MOBILE DEVICE MANAGEMENT POLICY

Transcription

1 MOBILE DEVICE MANAGEMENT POLICY

2 Policy Title: Executive Summary: MOBILE DEVICE MANAGEMENT POLICY To formalise the requirements for all staff when utilising mobile devices (either personal or trust-owned) to ensure that all Trust information is secured. Supersedes: Version 1 Description Amendment(s): of Minor changes, including list of approved devices and roles and responsibilities This policy will impact on: All staff - Clinical practices, administrative practices, employees, corporate decision making. Financial Implications: Policy Area: Corporate Document Reference: Version Number: Version 1 Effective Date: March 2017 Issued By: Director of Corporate Review Date: March 2020 Author: APPROVAL RECORD Affairs & Governance Integrated Governance Manager Impact Assessment Date: March 2017 Committees / Group Consultation: Information Governance & Records Group Approved by Committees: Information Governance & Records Group Date 8/3/2017 8/3/2017 Approved by Director: Director of Corporate Affairs & Governance 8/3/2017 East Cheshire NHS Trust Page 2 of 19

3 Content 1. PURPOSE 4 2. SCOPE 4 3. ROLES AND RESPONSIBILITIES 5 3. GUIDANCE 6 4. REFERENCES AND BIBLIOGRAPHY 8 5. ASSOCIATED DOCUMENTS 9 APPENDIX 1 List of Trust-Owned Approved Devices 10 APPENDIX 2 List of approved Applications to be used in connection with business 11 APPENDIX 3 Trust-Owned Mobile Device Acceptance of Use Declaration - Issue of Mobile Media Agreement 12 APPENDIX 4 Staff-Owned Mobile Device Acceptance of Use Declaration 14 East Cheshire NHS Trust Page 3 of 19

4 1. PURPOSE This document details the requirements for the use of portable mobile devices and removable media by East Cheshire NHS Trust staff, and details the requirements that must be in place for the secure operation of such devices. East Cheshire NHS Trust recognises the advantages in the utilisation of portable devices and other handheld devices provided for staff during the performance of their daily duties. As such, this document provides guidance on the use of such devices within the Trust s environment. It is also recognised that Remote Access is a valuable method for employees to connect to the Trust s network resources, when away from Trust premises. This document covers the use of all portable computing storage devices and remote access by East Cheshire NHS Trust staff, both Trust-owned and Staff-owned devices. This Policy forms part of staff member s contractual obligations and code of conduct. It is accepted that technology may make significant advances during the lifetime of this policy and to this end, Appendix 1 (list of approved devices) and Appendix 2 (list or approved applications) should be consulted as to whether a device or application is approved for use as these lists will be updated on a regular basis when appropriate. This policy ensures that any use of a portable device, mobile communications or remote access working adheres to the following principles: To provide secure access to the Trust s information systems To preserve the integrity, availability and confidentiality of the Trust s information and information systems To manage the risk of serious financial loss, loss of patient and public confidence or other serious business impact which may result from a failure in security. In order to comply with all relevant regulatory and legislative requirements (including Data Protection laws) and to ensure that the organisation is adequately protected under computer misuse legislation. As part of the provision of Information Management and Technology services (IM&T) to staff within the organisation, staff may purchase their own portable computing equipment for use, on an ad hoc basis, on Trust business. As such, it is essential that such devices are covered by appropriate security controls in compliance with Principle 7 of the Data Protection Act 1998 and ISO27001: Code of Practice for Information Security. Note: All mobile media is to be used for corporate information only and NOT for storing or processing clinical information, this with the exception of approved apps only. 2. SCOPE This policy applies to all staff employed by East Cheshire NHS Trust, including bank, agency and locum staff, students, voluntary staff, contractors and trainees on temporary placement, as well as those staff holding honorary contracts. East Cheshire NHS Trust Page 4 of 19

