
Policy and Code of Conduct


Academic year: 2021


Email Policy and Code of Conduct

UNIQUE REF NUMBER: CCG/IG/011/V1.2

DOCUMENT STATUS: Approved by Audit Committee 19 June 2013

DATE ISSUED: June 2013

AMENDMENT HISTORY

VERSION | DATE | AMENDMENT HISTORY
V1 | June 2013 | Version approved by Audit Committee 19 June 2013
AC/IG/011/V1.1 | December 2013 | Addition of branding and formatting changes in line with Policy for Development of Policies
AC/IG/011/V1.2 | February 2014 | Addition of unique reference number prior to publication

REVIEWERS

NAME | DATE | TITLE/RESPONSIBILITY | VERSION
Donna Dallaway | June 2013 | CSU Information Governance Manager | V1
Matthew Hartland | June 2013 | Chief Finance Officer | V1
Julia Dixon | June 2013 | Staff Side Representative | V1

APPROVALS

This document has been approved by:

NAME | DATE | TITLE/RESPONSIBILITY | VERSION
CCG Audit Committee | 19 June 2013 | Delegated authority from Board | V1

NB: The version of this policy used on the intranet must be a PDF copy of the approved version.

DOCUMENT STATUS

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of the document are not controlled.

RELATED DOCUMENTS

These documents will provide additional information:

REFERENCE NUMBER | DOCUMENT TITLE | VERSION
AC/IG/013 | Information Governance Policy |
AC/IG/023 | Internet Usage Policy |
 | Password Management Policy |
AC/IG/020 | Safe Haven Policy |
 | Systems Access Request Change Form |

APPLICABLE LEGISLATION

Data Protection Act 1998

Common Law Duty of Confidentiality

Privacy and Electronic Communications Regulations

Regulation of Investigatory Powers Act

Human Rights Act

The Lawful Business Practice Regulations

Computer Misuse Act 1990

GLOSSARY OF TERMS

TERM ACRONYM DEFINITION

alive and deceased), which should be kept private.

CONTENTS

POLICY OVERVIEW

1.0 Introduction

2.0 Purpose

3.0 Who this Policy applies to

4.0 Legal Considerations

THE POLICY

5.0 Personal Use

6.0 Sending of Patient or Personal Confidential Data

7.0 How an Email with Personal Confidential Data should be Structured

8.0 Improper Content of Emails

9.0 Unacceptable Use

10.0 Preventing the Spread of Malicious Software (Viruses)

11.0 Monitoring Arrangements

12.0 Infringements and Complaints

13.0 Unauthorised Email Access by IT Staff

14.0 Legal Consequences of Misuse of Email Facilities

15.0 Good Practice

16.0 Consideration for Other Users

17.0 Consideration for the System

18.0 Staff Absence

19.0 Closing Email Accounts

20.0 Emailing Patients/Service Users

21.0 Helpdesk Contact Numbers

22.0 Monitoring Compliance


POLICY OVERVIEW

The purpose of this policy is to provide NHS Dudley CCG (Dudley CCG) staff with a framework with regard to the use of emails.

The policy has been developed and reviewed in line with developments within the information governance agenda.

1.0 Introduction

1.1 The Email Policy provides guidance about acceptable use of any IT facilities for the purpose of sending or receiving email messages and attachments, including hardware, software and networks, provided by Dudley CCG. The Policy also describes the standards that users are expected to observe when using these facilities for email, and ensures that users are aware of the legal consequences attached to inappropriate use of the facilities.

1.2 The Policy establishes a framework within which users of these email facilities can apply self-regulation to their use of the facilities.

1.3 The Policy is designed to advise users that their use of email facilities will be monitored and recorded. The Policy is also linked to the local disciplinary policies for staff, and usage of email facilities in breach of the Policy may lead to appropriate disciplinary action being taken.

1.4 The Policy also specifies the actions that Dudley CCG will take in the investigation of complaints received from both internal and external sources, about any unacceptable use of email that involves Dudley CCG IT facilities.

2.0 Purpose

2.1 All emails held on Dudley CCG’s servers or servers held on behalf of Dudley CCG are the property of Dudley CCG. Employees should note that all emails held on organisational servers can be accessed at all times by IT staff subject to the Head of Information Governance, Chief Finance Officer and IT Security Manager’s approval (Human Resources advice may be required on some occasions); no authorisation, warning or permission from the user of the mailbox is required. An individual’s email content will only be opened and read by approved staff if there is a legitimate cause for concern that an abuse of the email system or other Dudley CCG policies has occurred.

