MOBILE COMPUTING & REMOTE WORKING POLICY AND PROCEDURE. Documentation Control. Consultation undertaken Information Governance Committee


MOBILE COMPUTING & REMOTE WORKING POLICY AND PROCEDURE

Documentation Control

Reference: GG/INF/020
Date Approved: 13
Approving Body: Directors Group
Implementation date: 13
Supersedes: Not Applicable
Consultation undertaken: Information Governance Committee
Date of Completion of Equality Impact Assessment: September 2010
Target Audience: NUH staff
Supporting Procedure: Information Security Procedure
Review Date: September 2013
Lead Executive: Director of Health Informatics
Author / Lead Manager: Information Security Adviser
Further Guidance/Information: ICT Information Security Ext 59756

CONTENTS

1. Aim and Scope
2. Definitions
3. Information Risk
4. Management Responsibility
5. Staff Responsibility
6. General policy statements
7. Incident Reporting
8. Termination of employment
9. Disposal of Media and Equipment
10. Equality and Diversity Statement
11. Equality Impact Assessment Statement
12. Environmental Impact Assessment
13. Implementation and Monitoring plan
14. Review
15. Associated Documentation
16. We Are Here For You

Appendix A We Are Here For You Toolkit
Appendix B Equality Impact Assessment Report
Appendix C Employee Record of Having Read the Policy

1. Aim and Scope

1.1 This policy is aimed at all NUH staff who access and use Trust information by connecting remotely to secure servers by using dial-in technology or by using mobile devices. NUH staff includes temporary workers, locums and staff seconded or contracted from other organisations, as well as permanent staff, who have access to and use NUH information.

1.2 The Trust is required to have appropriate procedures for ensuring that mobile and teleworking are conducted in a secure manner in order to satisfy statutory and mandatory standards of information security. This is a key Information Governance requirement (Ref 8-314).

1.3 Any information that is related to and can identify a living individual is personal data protected by the principles of the Data Protection Act 1998 (DPA). The 7th DPA principle states that "Appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to personal data".

1.4 The confidential and business sensitive Trust information that warrants protection by adherence to this policy includes any information concerning patients and staff and any other information that would cause commercial or reputational harm if it was exposed to somebody who should not see it.

1.5 This policy covers:
- Connection to the Trust network remotely
- The processing of Trust information away from Trust premises
- The processing of Trust information on mobile devices

1.6 This policy is designed to mitigate the information risks of loss, misuse and unauthorised access to confidential or sensitive Trust information when it is accessed and/or removed from the secure systems or premises.

1.7 NHS Policy says there shall be no movement of identifiable personal information without encryption (David Nicholson Gateway Ref: 9424).

1.8 Adherence to this policy will ensure that the Trust meets legal obligations and national standards in information security. It sets the rules that all staff must follow to ensure that confidentiality of personal and business data is maintained and ensures that patients, staff and visitors have confidence in the Trust's standards in information management and security.

1.9 Failure to comply with the requirements of this policy may result in an individual being forbidden to work remotely and may lead to disciplinary action. In some circumstances loss of Trust data can result in prosecution.

1.10 The scope of this policy does not include the health and safety risks of working from a home environment or associated insurance, taxation, mortgage or lease conditions or any other aspect or Trust policy that managers need to take into consideration when agreeing to home working.

2. Definitions

2.1 Mobile devices (also called Portable Computer Devices)
This includes any equipment that can store information independently from the Trust's fixed secure network servers and transport it to any location, in particular away from NUH premises. Typically this will include laptops, notebooks, tablet PCs, palmtops and personal digital assistants, but it also includes digital devices such as dictaphones and mobile phones.

2.2 Removable Media or Data Storage Media
Any physical item that can store digital information and requires another device to access it. For example, CD, DVD, floppy disc, tape, flash memory cards, USB data sticks and portable hard drives. Essentially anything that you can copy and save and/or write data onto which can then be taken away and restored onto another computer.

