
Policy Document. IT Computer Usage Policy


ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY

Author IT Services Manager

Version 4.1

Issue

Issue Date Nov 2011

Review Date July 2014

Status Approved

Approved by Caldicott and Information Governance Committee

Approved by Date Dec 2011

Ratified by Trust Management Committee

Ratified by Date 20.01.2012

Document Number IG0009

BHT Pol No 059

Lead Director Director of Finance & IT

EIA July 2010

Location BHT Intranet/Trust Polices/IT Polices CHB folder/PCT Intranet

Policy Document

IT Computer Usage Policy

IG0009 IT Computer User Code of Conduct Information Governance

Approval and Authorisation

Completion of the following detail signifies the review and approval of this document, as minuted in the senior management group meeting shown.

Version Authorising Group Date

1.0 ISG 07/02/2005

2.0 Caldicott & Information Governance Committee 12/12/2007

3.0 Caldicott & IG Committee June 10

3.0 Trust Management Committee 02.07.10

4.0 Caldicott & Information Governance Committee Dec 11

4.0 Trust Management Committee 20.01.12

Change History

Version Status Reason for change date Author

3.0 Approved Caldicott & IG Committee Chairman's action June 2010 Dave Morgan

3.0 issue 2 Draft Addition of new section 16 Monitoring and Auditing of Confidential Information. Update of appendix B, C and D forms Nov 2010 Dave Morgan

V3 issue 3 Draft Addition of new section 12 – Portable Media. Addition to section 13 - Access to Personal Identifiable Information in line with IG0008 Confidentiality Code of Practice. Moved section 14 – Secure use of Trust Information to section 3. New section 14 – Portable Media. New section 18 – Loss or Theft of IT Equipment Nov 2011 Dave Morgan

V3 issue 3 Draft Circulated to Caldicott & IG Committee for comment Dec 2011 Dave Morgan

4.0 Approved Chairman's action Dec 2011 Dec 2011 Dave Morgan

4.1 Replacement of App. B form, new combined version Feb 2013 Dave Morgan

Document References

Ref # Document title Document Reference Document Location

1 IT Computer User Access Management Policy IG0031 Intranet

2 Virus Control Procedure IG0044 Intranet

3 IT Laptop Policy IG0085 Intranet

4 Policy for the Procurement or Implementation of New IT Systems, Databases and Information Flows IG0025 Intranet

5 Confidentiality Code of Practice for All Employees IG0008 Intranet

7 IT Security Laptop Policy IG0085 Intranet

8 Trust Incident Reporting Policy and Procedure

Table of Contents

1. Background
2. Purpose and objectives
3. Secure Use of Trust Information – key statements
4. Inappropriate Use of Computers
5. Danger from Viruses
6. Access to Computer Systems
7. System Access
8. Password Disclosure
9. Password / PIN Number Management
10. Logging into Computer Systems
11. Removal of System Access
12. Portable Media
13. Access to Person Identifiable Information
14. IT Remote Working
15. Software Licences
16. Installing Software and Creating Systems
17. Use of Non-Trust Computer Processing Equipment on the Trust Network
18. Loss or Theft of Trust IT Equipment
19. Monitoring and Auditing Access to Confidential Information
20. Breach of Policy
21. Monitoring the Policy
22. Review of This Document
23. Glossary/Definitions
Appendix A Key Roles and Contact Details
Appendix B - Request for Access to Computer Systems
Appendix C - Request for Access to the Internet only via the Trust Network (for non-employees only)
Appendix D – IT Remote Working – Person Identifiable, Confidential or Sensitive Data

1. Background

Buckinghamshire Healthcare NHS Trust recognises the considerable potential for the use of information and communications technology and will work positively to facilitate appropriate development and innovation. Computer facilities are provided to support staff in fulfilling the responsibilities of their roles.

It is an essential legal prerequisite of connection of any NHS organisation to the NHSnet that the organisation establishes and operates an effective policy for the use of computers within that organisation. This is designed to protect the wider community of NHS organisations from unauthorised and inappropriate access and use of sensitive information and to ensure the security and confidentiality of identifiable patient and staff data.

