NHS HIGHLAND AND INTERNET POLICY

Transcription

1 NHS HIGHLAND AND INTERNET POLICY ehealth Department Policy Reference: Date of Issue: August 2007 Prepared by: A Fraser Date of Review: August 2009 Lead Reviewer: Version: 2 Area Information Security Manager Authorised by: Date: February 2005 ehealth Steering Group Distribution All staff Method CD Rom Paper Intranet

2 and Internet Policy Introduction 1. This Policy contains important rules covering and access to the Internet. Many of the rules apply equally to NHS Highland s other methods of external communications such as letter, fax and telephone. 2 This Policy explains how and Internet access should be used. It explains what you are allowed to do and what you are not allowed to do. 3 The Policy starts with some general rules covering dos and don ts. Six areas have been identified where legal problems might arise for you and for NHS Highland. These areas are: harassment, defamation, copyright, entering contracts, pornography, and confidential and personal information. Under each section there is an explanation of the potential legal problems and some rules to help avoid those problems. 4. Failure to comply with the rules set out in this Policy: a) may result in legal claims against you and NHS Highland; and b) may lead to disciplinary action being taken against you, including dismissal. 5. When sending external s the system automatically includes the following disclosure statement: This and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this in error please notify the system manager. This footnote also confirms that this message has been swept by.. for the presence of computer viruses. 6. It is very important that you read this Policy/Code of Conduct carefully. If there is anything you don t understand, it is your responsibility to ask your line manager/supervisor or contact the NHS Highland Helpdesk who will log a call and pass it to an appropriate person for advice. Page: 2 Date of review: August 2009

3 General Rules: Must, Must Not, Should and General Advice General Advice The NHS Highland system is primarily for business use. Occasional and reasonable personal use is permitted in your own time and provided that this does not interfere with the performance of your duties/other staff s business requirements or have an impact on the performance of the network. may be received by individuals or organisations which are not intended recipients. No use or reliance on the contents of the should be made by any party who is not an intended recipient. All is stored and the organisation may audit (including personal ) without notice. Use of is subject to monitoring for security and/or network management issues. Staff should be aware that they neither own the documents that they or their colleagues create, nor have intellectual property rights thereto. Ask yourself before sending an , how would you feel if your message was read out in court. messages may have to be disclosed in litigation. attachments to a large number of staff can cause problems on the NHS Highland network. The correct method of dealing with this type of communication is to publish the document on the Intranet and all recipients with the relevant link to the file. Should you have any problems accessing this link you should contact Helpdesk. MUST Must keep all passwords secure - do not share with anyone. MUST NOT Must not impersonate any other person when using or amend messages received. Must not leave your PC logged on and unattended if you have access. If anyone uses the PC while logged on it will appear that the actions were carried out by you and you will be held accountable for any misdemeanour that they may commit. Must not create congestion by sending trivial messages or personal messages or by copying s to those who do not need to see them. Chain Mail, if received, should be deleted. Page: 3 Date of review: August 2009

4 MUST NOT Must not send any sensitive information, whether business, staff or patient data, to or from a non-nhs account. A non-nhs account is defined as an address that does not end with either nhs.net or nhs.uk. The exception to this is that s can be securely exchanged between accounts that end with nhs.net or nhs.uk and those which end in gsx.gov.uk or gsi.gov.uk. SHOULD Should report any received by you which is regarded as illegal or offensive to your manager, the NHS Helpdesk and the Human Resources Department. It should not be forwarded onto anyone else. Should obtain confirmation of receipt for important s sent. Should make and keep hard copies of important s sent and received. Should reply promptly to all messages requiring a reply. Where a prompt detailed response is not possible, send a short acknowledging receipt and giving an estimate of when a detailed response will/should be sent. Should enable the Out of Office facility if you are to be away for more than one day. Page: 4 Date of review: August 2009

5 INTERNET General Advice All Internet sites accessed are stored and monitored and the organisation audits this activity routinely. Use of Internet is subject to monitoring for security and/or network management issues. Access to certain websites is prevented as they are deemed to be inappropriate for business use. The following are examples of the categories which are blocked: Adult/Sexually Specific Gambling Criminal Skills Hate Speech Violence Weapons Glamour & Intimate Apparel Remote Proxies Drugs, Alcohol & Tobacco Hacking Don ts Do not access the Internet (World Wide Web) during working hours for purposes other than those for which you were employed. Outside working hours the web may be accessed for personal purposes but this must be within the requirements and constraints of this policy document. In particular personal use of NHS Highland s Internet facilities must not interfere with the performance of your duties/other staff s business requirements or have an impact on the performance of the network. If you access the Internet remotely, you should not use the Internet for personal purposes without the permission of your Head of Department as this may incur costs. Do not deliberately visit, view or download any material from any web site containing sexual or illegal material or material which is offensive in any way Do not download software onto Trust systems. This includes software and shareware available for free on the Internet. Do not divulge your password to anyone. Do not leave your PC logged on and unattended if you have Internet access. If anyone uses the PC while logged on it will appear that the actions were carried out by you and you will be held accountable for any misdemeanour that they may commit. To log off the Internet you must close down Internet Explorer. Page: 5 Date of review: August 2009

