HBL ICT Services
Version 8.0 E-Mail and Internet Policy Page 1 of 23
E-Mail and Internet Policy
Document reference
Title: E-Mail and Internet Policy
Product ID:
Version Number: 8.0
Status: Live
Distribution / Issue date: 12 November 2014
Author: K. Fairbrother
Review Period: 2 Years
Owner / Owning entity: HBL ICT Services
Approver / Approval entity: IT Security Forum / SMT / Information Governance Committee
Authoriser / Authorisation entity: SIRO / IG Leads / HBL IT Director
Document control and revision history
Version Revision date Details of Amendment Amended by Checked by
Draft Sept 2007 Initial Draft John Hepburn
1.0 October 2007 V1 Live John Hepburn
2.0 April 2010 V2 Review John Hepburn
3.0 May 2010 Organisational Change / Formatting John Hepburn
4.0 Sept 2012 Amendments Keith Fairbrother
5.0 October 2012 Amendments Keith Fairbrother
6.0 May 2013 Amendments Keith Fairbrother
7.0 June 2013 Amendments Martin Wallis
8.0 October 2014 Organisational Change / Formatting Keith Fairbrother
8.0 November 2014 HBL ICT SMT Approval HBL ICT SMT
8.0 January 2015 Minor amendments following ENHCCG IG Forum David Hodson
Enclosures
Enclosures
1. None.
Embedded files
1. None.
Distribution
External
Action: IG Reference Groups (HCT, HPFT, ENHCCG, HVCCG, BCCG, LCCG)
Information:
Internal
Action: None
Information: None
Contents
1. Executive Summary
2. Introduction
3. Terms / Acronyms Used
4. Purpose and Scope
4.1 Purpose
4.2 Scope of the Policy
4.3 Local Variation
4.4 Legal Framework
5. Electronic Mail and Internet Services
6. Permissible Uses of Electronic Mail and Internet
6.1 Authorised users
6.2 Purpose and use
6.3 Transmission of Confidential Information
6.4 Prohibited uses of e-mail and internet
6.5 Restrictions on Internet Sites
6.6 Contents of messages and internet material
6.7 Inappropriate or offensive inbound E-Mail
6.8 Unsolicited or ‘junk’ mail
6.9 Privacy and confidentiality
7. Access and disclosure of electronic communications
7.1 General Provisions
7.2 Monitoring of communications
7.3 Inspection and disclosure of communications
7.4 Special procedures for monitoring and disclosure
8. Disciplinary Action
9. Compliance
10. References
11. Related Policies and Documents
12. Appendix 1 – Equality Impact Assessment Stage 1 Screening
13. Appendix 2 – Privacy Impact Assessment Stage 1 Screening
14. Appendix 3 – E-Mailing Personal Confidential Data
14.1 Introduction
14.2 NHSMail Service
14.3 Limited Facility on the Trust’s Outlook Service
14.4 E-Mailing information to Patients/Service Users
14.5 Exceptions to the Encryption Rules
1. Executive Summary
The E-Mail and Internet Policy sets out the commitment of the Trust/CCG (The Organisation) to
preserve the confidentiality, integrity and availability of electronic communications and to ensure
that such electronic communications are effectively and lawfully managed.
The Policy aims to ensure that:-
o The E-Mail and internet services used by the organisation are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;
o Confidentiality and integrity of information communicated electronically is maintained at all times;
o Staff are aware of their responsibilities and adhere to the provisions of the policy;
o Procedures are in place to detect and resolve possible security breaches and to prevent a recurrence.
This policy applies to:
o All E-Mail and internet services used by the organisation and the information communicated electronically, processed or stored using these services;
o All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;
o Any other persons granted access to the organisation’s E-Mail and internet services;
o All locations from which the organisation’s E-Mail and internet services can be accessed.
Application of the policy will assist in compliance with the organisation’s Information Security Policy, information related legislation, NHS Information Security Standards and NHS Information Governance Standards.