2.2 Dudley CCG’s email system is intended to support Dudley CCG’s business requirements. All use of email within Dudley CCG and from Dudley CCG email addresses is subject to Dudley CCG’s regulations.

2.3 The objective of this Policy is to supplement Dudley CCG regulations by:

• Highlighting legal issues relating to the use of email

• Explaining the application of Dudley CCG’s regulations to email

• Outlining Dudley CCG’s Policy on the monitoring of email

• Providing guidance on good working practice

3.0 Who this Policy applies to

4.0 Legal Considerations

4.1 This Policy complies with the requirements of the Regulation of Investigatory Powers Act, The Data Protection Act, Human Rights Act and the Lawful Business Practice Regulations. Dudley CCG is legally entitled to monitor employee email without consent to meet its business objectives and where such monitoring is consistent with impact assessment.

4.2 Employees should expect no level of privacy to emails sent or received via Dudley CCG IM&T services. Any sensitive email such as human resources issues, trade union actions and any personal mail should be clearly marked in the subject heading as such. The content of these emails will only ever be investigated should a serious concern be raised and following human resources, IM&T, the Chief Finance Officer and the Head of Information Governance consultation.

4.3 To meet legislative requirements staff will be annually reminded of the nature and existence of email monitoring by Dudley CCG via Governance newsletters, training events and global emails. Any queries about the monitoring should be directed to the Information Governance Team.

THE POLICY

5.0 Personal Use

5.1 The main purpose of the provision of email by Dudley CCG is for use in connection with business communication, research and approved business activities of Dudley CCG. Dudley CCG permits the use of its email by employees and other authorised users for personal use, subject to the following limitations:-

• A level of use that is reasonable and not detrimental to the main purpose for which the facilities are provided

• Priority must be given to the use of resources for the main purpose for which they are provided

• Personal use must not be of a commercial or profit-making nature, or for any other form of personal financial gain

• Personal use must not be of a nature that competes with Dudley CCG in business

• Personal use must not be connected with any use or application that conflicts with an employee's obligations to Dudley CCG as their employer

• Personal use must not be connected to any purpose or application that conflicts with Dudley CCG’s rules, regulations, policies and procedures

• Personal use must comply with Dudley CCG policies and regulations, in particular the Email Policy

• Employees can expect no level of privacy to personal emails sent using Dudley CCG’s email systems

6.0 Sending of Patient or Personal Confidential Data

6.1 Email is an effective mechanism for transferring data; however, email is not secure by design. There are further steps which must be taken in order to protect the contents of an email before it is acceptable to transmit over a public medium such as the internet.

6.2 Data which should be encrypted before transit should include but are not limited to:-

• Data containing personal information of one or more patients or staff

• Data containing medical information of one or more patients

• Data which may cause detriment to Dudley CCG if it were to be exposed.

6.3 There are a number of considerations to take into account when sending any type of data of a sensitive nature via email. Personal confidential data (PCD) should not be written into the body or subject of any email regardless of its destination either inside or outside of Dudley CCG unless the email has been fully encrypted.

7.0 How an Email with Personal Confidential Data should be structured

7.1 TO: should always be validated before any form of PCD is sent

SUBJECT: should not contain any form of PCD

BODY: should contain the minimum amount of PCD

ATTACHMENTS: should contain the minimum amount of PCD data.

7.2 Dudley CCG emails can now be fully encrypted via any encryption software or solution locally available. If there is a need to send PCD via email either in the body of the email or within an attachment the user must encrypt the email by setting the message settings sensitivity to confidential. Please note that no PCD should be entered into the subject line of the email as only the attachments and the body of the email are encrypted.

7.3 The responsibility of encrypting emails falls on the user. To determine whether the information being sent should be encrypted, the following test may be performed:

• Should the contents of an email fall into malicious hands, could the identity of one or more patients and/or staff be identified were encryption not applied?

• Identity can be established from any one field which is unique to an individual; payroll number and NHS number are two examples of identity fields.

7.4 Should there be any question as to whether email should be encrypted, advice can be sought from the IT Helpdesk/Information Governance Team.

7.5 Failure to encrypt email or to follow the correct procedure with password handling will result in disciplinary action being taken. All members of staff are responsible for ensuring that patient and staff details are secure regardless of their position.

7.6 If sending an email containing PCD or confidential information to an external NHS Dudley CCG NHSmail (NHS.Net) should be used. It is important to note that NHSmail is only secure if the email is sent from an NHS.Net account to an NHS.Net account. Please contact your local IT Helpdesk for advice on setting up an NHS.Net account.

