Document Title… · CNTW(O)65 – Acceptable Use of Intranet and Internet Policy – V02.1 Oct 19...

Cumbria Northumberland, Tyne and Wear NHS Foundation Trust Appendix 1 – Summary of User Declaration CNTW(O)65 – Acceptable Use of Intranet and Internet Policy – V02- Oct 18

Document Title Acceptable Use of Intranet and Internet Policy

Reference Number CNTW(O)65

Lead Officer Lisa Quinn,

Executive Director of Performance and Assurance

Author(s) (name and designation)

Angela Faill Head of Information Governance and Medico Legal

Ratified by Business Delivery Group

Date ratified October 2018

Implementation Date October 2018

Date of full implementation

October 2018

Review Date October 2021

Version number V02.1

Review and Amendment

Log

Version Type of Change

Date Description of Change

V02 Review Oct 18 Review

V02.1 Review Oct 19 Governance changes

This Policy supersedes the following document which must now be destroyed:

Document Number Title

V02 Acceptable Use of Intranet and Internet Policy

CNTW(O)65

Acceptable Use of Intranet and Internet Policy

Section Contents Page No.

1 Introduction 1

2 Purpose 1

3 Duties, Accountability and Responsibilities 2

4 Definition of Terms 2

5 Procedure / Process 3

6 Identification of Stakeholders 6

7 Training 6

8 Implementation 7

9 Fair Blame 7

10 Fraud, Bribery and Corruption 7

11 Monitoring Compliance 7

12 Associated Documents 7

13 References 8

Standard Appendices – attached to Policy

A Equality Analysis Screening Toolkit 9

B Training Checklist and Training Needs Analysis 11

C Audit Monitoring Tool 13

D Policy Notification Record Sheet - click here

Appendices – attached to Policy

Appendix No.

Description

1 Summary of User Declaration

https://www.cntw.nhs.uk/about/policies/appendix-d-policy-notification-record-sheet/

CNTW(O)65

Cumbria Northumberland, Tyne and Wear NHS Foundation Trust CNTW(O)65 – Acceptable Use of Intranet and Internet Policy – V02.1 Oct 19

1

1 Introduction 1.1 In common with other NHS organisations, Cumbria Northumberland, Tyne

and Wear NHS Foundation Trust (the Trust / CNTW) operates access to the Internet through its connection to N3 (NHSnet), a private network that operates throughout the NHS and is inaccessible to non-NHS organisations. The Trust also provides an Intranet that is internal to the Trust and provides access to a wide range of Trust-specific information.

1.2 The Internet is fast and effective electronic means of communicating and

gathering information that can enhance the efficiency and effectiveness of staff in the Trust.

The Intranet is a website that is internal to the Trust that will provide access to a wide range of Trust-specific information;

The facilities exist primarily for the purpose of conducting Trust business but can also be used for permitted personal purposes;

The Internet provides a wide-ranging source of information and knowledge but offers no guarantee of accuracy, reliability and authenticity;

The Internet and N3 are now the primary means of communicating policy by the NHS Executive within the NHS organisation;

The Trust will use these facilities to the full (but within available resources and technology) in communicating and cascading information throughout the organisation. Staff are encouraged to familiarise themselves with the facilities and to make use of the Trust’s Intranet site;

Internet facilities employ complex technology which is not guaranteed to be 100% available and staff should not rely wholly and solely on them for critical business. (See the Trust Integrated Emergency Plan).

2 Purpose 2.1 This Policy sets rules and provides guidance for the use of the Trust Intranet

and Internet facilities, and ensures that the Trust adheres to the requirements of the ‘Statement of Compliance’ to N3 (SoC).

2.2 This Policy will ensure that staff understand and comply with legal

requirements surrounding the use of Intranet and Internet facilities.

CNTW(O)65


2

3 Duties, Accountability and Responsibilities

Responsibility for implementation and compliance to this Policy lies with the Chief Executive;

The Senior Information Risk Owner (SIRO) has delegated responsibility from the Chief Executive. The SIRO is the Executive Director of Commissioning & Quality Assurance;

The Information Asset Owner (IAO) is responsible for Risk Management of the Internet and Intranet. The Information Asset Owner is the Director of Informatics;

Associate Directors must ensure ownership for implementation throughout their respective Locality Care Groups;

The Director of Informatics has responsibility for ensuring that appropriate safeguards and monitoring facilities are in place;

It is the responsibility of the Information Governance Team to monitor the appropriate use of Internet / Intranet access and alert Trust management where inappropriate use is discovered, in accordance with the Trust Incident Reporting Procedures;

Each and every employee including voluntary and agency staff is responsible for the adherence to this Policy whilst operating any personal computer (or similar equipment), accessing the Trust’s Internet / Intranet. Failure to adhere to this Policy may result in disciplinary action.