This policy has been developed from relevant legislation including the Data Protection Act 1998 and the Computer Misuse Act, and from NHS guidance contained primarily in the Caldicott requirements and from “Ensuring Security and Confidentiality in NHS Organisations” – the NHS IM&T Security Manual. They are therefore requirements that the Trust is obliged to follow.

2. Purpose and objectives

This policy document sets out a Code of Conduct that applies to all staff who use computer facilities provided by the Trust and/or who require to carry out any IT remote working e.g. home, off-sites.

It explains the behaviour and obligations expected of staff when using any of the Trust computer systems.

Key roles referred to in this Code and their contact details are identified in Appendix A.

Key objectives of the policy:

Confidentiality – data access is confined to those with specified authority to view the data within the remit of their job function, on a need to know basis and a need to use basis to ensure confidentiality of business sensitive information and protect personal data held on the system.

Integrity – all system assets are operating correctly according to specification and in the way the current user believes them to be operating. A logical access allocation to application systems should be implemented to restrict access to authorised users.

Availability – information is delivered to the appropriate individual where and when it is required.

3. Secure Use of Trust Information – key statements

It is essential that staff comply with Trust policy in relation to secure information handling. Please refer to the Trust Confidentiality Code of Practice - Appendix 1 Information Handling Responsibilities (see ref [5]) for more detailed information.

3.1 For the continued confidentiality of patient and staff data it is generally expected that no patient or staff identifiable data will be taken for use outside Trust locations or legitimate places of work.

3.2 For most purposes, fully anonymising or pseudonymising the data will allow it to be used without compromising confidentiality, for research for example.

3.3 It is recognised however, that in exceptional circumstances there may be a need for legitimate removal. In these cases the individual must understand the risks involved and must make the decision whether or not to remove patient identifiable data or to take the safer and more secure form of anonymised or pseudonymised option.

3.4 Personally owned IT equipment must not be used for the processing or storage of person identifiable, confidential or sensitive data.

3.5 All donated or loaned IT Equipment to the Trust e.g. personal computers, laptops must be risk assessed, approved, registered and encrypted with the IT Services Department prior to any use.

3.6 ALL portable IT media e.g. laptops, DVDs, CDs, USB devices/memory sticks or keys containing person identifiable data, regardless of its use must be secured using approved industry standard AES 256 encryption software. Exceptions can only be made by the Senior Information Risk Owner (SIRO).

3.7 No Trust computing hardware or software may be removed from Trust premises, other than for the purpose of transportation between Trust sites or other places of work, without prior written permission from the line manager.

4. Inappropriate Use of Computers

Trust resources or facilities must never be used to assist or support any illegal activity. For example, to create, edit, access or disseminate pornographic, sexist, racist material or any other material likely to cause offence to staff, patients and visiting members of the public, via e-mail, Internet or any other method.

Under the provisions of the Computer Misuse Act, unauthorised access to computers (hacking) is illegal and must never be undertaken.

Storage of personally owned files such as music and photographs e.g. wedding and holidays on Trust file servers is forbidden. Any such files will be deleted without notice. If such files must be shared with colleagues then it is suggested that these should be stored on memory sticks or CDs; these devices must be fully virus checked before use (see section 14 for procedures on Secure Use of Trust Information).

Trust computers and IT equipment are provided to support the Trust's legitimate business requirements.

a) Use is kept to a reasonable level and does not interfere with the normal performance of the user's duties. An example of this might be, but is not limited to, study purposes or research that is work related.

b) It is not used for commercial purposes and for the supplying and selling of goods and services. An example of this might be, but is not limited to, trading on eBay or other such sites, offering personal skills for hire etc.

5. Danger from Viruses

Computer viruses can be extremely harmful to computer systems and all reasonable precautions to prevent their spread must be taken. E.g. never open an email attachment from an unknown source; do not load data from a floppy disk or any other external memory device without first running virus checking software.

For further guidance read the Trust Virus Control Procedure (see ref [2]).

6. Access to Computer Systems

Requests for access to the Trust computer systems must be made by completion of the request of Access to Trust Network form, Appendix B.

