NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST INTERNET USAGE AND MONITORING POLICY Documentation Control Reference Approving Body Date Approved Implementation Date Version Summary of Changes from Previous Version

Supersedes Consultation Undertaken

GG/INF/010 Directors’ Group 7 February 2014 7 February 2014 3 Ever increasing use of internet resources resulting in changes in monitoring requirements and capability ensuring that the Trust continues to maintain its responsibilities. Internet Usage and Monitoring Policy version 2, October 2010 Information Governance Committee

Date of Completion of Equality Impact Assessment Date of Completion of We Are Here for You Assessment

31st October 2013 – see separate template attached at Appendix 1 31st October 2013 – see separate template attached at Appendix 3

Date of Environmental Impact Assessment (if applicable) Legal and/or Accreditation Implications

31st October 2013 – see separate template attached at Appendix 2

Target Audience Review Date

All Staff with access to the Trusts internet, intranet and network systems. October 2016

Lead Executive

Director of ICT Services

Author/Lead Manager

Name: Femi Famodile Job title: Information Security & Risk

Internet Usage And Monitoring Policy Version 3 February 2014

Data Protection Act 1998 Electronic Communications Act 2000 Telecommunications Act 1984

1

Manager Extension: 56702 Further Guidance/Information Name: Femi Famodile Job title: Information Security & Risk Manager Extension: 56702

Internet Usage And Monitoring Policy Version 3 February 2014

2

CONTENTS Paragraph

Title

1. 2. 3. 4. 5. 6. 7. 8. 9. 10.

4 4 5 5 6 8 14 16 16 17

Appendix (1)

Introduction Executive Summary Policy Statement Definitions (including Glossary as needed) Roles and Responsibilities Policy and/or Procedural Requirements Training, Implementation and Resources Impact Assessments Monitoring Matrix Relevant Legislation, National Guidance and Associated NUH Documents Equality Impact Assessment

Appendix (2)

Environmental Impact Assessment

21

Appendix (3)

Here For You Assessment

23

Appendix (4)

Certification Of Employee Awareness

25

Internet Usage And Monitoring Policy Version 3 February 2014

Page

18

3

1.0

Introduction

1.1

Internet access is provided primarily to support the Trust’s business activities and its workforce to meet its business objectives. The Trust takes seriously its responsibility for ensuring the confidentiality, integrity and availability of information and information systems provided over the Internet and used for its business purposes.

2.0

Executive Summary

2.1

The wide range of information and other material available over the Internet raises concerns about the security and appropriateness of access to certain web content and the implications for NUH and its staff as inappropriate use of the Internet can cause problems ranging from minor distractions up to and including legal claims being made against staff and/or the Trust if a national or international law is violated. Do…. Be aware of who you are allowed to share information with and how it is shared Report any information security incident/breaches including malicious websites and phishing emails to ICT Behave in a responsible manner when using the Trust’s Internet systems. Don’t…. Ignore, turn off or bypass any information security controls put in place or recommended by the Trust Download or install software from the Internet Automatically expect privacy when using the Trust Internet systems

Internet Usage And Monitoring Policy Version 3 February 2014

4

for personal matters.

3.0

Policy Statement

3.1

The trust will lawfully monitor and report Internet use and investigate suspected policy breaches or unlawful behaviour ensuring that;  Internet access is justified and cost effective  There is established and documented good practice in place for the distribution of information through the Internet  The confidentiality and security of Trust information is not compromised  Where limited and reasonable, personal use of the Internet is permitted, as long as such access complies with NUH policy

4.0

Definitions

4.1

The Internet is a general term that covers access to numerous computers and computer systems worldwide that are accessed electronically. Such systems include the World Wide Web (WWW), email, File Transfer Protocol (FTP), newsgroups, Gopher, etc. N3 (the NHS network) NUH intranet (nuhweb) is the Trust’s internal intranet system used to access information. Junk-mail or spam messages - refers to unsolicited commercial web mail, jokes, chain letters or advertisements.

