MOBILE DEVICE MANAGEMENT POLICY
Policy Title: Executive Summary: MOBILE DEVICE MANAGEMENT POLICY To formalise the requirements for all staff when utilising mobile devices (either personal or trust-owned) to ensure that all Trust information is secured. Supersedes: n/a Description of New policy Amendment(s): This policy will impact on: All staff - Clinical practices, administrative practices, employees, corporate decision making. Financial Implications: Policy Area: Corporate Document Reference: Version Number: Version 1 Effective Date: March 2014 Issued By: Director of Corporate Review Date: March 2017 Author: APPROVAL RECORD Affairs & Governance Information Governance Manager Impact Assessment Date: Oct 2013 Consultation: Approved by Committees: Approved by Director: Committees / Group Information Governance & Records Group Information Governance & Records Group Director of Corporate Affairs & Governance Date 25/3/14 25/3/14 25/3/14 East Cheshire NHS Trust Page 2 of 22
Content 1. PURPOSE... 4 2. SCOPE... 5 3. GUIDANCE... 5 4. REFERENCES AND BIBLIOGRAPHY... 9 5. ASSOCIATED DOCUMENTS... 9 APPENDIX 1 List of Trust-Owned Approved Devices... 10 APPENDIX 2 List of approved Applications to be used in connection with business... 11 APPENDIX 3 Trust-Owned Mobile Device Acceptance of Use Declaration - Issue of Mobile Media Agreement... 12 APPENDIX 4 Staff-Owned Mobile Device Acceptance of Use Declaration... 14 East Cheshire NHS Trust Page 3 of 22
1. PURPOSE This document details the requirements for the use of portable mobile devices and removable media by East Cheshire NHS Trust staff, and details the requirements that must be in place for the secure operation of such devices. East Cheshire NHS Trust recognises the advantages in the utilisation of portable devices and other handheld devices provided for staff during the performance of their daily duties. As such, this document provides guidance on the use of such devices within the Trust s environment. It is also recognised that Remote Access is a valuable method for employees to connect to the Trust s network resources, when away from Trust premises. This document covers the use of all portable computing storage devices and remote access by East Cheshire NHS Trust staff, both Trust-owned and Staff-owned devices. This Policy forms part of staff member s contractual obligations and code of conduct. It is accepted that technology may make significant advances during the lifetime of this policy and to this end, Appendix 1 (list of approved devices) and Appendix 2 (list or approved applications) should be consulted as to whether a device or application is approved for use as these lists will be updated on a regular basis when appropriate. This policy ensures that any use of a portable device, mobile communications or remote access working adheres to the following principles: To provide secure access to the Trust s information systems To preserve the integrity, availability and confidentiality of the Trust s information and information systems To manage the risk of serious financial loss, loss of patient and public confidence or other serious business impact which may result from a failure in security. In order to comply with all relevant regulatory and legislative requirements (including Data Protection laws) and to ensure that the organisation is adequately protected under computer misuse legislation. As part of the provision of Information Management and Technology services (IM&T) to staff within the organisation, staff may purchase their own portable computing equipment for use, on an ad hoc basis, on Trust business. As such, it is essential that such devices are covered by appropriate security controls in compliance with Principle 7 of the Data Protection Act 1998 and ISO27001: Code of Practice for Information Security. Note: All Mobile Media is to be used for Corporate Information only and NOT for storing or processing Clinical Information, this with the exception of approved apps only. East Cheshire NHS Trust Page 4 of 22
2. SCOPE This policy applies to all staff employed by East Cheshire NHS Trust, including bank, agency and locum staff, students, voluntary staff, contractors and trainees on temporary placement, as well as those staff holding honorary contracts. 3. GUIDANCE 3.1 Portable Devices For the purpose of this document, a Portable Device is defined as any device that may synchronise with another computer, and may be any of the following items: Laptop and notebook computers IPads / Tablets Smart Phones including iphones and any other mobile system that may fall into this category, including Blackberry s Webcams USB memory sticks, (only for temporary storage of information, information to be transferred to secure server as soon as practicable and deleted from USB stick) MP3 players (including ipods), (must not be used at any time for storing personal or commercial information) CD s, DVD s Any other item that may be utilised to store or transport data. This list is not to be considered exhaustive. Any portable device used in connection with the organisation must be encrypted to a minimum of 256bit encryption. There are no exceptions. Further guidance may be obtained from the Information Security Manager in relation to what is defined as a portable media device and encryption. 3.2 Use of own devices The use of staff members own devices is permitted according to the following guidelines: - staff will only be allowed access to the Trust s WiFi network; there will be no access to the Trust s secured drives; - Staff will undertake NOT to save/store confidential or patient identifiable information on their personal devices East Cheshire NHS Trust Page 5 of 22
