USE OF PERSONAL MOBILE DEVICES POLICY




Policies and Procedures

Date Approved by Information Strategy Group: 15.04.2014
Version: 1.0
Issue Date: 01/08/2014
Review Date: 01/08/2016
Executive Lead: Executive Director Finance
Information Asset Owner: Chief Information Security & Governance Officer
Author: Chief Information Security & Governance Officer
Procedure/Policy number: IM0037_v1
Procedure/Policy type: Information Security & Governance
Date of Equality & Diversity Impact Assessment: 01.02.2014 (Low)
Policy Title: Use Of Personal Mobile Devices Policy Page 1 of 13

I. Document Information and Amendment Record

Document Number: IM0037.V1
Document Title: Use Of Personal Mobile Devices Policy
Executive Lead: Executive Director of Finance

Amendment record (Date | Amendment Details | Responsibility | Amendment No): no entries.

Table Of Contents

I. Document Information and Amendment Record
1 Introduction
2 Equality, Diversity and Human Rights Statement
3 Purpose
4 Aim
5 Scope
6 Policy Statement
7 Relevant Policies and Guidance
8 Definitions
9 Responsibilities
10 Acceptable Use
11 Unacceptable Use
12 Access to Trust Data
13 User Acceptance
14 Device Authorisation
15 Permitted Devices
16 Device Security
17 Losses and Breaches of Confidentiality / Security
18 Device Monitoring and Auditing
19 Policy Review, Audit & Monitoring
20 Appendices

1 Introduction

1.1 South Tyneside NHS Foundation Trust, hereinafter referred to as the Trust, is highly reliant on information that is captured, stored, processed and delivered by computers and their associated communication facilities.

1.2 This policy addresses the security and confidentiality of Trust data that will be accessed using mobile devices that are the property of staff members.

1.3 Such information plays a vital role in supporting business processes and customer services, in contributing to operational and strategic business decisions and in conforming to legal and statutory requirements.

1.4 Accordingly, the information and the enabling technologies are important assets that will be protected to a level commensurate with their value to the organisation. Special care will be taken to ensure that Person Identifiable and business/corporate confidential information is not compromised.

1.5 Nothing in this policy affects the Trust's ownership of corporate information, including all work-related intellectual property created in the course of business using a personally owned device.

1.6 The Trust will continue to provide organisation-owned and managed devices as necessary for work purposes. There is no compulsion for anyone to use a personally owned device for work purposes.

1.7 Throughout this document, sentences that contain the verb MUST indicate that the requirement is mandatory. Sentences that contain the verb SHOULD indicate that the requirement may be adapted for local need.

2 Equality, Diversity and Human Rights Statement

2.1 The Trust is committed to promoting human rights and providing equality of opportunity not only in our employment practices but also in the way we provide services. The Trust also values and respects the diversity of our employees and the communities we serve.

In applying this policy, the Trust will have due regard for the need to:
- Promote human rights
- Eliminate unlawful discrimination
- Promote equality of opportunity
- Provide for good relations between people of diverse groups
- Consider providing more favourable treatment for people with disabilities

This policy aims to be accessible to everyone regardless of age, disability (physical, mental health or learning disability), gender (including transgender), race, sexual orientation, religion or belief or any other factor which may result in unfair treatment or inequalities in health or employment.

3 Purpose

3.1 The purpose of this policy document is to ensure that all staff are aware of their individual responsibilities in relation to the security and confidentiality of Trust data that may be accessed using devices that they own.

3.2 To establish the rules in relation to the use of personally owned mobile devices when using them to access Trust networks, systems and data.

4 Aim

4.1 To ensure that the Trust meets its legal and NHS obligations in relation to the protection of person identifiable information and Trust confidential information.

5 Scope

5.1 This policy applies to the use of devices that are owned by staff and used to access Trust systems and data.

5.2 This policy applies to all parties authorised by the Trust together with their staff (including temporary workers, locums and staff seconded or contracted from other organisations who may use personal devices to access Trust systems and data).

5.3 Any breach of or refusal to comply with this policy is a disciplinary offence which may lead to disciplinary action in accordance with the Trust Disciplinary Policy, or other appropriate action.

