HBL ICT Services Version 8.0 E-Mail and Internet Policy Page 1 of 40 E-Mail and Internet Policy Document reference Title: E-Mail and Internet Policy Product ID: Version Number: 8.0 Status: Live Distribution / Issue date: 12 November 2014 Author: K. Fairbrother Review Period: 12 Months Owner / Owning entity: HBL ICT Services Approver / Approval entity: IT Security Forum / SMT / Information Governance Committee Authoriser / Authorisation entity: SIRO / IG Leads / HBL IT Director


HBL ICT Services

Version 8.0 E-Mail and Internet Policy Page 1 of 40

E-Mail and Internet Policy

Document reference

Title: E-Mail and Internet Policy

Product ID:

Version Number: 8.0

Status: Live

Distribution / Issue date: 12 November 2014

Author: K. Fairbrother Review Period: 12 Months

Owner / Owning entity: HBL ICT Services

Approver / Approval entity: IT Security Forum / SMT / Information Governance Committee

Authoriser / Authorisation entity: SIRO / IG Leads / HBL IT Director


Document control and revision history

Version Revision date Details of Amendment Amended by Checked by

Draft Sept 2007 Initial Draft John Hepburn

1.0 October 2007 V1 Live John Hepburn

2.0 April 2010 V2 Review John Hepburn

3.0 May 2010 Organisational Change / Formatting John Hepburn

4.0 Sept 2012 Amendments Keith Fairbrother

5.0 October 2012 Amendments Keith Fairbrother

6.0 May 2013 Amendments Keith Fairbrother

7.0 June 2013 Amendments Martin Wallis

8.0 October 2014 Organisational Change / Formatting Keith Fairbrother

8.0 November 2014 HBL ICT SMT Approval HBL ICT SMT

Enclosures


1. None.

Embedded files

1. None.

Distribution

External

Action: IG Reference Groups (HCT, HPFT, ENHCCG, HVCCG, BCCG, LCCG)

Information:

Internal

Action: None

Information: None


Contents

1. Executive Summary
2. Introduction
3. Terms / Acronyms Used
4. Purpose and Scope
   4.1 Purpose
   4.2 Scope of the Policy
   4.3 Local Variation
   4.4 Legal Framework
5. Electronic Mail and Internet Services
6. Permissible Uses of Electronic Mail and Internet
   6.1 Authorised users
   6.2 Purpose and use
   6.3 Transmission of Confidential Information
   6.4 Prohibited uses of e-mail and internet
   6.5 Restrictions on Internet Sites
   6.6 Contents of messages and internet material
   6.7 Inappropriate or offensive inbound E-Mail
   6.8 Unsolicited or ‘junk’ mail
   6.9 Privacy and confidentiality
7. Access and disclosure of electronic communications
   7.1 General Provisions
   7.2 Monitoring of communications
   7.3 Inspection and disclosure of communications
   7.4 Special procedures for monitoring and disclosure
8. Disciplinary Action
9. Compliance
10. References
    See Legal Framework – Para 4.4, above
11. Related Policies and Documents
12. Appendix 1 – Equality Impact Assessment Stage 1 Screening
13. Appendix 2 – Privacy Impact Assessment Stage 1 Screening
14. Appendix 3 – E-Mailing Personal Confidential Data


    14.1 Introduction
    14.2 NHSMail Service
    14.3 Limited Facility on the Trust’s Outlook Service
    14.4 E-Mailing information to Patients/Service Users
    14.5 Exceptions to the Encryption Rules
Comment Form


1. Executive Summary

The E-Mail and Internet Policy sets out the commitment of the Trust to preserve the confidentiality, integrity and availability of electronic communications and to ensure that such electronic communications are effectively and lawfully managed.

The Policy aims to ensure that:-

o The E-Mail and internet services used by the Trust are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;

o Confidentiality and integrity of information communicated electronically is maintained at all times;

o Staff are aware of their responsibilities and adhere to the provisions of the policy;

o Procedures are in place to detect and resolve possible security breaches and to prevent a recurrence.

This policy applies to:

o All E-Mail and internet services used by the Trust and the information communicated electronically, processed or stored using these services;

o All staff employed by the Trust, contractors, seconded staff from other organisations and any other persons used by the Trust or engaged on Trust business;

o Any other persons granted access to Trust E-Mail and internet services;

o All locations from which the Trust’s E-Mail and internet services can be accessed.

Application of the policy will assist in compliance with the Trust’s Information Security Policy, information related legislation, NHS Information Security Standards and NHS Information Governance Standards.


