E-Mail Usage Policy

Version 5 Name of responsible (ratifying) Information Governance Steering Group committee Date ratified 8th January 2014

Document Manager (job title) Head of IT

Date issued 11th February 2014

Review date November 2015

Electronic location Management Policies Trust ICT Security Policy Confidentiality: Staff Code of Conduct Data Protection Policy Adverse Event & Near Misses Policy Information Governance Strategy Information Risk Policy Related Procedural Documents Non-Clinical Records Management Policy Records Retention & Disposal Policy Safe Haven Policy Dignity At Work Policy Disciplinary Policy IT Guidelines - Using E-Mail

e-mail, personal e-mail, Information assets, sensitive information, confidential information, identifiable personal information, formal Key Words (to aid with searching) communication, written communication, retention, NHSmail, webmail, unacceptable use, inappropriate use, offensive or illegal material, PID

Version Tracking Version Date Ratified Brief Summary of Changes Author 4.1 12th October June 2011 IPHIS 5 January 2014 Full re-write of Policy MSF

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014 CONTENTS

1. INTRODUCTION...... 4

2. PURPOSE...... 4

3. SCOPE...... 5

4. DEFINITIONS...... 5

5. POLICY REQUIREMENTS...... 5

6. PROCESSES...... 7 6.1 Access to Trust E-Mail Systems...... 7 6.2 Unacceptable Use of E-Mail...... 7 6.3 Unacceptable Personal Use of the Trust’s E-Mail Systems...... 8 6.4 Safe Working Practices for Users...... 8 6.5 Action in case of Receipt of Illegal, Inappropriate or Unacceptable E-Mail...... 8 6.6 Inappropriate use of Trust E-Mail Systems...... 8 6.7 Cessation of E-Mail Accounts...... 9

7. DUTIES AND RESPONSIBILITIES...... 9

8. TRAINING REQUIREMENTS...... 10

9. REFERENCES AND ASSOCIATED DOCUMENTATION...... 11

10. EQUALITY IMPACT STATEMENT...... 11

11. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS...... 12

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014 QUICK REFERENCE GUIDE

For quick reference the guide below is a summary of actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy.

1. Members of staff are encouraged to consider their appropriate use of e-mail, remembering that it may not always be the best way to communicate and when it is that it is considered, and used, as a formal means of written communication.

2. The Trust’s e-mail systems are business communication tools and members of staff must use them responsibly, effectively and lawfully.

3. Reasonable use of the Trust’s e-mail systems for personal purposes is permitted, subject to the agreements and conditions laid out in this policy.

4. Users of e-mail must be fully aware of the unacceptable use conditions defined in this policy and comply at all times with these requirements.

5. Users of e-mail must comply with Trust policies, practices and standards and NHS best practice guidance concerning requirements for access to information. Sensitive Information must not be sent by e-mail unless it is protected to the necessary standards.

6. Sensitive Information must not be sent or intentionally received via personal e-mail addresses.

7. E-Mail accounts shall not be used for continuing storage of e-mail (and its attachments) that is required for the Trust’s future business or operations. Such correspondence and information must be stored in appropriate records systems and subject to relevant retention and disposal policies.

8. To allow for retrieval of necessary material, after being identified as no longer required e-mail accounts will be retained for six months before being permanently deleted.

9. Failure to comply with the requirements of this policy or inappropriate use of resources controlled by this policy is a serious matter and may result in rights to use Trust e-mail being withdrawn, disciplinary action or prosecution under UK law.

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014 1. INTRODUCTION

This policy supports the Trust’s overall information security management framework and has been produced, particularly, to set policy and define processes to be employed in the use and management of the Trust’s e-mail systems.

E-mail is an established method for day-to-day communication within, between and beyond NHS organisations and can be of great benefit when used appropriately. It has considerable potential to support the management and delivery of services by the Trust and for communicating with partner organisations and stakeholders. However, if it is inappropriately used or misused it also has the potential to introduce serious risks for the Trust, including productivity and security concerns, legal and regulatory compliance and litigation.

The e-mail systems of the Trust are provided primarily to support and deliver the business of the Trust. However, within reasonable limitations the constraints of this policy and the discretion of line managers, they are also available for general use by members of staff.

Members of staff are encouraged to consider their appropriate use of e-mail, in particular remembering that:  E-mail may not always be the best way to communicate.  Volume of e-mail messages can be prohibitive to effective communication.  Although, by its nature, e-mail may seem less formal than other forms of written communication, the same laws apply.  It is easy for e-mails to be forwarded without the knowledge or consent of the originator.  If e-mail is used, care must be taken over its drafting bearing in mind that it remains as published and formal written communication.  Retention and storage of e-mail needs to be dealt with in the same way as other forms of written communication.

