Policy Type General Policy

Policy Category Digital & Information

Policy Number GP/E6

Author Information Security Manager

Reviewer Information Security Manager

Signatory Associate Director of Digital & Information

Implementation Date 01 January 2007

Last Review Date 05 January 2022

Next Review Date 05 January 2025

Version Number 8

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.

New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published.

This policy has been written to comply with current legislation and the policy will be updated appropriately to suit new and/or modified legislation. The references appendix will be updated to reflect this legislation.

1 FUNCTION

This policy details the framework within which NHS Fife supports the use of email. This policy forms part of the Information Security Management System (ISMS) and should be read in conjunction with all the Information Security (IS) policies.

This policy supports the NHS Fife Information Security Policy. The purpose of this policy is to ensure that email is used effectively across NHS Fife.

This policy contains important rules covering email. Many of the rules apply equally to NHS Fife’s other methods of external communication such as letter, the use of fax, telephone, social media and other external communication methods.

1.1 Definitions

Spamming - Spam is unsolicited commercial email, the electronic equivalent of the junk mail that comes through your letterbox.

Phishing - Phishing is the use of bogus emails and websites to trick an email user into supplying confidential and personal information.

Chain Letters - A chain letter is an electronic email that urges you to forward copies to other people.

Ephemeral - Ephemeral email is email which facilitates NHS Fife business but does not need to be retained for business purposes.

2 SCOPE

This policy is intended for all NHS Fife staff to maintain information security.

In the interests of clarity all references to ‘staff’ includes all staff within NHS Fife and all staff who are employed, contracted, engaged or partners within each GP practice (contracted to NHS Fife).

3 RESPONSIBILITY

3.1 All Staff using Email

It is the responsibility of all staff to comply with this and all other Information Security policies.

Email users should be aware that they neither own the documents that they or their colleagues create, nor have intellectual property rights therein.

3.2 Information Governance and Security (IG&S) Department

The IG&S Department will monitor the use of the Email systems. All Email is stored and NHS Fife may inspect email without notice. Some of the most likely reasons for monitoring email are:

• Preventing or detecting misuse;
• Preventing or detecting crime;
• Making sure email is operating properly;
• Checking the quality of service.

The IG&S Department will notify the respective Line Manager and Human Resources Department of any breaches of this policy

3.3 Line Managers

It is the responsibility of Line Managers to ensure that all staff adhere to the contents of this policy.

Responsibility for taking any appropriate disciplinary action following a breach of this policy lies with the relevant Line Manager having taken advice from the Human Resources Department.

4 OPERATIONAL SYSTEM

4.1 When to use Email

It is the responsibility of the person sending an email message to decide whether email is the most appropriate method to communicate the information. The decision to send an email should be based on a number of factors including:

• The subject of the message;
• The recipient’s availability;
• The speed of transmission;
• The speed of response required;
• The number of recipients of the email.
• The Classification (‘sensitivity’) of information contained within the email, refer to the Appendix 1 - Scottish Government Mobile Data Standard for more information.

4.2 Writing Work Related Email Messages

When writing a work related email message it is important that consideration is given to the way in which the message is conveyed. This includes thinking about the title, the text and the addressees.
Refer to Appendix 2 - Email Good Practice Guidelines for more information.

Email messages constitute a formal record and can be used as evidence in legal proceedings.

4.3 Personal Use

NHS Fife defines reasonable personal use as ‘transactions of personal affairs’ which cannot be avoided during working hours.

Staff who have access to email for business purposes may make reasonable personal use of email facilities provided by NHS Fife. The personal use should be kept to a minimum and is permitted only during authorised break times where it:
• does not interfere with the performance of your duties;
• does not overburden the system;
• does not create any additional expense to the organisation.

The conditions of this policy also apply to personal use of email.

4.4 Security

Each Email account, whether a personal or group account, is protected by access control measures i.e. the network configuration, username and password requirements.

Individual users must take personal precautions to ensure the security of their email account including logging off from the PC before leaving it unattended. This will prevent others reading your email or sending phishing emails in your name.

It is possible to permit other email account holders to open your mailbox or send email on your behalf. Employees must contact the Digital and Information Service Desk if this is required before this practice takes place.

Archiving: The storing of personal data (within the meaning afforded to it with the Data Protection Act 2018) is subject to the same controls as any other personal data, and is therefore subject to Freedom of Information requests.