2. Introduction

o The Trust is an organisation committed to ensuring that diversity, equality and human rights are valued. We will not discriminate either directly or indirectly and will not tolerate harassment or victimisation in relation to gender, marital status (including civil partnership), gender reassignment, disability, race, age, sexual orientation, religion or belief, trade union membership, status as a fixed-term or part-time worker, socio-economic status and pregnancy or maternity.

o The Trust works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients.

o The Trust, via the Information Governance Toolkit, provides the means by which the NHS and the Trust can assess compliance with current legislation, Government and National guidance.

o Information Governance covers: Data Protection & IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations and Information Quality Assurance.


3. Terms / Acronyms Used

NHS = National Health Service

IT = Information Technology

ICT = Information and Communications Technology

IM&T = Information Management and Technology

EU = European Union

SIRO = Senior Information Risk Owner

DH = Department of Health

UK = United Kingdom

PCs = Personal Computers

HSCIC = Health and Social Care Information Centre

PCD = Personal Confidential Data


4. Purpose and Scope

4.1 Purpose

The E-Mail and Internet Policy sets out the commitment of the organisation to preserve the confidentiality, integrity and availability of electronic communications and to ensure such electronic communications are effectively and lawfully managed.

The Policy aims to ensure that:-

o The E-Mail and Internet services used by the Trust are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;

o The information contained in or processed by these systems is kept secure;

o Confidentiality, integrity and availability are maintained at all times;

o Staff are aware of their responsibilities and adhere to the provisions of the policy;

o Procedures are in place to detect and resolve security breaches and to prevent a recurrence.

4.2 Scope of the Policy

This policy applies to:

o All E-Mail and Internet services used by the Trust and the information communicated electronically, processed or stored using these services;

o All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;

o Any other persons granted access to Trust E-Mail and Internet services;

o All locations from which the Trust’s E-Mail and Internet services can be accessed.

4.3 Local Variation

Variation to some parts of the policy may be allowed where local conditions do not permit full implementation. Applications for such variation must be made to the Head of Infrastructure and must be approved by the Director of ICT Services (to ensure the security of shared infrastructure and that Information Security requirements are met) and, should the assessed level of risk warrant it, the Information Governance Sub Committee before being introduced.


4.4 Legal Framework

This policy is compliant with relevant legislation, Department of Health and NHS regulations and guidance and the policies and procedures of partner organisations; principally:-

UK and EU legislation, including:

o Data Protection Act (1998)

o Freedom of Information Act (2000)

o Human Rights Act (1998)

o Computer Misuse Act (1990)

o Communications Act (2003) & Electronic Communications Act (2006)

o Regulation of Investigatory Powers Act (2000)

o Copyright, Designs and Patents Act (1988)

o Health and Social Care Act (2012)

o Caldicott 2 Review

o Care Act (2014)

Department of Health and NHS Regulations and Guidance, including:

o Guide to Confidentiality in Health and Social Care

o NHS IM&T Security Manual

o NHS Information Governance Standards

o NHS Statement of Compliance

Standards for Information Security Management ISO27001 & ISO27002

Policies and procedures including:

o Policies, procedure & guidance on the management of patient/client records


5. Electronic Mail and Internet Services

E-Mail and Internet services are provided solely for the conduct of official Trust business and are subject to the Trust’s Information Security Policy.

These services and the associated systems and information are the property of the Trust. This includes all hardware, software and all data that are stored within the systems, any messages, attachments and downloads.

6. Permissible Uses of Electronic Mail and Internet

6.1 Authorised users

Staff will be given a username and/or a smartcard and a password to access the systems they are authorised to use. These will identify the user to the system.

Contractors and other persons working on behalf of the Trust may be given authority to use these services in accordance with the Trust’s policies and subject to appropriate authorisation.

6.2 Purpose and use

The use of any E-Mail and Internet resources must be related to the legitimate business activity of the Trust and its partners. This includes authorised professional and academic pursuits.

Incidental and occasional personal use of E-Mail and Internet may be permitted at the discretion of the appropriate senior manager. Any personal use will also be subject to the provisions of this policy.


6.3 Transmission of Confidential Information

All personal confidential data (PCD) must be encrypted, in accordance with DH standards, before or during transmission. Refer to Appendix 3 of this document and policy document [Guidance on the use of E-Mail when sending PCD] for further information.

All exchanges or transmission of unencrypted PCD must have the prior authorisation of the Trust’s Caldicott Guardian and/or SIRO.