Some requirements specific to staff-owned devices may differ to those contained within this document. This policy concentrates on Trust-owned devices, however where requirements relating to Staff-owned devices differ, staff should refer to the section identified within the text. 3.3 Working Procedures All mobile devices issued by the organisation are issued to a named individual only and must not be shared or used by anyone who is not recorded as the asset owner, this for audit purposes and to comply with the Data Protection Act 1998. The exception to this requirement will be when a Business Group provides a generic business group device and the information security requirements in these instances is the responsibility of the assigned user at any one time. Business Groups are to implement a signing-in/signing-out log which is to be completed each time the device changes hands. Transfer of any device between staff members must only be done via the IT Servicedesk. Transfer of Mobile phones to be done via the Telecommunications manager. All laptop s, notebooks, USB Pens, IPads, Blackberrys and other Smartphones must be encrypted. Staffowned devices must have the password facility activated. Use the minimum information necessary removing as much identifying data as possible. Do not copy documents containing personal or commercial data from the organisations servers without express permission of Information Governance Do not allow information to be seen by individuals who do not need to see it. Only use the equipment in a public area if you absolutely have to. 3.4 Asset Management Any business related software applications on mobile media devices must be approved, appropriately licensed and recorded on the Cheshire & Merseyside Commissioning Support Unit IT (CMSCU IT) licence asset register. The CMCSU IT Department will maintain a software application asset list to ensure licensing conditions are not breached. Procurement of additional software for business must adhere to Information Governance procedures, including the potential for a Privacy Impact Assessment to be completed. Mobile devices must not be readily identifiable as belonging to, or associated with East Cheshire NHS Trust. If the device can be associated with the Trust or the NHS, this may increase the impact (e.g. risk) to Trust s reputation in the event of loss or theft. However, all Trust-owned mobile devices must carry asset identification. 3.5 Security Staff are personally responsible for the security of the mobile media device in their possession at all times whether this is on Trust premises, the premises of other organisations, in the car, on public transport or at home and will be liable for any cost resulting from the loss or accidental damage of the device as a result of carelessness. Where a device has been stolen, and on production of a Police Crime Report, the Trust will be liable. East Cheshire NHS Trust Page 6 of 22
Where staff are using their own device, it is the Trust position that where this is the choice/decision of the member of staff concerned, all responsibility and liability for the device in terms of loss/damage will remain with the member of staff. Each device is issued on a personal, individual basis only (with the exception of Business Group generic devices) and mobile devices will be recorded on the Trust s Information Asset Register. Do not leave the equipment unattended unless it is in a secure position. Devices can be secured by leaving in a locked drawer within a locked / secure office or by being stored out of sight at home. When transporting the equipment in the car it should be stored correctly and out of site i.e. a mobile media devices such as a laptop should be placed in its case and stored in the locked boot. If possible, the device must be returned to your office for storage before you go home. You must not leave any mobile media device in a vehicle overnight. It must be stored securely in the house or in a locked drawer in a secure office. Do not give anyone the password to your device. Your password must be changed regularly. Never download or install any software to the device. Any requests for software should be forwarded to the CMCSU IT department who will handle such requests where these are deemed necessary. The above requirement relates to Trust-owned devices only. For Staff-owned devices, staff are required to ensure that an antivirus programme and firewall is operational and up to date. Make a note of the asset number of each device you are issued with. The Trust s Information Asset Register will record you as the sole person responsible for the device. If your device is lost or stolen you must report it immediately to the Information Security Manager via the IT service desk on 0844 800 9982 and the, via the Datix Incident Reporting System, according to the Trust s Incident Reporting Policy (see Section 5). This requirement is applicable to both Trust-owned and Staff-owned devices. 