Mobile Computing Policy


Version: 2.3
Approved: March 2011
Review: March 2012

Mobile Computing Policy

(Incorporating Teleworking, Remote Access, and Portable Storage devices)


Document History





























Disclaimer

This document is intended to comply with regulations, policies and processes relevant to discrimination on the grounds of age, gender, disability, learning difficulties, sensory impairment, mental health need, physical disability, religious or spiritual belief, race or ethnicity, sexual orientation and homelessness. Every action has been taken to ensure compliance and any transgression is unintentional and coincidental.

Any suspected transgression should be escalated to line management and the document author without delay.












Policy Reference number: 033-TB-Mar 2011
Version: V2.3
Ratified by: Information Governance Group
Author: M. Clutton, Reviewed by D Turley
Committee Responsible: Information Governance Group
Policy Sponsor: Senior Information Risk Owner (SIRO)
Date Issued: February 2011
Review Date: February 2012
Target Audience: All staff





Version Control

Version | Date | Reviewed By | Status | Comment
V2.3 | Mar 11 | Darran Turley | Final | Minor amendments
V2.2 | Feb 10 | Darran Turley | Final | Appendices amended
V2.1 | Aug 09 | Mark Clutton | Final | Mobile Working & Device Policy
V1.0 | Feb 08 | Mark Clutton | Final | Mobile Working & Device Policy























































Contents

1. Introduction
2. Purpose of the Policy
3. Definitions
4. Organisational Accountability/Responsibilities
5. Intended Users
6. Full detail of Policy
7. Summary of Policy development Process
8. Review and Revision Arrangements
9. Dissemination and Implementation
10. Document Control
11. Appendices































1. Introduction

The continuous and rapid expansion of technology enables smaller and portable devices to be utilised for communications, accessing data, the capture and transmission of data, and the storage and transfer of records.

Technology also enables access to internal networks and stored information to take place using suitably secure processes from locations other than the main place of work, e.g. the home of a staff member, a vehicle etc.

There are many benefits to the application and use of these technologies within the NHS, but there are also risks to the integrity of networks and the confidentiality of data.

All staff using remote access services or portable devices are required to comply with this policy.

Please note that all staff using mobile devices must complete the forms contained in the appendices of this document before a device is issued for use.


2. Purpose

This policy sets out the context and process for the authorisation and use of mobile computing and data storage technologies in NHS Derby City (hereafter referred to as "the organisation").

The purpose of this policy is to ensure that:

a) the organisation has a clear mechanism for the authorisation of remote working/access, teleworking and issue of portable devices;
b) the risks associated with remote working and portable electronic devices are addressed and minimised;
c) NHS requirements relating to security and confidentiality of equipment and information and the requirements of the Data Protection Act are met;
d) staff utilising remote access or mobile devices are clear about their responsibilities and procedures to be followed;
e) only mobile devices issued by the organisation (that meet technical and security requirements) are used by staff members.


3. Definitions

a) A portable device is defined as any electronic device that can hold or transmit patient or personal identifiable information, e.g. portable computers, laptops, notebooks, palmtops, personal digital assistants (PDAs), advanced mobile phones (including Blackberrys), modems, portable storage devices (CD re-writers, Data keys, USB memory keys/sticks/strips, external Zip drives), iPods, MP3 players, video cameras, digital cameras, remote access tokens, 3G cards etc.

b) Remote access is the mechanism by which access to the Southern Derbyshire NHS network can take place from a non-organisation premises or site, e.g. the home of a staff member, using strong authentication processes and security devices. This includes the use of 3G enabled devices.





Remote access to the network may be on an occasional basis, or if on a regular and frequent
basis, it can be defined as teleworking.


4. Organisation Accountability/Responsibilities

Board Responsibility

Board responsibility for Information Governance lies formally with the Chief Executive and is delegated to the Director of Performance and Knowledge Management.

Director of Performance and Knowledge Management/SIRO

The Director of Performance and Knowledge Management is responsible for co-ordinating, publicising, and monitoring implementation of the policy within the PCT. The Director is also the Senior Information Risk Owner (SIRO) accountable for ensuring compliance with the NHS Information Governance requirements relating to mobile computing and associated technologies.

The SIRO is responsible for reporting to the Board all aspects of information risks. This will include any risks relating to mobile computing, records or data on mobile devices. These risks will be identified, assessed and reported using the established organisational risk management processes and overseen by the Information Governance Group.

