by the approving committee. The Trust also values and respects the diversity of its employees and the communities it serves. In applying this policy, the Trust will have due regard for the need to: Eliminate unlawful discrimination. Promote equality of opportunity. Provide for good relations between people of diverse groups. For further information on this, please contact the Equality and Diversity Department. 10. Consultation, Approval and Ratification Process This document has been produced by the author on behalf of the IGWG. This group was consulted upon and their comments added to the document as appropriate The Trust Policy Review Group is the committee with the authority for the review of this document. The Governance and Risk Committee have responsibility for ratification of this document.

9 Page The IGWG has carried out a full and proper consultation and has considered the content of the document in terms of current best practice, guidelines, legislation and mandatory and statutory requirements, in considering the document for approval the committee also took into account the results of the recommendations of the EIA. 11. Review and Revision Arrangements The document will be reviewed annually or when appropriate after changes in or guidance. The document owner will be responsible for this review. legislation 12. Dissemination and Implementation Dissemination This policy is available for all staff to access via the Trust Quality System. Staff without computer network access should contact their line manager for information on how to access policies All staff will be notified of new or revised documents via internal communications systems This document will also be included in the Publication Scheme for NEAS in compliance with the FOI Act Implementation This policy will be implemented in the following ways: Regular communications to staff on new policies and procedures through Information Governance circulars. Regular audit of IG processes undertaken in line with policies and procedures in key areas i.e. records management, confidentiality, information security, FOI and data quality. Monitoring through the Information Governance Toolkit (IGT) Training Training will be regularly assessed and refreshed in order that staff may remain appropriately skilled / knowledgeable over time Broad IG training will be included in the Trust induction programme. Additional training can be requested at the discretion of a manager, or by an individual wanting personal development along with mandatory yearly update training Further guidance and information relating to data protection issues will be distributed periodically via various media including the intranet site, The Pulse (monthly service journal) and via Document Control Including Archiving Arrangements Register / library of procedural documents All documents shall be held within the Trust Quality System and will be managed in line with quality standards Archiving arrangement Archiving of documents will be in line with QSSD 1315 Records Management Policy. 14. Monitoring Compliance With and the Effectiveness of Procedural Documents All staff must adhere to this policy and comply with applicable UK legislation. Failure to follow this policy and related IG policy and procedures may lead to disciplinary, criminal or civil action being taken against the staff member Any monitoring of usage by the Trust will be undertaken within the constraints of the Regulation of Investigatory Powers Act 2000 and the Lawful Business Practice Regulations, The Data Protection Act 1998 and the Human Rights Act The lawful business practice

10 Page regulations identify a number of purposes for which Trusts may monitor or record communications on their systems without the consent of the individual these are: To establish the existence of facts relevant to the business, such as keeping records of communications where it is necessary or desirable to know the specific facts of the conversation. To ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the business, such as monitoring to ensure that the Trust Internet policy is being complied with. To ascertain standards which ought to be achieved by persons using the system. Quality control or staff training. To prevent or detect crime. To investigate or detect the unauthorised use of the system. To ensure effective operation of the system. For the purpose of determining whether or not they are communications relevant to the business Where the Trust intends to intercept communications without consent, the regulations require that all reasonable efforts are made to inform every person who may use the system that communications may be intercepted. This policy advises users that use of these systems is monitored, and by accessing these systems users have consented to this monitoring taking place. 15. References Department of Health NHS IG Guidance on Legal and Professional Obligations NHS Connecting for Health IG Toolkit NHS North of Tyne Policy No: NoT IG&T04, and Internet Acceptable Use Policy

11 Page Appendix A: Out of Office Guidelines for Office Based Staff The out of office function has now been adopted as a corporate standard across the Trust. Whenever you are planning to be out of the office for ½ a day or more you will need to use the Microsoft Outlook out of office function - please see information below for guidance on how to use it. This function allows you to send an automatic response to the person who has ed you. For Microsoft Outlook 2010: 1. Click the File tab, and then click the Info tab in the menu. 2. Click Automatic Replies (out of office). 3. In the Out of Office Assistant dialog box, select the Send Automatic Replies check box. 4. If you want to specify a set time and date range, select the Only send during this time range check box, set the Start time, and then set the End time. 5. In the Inside my organization tab, type the message that you want to send within your organization, and in the Outside my organization tab, type the message that you want to send outside your organization. 6. Click Apply. For Microsoft Office Outlook 2007 and earlier versions: 1. On the Tools menu, click Out of Office Assistant. 2. In the Out of Office Assistant dialog box, click I am currently Out of the Office. 3. In the Auto Reply only once to each sender with the following text box, type the message that you want to send while you are out of the office. Your out of office message must provide information on When you will return to the office Who to contact if the enquiry is urgent A sample message is provided below: Example standard message Thank you for your . I am out of the office until [insert date]. If your enquiry is urgent please contact [insert appropriate contact including and telephone number], alternatively I will deal with your on my return. Thank you Name Title/ job designation Contact details including telephone, and work mobile telephone

12 Page Appendix B: Signature Guidelines for Staff A standard footer will automatically be included in all outgoing s: NEAS accepts no responsibility or liability for the contents of this or any changes made after the original . Any views or opinions presented are solely those of the sender and do not necessarily represent those of NEAS NHS Trust unless otherwise specifically stated. If you are not the intended recipient (or responsible for delivery) of this and its attachments, please notify the sender and delete the and any copies made. The confidentiality of this cannot be guaranteed unless the contents are exempt from the FOI Act The signature function has now been adopted as a corporate standard across the Trust. Whenever you send an internally to a colleague or to an external recipient an signature with your contact details must be included. You will need to use the Microsoft Outlook signature function - please see information below for guidance on how to use it. This function allows you to send an automatic signature with your message. 1. Open a new message. On the Message tab, in the Include group, click Signature, and then click Signatures. 2. On the Signature tab, click New. 3. Type a name for the signature, and then click OK. 4. In the Edit signature box, type the text that you want to include in the signature. 5. To finish creating the signature, click OK. Example standard signature Name Job title The North East Ambulance Service NHS Foundation Trust Address 1 Address 2 Address 3 Town County Post code Phone Mobile phone Fax