
This policy document is subject to South London and Maudsley copyright. Unless expressly indicated on the material to the contrary, it may be reproduced free of charge in any format or medium, provided it is reproduced accurately and not used in a misleading manner or sold for profit. Where this document is republished or copied to others, you must identify the source of the material and acknowledge the copyright status.

Mobile Devices Policy

Version: 1.1

Ratified By: Policy Sub Committee

Date Ratified: 17/11/2015

Date Policy Comes Into Effect: 17/11/2015

Author: ICT Compliance Manager

Responsible Director: Chief Information Officer

Responsible Committee: Information Security Committee

Target Audience: All Trust Staff

Review Date: 18/08/2017

Equality Impact Assessment Assessor: ICT Compliance Manager

Date: 30/07/2015

HRA Impact Assessment Assessor: ICT Compliance Manager

Date: 30/07/2015


Document History

Version Control

| Version No. | Date | Summary of Changes | Major (must go to an exec meeting) or minor changes | Author |
|---|---|---|---|---|
| 1.0 | 18/8/15 | Rewrite of Mobile telephones policy | Major | ICT Compliance Manager |
| 1.1 | 17/11/15 | Update to 11.5 Tethering | Minor | ICT Compliance Manager |

Consultation

| Stakeholder/Committee/Group Consulted | Date | Changes Made as a Result of Consultation |
|---|---|---|
| ICT Security Committee | 28/8/13 | Broadening scope to include mobile devices |
| Psychosis, CAMHS, MHOA&D Clinical Academic Groups | 12/12/13 to 25/2/14 | Minor amendments |
| H&S Professional Group | 12/12/13 to 22/1/14 | None |
| CAG/Mental Health Act | 10/6/15 | Feedback for inclusion of service user, visitor and detained patients |

Plan for Dissemination of Policy

| Audience(s) | Dissemination Method | Paper or Electronic | Person Responsible |
|---|---|---|---|
| All Trust Staff | Via SLaM e-News bulletin | Electronic | Policy Co-ordinator |


Contents

1 Policy Summary
2 Introduction
3 Definitions
4 Purpose and Scope of the Policy
5 Roles and Responsibilities
5.1 Senior Information Risk Officer (SIRO)
5.3 Service Directors:
5.4 Head of Information Governance
5.5 ICT Compliance Manager
5.6 Manager / Team Leader:
5.7 Trust Mobile Device Users
6 Service users and Visitors
6.1 Responsibilities
6.2 Risk Assessment.
6.3 Incidents
6.4 Detained Patients
6.5 Forensic & PICU Services
7 Mobile Device Management
7.1 Monitoring.
8 Using a Mobile Device Securely
8.1 Minimum Security Standards
8.2 Physical Security
8.3 Using devices outside Trust premises.
8.4 Built in Operating System Controls.
8.5 Malware Threats
8.6 Sharing Devices
9 Storing information.
9.1 Sensitive or Personal Identifiable Information
9.2 Cloud Services
10 Standard Application Suite
11 Connecting to the Internet or Other Networks
11.1 Trust Network.
11.2 Wi-Fi.
11.3 Bluetooth.
11.4 SIM Cards.
11.5 Tethering.
12 Good Practice Guidelines
12.1 Etiquette
12.2 Restricted Areas of Mobile Device Usage
12.3 Photographs
12.4 Motoring
13 Incident Reporting.
14 User Education and Training
15 Risk Assessment of Mobile Devices
16 Account Administration and Activity
16.1 Registration
16.2 Data Allowance Acceptable Use
16.3 Contracts and Licenses
16.4 Warranties and Damage
16.5 Finance and Billing
16.6 Secure Disposal and Re-use
17 Qualification Criteria for Mobile Devices
18 Implementation and Monitoring Compliance
19 Associated Documentation
20 References
21 Freedom of Information Act 2000
Appendix 1: Mobile Device Terms of Use
Appendix 2: Devices Table
Appendix 3: Equality Impact Assessment
Appendix 4: Human Rights Act Assessment
Appendix 5: Checklist for the Review and Approval of a Policy


1 Policy Summary

The policy provides guidance supporting the secure use of mobile devices in order to protect sensitive and personal confidential data, the privacy and dignity of those on Trust premises and the device user. Should the Trust decide in future to implement “bring your own device” for staff, the policy will be updated to include non-Trust owned devices for staff. Guidance for service users and visitors can be found in section 6. The policy outlines useful guidance to staff to ensure that they understand their responsibilities, ensuring the security of the mobile device without compromising their personal security.

1.1 All mobile device users have a responsibility to ensure the device is set up in a secure manner in line with instructions and configuration specifications issued by ICT.

1.2 Some mobile devices, such as tablet computers, will come with a device management solution pre-installed by ICT which provides additional features to protect information on the device in case the device is lost or stolen. This feature must not be deactivated or uninstalled.

1.3 Devices configured to receive SLaM emails must be encrypted with the Trust mobile device management software.

1.4 Mobile devices are a desirable target for thieves. To ensure users’ safety and that of the device, holders must always remain vigilant of their surroundings and take suitable measures to protect themselves from risk of loss or damage to the device.

1.5 To ensure confidential and sensitive information on the device remains secure, the security controls specified by ICT at device set up and the minimum security settings specified in this policy must remain activated. All device holders have a responsibility to ensure these are maintained.

1.6 To ensure anti-virus, anti-spyware software and manufacturer security controls remain up to date, software updates must be accepted unless ICT advise otherwise.

1.7 Sensitive or personal identifiable information may only be temporarily downloaded to Trust owned devices which are password protected and encrypted to NHS standards.

1.8 The backup of contents to cloud services for confidential or sensitive information is restricted to approved Trust file storage services.

1.9 When connecting through Wi-Fi to access sensitive corporate or personal identifiable data, the connection must use either the Trust secure mobile device management solution, APN connection or VPN. Wi-Fi connections must be restricted to trusted networks, such as a secure Trust Wi-Fi network or a security enabled private Wi-Fi network.

1.10 Consideration must be used when using devices to ensure they do not unnecessarily disturb other people and are not used where they may affect complex medical devices.

1.11 Photographs and recordings must only be made with the subject’s consent.


1.12 Any loss, theft or damage to a device must be immediately reported to the ICT Service Desk and the device holder’s line manager, logged as an incident on Datix and, when necessary, the network provider contacted in order to place a bar on the SIM.

1.13 Any breaches of this policy must be reported as an incident on Datix, investigated and may lead to disciplinary action.

1.14 All device service contracts must be purchased through ICT and are allocated a data allowance when the contract is set up. Changes to these must be arranged with ICT.

1.15 Requests for a device to be reallocated or securely decommissioned must be arranged through the ICT Service Desk.

2 Introduction

The Trust makes every effort to support employees in maintaining contact when they are out of the office to enhance their personal safety, productivity and effectiveness. The Trust provides services from several sites and technology advances in recent years have improved opportunities for mobile and teleworking. The capability of mobile computing has increased rapidly and encompasses mobile phones, tablet devices and laptop computers.

Mobile devices present a number of risks that are not necessarily found in more traditional technology solutions. For example, due to the mobile nature of these devices, they may be lost, damaged or stolen easily, potentially resulting in the loss or inappropriate disclosure of data.

The policy aims to ensure users operate devices securely, preventing risk to themselves and theft, and protecting the information contained on the device. While the device remains the property of the Trust at all times, the user is wholly responsible for the security and care of the device, regardless of where it is used.

3 Definitions

Access Point Name (APN): The name of a gateway used to securely connect mobile devices to the Trust network by automatically making a secure connection to the SLaM Mobile Device (APN) via the SIM card if installed and alternatively via Wi-Fi.

Hacking: Unauthorised circumvention of manufacturer and security controls.

Malware: Short for malicious software. Malware refers to software designed specifically to damage or disrupt a system, gather sensitive information, or gain access to private computer systems.

Mobile Device: Any removable media or mobile device that can store data. This includes Smartphones, Mobile phones, Tablets, Laptops, MP3 players, digital cameras and any other device that stores data.

Mobile Storage: Any component that is incorporated in or attaches to a mobile device that can store data. This includes USB memory sticks, USB hard disks, SD cards, memory cards and any other hardware that stores data.


Jailbreaking (Apple iOS): Process of removing limitations on Apple devices running the iOS operating system.

Rooting (Android): Process of removing limitations on devices running the Android mobile operating system.

User Roles:

Power User: Senior Management

Mobile Worker: Clinician working in the Community

Roaming Worker: Clinician working on in-patient wards

Semi Fixed Worker: Admin & clerical staff

Fixed Worker: Administrator

MDM: Mobile Device Management.

VPN: A secure, authenticated connection via the internet using two-factor authentication to provide remote connection to the Trust network.

Wi-Fi: Wireless network capacity which provides access to the Trust’s LAN (Local Area Network) and WAN (Wide Area Network) via a non-wired access point.

4 Purpose and Scope of the Policy

The purpose of the policy is to:

enable staff with mobile devices to connect with Trust services whilst protecting the Trust from any loss of information that may be stored on that device,

provide policy guidelines supporting the use of mobile devices within the Trust and in unprotected environments, using appropriate security procedures to minimise the risks associated with their use,

ensure users of mobile devices do not compromise the security of the Trust ICT estate through the introduction of malware or allowing the exploitation of weaknesses in mobile device security,

regulate the purchase and use of mobile devices to achieve the most cost-effective mobile communication solution for staff,

set out the criteria that must be satisfied before staff will be issued with mobile devices and list the responsibilities of staff when using a mobile device,

ensure that mobile devices are only provided by the Trust where the role requires staff to make telephone calls and access Trust networked services when they may not have access to other fixed ICT telecommunication and networked facilities.


This policy does not cover:

identifying specific technical controls or solutions,

endorsement of particular vendors or products,

Bring Your Own Device (BYOD).

The policy must be read in conjunction with the related policies in the associated documentation section.

5 Roles and Responsibilities

This policy applies to all Trust employees and agency staff who have been assigned a mobile device.

5.1 Senior Information Risk Officer (SIRO)

has overall responsibility for this policy whilst ensuring the Trust receives ‘value for money’.

ensures devices have a high level of security and do not compromise the Trust ICT estate.

5.2 Service Directors:

to ensure this policy is disseminated to all Trust employees and agency staff and a process is in place to oversee its implementation,

to monitor compliance with the policy.

5.3 Head of Information Governance

to oversee that compliance with the policy is monitored as required.

5.4 ICT Compliance Manager

to identify industry standards in order to maintain use of mobile devices in line with NHS policy and requirements,

to undertake activities to ensure compliance with the policy,

to escalate issues, risk and incidents involving mobile devices,

to ensure security incidents are followed-up as appropriate.

5.5 Manager / Team Leader:

to ensure that staff who use a mobile device read and understand their responsibilities,

to monitor monthly call and data use and associated costs,

for covering any costs arising for data plans, call charges, warranty purchases, repair costs, software, application and software purchases or replacement devices,

to ensure leavers return mobile devices issued by the Trust in working order,


to inform the ICT Administration Team of any changes in circumstances, e.g. re-allocation of the mobile device to a different individual, transferring departments, leavers, budget code.

5.6 Trust Mobile Device Users

must read and understand this policy and ensure all internet and email use from mobile devices complies with ICT policies including: Information Security, Internet, Email, Clinical Multimedia and Information Risk, Incident and Forensic Readiness policies,

are provided mobile devices primarily for Trust business, although personal use is permitted with the prior agreement of their line manager, so long as it is not during work time and does not incur additional usage charges to the Trust,

must be aware that breaches of Trust policy must be reported and investigated, and individuals who have acted negligently and in breach of the policy may be subject to the Trust’s disciplinary procedure.

should opt to use landline phones when available to avoid unnecessary call charges,

must declare personal calls from mobile devices provided by the Trust that incur a charge to their line manager and reimburse the Trust for the costs incurred, unless the calls are made under exceptional circumstances (see section 16.5 Finance and Billing),

are wholly responsible for the security and care of the device, regardless of where it is used, while the device remains the property of the Trust at all times,

are responsible for all material on the device and should act responsibly when downloading Applications or Apps to the device and must ensure they have appropriate software licenses. If unsure, email ICT-Librarian,

must be aware that software and any data files created on the organisation’s mobile device are the property of the Trust,

must ensure no personal confidential data or business sensitive information is submitted to external “cloud” storage providers other than the Trust approved provider,

must diligently protect such devices from loss and accidental disclosure of private information belonging to or maintained by the Trust,

must, in the event the device is lost or stolen, report details to the Trust ICT department at the first possible opportunity and cancel the SIM card, if installed,

must, if the device is stolen, report the theft to the Police and obtain a crime reference number,

must keep the configuration specifications as issued by ICT,

must ensure Trust equipment is not used by unauthorised users,

must ensure manufacturer and security controls that are implemented by default are not bypassed,

must ensure the mobile device, including any accessories, is returned to the Trust in working order before leaving employment of the Trust.


6 Service users and Visitors

This section applies to the use of mobile devices on Trust premises by all service users and visitors. Local protocols must be made clear to all service users and visitors when admitted to or attending Trust premises.

6.1 Responsibilities

be aware of local operational policies, i.e. some clinical areas may have specific local guidelines or not permit any use of mobile devices in public areas.

must be considerate when using mobile devices in Trust premises as their use can have an impact on other individuals using those areas.

to respect the privacy, dignity and security of other service users, staff and visitors at all times when using a mobile device capable of recording audio visual footage or connecting to social media and other internet based services.

photographs and audio visual footage may only be made of other individuals with their prior written consent. Where photographs and audio visual footage are made, they must be made in an area restricted to those who have consented.

when using internet sites, social media, apps, consideration must be taken when using the media not to upload footage or comments which may identify other individuals in Trust settings. These facilities on devices must not be used in environments where other individuals may be included on the footage without their consent.

ring tones, music or other footage played on a mobile device must be muted or the volume reduced to ensure it does not cause a nuisance or disturbance. If use of the device causes a disturbance, then restricting its use to designated areas may be necessary.

devices are brought onto the Trust’s premises entirely at the owner’s risk and they are responsible for the security of the device at all times.

6.2 Risk Assessment.

If there is concern about a service user or visitor retaining their device, a risk assessment should be undertaken. If the decision is made to remove the mobile device or charger, e.g. due to ligature risk, it must be labelled clearly with the name of the owner and placed in storage until they leave or discharge from the ward. Where chargers have been removed, the device must be charged in a restricted access area where the charger presents no risk. A receipt must be issued for any device retained by Trust staff. Alternatively the device may be given to a carer or relative for safekeeping.

6.3 Incidents

Those found to have used a mobile device inappropriately or to have made footage without the consent of those included will be asked to delete the footage and may be requested to temporarily relinquish the device for safekeeping by Trust staff.

6.4 Detained Patients

Access to mobile phones (including mobile computing devices) is an important part of everyday life and most detained patients will possess them. On low and medium secure units, issues of public protection require enhanced levels of security and blanket restrictions on the use of phones may be justified. Detained patients’ attention must be drawn to local operational procedures in addition to their general responsibilities outlined in the Service Users and Visitors section. For further details see Mental Health Act 1983: Code of Practice, https://www.gov.uk/government/publications/code-of-practice-mental-health-act-1983

6.5 Forensic & PICU Services

Forensic and Psychiatric Intensive Care Services may operate locally agreed procedures for the use of mobile devices by patients and visitors. The procedures describe a more restrictive approach in order to meet the specific needs of the client group. These must be clearly explained and displayed on units.

7 Mobile Device Management

In order to monitor and maintain the security of Trust owned and managed mobile devices, a mobile device management solution (MDM) is installed by ICT onto each device. This allows ICT to:

update device settings to ensure devices use adequate encryption levels and passwords,

deliver updates to anti-virus and anti-spyware components,

verify the device is authenticated to connect to the Trust network,

deliver a standard suite of applications to the device,

operate a remote wipe of the device should it be lost or stolen.

7.1 Monitoring.

The mobile device management solution for Trust owned devices provides application inventory monitoring. This provides information on commonly used applications and allows ICT to make available and recommend popular business applications to device users from the Apps store and Self Service portal. Application inventory monitoring identifies commonly used applications and does not monitor the content of applications used. Routine anonymous monitoring of email and internet traffic is undertaken for capacity planning and to ensure the Trust does not compromise the code of connection to the NHS N3 internet network.

8 Using a Mobile Device Securely

Mobile devices are highly portable by design and present an attractive target for thieves. As well as the financial cost, the risk of loss of sensitive or personal confidential data may be higher with these devices than other portable solutions due to their desirability, ease of concealment and potential ease of access to device content once it has been stolen. Users are required to ensure physical security of the device by keeping it secure at all times and locking it away when not in use.


8.1 Minimum Security Standards

All mobile device users must ensure:

the mobile device PIN (Personal Identification Number) has been enabled,

the voicemail mailbox PIN protection is enabled,

the automatic screen lock is enabled with PIN or password function activated,

strong passcodes are used wherever possible, with a minimum of 4 characters on smartphones and 6 alpha-numeric characters on tablets,

screen timeout facility is set for 1 minute of inactivity,

mobile devices are not used while driving a vehicle; this includes using them via a Headset or Bluetooth device,

they are aware that some devices are configured to allow for remote wipe or render the device inoperable after a maximum of 8 failed password attempts. Mobile device users must note and accept that, should they continually input their passcode incorrectly or if the device is lost or stolen, the device will be reset or reformatted and all data held on it will be erased,

the GPS / Location Services functionality is switched on to track the location of the device,

the device is not used to permanently store or provide bulk transfer of sensitive or personal confidential data (the Information Governance department must be contacted to record any bulk stores of information assets or secure bulk transfers of personal confidential information),

the Trust secure mobile device management solution (MDM) or APN connection (both part of the standard ICT settings provided at the time the device was set up), or a VPN connection, is used to access sensitive or personal identifiable information remotely,

any local temporary copies of emails or other confidential or sensitive information are properly erased after use,

automatic back up of mobile device contents to commercial cloud services is switched off. Only approved Trust file storage services to be used,

the Bluetooth feature on devices should only be switched on when required and not paired to non-Trust equipment.

8.2 Physical Security

As mobile devices are used from a variety of locations including public places, consideration must always be given to the risk of using the device in each location before using it. The risk of damage, theft, eavesdropping or overlooking by unauthorised persons may vary considerably between locations and should be taken into account when using the device. Do not make yourself a target.

Public transport and streets are high risk areas. Remain vigilant of the surroundings at all times,

Ensure devices are physically secure at all times, including when unattended or not in use.


8.3 Using devices outside Trust premises.

An increased level of security over that applied within the work place must apply in any location away from it to mitigate the risk of information on the device being seen by any unauthorised person. In addition, increased vigilance must be exercised to prevent the device being lost, damaged or stolen.

8.4 Built in Operating System Controls.

Users of Trust owned mobile devices must not bypass manufacturer and security controls that are implemented by default. This form of bypassing is also known as “Jailbreaking” or “Rooting”.

Standard ICT set up and manufacturer security controls implemented on the device must not be deliberately bypassed.

8.5 Malware Threats

Software updates from device manufacturers must be accepted unless an email or other notification is received from ICT stating otherwise. Other anti-virus and anti-spyware components will be updated by ICT via the mobile device management solution to protect against Malicious and Unauthorised Mobile Code.

8.6 Sharing Devices

Shared devices may only be used to access services requiring further login authentication. Where there is a shared device access code used within a team, functionality will be restricted to applications requiring individual logins.

9 Storing information.

All information created during Trust business must be stored securely on resources provided and authorised by the Trust. Portable storage options are available, providing the device is password protected and encrypted to NHS standards.

9.1 Sensitive or Personal Identifiable Information

Only Trust owned mobile devices may be used to temporarily store sensitive or personal identifiable information providing the device is password protected and encrypted to NHS standards,

where mobile devices are used to access sensitive or personal identifiable information remotely, remote access must be by the Trust secure mobile device management solution, APN connection or VPN solution,

email may be accessed directly from mobile devices. Users must remain vigilant when accessing emails in public places to prevent unauthorised access to sensitive or confidential information.

If the device does not have an automatic lock or PIN code, ensure references to names are restricted to first name or initials.


9.2 Cloud Services

Many mobile devices offer the ability to automatically back up their contents to Cloud services. Cloud services servers may be anywhere in the world and may be out of the jurisdiction of the Trust which is responsible for that information, potentially putting the user and Trust in breach of the Data Protection Act 1998.

use of cloud file storage facilities for storing confidential or sensitive information is restricted to Trust approved file storage services accessed by Trust secure mobile device management solution, APN connection or VPN solution,

the device must be used as set up by ICT and if any changes are required to the set up of the device, these must be requested through the ICT Service Desk,

commercially available cloud service applications must be used with caution and only for non-sensitive content, which does not include person identifiable information about service users and staff.

10 Standard Application Suite

Applications in the standard application suite will, wherever possible, take advantage of built in manufacturer security features and encryption to restrict access to the sensitive or personal identifiable information on the device. Installations from “cracked” applications are not permitted as they may present a security risk.

11 Connecting to the Internet or Other Networks

Connecting to networks or other devices, either via Wi-Fi or Bluetooth, presents a means by which a device may be compromised, potentially giving other parties access to information contained on the device. When connecting to other devices or networks, ensure a strong password is used at all times.

11.1 Trust Network.

Mobile devices may be connected to Trust networked PCs or laptops to charge the batteries. Connecting mobile devices, e.g. portable hard disks, to Trust networked PCs or laptops for the purpose of data transfer is only permitted for Trust issued devices where the device has been security assessed by ICT and is approved for use on the Trust network.

11.2 Wi-Fi.

Access to sensitive or personal identifiable data on a tablet or other mobile device can only be made via a secure Wi-Fi connection, a secure mobile broadband connection using the SLaM private APN (mobile.slam.nhs.uk), or a VPN. The device must also comply with the Trust's security policies, have password protection and be encrypted. If the device user wishes to enable 3G connectivity on the device, they may purchase a 3G SIM and data plan from the ICT Administration Team (020 3228 8806).


Link to 3G Application form: http://sites.intranet.slam.nhs.uk/ICT/ICT%20forms/useraccounts/default.aspx

11.3 Bluetooth.

Unless specifically required, the Bluetooth feature on devices must be kept switched off, in order to prevent disclosure of information, e.g. contact lists, or compromise of the device through weaknesses in the Bluetooth software. Devices should be configured to ensure that inbound connection requests are prohibited or permitted only from known and trusted sources. When Bluetooth is switched on, a strong password must be used. Where available, encryption and anti-malware software must be implemented.

11.4 SIM Cards.

Trust supplied mobile device SIM cards must not be transferred to an alternative mobile device, including device holder’s personal mobile devices. If it is found that calls, data use and Apps were purchased during the period the SIM card was transferred to an alternative mobile device, any charges incurred to the Trust will be repayable to the Trust by the device holder and disciplinary action may be taken.

11.5 Tethering.

A secure passcode must be used when tethering Trust supplied mobile devices.

12 Good Practice Guidelines

12.1 Etiquette

Mobile devices must be switched to silent / vibrate in areas where notification tones, e.g. ring tone, text notification or email notification, could disturb other people.

12.2 Restricted Areas of Mobile Device Usage

On wards which do not allow service users to have mobile devices on their person, where use of such devices will generate direct interest, a potential for paranoia, conflict, etc, mobile device users are to refrain from using their device until they are safely away from patient areas and can use the device unobserved. The use of mobile devices has little or no effect on modern clinical equipment unless operated within close proximity, or about 2 metres (Device Bulletins DB9702 “Electromagnetic compatibility of medical devices with Mobile Communications”, issued by MHRA in July 2004; this document can be viewed at the following URL: http://www.mhra.gov.uk/Publications/Safetyguidance/DeviceBulletins/CON007365 ).

12.3 Photographs

Staff should recognise the need for privacy and dignity of patients, the public and staff by not allowing mobile device camera facilities to be switched on in the vicinity of patients. The taking of photos or videos in ward areas is only allowed when the subject has given explicit consent. For further information, please refer to the Clinical Multimedia Policy.

12.4 Motoring

Staff Members who drive must be aware of the Highway Code, which states that: You must exercise proper control of your vehicle at all times and never use a hand held mobile telephone when driving.

13 Incident Reporting.

All incidents of theft, loss or serious damage of a mobile device must be reported in line with the relevant incident policy and:

contact the ICT Administration Team at the first possible opportunity to place a bar on the SIM,

report immediately to your line manager,

log the incident immediately on the ICT Service Desk,

report immediately to Information Governance Team (email [email protected] ),

log on Datix, the Trust Incident reporting system http://sites.intranet.slam.nhs.uk/risk/datixwebhelp/default.aspx

if stolen, must be reported to the Police and a crime number obtained. Any charges incurred by the Trust due to staff member negligence may be recovered from the staff member.

14 User Education and Training

New mobile device users must read and understand the user manual provided with the device, paying particular attention to the security settings.

15 Risk Assessment of Mobile Devices

Prior to any new Trust owned mobile device being deployed, ICT must conduct a risk assessment on the equipment. Risk assessment to include an assessment of:

authentication must include individual user accounts and passwords,

availability to force password protection,

encryption controls, to ensure encryption levels conform to NHS Information Governance standards,

technical parameters required for secure network connections,

restriction and revocation procedures; to enable remote wipe,

anti-virus / malicious code detection, removal and prevention procedures,

availability of GPS tracking for the device,

likelihood of Apple jail-breaking or Android Rooting,

cloud services other than the Trust appointed provider to ensure they are not enabled by default.

Risk assessments will be presented to the Information Security Committee and if the device has a satisfactory level of security and the risk assessment is approved, a change request for its connection to the Trust network must be logged to the Change Advisory board.


16 Account Administration and Activity

16.1 Registration

All mobile devices used for Trust business or holding NHS information must be uniquely identified and registered with ICT as configuration items.

16.2 Data Allowance Acceptable Use

Trust mobile devices are allocated a data allowance and put on a fair usage policy when the contract is set up by ICT. Tariffs incorporating higher data allowances are available on request to ICT. Text messages and voice calls are not included in the monthly price plan. Further details on mobile phones can be found on the following link: http://sites.intranet.slam.nhs.uk/ICT/Services/Service%20Catalogue/Communications/Mobile%20Phones/default.aspx

16.3 Contracts and Licenses

All mobile devices and their associated service contracts must be purchased through ICT. Any mobile device user who is transferring from an existing contract must make arrangements with ICT for setting up the new contract. To access SLaM applications, Trust owned mobile devices must have an appropriate license assigned. For further advice, email ICT-Librarian. Link to software application form: http://sites.intranet.slam.nhs.uk/ICT/ICT%20forms/software/default.aspx

16.4 Warranties and Damage

Any modifications, upgrades or repairs to a device must be arranged either under product warranty, insurance or via the Supplies Department with the manufacturer or supplier. Repairs determined to be caused by negligence and not covered by the warranty are the responsibility of the device owner.

16.5 Finance and Billing

All invoices relating to mobile devices accessing paid for services will be sent direct to the Finance Department. These will be processed immediately, through Accounts Payable, and will be settled in full. The cost, for the full amount of the bill, will then be charged to each cost centre. Team leaders can request a copy of the itemised mobile device bill from their Management Accountant. The Finance Department will review the highest individual bills each month, and, if necessary, query these with budget holders to ensure that there is no misuse of the mobile device.

Mobile device bills that show no itemised calls for two or more consecutive months will be queried to identify whether the device is still in use.

Private calls from the device must be declared to the Staff Member’s Team Leader, for billing purposes. These calls should be paid for at the current rate at Trust Cashiers Offices at Bethlem Royal Hospital, Maudsley Hospital or Lambeth Hospital, by cheque made payable to South London and Maudsley NHS Foundation Trust and sent to Finance at Bethlem Royal Hospital, or by email consent sent from the manager of the mobile telephone user to Payroll, in the format of: “Dear Payroll, please deduct £xxx.xx from [staff name] next salary payment, in respect of personal calls made from their Trust mobile. The employee is fully aware of this deduction being made”. The emergency private call rate will be reviewed regularly in line with the tariffs for the contract and will be published on the Trust Intranet and from Cashiers offices.

16.6 Secure Disposal and Re-use

Mobile devices must be securely wiped before the device is reassigned for another purpose or disposed of when redundant. Failure to securely wipe the device may result in the data remaining on the device being available to the new owner/user of it. Contact the ICT Service Desk to request a device be reallocated or securely decommissioned.

17 Qualification Criteria for Mobile Devices

The following statements reflect examples where Trust employees or agency staff would meet the qualification criteria for mobile devices:

employees or agency staff who work in high risk situations where a mobile device will increase security or minimise risk for either the employee or service users,

employees or agency staff who are required to work 60% or more of their working time away from their normal place of work at locations where they do not have access to a workstation and need to be able to communicate with colleagues on Trust business,

employees or agency staff with on-call commitments who do not routinely have access to a workstation.


18 Implementation and Monitoring Compliance

All Clinical Academic Groups and Corporate Services may be required to participate, where applicable, in audits of mobile information security on a regular basis. The results of audits will be reported to the Information Security Committee. Compliance with the Mobile Device policy is monitored by the ICT Compliance Manager and overseen by the Information Security Committee. The HSCIC Information Governance Toolkit and the annual Information Governance Assurance Programme consist of internal and independent audits. The programme reviews compliance with Trust Information Governance Policies, including the Mobile Device policy. Progress on the recommended actions is monitored by the Information Security Committee.

| What will be monitored i.e. measurable policy objective | Method of Monitoring | Monitoring frequency | Position responsible for performing the monitoring/ performing co-ordinating | Group(s)/committee(s) monitoring is reported to, inc responsibility for action plans and changes in practice as a result |
| --- | --- | --- | --- | --- |
| Use of the policy and any concerns / issues which may be raised | Staff surveys | Bi-annual | ICT Compliance Manager | Information Security Committee |
| Activity and billing | Itemised bills | Monthly | Line manager | Management accountant |
| Monitoring of frequently used applications | Mobile device management solution | Monthly | MDM Administrator | Information Security Committee |

19 Associated Documentation

Information Security Policy

Information Risk, Incident and Forensic Readiness Policy

Email policy

Internet policy

Clinical Multimedia Policy

Mobile Telecommunication Procurement Procedure can be found at http://sites.intranet.slam.nhs.uk/ICT/Policies/procedures/default.aspx

Further information on information security and related matters is available from the NHS Health and Social Care Information Centre website: http://systems.hscic.gov.uk/qipp/mobile/


20 References

NHS Health and Social Care Information Centre website: http://systems.hscic.gov.uk/qipp/mobile/

Use of Tablet Devices in NHS environments: Good Practice Guidelines, NHS Connecting for Health, Version 1, 19/12/2011.

21 Freedom of Information Act 2000

All Trust policies are public documents. They will be listed on the Trust's FOI document schedule and may be requested by any member of the public under the Freedom of Information Act (2000).


Appendix 1: Mobile Device Terms of Use

Acceptance of the following Terms and Conditions is a prerequisite to using any Trust owned and connected mobile device.

Set-up, Warranty and Finance

1. On receipt of the device, the Responsible Owner will either set up a new Apple ID or Play Store account.

2. The device must be set up in accordance with the instructions and configuration specifications provided by ICT.

3. Devices are configured with SLaM Secure Wi-Fi. 3G SIM and data plan can be purchased from the ICT Administration team to connect to the Internet where Wi-Fi access is not available.

4. ICT will support the standard set up configuration of the device.

5. Any device configuration and set up outside the standard specifications provided by ICT is the responsibility of the device owner; e.g. home internet connections, external internet connections, non-Trust email accounts and other non-standard applications.

6. Any modifications, upgrades or repairs to a device must be arranged either under product warranty or via the Supplies Department with the manufacturer or supplier.

7. Device owners can choose to extend the warranty on the device by contacting the Supplies Department.

8. Repairs determined to be caused by negligence and not covered by the warranty are the responsibility of the device owner.

9. The ICT department will not reimburse for any warranty purchases, data plans, repair costs, software, application purchases or replacement devices.

10. Trust owned mobile devices are allocated a data allowance and put on a fair usage policy when the contract is set up by ICT.

11. Applications or software must be purchased locally.

Remote Monitoring and Mobile Device Management

On delivery, the mobile device will be preconfigured and connected to a Mobile Device Management system administrated by the Trust to:

1. Enable content monitoring, which provides the Trust with information on commonly used applications. This does not monitor the content of applications used.

2. Enable real time tracking to locate the device if it is lost or stolen,

3. Enable remote wipe to remove any sensitive data in cases where the device is lost or stolen.

The Trust reserves the right to remotely wipe the mobile device. While ICT will try and contact device owners prior to this happening, where this is not possible, data may need to be wiped remotely urgently and without notice.


Responsibilities of Mobile Device Users

1. To be wholly responsible for the security and care of the device, regardless of where it is used and to diligently protect it from loss or damage,

2. In the event the device is lost or stolen, device owners must report details to the Trust ICT department at the first possible opportunity and cancel the SIM card.

3. To take precautions preventing accidental disclosure of private information belonging to or maintained by the Trust,

4. Ensure all internet and email use from mobile devices complies with ICT policies including: Mobile Devices, Information Security, Internet, Email, Clinical Multimedia and Information Risk, Incident and Forensic Readiness policies,

5. Ensure the mobile device PIN (Personal Identification Number) or screen lock has been enabled,

6. Ensure the voicemail PIN has been enabled,

7. Mobile devices must not be used while driving a vehicle; this includes using them via a Headset or Bluetooth device,

8. Ensure personal use of the device is with the prior agreement of your line manager, so long as it is not during work time or invokes additional usage charges to the Trust,

9. Personal calls may only be made from mobile devices in exceptional circumstances and must be declared to the Staff Member’s Team Leader,

10. Users must not deliberately bypass manufacturer and security controls that are implemented on the device,

11. Be responsible for all material on the device and act responsibly when downloading applications to the device ensuring appropriate software licenses are obtained,

12. Be aware that software and any data files created on the organisation’s mobile device is the property of the Trust,

13. Ensure the mobile device is returned to the Trust before leaving employment of the Trust,

14. Ensure Trust equipment is not used by unauthorised users or for unauthorised purposes,

15. Be aware that breaches of Trust policy must be reported and investigated, individuals who have acted negligently and in breach of the policy may be subject to the Trust’s disciplinary procedure,

16. Ensure no personal confidential data or business sensitive information is submitted to external “Cloud” storage providers other than the Trust approved provider.

Responsible Owner Name: ....................

Responsible Owner Signature: ....................

Date: ....................

Device Name: ....................

Device Serial Number: ....................


Appendix 2: Devices Table

Role Desktop Workstation

PC or Thin Client

Mobile Device Tablet or Laptop

Mobile Phone Smartphone or

standard handset

Power User Fixed workspace with multiple shared workspaces and or workstations

Optional Optional

Mobile Worker Shared workspace with allocated mobile device(s) (4G/WiFi)

Optional

Roaming Worker Shared workspace with use of or allocated mobile device (WiFi)

Optional Optional

Semi Fixed Worker Shared workspace with dedicated workstations

Optional Optional

Fixed Worker Fixed workspace with dedicated workstation

N/A Optional

Note. Shared workspace is available in a hot desk area


Appendix 3: Equality Impact Assessment

PART 1: Equality relevance checklist

The following questions can help you to determine whether the policy, function or service development is relevant to equality, discrimination or good relations:

Does it affect service users, employees or the wider community? Note: relevance depends not just on the number of those affected but on the significance of the impact on them.

Is it likely to affect people with any of the protected characteristics (see below) differently?

Is it a major change significantly affecting how functions are delivered?

Will it have a significant impact on how the organisation operates in terms of equality, discrimination or good relations?

Does it relate to functions that are important to people with particular protected characteristics or to an area with known inequalities, discrimination or prejudice?

Does it relate to any of the following 2013-16 equality objectives that SLaM has set?

1. All SLaM service users have a say in the care they get

2. SLaM staff treat all service users and carers well and help service users to achieve the goals they set for their recovery

3. All service users feel safe in SLaM services

4. Roll-out and embed the Trust’s Five Commitments for all staff

5. Show leadership on equality through our communication and behaviour

Name of the policy or service development: Mobile Device Policy v1

Is the policy or service development relevant to equality, discrimination or good relations for people with protected characteristics below? Please select yes or no for each protected characteristic below

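| Protected characteristic | Relevant? |
| --- | --- |
| Age | Yes |
| Disability | Yes |
| Gender re-assignment | Yes |
| Pregnancy & Maternity | Yes |
| Race | Yes |
| Religion and Belief | Yes |
| Sex | Yes |
| Sexual Orientation | Yes |
| Marriage & Civil Partnership (Only if considering employment issues) | Yes |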

If yes to any, please complete Part 2: Equality Impact Assessment

If not relevant to any please state why:

Date completed: 30/7/15

Name of person completing: Ben Tunmore

CAG: ICT

Service / Department: Information Governance

Please send an electronic copy of the completed EIA relevance checklist to:

1. [email protected]

2. Your CAG Equality Lead


PART 2: Equality Impact Assessment

1. Name of policy or service development being assessed? Mobile Device Policy v1

2. Name of lead person responsible for the policy or service development? Ben Tunmore

3. Describe the policy or service development

What is its main aim? To ensure users operate mobile devices securely, preventing risk to themselves, theft and protection of the information contained on the device.

What are its objectives and intended outcomes?

To ensure staff with mobile devices connecting with Trust services do so securely,

to protect the Trust from loss of information,

to provide policy guidelines supporting secure use of mobile devices and minimise the risks associated with their use.

What are the main changes being made? This is a new policy which supersedes the Trust Mobile Phone policy.

What is the timetable for its development and implementation? To be immediately available.

4. What evidence have you considered to understand the impact of the policy or service development on people with different protected characteristics?

Feedback and experience of staff in Information Security Committee, Psychosis, CAMHS, MHOA&D Clinical Academic Groups and the H&S Professional Group.

5. Have you explained, consulted or involved people who might be affected by the policy or service development?

(Please let us know who you have spoken to and what developments or action has come out of this)

The policy was reviewed in consultation with Information Security Committees, Psychosis, CAMHS, MHOA&D Clinical Academic Groups and the H&S Professional Group.

6. Does the evidence you have considered suggest that the policy or service development could have a potentially positive or negative impact on equality, discrimination or good relations for people with protected characteristics?

(Please select yes or no for each relevant protected characteristic below)

Age Positive impact: Yes Negative impact: No

Please summarise potential impacts: It is anticipated the Mobile Device policy will have a positive impact on service users and staff of all ages by ensuring that the Trust operates mobile devices securely and protects data in an effective way.

Disability Positive impact: Yes Negative impact: No

Please summarise potential impacts: It is anticipated the Mobile Device policy will have a positive impact on disabled service users and staff by ensuring that the Trust operates mobile devices securely and protects data in an effective way.

Gender re-assignment Positive impact: Yes Negative impact: No

Please summarise potential impacts: It is anticipated the Mobile Device policy will have a positive impact on transgender service users and staff by ensuring that the Trust operates mobile devices securely and protects data in an effective way.

Race Positive impact: Yes Negative impact: No

Please summarise potential impacts: It is anticipated the Mobile Device policy will have a positive impact on service users and staff of all ethnicities by ensuring that the Trust operates mobile devices securely and protects data in an effective way.

Pregnancy & Maternity Positive impact: Yes Negative impact: No

Please summarise potential impacts: It is anticipated the Mobile Device policy will have a positive impact on pregnant service users and staff by ensuring that the Trust operates mobile devices securely and protects data in an effective way.

Religion and Belief Positive impact: Yes Negative impact: No


Please summarise potential impacts: It is anticipated the Mobile Device policy will have a positive impact on service users and staff of all religions and beliefs by ensuring that the Trust operates mobile devices securely and protects data in an effective way.

Sex Positive impact: Yes Negative impact: No

Please summarise potential impacts: It is anticipated the Mobile Device policy will have a positive impact on service users and staff of all sexes by ensuring that the Trust operates mobile devices securely and protects data in an effective way.

Sexual Orientation Positive impact: Yes Negative impact: No

Please summarise potential impacts: It is anticipated the Mobile Device policy will have a positive impact on service users and staff of all sexual orientations by ensuring that the Trust operates mobile devices securely and protects data in an effective way.

Marriage & Civil Partnership (Only if considering employment issues) Positive impact: Yes Negative impact: No

Please summarise potential impacts: It is anticipated the Mobile Device policy will have a positive impact on staff that are married or in a civil partnership by ensuring that the Trust operates mobile devices securely and protects data in an effective way.

Other (e.g. Carers) Positive impact: Yes Negative impact: No

Please summarise potential impacts: It is anticipated the Mobile Device policy will have a positive impact on service users, staff and visitors by ensuring that the Trust operates mobile devices securely and protects data in an effective way.

7. Are there changes or practical measures that you can take to mitigate negative impacts or maximise positive impacts you have identified?

YES: Please detail actions in PART 3: EIA Action Plan

8. What process has been established to review the effects of the policy or service development on equality, discrimination and good relations once it is implemented?

The policy will be reviewed in 1 year.

Date completed: 30/7/15

Name of person completing: Ben Tunmore

CAG: ICT

Service / Department: Information Governance

Please send an electronic copy of the completed EIA relevance checklist to:

1. [email protected]

2. Your CAG Equality Lead

PART 3: Equality Impact Assessment Action plan

Potential impact: New developments in technology impact on the policy's effectiveness in ensuring Trust data remains secure.

Proposed actions: Review Equalities Impact Assessment

Responsible/lead person: ICT Compliance Manager

Timescale: 30/7/16

Progress: Not started.

Date completed: 30/7/15

Name of person completing: Ben Tunmore

CAG: ICT

Service / Department: Information Governance

Please send an electronic copy of your completed action plan to:

1. [email protected]

2. Your CAG Equality Lead

Appendix 4: Human Rights Act Assessment

To be completed and attached to any procedural document when submitted to an appropriate committee for consideration and approval. If any potential infringements of Human Rights are identified, i.e. by answering Yes to any of the sections below, note them in the Comments box and then refer the documents to the Trust Legal Services for further review.

For advice in completing the Assessment please contact Paul Bellerby, Legal Services [[email protected]]

HRA Act 1998 Impact Assessment Yes/No If Yes, add relevant comments

The Human Rights Act allows for the following relevant rights listed below. Does the policy/guidance NEGATIVELY affect any of these rights?

Article 2 - Right to Life [Resuscitation /experimental treatments, care of at risk patients]

No

Article 3 - Freedom from torture, inhumane or degrading treatment or punishment [physical & mental wellbeing - potentially this could apply to some forms of treatment or patient management]

No

Article 5 – Right to Liberty and security of persons i.e. freedom from detention unless justified in law e.g. detained under the Mental Health Act [Safeguarding issues]

No

Article 6 – Right to a Fair Trial, public hearing before an independent and impartial tribunal within a reasonable time [complaints/grievances]

No

Article 8 – Respect for Private and Family Life, home and correspondence / all other communications [right to choose, right to bodily integrity i.e. consent to treatment, Restrictions on visitors, Disclosure issues]

No

Article 9 - Freedom of thought, conscience and religion [Drugging patients, Religious and language issues]

No

Article 10 - Freedom of expression and to receive and impart information and ideas without interference. [withholding information]

No

Article 11 - Freedom of assembly and association

No

Article 14 - Freedom from all discrimination No

Name of person completing the Initial HRA Assessment: Ben Tunmore

Date: 30/7/15

Person in Legal Services completing the further HRA Assessment (if required): N/A

Date:

Appendix 5: Checklist for the Review and Approval of a Policy

This checklist must be used for self-assessment at the policy writing stage by policy leads and be completed prior to submission to an appropriate Executive Committee/Group for ratification.

Title of document being reviewed: Yes/No/ Unsure

Comments

1. Style and Format

Does the document follow The South London and Maudsley NHS Foundation Trust Style Guidelines? i.e.:

The Trust logo is in the top left corner of the front page only and in a standard size and position as described on the Intranet: Yes

Front page footer contains the statement about Trust copyright in Arial 10pt: Yes

Document is written in Arial font, size 11pt (or 12pt): Yes

Headings are all numbered: Yes

Headings for policy sections are in bold and not underlined: Yes

Pages are numbered in the format Page X of Y: Yes

2. Title

Is the title clear and unambiguous? Yes

3. Document History

Is the document history completed? Yes

4. Definitions

Are all terms which could be unclear defined? Yes

5. Policy specific content

Does the policy address, as a minimum, the NHSLA Risk management Standards at Level 1 where appropriate? Unsure

6. Consultation and Approval

Has the document been consulted upon? Yes

Where required has the joint Human Resources/staff side committee (or equivalent) approved the document? N/A

7. Dissemination

Does the document include a plan for dissemination of the policy? Yes

8. Process for Monitoring Compliance

Is it explicit how compliance with the policy will be monitored? Yes

9. Review Date

Is the review date identified on the cover of the document? Yes

10. References

Are supporting references cited? Yes

11. Associated documents

Are associated SLaM documents cited? Yes

12. Impact Assessments

Is an Equality Impact Assessment included as the appendix of the document? Yes

Is a HRA Assessment included as an appendix of the document? Yes