INTERNET USAGE AND MONITORING POLICY

Documentation Control

Reference / GG/INF/010
Date Approved / 23 October 2007
Approving Body / DIRECTORS’ GROUP
Implementation Date / October 2007
Version / 1
Supersedes / N/A
Consultation Undertaken / INFORMATION GOVERNANCE COMMITTEE
Target Audience / ALL MEMBERS OF STAFF AND USERS OF TRUST IT SYSTEMS
Supporting Procedure(s) / INFORMATION SECURITY AND DATA PROTECTION POLICY AND PROCEDURES
Review Date / SEPTEMBER 2010
Lead Executive / DIRECTOR OF ICT SERVICES
Author/Lead Manager / SPECIALIST ADVISER (CALDICOTT & DATA PROTECTION)
Further Guidance/Information / ICT SERVICES HELPDESK, EXT: 69000

CONTENTS

Paragraph / Title
1. / Policy Statement
2. / Policy
3. / Monitoring Of Internet Activity
4. / Training And Awareness
5. / Breaches Of Policy
6. / Equality And Diversity Statement
7. / Review
8. / Contacts
9. / Appendix 1 – Internet Monitoring September 2003
10. / Appendix 2 – Employee Record Of Having Read The Policy

1. Policy Statement

1.1 This policy sets out the Trust’s rules that all staff must follow when using the Internet, which includes usage of both the World Wide Web (www) and the internal intranet systems (nuhweb).

1.2 This policy also applies to personal use of the Trust’s E-mail (Outlook) system. However, additional confidentiality and liability conditions apply to e-mails. See the Trust’s E-mail Policy[1] for further information.

1.3 This policy also explains what the Trust may do as an employer to lawfully monitor and report use of the system and investigate suspected policy breaches or unlawful behaviour.

1.4 This policy applies to any person who uses the Trust’s IT facilities to access the Internet and E-mail. Where the policy refers to “staff” or “user” this means all members of staff employed by the Trust, any person carrying out work activities on Trust occupied premises who is not directly employed by the Trust e.g. students, work placements or volunteers, or any person providing a service to the Trust under contract.

1.5 Internet access is provided primarily to use for the Trust’s business to develop the skills and knowledge of its workforce to the benefit of its business objectives. A certain amount of limited and responsible personal use is also permitted.

1.6 The wide range of information available and the nature of the Internet raises concerns about security, integrity, confidentiality, monitoring and proper conduct. Inappropriate use of the Internet can cause problems ranging from minor distractions up to and including legal claims being made against an individual member of staff or user and/or against the Trust if a national or international law is violated.

1.7 This policy seeks to clarify these issues by setting out terms of acceptable use so as to avoid ambiguity and protect the Trust and its staff.

1.8 The Trust expects all users to behave in a responsible manner when using the systems and to comply with this policy.

1.9 This policy should be read in conjunction with the Trust’s Disciplinary Policy and Procedure[2], in particular sections 4.5.7 and 4.5.13. Any failure to adhere to this policy could lead to disciplinary action being taken. Certain issues are so serious that even the first breach may be classed as gross misconduct and would normally result in dismissal without notice. In certain circumstances it could also lead to prosecution.

1.10 Staff are solely responsible for any Internet activity conducted under their individual username and password and must not, under any circumstances, let another person either know or use their password to gain access to any part of the Trust’s systems.

1.11 Data Protection Statement

The Trust will monitor all user activity on the Internet at network level for the purposes specified in Section 3. Information recorded as part of this automated monitoring process includes user identification, domain names of websites visited, duration of visits, and non-business files downloaded from the Internet. Staff must be made aware that this monitoring may reveal sensitive data about them. For example, visits to websites which detail the activities of a particular political party or religious group might indicate the political opinion or religious belief of that staff member, and visits to self-help or health advice sites might identify a physical or mental health condition. By carrying out such activities using the Trust’s Internet access facilities, staff consent to the Trust processing any sensitive personal data about them that may be revealed through monitoring.

