Mobile Working Policy

Transcription

1 Mobile Working Policy Date completed: Responsible Director: Approved by/ date: Ben Westmancott, Director of Compliance Author: Ealing CCG Governing Body 15 th January 2014 Ben Westmancott, Director of Compliance Review date: Amended: Mobile Working Policy Version 2.2 Page 1 of 10

2 Mobile Working Policy For more information on this document, please contact: Director of Compliance, Ben Westmancott, CWHH CCGs Collaborative 15 Marylebone Road, London NW1 JD Version History Version Date issued Brief summary of change Owner s name 1.0 July 2013 Amended to reflect CWHH procedures Ben Westmancott 2.0 August 2013 Circulated to local CCG IT Committee for Comment Ben Westmancott 2.1 September 2013 Amendments from IT Strategic Lead Farid Fouladinejad 2.2 November 2013 Version for committee consideration NB, will also apply to Ealing CCG following adoption by governing bodies. Ealing CCG will need to be added to references to CCGs throughout. Ben Westmancott Document Imprint Copyright Central London, West London, Hammersmith & Fulham, Hounslow, and Ealing Clinical Commissioning Groups, 2013: All rights reserved Re-use of all or part of this document is governed by copyright and the Re-use of Public Sector Information Regulations SI2005 No 1515 Information on re-use can be obtained from: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative Tel: , ben.westmancott@inwl.nhs.uk Mobile Working Policy Version 2.2 Page 2 of 10

3 Contents 1.0 Purpose Definitions Scope Policy Summary Physical Security/access control Usage in any public accessible area Usage in areas not generally accessible to the public Home Usage Supplied equipment Staff owned equipment Teleworking Authorisation to remove data Sending from home Connection to the Network Disaster recovery/major incidents Termination of Employment... 9 ` Mobile Working Policy Version 2.2 Page 3 of 10

4 1.0 Purpose This policy has been developed to promote best practice with regards to information handling outside the boundaries of Central London, West London, Hammersmith and Fulham, Hounslow, and Ealing Clinical Commissioning Groups premises (including working at home). The policy is aimed at enabling and supporting employees who intend to use and transfer manual and electronic person identifiable records between home, the work place and the community. The security issues in this policy relate to and include physical security of IT equipment, confidentiality of manual and electronic data, and implications for the security of CCG office systems and network. This policy must be used in conjunction with similar policies of the NWL Commissioning Support Unit or any other future provider of IT services for the CCG. 2.0 Definitions 2.1 Data devices This includes any device that can store data, images and other information required for the CCG s operational business. Typically this includes laptops, tablets, personal digital assistants (PDAs), blackberries but also includes digital audio and visual recording/playback devices (such as dictaphones, digital cameras and mobile phones). 2.2 Media This includes any physical item that can store data, images and other information and requires another device to access it. For example: CD, DVD, Floppy disc, tape, digital storage device (flash memory cards, USB disc keys, portable hard drives). 2.3 Person Identifiable Data Person identifiable information can include one or more of the following: Surname Forename Address/Postcode Telephone Number Occupation Gender Date of Birth Ethnic Group NHS Number NI Number Mobile Working Policy Version 2.2 Page 4 of 10

5 Photo 3.0 Scope This policy applies to all employees of the CCG, other workers who may not be directly employed by the CCG (e.g. agency workers, contractors, selfemployed consultants, authorised 3 rd party suppliers and duly authorised visitors), who at any time remove records and other information in any form, from CCG owned premises, where it is usually stored. The authorisation procedure only relates to staff who need to use mobile computing facilities, either on or off-site (including staff homes), or transfer information between computer systems via physical media. Staff should only use storage media provided by the CCG or its IT service providers. These must ensure that the organisation meets all its information governance and information security obligations. The authorisation procedure is not required for the transfer or off-site usage of paper records. Specific procedures around authorising the access, use and tracking of clinical records are detailed within the CCG s Records Management Policy. 4.0 Policy Summary Users of information will: Keep usage to a minimum in public areas Only use information off-site/at home for work related purposes Ensure security of information within the home Not connect any privately owned equipment to the CCG s network or IT hardware unless approved by the CCG s IT service provider. Scan any media used to transfer data for viruses using a fully up to date anti-virus scanning software Not send person identifiable or confidential data to home (internet) addresses. If PID is to be transferred via this can be done via nhs net only and in full compliance of information governance policies. Keep equipment and files locked out of sight during transit and during storage. If leaving equipment on and unattended to ensure that it is locked down with password protection. Ensure equipment/files are adequately packaged in transit to prevent damage or tampering Not dispose of any media (including paper) off-site. Mobile Working Policy Version 2.2 Page 5 of 10