6.4 Prohibited uses of e-mail and internet

o Use of another person’s identity (username/password or smartcard) to access E-Mail and Internet services;

o Use of E-Mail and Internet resources for personal monetary gain or for commercial purposes that are not directly related to the Trust’s business;

o Personal use that creates a cost or inconvenience for the Trust;

o Intercepting or opening E-Mail or electronic files addressed to another recipient without their permission (except for authorised employees in the course of the Trust’s business);

o Use of E-Mail to harass or intimidate others or to interfere with the ability of others to conduct the Trust’s business;

o Disguising an E-Mail identity in an attempt to deceive the recipient of the source or identity of the sender;

o Use of electronic mail systems for any purpose restricted or prohibited by law or regulations;

o Inclusion of the work of others into E-Mail in violation of copyright laws. Employees have a responsibility to ensure that copyright and licensing laws are not breached when composing or forwarding E-Mails and E-Mail attachments;

o Unauthorised access or attempted access to E-Mail or attempted breach of any security measures on any systems;

o Viewing, distributing or contributing to illegal or inappropriate materials on the internet, including material that might be offensive to others;

o The distribution of chain letters, inappropriate humour, explicit language or offensive images or material;

o Downloading of any files that could jeopardise the security and integrity of the Trust’s networks or systems;

o Injudicious use of work time and facilities for private purposes;

o The sending and receiving of NHS related information, especially PCD, using public E-Mail systems (Gmail, Hotmail, Yahoo, Facebook, Twitter etc.) other than in compliance with Appendix 3 of this document and policy document [Guidance on the use of E-Mail when sending PCD].


6.5 Restrictions on Internet Sites

Restrictions will be placed on access to any internet site that could be regarded as a threat to services, systems and resources, that interferes with the use of the network or other services or to any site that is considered inappropriate.

This will include (but is not limited to):

o Sites that attempt to propagate malicious code or any other threat;

o Sites containing information that is inappropriate, offensive or unlawful (such as pornography, racial bias, social networking, gambling and games);

o Downloads or data transfers that threaten or interfere with network or other resources (such as executable files and media streaming);

o Sites that provide ‘cloud-based’ storage functionality (such as huddle, SkyDrive, iCloud, Dropbox, etc.) except where explicitly approved.

Applications for variation to this policy must be made to the Head of Infrastructure and must be approved by the Director of ICT Services (to ensure the security of shared infrastructure and that Information Security requirements are met) and, should the assessed level of risk warrant it, the Information Governance Sub Committee before being introduced.

Restrictions may be changed or introduced without notice or consultation to preserve the confidentiality, integrity and availability of critical network resources.

6.6 Contents of messages and internet material

Messages and Internet material must not contain anything that may be considered offensive or disruptive to the Trust or its stakeholders. Offensive content would include, but would not be limited to, sexual comments or images, illegal or unauthorised software, racially biased materials, gender-specific comments or any comments/material that would offend someone on the basis of his or her age, sexual orientation, religious or political beliefs, national origin, or disability. Messages and internet material must not contain anything which could be regarded as libellous.

6.7 Inappropriate or offensive inbound E-Mail

Inbound E-Mails may contain inappropriate or offensive material that is beyond the control of the Trust. Receipt of such E-Mails should be reported to the ICT Service Desk.


6.8 Unsolicited or ‘junk’ mail

This is E-Mail received from senders you do not know or companies you do not do business with. Examples are unsolicited advertising for goods or services or warnings of supposed new viruses. These E-Mails should be deleted without opening them. Do not forward or reply to such E-Mails or visit sites contained in such E-Mails.

6.9 Privacy and confidentiality

The nature and technology of electronic communication means that the privacy of an individual’s use of the E-Mail system, or the confidentiality of messages, cannot be ensured. Messages may be received or monitored by someone other than the intended recipient.

All reasonable efforts will be made to maintain the integrity and availability of the Trust’s electronic communications systems. However, the Trust systems should not be relied upon as a secure medium for the communication of sensitive or confidential information.


7. Access and disclosure of electronic communications

7.1 General Provisions

To the extent permitted by law, the Trust reserves the right to access and disclose the contents of any electronic communications without the consent of the user. This right will be exercised when there is believed to be a legitimate business reason to do so including, but not limited to, those listed in Paragraphs 7.2 and 7.3 below and with the authority of a Director of the Trust.

The E-Mail systems should be treated like a shared filing system, i.e., with the expectation that communications sent or received may be made available for review by any authorised employee for purposes related to the Trust’s business.

E-Mail may constitute “personal records” and be subject to the provisions of the Data Protection Act 1998 and the Access to Health Records Act. The data subject has the right to access any such records.