3.6 Passwords / Security Staff must employ whatever security initiatives are available with the device for example utilising the device PIN code and, where supported, Face Recognition. In addition to the individual device security features, each device will require a password to access it (and this requirement applies to staff-owned devices). You are not permitted to give that password to anyone else under any circumstances. Each device has a different protocol for passwords. East Cheshire NHS Trust Page 7 of 22
All staff using Trust-owned devices must choose a unique password utilising the criteria outlined below. Staff using their own mobile devices are strongly advised to follow the criteria for Trust-owned devices. You are advised to change your device password every 6 weeks and in terms of creating your new password, you the following applies: The password must NOT contain the user's account name or parts of the user s full name that exceed two consecutive characters. The password must be at least eight characters in length. The password must contain characters from three of the following four categories: 1. Capital letters 2. Lowercase letters 3. Numbers 4. Non-alphabetic characters (e.g.!, $, #, %) NOTE: Device Lockout for USB Pens Trust-purchased encrypted USB Safesticks (the only type acceptable for use on Trust premises) have a lock-out feature if the password is incorrectly entered 10 times the device is locked and the information contained will be deleted. Staff should be aware that should they forget their password, there is no way to retrieve the information. If you have any queries about setting your password or experience any problems, please contact the CMCSU IT Service Desk on 0844 800 9982 3.7 Implementation/Compliance Staff given a Trust-owned encrypted mobile device will be required to sign a declaration that they have read, understand and accepted this policy, and the conditions of use before using the device (See Appendix 3). Where a generic Business Group device is provided, all staff having access to the device will be required to sign the declaration. Upon leaving the organisation all mobile media devices must be handed back and signed for by your line manager. Failure to hand the mobile media device back at the end of your employment will be viewed as theft and may result in legal action being taken against you to recover the item. It is the responsibility of the Line Manager to ensure staff within their department are aware of and follow the conditions of use set out within this Policy including the return of mobile media devices upon termination of an employee s contract. Failure to follow these guidelines may lead to disciplinary action and/or legal action being taken again those involved, which could ultimately lead to dismissal and/or criminal proceedings. Staff using their own mobile device will be required to sign the declaration at Appendix 4. East Cheshire NHS Trust Page 8 of 22
4. REFERENCES AND BIBLIOGRAPHY Information sources that the author has referred to or quoted from shall be referenced as an appendix in the document. This Policy has been written to meet the requirements of: The Computer Misuse Act 1990 The Data Protection Act (DPA) 1998 The Data Protection (Processing of Sensitive Personal Data) Order 2000 The Electronic Communications Act 2000 The Human Rights Act 1998 The National Health Service Act 2006 The Privacy and Electronic Communications (EC Directive) Regulations 2003 The Regulation of Investigatory Powers Act 2000 Other obligations placed on NHS organisations The Department of Health Information Governance Toolkit Sir David Nicholson s letter to NHS CEO s dated September 2008 (Gateway ref 10509) ASSOCIATED DOCUMENTS Document Link to be added Title Information Governance Policy Information Security Policy Email Policy Data Protection & Code of Confidentiality Policy Record Management Policy Incident reporting policy Mobile phone Policy East Cheshire NHS Trust Page 9 of 22
APPENDIX 1 List of Trust-Owned Approved Devices 1. Apple ipad 2 2. Apple ipad 3 (new) 3. Apple iphone 3GS 4. Apple iphone 4 5. Apple iphone 4S 6. Apple iphone 5 7. Apple Ipad mini Date updated March 2014 This list is not exhaustive will be reviewed periodically. Staff should ensure that they refer to the most up to date version of the Policy located on the internet. If you have any queries please contact Information Governance East Cheshire NHS Trust Page 10 of 22
