
NHS Derby City and NHS Derbyshire County

This document is due for review by the date shown below. After this date, policy and procedure documents may be invalid and may pose a security risk. Please contact the department below immediately.

Internet Use Policy

Policy Reference: 040 CB-Jan12
Version: V1.0 Final
Ratified by: Joint Information Governance Committee
Date Ratified: December 2011
Name of Originator/Author: Bronwyn Jackson
Name of responsible committee/individual: Joint Information Governance Committee
Procedure Sponsor: Senior Information Risk Owner (SIRO)
Date Issued: December 2011
Review Date: December 2012
Target Audience: All CLUSTER PCT Staff

Version: 1.0

1 Document History

Revision History/Version Control

Version | Date | Reviewed by | Status | Comments
0.1 | TBC | IGG | Draft | Based on DSS/DC CLUSTER PCT policy
0.2 | Nov 10 | IGG | Draft | Revised policy content
0.3 | Dec 10 | IGG | For Approval | Revised Policy Content: 4. Scope, Appendix 1, 2 and 3
1.0 Joint | | Joint IGC | Draft | First draft of joint policy for the CLUSTER PCT organisation. Based on NHS Derby City Policy originated by Darran Turley, Version 0.3, 2010. Also replaces NHS Derbyshire County Internet Use Policy Version 3.0, 2010. Changes made in order to align NHS Derby City Policy and NHS Derbyshire County Policy.


2 Contents
1 Document History
2 Contents
3 Background
4 Scope
5 Related Legislation and Standards
6 Internet Standards
7 Legal Risks
8 Internet Access
9 Internet Monitoring and Reporting
10 Process for Dealing with Unacceptable Internet Usage
11 Blocked Sites
12 Incident Reporting
13 Social Networking Sites, Blogging and Webmail
14 Related Documentation
15 References
16 Cluster PCT Information Governance Contacts
Appendix 1 Blocked categories
Appendix 2 Access Denied Screen Shot
Appendix 3 Internet Access Procedure
Appendix 4 Declaration of Confidentiality
Appendix 5 Application to Access Social Networking or any other blocked internet sites


3 Background
The internet is a worldwide network of computers that contains millions of pages of information. Users are cautioned that many of these pages include offensive, sexually explicit and inappropriate material. In general, it is difficult to avoid at least some contact with this material whilst using the internet. Even innocuous search requests may lead to sites with highly offensive content. Additionally, having an e-mail address on the internet may lead to receipt of unsolicited e-mail containing offensive content. Users accessing the internet do so at their own risk and the Cluster PCT is not responsible for material viewed or downloaded by users from the internet. The purpose of this policy is to enable the effective and legal use of Cluster PCT internet systems. This policy refers to all user activity on the NHSNet (N3 NHS Secure Network) and the wider internet. The Trust will ensure that employees are aware of their responsibilities when accessing the internet and that they have agreed to abide by this policy. This policy is comprehensive but not exhaustive and all guidance should be adhered to. For any queries please contact the Information Governance Team.

4 Scope
This document defines the Internet Access Policy for the Cluster PCT and NHS Derbyshire County (hereinafter referred to as the Cluster PCT). It applies to all business functions and information of the Internet system and the relevant people who support the system. This document:
- Sets out the Organisation's policy for the protection of the confidentiality, integrity and availability of the Internet system.
- Establishes organisation and user responsibilities for accessing the Internet.
- Ensures that internet facilities are available for users to carry out their business functions.
- Protects the systems from unauthorised or accidental modification, ensuring the accuracy and completeness of the Organisation's assets.
- Protects assets against unauthorised disclosure.
This policy covers the use by staff or any contractor employed by the Cluster PCT of all Internet and e-mail facilities within the Cluster PCT, at any Cluster PCT location or on any piece of IT equipment owned or provided by the Cluster PCT.

Any staff that work for the Cluster PCT but use or have access to non-Trust systems are also bound by this policy and those of the host organisation. Prior to using the Cluster PCT's Internet facilities, employees must give their consent to random monitoring of their email and Internet usage. A consent form is attached at Appendix 3 and without its completion staff will be denied access to the Internet.

