Acceptable Use Policy




Recommending Committee: Information Governance Steering Group
Approving Committee: Patient Safety & Experience Council
Signature:
Designation: Chief Executive
Date:
Version Number: 01
Date: January 2011
Review Date: July 2014
Responsible Officer: Information Governance Manager

Revision History

Version | Action                                                      | Author/reviewed by                     | Date
01      | Original document created                                   | Craig Walker                           | Jan 11
01      | Circulated to IG Board for comments/approval                | IG Steering Group                      | Jan 11
01      | Circulated to Assistant Director of Operations for comments | Assistant Director of Operations       | Feb 11
01      | Presented to IG Board for approval after comments           | Craig Walker                           | Feb 11
01      | Document approved                                           | IG Steering Group                      | Feb 11
01      | Equality impact assessed                                    | Human Resource Department              | Feb 11
01      | Document ratified                                           | Patient Safety and Experience Council  | March 11

Contents

1. Introduction
2. Scope
3. Authorisation
4. Responsibilities
5. Privacy
6. Definitions of Unacceptable/Acceptable Usage
7. Internet Access Principles
8. Internet Access Monitoring
9. E-mail Principles
10. E-mail Monitoring
11. Sensitive Information & Encryption
12. Instant Messaging Software
13. Social Networking Sites
14. Removable Media
15. Protection from Malicious Software
16. Business Portable Devices
17. Personal Portable Devices/Personal Information
18. Software Access Controls
19. Staff Access Controls
20. Physical Access Controls
21. Application Access Controls
22. Acceptable Personal Use & Disciplinary Procedures
23. Reporting of Incidents
Appendix A: Trust Related Policies
Appendix B: Relevant Legislation

1. Introduction

St Helens & Knowsley Teaching Hospitals NHS Trust (referred to hereafter as the Trust) seeks to promote and facilitate the proper and extensive use of Information Technology and to encourage the use of these facilities to develop the skills and knowledge of the workforce, to the benefit of the organisation's business objectives. The Acceptable Use Policy provides a framework for such use of the Trust's IT resources. It applies to all computing, telecommunication and networking facilities provided by the Trust's Health Informatics Service (HIS). It should be interpreted so as to have the widest application; in particular, references to IT Services should, where appropriate, be taken to include departmental or other system managers responsible for the provision of an IT service. This policy encompasses new and developing technologies as well as those that are older and more established. It is the responsibility of all users of Trust IT services to read and understand this policy.

2. Scope

The Trust's IT resources are provided to facilitate a member of staff's essential work as an employee or in another role within the Trust. Staff must not jeopardise the integrity, performance, confidentiality or reliability of computer equipment, software, data and other stored information. The integrity of the Trust's computer systems is put at risk if users do not adhere to this policy.

3. Authorisation

Access to the Trust network will only be authenticated by user name, password and, on some occasions, a Registration Authority (RA) card. Accessing the Trust network is conditional upon compliance with the Acceptable Use Policy, for which a signature of acceptance is required on commencing work for the Trust; acceptance is deemed to have been renewed annually by completing mandatory training. The lack of a signature does not exempt an individual from any obligation under this policy.

The registration process grants authorisation to use the core IT facilities of the Trust. Following registration, a username, password and e-mail address will be allocated. Authorisation for other services may be requested by application to the Health Informatics Service Help Desk.

All individually allocated usernames, passwords and e-mail addresses are for the exclusive use of the individual to whom they are allocated. The user is personally responsible and accountable for all activities carried out under their username. The password associated with a particular personal username must not be divulged to any other person. Attempts to access or use any username or e-mail address which is not authorised to the user are prohibited. No one may use, or attempt to use, IT resources allocated to another person.

All users must correctly identify themselves at all times. A user must not masquerade as another, withhold their identity or tamper with audit trails. A user must take all reasonable precautions to protect their resources; in particular, passwords used must adhere to current password standards and best practice.

4. Responsibilities

The Chief Executive has ultimate responsibility for this policy.

4.1 Organisational Responsibilities

- To establish adverse incident and investigation procedures for the reporting of all breaches of this policy through the appropriate management channels
- To ensure that line managers understand their responsibilities for the implementation of this policy within their business or clinical area and that their managed staff adhere to the principles
- To provide appropriate training on the acceptable use of e-mail and the Internet
- To ensure that controls are in place within the physical environment to prevent unauthorised access to the computer systems
- To ensure compliance with section 46 of the Freedom of Information Act Code of Practice on Records Management with relation to disclosure of e-mails
- To define acceptable and unacceptable use of computer systems

4.2 Caldicott Guardian Responsibilities

- To ensure that the organisation is aware of key legislation relating to this policy
- To ensure that systems are in place to investigate breaches of this policy
- To guide the organisation on the transfer or disclosure of service user/employee person identifiable information by e-mail and the Internet

4.3 Line Managers' Responsibilities

Line managers must ensure that permanent/temporary staff, students, trainees and contractors working in their departments are aware of:

- this policy and related policies
- the acceptable personal use of Trust hardware and software
- how to access advice and guidance on acceptable use
- the security of the physical environment within their department
- how to report breaches or potential breaches of this policy

4.4 HIS Responsibilities

- To review this policy in line with changes in legislation/guidance/standards
- To provide, manage and maintain Trust systems and access
- To monitor and audit access
- To support the investigation of reported incidents
- To comply with legitimate requests for access to mailboxes
- To train staff on the acceptable and unacceptable use of Trust systems
- To provide username and password management
- To provide virus control
- To report incidents and inappropriate use to the Trust Board through the Information Governance Steering Group
- To report on issues raised
- To disseminate this policy in the organisation
- To act as a source of help, advice and guidance on the acceptable/unacceptable use of Trust systems and the content of this policy

4.5 Information Security Officer

The Information Security Officer must perform all monitoring actions and act upon findings as and when required.

4.6 Users' Responsibilities

Users must:

- comply with this policy at all times, including any use of the service whilst off duty
- report any incidents such as inappropriate use, security breaches or virus infection to their line manager
- ask for advice and guidance on the content of this policy or the use of Information Technology from line managers or the Health Informatics Service Helpdesk if unsure of the content

5. Privacy

It should be noted that systems staff who have appropriate privileges have the ability, which is occasionally required, to access all files, including electronic mail files, stored on any computer which they manage. It is also occasionally necessary to intercept network traffic. In such circumstances appropriately privileged staff will take all reasonable steps to ensure the privacy of users. Staff with such privileges will only use this access in the course of their authorised work.

The Trust fully reserves the right to monitor e-mail, telephone and any other electronically mediated communications, whether stored or in transit, in line with its rights under the Regulation of Investigatory Powers Act (2000). Reasons for such monitoring may include the need to:

- ensure operational effectiveness of services
- prevent a breach of the law, this policy, or other Trust policy
- investigate a suspected breach of the law, this policy, or other Trust policy
- monitor standards

Access to staff files, including electronic mail files, will not normally be given to another member of staff unless authorised by the Director of IT, or nominee, who will use their discretion in consultation with a senior member of Trust staff. In such circumstances the Head of Department or Service will be informed, and will normally be consulted prior to action being taken. Such access will normally only be granted in the following circumstances:

- where a breach of the law or a serious breach of this or another Trust policy is suspected
- when a documented and lawful request from a law enforcement agency such as the police or security services has been received
- on request from the relevant Head of Department or Section, where the managers or co-workers of the individual require access to e-mail messages or files which are records of a Trust activity, and the individual is unable, e.g. through absence, to provide them

The Trust recognises staff privacy as desirable but not as an absolute right; staff should not expect to hold or pass on information which they would not wish to be seen by members of staff responsible for their work. Once a member of staff leaves the Trust, files which are on any computer system owned by the Trust, including servers and including electronic mail files, will remain the property of the Trust. When leaving the Trust, staff should make arrangements to transfer to colleagues any e-mail or other computer-based information held under their personal account, as this will be closed on their departure.

6. Definitions of Acceptable & Unacceptable Usage

The following sections highlight what the Trust deems to be acceptable and unacceptable uses of its services. Staff should be aware that the Chief Executive has a legal right to monitor usage of e-mail and Internet access using the least intrusive method available. The IT Department will carry out audits on behalf of the Trust to monitor compliance with this policy.

7. Internet Access - Principles

Access to the Internet or external web resources will be authenticated by user name and password. Users must not access the Internet using another employee's login. It is totally unacceptable to adopt a colleague's identity on any Internet site.

Section 22 states the time frame that the Trust considers appropriate for personal use of the Internet. Employees must be informed of and understand the extent of that use. The time of day that employees may use the Internet for reasonable personal access should be agreed with their line manager following the stipulation in section 22.

Where an employee orders personal goods from an Internet site they must not arrange for them to be delivered to any Trust premises.

Users must not download, upload, access or distribute any material whose subject matter is unlawful, objectionable or causes offence; examples are material which is libellous or pornographic, or that includes offensive material relating to gender, race, sexual orientation, religious or political convictions, or disability. This includes incitement of hatred or violence or any activity that contravenes the law or the Trust policies listed in Appendix A.

Inappropriate sites have been blocked to prevent accidental access. If an employee accidentally accesses material of the type referred to in the previous paragraph, or other material which may be considered offensive, they should note the time and web site address, exit from the site and inform their line manager, who will instigate the Trust's reporting procedures.

Users must not sell or provide substances or conduct unauthorised business via Trust-provided Internet access. If an employee is in doubt as to whether it is appropriate for them to access a site, they should speak to their line manager before doing so.

Only those staff who are specifically authorised to give media statements on behalf of the organisation may write or present views concerning the Trust and its business on the Internet.

Internet users must be aware that the Internet is inherently insecure, and confidential information in relation to the business of the Trust and/or service user or other employee identifiable information must never be disclosed or placed on Internet sites or chat rooms.

Although the IT Department has put anti-virus defences in place, staff must take great care when using the Internet. The Helpdesk should be informed where any suspicion of virus infection arises; the incident will be dealt with in accordance with information security procedures.

Downloading or distribution of copyrighted material without permission of the copyright holder, or of software for which the user does not have a legitimate licence, is forbidden; this applies to any download for work or personal use. The installation of downloaded software onto Trust computers, including laptops, is not permitted. Information downloaded for personal use must not be stored on the Trust network or personal computers. The use of peer-to-peer systems to download software is forbidden, as is the installation of any such system on Trust computers. Peer-to-peer systems are computers that are not linked to the same network.

8. Internet Access Monitoring

Access to the Internet is authenticated and logged on a per-user basis. Details such as the date and time of access and the site visited are recorded; the information is retained for one month and then archived. Further reports will be available for use when investigating an incident; these reports will only be disclosed upon receipt of a written request from the Service Director in question. The IT Department will only respond to a request for access to an individual's Internet records when it has received a written request from the Service Director of the Trust area in question; requests must be made to the IT Service Desk and a response will be provided by the Assistant Director of ICT.

9. E-mail - Principles

The amount of time that an employee may use the e-mail system for reasonable personal use should be agreed with their line manager following the stipulation in section 22.

Copyright in all documents created via e-mail is the property of the organisation and not the individual user. E-mails sent by a Trust employee are the organisation's property. Unless such e-mails are marked Personal in the Subject field they may be opened by the Trust.

E-mail (unless marked Personal in the subject field) is considered corporate correspondence and as such is accessible under the Freedom of Information Act 2000. It is therefore important to save e-mails that have been used to formulate corporate decisions, policy or procedure, as they may be subject to a request. These e-mails should be referenced, saved and retained for the appropriate record retention periods following advice from the organisation's Information Governance Manager.

Employees must not share their password and user name with any other person and should not leave their computers unattended whilst logged on, as they will be held responsible for any activity which takes place using their account. Unauthorised use of someone else's identity to send or intercept e-mail is strictly forbidden and will result in disciplinary action.

Employees must not distribute any material by e-mail which:

- is unlawful, objectionable or causes offence, examples of which include but are not limited to offensive material relating to gender, race, sexual orientation, religious or political convictions, or disability
- contains material which is libellous or pornographic
- includes incitement to commit a crime, hatred and violence, or any activity that contravenes any of the Trust's policies, including the Equal Opportunities Policy
- could be abusive, indecent, obscene or menacing, or in breach of confidence, copyright, privacy or any other rights

Any member of staff who receives e-mail containing material which is in breach of this policy should inform their line manager immediately, who will institute the organisation's incident reporting procedures. Distribution of such material may result in legal action and/or disciplinary procedures. The Trust reserves the right to monitor e-mail usage.

Where a member of staff receives e-mails from unsolicited sources, the sender should be added to their personal Blocked Sender List (contact the Helpdesk for information). Where there is any doubt about the origin of an e-mail or its attachments, staff must contact the Help Desk for advice, as viruses can be spread through e-mail and the opening of suspect attachments may result in loss of or damage to the Trust IT systems. Users should exercise caution when disclosing their work e-mail address to commercial organisations, as this information may be passed to other 3rd party organisations, generating junk mail.

Employees must not use the organisation's e-mail system to conduct any personal business enterprise.

It is inappropriate to forward or create chain letters to other e-mail users either within the organisation or externally. If a user receives a chain letter that has inappropriate content they must inform their line manager, who will instigate the organisation's reporting procedures. To avoid inappropriate content being circulated, users should not set their e-mail to auto-forward (contact the Helpdesk for information).

Only those employees who are specifically authorised to give media statements on behalf of the Trust, i.e. the Communications Department, may write or present views concerning the Trust and its business via e-mail.

10. E-mail - Monitoring

The IT Department retains a copy of all internal and external e-mail which is received or sent. The Department will not use this facility to monitor individual employees' e-mail traffic without written permission or unless it has a justified need to monitor or investigate an employee's e-mails. The IT Department will investigate inappropriate activity on behalf of the Trust under the following circumstances:

- a report of or concern raised about the contents of a computer
- a report of inappropriate or unreasonable personal use of e-mail or the Internet
- routine monitoring identifies potential inappropriate use

This list is not exhaustive. The IT Department reserves the right to carry out detailed inspection of any IT equipment without notice where inappropriate activity is suspected. A more detailed investigation may involve further monitoring and examination of stored data, including employee-deleted data held on servers, disks, drives or other historical/archived material.

Access to the content of an employee's mailbox in their absence, other than for the monitoring purposes already referred to, will only be granted on submission of a written request from the Service Director of the Trust area concerned to the IT Service Desk for approval by the Assistant Director of ICT. This request must identify the business need for the access requested and indicate the mail message(s) required. Where such a request is granted, access will be made by the Information Security Officer, who will provide the required e-mails to the Service Director. In most cases the Assistant Director of ICT or designated deputy will notify the Service Director about the access at the earliest possible opportunity. In the event of a user being absent from work for an extended period of time, access to their inbox may be granted to their line manager.

The IT Department has a structured level of governance regarding granting access to e-mail records. Ultimate responsibility for this lies with the Assistant Director of IT; when absent, this responsibility is passed to the IT Development Manager. The IT Department will only initiate a request for access to an individual's mailbox when a request for this access has been made in writing from the Service Director via the IT Service Desk to the Assistant Director of ICT.

11. Sensitive Information & Encryption

Sensitive personal information that identifies a service user or member of staff, or commercially sensitive information, must not be sent by e-mail (.nhs.uk) unless it is encrypted to NHS standards. Users can encrypt any outgoing mail by typing the word ENCRYPT in square brackets, like so: [ENCRYPT]. Guidance on this can be found on the Trust's Intranet site under the Help section at http://nww.sthk.nhs.uk/pages/itservices.aspx?ipageid=5557
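The section 11 rules, as an added example that is not part of the policy and is not the Trust's or NHS's own tooling: a Python check of the kind a mail gateway could apply to outbound messages before they leave the .nhs.uk domain. It treats the [ENCRYPT] subject tag, the N3-connected domains listed later in section 11, and NHSmail (nhs.net) as the permitted routes for person identifiable information. Two things are assumptions of the example rather than anything the policy specifies: person identifiable information is detected by finding a valid NHS number in the body (the modulus 11 check digit is the standard NHS number rule), and the "local GPs linked to the COIN" route is omitted because it cannot be expressed as a domain rule. The messages at the bottom are constructed sample input.

```python
"""Outbound e-mail check modelled on section 11 of the Acceptable Use Policy.

Added illustration, not the Trust's code. A message that carries a valid NHS
number in its body is treated as sensitive and is allowed out only if:
  - the subject carries the [ENCRYPT] tag, or
  - sender and every recipient are on the N3 domains the policy lists, or
  - sender and every recipient are NHSmail (nhs.net) accounts.
Anything else is blocked with a reason the sender can act on.
"""
import re
from dataclasses import dataclass

# Domains listed in section 11 as acceptable for exchange over N3.
N3_DOMAINS = {"sthk.nhs.uk", "5bp.nhs.uk", "knowsley.nhs.uk", "hsthpct.nhs.uk"}
NHSMAIL_DOMAIN = "nhs.net"
ENCRYPT_TAG = "[ENCRYPT]"

# Candidate 10-digit numbers, allowing the usual 3-3-4 spacing or hyphens.
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")


def nhs_number_valid(digits: str) -> bool:
    """Modulus 11 check digit used by the NHS number format."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    # Weights 10..2 over the first nine digits.
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # a remainder of 1 gives check 10; such numbers are never issued
        return False
    return check == int(digits[9])


def find_nhs_numbers(text: str) -> list[str]:
    """Return the valid NHS numbers found in text (a simple PII detector).

    Using the NHS number as the detector is an assumption of this example.
    """
    found = []
    for m in NHS_NUMBER_RE.finditer(text):
        digits = "".join(m.groups())
        if nhs_number_valid(digits):
            found.append(digits)
    return found


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


def check_outbound(msg: Message) -> tuple[bool, str]:
    """Return (allowed, reason) for an outbound message under section 11."""
    pii = find_nhs_numbers(msg.body)
    if not pii:
        return True, "no person identifiable information detected"
    if ENCRYPT_TAG in msg.subject.upper():
        return True, "sensitive content, [ENCRYPT] tag present"
    domains = {domain_of(msg.sender)} | {domain_of(r) for r in msg.recipients}
    if domains <= N3_DOMAINS:
        return True, "sensitive content, all parties on listed N3 domains"
    if domains == {NHSMAIL_DOMAIN}:
        return True, "sensitive content, all parties on NHSmail"
    return False, (f"blocked: {len(pii)} NHS number(s) found and "
                   f"{sorted(domains - N3_DOMAINS)} is not an approved route")


if __name__ == "__main__":
    # Constructed sample messages; 943 476 5919 is a well-known valid test number.
    samples = [
        Message("a@sthk.nhs.uk", ["b@example.org"], "Referral", "NHS no 943 476 5919"),
        Message("a@sthk.nhs.uk", ["b@example.org"], "[ENCRYPT] Referral", "NHS no 9434765919"),
        Message("a@sthk.nhs.uk", ["b@knowsley.nhs.uk"], "Referral", "NHS no 9434765919"),
        Message("a@nhs.net", ["b@nhs.net"], "Referral", "NHS no 9434765919"),
        Message("a@sthk.nhs.uk", ["b@example.org"], "Rota", "ext 1234567890"),
    ]
    for s in samples:
        print(s.recipients, s.subject, "->", check_outbound(s))
```

Note that 1234567890 in the last sample fails the check digit, so it is not reported as an NHS number; a production detector would add further identifiers (names with dates of birth, staff numbers) and would log the block decision for the incident-reporting route in section 23.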

It is also acceptable to exchange person identifiable information between the Informatics Service managed email accounts listed in the table below through the N3 connection as long as it is sent from and to an appropriate NHS sited computer in any of these organisations @sthk.nhs.uk @5bp.nhs.uk @knowsley.nhs.uk @hsthpct.nhs.uk Local GP s who are linked to the COIN (ask the Helpdesk) NHSmail (nhs.net) can be used to send identifiable information as it encrypts data between email accounts to standards approved by Connecting for Health. It is acceptable to exchange sensitive information via NHSmail (nhs.net) accounts as long as checks are made to ensure that the recipient also has an NHSmail account and it is sent from and to an appropriate NHS sited computer. Guidance on how to apply for an NHSmail account can be obtained from the Helpdesk. Guidance on sending person identifiable information should be sought from the Helpdesk 12. Instant Messaging software The use of unapproved non-corporate deployed Instant Messaging (IM) clients and connectivity is strictly prohibited as it may leave the IT infrastructure open to potentially harmful software or virus attack via file transfer. 13. Social Networking Sites Access to Personal Blogs and social networking sites, examples of which are Facebook, MySpace, Twitter, Linkedln, Digg and Bebo (this list is not exhaustive) is strictly prohibited from Trust owned/managed computer equipment unless approval has been given by the Trust Editorial Board to utilise social networking sites for the purpose of either communications or public information. Access to social networking sites will only be considered for approval once a request has been made in writing from the Service Director via the IT Service Desk to the Assistant Director of ICT. 
Staff must be aware that social networking sites make personal information publicly accessible, allowing people to upload to a profile with personal details, photos, videos and notes and to then link with their friends profiles. This raises immediate concerns about privacy. 11

Although individuals may believe they have restricted access of their profile to their friend list, the High Court ruled that all postings to social network sites are regarded as being in the public domain and as such potentially accessible to all. Personal use of social networking sites may: Bring the organisation into disrepute by the posting of damaging remarks whether about the Trust, service users, colleagues or other 3rd parties. Give rise to risks of legal claims against the organisation, which is generally vicariously liable for the actions of its staff. As a consequence of inappropriate use of social networking sites staff might find themselves: In breach of this Policy (Internet, Intranet and Email Acceptable Use Policy). Damaging the organisation s reputation in such a way as to constitute a breach of individual s employment contract, leading to disciplinary action and possible dismissal. Breaching confidentiality, data protection, employment contract or professional Code of Practice Staff who access or are members of social networking sites in a private capacity must not post images that have been taken inside of, in the grounds of, or of Trust premises, or place misleading, malicious, or derogatory comments or references that would damage the reputation of, or misrepresent the Trust, or cause distress to its service users or any other employee. 14. Removable Media/User Disks/USB Devices Removable media can be defined as any portable device that can be used to store and move information. Media devices can come in various formats, including: Universal Serial Bus (USB) memory sticks (also known as flash disks or flash drives) Floppy disks Compact disks (CD) Digital Versatile Disks (DVD) USB Hard Disk Drives Secure Digital Cards MP3 / MP4 players i.e. ipods or any other brands 12

PDA (Palm Top Computer)
Some mobile phones and digital cameras
Dictation Devices

The Health Informatics Service Desk must be contacted to clarify the use of any other media devices not listed above.

Anything you can copy, save and/or write information to, which can then be taken away and transferred to or read on another computer, must NOT be used on Trust equipment unless prior authorisation from the Health Informatics Service Desk has been given. Access to, and monitoring of, such devices will be managed by the Trust's Safend device control software.

15. Protection from Malicious Software

The HIS will use software countermeasures and management procedures to protect itself against the effects of malicious software. All Partner Organisations must co-operate fully with this requirement. Users must not install any software on HIS managed equipment without permission from the HIS Head of IT.

16. Business Portable Devices

Business portable devices (laptops connecting to the organisation's network, mobile phones, BlackBerry phones, digital cameras, portable devices with internal or external memory, external hard drives, PDAs etc.) will not be permitted to connect to the Trust network unless explicit approval has been granted by the Head of IT.

17. Personal Portable Devices / Personal Information

Personal portable electronic devices (laptops, mobile phones, digital cameras, MP3/MP4 players, USB sticks, portable devices with internal or external memory, external hard drives, iPods, PDAs etc.) must not be connected to the Partner Organisations' IT equipment or network.

Desktop PCs, laptop computers and USB sticks are provided as business tools in support of business processes; personal files and folders (pictures, music files, personal documents etc.) must therefore not be stored on computers or servers.

Any use of a personal digital camera, or of a personal portable device capable of taking a photograph, to record information contained within any of the Partner Organisations' systems will be considered gross misconduct by that Organisation and will be subject to its disciplinary procedures.

18. Software Access Controls

The Head of IT will authorise appropriately trained members of HIS staff to install or modify software as appropriate.

19. Staff Access Controls

Partner Organisations must restrict system access to staff who have an identified requirement to access the information. Access controls must follow the guidance in the Caldicott principles until such time as the Role Based Access Control process under Connecting for Health is established in each of the Partner Organisations.

The management and issue of Smart Cards will be controlled by each Partner Organisation.

20. Physical Access Control

Access to computer hardware must be restricted to employees who have an agreed requirement to use it, as established by the Partner Organisation.

21. Application Access Control

Access to data, system utilities and program source libraries will be controlled and restricted to authorised staff. Authorisation to use an application will depend on the availability or purchase of a licence from the supplier.

22. Acceptable Personal Use & Disciplinary Procedures

The Trust allows limited personal use of the e-mail and Internet systems. The Trust considers that employees may browse the Internet or use e-mail for their own personal use, within the boundaries of this policy, before or after their normal working hours or during their lunch break. Where there is a need to conduct such activities within working hours, this should be agreed with your line manager.

Staff who break this Acceptable Use Policy will be subject to the Trust's disciplinary procedures. The Trust reserves the right to take legal action against individuals who cause it to be involved in legal proceedings as a result of their violation of licensing agreements and/or other contraventions of this policy.

23. Reporting of Incidents

All suspected information security incidents concerning inappropriate access to, damage to, or use of network systems must be reported to the HIS Head of IT via the IT Security Engineer. These security incidents will be investigated to establish their cause, operational impact and business outcome, and the findings will be reported back through the appropriate channels.

Incidents may involve any:
- risk to the integrity of computer systems or data
- risk to the availability of computer systems
- adverse impact, such as:
  - a legal obligation or penalty
  - financial loss
  - disruption of activities

Examples of possible breaches include:
- virus infections
- introduction of spyware / malware
- hacking
- copying and using unauthorised or unlicensed software
- inappropriate use of the Internet or e-mail
- storing personal data

The responsible senior member will then take the appropriate action within the Trust's disciplinary framework, in conjunction with other relevant departments within the local health economy. IT Services staff will also take action when infringements are detected in the course of their normal duties. Actions will include, where relevant, the immediate removal from online information systems of material that is believed to infringe the law.

The Trust reserves the right to audit and/or suspend without notice any account pending any enquiry. Where necessary, this will include the interception of electronically mediated communications.

This policy is not exhaustive, and new social and technical developments will lead to further uses which are not fully covered by this policy. In the first instance staff should address questions concerning what is acceptable to their line manager. Where there is any doubt, the matter should be raised with the Trust's Information Governance Department via the confidential hotline number, which is available on the intranet.

Appendix A: Trust Related Policies

Information Security Policy
Freedom of Information Policy
Information Governance Policy
Removable Media Policy
Records Management Policy
Disciplinary Procedures Policy
Equality and Diversity Policy
Harassment at Work Policy
Safe Haven Policy

Appendix B: Relevant Legislation

Users will be obliged to comply with legislation as appropriate, including:

The Data Protection Act 1998 (including the relevant specific codes of practice, e.g. Employment Practices)
Freedom of Information Act 2000 (FOI)
The Computer Misuse Act 1990
Human Rights Act 1998
Regulation of Investigatory Powers Act 2000
Health & Social Care Act 2000
Children Act 2004
Public Interest Disclosure Act 1998
Audit & Internal Control Act 1987
National Health Service Act 1977
Prevention of Terrorism (Temporary Provisions) Act 1989
Regulations under the Health & Safety at Work Act 1974
Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992)
Crime and Disorder Act 1998

Much of the relevant legislation is available at the following Internet link: http://www.legislation.hmso.gov.uk/