Cumbria Northumberland, Tyne and Wear NHS Foundation Trust Appendix 1 – Summary of User Declaration CNTW(O)65 – Acceptable Use of Intranet and Internet Policy – V02- Oct 18
Document Title: Acceptable Use of Intranet and Internet Policy
Reference Number: CNTW(O)65
Lead Officer: Lisa Quinn, Executive Director of Performance and Assurance
Author(s) (name and designation): Angela Faill, Head of Information Governance and Medico Legal
Ratified by: Business Delivery Group
Date ratified: October 2018
Implementation Date: October 2018
Date of full implementation: October 2018
Review Date: October 2021
Version number: V02.1
Review and Amendment Log
Version | Type of Change | Date | Description of Change
V02 | Review | Oct 18 | Review
V02.1 | Review | Oct 19 | Governance changes
This Policy supersedes the following document which must now be destroyed:
Document Number Title
V02 Acceptable Use of Intranet and Internet Policy
CNTW(O)65
Acceptable Use of Intranet and Internet Policy
Section / Contents
1 Introduction
2 Purpose
3 Duties, Accountability and Responsibilities
4 Definition of Terms
5 Procedure / Process
6 Identification of Stakeholders
7 Training
8 Implementation
9 Fair Blame
10 Fraud, Bribery and Corruption
11 Monitoring Compliance
12 Associated Documents
13 References
Standard Appendices – attached to Policy
A Equality Analysis Screening Toolkit
B Training Checklist and Training Needs Analysis
C Audit Monitoring Tool
D Policy Notification Record Sheet
Appendices – attached to Policy
Appendix No. / Description
1 Summary of User Declaration
Cumbria Northumberland, Tyne and Wear NHS Foundation Trust CNTW(O)65 – Acceptable Use of Intranet and Internet Policy – V02.1 Oct 19
1 Introduction
1.1 In common with other NHS organisations, Cumbria Northumberland, Tyne and Wear NHS Foundation Trust (the Trust / CNTW) operates access to the Internet through its connection to N3 (NHSnet), a private network that operates throughout the NHS and is inaccessible to non-NHS organisations. The Trust also provides an Intranet that is internal to the Trust and provides access to a wide range of Trust-specific information.
1.2 The Internet is a fast and effective electronic means of communicating and gathering information that can enhance the efficiency and effectiveness of staff in the Trust.
The Intranet is a website that is internal to the Trust that will provide access to a wide range of Trust-specific information;
The facilities exist primarily for the purpose of conducting Trust business but can also be used for permitted personal purposes;
The Internet provides a wide-ranging source of information and knowledge but offers no guarantee of accuracy, reliability and authenticity;
The Internet and N3 are now the primary means of communicating policy by the NHS Executive within the NHS organisation;
The Trust will use these facilities to the full (but within available resources and technology) in communicating and cascading information throughout the organisation. Staff are encouraged to familiarise themselves with the facilities and to make use of the Trust’s Intranet site;
Internet facilities employ complex technology which is not guaranteed to be 100% available and staff should not rely wholly and solely on them for critical business. (See the Trust Integrated Emergency Plan).
2 Purpose
2.1 This Policy sets rules and provides guidance for the use of the Trust Intranet and Internet facilities, and ensures that the Trust adheres to the requirements of the ‘Statement of Compliance’ to N3 (SoC).
2.2 This Policy will ensure that staff understand and comply with legal requirements surrounding the use of Intranet and Internet facilities.
3 Duties, Accountability and Responsibilities
Responsibility for implementation and compliance to this Policy lies with the Chief Executive;
The Senior Information Risk Owner (SIRO) has delegated responsibility from the Chief Executive. The SIRO is the Executive Director of Commissioning & Quality Assurance;
The Information Asset Owner (IAO) is responsible for Risk Management of the Internet and Intranet. The Information Asset Owner is the Director of Informatics;
Associate Directors must ensure ownership for implementation throughout their respective Locality Care Groups;
The Director of Informatics has responsibility for ensuring that appropriate safeguards and monitoring facilities are in place;
It is the responsibility of the Information Governance Team to monitor the appropriate use of Internet / Intranet access and alert Trust management where inappropriate use is discovered, in accordance with the Trust Incident Reporting Procedures;
Each and every employee including voluntary and agency staff is responsible for the adherence to this Policy whilst operating any personal computer (or similar equipment), accessing the Trust’s Internet / Intranet. Failure to adhere to this Policy may result in disciplinary action.