5 3. GUIDANCE 3.1 Portable Devices For the purpose of this document, a Portable Device is defined as any device that may synchronise with another computer, and may be any of the following items: Laptop and notebook computers IPads / Tablets Smart phones including IPhones and any other mobile system that may fall into this category, including Blackberry s Webcams USB memory sticks, (only for temporary storage of information, information to be transferred to secure server as soon as practicable and deleted from USB stick) MP3 players (including ipods), (must not be used at any time for storing personal or commercial information) CD s, DVD s Any other item that may be utilised to store or transport data. This list is not to be considered exhaustive. Any portable device used in connection with the organisation must be encrypted to a minimum of 256bit encryption. There are no exceptions. Further guidance may be obtained from the Information Security Manager in relation to what is defined as a portable media device and encryption. 3.2 Use of own devices The use of staff members own devices is permitted according to the following guidelines: - staff will only be allowed access to the Trust s WiFi network; there will be no access to the Trust s secured drives; - Staff will NOT save/store confidential or patient identifiable information on their personal devices Some requirements specific to staff-owned devices may differ to those contained within this document. This policy concentrates on Trust-owned devices, however where requirements relating to staff-owned devices differ, staff should refer to the section identified within the text. 3.3 Working Procedures All mobile devices issued by the organisation are issued to a named individual only and must not be shared or used by anyone who is not recorded as the asset owner, this for audit purposes and to comply with the Data Protection Act The exception to this requirement will be when a Business Group provides a generic business group device and the information East Cheshire NHS Trust Page 5 of 19

6 security requirements in these instances are the responsibility of the assigned user at any one time. Business Groups are to implement a signing-in/signing-out log which is to be completed each time the device changes hands. Transfer of any device between staff members must only be done via the IT Servicedesk. Transfer of Mobile phones to be done via the Telecommunications manager. All laptops, notebooks, USB Pens, IPads, Blackberrys and other Smartphones must be encrypted. Staffowned devices must have the password facility activated. Use the minimum information necessary removing as much identifying data as possible. Do not copy documents containing personal or commercial data from the organisations servers without express permission of Information Governance Do not allow information to be seen by individuals who do not need to see it. Only use the equipment in a public area if you absolutely have to. 3.4 Asset Management Any business related software applications on mobile media devices must be approved, appropriately licensed and recorded on the Merseyside & Lancashire Commissioning Support Unit IT (MLSCU IT) licence asset register. The MLCSU IT Department will maintain a software application asset list to ensure licensing conditions are not breached. Procurement of additional software for business must adhere to Information Governance procedures, including the potential for a Privacy Impact Assessment to be completed. Mobile devices must not be readily identifiable as belonging to, or associated with East Cheshire NHS Trust. If the device can be associated with the Trust or the NHS, this may increase the impact (e.g. risk) to Trust s reputation in the event of loss or theft. However, all Trust-owned mobile devices must carry asset identification. All ipads should have Airwatch (Mobile device management) installed before they are issued. 3.5 Security Staff are personally responsible for the security of the mobile media device in their possession at all times whether this is on Trust premises, the premises of other organisations, in the car, on public transport or at home and will be liable for any cost resulting from the loss or accidental damage of the device as a result of carelessness. Where a device has been stolen, and on production of a Police Crime Report, the Trust will be liable. Where staff are using their own device, it is the Trust position that where this is the choice/decision of the member of staff concerned, all responsibility and liability for the device in terms of loss/damage will remain with the member of staff. Each device is issued on a personal, individual basis only (with the exception of Business Group generic devices) and mobile devices will be recorded on the Trust s Information Asset Register. Do not leave the equipment unattended unless it is in a secure position. East Cheshire NHS Trust Page 6 of 19

