General Policy
Digital & Information
GP/I3
Information Security Manager
Cyber Security Manager & Deputy Head of IT Operations
Director Digital & Information
01 January 2007
01 May 2024
01 May 2027
6

GENERAL NOTE

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out.  New policies will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or if national policy or legislative changes are made.

1.     FUNCTION 

This policy supports the GP/I5 Information Security Policy. The purpose of this policy is to define the framework within which NHS Fife supports the acceptable use of the Internet:

•    By authorised staff within NHS Fife.
•    Staff who although not employed by NHS Fife have authorised access to the internet through a computer owned or managed by NHS Fife.

2.     LOCATION 

This policy is applicable to all staff, contractors and volunteers working within NHS Fife.

3.     RESPONSIBILITY 

3.1.     Responsibilities of the User

3.1.1    In accordance with the GP/I5 Information Security Policy, it is the responsibility of all staff to ensure that internet enabled systems and the data which they access using them, are safe and secure. Staff members should ensure the undertake mandatory Information Governance training as required.  

3.1.2    If a user downloads files which affect the operation of the PC or mobile device, the user must notify the Digital and Information Service Desk immediately.

3.2.     Responsibility of the Line Manager

3.2.1    The Line Manager must approve the Digital and Information System Access Request which includes internet access as default and ensure the staff member has read and understood all relevant general policies and undertaken mandatory Information Governance training as required.

3.3.     Digital and Information Department Monitoring of Internet Use

3.3.1    NHS Fife reserves the right, consistent with UK laws including Data Protection Act 2018/UK GDPR, to conduct Lawful business monitoring of IT systems. It is essential for maintaining the confidentiality, integrity and availability of NHS Fife’s digital infrastructure. No member of staff should consider information sent/received through the Internet as their private information. The Digital and Information Department will produce reports where necessary, or upon a line manager’s request on a user’s access to and usage of the Internet.

3.3.2    If it is discovered that a member of staff has been accessing, or attempting to access, a site in breach of this policy, the Information Governance and Security and/or Information Security Manager is responsible for informing the Line Manager or Human Resources department of the potential policy contravention. 

3.3.3    Attempting to evade NHS Fife monitoring of Digital and Information infrastructure shall also be deemed to be a potential breach of this policy. Access to the internet for the member of staff may be suspended during investigation of the incident.

4.     OPERATIONAL SYSTEM 

4.1    Internet Access

4.1.1    Upon account enablement, users will have Internet access by default. Access to the Internet will normally be through NHS Fife’s network and firewall to the secure gateway provided by SWAN (Scottish Wide Area Network). A filtering server is in place which restricts and logs all internet activities. NHS Fife regular monitors Internet traffic for vulnerabilities, threats and content blocking is in place for many websites. Where a site is blocked, a user will be presented with a Digital & Information notice in place of access. 

4.2    Use Restrictions and Limitations, Personal Use

4.2.1    NHS Fife defines reasonable personal use as ‘transactions of personal affairs’ which cannot be avoided during working hours. You may make reasonable personal use of internet facilities provided by NHS Fife. The personal use should be kept to a minimum and is permitted only during authorised break times where it:

•    does not interfere with the performance of your duties.
•    does not overburden the system, i.e. downloading large files.
•    does not create any additional expense to the organisation.

4.2.2    As per para 3.3, users are reminded that NHS Fife reserves the right to monitor all internet traffic and that care should be taken when conducting any personal internet transactions.

4.3    Patient Access to IT Facilities

4.3.1    As part of patient treatment, access to the internet and computer applications may be permitted.  Departments sponsoring Patient Access to NHS Fife IT Facilities shall produce an Operational Procedure for implementing and managing access to the NHS Fife Infrastructure in a manner that ensures that Information Security and the IT infrastructure are safeguarded. The areas that require to be addressed are:

•    Description of the required access.
•    Department.
•    Location of treatment.
•    The expected clinical benefits.
•    Principles of access and restrictions.
•    Managing internet access.
•    Risk assessment.
•    Responsibilities of staff.

4.3.2    The above list is not exhaustive and additional restriction may be applied depending upon the type of access required. The Information Governance and Security team shall review and approve the Standard Operational Procedure employed by the managing service. Any technical changes need to be coordinated through the D&I IT Service Desk and in line with the GP/I6 Change Management Policy. 

4.4    Patient & Public Wi-Fi

4.4.1    Patient & Public Wi-Fi is available across all NHS Fife hospitals, meaning that patients and visitors can access free internet whilst they spend time in waiting areas or in their hospital bed.

4.4.2    Patients and visitors have access to a huge number of websites, as well as information about the hospital and the services available. To ensure the ease of access, there will be no requirement to register to use the service although patients will be asked to read and agree to the terms and conditions of use.