Any user who sends or receives communications using non-standard encryption devices to restrict or inhibit access must provide access to such encrypted communications when requested to do so by the Director of ICT Services or Head of Infrastructure.

7.2 Monitoring of communications

To the extent permitted by law, all electronic communications and their content will be monitored for purposes of:

o Maintaining the integrity and effective operation of systems managed or supported by the Trust;

o Ensuring compliance with the Trust’s policies and procedures and compliance with legislation and statute law.

The Trust retains the right to access, review, copy and delete any material created, stored or transported on its systems. This includes but is not limited to messages sent, received or stored on the E-Mail system and any material accessed or downloaded from the internet.

Volumes of electronic communication will be monitored routinely including the source, destination and subject of the communication.


7.3 Inspection and disclosure of communications

The Trust reserves the right to inspect and disclose the contents of electronic communications:

o To discharge legal obligations and legal processes and any other obligations to employees, clients, patients, customers and any third parties (in particular, when disclosure is requested under provisions of the Data Protection Act (1998) or the Freedom of Information Act (2000)).

o To locate substantive information required for the Trust business that is not readily available by other means.

o To safeguard assets and to ensure they are used in an appropriate manner.

o In the course of an investigation into alleged misconduct.

7.4 Special procedures for monitoring and disclosure.

Prior approval must be obtained from the appropriate Director to gain access to the contents of electronic communications or data stores, and disclose information gained from such access.


8. Disciplinary Action

Breach of any aspect of this policy will be subject to disciplinary action in line with the Trust’s disciplinary policies. Serious breaches will be regarded as gross misconduct and may result in dismissal.

9. Compliance

Compliance with this policy will be monitored both electronically and by means of audits and spot checks.

10. References

See Legal Framework – Para 4.4, above


11. Related Policies and Documents

Management of Records Policy and Procedure

Standing Financial Instructions

Data Quality Policy

Information Security Policy

Guidance on the use of E-Mail when sending PCD

Mobile Device Security Policy

Telecommunications Policy

Information Governance Strategy

Incident Policy

Confidentiality Policy


12. Appendix 1 – Equality Impact Assessment Stage 1 Screening


1. Policy EIA Completion Details

Title: E-Mail and Internet Policy

Names & Titles of staff involved in completing the EIA:

Keith Fairbrother – Head of Infrastructure

Proposed

Existing

Date of Completion: 31 October 2014

Review Date: October 2015


2. Details of the Policy. Who is likely to be affected by this policy?

Staff Patients Public

3. Impact on Groups

Probable impact on group? High, Medium or Low

Please explain your answers


Positive Adverse None

Race, ethnicity, nationality, language etc.


Gender (inc. transgender)


Disability, inc. learning difficulties, physical disability, sensory impairment etc.


Sexual Orientation


Religion or belief


Human Rights

Age


Other:


No impact on any of the groups above.

Please explain and provide evidence

Policy applies equally to all staff

4. Which equality legislative Act applies to the policy?


Human Rights Act 1998

Sex Discrimination Act

Race Relations Act

Disability Discrimination Act

Gender Recognition Act 2004

Mental Health Act 1983

Equality Act 2006

Mental Capacity Act 2005

Age Equality Regulations 2006

Equal Pay Act

Sexual Orientation Regulations 2003

Religion or Belief Regulations 2003

Health & Safety Regulations

Part time Employees Regulations

Civil Partnership Act 2004

5. How could the identified adverse effects be minimised or eradicated?

Not Applicable

6. How is the effect of the policy on different Impact Groups going to be monitored?

Not Applicable

13. Appendix 2 – Privacy Impact Assessment Stage 1 Screening

1. Policy PIA Completion Details

Title: E-Mail and Internet Policy

Names & Titles of staff involved in completing the PIA: Keith Fairbrother – Head of Infrastructure

Proposed

Existing

Date of Completion: 31 October 2014

Review Date: October 2015

2. Details of the Policy. Who is likely to be affected by this policy?

Staff Patients Public

Yes No

Please explain your answers

Technology

Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards)

Application of the policy will minimise potential for privacy intrusion.

Identity

By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.)

Application of the policy will ensure integrity of information.

By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats?

Application of the policy will ensure integrity of information.

Multiple Organisations

Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)

Policy applies to organisation only. All other NHS organisations have similar policy based on the same standards.

Data

By adhering to the policy is there likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)

Application of the policy will ensure integrity of information during processing.

If Yes to any of the above have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department?

14. Appendix 3 – E-Mailing Personal Confidential Data

The details within this Appendix are to be used as a supplemental guide to the document ‘Guidance on the use of E-Mail when sending PCD’.

