NHS Ayrshire & Arran Organisation & Human Resource Development Policy. Appropriate Use of IT Facilities Policy

Transcription

1 NHS Ayrshire & Arran Organisation & Human Resource Development Policy Appropriate Use of IT Facilities Policy Version: 1.5 Date Approved: Author: Dept O&HRD, IT Security & Review date: Information Governance Approved by: Information Governance Operational Delivery Group/HR Policy Review/ APF Document uncontrolled when printed

2 DOCUMENT CONTROL SHEET Key Information: Title: Appropriate Use of IT Facilities Policy Document Status: Approved Document Type: Policy Version Number: 01.5 Document location: AthenA Author: Dept O&HRD / IT Security / Information Governance Owner: Dept O&HRD / IT Security / Information Governance Approved By: Information Governance Operational Delivery Group Date Effective From: Updated Approved Review Frequency: 2 years Next Review Date: Contact: Marianne Brown (IT Security) / Liz Bacon (Dept O&HRD) Revision History: Version: Date: Summary of Changes: Responsible Officer: Approvals: this document was formally approved by: Name/Title/Group Date: Version: Information Governance Operational Delivery Group HR Policy Review Group Area Partnership Forum Dissemination Arrangements: Intended audience: Method: Date Version: All NHS Ayrshire & Arran staff AthenA & Stop Press Linked Documentation: Document Title: Document File Path: NB. This document is uncontrolled when printed. The contents of this document are subject to change, any paper copy is only valid on the day of printing. To ensure you have the most up to date version of this document please use the link to access the document directly from AthenA. Document uncontrolled when printed Page: Page 2 of 12

3 Table of Contents 1 Introduction Related Policy, Guidance and Legislation Authorisations of Access Personal Use Specific Obligations Mobile Devices and Removable Media Secure Destruction Network Connection and Remote Access Expectation of Privacy Information Security Breaches...11 Document uncontrolled when printed Page: Page 3 of 12

4 1 Introduction Members of staff are provided, where appropriate, with access to IT facilities including and internet facilities to assist them in carrying out their duties. All IT facilities are the property of NHS Ayrshire and Arran and as such are to be used only for legitimate business purposes and limited personal use, in accordance with section 4 of this policy. NHS Ayrshire & Arran must abide by the policies in relation to connecting to the NHSScotland network. All users must comply with this policy and all of the associated policies listed in section 2. All users must ensure that their actions: - Are consistent with the law - Do not bring NHS Ayrshire & Arran into disrepute or place it in a position of liability - Do not cause damage or destruction to NHS Ayrshire & Arran s systems or business - Do not violate any provision set out in this policy or any other NHS Ayrshire & Arran policy or standard of conduct. Staff should be aware that any material e.g. documents, spreadsheets etc that they create or store on NHS Ayrshire and Arran IT facilities are viewed as corporate records and are the property of NHS Ayrshire & Arran. 2 Related Policy, Guidance and Legislation 2.1 Local NHS Ayrshire & Arran Secure Storage, Communication and Transportation of Personal Information Policy NHS Ayrshire & Arran Management of Employee Conduct Policy Reporting and Managing an Information Security Breach Social Media Policy 2.2 National HDL (2006) 41 NHS Scotland Information Security Policy Document uncontrolled when printed Page: Page 4 of 12

5 CEL 31 (2010) Updated Records Management: NHS Code of Practice (Scotland) CEL 25 (2012) NHS Scotland Mobile Data Protection Standard Data Protection Act 1998 Freedom of Information (Scotland) Act 2002 Caldicott Principles Protecting Patient Confidentiality NHS Scotland Code of Practice Information Commissioners Office Employment Practices Code Computer Misuse Act Authorisations of Access Access to NHS Ayrshire & Arran IT facilities including system access, internet or access will only be granted on receipt of an appropriately completed and authorised System Access Request. All users must use their own unique username and password to access NHS Ayrshire & Arran IT facilities. Gaining access by using another employee s username and password constitutes a breach of organisational policy. Sharing passwords or allowing another member of staff to use your PC or access a system while you are logged on constitutes a breach of organisational policy. For the purposes of shared laptops encryption passwords can be shared with other members of staff where required. This password does not provide access to any sensitive information and is used only to allow the laptop to start up. 4 Personal Use IT Facilities are made available to staff for business purposes to support them in undertaking their role and fulfilling their duties and responsibilities. Staff are permitted to use IT Facilities for non work related matters where it does not intrude with the users work, colleagues, patients or the environment; does not appear to have been sent on behalf of the organisation; does not bring NHS Ayrshire and Arran into disrepute; and does not contravene this policy or any of the policy, Document uncontrolled when printed Page: Page 5 of 12

