INTERNET & INTERNET BASED SERVICES USAGE POLICY
Version / 6
Name of responsible (ratifying) committee / Data Protection and Data Quality Committee
Date ratified / 18 April 2018
Document Manager (job title) / Head of IT
Date issued / 08 May 2018
Review date / 08 May 2020
Electronic location / Management Policies
Related Procedural Documents / IT Security Policy
IT Portable Computing & Mobile Working Policy
Confidentiality: Staff Code of Conduct
Data Protection Policy
Adverse Event & Near Misses Policy
Information Governance Policy
Information Risk Policy
Safe Haven Policy
Bullying & Harassment Policy
Disciplinary Policy
Social Media Policy
IT Guidelines - Using The Internet & Internet Based Services
Key Words (to aid with searching) / Internet, N3, social media, instant messaging, chat rooms, discussion forums, social networks, web conferencing, on line gaming, cloud storage, file download, web site, sensitive information, confidential information, identifiable personal information, unacceptable use, inappropriate use, offensive or illegal material, PID, personal use, internet monitoring, internet access, blocked web sites, file sharing, media streaming, accidental access, inadvertent access, inappropriate content
Version Tracking
Version / Date Ratified / Brief Summary of Changes / Author
6 / 18.04.2018 / Restructuring & rationalisation of previous content. General updates & corrections / MSF
5 / 09.03.2016 / Minor updates & changes / MSF
4 / March 2014 / Full re-write of Policy / MSF
3 / May 2011 / - / IPHIS
CONTENTS
QUICK REFERENCE GUIDE
1. INTRODUCTION
2. PURPOSE
3. SCOPE
4. DEFINITIONS
5. POLICY REQUIREMENTS
5.1 General Requirements
5.2 Unacceptable Use
6. DUTIES AND RESPONSIBILITIES
7. PROCESSES
7.1 Connections to the Internet
7.2 Access to the Internet & Control of Content
7.3 IT Guidelines & Safe Working Practices for Users
7.4 Action in case of Potential or Actual Security Breach
7.5 Action in case of Accidental or Inadvertent Access to Inappropriate Internet Content
7.6 Action in case of Inappropriate Use of the Internet
7.7 Cessation of Internet Accounts
8. TRAINING REQUIREMENTS
9. REFERENCES AND ASSOCIATED DOCUMENTATION
10. EQUALITY IMPACT STATEMENT
11. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS
EQUALITY IMPACT SCREENING TOOL
QUICK REFERENCE GUIDE
For quick reference the guide below is a summary of actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy.
1. You may use the Internet, as appropriate, for undertaking and completing your duties; remembering the inherent security, reliability and quality risks that are associated with its use.
2. You must use the Internet responsibly, effectively and lawfully and with consideration to other users. You must ensure your use of the Internet does not cause unnecessary or inappropriate security risks to the Trust’s IT resources or information or bring the Trust in to disrepute.
3. You must be sufficiently aware of appropriate laws of copyright, defamation, obscenity and confidentiality. You must understand your own personal liability and accountability concerning your use of the Internet and publication and distribution of material.
4. You must be fully aware of the Unacceptable Use conditions defined in this policy and comply at all times with these requirements when using the Internet.
5. You must not present views on behalf of the Trust unless you have been authorised to do so, or inappropriately join social networks, web conferences, discussion forums or chat-rooms.
6. With the exception of other NHS websites, you must not use your Trust e-mail identity for the setting up of any personal memberships or accounts to websites and on-line services. This includes on-line forums and blogs, social media websites, auction sites and job sites.
7. You must at all times comply with Trust policies, practices and standards and NHS best practice guidance concerning requirements for access to and sharing of information including, in particular, Sensitive Information.
8. You must be aware that the Trust monitors use of the Internet via its own IT resources and may use monitoring information to meet disciplinary, legal and statutory obligations.
9. The Trust employs systems to control access to Internet content and material that it deems to be inappropriate to its business and operational needs or which it considers may present unacceptable threat. You must not attempt to interfere with the operation of these systems.
10. Subject to the agreements and conditions laid out in this policy, and your acceptance that there is no expectation of privacy, reasonable use of the Internet via the Trust’s IT resources for personal purposes is permitted.
11. You will not be held responsible for accidentally or inadvertently accessing inappropriate Internet material or content as long as you promptly follow the actions prescribed in this policy.
12. Failure to comply with the requirements of this policy or inappropriate use of resources controlled by this policy is a serious matter and may result in rights to use the Internet via the Trust’s IT resources being restricted or withdrawn, disciplinary action or prosecution under UK law.
1. INTRODUCTION
This policy supports Portsmouth Hospitals Trust’s (the Trust) overall information security management framework and has been produced, particularly, to set policy and define processes to be employed in the use and management of internet services via the Trust’s Information Technology (IT) resources.
The internet (which includes the world-wide-web) is a firmly established enabler for research and exchange of information and, especially via social media, communication. It has considerable potential to support the management and delivery of services by the Trust and can be of great benefit when used appropriately. However, it also has inherent security risks, provides no guarantee of reliability or performance and if inappropriately used or misused has the potential to introduce serious risks for the Trust; including productivity and security concerns, legal and regulatory compliance and litigation.