Staff who do not consent must take responsibility for the maintenance of their own personal privacy by not using the Trust systems to access this type of information.

2. Policy

2.1 Internet access is provided primarily to use for the Trust’s business. Limited and responsible personal use is permitted, but not for personal financial gain, upon the condition that it is done in accordance with this policy and in non-paid working hours so that it does not interfere with the performance of the IT systems or staff duties. Staff must consult with their line manager to confirm the local arrangements for “limited personal use”.

2.2 This policy refers to all user activity on the Internet, whether accessed via a PC, a shared departmental computer system or Internet café facilities provided by the Trust. It should be read in conjunction with the Information Security and Data Protection Policy and E-mail Policy[3].

2.3 All users must be aware that the use of the Internet is also regulated by legislation.

2.4 The Trust monitors all user activity on the Internet at network level for the purposes specified in Section 3. Individuals can be identified from the information recorded. Staff must not assume privacy in their use of the Trust’s systems, even when accessing the systems in their personal time, i.e. out of working hours (See 1.10).

2.5 Staff must not access, transmit or download:

  • Any offensive, obscene or indecent images, data or other material
  • Any data capable of being transformed into obscene or indecent images or material

2.6 This includes obscene language, pornography, hostile material relating to gender, sex, race, sexual orientation, religious, political convictions, disability or information that would cause or promote incitement of hatred, violence or any other intimidatory material that is designed or could be used to cause offence, annoyance, inconvenience, needless anxiety or which would contravene any Trust policy, in particular equal opportunities or harassment, or break any law.

2.7 In addition to the above, the Internet may not be accessed and used for any of the following:

  • Any activity that infringes copyright
  • Transmission of unsolicited commercial or advertising material
  • Deliberate unauthorised access to facilities or services accessible via the Internet
  • Corrupting or destroying another user’s data
  • Any activity that would violate the privacy of others
  • Any activity that would risk bringing the organisation into disrepute or place the Trust in a position of liability
  • Causing damage or disruption to organisational systems
  • Any activity that would violate the laws and regulations of the UK
  • Any secondary paid employment or voluntary services
  • Running a personal business

2.8 Staff must not, under any circumstances, use interactive chat applications (e.g. MSN),

2.9 Staff using bulletin boards or newsgroups may not post material of a nature outlined in paragraph 2.5 – 2.7 above.

2.10 Only those officers who are authorised to give media statements may write or present views on the Internet on behalf of the Trust.

2.11 Information downloaded for personal use must be held on a “C” drive, NOT on the secure network servers “H” drive as this will affect the capacity and performance of the Trust’s systems (See 2.15 and 2.16). Any data held for personal use is the user’s own responsibility and will not be backed up or otherwise supported by ICT Services.

2.12 Staff must not use Trust resources e.g. disks, USBs, paper, printer cartridges to download and copy or print information for their own personal use.

2.13 Downloading and installation of software from the Internet is not permitted, even if there are no “licence user” implications, unless prior permission is given from ICT Services.

2.14 Downloading of programme, sound, picture or any other files where copyright will be infringed is not permitted.

2.15 The Trust reserves the right to investigate, taking all necessary measures, any usage which impacts on the effectiveness or efficiency of the network.

2.16 All information and documents accessed by or stored on the Trust computer or attached peripherals may be subject to inspection, disclosure or removal by the Trust.

2.17 The Trust will recognise staff’s privacy and will not intentionally access information considered to be, or marked, “personal” or “private”, but reserves the right to do so if there are:

  • Credible grounds to suspect that they may reveal evidence of any unlawful activity, including instances where there may be a breach of Trust policy constituting gross misconduct
  • Where there is reason to suspect a file that contains harmful material such as a computer worm or virus, or
  • Where the law requires it

2.18 The Trust reserves the right to block or limit personal access further, where the capacity of the network Internet connection to cope with business traffic is compromised by personal use.

2.19 The Trust reserves the right to instruct staff to remove information held for personal use if found to be occupying space on the network servers.

