This document is due for review by the date shown below. After this date, policy and procedure documents may be invalid and may pose a security risk. Please contact the department below immediately.
Policy Reference: 040 CB-Jan12
Version: V1.0 Final
Ratified by: Joint Information Governance Committee
Date Ratified: December 2011
Name of Originator/Author: Bronwyn Jackson
Name of responsible committee/individual: Joint Information Governance Committee
Procedure Sponsor: Senior Information Risk Owner (SIRO)
Date Issued: December 2011
Review Date: December 2012
Target Audience: All CLUSTER PCT Staff
Version: 1.0
1 Document History

Version 0.1
Date: TBC
Reviewed by: IGG
Status: Draft
Comments: Based on DSS/DC CLUSTER PCT policy

Version 0.2
Date: Nov 10
Reviewed by: IGG
Status: Draft
Comments: Revised policy content

Version 0.3
Date: Dec 10
Reviewed by: IGG
Status: For Approval
Comments: Revised Policy Content: 4. Scope, Appendix 1, 2 and 3

Version 1.0
Reviewed by: Joint IGC
Status: Draft
Comments: First draft of the joint policy for the CLUSTER PCT organisation. Based on NHS Derby City Policy originated by Darran Turley, Version 0.3, 2010. Also replaces NHS Derbyshire County Internet Use Policy Version 3.0, 2010. Changes made in order to align NHS Derby City Policy and NHS Derbyshire County Policy.
2 Contents

1 Document History .... 2
2 Contents .... 3
3 Background .... 4
4 Scope .... 4
5 Related Legislation and Standards .... 4
6 Internet Standards .... 5
7 Legal Risks .... 6
8 Internet Access .... 6
9 Internet Monitoring and Reporting .... 6
10 Process for Dealing with Unacceptable Internet Usage .... 7
11 Blocked Sites .... 7
12 Incident Reporting .... 8
13 Social Networking Sites, Blogging and Webmail .... 9
14 Related Documentation .... 9
15 References .... 9
16 Cluster PCT Information Governance Contacts .... 10
Appendix 1 Blocked categories .... 11
Appendix 2 Access Denied Screen Shot .... 12
Appendix 3 Internet Access Procedure .... 13
Appendix 4 Declaration of Confidentiality .... 15
Appendix 5 Application to Access Social Networking or any other blocked internet sites .... 16
3 Background
The internet is a worldwide network of computers that contains millions of pages of information. Users are cautioned that many of these pages include offensive, sexually explicit and inappropriate material. In general, it is difficult to avoid at least some contact with this material whilst using the internet. Even innocuous search requests may lead to sites with highly offensive content. Additionally, having an e-mail address on the internet may lead to receipt of unsolicited e-mail containing offensive content. Users accessing the internet do so at their own risk and the Cluster PCT is not responsible for material viewed or downloaded by users from the internet.

It is the purpose of this policy to enable the effective and legal use of Cluster PCT internet systems. This policy refers to all user activity on the NHSNet (N3 NHS Secure Network) and the wider internet. The Trust will ensure that employees are aware of their responsibilities when accessing the internet and that they have agreed to abide by this policy. This policy is comprehensive but not exhaustive and all guidance should be adhered to. For any queries, please contact the Information Governance Team.
4 Scope
This document defines the Internet Access Policy for the Cluster PCT and NHS Derbyshire County (hereinafter referred to as the Cluster PCT). It applies to all business functions and information of the Internet system and to the relevant people who support the system. This document:

- Sets out the Organisation's policy for the protection of the confidentiality, integrity and availability of the Internet system.
- Establishes organisation and user responsibilities for accessing the Internet.
- Ensures that internet facilities are available for users to carry out their business functions.
- Protects the systems from unauthorised or accidental modification, ensuring the accuracy and completeness of the Organisation's assets.
- Protects assets against unauthorised disclosure.

This policy covers the use by staff, or by any contractor employed by the Cluster PCT, of all Internet and e-mail facilities within the Cluster PCT, at any Cluster PCT location or on any piece of IT equipment owned or provided by the Cluster PCT.

Any staff that work for the Cluster PCT but use or have access to non-Trust systems are also bound by this policy and by those of the host organisation. Prior to using the Cluster PCT's Internet facilities, employees must give their consent to random monitoring of their email and Internet usage. A consent form is attached at Appendix 3 and without its completion staff will be denied access to the Internet.
5 Related Legislation and Standards

- To establish the existence of facts relevant to the business
- To check that the Cluster PCT is complying with self-regulatory practices or procedures
- To ensure that appropriate quality standards are maintained
- In the interests of national security
- To prevent or detect crime
- To investigate or detect unauthorised use of the telecommunication system
- To ensure the effective operation of the telecommunication system

The guidelines set down by the Regulation of Investigatory Powers (Communications Data) Order 2003 also apply. ISO 27000 Information Security Standard suite control No 10.10 relates to monitoring to detect unauthorised information processing activities.
6 Internet Standards
The Trust does not allow its equipment to be used for intentionally accessing information of an unlawful, unethical and/or degrading nature to any being (e.g. pornography, paedophilia, terrorism, or material from organisations engaged in any kind of armed struggle). This information could be found on websites and in newsgroups. Access to such inappropriate information could place employment at risk. Employees may not use the internet for personal commercial purposes, e.g. supplying goods and services. Users should only access sites or services that are appropriate to the work they are engaged in. This ruling is not intended to exclude personal use in the employee's own time, but such use should be minimal and should in no way infringe upon work time.
NHS web sites on the NHS Network (nww, e.g. http://nww.derbycity.nhs.uk/ in the address bar) are deemed secure and therefore documents and files may be downloaded from these sites. The internet (www) is not subject to the same security and therefore staff should be made aware of the security implications. Software programs and files must not be downloaded from the internet unless authorised and proven to be secure.