4 Definition of Terms

N3:

Formerly known as NHSnet. A virtual private network that operates throughout the NHS and is inaccessible to non-NHS organisations.

Pornography

Pornography can take many forms. For example, textual descriptions still and moving images, cartoons and sound files. Some pornography is illegal in the UK and some is legal. The law makes it an offence under the Obscene Publications Act 1959 and 1964 to publish, whether for gain or not, any content whose effect will tend to "deprave and corrupt" those likely to read, see or hear the matter contained or embodied in it.

Copyright

Copyright is a term used to describe the rights under law that people have to protect original work they have created. The original work

CNTW(O)65


3

can be a computer program, document, graphic, film or sound recording, for example. Copyright protects the work to ensure no one else can copy, alter or use the work without the express permission of the owner. In the case of computer software, users purchase a licence to use the work. The organisation purchases licences on behalf of its users.

5 Procedure / Process 5.1 Core Principles

All Staff will have access to the Intranet and Internet;

Recognised staff organisations, including Trade Unions, will have access to the Intranet and Internet;

Non NHS Organisations and third parties may also have access to Intranet and Internet;

Personal use of the facilities will be limited and within prescribed areas;

Safeguards will be established to protect the security, integrity and availability of the Trust’s systems;

The requirements of relevant Acts of Parliament and mandatory National Policies will be observed at all times;

Staff awareness of copyright and contractual issues will be raised. 5.2 Common Standards – Internet and Intranet 5.2.1 Access 5.2.1.1 All users are required to complete an ‘E-mail and Internet Services - User

Code of Connection’ Form (or any electronic equivalent introduced by the Informatics Department), which needs to be submitted to the Trust’s IT Service Desk before access is granted. Access must be acknowledged by the individual to confirm that they have been made aware of and will adopt good working practices, and that they have read and understood this Acceptable Use Policy.

CNTW(O)65


4

5.2.2 Personal Use 5.2.2.1 Limited personal use of Internet facilities is permitted, during scheduled

breaks and with permission of Line Managers, provided that the material accessed is appropriate and is not potentially offensive to others. The Trust may from time to time block certain sites. The use of the Internet for personal transactions only, such as booking reservations or tickets or the purchase of any goods or services for personal use, is permitted. Employees should regard this facility as a privilege that should not be abused and should normally be exercised in their own time and without detriment to the job. Inappropriate or excessive use may result in disciplinary action and / or removal of facilities. Staff should be aware that Internet access will be subject to monitoring.

5.3.3 Inappropriate Use 5.3.3.1 In accordance with Trust Workforce (HR) Policies, access to websites that

contain inappropriate material is strictly forbidden, e.g. pornography, instruction on criminal or terrorist skills, adult themed chat sites, promotion of cults, gambling, content or statements of a nature which are liable to cause offence to others (this list is not exhaustive), or any other material likely to bring the Trust into disrepute.

5.3.3.2 The Trust runs software to filter access to inappropriate sites. Due to the

dynamic nature of the Internet, this software may not always filter inappropriate material. Employees should operate the ‘Back’ button immediately should they inadvertently access unsuitable material and report this immediately to the IT Service Helpdesk (this may be done on-line if out of hours). Purposeful access or downloading of such material shall be deemed an act of gross misconduct. However, the Trust notes that access to subjects and sites of a potentially contentious nature may be appropriate in some areas of normal operation and / or in specific circumstances, e.g. sex education, youth advice, counselling on gambling, approved research, etc. The Trust therefore places special responsibilities of care on staff operating in such areas to ensure that such access is necessary and that other users, staff and members of the community are not exposed to any such material without good cause. Access to such sites must not be excessive for the intended purpose, and must be agreed with line managers, then documented appropriately.

5.3.4 Commercial Use 5.3.4.1 Staff must not use the Internet or Intranet to conduct transactions in pursuit

of their own or other person’s commercial or business interests nor in such a way as to implicate the Trust in those transactions. This is a direct breach of the Trusts compliance with the N3 ‘Statement of Compliance’ (SoC). If in doubt, staff should consult the Information Governance Department.