2.3 Remote Working
Accessing Trust data whilst working away from your normal fixed place of work, via any of the following means:
- Mobile Computing - Working at any location, using mobile devices and/or removable media (listed above)
- Teleworking and home working - Working at home or any location other than your normal work base requiring periods of access to NUH Information systems.

- Remote connection - Authorised staff can access data held on the Trust's secure server remotely using a VPN (Virtual Private Network) token. The system allows access from any Internet connected PC, referred to as the Host PC.

2.4 Encryption
Encryption is mandatory on mobile devices to ensure the security of confidential information.

2.5 Unauthorised use and unauthorised access
Unauthorised use is when any individual who is not the staff member responsible for the security of that data, mobile device, portable equipment or the password holder, and who does not have any right or justification (authority) to have that data, gains access to data, including sight of data, accidentally or deliberately. Such access is referred to as unauthorised access. Unauthorised access to personal data is illegal.

3. Information Risk

This policy is designed to provide direction to NUH staff to mitigate the risks of loss, misuse and unauthorised access to confidential or sensitive Trust information when it is accessed remotely or removed from the secure systems or premises on a mobile device or removable media. The risks to information in these circumstances are specified below, and staff and managers should be aware of these risks and know how to manage them:

3.1 Theft, loss or damage of equipment
Equipment and data in transit are at particular risk of being damaged, lost or stolen. Precautions should be taken to ensure equipment and data are not left unattended in public areas and exposed to unauthorised access and/or theft.

3.2 Unauthorised access to data
Unauthorised access to data is possible in a number of ways. Staff must not leave equipment or media containing confidential data in places where it may be seen, accessed or used by unauthorised individuals. Unauthorised individuals may attempt to gain access to data through technical means such as sniffing or through guessed passwords. Encrypted data on media or encrypted transfer of data (e.g. by email), strong access controls and user identification/authentication, and strong wireless networks are essential information security protections necessary to reduce the risk of unauthorised access to Trust data.

3.3 Malicious and unauthorised mobile code
All mobile devices and removable media should have their anti-spyware components regularly updated to protect against these types of attacks.

3.4 Data backups
Mobile devices such as laptops should be configured so that data processed on them is synchronised to the Trust's secure network and must be connected to the servers on a regular basis. Only the minimum amount of data required must be carried in mobile devices at any one time to reduce the risk of the potential impacts of unforeseen events.

3.5 Working environment
The location for teleworking and homeworking must be risk assessed and should cover:
- Physical security, for example, the risks of home burglary and loss of equipment may need to be mitigated through the use of physical security devices such as Kensington locks or anchorpad encasements.
- Compliance with Display Screen Equipment regulations, if appropriate. For example, having a workstation with an adjustable chair and suitable lighting.

- Environmental conditions, for example, ensuring that NUH equipment or data is not held in an area where heat, cold, water or dampness could cause damage.

Measures to remove or minimise risks shall be implemented as necessary.

3.6 Equipment ownership
NUH is responsible for ensuring that staff have the necessary facilities and equipment in order for them to do their job. The use of employee owned equipment for Trust business purposes introduces additional risks to the security of information that may not be obvious and beyond the control of the organisation. For example, accidental unauthorised access to data by other family members using the same equipment and/or accidental disclosure of confidential information through inadequate security protection or insecure disposal of redundant equipment, loss and/or inaccessibility of data to the Trust, illegal data processing. Trust data must not therefore be downloaded and held on personal equipment.

The two approved secure options for accessing data when working remotely are either:
a) Use of official Trust issued mobile devices to hold and access Trust data from an encrypted hard-drive or to download and read data held on encrypted portable media
b) By secure token dial-in access to data held on Trust servers via the Virtual Private Network (VPN).

4. Management Responsibilities

Mobile working and remote working must be authorised and controlled by managers. The NHS structured approach to information risk management has been implemented within NUH as follows:
- Accountable Officer (AO): Chief Executive
- Senior Information Risk Owner (SIRO): Director of ICT
- Information Asset Owners (IAO): Clinical and Corporate Directors

- Information Asset Assistants (IAA): Directorate managers nominated by, and providing support to, the IAO

4.1 Clinical and Corporate Directors
As IAOs, Directors are responsible for the management of information risk within their Directorate and in particular are responsible for ensuring their staff are aware of the information risks identified within this policy and take responsible action to mitigate them.

