NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST MOBILE COMPUTING & REMOTE WORKING POLICY. Documentation Control


NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST
MOBILE COMPUTING & REMOTE WORKING POLICY

Documentation Control

Reference: GG/INF/020
Approving Body: Directors Group
Date Approved: 24
Implementation Date: 24
Summary of Changes from Previous Version: Responsibilities for mobile computing devices/data, risks and how to prevent them.
Supersedes: and Procedure Version 1, October 2010
Consultation Undertaken: Information Governance Committee
Date of Completion of Equality Impact Assessment: 26th September 2013, see separate template attached at Appendix 1
Date of Completion of We Are Here for You Assessment: 26th September 2013, see separate template attached at Appendix 3
Date of Environmental Impact Assessment (if applicable): 26th September 2013, see separate template attached at Appendix 2
Legal and/or Accreditation Implications: Potential non-compliance with Data Protection Act 1998; The Computer Misuse Act 1990; ISO27001: 2005
Target Audience: NUH staff that use mobile computing and remote working devices.
Review Date: September 2016
Lead Executive: Director of ICT Services

Author/Lead Manager
Name: Femi Famodile
Job title: Information Security & Risk Manager
Extension:

Further Guidance/Information
Name: Femi Famodile
Job title: Information Security & Risk Manager
Extension:

CONTENTS

1. Introduction
2. Executive Summary
3. Policy Statement
4. Definitions / Glossary
5. Roles and Responsibilities
6. Policy Requirements
7. Training, Implementation and Resources
8. Impact Assessments
9. Monitoring Matrix
10. Relevant Legislation, National Guidance and Associated NUH Documents
Appendix (1) Equality Impact Assessment
Appendix (2) Environmental Impact Assessment
Appendix (3) Here For You Assessment
Appendix (4) Certification Of Employee Awareness

1.0 Introduction

1.1 Mobile computing and remote working makes information available whilst working on the move or at alternative locations; however there are risks associated with information moving around various locations on a variety of devices and through several communication channels and it is imperative that the Trust implements robust information security arrangements where this is used.

2.0 Executive Summary

2.1 Mobile computing and remote working can improve the patient care experience and contribute to the improvement of the working lives of NUH staff and the Trust has the responsibility for enabling and supporting employees who use mobile computing and remote working facilities. Given the nature of some of the information that may be moved around, and the adverse consequences if it is lost or stolen, it is important that staff are aware of these risks and how to prevent them.

Do:
- ensure mobile equipment (including manual files) used in support of clinical and operational work of the Trust is safe and secure at all times and any personal data or business critical information used is kept to a minimum
- report any incident/breaches including the loss or theft of mobile computing equipment

Don't:
- misuse Trust resources provided for mobile computing
- undermine security measures (including encryption), intended to protect information on mobile computing devices

3.0 Policy Statement

3.1 The Trust will provide secure access for and promote good information security practices for staff making use of mobile computing and remote working facilities outside the boundaries of Nottingham University Hospitals NHS Trust premises (including working at home) by:
- providing secure working practices for employees who intend to use and transfer manual and computer files between home, the office and the community
- ensuring the security of computer systems and the information they contain is not compromised in any way
- ensuring anyone who accesses and uses Trust information by connecting remotely to its servers or using mobile devices does so securely

4.0 Definitions

4.1 Remote Working
Accessing trust data whilst working away from your normal fixed place of work, via any of the following means:
- Mobile Computing - Working at any location (non-fixed), using mobile devices and/or removable media
- Teleworking and home working - Working at home or any location other than your normal work base requiring periods of access to NUH information systems
- Remote connection - Authorised staff can access data held on the Trust's secure server remotely using a VPN (Virtual Private Network) Client. The system allows access from any Internet connected PC referred to as the Host PC.

Mobile Devices
Typically this will include laptops, notebooks, tablets, smart phones, but also includes digital devices such as dictaphones and mobile phones.