All users of Trust e-mail systems shall comply with this policy.

2. PURPOSE

The purpose of this policy is to ensure, in a safe and secure way that complies with law and the best interests of the Trust, that effective and appropriate use of e-mail is made by the Trust and its staff.

In particular this policy aims to:

2.1 Set out the rules that govern sending, receiving and storing of e-mail, including acceptable and unacceptable use of the Trust’s e-mail systems.

2.2 Reduce and avoid security threats through the promotion of awareness and dissemination of good practice.

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014 2.3 Preserve confidentiality of the Trust’s Sensitive Information and protect its assets against unauthorised disclosure.

2.4 Encourage effective use of Trust resources.

3. SCOPE

3.1 This policy applies:

 To all users (including employees, voluntary & bank workers contractors, agency & sub-contract staff, locums, partner organisations, suppliers and customers) of e-mail for business and operational purposes of the Trust.

 The use of Trust e-mail accounts and NHSmail - NHS.net e-mail accounts.

 The use of personal e-mail (webmail) accounts accessed via the Trust’s network and systems.

 The use of non NHS and personal e-mail addresses for communicating Trust business.

3.2 In the event of outbreak of an infection, flu pandemic or major incident. The Trust recognises that it may not be possible to adhere to all aspects of this document and in such circumstances, staff should take advice from their manager and all possible action must be taken to maintain ongoing patient and staff safety.

4. DEFINITIONS

4.1 Sensitive Information means identifiable personal information, commercially confidential and sensitive information and confidential, sensitive and critical information of the Trust.

4.2 The/Your Manager means the line manager of a member of staff or other relevant senior member of staff.

5. POLICY REQUIREMENTS

5.1 An Information Asset Owner (IAO), who is responsible for management and control of Trust e-mail systems, will be assigned by the IT Department.

5.2 Risks associated with use of e-mail shall be considered and mitigated where possible. Risk levels must be proportionate to benefits realised, and where risks cannot be reduced to acceptable levels they shall be escalated to the Trust’s Risk Assurance Committee / Senior Information Risk Owner (SIRO) as appropriate. E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014 5.3 The Trust’s e-mail systems are business communication tools and users are obliged to use them responsibly, effectively and lawfully. Although by its nature e-mail seems less formal than other written communication, the same laws apply. Therefore, it is essential that members of staff make themselves aware of the legal risks associated with the use of e-mail.

5.4 All e-mail accounts maintained in the Trust’s e-mail systems are and remain the property of the Trust. The Trust reserves the right to monitor the content of all e-mails.

5.5 Where there is legitimate cause the Trust reserves the right, without warning or permission from the user, to retain message content as required to meet disciplinary, legal and statutory obligations.

5.6 The Trust allows reasonable use of its e-mail systems for personal purposes on the condition that such use does not interfere with work, is previously agreed with Your Manager and that staff members adhere to this policy, related policies, regulations and the Trust’s current safe working practices.

5.7 Users of e-mail for Trust business purposes and the Trust’s e-mail systems shall comply with Trust policies, IT Guidelines and NHS best practice guidance concerning the requirement for access to information; in particular that information should be shared only on a ‘need to know’ basis.

5.8 Patient information shall not be sent by e-mail unless it is encrypted to NHS requirements and standards. Sensitive Information shall only be sent by approved methods of the Trust detailed in its IT Guidelines practices.

5.9 Personal e-mail addresses, e-mail client software and webmail shall not be used to send or intentionally receive Sensitive Information.

5.10 Use of e-mail for Trust business and operational purposes in public areas of the Trust’s buildings and outside of the Trust’s premises shall be subject to the additional conditions laid out in the Trust’s Portable Computing & Mobile Working and ICT Security policies.

5.11 Executable or potentially executable programs (software) received via e-mail shall not be downloaded onto the Trust’s IT equipment without prior authorisation of the IT Department.

5.12 The e-mail systems of the Trust shall not be used for the continuing storage of e-mails (including their attachments) which are required for the purposes of the Trust’s future business and operations. Such correspondence and information shall be stored appropriately within local and corporate records systems and subject to relevant retention and disposal policies.

5.13 E-Mails within the Trust’s systems shall be monitored for viruses and all e- mail traffic, incoming and outgoing, through the Trust’s networks shall be automatically logged.