Appendix C is for use by non-employees who require to attach non-Trust computer equipment to the Trust network for the purposes of accessing the Internet only.

7. System Access

7.1 Access to corporate systems will only be given once adequate training has been received and competence levels have been reached, as determined by the trainer/system manager.

7.2 Where systems are not under the control of IT (locally implemented and maintained) training must be administered by the local management.

8. Password Disclosure

8.1 Staff will ensure that all personal passwords held remain strictly personal to that member of staff, and are not disclosed in any form.

8.2 They must not be relayed verbally, written down or otherwise revealed to any other individual, either within or outside the Trust.

8.3 If any person accesses information through the use of another person's password, then both individuals may be subject to action in accordance with the Trust's disciplinary policy.

8.4 The wilful or negligent disclosure of confidential information whether written or computerised could be seen as gross misconduct under the Trust's Disciplinary Policy and may lead to dismissal.

8.5 In some instances, it may be necessary for IT to know a user's password in order to fix a problem with a PC. At such times IT will arrange with the user to change the password on completion of the task.

9. Password / PIN Number Management

9.1 Any system capable of using passwords/PIN numbers must have the facility enabled.

9.2 Length of password/PIN numbers and characteristics are system dependent and are therefore defined by reference to the appropriate System Manager.

9.3 Passwords must include a combination of alpha and numeric characters, in any order.

9.4 Passwords/PIN numbers must be unique to the system i.e. not be used for access to other systems.

9.5 Passwords/PIN numbers must not be shared with or disclosed to anyone.

9.6 Frequency of password/PIN number change is system dependent and passwords MUST be changed at the frequency defined in a table in Appendix 1 appropriate to the system. The default is 60 days (30 days for system administrators).

9.7 Passwords/PIN numbers must be changed if security is believed to have been, or actually has been, breached.

9.8 Passwords must not be a combination of characters that is likely to be guessed such as a family name, nickname, DOB, car registration or consecutive characters e.g. ABC123.

9.9 Passwords/PIN numbers must be something memorable so that they don't need to be written down. Passwords are encrypted (coded) when applied, and therefore cannot be seen by the system administrators.

10. Logging into Computer Systems

Staff may have use of a variety of methods to log in to a computer system, for example this may be your user name, swipe card or biometrics (use of thumbprint or retinal scan). All of these methods are for personal access only and must not be used to provide third party access. Care must be taken to ensure that login methods are kept secure at all times. Loss of swipe cards must be reported immediately to the RA Manager and reported as an incident in accordance with the Trust Incident Reporting Policy.

Staff have an individual responsibility to ensure that they log themselves out of systems after use or if leaving a system unattended for any period. Only authorised staff may view data and it is essential that staff understand that no one else, except themselves, should have the opportunity to add, amend, view or delete data under their personal log in access rights.

11. Removal of System Access

11.1 System Administrators/Managers are empowered to remove/suspend access to systems in the event of any breach or potential breach of this policy.

11.2 System access will be removed under the terms of the IT user Account and Email Usage Policy (see ref [6]).

12. Portable Media

All portable media/devices for use on/with information systems owned or operated by the Trust are covered by this policy. This includes: PDAs, Smart devices, e.g. smart phones, USB Memory Sticks, tapes, removable or external hard drives and discs, DVDs and CD-ROM, Laptops. The Trust has a separate IT Laptop Security policy, IG0085 (see ref [7]).

All portable media capable of storing Trust information including PDAs (by receiving an email for example) must be encrypted. The IT department will be able to provide advice on this.

Any personal mobile phones which have the capability to access NHSmail and download documents and files which may contain person identifiable and sensitive information fall under the category of portable media. Since they are not supplied or approved by the Trust and will not be encrypted by the IT Services department they must not be used in this way under any circumstances.

Any procurement for portable media must be made through the IT Services Department.

No item of portable media should serve as the primary source of data. The Trust's network drives should be the original source of data to act as a back up in the event of loss or theft.

Trust staff or contractors are not permitted to introduce or use any portable media other than those provided and explicitly approved by the Trust.