6 USE OF NEW NHS SYSTEM All use of the NHSmail system must be in accordance with this policy and the National Acceptable Use Policy which you agreed to when registering for an NHSmail account. Access to NHSmail services from Non-NHS Highland sites must be in accordance with the relevant policies eg Working From/At home Policy Home Computer policy Mobile Devices Policy Removable Media Policy NHS Scotland Acceptable Use Policy The following sections discuss the legal obligations of NHSiS organisations and their staff, this includes NHS Highland. Note that the sections are not meant to be either exhaustive or definitive and there may be other legislation in addition to that discussed below. Page: 6 Date of review: August 2009

7 Harassment What is harassment? The Institute of Personnel and Development define harassment as, unwanted behaviour, which a person finds intimidating, upsetting, embarrassing, humiliating or offensive. It can take many forms and may be directed at one person or a group of people. The intention of the perpetrator is irrelevant: it is the impact on the individual, which determines whether harassment has taken place. (Ref PIN Guidelines - Dignity at Work 2.2.1) What you must not do You should not download from the Internet or include in your s any material which contains text and/or images which can be construed as causing fear, stress or anxiety to any individual or group of individuals in the organisation. What are the consequences of not following this Policy? Unless the organisation can show that it has taken action necessary to discourage harassment, it can be held liable for the conduct of its staff and may be subject to court action leading to a substantial penalty. Individuals responsible for harassment may be subjected to appropriate disciplinary action. Further detail can be found in the PIN Guideline - Dignity at Work. Page: 7 Date of review: August 2009

8 Defamation What is defamation? Any false or malicious representation, written, printed or spoken, which hurts the reputation of a person; exposes that person to hatred, ridicule or contempt; injures that person in his or her occupation; or damages the organisation he or she works for eg financially, reputation. What you must not do As a general rule you must not include in s any statement about a person or organisation which is untrue ie cannot be proved. There are, however, certain defences to allegations of defamation. One such defence is that of qualified privilege. This applies to certain situations such as where, in the discharge of a duty, a statement would be protected if honestly made by a person in the discharge of a public or private duty of some kind or in his own affairs in a matter where his interest is concerned. In such a situation a person against whom an allegation of defamation has been made will have a defence unless it can be shown that the statement was motivated by express or actual malice. There are however some circumstances in which even if a statement is true if a person is maliciously abused or held up to public ridicule or contempt causing him loss or hurt to his feelings damages may be recoverable. What are the consequences of not following this Policy? Under the law of defamation you and/or NHS Highland could be taken to court and sued by the subject of the defamatory statement. Page: 8 Date of review: August 2009

9 Copyright What is copyright? A number of laws relating to publication are pertinent to the provision of information via the Internet. These include the Copyright, Designs and Patents Act 1988 which protects the intellectual property of individuals. In general, this Act requires that the permission of the owner of the intellectual property must be sought before any use is made of it whatsoever. This includes storage and display on a website or other electronic information service. The law of copyright still has to be clarified in relation to use of the Internet. Given the nature of the Internet, it seems highly probable that a person who puts material on a website is consenting to its being accessed by users of the system thereby nullifying the infringement by reproduction which would otherwise arise under UK law. If, however, the website contains a notice expressly prohibiting copying, contravention of the notice may constitute a copyright infringement. Copyright is infringed by any person who copies, or who authorises for copy, copyrighted material without the owner s consent. What you must not do Unless you have requested and received formal approval from the owner, you must not attempt to copy, print or download any material from the Internet where there is an explicit notification that the material is protected by copyright. What are the consequences of not following this Policy/Code of conduct? The penalty on summary conviction under the Law is a maximum of six months imprisonment and/or a fine not exceeding 5,000. The penalty on conviction on indictment is a fine or imprisonment for a term not exceeding two years or both. Page: 9 Date of review: August 2009