6 5.0 Physical Security/access control 5.1 Usage in any public accessible area The use of information in these areas should be kept to an absolute minimum, due to the threats of overlooking and theft. Any member of staff choosing to use information and/or devices in these areas that results in any related incident will be required to state why the usage was required in that situation and the efforts they made to protect the information and any equipment. Equipment in use will not be left unattended at any time. 5.2 Usage in areas not generally accessible to the public (other organisational premises) Staff are responsible for ensuring that unauthorised individuals are not able to see information or access systems. If equipment is being used outside of its normal location and might be left unattended, the user will secure it by other means. 5.3 Home Usage Only authorised members of staff are allowed access to information being used at home in any form, on any media. No family members are allowed access to the equipment or data. Use of any information at home must be for authorised work purposes only. Staff must ensure the security of information within their home from theft as well as ensuring that unauthorised individuals are not able to see information or access systems. Where possible it should be stored in a locked container (filing cabinet, lockable briefcase). If this is not possible, when not in use it should be neatly filed and stored away. 5.4 Supplied equipment Where the CCG has supplied any form of data device, only the member of staff themselves is authorised to have access to it. Any member of staff allowing access to an unauthorised person, deliberately or inadvertently, may be subject to disciplinary proceedings. The CCG s IT service provider is responsible for ensuring that access to supplied equipment requires a username and password and that anti-virus software and encryption is installed. For supplied equipment that is not classed as portable (i.e. a supplied desktop PC), the IT department are responsible for ensuring anti-virus software is regularly updated. This will require the return of equipment therefore staff must return supplied equipment for updating and checks by the IT Department when requested. Mobile Working Policy Version 2.2 Page 6 of 10

7 If staff have been supplied with IT portable equipment (i.e. a laptop or tablet device), they are responsible for ensuring that it is regularly connected to the CCG s network on-site for upgrade of anti-virus software. All CCG IT portable equipment must be encrypted before any information is stored. Person identifiable data files should have additional protection against unauthorised access (for example an additional password). When equipment is returned or the data is no longer needed the data must be removed. This is the user s responsibility. The CCG is responsible for the safety testing of supplied equipment and annual PAT testing of this equipment. Staff who use the equipment are responsible for ensuring that these checks are undertaken. 5.5 Staff owned equipment The use and storage of person identifiable or confidential data on staff owned equipment is strictly forbidden. Staff may only use a CCG supplied encrypted USB data key for this purpose. Staff must not use their own computer for work related activities, unless as part of an agreed and authorised process. For advice on suitable products, please consult the IT Service Desk. For prevention of viruses and related security risks, staff must not connect any personally owned devices to the CCG network unless otherwise authorised by the IT service desk. 5.6 Teleworking Teleworking is defined as a member of staff whose main office is their home. The decision as to whether a member of staff is a teleworker will be taken by their line manager, based on the frequency of work being done from home and the equipment required to support it. Any teleworker will apply all elements of this policy, but in addition will ensure: Sensitive information (person identifiable or organisationally sensitive) is locked away when not in use and only accessible by the member of staff. Any controlled document (e.g. staff record) they have will be traceable to their location and that any procedure to note the location of a file required by the organisation will be rigidly applied by them. Their house and content insurance covers them for the loss of any equipment provided by the employing organisation. Any staff that are defined as a teleworker are responsible for ensuring that their work conditions at home comply with health and safety regulations and Mobile Working Policy Version 2.2 Page 7 of 10

8 CCG policies and procedures. Staff must undertake a display screen equipment risk assessment as detailed in the Display Screen Equipment Policy (DSE) and a copy of this assessment must be retained on their personnel file. Staff are responsible for ensuring that the assessment is reviewed following any change in their work environment at home. 5.7 Transfer or sharing of equipment Where equipment has been transferred from one staff member to another on a permanent/long term basis then the IT service desk needs to be informed to amend the asset register. Where equipment is issued on loan or a temporary basis, a log book needs to be kept of who currently has the equipment. 6.0 Authorisation to remove data All staff who work with person identifiable or organisationally sensitive data on a PC at home must complete an authorisation form (Appendix A). 7.0 Sending from home This is covered in the CSU s Acceptable Use Policy for IT. following points directly apply to mobile working: However the 7.1 Electronic mail containing person-identifiable and confidential information may not be sent to or from home accounts. Non person-identifiable or information that is deemed not confidential may be sent via Connection to the Network Staff may connect to the network via the secure method following a process of authorisation by the IT Department. 9.0 Transport/storage When staff remove equipment, files and data from CCG premises, they are responsible for ensuring its safe transport and storage. Equipment should be password protected whenever possible and not left unattended e.g. in vehicles. Equipment must be transported in a secure, clean environment. Mobile Working Policy Version 2.2 Page 8 of 10

9 Appropriate packaging should be used to prevent physical damage (sealed envelopes etc.) Where a courier service is used to transport packages containing sensitive information tamper proof packaging will be used 10.0 Disaster recovery/major incidents In the event of a major incident or disaster, the organisation may recall all equipment on loan to provide core services Termination of Employment On leaving the employment of the organisation, all equipment, software and information must be returned. The CCG will take the necessary action to reclaim all equipment, software and information that has not been returned by the member of staff (e.g. by means of final salary payment) Mobile Working Policy Version 2.2 Page 9 of 10

10 Appendix A Mobile Working Authorisation Form Name: Job Title:.. Department/Directorate:.. Contact Number: Please detail the work you are undertaking: I (name)... have read and understood and will abide by the terms of the Mobile Working Policy. I understand that any violation of this policy could result in disciplinary action and possible dismissal or criminal prosecution. Signed: Date: Authorisation: Name: Job Title: Contact Number: Signed:. Date:.. For ICT Services Use Only - Authorised by: Name:.. Signed:.. Date: Mobile Working Policy Version 2.2 Page 10 of 10