6 Policy Statement

6.1 It is the policy of the Trust to ensure that Trust information:
- Is protected against unauthorised access.
- Confidentiality of information is maintained and assured.
- Integrity of information is maintained.
- Regulatory requirements and legislation are complied with.
- Information technology systems are used in a manner that prevents the release of information (by accident or deliberate/criminal act), ensures their safe use and avoids damage to the specific system or any other system to which it is connected.
- Information that can be used to identify a person, including confidential information about that person, business information and confidential business information, is restricted to authorised users only, and such information remains legally admissible.
- All breaches of information security, actual or suspected, will be reported to and investigated by appropriately trained individuals within the Trust, and notified to the Trust Chief Information Security & Governance Officer.

6.2 The lawful and correct treatment of personal information is very important to the successful delivery of health care services and to maintaining confidence in the organisation as a whole. To this end all staff will adhere to the Principles of the Data Protection Act 1998, the Caldicott Recommendations, NHS guidelines, the Human Rights Act and all other relevant legislation, this policy document and any relevant professional codes of practice.

6.3 The Data Protection Act Principles state that personal information:
- MUST be processed and used fairly and lawfully.
- MUST not be further used in any manner incompatible with the purpose for which it has been obtained.
- MUST be adequate, relevant and not excessive in relation to the purpose or purposes for which it is used.
- MUST be accurate.
- MUST not be kept for longer than is necessary.
- MUST be used in accordance with the rights of the individual.
- MUST be protected against unauthorised disclosure and destruction.
- MUST not be transferred to a country or territory outside the European Economic Area with inadequate levels of protection for the rights and freedoms of the person in relation to their information.

6.4 The Caldicott 2 report outlines seven principles that should be applied to the handling of patient identifiable information:
- Principle 1: Justify the purpose(s) for using confidential information.
- Principle 2: Only use it when absolutely necessary.
- Principle 3: Use the minimum that is required.
- Principle 4: Access should be on a strict need-to-know basis.
- Principle 5: Everyone will understand his or her responsibilities.
- Principle 6: Understand and comply with the law.
- Principle 7: The duty to share information can be as important as the duty to protect patient confidentiality.

In addition, it recommends that the NHS number should be substituted for patient identifiable data wherever possible and that where patient data is transferred it should be reduced to the minimum required for the purpose.

6.5 NHS Guidelines:
- Information Security Management: NHS Code of Practice (gateway ref 7974)
- Records Management Parts 1 & 2: NHS Code of Practice (gateway ref 270422/1, 270422/2)
- Confidentiality: NHS Code of Practice (gateway ref 1656)

In addition, care will be taken, particularly with confidential clinical information, to ensure that the means of transferring it from one location to another are as secure as they can be. Safe Havens will be used wherever possible.

7 Relevant Policies and Guidance

7.1 Individuals who use personal devices to access Trust systems and data MUST comply with current legislation and NHS policies regarding the use and retention of Person Identifiable Information.

7.2 Policies and guidance that are relevant to this policy include, but are not limited to:
- Data Protection Policy (IM0030)
- Records Management Policies (IM0006, IM0007, IM0021)
- Internet Acceptable Use Policy (IM0029)
- Email Acceptable Use Policy (IM0009)
- Social Media Acceptable Use Policy (IM0033)
- NHS Records Management Code of Practice
- NHS Confidentiality Code of Practice
- NHS Information Security Code of Practice
- NHS Information Governance Toolkit

8 Definitions

8.1 Throughout this policy the term 'Personal device' is defined as an electronic mobile device that is not owned or issued by South Tyneside NHS Foundation Trust.

8.2 Throughout this policy the term 'device' is used to cover the following mobile devices:
8.2.1 Tablet computers (such as iPads and Android devices)
8.2.2 Smart phones (such as iPhones, Windows Mobile or Android phones)

8.3 Throughout this policy the term Mobile Device Management (MDM) is used to cover the software applications that the Trust has in place to manage the connection of mobile devices to its networks and their access to Trust systems and data.

