. . .
Customer and Technical Services
Acceptable Use Policy
OVERVIEW ______________________________________________________ 4 IT RESOURCES USAGE POLICY _______________________________________ 4
1. Trust Property _______________________________________________ 4 2. Inappropriate Use ____________________________________________ 5 3. Identification Codes and /Log-ons _______________________________ 5
EMAIL USAGE POLICY ______________________________________________ 6
1 Granting of access _____________________________________________ 6 1.1 New User of Email ____________________________________________________ 6 1.2 External Email _______________________________________________________ 6 1.3 Sensitive Patient Data__________________________________________________ 7 2 Trust Access to Emails___________________________________________ 7 3 Personal Use of Email ___________________________________________ 8 4 Misuse of Email _______________________________________________ 8 5 Termination of Email Accounts ____________________________________ 9
INTERNET USAGE POLICY ___________________________________________ 9
1 Overview ____________________________________________________ 9 2 Purpose of the Internet Usage Policy ______________________________ 10 DETAILED INTERNET POLICY PROVISIONS___________________________ 10 3 General _____________________________________________________ 10 4 Technical ____________________________________________________ 13 5 Security ____________________________________________________ 14 Policy Compliance ________________________________________________ 14 Glossary of Terms ________________________________________________ 14 Covered Individuals ______________________________________________ 15 Related Policies and Legislation _____________________________________ 15
For approval/amendment Distribution
Trust Executive Internet users IT Technical Services Team Leader Email Users
Date Version State Nature of Change 1st July 2000 2.0 Draft
10th August 2000 2.1 Draft Amendments 22nd November 2000 3.0 Final Draft Amendments 13th November 2001 4.0 Final Release Updates Authors: Chris Allen Customer Services Manager
ACCEPTABLE USE POLICY
(Including Information Technology Resources,
Internet and Email Use)
This policy defines appropriate use of the Trust's IT systems and resources so that: (1) productivity levels are not reduced due to non business-related use of the Trust's systems, equipment and infrastructure;
(2) the Trust is not exposed to unnecessary risk by individuals accessing non business-related Internet sites or sending inappropriate communications via electronic mail, or by a breach in security, which could result in unauthorized access to the Trust's business and patient information; and
(3) individuals in our workplace are not exposed to inappropriate images or communications.
The Trust will monitor use of it’s computer resources and, if appropriate, review individual usage patterns. Non-compliance with the Trust's policy may result in disciplinary action, up to and including the termination of an individual's employment, as per the Trust’s already established disciplinary procedures.
IT RESOURCES USAGE POLICY
The Trust's has made considerable investments in Information Technology resources, necessary to operate effectively in today’s marketplace. Use of this technology comes with responsibilities that have security, compliance, productivity and ethical implications:
The following policy addresses three areas: Trust property, inappropriate use, and identification codes/logons.
The Trust's Information Technology resources are intended solely for use in conducting Trust business and may not be used for non business-related purposes; including non business-related communications (see email policy – personal email). All emails, files and documents that are composed, stored or transmitted, over our internal and external networks, are the property of The Trust and will be monitored at the Trust's discretion.
Similarly, the movement of all Trust IT equipment must be done in accordance with the Trust IT procurement and movement policy. (This also gives guidance on the purchase and installation of hardware and software onto Trust PC’s including licensing, ownership of software, and registration of all newly purchased IT equipment with the IT Directorate.)
• The Trust's information technology resources should not be used to create
documents, transmit messages or access Internet sites that:
- disparage individuals on the basis of race, color, religion, gender, national origin, citizenship, age, marital status, disability or sexual orientation;
- are not consistent with, or violate the Trust's Staff Support Policies (inc. Equal Employment Opportunity policy) or any other policy contained in the Trust's Code of Conduct; or
- are not consistent with or violate any other Trust policies.
- The viewing, downloading, transmitting or accessing of sexually oriented material or offensive speech is strictly prohibited.
• The Trust's IT resources may not be used:
- for personal gain or profit;
- to establish a personal public presence (i.e., "Web Sites") on the Trust's systems; or
- for non business-related purposes.
• Electronic communications should comply with all applicable laws and
regulations, including laws :-
- governing the import and export of technology, software and data; - restricting the use of telecommunications technology and encryption; - governing the transmission of private data;
- governing the content and supervision of communications with the public; and
- relating to the protection of copyrights, trademarks and trade secrets.
