Mobile Working Policy


Date completed:
Responsible Director: Ben Westmancott, Director of Compliance
Approved by/date: Ealing CCG Governing Body, 15th January 2014
Author: Ben Westmancott, Director of Compliance
Review date:
Amended:

Mobile Working Policy Version 2.2 Page 1 of 10

For more information on this document, please contact:
Director of Compliance, Ben Westmancott, CWHH CCGs Collaborative, 15 Marylebone Road, London NW1 JD
E-mail: ben.westmancott@inwl.nhs.uk

Version History

Version 1.0, issued July 2013: Amended to reflect CWHH procedures. Owner: Ben Westmancott.
Version 2.0, issued August 2013: Circulated to local CCG IT Committee for comment. Owner: Ben Westmancott.
Version 2.1, issued September 2013: Amendments from IT Strategic Lead. Owner: Farid Fouladinejad.
Version 2.2, issued November 2013: Version for committee consideration. NB, will also apply to Ealing CCG following adoption by governing bodies; Ealing CCG will need to be added to references to CCGs throughout. Owner: Ben Westmancott.

Document Imprint

Copyright Central London, West London, Hammersmith & Fulham, Hounslow, and Ealing Clinical Commissioning Groups, 2013: All rights reserved.

Re-use of all or part of this document is governed by copyright and the Re-use of Public Sector Information Regulations 2005, SI 2005 No 1515. Information on re-use can be obtained from: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative, Tel: 020 3350 4313, E-mail: ben.westmancott@inwl.nhs.uk

Contents

1.0 Purpose ... 3
2.0 Definitions ... 4
3.0 Scope ... 5
4.0 Policy Summary ... 5
5.0 Physical Security/access control ... 6
5.1 Usage in any public accessible area ... 6
5.2 Usage in areas not generally accessible to the public ... 6
5.3 Home Usage ... 6
5.4 Supplied equipment ... 6
5.5 Staff owned equipment ... 7
5.6 Teleworking ... 7
6.0 Authorisation to remove data ... 8
7.0 Sending Email from home ... 8
8.0 Connection to the Network ... 8
10.0 Disaster recovery/major incidents ... 9
11.0 Termination of Employment ... 9

1.0 Purpose

This policy has been developed to promote best practice with regards to information handling outside the boundaries of Central London, West London, Hammersmith and Fulham, Hounslow, and Ealing Clinical Commissioning Groups premises (including working at home). The policy is aimed at enabling and supporting employees who intend to use and transfer manual and electronic person identifiable records between home, the workplace and the community.

The security issues in this policy relate to and include physical security of IT equipment, confidentiality of manual and electronic data, and implications for the security of CCG office systems and network.

This policy must be used in conjunction with similar policies of the NWL Commissioning Support Unit or any other future provider of IT services for the CCG.

2.0 Definitions

2.1 Data devices

This includes any device that can store data, images and other information required for the CCG's operational business. Typically this includes laptops, tablets, personal digital assistants (PDAs) and BlackBerrys, but also includes digital audio and visual recording/playback devices (such as dictaphones, digital cameras and mobile phones).

2.2 Media

This includes any physical item that can store data, images and other information and requires another device to access it. For example: CD, DVD, floppy disc, tape, digital storage device (flash memory cards, USB disc keys, portable hard drives).

2.3 Person Identifiable Data

Person identifiable information can include one or more of the following:
- Surname
- Forename
- Address/Postcode
- Telephone Number
- Occupation
- Gender
- Date of Birth
- Ethnic Group
- NHS Number
- NI Number
- Photo

3.0 Scope

This policy applies to all employees of the CCG, and other workers who may not be directly employed by the CCG (e.g. agency workers, contractors, self-employed consultants, authorised 3rd party suppliers and duly authorised visitors), who at any time remove records and other information in any form from CCG owned premises, where it is usually stored.

The authorisation procedure only relates to staff who need to use mobile computing facilities, either on or off-site (including staff homes), or transfer information between computer systems via physical media. Staff should only use storage media provided by the CCG or its IT service providers. These must ensure that the organisation meets all its information governance and information security obligations.

The authorisation procedure is not required for the transfer or off-site usage of paper records. Specific procedures around authorising the access, use and tracking of clinical records are detailed within the CCG's Records Management Policy.

4.0 Policy Summary

Users of information will:
- Keep usage to a minimum in public areas.
- Only use information off-site/at home for work related purposes.
- Ensure security of information within the home.
- Not connect any privately owned equipment to the CCG's network or IT hardware unless approved by the CCG's IT service provider.
- Scan any media used to transfer data for viruses using fully up-to-date anti-virus scanning software.
- Not send person identifiable or confidential data to home (internet) email addresses. If PID is to be transferred via email this can be done via NHSmail (nhs.net) email only and in full compliance with information governance policies.
- Keep equipment and files locked out of sight during transit and during storage. If leaving equipment on and unattended, ensure that it is locked down with password protection.
- Ensure equipment/files are adequately packaged in transit to prevent damage or tampering.
- Not dispose of any media (including paper) off-site.

5.0 Physical Security/access control

5.1 Usage in any public accessible area

The use of information in these areas should be kept to an absolute minimum, due to the threats of overlooking and theft. Any member of staff choosing to use information and/or devices in these areas that results in any related incident will be required to state why the usage was required in that situation and the efforts they made to protect the information and any equipment. Equipment in use will not be left unattended at any time.

