Email, Internet & Social Networking Policy Version 3.0. 5th December 2014


Email, Internet & Social Networking Policy

Lead executive: Chief Nurse
Name / title of author: Colin Owen, Information Governance and Data Security Lead
Date reviewed: October 2014
Date ratified: 5th December 2014
Ratifying Committee: Information Governance Committee
Target audience: All users of Trust email and internet services
Policy Summary: To set out the Trust's standards for the use of email, internet and social media to help support management with the delivery of Trust services and for communicating with partner organisations and stakeholders. Both Internet and email services are to be used primarily for Trust business, but are available for appropriate general use providing the use is deemed reasonable with the Trust's standards set out in this policy.
Equality Impact Statement: University Hospital of South Manchester NHS Foundation Trust (UHSM) strives to ensure equality of opportunity for all service users, local people and the workforce. As an employer and a provider of health care, UHSM aims to ensure that none are placed at a disadvantage as a result of its policies and procedures. This document has therefore had an initial assessment, in accordance with the equality impact proforma incorporated in the Checklist for Review and Ratification of UHSM-wide Documents, to ensure fairness and consistency for all those covered by it regardless of their individuality. This initial impact assessment indicated that the potential discriminatory impact is very low, and therefore no further assessment was necessary.
Training impact and plan summary: The Policy is part of the IG Mandatory Training Programme.
Outline plan for dissemination: Available by the Intranet
Dissemination lead (name / title / ext no.): Colin Owen, Information Governance and Data Security Lead
This version no.: V3.0
Date published: 04/03/2015

This version (v3.0) December 2014 Page 1 of 16 Next review December 2016

Version Control Schedule

Version number Issue Date Revisions from previous issue Date of ratification by Committee 24/02/2010 V1.0 20/10/2009 NA V2.0 V2.1 19/11/2013 Modifications to the rules for personal internet use to reasonable use. V3.0 07/11/2014 Change of title, minor changes and clarifications for private use of personal mobiles. HCGC March 2010 19/11/2013 05/12/2014

Document Control

Summary of consultation process: Reviewed by all Information Governance Committee members, reviewed by Communications Manager and put out to consultation by all staff.

Control arrangements [Review usually every 3 years, but more frequently if required]: Information Governance Committee is tasked with monitoring this policy and all related material that might prompt revision. It is the role of the IG Lead/HR Manager to update as appropriate. Audit of Compliance will be made in the form of a report to IGG twice per year by the IG Lead/HR Manager. The policy will be revised every two years in line with Trust Policy, or sooner should a change in guidance dictate. There is an associated IG action plan reviewed annually in line with IG toolkit results, and monitored and developed by the Information Governance Committee.

Associated documents: IT security Policy, Confidentiality Code of Conduct Policy.

References

Document Compliance Monitoring Arrangements

Process for monitoring
Responsible individual / group / committee: Information Governance Committee
Frequency of monitoring: Two yearly
Role responsible for preparation / approval of report and action plan: Information Governance and Data Security Lead
Committee responsible for review of results / approval of action plan: Information Governance Committee
Individual / group / committee that is responsible for monitoring of action plan: Information Governance Committee

Contents

1 Introduction
2 Policy Statement
3 Legal Issues
4 Use of Services
5 Monitoring of User Activity
6 Process for monitoring the effectiveness of the Policy
7 Dissemination, Implementation and Access to this Document
8 Review, Updating and Archiving of this Document
9 References and Bibliography
10 Associated Documentation
11 Duties

APPENDICES

12 APPENDIX A - PLAN FOR DISSEMINATION

1 Introduction

1.1 University Hospital of South Manchester NHS Foundation Trust (UHSM) recognises that Internet and Email services have the potential for enormous benefit to employees.

1.2 The facilities bring tremendous potential to support the management and delivery of Trust services, and for communicating with partner organisations and stakeholders. It is Department of Health policy, adopted by the Trust, that all NHS staff have the facility of internet and email access available in their workplace. Both Internet and email services are to be used primarily for Trust business, but are available for appropriate general use providing the use is deemed reasonable with the Trust's standards set out in this policy.