4 Definition of Terms
N3:
Formerly known as NHSnet. A virtual private network that operates throughout the NHS and is inaccessible to non-NHS organisations.
Pornography
Pornography can take many forms, for example textual descriptions, still and moving images, cartoons and sound files. Some pornography is illegal in the UK and some is legal. The law makes it an offence under the Obscene Publications Act 1959 and 1964 to publish, whether for gain or not, any content whose effect will tend to "deprave and corrupt" those likely to read, see or hear the matter contained or embodied in it.
Copyright
Copyright is a term used to describe the rights under law that people have to protect original work they have created. The original work can be a computer program, document, graphic, film or sound recording, for example. Copyright protects the work to ensure no one else can copy, alter or use the work without the express permission of the owner. In the case of computer software, users purchase a licence to use the work. The organisation purchases licences on behalf of its users.
5 Procedure / Process
5.1 Core Principles
All Staff will have access to the Intranet and Internet;
Recognised staff organisations, including Trade Unions, will have access to the Intranet and Internet;
Non NHS Organisations and third parties may also have access to Intranet and Internet;
Personal use of the facilities will be limited and within prescribed areas;
Safeguards will be established to protect the security, integrity and availability of the Trust’s systems;
The requirements of relevant Acts of Parliament and mandatory National Policies will be observed at all times;
Staff awareness of copyright and contractual issues will be raised.
5.2 Common Standards – Internet and Intranet
5.2.1 Access
5.2.1.1 All users are required to complete an ‘E-mail and Internet Services - User Code of Connection’ Form (or any electronic equivalent introduced by the Informatics Department), which needs to be submitted to the Trust’s IT Service Desk before access is granted. Access must be acknowledged by the individual to confirm that they have been made aware of and will adopt good working practices, and that they have read and understood this Acceptable Use Policy.
5.2.2 Personal Use
5.2.2.1 Limited personal use of Internet facilities is permitted, during scheduled breaks and with permission of Line Managers, provided that the material accessed is appropriate and is not potentially offensive to others. The Trust may from time to time block certain sites. The use of the Internet for personal transactions only, such as booking reservations or tickets or the purchase of any goods or services for personal use, is permitted. Employees should regard this facility as a privilege that should not be abused and should normally be exercised in their own time and without detriment to the job. Inappropriate or excessive use may result in disciplinary action and / or removal of facilities. Staff should be aware that Internet access will be subject to monitoring.
5.3.3 Inappropriate Use
5.3.3.1 In accordance with Trust Workforce (HR) Policies, access to websites that contain inappropriate material is strictly forbidden, e.g. pornography, instruction on criminal or terrorist skills, adult themed chat sites, promotion of cults, gambling, content or statements of a nature which are liable to cause offence to others (this list is not exhaustive), or any other material likely to bring the Trust into disrepute.
5.3.3.2 The Trust runs software to filter access to inappropriate sites. Due to the
dynamic nature of the Internet, this software may not always filter inappropriate material. Employees should operate the ‘Back’ button immediately should they inadvertently access unsuitable material and report this immediately to the IT Service Helpdesk (this may be done on-line if out of hours). Purposeful access or downloading of such material shall be deemed an act of gross misconduct. However, the Trust notes that access to subjects and sites of a potentially contentious nature may be appropriate in some areas of normal operation and / or in specific circumstances, e.g. sex education, youth advice, counselling on gambling, approved research, etc. The Trust therefore places special responsibilities of care on staff operating in such areas to ensure that such access is necessary and that other users, staff and members of the community are not exposed to any such material without good cause. Access to such sites must not be excessive for the intended purpose, and must be agreed with line managers, then documented appropriately.
5.3.4 Commercial Use
5.3.4.1 Staff must not use the Internet or Intranet to conduct transactions in pursuit of their own or other person’s commercial or business interests nor in such a way as to implicate the Trust in those transactions. This is a direct breach of the Trust’s compliance with the N3 ‘Statement of Compliance’ (SoC). If in doubt, staff should consult the Information Governance Department.