7 Devices can be secured by leaving in a locked drawer within a locked / secure office or by being stored out of sight at home. When transporting the equipment in the car it should be stored correctly and out of site i.e. a mobile media devices such as a laptop should be placed in its case and stored in the locked boot. If possible, the device must be returned to your office for storage before you go home. You must not leave any mobile media device in a vehicle overnight. It must be stored securely in the house or in a locked drawer in a secure office. Do not give anyone the password to your device. Your password must be changed regularly. Never download or install any software to the device. Any requests for software should be forwarded to the CMCSU IT department who will handle such requests where these are deemed necessary. The above requirement relates to Trust-owned devices only. For staff-owned devices, staff are required to ensure that an antivirus programme and firewall is operational and up to date. Make a note of the asset number of each device you are issued with. The Trust s Information Asset Register will record you as the sole person responsible for the device. If your device is lost or stolen you must report it immediately to the Information Security Manager via the IT service desk on and the Information Governance Manager, via the Datix Incident Reporting System, according to the Trust s Incident Reporting Policy (see Section 5). This requirement is applicable to both Trust-owned and Staff-owned devices. 3.6 Passwords/Security Staff must employ whatever security initiatives are available with the device for example utilising the device PIN code and, where supported, Face Recognition. In addition to the individual device security features, each device will require a password to access it (and this requirement applies to staff-owned devices). You are not permitted to give that password to anyone else under any circumstances. Each device has a different protocol for passwords. All staff using Trust-owned devices must choose a unique password utilising the criteria outlined below. Staff using their own mobile devices are strongly advised to follow the criteria for Trust-owned devices. You are advised to change your device password every 6 weeks and in terms of creating your new password, you the following applies: The password must NOT contain the user's account name or parts of the user s full name that exceed two consecutive characters. The password must be at least eight characters in length. East Cheshire NHS Trust Page 7 of 19

8 The password must contain characters from three of the following four categories: 1. Capital letters 2. Lowercase letters 3. Numbers 4. Non-alphabetic characters (e.g.!, $, #, %) NOTE: Device Lockout for USB Pens Trust-purchased encrypted USB Safesticks (the only type acceptable for use on Trust premises) have a lock-out feature if the password is incorrectly entered 10 times the device is locked and the information contained will be deleted. Staff should be aware that should they forget their password, there is no way to retrieve the information. If you have any queries about setting your password or experience any problems, please contact the MLCSU IT Service Desk on Implementation/Compliance Staff given a Trust-owned encrypted mobile device will be required to sign a declaration that they have read, understand and accepted this policy, and the conditions of use before using the device (See Appendix 3). Where a generic Business Group device is provided, all staff having access to the device will be required to sign the declaration. Upon leaving the organisation all mobile media devices must be handed back and signed for by your line manager. Failure to hand the mobile media device back at the end of your employment will be viewed as theft and may result in legal action being taken against you to recover the item. It is the responsibility of the Line Manager to ensure staff within their department are aware of and follow the conditions of use set out within this Policy including the return of mobile media devices upon termination of an employee s contract. Failure to follow these guidelines may lead to disciplinary action and/or legal action being taken again those involved, which could ultimately lead to dismissal and/or criminal proceedings. Staff using their own mobile device will be required to sign the declaration at Appendix REFERENCES AND BIBLIOGRAPHY Information sources that the author has referred to or quoted from shall be referenced as an appendix in the document. This Policy has been written to meet the requirements of: The Computer Misuse Act 1990 The Data Protection Act (DPA) 1998 The Data Protection (Processing of Sensitive Personal Data) Order 2000 The Electronic Communications Act 2000 The Human Rights Act 1998 East Cheshire NHS Trust Page 8 of 19

9 The National Health Service Act 2006 The Privacy and Electronic Communications (EC Directive) Regulations 2003 The Regulation of Investigatory Powers Act 2000 Other obligations placed on NHS organisations The Department of Health Information Governance Toolkit Sir David Nicholson s letter to NHS CEO s dated September 2008 (Gateway ref 10509) ASSOCIATED DOCUMENTS Information Governance Policy Information Security Policy Policy Data Protection & Code of Confidentiality Policy Record Management Policy Incident Reporting Policy Mobile Phone Policy Photography, Face Time and Video Recordings of Patients SOP East Cheshire NHS Trust Page 9 of 19