8.4 Throughout this policy the terms Person Identifiable Information or Person Identifiable Data are defined as data from which a living individual may be identified.

9 Responsibilities

9.1 This document comprises the Use of Personal Mobile Devices Policy, as supplied by South Tyneside NHS Foundation Trust.

9.2 Overall responsibility for the enforcement of this policy lies with the Chief Executive, or any individual identified by them as having responsibility in this area. Enforcement of the policy has been delegated to the Chief Information Security & Governance Officer.

9.3 It is the responsibility of the delegated individual to implement the policy within the Trust.

9.4 It is the responsibility of Heads of Service and departmental Managers to ensure that the policy is implemented within their areas.

9.5 Authorised employees of the Trust are responsible for the implementation of this policy in relation to the use of devices owned by them and used to access Trust networks or systems.

9.6 All staff are responsible for demonstrating that they have completed, and passed, annual Information Governance training.

9.7 Managers are responsible for ensuring that staff have undertaken the required information governance training and have also received appropriate training in accessing Trust systems and data using personal devices.

9.8 The Trust Information Services department is responsible for managing the security of corporate data and for configuring and securing authorised personal devices using the Mobile Device Management software.

10 Acceptable Use

10.1 The following is a list of acceptable 'business only' uses for personal mobile devices:
- Access to business e-mail
- Access to business calendars
- Transport, viewing and editing of meeting papers
- Access to the Trust Intranet

11 Unacceptable Use

11.1 The following is a list of unacceptable uses of personal mobile devices; it is not comprehensive:
- Use of the device for business purposes outside of those identified at 10.1 above is prohibited.
- Storing Trust data on the device's internal or removable storage.
- Storage of contact details for patients within the native personal address book of the device.
- Use of the device's camera or other recording functionality for business purposes or to capture business information.

12 Access to Trust Data

12.1 Trust data / information / systems may only be accessed, stored, created or communicated on personally owned devices through use of the Trust's chosen Mobile Device Management or Collaboration solutions.

12.2 This may be downloaded to any application-enabled device identified within Appendix C; however, access to Trust information will only be enabled following appropriate line manager authorisation and approval.

12.3 Once the user has been appropriately authorised they will be issued with a unique PIN and instructions on how to enable the application to connect to the Trust systems.

12.4 Users must comply with all relevant Trust policies when accessing Trust data and systems using a personally owned device.

13 User Acceptance

13.1 Staff wishing to use personally owned devices to connect to Trust networks and systems MUST agree to the following:
- The device MUST be registered in the Trust's mobile device management (MDM) software. This will be completed automatically once the user device connects to the Trust systems.
- Where requested, MUST allow IT staff to audit their mobile device to ensure compliance with policy. This may entail accessing personal data.
- MUST allow the Trust to remotely wipe Trust data from the device should it be lost. This will not impact on a user's personal information stored on the device.
- MUST accept full liability for any data breach should they fail to comply with the terms of this policy.
- The Trust will not reimburse any costs associated with or incurred by the user through the use of the device for business purposes.
- The Trust will not be held liable for any loss of personal data the user may incur, either through the installation of the application on their device or as a result of actions taken by the Trust to ensure the security of Trust data, such as wiping, should the user's device be lost.

13.2 Staff MUST sign the acceptance agreement at Appendix A (Part 1).

14 Device Authorisation

14.1 Staff wishing to use their own devices for business purposes MUST complete the Use of Personal Mobile Device Request form at Appendix A.

14.2 The use of personal devices MUST be specifically authorised by the user's Line Manager / Head of Service / Trust Director at Appendix A (Part 2).

14.3 Connection of any personally owned device must also be authorised for connection to Trust networks and systems by the Head of Information Systems / IT Manager or an individual delegated by them to provide such authorisation.

15 Permitted Devices

15.1 Only devices that have been specifically authorised by IT will be allowed to connect to Trust systems.

15.2 The mobile device MUST have an operating system of iOS 6 or above / Android 4.3 or above / Windows Phone 8 or above. No other devices will be permitted to connect to Trust systems / access Trust data.