5.0 5.1

Roles and Responsibilities Committees

Internet Usage And Monitoring Policy Version 3 February 2014

5

5.1.1 Information Governance (IG) Committee The IG Committee is responsible for ensuring that this policy is implemented, including any supporting guidance and training deemed necessary to support its implementation. The committee will ensure that the standards and requirements for information and acceptable internet are understood across the Trust whilst also ensuring that appropriate and effective mechanisms are in place for the identification, reporting and mitigation of risks relating to internet use to ensure the highest level of safety and security for all staff and Trust systems. The IG Committee reports to Directors Group (Quality).

5.2

Individual Officers

5.2.1 The Director of ICT Services/SIRO is responsible for ensuring that comprehensive audit tools are in place which enforce the policy and monitor Internet usage. The Senior Information Risk Officer (SIRO) will authorise audits investigating any Serious Incidents Requiring Investigation with support from the IG Manager and Information Security & Risk Manager. 5.2.2 Department/Line Managers are responsible for enforcing this policy within their work areas, reporting any breach of this policy using the Trust’s incident reporting procedures and conducting appropriate disciplinary investigations where breaches occur. 5.2.3 The Information Security & Risk Manager is responsible for periodically monitoring Internet use to ensure compliance with this policy and to assist HR in any disciplinary investigations regarding Internet use. 5.2.4 The IG Manager will authorise audit requests on behalf of the SIRO as required and take general responsibility for ensuring that Information Governance related policies & procedures are in place, appropriate and adhered to. 5.2.5 All staff including volunteers, those holding honorary contracts, contractors working on behalf of the Trust, Board of Governors and Internet Usage And Monitoring Policy Version 3 February 2014

6

Non-Executive Directors who are authorised to use the Internet for the purposes of their job roles must adhere to this policy.

6.0

Policy and/or Procedural Requirements

Internet Usage And Monitoring Policy Version 3 February 2014

7

6.1

Where the policy refers to “staff” or “user” this means all members of staff employed by the Trust, any person carrying out work activities on Trust occupied premises who are not directly employed by the Trust e.g. students, work placements or volunteers, or any person providing a service to the Trust under contract.

Internet access is provided primarily to use for the Trust’s business to develop the skills and knowledge of its workforce to the benefit of its business objectives. The Trust considers the Internet as an important means of communication and recognises the importance of proper Internet content and speedy replies in conveying a professional image and delivering good customer service. Acceptable Internet Usage Use of the Internet by staff is permitted and encouraged where such use is suitable for business purposes and supports the goals and 6.1.1 objectives of the Trust. The Internet is to be used in a manner that is consistent with the Trust’s standards of business conduct and as part of the normal execution of an employee's job responsibility i.e. to communicate with other NHS/Health organisations, to research relevant topics and obtain useful healthcare-related information. Whilst reasonable personal use of the Internet is permitted, staff should be aware that the Trust monitors the use of the network and is legally entitled to do so in accordance with the Lawful Business Practice Regulations 2000 and the Trust reserves the right to withdraw personal use of Trust network resources. Reasonable personal use is defined as use that is not in work time, is not excessive and does not interfere with the users’ ability to complete their work. Also, any personal use should be such that it does not interfere with the performance of the IT systems or staff duties and is not for personal financial gain. If staff are in any doubt about what constitutes acceptable and appropriate use, they should seek the advice and guidance of their Line Manager. Staff should not assume privacy in their use of the Trust’s systems, even when accessing the systems in their personal time, i.e. out of working hours; however the Trust will recognise staff’s privacy and will not intentionally access information considered to be, or marked “personal” or “private” but reserves the right to do so if there are: Internet Usage And Monitoring Policy Version 3 February 2014

8

• Credible grounds to suspect that they may reveal evidence of any unlawful activity, including instances where there may be a breach of Trust policy constituting gross misconduct • Where there is reason to suspect a file that contains harmful material such as a computer worm or virus, or • Where the law requires it, or any other reason as outlined in section 6.1.2. Unacceptable Internet Usage While the Trust’s Content Filtering software1 will block certain categories of sites from being accessed2, the software is not fool proof, as some perfectly innocent sites may be blocked, and as new 6.1.2 sites appear every day, inappropriate sites may not be blocked. If staff accidentally access material which they feel may be considered to be of an offensive nature or otherwise unacceptable to access, they should note the time and website address and exit from the site and then inform the ICT Services Helpdesk. The activities below constitute unacceptable use of the Trust’s Internet. • Staff must not access, transmit or download: - Any offensive, obscene or indecent images, data or other material - Any data capable of being transformed into obscene or indecent images or material. This includes obscene language, pornography, hostile material relating to gender, sex, race, sexual orientation, religious, political convictions, disability or information that would cause or promote incitement of hatred, violence or any other intimidatory material that is designed or could be used to cause offence, annoyance, inconvenience, needless anxiety or which would contravene any Filtering also helps to ensure that damaging code or viruses do not enter the Trust’s network or systems. The ICT Services Helpdesk should be informed if any suspicion of virus infection arises. 2 Staff should contact the ICT Services Helpdesk on Ext: 69000 if access to a blocked site is required for business use. 1