2.20 In addition, some categories of site may be blocked, so as to prevent accidental access. Staff should contact the ICT Services Helpdesk on ext: 69000 if access to a blocked site is required for business use.

2.21 If an employee accidentally accesses material which they feel may be considered to be of an offensive nature or otherwise unacceptable to access, they should note the time and website address and exit from the site and then inform the ICT Services Helpdesk.

2.22 Although the Trust has anti-virus defences in place, great care should be taken when using the Internet. The ICT Services Helpdesk should be informed if any suspicion of virus infection arises.

3. Monitoring Of Internet Activity

3.1 Monitoring software is in use for back-up purposes and to protect the security and integrity of Trust systems.

3.2 This software is also used to prevent Internet misuse, for example, by blocking access to inappropriate sites or materials by using filtering software.

3.3 Information recorded by the automated monitoring systems can be used to identify an individual user and show, for example, a website or document that a user has been viewing and the time spent browsing.

3.4 Because of this, staff must not assume privacy in their use of the Trust’s systems, even when accessing the systems in their personal time i.e. out of paid working hours.

3.5 ICT Services and the Trust’s Internal Audit providers undertake periodic monitoring of Internet activity for specific business purposes.

The purpose and extent of monitoring is detailed in Appendix 1 of this policy.

3.6 An ICT nominated manager will undertake regular review of the Internet activity logs to monitor system performance.

3.7 ICT Services and the Trust’s Internal Audit provider will undertake reviews at the specific request of management or of the Audit Committee. This may include review of usage and investigation of incidents and will be managed in accordance with local Trust procedures.

3.8 The Trust also reserves the right to carry out detailed inspection of any IT equipment without notice, where inappropriate activity is suspected.

3.9 Any inappropriate use of the Trust’s Internet detected, either incidentally during routine monitoring or through audit activities, will be reported to the relevant Trust Director (or nominated deputy), who will be responsible for co-ordinating an appropriate and proportional response and, if necessary, instigating action under the Trust’s disciplinary and conduct procedures.

3.10 ICT Services will also conduct an investigation into user(s) activity if authorised to do so by a senior manager from the employee’s Directorate, who has credible grounds to suspect misuse and authority to instigate the level of disciplinary action that might follow (See Appendix 1).

3.11 Where the Trust is in receipt of a Data Protection Subject Access request or Freedom of Information request requiring the Trust to search the system or specific accounts within the system, then such searches will take place in order to allow the Trust to meet its legal obligations, subject to a request from the Director for ICT Services or a nominated deputy. Such access requests may refer to both personal and business related Internet activity and may result in disclosure of such information where this is not in breach of the data protection principles.

4. Training And Awareness

4.1 The Trust will raise awareness of this policy and related issues through staff induction procedures, staff newsletters and by posting the policy onto the Trust Policy and Procedures Board.

4.2 Directorate and Line Managers are responsible for ensuring all staff are aware of, and adhere to, this policy.

4.3 ICT Services Communications team and the corporate Communications Team will ensure Trust-wide communication of the policy.

5. Breaches Of Policy

5.1 Any breaches of this policy will be investigated thoroughly. Examples of breaches of policy, which could be regarded as misconduct to be handled through the Trust’s disciplinary and conduct procedures, are as follows:

  • Accessing or downloading material of the type outlined in paragraph 2.5, 2.6 or 2.7
  • Unreported accidental access of inappropriate sites in paragraph 2.21
  • Downloading or distribution of copyright material in paragraph 2.14
  • Levels of personal use of systems resulting in interference with performance of duties
  • Any activity that would compromise the security and integrity of the Trust’s systems
  • Any activity that would compromise the reputation or liability of the Trust
  • Any illegal activity

(N.B. This list is not exhaustive)

6. Equality And Diversity Statement

6.1 The Trust is committed to ensuring that it treats its employees fairly, equitably and reasonably and that it does not discriminate against individuals or groups on the basis of their ethnic origin, physical or mental abilities, gender, age, religious beliefs or sexual orientation.

