Information Security Access Agreement

Information and Computer Security Agreement for Staff Members

Introductory comments

With the introduction of the New Zealand Health Network and TestSafe to community pharmacy it is important for pharmacies to have a robust set of measures in place to allow them to manage any staff issues surrounding information and computer security. Many pharmacies already have extensive measures in place in their employment contracts and house rules.

This template agreement allows a pharmacy wishing to strengthen their ability to manage information security by clarifying staff members’ responsibilities to maintain computer system security and information confidentiality with minimal effort, by providing a starting point for a new agreement.

To use the document we suggest the following process:

1. Read the template agreement and compare it to your present arrangements.
2. If you decide your present arrangements need upgrading, use this template as the starting point for your new staff agreement to minimise your workload.
3. Work through the template making any changes neededto record the policy you decide is most appropriate for your pharmacy.

Note

When preparing this template it became apparent pharmacy proprietors were divided on the use of private use of the internet and e-mail by staff and both viewpoints have merit.. In consequence this issue is highlighted as needing decision in this way:

Policy Decision needed

Some pharmacy proprietors do not want their staff using the pharmacy’s internet and e-mail facilities for personal use, others consider restricted use acceptable under conditions ………….

The template text permits restricted use in building on the precedent of limited personal use of the phone being allowed in most pharmacies. If the pharmacy’s policy is to prohibit personal internet and e-mail use this paragraph must be altered.

«Insert Pharmacy name»

Information and Computer Security Agreement

Computer System Usage

The Employeemust onlyusethis Pharmacy’s computer equipment for business purposes and in a responsible manner, so that the computer equipment and health and commercial data are not placed at undue risk of loss, damage, or misuse.

The Employee must not connect personal portable USB drives or other portable data storage devices to this Pharmacy’s computer systems (“the System”).

Authorised Software

The Employee must only use software that has been authorised by and properly licensed to «insert Pharmacy name». The Pharmacy Security Officer must approve all software before it is installed. Software installation may only be undertaken by authorised personnel. .If you are uncertain about whether you are authorised to install software you must check with the Pharmacy Security Officer or Pharmacy Manager

Work areas

The Employee must, as far as is conveniently possible, keep their work areas clear of papers and removable storage media to reduce the possibility of unauthorised access, loss or, and damage to information during and outside working hours.

Confidentiality

All staff members must keep all health and commercial information confidential. Health information must only be discussed with the staff member directly responsible for providing care to the patient concerned.

The Employee must only access the System to view or use health or commercial information that is necessary for the performance of their duties. Such information must not be removed, copied or disclosed to other parties except in accordance with «Pharmacy name’s » security policy and the Health Information Privacy Code following authorisation by the Pharmacy Manager or the Pharmacy Security Officer.

Storage Of Data

The Employee must store all health and commercial information on the System’s network servers to ensure appropriate security protection and backup.

Patient information,or commercially sensitive, and confidential employee information obtained from the System mustnot be stored on an unsecured local storage device (such as hard disk, floppy disk, CD/DVD, USB drive or portable computer). Any off-site data storage by a staff member must be at the request of the Pharmacy Manager and under agreed secure conditions.

Passwords and Digital Certificates

The Employeeis responsible for safeguarding the confidentiality of their User ID, any digital certificates they use and passwords. The Employee of individual User IDs or digital certificates must not use another individual’s User ID or digital certificate or disclose their password to any other User.

Users of shared User IDs, digital certificatesand passwordsmust not disclose their password to any individual other staff membersor anyone else outside the workgroup.

The Employeeisresponsible for advising the Pharmacy Security Officer if they suspect that their User ID, individual or shared digital certificate, or password has been compromised or disclosed in any way.

Passwords must not be written down, openly displayed, or stored on or near the User's computer.

The Employee must change their passwords every 90 days. Passwords must comply with the Pharmacy’s Security Policy.

Internet And E-mail Usage

The Employee must not access, possess, transmit or knowingly receive material through the Internet and E-mail, or any other facility associated with this pharmacy, that may be deemed to be offensive, abusive, defamatory or in any way harmful to the pharmacy’sreputation or its relationships with its patients, business partners, or any other persons or organisations the user in their private and business capacities might have contact with. Nothing should be included in an e-mail message that would not be printed on the Pharmacy’s letterhead paper.

The Employee may only send sensitive information in an e-mail or as an e-mail attachment if the information is encrypted. If you are uncertain about this, you must check with the Pharmacy Security Officer.

The Employee must not open e-mail attachments if the e-mail is from anyone other than a trusted source. The Employee must apply suitable caution before opening any attachments from trusted sources.

The Employee must protect the integrity of the System at all times. All connections to other networks including the internet must be through the System’s firewall. The System’s antivirus and antispyware protection must be operating at all times. No software is to be downloaded from the Internet without the prior knowledge and agreement of the Pharmacy Security Officer or Pharmacy Manager.

The Employee must not access the System from computers outside the system unless specifically authorised to do so by the Pharmacy Manager or the Pharmacy Security Officer.

Personal Use

Use of the Internet and Email for personal matters is acceptable provided it is for short durations and kept to a minimum, does not adversely impact the performance or cost of the network, and does not impact the Employee’swork.

Policy Decision needed

Some pharmacy proprietors do not want their staff using the pharmacy’s internet and e-mail facilities for personal use, others consider restricted use acceptable under conditions which minimise the risk of a breach of computer system security and potential impact on productivity.

This component of the template permits restricted use in building on the precedent of limited personal use of the phone being allowed in most pharmacies. If the pharmacy’s policy is to prohibit personal internet and e-mail use this paragraph must be altered.

Monitoring Usage

All messages sent or received via the Email system are subject to inspection, retention, and monitoring by the Pharmacy Manager or the Pharmacy Security Officer.

The Pharmacyreserves the right to inspect, delete, or retain the Employee’s Internet and Email usage, and to block the transmission or receipt of unacceptable content or messages.

Storage Limits

Data storage limits may be set for the Employee or groups

Reporting Problems

The Employee must immediately report to the Pharmacy Security Officer or the Pharmacy Manager any malfunctions, security breaches, or damage to the System or any concerns they have about the security or the function of the System so as to minimise the down-time and possible impact on the Pharmacy.

Compliance Monitoring

Audits for compliance with this agreement may be conducted at any time and without notice.

Acceptance

We both agree you understand the importance of protecting the confidentiality of health and commercial information held by the Pharmacy.

I agree to comply with the terms and conditions of this agreement (and any future amendments as notified from time to time.) I acknowledge that non-compliance may result in action being taken in accordance with the Pharmacy’s disciplinary procedures. Non-compliance may be deemed serious misconduct and any resulting action may include dismissal.

______/___/___ / ______/___/___
«insert staff member’s name» / «insert name» on behalf of
«insert pharmacy name»

Page 1 of 4