Electronic Communications with Citizens Guidance (Updated 5 January 2015)

Transcription

1 Electronic Communications with Citizens Guidance (Updated 5 January 2015) Overview - Activities Outside Of The Scope Of The Policy And This Guidance Requests To Use /SMS Outside The Scope Of The Guidance - The Risks And Appropriate Use Reasonable Adjustments Overview SMS/Texting When And How To Use SMS Retention Of SMS Information Overview - This guidance supports the DWP Policy on use of and SMS with citizens and defines the circumstances and controls which are necessary when using and SMS for these purposes. Staff must continue to follow existing DWP Security Guidance on the Security Portal, the Electronic Media Policy and the Standards of Behaviour Policy. Staff are reminded that potential breaches or inappropriate use will be investigated and could result in disciplinary action. Following this guidance will manage some of the risks associated with and SMS texting, for citizens, staff, and the Department. This guidance: helps staff to understand the risks so that they can explain them to citizens, helps staff to make best use of the communication tools they have available to them (such as Microsoft Outlook),

2 describes best practice and gives examples of the types of messages staff can use as part of initial and ongoing conversations with citizens, particularly but not only in relation to work search activity, creates a firm, clear, consistent message to citizens that DWP will never ask them to send passwords/pins, or personal, medical or financial information by , Suggests how businesses should use one-way and two-way address boxes to better manage these communications. Where possible use shared mailboxes when contacting citizens, as amongst other things, this approach helps to protect staff identities. Activities Outside Of The Scope Of The Policy And This Guidance Where /sms activity is already part of business processes and does not comply with this guidance, these activities should be reviewed. A compliant process should be introduced or permission to continue sought via an exception request whilst the business moves, over time, to a more secure solution. Requests To Use /SMS Outside The Scope Of The Guidance An Exceptions Board will consider requests from within the Department to use /sms in ways other than those set out in the policy and this guidance. However, it will not permit any new activity which encourages citizens to send personal information to the DWP via these means, pending the introduction of a secure communications solution, or set aside any binding legal agreements. Requests should be made either by or on behalf of the Business Process Owner, and on a template provided for that purpose. - The Risks And Appropriate Use s are targeted by criminals and foreign intelligence agencies, and the threats and risks are real. communication over the internet is inherently insecure - messages can be captured and data stolen or amended without the knowledge of the sender or recipient, and an can be used to carry threats such as malware and viruses. There are also risks that s can be inadvertently sent to one or many incorrect recipient(s). Once SEND is pressed the information is no longer in a secure environment, and cannot easily be recalled or recovered. GOV. UK provides advice from DWP to citizens on protecting their data, you can read this by clicking the link at the end of this guidance. Where members of the

3 public requires general advice or wishes to report phishing please make them aware of the document. In addition DWP must operate within the legislative framework and follow our business processes including records management. Our legacy systems were not created with electronic communications in mind. Electronic communications in relation to claims must be lawful. correspondence must be carefully managed, and follow this guidance. can be used to communicate routine business information. For other authorised exchanges see the list of circumstances which have been approved. must not be used for the inward or outward exchange of personal information with citizens. Never Date of birth, bank account details, information on family members, pension and health/medical details. Checklists have been provided to help. Only include the minimum amount of contact information without which such communication would not be possible (for example claimant s name, National Insurance number - where a reply is required - and address). Information supporting work search activity (such as C.Vs) is an approved exception. If an is received with a NINO in the subject line, or body of the message, it is acceptable to a reply to the sender, including those details. Phishing and malware attacks often rely on recipients clicking on s containing live web links and attachments and entering personal information. For example, MoJ, DVLA and HMRC have all had their identities spoofed (copied by criminals) who have then sent citizens s asking them to click links, and divulge passwords or other sensitive information. Adding attachments and links provide or direct people to specific information, much of our activity supporting people into work relies on the fast and direct electronic transfer of information. As a result the Department allows the use of attachments and links provided: Attachments to s to citizens should only be included where the citizen has requested the information or has been informed in advance to expect it (for example in the case of a CV exchange or request for a blank form), Staff using links or attachments in should consider whether these are really necessary to deliver the business requirement,

