Electronic Communications Monitoring Policy

Transcription

1 Electronic Communications Monitoring Policy Printed copies should not be considered the definitive version DOCUMENT CONTROL POLICY NO. 79 Policy Group Information Governance and Security Author Andrew Turner Version No. 1.2 Reviewer Medical Director Implementation Date Aug 2013 Scope (Applicability) Board wide Next review date Aug 2015 Status Final Last review date N/A Approved By Graham Gault Kelly Kennedy Angus Cameron Neil Kelly

2 Contents 1. Overview Key points Policy Aims Scope & Applicability Monitoring of Communications by NHS Dumfries & Galloway Scope of Monitoring Access to accounts Virus scanning... 5 Appendix 1 Policy Approval Checklist... 6 Appendix 2 - Document Status... 7 Appendix 3 - Action Plan for Implementation... 8 Page 2 of 8 Pages

3 1. Overview a. Access to the Board Intranet and the wider Internet is provided to allow staff to undertake their normal business functions. It is important that all users of our Intranet and Internet provision understand exactly what is considered fair usage. b. This paper lays out our Acceptable Use Policy for the Intranet and the external Internet. c. This policy sets out clear guidance for users on what is and is not allowed. It also sets the boundaries as to when personal use is allowed and not allowed. The overarching purpose is to ensure that appropriate access to the Intranet and Internet is available to staff with a legitimate business purpose at all times and this access is not hindered by non-business related activities. d. It demonstrates management support for, and commitment to, the provision of an internet capability through issuing this policy for user acceptance and compliance, as well as any related policies, procedures and guidelines, including user education and awareness across NHS Dumfries & Galloway. The purpose of this policy is to protect all NHS Dumfries & Galloway users from threats, internal or external, deliberate or accidental. 2. Key points All business telephone, and internet traffic may be monitored for specific business purposes (see para 6a). All incoming and outgoing s will be scanned for virus or other malware content. s may be monitored and access provided to appropriate staff where necessary due to sickness or other absences from work (see para 7b). s not marked Personal or stored in a Personal folder will be assumed to be business correspondence. Audit logs of times of access and internet sites visited may be provided to Senior Managers. Audit logs of accesses to information systems containing sensitive personal information will be monitored. Suspected cases of inappropriate access will be investigated. This may result in disciplinary procedures being started which, in extreme cases, may lead to dismissal and possible criminal proceedings. 3. Policy Aims a. This policy aims to: i. Provide guidance on the acceptable use of the Intranet and Internet whilst using the NHS Dumfries & Galloway provided networks. ii. It details the roles and responsibilities and supporting organizational monitoring arrangements for ensuring that access for normal business use is maintained. iii. It provides a framework under which NHS Dumfries & Galloway can ensure compliance with all relevant legislation and policies. Page 3 of 8 Pages

4 4. Scope & Applicability a. This policy applies to accesses to web based services as provided by NHS Dumfries & Galloway in any format and is intended to be fully consistent with the Information Security Policy and Standards of NHS Scotland. b. This policy applies to all users who undertake work for NHS Dumfries & Galloway or use any part of the IT infrastructure, whether as an employee, a student, a volunteer, a contractor, partner agency, external consultant or 3 rd party IT supplier. c. It is a management requirement that all NHS Dumfries & Galloway accesses to the Intranet and Internet for legitimate business use goes un-hindered. 5. Monitoring of Communications by NHS Dumfries & Galloway a. NHS Dumfries & Galloway is ultimately responsible for all business communications but subject to that will, so far as possible and appropriate, respect your privacy and autonomy while working. 6. Scope of Monitoring a. NHS Dumfries & Galloway may monitor your business communications for reasons which may include but is not restricted to: i. providing evidence of business transactions; ii. ensuring that NHS Dumfries & Galloway s business procedures, policies and contracts with staff are adhered to; iii. complying with any legal obligations; iv. monitoring standards of service, staff performance, and for staff training; v. preventing or detecting unauthorised use of NHS Dumfries & Galloway s communications systems or criminal activities; and vi. maintaining the effective operation of NHS Dumfries & Galloway s communications systems. b. NHS Dumfries & Galloway will monitor telephone, and internet traffic data (i.e. sender, receiver, subject; non-business attachments to , numbers called and duration of calls; domain names of websites visited, duration of visits, and files downloaded from the internet) at a network level (but covering both personal and business communications) for the purposes specified at item 6a. c. For the purposes of your maintenance of your own personal privacy, you need to be aware that such monitoring might reveal sensitive personal data about you. For example, if you regularly visit websites which detail the activities of a particular political party or religious group, then those visits might indicate your political opinions or religious beliefs. d. By carrying out such activities using NHS Dumfries & Galloway s facilities you consent to our processing any sensitive personal data about you which may be revealed by such monitoring. 7. Access to accounts a. Sometimes it is necessary for NHS Dumfries & Galloway to access your business communications during your absence, such as when you are away because you are ill or while you are on holiday. Unless your mailbox settings are such that the individuals who need to do this already have permission to view your inbox, access Page 4 of 8 Pages