10 APPENDIX 1 List of Trust-Owned Approved Devices 1. Apple ipad 2 2. Apple ipad 3 (new) 3. Apple ipad mini Smartphones including but not limited to:- 3. Apple iphone 3GS 4. Apple iphone 4 5. Apple iphone 4S 6. Apple iphone 5 Date updated March 2017 This list is not exhaustive will be reviewed periodically. Staff should ensure that they refer to the most up to date version of the Policy located on the internet. If you have any queries please contact Information Governance East Cheshire NHS Trust Page 10 of 19

11 APPENDIX 2 List of approved Applications to be used in connection with business 1 Access to Go 2. Airwatch 3. EMIS mobile 4. BNF Date updated March 2017 This list is not exhaustive will be reviewed periodically. Staff should ensure that they refer to the most up to date version of the Policy located on the internet. If you have any queries please contact Information Governance East Cheshire NHS Trust Page 11 of 19

12 APPENDIX 3 Trust-Owned Mobile Device Acceptance of Use Declaration - Issue of Mobile Media Agreement East Cheshire NHS Trust operates a system where mobile media devices (e.g. Laptops, ipad, Smartphones including iphones or Blackberry) are issued to an individual staff member. It is the responsibility of that individual staff member to ensure the security of the device that has been issued and abide by policies relevant to such device(s). Staff remain responsible until the device is returned to their Line Manager when accountability can be signed over. Staff/User Agreement I agree to ensure the security of the mobile media I have been issued in accordance with the Trust s Mobile Device Management Policy and all other relevant policies. I understand that any breach of this policy may be dealt with by the Trust s Disciplinary Policy. Brief description of equipment TAG/Mobile/ID No. of device Name Signature Department /Business Group Base Location (full address) Date Line Manager s Name & Title East Cheshire NHS Trust Page 12 of 19

13 Line Manager s confirmation that Asset has been recorded on the Business Group s Information Asset Register Date Added: Please complete above and send to Information Governance within 7 days East Cheshire NHS Trust Page 13 of 19

14 APPENDIX 4 Staff-Owned Mobile Device Acceptance of Use Declaration East Cheshire NHS Trust operates a system where staff-owned mobile media devices (e.g. Laptops, ipads, smartphones including iphones or Blackberrys) may be used on Trust-business, via the Eastmobile WiFi network (i.e. no access to the Trust s Networked drives). It is the responsibility of each member of staff wishing to use their own devices to ensure that the contents of this Policy are strictly adhered to. Staff are aware, and accept that Cheshire & Mersey Commissioning Support Unit IT Department are not responsible for the maintenance and upkeep of the device and any technical problems experienced by the user CANNOT be referred to the ICT Helpdesk for resolution. Staff/User Agreement I agree to ensure the security of the information contained on my mobile device and will abide by the Trust s Mobile Device Management Policy and all other relevant policies. I understand that any breach of this policy may be dealt with by the Trust s Disciplinary Policy. Brief description of equipment MAC address of device Name Signature Department /Business Group Base Location (full address) Date Line Manager s Name & Title Please complete above and send to Information Governance within 7 days East Cheshire NHS Trust Page 14 of 19