15.3 Devices that have had their operating systems modified (i.e. jailbroken or rooted) MUST NOT be connected to Trust networks. The Trust Device Management Software will prevent the connection of such devices.

15.4 Where it is identified that a user has connected / attempted to connect a device that has had its operating system modified, their access will be terminated and Trust information will be wiped from the device. The user will also be barred from future use of personally owned devices for business purposes.

16 Device Security

16.1 The mobile device MUST be protected with a PIN that is known only to the user of that device. The Trust MDM software will force the use of a passcode if one is not present.

16.2 The mobile device MUST NOT be used or accessed by any other individual when connected to Trust systems.

16.3 Anti-virus software MUST be properly installed and running on the device.

17 Losses and Breaches of Confidentiality / Security

17.1 The following incidents MUST be reported to the IT department immediately by the owner of the device:
17.1.1 The device is lost
17.1.2 The device is stolen
17.1.3 The device is taken without the owner's permission
17.1.4 The device becomes infected with a virus or other malware

17.1.5 The PIN or any password security for the device is compromised
17.1.6 The device owner has any reason to believe that the confidentiality of data held on the device has been compromised in any way

17.2 Should the staff member lose their device or have it stolen, its loss MUST be reported to the IT Helpdesk immediately and the incident recorded within the Trust Datix reporting system.

17.3 Losses that occur outside of normal business hours MUST be reported to the On Call IT Support Technician and an incident recorded within the Trust Datix reporting system as soon as possible.

17.4 Any device reported as lost will, where possible, be immediately wiped of Trust data by the IT department.

17.5 Any actual or potential breach of confidentiality or the security of the device MUST be reported to the Trust Information Governance Team.

17.6 Where a user specifically requests it, IT will, where possible, wipe the device of all data. This will be completed at the user's risk and with no residual liability on the Trust.

18 Device Monitoring and Auditing

18.1 The Trust MDM software will hold details of all devices permitted to access the Trust networks and systems.

18.2 The MDM software will hold a record of all applications that are stored on such devices.

18.3 Should an application that is deemed to be a threat to the Trust networks or systems be installed on a device, the device will be blocked from accessing the network by the system.

18.4 Staff personal devices will not be routinely monitored or audited by members of the IT or IG Teams; however, where requested, staff MUST permit IT / IG staff to examine the device.

18.5 Where a staff member refuses to allow reasonable access to their device, the device will be wiped (to ensure no Trust data remains on the device) and it will be de-authorised.

19 Policy Review, Audit & Monitoring

19.1 The policy will be reviewed twenty-four (24) months from its date of final approval and dissemination within the Trust.

19.2 The policy will be audited at the time of review to determine effectiveness.

20 Appendices

A. Use of Personal Mobile Device Request Form
B. Policy Signature Sheet

Appendix A. South Tyneside NHS Foundation Trust: Authorisation to Use a Personal Device for Trust Business

Part 1 (All items to be completed by the person who will be using the Device)

Job Title:
Location / Base:
Telephone No / Extension:
Network Login (Username):
Surname:
Forename:
Trust e-mail address:

I agree that I have read and understood the Trust policy for using personal mobile devices for business purposes and agree to abide by the terms of the policy. I understand that I will be held liable for any breach of confidentiality caused by my failure to follow the terms of the Use Of Personal Mobile Devices Policy. I understand that failure to comply with the requirements of the policy will result in my authorisation to use my device for business purposes being revoked and, if authorisation is revoked, the device will be remotely wiped by the IT department.

Signed: Date:

Part 2 (All items to be completed by Head of Service / Executive Director)

Job Title:
Location / Base:
Telephone No / Extension:
Network Login (Username):
Surname:
Forename:
Trust e-mail address:

I approve the use of a personally owned device by the individual who has been named in Part 1 of this document. I confirm that the use of a device not owned or issued by the Trust is necessary for business purposes.

Signed: Date:

Appendix B. Use Of Personal Mobile Devices Policy: Policy Signature Sheet

This sheet should be used to record the names of staff members who have read and understood the above policy document.

Name (please print) | Job Title | Date | Signature