These duties will be discharged through clearly designated, suitably qualified and experienced members of staff.

Caldicott Guardian

The PCT Caldicott Guardian has Board level responsibility for ensuring that the Caldicott principles are implemented and adhered to across the organisation.

The Guardian plays a key role in compliance monitoring, implementing national policies, developing procedures and protocols concerning the security and confidentiality of records and patient information, information sharing with other agencies and associated topics, including mobile computing.

The Caldicott Guardian is required to authorise the use of any mobile device or remote access for patient data.

Information Governance Group

This group is responsible for ensuring that the standards and requirements for information governance (including mobile computing) are implemented and understood across the organisation. Performance reporting on policy implementation (and compliance with standards and requirements) will be made to the Trust Board from the Group via the Integrated Risk Committee on a regular basis. The group are also responsible for ensuring that appropriate and effective mechanisms are in place for the identification, reporting and mitigation of risks relating to mobile computing using established Trust procedures.










Directors and Managers

All Directors and managers are responsible for ensuring that all staff are aware of their responsibilities for mobile computing and this must be included in departmental induction and the annual staff appraisals, including the identification of any training needs.

All managers within the Trust have responsibility for ensuring that the Trust standards and policies for mobile computing are actively promoted and adhered to, and that all staff are aware of their personal responsibilities for information security and Data Protection.

Staff

All NHS employees are responsible for any records which they create or use. This responsibility is established at, and defined by, the Public Records Act 1958. Furthermore, as an employee of the NHS, any records created by an employee are public records. Individuals are also responsible for adherence to the Trust's defined data protection, record keeping and records management policies and procedures, breaches of which could result in disciplinary or legal action being taken. Staff must meet the requirements for the use of mobile devices - see appendix 2.

5. Intended Users

It is the responsibility of all staff (including those on temporary or honorary contracts), agency staff and students to comply with this policy.

Compliance with Trust policies is a condition of employment, and breaching a policy may result in disciplinary action or lead to prosecution under UK law.

It should be noted that the duty of confidentiality is a permanent obligation for an individual, extending beyond the period of NHS employment.

Policy Principles

- The use of mobile devices will be controlled by a strict authorisation and inventory process which will be subjected to regular audit.
- The use of privately owned computers or storage devices for the accessing, processing or storage of clinical data, PCT documents, data or images is not permitted.
- Staff who are required to work remotely or use portable devices will be issued with suitable equipment meeting NHS security information requirements and local technical standards.
- Only equipment meeting current NHS security requirements will be issued to staff. All security features will be fully activated before the device is issued.
- All portable devices will be uniquely identified and registered in the PCT and service provider asset register.
- Staff are required to comply with security procedures when using or transporting the device(s).
- This policy will be subject to annual review or as required due to local incidents or changes in NHS security standards.





6. Full Detail of policy

6.1 Authorisation

The organisation implements authorisation and control mechanisms to ensure that only authorised staff are issued with appropriate portable or remote access devices to enable them to carry out their duties.

The process will include:

- completion of a case of need for remote access/teleworking by the individual staff member, supported and signed off by a Director;
- completion of a case of need for the use of a portable device by the individual and signed off by a Director;
- if the device is to be used for the processing or storage of patient identifiable data then the authorisation of the Caldicott Guardian is required in addition to the Director;
- approval for the remote working or issue of a portable device to be signed off by the senior Information Governance lead in the PCT;
- approval by DHIS before any mobile device is connected to the network;
- if the staff member is to use remote access on a regular basis or become an authorised teleworker, an appropriate health and safety assessment to be carried out by a qualified person.

6.2 Portable Device Standards

- The organisation will only issue and use portable devices which meet NHS security standards and have appropriate security mechanisms installed. This will include password and encryption measures as appropriate to the device and meeting NHS requirements.
- All appropriate security measures will be activated before the device is issued.
- Data stored on portable devices must be backed up to a network file server as frequently as possible. Restoration of back-up data must be tested on a regular basis.
- Sensitive data, including that relating to patients, must be kept to the minimum required for effective business use in order to minimise risks should a breach of security or confidentiality occur.
- DHIS will provide technical advice regarding the application and implementation of security mechanisms and software on portable devices.
- Portable devices will be issued to staff only through DHIS as part of the SLA.
- Staff using portable devices will be issued with written requirements concerning their use, and sign to confirm their acceptance of and compliance with these requirements.
- A register of portable device users and equipment will be maintained.

