Electronic Communications Monitoring Policy




Printed copies should not be considered the definitive version

DOCUMENT CONTROL
Policy No.: 79
Policy Group: Information Governance and Security
Author: Andrew Turner
Version No.: 1.2
Reviewer: Medical Director
Implementation Date: Aug 2013
Scope (Applicability): Board wide
Next review date: Aug 2015
Status: Final
Last review date: N/A
Approved By: Graham Gault Kelly Kennedy Angus Cameron Neil Kelly

Contents
1. Overview
2. Key points
3. Policy Aims
4. Scope & Applicability
5. Monitoring of Communications by NHS Dumfries & Galloway
6. Scope of Monitoring
7. Access to email accounts
8. Virus scanning
Appendix 1 Policy Approval Checklist
Appendix 2 - Document Status
Appendix 3 - Action Plan for Implementation

1. Overview

a. Access to the Board Intranet and the wider Internet is provided to allow staff to undertake their normal business functions. It is important that all users of our Intranet and Internet provision understand exactly what is considered fair usage.

b. This paper lays out our Acceptable Use Policy for the Intranet and the external Internet.

c. This policy sets out clear guidance for users on what is and is not allowed. It also sets the boundaries as to when personal use is allowed and not allowed. The overarching purpose is to ensure that appropriate access to the Intranet and Internet is available to staff with a legitimate business purpose at all times and this access is not hindered by non-business related activities.

d. It demonstrates management support for, and commitment to, the provision of an internet capability through issuing this policy for user acceptance and compliance, as well as any related policies, procedures and guidelines, including user education and awareness across NHS Dumfries & Galloway. The purpose of this policy is to protect all NHS Dumfries & Galloway users from threats, internal or external, deliberate or accidental.

2. Key points

- All business telephone, email and internet traffic may be monitored for specific business purposes (see para 6a).
- All incoming and outgoing emails will be scanned for virus or other malware content.
- Emails may be monitored and access provided to appropriate staff where necessary due to sickness or other absences from work (see para 7b).
- Emails not marked Personal or stored in a Personal folder will be assumed to be business correspondence.
- Audit logs of times of access and internet sites visited may be provided to Senior Managers.
- Audit logs of accesses to information systems containing sensitive personal information will be monitored.
- Suspected cases of inappropriate access will be investigated. This may result in disciplinary procedures being started which, in extreme cases, may lead to dismissal and possible criminal proceedings.

3. Policy Aims

a. This policy aims to:
i. Provide guidance on the acceptable use of the Intranet and Internet whilst using the NHS Dumfries & Galloway provided networks.
ii. It details the roles and responsibilities and supporting organizational monitoring arrangements for ensuring that access for normal business use is maintained.
iii. It provides a framework under which NHS Dumfries & Galloway can ensure compliance with all relevant legislation and policies.

4. Scope & Applicability

a. This policy applies to accesses to web based services as provided by NHS Dumfries & Galloway in any format and is intended to be fully consistent with the Information Security Policy and Standards of NHS Scotland.

b. This policy applies to all users who undertake work for NHS Dumfries & Galloway or use any part of the IT infrastructure, whether as an employee, a student, a volunteer, a contractor, partner agency, external consultant or 3rd party IT supplier.

c. It is a management requirement that all NHS Dumfries & Galloway accesses to the Intranet and Internet for legitimate business use go unhindered.

5. Monitoring of Communications by NHS Dumfries & Galloway

a. NHS Dumfries & Galloway is ultimately responsible for all business communications but subject to that will, so far as possible and appropriate, respect your privacy and autonomy while working.

6. Scope of Monitoring

a. NHS Dumfries & Galloway may monitor your business communications for reasons which may include but are not restricted to:
i. providing evidence of business transactions;
ii. ensuring that NHS Dumfries & Galloway's business procedures, policies and contracts with staff are adhered to;
iii. complying with any legal obligations;
iv. monitoring standards of service, staff performance, and for staff training;
v. preventing or detecting unauthorised use of NHS Dumfries & Galloway's communications systems or criminal activities; and
vi. maintaining the effective operation of NHS Dumfries & Galloway's communications systems.

b. NHS Dumfries & Galloway will monitor telephone, email and internet traffic data (i.e. sender, receiver, subject; non-business attachments to email, numbers called and duration of calls; domain names of websites visited, duration of visits, and files downloaded from the internet) at a network level (but covering both personal and business communications) for the purposes specified at item 6a.

c. For the purposes of your maintenance of your own personal privacy, you need to be aware that such monitoring might reveal sensitive personal data about you. For example, if you regularly visit websites which detail the activities of a particular political party or religious group, then those visits might indicate your political opinions or religious beliefs.

d. By carrying out such activities using NHS Dumfries & Galloway's facilities you consent to our processing any sensitive personal data about you which may be revealed by such monitoring.