5.2 Usage in areas not generally accessible to the public (other organisational premises)

Staff are responsible for ensuring that unauthorised individuals are not able to see information or access systems. If equipment is being used outside of its normal location and might be left unattended, the user will secure it by other means.

5.3 Home Usage

Only authorised members of staff are allowed access to information being used at home in any form, on any media. No family members are allowed access to the equipment or data. Use of any information at home must be for authorised work purposes only.

Staff must ensure the security of information within their home from theft as well as ensuring that unauthorised individuals are not able to see information or access systems. Where possible it should be stored in a locked container (filing cabinet, lockable briefcase). If this is not possible, when not in use it should be neatly filed and stored away.

5.4 Supplied equipment

Where the CCG has supplied any form of data device, only the member of staff themselves is authorised to have access to it. Any member of staff allowing access to an unauthorised person, deliberately or inadvertently, may be subject to disciplinary proceedings.

The CCG's IT service provider is responsible for ensuring that access to supplied equipment requires a username and password and that anti-virus software and encryption are installed. For supplied equipment that is not classed as portable (i.e. a supplied desktop PC), the IT department is responsible for ensuring anti-virus software is regularly updated. This will require the return of equipment; therefore staff must return supplied equipment for updating and checks by the IT Department when requested.

If staff have been supplied with IT portable equipment (i.e. a laptop or tablet device), they are responsible for ensuring that it is regularly connected to the CCG's network on-site for upgrade of anti-virus software. All CCG IT portable equipment must be encrypted before any information is stored. Person identifiable data files should have additional protection against unauthorised access (for example an additional password). When equipment is returned or the data is no longer needed the data must be removed. This is the user's responsibility.

The CCG is responsible for the safety testing of supplied equipment and annual PAT testing of this equipment. Staff who use the equipment are responsible for ensuring that these checks are undertaken.

5.5 Staff owned equipment

The use and storage of person identifiable or confidential data on staff owned equipment is strictly forbidden. Staff may only use a CCG supplied encrypted USB data key for this purpose. Staff must not use their own computer for work related activities, unless as part of an agreed and authorised process. For advice on suitable products, please consult the IT Service Desk.

For prevention of viruses and related security risks, staff must not connect any personally owned devices to the CCG network unless otherwise authorised by the IT service desk.

5.6 Teleworking

Teleworking is defined as a member of staff whose main office is their home. The decision as to whether a member of staff is a teleworker will be taken by their line manager, based on the frequency of work being done from home and the equipment required to support it.

Any teleworker will apply all elements of this policy, but in addition will ensure:
- Sensitive information (person identifiable or organisationally sensitive) is locked away when not in use and only accessible by the member of staff.
- Any controlled document (e.g. staff record) they have will be traceable to their location, and any procedure to note the location of a file required by the organisation will be rigidly applied by them.
- Their house and contents insurance covers them for the loss of any equipment provided by the employing organisation.

Any staff that are defined as a teleworker are responsible for ensuring that their work conditions at home comply with health and safety regulations and CCG policies and procedures. Staff must undertake a display screen equipment risk assessment as detailed in the Display Screen Equipment Policy (DSE) and a copy of this assessment must be retained on their personnel file. Staff are responsible for ensuring that the assessment is reviewed following any change in their work environment at home.

5.7 Transfer or sharing of equipment

Where equipment has been transferred from one staff member to another on a permanent/long term basis, the IT service desk needs to be informed to amend the asset register. Where equipment is issued on loan or a temporary basis, a log book needs to be kept of who currently has the equipment.

6.0 Authorisation to remove data

All staff who work with person identifiable or organisationally sensitive data on a PC at home must complete an authorisation form (Appendix A).

7.0 Sending Email from home

This is covered in the CSU's Acceptable Use Policy for IT. However, the following points directly apply to mobile working:

7.1 E-mail

Electronic mail containing person-identifiable and confidential information may not be sent to or from home email accounts. Non person-identifiable information, or information that is deemed not confidential, may be sent via email.

8.0 Connection to the Network

Staff may connect to the network via the secure method following a process of authorisation by the IT Department.

9.0 Transport/storage

When staff remove equipment, files and data from CCG premises, they are responsible for ensuring its safe transport and storage.
- Equipment should be password protected whenever possible and not left unattended, e.g. in vehicles.
- Equipment must be transported in a secure, clean environment.
- Appropriate packaging should be used to prevent physical damage (sealed envelopes etc.).
- Where a courier service is used to transport packages containing sensitive information, tamper-proof packaging will be used.

10.0 Disaster recovery/major incidents

In the event of a major incident or disaster, the organisation may recall all equipment on loan to provide core services.

11.0 Termination of Employment

On leaving the employment of the organisation, all equipment, software and information must be returned. The CCG will take the necessary action to reclaim all equipment, software and information that has not been returned by the member of staff (e.g. by means of final salary payment).

Appendix A: Mobile Working Authorisation Form

Name: ..........
Job Title: ..........
Department/Directorate: ..........
Contact Number: ..........

Please detail the work you are undertaking:
..........

I (name) .......... have read and understood and will abide by the terms of the Mobile Working Policy. I understand that any violation of this policy could result in disciplinary action and possible dismissal or criminal prosecution.

Signed: ..........
Date: ..........

Authorisation:
Name: ..........
Job Title: ..........
Contact Number: ..........
Signed: ..........
Date: ..........

For ICT Services Use Only - Authorised by:
Name: ..........
Signed: ..........
Date: ..........