• No employee may knowingly infect the Trust IT facilities to propagate any
virus, worm, Trojan horse, or trap-door program code. All due care must be taken to prevent the accidental infection of the aforementioned code. This includes scanning of disks brought into the Trust from elsewhere or disabling the installed Anti-Virus software whether on email or desktop. All PC’s connected to the Trust network must have the Trust’s approved Anti-Virus software installed and activated.
Identification Codes and /Log-ons
• All individuals who have been allocated network and/or system access are
- ensure the integrity and confidentiality of their unique user identification codes and passwords. Any suspected breach or suspected security threat to the Trust's systems should be reported immediately to the Information Systems department or the Trust Security Officer ;
- prevent access to unauthorized users when leaving systems unattended, including use of password protected screensavers where appropriate; and
- comply with all of the security mechanisms on the Internet, such as
log-on clog-ontrols or fire-wall barriers.
See also the Trust Security Policy for further details and regulations on System Security
EMAIL USAGE POLICY
1 Granting of access
1.1 New User of Email
All requests for new Email accounts need to be requested using the appropriate application form (Appendix A.1)
This form will need to be authorized by the Users Line Manager.
The User will collect the relevant passwords from the IT Customer Services Helpdesk, including copies of this Email policy and training documentation. Upon collection the user will need to sign the User Agreement form to confirm their agreement with this Email Policy.
1.2 External Email
With effect from implementation of this policy, the ability to send and receive email, from and to external organizations will, on request, be given to all new email accounts at no extra charge.
The user or users manager will complete the application to indicate whether the account is to be for internal email only or to include the external facility.
Upon receipt of the request form, the account will be set up within the time frame specified by the relevant Service Level Agreement and the user notified of account details, and referred again to the Trust Email & Acceptable Use Policy.
The Information System Department may need to restrict the use of External Email, should there be an increased risk of Virus infections. All users would be notified of
this and in exceptional one-off circumstances arrange for alternative methods of email receipt for urgent business purposes.
All external Emails are to be suffixed with the following text message, as approved by the Trust’s Legal Services Department:-
This e-mail is confidential and may well also be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person: to do so could be a breach of confidence. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of the Trust.
Thank you for your co-operation.
Access to Email both Internal and External is at the user’s line manager discretion at all times.
1.3 Sensitive Patient Data
1.3.1 Emails containing sensitive Trust data, as defined by existing data security policy e.g. patient data, are deemed to be secure as long as the recipient is also on the NHSnet (i.e. has a nhs.uk suffix on the email address). Any Data such as this should not be sent outside of the NHSnet unless encrypted. Even if a patient authorizes email of data to themselves this also is not acceptable unless encrypted. 1.3.2 These emails should also be marked as ‘confidential’ via the email security flag, which will ensure that any delegated recipients other that the directly addressed recipient, will not be able to read the email if forwarded.
2 Trust Access to Emails
The Trust reserves the right to retrieve the contents of an email for legitimate reasons, such as to find lost messages, to comply with investigations of wrongful acts or misuse, or to recover from system failure.
The monitoring of individual communications, is limited to investigations that have been authorized by the Chief Executive, Director of Information Systems or Director of Human Resources, or as may be required to meet requirements of a Court of Law. The Trust has Email content analyzing software, which alerts the IT department to inappropriate language within emails.
The author will be promptly notified after the event that Emails have been accessed, and the reasons why this has happened. In the case of investigations of wrongdoing, notification will take place upon completion of the investigation.
Users of the email system should also note that deletion of an email from a mailbox does not guarantee that the message has been fully erased. Only the tag that identifies the file is erased and therefore all emails written should be taken to be permanent.
3 Personal Use of Email
Personal use of E-mail by Trust employees is allowable but should be minimized and not interfere with, or conflict with business use. Employees should exercise good judgment regarding the reasonableness of personal use. Personal notices not relating to Trust business (i.e. "for sale", "for rent", "looking to buy", etc.) should be placed on the Intranet message Board, and not on the email system.
Use of E-mail is limited to employees and authorised temporary staff, or contractors. Employees and authorised users are responsible for maintaining the security of their account and their password.
4 Misuse of Email
Examples of misuse of email includes the following:
• the transmission of obscene, profane or offensive material over any Trust communication system. This includes, for example, erotic & pornographic materials and obscene language, which is monitored by the Internet Message Inspector.
• Messages, jokes, or forms which violate the Trust harassment or
discrimination policy or create an intimidating or hostile work environment are prohibited.