Portable media supplied by the Trust is either owned or managed by the IT Services department and must be appropriately security marked to indicate this.

Under no circumstances should person identifiable or sensitive information be downloaded on to portable media that is unencrypted.

All portable media must be securely transported and protected against loss, damage and misuse and locked away when not in use.

Tampering with an item of portable media in order to bypass encryption security is not permitted.

13. Access to Person Identifiable Information

Person identifiable information should only be accessed on a "need to know" basis and only by authorised individuals.

for a member of staff to access their own personal staff or health records or the records of colleagues, family, friends or others where there is no legitimate business relationship or access is deemed inappropriate or is not authorised as a specific Trust purpose.

To disclose/ share confidential information where there is no legitimate business relationship or specific business purpose/or is not on a “need to know basis” e.g. selling of information for personal gain, general indiscretion or “gossip”

14. IT Remote Working

Explicit authorisation from both the appropriate Asset Manager and IT Services Manager must be obtained prior to any remote working and will only be authorised once appropriate risk assessments have been satisfied. Personally owned IT equipment must not be used for the processing or storage of person identifiable, confidential or sensitive data e.g. home working, off site. Refer to Appendix D - IT Remote Working Policy for further guidance and request form.

15. Software Licences

All software must be used in accordance with the licences agreed when purchased and described in the copyright statement in those licences. Further copying of software is illegal and copying of software should never be undertaken without express permission from the Information/IT Security Manager.

Modified versions of licensed software must only be incorporated in programs written by users with the express written permission of the licensor.

Reverse engineering or de-compiling of licensed software must only be undertaken with the express written permission of the licensor.

All copies of software loaned must be removed and returned from any computer owned by an employee at the end of the period of employment, or when requested to do so.

16. Installing Software and Creating Systems

Software must not be installed on any Trust computer system which forms part of, or can be connected to, any Trust departmental, specialty or corporate computer system without the prior written permission of the System Manager(s) or IT Security Manager.

Communications equipment must not be installed on Trust computing resources without prior written approval from the Trust Information/IT Security Manager.

The creation, installation or introduction of any computer based information software system for the purpose of storing or processing patient identifiable data or staff data, requires notification and prior approval from the Trust's Caldicott Guardian and the Information Security officer. The notification form can be found in the Trust's Policy for the Procurement or Implementation of New IT Systems, Databases and Information Flows (see ref [4]).

17. Use of Non-Trust Computer Processing Equipment on the Trust Network

Any non-Trust computer processing device may only be used for the purposes of accessing the internet and access to Trust resources is strictly prohibited.

The user must ensure that the equipment has Anti-Virus software installed and has the latest definitions file applied. Additionally, the Operating System must have at least the same level of security patches installed as currently in use in the Trust.

The user is responsible for ensuring the above is adhered to and that Appendix C is completed and authorisation received.

18. Loss or Theft of Trust IT Equipment

Any loss or potential loss including theft or damage of Trust IT equipment must be reported immediately to the IT Services Department, to the member of staff's line manager and via an IR1 incident form in accordance with the Trust's Incident Reporting Policy & Procedure (see ref [8]). Theft of IT equipment must also be reported to the Trust Security Office and the police and a crime number obtained.

19. Monitoring and Auditing Access to Confidential Information

The Trust has overall responsibility for monitoring and auditing access to confidential personal information. Responsibility for this will be delegated to an appropriate senior staff member, e.g. IT System Manager, Information Asset Owner, IG/IT Security Lead or equivalent.

The following are examples of events that the Trust may audit:

failed attempts to access confidential information;

repeated attempts to access confidential information;

successful access of confidential information by unauthorised persons;

evidence of shared login sessions/passwords.

Investigation and management of confidentiality events will be in line with the Trust Incident Reporting policy and procedure. Dependent on the severity and circumstances of the incident, staff may be subject to disciplinary procedures resulting in suspension, supervised access to systems, re-training, termination of employment/contract or criminal charges.

