General Note
NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or until national policy or legislative changes are made.
1. PURPOSE
The purpose of this policy is to outline the acceptable use of computer equipment and software at NHS Fife and provide an overview and cross-reference to policies relating to acceptable use of specific systems. These rules are in place to protect the employee and NHS Fife. Inappropriate use exposes NHS Fife to risks including loss of confidentiality, virus attacks, compromise of network systems and services, and legal issues.
This document forms part of NHS Fife’s Information Security Management System (ISMS).
2. SCOPE
This policy is applicable to all staff, contractors and volunteers working within NHS Fife and Fife GP Practices.
3. POLICY
3.1 Acceptable Use of All Assets
• Employees are responsible for exercising good judgment regarding reasonableness of personal use. Please refer to GP/E6 Email and GP/I3 Internet Policies for more information.
• All Information Technology (IT) equipment, software and associated services are provided to staff for Business Use Only.
• For information security, IT and network maintenance purposes, authorised individuals within NHS Fife will monitor equipment, systems and network traffic.
• Keep passwords secure and do not share accounts. Users are responsible for the security of their passwords and accounts. Please refer to GP/P2 Password Policy for more information.
• All Personal Computers, including laptops, tablets, handheld devices and workstations, must be secured by a password-protected screensaver that activates automatically after 15 minutes or less. Where a computer is being used as part of a clinical operation, a request for an extended screensaver timeout can be made to the Information Security Manager via the Digital and Information (D&I) Service Desk.
• Personal data contained on portable computers and handheld devices is especially vulnerable; special care should be exercised to protect it from inappropriate access, loss or corruption. Please refer to the GP/M5 Mobile Device Management Policy for more information.
• Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or malware.
• Emails containing personal data or sensitive information must only be sent via authorised email addresses or must employ additional security measures (encryption) to protect the contents. Please refer to the GP/E6 Email Policy for more information.
• Remote access must be via the D&I department remote access solutions. Please refer to the GP/B2 eHealth Remote Access Policy for more information.
3.2 Reporting of IT Incidents and Data Breaches
All IT incidents (including suspected) must be reported to the D&I Service Desk for the attention of the Information Security Manager with immediate effect.
NHS Fife is required to report major incidents to the Competent Authority (CA) within 72 hours as required by the Network and Information Systems (NIS) regulations. Please refer to the GP/S8 eHealth Incident Management Policy for more information.
All data breaches (including suspected) must be reported via Datix with immediate effect.
NHS Fife is required to report serious data breaches to the Information Commissioner's Office (ICO) within 72 hours as required by the General Data Protection Regulations (GDPR). Please refer to the GP/D3 Data Protection and Confidentiality Policy for more information.
Failure to report incidents or breaches to the CA or ICO can leave NHS Fife exposed to undertakings or fines for not complying with GDPR or NIS regulations. This could result in a loss of public trust in NHS Fife's ability to provide clinical services and in its competence to hold personal data, as well as a financial impact on service provision.
3.3 Unacceptable Use of I.T. Infrastructure
The following list indicates the types of activity that are not allowed on NHS Fife’s IT infrastructure:
• Users shall not reveal their account details including username and/or password to others or allow use of their account by others. This includes family and other household members when work is being done at home.
• Users shall not install or use unlicensed software. This is to prevent deliberate or careless introduction of malicious programs (malware) into the IT infrastructure.
• The copying of copyrighted materials is prohibited.
• Effecting security breaches; these include, but are not limited to, accessing data of which the employee is not the intended recipient, or logging into a server or account that the employee is not expressly authorised to access.
• Sending unsolicited email messages, including sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
• Any form of harassment via email or other methods of electronic communication.
• Solicitation of email for any other email address, other than the sender’s account, with the intent to harass or to collect replies.
• Creating or forwarding "chain letters".
• No member of staff is permitted to access, display or download from Internet sites that hold offensive material.
• Use of the Internet facility for commercial activities other than in the conduct of NHS Fife business is prohibited. Please refer to the GP/O2 Online Communication Policy for further guidance.
• Due to the insecure nature of Internet mail, users must consider Internet email to be public information. Therefore, only encrypted personal data, patient information, confidential material or government classified information shall be transmitted over the Internet. Please refer to the GP/E6 Email policy for further guidance.
• Users must not download software programs and applications (this includes freeware and shareware) from the Internet or install them on NHS Fife computers.
• Installation of all software within NHS Fife will be undertaken by the Digital & Information department or authorised staff and will be subject to formal change control procedures; refer to the GP/I6 IT Change Management Policy for more information.
3.4 Network User Agreement - Restrictions
Users with access to the NHS Fife network must not attempt, or by their actions or deliberate inaction assist others to attempt, any of the following:
• Unauthorised access to hardware platforms.
• Unauthorised introduction of software or hardware components to the network.
• Unauthorised modification of network components.
• Unauthorised attempts to access networks from other networks.
• Unauthorised attempts to access other networks from within networks.
• Unauthorised circumvention of security features such as firewalls, passwords etc.
• Unauthorised copying or distribution of software, documentation or media associated with trust systems.
• Unauthorised removal of hardware, software, documentation or media associated with trust systems.
3.5 Data Protection Act 2018 and Computer Misuse Act 1990
All Users are subject to the provisions of the Data Protection Act 2018 (http://www.legislation.gov.uk/ukpga/2018/12/contents) and the Computer Misuse Act 1990 (http://www.legislation.gov.uk/ukpga/1990/18/contents).
4. OPERATIONAL SYSTEM
4.1 Acceptable Handling of Physical Assets
Where the asset is a physical component (computer, laptop, tablet, phone, printer etc.) of the computer network, the D&I department will have overall responsibility for its functionality. The day-to-day responsibility for the use of IT assets falls to the departments.
Unauthorised use, modification and removal of IT assets is strictly prohibited. Where assets need to be removed off-site, departmental management approval for the removal of such assets must be obtained.
5. RISK MANAGEMENT
To mitigate the risks to NHS Fife’s (including GP Practices) Data, Information and IT infrastructure, the following strategies and techniques shall be implemented:
It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.
NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.
The unauthorised disclosure of NHS Fife Data in any medium is expressly forbidden, as is the access or use of any NHS Fife Data for one's own personal gain or profit, or to satisfy one's personal curiosity or that of others.
With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and regularly review these to ensure they take into account legislative and operational requirements.
Should the above risk mitigations not be implemented and a breach of legislation occur, the following impacts may follow:
• Disciplinary action against staff;
• Legal action against NHS Fife;
• Legal action against the person(s) involved in the breach.
6. RELATED DOCUMENTS
• GP/I5 Information Security Policy
• GP/D3 Data Protection and Confidentiality Policy
• GP/B2 eHealth Remote Access Policy
• GP/E6 Email Policy
• GP/I3 Internet Policy
• GP/I6 IT Change Management Policy
• GP/M5 Mobile Device Management Policy
• GP/O2 Corporate Communications Policy
• GP/P2 Secure Use of Passwords Policy
7. REFERENCES
• Data Protection Act (2018)
• General Data Protection Regulations (GDPR)
• Network and Information Systems (NIS) Regulations
• Computer Misuse Act (1990)
• Civil Contingencies Act (2004)
• Human Rights Act (1998)
• Freedom of Information (Scotland) Act (2002)