SMS and Texting - A Guide to the Future

Similar documents
NHS Commissioning Board: Information governance policy

IG Toolkit Version 8. Information Security Assurance. Requirement 322. Detailed Guidance on Secure Transfers

SMS Text Messaging to Service Users Policy

Privacy and Electronic Communications Regulations

Clause 1. Definitions and Interpretation

Recommendations for companies planning to use Cloud computing services

Informatics Policy. Information Governance. Network Account and Password Management Policy

Governance. Information. Bulletin. Welcome to the nineteenth edition of the information governance bulletin

PRINCIPLES FOR HIGH QUALITY INTERPRETING AND TRANSLATION SERVICES

Data Protection Act Guidance on the use of cloud computing

Risk Management Policy

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Use of Social Networking Websites Policy. Joint Management Trade Union Committee. ENDORSED BY: Consultative Committee DATE: 14 February 2013

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

Information Governance Policy

Financial Services Guidance Note Outsourcing

An Approach to Records Management Audit

CODE OF PRACTICE FOR ASSESSMENT OF COMPETENCE IN RELATION TO PAY

Information Governance Policy

DATA AND PAYMENT SECURITY PART 1

Requirements made under the Intermediaries Byelaw

Information Governance Policy

SFS SYS 7 (SQA Unit Code - H4GL 04) Audit electronic security systems

Article 29 Working Party Issues Opinion on Cloud Computing

Public Health England, an executive agency of the Department of Health ("We") are committed to protecting and respecting your privacy.

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Aberdeen City Council IT Security (Network and perimeter)

Information Governance Strategy & Policy

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

Guidance for Access to Health Records Requests

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

MRS Guidelines for Online Research. January 2012

Information Governance Plan

INFORMATION GOVERNANCE HANDBOOK

DRUG AND ALCOHOL ABUSE POLICY AND PROCEDURE

Job Description. contribute to the development and successful implementation of ATM s plans.

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs

Policy and Code of Conduct

Public Consultation regarding Data Sharing and Governance Bill. Contribution of Office of the Data Protection Commissioner

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Statement of Guidance: Outsourcing All Regulated Entities

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

Internet, and SMS Texting Usage Policy Group Policy

Council, 14 May Information Governance Report. Introduction

INFORMATION GOVERNANCE POLICY

The NHS Foundation Trust Code of Governance

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

Banking Supervision Policy Statement No.18. Agent Banking Guideline

General Practice Extraction Service (GPES)

Our Commitment to Information Security

DATA PROTECTION POLICY

Lord Chancellor s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000

Newcastle University Information Security Procedures Version 3

Information Security Policy. Chapter 12. Asset Management

HomeCare Rehab and Nursing, LLC (HCRN) (DBA - Baker Rehab Group) Notice of Privacy Practice

Code of Ethics for Pharmacists and Pharmacy Technicians

Informatics: The future. An organisational summary

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

Review of compliance. Redcar and Cleveland PCT Redcar Primary Care Hospital. North East. Region: West Dyke Road Redcar TS10 4NW.

Appendix A. Call-off Terms and Conditions for the Provision of Services

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September Information Governance Manager

Networking and Social Media Policy

Use Policy. All Staff Policy Reference No: Version Number: 1.0. Target Audience:

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25

Data controllers and data processors: what the difference is and what the governance implications are

Data Encryption Policy

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

GENOA, a QoL HEALTHCARE COMPANY, LLC WEBSITE PRIVACY POLICY

Information sharing. Advice for practitioners providing safeguarding services to children, young people, parents and carers

University of Sunderland Business Assurance Information Security Policy

Transcription:

NHS Information Governance: Information Risk Management Guidance: Short Message Service (SMS) & Texting Department of Health Informatics Directorate April 2010 1

