
Internet and Electronic Communications Policy

Key Words: e-communication
Version: 2.0
Adopted by: Quality Assurance Committee
Date Adopted: 17 April 2018
Name of Author: HIS Information Security Manager
Name of responsible Committee: Records and Information Governance Group
Date issued for publication: April 2018
Review date: October 2019
Expiry date: 1 December 2020
Target audience: All Staff
Type of Policy: Clinical / Non Clinical
Which Relevant CQC Fundamental Standards? Regulation 17 – Good Governance

Internet and Electronic Communications Policy: This Policy specifies the detailed requirements for the acceptable use of the Internet and of Electronic Communications, including Social Media, and the monitoring permitted to support Trust responsibilities in this key control area.

Page 2 of 52

CONTENTS

Equality Statement 4
Due Regard 4
Definitions that apply to this Policy 5
1.0 Purpose 10
2.0 Summary and Key Points 11
3.0 Introduction 11
4.0 Duties of the organisation 11
5.0 General Principles 12
5.1 Risk Assessment 13
5.2 Rules that Apply 13
5.3 Usage Concerns 13
5.4 Accidental Access/Download 14
5.5 Appropriate Use/Exploitation of communications technology 14
5.6 Personal Use 15
5.6.1 Using NHS Facilities for Personal Use 15
5.7 Transmission/electronic transfer of Personal Confidential Data (PCD) 16
5.8 Use of e-Communications tools/systems for clinical purposes 16
5.9 Investigation Process 17
6.0 Best Practice Requirements 18
6.1 Best Practice when using Trust approved systems and services 19
6.2 Personal use of social media (during unpaid breaks outside of work) 22
7.0 Prohibited Use 23
7.1 General advice applicable to personal and business use of e-communications in and outside of work 23
7.1.1 Exceptions 23
7.2 Prohibited Use: applicable when using NHS equipment and services whether for work or personal purposes 24
8.0 Breaches of Policy 25


9.0 Training 26
10.0 Monitoring Compliance 26
10.1 Social Media: Content Management 27
10.2 Audit 27
11.0 Standards and Performance Indicators 28
12.0 Reference and Bibliography 28

APPENDICES

Appendix 1 Obtaining an LPT Social Media Account 29
Appendix 2 Personal Usage Considerations 30
Appendix 3 Risk Assessment for electronic communication with patients 31
Appendix 4 Impact Assessment on Monitoring at Work in the Leicestershire and Rutland Health Community (non-Acute) 38
Appendix 5 Training Requirements 47
Appendix 6 NHS Constitution 48
Appendix 7 Stakeholder and Consultation 49
Appendix 8 Due Regard Screening 50
Appendix 9 Privacy Impact Assessment Screening 52


Version Control and Summary of Changes

Version 1, June 2014, V Hill, Draft: Version 1 created to replace the Trust e-messaging policy as a reflection of the rapidly changing communications environment.

Version 2, December 2017, V Hill, Final Draft: Version 2 created to reference [Secure] email and policy annual review.

For further information contact:

Information Security Manager

Leicestershire Health Informatics Service

[email protected]

Equality Statement

Leicestershire Partnership NHS Trust (LPT) aims to design and implement policy documents that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account the provisions of the Equality Act 2010 and promotes equal opportunities for all.

This document has been assessed to ensure that no one receives less favourable treatment on the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage, civil partnership, race, religion or belief, pregnancy and maternity.

In carrying out its functions, LPT must have due regard to the different needs of different protected equality groups in its area. This applies to all the activities for which LPT is responsible, including policy development and review.

Due Regard

The Trust's commitment to equality means that this policy has been screened in relation to paying due regard to the Public Sector Equality Duty as set out in the Equality Act 2010 to eliminate unlawful discrimination, harassment and victimisation; advance equality of opportunity; and foster good relations.


Please refer to Appendix xx, which provides a detailed overview of the due regard undertaken in support of this activity.

Definitions that apply to this Policy

Asset: Any Trust information system, hardware, software or resource.

Attachment: A file that is attached to an e-mail message. Attachments are normally considered separately from the body of an e-mail message. Attachments can contain malicious software and should be opened with care.

Authorisation: The granting or denying of access rights to network resources by a set of security procedures.

Authorised User: An individual granted access in accordance with Trust procedures. May include staff, contractors, trainees, students, locums, volunteers and Board members. Authorised users must be contracted to LLR.

Blogging: Using a public website to write an online diary (web-log), e.g. Twitter or LinkedIn.

Caldicott Guidelines: A set of standards developed in the NHS for the management of patient information.

Channel Shifting: Changing communication mechanisms; for example, the use of interactive websites and online tools to share information, opinions and knowledge, providing opportunities for transparent engagement with stakeholders in forums or equivalents. One area of 'shift' in the type of e-communication used results from raised awareness in the general public of social networking tools.

Electronic Communications (E-Communications): In the context of this policy, this term refers to sending, posting, publishing, downloading or otherwise sharing digital information, including images, by way of Trust controlled or other communication systems, including social media systems. Examples are telephone, text, fax, e-mail, teleconferencing, video conferencing, instant messaging, bulletin boards, threads, social networking, news groups, video/chat applications (e.g. Skype), electronic communication discussion groups and more.

Electronic Messaging (E-messaging): Any message composed, sent or stored by any electronic means, including e-mail, SMS texting, voice messaging, digital images and fax.

Electronic resource/Equipment: This includes computers (server, PC/workstation, laptop, palm top or any PDA (personal digital assistant)), network assets and any other peripheral equipment linked to the network or which could be linked to the network, and also mobile phones and PDAs authorised for use on Trust business which may not be linked to the network but could be used to send and receive text messages or other data.


Electronic mail (E-mail): Any message, image, form, attachment, data or other communication sent, received or stored within an electronic mail system. E-mail may be transmitted across interconnected networks, including the local network linked to the NHS N3 network, which is in turn linked to the Internet. Misaddressed mail may go to insecure locations across the world and be re-sent by the recipients. All e-mail containing sensitive information must be managed according to the tenets of this policy.

Encryption in transmission: A Trust approved mechanism whereby e-mail containing personal sensitive information (PII) may be sent between Secure Email Contacts in the local health community. This e-mail is encrypted whilst in transit but not on arrival; it is therefore essential that it is correctly addressed.

Encryption in full: A Trust approved mechanism whereby e-mail attachments are PKZipped and encrypted with a specified 20 character passphrase. This can be used to send PII by e-mail outside of the local health community. The attachment remains encrypted until the recipient applies the 20 character passphrase to unlock it, so if the e-mail is misaddressed the recipient will not be able to view the encrypted attachment (the passphrase must not be sent in the same e-mail). Users should seek support from the LHIS Service Desk when using this solution for the first time.

Firewall: A security mechanism that limits access across a network connection.

Forum: A discussion board (also known as a discussion group, discussion forum, message board or online forum) is a general term for any online "bulletin board" where you can leave messages and expect to see responses to them, or simply read the board. The first discussion boards were available on dedicated bulletin board systems; Usenet now provides thousands of discussion boards on the Internet. Many websites include the software facility to offer discussion boards so that users can share and discuss information and opinions.

Information Security Policy (ISP): A Trust Policy governing a wide range of secure processes according to the security standards, including a policy statement governing these detailed requirements.

Internet: A global system connecting computers and computer networks owned by a wide range of organisations.

Intranet: A private network for communication and sharing of information, accessible only to authorised users within a Trust.

Junk mail/spam: Unsolicited e-mail messages, usually of a commercial nature, chain letters or other mass mailings.

Libel: The publication of a defamatory statement in permanent form, which includes publication on the Internet.

Malicious software (malware): Software deliberately designed to infiltrate and harm a computer or network without the owner's consent, including viruses, Trojan horses, worms, rootkits, spyware, adware, crimeware and others.

Microblogging: A web service that allows the subscriber to broadcast short messages to other subscribers of the service. Microposts can be made public on a website and/or distributed to a private group of subscribers. Subscribers can read microblog posts online or request that updates be delivered in real time to their desktop as an instant message or to a mobile device as an SMS text message. The appeal of microblogging is both its immediacy and its portability. Twitter, for example, is becoming widely used by public figures, including politicians.

Monitoring: Monitoring may include the interception of communications, monitoring of systems, logging, recording, inspecting and auditing of electronic activity, and the communication of this to nominated investigators to satisfy Trust responsibilities and obligations, in accordance with the law (including the Human Rights Act (Article 8) and the Regulation of Investigatory Powers Act (RIPA)).

N3: An unsecured wide area network developed for the NHS but shared by other Trusts and considered a 'hostile' environment (requiring systems and services operating across it to ensure their own security).

Network: An infrastructure which is configured and maintained to assure performance, availability and integrity of information exchange between the computers and peripherals it connects. A network may be linked to other computer networks.

NHSmail: A national, centrally managed e-mail and directory service which is available to all NHS staff in England but has not yet been authorised for general use by LRHC Trusts.

Personal Confidential Data and other sensitive information (PCD): This phrase covers patient-identifiable sensitive information, confidential staff information or other third party confidential information, and business sensitive details. Depending upon the circumstances, the following examples can be defined as PCD:

- Patient's name, address, full postcode or date of birth
- Pictures, photographs, videos, audio tapes or other images of patients
- NHS number and local patient identifiable codes
- Other information that may be used to identify a patient directly or indirectly, for example rare diseases, drug treatments or statistical analyses which have very small numbers within a small population and may allow individuals to be identified

PDA (Personal Digital Assistant): Any electronic device capable of creating, receiving, transmitting and storing portable data, with the ability to connect to, and exchange information with, a PC or laptop computer. This includes devices known as:

- Palm tops
- Hand held computers
- Psions
- Mobile phones (iPhones, Androids)
- iPad
- Any other make/type of equipment meeting this criterion

Phishing: (Pronounced "fishing") An attempt to fraudulently acquire sensitive or personal information such as credit card details, bank account details, passwords or similar information, usually by masquerading as a trustworthy source (e.g. a bank) and usually in order to commit identity fraud.

SMS: Short Message Service, often referred to as texting to mobile phones.

Social Bookmarking: The facility to 'tag' favourites. Websites dedicated to social bookmarking, such as Flickr, provide users with a place to store, categorise, annotate and share favourite web pages...

Social Curation: Collaborative sharing of web content organised around one or more particular themes or topics.

Social Media: The collective of online communication channels dedicated to community-based input, interaction, content sharing and collaboration. Websites and applications dedicated to forums, microblogging, social networking, social bookmarking, social curation and wikis are among the different types of social media. Examples are Facebook, Twitter and LinkedIn. Social media is becoming an integral part of life online as social websites and applications proliferate. Most traditional online media include social components, such as comment fields for users.

Social Networking: The practice of expanding the number of one's business and/or social contacts by making connections through individuals. The unparalleled potential of the Internet to promote such connections is now being fully recognised and exploited through web-based groups established for that purpose, e.g. Facebook, LinkedIn.

Spoofing: Forgery of an e-mail so that it appears to have been sent by someone other than the actual sender.

Streaming Media: Video or audio content sent in compressed form over the Internet and played immediately, rather than being saved to the hard drive. With streaming media, a user does not have to wait to download a file to play it; because the media is sent in a continuous stream of data, it can play as it arrives. Users can pause, rewind or fast-forward, just as they could with a downloaded file (unless the content is live).

Third Generation, General Packet Radio Service (3G/GPRS): Provides mobile high-speed Internet connectivity using a USB stick (dongle) or built into a laptop. This enables use of the Trust VPN solution at locations without a dedicated or wireless network link. The reliability of this solution can be intermittent.

YouTube: A video-sharing website on which users can upload, share and view videos.

Wiki: User collaboration in forming the content of a website. The term comes from the word "wikiwiki", which means "fast" in the Hawaiian language.

1.0 Purpose of the Policy

This policy applies to all employees (including all Board members and non-executive board members) employed directly by Leicestershire Partnership NHS Trust, and to secondees, agency and consultancy staff, contractors and any others working on behalf of the Trust, including students and volunteers; these are referred to throughout this policy as 'staff'. The policy defines acceptable usage of e-Communications and the Internet for work purposes (including existing, planned or emerging 'channel shifting' facilities), and points to acceptable usage guidelines for electronic communications between a clinician and a patient (reference section 5.8 and Appendix 3 of this policy).

The guidelines relating to clinician and patient e-communications must be followed in association with any system specific guidance issued, with professional guidance issued to clinicians and allied professionals by their professional bodies, and in line with the Trust Information Lifecycle and Records Management Policy.

Obtaining or publishing information via streaming media such as YouTube is included.

The policy defines acceptable use of Trust electronic communication facilities for personal purposes.

The policy includes acceptable use guidelines for independent Internet and social media usage (for example, the use of Facebook in a private capacity with non-NHS equipment at home). These requirements do not seek to impinge on the human right to a private and personal life and opinion. Their purpose is to satisfy the Trust's obligation to reduce the risks to staff, patients and the Trust which have resulted from a significant shift in the general and business population towards publishing and sharing information and opinions via social media (and the consequent blurring of the lines between business and personal information).

The requirements take account of ICO advisories and are HR and staff side approved. The policy defines the monitoring activities undertaken to meet Trust obligations in relation to its provision of, use of and access to the Internet and e-communication facilities, and further defines the action that will be taken to identify and investigate reports of suspected Internet libel or defamatory statements impacting the Trust, or where a member of staff's Internet activity is considered to be in breach of the Trust Code of Business Conduct. This activity complies with the Regulation of Investigatory Powers Act and with advice from the Information Commissioner and Trade Unions relating to this Act, published as guidance on monitoring at work. The policy should be read in the context of the Data Protection Act, Freedom of Information Act, Copyright, Designs and Patents Act, Computer Misuse Act, Regulation of Investigatory Powers Act, the Human Rights Act (Article 8) and other relevant legislation, the Caldicott Principles, the NHS Code of Confidentiality and other Trust policies.

Relevant legislation, including existing NHS policies and existing NHS Leicester, Leicestershire & Rutland (LLR) policies, must be complied with. (Ref: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_079616)


2.0 Summary and Key Points

The acceptable usage of e-Communications and the Internet, including social media, will be specified in order to optimise the benefits of these services to LRHC, protect the Leicestershire Partnership NHS Trust from embarrassment, criticism or litigation, and ensure that Internet users are able to distinguish official corporate Trust information from the personal opinion of staff. Acceptable usage policy is supported by appropriate and proportional monitoring arrangements. The good practice requirements and prohibited usage outlined in this policy apply to all e-communications (ref. definitions table) by staff.

The policy includes specific requirements regarding the use of e-communications for personal purposes, whether in or outside of work, for example social networking, blogs or other forms of publishing information and opinions, in order to guard against a breach of good conduct guidelines.

Note: The Leicestershire Partnership NHS Trust is referred to as 'the Trust' in the remainder of this policy document.

3.0 Introduction

This policy specifies the detailed requirements of the Trust Information Security Policy Part One.

E-Communications: In the context of this policy, this term refers to sending, posting, publishing, downloading or otherwise sharing digital information by staff, whether using Trust controlled or other communication systems or the Internet, including social media systems.

'Channel Shifting' is a phrase applied to burgeoning changes in the way we communicate. For example, the LPT e-mail system, a key communication tool available to all employees, is supplemented by the use of interactive websites and online tools to share information, opinions and knowledge, and to build trust by 'networking'. The success of these 'shifting' mechanisms is due in part to a raised public awareness of the social media tools available through the Internet.

4.0 Duties within the Organisation

4.1 The Trust Board has a legal responsibility for Trust policies and for ensuring that they are carried out effectively.

4.2 All direct employees of this Trust will have access to Internet and e-mail facilities.

4.3 Information Security: Access to Trust provided facilities is subject to the Information Security Policy (ISP) and to specific systems policies. Device security must comply with the Trust ISP and personally owned devices must be authorised before being used for work purposes.


4.4 Communications Department: Only those authorised to give media statements may write or present views on behalf of the Trust. Unauthorised individuals may not, for example, join a discussion group or publish video communications (e.g. via YouTube) in the name of the Trust. Authorisation must be sought from the Communications Department (ref. Appendix 1).

All official LPT social media accounts are managed in conjunction with the LPT Communications Department. Teams/staff within the Trust wishing to create official accounts should consult the Communications Department before setting up an account, to ensure consistent messaging and approach to social media.

4.5 Data Privacy: Websites designed for Trust purposes must be under project control and must have the approval of Trust Communications and the Head of Data Privacy/Data Protection Officer.

4.6 IM&T Delivery Group: Usage of sites and systems for work purposes is subject to risk assessment, including a privacy impact assessment, and approval of the system by the Trust IM&TDG (ref. 5.1 below).

4.7 Line management is responsible for ensuring that users are familiar with policies and procedures relating to access and to acceptable use.

4.8 Patients and the general public are NOT permitted to access the Internet via a device connected to the Trust's network. Staff wishing to provide Internet connectivity to patients must contact the HIS to arrange a suitable solution.

4.9 Where a business visitor or contractor to the Trust wishes to use Internet facilities to access their own systems (e.g. for presentation purposes), the responsible Trust employee should request access to the Trust whitestar network. Visitors should be made aware that all accesses to the Internet from the Trust are captured and may be subject to review and investigation.

5.0 General Principles

The Trust recognises the benefit of the Internet and Electronic Communications, including Social Media, as valuable business (and personal) communication tools, which should be used in a responsible, professional and lawful manner, and in compliance with the Trust Business Code of Conduct. The Trust wishes to encourage use of these facilities to benefit its business objectives and to protect its reputation, patients and staff from the adverse impacts which can result from careless or inappropriate usage.

Where staff have any doubts regarding acceptable use of the Internet or of Electronic Communications, they should consult this policy, line management, Trust Governance or HR for advice. The use of these tools when working should support the performance of duties, be of reasonable duration and frequency, and serve a legitimate Trust interest.

5.1 Risk Assessment

The use of new tools for work purposes which are not commonly used within the Trust must be risk assessed (including a data protection impact assessment) and approved by the Trust IM&T Delivery Group, supported by the LHIS and with the involvement of Communications as appropriate. Staff should be aware that some tools may have features which present risks, for example: business social networking tools which include an option to merge address books; websites which store content outside the UK; e-communications with patients which do not give the clinician control over planning and initiating the communication.

5.2 Rules that Apply

Do not access, create, send, forward, copy, post or distribute any material (including information, questions, opinions or images) which is libellous, defamatory or derogatory, pornographic, sexually explicit, obscene, indecent or extreme, or which is discriminatory or harassing, or includes hostile material relating to gender, sex, race, sexual orientation, religious or political convictions or disability, or incitement of hatred, violence, terrorism or any illegal activity. Ask yourself: "Would I like this content to be disclosed in a Court of Law?"

Do not knowingly send or post material which causes distress or offence to another user. Senior Trust Management is the final arbiter on what is or is not offensive material, or what is or is not permissible access (other than for instances which demand criminal investigation).

In addition, staff must not send or post communications which encourage behaviour that could be linked to safeguarding issues, for example:

- Bullying
- Luring and exploitation
- Theft of personal information
- Encouraging self-harm or violence
- Glorifying activities such as excessive drinking or drug taking

5.3 Usage Concerns

Where staff are harassed, bullied or victimised by a message or post from another member of staff or from a patient or visitor, whether inside or outside of work, and the individual does not respond to an initial request for the activity to stop, contact your line manager or an HR adviser in the first instance (the Trust's Dignity at Work Policy and the patient and visitor mobile phone usage policy refer). Where offensive or defamatory comments about members of staff are shared in any public forum, legal advice may be sought and action taken where necessary.


Staff who consider themselves to be at risk of receiving inappropriate or obsessive attention from patients via social networking sites should seek advice from line management or from HR.

5.4 Accidental Access/Download

In the case of accidental access to material of the type referred to in paragraph 5.2, or to other material which may be considered of an offensive nature, note the time and website address, exit from the site and inform a Senior Manager (or nominated deputy). If you accidentally download or otherwise receive such material, inform the Service Desk and your line manager immediately on becoming aware of the content.

Be aware that the content of many Internet websites is not monitored or vetted, and innocuous seeming content, for example on streaming media sites such as YouTube, may hold content of an offensive or illegal nature.

Be aware that where the Health Informatics Service becomes aware of suspected inappropriate material on the network or equipment, a report will be raised to the relevant Trust governance lead for investigation.

If such material is accidentally downloaded, accessed or otherwise received in a personal capacity using non-NHS equipment or services, the user is advised to exit from the material immediately, raise a report to the site management, delete any offensive content downloaded, and keep a record of the date and time of the incident and the actions taken to mitigate its effects. Under no circumstances should you access the content for extended periods or send, forward or otherwise distribute its contents.

5.5 Appropriate Use/Exploitation of communication technology

The Trust wishes to embrace the use by staff of social media interactive and

collaborative websites and tools. Communications will provide guidance and training

to empower staff to interact online in a way that is consistent, transparent and

relevant to the benefit of its business objectives.

The Trust recognises that Electronic Communications are, for many, an essential part of modern life, and are widely used outside the world of work. The increasingly blurred line between ‘corporate social networking’ and ‘personal social networking’, however, means that posts made through personal accounts that are public may breach organisational policy if they misrepresent or bring the Trust into disrepute. This applies, for example, if you are identifiable as a ‘Trust member of staff’ when using social networking tools or when commenting on Trust related matters in a public forum.

Staff are reminded that where there are reasonable grounds to believe that an employee has, for example in blogs or on social networking sites, published material which brings the Trust into disrepute, or is libellous or defamatory or harassing, or breaches the NHS Code of Confidentiality, or damages working relationships, or seeks to misrepresent the Trust, or is otherwise in breach of professional or of reasonable conduct guidelines, then this could be viewed as misconduct or as gross misconduct and therefore be subject to the Trust disciplinary procedures. Staff should follow the detailed guidance in this policy and are strongly advised to note point 5.4 above in their personal/independent use of e-Communications/Social Media.

5.6 Personal Use

Limited personal use of Trust electronic communication facilities (e.g. access to the internet from your NHS owned device, or use of the Trust email system, or accessing social media from the Trust network) is permitted as a benefit where these are available, provided this does not interfere with the performance of duties, infringe upon work time, or in any way damage the reputation of the Trust. Personal usage must be of limited duration and frequency; must be confined to use during an employee’s unpaid breaks; and should not take place during paid contracted hours.

Personal usage must not overburden the system or create unreasonable expense. Consult with your line manager to confirm any local definition of ‘limited personal use’ of electronic communications and to agree restitution where costs may be incurred (for example, use of dongles, SMS texting, fax, telephone calls). Some of the criteria used by line management to determine acceptable personal use are outlined in Appendix 2. Users may be asked to justify the number of messages or time spent on personal usage of these services.

5.6.1 Using NHS Facilities for Personal Use

In using NHS facilities for personal purposes, the user should be aware that personal privacy cannot be guaranteed. Other means of communication should be chosen for communications or activities which staff consider to include personal confidential information and which they wish to keep private.

Occasional and reasonable personal use is a privilege and not an entitlement, and this privilege may be withdrawn at any time, either for specific individuals or for all employees of the Trust.

The Trust reserves the right to investigate, taking all necessary measures, any usage impacting network effectiveness or efficiency, and reserves the right to limit further personal access to Internet, Intranet and e-communication services where the capacity of the Network Internet connection to cope with business traffic is compromised.

Be aware that the Internet is inherently insecure, and confidential information in relation to the business of the Trust and/or personal confidential data of patients, staff or others must never be disclosed.


Personal related messages or posts sent via the Trust e-communication systems should be marked as ‘personal’ (e.g. in the email subject line) to enable access to work-only messages in the case of sickness or absence. Privacy cannot be guaranteed, but marked messages will be regarded as such and efforts made to ensure that they are accessed only where it is reasonable and proportional to do so, for example in relation to allegations of bullying or harassment or to a criminal investigation.

Any personal postings which might otherwise be construed as being representative of the Trust should include a statement to the effect that it is sent or posted in a personal capacity and is not representative of the Trust.

5.7 Transmission/electronic transfer of Personal Confidential Data (PCD)

Personal confidential data sent on behalf of the Trust must be encrypted before transmission across the Internet. The Trust has adopted a [Secure] send and receive policy. Staff must follow Trust guidelines when sending personal confidential data or other sensitive data across internal networks, N3, the Internet, or via any services or electronic resource/equipment. Contact the Service Desk for initial advice.

Reference: Secure email for PCD Guidance Notes

When sending confidential or sensitive information to non-NHS addresses, appropriate disclaimer and confidentiality statements must be included. For example, at the beginning of outgoing email: '*** NHS Email Confidentiality Notice ***. This message and any files transmitted with it are private and confidential. If you have received this message in error, please notify us and remove it from your system.'

Include contact details beneath the message.

The NHS Code of Confidentiality applies at all times, and posting of personal confidential information for which the Trust is responsible (i.e. patient or staff information), for example via blogs, business social networking sites, or personal social networking sites, is expressly forbidden.

5.8 Use of e-Communications tools/systems for clinical purposes

When planning or initiating the use of tools and systems which will enable direct electronic communications and consultations with patients, ensure that a risk assessment has been undertaken and, where relevant, a service specific policy is in place.

Services or clinicians wishing to adopt this approach should first consult with their Service Director or a nominated deputy, and may wish to consult further with the Head of Data Privacy (ref appendix 3, which considers e-communications, for example, by phone, email and text).

Where a dedicated patient communication system is proposed (e.g. video consultation) ensure that:

- the mechanism has been risk assessed (including a privacy impact assessment) from a security and governance, including clinical governance, viewpoint, and approved by the Trust IM&TOG (Information Management and Technology Operations Group);

- the mechanism, as far as is possible, places initiation and control of the communication with the clinician;

- the contact takes place in environments which are controlled as far as is necessary according to the nature of the appointment/consultation;

- there is provision to ensure a face to face consultation or other intervention if a patient care emergency should arise or if the electronic system fails;

- the consultation is appropriately documented in the patient record and extraneous recordings are archived or deleted as appropriate;

- the patient has been made aware of the limitations and any risks (including information risks) which are associated with a remote/electronic consultation;

- the process is supported by written policy and procedures, including documented consents where necessary;

- regular reviews are scheduled to ensure that usage of the tool is not expanded to other patients/patient groups/conditions without a full risk assessment having taken place (ref appendix 3 for risk assessment guidance);

- regular assessment of the impacts of these types of communication on the Network will be built into the risk assessment and benefits realisation processes.

Reasonable conduct and usual authorisation and vetting procedures will be followed when using e-communication facilities. Staff should note, for example, that emails carry the same weight in a court of law as do letters on headed notepaper, and must be approached in the same considered and professional way.

Some categories of internet site will be blocked, so as to prevent accidental access or to protect the network. If access is required for business use, users should contact their Director (or nominated deputy) to escalate the request to HIS for technical review.

5.9 Investigation Process

All information and documents and all e-messages or communications, including SMS, faxes and images, accessed, created, received, sent, stored or posted by an individual on or via the network, or via any electronic resource authorised for use for Trust purposes or attached peripherals, may be subject to audit, inspection, disclosure or removal by the Trust or a nominated deputy from HIS or 360 Assurance or qualified IT Assurance personnel. The only exception to this principle is material obtained by union officials working in their official capacity for union purposes. Union related e-messages should be marked as ‘union’ in the subject line.

Individuals with authorised access to confidential clinical information are bound by the principles of the Data Protection Act, the NHS Code of Confidentiality, and by their individual contract of employment to maintain patient confidentiality. 360 Assurance and qualified IT Assurance leads are required to comply with NHS Internal Audit Standards in relation to all their work and will comply with the Police and Criminal Evidence Act (1984) in undertaking any investigation.

Where the material referred to in 5.19 is held on equipment which is not owned or contracted by the NHS (for example user owned equipment authorised for use for work purposes, or non-NHS owned sites, including social networking sites), such removal/disclosure or inspection will be with the consent of the equipment or system owner, or otherwise in accordance with law.

6.0 Best Practice Requirements

In all circumstances (i.e. business or personal use; at work or outside of work):

Verbal and written agreements can be contractually binding. Do not inadvertently enter into a contract with a third party on behalf of the Trust without the written authority to do so, and ensure that appropriate advice has been sought before entering into such agreements. Contract law differs across the international community.

Legislation differs between countries and may be interpreted where the information is received. Ensure that you or the Trust does not become inadvertently liable for advice given by e-communications and Internet pages.

Be aware that emails, other e-communications and electronic documents can be required to be produced in court by a court order; deleted documents may still exist in back-ups, recycle bins, or deleted folders and so can be produced. Deletion after the commencement of legal proceedings may be viewed as contempt of court.

When posting information, for example on social/business networking sites, ensure the expected privacy settings and controls are in place.

Phishing (pronounced ‘fishing’) is an attempt to fraudulently acquire sensitive or personal information such as credit card details, bank account details, passwords or similar information, usually masquerading as a trustworthy source (e.g. a bank) and usually in order to commit identity fraud. The Trust cannot prevent receipt of all such emails/website links at work, and users are equally as vulnerable at home.

Be vigilant; never reply to such e-communication requests.

Ensure you have strong password protection on your personal and work accounts, including social networking and web accounts.

The Health Informatics Service will never ask for your password or passcode; you should keep this confidential. If you receive an email asking for such information, do not reply to it or click on any link in the email. Report such incidents to the Service Desk.

If a member of staff becomes aware of an e-communication (including a posting on a website, whether internal or external) which could be considered defamatory to the Trust, or breaches the Trust’s good conduct guidelines, they should inform their line manager and contact the LHIS Service Desk.

If a member of staff is contacted directly or indirectly by press or other media group about anything Trust-related they have written or posted, or to request other information or an interview, they should notify their line manager as soon as possible and contact the Head of Communications on 0776 928 6563, or by email to [email protected]

Respect copyright, fair use, data protection, defamation, libel, financial disclosure law.

Be aware that people who join networks and participate in groups may be colleagues, clients, journalists, suppliers, or patients, or may not be who they say they are.

Staff must not set up accounts or sites that are made to resemble an official LPT site or account, or which could be confused as an official site or account.

Staff may not take or publish photographs of patients on NHS premises, other than in accordance with the Trust Audio and Visual Recording Policy. To do so could constitute a breach of patient confidentiality and good conduct guidelines. (See further guidance in section 7.1.5 below).

6.1 Best Practice: when using Trust approved equipment and Services

When using these services for work purposes, identify yourself honestly and accurately and ensure that your details are kept up to date. Do not purport to be someone else when using electronic communications and Internet services.

Do not seek to by-pass Trust approved and authorised login where provided (e.g. email, Trust approved Internet accounts).

Notify your line manager and the LHIS Service Desk if you suspect your Trust approved social media account or any other Trust e-communication account has been ‘hacked’. That is, if you think the username and password for the site/account have been compromised and/or unexplained contributions to the site/system or service are coming from someone purporting to be you or from the Trust.

When in doubt about whether it is appropriate to access a site, obtain Senior Manager level approval in writing before doing so.

If you have been authorised to publish information on behalf of the Trust you must follow the specific advice provided by Communications and should:

a) Communicate in a polite, professional and transparent manner

b) Make it clear that you are publishing on behalf of the Trust

c) Never reveal confidential information

d) Ensure your posts are within the remit of the business objectives set out

e) Follow agreed process for peer review and publication of posts

You must follow Trust system specific Policy and Guidance when using authorised e-communication mechanisms to process personal confidential information for work purposes (e.g. e-consultations and email).

Ensure that the address of the intended recipient of a person-to-person e-message (e.g. fax, text, email) is correct. Where possible, use address book information or send a test e-message, and follow the good practice guidelines in Appendix 4 of this policy.

Send work related e-communications with appropriate identifying details. Work emails for example should include your Name*, role*, title*, telephone number*, email address*, service, site, mobile number, fax number (*mandatory). Follow the advice of the Communications department for LPT authorised accounts.

Established codes of conduct concerning relationships with patients apply to all e-communications whether business or personal.

Owners of data must classify their data and protect it to the appropriate level before sending or sharing it by whatever means, in accordance with any Trust published classification standard.

Ensure that when using calendar services (e.g. Microsoft Outlook) sensitive personal identifiable appointment information is shielded from colleagues without the ‘need to know’.

Mark private calendar appointments as private.

When accessing information and services off-site, away from your usual place of work, (for example in a patient’s home), take steps to ensure that unauthorised persons cannot overlook the information.

Do not use SMS facilities (for example, those offered by NHS wide email systems and mobile devices) for transmission of personal confidential information unless a local Trust approved procedure exists for your service.

Electronic messages containing data relating to patients or to staff should be stored in the patient/staff records. Such data could be subject to Subject Access requests under Section 7 of the Data Protection Act, and staff should be mindful of this.

Where retention of electronic message information is required in compliance with the Freedom of Information Act or for other valid business reasons, this should be appropriately stored.


When using portable devices, including personal devices authorised for use for work purposes, you must comply with the Trust Remote and Mobile working Policy. Loss or theft of any portable device must be reported immediately through the LHIS Service Desk (0116 295) 3500, and the Trust’s incident reports process. Always state if the device gives access to Trust owned personal confidential information whether in clinical systems, local web systems, or trust email.

Exercise caution and restraint in the use of services in different environments, in particular:

a) Follow local health site policy with regard to permissible on site use of PDA, mobile phone, and laptop technology for example within an acute hospital environment,

b) Comply with Trust policy and the law for use of equipment whilst driving. The use of mobile phones and PDAs whilst driving is expressly forbidden with or without hands free sets

c) Consult with your line manager before using NHS equipment for personal purposes for example whilst working on a reception desk

d) Where staff such as IT or Health and Safety staff take photographs on site to show a physical set of circumstances, care must be taken to exclude staff, patients, visitors or medical records from the image. If these are inadvertently included, the image should be deleted

The use of NHS IT equipment and services for private work resulting in personal commercial gain is not permitted. (This does not apply to the provision of private healthcare services.) (Ref. ISP ‘Private Work’).

The use of NHS IT equipment and services for private advertising is not permitted, with the exception of the service provided on the LARNET.

Access to Trust information and services must be via Trust approved equipment and mechanisms only. Such equipment must be used from a secure location. This means for example, that you may not access information and services via an Internet café.

Exercise caution and restraint when using services to ensure that the integrity of the Trust network is not compromised, including:

a) Trust wide e-communications must be sent for Trust purposes only and appropriately sanctioned by the communications department.

b) Obtain prior permission from IT Support to download and install software from the Internet, even if there are no “licence user” implications. This does not apply to ‘Apps’ downloaded to personally owned devices used for work purposes. Be aware that i-Apps are better tested and more secure than android type Apps (ref. the ISP).

c) If there is any doubt about the origin or content of an electronic communication or attachment, or if any suspicion of virus infection arises when using messaging or Internet services, immediately inform the HIS Service Desk. Opening suspect email attachments (e.g. from unknown or suspicious senders, or with unusual attachment file names), or accessing seemingly innocent websites, can result in serious infection.

d) Where there is shared drive access, emails that need to contain a document, should reference the document with a link to a shared drive.

Be aware that e-communications, including personal communications and internet access, crossing the Trust network are logged. Logs are captured and stored and may be subject to review and investigation.

Be aware that some e-communications (e.g. email) may be disclosed to individuals or outside agencies as required by Data Protection, or Freedom of Information, or any other statutory or legal duty imposed upon the Trust.

Contact details disclosed to commercial organisations may be passed on generating ‘junk’ mail. Limit such disclosures to requests for specific information, goods or services.

Ensure the Health and Safety Executive guidance on rest breaks for eyes is not breached in favour of personal use of electronic services during breaks or outside of normal working hours. Take small breaks away from your screen. Contact the Risk Management team if you require a workplace assessment.

6.2 Personal Use of Social Media (during unpaid breaks or outside of work)

When participating in online activities (e.g. social media) the following requirements and those detailed in the good practice guidance in Appendix 4 also apply.

Content published to any website outside of the Trust that could be perceived to have a connection to work or a subject associated with the Trust must have a disclaimer such as: “The views here expressed are entirely my own and not those of my employer.”

Staff writing a personal blog, should adhere to the guidance given and if the blog touches on any work related matters, add a disclaimer such as: “The views here expressed are entirely my own and not those of my employer.”

For sites such as LinkedIn where personal and professional references are the focus: Where staff present themselves as a Trust employee, professional references about any current or former employee, contractor, vendor or contingent worker must not be provided. Staff may provide a personal reference or recommendation for current or former Trust employees, contractors, vendors and contingent workers provided:

i) The reference is factually accurate; and

ii) A disclaimer is included to the effect that: “The views here expressed are entirely my own and not those of my employer.”

For clarity, staff may wish to include a similar disclaimer on the home page to cover the provision of y/n type endorsements.

Do not blog or participate in a social network where this would constitute a conflict of interest (e.g. resulting in personal gain).

Do not permit access to Trust sites/ accounts to any unauthorised person.

Do not ‘hack’ sites or accounts, or make unauthorised modification of computer data.

Do not use social media to ‘whistleblow’ without first raising concerns through the proper channels. Be aware that the Public Interest Disclosure Act 1998 gives legal protection to those with such concerns.

7.0 Prohibited Use

7.1 General advice applicable to personal and business use of e-communications in and outside of work

When using social media in a personal capacity, content posted which could be construed as relevant to your employment with the Trust must meet good conduct guidelines, including the NHS Code of Confidentiality.

Ensure that personal views posted or published cannot be construed as being the views of your employer. Use a disclaimer where necessary for example “The views here expressed are entirely my own and not those of my employer.”

7.1.1 Excepting in the case of being authorised to publish on behalf of the Trust

Do not reveal information that is confidential, business sensitive or proprietary to the Trust, its patients, its staff, partners or suppliers; including:

- Do not take or publish photographs of patients on NHS premises, other than in accordance with the Trust Audio and Visual Recording Policy. To do so could constitute a breach of patient confidentiality and good conduct guidelines.

- Never post information that can be used to identify a patient’s identity or health condition and is in breach of the NHS Code of Confidentiality.

- Do not publish or report on business conversations that are private or internal to the Trust, its partners or suppliers (for example, do not quote such material in a discussion forum post).

- Be wary when discussing work-related issues online. Even anonymised conversations relating to patients, patient care, and complaints about colleagues may be construed as being inappropriate and in breach of the Trust Code of Conduct.

- Remember that your obligation to maintain patient confidentiality continues after the patient’s death, and on leaving the Trust.

- Do not use e-communications (including email, social media) to attack or abuse colleagues.

- Do not copy photos from the Trust’s internet or intranet sites to a non-NHS site/account or otherwise breach NHS copyright.

- Do not publish the Trust or the NHS logo on any non-NHS site or account.

Follow the rules for etiquette and good practice outlined in appendix 4.


7.2 Prohibited Use: applicable when using NHS equipment and services whether for work or personal purposes

Do not permit access to Trust sites/ accounts to any unauthorised person.

Do not ‘hack’ sites or accounts, or make unauthorised modification of computer data.

Do not route communications at work to by-pass system logging or audit functionality.

Do not disguise the sending address; and do not send or post communications purporting to be someone else.

Do not attempt to introduce computer viruses via email messages, web links or attachments or forward, send or post spam, chain mail, jokes or other frivolous material.

Do not attempt to disable the virus protection software or other preinstalled software without the permission of the LHIS IT Support and Infrastructure Manager.

Do not attempt to overload or disable the computer system or network. Intentional introduction of files which cause computer problems could be prosecutable under the Computer Misuse Act.

Do not waste or unfairly monopolise resources by non-business related use of services such as spending excessive time on the Internet playing on-line games, engaging in forums or social networking for non-work purposes, or uploading and downloading large files, including streaming audio and/or video files, or otherwise creating unnecessary loads on network traffic.

Follow Trust system specific policy and guidance when processing personal confidential information for work purposes (e.g. e-consultations and email).

Do not use social media to ‘whistleblow’ without first raising concerns through the proper channels. Be aware that the Public Interest Disclosure Act 1998 gives legal protection to those with such concerns.

Do not use interactive chat applications (e.g. MSN), or social networking sites (e.g. Facebook), without the express permission of your line manager.

Do not use services to interfere with the business of the Trust or for illicit distribution of personal identifiable or business confidential material.

Do not send personal messages to a large number of recipients (no more than your own department), or send spam or bulk unsolicited emails.

Do not subscribe to forums for personal purposes using a work email address

Do not represent personal opinions as that of the Trust

Do not download or distribute programmes, sound, picture or any other files where copyright will be infringed. If in doubt contact the HIS Service Desk.

Do not agree to a licence or download any material for which a registration fee is charged without first obtaining the express written permission of the Trust.

The auto-forward feature of Microsoft Outlook must never be used to automatically forward mail to other NHS Trusts, or to email addresses external to the NHS, including personal Internet home accounts and University accounts, or to your NHSmail account. The originator of a business message and the Trust has the right to assume that sending an e-mail to an NHS address should result in that e-mail terminating within the NHS environment, ideally at the formal location of the addressee or their deputy. If there is an urgent business need to receive email outside of your work account, contact your line manager with a view to use of the secure device solution, or VPN.

Do not use or install any file sharing, Peer to Peer, or similar system on the Trust network or equipment. Peer to Peer and file sharing software enables users to share information, including files, across the Internet and can create a number of security and legal concerns as it connects directly with other users’ computers. This includes Dropbox, iCloud, internet messaging services and cloud based storage systems.

8. Breaches of Policy

Any breaches of this policy should be reported to the appropriate line manager and to the LHIS service desk. All breaches will be investigated thoroughly. Access to the services may be withdrawn whilst the breach is under investigation and only reconnected when the threat has passed. Examples of breaches of policy which could be regarded as misconduct, or depending upon the severity, gross misconduct, to be handled through the Trust’s disciplinary and conduct procedure, are as follows:

- Access, downloading or emailing material

- Unreported access of inappropriate sites

- Downloading or distribution of copyright material

- Levels of private use of systems resulting in interference with performance of duties

- Sending of unencrypted personal identifiable sensitive information by electronic means in breach of Trust published procedures

- Suspected breach of the business Code of Conduct when using Social Media sites (whether in or outside of work)

(NB: This list is not exhaustive.)

9.0 Training

There is no training requirement identified within this policy.

The Leicestershire Health Informatics Service will undertake training on the use of the Internet and other services and electronic resources where requested.

10.0 Monitoring Compliance and Effectiveness

| Ref | Minimum Requirements | Evidence for Self-assessment | Process for Monitoring | Responsible Individual / Group | Frequency of monitoring |
|---|---|---|---|---|---|
| | All official Trust social media accounts are managed through the Communications Team | Section 4.4 | Review of communication requests for social media accounts | Data Privacy Steering Group | Quarterly |
| | The use of new tools for work purposes must be risk assessed and approved by the Trust | Section 5.1 | Review of requests | IM&T Delivery Group | As required |
| | Personal Confidential Data must be encrypted before sending | Section 5.7 | Monitoring of incidents through Caldicott Report | Clinical Effectiveness Group | Quarterly |
| | Electronic communications with service users are risk assessed before opting to communicate in this way | Section 5.8 | Review of requests/DPIAs | Data Privacy Steering Group | Quarterly or as required |

A summary of the purpose and extent of the monitoring undertaken by the Trust can be found in Appendix 5. This document is subject to continual review by the Health Informatics Service. All or any usage on the Trust network may be monitored, including application, network access and Internet, intranet and e-communication usage.

10.1 Social Media: Content Management.

Communications maintains a register of LPT approved social media sites and undertakes quarterly reviews to ensure regular and relevant content giving added value. The expectations and responsibilities are outlined in Appendix 1.

10.2 Audit

HIS IT Support and Internal and External auditors undertake routine monitoring of Internet and E-communication activity via the Trust network/ equipment with a view to minimising potential misuse and monitoring legal liability.

360 Assurance Computer Audit or other independent assurers may undertake regular review of Internet Activity Logs. Logs will be periodically handed to 360 Assurance or other independent assurers for review and to provide independent assurance of the process.

HIS and 360 Assurance Computer Audit Function will undertake reviews at the specific request of management or of the Audit Committee. This may include review of usage and investigation of incidents and will be managed in accordance with Trust procedures and, where applicable, the Trust Incident Management Policy (ref. ISP).

The Trust reserves the right to block what is in its opinion excessive usage. Staff members should consult with line management to confirm acceptable usage levels.

Any inappropriate use of e-communications or of the Trust’s Intranet or Internet, including complaints of excessive usage and of harassment or defamation, may be reported to the relevant Trust Director (or nominated deputy), who will be responsible for co-ordinating an appropriate and proportional response, if necessary including action under the Trust’s disciplinary and conduct procedures.

The Trust also reserves the right to carry out detailed inspection of information held on any electronic resource, including communications equipment, without notice where inappropriate activity is suspected.

Where the Trust is in receipt of a Subject Access or Freedom of Information Request requiring the Trust to search the email system, or specific accounts within the system, or portable communications equipment, then such searches will take place in order to allow the Trust to meet its legal obligations, subject to a request from the Head of Data Privacy or a nominated deputy. Such access requests may refer to both personal and business related e-communications and may result in disclosure of such information where this is not in breach of the data protection principles.

Other than for the monitoring purposes already referred to, and access defined in 8.9 above, access to the content of any authorised user’s mailbox or e-messaging equipment in their absence will only be granted on submission of a written request from a Director or their nominated deputy, or from the Organisation’s Counter Fraud Specialist under the NHS Counter Fraud Strategy, to the LHIS IT Support and Infrastructure Manager or a representative. This request must identify the business need for the access requested, as outlined in Appendix 5, and indicate the e-messages to be examined. Where such a request is granted, access will be by the LHIS IT Support and Infrastructure Manager or a representative only, who will provide the required information/e-messages to the requester. The LHIS IT Support and Infrastructure Manager or a representative will notify the user of the mailbox about the access at the earliest possible opportunity.

Access to equipment authorised for use on Trust business which is not owned or contracted by the Trust or the wider NHS will, where possible, be with the consent of the owner or otherwise as required by law.

Further guidance can be found in:

- Audio and Visual Recording Policy
- Data Protection, Caldicott and Confidentiality Policy
- The Information Lifecycle and Records Management Policy
- The Information Security Policy (Parts 1&2)

11.0 Standards/Performance Indicators

| Target/Standards | Key Performance Indicator |
|---|---|
| Meet the requirements of the National Data Guardian Standards | Compliance against the Data Protection and Security Toolkit |

12. References and Associated Documentation

- The British Standard for Security
- NHS Information Security Management Code of Practice
- Data Protection and Security Toolkit
- NHS Infrastructure Maturity Model
- Information Security Policy Part 1 – High Level Statements
- Information Security Policy Part 2 – Associated Detailed Requirements
- Records Management Code of Practice for Health and Social Care 2016
- Records Management Strategy 2014-19
- Information Lifecycle and Records Management Policy
- Data Protection, Caldicott and Confidentiality Policy
- Data Protection Law: EU General Data Protection Regulation; Data Protection Act 2018
- The Human Rights Act 1998 (Article 8)
- Related Legislation (ref. http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_079616)
- Common Law Code of Confidentiality
- The Trust Statement of Applicability

Appendix 1

Obtaining an LPT authorised Social Media Account (for example, an authorised Twitter Account, a request to submit postings on an LPT social network, or applying to formally contribute to an existing online social network on work-related subjects)

Requests should be made by email to Communications (communications@leicspart.nhs.uk).

Requests should clearly illustrate the potential benefit to patients/stakeholders and/or colleagues, both within LPT and the wider healthcare community, and/or the organisation as a whole.

They should also be able to illustrate commitment to the project from team and departmental colleagues. Regular posts to social media work best, so it is good practice to have colleagues who are able to cover during absence. The frequency of posts is not pre-determined and will change from one approval to the next.

Authorised social media accounts should only be set up once approval has been given by Communications.

A register of LPT-approved social media sites is maintained by Communications. Sites are reviewed to ensure they are providing regular and relevant content that adds value. Reviews may result in accounts being closed.

The approving line manager(s) is the site administrator and conducts a monthly review of any social networking venture overseen by them, checking for regular and relevant submissions that add value and that the following standards are met:

- It is clear to members/audience whether the group is open to all or invitees only
- The purpose of the blog/social network group is clearly displayed
- There is an appropriate and prominent disclaimer. For example: ‘The views expressed in this (group/blog/website/forum etc.) are those of the members and do not necessarily reflect the views of Leicestershire Partnership NHS Trust’
- The NHS lozenge, the LPT logo and name are not used as a way of identifying the association to the Trust without the explicit permission of Communications
- Communications should be supplied with up-to-date information about all blog/social network group/sites. This information should include the current administrator and backup administrator (including their login username and passwords)
- Any passwords used to administer an external group/site are changed if a former administrator leaves the Trust
- Employees agree to hand over ownership of the blog/social network group/site to another appropriate staff member if they leave the group or if they leave the Trust. If no staff member is available, staff must hand over full ownership to Communications, who will make the appropriate provision to have the account managed elsewhere or to shut down the account
- Employees should demonstrate knowledge and proficiency in the use of relevant social media. Guidance and assistance in setting up and using social media can be provided by Communications

Appendix 2

Personal Usage Considerations

Consult with your line manager to confirm any local definition of ‘limited personal use’ of electronic communications and to agree restitution where costs may be incurred (for example, use of dongles, SMS texting, fax, telephone calls). Some of the criteria used by line management to determine acceptable personal use are outlined below. Users may be asked to justify the number of messages or time spent on personal usage of these services.

Personal usage of electronic messaging and internet services may be withdrawn at any time for an individual or for more or all members of staff.

When reviewing questions relating to Acceptable Personal Use of Internet, Intranet and Electronic messaging services (for example, use of dongles, SMS texting, fax, telephone calls, emails, social media postings), management may wish to consider:

- The user’s role
- The role of colleagues
- Impact to the Department’s service delivery
- The time of day; use is restricted to breaks or outside of normal working hours (see policy statement)
- The perception given to others (including the public)
- The duration
- Frequency
- Recipients
- The content
- The fact that an email will come from the user’s work account and be associated with the Trust
- Possible costs and restitution arrangements

Appendix 3

Risk Assessment for Electronic Communications with Patients

Telephone consultations are already commonly used for situations such as repeat prescribing and to support patients with long term conditions, and many of the associated risks are relevant to email, text messaging and other e-communication mechanisms.

Section 5.14 of this policy states that:

When planning or initiating the use of tools and systems which will enable direct electronic communications and consultations with patients, ensure that a risk assessment has been undertaken and, where relevant, a service specific policy is in place. Services or clinicians wishing to adopt this approach should first consult with their Service Director or a nominated deputy and may wish to consult further with the Organisation Records Transformation and Information Governance Manager.

Where a dedicated patient communication system is proposed (e.g. video consultation) ensure that:

- the mechanism has been risk assessed (including a privacy impact assessment) from a security and governance, including clinical governance, viewpoint, and approved by the Trust IM&TOG (Information Management and Technology Operations Group),
- the mechanism, as far as is possible, places initiation and control of the communication with the clinician,
- the contact takes place in environments which are controlled as far as is necessary according to the nature of the appointment/ consultation,
- there is provision to ensure a face to face consultation or other intervention if a patient care emergency should arise or if the electronic system fails,
- the consultation is appropriately documented in the patient record and extraneous recordings are archived or deleted as appropriate,
- the patient has been made aware of the limitations and any risks (including information risks) which are associated with a remote/electronic consultation,
- the process is supported by written policy and procedures, including documented consents where necessary,
- regular reviews are scheduled to ensure that usage of the tool is not expanded to other patients/patient groups/ conditions without a full risk assessment having taken place (ref appendix // for risk assessment guidance),
- regular assessment of the impacts of these types of communication on the Network will be built into the risk assessment and benefits realisation processes.

This policy seeks to highlight the risks of e-communications with individual patients, and to remind all concerned that whenever such a communication is considered suitable, a clear account of the potential risks and appropriate remedial measures should be described alongside the benefits of such communication.

Principles

Services and Clinicians should abide by this policy, take account of other published policy and procedures of the Trust or Service, the advice of Professional Bodies and of the Department of Health, and should bear in mind the identified risks.

Services or clinicians may wish to use direct electronic communications with patients where it is the wish of the patient, considered to be appropriate to their care, and in line with the aims and resources of the service.

Direct electronic communication solutions should not be used to replace face to face consultation inappropriately or be imposed upon the patient.

Where a particular patient wishes to communicate by e-communication mechanisms, the risks and benefits of doing so should be assessed on a case by case basis and must ensure that the service user is aware of the limitations of these forms of communication.

Services are required to develop clear policy and procedural guidance in circumstances where the Trust views that such communications are appropriate, and such policy and procedures are to include the outcomes from the risk assessment criteria detailed below.

Automated text messages to patients

The use of automated messaging has proven to be beneficial in a number of systems to reduce the numbers of ‘Did Not Attend’ or to provide simple ‘All Clear’ information or other information to patients who have undergone screening type procedures or who are involved in health support programmes (for example, smoking cessation, Chlamydia screening).

When developing automated messaging in these types of circumstances ensure that:

a. Appointment and other reminders or information text messages contain the minimum amount of information required. For example: ‘Please remember your health appointment at... (time, date). You cannot reply to this text message. If you have an enquiry, please call... (contact number)’. Details regarding the patient’s name, address, the health complaint, the clinic or hospital are unnecessary and may lead to a breach of confidentiality.

b. The recipient cannot text a reply to the message sender. There will be a technical means in the system to prevent this. An alternative mechanism should be provided for patients to address any queries.

c. Where automated text messaging services are provided by a third party supplier, ensure that:

- mobile phone contact details are maintained up to date
- confidential patient information is not held by the third party at locations external to the NHS unnecessarily, and that there is secure management of any patient information held

d. Where third party suppliers attach advertising to the messages sent, any such advertising:

- must be in line with the ethics of the NHS
- must be supported by the Trust’s Data Protection Registration (if not, the registration may need amending) and meet DPA marketing requirements

Risks Associated with e-communications with Patients

Risk: Sharing the clinician’s e-contact details (e.g. mobile number, email address, Skype account) with the patient may breach Trust or Service Policy
Suggested controls:
- Confirm the benefits of sharing in the circumstances presented and consider policy amendment.
- Confirm the appropriateness of having single ‘team’/service contact details which patients may use. Develop procedures for ensuring that messages are regularly checked and responded to.
- Confirm the expectations of good conduct both from the clinician and the patient and evidence the formal agreement. The agreement should include the circumstances where termination would result.
- Ensure that the clinician is not contactable by the patient when away from work (annual leave/ sickness/suspension).
- Ensure the patient understands the agreed procedures and the more usual way of contact should this mechanism fail. Identify when the service would be available (work hours only?) and inform the family.
- Is the service available to all patients in a certain category according to need and availability, or would use be risk assessed?
- When providing a work e-contact to patients/carers, ensure they do a test by using the mechanism immediately.
- Ensure the receiving device/account is checked for messages at least 2x daily.
- Define actions to be taken where nuisance calls are made to staff.
- Ensure back up of patient contact details on a secure network area.
- Define actions to be taken where the clinician has left their e-contact details at home/base in error (ensure provision of alternative communication – work telephone number).
- Is there a point at which the patient/carer will be asked to remove the clinician’s e-contact details from their device/account?

Risk: Communications may increase workloads for staff
Suggested controls:
- Ensure the purpose, benefits and risks of the service are clearly identified.

Risk: Inappropriate use of the patient’s e-contact details
Suggested controls:
- Agree where in the patient record contact details will be stored.
- Ensure loss or theft of the clinician’s mobile device is reported immediately. The patient should be notified.
- Ensure the user wishes to use this service and consents to provision of their e-contact details for the stated purpose.
- Ensure the user takes responsibility for who has access to their e-contact device or account.
- Ensure the user is aware of any limitations to the service (times etc., minimum/maximum response time) and has an alternative number to call (office number).
- On provision of the user’s e-contact details, store the information with an identifiable name and test that it has been stored correctly by sending a test communication.
- It is the patient/carer’s responsibility to inform the clinician as soon as possible when their device is lost or stolen or their email account is unsafe to use.
- The patient/carer’s e-contact details will be removed from the clinician’s device or account list following discharge.

Risk: Misaddressed message or loss of the clinician’s device leading to communication breakdown or breach of confidentiality
Suggested controls:
- Ensure the patient e-contact detail is confirmed for each episode of care in the same way that demographic details are checked.
- Agreed procedure for recording patient details in the mobile device/ account.
- Agreed procedure for securing the device in line with the Trust ISP.
- Agreed procedure for reporting loss of the device in line with the Trust ISP.
- Use of the Trust approved mobile device solutions which ensure remote locking and wiping of data in case of loss, where possible.
- Ensure the patient is advised to inform the clinician should their e-contact details change.
- Consider: does the patient/carer allow other family members to use their account/device?
- Does the patient/carer have basic security applied to their account/device?

Risk: Breach of ISP by storing PID on PDAs and handheld devices which can be reset at the push of a button, leading to data loss, and are vulnerable to theft
Suggested controls:
- Consider Trust policy statements re appropriate service risk assessment and detailed security procedures permitting PID on handheld devices.

Risk: Breach of ISP by storing unencrypted PID on mobile devices
Suggested controls:
- Ensure that procedures provide for appropriate and timely update of patient records.
- Ensure that mobile devices used meet the Trust Information Security Policy requirements.
- Consider mechanisms for pseudonymisation of contact details and messages.
- Consider responding to patient e-communications by telephone call.
- Consider advice to patients on the content of the messages they send.
- All email messages containing PID must use the Trust’s encryption solutions.
- Confirm risks around the storage and accessibility of video communications with patients.

Risk: Failure to pick up the message by the parent/carer leading to possible risk to patient care
Suggested controls:
- Request confirmation of receipt of significant messages.

Risk: Technical limitations of e-messaging resulting in failure to keep an audit trail or read receipts on messages
Suggested controls:
- Ensure clinicians maintain appropriate patient records regarding e-communications and delete messages from mobile devices/accounts regularly.

Risk: Overuse/unauthorised use of e-messaging leading to confidentiality breach and risk to patient care
Suggested controls:
- Ensure the purpose of the service is clearly specified.
- Ensure staff are appropriately authorised to use the service.
- Ensure reporting mechanisms are established to control use of the service.

Risk: Inappropriate use of electronic communications leading to failure in patient care and leading to complaints or litigation against the Trust
Suggested controls:
- Ensure that clinical care of patients is confirmed by face to face meetings or verbal consultation as appropriate, and that a fair representation is reflected in the medical record.

Risk: Failure to understand storage of electronic data (cache of emails/ SIM card on mobile phone) leading to risk of breach of confidentiality
Suggested controls:
- Ensure appropriate storage and disposal/ removal mechanisms in line with Trust policy.
- Ensure appropriate guidance to staff re the content of messages.
- Reference the Trust’s remote and mobile working policy for guidance on the areas to be considered.

Risk: Recording of consultations by patients
Suggested controls:
- The patient/carer, when on private property, is not obliged by law to request consent to record by video or audio means.
- Clinicians are advised, where recording is known to be taking place, that they can point out to the patient that obtaining consent is a courtesy.
- Where the clinician objects to such a recording, they should risk assess whether not treating the patient in this circumstance would have a detrimental or clinical risk associated with it, and make a decision as to whether to treat on this basis.

Appendix 4

Created – September 2003

Last Reviewed December 2017

Impact Assessment on Monitoring at Work in the Leicestershire and Rutland Health Community (Non-Acute)

1.0 INTRODUCTION

1.1 Purpose

This Impact Assessment seeks to clarify:

- The reasons and justification for monitoring and the expected benefits
- The impact of monitoring at work on staff
- The steps taken to limit the electronic processing of identifiable data captured for monitoring purposes and the alternatives adopted

This Impact Assessment further details the procedures and products associated with monitoring network and network services in use within Leicestershire and Rutland Health Community (LRHC), and it addresses the needs of workers to be informed of such procedures.

1.2 The Legal Basis

1.2.1 The Trust’s Internet and e-Communications Policy, of which this document is an appendix, indicates that usage of these facilities may be logged and monitored by HIS and by Internal and External auditors.

1.2.2 The monitoring or recording of communications by the LRHC (non-acute), including the Trust, is authorised under the “Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000”, which came into force on 24 October 2000 under the Regulation of Investigatory Powers Act 2000 (RIPA), and is mindful of Article 8 of the European Convention on Human Rights, which creates a right to respect for private and family life and for correspondence.

1.2.3 Employer requirements concerning these regulations are further clarified in the Information Commissioner’s ‘The Employment Practices Code’ Part 3, Data Protection and Monitoring at Work, and its supplementary guidelines, which the Trust embraces.

1.2.4 The trade union interpretation of the Information Commissioner’s advice is explained (ref. www.worksmart.org.uk/rights/monitoring) and this advice is likewise embraced by the Trust.

1.3 The Reasons, Justification and Benefits

1.3.1 Monitoring, filtering and other products have been, and will be, introduced onto the network. These are used to enable:

- Identification of inappropriate use of the LRHC services (e.g. the Internet) in accordance with Trust policy and, in particular, to reduce the risks to patient care
- Maintenance of network integrity and the Trust’s capability of fulfilling its business function by, for example:
  - preventing the introduction of viruses,
  - preserving adequate server disk space,
  - ensuring acceptable levels of network traffic

Consequently, monitoring:

- Reduces the risks to the availability, confidentiality and integrity of Trust information and systems
- Helps protect the Trust from litigation and compromise of its reputation, and to prevent or detect crime or serious breaches of Trust corporate standards
- Provides some assurance from the HIS service provider to the Trust regarding the security and availability of the network
- Provides independent assurance by subsequent review of monitoring activities and of HIS procedures by Auditors

1.3.2 Use of monitoring products is subject to strict procedures. In particular, the targeted monitoring of any individual user’s email, disk space or internet usage will only be permitted if authorised by the Director with responsibility for IM&T (or their deputy) in accordance with the procedures outlined in section 11.2 of the Internet and e-Communications Policy.

1.3.3 Suspicious or unacceptable user activity brought to light during routine maintenance or housekeeping procedures, or by user report, or indicated by routine monitoring will be brought to the attention of the Director with responsibility for IM&T (or a nominated deputy), who may authorise further steps to be taken in accordance with the procedures outlined in section 11.2 of the Internet and e-Communications Policy.

2.0 IDENTIFYING AND MITIGATING ADVERSE IMPACTS ON STAFF

2.1 Potential Adverse Impacts

POTENTIAL ADVERSE IMPACT ASSESSMENT

What intrusion if any is there into

the private lives of workers and

others or interference with their

private emails, telephone calls, or

other correspondence

Automated tools (e.g. virus checkers) mean that there

is no human intervention

E-mails are not generally monitored except as part of

a targeted investigation

Page 40: Internet and Electronic Communications Policy...Page 6 of 52 Definitions that apply to this Policy Electronic mail E-mail: Any message, image, form, attachment, data, or other communication

Page 40 of 52

POTENTIAL ADVERSE IMPACT ASSESSMENT

Emails not labelled ‘personal’/‘union’ may be

accessed for work purposes in case of absence

Is the monitoring of Internet

Activity intrusive?

Internet accesses are captured and may include

sensitive information e.g. religious convictions, but

are not immediately identifiable to an individual

without a targeted investigation

To what extent will users be

aware when they or their

information is being monitored

and be in a position to limit any

intrusion or adverse effect

This policy is published on the Intranet, referenced on

the sign on screen and available through the HIS

Includes advice on acceptable personal usage and

labelling of personal information

The Trust has an incident reporting process which

fast tracks IT concerns

Potential adverse impact: Will information that is confidential and private, or otherwise sensitive, be seen by those who do not have a need to know (e.g. IT workers involved in monitoring)?

Assessment: Capture of Internet information is automated, with access limited to authorised staff, and identifiable only as part of a targeted investigation. In relation to emails, no access is made except:
- in the case of absence, by official request, witnessed and the user subsequently informed (emails labelled personal are not released);
- or as part of a targeted investigation.

Potential adverse impact: What impact, if any, on the relationship of mutual trust and confidence between the employer and staff?

Assessment: Staff are made aware that a key obligation is to protect patients and staff from inappropriate usage of these services.

Potential adverse impact: What about other relationships (for example Trade Unions)?

Assessment: The staff side is consulted in relation to the monitoring undertaken, and union officials are advised to label their communications as ‘union’ in the subject line so that these will not be mistaken for work-related messages/communications. Internet access is not identified to the user unless reasonable grounds have been found to suspect abuse.

Potential adverse impact: What impact, if any, will there be on the relationship with individuals with professional obligations of confidentiality/secrecy (e.g. doctors)?

Assessment: Patient information may only be sent if encrypted, and so is not viewed. If a user fails to encrypt such information and it is viewed, then this is treated as a breach of confidentiality as per the Trust policy and professional standards, and is not impacted by monitoring.


Potential adverse impact: Is the monitoring oppressive or demeaning?

Assessment: There is no continuous monitoring of e-messages. Continuous capture of Internet access is identifiable only as part of a targeted investigation.

2.2 Alternatives to Electronic Monitoring

POTENTIAL ADVERSE IMPACT / ASSESSMENT

Potential adverse impact: Can established or new methods of supervision/management/training reduce the need for electronic monitoring?

Assessment: Excessive usage: supervision and management are likely to be the first step in identifying unreasonable usage, but evidence may be sought from the firewall logs to support concerns. In relation to abusive usage, user/management reports may result in targeted investigations. Firewall log monitoring identifies general high-usage areas as opposed to specifics, but can be used to support targeted investigations. These are mutually beneficial mechanisms.

Potential adverse impact: Can the investigation of specific incidents or problems be relied on (for example, accessing stored emails to follow up an allegation of malpractice) rather than continuous monitoring?

Assessment: This is the current alternative adopted by the Trust.

Potential adverse impact: Can monitoring be limited to workers about whom complaints have been received, or about whom there are other grounds to suspect wrong-doing?

Assessment: This is the current alternative adopted by the Trust.

Potential adverse impact: Can monitoring be targeted at areas of highest risk, e.g. can it be directed at a few individuals whose jobs mean they pose a particular risk to the business, rather than at other workers?

Assessment: This is not undertaken electronically unless as part of an official targeted investigation. Only Internet accesses are captured as a general control, and the capture is not specific unless it becomes a targeted investigation.

Potential adverse impact: Can monitoring be automated and so less intrusive?

Assessment: Yes, this is the current process, and only targeted investigation involves human intervention.

Potential adverse impact: Can spot checks or audit be undertaken instead of using continuous monitoring?

Assessment: Spot checks are undertaken on HIS activity to reflect the risk involved in their access rights. However, spot checks can be more intrusive than automated monitoring.

2.3 Is Monitoring Justified?

The monitoring undertaken supports the Trust’s responsibilities to staff and patients and is a limited and justified response to the need.

Users of email and Internet facilities are subject to the Trust’s policies in this area. Staff complying with the policies will not be adversely affected by the procedures outlined in this document.

Staff have a right to be protected from the consequences of inappropriate use by other users, whether internal or external to the NHS.

Staff have a right to be informed of the monitoring that is taking place and to be given assurance that such monitoring is both necessary (not excessive) and justified.

3.0 DETAIL

3.1 The LRHC’s monitoring products

3.1.1 The HIS, on behalf of LRHC, has, over a number of years, used a variety of standard products to enable it to maintain a stable and secure networking environment for its computer users. These products include software and hardware for virus protection and for keeping network traffic levels and server disk usage under regular scrutiny. Filtering products are also in place, and the automated logs recorded by the firewall have been harnessed to enable analysis of Internet usage. These are described in detail below.

3.1.2 Web filtering and logging

A firewall is a security device which controls and logs activity to foreign networks, in this case the NHS Network (N3). Logging is essential for security and performance monitoring purposes. Logs are used to confirm that the firewall is configured correctly, to check performance, to identify intrusions, and to provide some assurance against inappropriate user activity. Firewall monitoring activity is automated.

In order to protect staff from accidental access to inappropriate sites, access is blocked by type (setting criteria such as violence, gambling, sex, terrorism) using filtering software called Web Blocker. The Web Blocker and Websense databases are not foolproof: some perfectly innocent sites may be blocked, and as new sites appear every day, inappropriate sites may not be blocked. Users are still under a personal obligation to comply with policy regardless of any filtering that takes place.


Often perfectly legitimate access requests are blocked by the firewall filter. Where there is a business justification for access by an individual or a group to a blocked site, this can be arranged by application to the IT Service Desk.

This firewall software records and reports upon common HTTP and FTP accesses to the N3/Internet and any blocked-site information (Web Blocker is the current filtering software in use). The firewall software does not log accesses to business-orientated services such as payroll and Choose and Book (activity on these services is logged by the application), except for diagnostic and fault-finding purposes.

Reports show in raw text:
- Access requests denied by the blocker: IP address, date and time, from and to
- Pages visited by each IP address: date and time, from and to
- The same information is collected for FTP activity

Reports and logs are archived periodically to an external hard drive. Logs and reports are reviewed for deletion from the system and archived after two years.

The logs may be passed to 360 Assurance Internal Audit Service regularly in order that searches can be made and to report upon the extent of personal as against business usage on the network. Reports may include:
- Summary of the greatest use by IP address, bytes transferred, date and time
- Summary of the most highly accessed external hosts (sites receiving the most hits from our network)

No attempt is made to identify the individuals involved in suspected inappropriate access or excessive usage, other than at the request of the responsible Trust for a targeted investigation.

The IP address is the identifier on all the information held and indicates the site from which the access has been made. In most circumstances the IT security team and/or 360 Assurance will be able to identify the machine involved in an inappropriate access.

The report on pages visited by each IP address is subjected to a key word search to identify activity to inappropriate sites. Where potentially inappropriate activity is highlighted, the URL for the site is then accessed by a member of the IT Security Team and/or 360 Assurance in the presence of a second team member. Where there appears to have been an incident, the team member will identify the building from which the access was made – this enables HIS/360 Assurance to inform the relevant Trust IM&T lead or a deputy of the inappropriate access. Information passed to the Trust will include the site identification, the time frame involved, and whether this may have been a one-off, accidental access incident, or whether there is evidence of frequent or continuing activity.
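The usage summaries and the key word search described in this section, worked through on constructed log lines as an added example (illustrative code, not the HIS firewall's, Web Blocker's or 360 Assurance's own tooling; the log line format, the field layout and the keyword list are assumptions). It produces the two report summaries named above (greatest use by IP address, most highly accessed external hosts), lists the requests denied by the blocker, and runs a category keyword search over the pages visited, keeping the IP address as the only identifier so that attribution to a machine or person remains a separate, authorised step:

```python
"""Firewall web-log analysis of the kind described in section 3.1.2.

Constructed example: the log format below is an assumption and is not the
real output format of Web Blocker or the HIS firewall.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log lines in an assumed format:
# "<date> <time> <source IP> <ALLOW|BLOCK> <bytes> <URL>"
SAMPLE_LOG = """\
2018-03-12 09:01:14 10.20.1.15 ALLOW 5120 http://www.example.org/news/index.html
2018-03-12 09:02:30 10.20.1.15 ALLOW 204800 http://cdn.example.net/update.bin
2018-03-12 09:05:02 10.20.1.42 BLOCK 0 http://casino-example.test/play
2018-03-12 09:06:45 10.20.1.42 ALLOW 1024 http://www.example.org/contact
2018-03-12 09:10:11 10.20.1.77 ALLOW 8192 http://betting-example.test/odds/today
2018-03-12 09:11:59 10.20.1.15 BLOCK 0 http://casino-example.test/bonus
2018-03-12 09:15:00 10.20.1.77 ALLOW 3072 http://www.example.org/news/index.html
"""

# Assumed keyword list, keyed by two of the filter categories the policy names.
CATEGORY_KEYWORDS = {
    "gambling": ("casino", "betting", "poker"),
    "violence": ("weapon",),
}


@dataclass(frozen=True)
class LogEntry:
    date: str
    time: str
    src_ip: str
    action: str
    nbytes: int
    url: str

    @property
    def host(self) -> str:
        """External host part of the URL (the 'to' side of the access)."""
        return urlsplit(self.url).hostname or ""


def parse_log(text: str) -> list[LogEntry]:
    """Parse the constructed raw-text format; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) != 6:
            continue
        date, time_, ip, action, nbytes, url = parts
        try:
            entries.append(LogEntry(date, time_, ip, action, int(nbytes), url))
        except ValueError:  # non-numeric byte count
            continue
    return entries


def bytes_by_ip(entries: list[LogEntry]) -> list[tuple[str, int]]:
    """Summary of the greatest use by IP address (bytes transferred), descending."""
    totals: Counter = Counter()
    for e in entries:
        totals[e.src_ip] += e.nbytes
    return totals.most_common()


def hosts_by_hits(entries: list[LogEntry]) -> list[tuple[str, int]]:
    """Most highly accessed external hosts (sites receiving the most hits), descending."""
    return Counter(e.host for e in entries).most_common()


def denied_requests(entries: list[LogEntry]) -> list[LogEntry]:
    """Access requests denied by the blocker."""
    return [e for e in entries if e.action == "BLOCK"]


def keyword_search(entries: list[LogEntry], keywords=CATEGORY_KEYWORDS) -> dict:
    """Key word search over pages visited: {src_ip: {category: [urls]}}.

    Only the IP address is carried forward; identifying the machine or user
    behind it is the separate, targeted-investigation step the policy describes.
    """
    hits: dict = defaultdict(lambda: defaultdict(list))
    for e in entries:
        lowered = e.url.lower()
        for category, words in keywords.items():
            if any(w in lowered for w in words):
                hits[e.src_ip][category].append(e.url)
    return {ip: dict(cats) for ip, cats in hits.items()}
```

Run over the sample, `bytes_by_ip` ranks 10.20.1.15 first and `keyword_search` flags three IP addresses under "gambling"; the blocked requests show that a keyword hit does not mean the page was reached, which is why the policy has a second team member confirm the site before anything is passed to the Trust.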

Where access appears to have been accidental, the HIS may be requested to block the offending site. The Trust may inform the Service Director of the site and issue advice to staff at that location.

Where the incident is suspected of being intentional, the Trust may wish to pursue the incident with support from the IT Security Team and/or 360 Assurance. In this case, the Trust must make a request in writing to the IT Security Team with a defined business need before further investigations are carried out.

Access to inappropriate material, for example by health professionals whilst on duty, could represent a risk to patient care, and there is a concern from Trusts supported by the HIS that where abuse is found, every avenue should be explored to identify the perpetrator. For this reason, and from April 2004, where abuse is suspected, it is proposed that, at the written request of the responsible Trust (as described above), the HIS/360 Assurance will give every support to identify and investigate the machine which was used, in accordance with published incident investigation procedures. If the IP address can be used to identify a machine, then that machine will be checked for evidence of misuse. If this is not possible, all machines on the site may be checked to identify which was used to make inappropriate access.

Where accesses identified by the HIS Security or by 360 Assurance are deemed to be potentially illegal, the Trust Director with Responsibility for IM&T will be informed and appropriate action taken to investigate the incident.

3.1.3 Virus Checker and Email System settings

Software has been introduced to assist the HIS in enforcing the email policy; its facilities are as follows:

Virus checking – the software checks all incoming and outgoing email, including attachments, for viruses. It can delete or quarantine infected emails. It will send a warning to the intended recipient and will log all occurrences for review by the administrator.

Size checking – Email system checking software can be used to check the size of all incoming and outgoing email and restrict their passage accordingly. It will warn the sender where necessary.

Recipient restriction – Email system checking software: normally, users cannot send email to more than 750 recipients. Where there are more, either in a sent or received email, the email is rejected.

Attachment type checking – the Firewall software can be used to restrict the type of inbound attachment. For example, a video or an executable program attachment might not be permitted (SMTP proxy service restrictions).

Macro checking – the Outlook software can check whether an attached document or spreadsheet has macros, which are potential virus carriers, and these may be blocked.

Text searching – the software has the facility for searching for any specific text which could be implemented if required. This facility would only be invoked under strict procedures authorised by the Director with responsibility for IM&T or a nominated deputy as per section 9.9 of policy.

Sensitivity labelling – we have no software with the facility for classifying email security levels according to agreed criteria.

Annotation – the software has no facility to add an automatic message to all outgoing emails. If this is required in the future, it will be necessary to purchase third party software.

Activity logging – The exchange servers log all incoming and outgoing emails as part of the normal SMTP tracking service. The tracking log files are retained for ten days.

Spam Control – In order to protect the network and to protect employees from unwelcome and sometimes unpleasant content, HIS have installed the Microsoft Exchange 2010 Anti-Spam filter service and Sophos PureMessage to inspect all inbound and outbound email. This uses an inbuilt algorithm to determine whether a message contains spam or not and rates each message according to likelihood. The software is set to block all emails with a rating score above a set figure, which is agreed with Internal Audit and the client Trusts of HIS. There is a risk that in protecting staff from spam, some legitimate email will also be blocked.
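The size, recipient-count, attachment-type and macro checks listed above, as an added example in Python (not the Exchange, Outlook, Sophos or firewall software's own logic; only the 750-recipient limit comes from the policy, while the size limit, the blocked extension list and the sample messages are assumptions). The macro check goes a little beyond the list: besides macro-enabled file extensions, it opens an Office Open XML attachment as the zip container it is and looks for a stored VBA project part, which is how a macro can hide behind an ordinary .docx name:

```python
"""Message-level policy checks of the kind listed in section 3.1.3.

Constructed example using only the standard library. MAX_RECIPIENTS is the
policy's figure; the other thresholds and lists are assumptions.
"""
from __future__ import annotations

import io
import zipfile
from email.message import EmailMessage
from email.utils import getaddresses

MAX_RECIPIENTS = 750                                   # stated in the policy
MAX_MESSAGE_BYTES = 10 * 1024 * 1024                   # assumed size limit
BLOCKED_EXTENSIONS = {".exe", ".scr", ".mp4", ".avi"}  # assumed block list
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}          # macro-enabled Office types


def recipients(msg: EmailMessage) -> list[str]:
    """All addresses in To/Cc/Bcc, parsed so that 'Name <addr>' forms count once."""
    headers = [v for h in ("to", "cc", "bcc") for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def ooxml_has_vba(payload: bytes) -> bool:
    """An Office Open XML file is a zip; a stored VBA project is a vbaProject.bin part.

    Payloads that are not zip archives return False rather than raising.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def check_message(msg: EmailMessage) -> list[str]:
    """Return the policy findings for a message (an empty list means it passes)."""
    findings = []
    size = len(msg.as_bytes())
    if size > MAX_MESSAGE_BYTES:
        findings.append(f"size {size} exceeds {MAX_MESSAGE_BYTES}")
    n = len(recipients(msg))
    if n > MAX_RECIPIENTS:
        findings.append(f"{n} recipients exceeds {MAX_RECIPIENTS}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        elif ext in MACRO_EXTENSIONS or ooxml_has_vba(part.get_payload(decode=True)):
            findings.append(f"macro-enabled attachment: {name}")
    return findings


def build_sample(n_recipients: int, attachment_name: str, payload: bytes) -> EmailMessage:
    """Constructed test message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = ", ".join(f"user{i}@example.test" for i in range(n_recipients))
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg


def docx_with_macro() -> bytes:
    """Minimal constructed zip laid out like a Word document carrying a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00stub")
    return buf.getvalue()
```

`check_message(build_sample(751, "tool.exe", b"MZ"))` reports both the recipient count and the blocked type, while `build_sample(1, "report.docx", docx_with_macro())` is caught only by the container inspection, since its extension is on no list.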

3.2 The Trust’s Monitoring Procedures

3.2.1 The above monitoring products have been introduced primarily to prevent rather than detect abuse of systems.

3.2.2 Non-compliance with the policy could have serious consequences for the stability of the computing network and for the working environment, and for this reason procedures have been formulated to allow for detailed scrutiny of usage only where there is a serious and justified suspicion of misuse.

3.2.3 Procedures allow for detailed examination of all relevant actions that are taken by an individual (or group of individuals) once suspicion of possible misuse has been raised. They include the following provisions:

That a request for access to an individual’s PC in order to review their Internet and Email activity, may only be made as outlined in section 11.2 of the Internet and e-Communications Policy.

Any officer involved in carrying out an investigation will be bound by the duty of confidentiality.


Monitoring processes undertaken during an investigation will be the minimum necessary to prove or disprove misuse of email and/or Internet facilities, and are likely to concentrate on positively identifying the PC involved by close analysis of the dynamic address allocation process.

Monitoring will be for a specified period of time only. Monitoring requests may be renewed at the end of the period providing they are still justifiable.

Results of the monitoring process could be used as evidence in disciplinary hearings, or evidence in criminal or civil judicial processes.

Any misuse found will be reported to the Trust IM&T Lead or the nominated deputy for the case. Disciplinary action may be taken which could include dismissal in case of gross misconduct.


Training Requirements Training Needs Analysis

Training Required YES NO ☑

Training topic:

Type of training: (see study leave policy)

☐ Mandatory (must be on mandatory training register)

☐ Role specific

☐ Personal development

Division(s) to which the training is applicable:

☐ Adult Mental Health & Learning Disability Services

☐ Community Health Services

☐ Enabling Services

☐ Families Young People Children

☐ Hosted Services

Staff groups who require the training:

Please specify…

Regularity of Update requirement:

Who is responsible for delivery of this training?

Have resources been identified?

Has a training plan been agreed?

Where will completion of this training be recorded?

☐ ULearn

☐ Other (please specify)

How is this training going to be monitored?

Appendix 5


The NHS Constitution

The NHS will provide a universal service for all based on clinical need, not ability to pay. The NHS will provide a comprehensive range of services

Shape its services around the needs and preferences of individual patients, their families and their carers

Respond to different needs of different sectors of the population ☑

Work continuously to improve quality services and to minimise errors ☑

Support and value its staff ☑

Work together with others to ensure a seamless service for patients ☑

Help keep people healthy and work to reduce health inequalities ☑

Respect the confidentiality of individual patients and provide open access to information about services, treatment and performance

Appendix 6


Stakeholders and Consultation

Key individuals involved in developing the document (Name, Designation):

Ian Wakeford Head of LHIS

Chris Biddle LHIS IT Assurance Manager

Sam Kirkland Head of Information Governance

Circulated to the following individuals for comment (Name, Designation):

Members of IM&T Delivery Group

Members of Records and Information Governance Group

Appendix 7


Due Regard Screening Template

Section 1 Name of activity/proposal Internet and e-Communications Policy

Date Screening commenced December 2017

Directorate / Service carrying out the assessment

Medical/ LHIS

Name and role of person undertaking this Due Regard (Equality Analysis)

Vicky Hill, Information Security Manager

Give an overview of the aims, objectives and purpose of the proposal:

AIMS: To provide a framework within which staff can safely, and with confidence, use social media in the course of their work activities

OBJECTIVES: Enable staff to use e-Communications to maintain effective working relationships with colleagues; Enable staff to explore the use of eCommunications with service users where this is their preference

Section 2 Protected Characteristic If the proposal/s have a positive or negative impact

please give brief details

Age Positive – the policy creates multiple ways of communicating by catering for all groups

Disability Positive – the policy creates multiple ways of communicating by catering for all groups

Gender reassignment Positive – the policy creates multiple ways of communicating by catering for all groups

Marriage & Civil Partnership Positive – the policy creates multiple ways of communicating by catering for all groups

Pregnancy & Maternity Positive – the policy creates multiple ways of communicating by catering for all groups

Race Positive – the policy creates multiple ways of communicating by catering for all groups

Religion and Belief Positive – the policy creates multiple ways of communicating by catering for all groups

Sex Positive – the policy creates multiple ways of communicating by catering for all groups

Sexual Orientation Positive – the policy creates multiple ways of communicating by catering for all groups

Other equality groups?

Section 3 Does this activity propose major changes in terms of scale or significance for LPT? For example, is there a clear indication that, although the proposal is minor, it is likely to have a major effect for people from an equality group/s? Please tick the appropriate box below.

Yes / No

High risk: Complete a full EIA, starting at Part B

Low risk: Go to Section 4 ☑

Appendix 8


Section 4 If this proposal is low risk please give evidence or justification for how you reached this decision:

The policy is to be used to help identify all means of communication to engage with staff groups who may have difficulty with traditional means; and assist clinicians in supporting service users by catering to their communication preferences

Signed by reviewer/assessor Date

Sign off that this proposal is low risk and does not require a full Equality Analysis

Head of Service Signed Sam Kirkland Date 13/03/2018


PRIVACY IMPACT ASSESSMENT SCREENING

Privacy impact assessments (PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. The first step in the PIA process is identifying the need for an assessment.

The following screening questions will help decide whether a PIA is necessary. Answering ‘yes’ to any of these questions is an indication that a PIA would be a useful exercise and requires senior management support; at this stage the Head of Data Privacy must be involved.

Name of Document:

Internet and e-Communications Policy

Completed by: Vicky Hill

Job title LHIS Information Security Manager

Date March 2018

Yes / No

1. Will the process described in the document involve the collection of new information about individuals? This is information in excess of what is required to carry out the process described within the document.

No

2. Will the process described in the document compel individuals to provide information about themselves? This is information in excess of what is required to carry out the process described within the document.

No

3. Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information as part of the process described in this document?

No

4. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?

No

5. Does the process outlined in this document involve the use of new technology which might be perceived as being privacy intrusive? For example, the use of biometrics.

Yes

6. Will the process outlined in this document result in decisions being made or action taken against individuals in ways which can have a significant impact on them?

Yes

7. As part of the process outlined in this document, is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For examples, health records, criminal records or other information that people would consider to be particularly private.

Yes

8. Will the process require you to contact individuals in ways which they may find intrusive?

No

If the answer to any of these questions is ‘Yes’ please contact the Head of Data Privacy Tel: 0116 2950997 Mobile: 07825 947786 [email protected] In this case, ratification of a procedural document will not take place until approved by the Head of Data Privacy.

IG Manager approval name: Sam Kirkland

Date of approval 09/03/2018

Acknowledgement: Princess Alexandra Hospital NHS Trust

Appendix 9