APPENDIX 2 List of approved Applications to be used in connection with business 1 Access to Go 2. Airwatch 3. EMIS mobile 4. BNF Date updated March 2014 This list is not exhaustive will be reviewed periodically. Staff should ensure that they refer to the most up to date version of the Policy located on the internet. If you have any queries please contact Information Governance East Cheshire NHS Trust Page 11 of 22
APPENDIX 3 Trust-Owned Mobile Device Acceptance of Use Declaration - Issue of Mobile Media Agreement East Cheshire NHS Trust operates a system where mobile media devices (e.g. Laptops, ipad, iphone or Blackberry) are issued to an individual staff member. It is the responsibility of that individual staff member to ensure the security of the device that has been issued and abide by policies relevant to such device(s). Staff remain responsible until the device is returned to their Line Manager when accountability can be signed over. Staff/User Agreement I agree to ensure the security of the mobile media I have been issued in accordance with the Trust s Mobile Device Management Policy and all other relevant policies. I understand that any breach of this policy may be dealt with by the Trust s Disciplinary Policy. Brief description of equipment TAG/Mobile/ID No. of device Name Signature Department /Business Group Base Location (full address) Date East Cheshire NHS Trust Page 12 of 22
Line Manager s Name & Title Line Manager s confirmation that Asset has been recorded on the Business Group s Information Asset Register Date Added: Please complete above and send to Information Governance within 7 days East Cheshire NHS Trust Page 13 of 22
APPENDIX 4 Staff-Owned Mobile Device Acceptance of Use Declaration East Cheshire NHS Trust operates a system where staff-owned mobile media devices (e.g. Laptops, ipad, iphone or Blackberry) may be used on Trust-business, via the Eastmobile WiFi network (i.e. no access to the Trust s Networked drives). It is the responsibility of each member of staff wishing to use their own devices to ensure that the contents of this Policy are strictly adhered to. Staff are aware, and accept, that Cheshire & Mersey Commissioning Support Unit IT Department are not responsible for the maintenance and upkeep of the device and any technical problems experienced by the user CANNOT be referred to the ICT Helpdesk for resolution. Staff/User Agreement I agree to ensure the security of the information contained on my mobile device and will abide by the Trust s Mobile Device Management Policy and all other relevant policies. I understand that any breach of this policy may be dealt with by the Trust s Disciplinary Policy. Brief description of equipment MAC address of device Name Signature Department /Business Group Base Location (full address) Date Line Manager s Name & Title Please complete above and send to Information Governance within 7 days East Cheshire NHS Trust Page 14 of 22
Equality Analysis (Impact assessment) Please START this assessment BEFORE writing your policy, procedure, proposal, strategy or service so that you can identify any adverse impacts and include action to mitigate these in your finished policy, procedure, proposal, strategy or service. Use it to help you develop fair and equal services. Eg. If there is an impact on Deaf people, then include in the policy how Deaf people will have equal access. 1. What is being assessed? Mobile Device Management Details of person responsible for completing the assessment: Name: Jean King Position: Team/service: Corporate Affairs & Governance State main purpose or aim of the policy, procedure, proposal, strategy or service: (usually the first paragraph of what you are writing. Also include details of legislation, guidance, regulations etc which have shaped or informed the document) To provide a framework for the secure use of portable devices on Trust business taking into account the requirements of the Data Protection Act (1998) 2. Consideration of Data and Research To carry out the equality analysis you will need to consider information about the people who use the service and the staff that provide it. Think about the information below how does this apply to your policy, procedure, proposal, strategy or service 2.1 Give details of RELEVANT information available that gives you an understanding of who will be affected by this document The population of Cheshire as at the 2005 mid year figures (Cohesia Report 2008) is 684,400. Age: 17.8% (30,500) of the population in Cheshire East is over 65 compared with 15.9% nationally. This results in a high old age dependency ratio, i.e. low numbers of working-age people supporting a high non-working dependant older population. The percentage of older or frail old is also considerably higher, with 2.3% (8,200) persons 85 and over compared to 2.1% nationally. Cheshire East has the fastest growing older population in the North West. By 2016, the population aged 65+ will increase by 29.0% (8,845) and the population aged 85+ by 41.5% (3,403). This will have an impact on the number of patients being managed by ECT and the complexity of the health and social care issues that the older person is experiencing. In addition the staffing profile of ECT will change to include an increasing number of staff over 65 in the workforce. East Cheshire NHS Trust Page 15 of 22
