Email Usage Policy - East Cheshire NHS Trust
Policy Title:
Executive Summary: Sets out the provisions for the use and management of NHSmail in the Trust and with partnership organisations
Supersedes: Version 2.2
Description of Amendment(s): Minor amendments to update new legislation
This policy will impact on:
Financial Implications:
Policy Area: Corporate
Document Reference: ECT002986
Version Number: Version 2.3
Effective Date: July 2018
Issued By: Director of Corporate Affairs & Governance
Review Date: July 2019
Author: Information Governance Officer
Impact Assessment Date:
APPROVAL RECORD (Committees / Group, Date)
Consultation: Information Governance & Records Management Group meeting, July 2018
Approved by Director: Director of Corporate Affairs and Governance, July 2018
Ratified by: Information Governance & Records Management Group meeting, July 2018
Received for information:
Page 2 of 12
East Cheshire NHS Trust
Integrated Governance Manager
Email Usage Policy June 2018
Table of Contents
1. Introduction
2. Purpose
3. Responsibilities
4. Processes and Procedures
5. Monitoring Compliance with the Document
6. Communication
1. Introduction
This policy applies to all staff, including non-Trust employees who work for East Cheshire NHS
Trust or under contract to the Trust. This includes, but is not limited to, staff on secondment to
the Trust, students on placement and people working in a voluntary capacity that have been
granted email access.
All staff members are expected to comply with this policy which is based on current law, NHS
Information Governance standards and accepted standards of good practice.
This policy should be read in conjunction with:-
- ICT Security Policy
- Safe Haven Procedure
Copies of the above policies can be obtained from the Intranet or via the Trust website
www.eastcheshire.nhs.uk
2.0 Purpose
The purpose of this policy is to aid the effective and appropriate use of NHSmail and to reduce
adverse events by:-
- Setting out the rules governing the sending, receiving and storing of email
- Establishing Trust and user rights and responsibilities for the use of the system
- Promoting awareness of and adherence to current legal requirements and NHS information governance standards
- Ensuring that NHSmail is the default system used for Trust business
3.0 Responsibilities
3.1 The Chief Executive is the accountable officer and has overall responsibility for
ensuring that information governance is applied through the organisation. The role carries the
responsibility of being the Trust’s Data Controller and has overall accountability for compliance
with the Trust’s policies ensuring that all staff are aware of the need to comply with the Data
Protection Act (1988) and are aware of the requirements of the common law Duty of Confidence as
set out in the NHS Code of Confidentiality. The Chief Executive also carries overall
responsibility for ensuring that arrangements with third parties who process personal data on
the Trust’s behalf do so under written contract which stipulates appropriate compliance with
information security and confidentiality requirements.
3.2 The Director of Corporate Affairs and Governance is the Trust’s Senior Information
Risk Owner (SIRO) and has delegated accountability for:-
- The Data Protection Act
- The Data Security and Protection Toolkit
- Records Management
- Information Security
- Registration Authority activity
3.3 The Associate Medical Director – Clinical Effectiveness will act as Caldicott Guardian
with delegated responsibility from the Medical Director and will take a lead on confidentiality
issues.
a. To act as a champion for data confidentiality at Board level.
b. To develop knowledge of confidentiality and data protection matters including links
with external sources of advice and guidance.
c. To ensure that confidentiality issues are appropriately reflected in organisational
strategies, policies and working procedures for staff.
d. To oversee all arrangements, protocols and procedures where confidential social care
information may be shared with external bodies including disclosures to other public
sector agencies and other outside interests
3.4 The Deputy Director of Corporate Affairs and Governance (Deputy SIRO) is
responsible for ensuring that systems and processes are implemented to ensure sound
information governance across the Trust.
3.5 The Head of Integrated Governance acts as the Data Protection Officer for the Trust
and provides assurance reports to the Information Governance & Records Management Group
meeting, manages the information governance team, monitors compliance with the IG Toolkit
and oversees the archiving and retention of records.
The Head of Integrated Governance also has responsibility for operational procedures and
Information Governance and for the implementation and co-ordination of the information
governance work programme across the Trust. Responsibility for specific requirements is
devolved to specialist leads and service managers.
3.6 Managers and Supervisors will be responsible for ensuring the local implementation of
information governance and that they implement this and appropriate information policies within
their sphere of responsibility. This includes taking appropriate management action should
non-compliance arise. Clear accountability arrangements will ensure that staff are held to account
for the work that they do and this will be reinforced through contractual arrangements.
3.7 Employees, Volunteers, Contractors, Sub-contractors - all Trust staff, whether clinical
or administrative, employed, sub-contracted or volunteers, have a responsibility to ensure
compliance with this and other Information Governance policies and procedures and must
undertake annual training via the Trust’s ESR on-line training package.
4.0 Processes and Procedures
Trust Responsibilities
4.1 Access to and use of emails
The Trust provides access to NHSmail to employees and authorised non-Trust employees only
for use in connection with:-
- Work duties
- Work related educational purposes
- Work related research purposes
Non-Trust-related emails should be kept to a minimum. The Trust allows short communications of
a personal nature, although the personal use of email is discouraged due to the detrimental
effect it may have on Trust business. Personal communications must be brief and carried out in
the user’s own time, must not detract from the user’s work duties and must not disrupt the work
of others.
Personal emails should be stored in a folder marked ‘personal’ and then deleted as soon as
possible after receipt.
No-one has the right of access to an email account. Inappropriate use or abuse of email may
result in access being withdrawn or amended.
The Trust reserves the right to remove or amend access to the email system at any time in
order to protect and preserve the integrity and confidentiality of the system.
