
E-Mail and Internet Policy

Document reference

Title: E-Mail and Internet Policy

Product ID:

Version Number: 8.0

Status: Live

Distribution / Issue date: 12 November 2014

Author: K. Fairbrother

Review Period: 2 Years

Owner / Owning entity: HBL ICT Services

Approver / Approval entity: IT Security Forum / SMT / Information Governance Committee

Authoriser / Authorisation entity:


Document control and revision history

Version | Revision date | Details of Amendment | Amended by | Checked by
Draft | Sept 2007 | Initial Draft | John Hepburn |
1.0 | October 2007 | V1 Live | John Hepburn |
2.0 | April 2010 | V2 Review | John Hepburn |
3.0 | May 2010 | Organisational Change / Formatting | John Hepburn |
4.0 | Sept 2012 | Amendments | Keith Fairbrother |
5.0 | October 2012 | Amendments | Keith Fairbrother |
6.0 | May 2013 | Amendments | Keith Fairbrother |
7.0 | June 2013 | Amendments | Martin Wallis |
8.0 | October 2014 | Organisational Change / Formatting | Keith Fairbrother |
8.0 | November 2014 | HBL ICT SMT Approval | HBL ICT SMT |
8.0 | January 2015 | Minor amendments following ENHCCG IG Forum | David Hodson |

Enclosures

Enclosures:
1. None.

Embedded files:
1. None.

Distribution

External

Action: IG Reference Groups (HCT, HPFT, ENHCCG, HVCCG, BCCG, LCCG)

Information:

Internal

Action: None


Contents

1. Executive Summary ... 5

2. Introduction... 6

3. Terms / Acronyms Used ... 7

4. Purpose and Scope ... 8

4.1 Purpose ... 8

4.2 Scope of the Policy ... 8

4.3 Local Variation ... 8

4.4 Legal Framework ... 9

5. Electronic Mail and Internet Services ... 10

6. Permissible Uses of Electronic Mail and Internet ... 10

6.1 Authorised users ... 10

6.2 Purpose and use ... 10

6.3 Transmission of Confidential Information ... 10

6.4 Prohibited uses of e-mail and internet ... 11

6.5 Restrictions on Internet Sites ... 11

6.6 Contents of messages and internet material ... 12

6.7 Inappropriate or offensive inbound E-Mail ... 12

6.8 Unsolicited or ‘junk’ mail ... 12

6.9 Privacy and confidentiality ... 12

7. Access and disclosure of electronic communications ... 13

7.1 General Provisions ... 13

7.2 Monitoring of communications ... 13

7.3 Inspection and disclosure of communications ... 14

7.4 Special procedures for monitoring and disclosure. ... 14

8. Disciplinary Action ... 15

9. Compliance ... 15

10. References ... 15

11. Related Policies and Documents ... 16

12. Appendix 1 – Equality Impact Assessment Stage 1 Screening ... 17

13. Appendix 2 – Privacy Impact Assessment Stage 1 Screening ... 19

14. Appendix 3 – E-Mailing Personal Confidential Data ... 21

14.1 Introduction ... 21

14.3 Limited Facility on the Trust’s Outlook Service ... 22

14.4 E-Mailing information to Patients/Service Users ... 23

14.5 Exceptions to the Encryption Rules ... 23


1. Executive Summary

The E-Mail and Internet Policy sets out the commitment of the Trust/CCG (The Organisation) to preserve the confidentiality, integrity and availability of electronic communications and to ensure that such electronic communications are effectively and lawfully managed.

The Policy aims to ensure that:-

o The E-Mail and internet services used by the organisation are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;

o Confidentiality and integrity of information communicated electronically is maintained at all times

o Staff are aware of their responsibilities and adhere to the provisions of the policy;

o Procedures are in place to detect and resolve possible security breaches and to prevent a recurrence.

This policy applies to:

o All E-Mail and internet services used by the organisation and the information communicated electronically, processed or stored using these services;

o All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;

o Any other persons granted access to the organisation’s E-Mail and internet services;

o All locations from which the organisation’s E-Mail and internet services can be accessed.

Application of the policy will assist in compliance with the organisation’s Information Security Policy, information related legislation, NHS Information Security Standards and NHS Information Governance Standards.


2. Introduction

o The organisation is committed to ensuring that diversity, equality and human rights are valued. We will not discriminate either directly or indirectly and will not tolerate harassment or victimisation in relation to gender, marital status (including civil partnership), gender reassignment, disability, race, age, sexual orientation, religion or belief, trade union membership, status as a fixed-term or part-time worker, socio-economic status and pregnancy or maternity.

o The organisation works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients.

o The organisation, via the Information Governance Toolkit, provides the means by which we can assess our compliance with current legislation, Government and National guidance.

o Information Governance covers: Data Protection & IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations and Information Quality Assurance


3. Terms / Acronyms Used

DH = Department of Health

EU = European Union

HSCIC = Health and Social Care Information Centre

ICT = Information and Communications Technology

IM&T = Information Management and Technology

IT = Information Technology

NHS = National Health Service

PCD = Personal Confidential Data

PCs = Personal Computers

SIRO = Senior Information Risk Owner


4. Purpose and Scope

4.1 Purpose

The E-Mail and Internet policy sets out the commitment of the organisation to preserve the confidentiality, integrity and availability of electronic communications and to ensure such electronic communications are effectively and lawfully managed.

The Policy aims to ensure that:-

o The E-Mail and Internet services used by the organisation are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;

o The information contained in or processed by these systems is kept secure;

o Confidentiality, integrity and availability are maintained at all times;

o Staff are aware of their responsibilities and adhere to the provisions of the policy;

o Procedures are in place to detect and resolve security breaches and to prevent a recurrence.

4.2 Scope of the Policy

This policy applies to:

o All E-Mail and Internet services used by the organisation and the information communicated electronically, processed or stored using these services;

o All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business.

o Any other persons granted access to the organisation’s E-Mail and Internet services;

o All locations from which the organisation’s E-Mail and Internet services can be accessed.

4.3 Local Variation

Variation to some parts of the policy may be allowed where local conditions do not permit full implementation. Applications for such variation must be made to the Head of Infrastructure and must be approved by the Director of HBL ICT Services (To ensure the security of shared infrastructure and to ensure meeting Information Security requirements) and, should the assessed level of risk warrant it, the Information Governance Sub Committee before being introduced.


4.4 Legal Framework

This policy is compliant with relevant legislation, Department of Health and NHS regulations and guidance and the policies and procedures of partner organisations; principally:-

• UK and EU legislation, including:

o Data Protection Act (1998)

o Freedom of Information Act (2000)

o Human Rights Act (1998)

o Computer Misuse Act (1990)

o Communications Act (2003) & Electronic Communications Act (2006)

o Regulation of Investigatory Powers Act (2000)

o Copyright, Designs and Patents Act (1988)

o Health and Social Care Act (2012)

o Caldicott 2 Review

o Care Act (2014)

• Department of Health and NHS Regulations and Guidance, including:

o Guide to Confidentiality in Health and Social Care

o NHS IM&T Security Manual

o NHS Information Governance Standards

o NHS Statement of Compliance

• Standards for Information Security Management: ISO 27001 & ISO 27002

• Policies and procedures including:


5. Electronic Mail and Internet Services

E-mail and Internet services are provided solely for the conduct of official organisation business and are subject to the organisation’s Information Security Policy.

These services and the associated systems and information are the property of the organisation. This includes all hardware, software and all data that are stored within the systems, any messages, attachments and downloads.

6. Permissible Uses of Electronic Mail and Internet

6.1 Authorised users

Staff will be given a username and/or a smartcard and a password to access the systems they are authorised to use. These will identify the user to the system.

Contractors and other persons working on behalf of the organisation may be given authority to use these services in accordance with the organisation’s policies and subject to appropriate authorisation.

6.2 Purpose and use

The use of any E-Mail and Internet resources must be related to the legitimate business activity of the organisation and its partners. This includes authorised professional and academic pursuits.

Incidental and occasional personal use of E-Mail and Internet may be permitted at the discretion of the appropriate senior manager. Any personal use will also be subject to the provisions of this policy.

6.3 Transmission of Confidential Information

All personal confidential data (PCD) must be encrypted, in accordance with DH standards, before or during transmission. Refer to Appendix 3 of this document and policy document [Guidance on the use of E-Mail when sending PCD] for further information.

All exchanges or transmission of unencrypted PCD must have the prior authorisation of the organisation’s Caldicott Guardian and/or SIRO.


6.4 Prohibited uses of e-mail and internet

o Use of another person’s identity (username/password or smartcard) to access E-Mail and Internet services;

o Use of E-Mail and Internet resources for personal monetary gain or for commercial purposes that are not directly related to the organisation’s business;

o Personal use that creates a cost or inconvenience for the organisation;

o Intercepting or opening E-Mail or electronic files addressed to another recipient without their permission (except for authorised employees in the course of the organisation’s business);

o Use of E-Mail to harass or intimidate others or to interfere with the ability of others to conduct the organisation’s business;

o Disguising an E-Mail identity in an attempt to deceive the recipient of the source or identity of the sender;

o Use of electronic mail systems for any purpose restricted or prohibited by law or regulations;

o Inclusion of the work of others into E-Mail in violation of copyright laws. Employees have a responsibility to ensure that copyright and licensing laws are not breached when composing or forwarding E-Mails and E-Mail attachments;

o Unauthorised access or attempted access to E-Mail or attempted breach of any security measures on any systems;

o Viewing, distributing or contributing to illegal or inappropriate materials on the internet, including material that might be offensive to others;

o The distribution of chain letters, inappropriate humour, explicit language or offensive images or material;

o Downloading of any files that could jeopardise the security and integrity of the organisation’s networks or systems;

o Injudicious use of work time and facilities for private purposes that impinges on work;

o The sending and receiving of NHS related information, especially PCD using public E-Mail systems (Gmail, Hotmail, Yahoo, Facebook, Twitter etc.) other than in compliance with Appendix 3 of this document and policy document [Guidance on the use of E-Mail when sending PCD].

6.5 Restrictions on Internet Sites

Restrictions will be placed on access to any internet site that could be regarded as a threat to services, systems and resources, that interferes with the use of the network or other services or to any site that is considered inappropriate.

This will include, (but is not limited to):

• Sites containing information that is inappropriate, offensive or unlawful (such as pornography, racial bias, gambling and games);

• Downloads or data transfers that threaten or interfere with network or other resources (such as executable files);

• Sites that provide ‘cloud-based’ storage functionality (such as huddle, SkyDrive, iCloud, Dropbox, etc.) except where explicitly approved.

Variation/s to this policy must be made to the Head of Infrastructure and must be approved by the Director of HBL ICT Services (To ensure the security of shared infrastructure and to ensure meeting Information Security requirements) and, should the assessed level of risk warrant it, the Information Governance Sub Committee before being introduced.

Restrictions may be changed or introduced without notice or consultation to preserve the confidentiality, integrity and availability of critical network resources.

6.6 Contents of messages and internet material

Messages and Internet material must not contain anything that may be considered offensive or disruptive to the organisation or their stakeholders. Offensive content would include, but would not be limited to, sexual comments or images, illegal or unauthorised software, racially biased materials, gender-specific comments or any comments/material that would offend someone on the basis of his or her age, sexual orientation, religious or political beliefs, national origin, or disability. Messages and internet material must not contain anything which could be regarded as libellous.

6.7 Inappropriate or offensive inbound E-Mail

Inbound E-Mails may contain inappropriate or offensive material that is beyond the control of the organisation. Receipt of such E-Mails should be reported to the ICT Service Desk.

6.8 Unsolicited or ‘junk’ mail

This is E-Mail received from senders you do not know or companies you do not do business with. Examples are unsolicited advertising for goods or services or warnings of supposed new viruses. As soon as these E-Mails are detected they should be deleted. Do not forward or reply to such E-Mails or visit sites contained in such E-Mails.

6.9 Privacy and confidentiality

The nature and technology of electronic communication means that the privacy of an individual’s use of the E-Mail system, or the confidentiality of messages, cannot be ensured. Messages may be received or monitored by someone other than the intended recipient.


All reasonable efforts will be made to maintain the integrity and availability of the organisation’s electronic communications systems. However, the organisation’s systems should not be relied upon as a secure medium for the communication of sensitive or confidential information.

7. Access and disclosure of electronic communications

7.1 General Provisions

To the extent permitted by law, the organisation reserves the right to access and disclose the contents of any electronic communications without the consent of the user. This right will be exercised when there is believed to be a legitimate business reason to do so, including but not limited to those listed in Paragraphs 7.2 and 7.3 below, and with the authority of a Director of the organisation.

The E-Mail systems should be treated like a shared filing system, i.e., with the expectation that communications sent or received may be made available for review by any authorised employee for purposes related to the organisation’s business.

E-Mail may constitute “personal records” and be subject to the provisions of the Data Protection Act 1998 and the Access to Health Records Act. The data subject has the right to access any such records.

Any user who sends or receives communications using non-standard encryption devices to restrict or inhibit access must provide access to such encrypted communications when requested to do so by the Director of HBL ICT Services or Head of Infrastructure.

7.2 Monitoring of communications

To the extent permitted by law, all electronic communications and their content will be monitored for purposes of:

• Maintaining the integrity and effective operation of systems managed or supported by the organisation;

• Ensuring compliance with the organisation’s policies and procedures and compliance with legislation and statute law.

The organisation retains the right to access, review, copy and delete any material created, stored or transported on its systems. This includes but is not limited to messages sent, received or stored on the e-mail system and any material accessed or downloaded from the internet.


Volumes of electronic communication will be monitored routinely including the source, destination and subject of the communication.

7.3 Inspection and disclosure of communications

The organisation reserves the right to inspect and disclose the contents of electronic communications:

• To discharge legal obligations and legal processes and any other obligations to employees, clients, patients, customers and any third parties (in particular, when disclosure is requested under provisions of the Data Protection Act (1998) or the Freedom of Information Act (2000)).

• To locate substantive information required for the organisation’s business that is not readily available by other means.

• To safeguard assets and to ensure they are used in an appropriate manner.

• In the course of an investigation into alleged misconduct.

7.4 Special procedures for monitoring and disclosure.

Prior approval must be obtained from the appropriate Director to gain access to the contents of electronic communications or data stores, and disclose information gained from such access.


8. Disciplinary Action

Breach of any aspect of this policy will be subject to disciplinary action in line with the organisation’s disciplinary policies. Serious breaches will be regarded as gross misconduct and may result in dismissal.

9. Compliance

Compliance with this policy will be monitored both electronically and by means of audits and spot checks.

10. References


11. Related Policies and Documents

Records Management Policy

Standing Financial Instructions

Data Quality Policy

Information Security Policy

Guidance on the use of E-Mail when sending Personal Confidential Data (PCD)

Mobile Device Security Policy

Telecommunications Policy

Information Governance Policy

Serious Incidents Requiring Investigation Policy


12. Appendix 1 – Equality Impact Assessment Stage 1 Screening

1. Policy EIA Completion Details

Title: E-Mail and Internet Policy Proposed

Existing

Review Date: October 2015

Date of Completion: 31 October 2014

Names & Titles of staff involved in completing the EIA:

Keith Fairbrother – Head of Infrastructure

2. Details of the Policy. Who is likely to be affected by this policy?

Staff Patients Public

3. Impact on Groups

Probable impact on group? High, Medium or Low. Please explain your answers: Positive / Adverse / None

• Race, ethnicity, nationality, language etc.

• Gender (inc. transgender)

• Disability, inc. learning difficulties, physical disability, sensory impairment etc.

• Sexual Orientation

• Religion or belief

• Human Rights

• Age

• Other:

No impact on any of the groups above.


4. Which equality legislative Act applies to the policy?

• Human Rights Act 1998

• Sex Discrimination Act

• Race Relations Act

• Disability Discrimination Act

• Gender Recognition Act 2004

• Mental Health Act 1983

• Equality Act 2006

• Mental Capacity Act 2005

• Age Equality Regulations 2006

• Equal Pay Act

• Sexual Orientation Regulations 2003

• Religion or Belief Regulations 2003

• Health & Safety Regulations

• Part time Employees Regulations

• Civil Partnership Act 2004

5. How could the identified adverse effects be minimised or eradicated?

Not Applicable

6. How is the effect of the policy on different Impact Groups going to be monitored?


13. Appendix 2 – Privacy Impact Assessment Stage 1 Screening

1. Policy PIA Completion Details

Title: E-Mail and Internet Policy Proposed

Existing

Review Date: October 2015

Date of Completion: 31 October 2014

Names & Titles of staff involved in completing the PIA:

Keith Fairbrother – Head of Infrastructure

2. Details of the Policy. Who is likely to be affected by this policy?

Staff Patients Public

(Answer Yes / No and please explain your answers)

Technology

Does the policy apply new or additional information technologies that have the potential for privacy intrusion?

(Example: use of smartcards)

Application of the policy will minimise potential for privacy intrusion.

Identity

By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication?

(Example: digital signatures, presentation of identity documents, biometrics etc.)

Application of the policy will ensure integrity of information.

By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats?

Application of the policy will ensure integrity of information.

Multiple Organisations

Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)

Policy applies to organisation only. All other NHS organisations have similar policy based on the same standards.


Data

By adhering to the policy is there likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)

Application of the policy will ensure integrity of information during processing.

If Yes to any of the above have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department?


14. Appendix 3 – E-Mailing Personal Confidential Data

The details within this Appendix are to be used as a supplemental guide to the document ‘Guidance on the use of E-Mail when sending PCD’.

14.1 Introduction

The Secretary of State for Health has directed that all E-Mails containing personal confidential data must be encrypted unless there is some substantial reason that overrides or modifies the confidentiality due to the person - see Paragraph 14.6, below. This applies both to information in the body of the E-Mail or in any attachments to the E-Mail.

The organisation has 2 methods available for sending encrypted E-Mail and these are described below.

14.2 NHSMail Service

The NHSMail service is provided by the NHS nationally and available to all NHS staff. It is the only nationally approved method of sending PCD relating to patients.

NHSMail addresses take the form: [email protected]

The important part is the .nhs.net suffix which identifies it as an NHSMail address. (The organisation’s standard E-Mail addresses have a suffix .nhs.uk. It is not an NHSMail service.)

Using the NHSMail service you can send E-Mails containing PCD to:

• Other NHSMail addresses, i.e. with the suffix .nhs.net;

• The secure E-Mail services with the following addresses:

o [email protected]

o [email protected]

o [email protected]

o [email protected]

o [email protected]

o [email protected]

o [email protected]

o [email protected]

o [email protected]

o [email protected]

You cannot send E-Mails containing PCD from your NHSMail account to any other address. (If you do not have an NHSMail account you can enrol yourself at www.nhs.net or contact the ICT Service Desk)


14.3 Limited Facility on the Trust’s Outlook Service

The organisation’s standard Outlook E-Mail service has an address in one of the forms:

o @hchs.nhs.uk

o @hertspartsft.nhs.uk

o @hpft.nhs.uk

o @enhertsccg.nhs.uk

o @hertsvalleysccg.nhs.uk

o @lutonccg.nhs.uk

o @bedfordshireccg.nhs.uk

Please refer to document ‘Guidance on the use of E-Mail when sending PCD’ for further details.

When using Outlook encryption you need to be aware of the following limitations and take the recommended action:

• Outlook will warn you if it cannot encrypt the E-Mail. This can happen for a variety of reasons: the recipient cannot read encrypted E-Mail, it is being sent to a group address, etc. You will need to use an alternative means of sending the person identifiable information.

• Encrypted Outlook E-Mails can only be read by the addressee and cannot be read by any delegates nominated by the addressee. You must address the E-Mail to all the people who need to read it.

• Encrypted E-Mails will not always be found when searches are performed for Data Protection Act or Freedom of Information Act requests. Encrypted E-Mails must be saved outside the Outlook system either by:

o exporting them to a file and storing them on the appropriate place on SystmOne or a shared network drive;

o or by printing them and filing the paper copy in the data subject’s file.

As a general rule, Caldicott principles must be applied when sending E-Mails containing PCD. Such E-Mails should only be addressed to individuals who have a right to see the information; such E-Mails must never be addressed to a circulation list.
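The addressing rules in sections 6.4, 14.2 and 14.3 can be enforced as a pre-send check, as in this added example (not the organisation's own tooling): it classifies recipients by the .nhs.net suffix, the listed .nhs.uk Outlook domains and the public webmail services named in 6.4, and decides whether PCD may be sent. The approved secure-service domains are redacted in this copy of the policy, so APPROVED_SECURE_DOMAINS is a placeholder to be filled in locally.

```python
"""Recipient checks for the PCD e-mail rules (sections 6.4, 14.2, 14.3).

Added example, not the organisation's own tooling. Works offline.
"""
from email.utils import parseaddr

# Section 14.2: an NHSMail address is identified by its .nhs.net suffix.
NHSMAIL_SUFFIX = "nhs.net"

# Section 14.3: the organisation's standard Outlook domains (NOT NHSMail).
ORG_OUTLOOK_DOMAINS = frozenset({
    "hchs.nhs.uk", "hertspartsft.nhs.uk", "hpft.nhs.uk", "enhertsccg.nhs.uk",
    "hertsvalleysccg.nhs.uk", "lutonccg.nhs.uk", "bedfordshireccg.nhs.uk",
})

# Section 6.4 names these public services as examples; extend as required.
PUBLIC_WEBMAIL_DOMAINS = frozenset({"gmail.com", "hotmail.com", "yahoo.com"})

# Section 14.2 lists approved secure-service addresses, but they are redacted
# in this copy of the policy, so this set is a PLACEHOLDER to fill in locally.
APPROVED_SECURE_DOMAINS = frozenset({"secure-service.example"})


def recipient_domain(addr):
    """Lower-cased domain of 'Jo <jo@hpft.nhs.uk>' style input, or None."""
    _, bare = parseaddr(addr)
    local, sep, domain = bare.rpartition("@")
    if not sep or not local or "@" in local or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def classify(addr):
    """Map an address to one of the categories the policy talks about."""
    domain = recipient_domain(addr)
    if domain is None:
        return "invalid"
    # Match the whole domain, never a substring, so that addresses such as
    # 'x@nhs.net.attacker.example' or 'jo.nhs.net@other.example' do not pass.
    if domain == NHSMAIL_SUFFIX or domain.endswith("." + NHSMAIL_SUFFIX):
        return "nhsmail"
    if domain in APPROVED_SECURE_DOMAINS:
        return "approved-secure"
    if domain in ORG_OUTLOOK_DOMAINS:
        return "org-outlook"
    if domain in PUBLIC_WEBMAIL_DOMAINS:
        return "public-webmail"
    return "other"


def pcd_decision(sender, recipient):
    """Decide whether PCD may go from sender to recipient.

    Returns 'allow', 'outlook-encryption-required' or 'deny'.
    """
    s, r = classify(sender), classify(recipient)
    if r in ("invalid", "public-webmail"):
        return "deny"  # 6.4: public E-Mail systems are prohibited for PCD
    if s == "nhsmail":
        # 14.2: NHSMail may carry PCD only to .nhs.net or an approved service.
        return "allow" if r in ("nhsmail", "approved-secure") else "deny"
    if s == "org-outlook":
        # 14.3: the standard Outlook service only with Outlook encryption;
        # the sender must act on Outlook's warning if it cannot encrypt.
        return "outlook-encryption-required"
    return "deny"  # no approved route from an unknown sender


def flag_recipients(sender, recipients):
    """Recipients that are not a plain 'allow', with the reason, for a hook."""
    flagged = []
    for rcpt in recipients:
        decision = pcd_decision(sender, rcpt)
        if decision != "allow":
            flagged.append((rcpt, decision))
    return flagged
```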


14.4 E-Mailing information to Patients/Service Users

PCD may be sent to the patient/service user it relates to by E-Mail provided the person has given their consent.

This consent and the E-Mail address must be obtained in writing – not by E-Mail – and the E-Mail address verified before personal information is sent.

Please refer to document ‘Guidance on the use of E-Mail when sending PCD’ for further details.

14.5 Exceptions to the Encryption Rules

There will be circumstances when the need to send information quickly is of greater importance than maintaining confidentiality, e.g. in the best interests of the data subject. You must seek the advice of the organisation’s Caldicott Guardian in these circumstances. Exception can be made on a case by case basis or for a specific regular information exchange. Such exception will be recorded in the Trust’s Caldicott Issues Log.
