Electronic Remote Working Policy
May 2016 – May 2019
CONTROL RECORD
Reference Number / IG 004
Version / 1.1
Status / Final
Author / Head of Information Governance
Sponsor / Director of Corporate Development
Amendments / Section 12 - Interaction with other CCG policies:
- Added reference to Network Security Policy
- Added reference to Access to Patient Information and Use of Smart Card Policy
- Added reference to Secure Transfer of Information/Safe Haven Policy
- References to the Company Secretary have been amended to Director of Corporate Development
- Inserted access statement
Purpose / To ensure that remote access to the CCG’s electronic information systems is authorised, resilient, secure and confidential, in line with the organisation’s business needs and statutory requirements.
Audience / All CCG employees, appointees, temporary staff, contractors/agency staff, consultants, students and other individuals working on behalf of the CCG.
Consulted with / Risk and Performance Committee members; Senior Information Risk Owner; Equality Outcome Assessment
Approving Body / Risk and Performance Committee
Date approved / May 2016
Date of issue / May 2016
Review Date / May 2019
NCCCG policies can be made available on request in a range of languages, large print, Braille, audio, electronic and other accessible formats from the CCG Communications Team at .
Contents
Section / Title / Page
1 / Introduction / 4
2 / Purpose / 4
3 / Scope / 4
4 / Definitions / 5
5 / Remote Access Authorisation / 6
6 / Authorised Mobile and Removable Storage Devices / 7
7 / Use of Personal/Staff-owned Devices / 8
8 / User Responsibilities for the Security of Mobile Devices / 8
9 / User Responsibility for the Security of Information / 9
10 / Remote Working and Smartcard Access / 10
11 / Reporting Security Incidents and Weaknesses / 11
12 / Interaction with Other Policies and Procedures / 11
13 / Duties and Responsibilities / 12
14 / Staff Training / 12
15 / Equality and Diversity Statement / 12
16 / Monitoring and Review / 13
17 / References / 13
Appendix A - Application for Remote Access Form / 14
1. Introduction
1.1. Critical business processes often rely on easy and reliable access to organisational information systems. Remote access to CCG systems and information by staff is an important way of working away from the CCG and can be undertaken using mobile devices.
For the purposes of this policy, ‘remote access’ refers to the use of mobile devices beyond the CCG’s premises to access the organisation’s network and information that are usually accessed from within the CCG. For further information see the ‘Definitions’ section below.
1.2. This policy has been developed to ensure that those with a business requirement to access the organisation’s systems remotely, or to use mobile devices in a standalone mode, do so securely and without introducing unacceptable threats to the processing of information or to the networked system.
2. Purpose
2.1. The purpose of this policy is to:
- Provide effective controls to ensure that remote access by CCG staff to the organisation’s electronic information and information systems is authorised, resilient, secure, and confidential, in line with the organisation’s business requirements.
- Ensure the remote processing of CCG information is operated in accordance with statutory requirements and all relevant guidance.
- Ensure that any risks associated with a remote access service are recognised, assessed and managed.
3. Scope
3.1. This policy applies to all CCG staff* granted remote access to the CCG’s IT network via mobile devices for processing and/or storing digital information.
*For the purpose of this and all other information governance policies, the term ‘CCG staff’ refers to CCG employees, appointees, temporary staff, contractors/agency staff, consultants, students and other individuals working on behalf of the CCG.
Failure by any member of CCG staff to adhere to this policy and all appropriate supporting guidance may be considered as gross misconduct and may result in disciplinary action.
4. Definitions
Backup: the activity of copying documents, files or databases so that they will be preserved in case of equipment failure or other system failure or disaster. The retrieval of backup files is called restoring.
Mobile Devices: includes any device that can process and/or store data, images and other information, such as laptops, tablets, iPads, Blackberries, SmartPhones and Personal Digital Assistants (PDAs). It also includes digital audio and visual recording/playback devices and digital cameras.
Personal Confidential Data (PCD): this term describes personal information about identified or identifiable individuals, which should be kept private or secret. For the purposes of this policy ‘personal’ includes the Data Protection Act definition of personal data, but it is adapted to include deceased as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act. PCD includes data that on its own, or in combination with another piece of data, can identify an individual. This may be factual, such as name*, address, date of birth or NHS number, but also includes information offered as an opinion, such as a manager’s opinion of an employee as the result of a performance appraisal.
*This excludes the names of staff, their job role and work location, but does apply to their personal data such as home address, date of birth, financial and HR information.
Removable Storage Devices: devices capable of storing digital data, images and other information that require another device to access them. The term usually refers to mass storage devices, such as (but not exclusively) memory sticks, portable hard drives, memory cards, CDs and DVDs.
NHIS: Nottinghamshire Health Informatics Service, the provider of IT services and telecoms to the CCG.
Remote Access: technology connecting users in geographically dispersed locations to organisation-owned systems. Remote access is typically over a wireless/GPRS/4G and broadband connection using a VPN token, although it can include Wide Area Network connections.