IAOs must ensure procedures are in place within their Directorate to enable the identification and assessment of information risks of mobile computing and remote working and the implementation of control measures, including staff training and awareness, to mitigate the risks.

IAOs must ensure all mobile and teleworkers are appropriately approved and authorised. This should include a procedure to ensure that mobile computing and removable media devices used are approved Trust equipment that has been encrypted.

Equipment holding Trust data is an information asset and must be recorded on the Trust's Information Asset Register.

Regular audits should be undertaken to ensure all users are approved, that mobile devices issued can be accounted for and that assurance can be given to the SIRO that identified risks are adequately controlled and managed.

4.2 Managers
Managers are responsible for ensuring that all their staff have read and understood this policy prior to authorising remote working and mobile computing arrangements. They must ensure that staff work in compliance with this policy and other appropriate legislation and Trust policies. This includes the responsibility for ensuring that risk assessments are or have been carried out and that suitable controls are put in place and remain in place to either eradicate or minimise any identified risks to the security of NUH information.

4.3 SIRO
The Director of ICT, as the Trust's appointed SIRO, is responsible for ensuring that identified information security risks are managed through an assurance framework. The SIRO will ensure specialist advisory support is provided to the IAOs and IAAs to assist them to carry out their responsibilities, including advice on the interpretation and application of this policy where required.

5. Staff Responsibilities

5.1 All staff, whether permanent, temporary or contracted, must be aware of their own individual responsibilities for the maintenance of confidentiality, data protection, information security management and information quality and understand they are duty bound and legally required to comply with this policy.

5.2 Failure to comply with this policy may result in disciplinary action being taken, which may result in the withdrawal of authorisation and facility to work remotely.

5.3 Staff shall inform their manager if they have any concerns about any issues that would constitute an information risk. This covers not only risks to resources or confidentiality of data, but also personal risk, risk to others and risk to the Trust's reputation.

5.4 Staff need to demonstrate to their line manager that they have read and understood this policy and are aware of their responsibility for the protection and security of the Trust information they have access to and use. They must agree with their managers exactly how they will ensure that this policy is fully met when working away from NUH controlled premises.

5.5 Staff who are authorised to work remotely, or from home, shall only access the Trust information that they need in order to do their job by either:
- Remote VPN connection, or
- Use of an encrypted mobile device issued by the Trust

5.6 Holding personal data on anything other than Trust equipment is a breach of the Data Protection Act 1998. Staff are not permitted to hold person identifiable data or any other Trust sensitive data on personally owned equipment, in particular home PCs. This includes, for example, uploading Trust data from removable media directly onto the hard-drive of a personally owned PC at home, or bypassing the secure encryption methods by emailing confidential or sensitive Trust information to their personal email accounts.

5.7 Holding other commercially or business sensitive Trust data on personal equipment would breach Trust policies concerning information security and records management.

5.8 Staff who regularly work remotely should access information directly from the Trust's systems via the VPN to avoid having to transport information and to mitigate the risk of accidental loss of data and equipment.

5.9 Where the Trust has supplied any form of mobile device or media, only appropriately authorised members of staff are allowed to have any access to it. Staff must not allow an unauthorised person, e.g. a member of their household, to use and/or access information held on the device, either deliberately or inadvertently.

5.10 Staff must not, under any circumstances, disclose their network user name, or password, or personal PIN number to anyone or allow anyone to use their VPN token to gain access to Trust data.

5.11 Staff must not connect any Trust supplied equipment to any phone line, internet connection (including WiFi) or other computer, unless they have been given written authority by the Trust's Information Security Adviser and access to either the NHS network or the Trust's network via a secure remote link.