1.3 Social networking sites such as Twitter and Facebook are popular and used by many staff and some approved departments within the organisation, but misuse of these can lead to breaches of confidentiality or bring the reputation of the Trust.

1.4 Again, however, UHSM also recognises that these services can be misused, and thus the associated risks and pressures, including litigation and security concerns, confidentiality breaches, legal and regulatory compliance and productivity of staff must be addressed.

2 Policy Statement

2.1 The objectives of this policy are to:
- Clarify Trust policy regarding acceptable and unacceptable use of internet and email services and social networking.
- Reduce or avoid security threats by increasing awareness and disseminating good practice.
- Encourage effective use of Trust resources.
- Protect the Trust against potential liability.
- Ensure confidentiality of staff/patients is maintained at all times.

2.2 This policy applies to all individuals (employed or otherwise) having the facility to use the Trust's email and internet services, on Trust equipment or other devices (where the Trust has approved), plus anyone granted access to the Trust network whilst engaged in work for the Trust at any Trust occupied location, and/or on any Trust owned or Trust approved computer, including those with remote or smart phone access. In terms of social networking, as a Trust employee, representative or anyone working on behalf of the Trust, the Trust has a reasonable expectation that staff will not bring the Trust into disrepute, and therefore this policy is extended to the staff member's social media use. Staff must not use their phones for personal reasons whilst undertaking clinical practice or where near patients, and must keep personal use to a minimum and to emergency situations.

2.3 The policy also covers Trust web gateways, direct email, web mail, instant messaging, and NHS Mail accessed from Trust equipment (or other approved devices). This includes staff conduct both on and off site, whilst using such services, and therefore this policy is extended to the staff member's personal use.

2.4 The principles of this policy also apply to staff that have been granted access to internet and email services remotely from home or via a device for Trust business. The policy also provides guidelines for staff in creating emails and managing their mailboxes.

2.5 The Trust will at all times seek to act in a fair manner and respect staff rights for privacy of their personal data under the Human Rights Act 1998 and the Data Protection Act 1998.

3 Legal Issues

3.1 The Trust owns the network over which email and internet services are provided. This means that the communications over the network cannot be classed as private and the Trust reserves the right to monitor activity if this is prompted. This may lead to a formal investigation under Trust disciplinary procedures.

3.2 However, the Trust is not compelled to initiate an investigation.

3.3 All staff using internet and email resources should clearly understand the legal issues involved from both their own perspective and from that of the Trust. The laws of defamation, obscenity, discrimination and harassment, copyright and confidentiality all apply to staff use of email and internet services.

4 Use of Services

4.1 General

4.1.1 All network services including email and internet access are provided primarily for Trust business, but are available for general use providing the use complies with Trust policies.

4.1.2 Staff must not:
- Use the network or services for personal financial gain, or for personal or private advertising.
- Use another staff member or party's username or password to access the network, or allow another user to use his/hers.
- Attempt to introduce and transmit material (including but not restricted to computer viruses, Trojan horses and worms) designed to be destructive to computer systems, or to try to get round precautions designed to prevent such material.
- Access or display any pornography or other sexually explicit images or documents, or any other images that are discriminatory, including screen savers.
- Delete other users' files or interfere in any way with the contents of their directories, particularly if given temporary or shared access.
- Remove computer software such as desktop icons, wallpaper or screensavers from its location or tamper with it in any way.

4.2 Internet

4.2.1 The Trust Internet use is monitored. The Trust allows a reasonable amount of personal browsing time in non work time.

4.2.2 Access to non business sites will be monitored. Staff should refrain from using the internet for personal use, even on their own mobile devices, for example smartphone or tablet, when they should be working. Members of staff abusing this privilege may be disciplined in accordance with the Trust Disciplinary Procedure.

4.2.3 The Trust blocks a number of websites that have been classified as inappropriate use. If it is thought a site needs to be reclassified, staff should contact the IT department for approval.

