PORTABLE COMPUTING AND MOBILE WORKING POLICY

Version / 5
Name of responsible (ratifying) committee / Information Governance Steering Group
Date ratified / 25 January 2017
Document Manager (job title) / Head of IT
Date issued / 08 February 2017
Review date / 07 February 2019
Electronic location / Management Policies
Related Procedural Documents / IT Security Policy; E-Mail Usage Policy; Internet & Internet Based Services Usage Policy; Mobile Phones & Devices Policy; Confidentiality Code of Conduct; Data Protection Policy; Photographic Imaging, Consent & Confidentiality Policy; Safety Learning Event & Near Misses Management Policy; Disciplinary Policy; IT Guidelines - Use of Portable Equipment & Mobile Working Solutions
Key Words (to aid with searching) / Portable devices, mobile working, portable computing, personal devices, portable equipment, smart phones, tablet, laptop, memory stick, USB devices, removable media, information assets, sensitive information, confidential information, identifiable personal information, mobiles, mobile phone, electronic media, fax, CD, DVD, texting, SMS, hard disk drive, HDD, cloud file sharing, cloud storage, cloud backup, cloud services, cameras, video recording devices, Dictaphones, remote access, hand held devices

Version Tracking

Version / Date Ratified / Brief Summary of Changes / Author
5 / 25.01.2017 / Minor updates to remove ambiguity and improve clarity / MSF
4 / 05.01.2015 / Minor updates of authorisation processes / MSF
3 / 13.11.2013 / Full re-write of Policy / MSF
2 / 01.06.2011 / - / IPHIS


CONTENTS

1. INTRODUCTION

2. PURPOSE

3. SCOPE

4. DEFINITIONS

5. POLICY REQUIREMENTS

6. DUTIES AND RESPONSIBILITIES

7. PROCESSES

7.1 Authorisation of use of Trust Equipment & Mobile Working Solutions

7.2 Safe Working Practices for Users

7.3 Action in case of Theft, Loss, Damage, Unauthorised Use or Access

7.4 Inappropriate use of Trust Equipment & Mobile Working Solutions

7.5 Change of Ownership, Return & Reuse of Trust Equipment

8. TRAINING REQUIREMENTS

9. REFERENCES AND ASSOCIATED DOCUMENTATION

10. EQUALITY IMPACT STATEMENT

11. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS

Appendix 1 – Portable Equipment & Mobile Working Authorisation Form


QUICK REFERENCE GUIDE

For quick reference the guide below is a summary of actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy.

1.  Trust Equipment is issued and access to Mobile Working Solutions is granted where a justified and authorised requirement in meeting business or operational needs of the Trust exists.

2.  Managers and staff shall comply with the authorisation processes outlined within this and the Mobile Phone & Devices Policy. Trust Equipment will not be provided, or accesses granted, by the IT Department until appropriate authorisation has been received.

3.  Only solutions approved by the Trust shall be used to transport and access its Information Assets outside of the Trust’s premises.

4.  Use of Personal Devices and Personal Computing Resources shall be limited to the confines detailed in this policy. Sensitive Information shall not be stored by individuals on either Personal Devices or Personal Computing Resources.

5.  All staff using Trust Equipment and Mobile Working Solutions shall comply with relevant Trust policies and infection control practices, NHS best practice guidance concerning requirements for access to information and the most current version of IT Guidelines published by the IT Department.

6.  Users of Trust Equipment assume responsibility for physical security of the equipment and information accessed or held upon it. They are expected to ensure adequate protection of such equipment against theft, loss, damage, unauthorised access or malicious attack.

7.  Managers shall inform the IT Department Service Desk promptly of changes to ownership of Trust Equipment.

8.  Surplus, redundant and obsolete Trust Equipment shall be returned to the IT Department.

9.  Failure to comply with the requirements of this policy or inappropriate use of resources controlled by this policy is a serious matter and may result in rights to use Trust Equipment and Mobile Working Solutions being withdrawn, disciplinary action or prosecution under UK law.

1. INTRODUCTION

This policy supports the Trust’s overall information security management framework and has been produced, particularly, to set policy and define processes to be employed with the use of portable computing and mobile working technology.