6.3 Remote Access Standards

The organisation will only implement remote access/teleworking by use of the technical standards and requirements required by the NHS Connecting for Health and detailed in the Derwent Shared Services "Remote Access Acceptable Use Policy" - see Appendix 1. These standards and requirements will be reviewed and updated on a periodic basis in line with changes to NHS requirements and evolving technical standards.





- All users will sign an acceptance of this policy.
- A register of staff granted remote access rights will be maintained.
- The organisation will carry out regular audits of remote access users.

6.4 User training and awareness

All staff issued with mobile devices will be given training appropriate to the device and its intended business use. They will be made aware of the need for increased security awareness in the use of the devices.

Each user will be provided with a requirements document on the use of devices (see appendix 2).

6.5 Policy Compliance

All directly employed staff authorised to use portable devices or remote access services must comply with the requirements of the following organisational policies:

- Internet
- Email
- Information Lifecycle and Records Management
- Data Protection policy
- Code of Confidentiality
- Incident Reporting
- Safe Haven
- Code of Confidentiality

These are available on the internet.

For NHS staff not directly employed by the PCT but issued with mobile devices (e.g. General Practitioners) from the PCT, they will be expected to conform to practice information governance policies and the requirements set out in this policy.

6.6 Incident Reporting (including near miss)

Incidents (or near misses) that constitute a loss of hardware or data, or any actual or potential breach of data confidentiality, must be reported directly to the DHIS Customer Service Team Helpdesk, and the Information Governance teams immediately. An Incident Form must be completed and submitted in accordance with organisational procedures.

6.7 Inappropriate Use and Disciplinary Action

Inappropriate use of portable devices or remote access services, including failure to comply with the written requirements for use, or breaches of the Code of Confidentiality/Data Protection Act may result in disciplinary action and may ultimately lead to dismissal.

It may also be necessary to proceed with criminal charges depending on the nature of the incident.

6.8 Maintenance and Support of devices






Maintenance of portable devices and remote access equipment will be controlled by the DHIS CST Helpdesk and carried out as part of the SLA.

6.9 Protection

Mobile devices must be protected from theft and malicious software (e.g. viruses). They must never be left unattended, particularly in vehicles or other easily accessible areas. If at all possible devices should be kept under lock and key when not in use. Care must also be taken in public places as highly visible equipment can attract the attention of thieves.

PCT mobile devices will meet NHS and local security standards, including anti-virus protection where appropriate.

6.10 Staff Leaving the organisation

Managers and staff members are responsible for ensuring that all mobile devices that have been issued are returned and the DHIS Customer Service Team notified before the individual leaves employment.

6.11 Re-use and disposal of Equipment

Data stored on mobile devices must be securely erased by DHIS before the device is re-assigned for another purpose/user or disposed of when redundant.

7. Summary of Policy development process

The policy has been developed from NHS requirements, previous organisational policies on this topic, and with the collaboration of members of the Information Governance Group and DHIS.

8. Review and Revision Arrangements

The policy will be reviewed and revised on a regular basis (annually or as required by changing security or technical standards) by the Information Governance Group.

9. Dissemination and Implementation

The policy will be available to all staff on the intranet and hard copies will be available.

The policy will be available to the public under the terms of the Freedom of Information Act.

10. Document control

This will follow the organisation's process identified in the 'Policy for the Development and Management of Procedural Documents' and reflects the PCT's records management policy.

11. Appendices

1 DHIS Remote Access Authorisation and Acceptable Use Policy
2 Requirements for use + Staff Acceptance form
3 Mobile Device User Form








Appendix 1

DHIS Remote Access Authorisation and Acceptable Use Policy

Derbyshire Health Informatics Service (DHIS)

This document is due for review by the date shown below. After this date, policy and procedure documents may be invalid and may pose a security risk. Please contact the department below immediately.