5.3.5 Copyright
5.3.5.1 Files must not be downloaded from the Internet and used in such a way as to violate copyright laws. Even if downloading and / or streaming is permissible under copyright law, there may be restrictions with regard to copying, forwarding, or otherwise distributing files. Staff should be aware that copyright law includes music. Therefore music tracks such as MP3’s videos must not be downloaded or streamed.
5.3.6 Viruses
5.3.6.1 Viruses can damage computer systems, destroy data, cause disruption and incur considerable expense for the Trust. The Trust will provide an Antivirus solution and staff must not alter or change the configuration under any circumstances. All files downloaded from the Internet must be virus checked before use. Employees must not independently load software onto their PCs (this includes screen-savers). All software installations must be arranged with the Informatics Department.
5.3.7 Internet Service Providers
5.3.7.1 Internet access must be via the Trust’s network provided equipment in all instances. The use of modems is strictly prohibited on the Trust network. Through connection to N3, Organisations have the ability to send messages and documents globally across the Internet. E-mail being transmitted across the Internet is completely insecure without encryption. No patient identifiable / confidential information must be sent over the Internet without the use of an approved encryption certificate.
5.3.7.2 Many employees of the Trust will have private external E-mail accounts (webmail) that are provided by Internet Service Providers (ISPs), which may be accessible via the Web, e.g. Hotmail accounts etc. These accounts must under no circumstances be used to transfer confidential Organisational information or for the transfer of confidential person identifiable information. No E-mails containing such information are to be sent to or from these accounts. No confidential person identifiable information should be stored on the Internet via Cloud file storage.
5.3.7.3 Employees wishing to use personal mobile broadband on Trust premises must seek approval from their Line Manager.
5.3.8 Blocking of Inappropriate Content
5.3.8.1 The Trust employs software to enable the blocking of sites, the content of which is deemed inappropriate, or where access may cause excessive use of bandwidth.
Attempts to access web sites that display inappropriate content will be logged by the system and may result in disciplinary action being taken against the individual concerned up to and including dismissal.
5.3.8.2 Suspected attempts to access certain categories of site, specifically those which display any material likely to be illegal, such as child abuse or obscene images which seek to deprave, will result in immediate notification to the Police for immediate investigation. Attempting to access this type of material is a criminal offence.
5.3.8.3 All use of the Internet will be logged by the system and monitored.
5.3.8.4 Where a user identifies a site that has been blocked that they require access to as part of their work, they can make a request to have the site opened for use, via the Informatics Service Desk. Any decision to unblock a site for a particular user, group of users or Trust wide will be considered by the Information Governance Team in the first instance.
6 Identification of Stakeholders
6.1 This is an existing Policy with additional / changed content that relates to operational and / or clinical practice and was therefore circulated to the following for a four week consultation period:
North Locality Care Group
Central Locality Care Group
South Locality Care Group
North Cumbria Locality Care Group
Corporate Decision Team
Business Delivery Group
Safer Care Group
Communications, Finance, Informatics
Commissioning and Quality Assurance
Workforce and Organisational Development
NTW Solutions
Local Negotiating Committee
Medical Directorate
Staff Side
Internal Audit
7 Training
7.1 Training of the key elements of this Policy is incorporated into the annual Information Governance training mandated to all staff.
7.2 Where additional training is required it is the responsibility of both managers and staff to ensure that this is undertaken and that attendance is verified and recorded.
8 Implementation
8.1 Taking into consideration all the implications associated with this policy, it is considered that a target date of November 2018 is achievable for the contents to be implemented across the Trust.
9 Fair Blame
9.1 The Trust is committed to developing an open learning culture. It has endorsed the view that, wherever possible, disciplinary action will not be taken against members of staff who report near misses and adverse incidents, although there may be clearly defined occasions where disciplinary action will be taken.
10 Fraud, Bribery and Corruption
10.1 In accordance with the Trust’s Policy CNTW(O)23 – Fraud, Bribery and Corruption Policy / Response Plan, all suspected cases of fraud and corruption should be reported immediately to the Trust’s Local Counter Fraud Specialist or to the Executive Director of Finance.
11 Monitoring Compliance
11.1 Responsibility for monitoring compliance with this Policy locally lies with Associate Directors and Line Managers.
11.2 The Information Governance Team will monitor compliance with this Policy through observation, spot checks and through incident management in line with the Trust Incident Reporting Process.
11.3 Any compliance issues will be reported to the Line Managers concerned and may be handled through staff disciplinary processes or contractual arrangements.
11.4 Incident Reporting
11.4.1 All incidents involving the loss of data, whether encrypted or unencrypted, must be reported immediately to the Information Governance and dealt with in accordance with the Trust Incident Reporting Procedure (see Trust Policy CNTW(O)05 - Incident Reporting and Procedures).
12 Associated Documents
CNTW(HR)04 - Disciplinary Policy
CNTW(HR)24 – Social Media Policy
CNTW(O)05 - Incident Policy (including the management of Serious Untoward Incidents and associated practice guidance notes (PGNs))
IP-PGN-14 – Reporting of Information Governance Incidents
CNTW(O)08 - Dignity and Respect at Work Policy
CNTW(O)09 - Management of Records Policy (and associated PGNs)
CNTW(O)29 - Confidentiality Policy (and associated PGN)
CNTW(O)33 - Risk Management Policy
CNTW(O)35 - Information Security Policy
CNTW(O)43 - Freedom of Information Policy
CNTW(O)55 - Information Risk Policy
CNTW(O)62 - Information Sharing Policy
13 References
http://www.connectingforhealth.nhs.uk/
www.iwf.org.uk/
Appendix A
Equality Analysis Screening Toolkit
Names of Individuals involved in Review: Angela Faill
Date of Initial Screening: October 2018
Review Date: October 2021
Service Area / Locality: Trustwide
Policy to be analysed: CNTW(O)65 Acceptable use of Intranet and Internet Policy
Is this policy new or existing? New
What are the intended outcomes of this work? Include outline of objectives and function aims
This Policy sets rules and provides guidance for the use of the Trust Intranet and Internet facilities, and ensures that the Trust adheres to the requirements of the ‘Statement of Compliance’ to N3 (SoC).
Who will be affected? e.g. staff, service users, carers, wider public etc
Staff, Service Users and the wider public.
Protected Characteristics under the Equality Act 2010. The following characteristics have protection under the Act and therefore require further analysis of the potential impact that the policy may have upon them
Disability N/A
Sex N/A
Race N/A
Age N/A
Gender reassignment (including transgender) N/A
Sexual orientation N/A
Religion or belief N/A
Marriage and Civil Partnership N/A
Pregnancy and maternity N/A
Carers N/A
Other identified groups N/A
How have you engaged stakeholders in gathering evidence or testing the evidence available?
Through standard Policy consultation mechanisms.
How have you engaged stakeholders in testing the policy or programme proposals?
Through standard Policy consultation mechanisms.
For each engagement activity, please state who was involved, how and when they were engaged, and the key outputs:
Through standard Policy consultation mechanisms.
Summary of Analysis Considering the evidence and engagement activity you listed above please summarise the impact of your work. Consider whether the evidence shows potential for differential impact, if so state whether adverse or positive and for which groups. How you will mitigate any negative impacts. How you will include certain protected groups in services or expand their participation in public life.
N/A
Now consider and detail below how the proposals impact on elimination of discrimination, harassment and victimisation, advance the equality of opportunity and promote good relations between groups. Where there is evidence, address each protected characteristic
Eliminate discrimination, harassment and victimisation
N/A
Advance equality of opportunity N/A
Promote good relations between groups N/A
What is the overall impact?
N/A
Addressing the impact on equalities N/A
From the outcome of this Screening, have negative impacts been identified for any protected characteristics as defined by the Equality Act 2010? No
If yes, has a Full Impact Assessment been recommended? If not, why not?
Manager’s signature: Angela Faill Date: October 2018
Appendix B Communication and Training Check list for policies
Key Questions for the accountable committees designing, reviewing or agreeing a new Trust policy
Is this a new policy with new training requirements or a change to an existing policy?
This is an existing policy.
If it is a change to an existing policy are there changes to the existing model of training delivery? If yes specify below.
N/A
Are the awareness/training needs required to deliver the changes by law, national or local standards or best practice?
Please give specific evidence that identifies the training need, e.g. National Guidance, CQC, NHS Resolutions etc.
Please identify the risks if training does not occur.
Ensure that all staff are made aware of Trust Policy, Legal and N3 Code of Connection requirements.
Please specify which staff groups need to undertake this awareness/training. Please be specific. It may well be the case that certain groups will require different levels e.g. staff group A requires awareness and staff group B requires training.