• Use of company communications systems to set up personal businesses or send chain letters is prohibited.
• Trust confidential messages should be distributed to Trust personnel only. Forwarding to locations outside is prohibited, unless authorized or required within the confines of the NHS.
• Accessing copyrighted information in a way that violates the copyright is
• Breaking into the Email system or unauthorized use of a password/mailbox is prohibited.
• Broadcasting unsolicited personal views on social, political, religious or other non-business related matters is prohibited.
• Solicitation to buy or sell goods or services or using the network for commercial purposes is prohibited.
4.1 Statements of Facts Untrue – Statements of facts, which damage the
reputation of the person or company, are considered libelous. These need not be insulting but may be that another organization is in financial difficulty), or
unprofessional in their conduct can be libelous statements. (e.g. Western Provident Association v Norwich Union 1999, resulted in settlement of over £450k for libelous statements. Users of the email systems must also take great care in what is said in an email message, so that binding contracts are not inadvertently agreed upon, as an email can be used as a legally binding document as in paper correspondence.
4.2 Email Restrictions - The Information Systems Directorate reserve the right to prohibit and block, email attachments of certain types i.e. video, Exe files, as these are commonly game type files and also pose a greater risk to the organization of infection by viruses etc. File sizes may also be limited at the discretion on the Technical Services Department, as large files can impact on the efficient operation of the Trust or NHS network.
5 Termination of Email Accounts
5.1 There is a security risk of staff who leave the trust abusing the Trust’s email system. Therefore arrangements have been made with the Human Resource Department to provide list of leavers each month. For each leaver. Email access and their Network log-on will be disabled for a period of 1 month from the notification of their departure. This provides a safeguard against accidental deletion. After one month the account will be permanently deleted.
5.2 Any email account that has not been accessed for 3 months, will be suspended and the user’s manager will be given 1 month notice of the deletion of that account. 5.3 When members of staff leave the Trust, his or her personal email account will be deleted and access cannot be granted to that account to anyone. It must not be assumed when an individual leaves the Trust, that their account can continue to be used and accessed by other people.
The only exception to this is where an account is set under a department name e.g. email@example.com or firstname.lastname@example.org. This account may be accessed by another person in that department under the authorisation of the Department Head. The day-to-day users of that account are to be made aware of this situation, when the access is granted.
INTERNET USAGE POLICY
The Trust provides access to Internet to help staff perform their job and be well informed. This Internet usage policy is designed to help users understand the Trust’s expectations for the proper use of these Internet access facilities.
2 Purpose of the Internet Usage Policy
2.1 Appropriate Use - The Internet is a business tool, provided at significant cost
and staff should use the Internet only for Business/Trust related purposes, i.e., to communicate with colleagues and suppliers, to research relevant topics and obtain and disseminate useful business & clinical information.
2.2 Conduct – Users should conduct themselves professionally on the Internet, and
respect the copyrights, software licensing rules, property rights, privacy and prerogatives of others, just as in any other business dealings. All existing Trust policies on staff conduct still apply to conduct on the Internet, especially (but not exclusively) those that deal with intellectual property protection, privacy, misuse of Trust resources, sexual harassment, information and data security, and confidentiality.
Unnecessary or unauthorized Internet usage causes network and server congestion. It slows other users, takes away from work time, consumes supplies, and ties up printers and other shared resources. Unlawful Internet usage may also garner negative publicity for the Trust and risk exposure to significant legal liabilities.
2.3 Trust Corporate Image - The newsgroups and e-mail on the Internet give each individual Internet user an immense and unprecedented ability to propagate Trust messages. Because of that power we must take special care to maintain the clarity, consistency and integrity of the Trust’s corporate image and posture. Anything that an employee writes in the course of acting for the Trust on the Internet could be taken as representing the Trust’s corporate posture. That is why we expect users to forego a measure of their individual freedom when they participate in chats or newsgroups on Trust time, as outlined below.
2.4 Security - While our connection to the Internet brings enormous potential benefits, it can also open the door to some significant risks to our data (clinical & financial) and systems if we do not follow appropriate security discipline. As presented in greater detail below, that may mean preventing machines with sensitive data or applications from connecting to the Internet entirely, or it may mean that certain users must be prevented from using certain Internet features like file transfers. The overriding principle is that security is to be everyone’s first concern. Trust employees can be held accountable for breaches of security or confidentiality.