CNTW(O)65


5

5.3.5 Copyright 5.3.5.1 Files must not be downloaded from the Internet and used in such a way as

to violate copyright laws. Even if downloading and / or streaming is permissible under copyright law, there may be restrictions with regard to copying, forwarding, or otherwise distributing files. Staff should be aware that copyright law includes music. Therefore music tracks such as MP3’s videos must not be downloaded or streamed.

5.3.6 Viruses 5.3.6.1 Viruses can damage computer systems, destroy data, cause disruption and

incur considerable expense for the Trust. The Trust will provide an Antivirus solution and staff must not alter of change the configuration under any circumstances. All files downloaded from the Internet must be virus checked before use. Employees must not independently load software onto their PCs (this includes screen-savers). All software installations must be arranged with the Informatics Department.

5.3.7 Internet Service Providers 5.3.7.1 Internet access must be via the Trust’s network provided equipment in all

instances. The use of modems is strictly prohibited on the Trust network. Through connection to N3, Organisations have the ability to send messages and documents globally across the Internet. E-mail being transmitted across the Internet is completely insecure without encryption. No patient identifiable / confidential information must be sent over the Internet without the use of an approved encryption certificate.

5.3.7.2 Many employees of the Trust will have private external E-mail accounts

(webmail) that are provided by Internet Service Providers (ISP’s), which may be accessible via the Web, e.g. Hotmail accounts etc. These accounts must under no circumstances be used to transfer confidential Organisational information or for the transfer of confidential person identifiable information. No E-mails containing such information are to be sent to or from these accounts. No confidential person identifiable information should be stored on the Internet via Cloud file storage.

5.3.7.3 Employees wishing to use personal mobile broadband on Trust premises

must seek approval from their Line Manager. 5.3.8 Blocking of Inappropriate Content 5.3.8.1 The Trust employs software to enable the blocking of sites, the content of

which is deemed inappropriate, or where access may cause excessive use of bandwidth.

Attempts to access web sites that display inappropriate content will be

logged by the system and may result in disciplinary action being taken against the individual concerned up to and including dismissal.

CNTW(O)65


6

5.3.8.2 Suspected attempts to access certain categories of site, specifically those which display any material likely to be illegal such as Child abuse or obscene images which seek to deprave will result in immediate notification to the Police for immediate investigation. Attempts to access this type of material is a criminal offence.

5.3.8.3 All use of the Internet will be logged by the system and monitored. 5.3.8.4 Where a user identifies a site that has been blocked that they require access

to as part of their work, they can make a request to have the site opened for use, via the Informatics Service Desk. Any decision to unblock a site for a particular user, group of users or Trust wide will be considered by the Information Governance Team in the first instance.

6 Identification of Stakeholders 6.1 This is an existing Policy with additional / changed content that relates to

operational and / or clinical practice and was therefore circulated to the following for a four week consultation period:

North Locality Care Group

Central Locality Care Group

South Locality Care Group

North Cumbria Locality Care Group

Corporate Decision Team

Business Delivery Group

Safer Care Group

Communications, Finance, Informatics

Commissioning and Quality Assurance

Workforce and Organisational Development

NTW Solutions

Local Negotiating Committee

Medical Directorate

Staff Side

Internal Audit

7 Training 7.1 Training of the key elements of this Policy is incorporated into the annual

Information Governance training mandated to all staff. 7.2 Where additional training is required it is the responsibility of both managers

and staff to ensure that this is undertaken and that attendance is verified and recorded.

CNTW(O)65


7

8 Implementation 8.1 Taking into consideration all the implications associated with this policy, it is

considered that a target date of November 2018 is achievable for the contents to be implemented across the Trust.

9 Fair Blame 9.1 The Trust is committed to developing an open learning culture. It has

endorsed the view that, wherever possible, disciplinary action will not be taken against members of staff who report near misses and adverse incidents, although there may be clearly defined occasions where disciplinary action will be taken.

10 Fraud, Bribery and Corruption 10.1 In accordance with the Trust’s Policy CNTW(O)23 – Fraud, Bribery and

Corruption Policy / Response Plan, all suspected cases of fraud and corruption should be reported immediately to the Trust’s Local Counter Fraud Specialist or to the Executive Director of Finance.

11 Monitoring Compliance 11.1 Responsibility for monitoring compliance with this Policy locally lies with

Associate Directors and Line Managers. 11.2 The Information Governance Team will monitor compliance with this Policy

through observation, spot checks and through incident management in line with the Trust Incident Reporting Process.