20. Breach of Policy

All incidents or information indicating a suspected or actual breach of this policy must be reported as soon as possible to the immediate line manager and where appropriate the Information Security officer in accordance with the Trust Incident Reporting Policy and Procedure (see ref [8]). Staff may be subject to disciplinary procedures if this policy is not adhered to.

21. Monitoring the Policy

Ensuring that all staff requiring access to IT systems or a requirement to work electronically on Trust business remotely have access to and understand the requirements of the Policy.

Regular review of reported information security incidents

22. Review of This Document

This document will be formally reviewed every 3 years.

This document will be subject to revision when any of the following occur:

The adoption of the standards highlights errors and omissions in its content

Where other standards / guidance issued by the Trust conflict with the information contained

Where good practice evolves to the extent that revision would bring about improvement

23. Glossary/Definitions

The following terms/acronyms are used within the document.

ISO: Information Security Officer

System: Any computer or other electronic device where software accesses or otherwise carries out functions on information held electronically – for example Personal Computer, Server, PDA.

Appendix A Key Roles and Contact Details

Information Security Officer

Anne Chilcott

Amersham ext 4039

IT Security Officer

Dave Morgan

Stoke Mandeville ext 6558

IT Service Desk

Stoke Mandeville ext 5904

Caldicott Guardian

Mr Bruce James


Appendix B – IT System & Data Access Forms

1. New User Setup

I would like to apply for access to the Trust’s computer systems. I have read and agree to abide by the Trust’s Policies and Codes of Practice and understand my responsibilities to safeguard the organisation regarding:

Computer Usage Policy

Internet Access Policy

User Account and Email Usage Policy

Confidentiality Code of Practice

Procedure for the Release of Person Identifiable Data

I understand that failure to comply with the above documents may result in the Trust taking disciplinary action in accordance with the Trust’s Discipline Policy.

I understand and accept that these documents will be subject to periodic review by the Trust and agree to not unreasonably withhold my agreement to any proposed changes.

I understand and agree that my use of computing facilities within the Trust may be subject to detailed audit by duly appointed Trust staff and where necessary the Trust’s agents, at any time without prior notification.

New User Details

Title : ……… First Name : ………

Middle Name : ……… Surname : ………

Job Title : ……… Department : ………

Site : ……… Tel. No : ………

Are you Temporary Staff? YES/NO Leaving Date : / /20 *** A leaving date must be provided for all temporary staff before a login can be issued.***

Signature : ……… Date : ………

Mandatory Information Governance Training (Data Protection & Confidentiality) needs to be completed within 2 months of start date. If already completed please provide the completed date, if this has not been completed please tick to confirm you and your manager agree to complete within 2 months of start date.

Completed Date: / /20 Agree to complete within 2 months from start date (please tick)


2. Request for Access to System

Member of Staff to be given access to System

Name : ……… Username : ………

Job Title : ……… Department : ………

Site : ……… Tel No : ………

Please tick which system you require access to:

System

1.1 System 1.2

Antibiotics_Admin Other (Please state)

………... Antimicrobial Maintenance Utility

Arcadia Bloodspot Costar Cressex

Diana (Please provide PC Number) DOC Gen

DOC Gen Admin LAPP Administrator

LAPP Administrator – Read Only LAPP Approver LAPP User Lilie - GUM MI Databank PMS User PMS - Report Review

Pandemic Flu Report VIP (Outpatients) Winpath


3. Share Access Request

PLEASE COMPLETE ALL DETAILS IN BLOCK CAPITALS Share Details

Full name of Share and Server: (e.g. WARDS$ ON 'BHTFILE01' (N:)) ……….

Members of Staff to be given Access to Share (Please list staff members below)

Add

Remove Name : ………... Username : ………...

Read Only

Modify Job Title : ………... Department : ………

Site : ………... Tel No: ………

Add

Remove Name : ………... Username : ………...

Read Only

Modify Job Title : ………... Department : ………

Site : ………... Tel No: ………

Add

Remove Name : ………... Username : ………...

Read Only

Modify Job Title : ………... Department : ………

Site : ………... Tel No: ………

Add

Remove Name : ………... Username : ………...