SmartPhones: a mobile phone that allows users to store information, use email and install programs.
Token: an electronic password generation device, which is used to enable remote access to the network and specific systems. This device works through dedicated software installed on any machine.
User: any person authorised to access CCG IT systems and networks remotely.
Virtual Private Network (VPN): these systems use encryption and other security mechanisms to ensure that only authorised users can access the network externally and that the data cannot be intercepted.
Wide Area Network (WAN): a computer network that spans a relatively large geographical area and typically consists of two or more local-area networks (LANs). Computers connected to a wide-area network are often connected through public networks, such as the telephone system. The largest WAN in existence is the Internet.
Encryption: the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing the key. The result of the process is encrypted information, and within the NHS the appropriate encryption standard is AES 256 bit. Password protection is not a form of encryption.
5. Remote Access Authorisation
5.1. For a member of staff to obtain authorised and secure remote access to the CCG’s network and be issued with the required mobile device, their relevant Assistant Director or Senior Manager must submit a request to the Director of Corporate Development/Head of Information Governance by completing the Application for Remote Access Form (Appendix A).
5.2. Each application must include reasonable justification for the user to have remote access.
5.3. The requesting manager and the user must be aware that any additional equipment, circuits or line installations to support remote access, and all recurrent costs of line rental, maintenance etc. for mobile phones, must be provided from departmental budgets.
5.4. All CCG-owned mobile devices are registered with NHIS following procurement and initial distribution.
5.5. Any need to transfer a device from the authorised user to another member of staff should be discussed in advance with the Director of Corporate Development/Head of Information Governance, and the appropriate section of the form in Appendix A completed.
5.6. Technical problems or queries regarding remote access or mobile devices should be addressed to the NHIS Service Desk, which is open Monday to Friday 8.30am to 5pm.
6. Authorised Mobile and Removable Storage Devices
6.1. Mobile devices issued by the CCG include laptops, iPads, memory sticks, VPN tokens and mobile phones.
6.2. VPN tokens must only be used on CCG-issued laptops, as the use of home computers to access the organisation’s network is not allowed.
6.3. The Director of Corporate Development/Head of Information Governance maintains a log of all mobile devices issued.
6.4. All mobile devices issued will have appropriate and approved encryption and anti-virus software, together with password/PIN control, installed by NHIS.
6.5. Any requirement for an unencrypted device must be requested from and approved by the Director of Corporate Development/Head of Information Governance.
6.6. Personal confidential data must not be stored on an unencrypted device (NB: password protection is not a method of encryption and must not be relied upon as such).
6.7. The CCG is responsible for the safety testing and annual portable equipment testing of CCG mobile devices. Authorised users are responsible for ensuring that these checks are undertaken.
6.8. Users must return all mobile devices to the Director of Corporate Development/Head of Information Governance when remote access is no longer required, or when leaving the organisation. All data on returned devices should be deleted or archived.
6.9. In the event of a major incident, the organisation may recall all remote access equipment to provide core services.
7. Use of Personal/Staff-Owned Devices
7.1. The CCG acknowledges that there are benefits from staff using their own mobile devices, known as ‘Bring Your Own Device’ (BYOD), for CCG business purposes, and that some staff may wish to do so. However, as sufficient network and other controls are not yet in place, the assessed risks of BYOD currently outweigh the perceived benefits. Therefore, it is CCG policy that staff must not use their own mobile devices for any work-related activities, and such devices must not be connected to CCG-owned IT equipment.
7.2. Individual requests for prospective use of staff-owned devices for specific purposes must be referred to the Director of Corporate Development/Head of Information Governance for consideration. Where such a request is granted, a personal device must not be used until the appropriate encryption/security controls have been put in place by NHIS and user controls agreed with the Director of Corporate Development/Head of Information Governance.
7.3. Staff who use their own computer or mobile device for processing CCG information without authorisation are contravening this policy and may be liable to disciplinary procedures.
7.4. The organisation does not accept any responsibility for any software or hardware failure resulting from unauthorised use of staff-owned computers or mobile devices for CCG business.
8. User Responsibilities for the Security of Mobile Devices
8.1. All mobile devices should be held and transported securely, should not be left unattended (e.g. in vehicles), and should be locked away when not in use.
8.2. All devices should be used in a clean and secure environment.
8.3. Password control must be adhered to on all mobile devices. Where users of mobile devices have changed their network password, they should connect (dock) their device to the network to update the network password on the device and avoid loss of access.
8.4. All relevant devices must be regularly docked to the network to ensure that virus protection and encryption software is up to date.
8.5. Stolen or lost equipment must be reported as soon as possible to the NHIS Service Desk and the Head of Information Governance, and the organisation’s incident reporting procedures invoked.