4.2.4 Users must not:
- Exceed a reasonable amount of internet browsing time for non-Trust business access on Trust or own equipment in non working time.
- Express opinions over the internet that purport to represent the views of the organisation or reflect negativity on the organisation.
- Use the internet in such a way that interferes with the productivity of their department.
- Access inappropriate, offensive or sexually explicit sites. (Should staff inadvertently navigate on to such a site, they must exit immediately, making a note of the URL, and report it to the IT service desk on 2820-, requesting a log number from IT.)
- Use the internet in such a way that interferes with Trust business use, i.e. media streaming which takes up a lot of space on the network, and slows the internet down for legitimate business use.
- Use non-work related chat-rooms or similar services.
- Play computer games across the Trust network and/or the internet on a Trust PC or laptop.

4.2.5 This list is not exhaustive, but indicates the types of activity that may be regarded as misconduct. Staff should always bear in mind that they may be called upon to justify the use of internet and email to their manager, both in terms of time and content.

4.2.6 Unacceptable use of internet and email services includes any action which could bring the Trust into disrepute, interfere with the Trust's business, its reputation or jeopardise the security of data, networks, equipment or software or cause harm to recipient's patients or staff. Inappropriate web sites are subject to restriction by the Trust's web content management process.

4.3 Email

4.3.1 The email service provided by the Trust is primarily for business use and is owned by the Trust; as a result the Trust has a responsibility to ensure that this service is used appropriately and not for illegitimate or illegal activity.

4.3.2 The Trust reserves the right to routinely or intermittently monitor email activity and usage, and to investigate further if prompted to do so.

4.4 At all times the Trust will seek to act in a fair manner and respect staff rights for privacy of their personal data under the Data Protection Act 1998.

4.5 However, staff should be aware that no communication sent over Trust owned networks can be truly private, and should seek other methods of transfer should they wish to communicate in a private setting.

4.6 The Trust will employ Information Commissioner's Office guidance in the event of an investigation into a member of staff's email account, and this will be done in conjunction with Human Resources. Where appropriate the staff member will be informed that this type of investigation will be taking place, unless this would jeopardise a criminal investigation.

4.6.1 Acceptable Use

Staff should:
- Ensure that the identity of the receiving recipient's email address is correct, and that messages or data sent by Trust or NHS mail do not cause distress or offence to the receiving recipient, including chain mail messages, and jokes.
- Guard against accidental breaches of confidentiality by entering a wrong address or forwarding a message to inappropriate recipients.
- Note that the sender's name in the From box within an email is not always reliable and could be used maliciously by other internet/email users.
- Initiate the Out of Office assistant on the Trust email service giving details of alternative contacts or arrangements for planned periods of absence.
- Set up shared email accounts and calendars, for managers/consultants and their secretaries through the Local Service Desk, rather than sharing usernames and/or passwords. If this is not done then a line manager may authorise the IT department to make this available in times of need by giving authorisation to access the employee's email account. The user should be informed by the line manager on return as to the reason for access and the user will require a new password via the IT department.
- Use the sensitivity categories on email carefully (normal, personal, private, confidential) where appropriate.
- Clearly state to the recipient when material is private and confidential.
- Include private within the title of the email in private emails (i.e. non-Trust business). These emails will not be opened, unless they contravene other rules of the monitoring software or providing they do not contain profanity or for other good reasons such as being involved within a specific investigation. Staff should note marking an email as private will not negate the need to investigate that email in the event of a complaint or if an investigation is initiated (see above).
- Inform their line manager if unsolicited offensive or sexually explicit emails are received, who will be responsible for deciding whether further investigation or disciplinary action is appropriate.