Internet Usage And Monitoring Policy Version 3 February 2014

9

Trust policy, in particular equal opportunities or harassment, or break any law. • Staff must not display any kind of sexually explicit image or document on any Trust system (other than for properly authorised or lawful research). In addition, sexually explicit material may not be archived, stored, distributed, edited or recorded using NUH network or computing resources. • Staff must not create, download or transmit (other than for properly authorised and lawful research) any defamatory, sexist, racist, offensive or otherwise unlawful images, data or other material. • Staff must not, under any circumstances, use interactive chat applications (e.g. MSN) this includes all web-based interfaces for Instant Messaging applications. • Staff must not use the Trust’s Internet and computing facilities to violate the laws and regulations of the United Kingdom or any other nation in any material way. Use of any Trust resources for such illegal activity is grounds for disciplinary action and the Trust may be required to report such activity as well as cooperate with legitimate law enforcement agencies. • Staff must not use Trust Internet and computing facilities to knowingly conduct downloads or uploads which may have adverse implications for the Trust, including the; - Download or distribution of pirated software or copyright data, documents, images, videos etc.; any software must be properly licensed and/or registered and must only be used within the terms of its license. - Use of the Trust’s Internet facilities to download entertainment software or games, or to play games against opponents over the Internet. - Upload of any software licensed to the Trust or data owned or licensed by the Trust without proper authorisation. - Propagation of any virus, worm, Trojan horse, trap-door or other malicious program code for the purpose of corrupting or destroying other user’s data or hardware. Internet Usage And Monitoring Policy Version 3 February 2014

10

- Creation or transmission of “junk-mail” or “spam” messages. - Download/streaming of video or audio material for entertainment (non- work related) purposes. • Staff must not use the Trust’s Internet facilities to disable, defeat or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of any Trust IT security facilities as well as any activity that would risk bringing the Trust into disrepute or place the Trust in a position of liability. • Staff must not reveal confidential Trust information or data (i.e. personal, sensitive or business critical) and any other material covered by existing Trust policies and procedures on the Internet.3 • Staff must not share user IDs or passwords obtained for access to Internet sites. Staff are reminded that they are solely responsible for any Internet activity conducted under their individual username and password and must not, under any circumstances let another person know or use their password to gain access to any part of the Trust’s systems. If you wish to access Internet facilities and find that a previous user has left their session open/logged in - do not use this session - you must logout and begin your own session. • Staff must not use the Internet to conduct private or freelance business for the purpose of commercial gain including passing trade secrets to a competitor or supplier. All of the above includes internet access from VPN or via remote access to the Trusts network. (N.B. This list is not exhaustive) Only those staff who are authorised to give media statements may write or present views on the Internet on behalf of the Trust. Non ICT Services staff that have been granted ‘admin rights’ should seek appropriate advice from ICT Services technical colleagues before downloading and installing any software from the internet. System Monitoring and Compliance 3