The Trust aims to take advantage of the many benefits offered by such technologies to improve communications and access to data. Portable devices and mobile working solutions are a valuable tool in the delivery and improvement of patient care but present unique and specific risks through their unapproved or unsafe use. It is the policy of the Trust to protect and maintain user safety, security and privacy, whilst also protecting its own Information Assets.

All users of Trust Equipment and Mobile Working Solutions and Trust Information Assets outside of its premises shall comply with this policy.

2. PURPOSE

The purpose of this policy is to define, and make clear to all users, the accepted practices and responsibilities associated with mobile working technologies and portable equipment used for business and operational purposes of the Trust, including (but not limited to) situations outside of the boundaries of the Trust’s premises and in public areas.

The aims of this policy are to:

2.1 Set out the processes for authorising and using Trust Equipment and Mobile Working Solutions to access its information and IT resources.

2.2 Define responsibilities and requirements to meet the Trust’s legislative obligations; provide for physical security of equipment and confidentiality of data; and set standards and practices in provision, maintenance and use of the Trust’s own network, systems, equipment and information.

2.3 Mitigate risk of loss, misuse or unauthorised access to the Trust’s Information Assets arising from the use of Trust Equipment and Mobile Working Solutions.

3. SCOPE

This policy applies:

3.1 To all users (including employees, voluntary & bank workers, contractors, agency & sub-contract staff, locums, suppliers and customers) granted use of Trust Equipment and access to its Mobile Working Solutions.

3.2 All Information Assets of the Trust. That is to say, all information associated with Trust business that is created, processed, stored or transmitted in the course of its operations. This includes, but is not limited to:

i.  data stored on mobile and portable devices, or other electronic media (such as flash drives, memory sticks, disk or tape); or

ii.  that is transmitted across networks (including fax); or

iii.  printed or written on paper; or

iv.  directly communicated via telephone.

3.3 The access, use and processing of Trust Information Assets outside the boundaries of the Trust’s premises.

3.4 Personal Devices and Personal Computing Resources that are used to connect to the Trust’s Mobile Working Solutions.

3.5 In the event of an outbreak of infection, flu pandemic or major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document. In such circumstances, staff should take advice from their manager and all possible action must be taken to maintain ongoing patient and staff safety.

4. DEFINITIONS

4.1 Information Assets means information in digital or hard copy forms that is printed, written, electronically stored or transmitted. It may include, but is not limited to, computerised records, patient health reports, administrative information and images. It may exist as letters, reports, photographs or slides, or be stored on fixed or portable digital media (including servers, PCs, laptops, tablets, CD, DVD or Blu-ray, removable memory sticks). It may be electronically transmitted by e-mail, text or other message types.

4.2 Mobile Working Solutions means the varying technologies that the Trust provides to allow remote access to the Trust’s network and use of its IT resources. This includes access gained when working from locations outside of the Trust’s premises as well as that gained via Personal Devices and Trust Devices when working within the Trust’s premises.

4.3 Personal Computing Resources means equipment, software and services other than Personal Devices, owned or used by individuals, with the capability to process, store or transmit information independently. This includes, but is not limited to, broadband services, external hard-disk drives, removable memory sticks and cards, other devices with flash memory storage, cloud file sharing, storage and backup services (including applications on smart devices).

4.4 Personal Devices means any device, owned by an individual, with the capability to process, store or transmit information independently. This includes, but is not limited to, mobile phones, smartphones, tablets, PCs, laptops and cameras.

4.5 Sensitive Information means identifiable personal information and confidential, sensitive and critical information of the Trust.

4.6 The Manager means the line manager of a member of staff or other relevant senior member of staff.

4.7 Trust Devices means devices owned, controlled or provided by the Trust that have the capability to process, store or transmit information independently. This includes, but is not limited to, mobile phones, smartphones, tablets, laptops, hand held devices, Dictaphones, cameras and other video recording devices.

4.8 Trust Equipment means portable and removable equipment and material owned, controlled or provided by the Trust for the purposes of processing, storing, transmitting or transporting information. This includes Trust Devices as well as electronic removable media (memory sticks, CDs, DVDs, Blu-ray, tapes and similar).

