NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.
New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published, or there are national policy or legislative changes.
This policy supports the GP/I5 Information Security Policy. This document forms part of NHS Fife's ISO 27001 Information Security Management System.
The purpose of this policy is to define the framework with which NHS Fife supports the use of the Internet:
- By authorised staff within NHS Fife;
- By staff who, although not employed by NHS Fife, have authorised access to the internet through a computer owned or managed by NHS Fife.
This policy is applicable to all staff, contractors and volunteers working within NHS Fife.
3.1 Responsibilities of the User
In accordance with the GP/I5 Information Security Policy, it is the responsibility of all staff to ensure that computer systems, and the data which they access using them, are safe and secure.
If a user unintentionally downloads files which affect the operation of the PC, the user must notify the eHealth Service Desk immediately.
3.2 Responsibility of the Line Manager
The Line Manager must inform the eHealth Service Desk when a member of staff commences employment and must approve the eHealth System Access Request form, which includes internet access by default.
3.3 eHealth Department Monitoring of Internet Use
NHS Fife reserves the right, consistent with UK law, to monitor all Internet access, including but not limited to e-mail and the World Wide Web. No member of staff should consider information sent/received through the Internet as his/her private information. The eHealth Department will produce reports, where necessary or upon a line manager’s request, on a user’s access to and usage of the Internet.
If it is discovered that a member of staff has been accessing, or attempting to access, a site in breach of this policy, the eHealth Quality and Governance Manager or eHealth Security Manager is responsible for informing the Line Manager or Human Resources department of the potential breach of this policy.
Attempting to evade NHS Fife monitoring of eHealth infrastructure shall also be deemed to be a potential breach of this policy. Access to the internet for the member of staff may be suspended during investigation of the incident.
4 OPERATIONAL SYSTEM
4.1 Becoming an Authorised User
Each member of staff who wishes to access the Internet must complete an eHealth System Access Request form; this form must be approved and countersigned by their Head of Department.
Access to the Internet will normally be through NHS Fife’s network and firewall to the secure gateway provided by SWAN (Scottish Wide Area Network). A filtering server is in place which restricts and logs all internet activities.
4.2 Use Restrictions and Limitations, Personal Use
NHS Fife defines reasonable personal use as ‘transactions of personal affairs’ which cannot be avoided during working hours.
You may make reasonable personal use of internet facilities provided by NHS Fife. The personal use should be kept to a minimum and is permitted only during authorised break times where it:
- does not interfere with the performance of your duties;
- does not overburden the system, i.e. downloading large files;
- does not create any additional expense to the organisation.
4.3 Patient Access to IT Facilities
As part of patient treatment, access to the internet and computer applications may be permitted.
Departments sponsoring Patient Access to IT Facilities shall produce an Operational Procedure for implementing and managing access to the NHS Fife Infrastructure in a manner that ensures that Information Security and the IT infrastructure are safeguarded. The areas that require to be addressed are:
- Description of the required access;
- Location of treatment;
- The expected clinical benefits;
- Principles of access and restrictions;
- Managing internet access;
- Risk assessment;
- Responsibilities of staff.
The above list is not exhaustive and additional restrictions may be applied depending upon the type of access required.
The eHealth Security Manager shall review and approve the Operational Procedure and associated change request. All requests for IT patient treatment programs shall be managed in accordance with the GP/I6 eHealth Change Management Policy.
4.4 Patient Wi-Fi
Patient Wi-Fi is available across all NHS Fife hospitals, meaning that patients and visitors can access free internet whilst they spend time in waiting areas or in their hospital bed.
Patients and visitors have access to a huge number of websites, as well as information about the hospital and the services available.
To ensure the ease of access for patients, there will be no requirement to register to use the service although patients will be asked to read and agree to the terms and conditions of use.