Read Only

Modify Job Title : ………... Department : ………

Site : ………... Tel No: ………

Share Owner/Manager Requesting Access to be provided to the above:

Name : ……… Job Title : ………

Department : ……… Tel No : ………

Signature : ……… Date : ………

Please contact the IT-Service Desk on 01296 315904 with any queries when completing this form.

Once complete, please return to the IT Service Desk

by Fax on 01296 316988

via Internal post to the IT Service Desk, IT Department, Ward 21, SMH

IT Use Only


Appendix C - Request for Access to the Internet only via the Trust Network

(for non-employees only)

I would like to apply for access to the Trust’s computer systems. I understand my responsibilities to safeguard the organisation and understand that Buckinghamshire Healthcare NHS Trust has in place an IT Internet Access Policy that I agree to abide by.

I certify that, to the best of my knowledge, the equipment I am requesting to be connected to the Trust Network is virus free and the operating system has the relevant security patches as currently defined by Microsoft.

I understand and agree that my use of computing facilities within the Trust may be subject to detailed audit by duly appointed Trust staff and where necessary the Trust’s agents, at any time without prior notification.

New User Details

Title : ……… First Name : ………

Middle Name : ……… Surname : ………

Job Title : ……… Department : ………

Site : ……… Tel. No : ………

Data Protection Course - Attended/Booked Date of Course: / /20 Are you Temporary Staff? YES/NO Leaving Date : / /20 *** A leaving date must be provided for all temporary staff before a login can be issued.***

Signature : ……… Date : ………

Manager’s Authorisation

Name : ……… Job Title : ………

Department : ……… Tel No : ………

Signature : ……… Date : ………

Please contact the IT-Service Desk on 01296 315904 with any queries when completing this form.

Once complete, please return to the IT Service Desk

by Fax on 110 6988 or

via Internal post to the IT Service Desk, IT Department, Ward 23, SMH

IT Use Only


Appendix D – IT Remote Working – Person Identifiable, Confidential or Sensitive Data

1 Introduction

1.1 Buckinghamshire Healthcare NHS Trust, hereinafter referred to as 'the Trust', has a duty to ensure that appropriate arrangements and controls are in place to manage IT remote working undertaken by staff.

1.2 The Trust recognises that IT remote working should be available to staff where this is significant to their job role and appropriate, but it also recognises that this should be done in a safe and secure manner to reduce the risks of Trust information being shared or accessed inappropriately to the lowest possible level.

2 Purpose

2.1 This document applies to all staff employed by the Trust and all bank and contractor staff authorised to use person identifiable, confidential or sensitive data.

2.2 The document has been developed to manage IT remote working including the applications made by staff, the suitability for remote working and to reduce the level of risk posed by IT remote working to the lowest possible level.

3 Definitions and key statements

3.1 For the purposes of this document the following definition will apply -

Remote working is a form of organising/performing work, using information technology, where work, which could also be performed at the employer's premises, is carried out away from those premises. Normally this is carried out securely via a telecommunication link to their organisation. This can be carried out either at home or other place that provides access to the internet or via a 3G connection if the laptop has that facility.

For the purposes of the policy, all work carried out away from the office base, whether temporary or on a longer term basis will be referred to as 'remote working'.

Managers have a duty to identify and authorise roles that require IT remote working

Staff have a duty to inform their manager of any requirement to carry out IT remote working or changes in their current requirements to carry out IT remote working and seek the necessary authorisation before doing so

All staff have a duty to ensure that:

Only Trust provided/ approved IT equipment will be used

Encryption security will be applied to all IT equipment including any use of IT portable media e.g. USB memory keys, laptops, CDs used to transfer any authorised person identifiable data

When using Trust provided laptops they have signed and adhere to the Trust IT Laptop Policy IG0085 (see ref [4])

All donated or loaned IT Equipment to the Trust e.g. personal computers, laptops must be risk assessed, approved, registered and encrypted with the IT Services Department prior to any use.


4 Roles and responsibilities

4.1 Information Asset Managers

4.1 Information Asset Managers will support and enable the Operational Clinical Leads and Managers to fulfil their responsibilities and ensure the effective implementation of this policy within their divisions.

