NETWORK SECURITY POLICY

Document Version: 4.0
Date: 23rd January 2012
Review: 31st March 2013
Author: Richard Brady
Approved: Information Governance Steering Group

Network Security Policy

DOCUMENT CONTROL AND AMENDMENT RECORD

NOTE: This is a CONTROLLED document. The current version of this document is maintained and is always available electronically from SharePoint. All other electronic or paper versions of this document sourced from any network drive, email or other sources are uncontrolled and should be checked against the current SharePoint version prior to use.
Draft Version Control

Version | Date       | Detail | Author | Approval
0.1     | March 2008 | Initial Draft | G Jones (Information Governance Consultant) |
0.2     | April 2008 | Minor revisions, additions and formatting changes | C Brooks |
0.3     | July 2008  | Minor additions | P Williams |
0.4     | July 2008  | Minor additions and amendments including Appendix B and also minor amendments following discussion with P. Williams. Change of author / owner to C Brooks | C Brooks | IG Steering Group 17/7/08
Amendment Record

Version     | Date        | Detail | Author | Approval
1.0         | 17 Jul 2008 | 1st published version following approval at IG Steering Group 17/7/08 | C Brooks | -
2.0         | 13 Dec 2008 | Revised document control statement added to page 2. Policy migrated to SharePoint and version updated to put it in sync with SharePoint's version control function. | C Brooks | -
2.1 (Draft) | 23 Feb 2009 | Removal of '… and / or laptops.' from the end of para 14.6 (as all PCT laptops are now encrypted). | C Brooks | IGSG 25/3/09
2.1         | 23 Mar 2009 | Removal of '… and / or laptops.' from the end of para 14.6 (as all PCT laptops are now encrypted). | C Brooks | IGSG 25/3/09
2.2         | 25 Nov 2009 | Minor amendments to para 8.1 and Appendix A to reflect the change of name of the Trust's 'User Access Management Policy' (previously 'User Access and Network Management Policy') and the Trust's 'Staff Remote Working Policy' (previously 'Staff Remote Access Policy') | C Brooks | -
2.3         | 13 Jan 2010 | Update to change PCT logo, include SMCS logo and re-branding. Update to para 27.3.1 to reflect the changed network password requirements as agreed by the IGSG. | C Brooks | IGSG 9 Feb 2010
3.0 DRAFT   | 25 Jun 2010 | Updated to add wireless networking aspect - new section 11. | C Brooks | IGSG 8 Jul 2010
3.0         | 30 Jul 2010 | Published version following agreement by IGSG 8 Jul 2010 | C Brooks | IGSG 8 Jul 2010
3.1         | Dec 2011    | Revised to align with SWL Cluster | R Brady |
3.2         | Jan 2012    | Minor changes | G Jones |
4.0         | 5 Jan 2012  | SW London revision | R Brady | IGSG 23/01/2012
CONTENTS

1  Introduction
2  Objective
3  Network Definition
4  Scope of Policy
5  The Policy
6  Risk Assessment
7  Physical and Environmental Security
8  Access Control to the Network
9  Third Party Access Control to the Network
10 External Network Connections
11 Wireless Connectivity
12 Maintenance Contracts
13 Fault Logging
14 Network Operating Procedures
15 Data Backup and Restoration
16 Training and Awareness
17 Security Audits
18 Malicious Software
19 Unauthorised Software
20 Secure Disposal or Re-Use of Equipment
21 System Change Control
22 Security Monitoring
23 Security Awareness Training
24 Reporting Security Incidents and Weaknesses
25 System Configuration Management
26 Business Continuity and Disaster Recovery Plans
27 Unattended Equipment and Clear Screen Requirements
28 Security Responsibilities
29 Guidelines
30 References
31 Further Information
APPENDIX A - Related Policies and Procedures
APPENDIX B – Acronyms
1 Introduction

1.1 This document defines the Network Security Policy for NHS South West London (referred to hereafter as the Cluster). The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network.

1.2 This document:
a) Sets out the Cluster's policy for the protection of the confidentiality, integrity and availability of the network;
b) Establishes the responsibilities for network security;
c) Provides reference to documentation relevant to this policy.

1.3 This policy applies to anyone using the Cluster computer network, including third party contractors and companies employed by the Cluster.

1.4 This policy covers all SW London (referred to as the Cluster) IT systems and applies to the IT environments accessed by NHS Croydon, NHS Sutton and Merton, NHS Richmond, NHS Wandsworth and Cluster. NHS Wandsworth COIN users work within the NHS Wandsworth Information Technology and Security Management Framework. This policy does not apply to NHS Kingston.
Below are details of the key role holders and contacts for this policy:

Name                    | Position/Role                                               | Telephone Number | E-mail
Richard Brady           | AD Service Management                                       | 020 3458 5560    | richard.brady@swlondon.nhs.uk
Chris Brooks            | Systems and Security Manager / Information Security Manager | 020 8687 4605    | chris.brooks@swlondon.nhs.uk
Pete Williams           | Network Manager                                             | 020 8687 4778    | pete.williams@swlondon.nhs.uk
Karen Moore             | Service Desk Supervisor                                     | 0208 687 4567    | karen.moore@swlondon.nhs.uk
NHS SWL IT Service Desk |                                                             | 020 8687 4567    | servicedesk@swlondon.nhs.uk
Glyn Jones              | Information Governance Manager                              | 020 8251 0493    | glyn.jones@swlondn.nhs.uk
2 Objective

2.1 The objective of this policy is to ensure the security of the Cluster's network. To do this the designated Systems and Security Manager will:
a) Ensure Availability: ensure that the Cluster's computer systems are available for users;
b) Preserve Integrity: protect the network from unauthorised or accidental modification;
c) Preserve Confidentiality: protect assets against unauthorised disclosure.

2.2 The purpose of this policy is to ensure the proper use of the Cluster's network and make users aware of what the Cluster deems as acceptable and unacceptable use of its network.

2.3 If there is evidence that any user is not adhering to the guidelines set out in this policy, this will be dealt with under the Cluster's Disciplinary Procedure.
3 Network Definition

3.1 The network is a collection of communication equipment such as servers, switches, computers, mobile devices and printers, which have been connected together by cables and wireless technologies. The network is created in order to share data, software and peripherals such as printers, modems, fax machines, internet connections, DVD drives, CD-ROM drives, tape drives, hard disks and other data storage equipment.

4 Scope of Policy

4.1 The policy applies to the whole network throughout the Cluster used for:
a) The storage, sharing and transmission of non-clinical data and images;
b) The storage, sharing and transmission of clinical data and images;
c) Printing or scanning non-clinical or clinical data or images;
d) The provision of internet systems for receiving, sending and storing non-clinical or clinical data or images.
5 The Policy

5.1 The overall Network Security Policy for the Cluster is described below:

The Cluster information network can only be accessed by legitimate users. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, the Systems and Security Manager will undertake the following:
a) Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well balanced technical and non-technical measures;
b) Provide both effective and cost effective protection that is commensurate with the risks to its network assets;
c) Implement the Network Security Policy in a consistent, timely and cost effective manner;
d) Where relevant, comply with:
   - Copyright, Designs & Patents Act 1988
   - Access to Health Records Act 1990
   - Computer Misuse Act 1990
   - The Data Protection Act 1998
   - The Human Rights Act 1998
   - Electronic Communications Act 2000
   - Regulation of Investigatory Powers Act 2000
   - Freedom of Information Act 2000
   - Health & Social Care Act 2001
e) Comply with other laws and legislation as appropriate.
6 Risk Assessment

6.1 The Cluster will at pre-determined intervals carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all aspects of the network that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.

6.2 Risk assessments will be conducted to determine the IT Security (ITSEC) Assurance levels required for security barriers that protect the network.

6.3 Formal risk assessments will be conducted using the Cluster Risk Assessment Procedure and will conform to ISO17799.
7 Physical and Environmental Security

7.1 Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that has a monitored temperature and power supply.

7.2 Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.

7.3 Door lock codes will be changed periodically and following a compromise (or suspected compromise) of the code.

7.4 Critical or sensitive network equipment will be protected from power supply failures.

7.5 Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems.

7.6 Smoking, eating and drinking are forbidden in areas housing critical or sensitive network equipment.

7.7 All visitors to secure network areas must be authorised by the Systems and Security Manager.

7.8 All visitors to secure network areas must be made aware of the network security requirements.

7.9 All visitors to secure network areas must be logged in and out and, where considered necessary by the Systems and Security Manager, also be accompanied. The log will contain name, organisation, date, purpose of visit and time in and out.

7.10 The Systems and Security Manager will ensure that all relevant staff are made aware of procedures for visitors entering secure network areas.

7.11 Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it. A list of those with unsupervised access will be maintained and periodically reviewed.
8 Access Control to the Network

8.1 Access to the Cluster's network will only be permitted through written managerial approval and made through a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Access will be controlled by the Cluster's User Access Management Policy.

8.2 The User Access and Network Management Policy provides a formal, documented user registration and de-registration procedure for access to the network.

8.3 Access rights to the network will be allocated on the requirements of the user's job function, rather than on a status basis.

8.4 All users of the network will have their own individual user identification and password.

8.5 Users are responsible for ensuring their password is kept secret.

8.6 Upon receipt of a notification from the Human Resources department or other line manager, the respective user access rights will be immediately removed or reviewed for those users who have left the Cluster or changed jobs or roles.

8.7 Remote access users will conform to the Cluster's Remote Access Policy and Portable Devices Policy.
9 Third Party Access Control to the Network

9.1 Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions.

9.2 All third party access to the network must be logged by the Systems and Security Manager. All contract staff will have previously read and signed the Confidentiality Agreement for Third Party Suppliers.

9.3 Users are responsible for the use of passwords used to access the network. These passwords should be kept confidential and must not be shared with other users.

10 External Network Connections

The Cluster will, as part of its overall system security:
- Ensure that all connections to external networks and systems have documented and approved System Security Policies.
- Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policy, Code of Connection and supporting guidance.
- Approve all connections to external networks and systems before they commence operation.
11 Wireless Connectivity

11.1 The Cluster headquarters (HQ) in Wimbledon has a wireless network (WLAN). Wireless networking offers a great deal of flexibility to the user; however, this flexibility requires balancing against strong security which protects the Cluster's IT infrastructure [1].

11.2 This wireless network comprises both data and voice wireless networks. The data network comprises access for Cluster staff who have been issued with a laptop. It also incorporates a potential facility for external visitors who may wish to utilise the wireless network in order to be able to access the Internet when on site (termed 'guest' access). NB. 'Guests' would, however, have no access to the Cluster's main network or systems. (Guest access does not require the setting up of a user account on the Cluster's main network.) At the current time, however, 'guest' access will not be enabled.

11.3 Access to the Cluster's WLAN at its Wimbledon HQ will need to be requested via the IT Service Desk, who will arrange for the relevant laptop computer to be configured in accordance with the agreed wireless network security standards, as detailed below.

11.4 The wireless network security standards the Cluster will adhere to are as follows:
a) Access Layer:
   i. Users will connect to the WLAN via Access Points, which will provide the 802.11a/b/g/n connection standard for the client devices.
b) Service Set Identifier (SSID [2]):
   i. The SSID for the Cluster staff access will be hidden and not broadcast, thus reducing the potential for inappropriate access.
   ii. The SSID for 'guest' access to the Internet only, if enabled in the future, will be broadcast so as to make it easily available to authorised visitors.
c) Encryption:
   i. Both the data and voice networks will utilise AES (Advanced Encryption Standard) level of encryption. This encryption standard is mandatory to enable the 802.11n network to be supported.
d) Authentication:
   i. The authentication protocol selected is Protected EAP (PEAP). PEAP is an 802.1X authentication type for wireless networks.
   ii. The laptops used by Cluster staff will conform to the WPA2 (Wi-Fi Protected Access) standard.

[1] The 'Wireless Networking - Good Practice Guidelines' document issued by Connecting for Health has been used as a source of reference for compliance with nationally agreed wireless networking standards.
[2] A service set identifier (SSID) is a sequence of characters that uniquely names a wireless local area network (WLAN).
12 Maintenance Contracts

12.1 The Systems and Security Manager will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the asset register maintained by the Information Security Manager.

13 Fault Logging

13.1 The IT Service Desk is responsible for ensuring that a log of all faults on the network is maintained and passed onto the appropriate team for review and action.
14 Network Operating Procedures

14.1 The operational IT leads will prepare clear, documented operating procedures for the operation of the network, to ensure its correct, secure operation.

14.2 Changes to operating procedures must be authorised by the Systems and Security Manager.

14.3 The Systems and Security Manager will implement all good practice guidelines detailed by the Connecting for Health Information Governance team and security contingency plans that affect the Network Security Policy where appropriate.
15 Data Backup and Restoration

15.1 The Systems and Security Manager is responsible for ensuring that backup copies of network configuration data are taken regularly.

15.2 The details of the backup process are contained in the IT Backup Procedures document, which has been communicated to all relevant staff.

15.3 Documented procedures for the storage of backup tapes are also contained in the IT Backup Procedures.

15.4 All backup tapes will be stored securely and relevant copies also stored off-site, as per the Cluster's IT Backup Procedures.

15.5 Documented procedures for the safe and secure disposal of backup media will be produced and communicated to all relevant staff.

15.6 Users are responsible for ensuring that they do not store any data on the local drives of their networked computers.

15.7 Software patches and any hot fixes will only be applied by the Systems and Desktop teams following an approved change control procedure.
16 Training and Awareness

16.1 All users of the network will be provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities.

16.2 All users of the network must be made aware of the contents and implications of the Network Security Policy.

17 Security Audits

17.1 The Systems and Security Manager will carry out the required checks on, or an audit of, actual implementations based on approved security policies.

18 Malicious Software

18.1 Automatic measures are in place to detect and protect the network from viruses and other malicious software. These are identified in the Securing against Viruses, Malware and E-mail Hoaxes Policy and Procedure.

19 Unauthorised Software

19.1 Use of any non-standard software on Cluster equipment will not be permitted unless authorised by the Systems and Security Manager prior to installation. The Systems and Security Manager will back up such software and document its use to facilitate reinstallation as required. All software used on Cluster equipment must have a valid licence agreement - it is the responsibility of the "owner" or Responsible User of non-standard software to ensure that this is the case.
20 Secure Disposal or Re-Use of Equipment

The Primary Care Support Manager must:
- Ensure that where equipment is being disposed of all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. Where this is not possible the disk or tape must be physically destroyed.
- Ensure that where disks are to be removed from the premises for repair, where possible, the data is securely overwritten.

21 System Change Control

21.1 All such changes must be reviewed and approved by the Systems and Security Manager or other designated Cluster officer.
21.2 The Systems and Security Manager or other designated Cluster officer may require checks on, or an assessment of, the actual implementation based on changes implemented.

21.3 The Systems and Security Manager or designated Cluster officer is responsible for ensuring that selected hardware or software meets agreed security standards.

21.4 Testing facilities will be used for all new IT systems. Development and operational facilities will be separated.

21.5 As part of acceptance testing of all new network systems, the Systems and Security Manager or designated Cluster officer will attempt to cause a security failure and document other criteria against which tests will be undertaken prior to formal acceptance.
22 Security Monitoring

22.1 The Systems and Security Manager will ensure that the network is automatically monitored for potential security breaches. All monitoring will comply with current legislation.

23 Security Awareness Training

23.1 Security awareness training will be provided for all new staff by completion of the appropriate modules of the IG E-learning training programme, to ensure that they are aware of their responsibilities for security, and the actions that they need to undertake in order to discharge those responsibilities. Refresher training will be provided when needs are identified.

24 Reporting Security Incidents and Weaknesses

24.1 Any actual or suspected breaches of network security should be reported immediately to the IT Service Desk. Depending on the nature of the incident this may require the reporting of the breach via the Cluster's Adverse Incident Reporting form. This may result in the Systems and Security Manager undertaking a formal investigation which will be reported to the Information Governance Steering Group (IGSG). Any major IT incidents will be reported to the Associate Director of IT. A major incident would constitute a loss of function of a clinical system or breach of confidential information for one or more individuals or a breach of information which is likely to lead to harm to an individual.
25 System Configuration Management

25.1 The Systems and Security Manager will ensure that there is an effective configuration management process for the network.
26 Business Continuity and Disaster Recovery Plans

26.1 The Systems and Security Manager, together with the operational team leaders, will ensure that business continuity plans and disaster recovery plans are produced for the network and server infrastructure.

26.2 The plans will be reviewed and tested by the Systems and Security Manager or designated Cluster officer on a regular basis.

27 Unattended Equipment and Clear Screen Requirements

27.1 Users must ensure that they protect the network from unauthorised access.

27.2 The Cluster operates an automatic locked screen process after 10 minutes of inactivity. However, staff are advised to log off the network if they expect to leave their computer and / or network connected laptop unattended for a longer period, e.g. to attend a meeting.

27.3 Computers and / or network connected laptops must always be shut down when leaving the office, either during or at the end of the working day.
28 Security Responsibilities

28.1 The Systems and Security Manager is responsible for ensuring that appropriate standards of IT and Information Security are taken.

28.2 Data Protection Responsibilities

28.2.1 The Cluster's Data Protection lead will be responsible for:
- Ensuring that Data Protection Act notifications are maintained.
- Advising users of their responsibilities under the Data Protection Act.
- Ensuring appropriate actions are undertaken where breaches of the Act have occurred.
- Promoting awareness, encouraging, monitoring, and checking compliance with the Data Protection Act.
28.3 User Responsibilities

28.3.1 All staff or agents acting for the organisation have a duty to:
- Safeguard hardware, software and information in their care.
- Prevent the introduction of malicious software on the organisation's IT systems.
- Ensure their password is kept secret - passwords must not be shared. Passwords should be changed regularly and be such that they are not easily guessed, e.g. names of relatives or pets. Network passwords must:
  a) be changed every 30 days
  b) not contain the user's network account name or parts of the user's full name that exceed two consecutive characters
  c) be at least 8 characters in length
  d) contain characters from three of the following four categories:
     i.   English uppercase characters (A through Z)
     ii.  English lowercase characters (a through z)
     iii. base 10 digits (0 through 9)
     iv.  non-alphabetic characters (for example, !, $, #, %)
- If a user suspects that their network password has become compromised, they should report this to the IT Service Desk and change their password.
- Report any suspected or actual breaches in security.
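As an added worked example (not part of the policy and not the Cluster's own tooling), the Python check below applies network password rules a) to d) above to a candidate password and reports which rules it breaks. Assumptions: the user's full name is split into parts on spaces, commas, periods, hyphens and underscores and only parts of three or more characters count under rule b); rule a) treats a password as due once 30 days have elapsed since it was set; the account name, full name and dates are constructed samples.

```python
import re
from datetime import date

# Thresholds taken from rules a) to d) of section 28.3.1
MAX_AGE_DAYS = 30        # a) changed every 30 days
MIN_LENGTH = 8           # c) at least 8 characters
MIN_CATEGORIES = 3       # d) three of the four character categories
NAME_PART_MIN_LEN = 3    # b) name parts that "exceed two consecutive characters"

# The four categories listed under rule d); limited to English letters, as the policy states.
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphabetic": re.compile(r"[^A-Za-z0-9]"),
}


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def name_parts(full_name, min_len=NAME_PART_MIN_LEN):
    """Lower-cased parts of the full name long enough to count under rule b).
    Assumption: parts are delimited by whitespace, commas, periods, hyphens and
    underscores; shorter parts such as initials are ignored."""
    parts = re.split(r"[\s,.\-_]+", full_name)
    return {p.lower() for p in parts if len(p) >= min_len}


def check_password(password, account_name, full_name, last_changed=None, today=None):
    """Check one candidate password against rules a) to d).

    Returns a list of violation strings; an empty list means the password
    complies. Rule a) is only assessed when last_changed is supplied."""
    violations = []
    today = _as_date(today) if today else date.today()
    last_changed = _as_date(last_changed)

    # a) changed every 30 days (assumption: due once 30 days have elapsed)
    if last_changed is not None and (today - last_changed).days >= MAX_AGE_DAYS:
        violations.append("a) password is due for change (30 or more days since it was last set)")

    # b) no account name and no 3+ character part of the full name, case-insensitive
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        violations.append("b) contains the network account name")
    for part in sorted(name_parts(full_name)):
        if part in lowered:
            violations.append(f"b) contains part of the full name ({part!r})")

    # c) minimum length
    if len(password) < MIN_LENGTH:
        violations.append(f"c) shorter than {MIN_LENGTH} characters")

    # d) at least three of the four character categories
    present = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < MIN_CATEGORIES:
        violations.append(
            f"d) only {len(present)} of 4 character categories present "
            f"({', '.join(present) or 'none'})"
        )
    return violations


if __name__ == "__main__":
    # Constructed sample user and dates, not a real account.
    user = dict(account_name="jbloggs", full_name="Joe A. Bloggs")
    for candidate in ("Summer2012!", "bloggs123", "Ab1!", "JBLOGGS#2012"):
        result = check_password(candidate, **user, last_changed="2012-01-05", today="2012-01-23")
        print(f"{candidate:14} -> {'OK' if not result else '; '.join(result)}")
```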
29 Guidelines

29.1 For detailed advice on how to determine and implement an appropriate level of security users should contact the IT Service Desk.

30 References

30.1 All related documents are listed in Appendix A.

31 Further Information

31.1 Further information regarding this policy is available from the Systems and Security Manager.
APPENDIX A
Related Policies and Procedures

1  Confidentiality Code of Conduct
2  Safe Haven Policy and Procedures
3  Confidentiality Agreement for Third Party Suppliers
4  Registration Authority Policy and Procedures
5  Five Borough Sharing Agreement
6  Information Sharing Policy
7  Procedure for the Notification of Information and System Changes
8  User Access Management Policy
9  System Development Policy and Procedures
10 Securing Against Viruses, Malware and E-mail Hoaxes Policy and Procedures
11 Policy and Procedure for Reporting Adverse Incidents
12 E-mail and Internet Acceptable Use Policy
13 Staff Remote Working Policy
14 Information Security Policy
15 IT Backup Procedures
APPENDIX B
Acronyms

Item     | Description
CRAMM    | Central Computer and Telecommunications Agency Risk Analysis and Management Method.
ITSEC    | IT Security Assurance - The National Technical Authority for Information Assurance.
ISO17799 | An international standard approved by the ISO (International Standards Organisation) comprising an agreed set of security controls, measures and safeguards.
APPENDIX 1
EQUALITY IMPACT ASSESSMENT (EIA) TEMPLATE
(Screening and Full EIA Template)

Please use section 1 to screen your policy or activity to establish if it has any relevance to equality and diversity. Where relevance is established, proceed to a full impact assessment, using the template in section 2. Once the form in section 2 has been completed email to the Equality Lead.

1 Screening your policy for relevance to equalities and equalities duties

(Policy in this context applies to strategies, decisions, plans, procedures, service, informal practices or customs which are embedded in our core functions, written organisational policies, change management activities).

Screening must be done during the development or design of the policy and before it goes to any group or committee for approval. If it is going to the Board for approval, then it is a requirement of the Board that a full EIA is carried out where the policy is found to be relevant to equality and diversity.

Screening is a short easy process which makes use of statistics, consultation outcomes, and results of ethnicity monitoring, complaints, analysis of PALS, audit reports, research information, and reviews demographic data. If there is no data, take action to collect the evidence of likely impact and revisit the document (it could be through PPI, research, consultations, desk research/interview, public health data).

When screening a policy or undertaking a full assessment you can involve your team, other colleagues or partners in the sector and together consider the full implications of the policy and improvements to be made.

Before you start screening do the following:
- Be clear about policy aims, purpose, objectives and outcomes and beneficiaries
- Use the evidence/data you have. However, if you have none or require additional information to make an informed decision, then put monitoring in place/gather some data to support the process
- Ask the following questions and answer using the evidence/data you have, your knowledge, expertise, partnership input, past experiences or research about how your policies have affected certain groups, national information about how some groups are affected by our activities/policies/decisions.

Questions for You to use in the Screening Process (answer Yes / No)
- Does/will the policy or activity affect the public directly or indirectly? √
- Have there been or likely to be any public concerns about the policy or proposal? √
- Does the evidence/data show an existing or likely differential impact for the different strands of diversity? Age, gender, disability, race, religion, sexuality √
- Could the policy or activity affect how services, commissioning or procurement activities are organised, provided, where and by whom? √
- Could the policy or activity affect our workforce or employment practices? √
- Have complaints been received from different equality groups about the effect of this policy, proposal or our activities in general (having no complaints does not always mean there is no issue – always advisable to find out) √
- Does the policy involve or will it have an impact upon eliminating unlawful discrimination, promoting equality of opportunity, promoting good relations between diverse groups? √

Nil impact: process stops here. Complete and sign the screening section (see page 2) and return to Frances Newell.
Low impact: 1 – 3 yes's, full EIA required but not an immediate priority, you can prioritise for later on in the year.
High impact: 4 – 7 Yes's, full EIA required immediately using the EIA template on page 2, in consultation with affected groups.