DHIS Remote Access Authorisation & 'Acceptable Use' Policy

Document Control Sheet

Document name: DHIS Remote Access Authorisation & 'Acceptable Use' Policy
Document Reference: Remote Access Authorisation & Acceptable Use
Subject Area: Information Governance
Category: Policy
Status: Final
Version: v 3.6
Author: Steve Barry
Approved by: Kevin Tuckley
Department: DHIS IG
Target Audience: Client Organisations
Date: 01/07/2010
Further copies from: Derbyshire Health Informatics Service
Quality Assurance by: Information Governance
Review Date: June 2011









1. Document History

Document Location

The source of the document will be found in the locations below.

Paper Copy -
Electronic Copy

Auto updated in the document footer

Revision History

Date of next revision:

Approvals

This document requires the following approvals.

Name | Signature | Job Title | Date of Issue | Version
Kevin Tuckley | | IT Operations Manager (Infrastructure) | | 3.6
Andrew Wall | | Head of DHIS | 15/12/10 | 3.6

Distribution

This document has been distributed to:

DHIS
Derbyshire County PCT
DCHS
Derby City PCT
Mental Health Trust
EMSHA

Revision | Revision Date | Summary Of Changes | Change Author | Changes Marked
0.3 | 20/07/04 | | Stephen Barry | No
0.4 | 01/07/09 | Updated organisation names, update doc format | Neil Ford | No
2.1 | 23/07/09 | Updated to include personnel not employed by organisations e.g. contractors | Neil Ford | Yes
3.0 | 29/07/09 | Authorisation incorporated | Tamara Birchall | No
3.2 | 26/01/10 | Authorisation form minor change | Neil Ford | No
3.3 | 10/02/10 | Renamed to DHIS/DCHS | Neil Ford | No
3.4 | 18/02/10 | Template and DCHS branding | Julie Painter | No
3.5 | 26/05/10 | Section 3.4 amended. Section 3.6 single form in Appendix 1 | Julie Painter | No
3.6 | 01/07/10 | Minor changes to phrasing | Kevin Tuckley | No

Name | Job Title | Date of Issue | Version






2. Contents

1 Document History
2 Contents
3 Remote Access Authorisation & 'Acceptable Use' Policy
3.1 Purpose
3.2 Scope
3.3 Policy
3.3.1 General
3.3.2 Requirements
3.4 Enforcement
3.5 Definitions
4 Appendix 1 - Request and Authorisation Form










































3. Remote Access Authorisation & 'Acceptable Use' Policy

3.1 Purpose

The purpose of this policy is to define standards for connecting to the Derbyshire Health Informatics Service network from any client. These standards are designed to minimise the potential exposure of Derbyshire Health Informatics Service and their client organisations to damage which may result from unauthorised use of, or access to, resources. Damage includes the loss or interference with sensitive or confidential data, intellectual property, public image, critical internal systems, etc.

3.2 Scope

This policy applies to all employees of NHS Derby City, Derbyshire County PCT, Derbyshire Mental Health Services NHS Trust and NHS East Midlands (including their authorised personnel) with an NHS owned computer or workstation used to connect to the Derbyshire Health Informatics Service network using remote access.

Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, ISDN, ADSL, VPN, broadband in general and cable modems.

3.3 Policy

3.3.1 General

1. It is the responsibility of authorised individuals with remote access privileges to the Derbyshire Health Informatics Service network to ensure that their remote access connection is given the same consideration as the user's on-site connection.

2. Remote access is provided solely for use in connection with NHS related activities. No access for personal use, including web browsing or e-mail, is permitted, except where specifically allowed within local Trust policies.

3. Remote access is provided for the use of the NHS employee named on this policy only. Under no circumstances is the user to permit the use of their remote access connection by any third party including colleagues, friends and family. The authorised user will be held responsible for all activities performed using their remote access account.

4. Remote access users agree to have their connection usage monitored, including their use of NHSnet, Internet and e-mail, in order to maintain the security of the network.

5. For additional information regarding remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, please contact the DHIS Customer Services Team on 01332 868900.

3.3.2 Requirements

1. Secure remote access must be strictly controlled. Control will be enforced via two factor authentication using RSA SecurID® tokens.

2. At no time should any employee divulge their PIN or network username and password to anyone. IT staff members will never ask you for your PIN.

3. Under no circumstances must Remote Access users write down their PIN on the token or anywhere else. The PIN must be memorised.

4. The RSA SecurID® token must be kept separately from any device used to connect to the Derbyshire Health Informatics Service network. Attaching the token to your key ring is recommended.




5. Remote Access users must not choose a PIN that is insecure, could be easily guessed, or is personal to you, such as your date of birth or home telephone number.