2. Introduction
o The organisation is committed to ensuring that diversity, equality and human rights are
valued. We will not discriminate either directly or indirectly and will not tolerate
harassment or victimisation in relation to gender, marital status (including civil
partnership), gender reassignment, disability, race, age, sexual orientation, religion or
belief, trade union membership, status as a fixed-term or part-time worker,
socio-economic status and pregnancy or maternity.
o The organisation works to a framework for handling personal information in a confidential
and secure manner to meet ethical and quality standards. This enables National Health
Service organisations in England and individuals working within them to ensure personal
information is dealt with legally, securely, effectively and efficiently to deliver the best
possible care to patients and clients.
o The organisation, via the Information Governance Toolkit, provides the means by which
we can assess our compliance with current legislation, Government and National
guidance.
o Information Governance covers: Data Protection & IT Security (including smart cards),
Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom
of Information Regulations and Information Quality Assurance.
3. Terms / Acronyms Used
DH = Department of Health
EU = European Union
HSCIC = Health and Social Care Information Centre
ICT = Information and Communications Technology
IM&T = Information Management and Technology
IT = Information Technology
NHS = National Health Service
PCD = Personal Confidential Data
PCs = Personal Computers
SIRO = Senior Information Risk Owner
UK = United Kingdom
4. Purpose and Scope
4.1 Purpose
The E-Mail and Internet policy sets out the commitment of the organisation to preserve the
confidentiality, integrity and availability of electronic communications and to ensure such
electronic communications are effectively and lawfully managed.
The Policy aims to ensure that:-
o The E-Mail and Internet services used by the organisation are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;
o The information contained in or processed by these systems is kept secure;
o Confidentiality, integrity and availability are maintained at all times;
o Staff are aware of their responsibilities and adhere to the provisions of the policy;
o Procedures are in place to detect and resolve security breaches and to prevent a recurrence.
4.2 Scope of the Policy
This policy applies to:
o All E-Mail and Internet services used by the organisation and the information communicated electronically, processed or stored using these services;
o All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;
o Any other persons granted access to the organisation’s E-Mail and Internet services;
o All locations from which the organisation’s E-Mail and Internet services can be accessed.
4.3 Local Variation
Variation to some parts of the policy may be allowed where local conditions do not permit full implementation. Applications for such variation must be made to the Head of Infrastructure and must be approved by the Director of HBL ICT Services (to ensure the security of shared infrastructure and that Information Security requirements are met) and, should the assessed level of risk warrant it, by the Information Governance Sub Committee, before being introduced.
4.4 Legal Framework
This policy is compliant with relevant legislation, Department of Health and NHS regulations and guidance and the policies and procedures of partner organisations; principally:-
UK and EU legislation, including:
o Data Protection Act (1998)
o Freedom of Information Act (2000)
o Human Rights Act (1998)
o Computer Misuse Act 1990
o Communications Act (2003) & Electronic Communications Act (2006)
o Regulation of Investigatory Powers Act (2000)
o Copyright, Designs and Patents Act (1988)
o Health and Social Care Act 2012
o Caldicott 2 Review
o Care Act 2014
Department of Health and NHS Regulations and Guidance, including:
o Guide to Confidentiality in Health and Social Care
o NHS IM&T Security Manual
o NHS Information Governance Standards
o NHS Statement of Compliance
Standards for Information Security Management ISO27001 & ISO27002
Policies and procedures including:
o Policies, procedure & guidance on the management of patient/client records
5. Electronic Mail and Internet Services
E-mail and Internet services are provided solely for the conduct of official organisation business
and are subject to the organisation’s Information Security Policy.
These services and the associated systems and information are the property of the
organisation. This includes all hardware, software and all data that are stored within the
systems, any messages, attachments and downloads.
6. Permissible Uses of Electronic Mail and Internet
6.1 Authorised users
Staff will be given a username and/or a smartcard and a password to access the systems they
are authorised to use. These will identify the user to the system.
Contractors and other persons working on behalf of the organisation may be given authority to
use these services in accordance with the organisation’s policies and subject to appropriate
authorisation.
6.2 Purpose and use
The use of any E-Mail and Internet resources must be related to the legitimate business activity
of the organisation and its partners. This includes authorised professional and academic
pursuits.
Incidental and occasional personal use of E-Mail and Internet may be permitted at the discretion
of the appropriate senior manager. Any personal use will also be subject to the provisions of
this policy.
6.3 Transmission of Confidential Information
All personal confidential data (PCD) must be encrypted, in accordance with DH standards,
before or during transmission. Refer to Appendix 3 of this document and policy document
[Guidance on the use of E-Mail when sending PCD] for further information.
All exchanges or transmission of unencrypted PCD must have the prior authorisation of the
organisation’s Caldicott Guardian and/or SIRO.