Removable Media
Removable media refers to storage media which is designed to be removed from the computer without powering off the computer and often used to transport or store data; examples include optical discs (Blu-ray discs, DVDs, CDs), memory cards, USB flash drives, external hard disk drives etc.

Encryption
Encryption means converting information using a code that prevents it being understood by anyone who isn't authorised to read it. To read an encrypted file a key or password must be used to decrypt it.

Information Asset
Refers to data held by the Trust in any form. This data may be held electronically by software in computer systems and transferred between users across a network, or on paper, in files, transferred by post.

5.0 Roles and Responsibilities

Committees

Information Governance (IG) Committee
The IG Committee is responsible for ensuring that this policy is implemented, including any supporting guidance and training deemed necessary to support its implementation. The committee will ensure that the standards and requirements for information governance and security (including mobile computing) are understood across the Trust whilst also ensuring that appropriate and effective mechanisms are in place for the identification, reporting and mitigation of risks relating to mobile computing using established Trust procedures. The IG Committee reports to Directors Group (Quality).

Individual Officers

Chief Executive
The Chief Executive as Accountable Officer for the Trust has overall accountability and responsibility for Information Security in the Trust.

Implementation of, and compliance with this Policy is delegated to the SIRO, Information Security & Risk Manager and to the members of the Information Governance Committee.

Senior Information Risk Owner (SIRO)
The Senior Information Risk Owner (SIRO) will act as an advocate for information risk on the Board and in internal discussions. This will include any risks relating to mobile computing, records or data on mobile devices. These risks will be identified, assessed and reported using the established organisational risk management processes and overseen by the Information Governance Committee. These duties will be disseminated and discharged through clearly designated, suitably qualified and experienced members of staff.

Clinical / Corporate Directors
As IAOs, Directors are responsible for the management of information risk within their Directorate and taking responsible action to mitigate them. IAOs must ensure procedures are in place within their Directorate to enable the identification and assessment of information risks of mobile computing and remote working and the implementation of control measures, including staff training and awareness to mitigate the risks.

Managers
All managers within the Trust have responsibility for ensuring that the Trust standards and policies for mobile computing and remote working are actively promoted, adhered to, and that all staff are aware of their personal responsibilities for information security and Data Protection.

Information Security & Risk Manager
The Information Security & Risk Manager is responsible for the implementation and enforcement of the Information Security Policy and other supporting policies, ensuring that risks to mobile computing and remote working are identified and adequate controls applied to ensure the security of NUH data.

5.2.6 All Staff
All NUH employees and anyone working for NUH (e.g. agency staff, honorary contracts, management consultants etc.) who use mobile computing and remote working resources and have access to Trust personal information must understand their responsibilities for data protection and confidentiality. Each member of staff shall be responsible for acceptable use of the Trust's information systems and data.

6.0 Policy Requirements

6.1 As the use of mobile technology and computing devices grows, it is vital that the data held on them is not compromised by poor security practices. Mobile technology and devices are vulnerable to both being mislaid and to theft. It is important therefore that all users of laptops, tablets, mobile phones and other mobile / removable devices that may be used for remote working are aware of the inherent risks associated with their use, particularly away from the work place.

The Trust is required to have appropriate procedures for ensuring that mobile computing and remote working are conducted in a secure manner in order to satisfy statutory and mandatory standards of information security. [1]

The use of mobile devices creates additional risks for information assets, and this policy is intended to mitigate the information risks of loss, damage, misuse and unauthorised access, to confidential or sensitive Trust information when it is accessed and/or removed from the Trust's secure systems or premises. The portability and ability to connect and transfer data in multiple ways increases virus, malware, hacking vulnerabilities, licensing problems and increased support requirements.

Working Environment

The physical and logical controls that are available within the Trust's network and physical environment are not automatically available when working outside of that environment. Therefore, mobile computing and remote working locations must be risk assessed and should cover:
- Physical security, for example, the risks of home burglary and loss of equipment and records may need to be mitigated through the use of physical security devices such as Kensington locks or locked cabinets for paper records not in use.
- Compliance with Display Screen Equipment (DSE) regulations is recommended for example, having a workstation with an adjustable chair and suitable lighting.
- Environmental conditions, for example, ensuring that NUH equipment or data is not held in an area where heat, cold, water or dampness could cause damage.