8.0 Improper content of Emails

8.1 Any email message which lays the sender and/or Dudley CCG open to civil or criminal proceedings may also result in disciplinary action by Dudley CCG (Dudley CCG may be jointly liable, as employer, for any infringements by staff). An email message is, for legal purposes, treated as a publication, and is therefore subject to all the normal legal restrictions on publication. In addition, there are some types of content that contravene Dudley CCG regulations and policies.

8.2 It is a disciplinary offence to send an email message that is:

• Defamatory

• Sexist

• Threatening

8.3 Or which:-

• Constitutes racial or sexual harassment, or

• Might cause unnecessary distress to the recipient

8.4 Since email is regarded as a form of publication, it is unacceptable to include copyright material in an email message without the permission of the copyright holder.

9.0 Unacceptable Use

9.1 The term "unacceptable use" is used here, as with other institutions and organisations providing email facilities, to refer to any use, which could lead to disciplinary action.

9.2 The following constitute unauthorised forms of access to the facilities and are subject to disciplinary action:-

• Permitting anyone else to send email using the username or email address you have been given

• Sending email using another user’s username or email address

• Attempting to disguise the email address from which your message is sent or the identity of the sender

• Sending malicious emails or viruses, worms, executable files (.exe) designed to disrupt the work of the CCG or recipients of such email

• Private commercial use of Dudley CCG’s facilities

• Sending unsolicited mail to multiple recipients, except where it relates to the administrative activities of Dudley CCG

• The creation or transmission (other than for properly supervised and lawful research purposes) of any offensive, obscene or indecent images, data, or other material, or any data capable of being resolved into obscene or indecent images or material

• The creation or transmission of material which is designed or likely to cause annoyance, inconvenience or needless anxiety

• The creation or transmission of material that is abusive or threatening to others, or serves to harass or bully others

• The creation or transmission of material that either discriminates or encourages discrimination on racial or ethnic grounds, or on grounds of gender, sexual orientation, marital status, disability, political or religious beliefs. Dudley CCG is committed to fostering a working environment free of discrimination where everyone is treated with dignity and respect

• The creation or transmission of defamatory material

• The creation or transmission of material that includes false claims of a deceptive nature

• The forwarding to others of the text of messages written on a confidential one-to-one basis, without the prior express consent of the author

• The creation or transmission of material which brings Dudley CCG into disrepute

9.3 The first two of these also render the user liable to prosecution under the Computer Misuse Act 1990.

9.5 Any disciplinary action regarding the unacceptable use of emails will be undertaken in conjunction with local disciplinary policies.

10.0 Preventing the spread of Malicious Software (Viruses)

10.1 Users of Dudley CCG IT facilities must take all reasonable steps to prevent the receipt and transmission by email of malicious software e.g. computer viruses.

10.2 In particular, users

• must not transmit by email any file attachments which they know to be infected with a virus

• must ensure that an effective anti-virus system is operating on any computer which they use to access Dudley CCG IT facilities; this facility must not be changed or altered from its standard settings without prior IT authorisation

• must not open email file attachments received from unsolicited or untrustworthy sources

11.0 Monitoring Arrangements

11.1 Dudley CCG will maintain appropriate monitoring arrangements in relation to all email and related services and facilities that it provides, and Dudley CCG will apply these monitoring arrangements to all users.

11.2 These arrangements may include checking the contents of, and in some instances recording, email messages for the purpose of:-

• Establishing the existence of facts relevant to the business

• Ascertaining or demonstrating standards which ought to be achieved by those using the facilities

• Preventing or detecting crime

• Investigating or detecting unauthorised use of email facilities

• Ensuring effective operation of email facilities

• Determining if communications are relevant to the business - for example where an employee is off sick or on holiday.

11.3 Dudley CCG will, at its discretion, apply automatic message monitoring, filtering and rejection systems as appropriate, and deny transmission of messages with content that is unacceptable in the terms of this Policy.

11.4 These monitoring arrangements will operate on a continual and continuing basis, with the express aim of monitoring compliance within the provisions of the Email Policy and IT regulations and for the purposes outlined above as permitted by The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

11.5 Any deleted email can still be recovered by IT following authorisation from the Chief Finance Officer, IT Manager and the Head of Information Governance.

12.0 Infringements and Complaints

12.1 Any use of email, which appears to be unacceptable in the terms of this Policy or which in any other way appears to contravene Dudley CCG regulations may give rise to disciplinary action.