5 Related Legislation and Standards
The Regulation of Investigatory Powers Act 2000 allows the Cluster PCT to intercept communications for the purpose of monitoring or keeping a record:
- To establish the existence of facts relevant to the business
- To check that the Cluster PCT is complying with self-regulatory practices or procedures
- To ensure that appropriate quality standards are maintained
- In the interests of national security
- To prevent or detect crime
- To investigate or detect unauthorised use of the telecommunication system
- To ensure the effective operation of the telecommunication system

The guidelines set down by the Regulation of Investigatory Powers (Communications Data) Order 2003 also apply. ISO 27000 Information Security Standard suite, control No 10.10, relates to monitoring to detect unauthorised information processing activities.

6 Internet Standards
The Trust does not allow its equipment to be used for intentionally accessing information of an unlawful, unethical and/or degrading nature to any being (e.g. pornography, paedophilia, terrorism or from organisations engaged in any kind of armed struggle). This information could be found on websites and in newsgroups. Access to such inappropriate information could place employment at risk. Employees may not use the internet for personal commercial purposes, e.g. supplying goods and services. Users should only access sites or services that are appropriate to the work they are engaged in. This ruling is not intended to exclude personal use in the employee's own time, but such use should be minimal and should in no way infringe upon work time.

NHS web sites on the NHS Network (nww, e.g. http://nww.derbycity.nhs.uk/ in the address bar) are deemed secure and therefore documents and files may be downloaded from these sites. The internet (www) is not subject to the same security and therefore staff should be made aware of the security implications. Software programs and files must not be downloaded from the internet unless authorised and proven to be secure.

IT resources are not unlimited. Network bandwidth and storage capacity have finite limits and all users connected to the network have a responsibility to conserve these resources. As such, the user must not deliberately perform acts that waste IT resources or unfairly monopolise resources to the exclusion of others. These acts include, but are not limited to, sending mass mailings or chain letters, spending excessive amounts of time on the internet, playing on-line games, engaging in online chat groups, uploading or downloading large files, accessing streaming audio and/or video files, or otherwise creating unnecessary loads on network traffic associated with non-business-related uses of the internet. Users may not illegally copy material protected under copyright law or make that material available to others for copying. You are responsible for complying with copyright law and any applicable licenses that may apply to software, files, graphics, documents, messages, and other material you wish to download or copy. You may not agree to a license or download any material for which a registration fee is charged without first obtaining the express written permission of the Trust.

The internet is a major source of computer viruses, the effects of which can range from the minor irritant to the major disaster, but all have costs involved in their eradication. Although the IT network has background anti-virus defences, it is still essential for users to remain alert when opening files and mail. In the event that a user suspects a virus infection, DHIS should be contacted immediately. Internet users must be aware that the system is inherently insecure. No patient identifiable information or other organisational confidential information must be transmitted or published via the internet. All PCs supported by the Cluster PCT have anti-virus protection software enabled, which is automatically updated when connected to the network.

7 Legal Risks
If a user unlawfully forwards corporate, confidential or sensitive information, the user and the Trust can be held liable. If a user sends links, email with or without attachments, or any other electronic form of communication that contains a virus, the user and the Trust can be held liable. By following the guidelines in the policy, the internet user can minimise breaches of policy and legal penalties. If a user disregards the guidelines in the policy, the user will be fully liable and may be subject to the disciplinary process and, if required, criminal proceedings.

8 Internet Access
Access to the internet should be open to all using the Cluster PCT's Access Implementation Procedure (see Appendix 1). Users should be made aware of this policy, familiarise themselves with it and comply with the policy at all times. Users must not allow other employees to access the internet or any other systems using their network password, and should ensure that the workstation is shut down or locked when leaving it unattended (see Appendix 2). When the user is logged onto the network, all activity is deemed to be performed by that user. If the user has any doubts over the security of their password, it should be changed immediately and, if required, the Information Governance Team should be informed.

9 Internet Monitoring and Reporting

The Trust has the right to monitor and log any aspect of its IT system including, but not limited to, monitoring internet sites visited by users, monitoring chat and newsgroups, monitoring file downloads and all communications sent and received by users. These may be available for both Internal and External Audit review. In order to satisfy legal requirements and Trust policy, DHIS utilise the Surf Control web management and reporting software. This software allows the monitoring and blocking of web traffic between each external gateway and the internet. At the request of the Trust, DHIS will provide nominated IG staff (the Information Security and Governance Manager is the nominated lead for the Trust) with internet browsing details and trend reports on internet users. The Trust will decide the frequency and nominate appropriate staff to receive these reports. These reports will be stored in a confidential manner and retained for a specific timescale dependent upon the nature of the issue.