4.6.2 Unacceptable Use

Staff must not:
- Use email to engage in activities or to transmit content that is harassing, discriminatory, menacing, threatening, obscene, defamatory, or in any way objectionable or offensive. This includes disparagement or defamation concerning race, religion, colour, sex, sexual orientation, national origin, age, or disability, and incorporates sending, receiving, soliciting, printing, copying or replying to such messages.
- Assume that copying in individuals means that the receiver has read or agreed with the content of the email.
- Express personal views in such a way that they are likely to be interpreted as being the official policy/view held by the Trust.
- Use personal email software/webmail (for example, hotmail) for Trust business.
- Send patient identifiable information or sensitive information externally via an email message on the Trust system. NHS.net should be used instead. For further information see the Information Security Policy.
- Send or forward on unwanted email (junk email or unsolicited marketing material, commonly known as SPAM), chain letters and offers, hoax virus warning, amusing animations and graphics, unsolicited mail or communication lists via the Trust's email system, as these can impact systems and disrupt email services.
- Commit the Trust to purchasing or acquiring goods or services without correct authorisation in line with the Trust's Standard Financial Instructions.
- Use their own disclaimer on email messages sent to recipients outside of the Trust without approval by the IG and Data Security Lead. The Trust has a legal disclaimer which is automatically attached to all external email messages as they leave the Trust network.
- Deliberately release confidential information. This is a disciplinary offence, as set out in this policy and the Trust Confidentiality Code of conduct.
- Use email services to forge email signatures.
- Initiate a SPAM attack from within the Trust, using Trust or own equipment.

4.6.3 For messages internal to the Trust, minimal patient details should be contained in the body of the email and preferably an attachment, which is password protected or via a link to a secure intranet page. For messages containing clinical information going outside the Trust, NHS Mail must be used, as this provides adequate security by encryption. Alternatively use https://uhsm.sendfilesafely.net/ to securely exchange files with other NHS and non-NHS organisations over the internet. Inappropriate email messages going out of or coming into the Trust will be subject to quarantine and removal by the Trust's message content management process.

4.7 Social Networking, Discussion Forums and News groups

4.7.1 A social network service focuses on the building and verifying of online social networks for communities of people who share interests and activities, or who are interested in exploring the interests and activities of others.

4.7.2 Most social network services are primarily web based and provide a collection of various ways for users to interact, such as chat, messaging, email, video, voice chat, file sharing, blogging, discussion groups.

4.7.3 Standards for individuals (employed or otherwise) who are engaged by the Trust:
- will not maintain any site that contains personal identifiable information of Trust patients, or relatives, whilst they are a patient at the Trust. This does not preclude staff from having pictures of relatives on their site, as long as they are not in situ as a patient of the Trust.
- will not maintain a site that contains photographs of Trust patients and/or their relatives.
- will not maintain a site that contains person identifiable information of another Trust employee in relation to their employment including judgements of their performance and character.
- will not maintain a site that contains photographs of another Trust employee taken in the work situation or in their working uniform.
- will not maintain a site that contains defamatory statements about University Hospital of South Manchester, its services or contractors.
- must not express opinions in the above forums that purport to represent their own views on the organisation, whether from the Trust network or home.
- must never post a comment on the organisation that purports to represent the views of the Trust, without first consulting the Communications team.

4.7.4 As a Trust employee the Trust has a reasonable and lawful expectation that staff will not bring the Trust into disrepute; this is extended to the home environment as well. Any grievance with the organisation should be channelled through procedures and policies already in place and dealt with within the work environment.

4.8 Instant Messaging

4.8.1 Staff must not:
- Use Instant messaging, e.g. via MSN (Microsoft network) for internal business use, or private use at work or over the Trust network.

Instant messaging is a way of communicating from one user to another and differs from email in that the conversations happen in real time.

4.9 Streaming Media

4.9.1 Staff must not:
- Use streaming media on the Trust site for personal or private use.

Media that is distributed over a data network can be streamed such as radio or television or non-streamed such as video or audio. The user does not have to wait to download a large file before seeing the video/TV programme or hearing the sound, because it is sent in a continuous stream that is played as it arrives. This uses a great deal of bandwidth, potentially affecting other Trust business use of the internet.

4.10 Private Use

4.10.1 Staff should use internet facilities primarily for Trust business but private use is allowed within a reasonable personal browsing time. Employees must never allow use of the facilities to interfere with their job performance or work responsibilities. Staff who abuse this privilege will be subject to disciplinary action.

4.10.2 Similarly, staff may use email occasionally and not excessively for personal use, e.g. to communicate with family members, but this personal use should be limited to lunch or other breaks, or after normal working hours and be absolutely necessary, protecting identifiable data in line with the requirements of the Trust Information Security Policy.