IT resources are not unlimited. Network bandwidth and storage capacity have finite limits and all users connected to the network have a responsibility to conserve these resources. As such, the user must not deliberately perform acts that waste IT resources or unfairly monopolise resources to the exclusion of others. These acts include, but are not limited to, sending mass mailings or chain letters, spending excessive amounts of time on the internet, playing on-line games, engaging in online chat groups, uploading or downloading large files, accessing streaming audio and/or video files, or otherwise creating unnecessary loads on network traffic associated with non-business-related uses of the internet.

Users may not illegally copy material protected under copyright law or make that material available to others for copying. You are responsible for complying with copyright law and any applicable licences that may apply to software, files, graphics, documents, messages and other material you wish to download or copy. You may not agree to a licence or download any material for which a registration fee is charged without first obtaining the express written permission of the Trust.

The internet is a major source of computer viruses, the effects of which can range from minor irritant to major disaster, but all have costs involved in their eradication. Although the IT network has background anti-virus defences, it is still essential for users to remain alert when opening files and mail. In the event that a user suspects a virus infestation, DHIS should be contacted immediately. Internet users must be aware that the system is inherently insecure. No patient identifiable information or other organisational confidential information must be transmitted or published via the internet. All PCs supported by the Cluster PCT have anti-virus protection software enabled, which is automatically updated when connected to the network.
7 Legal Risks
If a user unlawfully forwards corporate, confidential or sensitive information, the user and the Trust can be held liable. If a user sends links, email (with or without attachments) or any other electronic form of communication that contains a virus, the user and the Trust can be held liable. By following the guidelines in the policy, the internet user can minimise breaches of policy and legal penalties. If a user disregards the guidelines in the policy, the user will be fully liable and may be subject to the disciplinary process and, if required, criminal proceedings.
8 Internet Access
Access to the internet should be open to all using the Cluster PCT's Access Implementation Procedure (see Appendix 1). Users should be made aware of this policy, familiarise themselves with it and comply with it at all times. Users must not allow other employees to access the internet or any other systems using their network password, and should ensure that the workstation is shut down or locked when leaving it unattended (see Appendix 2). When the user is logged onto the network, all activity is deemed to be performed by that user. If the user has any doubts over the security of their password, it should be changed immediately and, if required, the Information Governance Team should be informed.
on internet users. The Trust will decide the frequency and nominate appropriate staff to receive these reports. These reports will be stored in a confidential manner and will be retained for a specific timescale dependent upon the nature of the issue.
11 Blocked Sites
The Trust will block certain categories of sites in order to reduce inappropriate use of the internet. However, in order for employees to access sites that are relevant to their work, the Trust will give formal agreement to DHIS for access rights to be given. It is recommended that the Trust maintain a list of individuals who have special access permissions, so that in the event of any query there is confirmation that those individuals have been given special access. An example of where this matters is when a member of staff moves jobs or Trust and no longer requires special access for their new job role.

Members of staff who attempt to access a blocked site will receive a pop-up message prompting them to seek permission from their line manager should they feel there is a genuine work-related need to access that particular site (see Appendix 2). In light of the continually evolving internet, the Trust reserves the right to amend the blocked categories on a continual basis. A current list of all blocked sites will be available from the IT supplier and an example is shown at Appendix 1.
12 Incident Reporting
If an incident occurs, the Information Governance Team will be notified within one working day.

[Flowchart not reproduced: incident reporting process for a potential or actual security breach and for internet misuse.]

Key: SHA = Strategic Health Authority; IG = Information Governance

Body of report:
- Scope of investigation
- Summary of the incident
- Background
- Process of investigation and methodology
- Chronology of events
- Analysis and findings
- Recommendations
- Conclusions
14 Related Documentation
- E-mail Policy
- IT Security Policy
- Staff Confidentiality Code of Conduct
- Data Protection Policy
- Safe Haven Policy
- Trust Disciplinary Policy
- Trust Incident Policy
- Mobile Computing Policy
- Forensic Readiness Policy
- Information Governance Strategy
- Freedom of Information Policy
- Information Lifecycle & Records Management
15 References
The following legal or contractual requirements apply when monitoring users' activity on the Internet:

- Copyright, Designs and Patents Act 1988
- Data Protection Act 1998
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
- Human Rights Act 1998
- Regulation of Investigatory Powers Act (RIPA) 2000
- Computer Misuse Act 1978
Appendix 3 Internet Access Procedure

1. The applicant should read and understand the Internet Access and E-mail Policies and retain these for their use.
2. The application form should be completed and signed by the line manager and the applicant. This should be filed according to Trust.
3. Once the applicant has been granted permission, the line manager should e-mail the Customer Service Team with the specific information that has been requested.
4. Once this has been received, the account will be created.
5. The Customer Service Team will send an e-mail to the line manager confirming that the account has been created and giving instructions on how the applicant can access the account.
6. A user name and password will be provided, with a request to change the password upon first login.
Declaration

I confirm that I have been made aware of and fully understand the Cluster PCT Internet Use Policy. I understand that if I am in breach of any part of the Internet Use Policy my Internet access will be withdrawn and disciplinary action may be instigated.

Name: ...
Signature: ...
Date: ...

Authorised by Line Manager

I authorise the provision of Internet access to the applicant named above.

Signature: ...
Date: ...

Managers: please file the completed and authorised form within your staff member's personal file.
Appendix 5 Application to Access Social Networking or any other blocked internet sites
Name: ...
Department: ...
Date: ...
Site: ... (please quote the full URL)

Form to be sent to: Information Governance Team, 4th Floor, North Point, Cardinal Square, 10 Nottingham Road, Derby DE1 3QT.