See the Data Protection, Confidentiality and Disclosures Policy

Internet Usage And Monitoring Policy Version 3 February 2014

11

The Trust will monitor all user activity on the Internet and the use of monitoring products is subject to strict procedures by ICT Services staff. Information recorded as part of this automated monitoring process includes user identification, domain names of websites visited, duration of visits, and non-business files downloaded from 6.1.3 the Internet. Staff should be aware that this monitoring may reveal sensitive data about them, for example visits to websites which detail the activities of a particular political party or religious group might indicate the political opinion or religious belief of that staff member, or self-help or health advice sites might identify a physical or mental health condition. By carrying out such activities using the Trust’s Internet access facilities, staff consent to the Trust processing any sensitive personal data about them that may be revealed through monitoring. Staff who do not consent must take responsibility for the maintenance of their own personal privacy by not using the Trust systems to access this type of information. Where a breach is identified, the Trust reserves the right to take disciplinary action, which may lead to a termination of contract and/or legal action; the Trust also reserves the right to block or limit personal access further, where the capacity of the network Internet connection to cope with business traffic is compromised by personal use. The following will apply where monitoring of user access is requested;  Monitoring undertaken during an investigation will be the minimum necessary to prove or disprove misuse of Internet facilities and is likely to concentrate on positively identifying the PC involved by close analysis of the dynamic allocation of addresses processed  Monitoring will be for a specified period of time only. Monitoring requests may be renewed at the end of the period providing they are still justifiable  Results of the monitoring process could be used as evidence in disciplinary hearings or evidence in criminal or civil judicial processes  Any serious misuse found will be reported to the Director of ICT Services or the nominated deputy for the case. Internet Usage And Monitoring Policy Version 3 February 2014

12

Disciplinary action may be taken which could include dismissal in case of gross misconduct Monitoring reports show (in raw text format):  Summary of the greatest use by username, bytes transferred, date and time  Summary of the most highly accessed external hosts (site receiving the most hits from our network)  Access requests denied by the blocker, username, date and time from and to  Pages visited by each username, date and time, from and to  The same information is collected for FTP activity Reports and logs are archived monthly and held for two years and then destroyed. Investigation and Audit of Inappropriate Access The Trust reserves the right to investigate, taking all necessary measures, any usage which impacts on the effectiveness or efficiency of the network. Any inappropriate use of the Trust’s Internet detected, either incidentally during routine monitoring or through audit activities, will 6.1.4 be reported to the relevant Trust Director (nominated deputy or HR Manager), who will be responsible for co-ordinating an appropriate and proportional response and, if necessary, instigating action under the Trust’s disciplinary and conduct procedures. Where there are credible grounds to suspect misuse, ICT services will conduct an audit into the user’s activity. An audit request will be made to the IG team and logged to the ICT Services Helpdesk. Requests for audits into a member of staff’s Internet activity must be made by either a line manager, senior directorate manager or HR manager; and in all cases audit requests will be authorised by the Director of ICT Services (or nominated deputy i.e. the Information Governance Manager or the Information Security & Risk Manager). Suspicious or unacceptable user activity brought to light during Internet Usage And Monitoring Policy Version 3 February 2014

13

routine maintenance or housekeeping procedures, or by user report, will be brought to the attention of the Director for ICT Services (or a nominated deputy) who may authorise further steps be taken. Where the Trust is in receipt of a Data Protection Subject Access request or Freedom of Information request requiring the Trust to search the system or specific accounts within the system, then such searches will take place in order to allow the Trust to meet its legal obligations, subject to a request from the Director for ICT Services or a nominated deputy. Such access requests may refer to both personal and business related Internet activity and may result in disclosure of such information where this is not in breach of the data protection principles.

7.0

Training and Implementation

7.1

Training No training required.

7.2

Implementation All staff with access to the Trust’s network and the internet are required at login to agree to comply with the Trusts policies governing the use of its ICT equipment, data and network.

Internet Usage And Monitoring Policy Version 3 February 2014

14

The Trust’s internet monitoring tools will be used to investigate any non-compliance and restrict access to preapproved and relevant sites and material. 7.3

Resources No additional resources are required.

8.0

Trust Impact Assessments

8.1

Equality Impact Assessment “An equality impact assessment has been undertaken on this draft and has not indicated that any additional considerations are necessary.”

8.2

Environmental Impact Assessment “An environmental impact assessment has been undertaken on this draft and has not indicated that any additional considerations are necessary.”

8.3

Here For You Assessment “A Here For You assessment has been undertaken on this document and has not indicated that any additional considerations are necessary.”