8.6. Users must not install any unauthorised or unlicensed software on any CCG device.
8.7. CCG-owned devices should not be used for non-business-related or personal purposes.
9. User Responsibility for the Security of Information
9.1. CCG data should only be remotely accessed, held and processed on equipment supplied or authorised by the CCG.
9.2. Users are responsible for ensuring that unauthorised individuals are not able to see or access the CCG’s systems. Password-protected screensavers should be used on relevant devices.
9.3. The use of mobile devices in a public area should be kept to an absolute minimum, due to the risk of information being viewed and the theft of equipment.
9.4. Staff must ensure that CCG devices and information accessed at home are secure from theft and damage and cannot be accessed by family members, friends or any other unauthorised user.
9.5. Any security incident resulting from using a mobile device off CCG premises will require the authorised user to explain their actions and the efforts made to protect the device and information.
9.6. No mobile device should be used to store, transfer or process personal confidential data (PCD) except in exceptional circumstances, where approval has been sought from the Caldicott Guardian via the Director of Corporate Development/Head of Information Governance and the processing is undertaken in full compliance with the relevant sections of the CCG’s Data Protection and Confidentiality Policy.
9.7. Personal confidential data files should have additional protection against unauthorised access (for example an additional password).
9.8. Data should not be held on a mobile device for longer than it is required and should be deleted or archived promptly.
9.9. Emails containing personal confidential data and other confidential information must not be sent to or from personal email accounts.
All CCG-related email communications from remote devices should comply with the relevant sections of the organisation’s Internet and Electronic Mail Use Policy.
9.10. Information held on mobile devices must be backed up regularly.
9.11. Where possible, data should not be stored on the C: drive of relevant devices. If saving to a personal or shared network drive is not an immediate option, the data should be moved there as soon as possible.
10. Remote Working and Smartcard Access
10.1. Gaining access to National Programme for IT (NPfIT) programmes (such as SystmOne and Choose and Book) via remote access also requires Smartcard sign-in.
10.2. Users wishing to gain access to these systems will need to have a Smartcard reader and software installed on their remote computer.
10.3. Remote access to these systems should be authorised by the Head of Department or Service. The NHIS Service Desk will provide advice on installing the Smartcard reader and software.
10.4. All Smartcard policies and procedures must be followed when using Smartcard access for remote working; this includes the Policy for Access to Patient and Staff Information Using Smart Cards.
11. Reporting Security Incidents and Weaknesses
11.1. Staff are responsible for mobile devices and all data held on them. In the event of loss, theft or any data security incident associated with remote working, users must inform their Line Manager, the Head of Information Governance and the IT Service Desk immediately and follow the organisation’s incident reporting processes.
12. Interaction with Other CCG Policies and Procedures
12.1. This policy should be read in conjunction with the relevant sections of the following CCG policies and procedures:
- Information Security Policy
- Network Security Policy
- Confidentiality and Data Protection Policy
- Internet and Electronic Mail Use Policy
- Records Management Policy
- Encrypted USB Memory Stick User Guidance
- Confidentiality – requirements of staff Code of Conduct and contract of employment
- Policy for Access to Patient and Staff Information Using Smart Cards
- Secure Transfer of Information/Safe Haven Procedures
13. Duties and Responsibilities
13.1. Chief Officer
The Chief Officer is responsible for ensuring that the organisation complies with the statutory and good practice requirements governing electronic remote working outlined in this policy and is supported by the delegated management responsibilities outlined below.
13.2. Director of Corporate Development/Head of Information Governance
These roles will oversee the day-to-day implementation of this policy.
13.3. All Managers
All managers are responsible for ensuring that their staff receive relevant training, guidance and support to understand and adhere to this policy and all appropriate supporting guidance.
13.4. All Staff
All CCG staff must ensure that they are aware of their responsibilities for complying with electronic remote working requirements in accordance with this policy and supporting guidance.
All staff with remote access and/or use of mobile devices must safeguard the CCG’s equipment and information and report immediately any associated security incidents.
14. Staff Training
14.1. It is mandatory for all new CCG staff to undertake the online or classroom-based information governance training relevant to their post as part of their induction process.
14.2. It is mandatory for all CCG staff to complete the online or classroom-based information governance refresher training every twelve months.
14.3. Staff must inform their Line Manager if they do not understand any aspect of this policy and/or require further associated training.
14.4. Any specific training needs identified to ensure compliance with this policy should be referred to the Director of Corporate Development.
15. Equality and Diversity Statement
15.1. The organisation is committed to ensuring that it treats everyone fairly, equitably and reasonably and that it does not discriminate against individuals or groups on the basis of their age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion and belief, sex or sexual orientation.
15.2. If you have any concerns or issues with the content of this policy or have difficulty understanding how this policy relates to you and/or your role, please contact the Director of Corporate Development/Head of Information Governance.
16. Monitoring and Review
16.1. The Director of Corporate Development/Head of Information Governance is responsible for monitoring overall compliance with this policy, supported by assurances obtained from the Information Governance Toolkit self-assessment submissions and reports on routine monitoring of the use of the internet and email system from NHIS.