Amendment History Version Date Amendment History 1.0 First published version 2

Introduction This Information Governance (IG) guidance provides NHS organisations with a general awareness of the associated risks of Short Message Service (SMS) and texting that may potentially affect the effectiveness of local services. It is not a technical specification for SMS that use standard communications protocols and may operate across a range of network types. Terms used: Short Message Service (SMS) is an easy to use, standardised, mobile communications service for the exchange of short alphanumeric text messages, usually between mobile telephone devices. Texting is the most widely used data application globally allowing mobile phone users to send and receive short text messages of up to 250 characters on their phones. SMS Service Providers may provide commercial internet based services that use SMS for a range of purposes including, marketing and bulk texting. They may also provide hosted services to offer text users the opportunity via the web or mobile device to forward messages that may be relevant to another user. Why use SMS? The highly accessible and easy to use nature of SMS makes it an attractive technology for the communication of short messages quickly. Examples of potentially justifiable NHS business uses of SMS may include: Reminders to patients about appointments previously made Bulk notifications of changes to premises opening times or contact details Information to subscribed patients about the availability of a new or changed care service Alerting staff to system errors or urgent messages Information Governance Issues Whilst there are undoubted values of SMS as a business tool, there are also legal obligations, and potential dangers and pitfalls to be managed. Inappropriate or careless use of SMS by staff or service provider of an NHS organisation may expose that organisation and its patients to information risks capable of impacting business and care processes and are likely in breach of data protection legislation. Messaging errors or modifications can occur and messages may not reach their intended recipients. SMS messages stored on NHS owned systems are subject to the same data protection and FOI obligations as other NHS information assets. NHS Information Asset Owners must therefore ensure these aspects are fully considered and risk assessed when designing and implementing a local SMS service. The following examples of potential risks are for illustration only and are not exhaustive of all possibilities: Implementing SMS without proper planning may adversely impact upon other information services of the organisation eg. reduced bandwidth and performance, and SMS uses that are inappropriate; Insufficient testing may result in systems interoperability problems and exploitation constraints. Pilot projects will help in deploying any SMS solution: 3

Not planning for training and education can lead to poor use, support and maintenance of SMS facilities that may adversely impact on patient care and the reputation of the organisation; No SMS policy is likely to lead to security and confidentiality breaches occurring through unauthorised or uncontrolled use of SMS facilities; Insufficient planning for potential SMS service disruptions may lead to missed patient appointments, data losses and ineffective recovery processes Avoiding problems with SMS A number of considerations and checks may be applied that will help NHS organisations and their employees avoid problems: 1. Plan for your organisation s SMS solution, not after the solution has been deployed. Early risk assessment will help with the development of a properly justified and risk mitigated solution; 2. Verify if the organisation has a relevant policy for SMS use and the extent to which this applies within the organisation and for other stakeholders; 3. Ensure that SMS risks and legal obligations are considered within the overall approach to information governance risk assessment, management and assurance; 4. When considering the potential use of a commercial SMS service to support local business processes, understand what you are contracting for, the potential sensitivity of the information that will be involved, and importantly what service provider guarantees and security and confidentially claims, undertakings, standards applicable, assurances and evidence that exist. These should include Data Protection Act considerations and in particular the Principle 7 concerning technical and organisational controls of the provider. Ensure also that a Service Level Agreement exists for all contracted SMS services that rely upon service availability and the timeliness of information transmission; 5. Be aware of sub-contracting arrangements that may potentially require the disclosure of patient data to a third party. A separate risk assessment will be necessary for any subcontracting arrangements; 6. Consider what safeguards are available to verify the integrity of messages to ensure they are communicated as intended and have not been modified; 7. Ensure the consent of participating patients is obtained, and that patients are able to opt in and opt out of SMS service arrangements according to their personal needs and choices; 8. Ensure staff who may use SMS receive appropriate training and are aware of expected SMS good practice, personal accountabilities and professional codes of conduct where these exist. It is essential to avoid unnecessary sharing of patient details or discussion of patients or staff by SMS. 9. Use professional reasoning and judgement when contacting patients by SMS. Withhold personal information that is unnecessary to the meaning of a message 10. Avoid sending text messages that could be embarrassing or distressing to the intended recipient. Remember it is possible that others could intercept a message or inspect the contact list on a mobile phone for entries of interest; 11. Examine carefully any text messages received as these may be unreliable or contain errors. Word abbreviations and other acronyms are commonly used within SMS messages as a means to maximise message content within limited text space. However, abbreviations easily understood by the author may be prone to mistyping and misinterpretation by the recipient; 12. It is good practice for SMS service participants to delete messages from their mobile phones when they are no longer required. However, and exceptionally, care will be 4

necessary to ensure that any message retention requirements and implications thereof for SMS service participants are addressed within appropriate patient service registration agreements; 13. Consider potential IG requirements and legal obligations for the transmission and storage of data sent to service providers including those whose services may operate outside England. Such considerations will include the data protection implications and safeguards of SMS services that may operate outside the EEA. These will also include the audit trail, review and monitoring capabilities of service providers; 14. Consider the possible use of SMS facilities within NHSmail. Guidance on how to use such facilities is available at https://web.nhs.net/public/help/generaluser/nhsmail_help.htm. Further guidance on the potential uses of NHSmail should be available from your Local Organisation Administrator (LOA). 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information