Virus Protection: The most common way of receiving a computer virus is through email. Software has been installed on the Email servers which scans each email attachment for embedded viruses as soon as it enters the Network.

At individual level it is the responsibility of all email account holders to:
• delete any messages from unknown origin;
• contact the Digital and Information Service Desk immediately should they receive notification that an email sent to or by them contains a virus.

4.5 Confidentiality/Sending Patient Identifiable Information

NHS Fife accepts that NHS email is the only method by which Personal Identifiable information can be securely sent by email.

When using NHS email, Patient Identifiable Information can be sent to the following addresses ensuring confidentiality:

4.5.1 NHS email domains:
• *.nhs.net
• *.nhs.uk
• *.nhs.scot

4.5.2 Central Government email domains:
• *.gsi.gov.uk
• *.gse.gov.uk
• *.gsx.gov.uk
4.5.3 Secure Ministry of Defence email domains:
• *.mod.uk
4.5.4 Secure Police National Network/Criminal Justice Services email domains:
• *.police.uk
• *.pnn.police.uk
• *.scn.gov.uk
• *.cjsm.net
4.5.5 Secure Local Government/Social Services email domains:
• *.gcsx.gov.uk

Where patient identifiable information must be transmitted to external organisations, there is a much greater risk of unencrypted emails being intercepted with a consequent breach of patient confidentiality.

Only NHS email accounts may be used to send patient identifiable information to external recipients who use the secure email addresses noted above.

Refer to section 8 for further guidance on classifications of information that should and should not be sent by email and how the information should be protected.

The nhs.scot address has been approved for use by NHS Scotland.

4.5.6 Insecure email domains
It is not acceptable to send personal identifiable information outwith NHS Fife by another route using internet email providers, unless the following criteria are met:
• Information Governance approval is granted for the method used i.e patient consent, Privacy Impact Assessment (PIA), compliance with the Data Protection Act etc.
• The NHS Fife department has processes and procedures in place to reduce the risks of using the method applied to send emails
• The method of encryption used to send the email meets with approval of the eHealth Security Manager. For example the NHS email [secure] facility;

This strategic decision has been approved by the Information Governance Group – 11th February 2016.

The NHS Fife Data Protection Office has produced guidelines and procedures to assist this process:
• Appendix 3 - Guidelines for Staff – Emailing;
• Appendix 4 - Communicating by Email with the NHS.

4.6 Misuse and Abuse of Email

The sending of email which can or does cause distress will be dealt with by the appropriate NHS Fife Human Resources policy.

The transmission of any kind of sexually explicit image or document is expressly forbidden. If you need to transmit sexually explicit images or documents for a valid clinical reason, the permission of the Caldicott Guardian must be sought in advance.

Behaviour or comments that are not permitted in the spoken or paper environment are also not permitted in email messages.

Email messages containing inaccurate information in the form of opinion or fact about an individual or organisation, may result in legal action being taken against the person sending the email message and anyone forwarding the email message on to others.

4.7 Housekeeping

It is the responsibility of all members of staff to manage their email messages appropriately. It is important that email messages are managed in order to comply with Data Protection and Freedom of Information legislation.

To manage email messages appropriately all NHS Fife staff must identify email messages that are records of their business activities. Clinical or managerial records should be moved from personal mailboxes and managed in the same way as other records.

Ephemeral email messages should be managed within the mailbox and kept only for as long as required before being deleted.

A storage limit is set on all email boxes. Users will receive a warning message informing they are reaching their limit.

Emails must be deleted on a regular basis – this includes inbox, sent items and deleted items.

4.8 Global Email

Although email is often considered to be a good way of disseminating information to large groups, it should be noted that there are some restrictions. The ability to send an email to everyone in NHS Fife is restricted to the Digital and Information Service Desk, the Communications Department and designated staff.

If a message is particularly important an email should be sent to the Communications Department requesting that they send an email to everyone detailing the nature of the information. If the message is Digital and Information related then the request for a global email should be sent to the Digital and Information Service Desk.

4.9 Unsolicited Email (spamming)

NHS Fife Email system is protected from ‘spamming’ and NHSMail users can setup filters both of which can prevent unsolicited mail.