5 will be granted only with the permission of one of the persons authorised to grant such access [in accordance with our policy " Acceptable Use Policy"]. b. Any s which are not stored in your "Personal" folder in your mailbox and which are not marked PERSONAL in the subject heading will be treated, for the purpose of availability for monitoring, as business communications since we will have no way of knowing that they were intended to be personal. Therefore you must set up a rule to automate the routing of personal to your personal folder ask IT Support for guidance on how to do this. Furthermore, there is a risk that any person authorised to access your mailbox may have their own preview pane option as a default setting, which would reveal the content of any of your personal not filed in your "Personal" folder, whether or not such are marked PERSONAL. It is up to you to prevent the inadvertent disclosure of the content of personal by filing your personal in accordance with this policy. In particular, you are responsible to anybody outside NHS Dumfries & Galloway who sends to you, or receives from you, a personal , for the consequences of any breach of their privacy which may be caused by your failure to file your personal . c. In certain very limited circumstances we may, subject to compliance with any legal requirements, access marked PERSONAL. Examples are when we have reasonable suspicion that they may reveal evidence of unlawful activity, including instances where there may be a breach of a contract with NHS Dumfries & Galloway. 8. Virus scanning a. All incoming s are scanned by the organisation contracted to operate the NHSMail service on behalf of the NHS and therefore on behalf of NHS Dumfries & Galloway using virus-checking software. The software will also block unsolicited marketing (spam) and which have potentially inappropriate attachments. If there is a suspected virus in an which has been sent to you, the sender will automatically be notified and you will receive notice that the is not going to be delivered to you because it may contain a virus. Page 5 of 8 Pages

6 Appendix 1 Policy Approval Checklist NHS DUMFRIES AND GALLOWAY POLICY APPROVAL CHECKLIST This checklist must be completed and forwarded with the policy to the appropriate approval group POLICY TITLE Electronic Communications Monitoring Policy POLICY NO.. EXECUTIVE LEAD Dr Angus Cameron Why has this policy been developed? Has the policy been developed in accordance with or related to legislation? Please give details of applicable legislation. Has a risk control plan been developed? Who is the owner of the risk? Who has been involved/consulted in the development of the policy? Has the policy been assessed for equality and diversity in relation to:- Race/Ethnicity Gender Age Religion/Faith Disability Sexual Orientation Does the policy contain evidence of the Equality & Diversity Impact Assessment Process? Is there an implementation plan? When will the policy take effect? If the policy applies to partner agencies, please explain the reasons for this and how they will be informed of their responsibilities Compliance with Board Information Assurance Strategy CEL 26/2012 Data Protection Act 1998 Electronic Communications Act 2000 Computer Misuse Act ehealth Lead and staff, Dr Cameron, Internal Audit, Staff side representative Has the policy been assessed for Equality and Diversity not to disadvantage the following groups:- Minority Ethnic Communities Women and Men Religious & Faith Groups Disabled People Young People L, G, B & T Community YES YES Immediate Not applicable Page 6 of 8 Pages

7 Appendix 2 - Document Status Title Electronic Communications Monitoring Policy Author Andrew Turner Approver Graham Gault Document reference Version number 1,3 Document Amendment History Version number Edited by Edit date Topics covered 0.1 Pinsent Nov 2007 Exemplar document Mason Solicitor 1.0 Andrew 26 th June st Draft for peer review Turner 1.1 Andrew 30 th June nd Draft for IA Committee. Turner 1.2 Andrew 11 th July 2013 Final draft following review and amendments as Turner recommended by Information Assurance Committee Key Points added 1.3 Andrew 8 th August 2013 Final for recommendation to APF for approval Turner Distribution Name Version number Responsibility Board Secretary 1.3 Place on policy register Communications Team 1.3 Place on Intranet and in latest news Board Management Group 1.3 Dissemination to all staff through line management IM&T Department 1.3 To all staff Staff side representative 1.3 For comment prior to presentation to APF Associated Documents ISO/IEC The Code of Practice for Information Security Management CEL26/2012 NHS Scotland Information Security Policy NHS Dumfries & Galloway Information Assurance Strategy NHS Dumfries & Galloway Information Assurance Policy NHS Dumfries & Galloway Information Systems Procurement, Development and Implementation Policy NHS Dumfries & Galloway Information Security Policy NHS Dumfries & Galloway Access to Information Policy NHS Dumfries & Galloway Mobile Devices Policy NHS Dumfries & Galloway Acceptable Use Policy NHS Dumfries & Galloway Internet and Internet Acceptable Use Policy NHS Dumfries & Galloway Communications Monitoring Policy Page 7 of 8 Pages

8 Appendix 3 - Action Plan for Implementation Name Responsibility Timeframe Place on policy register Board Secretary Immediate Place in latest news Place on Intranet Dissemination to all staff through line management Communications Team Communications Team Board Management Group Immediate Immediate On going continual process Routinely issue to all staff IM&T Department Continual process Update staff contracts HR Department Immediate Page 8 of 8 Pages