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014 5.14 Any use of e-mail which appears to be unacceptable in terms of this policy, or which in any other way appears to contravene the Trust’s policies, regulations and standards may give rise to disciplinary action.

5.15 Potential and actual security breaches associated with the use of Trust e- mail systems shall be reported and investigated in accordance with the Trust’s incident reporting procedures.

6. PROCESSES

6.1 Access to Trust E-Mail Systems Unless The Manager requests otherwise, members of staff are automatically assigned Trust e-mail addresses at the same time as being given a user account.

Requests for user accounts must be submitted by The Manager or other Trust authorised representative to the IT Department Service Desk in accordance with its current ordering processes and procedures.

Requests will be processed by the IT Department in accordance with established procedures and published timescales.

6.2 Unacceptable Use of E-Mail You are fully liable if you disregard the rules set out in this policy. You must not:

 Send or forward e-mails with any libelous, defamatory, offensive, harassing, racist, obscene or pornographic remarks or depictions.

 Unlawfully forward Sensitive Information, or forward Sensitive Information without acquiring the permission of the sender first.

 Attempt to introduce and transmit material (including but not limited to computer viruses, Trojan horses and worms) designed to be destructive to computer systems, or try to get around precautions in the Trust’s systems and network designed to prevent such material.

 Send unsolicited e-mail messages.

 Forward chain letters, junk mail, jokes or executables.

 Forge or attempt to forge e-mail signatures.

 Send e-mail messages using another person’s e-mail account.

 Breach copyright or licensing laws when composing or forwarding e- mails and e-mail attachments.

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014  Use e-mail to commit the Trust to purchasing or acquiring goods or services without proper authorisation.

 Send e-mails that might cause unnecessary annoyance, embarrassment or distress to the recipient.

 Use e-mail in other ways that may be construed as disruptive or a hindrance to the work of others.

6.3 Unacceptable Personal Use of the Trust’s E-Mail Systems You must not use the Trust’s e-mail systems for the following purposes:

 Activity that is commercial or profit-making in nature, or for any other form of personal financial gain.

 Activity, in nature, that competes or conflicts with the Trust’s business.

 Purposes that conflict with your obligations to the Trust as your employer.

 Expressing personal views in such a way that they are likely to be interpreted as being the official policy/view held by the Trust.

6.4 Safe Working Practices for Users All users of Trust e-mail systems are required to comply with the most current version of IT Guidelines published by the IT Department.

Any questions or queries relating to these practices should be addressed to the IT Department Service Desk.

6.5 Action in case of Receipt of Illegal, Inappropriate or Unacceptable E- Mail If you receive an e-mail that contains libelous, defamatory, offensive, harassing, racist, obscene or pornographic remarks or depictions you must promptly notify Your Manager.

If you receive an e-mail that you consider to have been illegally sent or illegal in its content you must promptly contact the IT Department Service Desk and not forward to any further recipient.

6.6 Inappropriate use of Trust E-Mail Systems Failure to comply with the requirements of this policy or inappropriate use of resources is a serious matter and may result in an individual’s right to use Trust e-mail systems being withdrawn. In cases it may result in disciplinary action, and in some circumstances it might lead to prosecution under UK law.

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014 In accordance with the Trust’s disciplinary policies & procedures, line managers shall investigate failures to comply with the requirements of this policy and cases of inappropriate use of resources. Support from the IT Department may be obtained by contacting the IT Service Desk.

6.7 Cessation of E-Mail Accounts The Manager shall ensure that the IT Department’s Service Desk is promptly notified of user accounts that are no longer required, or for which access to the Trust’s e-mail systems is no longer appropriate.

Following receipt of such instruction the IT Department will lock the specified e-mail account/s rendering them to be no longer useable, but available for reactivation should the need occur.

E-Mail accounts will be retained in such condition for a period of six months after which they will be fully deleted. After this time recovery of information from such e-mail accounts will no longer be possible.

7. DUTIES AND RESPONSIBILITIES

7.1 Senior Information Risk Officer (SIRO) The SIRO is responsible for:  The Trust’s information risk assessment process and information management.  Overseeing adherence to this procedure to the satisfaction of the Trust.  Ensuring documentation and appropriate action is taken where non- compliance to this policy or a need for improvement is identified.

7.2 Caldicott Guardian The Caldicott Guardian has responsibility for monitoring controls and procedures governing the safe and confidential transfer of patient identifiable information across the Trust.