6 guidance and legislation detailed in Section 2.0. Non work related activity must be limited to non working time. 4.1 The facilities must not be used for personal gain e.g. running a business from work or selling personal items. 4.2 Personal use of mobile devices e.g. laptops, ipads and iphones exposes the device and the organisation to increased risk when the device is in use outwith the security of the NHS Ayrshire & Arran network. Therefore personal use of mobile devices must comply with the same conditions as if the device was used on the NHS Ayrshire & Arran network and adhere to the requirements in Section 5 of this policy. 4.3 Users must not store personal files (not business related, such as photographs, music or documents) on NHS Ayrshire and Arran systems, e.g. within or on H:, C: or shared drives. Personal use of IT facilities during work time is not appropriate, and any such misuse may be considered a disciplinary matter. 5 Specific Obligations All users must ensure that they familiarise themselves with and comply with the related policy, guidance and legislation listed in Section 2.0 to ensure that individual s rights to confidentiality are respected and the integrity and security of information systems and IT facilities are maintained at all times. 5.1 Users must not knowingly - Produce, send, view or access defamatory material - Send, view, access or post communications that knowingly cause distress or offence to another user, or that are intended to annoy, harass or intimidate another person - Send, view, store, access or transmit any files of an illegal, hateful, sexually explicit, obscene, pornographic or otherwise objectionable nature - Attempt to introduce viruses. The transmission or propagation of any virus, worm or malicious code is expressly forbidden - Purchase, install or download any unapproved or unlicensed software or applications. Contact should be made with the ehealth Service Desk for all software installation enquiries - Save, view or access material which breaches copyright such as music or movie files - Attempt to remove or bypass any security systems in place - Connect any non NHS Ayrshire & Arran device to the NHS Ayrshire & Arran network or systems - Send persistent unwanted communications to an individual Document uncontrolled when printed Page: Page 6 of 12

7 - Register their NHS address for non work related communication/websites 5.2 Users must not: - waste resources by sending or inviting large amounts of unnecessary e.g. you must not register your nhs provided address on non work related sites - forward chain mail, joke s or other frivolous - use the system for excessive personal use - use any IT facility for personal gain e.g. running a business External business s MUST include the following statement: The information contained in this is confidential and is intended only for the named recipient(s). If you are not the intended recipient you must not copy, distribute or take any action on or place any reliance on it. If you have received this in error, please notify the sender. Any unauthorised disclosure of the information contained in this is strictly prohibited. Staff should be aware that s generated within the NHS Ayrshire & Arran system are viewed as corporate records and may legitimately be requested under the Freedom of Information (Scotland) Act s which contain personal information can also be requested by the subject of the information under the Data Protection Act 1998, for example if a patient is discussed by , that patient has a right to get access to personal information relating to them contained within the , unless any exemptions apply. All s entering the organisation or originating from the organisation are automatically filtered to ensure that the system is secure and used appropriately. s containing the following content are automatically blocked by the system as they present an increased risk to the Information Systems within the organisation: Files: -.exe files - spam attachments Keywords which fall within the following categories: - offensive language - spam - chainmail Subject lines as appropriate From senders as appropriate Document uncontrolled when printed Page: Page 7 of 12

8 Virus or malware infected IT Security continually reviews and amends the categories of content blocked within s to ensure the integrity and security of the system. s which include blocked content will then be viewed by the IT Security Team to ensure that the has been appropriately blocked. IT Security will also highlight possible defamatory material. An incident report will be raised when individuals have been identified as sending s containing the content from the above categories. This will initially be brought to the attention of an HR Manager who will contact the employee s line manager thereafter and if required managed in accordance with the procedures detailed in Reporting and Managing an Information Security Breach. 5.3 Internet Users must not: - Knowingly visit internet websites which contain illegal, sexually explicit, pornographic, obscene, hateful or otherwise objectionable material - Publish or post comments or material that knowingly cause distress or offence to another user, or that is intended to annoy, harass or intimidate another person - Publish or post comments which breach the Social Media Policy - Download software unless instructed to do so by ehealth & Infrastructure Services - Download or access material such as video, music, games, screensavers for non-work related purposes - Use web proxies to gain access to blocked websites, or try to bypass internet filters in any other way. NHS Ayrshire & Arran denies access to the following categories of websites: adverts gambling hate and discrimination offensive & tasteless dating gaming hacking Unlawful activity pornography & adult material radio stations proxy avoidance Non approved weblog & social interaction SMS mobile & telephony services Non authorised instant messaging streaming media & media downloads violence weapons Document uncontrolled when printed Page: Page 8 of 12