14.1 Introduction

The Secretary of State for Health has directed that all E-Mails containing personal confidential data must be encrypted unless there is some substantial reason that overrides or modifies the confidentiality due to the person - see Paragraph 14.6, below. This applies both to information in the body of the E-Mail and to information in any attachments to the E-Mail.

The Trust has 2 methods available for sending encrypted E-Mail and these are described below.

14.2 NHSMail Service

The NHSMail service is provided by the NHS nationally and available to all NHS staff. It is the only nationally approved method of sending PCD relating to patients.

NHSMail addresses take the form: [email protected]

The important part is the .nhs.net suffix which identifies it as an NHSMail address. (The Trust’s standard E-Mail addresses have a suffix .nhs.uk. It is not an NHSMail service.)

Using the NHSMail service you can send E-Mails containing PCD to:

Other NHSMail addresses i.e., with the suffix: .nhs.net

To the secure E-Mail services with the following addresses:

o [email protected]
o [email protected]
o [email protected]
o [email protected]
o [email protected]
o [email protected]
o [email protected]
o [email protected]
o [email protected]
o [email protected]

You cannot send E-Mails containing PCD from your NHSMail account to any other address.

(If you do not have an NHSMail account you can enrol yourself at www.nhs.net or contact the ICT Service Desk)

14.3 Limited Facility on the Trust’s Outlook Service

The Trust’s standard Outlook E-Mail service has an address in the form:

o @hertfordshire.nhs.uk
o @hchs.nhs.uk
o @hertspartsft.nhs.uk
o @hpft.nhs.uk
o @enhertsccg.nhs.uk
o @hertsvalleysccg.nhs.uk
o @lutonccg.nhs.uk
o @bedfordshireccg.nhs.uk

Please refer to document ‘Guidance on the use of E-Mail when sending PCD’ for further details.

When using Outlook encryption you need to be aware of the following limitations and take the recommended action:

Outlook will warn you if it cannot encrypt the E-Mail. This can happen for a variety of reasons: the recipient cannot read encrypted E-Mail, it is being sent to a group address etc. You will need to use an alternative means of sending the person identifiable information.

Encrypted Outlook E-Mails can only be read by the addressee and cannot be read by any delegates nominated by the addressee. You must address the E-Mail to all the people who need to read it.

Encrypted E-Mails will not always be found when searches are performed for Data Protection Act or Freedom of Information Act requests. Encrypted E-Mails must be saved outside the Outlook system either by:

o exporting them to a file and storing them on the appropriate place on SystmOne or a shared network drive;

o or by printing them and filing the paper copy in the data subject’s file.

As a general rule, Caldicott principles must be applied when sending E-Mails containing PCD. Such E-Mails should only be addressed to individuals who have a right to see the information; such E-Mails must never be addressed to a circulation list.

14.4 E-Mailing information to Patients/Service Users

PCD may be sent to the patient/service user it relates to by E-Mail provided the person has given their consent.

This consent and the E-Mail address must be obtained in writing – not by E-Mail – and the E-Mail address verified before personal information is sent.

Please refer to document ‘Guidance on the use of E-Mail when sending PCD’ for further details.

14.5 Exceptions to the Encryption Rules

There will be circumstances when the need to send information quickly is of greater importance than maintaining confidentiality, e.g. in the best interests of the data subject.

You must seek the advice of the Trust’s Caldicott Guardian in these circumstances. Exception can be made on a case by case basis or for a specific regular information exchange. Such exception will be recorded in the Trust’s Caldicott Issues Log.

Comment Form

As part of the HBL ICT Services Department’s continuous improvement regime, would you please complete this form. Any comments or feedback on this document should be addressed to the Owner. Please provide your name and contact details in case clarification is required.

Name:

Address:

Phone:

E-Mail:

Please send to:

HBL ICT Services

Charter House

Welwyn Garden City

Hertfordshire AL8 6JL

E-Mail:

1. Please confirm the document you want to give response to as:

2. Please rate the document using the topics and criteria indicated below:

Very Good Good Average Fair Poor

Format and layout

Accuracy

Consistency

Readability

Clarity

Brevity

Illustrations (tables, figures etc.)

Examples

Other

Overall rating

3. When using the document, what were you looking for?

4. Did you find what you were looking for?

5. Which topics did the document handle well?

6. Which topics could be handled better?

7. And if so how could this be achieved?

8. How could the document be improved?

9. How often do you use the document?

10. If you have additional comments, please include them below:

Thank you for your time.