, Calendar and Messaging Services Good Practice Guideline

Transcription

1 , Calendar and Messaging Services Good Practice Guideline Programme NPFIT Document Record ID Key Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG Prog. Director Mark Ferrar Status 1.0 Owner Tim Davis Version Approved Author Phil Benn Version Date 13/10/2006 , Calendar and Messaging Services Good Practice Guideline Crown Copyright 2006

2 Amendment History: Version Date Amendment History /10/2005 First draft for comment /10/2006 Approved Forecast Changes: Anticipated Change When Reviewers: This document must be reviewed by the following: Name Signature Title / Responsibility Date Version Malcolm McKeating IG Security Team Manager 0.1 Approvals: This document must be approved by the following: Name Signature Title / Responsibility Date Version Malcolm McKeating Tim Davis Distribution: IG Security Team Manager 1.0 Head of Information Governance NHS CFH Information Governance Team and FileCm NHS CFH Cluster Technical Architects NHS CFH Website NHS CFH External FileCm Document Status: This is a controlled document. Whilst this document may be printed, the electronic version maintained in FileCM is the controlled copy. Any printed copies of the document are not controlled. Related Documents: These documents will provide additional information. Ref no Doc Reference Number Title Version 1 NPFIT-SHR-QMS-PRP-0015 Glossary of Terms Consolidated.doc Crown Copyright 2006 Page 2 of 10

3 Glossary of Terms: Term Acronym Definition SMTP SMTP Simple Mail Transfer Protocol MTA MTA Message Transfer Agent Crown Copyright 2006 Page 3 of 10

4 Contents 1 Introduction Purpose Scope Assumptions Objectives Background Target Disclaimer Services Users of NHS systems should: Users of NHS systems should not: Calendar Services Directory Services Fax Services SMS Services Use of the Services for sensitive information...10 Crown Copyright 2006 Page 4 of 10

5 1 Introduction 1.1 Purpose The purpose of this document is to provide guidance on: The minimum best practice standards which should be applied to the use of , Calendar and Messaging Services. The procedures and mechanisms for the controlled use of , Calendar and Messaging Services in an NHS or other Healthcare environment. 1.2 Scope This document describes best practice guidelines for the use of , WebMail, Calendar and Messaging Services within an NHS or other Healthcare environment. It does not cover public access messaging systems, or external messaging infrastructures. 1.3 Assumptions This text assumes the reader has a broad familiarity with SMTP, MTA s and applications in general use. 1.4 Objectives This document provides guidance as to good practice for organisations and their users who wish to use , Calendar and Messaging Services, in an NHS or other Healthcare environment. Following reading this document, readers will be able to relate the practice detailed herein to their local organisation s operating practice and procedures. 1.5 Background This document offers guidance on the best practices to be considered when using E- mail, Calendar and Messaging services. It must be noted that whilst being private, N3 is not a secure network and therefore network level encryption is generally not available. This document offers guidance on the correct use of , Calendar and Messaging Services in such environments. 1.6 Target This document is intended for use by the following: NHS Connecting for Health National Network Service Providers NHS Healthcare Providers Non-NHS Healthcare Providers Crown Copyright 2006 Page 5 of 10

6 1.7 Disclaimer Reference to any specific commercial product, process or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NHS Connecting for Health. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. NHS Connecting for Health shall also accept no responsibility for any errors or omissions contained within this document. In particular, NHS Connecting for Health shall not be liable for any loss or damage whatsoever, arising from the usage of information contained in this document. Crown Copyright 2006 Page 6 of 10

