NHS ISLE OF WIGHT
CLINICAL COMMISSIONING GROUP
IT ACCEPTABLE USE POLICY
AUTHOR/ APPROVAL DETAILS
|Document Author||Authorised Signature|
|Written By: Isle of Wight Trust; adopted and adapted by Isle of Wight CCG. Date: 9 March 2016||Authorised By: Helen Shields. Date: 16 February 2017|
|Approved By||Date|
|ICT Service Provider||16 February 2017|
|Clinical Executive||16 February 2017|
VERSION CONTROL
|Version||Date||Change|
|0.1||23/01/17||CCG adapted IW NHS Trust policy|
|0.2||16/02/17||Trust policy adopted by Clinical Executive|
|0.3||17/02/17||Amended references to IWNHST as policy adopted by the CCG Clinical Executive|
DOCUMENT HISTORY
(Procedural document version numbering convention will follow the following format. Whole numbers for approved versions, e.g. 1.0, 2.0, 3.0 etc. With decimals being used to represent the current working draft version, e.g. 1.1, 1.2, 1.3, 1.4 etc. For example, when writing a procedural document for the first time – the initial draft will be version 0.1)
|Date of Issue||Version No.||Director Responsible for Change||Nature of Change||Ratification / Approval|
|08 Feb 15||0.1||Transformation and Integration||Initial Draft|
|26 Feb 15||0.2||Transformation and Integration||Post Seniors Comments|
|23 Mar 15||0.3||Transformation and Integration||Post IGSG Comments|
|01 Apr 15||0.4||Transformation and Integration||Incorporated comments from Ambulance, Comms and IM&T DG|
|29 Nov 16||0.5||Director for Strategy and Planning||Minor updates|
|08 Dec 16||0.5||Director for Strategy and Planning||For ratification||Information Governance Steering Group|
|13 Dec 16||0.5||Director for Strategy and Planning||For Approval||Corporate Governance & Risk Sub-Committee|
|21 Dec 16||0.6||Executive Director Strategy and Planning, ICT and Estates||Incorporate minor comment from staff side representative||Corporate Governance & Risk Sub-Committee|
|21 Dec 16||0.6||Executive Director Strategy and Planning, ICT and Estates||Out on Voting buttons for Approval||Corporate Governance & Risk sub-Committee|
|10 Jan 17||1||Executive Director Strategy and Planning, ICT and Estates||Out on Voting buttons for Approval||Corporate Governance & Risk sub-Committee|
Contents
1. Executive Summary
2. Introduction
3. Definitions
4. Scope
5. Purpose
6. Roles and Responsibilities
7. Policy Detail/Course of Action
8. Consultation
9. Training
10. Monitoring Compliance and Effectiveness
1 EXECUTIVE SUMMARY
This Policy sets the ‘ground rules’ for the acceptable use of Information Technology systems and services owned and operated by Isle of Wight CCG. It applies to all the CCG’s staff, together with those working for or on behalf of the CCG, including sub-contractors.
This policy describes the responsibilities and acceptable use of IT and Information assets within the CCG.
The policy covers the following areas for acceptable use:
- Responsibilities and use of IT assets
- Use of e-mail and Internet
- Use of mobile devices, removable media and remote access
- Network usage (including passwords/user access control)
All staff will be required to read this policy as part of their mandatory Information Governance training, and to be appropriately authorised by their manager prior to gaining access to the IT network. Visiting and other temporary staff will be required to read and sign a copy of the policy before being given account credentials. All updates to the policy will be communicated to staff by login banner and via the Intranet.
Access to the National NHS network and National applications, including NHSmail, will also be subject to the NHS terms and conditions of use and their acceptable use policy.
3 DEFINITIONS
Information Asset: Information assets are definable information resources owned or contracted by an organisation that are ‘valuable’ to the business of the organisation.
Confidentiality: Ensuring that personal, sensitive and/or business critical information is appropriately protected from unauthorised access, and can only be accessed by those with an approved need to access that information.
Integrity: Ensuring that information has not been corrupted, falsely altered or otherwise changed such that it can no longer be relied upon.
Availability: Ensuring that information is available at point of need to those authorised to access that information.
Malware: Software intended to cause harm or disruption to computers or networks. There are many classifications of Malware (MALicious softWARE) but as a general term it deals with all forms of viruses, spyware, Trojans and other software designed with malicious intent.
Spam: Mass unsolicited electronic mail received from an un-requested source which attempts to convince the user to purchase goods or services. SPAM consumes valuable network resources while delivering no business benefit.
Blogging or Tweeting: This is using a public website to write an on-line diary (known as a blog) or to share thoughts and opinions on various subjects. Blogs and Tweets are usually maintained by an individual with regular entries of commentary and descriptions of events, and may include other material such as graphics or video. Examples of blogging websites include Twitter.com and Blogging.com.
‘Social Media’ is the term commonly given to web-based tools which allow users to interact with one another in some way by sharing information, opinions, knowledge and interests online. As the name implies, social media involves the building of online communities or networks to encourage participation and engagement. There are a large range of social media platforms available:
Social networking – e.g. Facebook
Professional networking – e.g. LinkedIn
Video blogging – e.g. YouTube
Microblogs – e.g. Twitter
Blogs – e.g. Wordpress
Social media can include; blogs, audio, video, images, podcasts and other multimedia communications.
Social Networking: This is the use of interactive web based sites or social media sites, allowing individuals on-line interactions that mimic some of the interactions between people with similar interests that occur in life. Popular examples include Facebook.com and Linkedin.com.
Social Engineering or Blagging: This is the method whereby an attacker uses human interaction (social skills) to deceive others to obtain information about an organisation and its information assets including personal data. An attacker may potentially masquerade as a respectable and plausible person claiming bona fide interest in the information concerned e.g. posing as a member of the organisation’s staff or maintenance contractor etc.
4 SCOPE
This policy applies to Isle of Wight CCG, referred to as the ‘CCG’, and includes all services managed by the CCG.
This policy applies to all those working for the CCG, in whatever capacity. A failure to follow the requirements of the policy may result in investigation and management action being taken as considered appropriate.
This may include formal action in line with the Concerns policy for CCG employees; and other action in relation to other workers, which may result in the termination of a contract, secondment or agreement. Non-compliance may also lead to civil or criminal action being taken.
This policy sets out the responsibilities and acceptable use of ICT and information assets within the CCG.
6 ROLES AND RESPONSIBILITIES
6.1 Senior Information Risk Owner (SIRO):
The SIRO has overall responsibility for all the CCG’s Information assets and for ensuring that information risks are mitigated effectively, and as such is responsible, alongside the IW NHS Trust Director with responsibility for ICT, for ensuring that this policy is in place and adhered to.
The CCG’s Senior Information Risk Owner (SIRO), takes ownership of the risk management of information assets and reports as appropriate to the Governing Body.
6.2 Information Asset Owners (IAO’s):
IAO’s are operationally responsible at senior level for all information assets within their business areas. IAO’s should understand and address the levels of risk in relation to the business assets they own and provide assurance to the SIRO on the security and use of those assets on at least an annual basis.
6.3 Information Asset Administrators (IAA’s):
IAA’s work at local business/departmental level and ensure that system administration and security procedures are in place for all information assets and that these are followed. They recognise and report actual and potential security incidents, liaise with the IAO on incident management, and ensure the information asset register is accurate and up to date.
6.4 The IW NHS Trust Deputy Director of Information Management & Technology:
The Deputy Director of Information Management & Technology is responsible for reviewing this policy and ensuring the effective implementation of this policy and, for the management of the security of Information assets.
6.5 IW NHS Trust ICT Service:
The ICT services department is responsible for maintaining the hardware and software components of the ICT infrastructure and, implementing all necessary technical and physical security controls.
6.6 IW NHS Trust Information Communication Technology Programme Group:
The Information Communication Technology Programme Group is a formal working group that oversees and coordinates the technical and organisational security measures that need to be in place for all the key Information assets, to ensure the confidentiality, integrity and availability of information in line with the ISO 27001 Information Security Standard.
6.7 All CCG Managers:
All managers are directly responsible for implementing policies and procedures within their business areas.
6.8 All CCG Staff:
It is the responsibility of each employee to adhere to policies and procedures and undertake information governance training on an annual basis via the CCG mandatory training and e- learning.
7. POLICY DETAIL/COURSE OF ACTION
7.1 Acceptable Use of Assets
Staff may only use assets, which are specifically authorised by their line manager, in accordance with this policy.
Unauthorised use, modification or removal of information assets is strictly prohibited. Where assets need to be removed off-site, management approval for the removal of such assets must be obtained (this applies to paper, hard copy and other forms of media).
Records stating management approval for the removal of assets will need to be maintained. All users and the CCG are subject to the provisions of the:
- Data Protection Act 1998
- Computer Misuse Act 1990
- Human Rights Act 1998
- Copyright, Designs and Patents Act 1988
- Freedom of Information Act 2000
- Privacy and Electronic Communications Regulations 2003
- Regulation of Investigatory Powers Act 2000
- Defamation Act 1996
- Obscene Publications Act 1959
- Protection of Children Act 1978
- Equality Act 2010
Copies of these Acts and guidelines are made available via http://www.legislation.gov.uk.
7.2 Acceptable Use of Email and the Internet
The CCG views the Internet and e-mail as essential tools for all their staff. However, their use can expose the CCG to technical, commercial and legal risks if they are not used sensibly. It can also degrade the performance of the IT infrastructure due to excessive and inappropriate use.
The aim of this policy is to:
- provide direction on your use of the Internet and e-mail at work to minimise the CCG’s exposure to these risks;
- explain what you can and cannot do;
- provide some explanation of the legal risks that you need to be aware of in your use of the Internet and e-mail;
- explain the consequences for you and the CCG if you fail to follow the rules set out in this policy.
This policy reflects the CCG’s agreed strategy for access and usage of e-mails and the Internet. This policy is part of a comprehensive code of conduct for all staff.
It is essential that all staff read this policy. Breaches of this policy will be taken very seriously and may lead to disciplinary action. If there is anything you do not understand it is up to you to ask your line manager or the Information Governance Manager to explain.
General Rules
Permitted and Prohibited Uses
You should only access the Internet if such use is required as part of your job, primarily for healthcare related purposes. Limited and reasonable personal use is permitted as long as it does not interfere with the performance of your duties and is authorised by your line manager.
Access to chat lines, bulletin boards, blogs and social networks on the Internet are routinely blocked by the Trust’s web filtering software.
However, if access is needed for official CCG use this should be agreed and coordinated via the Governance team, following approval of your line manager.
- You must not use the Internet for any gambling or illegal activity, including for personal business use.
- The Trust may use automated content filtering software to restrict access to categories of websites that are deemed to be inappropriate, e.g. adult/sexual, violence, criminal, etc.
- These categories are subject to on-going review. However, just because you are able to access a particular website does not always mean that it is permitted.
- You should only use the CCG’s e-mail system for business use, subject to the rules in this policy.
- If you do send a personal e-mail, this should be deleted as soon as possible from your mailbox.
- Users must not use CCG email for personal business use or illegal activity.
- Users must not use or register their CCG email account for non-CCG related services, which may lead to unnecessary Spam email being received.
- You must not ‘auto-forward’ email to your personal or other business email accounts, including external NHS mail accounts such as nhs.net or nhs.uk.
You must not transfer person/patient identifiable or confidential information outside the CCG via email, or upload it to websites, unless you are authorised to do so, it is absolutely necessary for work purposes, and it is adequately protected using encryption – please see the section below for further details.
Offensive, Illegal and Defamatory Materials
You must not under any circumstances use the e-mail system or internet facilities to access, download, send, receive or view any materials that will cause offence to any person by reason of:
- Any sexually explicit content;
- Any sexist or racist remarks;
- Remarks relating to a person’s sexual orientation, gender reassignment, race, ethnicity, political convictions, religion, disability or age.
The CCG’s Equality and Diversity Policy applies to e-mail communication. You must comply with the Equality and Diversity Policy.
You must not under any circumstances use the e-mail system or Internet to access, download, send, receive or view any materials that you have reason to suspect are illegal. Please refer to section 7.3 below, “Legal Issues relating to use of email and the Internet”, for guidance on what materials may be illegal.
Please remember that it may be illegal to copy many materials appearing on the Internet including computer programs, music, text and video clips. If it is not clear that you have permission to copy materials off the Internet, please do not do so.
You must not send or circulate any materials on the Internet or by e-mail that contain any negative and defamatory remarks about other colleagues and the CCG.
Any use of the e-mail system or Internet access for any of these prohibited purposes will be treated as a serious disciplinary matter which may lead to dismissal of the employee concerned.
Blogging and social networking sites
The use of blogging and social networking websites can expose the organisation to information risks, even where these sites are not accessed directly from work. The popularity of such websites and the rapid growth of internet enabled devices such as mobile phones, blackberries etc. has resulted in significant awareness and uptake of these websites from home, from work and when mobile.
The risks that this may pose include:
- Unauthorised disclosure of business information and potential confidentiality breach.
- Legal liabilities from defamatory postings by staff.
- Reputational damage to the CCG.
- Staff intimidation or harassment, with the possibility of personal threat or attack against the blogger, sometimes without apparent reason.
- Identity theft from personal data that may be posted.
- Malicious code and viruses causing damage to IT infrastructure.
- Systems overload from heavy use of sites, with implications of degraded services and non-productive activities, particularly as the use of rich media (such as video and audio) becomes the norm.
Whilst access to blogging and social networking sites is controlled by the Internet web filter and is only permitted by authorised exception, staff should not attempt to use such sites in work time in consideration of the above risks.
Staff should not have any work related conversations about patients or post defamatory information about colleagues or the CCG to blogging or social networking sites when at home or away from work, as they may be subject to disciplinary action and legal proceedings.
NHS organisations of all types are now making increased use of Social Networking facilities to engage their patients and other stakeholders, and to deliver key messages for good healthcare and patient service generally. These digital interactions are to be encouraged and their value extended as new communications channels become available for use.
The CCG is seeking to make such facility available so that Communications & Engagement will control the CCG corporate social networking messaging to ensure that it is utilised effectively and regularly monitored to remove any inappropriate content.
In future, as improved filters and technology becomes available, staff and stakeholders may be enabled to interact with CCG corporate social networking. This interaction will be managed in consultation with the CCG IG and IW NHS Trust IT department.
Please reference the CCG’s Social Media Policy for further information.
Confidentiality and Sensitive Information
Please remember that email and internet are not necessarily a secure way of sending information.
You must not use e-mail to send information which is highly confidential or sensitive outside the CCG, as it could cause the CCG loss, damage or embarrassment if it were publicly disclosed, unless you follow these rules:
- It has been agreed as a necessary part of the CCG’s service and you have the authority to do so from your department.
- Such information must be adequately encrypted. Please contact IT services, who will advise you on how to encrypt information; NHSmail may also be used to communicate securely with other NHSmail user accounts (i.e. @nhs.net to @nhs.net). This does not apply to other @nhs.uk email accounts.
You must also not upload person/patient identifiable or confidential or sensitive information to websites unless it is a necessary part of the CCG’s service and it is a secure (encrypted) process, which you have authority to undertake.
Please refer to the Information Sharing & Safe Haven Policies for further information.
The following categories of information will be treated as highly confidential:
- Extracts from the CCG’s patient databases;
- Any Person Identifiable Data (PID) / Personal Confidential Data (PCD);
- Personnel and staff records;
- All information received under a duty of professional confidence from staff or patients.
Please also be aware that e-mail messages, like paper based documents, can be required to be produced in legal proceedings, or in relation to Subject Access Requests and on occasion Freedom of Information Requests.
Malware, viruses and spam
All CCG computers and laptops should have anti-virus software installed, which is regularly updated via the network or directly from the vendor’s website. E-mails are also scanned within the server environment.
Non-text e-mail attachments (e.g. software, computer games, executable files and bitmaps) and software downloaded from the Internet may contain computer viruses or other harmful content which can seriously disrupt the CCG’s computer systems and network.
Any suspicious emails that may contain malware or viruses should be deleted on receipt. Spam email may contain phishing scams and links to fake websites and should also be deleted on receipt.
If you believe you may have been infected or compromised, this should be reported as an incident to IT services so that it can be investigated and any malware safely removed, as necessary.
Staff should examine carefully any email coming in to the organisation, including emails from known contacts, as they may be unreliable containing malicious code or spoofed to look as though they are authentic.
Any employee who knowingly distributes a computer virus or any harmful code or spam using the CCG’s e-mail system or network will be subject to disciplinary action which may lead to dismissal.
Security
- Do not in any circumstances disclose any user password to any other person.
- Do not impersonate any other employee when sending an e-mail, and do not amend messages received.
- You are responsible for the security of your computer data and e-mail and must not allow use by any unauthorised/other person.
IT systems will be regularly monitored using audit trails and log files to ensure appropriate use and, any misuse will be subject to investigation that may lead to disciplinary action, dismissal and/or criminal proceedings.
Housekeeping and Good Practice
The following rules will help systems to work more efficiently.
- Messages should be reviewed and deleted on a regular basis and, if necessary, archived in accordance with the NHS Records Management: Code of Practice.
- Where possible, obtain confirmation from the recipient that an important e-mail has been received.
- If you receive a wrongly delivered message you should report this to the sender and delete the message. If the e-mail message contains confidential or sensitive information you must not make use of that information and must not disclose it.
- Spam or Junk emails should be deleted immediately.
- All-user e-mails must be avoided if possible as they cause system congestion. Messages for a wider distribution should be sent to the Governance team for onward distribution.
- Do not subscribe to e-mail services which will result in e-mails being sent automatically to you unless these are for the purpose of your role.
- Do not send out trivial or personal e-mail messages. These lead to congestion of the email system and reduce its efficiency.
- Do not automatically forward messages to your private email accounts, as they may contain confidential or person identifiable data. It will also cause unnecessary congestion of the email system.
Where necessary, users should consider appointing an appropriate deputy to access their email (proxy access) for periods of leave.
This deputy should be agreed with your line manager or head of department. Alternatively, users should create an auto-reply rule to inform senders to contact an appropriate member of staff if their request needs urgent attention.
In the case of unexpected leave, e.g. long term sick, managers should attempt to obtain consent from the individual to access their email and/or network drive (e.g. H or S drive). If this is not possible managers should seek advice from the Information Governance Officer regarding access to the individuals account. Each case will be assessed individually based on the impact and disruption it may have to the local services.
If a staff member leaves their post or the CCG, they should ensure that any data is transferred, or proxy access given, to an appropriate colleague or their manager, as agreed with their line manager or head of department.
Staff using NHSmail will be subject to its own acceptable use policy and the above arrangements for allowing managers access to staff NHSmail may not be possible.
Note: You should treat e-mail in the same way you would treat a letter or fax.
Do not e-mail a message that you would not want others to read or to be read out in court.
7.3 Legal Issues relating to use of email and the Internet
This section of the policy is intended to provide staff with information relating to the most important legal issues which may arise from their use of the e-mail system and Internet access.
These are not just theoretical issues. If the law is broken then this could lead to one or more of the following consequences:
- Civil and/or criminal liability for yourself and the CCG.
- Disciplinary action against you, including your dismissal.
Ignorance of the law is not a defence in court.
7.3.2 Bullying and Harassment
The CCG requires all employees to be treated with dignity at work, free from harassment and bullying of any kind. Harassment can take the form of general bullying, or be on the grounds of sex, race, disability, sexual orientation, age, religion. Harassment could include sending sexist or racist jokes, making sexual propositions or general abuse by e-mail. You must not send any messages containing such material. Bullying and harassment of any kind will be treated as a serious disciplinary matter which may lead to dismissal.
If you are subjected to or know about any harassment or bullying, whether it comes from inside or outside the organisation you are encouraged to contact your line manager/HR advisor immediately.
7.3.3 Breach of Copyright
Materials that you encounter on the Internet or receive by e-mail are likely to be protected by copyright. This will apply to written materials, software, music recordings, graphics, artwork and video clips.
Only the owner of the copyright, or other persons who have the owner’s consent, can copy those materials or distribute them.
If you copy, amend or distribute any such materials without the copyright owner’s consent, then you may be sued for damages. The CCG may also be liable and, in some circumstances, criminal liability can arise for both you and the CCG.
Be particularly careful not to copy text or to download software or music unless you are sure you have permission to do so. Always check the materials in question to see if they contain any written prohibitions or permissions before you copy or download them.
Never download any software, music recordings or other materials that you know to be fakes or “pirate copies”.
7.3.4 Unwanted Contracts
An exchange of e-mail messages can lead to a contract being formed between yourself, or the CCG, and another organisation. Contracts can arise easily; all that is required is the acceptance of an offer with the intention that legal obligations should arise and some payment or other consideration being made for the performance of those obligations.
Breach of contract can expose the CCG to a claim for damages.
Contracting by e-mail is subject to the same requirements as any other form of contract. You must adhere to the established policies and procedures about purchasing and contracting.
Never commit the CCG to any obligations by e-mail without ensuring that you have the authority to do so. If you have any concerns that what you are doing will form a contract, contact your line manager. Mark all e-mails relating to contractual negotiations “Subject to Contract”.
You should also ensure that any person with whom you wish to enter into a contract is adequately identified.
Any contract entered into via e-mail must contain the following statement:
“Any contract formed by this e-mail will be governed and construed in accordance with the laws of England and the parties submit to the non-exclusive jurisdiction of the English courts”.
Beware of any attempt by the party with whom you are dealing to incorporate its own terms and conditions into a contract.
7.3.5 Legal liabilities from defamatory postings by email or internet
If you send an e-mail (NB: even an internal e-mail), or post any information on the Internet/Intranet, which contains any remarks which may adversely affect the reputation of another organisation or person, you will be exposing both yourself and the CCG to the risk of legal action for defamation.
Companies have been sued for the defamatory contents of e-mails sent by employees and have been required to pay out considerable sums as a result.
Legal liabilities may arise where an individual has registered with a site and indicated their acceptance of the site’s terms and conditions, which can be several pages long, contain difficult to read legal language, and give the site ‘ownership’ and ‘third party disclosure’ rights over content placed on the site. This includes web email accounts. Add-ons installed by additional features or applications can also change the terms and conditions or security features that the user has accepted.
Liabilities may also arise if a user registers with a particular site using a PC within the CCG, as it may be assumed that the user is acting on behalf of the organisation, and any libellous or derogatory comments may result in legal action. In addition, information being hosted by the website may be subject to other legal jurisdictions overseas.
7.3.6 Obscene Materials
You must not under any circumstances use the e-mail system or Internet to access, display, circulate or transmit any material with a sexual content. This may constitute a criminal offence and both the CCG and you personally could be liable. Sexual harassment will be treated as a serious disciplinary matter which may lead to dismissal.
7.3.7 Protection of Personal Data
Please note that the CCG is required to comply with the Data Protection Act 1998 concerning the protection of personal data. Failure to adhere to that legislation could expose the CCG to civil liability and to enforcement action by the Information Commissioner’s Office.
Obligations under that legislation are complex but you can help ensure compliance by adhering to the following rules:
- Do not disclose any information about a person in an e-mail or on the Internet which you would object to being disclosed about yourself.
- Be particularly careful when dealing with sensitive information concerning a person’s racial or ethnic origin, sexual life, political beliefs, trade union membership, religious beliefs, physical or mental health, financial matters and criminal offences.
- Do not send person identifiable or confidential data using email unless you are authorised to do so and it is encrypted to the required security standard.
- Do not send any personal data outside the European Economic Area.
7.3.8 Freedom of Information Act
Emails are deemed to be business records and may be subject to disclosure under the Freedom of Information Act 2000.
7.4 Acceptable use of Mobile Devices, Removable Media and Remote Access
Removable media can be classified as any portable device that can store and/or move data. These include, and are not limited to, Universal Serial Bus (USB) Memory Sticks / Pen Drives, Floppy Disks, Read/Write Compact Disk (CD), DVD, ZIP Drives, Magnetic Tapes, etc.
Mobile devices include tablet PCs, laptops, Personal Digital Assistants (PDA’s), mobile phones and blackberry.
7.4.2 General Rules IT Policy代写
In order to prevent damage, compromise or loss of Trust data, the following restrictions will apply to the use of mobile devices and removable media within the Trust:
- Only CCG owned and managed devices should be used to connect to, or synchronise with, the CCG’s IT systems. No privately owned devices should be used. The IT department will advise on suitable PDA or removable media devices.
- The device should only be used for Healthcare (work) related purposes.
- PDAs supplied by the CCG are not permitted to connect to privately owned non-Trust systems.
- Infrared or wireless synchronisation is only to be carried out when it has been specifically agreed and set up by the IT department.
- Confidential and/or person identifiable data must not be stored on devices unless it is protected with at least 256-bit encryption. The IT department can advise on suitable encryption methods.
- The CCG provides encrypted USB sticks for authorised use by staff to transfer any CCG data, including confidential data. However, this data should not be transferred to and stored on any personal equipment (e.g. home PC, laptop or mobile devices such as phones), as such equipment does not offer adequate protection (i.e. encryption) and may lead to unauthorised access to confidential data.
- When transferring data from outside of the CCG, extreme caution must be taken, due to the potential risk of introducing malicious software or viruses onto the CCG’s IT systems. All data must be virus checked prior to transfer.
- If the media or data is no longer required by the user or the CCG, it should be securely erased and/or disposed of by the IT services department using approved methods.
- All removable media and mobile devices should be stored in a safe, secure environment in line with the CCG security policies and manufacturers’ recommendations.
- The CCG may use technical measures to enforce restrictions on the use of portable devices and removable media on USB ports and other connecting interfaces.
- Data stored on removable media should be backed up or transferred to the network at regular intervals to ensure compliance with the NHS Records Retention Schedule and mitigate the risk of business disruption.
- Appropriate security measures should be in place to protect the data on any backup media, including encryption of any person identifiable data and secure physical storage.
- All removable media and mobile devices must be returned to the IT services department if the staff member leaves employment or no longer requires them for their job.
- Remote access to the CCG managed networks must be authorised by the CCG. Only CCG-owned laptops can be used for remote access, and they must be configured with the necessary VPN remote access and security software by the IT department.
- Remote access users should be aware of the security of their connection at any remote location (home, hotel, public hotspot or internet café). It is recommended that home wireless networks are not left on the default or supplier provided settings, and should be configured to use Wi-Fi Protected Access 2 (WPA2) with AES encryption to provide the best level of protection.
- Remote access users must ensure the safekeeping of their VPN security tokens and laptops at all times and that the security token is kept separate from the laptop.
Please refer to the Portable Devices and Remote Access Policies.
7.5 Acceptable Network and System Usage
It is the responsibility of all users to ensure that they adhere to the instructions laid down in this policy.
Before a new user can be allocated an account, they must have signed, understood and agreed to the terms of this policy, indicating that they are aware of their responsibilities. A record of this will be retained by the IT department.
The instructions contained in the policy are special restrictions in force with regard to the CCG related computer systems and network and are clarifications or additions to the normal security measures in force within the CCG. All usual security precautions must be taken in addition to these specific requirements.
There are also strict NHS security requirements for Trust networks that are connected to the national NHS network by way of mandated compliance with the Information Governance Assurance Statement (IGAS – formerly NHS code of connection).
Restrictions
Users with access to the CCG’s network must not attempt or by their actions or deliberate inaction assist others to attempt:
- Unauthorised access to hardware platforms;
- Unauthorised introduction of software or hardware components to the network;
- Unauthorised modification of network components;
- Unauthorised attempts to access the CCG’s network from other networks;
- Unauthorised attempts to access other networks from within the CCG’s networks;
- Unauthorised circumvention of security features such as firewalls, passwords, etc.;
- Unauthorised copying or distribution of software, documentation or media associated with the CCG’s IT systems;
- Unauthorised removal or relocation of hardware, software, documentation or media associated with the Trust’s IT systems.
File Storage and Housekeeping
Users must store their work in the most appropriate place, giving due consideration to confidentiality and availability.
Documents should not be stored locally (e.g. the C: drive) on a desktop computer, laptop or mobile device, as such locations are not backed up and the documents may be irretrievably lost if the device fails or is stolen.
There is also a risk that a lost or stolen device may contain person identifiable or confidential data which could get into the wrong hands.
All new mobile devices (laptops and tablets) must be fully encrypted by the IT department. Older Windows XP devices may have an encrypted folder for sensitive data; these are being phased out. Desktop PCs that are not encrypted and are located in publicly accessible locations should be either fully encrypted or physically secured (e.g. securely cabled to desks).
Documents saved to the network (e.g. drive letters E: to X:) are stored in a secure area and are backed up daily by the IT department.
Folders on network drives can be restricted to specific staff members. It is advised to store files on departmental shared drives and have access to the folder restricted by the IT department to authorised users only. Storing information on departmental drives means that more than one person has access, and the information can be retrieved in cases of unexpected leave etc.
Users must keep data storage to a minimum. Delete obsolete files on a regular basis and never store personal non-business related files on the CCG’s IT equipment. Files should only be deleted in line with the NHS Records Management Code of Practice – Retention Schedules.
If a staff member leaves their post or the CCG, they should ensure that any data is transferred to an appropriate colleague or their manager, as agreed with their line manager or head of department.
User Access Control and System Usage
The IAAs or system managers are responsible for ensuring that access to IT systems is strictly controlled to authorised users with the appropriate level of access permissions granted and that adequate training is provided prior to access being enabled.
The IAAs must also ensure that access to IT systems is regularly monitored for appropriate use and that any misuse is reported immediately to the relevant line manager, IAO and Information Governance Manager; misuse may be subject to the CCG’s formal disciplinary procedure.
Users must adhere to the following rules:
Password rules:
- Never reveal their passwords to anyone;
- Never record or write down their passwords in any form;
- In the event that a password is forgotten, or there are suspicions that it has been discovered by a third party, the user should change their password immediately or contact the appropriate system administrator in order to obtain a new password.
- Use of another individual’s account for any purpose, whether or not their password was disclosed in the process, is strictly prohibited and is a disciplinary offence;
- Passwords must be “strong”, containing a minimum of 9 characters, a mixture of upper and lower case letters, and a mixture of alpha, numeric and symbol characters.
- Neither the username nor the user’s full name should be contained in the password;
- To prevent unauthorised access, all workstations should be secured when left unattended, particularly those in publicly accessible locations. The use of screen lock (‘Windows’ and ‘L’, or ‘Ctrl’, ‘Alt’ and ‘Delete’ followed by the ‘Return’ key) is recommended for short periods of absence. Users should log off shared computers if they may be called away or absent for an extended period, particularly where other staff may need access to the workstation.
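As an added illustration (not part of the policy document), the following Python check implements the password rules listed above; treating any non-alphanumeric, non-space character as a symbol and matching each part of the full name separately are assumptions of this example, not wording from the policy.

```python
"""Checker for the policy's password rules (constructed example, not CCG code)."""

MIN_LENGTH = 9          # policy: "a minimum of 9 characters"
MIN_NAME_PART_LEN = 3   # assumption: ignore initials when matching name parts


def password_policy_violations(password: str, username: str, full_name: str) -> list[str]:
    """Return the list of policy rules the password breaks (empty list = compliant).

    Rules from the policy: minimum length, mixed case, alpha + numeric + symbol
    characters, and neither the username nor the user's full name may appear in
    the password. The symbol definition and per-part name matching are assumptions.
    """
    violations: list[str] = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not any(c.isupper() for c in password):
        violations.append("no_uppercase")
    if not any(c.islower() for c in password):
        violations.append("no_lowercase")
    if not any(c.isdigit() for c in password):
        violations.append("no_digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("no_symbol")

    lowered = password.lower()
    if username and username.lower() in lowered:
        violations.append("contains_username")
    # Check the whole name and each sufficiently long name part, case-insensitively.
    name_parts = [full_name] + full_name.split()
    if any(len(p) >= MIN_NAME_PART_LEN and p.lower() in lowered for p in name_parts):
        violations.append("contains_name")
    return violations


def is_compliant(password: str, username: str, full_name: str) -> bool:
    """True when the password breaks none of the policy rules."""
    return not password_policy_violations(password, username, full_name)


if __name__ == "__main__":
    # Constructed sample user and candidate passwords, not real credentials.
    user, name = "jsmith", "Jane Smith"
    for candidate in ["Tr0ub4dor&3x", "jsmith2017!A", "Smith!2017Ab", "password"]:
        print(candidate, password_policy_violations(candidate, user, name))
```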
General conditions of system use:
- Ensure your user details are accurate and up to date;
- Smartcards that are used for IT access must be kept safe and secure and not left unattended;
- Users must not look at any healthcare or personal information relating to themselves, in any circumstances, or that relating to family, friends or acquaintances unless directly involved in the patient’s clinical care or management. In such circumstances the user must only access information if required to as part of their role.
- Users must not maliciously alter, neutralise, circumvent, tamper with or manipulate any part of the system/application components or any access profiles given to them;
- Users must notify the system administrator at any time should any of their access profiles require amendment or should they wish to have their username/password revoked, e.g. on cessation of their employment/contract or other relevant change in their job role.
- Never use or allow anyone else to use a system without authorisation, i.e. being issued with an individual username and password and undertaking the appropriate systems training.
- Do not deliberately corrupt, invalidate, deface, damage or otherwise misuse any part of the system/application or information stored by them, including but not limited to the introduction of computer viruses or malicious software that may cause damage or disruption to services.
- Only use any username and password, the system/application and all patient or staff data in accordance with the CCG’s Information Governance Policies and Procedures (as available on the Information Governance section of the CCG’s intranet), the NHS Confidentiality Code of Practice (as available on dh.gov.uk) and (where applicable) in accordance with your contract of employment or contract of provision for service (whichever is appropriate) and with any instructions relating to the system which you are notified of.
Multifunction Devices (Printer/Scanner/Photocopier/Fax)
Multifunction devices may copy scanned documents and images onto their internal storage disk or memory before printing, where they may be permanently retained even if no longer required.
Appropriate security measures should be in place to protect such data from unauthorised access, e.g. use of the erasure and encryption features incorporated into these devices by the manufacturer, as well as the secure physical location of such devices.
In addition, support/maintenance arrangements for service/repair of the equipment should comply with CCG security policies. Also, any replacement parts that may hold data should be securely deleted/disposed of by the supplier/maintenance company.
Any multifunction device with a Public Switched Telephone Network (PSTN) dial-up modem connection that is used for faxing should not be connected directly or indirectly (via a PC) to the CCG network, as it poses a serious risk of unauthorised access to the Trust network via the PSTN.
All purchases of multifunctional devices should be reviewed and approved by the IT and Information Governance department to ensure that the risk of storage and unauthorised access to any data on such devices is minimised.
Implementation
The responsibility for implementing this document, including training and other needs that arise, shall remain with the author. Line managers have the responsibility to cascade information on new and revised policies/procedures and other relevant documents to the staff they manage.
Line managers must ensure that departmental systems are in place to enable staff including agency staff to access relevant policies, procedures, guidelines and protocols and to remain up to date with the content of new and revised policies, procedures, guidelines and protocols.
This document has been compiled by the ICT Department in consultation with the Corporate Governance Department.
8 CONSULTATION
This document has been reviewed by the IW NHS Trust ICT team and the Information Security Manager.
This policy assumes that staff are IT literate.
General IT training is provided by the IW NHS Trust Training & Development team.
10 MONITORING COMPLIANCE AND EFFECTIVENESS
The CCG will regularly monitor and audit its acceptable use practices for compliance with this policy and best practice guidelines.
The audit will:
- Identify areas of operation that are covered by the CCG’s policies and identify which procedures and/or guidance should comply with the policy;
- Follow a mechanism for adapting the policy to cover missing areas if these are critical to processes, and use a subsidiary development plan if there are major changes to be made;
- Set and maintain standards by implementing new procedures, including obtaining feedback where the procedures do not match the desired levels of performance; and
- Highlight where non-conformance to the policy is occurring and suggest a tightening of controls and adjustment to related procedures.
The CCG reserves the right to monitor and inspect any e-mail, Internet access and files at any time without notice. Automated monitoring may take place using audit and security software and is intended to ensure that this policy is being adhered to, is effective, and that the CCG and its employees are acting lawfully.
Permission may be granted to a senior manager with overall responsibility for a particular staff member to access that staff member’s email, files or internet logs.
This will only be allowed in exceptional circumstances where the individual is suspected of breaching this policy, or in cases where disciplinary action is being taken against the individual and it will substantially assist with the investigation. Advice should be sought from the Information Governance Manager and authorisation obtained from a director of the CCG.
However, NHSmail cannot be monitored by the CCG, as it is not owned or managed by the IW NHS Trust. The Secretary of State for Health is the appointed Data Controller for NHSmail and the NHS Directory. Procedures for formal data access requests should be obtained from the NHSmail helpdesk.
Failure to follow the requirements of the policy may result in investigation and management action being taken as considered appropriate. This may include formal action in line with the CCG’s Disciplinary and Dismissal Policy and Procedures.
|Monitoring Arrangements||Responsibility / Process / Frequency|
|Process for monitoring e.g. audit||– Internal Audit; – External Audit; – Information Governance Toolkit|
|Responsible individual/ group/ committee||Information Communication Technology Dept|
|Frequency of monitoring|| |
|Responsible individual/ group/ committee for review of results||Information Communication Technology Programme Group|
|Responsible individual/ group/ committee for development of action plan||Information Communication Technology Programme Group|
|Responsible individual/ group/ committee for monitoring of action plan||Information Communication Technology Assurance Subcommittee|