4.2 Operational Clinical Leads/Managers

Operational Clinical Leads/Managers must ensure that –

Job roles that require IT remote working are identified and managed in accordance with this policy

4.4.1 Staff within their responsibility need to apply for the ability to remote work prior to any work commencing and provide all appropriate information within the documentation required. Further information and copies of appropriate forms to be completed can be found in appendices D1 and D2.

4.4.2 They review their staff members' applications to remote work appropriately and sign all relevant documentation as required. Copies of all relevant forms must be retained in the staff member's personal file. Where they feel an application of remote working is not appropriate, this must be discussed with the individual and it must be documented that the application has been declined by completing the appropriate form as set out in appendix 1.

4.4.3 Staff complete their requirements in terms of reading the relevant Trust documentation and understanding their responsibilities therein. Further information can be provided by the IG and IT departments.

4.4.4 All Information Governance incidents are investigated appropriately and the information is shared with the relevant services within the Trust where required.

4.4.5 Copies of all appropriate documentation relating to the technology for remote working are retained by the IT department for reference.

4.4.6 When a staff member leaves the organisation or changes to a department where remote working is not required the necessary steps are taken to retrieve any remote working access and that this is shared with the appropriate services within IT.

4.4.7

4.3 Information Governance Manager

The Information Governance Manager will ensure that –

4.6.1 They provide information, support and advice (where applicable) to staff/IT on remote working.

4.6.2 They provide incident investigation advice where requested.

4.4 IT Services Manager

The IT Services Manager will ensure that –

4.7.1 Adequate resources are available and appropriate people are identified within their department to ensure that all remote working applications are monitored and actioned in a timely manner.


4.7.3 Where appropriate, software and upgrades to Trust PC equipment are provided to ensure the equipment meets all security requirements.

4.7.4 Appropriate training is provided to the individual on how to use the equipment given to them to remote work and that they are given time to ask any questions where necessary. The trainer will ensure that the appropriate agreement form is filled in and signed as set out in appendix 4 before the individual is provided with the necessary equipment to remote work.

4.7.5 The Laptop and VPN Register is kept up to date with information relating to users with laptops and VPN tokens so that records can be updated and assets can be monitored.

4.5 All Staff

All staff will ensure that –

4.8.1 They apply to remote work via the appropriate methods as set out in Appendix D1 and provide honest information within this documentation.

4.8.2 Whilst remote working, they abide by all appropriate Information Governance policies and procedures specifically within this policy and within the Trust's Laptop Security Policy.

4.8.3 They read the relevant Trust documentation and understand their responsibilities therein. Further information can be obtained from the IG and IT departments.

4.8.4 Where required, they implement all further control measures requested by IG and IT before their application for remote working is approved. Where these measures cannot be met, this information must be then provided to the IG and IT Managers and their Operational Clinical Lead/Manager for further discussion.

4.8.5 All Information Governance incidents including lost or stolen IT equipment must be reported via the Trust's Incident Reporting Policy.

5 Working remotely

5.1 All staff wanting to work remotely must make an appropriate application to do so via the documentation as set out in Appendix D1. This then must be submitted to the individual's respective Line Manager for approval then sent to the IT department for processing.

5.2 The Operational Clinical Lead/Manager may, at this stage, reject the application to remotely work. If so, the reason for this rejection must be documented and provided to the member of staff. If the member of staff wishes to contest this decision, this must be done via the approved HR processes.

5.3 Remote working is only possible using Trust provided/approved PC hardware, using a VPN token if access to the Trust network is required. Other hardware, for example, that provided by third party companies or personally owned equipment, must not be used.

5.4 Whilst remote working, staff members must ensure that they are aware of their responsibilities to store information safely, to protect it from loss, destruction or damage. This requires storage that is secure against theft and damage, and the protection of systems from computer fraud and virus attacks.