11.3 Any compliance issues will be reported to the Line Managers concerned and

may be handled through staff disciplinary processes or contractual arrangements.

11.4 Incident Reporting

11.4.1 All incidents involving the loss of data whether encrypted or unencrypted

must be reported immediately to the Information Governance and dealt with in accordance with the Trust incident Reporting Procedure (See Trust Policy, CNTW(O)05 - Incident Reporting and Procedures).

12 Associated Documents

CNTW(HR)04 - Disciplinary Policy

CNTW(HR)24 – Social Media Policy

CNTW(O)65


8

CNTW(O)05 - Incident Policy , (including the management of

Serious Untoward Incidents and associated practice guidance notes (PGNs))

IP-PGN-14 – Reporting of Information Governance Incidents

CNTW(O)08 - Dignity and Respect at Work Policy

CNTW(O)09 - Management of Records Policy (and associated PGNs)

CNTW(O)29 - Confidentiality Policy (and associated PGN)

CNTW(O)33 - Risk Management Policy

CNTW(O)35 - Information Security Policy

CNTW(O)43- Freedom of Information Policy

CNTW(O)55 - Information Risk Policy

CNTW(O)62 - Information Sharing Policy

13 References

http://www.connectingforhealth.nhs.uk/

www.iwf.org.uk/

http://www.connectingforhealth.nhs.uk/

http://www.iwf.org.uk/

CNTW(O)65


9

Appendix A

Equality Analysis Screening Toolkit

Names of Individuals involved in Review

Date of Initial Screening

Review Date Service Area / Locality

Angela Faill October 2018 October 2021 Trustwide

Policy to be analysed Is this policy new or existing?

CNTW(O)65 Acceptable use of Intranet and Internet Policy

New

What are the intended outcomes of this work? Include outline of objectives and function aims

This Policy sets rules and provides guidance for the use of the Trust Intranet and Internet facilities, and ensures that the Trust adheres to the requirements of the ‘Statement of Compliance’ to N3 (SoC).

Who will be affected? e.g. staff, service users, carers, wider public etc

Staff, Service Users and the wider public.

Protected Characteristics under the Equality Act 2010. The following characteristics have protection under the Act and therefore require further analysis of the potential impact that the policy may have upon them

Disability N/A

Sex N/A

Race N/A

Age N/A

Gender reassignment

(including transgender)

N/A

Sexual orientation. N/A

Religion or belief N/A

Marriage and Civil Partnership

N/A

Pregnancy and maternity

N/A

Carers N/A

Other identified groups N/A

How have you engaged stakeholders in gathering evidence or testing the evidence available?

Though standard Policy consultation mechanisms.

CNTW(O)65


10

How have you engaged stakeholders in testing the policy or programme proposals?


For each engagement activity, please state who was involved, how and when they were engaged, and the key outputs:


Summary of Analysis Considering the evidence and engagement activity you listed above please summarise the impact of your work. Consider whether the evidence shows potential for differential impact, if so state whether adverse or positive and for which groups. How you will mitigate any negative impacts. How you will include certain protected groups in services or expand their participation in public life.

N/A

Now consider and detail below how the proposals impact on elimination of discrimination, harassment and victimisation, advance the equality of opportunity and promote good relations between groups. Where there is evidence, address each protected characteristic

Eliminate discrimination, harassment and victimisation

N/A

Advance equality of opportunity N/A

Promote good relations between groups N/A

What is the overall impact?

N/A

Addressing the impact on equalities N/A

From the outcome of this Screening, have negative impacts been identified for any protected characteristics as defined by the Equality Act 2010? No

If yes, has a Full Impact Assessment been recommended? If not, why not?

Manager’s signature: Angela Faill Date: October 2018

CNTW(O)65


11

Appendix B Communication and Training Check list for policies

Key Questions for the accountable committees designing, reviewing or agreeing a new Trust policy

Is this a new policy with new training requirements or a change to an existing policy?

This is an existing policy.

If it is a change to an existing policy are there changes to the existing model of training delivery? If yes specify below.

N/A

Are the awareness/training needs required to deliver the changes by law, national or local standards or best practice?

Please give specific evidence that identifies the training need, e.g. National Guidance, CQC, NHS Resolutions etc.

Please identify the risks if training does not occur.

Ensure that all staff are made aware of Trust Policy, Legal and N3 Code of Connection requirements.

Please specify which staff groups need to undertake this awareness/training. Please be specific. It may well be the case that certain groups will require different levels e.g. staff group A requires awareness and staff group B requires training.