4.10.3 Personal use should not include operating a business, campaigning for political causes or candidates, or promoting or soliciting funds for a religious or other personal cause, and must comply with the provisions of this policy.

4.10.4 It is not permissible to use the Trust's address for private correspondence, or for delivery of goods purchased over the internet (other than those staff who have resident accommodation on site). Out of hours usage does not lessen the Trust's legal responsibility regarding inappropriate material and/or harassment, misrepresentation and other issues, and thus the principles of this policy apply to private use as well as business use.

4.10.5 Where an email is identified as private in its header, the message content will not be accessed, unless that message is suspected to contravene good employment practice or unlawful activity. Where an employee is suspected of abusing the privilege of private use of email, the volume of misuse will be the major focus of investigation. However, if the Trust suspects an employee of engaging in criminal activity in the workplace and reasonably believes that this may involve the sending or receipt of emails, the Trust will have a right to access the contents of messages marked as private.

5 Monitoring of User Activity

5.1 Routine Monitoring of Internet usage

5.1.1 A series of random dates will be selected by the SIRO / Caldicott Guardian when user reports will be made available by the IT department for routine retrospective internet monitoring. A small working group will be established with a HR Lead, IG Lead and an IT Manager to analyse audit logs and forward any concerns to the relevant manager of the individual.

5.2 Ad Hoc Monitoring (Internet and Emails)

5.2.1 A senior manager who suspects there has been a breach of policy by an individual(s) for which they are responsible should make an approach to the HR Lead and the IG Lead for copies of audit/usage reports.

5.2.2 The Information Governance and Data Security Lead will request an activity report detailing internet or email use. This will be made available if an HR manager or a Director has authorised it.

5.2.3 It is the responsibility of the IT Services Department and the Information Governance and Data Security Lead to undertake more in depth investigation where appropriate. This can involve the reading of business and personal email contents and attachments to verify the validity of the content. A similar process is undertaken to assess and categorise web pages and web mail. However, this will always be done in accordance with the law, and take into account ICO guidance.

5.3 The following tools are implemented as described

5.3.1 Anti-virus

Is implemented on:
- Client and server machines.
- Dedicated email server.
- Email gateways.

This means that all staff's email and outside connections will be scanned for viruses as a normal part of network security.

5.3.2 Mail Content

Is implemented on:
- Email gateways.

5.3.2.1 This software scans incoming and outgoing emails for inappropriate material such as language, images, and certain file types. It also places restrictions on file size and file type, and adds the authorised Trust disclaimer on outgoing messages.

5.3.2.2 Messages found to be in contravention of the rules set up within the software are quarantined, and assessed for release or deletion in line with the IT Services operational procedures. Ad-hoc processes are also carried out as requested via the IT Service Desk.

5.3.3 Web Filtering

- Prohibits access to sites with offensive material.
- Monitors access to all permitted sites.
- Can audit and report on all sites permitted and prohibited.
- Filtering and reporting can be implemented on specific machines, staff, departments, websites, and categories.

5.3.4 Anti-spam

Is implemented on:
- Dedicated email server.
- Email gateways.