5.6 Staff must ensure that they are aware of their responsibilities when using sensitive data e.g. Patient Identifiable data, Personal identifiable data, see Appendix D2. Further information is available from the IG and IT departments. (We need a reference here to the one that discusses the requirement for senior manager approval)

6 Virtual Private Networks (VPN)


6.2 VPN is a connection made between one network and another. VPN is used to securely connect to the Trust's network in order for an individual to work remotely. A VPN token is part of the remote access system and provides a unique number every 60 seconds. This number is used as part of the process to remotely work alongside a password provided to the individual.

6.2 If a successful application for remote working is made, staff members will be provided with the appropriate software and VPN token to connect to the Trust's electronic systems remotely. Connection must be made in accordance with listed policies.


Appendix D1 - Request for IT remote Working

IT Remote Working – conditions of use:

1. I will keep all equipment secure, including the laptop, VPN token, USB stick etc., at all times.

2. Where I will use a Trust provided laptop for home/remote working, this must be encrypted.

3. I will use only an approved Trust provided encrypted USB stick.

4. I will not write down any passwords and will keep the VPN token separate from the laptop (i.e. not the same bag)

5. I will not carry out any electronic transfer of information between NHS systems and privately managed personal computer resources.

6. I will report any changes to my home/remote working environment to my Line Manager and IT Service Manager

7. I will return to IT all equipment issued to me for the purpose of remote working should this be no longer required or on termination of contract.

8. I understand that failure to observe and maintain this home/remote working agreement may result in the home/remote working facility being withdrawn.

Requester Details

Name : ……… Job title : ………

Department : ……… Site : ………

Tel. No : ……… Directorate: ………

Usage Details

Will Person Identifiable Data (PID) be processed? YES/NO

Reason why Home\Remote working is Required and what work would be completed whilst Home\Remote Working?

………...
………...

I confirm that I have read and understand the above conditions of use. I also confirm that the information that I have provided above is true and correct:

Signature : ……… Date : ………

Type of Access Required

IT will contact you further with costs and further authorisations required

☐ 3G ☐ Blackberry ☐ VPN Token

☐ Encrypted USB Memory Stick ☐ Trust Laptop

Manager's Authorisation

Name : ……… Job Title : ………

Department : ……… Tel No : ………

Signature : ……… Date : ………

Please contact the IT-Service Desk on 01296 315904 with any queries when completing this form. Once complete please retain a copy, provide your manager with a copy and return a copy to IT Service Desk by fax on 110 6988 or via internal post to the IT Service Desk, IT Dept, Ward 23, SMH


Appendix D2 Data Protection Considerations when Remote Working

All staff should adhere to Trust policy when using Trust records/information for remote working purposes.

In addition, consideration should be given to the following:

Manual records (paper records)

Staff should avoid taking patient records home whenever possible, and where this cannot be avoided, procedures for safeguarding the information should be made i.e. locked securely in a briefcase, kept under your supervision at all times or locked in a secure cupboard with only your access, until they are returned to work

Confidential/Sensitive information should not be left where it might be looked at by unauthorised persons i.e. family and friends and should not be left in insecure areas

Records must not be left in the car. During transportation these should be locked in the boot of the car and removed immediately on arrival at home and kept secure as above.

Records must be properly booked out from their normal filing system i.e. tracing and tracking system

Records must be returned to the filing location as soon as possible

Electronic records

Always log-out of any computer system or application when you have finished working or leaving your work station for a period of time

Ensure passwords are kept safely and not accessible to friends and family

Use a password protected screen saver to prevent casual viewing of information

Do not store patient information on a USB stick unless you have been authorised to do so and it is a Trust standard encrypted USB stick. The data must be wiped from the memory stick once it has been copied to its destination.

Do not download person identifiable/sensitive information from your NHSmail account onto your home PC or any other non Trust provided equipment

Key Risks to working on personally owned equipment

You cannot guarantee adherence to the Trust's Security Policies by members of your family or friends

You would be unable to guarantee virus protection to the Trust's standard

Even if you delete any Trust data from your home PC, this is still retrievable from the hard drive by an expert or with the right software

IT equipment is vulnerable to theft and loss, and any data stored on personally owned equipment that does not meet the Trust's strict security requirements is at a significantly higher risk.

References