IT Security Manager (following human resources advice), IT reserves the right to stop and/or monitor all emails and email accounts without requesting permission from the user of the email account if they are suspected or have been reported to the IT Security Manager as causing any breaches of Dudley CCG procedures or regulations.

12.3 Dudley CCG does not read the content of email messages of all users as a matter of course. If, however, possible misuse is reported, or if there is reason to suspect any use of email which contravenes this Policy or any other Dudley CCG regulation, or which seems to represent a threat to the security of the facilities, Dudley CCG reserves the right to examine email messages without authorisation from sender or recipient. This will only be done following approval from the Chief Finance Officer, Head of Information Governance and IT Security Manager (having sought human resources advice).

12.4 An individual’s email content will only be opened and read by security staff if there is a legitimate cause for concern that an abuse of the email system or other Dudley CCG policies has occurred.

12.5 Where appropriate, the IT Security Manager will refer the matter to the appropriate Head of Department to consider disciplinary action under the relevant Dudley CCG procedures.

12.6 If you receive email from outside the Dudley CCG, which you regard as offensive or potentially illegal, you should also report the matter to your section Head or the Chief Finance Officer. The IT Department will take up the issue with the management of the site from which the email was sent.

13.0 Unauthorised Email Access by IT Staff

13.1 IT staff are not allowed to access other staff’s email accounts or email information without prior written permission of the Chief Finance Officer, Head of Information Governance and IT Security Manager. If a member of IT is found to be accessing email without the correct authorisation they will be subject to disciplinary action. All IT staff are subject to this policy and its requirements.

14.0 Legal Consequences of Misuse of Email Facilities

14.1 In a growing number of cases involving the civil or criminal law, email messages (deleted or otherwise) are produced as evidence in a permanent written form.

14.2 There are a number of areas of law which apply to the use of email and which could involve liability of users or the Dudley CCG. These include the following:-

• Intellectual property. Anyone who uses email to send or receive any materials that infringe the intellectual property rights of a third party may be liable to that third party if such use is not authorised by them

• Obscenity. A criminal offence is committed if a person publishes any material which is pornographic, excessively violent or which comes under the provisions of the Obscene Publications Act 1959. Similarly the Protection of Children Act 1978 makes it an offence to publish or distribute obscene material of a child

• Data Protection. Processing information (including photographs) which contains personal data about individuals requires the express written consent of those individuals. Any use of personal data beyond that registered with the Information Commissioner will be illegal

• Discrimination. Any material disseminated which is discriminatory or encourages discrimination may be unlawful under the Sex Discrimination Act 1975, the Race Relations Act 1976 or the Disability Discrimination Act 1995 where it involves discrimination on the grounds of sex, race or disability.

15.0 Good Practice

15.1 The recommendations in this section do not constitute formal regulations, but are rather recommendations of good working practice. However, staff in particular are encouraged to follow these recommendations.

16.0 Consideration for other Users

16.1 You are not expected to cause offence to others by your use of Dudley CCG’s email system. Some forms of offence are serious enough to be subject to legal sanctions or covered by Dudley CCG regulations or policies. The following guidelines offer advice on avoiding some of the most common ways of inadvertently causing offence:

• You should take care that the tone of your messages is clear - irony and humour, for example, may not be clear to your recipient unless it is someone who knows you well

• You should ensure the tone of your message is respectful to recipients regardless of their role and status

• You should take particular care with remarks that are or might appear to be critical of the recipient or another person - these can often come across as much stronger than you intended, and might, in some instances, be considered defamatory

• To avoid any misunderstanding about who has sent your message, put your name at the foot of the message (not all email systems transmit the sender’s real name)

• If you are forwarding a message, it is often sensible to check that the originator of a message does not mind it being circulated before you pass it on to a third party - it could cause serious offence or embarrassment if you pass a message on against the wishes of the originator (it is advisable to state it explicitly if you yourself do not wish a particular message of yours to be forwarded to others).

17.0 Consideration for the System

17.1 Every email message uses system resources, and all users are expected to ensure that these resources are not wasted. While the drain on the system of an individual unnecessarily sending an email message may be slight, the cumulative effect of such behaviour by many users can seriously degrade the system performance and inconvenience all users:-

• Do not send unnecessary copies of messages OR send attachments unless absolutely necessary

• When replying to a message that has been sent to a number of recipients, do not send your reply to all these people if your reply is relevant only to the sender

• When replying to a message, do not quote the whole of the original message unless there is a need to. This is particularly important when the original message itself includes previous correspondence

• Delete any messages you have saved but which are no longer needed

• In particular, you should regularly delete any messages with attachments. If you need to keep attachments you can save them as normal files in your directories and then delete the mail message (or delete the attachment from the message and replace it with a reference to the saved file name). This should significantly reduce the space required for your email files if you receive and need to retain a large number of messages with attachments.