4 Wherever possible avoid sending concealed, clickable links, because these can sometimes take the recipient to inappropriate websites. Wherever possible, business areas should work to propose blank forms and templates to be placed on the gov.uk website, direct citizens, there rather than using to send individual copies to them. All s must have appropriate disclaimers which make clear that DWP will never ask citizens for usernames, passwords, personal, health/medical or bank account information via . Where is to be used to communicate with a claimant, the Department s limitations on its use should be discussed at an early stage of the customer journey so as to manage and create the right expectations and raise awareness of the risks of using . Citizens must be informed DWP will never ask you to send usernames or passwords, or personal, medical or financial information by . This is because unencrypted is the equivalent of putting the information on a postcard in a public place. If you this type of information we will not take any action until we have contacted you to confirm the message and that you sent it. This may delay our ability to deal with your . Only routine information can be sent using an insecure channel. Reasonable Adjustments Two way can be used as a Reasonable Adjustment where it is necessary for an individual disabled citizen. Requesting communications via must be for a valid reason which relates to the individual s disability, for example they find it more difficult or are unable to communicate and use our services through usual communication and contact routes, for example, written letters because they are blind or partially sighted. The customer must be advised of the risk of their data travelling over the unsecure network and being seen by third parties, and provide confirmation that they accept this risk. The Use of as a reasonable adjustment guide details how to agree and arrange the request. Check with the Equality team if you have any doubt on the course of action to take to agree the use as a way of communicating with a disabled claimant. Staff of the independent case examiner will continue to follow previously agreed business guidance when dealing with complaints from customers.

5 Citizen Awareness Provided on Gov.UK Any security queries should be discussed with your local Security Business Partner (SBP) or the Security Advice Centre. Overview SMS/Texting This guidance provides more detail as to under what circumstances and with what controls they can use SMS texts to communicate with citizens. HTK remains the Department s safest and mandated method of SMS communication. Business mobile phones may be used for texting in limited circumstances, subject to sign off by the Exceptions Board sign off will not be given where it is possible to use HTK., Staff must continue to follow existing DWP Security Guidance on the Security Portal and the Standards of Behaviour policy. Staff are reminded that potential breaches or inappropriate use will be investigated and could result in disciplinary action. For your protection and for legal reasons, personal mobiles must never be used for texting citizens or their representatives. When And How To Use SMS SMS messaging can be a useful way of sending short reminders or updates to citizens. The use of SMS is appropriate when it is being used to give citizens routine non-personal business information and reminders. SMS/texting must not be used for the inward or outward exchange of personal information with citizens. This includes date of birth, bank account details, pension, information on family members and health/medical information. This excludes the minimum amount of contact information without which such communication would not be possible (for example name, telephone number), or to confirm receipt of sensitive information, such as a Fit for Work note. Business areas wishing to make use of routine notification SMS communications with citizens must use template responses which have been agreed by the OED External Communications team. When sending text messages via HTK the SMS protocols must be followed.

6 There may be some circumstances where it would be useful to send text messages but the HTK system is not available/appropriate. This may be possible with the relevant Exceptions board approval in limited circumstances, for example: 1. An outreach setting (where HTK is not available) - Previous experience has shown that customers regularly respond to and send text messages to their outreach adviser as a preferred form of communication, 2. An area of the Department where HTK is not (yet) available, 3. A requirement for two way communication (not possible through HTK). Where a business need for use of DWP mobile phones for SMS is identified, an exceptions request must be prepared by the business area for decision by the Exceptions board working with the OED External Communications Team, who will take it through the Security Governance if necessary. SROs cannot take risk acceptance decisions on this subject. Exceptions requests for SMS/texting from DWP mobiles should generally only support one-way communication from DWP to citizens. If a business case requires two-way communication via DWP mobile phones this must not invite any personal information and the protocols for records management of such communication chains must be clearly established and followed. SMS should only be sent to mobile phone numbers and not to land lines, as land lines are more likely to be a shared resource. Any use of DWP business mobile phones must apply the following protocols in order to maintain a professional relationship and not risk compromising staff personal safety or citizen information: As the authorised holder of the DWP mobile phone it is your responsibility for how it is used and safeguarding of the equipment and when using it, you must adhere to the Electronic Media Policy, Face to face/telephone conversations or written correspondence must always be used for anything that goes beyond a basic keep in touch, or reminder basis, Under no circumstances should messages include inappropriate material; jokes of any kind or text speak such as LOL,

7 If a citizen replies to an SMS message providing or requesting personal information the standard response should be - Sorry I am unable to answer your text for security reasons, please ring XXXX / I will call you on (date and time) or we can discuss at your appointment on XXX, You should not strike up conversations through texts with citizens. Your relationship with the citizen is one of a professional nature, and extending the boundaries could compromise your position, All data on a DWP mobile phone is held on the device in an unencrypted form so you should ensure messages contain minimal information and never capture full contact details in the address book. Retention Of SMS Information Use of SMS must comply with the Records Management Policy on supporting and ephemeral data. Contact details must be deleted immediately once you no longer have a business reason to retain them. All SMS communication and records management processes must take into account any requirements for mandated recording for information that has sanctionable consequences. Any security queries should be discussed with your local Security Business Partner (SBP) or the Security Advice Centre.