5.12 Where staff have been supplied with a mobile device they are responsible for ensuring that it is regularly connected to the Trust's network on-site for upgrade of anti-virus software and other licensing requirements.

5.13 Staff working remotely by using portable devices or removable media must keep equipment, files and media locked out of sight during transit, and must also ensure any equipment is not left unattended or insecure when off site to prevent accidental loss and unauthorised access at all times, including within their home. Particular care must be taken when media and equipment are taken on to public transport.

5.14 The use of personal information in public areas must be kept to an absolute minimum, due to the threats of overlooking and to discourage theft.

5.15 Authorisation must be obtained from the individual's line manager before any patient or staff or confidential information is taken away from your normal work location. Trust information must only be used for Trust related purposes in connection with your work.

5.16 Staff are responsible for ensuring that unauthorised individuals are not able to see any confidential Trust information or access Trust systems. Only members of staff are allowed access to information being used at home in any form, on any media.

5.17 Establishing support arrangements for software on non-Trust Host PCs (e.g. personal PCs at home) necessary to access Trust data via VPN is the responsibility of the staff member/user. No support is provided by the ICT department or helpdesk.

5.18 All users are required to understand and abide by the principles laid down in this policy document. Users must treat Remote Access and Mobile Computing systems as if they were using Trust systems from their desk based on-site.

5.19 Staff must ensure that removable media are not used to store inappropriate images or files, and that the content of all information stored on mobile devices and media is in line with Trust policy.

6. General Policy Statements

6.1 The Trust's approved method of remote connection is the virtual private network (VPN) managed by ICT Services. This system requires access via a hardware token which generates a random identification number. The user then needs to input username and password, which ensures strong authentication in line with Department of Health requirements. Access to desktop email, diary and some of the Trust's clinical systems is possible using the VPN. This system uses:

- automatic encryption (256 bit)
- Cisco Secure Desktop technology

Users will be required to sign a declaration before VPN access is granted.

6.2 Trust owned mobile devices and media must be encrypted if they contain person identifiable information (PID) or other sensitive data. Any sensitive data sent to or from that device should be encrypted during transit.

6.3 Mobile phones and similar devices used for email access must have the security PIN number enabled.

6.4 Mobile phones must not be used to take photographs of patients.

6.5 In accordance with the NHS Statement of Compliance, only NUH owned or managed equipment is to be connected to the Trust's network. This includes all mobile devices.

6.6 Person identifiable data, or other confidential Trust data, must not be stored permanently on mobile devices or media. Where possible information should be transferred to the Trust's secure network and deleted from the device as soon as possible.

6.7 Unauthorised software must not be installed onto Trust mobile devices.

6.8 Anti-virus scanning software must be installed and regularly updated.

6.9 Redundant Trust equipment must be returned to ICT for secure disposal.

6.10 Confidential and sensitive business information held as paper format must be similarly protected against loss, damage, misuse and/or unauthorised access at all times.

6.11 Confidential and sensitive information must be held in a lockable secure container for transportation, including transportation from one hospital campus to the other.

6.12 Patient Medical Records must not be held at home unless there are exceptional circumstances and authorised by a manager following an assessment and assurance that adequate security is in place to protect those records off site. A record of their location and a contact number must be provided to ensure the availability of those records 24/7 if they are required in an emergency.

7. Incident Reporting

Staff and Managers are responsible for reporting any incident related to the loss, damage, accidental disclosure or unauthorised access of Trust data in accordance with the Trust's incident reporting procedures. Such incidents should also be reported to the Information Security Officer, ICT via the ICT Helpdesk ext 69000.

8. Termination of Employment

8.1 On leaving the employment of the Trust, all equipment, software and information must be returned to the line manager.

9. Secure Disposal of Media and Equipment

9.1 The disposal of media containing personal identifiable or Trust sensitive information must only take place at the Trust in line with on-site confidential waste and disposal procedures. Staff with such media to dispose of are responsible for returning it to the site and following the confidential waste procedures for the campus.