Personal and sensitive information must not be stored on a personal home PC.

The use of Information Assets in public areas should be kept to an absolute minimum; due to the threats of overlooking and theft (staff must not connect mobile computing devices to unsecured public Wi-Fi networks). All measures to remove or minimise risks shall be implemented as necessary.

Remote workers are responsible for ensuring their home and content insurance covers them for the loss of any mobile computing and remote working equipment provided by the Trust.

Equipment Ownership

NUH is responsible for ensuring that staff have the necessary facilities and equipment in order for them to effectively do their job. The use of employee owned equipment for Trust business purposes introduces additional risks to the security of information that may not be obvious and beyond the control of the Trust. For example, accidental unauthorised access to data by family members or friends using the same equipment and/or accidental disclosure of confidential information through inadequate security protection or insecure disposal of redundant equipment, loss and/or inaccessibility of data to the Trust, illegal data processing. Trust data must not therefore be downloaded and held on personal equipment.

The two approved secure options for accessing data when working remotely are either:
a) Use of official Trust issued mobile computing devices to hold and access Trust data from an encrypted hard-drive or to download and read data held on encrypted portable media
b) By secure token dial-in access to data held on Trust servers via the Virtual Private Network (VPN).

All mobile devices and media used for storing or transferring Trust data off site must be encrypted.

In exceptional circumstances it may be necessary for staff to use personal equipment for Trust business purposes (e.g. the storage and transfer of personal data or business critical information [2]). In these instances care must be taken to ensure that any person identifiable, commercially or business sensitive Trust data is removed from the device at the earliest opportunity.

Paper Records

The following principles apply to offsite working for paper based records containing person identifiable information or Trust sensitive information.
- Paper records must only be taken off-site where a line manager has identified an authorised business need. It must be recorded what has been taken, why, where to and by whom.
- Patient case-notes, including photocopies, must never be taken out of the hospital unless authorised by the Health Records Manager or an existing reciprocal/information sharing agreement is in place.
- Records must be transported in sealed containers e.g. secured envelope, locked briefcase or transit bag. Not carried loosely.
- If staff are required for business purposes to transport records in their vehicle, they must be kept out of sight in a locked boot and not left in the vehicle overnight.
- The person handling the records holds the responsibility for their safety and ensuring they are kept secure at all times.
- Patient Medical Records must not be held at home unless there are exceptional circumstances and authorised by a manager following an assessment and assurance that adequate security is in place to protect those records off site. A record of their location and a contact number must be provided to ensure the availability of those records 24/7 if they are required in an emergency.

Internet Connections, Wireless and Other Cordless Connectivity

Any mobile computing device owned by the Trust, which has internet connectivity, must be used in accordance with the Trust's Internet Usage and Monitoring Policy and the Information Security Policy. Particular attention should be paid to the provisions relating to access to unsuitable material and activities which may compromise network security.

Technological developments in the area of wireless connectivity (e.g. wireless internet connectivity and Bluetooth) have significantly increased the risks of unauthorised interception of a signal and of unauthenticated links being made to other devices. Staff should ensure these communication modes are switched off when not in use.

As visitors, staff may be given permission to connect Trust laptops to another organisation's network in order to acquire internet access at the discretion of that organisation. As a guest you must agree to use the connection in accordance with the aims and policies of that organisation and for no other purpose.

Storing Information on Mobile Computing and Removable Devices

Mobile devices are not the best means of storing patient information and care must therefore be taken to ensure that the security, integrity and confidentiality of Trust information are not compromised.

[1] See the Mobile Computing Guideline:
[2] See the Storage of Information on Shared Network Drives and Removable Media guidance: 0Shared%20Network%20Drives%20and%20Removable%20Media.doc

The storage of patient identifiable, commercially or business sensitive Trust data on mobile devices for the purpose of mobile computing and remote working must be kept to a minimum and when the data is no longer needed it should be removed; mobile devices and removable media should never be used as the primary source of data. The source data should reside on the Trust's managed central servers where the backup and security of this can be controlled.

Access Control (Passwords/Pin Codes)

Staff must not, under any circumstances, disclose their network user name, or password, or personal PIN number to anyone or allow anyone to use their VPN Client to gain access to Trust data (ICT staff members will never ask you for your PIN).

Staff should adhere to the password guidelines when selecting passwords and should not attempt to circumvent this or any other security controls. [3]

Mobile phones and similar devices (either Trust or personal devices) used for access must have either password or security PIN number enabled as a minimum.

Under no circumstances should staff permit the use of their remote access connection by any third party including colleagues, friends and family. The authorised user is responsible for all activities performed using their account.

Security of Mobile Computing Equipment and Data

Staff are responsible for ensuring the safe transport and storage of Information Assets in their care ensuring that:
- Information assets are not stored in places where they can easily be stolen
- Information assets are not left visible in cars when travelling between locations, ideally they should be in a locked or sealed bag or brief case and kept in the boot; when travelling by public transport, they should be in locked or sealed bags and kept in sight at all times.
- Information assets are not left unattended in a car or public place at any time.

Staff must treat Remote Access and Mobile Computing systems as if they were using Trust systems from their desk based on-site.

Staff who regularly work remotely should access information directly from the Trust's systems via the VPN to avoid having to transport information and to mitigate the risk of accidental loss of data and equipment.

Authorisation

Only authorised staff are issued with appropriate mobile computing or remote working devices/data to enable them to carry out their duties, as such any arrangements for remote working must be approved by the authorising line manager.

Members of staff may have their connection usage monitored. ICT services will also undertake regular audits of mobile computing and remote working devices to ensure that assets can be accounted for.

On leaving the employment of the Trust, all equipment, software and information must be returned to the line manager. Line managers will be responsible for making sure that this is done and that where necessary, the device(s) is returned to ICT services.

Digital Imaging and Videoing

Photographs of service users are increasingly required for clinical or non-clinical reasons. Photographic recording techniques include photographic film, digital images, video and mobile phones. Any photographs or images are included within the scope of the Data Protection Act and attract the same levels of security and confidentiality.

Personal devices, e.g. ipads and smartphones used in exceptional circumstances to capture and store patient images, e.g. photographs, video and digital recordings must be deleted once the data has been transferred to a secure location. [4]

Compliance and Support Arrangements

Where staff have been supplied with a mobile device they are responsible for ensuring that it is regularly connected to the Trust's network on-site for upgrade of anti-virus software and other licensing requirements.

Anti-virus scanning software must be installed and regularly updated and Trust owned devices must be connected to the network at least once a month to allow updates to be installed; where a mobile computing device has not been connected to the network for over a month and a critical software release is required, ICT services reserve the right to disable the device until it is updated as this may compromise the security of the Trust's network and information resources.

It is important that where mobile computing devices are not connected to the network regularly either because they are deployed elsewhere or offsite for extended periods of time, then the authorised user should notify ICT services of this.

Establishing support arrangements for software on non-trust Host PCs e.g. personal PCs at home, necessary to access Trust data via VPN is the responsibility of the staff member/user. No support is provided by the ICT department or helpdesk.

Unauthorised software must not be installed onto Trust mobile computing devices.

Trust owned mobile computing devices in need of repair should be logged with the ICT helpdesk.

Negligence in the care of portable devices or failure to report loss or damage at the earliest opportunity may result in disciplinary action being taken against the staff member concerned.

Incident Reporting

Staff and Managers are responsible for reporting any incident related to the loss, damage, accidental disclosure or unauthorised access of Trust data in accordance with the Trust's incident reporting procedures. Such incidents should also be reported to the Information Security & Risk Manager, ICT via the ICT Helpdesk Ext

Where the loss or theft of mobile phones or tablets used for communicating Trust business is reported, ICT services will endeavour to wipe the device once informed.