10 Process for Dealing with Unacceptable Internet Usage


In the event that the Trust considers an employee's internet usage to be sufficiently inappropriate, it will take steps to inform relevant management. The Trust Information Governance Team, in conjunction with IT suppliers as appropriate, will be responsible for the collation of information from a technical perspective. If excessive internet use is evident from the monthly reports, the individual's line manager will be provided with the internet usage report, and feedback will be provided back to the Information Governance Team. The monthly reports will also be reviewed at the Information Governance Committee for trend analysis. Where there is evidence of an offence or breach of policy, it will be investigated in accordance with the Trust's Disciplinary Procedures applicable to all Trust employees. In such cases DHIS IGT will act immediately with the priority of preventing any possible continuation of the incident. As a result of such actions accounts may be closed or emails may be blocked to prevent further damage or similar occurring.

11 Blocked Sites
The Trust will block certain categories of sites in order to reduce inappropriate use of the internet. However, in order for employees to access sites that are relevant to their work, the Trust will give formal agreement to DHIS for access rights to be given. It is recommended that the Trust maintain a list of individuals who have special access permissions to ensure that, in the event of any queries, there is confirmation that individuals have been given special access. An example of this is where a member of staff moves jobs or Trust and does not require special access for their new job role. Members of staff who attempt to access a blocked site will receive a pop-up message where the user is prompted to seek permission from their line manager should they feel there is a genuine work-related need to access that particular site (see Appendix 2). In light of the internet continually evolving, the Trust reserves the right to amend the blocked categories on a continual basis. A current list of all blocked sites will be available from the IT supplier and an example is shown at Appendix 1.


12 Incident Reporting
If an incident occurs, the Information Governance Team will be notified within one working day.
Incident types covered:
- Potential or actual security breach
- Confidential breach of data
- Internet misuse

Process:
1. Report incident to NHS IG within 1 day.
2. NHS IG will investigate using Root Cause Analysis.
3. A Lead Director will be appointed for the investigation.
4. Objectives and involvement will be agreed by the Lead Director.
5. Evidence gathered, including interviews, timelines etc.
6. Body of report: Scope of investigation; Summary of the incident; Background; Process of investigation and methodology; Chronology of events; Analysis and Findings; Recommendations; Conclusions.
7. Recommendations identify the levels at which actions are to be taken: Individual level; Team level; Organisation level.
8. Lessons learnt documentation produced.
9. Possible legal involvement (breach of contract etc.).
10. If findings point to the incident being a Serious Untoward Incident, NHS SHA may be involved and ICO notification may be required.
11. NHS sign off once actions have been completed.
12. Escalation actions completed and signed off; documentation completed.

Key
SHA - Strategic Health Authority
IG - Information Governance


13 Social Networking Sites, Blogging and Webmail


Social Networking is the use of interactive web-based sites that mimic some of the interactions that occur between people in real life. There has been extensive academic and industry research into personal data on social networking sites, and it was found that individuals are more likely to release personal information on an internet site than they would through face-to-face contact. Blogging is using a public website to write an online diary, sharing thoughts and opinions on various subjects. There is a steady increase in incidents relating to disclosure of confidential information, so if users are authorised by their line manager to use these sites, disclosure of confidential information must not occur. Blogging and social networks provide an easy means for information leaks, either maliciously or otherwise, even when the sites are not accessed directly from work. Once loaded to a site, confidential information enters the public domain and may be accessed, processed and stored anywhere globally, leading to possible organisational reputational damage and breaches of confidentiality. Access to social networking sites such as Twitter, Facebook etc. and webmail must be authorised by the end user's line manager. Users that access unauthorised webmail, blogging sites and social networking sites from Trust equipment will be in breach of the policy and this may lead to disciplinary or criminal action.