“SPAM” Mail can be avoided by the following:
• If you don’t know the sender delete the email;
• Never respond to spam or click on links within it;
• Never give your email address on the internet;
• Only give your email address to people you trust;
• Use the ‘bcc’ field if you email many people at once;
• Never make a purchase from unsolicited email.

4.10 Hoaxes, Scams & Chain Letters

If you receive any form of the above in emails do not forward them to anyone, delete them immediately and inform the Digital and Information Service Desk.

4.11 Accessing the Mailbox of another Member of Staff

There may be occasions when it is necessary to access email messages from an individual’s mailbox when a person is away from the office for an extended period, for example sick leave. The reasons for accessing an individual’s mailbox are to action:
• Subject access request under the Data Protection Act;
• Freedom of Information requests;
• Evidence in legal proceedings;
• Line of business enquiry;
• Conducting an investigation which may result in disciplinary action.

Where it is not possible to ask the permission of the member of staff whose mailbox needs to be accessed, the procedure for gaining access to their mailbox is:
• Gain authorisation from the Head of Department;
• Submit a request to the eHealth Service Desk;
• A record will be made of the reason for accessing the mailbox together with the names of the people involved;
• Inform the person whose mailbox was accessed.

It is less likely that this procedure will need to be followed if mailbox access has been delegated to a trusted third party.

4.12 Shared Mailboxes

Shared mailboxes should be used where there is a group of people responsible for the same area of work to ensure that queries are answered quickly when members of the team are away from the office.

Access to a shared mailbox is initially given by the eHealth Department and can be granted by the person who owns the mailbox.

4.13 Generic Mailboxes

Generic mailboxes should be created for the receipt of specific clinical information whether they are for referrals, laboratory test requests or any other clinical requirement.

Generic mailboxes should be kept to a minimum or one per functional area. However it is recognised that there could be business and clinical reasons that require more than one generic mailbox per functional area.

4.14 Public Mailbox Folders

The public folders are accessible by everyone using an Active Directory user account and are organised into folders.

The public folder should be used for people across NHS Fife who want to share ideas relating to a particular area of work.

4.15 Disclaimer

An NHS Fife disclaimer is appended to every email message sent from an NHS Fife email system.

4.16 Summary
DO protect the Security and Confidentiality of the system and information;
DO regular Housekeeping;
DO read and action the email good practice guide;
DO NOT misuse or abuse the system;
DO NOT email anything that could result in criminal or civil prosecution, or which could lead to disciplinary proceedings against you;
DO NOT send a Global Email without careful consideration.

5 RISK MANAGEMENT

NHS Fife Staff shall respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.

The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.

With regard to the Health & Social Care Partnership (H&SCP), the Partnership Management Group will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the Partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.

6 RELATED DOCUMENTS

GP/I5 Information Security Policy
All other supplementary NHS Fife Information Security Policies

7 REFERENCES APPENDIX

The principal Acts of Parliament, Scottish Government circulars, and internal guidance documents relevant to this policy are:

• General Data Protection Regulation (GDPR)
• Network and Information Systems Regulations 2018 (NIS Regulations)
• CEL 25 (2012) NHS Scotland Mobile Data Protection Standard
• Civil Contingencies Act 2004
• Computer Misuse Act 1990
• Copyright, Design and Patents Act 1988
• Data Protection Act 2018
• Freedom of Information (Scotland) Act 2002
• MEL 2000 (17) Data Protection Act 1998
• Public Records (Scotland) Act 2011
• Regulation of Investigatory Powers (Scotland) Act 2000
• Scottish Government Records Management: NHS Code Of Practice (Scotland) Version 2.1 January 2012
• SG DL (2015) 17 Information Governance and Security Improvement Measures 2015-2017 (NHSS Information Security Policy Framework)
• The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

Related Publications:
GP/E6 Email Policy - EQIA
GP/E6 Appendix 1 - Scottish Government Mobile Data Standard
GP/E6 Appendix 2 - Email Good Practice Guidelines
GP/E6 Appendix 3 Guidelines for Staff – Emailing
GP/E6 Appendix 4 - Communicating by Email with the NHS

Related Policies:
GP/D3-5 - 'Safe Haven' Procedure for Operating Fax Machines
GP/C9 - Confidentiality
GP/D3 - Information Governance and Data Protection
GP/D3-7 - Good Practice Guide - Using Office Equipment & Machinery
GP/I5 - Information Security

Email Policy