[3] See Password Guidelines:
[4] See the Photography and Video Recording of Living Patients Policy: 20Patients%20-%20Confidentiality,%20Consent,%20Copyright%20and%20Storage%20Policy.doc

Secure Disposal of Media and Equipment

The disposal of media containing personal identifiable or Trust sensitive information (including paper) must only take place at the Trust in line with on-site confidential waste and disposal procedures. Staff with such media to dispose of, are responsible for returning it to the site and following the confidential waste procedures for the campus.

Redundant IT equipment must be returned to ICT for secure disposal that ensures total and unrecoverable destruction of drives holding confidential data.

Third Party Remote Access To NUH Information Systems

In order to provide support services to a number of information systems, the Trust via ICT services may grant 3rd party suppliers remote access to its systems/network.

All 3rd party access sessions must be logged as a call with the ICT service desk by the individual who will be managing that particular access session and in the event that the access request is received by the service desk, a call will be raised and passed to the appropriate team for action. In all cases, access will be granted for the duration of the approved session and all appropriate change management procedures must be adhered to.

Any Third Party access session MUST only occur when prior approval has been provided by the Trust and unauthorised access may result in further action being taken against the third party in question.

Remote access by 3rd parties to the Trust will be supervised by the appropriate team and the Trust reserves the right to terminate any remote access session without prior notice. Access may also be terminated if an unauthorised session is detected; these sessions will be terminated as soon as it is established that there will be no adverse impact upon the system that is currently being accessed.

7.0 Training and Implementation

7.1 Training
All staff issued with mobile computing devices will be given training appropriate and relevant to the device and its intended business use.

7.2 Implementation
A copy of this policy and relating policies and procedures will be posted on the Governance section of the Trust's policy board. The requirements identified in this document will be subject to regular monitoring with random audits conducted by Internal/External auditors, to ensure compliance and identified breaches/noncompliance will be dealt with accordingly.

7.3 Resources
No additional resources are required.

8.0 Trust Impact Assessments

8.1 Equality Impact Assessment
An equality impact assessment has been undertaken on this draft and has not indicated that any additional considerations are necessary.

8.2 Environmental Impact Assessment
An environmental impact assessment has been undertaken on this draft and has not indicated that any additional considerations are necessary.

8.3 Here For You Assessment
A Here For You assessment has been undertaken on this document and has not indicated that any additional considerations are necessary.


9.0 Policy Monitoring Matrix

Column headings:
- Minimum requirement to be monitored
- Responsible individual/ group/ committee
- Process for monitoring e.g. audit
- Frequency of monitoring
- Responsible individual/ group/ committee for review of results
- Responsible individual/ group/ committee for development of action plan
- Responsible individual/ group/ committee for monitoring of action plan

Refer to section 6 to identify key policy and/or procedural requirements and list here. See example below.

Undertake Directorate level risk assessment; Individual Managers; Monitoring of Risk Register; Formal review annually, Monitoring bimonthly via ORC; Directorate Governance Forum; IG Toolkit evidence for requirement 314; Adherence to Information Security policy and guidelines in nominated Directorate; Information Security & Risk Manager; Evidence collection against national standard; Annually; IG Committee; Information Security & Risk Manager; EMIAS Audit; Annually; IG Committee; Information Security & Risk Manager.

Monitoring of action plan: Directorate Governance Forum / ORC quarterly; IG Committee; Audit Committee/IG Committee.