9.2 Redundant IT equipment must be returned to ICT for secure disposal that ensures total and unrecoverable destruction of drives holding confidential data.

10. Equality and Diversity Statement

All patients, employees and members of the public should be treated fairly and with respect, regardless of age, disability, gender, marital status, membership or non-membership of a trade union, race, religion, domestic circumstances, sexual orientation, ethnic or national origin, social & employment status, HIV status, or gender re-assignment.

All Trust policies and Trust-wide procedures must comply with the relevant legislation (non exhaustive list):
- Equal Pay Act (1970 and amended 1983)
- Sex Discrimination Act (1975 amended 1986)
- Race Relations (Amendment) Act 2000
- Disability Discrimination Act (1995)
- Employment Relations Act (1999)
- Rehabilitation of Offenders Act (1974)
- Human Rights Act (1998)
- Health & Safety at Work Act 1974
- Trade Union and Labour Relations (Consolidation) Act 1999
- Code of Practice on Age Diversity in Employment (1999)
- Part Time Workers - Prevention of Less Favourable Treatment Regulations (2000)
- Fixed Term Employees - Prevention of Less Favourable Treatment Regulations (2001)
- Employment Equality (Sexual Orientation) Regulations 2003
- Employment Equality (Religion or Belief) Regulations 2003
- Employment Equality (Age) Regulations 2006
- Equality Act (Sexual Orientation) Regulations 2007

11. Equality Impact Assessment Statement

NUH is committed to ensuring that none of its policies, procedures, services, projects or functions discriminate unlawfully. In order to ensure this commitment all policies, procedures, services, projects or functions will undergo an Equality Impact Assessment. Reviews of Equality Impact Assessments will be conducted in line with the review of the policy, procedure, service, project or function.

12. Environmental Impact Assessment

Following the initial screening of this policy, a full impact assessment is not required at present as the policy does not create any environmental impact.

13. Implementation and Monitoring Plans

The Directors Group are responsible for the ratification of this policy. The Directors, as IAOs, are responsible for the implementation of this policy within their respective directorate.

Regular audits should be undertaken to ensure all users are approved, that mobile devices issued can be accounted for and that assurance can be given to the SIRO that identified risks are adequately controlled and managed.

Adherence to this policy will be monitored via the investigation and analysis of information security incidents reported to the Information Governance Committee by the Information Security Adviser, and reported to the Directors Group by the SIRO.

14. Review

The Information Governance Committee is responsible for the review of this policy.

15. Associated Documentation

- Internet Usage and Monitoring Policy
- Information Security & Data Protection Policy
- Information Security & Data Protection Procedure
- Information Sharing Protocol
- Records management policies
- Disciplinary policy
- Email policy

16. We Are Here For You

This Trust is committed to providing the highest quality of care to our patients, so we can pledge to them that we are here for you. This Trust supports a patient centred culture of continuous improvement delivered by our staff. The Trust established the Values and Behaviours programme to enable Nottingham University Hospitals to continue to improve patient safety, outcomes and experiences. The set of twelve agreed values and behaviours explicitly describe to employees the required way of working and behaving, both to patients and each other, which would enable patients to have clear expectations as to their experience of our services.

Appendix A

We Are Here For You Policy and Trust-wide Procedure Compliance Toolkit

The We Are Here For You service standards have been developed together with more than 1,000 staff and patients. They can help us to be more consistent in what we do and say to help people to feel cared for, safe and confident in their treatment. The standards apply to how we behave not only with patients and visitors, but with all of our colleagues too. They apply to all of us, every day, in everything that we do. Therefore, their inclusion in Policies and Trust-wide Procedures is essential to embed them in our organization.

This toolkit has been designed for Policy Owners to assess the compliance of their Policy or Trust-wide Procedure in light of the We Are Here For You values. It is now mandatory for all Policies and Trust-wide Procedures to incorporate the We Are Here For You Values and undergo this compliance assessment. Please complete the grid below to assess your Policy or Trust-wide Procedure. The toolkit will then advise Policy-owners on the steps they need to take to become We Are Here For You compliant.