Trustwide
Is there a staff group that should be prioritised for this training / awareness?
It is essential that all staff groups within the Trust are made aware of the policy and the responsibilities associated with the legislation and guidance.
Please outline how the training will be delivered. Include who will deliver it and by what method. The following may be useful to consider: Team brief/e bulletin of summary; Management cascade; Newsletter/leaflets/payslip attachment; Focus groups for those concerned; Local Induction Training; Awareness sessions for those affected by the new policy; Local demonstrations of techniques/equipment with reference documentation; Staff Handbook Summary for easy reference; Taught Session; E Learning.
Team brief, CEO Bulletin, Intranet, face to face training, E learning, Staff IT Handbook
Please identify a link person who will liaise with the training department to arrange details for the Trust Training Prospectus, Administration needs
Head of IG and Medico Legal.
Appendix B – continued
Training Needs Analysis
Staff / Professional Group | Type of Training | Duration of Training | Frequency of Training
All | Mandatory IG Training | 1 hour | Annual
Should any advice be required, please contact: - 0191 245 6777 (internal 56777) Option 1
Appendix C Monitoring Tool
Statement The Trust is working towards effective clinical governance and governance systems. To demonstrate effective care delivery and compliance, Policy authors are required to include how monitoring of this policy is linked to Auditable Standards / Key Performance Indicators will be undertaken using this framework.
CNTW(O)65 – Acceptable Use of Intranet and Internet Policy - Monitoring Framework
Auditable Standard / Key Performance Indicator 1: The Trust will ensure that appropriate controls are in place to provide security to networked facilities
Frequency / Method / Person Responsible: The Trust network is subject to an Annual Risk Assessment by the Information Asset Owner / Information Asset Administrator which will include access to Internet and Intranet
Where Results and Any Associate Action Plan Will Be Reported To and Monitored (this will usually be via the relevant Governance Group): Identified risks will be reported via Information Asset Owner to the Senior Information Risk Owner annually and reported to Caldicott and Health Informatics Group

Auditable Standard / Key Performance Indicator 2: The most current version of anti-virus software will be available on all Trust computers
Frequency / Method / Person Responsible: The Trust network is subject to an Annual Risk Assessment by the Information Asset Owner / Information Asset Administrator.
Where Results and Any Associate Action Plan Will Be Reported To and Monitored: Identified risks will be reported via Information Asset Owner to the Senior Information Risk Owner annually or if and when an incident occurs

Auditable Standard / Key Performance Indicator 3: All incidents or breaches of policy are clearly and accurately recorded through the reporting of incidents
Frequency / Method / Person Responsible: Incidents discussed at Information Governance Incident Management Group. Bi-monthly Incident Report through Caldicott and Health Informatics Group
Where Results and Any Associate Action Plan Will Be Reported To and Monitored: Caldicott and Health Informatics Group
The Author(s) of each Policy is required to complete this monitoring template and ensure that these results are taken to the appropriate reporting Governance Group as above in line with the frequency set out.
Appendix 1
Summary of User Declaration
Internet and E-mail Services are provided for those purposes directly related to a user’s work or areas of legitimate research and operational services.
Limited personal use of the services is permitted. Always obtain management consent for such usage, and do not abuse the privilege.
No illicit material will be sent / viewed / downloaded or obtained via the Internet or E-mail. Advice should be taken from the Information Governance Department where there is any doubt.
The Trust will provide an Antivirus solution and staff must not alter or change the configuration under any circumstances.
Forwarded material may be subject to copyright and all copyright restrictions must be adhered to.
Unlicensed or unauthorised software must not be installed on any PC.
Care must be taken when sending E-mails to ensure that they are addressed to the intended recipients only.
Breaches of security, abuse of services or non-compliance with the Trust’s Information Security Policy or the Code of Connection, may result in the withdrawal of E-mail and Internet Services.
The Trust’s Disciplinary Procedure will be invoked should abuse of E-mail Services or non-compliance with the Code of Connection occur.
USER ACCEPTANCE:
I have read and understand the E-mail and Internet Services Code of Connection and agree to abide by it.
User Signature: …………………………………………………………………..
Name (please print): …………………………………………………………..…
Telephone No: ……………………
Date: ………………………………....
Department / Directorate: ………………………………………………