6. Users of the Remote Access service must inform the DHIS Customer Services Team immediately (Telephone 01332 868900) if they believe their token has been lost or stolen, even if uncertain. DHIS can easily reactivate your token if it is later found.

7. Authorised individuals with remote access privileges to the Derbyshire Health Informatics Service network must not use non-NHS email accounts (i.e., Hotmail, Yahoo, AOL), or other external resources to conduct NHS business, thereby ensuring that official business is never confused with personal business.

8. Any reconfiguration of the connecting computer or workstation is strictly prohibited. This includes the installation/un-installation of any software or hardware and the alteration of any network or other settings.

9. All hosts that are connected to internal networks via remote access technologies must use the most up-to-date anti-virus software.

10. DHIS reserves the right to refuse or revoke remote access permission if they believe for any reason that provision of the service contravenes the NHSNet code of connection, or may cause any other unacceptable breaches of security or confidentiality.

11. Access will not be granted without a signed 'Agreement & Authorisation' from the client organisation (section 3.6).

12. Personnel not employed by a client organisation but given authorisation must also sign the "Internet Access Policy".

3.4 Enforcement

Any employee suspected to have violated this policy will have their remote access privileges immediately revoked and be reported to the employing organisation.

3.5 Definitions

Term | Definition
Derbyshire Health Informatics Service network | Any computer network owned or managed by NHS Derby City, Derbyshire County PCT, Derbyshire Mental Health Services NHS Trust or NHS East Midlands.
Remote Access | Any access to the Derbyshire Health Informatics Service private network through a non-NHS controlled network, device, or medium.
Dial-in Modem | A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates the digital data of computers into analogue signals to send over the telephone lines, then demodulates back into digital signals to be read by the computer on the other end; thus the name "modem" for modulator/demodulator.
ISDN | Integrated Services Digital Network or ISDN is a digital line allowing faster connection speeds (up to 128Kbps) than modem connections.
Cable Modem | Cable companies such as Telewest provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at up to 56 Mbps. Cable is currently available only in certain areas.
ADSL | Asymmetric Digital Subscriber Line (ADSL) is a form of high-speed Internet access competing with cable modems. ADSL works over standard phone lines and supports data speeds of 2-8 Mbps downstream (to the user) and slower speeds upstream (to the Internet).
VPN | Virtual Private Network. A VPN is a way of establishing a private secure network by tunnelling data across existing insecure public networks such as the Internet. This technology is used to provide secure remote access to an organisation's network.




4 Appendix 1 - Request and Authorisation Form

Details of user requesting remote access

Name:
IT Call Number:
Trust:
Department:
Main Location:
Tel No:
Job Title:
Email:
Laptop Name (If Known):
Required National Applications (e.g. PAS, TPP, Choose & Book):

Security Information (Please fill in last to keep details private)

Username:
Date of Birth:
Place of Birth:
Home Postcode:
Memorable Date:
Memorable Place:

Package | Description | Setup Cost | Annual Cost | Tick Req'd
Dial In access only | Allows connections over a Phone Line or ISDN line using a modem | £80 | £35 |
VPN access only | Do you want to connect your laptop to the Internet and the NHS Network from home, through your Broadband connection? | £150 | £75 |
Dial In and VPN access | Both of the packages above. | £150 | £90 |

Request for remote access authorised by:

Name:
Trust:
Department:
Position:
Signed:
Date:

It is important that you understand all the above requirements for the provision of remote access. In addition you should understand the responsibility in general you bear for playing your part in keeping access to the NHS network and confidential information restricted to authorised users. If there are any areas of this document that are not clear, please contact the DHIS Customer Services Team for further clarification.

Please fill out form, sign it below, and return to the Customer Service Team, IT Department, DHIS, Laurie House, Colyear Street, Derby, DE1 1LJ or Fax to 01332 868800

Signed:
Date:



Appendix 2 :
Requirements for use +
Staff Acceptance form


NHS Derby
City Mobile

Devices
-

Requirements

for Use



All users are responsible for the correct use/operation of the device
and for all data processing and storage.


All users are responsible for s
afeguarding the security of the device(s)
and the information /data it contains.



Users must take all reasonable steps to ensure that any mobile device
is not misplaced or stolen

(especially whilst in transit)
. Where possible
the device should be kept out

of sight
,

and preferably in a locked facil
i
ty
when not in use

or unattended
.