6.4 Prohibited uses of e-mail and internet
o Use of another person’s identity (username/password or smartcard) to access E-Mail and Internet services;
o Use of E-Mail and Internet resources for personal monetary gain or for commercial purposes that are not directly related to the organisation’s business;
o Personal use that creates a cost or inconvenience for the organisation;
o Intercepting or opening E-Mail or electronic files addressed to another recipient without their permission (except for authorised employees in the course of the organisation’s business);
o Use of E-Mail to harass or intimidate others or to interfere with the ability of others to conduct the organisation’s business;
o Disguising an E-Mail identity in an attempt to deceive the recipient of the source or identity of the sender;
o Use of electronic mail systems for any purpose restricted or prohibited by law or regulations;
o Inclusion of the work of others into E-Mail in violation of copyright laws. Employees have a responsibility to ensure that copyright and licensing laws are not breached when composing or forwarding E-Mails and E-Mail attachments;
o Unauthorised access or attempted access to E-Mail or attempted breach of any security measures on any systems;
o Viewing, distributing or contributing to illegal or inappropriate materials on the internet, including material that might be offensive to others;
o The distribution of chain letters, inappropriate humour, explicit language or offensive images or material;
o Downloading of any files that could jeopardise the security and integrity of the organisation’s networks or systems;
o Injudicious use of work time and facilities for private purposes that impinges on working;
o The sending and receiving of NHS related information, especially PCD, using public E-Mail systems (Gmail, Hotmail, Yahoo, Facebook, Twitter etc.) other than in compliance with Appendix 3 of this document and policy document [Guidance on the use of E-Mail when sending PCD].
6.5 Restrictions on Internet Sites
Restrictions will be placed on access to any internet site that could be regarded as a threat to
services, systems and resources, that interferes with the use of the network or other services or
to any site that is considered inappropriate.
This will include, (but is not limited to):
o Sites that attempt to propagate malicious code or any other threat;
o Sites containing information that is inappropriate, offensive or unlawful (such as pornography, racial bias, gambling and games);
o Downloads or data transfers that threaten or interfere with network or other resources (such as executable files);
o Sites that provide ‘cloud-based’ storage functionality (such as huddle, SkyDrive, iCloud, Dropbox, etc.) except where explicitly approved.
Applications for variation to this policy must be made to the Head of Infrastructure and must be approved by the Director of HBL ICT Services (to ensure the security of shared infrastructure and that Information Security requirements are met) and, should the assessed level of risk warrant it, by the Information Governance Sub Committee, before being introduced.
Restrictions may be changed or introduced without notice or consultation to preserve the
confidentiality, integrity and availability of critical network resources.
6.6 Contents of messages and internet material
Messages and Internet material must not contain anything that may be considered offensive or
disruptive to the organisation or their stakeholders. Offensive content would include, but would
not be limited to, sexual comments or images, illegal or unauthorised software, racially biased
materials, gender-specific comments or any comments/material that would offend someone on
the basis of his or her age, sexual orientation, religious or political beliefs, national origin, or
disability. Messages and internet material must not contain anything which could be regarded
as libellous.
6.7 Inappropriate or offensive inbound E-Mail
Inbound E-Mails may contain inappropriate or offensive material that is beyond the control of
the organisation. Receipt of such E-Mails should be reported to the ICT Service Desk.
6.8 Unsolicited or ‘junk’ mail
This is E-Mail received from senders you do not know or companies you do not do business
with. Examples are unsolicited advertising for goods or services or warnings of supposed new
viruses. As soon as these E-Mails are detected they should be deleted. Do not forward or reply
to such E-Mails or visit sites contained in such E-Mails.
6.9 Privacy and confidentiality
The nature and technology of electronic communication means that the privacy of an
individual’s use of the E-Mail system, or the confidentiality of messages, cannot be ensured.
Messages may be received or monitored by someone other than the intended recipient.
All reasonable efforts will be made to maintain the integrity and availability of the organisation’s
electronic communications systems. However, the organisation’s systems should not be relied
upon as a secure medium for the communication of sensitive or confidential information.
7. Access and disclosure of electronic communications
7.1 General Provisions
To the extent permitted by law, the organisation reserves the right to access and disclose the
contents of any electronic communications without the consent of the user. This right will be
exercised when there is believed to be a legitimate business reason to do so including, but not
limited to, those listed in Paragraphs 7.2 and 7.3 below and with the authority of a Director of the
organisation.