10.0 Relevant Legislation, National Guidance and Associated NUH Documents

10.1 List all of the following which are relevant:

Legislation
- Data Protection Act 1998
- Computer Misuse Act 1990
- Human Rights Act 1998

National Guidance
- ISO/IEC 27001:2005
- ISO/IEC 27002:2005
- Information Security Management: NHS Code of Practice
- NHS Confidentiality Code of Practice 2003

Associated NUH Documents
- Information Security Policy
- Mobile Computing & PDA/Smartphone Guidelines
- Information Security Guidelines
- Information Governance Policy
- Internet Usage & Monitoring Policy

APPENDIX 1

Equality Impact Assessment (EQIA) Form (Please complete all sections)

Q1. Date of Assessment: 26th September 2013

Q2. For the policy and its implementation answer the questions a-c below against each characteristic (if relevant consider breaking the policy or implementation down into areas)

a) Using data and supporting information, what issues, needs or barriers could the protected characteristic groups experience? i.e. are there any known health inequality or access issues to consider?
b) What is already in place in the policy or its implementation to address any inequalities or barriers to access including under representation at clinics, screening
c) Please state any barriers that still need to be addressed and any proposed actions to eliminate inequality

The area of policy or its implementation being assessed:

Protected Characteristic: a) / b) / c)
- Race and Ethnicity: None / Not applicable / Not applicable
- Gender: None / Not applicable / Not applicable
- Age: None / Not applicable / Not applicable
- Religion: None / Not applicable / Not applicable
- Disability: None / Not applicable / Not applicable
- Sexuality: None / Not applicable / Not applicable
- Pregnancy and Maternity: None / Not applicable / Not applicable
- Gender Reassignment: None / Not applicable / Not applicable
- Marriage and Civil Partnership: None / Not applicable / Not applicable
- Socio-Economic Factors (i.e. living in a poorer neighbour hood / social deprivation): None / Not applicable / Not applicable

Area of service/strategy/function

Q3. What consultation with protected characteristic groups inc. patient groups have you carried out?
Not applicable

Q4. What data or information did you use in support of this EQIA?
Not applicable

Q.5 As far as you are aware are there any Human Rights issues be taken into account such as arising from surveys, questionnaires, comments, concerns, complaints or compliments?
Not applicable

Q.6 What future actions needed to be undertaken to meet the needs and overcome barriers of the groups identified or to create confidence that the policy and its implementation is not discriminating against any groups
Not applicable

What / By Whom / By When / Resources required

Q7. Review date September

APPENDIX 2

Environmental Impact Assessment

The purpose of an environmental impact assessment is to identify the environmental impact of policies, assess the significance of the consequences and, if required, reduce and mitigate the effect by either, a) amend the policy b) implement mitigating actions.

Area of impact: Waste and materials
Environmental Risk/Impacts to consider:
- Is the policy encouraging using more materials/supplies?
- Is the policy likely to increase the waste produced?
- Does the policy fail to utilise opportunities for introduction/replacement of materials that can be recycled?
Action Taken (where necessary): Not applicable

Area of impact: Soil/Land
Environmental Risk/Impacts to consider:
- Is the policy likely to promote the use of substances dangerous to the land if released (e.g. lubricants, liquid chemicals)
- Does the policy fail to consider the need to provide adequate containment for these substances? (e.g. bunded containers, etc.)
Action Taken (where necessary): Not applicable

Area of impact: Water
Environmental Risk/Impacts to consider:
- Is the policy likely to result in an increase of water usage? (estimate quantities)
- Is the policy likely to result in water being polluted? (e.g. dangerous chemicals being introduced in the water)
- Does the policy fail to include a mitigating procedure? (e.g. modify procedure to prevent water from being polluted; polluted water containment for adequate disposal)
Action Taken (where necessary): Not applicable

Area of impact: Air
Environmental Risk/Impacts to consider:
- Is the policy likely to result in the introduction of procedures and equipment with resulting emissions to air? (e.g. use of a furnaces; combustion of fuels, emission or particles to the atmosphere, etc.)
- Does the policy fail to include a procedure to mitigate the effects?
- Does the policy fail to require compliance with the limits of emission imposed by the relevant regulations?
Action Taken (where necessary): Not applicable

Area of impact: Energy
Environmental Risk/Impacts to consider:
- Does the policy result in an increase in energy consumption levels in the Trust? (estimate quantities)
Action Taken (where necessary): Not applicable