Mobile devices must not be left unattended in vehicles
.


Users must not change or disable any security features installed on the
device(s)
.


Passwords, a
ccess tokens, en
cryption ke
ys
must not be stored with the
device.


Never share passwords or log
-
on scripts


Authorised d
ata held or stored on portable devices should be backed
up to network storage files or folders at the earliest opportunity and on
an on
-
going basis.


Do not hold or s
tore data on a mobile device that is
not
authorised,
current or no longer required.


The device must never be left unattended when in use.



The connection/installation of non
-
PCT issued equipment or software
to the device(s) is not permitted.


Users should

be aware that when used in public places e.g. trains or
conferences, information held on the device may be observed by
others
not authorised to do so
,

resulting in breach of confidentiality. It
should also be remembered that conversations may be overhear
d.


Staff working at home should ensure that all precautions to safeguard
the security and confidentiality of data and equipment are maintained.


Staff working at home should ensure t
hat they work in accordance wit
h
the PCT‟s Health and Safety requirements.


Mobile devices should never be shared with colleagues or family and must not be used for non-work purposes.


Only NHSmail (nhs.net) should be used for the transmission of clinical or person identifiable data. Staff must comply with the requirements of the E-mail and Safe Haven Policies.


All users are responsible for complying with requests from the PCT Information Governance Team relating to implementing revisions or changes to the security features or operation of the device(s).


Software must not be installed or downloaded onto the portable device unless authorised by line manager/Director.





Incidents (or near misses) that constitute a loss of hardware or data, or any actual or potential breach of data confidentiality, must be reported directly to the DHIS Customer Service Team Helpdesk, and the Information Governance team immediately. An Incident Form must be completed and submitted in accordance with organisational procedures.


If staff have any queries about the use of their mobile devices or the security and confidentiality of data, they should contact the PCT Information Governance team.



Agreement


It is important that you understand all the above requirements.


In addition you should understand the responsibility in general you bear for playing your part in keeping access to the NHS network and confidential information restricted to authorised users. If there are any areas of this document that are not clear, please contact the PCT Information Governance Team for further clarification.



I _____________________________________________ (print name)

In my role as _____________________________________________ (print job title)




have read and fully understand the above document and my responsibilities.

I also understand that any suspected breach of the above requirements will result in my device(s) being revoked without warning, and may result in disciplinary action, up to and including the termination of my employment or prosecution.
















Appendix 3


Please ensure appropriate sections on both pages are completed


MOBILE DEVICE USER FORM


USER DETAILS


Name:


Job Title:


Department/Directorate:


Base:


Contact details:


Line Manager Name:

Job Title:



LINE MANAGER AUTHORISATION


I authorise the above member of staff to use the following
mobile device(s):


* Laptop



PDA



Blackberry



Memory stick



SD card



Other (please specify):


………………………………………………………………………………………………


Signature of line manager: …………………………………… Date: …...……………….


* If laptop, is Remote Access required?

Yes


No





Has RAS authorisation been obtained?

Yes


No


(If yes, attach copy of completed document)


FOR IG/IMT USE ONLY


Name, model, serial number of device(s) issued:


1.


2.


3.


4.


5.



Signature of recipient: ……………………………………………….. Date: ……………..

Signature of issuing staff member: ………………………............... Date: ……………..







PURPOSE(S) FOR WHICH DEVICE(S) WILL BE USED


Provide a brief description:








Will person identifiable data be stored on the device? (e.g. names, dates of birth, NHS number, addresses)

Yes

No


If yes, specify data to be stored:






If you have ticked yes, the Caldicott Guardian will need to sign the form before you can use the device (please contact Mark Clutton).

Will any other type of sensitive data be stored on the device? (e.g. financial, contractual, clinical, investigations, images, reports)

Yes

No


If yes, specify:










If you have ticked yes, the Caldicott Guardian will need to sign the form before using the device. (Please contact Mark Clutton).

How will the data be backed up, where and how often?







Mobile Devices are issued for users to transfer data from one computer to another. The device must not be used as a backup device. All content stored on the mobile device must be backed up frequently on the server.



Signature of recipient: ……………………………………………….. Date: ……………..

Signature of issuing staff member: ………………………............... Date: ……………..