The E-Mail systems should be treated like a shared filing system, i.e., with the expectation that
communications sent or received may be made available for review by any authorised
employee for purposes related to the organisation’s business.
E-Mail may constitute “personal records” and be subject to the provisions of the Data Protection
Act 1998 and the Access to Health Records Act. The data subject has the right to access any
such records.
Any user who sends or receives communications using non-standard encryption devices to
restrict or inhibit access must provide access to such encrypted communications when
requested to do so by the Director of HBL ICT Services or Head of Infrastructure.
7.2 Monitoring of communications
To the extent permitted by law, all electronic communications and their content will be
monitored for purposes of:
o Maintaining the integrity and effective operation of systems managed or supported by the organisation;
o Ensuring compliance with the organisation’s policies and procedures and compliance with legislation and statute law.
The organisation retains the right to access, review, copy and delete any material created,
stored or transported on its systems. This includes but is not limited to messages sent, received
or stored on the e-mail system and any material accessed or downloaded from the internet.
Volumes of electronic communication will be monitored routinely including the source,
destination and subject of the communication.
7.3 Inspection and disclosure of communications
The organisation reserves the right to inspect and disclose the contents of electronic communications:
o To discharge legal obligations and legal processes and any other obligations to employees, clients, patients, customers and any third parties (in particular, when disclosure is requested under provisions of the Data Protection Act (1998) or the Freedom of Information Act (2000)).
o To locate substantive information required for the organisation’s business that is not readily available by other means.
o To safeguard assets and to ensure they are used in an appropriate manner.
o In the course of an investigation into alleged misconduct.
7.4 Special procedures for monitoring and disclosure
Prior approval must be obtained from the appropriate Director to gain access to the contents of electronic communications or data stores, and disclose information gained from such access.
8. Disciplinary Action
Breach of any aspect of this policy will be subject to disciplinary action in line with the organisation’s disciplinary policies. Serious breaches will be regarded as gross misconduct and may result in dismissal.
9. Compliance
Compliance with this policy will be monitored both electronically and by means of audits and spot checks.
10. References
See Legal Framework – Para 4.4, above
11. Related Policies and Documents
Records Management Policy
Standing Financial Instructions
Data Quality Policy
Information Security Policy
Guidance on the use of E-Mail when sending Personal Confidential Data (PCD)
Mobile Device Security Policy
Telecommunications Policy
Information Governance Policy
Serious Incidents Requiring Investigation Policy
Confidentiality Code of Conduct
12. Appendix 1 – Equality Impact Assessment Stage 1 Screening
1. Policy EIA Completion Details
Title: E-Mail and Internet Policy
Proposed
Existing
Review Date: October 2015
Date of Completion: 31 October 2014
Names & Titles of staff involved in completing the EIA: Keith Fairbrother – Head of Infrastructure
2. Details of the Policy. Who is likely to be affected by this policy?
Staff Patients Public
3. Impact on Groups
Columns: Probable impact on group? High, Medium or Low (Positive / Adverse / None); Please explain your answers
o Race, ethnicity, nationality, language etc.
o Gender (inc. transgender)
o Disability, inc. learning difficulties, physical disability, sensory impairment etc.
o Sexual Orientation
o Religion or belief
o Human Rights
o Age
o Other:
No impact on any of the groups above.
Policy applies equally to all staff
4. Which equality legislative Act applies to the policy?
Human Rights Act 1998
Sex Discrimination Act
Race Relations Act
Disability Discrimination Act
Gender Recognition Act 2004
Mental Health Act 1983
Equality Act 2006
Mental Capacity Act 2005
Age Equality Regulations 2006
Equal Pay Act
Sexual Orientation Regulations 2003
Religion or Belief Regulations 2003
Health & Safety Regulations
Part time Employees Regulations
Civil Partnership Act 2004
5. How could the identified adverse effects be minimised or eradicated?
Not Applicable
6. How is the effect of the policy on different Impact Groups going to be monitored?
Not Applicable
13. Appendix 2 – Privacy Impact Assessment Stage 1 Screening
1. Policy PIA Completion Details
Title: E-Mail and Internet Policy
Proposed
Existing
Review Date: October 2015
Date of Completion: 31 October 2014
Names & Titles of staff involved in completing the PIA: Keith Fairbrother – Head of Infrastructure
2. Details of the Policy. Who is likely to be affected by this policy?
Staff Patients Public
Columns: Yes / No / Please explain your answers
Technology
Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards)
Application of the policy will minimise potential for privacy intrusion.