Area of impact: Nuisances
Environmental Risk/Impacts to consider:
- Would the policy result in the creation of nuisances such as noise or odour (for staff, patients, visitors, neighbours and other relevant stakeholders)?
Action Taken (where necessary): Not applicable

APPENDIX 3

We Are Here For You Policy and Trust-wide Procedure Compliance Toolkit

The We Are Here For You service standards have been developed together with more than 1,000 staff and patients. They can help us to be more consistent in what we do and say to help people to feel cared for, safe and confident in their treatment. The standards apply to how we behave not only with patients and visitors, but with all of our colleagues too. They apply to all of us, every day, in everything that we do. Therefore, their inclusion in Policies and Trust-wide Procedures is essential to embed them in our organization.

Please rate each value from 1-3 (1 being not at all, 2 being affected and 3 being very affected)

Value and Score (1-3):

1. Polite and Respectful. Score: 1
Whatever our role we are polite, welcoming and positive in the face of adversity, and are always respectful of people's individuality, privacy and dignity.

2. Communicate and Listen. Score: 1
We take the time to listen, asking open questions, to hear what people say; and keep people informed of what's happening; providing smooth handovers.

3. Helpful and Kind. Score: 1
All of us keep our eyes open for (and don't avoid) people who need help; we take ownership of delivering the help and can be relied on.

4. Vigilant (patients are safe). Score: 1
Every one of us is vigilant across all aspects of safety, practices hand hygiene & demonstrates attention to detail for a clean and tidy environment everywhere.

5. On Stage (patients feel safe). Score: 1
We imagine anywhere that patients could see or hear us as a stage. Whenever we are on stage we look and behave professionally, acting as an ambassador for the Trust, so patients, families and carers feel safe, and are never unduly worried.

6. Speak Up (patients stay safe). Score: 1
We are confident to speak up if colleagues don't meet these standards, we are appreciative when they do, and are open to positive challenge by colleagues

7. Informative. Score: 1
We involve people as partners in their own care, helping them to be clear about their condition, choices, care plan and how they might feel. We answer their questions without jargon. We do the same when delivering services to colleagues.

8. Timely. Score: 1
We appreciate that other people's time is valuable, and offer a responsive service, to keep waiting to a minimum, with convenient appointments, helping patients get better quicker and spend only appropriate time in hospital.

9. Compassionate. Score: 1
We understand the important role that patients' and family's feelings play in helping them feel better. We are considerate of patients' pain, and compassionate, gentle and reassuring with patients and colleagues.

10. Accountable. Score: 1
Take responsibility for our own actions and results

11. Best Use of Time and Resources. Score: 2
Simplify processes and eliminate waste, while improving quality

12. Improve. Score: 1
Our best gets better. Working in teams to innovate and to solve patient frustrations

TOTAL: 13

APPENDIX 4

CERTIFICATION OF EMPLOYEE AWARENESS

Document Title: Mobile Computing and Remote Working Policy
Version (number): 2
Version (date): 24

I hereby certify that I have:

- Identified (by reference to the document control sheet of the above policy/procedure) the staff groups within my area of responsibility to whom this policy/procedure applies.
- Made arrangements to ensure that such members of staff have the opportunity to be aware of the existence of this document and have the means to access, read and understand it.

Signature:
Print name:
Date:
Directorate/Department:

The manager completing this certification should retain it for audit and/or other purposes for a period of six years (even if subsequent versions of the document are implemented).

The suggested level of certification is:
Clinical directorates - general manager
Non clinical directorates - deputy director or equivalent.

The manager may, at their discretion, also require that subordinate levels of their directorate/department utilize this form in a similar way, but this would always be an additional (not replacement) action.


More information

Record Management Policy

Record Management Policy Record Management Policy Author: Kate Ayres, Governance Facilitator Owner: Fiona Jamieson, Assistant Director of Healthcare Governance Publisher: Compliance Unit Date of first issue: March 2006 Version:

More information

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information