9 Accessing internet sites containing the content noted under Section 5 constitutes a breach of this policy and will be managed in accordance with the procedures detailed in Reporting and Managing an Information Security Breach document. Users should be aware that NHS Ayrshire & Arran has software capable of recording the internet history of all users. 6 Mobile Devices and Removable Media All users must adhere to the NHS Scotland ehealth Mobile Data Protection Standard. This standard applies to all mobile devices such as laptops, PDAs, ipads, iphones, Blackberrys etc and removable media such as usb memory sticks, cds/dvds, floppy disks, backup tapes, external hard drives etc All mobile devices must: - have appropriate security controls regardless of the sensitivity of the information stored - be kept physically secure and locked away when not in use - be registered and allocated to an owner, the device must be returned when an owner leaves post - Only have approved software or apps installed. You must not purchase, install or download any unapproved or unlicensed software or applications. Contact should be made with the ehealth Service Desk for all software installation or upgrade enquiries. 6.1 Mobile Devices NHS Ayrshire & Arran mobile devices must have full disk encryption applied. This software will be installed by IT Security. Where devices cannot be fully encrypted a risk assessment must be carried out by the department requesting the mobile device for approval by IT Security and Information Governance. NHS Ayrshire & Arran equipment must only be used by anyone other than the employee of NHS Ayrshire & Arran. 6.2 Removable media - NHS Ayrshire & Arran approved media must be used - Port blocking software is installed on all devices to ensure that only approved removable media can be used - All removable media must be encrypted. IT Security can advise on this - A risk assessment must be carried out by the requestor of any device that is required to store any Personal/Patient Identifiable Information or sensitive Business Information Document uncontrolled when printed Page: Page 9 of 12

10 - Where removable media cannot be encrypted, a risk assessment must be carried out by the department requesting the device for approval by IT Security and Information Governance - Approved removable media are provided for work purposes only. The use of removable media is logged centrally and is regularly audited. Inappropriate use will be reported to the relevant Director. 6.3 Use of mobile devices on Non NHS Premises NHS Ayrshire & Arran devices can be connected to non NHS networks including home networks providing the following is adhered to: - Access has been agreed with your line manager and ehealth & Infrastructure Services have been notified - Antivirus software is up to date prior to connection - All security patches are up to date (e.g. windows updates) - Mobile devices are returned to NHS Ayrshire & Arran workplace at least once per month and connected to the network to allow all patches/updates to be applied. - Devices must be appropriately secured at all times in line with the NHS Ayrshire & Arran Secure Storage Communication & Transportation of Personal Information Policy 7 Secure Destruction All IT related hardware such as PCs, laptops, pdas, Blackberrys, iphones and all removable media such as CDs, disks, memory sticks or backup tapes must be disposed of by ehealth & Infrastructure Services. The ehealth Service Desk will uplift and arrange for secure destruction of all media and devices. Contact the ehealth Service Desk to arrange for secure destruction. 8 Network Connection and Remote Access To ensure that the information, systems and network within NHS Ayrshire & Arran remains safe and secure the following rules are essential: Do not connect any device (computer, laptop, printer, PDA, router, modem, wireless network, etc) to the NHS Ayrshire and Arran network unless the device is owned by NHS Ayrshire & Arran. Personally owned equipment must not be connected to the NHS Ayrshire & Arran s network for any purpose. Document uncontrolled when printed Page: Page 10 of 12

11 All systems and devices provided by the Organisation are subject to the same conditions of use whether they are used remotely (at home) or on an NHS Ayrshire and Arran site. NHS Ayrshire & Arran may disable or remove without warning any device detected on the network that has not been authorised and securely installed by ehealth & Infrastructure Services. 9 Expectation of Privacy NHS Ayrshire & Arran has software and systems in place capable of recording activity for all users, transactions and messages using the NHS Ayrshire & Arran network. NHS Ayrshire & Arran IT facilities are provided for business purposes although limited personal use is permissible. No user of NHS Ayrshire & Arran IT facilities should have any expectation of privacy as to his or her use of the IT facilities. NHS Ayrshire & Arran may review any activity and analyse employee usage patterns, it may choose to publicise those data in an anonymous format to ensure that IT resources are devoted to maintaining the highest levels of business productivity. NHS Ayrshire & Arran is bound by the terms of the: - Data Protection Act Human Rights Act 1998 Any investigation into an employee s use of IT Facilities will be conducted in compliance with the above Acts, and the Information Commissioner s Office Employment Practices Code. 10 Information Security Breaches Information Security Breach refers to an incident or situation where personal identifiable information entrusted to the organisation is made substantially susceptible to or is: Unlawfully processed Unlawfully disclosed Accidentally lost, destroyed or damaged, or Where the NHS Ayrshire & Arran Appropriate Use of IT Facilities (this policy) or NHS Scotland Information Security Policy has been breached Document uncontrolled when printed Page: Page 11 of 12

12 All information security breaches must be reported to the IT Security Team or the Information Governance Team via Datix Incident Reporting System. Managers should refer to Reporting and Managing an Information Security Breach Procedure Document uncontrolled when printed Page: Page 12 of 12