DETAILED INTERNET POLICY PROVISIONS
3.1 The Trust has software and systems in place that monitor and record all Internet usage. Our security systems are capable of recording (for each and every user) each World Wide Web site visit, newsgroup or e-mail message, and each file transfer into and out of our internal networks, and we reserve the right to do so at any time.
employee should have any expectation of complete privacy as to his
or her Internet usage.
The Information Systems Directorate will review Internet activity and analyze usage patterns, and may choose to disclose this data to assure that Trust Internet resources are devoted to maintaining the highest levels of productivity.
The Trust has installed Internet Content Analysing Software. This software has several useful functions, to assist in managing the usage of the Internet within the Trust.
i) Prohibit undesirable sites - Key words e.g. those of an adult or frivolous nature (nude, xxx, games etc) can be defined within the software and thus sites containing these words are blocked.
ii) Surf Time statistics – Reports will be run routinely detailing the usage time of each user or workstation. Excessive time spent on line by a particular user can be identified and corrective measures taken. This will also identify potential misuse of the password, where an ID may be shared with other members of staff to use the World Wide Web.
iii) Sites Visited – reports will be run of sites visited by users, and the most frequently visited sites. A list of web links will be provided on the NHSweb access page of the most frequent or most relevant sites to the Trust personnel e.g. Medline or Cochrane.
3.2. We reserve the right to inspect files stored on PC’s or servers connected to the Trust network in order to assure compliance with policy.
3.3 The display of any kind of sexually explicit graphical image or text document on any Trust system is a violation of the Trust policy on sexual harassment. In addition, sexually explicit material may not be archived, stored, distributed, edited or recorded using any device connected to the Trust’s network.
3.4 The Trust uses independently supplied software to identify inappropriate or sexually explicit Internet sites. Access will be blocked from within our networks to all such sites that we know of (see i above). If you find yourself inadvertently connected to a site that contains sexually explicit or offensive material, you must disconnect from that site immediately, regardless of whether that site had been previously deemed acceptable by any screening or rating program and report the incident to the ISSD Helpdesk.
3.5. The Trust’s Internet facilities and computing resources must not be used to violate any laws of the EU or UK. Use of any Trust resources for illegal activity is deemed to be gross misconduct in accordance with Trust Human Resources policy and thus may be grounds for immediate dismissal. The Trust will cooperate with a Court of Law with regard to compliance to this policy.
3.6. Any software or files downloaded via the Internet into the Trust network become the property of the Trust. Any such files or software may be used only in ways that are consistent with their licenses or copyrights and with Trust business 3.7. No employee may use Trust facilities to download or distribute pirated software or data.
3.8. No employee may use the Trust’s Internet facilities to knowingly expose the Trust to risk of any virus, worm, Trojan horse, or trap-door program code.
3.9. No employee may use the Trust’s Internet facilities to disable or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of another user.
3.10. Each employee using the Internet facilities of the Trust shall identify himself or herself honestly, accurately and completely (including one’s Trust affiliation and function where requested) when participating in business related chats or newsgroups, or when setting up accounts on outside computer systems.
3.11 No Employee should set up a personal or departmental web presence, which pertains to be officially sanctioned by the Trust, or representing the Trust in a official capacity, without consultation of the Trust Website Editorial committee. Likewise use of the Trust or NHS logo should not be used without approval of the Trust Corporate Communication department.
3.12. Only those employees or officials who are authorized to speak to the media, to news analysts or at public gatherings on behalf of the Trust may speak/write in the name of the Trust to any newsgroup or chat room. Other employees may participate in newsgroups or chats in the course of business when relevant to their duties, but they do so as individuals speaking only for themselves. Where an individual participant is identified as an employee or agent of the Trust, the employee must refrain from any political advocacy and must refrain from the unauthorized endorsement or appearance of endorsement by the Trust of any commercial product or service not provided by the Trust. Only those managers and Trust officials who are authorized to speak to the media, to news analysts or in public gatherings on behalf of the Trust may grant such authority to news-groups or chat room participants.
3.13. The Trust retains the copyright to any material posted to any forum, newsgroup, chat or World Wide Web page by any employee in the course of his or her duties.
3.14. Employees are reminded that chats and newsgroups are public forums where it is inappropriate to reveal confidential Trust information, identifiable patient data, trade secrets, and any other material covered by Trust confidentiality policies and procedures. Employees releasing such confidential information via a newsgroup or chat — whether or not the release is inadvertent — will be subject to the sanctions provided in Trust policies and procedures.