Race: The 2005 mid year estimate (Cohesia Report 2008) show that the majority of the population in Cheshire (94.6%) is White British, with 5.4% non White British. The Cheshire 2007-10 Local Area Agreement identified that minority ethnic communities account for around 3% of the population. Issues for BME communities include lack of knowledge of services, access to services, access to translation/interpretation, cultural differences, family values. Many people from BME communities experience poverty, poor housing and unemployment which make it difficult for them to lead healthier lives. 4180 migrant workers registered in Cheshire in 2006/07 and comparison to the mid- year population estimates for Cheshire in 2005 strongly suggests that Cheshire s migrant worker population is larger than every individual BME group other than the White-Other White group. Gypsies and travellers at the last count (July 2006) the highest number was recorded in the Borough of Congleton (125). 42% of gypsies and travellers report limiting long term illness compared to 18% of the settled population, with an average life expectancy 10-12 years less than settled population. 18% of gypsy and traveller mothers have experienced the death of a child compared to 1% in the settled population. Disability: There are over 10 million disabled people in Britain, of whom 5 million are over state pension age. Nearly 1 in 5 people of working age (7 million, or 18.6%) in Great Britain have a disability. Hearing loss: 1 in 4 has a hearing problem. Sight problems: There are 2 million people with sight problems in the UK. Learning disabilities: There is quite a high proportion of people with learning disabilities in the local area due to there being a number of residential homes/institutions in the area. Problems encountered can be lack of staff awareness, communication issues, information requirements. Dementia Approximately six in 100 people aged over 65 develop dementia and this rises to around 20 in 100 people aged 85 or over. Dementia affects 750,000 people in the UK. East Cheshire NHS Trust Page 16 of 22
Carers Around 6 million people (11 per cent of the population aged 5+) provided unpaid care in the UK in April 2001. While 45% of carers were aged between 45 and 64, a number of the very young and very old also provided care. By 2037, it is anticipated that the number of carers will increase to 9 million. Gender On average in Cheshire, 49% of the population are male and 51% are female Transgender: No local data available, national trends show: 1/12,000 males, transgender from male to female 1/33,000 females, transgender from female to male Specific issues around access to services, specific services for men or women, and single sex facilities. In terms of the transgender population, GIRES (Gender Identity Research and Education Society ) gives an estimate of 600 per 100,000. If these figures were applied to the Cheshire East community based on the 2005 mid year estimates, there may be around 2,100 trans people in the area. East Cheshire NHS Trust Page 17 of 22
Religion/Belief In the Cheshire East area: Christian - 80% Sikh - 0.05% Buddhists - 0.16% Other religion - 0.15% Hindu - 0.15% No religion - 11.84% Jewish - 0.12% Not stated - 6.67% Muslim - 0.36% The Muslim population has the highest levels of ill health amongst faith groups this includes higher smoking rates amongst men and higher rates of coronary heart disease and diabetes. Sexual Orientation Lesbians, gay men and bi sexual people (LGB) make up to 5-7% of the UK population (Dept of Trade and Industry, 2003). 13% of Gay men and 31% Lesbian women are parents (Morgan and Bell, First Out: Report of the findings of Beyond the Barriers national survey of LGB people) The experience and health needs of gay men and women will differ. However, both groups are likely to experience discrimination, higher levels of mental ill health and barriers to accessing health care National Health Inequalities data shows that lesbian, gay, bisexual and transgender (LGBT) people are e 2001 census showed: significantly more likely to smoke, to have higher levels of alcohol use and to have used a range of recreational drugs than heterosexual people. They are also at greater risk of deliberate self-harm. Although most LGBT people do not experience poor mental health, research suggests that some are at higher risk of mental health disorder, suicidal behaviour and substance misuse 2.2 Evidence of complaints on grounds of discrimination: (Are there any complaints or concerns raised either from patients or staff (grievance) relating to the policy, procedure, proposal, strategy or service or its effects on different groups?) There have been no complaints raised with regard to the use of portable devices Does the information gathered from 2.1 2.3 indicate any negative impact as a result of this document? No negative impact 3. Assessment of Impact East Cheshire NHS Trust Page 18 of 22
