General Note
NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.
New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published, or there are national policy or legislative changes.
1 FUNCTION
NHS Fife has a responsibility to ensure that all data stored on its computer systems is appropriate to the needs of NHS Fife, is securely held, is available in a complete and accurate form when needed and complies with the requirements of the Data Protection Act and recommendations of the Information Governance Group. The use of mobile devices forms a major part of the eHealth Strategy for Scotland; however, this also increases the risks associated with the secure storage of data. The purpose of this policy is to set out the criteria for the provision of mobile devices and the conditions relating to their use. This policy is a supplementary policy to NHS Fife’s Information Security Policy.
This document forms part of NHS Fife’s ISO 27001 Information Security Management System.
NHS Fife reserves the right to change this policy in order to meet any future changes in Information Governance and Data Protection.
2 LOCATION
This policy is applicable to all staff, contractors and volunteers working within NHS Fife.
3 RESPONSIBILITY
3.1 Users
3.1.1 Mobile & Handheld Devices
It is the responsibility of all staff to ensure the confidentiality, availability and integrity of data recorded, managed and referred to under the business auspices of NHS Fife, and to comply with the requirements of the Data Protection Act and Caldicott recommendations.
Each mobile device user must take personal responsibility for the security of the equipment, software and data in his/her care.
All users have a responsibility to report the loss or theft of any mobile device if the device is either wholly owned by NHS Fife or is connected to the NHS Fife network, to the eHealth Service Desk.
Any user opting to connect personally owned devices to the NHS Fife network is deemed to cede control of the device to NHS Fife eHealth.
Obligations:
- Users must understand that they are solely responsible for backing up any and all personal content.
- Users must acknowledge that NHS Fife will in no way be responsible for damaged, lost or stolen personal devices while the employee is performing NHS Fife business.
- Users must accept that eHealth security policies will be applied to the device, which may include, but are not limited to, passcode, timeout, passcode complexity and encryption.
- Users must take appropriate precautions to prevent any other individual from accessing their device, including the safe keeping of any credentials.
- When connectivity is no longer required the user must contact NHS Fife eHealth in order that the connection can be terminated.
- Devices that are ‘jailbroken’, ‘rooted’ or have been subjected to any other method of changing built-in protections will not be accepted for connection.
3.2 eHealth Department
NHS Fife wholly owned devices will be supported as standard devices.
Personally owned devices will be supported for connectivity, back-end system operation and delivery of content only. No support can be offered for replacement, upgrade or general usage.
3.3 Line Managers
All managers are to ensure that personnel issued with a mobile device have a genuine need for mobile working and that, if authorised to work at home, all other policies and staff regulations are met, e.g. Encryption and Health & Safety. Additionally, managers must ensure staff are fully trained in the proper use of the device.
It is the responsibility of all line managers to ensure their staff use any device appropriately.
The Line Manager must inform the eHealth Servicedesk when a member of staff leaves to ensure that their remote access rights are removed and any mobile devices are returned to the eHealth Department. Managerial budgetary approval must be obtained for the purchase of mobile devices.
4 OPERATIONAL PROCEDURE
This policy applies to the use of mobile devices supplied or funded by NHS Fife.
NHS Fife will also consider the connection of devices that are:
- Wholly owned and managed by NHS Fife
- Personally owned devices where it has been agreed through the application process, that there is an acceptable business need for this connection.
This policy does not affect users’ ability to access NHS Mail services from their personal devices in compliance with the NHS Mail acceptable use policy.
A key requirement of this policy is that NHS Fife reserves the right to erase, remotely or otherwise, all data from any device (including personally owned devices) in the event of a risk of a confidentiality breach.
NHS Fife will permit the connection and use of personally owned devices to access NHS Fife computing or network services, subject to the following guidelines:
- Decision to use a personally owned device will be based on a documented business need, risk assessment and appropriate eHealth management approval.
- Reimbursement of expenses incurred will be restricted to circumstances where the user can provide evidence of expenditure associated with NHS Fife business, existing expenses policies allowing.
- Reimbursement of expenses incurred will be restricted to the purchase of any software required as part of the approved use of a personally owned device agreement.
- NHS Fife cannot be held liable for the erasing of any user content (either personal or business related) should it be deemed necessary to wipe a device in order to protect NHS Fife information nor if a wipe is accidentally conducted.
- Cameras within mobile devices are not to be used unless part of an approved procedure.
- Mobile Device Management software, or any software deemed necessary, must be installed before connection is allowed.
4.1 Restrictions
- Passcode: 6-digit PIN
- Maximum passcode age: 90 days
- Auto-lock: 3 minutes
- Passcode history: 10
- Grace period for device lock: immediate
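The restrictions above are the kind of baseline an MDM inventory can be checked against. As an added example (not part of the NHS Fife policy or its eHealth tooling), the following Python evaluates constructed device records against the section 4.1 settings and the section 3.1.1 rule that jailbroken or rooted devices are not accepted; the record field names are assumptions, and reading a 6-digit PIN as "numeric, at least six digits" is an interpretation.

```python
# Added example: check constructed MDM inventory records against the section 4.1
# passcode baseline and the 3.1.1 jailbroken/rooted rule. Field names are assumed.

REQUIRED_PIN_LENGTH = 6        # passcode: 6-digit PIN
MAX_PASSCODE_AGE_DAYS = 90     # maximum passcode age
MAX_AUTOLOCK_MINUTES = 3       # auto-lock after 3 minutes
MIN_PASSCODE_HISTORY = 10      # previous passcodes remembered
MAX_GRACE_PERIOD_MINUTES = 0   # lock requires the passcode immediately


def check_device(rec):
    """Return a list of findings for one device record; an empty list means compliant."""
    findings = []
    if not rec.get("passcode_set"):
        findings.append("no passcode set")
    elif rec.get("pin_length", 0) < REQUIRED_PIN_LENGTH or not rec.get("numeric_only"):
        findings.append("passcode is not a 6-digit PIN")  # interpretation: numeric, >= 6 digits
    if rec.get("max_age_days") is None or rec["max_age_days"] > MAX_PASSCODE_AGE_DAYS:
        findings.append("passcode age limit missing or above 90 days")
    if rec.get("autolock_minutes") is None or rec["autolock_minutes"] > MAX_AUTOLOCK_MINUTES:
        findings.append("auto-lock missing or longer than 3 minutes")
    if rec.get("passcode_history", 0) < MIN_PASSCODE_HISTORY:
        findings.append("passcode history below 10")
    grace = rec.get("grace_period_minutes")
    if grace is None or grace > MAX_GRACE_PERIOD_MINUTES:
        findings.append("grace period is not immediate")
    if rec.get("jailbroken"):
        findings.append("device is jailbroken/rooted and must not be connected")
    return findings


def non_compliant_devices(inventory):
    """Map device id -> findings for every record that fails at least one check."""
    return {rec["device_id"]: f for rec in inventory if (f := check_device(rec))}


# Constructed sample inventory; all values are invented for illustration.
SAMPLE_INVENTORY = [
    {"device_id": "DEV-001", "passcode_set": True, "pin_length": 6, "numeric_only": True,
     "max_age_days": 90, "autolock_minutes": 3, "passcode_history": 10,
     "grace_period_minutes": 0, "jailbroken": False},
    {"device_id": "DEV-002", "passcode_set": True, "pin_length": 4, "numeric_only": True,
     "max_age_days": 180, "autolock_minutes": 5, "passcode_history": 10,
     "grace_period_minutes": 1, "jailbroken": False},
    {"device_id": "DEV-003", "passcode_set": True, "pin_length": 6, "numeric_only": True,
     "max_age_days": 90, "autolock_minutes": 3, "passcode_history": 10,
     "grace_period_minutes": 0, "jailbroken": True},
]

if __name__ == "__main__":
    for dev, issues in non_compliant_devices(SAMPLE_INVENTORY).items():
        print(dev, "->", "; ".join(issues))
```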
4.2 Purchase of ‘apps’:
- Users issued with a device for their sole use are required to create their own unique account for the relevant appstore. They are then authorised to install apps from the NHS Fife library of apps as well as apps they deem useful from the relevant app store.
- eHealth welcomes feedback on apps deemed to be useful, specifically clinical apps.
- Users are responsible for the payment of any app unless they have prior agreement with their budget holder.
- Any requests for central payment (and installation) of an app will be taken into consideration by the appropriate eHealth manager. Requests should be logged via the eHealth Servicedesk.
- Apps purchased by NHS Fife and installed via a user’s personal ID will remain the property of NHS Fife.
4.3 Conditions Attached to the Provision of Mobile Devices
The provision of NHS Fife mobile devices shall be subject to the following conditions:
4.3.1 Person Identifiable Information
In order to comply with the Data Protection Act and the recommendations of the Information Governance Group, person identifiable information shall be stored on a mobile device only when this is absolutely necessary. Where it is necessary to store such information, the following conditions apply:
- the device must be owned by NHS Fife;
- Caldicott Administrator approval must be obtained;
- password authentication must be applied;
- encryption must be applied;
- data shall be stored only for the time period when it is actively being used;
- data shall be deleted immediately after use;
- only the minimum amount of person identifiable information, necessary for the current purpose, shall be stored;
- the person’s name shall be stored only when absolutely necessary;
- measures shall be taken to maximise the physical security of the mobile device;
- for work involving person identifiable information from locations within NHS Fife, users will be required, wherever possible, to use NHS Fife’s network to store data;
- no personal mobile devices can be used for the storage or processing of person identifiable information or other NHS Fife sensitive data.
4.3.2 Data Storage
Mobile devices should not be the primary repository of data.
4.3.3 Personal Use
NHS Fife accepts no responsibility if personal data or software is deleted or corrupted whilst the device is being repaired or serviced by NHS Fife’s eHealth Department.
4.3.4 Use of the Internet
NHS Fife’s Internet Policy and Broadband Policy apply to NHS Fife mobile devices.
4.3.5 NHS Fife’s Right to Inspect Data
All data and software held on NHS Fife mobile devices may be inspected by authorised staff at any time and without warning. Users may be required to remove software and/or data which are deemed by the General Manager – eHealth & IMT to be inappropriate.
5 RISK MANAGEMENT
NHS Fife staff shall respect the confidentiality and privacy of individuals whose records they access; observe any restrictions that apply to sensitive data; and abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.
The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.
It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.
With regard to the Health & Social Care Partnership (H&SCP), the Partnership Management Group will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.
6 RELATED DOCUMENTS
GP/I5 Information Security Policy
GP/I3 Internet Policy
GP/B2 Broadband Remote Access Policy
All supplementary NHS Fife Information Security Policies
7 REFERENCES
Computer Misuse Act (1990)
Data Protection Act (1998)
Human Rights Act (1998)
Freedom of Information (Scotland) Act (2002)
NHSS Information Security Policy Framework July 2015