3.15. Use of Trust Internet access facilities to commit infractions such as misuse of Trust assets or resources, sexual harassment, unauthorized public speaking and misappropriation of intellectual property are prohibited and will be sanctioned under the relevant provisions of the Human Resources Policies.
3.16. Because a wide variety of materials may be considered offensive by colleagues, customers or suppliers, it is a violation of Trust policy to store, view, print or redistribute any document or graphic file that is not directly related to the user’s job or the Trust’s business activities.
3.17. In the interest of keeping employees well informed, use of news briefing or Email discussion groups or mailing lists services like Topica are acceptable, within limits that may be set by each directorate’s management team, or as advised by the information systems department.
3.18. Employees with Internet access may download only software with direct business use, and must arrange to have such software properly licensed and registered. Downloaded software must be used only under the terms of its license and installation of this software on Trust equipment must be authorised by the IT department.
3.19. Employees with Internet access may not use Trust Internet facilities to download entertainment software or games, or to play games against other opponent.
3.20. Employees with Internet access may not use Trust Internet facilities to download images, music or videos unless there is an express business-related use for the material.
3.21. Employees with Internet access may not upload any software licensed to the Trust or data owned or licensed by the Trust without the express written authorization of the software supplier or manager responsible for the software or data.
4.1. Network User IDs and passwords help maintain individual accountability for
Internet resource usage. As always, users must keep that password
confidential. Trust policy prohibits the sharing of user IDs or passwords assigned for access to Internet sites. After use Users must log out of the PC’s or Internet Browser where they have been accessing the Internet.
Users will be held responsible for misuse of the Internet facilities undertaken with their user ID and password.
4.2. Employees should schedule communications-intensive operations such as large files transfers, video downloads, mass e-mailings and the like for off-peak times. 4.3. Any file that is downloaded must be scanned for viruses before it is run or accessed.
5.1.As part of the Trust connection to NHSnet, the Trust has installed an Internet firewall to assure the safety and security of the Trust’s networks. Any employee who attempts to disable, defeat or circumvent any Trust security facility will be subject to misconduct proceedings under the Trust Human Resources disciplinary policies.
5.2. Files containing sensitive Trust data, as defined by existing corporate data security policy e.g. patient identifiable data, that are transferred in any way across the Internet, outside of the NHSnet must be encrypted.
5.3. Only those Internet services and functions with documented business purposes for the Trust will be enabled at the Internet firewall.
• The Trust's equipment, email and Internet access facilities by the Information
Systems Directorate’s to determine whether their use is in accordance with this policy, and to investigate claims of wrongdoing and inappropriate use.
• All employees are responsible for ensuring adherence to these policies and
for taking appropriate steps, including notifying their manager or their business unit Human Resources Department, if they believe that a violation of this policy has occurred.
Violations of this Policy on Appropriate Use of the Trust's
Information Technology may result in disciplinary action, up
to and including the possible termination of an individual's
employment as per the Trust’s Disciplinary Policy and
Glossary of Terms
Certain terms in this policy should be understood expansively to include related concepts:-
“Trust” includes our affiliates and subsidiaries,
“Document” covers any kind of file that can be read on a computer screen as if it were a printed page, including HTML files read in an Internet browser, any file meant to be accessed by a word processing or desk-top publishing program or its viewer, (including Microsoft Office Documents) or the files prepared for the Adobe Acrobat reader and other electronic publishing tools.
“Graphics” includes photographs, pictures, animations, movies, or drawings.
“Display” includes monitors, flat-panel active or passive matrix displays, monochrome LCDs, projectors, televisions and virtual-reality tools.
“Technology” - includes, but is not limited to, all of the Trust’s processing hardware (mainframe, servers and desk top computers), software (applications that support business processes, operating Systems, utility software), networks and networking applications, PDAs, phone systems, voice mail, electronic mail, facsimile machines), and data systems.
This policy applies to all users of Chelsea and Westminster Healthcare IT services and systems, whether the users are Trust employees, agents, individuals working through temporary agencies or consultants, regardless of whether the user is utilizing the Trust’s technology at the office or from a remote location.
Related Policies and Legislation
Computer Misuse Act (1990)
Data Protection Act (1984)
Human Rights Act (1998)
Chelsea and Westminster IM&T Security Policy
Chelsea and Westminster Human Resource Policies
General Policies and Staff Code of Conduct Staff Support Policies
Employee Relations Procedures