7.3 Information Governance Group The Information Governance Group is responsible for ensuring that this policy is:  In accordance with information governance requirements.  Implemented and understood across the Trust.

7.4 Head of IT The Head of IT is responsible for:  Day-to-day management of the procedures related to this policy  Authorising Trust e-mail systems for use by the Trust.  Ensuring this policy is implemented and adhered to by IT Department staff

7.5 The IT Department The IT Department and its staff are responsible for:

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014  Ensuring the continuing availability of Trust e-mail services and their supporting infrastructure.  Managing the security and integrity of data in Trust e-mail systems through the appropriate deployment of anti-virus, mail content and anti-spam products and quarantine control.  Managing, administering and maintaining the Trust’s e-mail systems on a day-to-day basis.  Ensuring the provision of monitoring facilities for Trust e-mail services that ensure compliance with the Trust’s policies and its legal and statutory obligations.  Providing advice and guidance to users of the Trust’s e-mail systems.

7.6 Managers Managers are responsible for undertaking duties as outlined in Section 6 of this document, and appropriately ensuring that their permanent and temporary staff and contractors have read and understood this policy. Further that:  Staff work in compliance with this policy, related processes, guidelines and safe working practices.  Staff are appropriately trained in use of the Trust’s e-mail systems.  Personal use of e-mail by staff is in compliance with the requirements of this policy.

7.7 Staff All staff that use e-mail shall:  Comply with this policy; its related processes, guidelines and safe working practices.  Ensure that they are fully aware of the unacceptable uses of e-mail as outlined in this policy.  Ensure that any personal use of the Trust’s e-mail systems does not interfere with their work and has been previously agreed with The Manager.

8. TRAINING REQUIREMENTS

Members of staff are individually responsible for ensuring that they comply with Trust policies and procedures and complete annual mandatory training which includes Information Governance principles and practices.

Users of Trust e-mail systems must ensure that they are familiar with and follow the latest IT Guidelines issued by the IT Department.

Specific questions relating to the use of e-mail for the Trust’s business and operation needs can be addressed to the IT Service Desk.

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014 9. REFERENCES AND ASSOCIATED DOCUMENTATION

9.1 The Trust is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the Trust, who may be held personally accountable for any breaches of information security for which they may be held responsible. The Trust shall comply with the following legislation and other legislation as appropriate:

 The Data Protection Act (1998)

 Computer Misuse Act (1990)

 Common Law Duty of Confidentiality

 Human Rights Act 1998

 Privacy and Electronic Communications Regulations

 Regulation of Investigatory Powers Act 2000

 Freedom of Information Act (2000)

9.2 The Trust complies with all national NHS information security and governance requirements and aims to adopt other standards and recognised best practice it considers appropriate. This includes:

 Information Governance Toolkit V11 requirements 11-301, 11-302, 11- 305, 11-310, 11-311, 11-313, 11-314 and 11-323

 Information Security Management: NHS Code of Practice 2007

 E-Mail, Calendar & Messaging Services - Good Practice Guideline: NHS Connecting for Health 2006

 Good Practice Guide - Internet & e-mail usage: NHS Connecting for Health 2008

 NHSmail Acceptable Use Policy: NHS Connecting for Health

 Health & Social Care Information Centre (HCSIS) website

 ISO27001:2005 International Standard for Information Security Management

 ISO27002:2005 Code of Practice for Information Security Management

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014 10. EQUALITY IMPACT STATEMENT

Portsmouth Hospitals NHS Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds.

This policy has been assessed accordingly.

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date – 11th February 2014 11. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS

This document will be monitored to ensure it is effective and to assurance compliance.

Minimum requirement to Frequency of Report Lead(s) for acting on Lead Tool Reporting arrangements be monitored of Compliance Recommendations Information asset ownership is assigned & e-mail To be assigned by systems are being managed IT Department nominated IG Toolkit compliance IG Toolkit compliance Annually Information Governance in accordance with IT responsible returns returns Steering Group Security Policy requirements for core IT assets Appropriate & secure Information Asset Owner, methods for sending patient, Information Governance Report to Information To be assigned by Report to Information confidential & sensitive Manager & Information Governance Steering Annually Information Governance Governance Steering Group information exist & are Security Management Group Steering Group regularly reviewed Assurance Lead IT Guidelines for Using E- Report to Information IT Department nominated Report to Information Mail are regularly reviewed Governance Steering Annually Not applicable responsible Governance Steering Group & updated Group

E-Mail Usage Policy Issue 5 Review Date - November 2015 Issue Date - January 2014