• Remove unwanted messages from your sent-mail or out folder on a regular basis

• If you subscribe to any mailing lists, ensure that you know how to suspend the receipt of messages from them, and remember to do this if you are not going to be reading your email for more than about two weeks

• Do not forward virus warnings to others unless you receive them from IT services - any virus warning you receive from outside Dudley CCG is almost certain to be a hoax. If you forward hoax email or pyramid email you could be subject to disciplinary procedures. If in doubt call the IT Helpdesk for advice.

17.2 The printing of email messages is largely unnecessary.

17.3 You should not, of course, destroy any messages that there may be a need to refer to in future, that is, anything that, if you had received it on paper, you would have filed. In this case, you can either print the message out or delete it, or you can store/archive it on the email server. In the case of archiving, this should be undertaken on a regular basis, at least once per month.

17.4 If you have emails which need to be kept in line with the records retention period these can be saved within a folder on your department's shared area and deleted from your email inbox. You then must delete the saved emails in line with Dudley CCG’s records retention periods and destruction schedules.

18.0 Staff Absence

18.1 Staff are expected to make arrangements for their email to be read while they are away from work, in the same way as they would make arrangements for their mail on paper.

18.2 It is possible for any user to arrange automatic forwarding of all their mail to another email address. It is also possible for staff to allow others to access their inbox by adapting the settings to the mailbox; the IT Helpdesk will be able to help with this process.

18.3 In cases where unexpected absence makes it impossible for the individual staff member to make suitable arrangements for forwarding, the IT Helpdesk should be contacted to set up forwarding or other arrangements, as appropriate.

19.0 Closing Email Accounts

19.1 It is important to ensure the email account for a member of staff is closed once they leave employment. The Line Manager is responsible for ensuring an email account is closed. This can be done by contacting the relevant IT Helpdesk.

20.0 Emailing Patients/Service Users

20.1 It is recognised that email can be an efficient communication method between staff and a patient/service user. The form in Appendix 1 should be used when emailing patients. The risks associated with emailing patients include but are not limited to:-

• Email to a public internet email address (e.g. Julie@googelmail.com) is not secure at any point

• A virus could spread this personal and sensitive email to other individuals

• If an attachment is used then a ‘cached’ copy of this file will reside on the computer that the email is opened on (the patient/service user) and can be accessed by others who have access to their computer.

21.0 Helpdesk Contact Number

Dudley CCG IT 01384 322000

22.0 Monitoring Compliance

22.1 Staff are expected to comply with the requirements set out within the Email Policy and Code of Conduct and related policies. Compliance will be monitored via Manager and Information Governance Team reports of spot checks, completion of staff questionnaires, incidents reported, electronic audit trails and submission of the Information Governance Toolkit.

Appendix 1 Emailing Patients – Dudley CCG

Request for Dudley CCG to contact Patient via Personal Email Address

Dudley CCG is committed to open working and efficiency in providing services. To ensure that services are as tailor made as possible to the requirements of its patients Dudley CCG recognises that with advancing technology, current and routine forms of communication may not be convenient or possible with some patients. To this end Dudley CCG will be willing to undertake email correspondence with the patient under the following conditions.

This agreement is entered into at the request of the patient.

The patient understands that Dudley CCG has no responsibility for information that leaves authorised NHS networks at the request of the patient and as such cannot guarantee the security of such information.

The patient understands that Dudley CCG has no responsibility for equipment used by the patient to send or receive email.

The patient has satisfied themselves that access to their own system is secure and is aware of shared email accounts, shared computers etc.

To minimise the risk of ‘human error’ in writing email addresses, the patient will send an email to XXXXXXXXXXXXXXXX in the first instance. This will give Dudley CCG their preferred email contact address and will be used to correspond with them. A test email will be returned by Dudley CCG to indicate safe receipt and the sent address will be the one used to correspond with the patient.

Dudley CCG reserves the right to terminate this agreement if there is any virus or other such technical threats to its internal systems as a result of external email traffic.

By signing below the patient indicates they have read and understood the conditions given above. The patient also understands they are able to review or cancel this arrangement at any time in writing.

Name ______________________________________________________

Address ______________________________________________________

Signature ______________________________________________________

Agreed on behalf of Dudley CCG