To what extent is your Policy or Trust-wide Procedure affected by the following We Are Here For You values? Please rate each value from 1-3 (1 being not at all, 2 being affected and 3 being very affected).

1. Polite and Respectful
Whatever our role we are polite, welcoming and positive in the face of adversity, and are always respectful of people's individuality, privacy and dignity.
Rating: 1

2. Communicate and Listen
We take the time to listen, asking open questions, to hear what people say; and keep people informed of what's happening; providing smooth handovers.
Rating: 2

3. Helpful and Kind
All of us keep our eyes open for (and don't avoid) people who need help; we take ownership of delivering the help and can be relied on.
Rating: 1

4. Vigilant (patients are safe)
Every one of us is vigilant across all aspects of safety, practices hand hygiene and demonstrates attention to detail for a clean and tidy environment everywhere.
Rating: 1

5. On Stage (patients feel safe)
We imagine anywhere that patients could see or hear us as a stage. Whenever we are on stage we look and behave professionally, acting as an ambassador for the Trust, so patients, families and carers feel safe, and are never unduly worried.
Rating: 1

6. Speak Up (patients stay safe)
We are confident to speak up if colleagues don't meet these standards, we are appreciative when they do, and are open to positive challenge by colleagues.
Rating: 1

7. Informative
We involve people as partners in their own care, helping them to be clear about their condition, choices, care plan and how they might feel. We answer their questions without jargon. We do the same when delivering services to colleagues.
Rating: 1

8. Timely
We appreciate that other people's time is valuable, and offer a responsive service, to keep waiting to a minimum, with convenient appointments, helping patients get better quicker and spend only appropriate time in hospital.
Rating: 2

9. Compassionate
We understand the important role that patients and family's feelings play in helping them feel better. We are considerate of patients' pain, and compassionate, gentle and reassuring with patients and colleagues.
Rating: 1

10. Accountable
Take responsibility for our own actions and results
Rating: 1

11. Best Use of Time and Resources
Simplify processes and eliminate waste, while improving quality
Rating: 2

12. Improve
Our best gets better. Working in teams to innovate and to solve patient frustrations
Rating: 1

TOTAL: 15

Appendix B

Equality Impact Assessment Report Outline

1. Name of Policy or Service
Mobile Computing and Remote Working Policy & Procedure

2. Responsible Manager
Andrew Fearn

3. Name of Person Completing Assessment
David Cadwell

4. Date EIA Completed
29th July 2010

5. Description and Aims of Policy/Service (including relevance to equalities)
The aim of this policy is to ensure that the statutory and mandatory standards concerning confidentiality and security of information are maintained when NUH staff access Trust information remotely, i.e. from somewhere off-site, or take work away from site using mobile devices such as laptops or removable media devices such as USBs.

6. Brief Summary of Research and Relevant Data
See policy

7. Methods and Outcome of Consultation
INFORMATION GOVERNANCE COMMITTEE

8. Results of Initial Screening or Full Equality Impact Assessment:

Equality Group: Assessment of Impact
- Age: No Impact Identified
- Gender: No Impact Identified
- Race: No Impact Identified
- Sexual Orientation: No Impact Identified
- Religion or belief: No Impact Identified
- Disability: No Impact Identified
- Dignity and Human Rights: No Impact Identified
- Working Patterns: No Impact Identified
- Social Deprivation: No Impact Identified

9. Decisions and/or Recommendations (including supporting rationale)
Following the initial screening of this policy, a full impact assessment is not required at present as the policy relates to records management.

10. Equality Action Plan (if required)
N/A

11. Monitoring and Review Arrangements (including date of next full review)
Every three years, unless legislation or NHS Information Security and Governance requirements change

Appendix C

EMPLOYEE RECORD OF HAVING READ THE POLICY

MOBILE COMPUTING & REMOTE WORKING POLICY AND PROCEDURE

I have read and understand the principles contained in the named policy.

PRINT FULL NAME:
SIGNATURE:
DATE: