General Note
NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.
New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published, or there are national policy or legislative changes.
1 FUNCTION
The purpose of this policy is to set out the conditions relating to the use of non-NHS Fife owned equipment for the processing and/or storage of NHS Fife Personal or Corporate Data and the Installation and Maintenance of such equipment. This policy is a supplementary policy to the GP/I5 Information Security Policy.
This document forms part of NHS Fife’s Information Security Management System (ISMS).
Definition: Personally Owned Devices includes Computers (desktop, laptops, tablets etc.), Mobile Devices, Media Storage Device or any mobile data processing device not owned by NHS Fife.
2 LOCATION
This policy is applicable to all staff, contractors and volunteers working within NHS Fife.
3 RESPONSIBILITY
All staff who use non NHS Fife owned equipment and the managers of such staff.
It is the responsibility of staff using non NHS Fife owned equipment to comply with this policy.
3.1 eHealth Department
3.1.1Installation and maintenance of Non-NHS Fife Equipment
Any non-NHS Fife equipment for use in conjunction with NHS Fife’s network must be approved by the eHealth Department, before installation. All requests should be made though the eHealth Service Desk so that the service request can be assigned to the appropriate eHealth manager.
All mains powered equipment must be electrically tested by the Estates Department before installation by the eHealth Department.
In accordance with the GP/I5 Information Security Policy, all equipment and associated software utilising the NHS Fife network must be installed by the eHealth Department. This includes wireless devices.
The eHealth Department shall provide limited maintenance and support on any non-NHS Fife equipment when previously approved by the eHealth department and subsequently installed by a member of the eHealth Department.
The eHealth Department reserves the right to cease support or to disconnect any device without comeback from the user, where there is an unacceptable risk to the IT services it provides or it breaches’ legislation.
3.2 NHS Fife Staff
3.2.1 Accessing NHS Mail via Personally Owned Mobile Phones
NHS Fife staff connecting to NHS Mail to send or receive emails using personally owned mobiles phones must comply with the restrictions enforced by NHSMail.
For further information, refer to section 3.1.1 of the GP/M5 Mobile Devices Management Policy.
The eHealth Service Desk can be contacted for further assistance.
3.3 Personally Owned Devices Storing Confidential Data (Home Computers)
NHS Fife staff are not permitted to carry out work based activities on their personally owned devices (for example home computers, tablets etc.), where confidential data is accessed, amended, copied to/from a media device or printed. This includes using NHS Mail to send or receive confidential data using personally owned equipment. They shall not connect these devices to the NHS Fife network unless they have the permission of the IT Operations Manager or equivalent grade.
NHS Fife staff shall only access work related websites, which have Information Governance approval for the purpose of their work, via personally owned PC’s, Laptops, Notepads or any other data management device. An example of this is the Staff Bank website.
3.4 Remote Working using Personally Owned Computers
The eHealth Department shall provide the necessary solutions to support remote working for third party contractors using their own computers.
Where third party contractors wish to use this facility they will be required to submit a service request to the eHealth Service desk. Also a number of prerequisites relating to the configuration of the computer will require to be met before the solution can function, these are:
- Approved Anti Virus software;
- Operating System Patching;
- A hardware/software token or equivalent;
This list is not exhaustive and may change without notice depending upon information security risks that arise.
4 OPERATIONAL SYSTEM
In order to comply with GDPR / Data Protection Act and the recommendations of the NHS Fife Information Governance & Security Group, NHS Fife only permits the use of NHS Fife owned or authorised equipment to be used to store confidential information whether patient/ personal data or business sensitive material.
Conditions relating to the Use of non-NHS Fife Equipment (for example third party computer devices, networked equipment etc):
- NHS Fife does not permit the use of non NHS Fife equipment to store confidential data whether patient sensitive, personal or business unless approved by the eHealth Governance and Security Manager (DPO).
- Users will be responsible for ensuring that any software used to process/store NHS Fife data is properly licensed and may be required to provide evidence of this.
- All software used for processing/storing NHS Fife data must be compatible with NHS Fife software. If such software conflicts with any NHS Fife software or systems, or affects the performance of any NHS Fife software or systems, users will be required to remove it.
- Users will be responsible for ensuring that regular secure backups of NHS Fife data to minimise the risk of loss of personal data, and may be required to provide evidence of such backups. Alternatively, users may request that the eHealth Department take on this role, however a charge may be made to implement the backup policy.
- Users will be required to install eHealth Department approved antivirus software on any equipment used to process and store NHS Fife data, to keep such software up to date. A request for guidance on this matter should be made to the eHealth Service Desk.
- The eHealth Security Manager may undertake audits to ascertain whether or not this Policy is being implemented on eHealth Systems using Non-NHS Fife Equipment.
5 RISK MANAGEMENT
To mitigate the risks to NHS Fife’s (including GP Practices) Data, Information and IT infrastructure, the following strategies and techniques’ shall be implemented:
It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.
NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.
The unauthorised disclosure of NHS Fife Data in any medium is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.
With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and regularly review these to ensure they take into account legislative and operational requirements.
Should the above risk mitigations not be implemented and a breach of legislation occurs the following impact may follow:
- Disciplinary action against staff;
- Legal action against NHS Fife;
- Legal action against the person(s) involved in the breach;
6 RELATED DOCUMENTS
6.1 GP/I5 Information Security Policy
6.2 GP/D3 Data Protection and Confidentiality Policy
6.3 GP/B2 eHealth Remote Access Policy
6.4 GP/E6 Email Policy
6.5 GP/I3 Internet Policy
6.6 GP/M5 Mobile Device Management Policy
6.7 GP/O2 Online Communication Policy
6.8 GP/P2 Password Policy
6.9 GP/I6 IT Change Management Policy
7 REFERENCES
7.1 Computer Misuse Act (1990)
7.2 Data Protection Act (2018)
7.3 General Data Protection Regulations (GPDR)
7.4 Network and Information Systems (NIS) Regulations
7.5 Civil Contingencies Act (2004)
7.6 Human Rights Act (1998)
7.7 Freedom of Information (Scotland) Act (2002)
7.8 NHSS Information Security Policy Framework July 2015
Related Publications
Related Policies