Internet access is provided to members of staff primarily to support and deliver the business of the Trust. However, with the prior agreement of their line managers, within reasonable limitations and the constraints of this policy it is also available for general use by members of staff.
All users of the Internet shall comply with this policy.
2. PURPOSE
The purpose of this policy is to ensure that, in a safe and secure way that complies with law and the best interests of the Trust, effective and appropriate use of the Internet is made by the Trust and its staff.
In particular this policy aims to:
2.1 Set out the rules which govern acceptable and unacceptable use of the Internet via the Trust’s IT resources.
2.2 Through the promotion of awareness and dissemination of good practice reduce the risk of security threats.
2.3 Preserve confidentiality of Sensitive Information and protect the Trust’s assets against unauthorised disclosure.
2.4 Encourage effective use of Trust resources.
3. SCOPE
3.1 This policy applies:
- To all Trust users (including employees, voluntary & bank workers, contractors, agency & sub-contract staff, locums, partner organisations, suppliers and customers) of the Internet.
- All use of the Internet; either for business and operational purposes of the Trust or; which identifies the Trust or its employees and may bring the Trust into disrepute.
- In respect to defined users and usage; use of the Internet at any time or location or on any Trust device or internet connection.
3.2 In the event of outbreak of an infection, flu pandemic or major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document and in such circumstances, staff should take advice from their manager and all possible action must be taken to maintain ongoing patient and staff safety.
4. DEFINITIONS
4.1 Internet means general connection to the internet as well as access to and use of any internet based features, applications, functionality and services.
4.2 Sensitive Information means personal identifiable information, commercially confidential and sensitive information and confidential, sensitive and critical information of the Trust.
4.3 The/Your Manager means the line manager of a member of staff or other relevant senior member of staff.
5. POLICY REQUIREMENTS
5.1 General Requirements
5.1.1 The Internet is a global computer network providing a vast range of information resources, communication facilities and services that may be used in the undertaking of the Trust’s business and operations. Users are obliged to use these resources responsibly, effectively and lawfully.
5.1.2 Risks associated with use of the Internet shall be considered and mitigated where possible. Risk levels must be proportionate to benefits realised, and where risks cannot be reduced to acceptable levels they shall be escalated to the Trust’s Risk Assurance Committee / Senior Information Risk Owner (SIRO) as appropriate.
5.1.3 Users of the Internet shall comply with Trust policies, IT Guidelines and NHS best practice guidance concerning the requirement for access to and dissemination of information.
5.1.4 Use of the Internet for Trust business and operational purposes in public areas of the Trust’s buildings and outside of the Trust’s premises shall be subject to the additional conditions laid out in the Trust’s Portable Computing & Mobile Working Policy and IT Security Policy.
5.1.5 Users of the Internet shall not write or present views on behalf of the Trust unless they are authorised to do so. This means that members of staff must not join social networks, web conferences, discussion forums or chat-rooms in the name of the Trust unless authorised to do so.
5.1.6 The Trust allows reasonable use of the Internet for personal purposes on the condition that such use does not interfere with work, is previously agreed with Your Manager and that staff members adhere to this policy, related policies, regulations and the Trust’s current safe working practices.
5.1.7 The Trust reserves the right to monitor the use of the Internet via its own IT resources. Where there is legitimate cause the Trust reserves the right, without warning or permission from the user, to use such monitoring information as required to meet disciplinary, legal and statutory obligations.
5.1.8 To reduce risk to members of staff and the Trust, secure web gateway solutions that; restrict access to web sites and content that is deemed to be inappropriate to the needs of the Trust; prevent confidential data loss and; prevent web based attacks shall be deployed.
5.2 Unacceptable Use
5.2.1 Any use of the Internet which is deemed to be unacceptable in terms of this policy, or which in any other way contravenes the Trust’s policies, regulations and standards may give rise to disciplinary action. The Trust may inform the police of unlawful use of the Internet and criminal prosecution may follow.
5.2.2 You must not:
- Use internet based file sharing applications unless explicitly approved and provided as a service.
- Upload or download private data to and from the internet.
- Download copyrighted or licenced material such as software, text, images, music and video from the internet unless you have legitimate reason and entitlement to access and use of the material.
- Access, download or upload any libelous, discriminatory, defamatory, offensive, harassing, racist, obscene or pornographic remarks, depictions or data.
- Attempt to bypass the Trust’s security systems.
- Attempt to introduce or transmit computer viruses, malware, malicious software and potentially unwanted applications.
- Use NHS systems or internet access for personal advantages (such as business financial transactions or private business activities) that may bring the Trust into disrepute, interfere with its own business, jeopardise the security of its IT resources or information, or cause harm to its patients or staff.
- Use your Portsmouth Hospitals NHS Trust identity (i.e. your e-mail addresses) for private purposes such as with social media, discussion forums and similar.