5. POLICY REQUIREMENTS

5.1 An Information Asset Owner (IAO), who is responsible for management and control of Trust Equipment and the Trust’s Mobile Working Solutions, will be assigned by the IT Department.

5.2 Risks associated with use of portable equipment and mobile working technologies shall be considered and mitigated where possible. Risk levels must be proportionate to benefits realised, and where risks cannot be reduced to acceptable levels they shall be escalated to the Trust’s Risk Assurance Committee / Senior Information Risk Owner (SIRO) as appropriate.

5.3 Trust Equipment remains the property of the Trust and shall only be issued where there is a justified and authorised requirement in meeting business or operational needs of the Trust. It shall be configured by the IT Department in accordance with defined standards that are appropriate to its use and which take account of NHS requirements, standards, recommendations and guidelines for such devices and Information Security Management.

5.4 Allocation of Trust Equipment and access to its Mobile Working Solutions shall be controlled by authorisation and asset management processes. It is an express condition that where users are granted access to, and use of, these resources, they shall assume responsibility for the physical security of equipment and information accessed or held upon it. At all times they shall comply with the Trust’s associated IT Guidelines and current safe working practices, including infection control policy and those associated with access and use.

5.5 Personal Devices and Personal Computing Resources shall only be used in conjunction with Mobile Working Solutions for Trust related work. It is an unequivocal condition that users agree that Trust software and information accessed by a Personal Device or via Personal Computing Resources is the property of the Trust, and the Trust may take whatever action it decides necessary to maintain or remove such software or information from a user’s Personal Device/Computing Resources. When accessing Mobile Working Solutions via Personal Devices, or Personal Computing Resources, users shall comply with the requirements of the Trust’s current IT Guidelines in association with the configuration, set-up and use of their own devices and computing resources.

5.6 Trust Equipment and Information Assets shall be protected against theft, loss, damage, unauthorised access and malicious attack. The degree of protection to be provided shall be proportionate to the situation and risk faced.

5.7 NHS requirements and standards for encryption shall be applied in all instances where Sensitive Information is, or may be, stored on portable equipment.

5.8 Users shall comply with Trust policies and NHS best practice guidance concerning the requirement for access to information; in particular that information should be shared only on a ‘need to know’ basis. Storage of Sensitive Information on Trust Equipment shall be kept to the necessary minimum (in respect to both content and duration).

5.9 Sensitive Information shall not be stored by individuals on Personal Devices or Personal Computing Resources.

5.10 Data on Trust Devices shall be regularly backed up to the Trust’s file storage systems. It shall be the responsibility of users to ensure that equipment assigned to them is regularly connected to the Trust’s network to ensure that backups are made.

5.11 The disposal & destruction of Trust Equipment used for storing or transporting Information Assets shall be managed securely and follow prescribed procedures determined by the IT Department. Trust Equipment that is no longer required shall be returned to the IT Department for reuse or safe disposal.

5.12 Potential and actual security breaches associated with Trust Equipment, the use of Information Assets and Mobile Working Solutions shall be reported and investigated in accordance with the Trust’s incident reporting procedures.

6. DUTIES AND RESPONSIBILITIES

6.1 Senior Information Risk Officer (SIRO)

The SIRO is responsible for:

·  The Trust’s information risk assessment process and information management.

·  Overseeing adherence to this procedure to the satisfaction of the Trust.

·  Ensuring documentation and appropriate action is taken where non-compliance with this policy or a need for improvement is identified.

6.2 Caldicott Guardian

The Caldicott Guardian has responsibility for monitoring controls and procedures governing the safe and confidential transfer of patient identifiable information across the Trust; including the use of Trust Devices and Mobile Working Solutions that remotely access, or enable access to, patient data.

6.3 Information Governance Group

The Information Governance Group is responsible for ensuring that this policy is:

·  In accordance with information governance requirements.

·  Implemented and understood across the Trust.

6.4 Information Asset Owners

Information Asset Owners are responsible for understanding and addressing risks to their assigned information assets; including the use of Trust Devices and Mobile Working Solutions in conjunction with their own information assets.