10 Entering Contracts What is a contract? A contract is a legally enforceable agreement in which two or more people or organisations commit to certain obligations in return for certain rights. Contracts may consist of no more than a single page, an exchange of faxes or even an oral agreement. The words contract and agreement have the same meaning and tend to be used interchangeably. The most important element required for a valid contract is the need for agreement to have been reached on all the essential conditions of the contract. With the exception of certain types of contract which have to be in a certain form, agreements are usually valid as long as the essential elements for creating a contract are met. Rules for contracting by The contract must be agreed to by someone in the organisation who is lawfully capable of agreeing to contracts (sometimes called the capacity to contract ). An exchange of faxes or will normally be valid provided there is agreement on the essential conditions, and intention and authority to create a contract. There could, however, be difficulties in proving the terms of an agreement. Where a contract is of any significance it is wise to back up electronic exchanges (eg fax, ) with a formal agreement or letter. What are the consequences of not following this Policy/Code of Conduct? If as an employee of NHS Highland you enter into a contract you must have the correct authority to do so. Where no such authority exists the contract may be invalid or you as the individual may be held personally liable for that contract. Should NHS Highland appear to have given an individual the authority to enter into a contract it may find itself bound into that contract. It is therefore essential that NHS Highland has control and supervision of staff with access to . Users of need to be aware that exchange of s may be interpreted by suppliers as a contract. users must therefore ensure that the wording and content of their does not mislead the supplier. Page: 10 Date of review: August 2009

11 Pornography What is pornography? Pornography relates to the use of sexually explicit material ie in writings, films or images. Laws on pornography are embodied in the following legislation: The Protection of Children Act 1978, Criminal Justice Act 1988 and Obscene Publications Act 1959 and 1964 have either limited application or do not extend to Scotland. Relevant legislation in Scotland is embodied in the Civic Government (Scotland) Act 1982, Sections 51 and 52. Section 52 of the 1982 Act relates to indecent photographs of children. Photograph is said to include: Data stored on a computer disk, or by electronic means which is capable of conversion into a photograph. Under Section 52, a person commits an offence if he or she: distributes or shows an indecent photograph or pseudo-photograph; has in his/her possession such an indecent photograph or pseudophotograph with a view to its being distributed or shown by him/her or others. A person is said to be regarded as distributing an indecent photograph or pseudophotograph if he/she parts with possession of it to, or exposes or offers it for acquisition by, another person. A defence to the above is provided by stating: Where a person is charged with an offence under sub section (1)(b) or (c) above, it shall be a defence for him/her to prove - that he/she had a legitimate reason for distributing or showing the photograph or pseudo-photograph or (as the case may be) having it in his/her possession; or that he/she had not him/herself seen the photograph or pseudophotograph and did not know, nor had any reason to suspect, it to be indecent. The Telecommunications Act 1984 provides that it is an offence to send by means of a public telecommunications system, a message or other matter that is grossly offensive or of an indecent, obscene or menacing character. What you must not do You must not include in any , or download from the Internet, information in the form of text or images which could be regarded as indecent or obscene. You must not ignore any incident where pornographic material is discovered in your organisation. If you or your staff happen upon a website which contains pornographic material or receive an which contains indecent or obscene text, audio or graphic images, the proper reporting procedures should be followed to allow Page: 11 Date of review: August 2009

12 appropriate investigation and resolution to take place. Reporting should initially be to your Head of Department and the Head of Information Services. What are the consequences of not following this Policy/Code of Conduct? Possession/storage and distribution/transmission of child pornography is a criminal offence which carries a prison sentence. Any staff found storing or distributing pornographic material will be subject to disciplinary proceedings and may be dismissed. Page: 12 Date of review: August 2009

13 Confidential /Personal Information What is confidential information? Confidential information includes (a) data relating to identifiable individuals eg patients, staff or practitioners and (b) commercially sensitive data eg financial, contractual. Confidential information can be held on a document, microfiche, CD or other magnetic or optical medium such as disk or tape and can be in hand-written, typewritten or in machine readable form. Individuals may be identified by name, address, postcode, unique reference number eg CHI number. Other, less obvious, data items may also identify individuals eg date of birth, rare diagnosis. The primary legislation relating to confidentiality of information is the Data Protection Act 1998 which deals specifically with the treatment and use of personal data held both in computer and in manual form. Detailed guidance on the Act is to be made available in the NHSiS Data Protection Manual. What you must do and what you must not do All systems containing data from which individuals can be identified should be registered with the Data Protection Registrar/Commissioner. If you are responsible for processing personal information, you must ensure that you are aware of the requirements of the Act(s) and of any additional local confidentiality rules covering disclosure. Any staff who deliberately disclose personal or confidential information to unauthorised individuals or organisations will be subject to disciplinary action. If in doubt, seek advice from your line manager or contact the NHS Highland Helpdesk who will log a call and pass it to an appropriate person for advice. What are the consequences of not following this Policy? Organisations/individuals who contravene the terms of the 1998 Data Protection Act can be prosecuted by the Data Protection Registrar/Commissioner or an offended party. Any staff who knowingly disclose personal or confidential information to unauthorised individuals or organisations will be subject to disciplinary action and my be subject to prosecution that could lead to a fine of up to 5000 and/or up to 6 m onths imprisonment Amendments NHS Highland may amend this Policy at any time. Page: 13 Date of review: August 2009