Internet Usage And Monitoring Policy Version 3 February 2014

15

9.0

Policy / Procedure Monitoring Matrix

Minimum requirement to be monitored

Responsible individual/ group/ committee

Process for monitoring e.g. audit

Undertake monitoring of internet access for inappropriate content IG toolkit evidence (for req. 323)

ICT services technical support team

Monitoring of Daily web content monitoring management and monitoring tools

Information Security & Risk Manager

Information Security & Risk Manager

Evidence collection against national standard

IG Committee

Internet Usage And Monitoring Policy Version 3 February 2014

Frequency of monitoring

Annually

Responsible individual/ group/ committee for review of results

Responsible individual/ group/ committee for development of action plan Information Governance Committee

Responsible individual/ group/ committee for monitoring of action plan

Information Security & Risk Manager

IG Committee

IG Committee

16

10.0

Relevant Legislation, National Guidance and Associated NUH Documents

10.1

Legislation  Data Protection Act 1998  Electronic Communications Act 2000  Telecommunications Act 1984 National Guidance  ISO/IEC 27001:2005  ISO/IEC 27002:2005 BS 7799-1:2005 Information Security Management: NHS Code of Practice Associated NUH Documents(with NUH referencing)  Information Security & Risk Policy  Information Governance Policy  Email Policy  Information Security Guidelines

Internet Usage And Monitoring Policy Version 3 February 2014

17

APPENDIX 1 Equality Impact Assessment (EQIA) Form (Please complete all sections) Q1. Date of Assessment:31st October 2013 Q2. For the policy and its implementation answer the questions a – c below against each characteristic (if relevant consider breaking the policy or implementation down into areas) a) Using data and supporting b) What is already in place in c) Please state any Protected information, what issues, the policy or its barriers that still need to Characteristic needs or barriers could the implementation to address be addressed and any protected characteristic any inequalities or barriers to proposed actions to groups experience? i.e. are access including under eliminate inequality there any known health representation at clinics, inequality or access issues to screening consider? The area of policy or its implementation being assessed: Race and Ethnicity Gender

None

Not applicable

Not applicable

None

Not applicable

Not applicable

Age

None

Not applicable

Not applicable

Religion

None

Not applicable

Disability

None

Not applicable Not applicable

Sexuality

None

Not applicable

Internet Usage And Monitoring Policy Version 3 February 2014

Not applicable Not applicable 18

Pregnancy and Maternity Gender Reassignment Marriage and Civil Partnership Socio-Economic Factors (i.e. living in a poorer neighbour hood / social deprivation)

None

Not applicable

Not applicable

None

Not applicable

Not applicable

None

Not applicable

Not applicable

None

Not applicable

Not applicable

Area of service/strategy/function Q3. What consultation with protected characteristic groups inc. patient groups have you carried out? Not applicable Q4. What data or information did you use in support of this EQIA? Not applicable Q.5 As far as you are aware are there any Human Rights issues be taken into account such as arising from surveys, questionnaires, comments, concerns, complaints or compliments? Not applicable Q.6 What future actions needed to be undertaken to meet the needs and overcome barriers of the groups identified or to create confidence that the policy and its implementation is not discriminating against any groups? Internet Usage And Monitoring Policy Version 3 February 2014

19

Not applicable What

Q7. Review date

Internet Usage And Monitoring Policy Version 3 February 2014

By Whom

By When

Resources required

October 2016

20

Environmental Impact Assessment APPENDIX 2 The purpose of an environmental impact assessment is to identify the environmental impact of policies, assess the significance of the consequences and, if required, reduce and mitigate the effect by either, a) amend the policy b) implement mitigating actions. Area of impact

Environmental Risk/Impacts to consider For each question, state (at the end) ‘yes’, ‘no’, or ‘not applicable’. If any result in a ‘yes’ answer , the necessary remedial action should then be stated in the next column. One remedial action may be that the draft policy was amended accordingly.

Waste and  Is the policy encouraging using more materials/supplies? materials  Is the policy likely to increase the waste produced?  Does the policy fail to utilise opportunities for introduction/replacement of materials that can be recycled? Soil/Land  Is the policy likely to promote the use of substances dangerous to the land if released (e.g. lubricants, liquid chemicals)  Does the policy fail to consider the need to provide adequate containment for these substances? (e.g. bunded containers, etc.) Water  Is the policy likely to result in an increase of water usage? (estimate quantities)  Is the policy likely to result in water being polluted? (e.g. dangerous chemicals being introduced in the water) Internet Usage And Monitoring Policy Version 3 February 2014

Action Taken (where necessary)

Not applicable

Not applicable

Not applicable

21

Air

Energy Nuisances

 Does the policy fail to include a mitigating procedure? (e.g. modify procedure to prevent water from being polluted; polluted water containment for adequate disposal)  Is the policy likely to result in the introduction of procedures and equipment with resulting emissions to air? (e.g. use of a furnaces; combustion of fuels, emission or particles to the atmosphere, etc.)  Does the policy fail to include a procedure to mitigate the effects?  Does the policy fail to require compliance with the limits of emission imposed by the relevant regulations?  Does the policy result in an increase in energy consumption levels in the Trust? (estimate quantities)  Would the policy result in the creation of nuisances such as noise or odour (for staff, patients, visitors, neighbours and other relevant stakeholders)?