Trustwide

Is there a staff group that should be prioritised for this training / awareness?

It is essential that all staff groups within the Trust are made aware of the policy and the responsibilities associated with the legislation and guidance.

Please outline how the training will be delivered. Include who will deliver it and by what method. The following may be useful to consider: Team brief/e bulletin of summary Management cascade Newsletter/leaflets/payslip attachment Focus groups for those concerned Local Induction Training Awareness sessions for those affected by the new policy Local demonstrations of techniques/equipment with reference documentation Staff Handbook Summary for easy reference Taught Session E Learning

Team brief, CEO Bulletin, Intranet, face to face training, E learning ,Staff IT Handbook

Please identify a link person who will liaise with the training department to arrange details for the Trust Training Prospectus, Administration needs

Head of IG and Medico Legal.

CNTW(O)65


12

Appendix B – continued

Training Needs Analysis

Staff / Professional Group

Type of Training Duration of Training

Frequency of Training

All Mandatory IG Training 1 hour Annual

Should any advice be required, please contact: - 0191 245 6777 (internal 56777) Option 1

CNTW(O)65


13

Appendix C Monitoring Tool

Statement The Trust is working towards effective clinical governance and governance systems. To demonstrate effective care delivery and compliance, Policy authors are required to include how monitoring of this policy is linked to Auditable Standards / Key Performance Indicators will be undertaken using this framework.

CNTW(O)65 – Acceptable Use of Intranet and Internet Policy - Monitoring Framework

Auditable Standard / Key Performance Indicators

Frequency / Method / Person Responsible

Where Results and Any Associate Action Plan Will Be Reported To and Monitored; (this will usually be via the relevant Governance Group)

1. The Trust will ensure that appropriate controls are in place to provide security to networked facilities

The Trust network is subject to an Annual Risk Assessment by the Information Asset Owner / Information Asset Administrator which will include access to Internet and Intranet

Identified risks will be reported via Information Asset Owner to the Senior Information Risk Owner annually and reported to Caldicott and Health Informatics Group

2. The most current version of anti-virus software will be available on all Trust computers

The Trust network is subject to an Annual Risk Assessment by the Information Asset Owner / Information Asset Administrator.

Identified risks will be reported via Information Asset Owner to the Senior Information Risk Owner annually or if and when an incident occurs

3. All incidents or breaches of policy are clearly and accurately recorded through the reporting of incidents

Incidents discussed at Information Governance Incident Management Group Bi-monthly Incident Report through Caldicott and Health Informatics Group

Caldicott and Health Informatics Group

The Author(s) of each Policy is required to complete this monitoring template and ensure that these results are taken to the appropriate reporting Governance Group as above in line with the frequency set out.

CNTW(O)65

Appendix 1

Cumbria Northumberland, Tyne and Wear NHS Foundation Trust Appendix 1 – Summary of User Declaration CNTW(O)65 – Acceptable Use of Intranet and Internet Policy – V02- Oct 18

Summary of User Declaration

Internet and E-mail Services are provided for those purposes directly related to a user’s work or areas of legitimate research and operational services.

Limited personal use of the services is permitted. Always obtain management consent for such usage, and do not abuse the privilege.

No illicit material will be sent / viewed / downloaded or obtained via the Internet or E-mail. Advice should be taken from the Information Governance Department where there is any doubt.

The Trust will provide an Antivirus solution and staff must not alter of change the configuration under any circumstances.

Forwarded material may be subject to copyright and all copyright restrictions must be adhered to.

Unlicensed or unauthorised software must not be installed on any PC.

Care must be taken when sending E-mails to ensure that they are addressed to the intended recipients only.

Breaches of security, abuse of services or non-compliance with the Trust’s Information Security Policy or the Code of Connection, may result in the withdrawal of E-mail and Internet Services.

The Trust’s Disciplinary Procedure will be invoked should abuse of E-mail Services or non-compliance with the Code of Connection occur.

USER ACCEPTANCE:

I have read and understand the E-mail and Internet Services Code of Connection and agree to abide by it. User Signature: ………………………………………………………………….. Name (please print): …………………………………………………………..… Telephone No: …………………… Date:……………………………….... Department / Directorate: ………………………………………………

Document Title… · CNTW(O)65 – Acceptable Use of Intranet and Internet Policy – V02.1 Oct 19...

Documents

Transcript of Document Title… · CNTW(O)65 – Acceptable Use of Intranet and Internet Policy – V02.1 Oct 19...