7. Review

7.1 This policy will be reviewed annually by the Information Governance Committee on behalf of the Trust, in conjunction with Human Resources, and in consultation with Staff Side.

8. Contacts

8.1 ICT Services Helpdesk’s extension number is 69000 (0115 924 9924).

Appendix 1

INTERNET MONITORING

1. Summary

1.1 This appendix details the procedures associated with the monitoring of Internet use within NUH, and addresses the needs of workers to be informed of such procedures, and of the implications for their use of these facilities.

2. Staffing Implications

2.1 All users of Internet facilities are subject to the Trust’s policies in this area. Staff complying with the policies should not be adversely affected by the procedures outlined in this document.

3. Introduction

3.1 General Information

  • The Trust’s Internet Usage and Monitoring Policy, of which this document is an Appendix, indicates that usage of these facilities may be logged and monitored by ICT Services and by internal and external auditors
  • The monitoring or recording of communications by the Trust is authorised under the “Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000” which came into force on the 24th October 2000 under the Regulation of Investigatory Powers Act 2000 (RIPA)
  • Employer requirements concerning these regulations are further clarified in Part 3 of the Information Commissioner’s “Monitoring at Work” guidance, which the Trust embraces
  • The trade union interpretation of the Information Commissioner’s advice can be found at the TUC’s website and this advice is likewise embraced by the Trust
  • This document clarifies the procedures under which the monitoring of Internet use may take place

3.2 The Trust’s Monitoring Policy

Monitoring, filtering and other products have been, or will be, introduced onto the network. These are being used to enable:

  • Identification of inappropriate use of the NUH Internet systems in accordance with Trust policy and, in particular to reduce the risks to patient care
  • Maintenance of network integrity and the Trust’s capability of fulfilling its business function by, for example:
      - preventing the introduction of viruses
      - preserving adequate server disk space
      - ensuring acceptable levels of network traffic

3.3 Consequently, monitoring:

  • Reduces the risks to the availability, confidentiality, integrity of Trust information and systems
  • Helps protect the Trust from litigation and compromise of its reputation, and to prevent or detect crime or serious breaches of Trust corporate standards
  • Provides some assurance from the ICT service provider to the Trust regarding the security of the network
  • Provides independent assurance by subsequent review of monitoring activities and of ICT Services procedures by Auditors

3.4 Use of monitoring products is subject to strict procedures. In particular, the detailed monitoring of any individual user’s disk space or Internet usage will only be permitted if authorised by the Director for ICT Services (or nominated deputy) in accordance with the procedures outlined in Section 3 of the Internet Usage and Monitoring Policy.

3.5 Suspicious or unacceptable user activity brought to light during routine maintenance or housekeeping procedures, or by user report, will be brought to the attention of the Director for ICT Services (or a nominated deputy) who may authorise further steps be taken in accordance with the procedures outlined in Section 3 of the Internet Usage and Monitoring Policy.

4. The NUH Monitoring Products

ICT Services use a variety of standard products to enable it to maintain a stable and secure networking environment for its computer users. These products include software and hardware for virus protection and for keeping network traffic levels and server disk usage under regular scrutiny. Filtering products are also in place and, more recently, the automated logs recorded by the firewall have been harnessed to enable analysis of Internet usage. These are described in detail below:

4.1 Web Filtering And Logging

A firewall is a security device, which controls and logs activity to foreign networks, in this case, the NHS Network. Logging is essential for security and performance monitoring purposes. Logs are used to confirm that the firewall is configured correctly, to check performance, identify intrusions, and to provide some assurance against inappropriate user activity. Firewall monitoring activity is automated.

In order to protect staff from accidental access to inappropriate sites, access is blocked by type (setting criteria such as violence, gambling, sex, terrorism) using filtering software called Websense. The Websense database is not foolproof, as some perfectly innocent sites may be blocked, and as new sites appear every day, inappropriate sites may not be blocked. Users are still under a personal obligation to comply with policy regardless of any filtering that takes place.