Internet Usage And Monitoring Policy Version 3 February 2014

Not applicable

Not applicable Not applicable

22

APPENDIX 3

We Are Here For You Policy and Trust-wide Procedure Compliance Toolkit The We Are Here For You service standards have been developed together with more than 1,000 staff and patients. They can help us to be more consistent in what we do and say to help people to feel cared for, safe and confident in their treatment. The standards apply to how we behave not only with patients and visitors, but with all of our colleagues too. They apply to all of us, every day, in everything that we do. Therefore, their inclusion in Policies and Trust-wide Procedures is essential to embed them in our organization. Please rate each value from 1 – 3 (1 being not at all, 2 being affected and 3 being very affected) Value 1. Polite and Respectful Whatever our role we are polite, welcoming and positive in the face of adversity, and are always respectful of people’s individuality, privacy and dignity. 2. Communicate and Listen We take the time to listen, asking open questions, to hear what people say; and keep people informed of what’s happening; providing smooth handovers. 3. Helpful and Kind All of us keep our ‘eyes open’ for (and don’t ‘avoid’) people who need help; we take ownership of delivering the help and can be relied on. 4. Vigilant (patients are safe) Every one of us is vigilant across all aspects of safety, practices hand hygiene & demonstrates Internet Usage And Monitoring Policy Version 3 February 2014

Score (13) 2

1

1

1

23

attention to detail for a clean and tidy environment everywhere. 5. On Stage (patients feel safe) We imagine anywhere that patients could see or hear us as a ‘stage’. Whenever we are ‘on stage’ we look and behave professionally, acting as an ambassador for the Trust, so patients, families and carers feel safe, and are never unduly worried. 6. Speak Up (patients stay safe) We are confident to speak up if colleagues don’t meet these standards, we are appreciative when they do, and are open to ‘positive challenge’ by colleagues 7. Informative We involve people as partners in their own care, helping them to be clear about their condition, choices, care plan and how they might feel. We answer their questions without jargon. We do the same when delivering services to colleagues. 8. Timely We appreciate that other people’s time is valuable, and offer a responsive service, to keep waiting to a minimum, with convenient appointments, helping patients get better quicker and spend only appropriate time in hospital. 9. Compassionate We understand the important role that patients’ and family’s feelings play in helping them feel better. We are considerate of patients’ pain, and compassionate, gentle and reassuring with patients and colleagues. 10. Accountable Take responsibility for our own actions and results 11. Best Use of Time and Resources Simplify processes and eliminate waste, while improving quality 12. Improve Our best gets better. Working in teams to innovate and to solve patient frustrations TOTAL Internet Usage And Monitoring Policy Version 3 February 2014

1

1

1

1

1

2 1 1 14 24

APPENDIX 4 CERTIFICATION OF EMPLOYEE AWARENESS Document Title Internet Usage & Monitoring Policy Version (number) 3 Version (date) 7 February 2014 I hereby certify that I have:  Identified (by reference to the document control sheet of the above policy/ procedure) the staff groups within my area of responsibility to whom this policy / procedure applies.  Made arrangements to ensure that such members of staff have the opportunity to be aware of the existence of this document and have the means to access, read and understand it. Signature Print name Date Directorate/ Department The manager completing this certification should retain it for audit and/or other purposes for a period of six years (even if subsequent versions of the document are implemented). The suggested level of certification is;  Clinical directorates - general manager  Non clinical directorates - deputy director or equivalent. The manager may, at their discretion, also require that subordinate levels of their directorate / department utilize this form in a similar way, but this would always be an additional (not replacement) action.

Internet Usage And Monitoring Policy Version 3 February 2014

25