- Express personal views (including in social media) in ways that; they are likely to be interpreted as being the represented view of the Trust or wider NHS; or bring the Trust or wider NHS into disrepute, harm or tarnish its image through offensive, inappropriate or derogatory remarks.
6. DUTIES AND RESPONSIBILITIES
6.1 Senior Information Risk Officer (SIRO)
The SIRO is responsible for:
- The Trust’s information risk assessment process and information management.
- Overseeing adherence to this procedure to the satisfaction of the Trust.
- Ensuring documentation and appropriate action is taken where non-compliance to this policy or a need for improvement is identified.
6.2 Caldicott Guardian
The Caldicott Guardian has responsibility for monitoring controls and procedures governing the safe and confidential transfer of patient identifiable information across the Trust.
6.3 Data Protection & Data Quality Committee
The Data Protection & Data Quality Committee is responsible for ensuring that this policy is:
- In accordance with information governance requirements.
- Implemented and understood across the Trust.
6.4 Head of IT
The Head of IT is responsible for:
- Day-to-day management of the procedures related to this policy
- Authorising internet connection and provision for use by the Trust.
- Ensuring this policy is implemented and adhered to by IT Department staff
6.5 The IT Department
The IT Department and its staff are responsible for:
- Ensuring the continuing availability of internet provisions and their supporting infrastructure.
- Managing, administering and maintaining the Trust’s internet connections on a day-to-day basis.
- The provision of monitoring, filtering and content control systems used in connection with the Internet that ensure compliance with the Trust’s policies and its legal and statutory obligations.
- Providing advice and guidance to users of the Internet for business and operational purposes of the Trust.
- Providing support in cases involving suspected inappropriate use of IT resources (including the Internet) and undertaking investigations into suspected failures of compliance with policy.
6.6 Managers
Managers are responsible for undertaking duties as outlined in Section 7 of this document, and appropriately ensuring that their permanent, temporary and agency staff and contractors have read and understood this policy. Further that:
- Staff work in compliance with this policy, related processes, guidelines and safe working practices.
- Staff are appropriately instructed/trained in use of the Internet.
- Personal use of the Internet by staff is in compliance with the requirements of this policy.
6.7 Staff
All staff that use the Internet shall:
- Comply with this policy; its related processes, guidelines and safe working practices.
- Ensure that they are fully aware of the unacceptable uses of the Internet as outlined in this policy.
- Ensure that any personal use of the Internet via the Trust’s IT resources does not interfere with their work and has been previously agreed with The Manager.
Staff working locally in areas and with children and young people that have been granted access to the Internet via the Trust’s own IT resources are responsible for supervising Internet use, and preventing inappropriate access or usage.
7. PROCESSES
7.1 Connections to the Internet
Connections to the internet shall only be implemented by the IT Department and any connection that introduces unacceptable security risks shall not be permitted. Any department or member of staff requiring a new connection to the internet to be made must contact the IT Service Desk to agree and arrange provision.
7.2 Access to the Internet & Control of Content
Unless The Manager requests otherwise, members of staff are automatically granted internet access at the same time as being given a user account.
Requests for user accounts must be submitted by The Manager or other Trust authorised representative to the IT Service Desk in accordance with its current ordering processes and procedures.
Children and young people (under the age of 18) are not normally allowed access to the Internet via the Trust’s own IT resources. Should a requirement for such access, or other patient access, arise appropriate justification and authorisation (including guardian’s) must be included with the request (e.g. for educational support whilst in hospital). In such instances:
- Access will be provided via systems that monitor Internet use and restrict access to appropriate sites only.
- Staff working locally in areas and with patients granted such access will be responsible for supervising Internet use and preventing inappropriate access or usage.
Requests will be processed by the IT Department in accordance with established procedures and published timescales.
Members of staff experiencing problems accessing legitimate websites in the course of their work (e.g. being blocked by the Trust’s access/content management systems) should contact the IT Service Desk for guidance and further assistance.
7.3 IT Guidelines & Safe Working Practices for Users
Any questions or queries relating to Trust IT policies, guidelines or NHS best practice guidance should be addressed to the IT Service Desk.
7.4 Action in case of Potential or Actual Security Breach
Potential and actual security breaches associated with the use of the Internet shall be reported and investigated in accordance with the Trust’s incident reporting procedures.
7.5 Action in case of Accidental or Inadvertent Access to Inappropriate Internet Content
The Trust acknowledges that it is not possible to regulate absolutely what sites are provided over the internet. It views the content of some sites as being a risk to the confidentiality, security and integrity of its own IT resources and information.
Should you accidentally or inadvertently access inappropriate material or content through your use of the Internet (including hostile, offensive and sexually explicit websites and material) you must exit immediately, making a note of the web address, promptly notify the IT Service Desk and inform Your Manager of the incident.
You will not be held responsible for accidental or inadvertent access provided that the above action is taken.
7.6 Action in case of Inappropriate Use of the Internet
Failure to comply with the requirements of this policy or inappropriate use of the Trust’s resources is a serious matter and may result in an individual’s right to use the Internet being restricted or withdrawn. In some cases it may result in disciplinary action, and in some circumstances it might lead to prosecution under UK law.