5.3.4.1 These services trap, quarantine/remove incoming mail that appears to be spam.

5.4 Breach of Policy 5.4.1 If a breach of this policy should occur individuals should contact their line manager in the first instance if it is appropriate to do so. It is possible such a matter may be resolved locally, although HR would act to support line managers if this was not the case and further action needed to be taken. If staff are found to have contravened this policy disciplinary sanctions, up to and including dismissal can occur. 6 Process for monitoring the effectiveness of the Policy 6.1 The policy will be monitored by staff as outlined in section 3 of the policy. The standards set out will be reviewed by the Information Governance Committee to ensure it is up to date with relevant guidelines and associated good practice. 6.2 Internal audit will review the processes attached to this policy in association with IT security monitoring. 7 Dissemination, Implementation and Access to this Document 7.1 This policy will be available via the Intranet, and the publication scheme on the internet. Staff will be notified of it s presence via global email, and Trust induction. Staff will be informed of the necessity to read this policy during mandatory training and team brief. 8 Review, Updating and Archiving of this Document 8.1 This policy will be available via the Intranet, and the publication scheme on the internet. Staff will be notified of it s presence via global email, and Trust induction. Staff will be informed of the necessity to read this policy during mandatory training and team brief. 9 References and Bibliography Computer Misuse Act 10 Associated Documentation Information Security Policy Code of Confidentiality for Staff 11 Duties 11.1 Duties within the Organisation 11.1.1 The Chief Executive also known as the Accountable Officer is responsible for ensuring that the Trust has effective policies to assist staff and control risks. 
11.1.2 The Caldicott Guardian is responsible for ensuring that Information Governance policies are in place, and that the Trust Board is aware of any related Information Governance issues arising from policy implementation.

11.1.3 The Senior Information Risk Officer is responsible for ensuring the Accountable Officer is made aware of any information risks associated with this policy, and acts as an advisor to the Board.

They are responsible for ensuring any information assets associated with this policy are managed appropriately by an Information Asset Owner.

11.1.4 Head of IT Operations is responsible for:
- The availability of IT Services.
- Managing the IT Services infrastructure and staff.
- Ensuring compliance to external standards and policies, e.g. Connecting for Health (CfH).
- Ensuring the availability of internet and email services and their supporting infrastructure.
- Managing the security and integrity of data, via anti-virus, mail content, and web filtering and content and anti-spam products.
- Managing the internet filtering and content by testing the integrity of web sites and categorisation of sites not yet categorised by the Barracuda Web Filter product.
- Managing the mail store, and the establishment and maintenance of shared mailboxes and calendars.
- Managing and monitoring the email quarantine area and releasing appropriate messages.
- Undertaking programmed and ad hoc monitoring arising out of internet and email security products.
- Maintaining the Microsoft Active Directory for the NHS Mail Directory Connector Service.
- Maintaining the currency of Trust employees in appropriate sources (starters and leavers).
- Producing documentation and reports on internet and email usage and misuse.
- Reporting non-compliance to this policy and other security violations via the Trust risk management procedure.

11.1.5 Information Governance and Information Security Lead is responsible for:
- Assisting HR and Managers in providing guidance to support their investigations.
- Advising the IG Committee of any breaches occurring under this policy.
- Reporting non-compliance to this policy and other security violations via the HIRS.
- Keeping the policy under review in light of incidents and legislation.
- Advising on the security of personal data under Data Protection legislation.
- Raising initial awareness of the policy at the corporate Trust induction and mandatory IG Training via the IT Training department.

11.1.6 Line Managers are responsible for:
- Monitoring staff compliance with the policy (see monitoring section).
- Monitoring staff time spent on personal use of the internet and email services (see monitoring section).
- Instigating further investigations arising out of suspected misuse.
- Taking action regarding misuse in accordance with the Trust's Disciplinary Policy.
- Reporting non-compliance to this policy and other security violations via the HIRS.

11.1.7 All users of Trust email and Internet services are responsible for:
- Reading and complying with this policy and associated guidelines.
- Reporting non-compliance to this policy and other security violations via HIRS.
- Ensuring compliance with guidelines for the records management of email boxes, e.g. regularly deleting items no longer needed.

- Adhering to the NHS Mail Acceptable Use Policy when using NHS Mail.
- Ensuring they do not engage in activity contrary to this and other related policies.

12 APPENDIX A - PLAN FOR DISSEMINATION

Title of document: Email, Internet & Social Networking Policy
Date finalised:
Previous document already being used? Yes
Dissemination lead (print name and contact details): Colin Owen 0161 291 3756
If yes, in what format and where? Via the Intranet
Proposed action to retrieve out-of-date copies of the document: Not applicable.
Describe the plans for dissemination of the document to specific people / groups in specified formats and if appropriate with relevant training: IG Committee via email

Dissemination Record - to be used once document is ratified.
Date put on register / library of policy or procedural documents: 04/03/2015
Date due to be reviewed: 31/03/2017
Notes: