E-MAIL USAGE POLICY
Version / 7
Name of responsible (ratifying) committee / Information Governance Steering Group
Date ratified / 03 May 2017
Document Manager (job title) / Head of IT
Date issued / 17 July 2017
Review date / 16 July 2019
Electronic location / Management Policies
Related Procedural Documents / IT Security Policy
Confidentiality: Staff Code of Conduct
Data Protection Policy
Safety Learning Event & Near Misses Policy
Information Governance Policy
Information Risk Policy
Records Management Policy (Non-Clinical Records)
Records Retention & Disposal Policy
Safe Haven Policy
Disciplinary Policy
IT Guidelines - Using E-Mail
IT Guidelines - Use of Portable Equipment & Mobile Working Solutions
IT Guidelines - Using Photographs With Personal Address Book Profiles
Key Words (to aid with searching) / e-mail, personal e-mail, Information assets, sensitive information, confidential information, identifiable personal information, formal communication, written communication, retention, NHSmail, webmail, unacceptable use, inappropriate use, offensive or illegal material, PID, patient communication
Version Tracking
Version / Date Ratified / Brief Summary of Changes / Author
7 / May 2017 / Minor corrections & clarifications / MSF
6 / May 2015 / Inclusion of conditions for using e-mail for patient communication & general review of policy / MSF
5 / January 2014 / Full re-write of Policy / MSF
CONTENTS
QUICK REFERENCE GUIDE
1. INTRODUCTION
2. PURPOSE
3. SCOPE
4. DEFINITIONS
5. POLICY REQUIREMENTS
6. DUTIES AND RESPONSIBILITIES
7. PROCESSES
7.1 Access to Trust E-Mail Systems
7.2 Unacceptable Use of E-Mail
7.3 Unacceptable Personal Use of the Trust’s E-Mail Systems
7.4 Safe Working Practices for Users
7.5 Patient Communication via E-Mail
7.6 Action in case of Receipt of Illegal, Inappropriate or Unacceptable E-Mail
7.7 Inappropriate use of Trust E-Mail Systems
7.8 Cessation of E-Mail Accounts
8. TRAINING REQUIREMENTS
9. REFERENCES AND ASSOCIATED DOCUMENTATION
10. EQUALITY IMPACT STATEMENT
11. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS
EQUALITY IMPACT SCREENING TOOL
QUICK REFERENCE GUIDE
For quick reference the guide below is a summary of actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy.
1. Members of staff are encouraged to consider their appropriate use of e-mail, remembering that it may not always be the best way to communicate and that, when it is used, it is considered and treated as a formal means of written communication.
2. The Trust’s e-mail systems are business communication tools and members of staff must use them responsibly, effectively and lawfully.
3. Reasonable use of the Trust’s e-mail systems for personal purposes is permitted, subject to the agreements and conditions laid out in this policy.
4. Users of e-mail must be fully aware of the unacceptable use conditions defined in this policy and comply at all times with these requirements.
5. Users of e-mail must comply with Trust policies, practices and standards and NHS best practice guidance concerning requirements for access to information. Sensitive Information must not be sent by e-mail unless it is protected to the necessary standards.
6. Sensitive Information must not be sent or intentionally received via personal e-mail addresses.
7. Provided that the conditions and processes within this policy are met, e-mail may be used for correspondence with patients once written consent has been obtained.
8. E-Mail accounts shall not be used for continuing storage of e-mail (and its attachments) that is required for the Trust’s future business or operations. Such correspondence and information must be stored in appropriate records systems and subject to relevant retention and disposal policies.
9. To allow for retrieval of necessary material, e-mail accounts identified as no longer required will be retained for six months before being permanently deleted.
10. Failure to comply with the requirements of this policy or inappropriate use of resources controlled by this policy is a serious matter and may result in rights to use Trust e-mail being withdrawn, disciplinary action or prosecution under UK law.
1. INTRODUCTION
This policy supports the Trust’s overall information security management framework and has been produced, particularly, to set policy and define processes to be employed in the use and management of the Trust’s e-mail systems.