Identity
By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.)
Application of the policy will ensure integrity of information.
By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats?
Application of the policy will ensure integrity of information.
Multiple Organisations
Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)
Policy applies to organisation only. All other NHS organisations have similar policy based on the same standards.
Data
By adhering to the policy is there likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)
Application of the policy will ensure integrity of information during processing.
If Yes to any of the above have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department?
14. Appendix 3 – E-Mailing Personal Confidential Data
The details within this Appendix are to be used as a supplemental guide to the document
‘Guidance on the use of E-Mail when sending PCD’.
14.1 Introduction
The Secretary of State for Health has directed that all E-Mails containing personal confidential data must be encrypted unless there is some substantial reason that overrides or modifies the confidentiality due to the person - see Paragraph 14.6, below. This applies both to information in the body of the E-Mail or in any attachments to the E-Mail.
The organisation has 2 methods available for sending encrypted E-Mail and these are described below.
14.2 NHSMail Service
The NHSMail service is provided by the NHS nationally and available to all NHS staff. It is the only nationally approved method of sending PCD relating to patients.
NHSMail addresses take the form: [email protected]
The important part is the .nhs.net suffix which identifies it as an NHSMail address. (The organisation’s standard E-Mail addresses have a suffix .nhs.uk. It is not an NHSMail service.)
Using the NHSMail service you can send E-Mails containing PCD to:
o Other NHSMail addresses, i.e. with the suffix .nhs.net
o The secure E-Mail services with the following addresses:
   o [email protected]
   o [email protected]
   o [email protected]
   o [email protected]
   o [email protected]
   o [email protected]
   o [email protected]
   o [email protected]
   o [email protected]
You cannot send E-Mails containing PCD from your NHSMail account to any other address.
(If you do not have an NHSMail account you can enrol yourself at www.nhs.net or contact the ICT Service Desk)
14.3 Limited Facility on the Trust’s Outlook Service
The organisation’s standard Outlook E-Mail service has an address in the form:
o @hchs.nhs.uk
o @hertspartsft.nhs.uk
o @hpft.nhs.uk
o @enhertsccg.nhs.uk
o @hertsvalleysccg.nhs.uk
o @lutonccg.nhs.uk
o @bedfordshireccg.nhs.uk
Please refer to document ‘Guidance on the use of E-Mail when sending PCD’ for further details.
When using Outlook encryption you need to be aware of the following limitations and take the recommended action:
Outlook will warn you if it cannot encrypt the E-Mail. This can happen for a variety of reasons: the recipient cannot read encrypted E-Mail, it is being sent to a group address etc. You will need to use an alternative means of sending the person identifiable information.
Encrypted Outlook E-Mails can only be read by the addressee and cannot be read by any delegates nominated by the addressee. You must address the E-Mail to all the people who need to read it.
Encrypted E-Mails will not always be found when searches are performed for Data Protection Act or Freedom of Information Act requests. Encrypted E-Mails must be saved outside the Outlook system either by:
o exporting them to a file and storing them on the appropriate place on SystmOne or a shared network drive;
o or by printing them and filing the paper copy in the data subject’s file.
As a general rule, Caldicott principles must be applied when sending E-Mails containing PCD. Such E-Mails should only be addressed to individuals who have a right to see the information; such E-Mails must never be addressed to a circulation list.
14.4 E-Mailing information to Patients/Service Users
PCD may be sent to the patient/service user it relates to by E-Mail provided the person has given their consent.
This consent and the E-Mail address must be obtained in writing – not by E-Mail – and the E-Mail address verified before personal information is sent.
Please refer to document ‘Guidance on the use of E-Mail when sending PCD’ for further
details.
14.5 Exceptions to the Encryption Rules
There will be circumstances when the need to send information quickly is of greater importance than maintaining confidentiality, e.g. in the best interests of the data subject.
You must seek the advice of the organisation’s Caldicott Guardian in these circumstances. Exceptions can be made on a case-by-case basis or for a specific regular information exchange. Such exceptions will be recorded in the Trust’s Caldicott Issues Log.