4.5    Inappropriate Use

4.5.1    Transmission of material in violation of any contractual, national or local regulation is prohibited. This includes but is not limited to copyrighted, threatening or obscene material. No member of staff is permitted to access, display or download from Internet sites that hold offensive material. To do so is considered a serious breach of security and may result in disciplinary action. This list is not exhaustive. In instances which may demand criminal prosecution, NHS Fife Executive Directors’ Group (EDG) is the final arbiter of what constitutes offensive material, and what is permissible access to the Internet.

4.5.2    Information obtained through the Internet may not be accurate, and users must check the accuracy, adequacy or completeness of any such information.

4.6    Social Media And Online Conduct

4.6.1    Unless directed in an official capacity by role, users are not to represent themselves as providing comment on behalf of NHS Fife. Care should be taken when participating on social media, forums, blogs, discussion groups etc where the reputation and values of NHS Fife may be questioned and that statements are not interpreted as official NHS Fife comment. No member of staff is authorised to join such groups under the name of NHS Fife, or to publish a website under the name of NHS Fife, without the authority of the NHS Fife Chief Executive. GP/O2 Corporate Communications Policy provides further direction and guidance.

4.7    Copyright

4.7.1    Use of copyrighted material must be in accordance with the publishers’ permission statement.

4.8    Other Use

4.8.1    Use of the Internet facility for commercial activities other than in the conduct of the NHS Fife business is prohibited. 

4.8.2    Use of the Internet facility for political activities is prohibited.

4.9    Security

4.9.1    Due to the insecure nature of Internet mail, users must consider Internet email to be public information. No unencrypted patient identifiable information, confidential material or government classified information must be transmitted over the Internet. This does not include the use of the NHS email service which encrypts data end to end between NHS.scot addresses.  For further guidance and direction on email communications please refer to GP/E6 Email policy. 

4.10    Usernames and Passwords

4.10.1    Each user is responsible for maintaining the security of their individual login and password. Staff must not share their username or password with anyone. Please refer to the GP/P2 Password Policy, for more detailed guidance. At the end of each session, users must log out of the computer. Should a user wish to access the Internet and find that a previous user has left their computer access open, the new user must log out from that session and commence their own session. If a breach of security is recorded under a user’s login, the burden of proof will be with that user to show that he/she is not responsible for the breach.

4.11    Unintentional Breaches of Security

4.11.1    If a user unintentionally connects to a site which breaches this policy, the user must disconnect from the site immediately and inform the Digital and Information Service Desk.

4.12    Download of Files

4.12.1    Users must be aware that the Internet is a major transmission platform for malware which can include viruses, worms, trojans, ransomware and spyware, the effects of which can range from the minor irritant to a major incident. File downloads are a known primary vehicle for the delivery of such malicious code and users are should always assess whether files are coming from a trusted source. 

4.12.2    File downloads must be done in accordance with the laws which protect copyright, designs and patents.

4.12.3    It is a breach of security to download files which disable the network or compromise the integrity and security of NHS Fife’s networks and file servers.

4.12.4    To intentionally introduce files which cause disruption to the effective operation of a system or NHS Fife enterprise may be prosecutable under the Computer Misuse Act 1990 and will lead to disciplinary action.

4.12.5    Users must not download software programmes and applications, including freeware and shareware, from the Internet or install them on NHS Fife computers. Please contact Digital and Information Service Desk to request installation of any applications or programs.

4.13    Confidentiality

4.13.1    All NHS Fife users of the Internet are bound by the confidentiality and security policies of NHS Fife, by the Caldicott principles governing the use of patient identifiable information and by the common law duty to maintain confidentiality concerning the data and information they use as part of their everyday work.

4.13.2    Staff must not disclose any confidential information relating to any aspect of the business of NHS Fife.

4.13.3    Any user being aware of or suspecting a confidentiality or security breach must immediately alert the Information Security Manager who will initiate investigation procedures.

4.13.4    Dependent upon the breach scenario investigations may be carried out jointly with the Data Protection Officer, Caldicott Guardian, Head of Digital and Information, Human Resources, Cyber Security and the Information Security Manager.

5.    RISK MANAGEMENT

5.1    NHS Fife Staff shall respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.

5.2    The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

5.3    It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility and where contraventions of policy are identified, to submit a Datix report in accordance with GP I9 – Adverse Events Policy.

5.4    With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.

6.    RELATED DOCUMENTS

•    GP/I5 Information Security Policy
•    GP/O2 Corporate Communications Policy
•    GP/P2 Password Policy
•    GP/E6 Email Policy
•    GP/I6 Change Management Policy
•    GP/A4 Acceptable Use Policy
•    GP/I9 Adverse Events Policy

All supplementary NHS Information Security Policies

7.    REFERENCES

•    Data Protection Act 2018
•    General Data Protection Regulation (GDPR)
•    Network and Information Systems Regulations 2018 (NIS Regulations)
•    Computer Misuse Act 1990
•    Copyright, Design and Patents Act 1988 
•    Freedom of Information (Scotland) Act 2002
•    Public Records (Scotland) Act 2011
•    Regulation of Investigatory Powers (Scotland) Act 2000