15 Equality Analysis (Impact assessment) Please START this assessment BEFORE writing your policy, procedure, proposal, strategy or service so that you can identify any adverse impacts and include action to mitigate these in your finished policy, procedure, proposal, strategy or service. Use it to help you develop fair and equal services. Eg. If there is an impact on Deaf people, then include in the policy how Deaf people will have equal access. 1. What is being assessed? Mobile Device Management Details of person responsible for completing the assessment: Name: Kathryn L Hepplestone Position: Information Governance Officer Team/service: Corporate Affairs & Governance State main purpose or aim of the policy, procedure, proposal, strategy or service: (usually the first paragraph of what you are writing. Also include details of legislation, guidance, regulations etc which have shaped or informed the document) To provide a framework for the secure use of portable devices on Trust business taking into account the requirements of the Data Protection Act (1998) 2. Consideration of Data and Research To carry out the equality analysis you will need to consider information about the people who use the service and the staff that provide it. Think about the information below how does this apply to your policy, procedure, proposal, strategy or service 2.1 Give details of RELEVANT information available that gives you an understanding of who will be affected by this document Cheshire East (CE) covers Eastern Cheshire CCG and South Cheshire CCG. Cheshire West & Chester (CWAC) covers Vale Royal CCG and Cheshire West CCG. In 2011, 370,100 people resided in CE and 329,608 people resided in CWAC. Age: East Cheshire and South Cheshire CCG s serve a predominantly older population than the national average, with 19.3% aged over 65 (71,400 people) and 2.6% aged over 85 (9,700 people). Vale Royal CCGs registered population in general has a younger age profile compared to the CWAC average, with 14% aged over 65 (14,561 people) and 2% aged over 85 (2,111 people). Since the 2001 census the number of over 65s has increased by 26% compared with 20% nationally. The number of over 85s has increased by 35% compared with 24% nationally. Race: East Cheshire NHS Trust Page 15 of 19

16 In 2011, 93.6% of CE residents, and 94.7% of CWAC residents were White British 5.1% of CE residents, and 4.9% of CWAC residents were born outside the UK Poland and India being the most common 3% of CE households have members for whom English is not the main language (11,103 people) and 1.2% of CWAC households have no people for whom English is their main language. Gypsies & travellers estimated 18,600 in England in Gender: In 2011, c. 49% of the population in both CE and CWAC were male and 51% female. For CE, the assumption from national figures is that 20 per 100,000 are likely to be transgender and for CWAC 1,500 transgender people will be living in the CWAC area. Disability: In 2011, 7.9% of the population in CE and 8.7% in CWAC had a long term health problem or disability In CE, there are c.4500 people aged 65+ with dementia, and c.1430 aged 65+ with dementia in CWAC. 1 in 20 people over 65 has a form of dementia Over 10 million (c. 1 in 6) people in the UK have a degree of hearing impairment or deafness. C. 2 million people in the UK have visual impairment, of these around 365,000 are registered as blind or partially sighted. In CE, it is estimated that around 7000 people have learning disabilities and 6500 people in CWAC. Mental health 1 in 4 will have mental health problems at some time in their lives. Sexual Orientation: CE - In 2011, the lesbian, gay, bisexual and transgender (LGBT) population in CE was estimated at18,700, based on assumptions that 5-7% of the population are likely to be lesbian, gay or bisexual and 20 per 100,000 are likely to be transgender (The Lesbian & Gay Foundation). CWAC - In 2011, the LGBT population in CWAC is unknown, but in 2010 there were c. 20,000 LGB people in the area and as many as 1,500 transgender people residing in CWAC. Religion/Belief: The proportion of CE people classing themselves as Christian has fallen from 80.3% in 2001 to 68.9% In 2011 and in CWAC a similar picture from 80.7% to 70.1%, the proportion saying they had no religion doubled in both areas from around 11%-22%. Christian: 68.9% of Cheshire East and 70.1% of Cheshire West & Chester Sikh: 0.07% of Cheshire East and 0.1% of Cheshire West & Chester Buddhist: 0.24% of Cheshire East and 0.2% of Cheshire West & Chester Hindu: 0.36% of Cheshire East and 0.2% of Cheshire West & Chester Jewish: 0.16% of Cheshire East and 0.1% of Cheshire West & Chester Muslim: 0.66% of Cheshire East and 0.5% of Cheshire West & Chester Other: 0.29% of Cheshire East and 0.3% of Cheshire West & Chester None: 22.69%of Cheshire East and 22.0% of Cheshire West & Chester Not stated: 6.66% of Cheshire East and 6.5% of Cheshire West & Chester Carers: In 2011, nearly 11% (40,000) of the population in CE are unpaid carers and just over 11% (37,000) of the population in CWAC. East Cheshire NHS Trust Page 16 of 19