4.5 Inappropriate Use
Transmission of material in violation of any contractual, national or local regulation is prohibited. This includes but is not limited to copyrighted, threatening or obscene material. No member of staff is permitted to access, display or download from Internet sites that hold offensive material. To do so is considered a serious breach of security and may result in dismissal. This list is not exhaustive. In instances which may demand criminal prosecution, NHS Fife Executive Directors Group (EDG) is the final arbiter of what constitutes offensive material, and what is permissible access to the Internet.
Information obtained through the Internet may not be accurate, and users must check the accuracy, adequacy or completeness of any such information.
Use of copyrighted material must be in accordance with the publishers’ permission statement.
4.7 Other Use
Use of the Internet facility for commercial activities other than in the conduct of the NHS Fife business is prohibited.
Use of the Internet facility for political activities is prohibited.
Due to the insecure nature of Internet mail, users must consider Internet email to be public information. No unencrypted patient identifiable information, confidential material or government classified information must be transmitted over the Internet.
This does not include the use of the NHSmail email service, which is encrypted end to end between nhs.net addresses, or from an nhs.net address to a GSX.gov.uk, GSI or CJS address. This list is not exhaustive; please refer to secure transmission of confidential information within the GP/E6 Email policy.
4.9 User Names and Passwords
Each user is responsible for maintaining the security of their individual login and password. Staff must not share their user name or password with anyone. Please refer to the GP/P2 Password Policy for more detailed guidance. At the end of each session, users must log out of the computer. Should a user wish to access the Internet and find that a previous user has left their computer access open, the new user must log out from that session and commence their own session. If a breach of security is recorded under a user’s login, the burden of proof will be with that user to show that he/she is not responsible for the breach.
4.10 Unintentional Breaches of Security
If a user unintentionally connects to a site which breaches this policy, the user must disconnect from the site immediately and inform the eHealth Service Desk.
4.11 Download of Files
Users must be aware that the Internet is a major transmission platform for computer viruses, the effects of which can range from the minor irritant to a major disaster.
File downloads must be done in accordance with the laws which protect copyright, designs and patents.
It is a breach of security to download files which disable the network or compromise the integrity and security of NHS Fife’s networks and file servers.
Intentionally introducing files which cause computer problems may be prosecutable under the Computer Misuse Act and will lead to disciplinary action.
Users must not download software programs and applications, including freeware and shareware, from the Internet or install them on NHS Fife computers. Please contact the eHealth Service Desk to request installation of any applications or programs.
4.12 Use of the NHS Fife’s Name
If users join a discussion group or news group they should conduct themselves in an honest and professional manner. Unless they are authorised to do so by the nature of their job and responsibilities, they are not permitted to write or present views on behalf of NHS Fife. No member of staff is authorised to join a discussion group under the name of NHS Fife, or to design a web site and publish it under the name of NHS Fife, without the authority of the NHS Fife Chief Executive.
All users of the Internet are bound by the confidentiality and security policies of NHS Fife, by the Caldicott principles governing the use of patient identifiable information and by the common law duty to maintain confidentiality concerning the data and information they use as part of their everyday work.
Staff must not disclose any confidential information relating to any aspect of the business of NHS Fife.
Any user who is aware of, or suspects, a confidentiality or security breach must immediately alert the eHealth Security Manager, who will initiate investigation procedures.
Depending upon the breach scenario, investigations will be carried out jointly with the Data Protection Officer, Caldicott Guardian, Head of eHealth, Human Resources and the Information Security Consultant, NISG.
5 RISK MANAGEMENT
NHS Fife Staff shall respect the confidentiality and privacy of individuals whose records they access; observe any restrictions that apply to sensitive data; and abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.
The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.
It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.
With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.
6 RELATED DOCUMENTS
GP/I5 Information Security Policy
All supplementary NHS Information Security Policies
Computer Misuse Act (1990)
Data Protection Act (1998)
Human Rights Act (1998)
Freedom of Information (Scotland) Act (2002)
NHSS Information Security Policy Framework July 2015