7. Access to email accounts

a. Sometimes it is necessary for NHS Dumfries & Galloway to access your business communications during your absence, such as when you are away because you are ill or while you are on holiday. Unless your mailbox settings are such that the individuals who need to do this already have permission to view your inbox, access will be granted only with the permission of one of the persons authorised to grant such access [in accordance with our policy "email Acceptable Use Policy"].

b. Any emails which are not stored in your "Personal" folder in your mailbox and which are not marked PERSONAL in the subject heading will be treated, for the purpose of availability for monitoring, as business communications since we will have no way of knowing that they were intended to be personal. Therefore you must set up a rule to automate the routing of personal email to your personal folder; ask IT Support for guidance on how to do this. Furthermore, there is a risk that any person authorised to access your mailbox may have their own preview pane option as a default setting, which would reveal the content of any of your personal email not filed in your "Personal" folder, whether or not such emails are marked PERSONAL. It is up to you to prevent the inadvertent disclosure of the content of personal email by filing your personal email in accordance with this policy. In particular, you are responsible to anybody outside NHS Dumfries & Galloway who sends to you, or receives from you, a personal email, for the consequences of any breach of their privacy which may be caused by your failure to file your personal email.

c. In certain very limited circumstances we may, subject to compliance with any legal requirements, access email marked PERSONAL. Examples are when we have reasonable suspicion that they may reveal evidence of unlawful activity, including instances where there may be a breach of a contract with NHS Dumfries & Galloway.

8. Virus scanning

a. All incoming emails are scanned by the organisation contracted to operate the NHSMail service on behalf of the NHS and therefore on behalf of NHS Dumfries & Galloway using virus-checking software. The software will also block unsolicited marketing email (spam) and emails which have potentially inappropriate attachments. If there is a suspected virus in an email which has been sent to you, the sender will automatically be notified and you will receive notice that the email is not going to be delivered to you because it may contain a virus.

Appendix 1 Policy Approval Checklist

NHS DUMFRIES AND GALLOWAY POLICY APPROVAL CHECKLIST

This checklist must be completed and forwarded with the policy to the appropriate approval group

POLICY TITLE: Electronic Communications Monitoring Policy
POLICY NO.: ..
EXECUTIVE LEAD: Dr Angus Cameron

Why has this policy been developed?
Has the policy been developed in accordance with or related to legislation? Please give details of applicable legislation.
Has a risk control plan been developed? Who is the owner of the risk?
Who has been involved/consulted in the development of the policy?
Has the policy been assessed for equality and diversity in relation to:- Race/Ethnicity, Gender, Age, Religion/Faith, Disability, Sexual Orientation
Does the policy contain evidence of the Equality & Diversity Impact Assessment Process?
Is there an implementation plan?
When will the policy take effect?
If the policy applies to partner agencies, please explain the reasons for this and how they will be informed of their responsibilities

Compliance with Board Information Assurance Strategy
CEL 26/2012
Data Protection Act 1998
Electronic Communications Act 2000
Computer Misuse Act
ehealth Lead and staff, Dr Cameron, Internal Audit, Staff side representative
Has the policy been assessed for Equality and Diversity not to disadvantage the following groups:- Minority Ethnic Communities, Women and Men, Religious & Faith Groups, Disabled People, Young People, L, G, B & T Community
YES
YES
Immediate
Not applicable

Appendix 2 - Document Status

Title: Electronic Communications Monitoring Policy
Author: Andrew Turner
Approver: Graham Gault
Document reference:
Version number: 1,3

Document Amendment History

Version number | Edited by | Edit date | Topics covered
0.1 | Pinsent Mason Solicitor | Nov 2007 | Exemplar document
1.0 | Andrew Turner | 26th June 2013 | 1st Draft for peer review
1.1 | Andrew Turner | 30th June 2013 | 2nd Draft for IA Committee.
1.2 | Andrew Turner | 11th July 2013 | Final draft following review and amendments as recommended by Information Assurance Committee. Key Points added
1.3 | Andrew Turner | 8th August 2013 | Final for recommendation to APF for approval
2.0 | | |
3.0 | | |

Distribution

Name | Version number | Responsibility
Board Secretary | 1.3 | Place on policy register
Communications Team | 1.3 | Place on Intranet and in latest news
Board Management Group | 1.3 | Dissemination to all staff through line management
IM&T Department | 1.3 | To all staff
Staff side representative | 1.3 | For comment prior to presentation to APF

Associated Documents

ISO/IEC 27002 The Code of Practice for Information Security Management
CEL26/2012 NHS Scotland Information Security Policy
NHS Dumfries & Galloway Information Assurance Strategy
NHS Dumfries & Galloway Information Assurance Policy
NHS Dumfries & Galloway Information Systems Procurement, Development and Implementation Policy
NHS Dumfries & Galloway Information Security Policy
NHS Dumfries & Galloway Access to Information Policy
NHS Dumfries & Galloway Mobile Devices Policy
NHS Dumfries & Galloway email Acceptable Use Policy
NHS Dumfries & Galloway Internet and Internet Acceptable Use Policy
NHS Dumfries & Galloway Communications Monitoring Policy

Appendix 3 - Action Plan for Implementation

Name | Responsibility | Timeframe
Place on policy register | Board Secretary | Immediate
Place in latest news | Communications Team | Immediate
Place on Intranet | Communications Team | Immediate
Dissemination to all staff through line management | Board Management Group | On going continual process
Routinely issue to all staff | IM&T Department | Continual process
Update staff contracts | HR Department | Immediate