E-mail is an established method for day-to-day communication within, between and beyond NHS organisations and can be of great benefit when used appropriately. It has considerable potential to support the management and delivery of services by the Trust and for communicating with partner organisations and stakeholders. However, if it is inappropriately used or misused it also has the potential to introduce serious risks for the Trust, including productivity and security concerns, legal and regulatory compliance and litigation.
Increasingly, patients are asking for e-mail to be used for communication with the Trust; and, whilst the Trust seeks to engage with patients using the most effective and desired methods, it remains obliged to ensure that adequate safeguards are maintained to preserve patient privacy.
The e-mail systems of the Trust are provided primarily to support and deliver the business of the Trust. However, within reasonable limitations, the constraints of this policy and the discretion of line managers, they are also available for general use by members of staff.
Members of staff are encouraged to consider their appropriate use of e-mail, in particular remembering that:
· E-mail may not always be the best way to communicate.
· Volume of e-mail messages can be prohibitive to effective communication.
· Although, by its nature, e-mail may seem less formal than other forms of written communication, the same laws apply.
· It is easy for e-mails to be forwarded without the knowledge or consent of the originator.
· If e-mail is used, care must be taken over its drafting bearing in mind that it remains a published and formal written communication.
· Retention and storage of e-mail needs to be dealt with in the same way as other forms of written communication.
All users of Trust e-mail systems shall comply with this policy.
2. PURPOSE
The purpose of this policy is to ensure, in a safe and secure way that complies with law and the best interests of the Trust, that effective and appropriate use of e-mail is made by the Trust and its staff.
In particular this policy aims to:
2.1 Set out the rules that govern sending, receiving and storing of e-mail, including acceptable and unacceptable use of the Trust’s e-mail systems.
2.2 Reduce and avoid security threats through the promotion of awareness and dissemination of good practice.
2.3 Preserve confidentiality of the Trust’s Sensitive Information and protect its assets against unauthorised disclosure.
2.4 Encourage effective use of Trust resources.
3. SCOPE
3.1 This policy applies:
· To all users (including employees, voluntary & bank workers, contractors, agency & sub-contract staff, locums, partner organisations, suppliers and customers) of e-mail for business and operational purposes of the Trust.
· To the use of Trust e-mail accounts and NHSmail (NHS.net) e-mail accounts.
· To the use of personal e-mail (webmail) accounts accessed via the Trust’s network and systems.
· To the use of non-NHS and personal e-mail addresses for communicating Trust business by all users.
3.2 In the event of an outbreak of infection, flu pandemic or major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document. In such circumstances, staff should take advice from their manager and all possible action must be taken to maintain ongoing patient and staff safety.
4. DEFINITIONS
4.1 Sensitive Information means:
· Identifiable patient and personal information
· Commercially confidential and sensitive information
· Confidential, sensitive and critical information of the Trust.
4.2 The/Your Manager means the line manager of a member of staff or other relevant senior member of staff.
5. POLICY REQUIREMENTS
5.1 An Information Asset Owner (IAO), who is responsible for management and control of Trust e-mail systems, will be assigned by the IT Department.
5.2 Risks associated with use of e-mail shall be considered and mitigated where possible. Risk levels must be proportionate to benefits realised, and where risks cannot be reduced to acceptable levels they shall be escalated to the Trust’s Risk Assurance Committee / Senior Information Risk Owner (SIRO) as appropriate.
5.3 The Trust’s e-mail systems are business communication tools and users are obliged to use them responsibly, effectively and lawfully. Although by its nature e-mail seems less formal than other written communication, the same laws apply. Therefore, it is essential that members of staff make themselves aware of the legal risks associated with the use of e-mail.
5.4 All e-mail accounts maintained in the Trust’s e-mail systems, and the contents contained within them, are and remain the property of the Trust. The Trust reserves the right to monitor the content of all e-mails.
5.5 Where there is legitimate cause the Trust reserves the right, without warning or permission from the user, to retain message content as required to meet disciplinary, legal and statutory obligations.
5.6 The Trust allows reasonable use of its e-mail systems for personal purposes on the condition that such use does not interfere with work, is previously agreed with Your Manager and that staff members adhere to this policy, related policies, regulations and the Trust’s current safe working practices.
5.7 Users of e-mail for Trust business purposes and the Trust’s e-mail systems shall comply with Trust policies, IT Guidelines and NHS best practice guidance concerning the requirement for access to information; in particular that information should be shared only on a ‘need to know’ basis.
5.8 Patient information shall only be sent via the Trust’s approved encrypted e-mail solutions; unless a patient has expressly consented otherwise, in which case the conditions of paragraph 5.9 shall apply. Sensitive Information shall only be sent by approved methods of the Trust. All approved methods of sending information are detailed in the Trust’s IT Guidelines.
5.9 Where patients request that e-mail be used as their preferred means of communication with the Trust, written consent (in the prescribed format) must be obtained before correspondence commences, and the processes and procedures further detailed in this policy must be implemented.
5.10 Personal e-mail addresses, e-mail client software and webmail shall not be used to send or intentionally receive Sensitive Information.
5.11 Use of e-mail for Trust business and operational purposes in public areas of the Trust’s buildings and outside of the Trust’s premises shall be subject to the additional conditions laid out in the Trust’s Portable Computing & Mobile Working and IT Security policies.
5.12 Executable or potentially executable programs (software) received via e-mail shall not be downloaded onto the Trust’s IT equipment without prior authorisation of the IT Department.
5.13 The e-mail systems of the Trust shall not be used for the continuing storage of e-mails (including their attachments) which are required for the purposes of the Trust’s future business and operations. Such correspondence and information shall be stored appropriately within local and corporate records systems and subject to relevant retention and disposal policies.
5.14 E-Mails within the Trust’s systems shall be monitored for viruses and all e-mail traffic, incoming and outgoing, through the Trust’s networks shall be automatically logged.
5.15 Any use of e-mail which appears to be unacceptable in terms of this policy, or which in any other way appears to contravene the Trust’s policies, regulations and standards may give rise to disciplinary action.
5.16 Potential and actual security breaches associated with the use of Trust e-mail systems shall be reported and investigated in accordance with the Trust’s incident reporting procedures.
6. DUTIES AND RESPONSIBILITIES
6.1 Senior Information Risk Owner (SIRO)
The SIRO is responsible for:
· The Trust’s information risk assessment process and information management.
· Overseeing adherence to this procedure to the satisfaction of the Trust.
· Ensuring documentation and appropriate action is taken where non-compliance to this policy or a need for improvement is identified.
6.2 Caldicott Guardian
The Caldicott Guardian has responsibility for monitoring controls and procedures governing the safe and confidential transfer of patient identifiable information across the Trust.
6.3 Information Governance Group
The Information Governance Group is responsible for ensuring that this policy is:
· In accordance with information governance requirements.
· Implemented and understood across the Trust.
6.4 Head of IT
The Head of IT is responsible for:
· Day-to-day management of the procedures related to this policy.
· Authorising Trust e-mail systems for use by the Trust.
· Ensuring this policy is implemented and adhered to by IT Department staff.
6.5 The IT Department
The IT Department and its staff are responsible for:
· Ensuring the continuing availability of Trust e-mail services and their supporting infrastructure.
· Managing the security and integrity of data in Trust e-mail systems through the appropriate deployment of anti-virus, mail content and anti-spam products and quarantine control.
· Managing, administering and maintaining the Trust’s e-mail systems on a day-to-day basis.
· Ensuring the provision of monitoring facilities for Trust e-mail services that ensure compliance with the Trust’s policies and its legal and statutory obligations.
· Providing advice and guidance to users of the Trust’s e-mail systems.
6.6 Managers
Managers are responsible for undertaking duties as outlined in Section 6 of this document, and appropriately ensuring that their permanent and temporary staff and contractors have read and understood this policy. Further that:
· Staff work in compliance with this policy, related processes, guidelines and safe working practices.
· Staff are appropriately trained in use of the Trust’s e-mail systems.
· Personal use of e-mail by staff is in compliance with the requirements of this policy.
· Local procedures for handling patient requests for e-mail to be used for communication are implemented in accordance with this policy, and signed patient e-mail consent forms are stored in local file management systems.