7 2 Services 2.1 Users of NHS systems should: Identify themselves honestly, accurately and completely when setting up accounts on any NHS service, and keep such details accurate and up to date. Choose an appropriate address which reflects that the service is to be used for business purposes. Operate under organisational policies (where these are provided) when using the services. 2.2 Users of NHS systems should not: Attempt to use any aspect of the service for private gain or advertising. Route external communications in a manner that deliberately attempts to bypass any system logging or audit functionality. Attempt to disguise themselves or their sending address when they use the service in order to misrepresent any aspect of a communication. Use the services to disable or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of another user. Attempt to introduce computer viruses via messages or attachments. Forward chain mail or other frivolous material. Use the service to violate the laws and regulations of the United Kingdom. Attempt to send persistent communications to an individual or mailing list when, as a result of any complaint, a warning has been issued that further communication are not wanted. Send defamatory material by , or send communications which knowingly cause distress or offence to another user, or transmit any files of an obscene or pornographic nature. If, in exceptional circumstances, there is a business necessity to transmit sexually explicit images or documents for a valid clinical reason, then the user should justify and obtain the permission of the local Caldicott Guardian and inform the National Programme for IT that they intend to use the national system for this purpose before they start doing so. Crown Copyright 2006 Page 7 of 10

8 Additionally, users of NHS services have a responsibility to: Ensure that the identity of the recipient to whom they are sending an is correct. Reasonably understand copyright, trade-mark, libel, slander and public speech control laws, so that their use of the service does not inadvertently violate any laws which might be enforceable against the National Programme for IT, local Trust or organisation. Ensure that should it be necessary for Patient Identifiable Data to be transferred through the Service, the obligations detailed in the section of the document titled Use of the Services for sensitive information are adhered to. The primary use of the services by the authorised user should be related to the business of Health and Social Care, and for the purpose which the user is employed by their employing organisation. As such the user should not have an expectation of personal privacy in the use of the services. Clinicians should use the services in relation to the treatment of private patients in accordance with their professional codes of conduct; however, such use would be at the risk of the user. Crown Copyright 2006 Page 8 of 10

9 3 Calendar Services It is the responsibility of the user to: Ensure that Patient Identifiable Information is not held within the details of any appointment when that appointment is visible to another user who may not be directly involved in the care of that patient. Ensure that should Patient Identifiable Information be visible to another user, such information is commensurate with that user s access privileges to NCRS. 4 Directory Services It is the responsibility of the user to ensure that their details accessible through the directory services are correct and, should they require updating, are done so without undue delay. The user should not use the directory services to identify individuals or groups of individuals to send unsolicited material which is unrelated to their job role or responsibility. The user should not use the directory services to identify individuals or groups of individuals to send advertising material, or unnecessary or other frivolous material, either on their own account or on behalf of a third party. 5 Fax Services It is the responsibility of the user to assure the destination of any message sent through Fax Services such that it can be ensured that Patient Identifiable Data is not obtained by an unauthorised individual. 6 SMS Services It is the responsibility of the user to assure the destination of any message sent through the SMS Service such that it can be ensured that Patient Identifiable Data is not obtained by an unauthorised individual. Crown Copyright 2006 Page 9 of 10

10 7 Use of the Services for sensitive information Some services such as Contact provide encryption of interpersonal messages during transmission. This encryption ensures that the message cannot be intercepted and read or tampered with during transmission. Users should ensure that local policies and procedures are in place to protect privacy and confidentiality of all personal and sensitive information. Such sensitive information includes all Patient Identifiable Data. Note that the Contact system was created to be acceptable for this purpose. Patient Identifiable Information should not be transmitted where encryption is not available either within the services or the client application being used. Users should check with local IT support for further information. It is the responsibility of the user to ensure that should it be necessary to send Patient Identifiable Data through Electronic Mail Services, such information shall be no more than the individual receiving the needs to know to perform the function which the Sender intends the individual to perform with the Data, and that such necessity is endorsed by the Caldicott Guardian for the Sender. The user should not send clinical information as an attachment between recipients unless it is part of a process between Health Care Professionals who have agreed to such an exchange, such agreement to take place in advance of any communication. It is best practice for the user to seek acknowledged receipt of such information. The user should ensure that they are satisfied as to the identity of any other party with whom they correspond on clinical and confidential matters, and/or send sensitive information to. The user should ensure that any clinical information sent conforms to the Caldicott principles in a manner endorsed by the local Caldicott Guardian. Crown Copyright 2006 Page 10 of 10