17 2.2 Evidence of complaints on grounds of discrimination: (Are there any complaints or concerns raised either from patients or staff (grievance) relating to the policy, procedure, proposal, strategy or service or its effects on different groups?) There have been no complaints raised with regard to the use of portable devices Does the information gathered from indicate any negative impact as a result of this document? No negative impact 3. Assessment of Impact Now that you have looked at the purpose, etc. of the policy, procedure, proposal, strategy or service (part 1) and looked at the data and research you have (part 2), this section asks you to assess the impact of the policy, procedure, proposal, strategy or service on each of the strands listed below. RACE: From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, racial groups differently? Yes No Explain your response: The policy relates to the use of portable devices and the security of information contained on the device. This security relates to all information, regardless of race GENDER (INCLUDING TRANSGENDER): From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, different gender groups differently? Yes No Explain your response: As above, any information held on a portable device is required to be secured to the same high standards there is no differentiation on security levels due to gender DISABILITY From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, disabled people differently? Yes No Explain your response: Portable devices may be used only under certain security considerations it relates to the secure storage of all information, regardless of disability. AGE: From the evidence available does the policy, procedure, proposal, strategy or service, affect, or have the potential to affect, age groups differently? Yes No Explain your response: All Trust information is required to be held securely especially when the use of portable devices increases. The security aspects of this policy does not discriminate on the basis of age. Were there to be any discrimination, it could be argued that there may be a discrimination on age, but positively (in the case of Safeguarding children) East Cheshire NHS Trust Page 17 of 19

18 LESBIAN, GAY, BISEXUAL: From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, lesbian, gay or bisexual groups differently? Yes No Explain your response: The Trust is duty bound to secure information to a high standard and there is no discrimination on the basis of sexuality RELIGION/BELIEF: From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, religious belief groups differently? Yes No Explain your response: The Trust is required to store information to the same standard regardless of its content. There can be no discrimination in this policy on the basis of religion/belief. CARERS: From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, carers differently? Yes No Explain your response: The content of this policy relates directly to the Data Protection Act (1998) which requires that a person s information is secured against disclosure to third-parties. This could have an impact on Carers, however the Policy is in place to secure information and the DPA will be the over-arching legislation followed. The policy itself does not discriminate. OTHER: EG Pregnant women, people in civil partnerships, human rights issues. From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect any other groups differently? Yes No Explain your response: The content of the policy provides a framework for the security of information and it covers all information, for all patient and staff groups. 4. Safeguarding Assessment - CHILDREN a. Is there a direct or indirect impact upon children? Yes No b. If yes please describe the nature and level of the impact (consideration to be given to all children; children in a specific group or area, or individual children. As well as consideration of impact now or in the future; competing / conflicting impact between different groups of children and young people: The security aspects of this policy does not discriminate on the basis of age. Were there to be any discrimination, it could be argued that there may be a discrimination on age, but positively (in the case of Safeguarding children) c. If no please describe why there is considered to be no impact / significant impact on children 5. Relevant consultation East Cheshire NHS Trust Page 18 of 19

19 Having identified key groups, how have you consulted with them to find out their views and that the made sure that the policy, procedure, proposal, strategy or service will affect them in the way that you intend? Have you spoken to staff groups, charities, national organisations etc? There has been no consultation with any stakeholder groups however the policy has been reviewed by the Corporate Affairs & Governance Managers. 6. Date completed: Review Date: 7. Any actions identified: Have you identified any work which you will need to do in the future to ensure that the document has no adverse impact? Action Lead Date to be Achieved 8. Approval At this point, you should forward the template to the Trust Equality and Diversity Lead Approved by Trust Equality and Diversity Lead: Date: East Cheshire NHS Trust Page 19 of 19