Now that you have looked at the purpose, etc. of the policy, procedure, proposal, strategy or service (part 1) and looked at the data and research you have (part 2), this section asks you to assess the impact of the policy, procedure, proposal, strategy or service on each of the strands listed below. East Cheshire NHS Trust Page 19 of 22
RACE: From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, racial groups differently? Yes No Explain your response: The policy relates to the use of portable devices and the security of information contained on the device. This security relates to all information, regardless of race GENDER (INCLUDING TRANSGENDER): From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, different gender groups differently? Yes No Explain your response: As above, any information held on a portable device is required to be secured to the same high standards there is no differentiation on security levels due to gender DISABILITY From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, disabled people differently? Yes No Explain your response: Portable devices may be used only under certain security considerations it relates to the secure storage of all information, regardless of disability. AGE: From the evidence available does the policy, procedure, proposal, strategy or service, affect, or have the potential to affect, age groups differently? Yes No Explain your response: All Trust information is required to be held securely especially when the use of portable devices increases. The security aspects of this policy does not discriminate on the basis of age. Were there to be any discrimination, it could be argued that there may be a discrimination on age, but positively (in the case of Safeguarding children) LESBIAN, GAY, BISEXUAL: From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, lesbian, gay or bisexual groups differently? Yes No Explain your response: The Trust is duty bound to secure information to a high standard and there is no discrimination on the basis of sexuality RELIGION/BELIEF: From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, religious belief groups differently? Yes No East Cheshire NHS Trust Page 20 of 22
Explain your response: The Trust is required to store information to the same standard regardless of its content. There can be no discrimination in this policy on the basis of religion/belief. CARERS: From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, carers differently? Yes No Explain your response: The content of this policy relates directly to the Data Protection Act (1998) which requires that a person s information is secured against disclosure to third-parties. This could have an impact on Carers, however the Policy is in place to secure information and the DPA will be the over-arching legislation followed. The policy itself does not discriminate. OTHER: EG Pregnant women, people in civil partnerships, human rights issues. From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect any other groups differently? Yes No Explain your response: The content of the policy provides a framework for the security of information and it covers all information, for all patient and staff groups. 4. Safeguarding Assessment - CHILDREN a. Is there a direct or indirect impact upon children? Yes No b. If yes please describe the nature and level of the impact (consideration to be given to all children; children in a specific group or area, or individual children. As well as consideration of impact now or in the future; competing / conflicting impact between different groups of children and young people: c. If no please describe why there is considered to be no impact / significant impact on children The policy is in place to secure information. The Trust regards all information equally and there are no additional requirements put in place specifically aimed at children. The safeguarding of children will not be affected by this policy. 5. Relevant consultation Having identified key groups, how have you consulted with them to find out their views and that the made sure that the policy, procedure, proposal, strategy or service will affect them in the way that you intend? Have you spoken to staff groups, charities, national organisations etc? There has been no consultation with any stakeholder groups however the policy has been reviewed by the Corporate Affairs & Governance Managers. 6. Date completed: 08/10/13 Review Date: 08/10/16 East Cheshire NHS Trust Page 21 of 22
7. Any actions identified: Have you identified any work which you will need to do in the future to ensure that the document has no adverse impact? Action Lead Date to be Achieved 8. Approval At this point, you should forward the template to the Trust Equality and Diversity Lead lynbailey@nhs.net Approved by Trust Equality and Diversity Lead: Date: 8.10.13 East Cheshire NHS Trust Page 22 of 22