14 Related Documentation
E-mail Policy
IT Security Policy
Staff Confidentiality Code of Conduct
Data Protection Policy
Safe Haven Policy
Trust Disciplinary Policy
Trust Incident Policy
Mobile Computing Policy
Forensic Readiness Policy
Information Governance Strategy
Freedom of Information Policy
Information Lifecycle & Records Management

15 References
The following legal or contractual requirements apply when monitoring users' activity on the Internet:
- Copyright, Designs and Patents Act 1988
- Data Protection Act 1998
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
- Human Rights Act 1998
- Regulation of Investigatory Powers Act (RIPA) 2000
- Computer Misuse Act 1978


16 Cluster PCT Information Governance Contacts


Marianne Heading, Head of Information Governance, 01246 514902
Darran Turley, Information Security and Governance Manager, 01332 888080
Lynn Blurton, Information Governance and Access Officer, 01332 888080
Bronwyn Jackson, Information Governance Officer, 01332 888080
Karen McBride, IG, Projects & Programme Support Officer, 01332 888080



Appendix 1 Blocked categories


Categories that are currently blocked using Surf Control:
- Adult/sexually explicit
- eBay sites
- Games
- Glamour & intimate apparel
- Hacking
- Personals & dating
- Streaming media
- Web-based E-mail
- Chat
- Criminal Activity
- Criminal Skills
- Downloads
- Gambling
- Hate
- Illegal Drugs (note: this site may be required for certain areas of work)
- Intimate Apparel & Swimwear
- Intolerance and Hate
- Peer to Peer
- Phishing & Fraud
- Ringtones/Mobile Phone Downloads
- Spam URLs
- Spyware
- Tasteless & Offensive
- Violence
- Weapons



Appendix 2 Access Denied Screen Shot



Appendix 3 Internet Access Procedure


Requests for Internet access should be made to the DHIS Customer Service Team, Cardinal Square, 10 Nottingham Road, Derby DE1 3QT, telephone 01332 868900. The line manager will be sent an e-mail from the Customer Service Team outlining instructions on the procedure for requesting a new account for the applicant. Attachments will consist of:
- A copy of the Internet Access Policy
- Internet Access Procedure
- One copy of the Declaration of Confidentiality
- A copy of the E-mail Policy

The applicant should read and understand the Internet Access and E-mail Policies and retain these for their use. The application form should be completed and signed by the line manager and applicant. This should be filed according to Trust. Once the applicant has been granted permission, the line manager should email the Customer Service Team with the specific information that has been requested. Once this has been received the account will be created. The Customer Service Team will send an e-mail to the line manager informing them that the account has been created and giving instructions on how the applicant can access the account. A user name and password will be provided, with the request to change the password upon first login.



Internet Access Application Form

Does this employee require internet access to support their working business needs? Yes / No (please tick one box)
Name:
Post:
Base:

Declaration
I confirm that I have been made aware of and fully understand the Cluster PCT Internet Use Policy. I understand that if I am in breach of any part of the Internet Use Policy my Internet access will be withdrawn and disciplinary action may be instigated.
Name:
Signature:
Date:

Authorised by Line Manager
I authorise the provision of Internet access to the applicant named above.
Signature:
Date:

Managers - please file the completed and authorised form within your staff member's personal file.


Appendix 4 Declaration of Confidentiality


I acknowledge receipt of password(s) which will mean access to the Internet on the understanding that:
a) I will not convey the password(s) to any other person.
b) I will not leave information on the VDU screen when not in use.
c) I will not divulge any confidential information held on any computer based system to any unauthorised person.
d) I understand that non-compliance with the above conditions would be a breach of confidentiality and could result in disciplinary proceedings being taken against me which may place my employment at risk.
e) I understand that access to the World Wide Web is strictly limited to topics, addresses and downloads relating to the business of the Trust and that access to inappropriate information could place my employment at risk.
f) I will not disclose, unlawfully forward or publish corporate, confidential or sensitive information which may lead to a potential confidentiality breach.

Signed:
Name (Block Capitals):
Job Title:
Department:
Date:

Managers - please file the completed and authorised form within your staff member's personal file.



Appendix 5 Application to Access Social Networking or any other blocked internet sites
Name:
Department:
Date:
Site (please quote full URL):
Date site required:

Reason for access:
(This section must contain enough information for the Information Governance Team to understand the clinical/business reason for allowing access to this site. It must also indicate why this site in particular should be allowed. Insufficient information will result in the form being returned and delays. Some requests may be referred to the Joint Information Governance Committee for approval.)

Signature (of Applicant):
Service Line Manager agreement (sign and print name):
Date:
IG Team agreement (sign and print name):
Date:

Form to be sent to: Information Governance Team, 4th Floor, North Point, Cardinal Square, 10 Nottingham Road, Derby DE1 3QT.