Please refer to section 4.16 – misuse of system.
4.2 Investigating breaches of this policy
The Trust will investigate breaches of this policy, actual or suspected, in accordance with Trust
and NHSmail procedures. Where appropriate, the Trust’s disciplinary procedures will be
invoked.
Where relevant and appropriate, the Trust will make a complaint to an individual’s employer
organisation and co-operate fully with any investigation of that complaint where breaches of this
policy are committed by users who are not employees of the Trust (such as staff on
secondment and other users who may be given access to the system).
Where appropriate, the Trust will take legal action (criminal or civil proceedings) in respect of
this policy.
4.3 Liability
The Trust will not be liable for any financial or material loss to an individual when using email for
personal use or when using personal equipment to access work email.
4.4 Retention and Destruction
Emails will be held on backup in accordance with the NHSmail Data Retention Policy. A copy of
this can be accessed via your NHSmail mail account in the information guidance services.
The Trust reserves the right to retain such emails as required to meet its legal obligations.
Users’ responsibilities and rights
4.5 Access to and use of email systems
NHSmail Acceptable Use Policy - all users should read this policy in conjunction with NHSmail
acceptable use policy available at the following link:-
https://portal.nhs.net/Home/AcceptablePolicy
Users should use email only when it is appropriate to do so and not as a substitute for verbal
communication.
Emails should be worded with care because voice inflections and modulations cannot be
detected, and tone may be difficult to interpret.
Emails must not include anything that may offend or embarrass anyone who may read them, or
which could cause embarrassment to the Trust if they were to find their way into the public
domain.
Emails are easily forwarded and may be read by unintended recipients. Consequently, emails
should always be written with this in mind.
A concise meaningful title must be used as a subject heading of every email to indicate its
content. This will assist the recipient in prioritising the opening of email and aids the retrieval of
opened messages.
Person identifiable information should not be used in the subject heading of an email.
Users should not use email as the only method of communication if an urgent response is
required.
Where important information has been sent by email, confirmation of receipt must be obtained
either by email or by a follow up telephone call.
Users must access email regularly and respond to messages in a timely manner.
Users should indicate when they are not able to read their email (for example, when on annual
leave or out of the office/off-site on business) by using the ‘out of office’ tool on NHSmail.
Users must only use a disclaimer authorised by the Trust.
4.6 Managing emails
Records Management
Email is a communication tool and not a document storage system. Where the content of an
email may be needed in the future, it is the responsibility of the user to ensure it is stored
appropriately. Where the content of an email or attachments forms part of a record it is the
responsibility of the user to ensure it is added to, and becomes part of, that record whether held
in hard copy or electronic format. It should then be managed and stored in accordance with the
Trust’s Records Management policy and the Records Management Code of Practice for Health
and Social Care 2016 published by the Information Governance Alliance (IGA) for the
Department of Health (DH).
Emails and attachments not relating to work activities or which do not need to be kept as part of
a record must be deleted as soon as possible after receipt.
Account Management
There is generally a limit of 4 Gigabytes on all new email accounts, which includes all
sub-folders. It is the account user’s responsibility to manage this limit. Once the limit has been
reached no emails can be sent from that account. Guidance on exporting and saving emails
can be found in your NHSmail account, or obtained from Midlands and Lancashire
Commissioning Support Unit (MLCSU) IT service.
Contacts
It is the user’s responsibility to ensure that saved contact information is regularly reviewed and
deleted or amended where appropriate.
Contact details must always be included to ensure ease of identification for other users. This
includes job title and contact telephone number. Details should be updated as and when
appropriate.
Signatures can be used.
Please also refer to the ECT Style Guide (please contact Communications Department for a
copy).
4.7 Leavers and suspensions
Leavers – when staff leave the Trust, their email account will be set as a ‘leaver’ and access
removed.
Moving to another NHS organisation - a user’s email accounts can move with them when
moving to another NHS organisation. MLCSU IT Service must be informed by email of your
date of leaving the Trust and NHS destination, copying in your line manager so that your
account can be suspended.
User responsibility - all leavers must ensure that emails are reviewed prior to leaving so that
all Trust information has been deleted or filed appropriately.
Manager’s responsibility - managers must ensure that MLCSU IT Service are informed when
staff leave the organisation.
Manager’s responsibility - managers should consider suspending NHSmail accounts if a
member of staff is suspended.
4.8 Legal requirements
Users of the email system must comply with current legislation regarding the use and retention
of information and the use of computer systems. These include but are not limited to:-
- The Data Protection Act 2018
- General Data Protection Regulation 2018
- Access to Health Records Act 1990
- Freedom of Information Act 2000
- The Copyright, Designs and Patents Act 1988
- Computer Misuse Act 1990
The use of email must also comply with and adhere to Trust rules, codes of conduct, policies
and procedures such as this policy and Privacy, Dignity and Respect policy.
Users must not use email for any purpose that conflicts with their contract of employment.
Users must not agree to terms, enter into contractual commitments or make representations by
email without having obtained the proper authority. (A typed name at the end of an email is just
as much a signature as if it had been signed personally.)
Email messages have the same legal status as other written documents and, if relevant to the
issues, are disclosable in legal proceedings. Email content is treated in the same way as verbal
and written expressions and statements and is admissible in a court of law. It is a commonly
held misconception that emails carry less weight than letters on headed paper. This means that
care should be taken with regard to ensuring users do not:-
- Send messages or attachments that could be deemed libellous, defamatory, harassing or pornographic
- Breach the Computer Misuse Act 1990
- Breach the Data Protection Act 2018
- Breach the General Data Protection Regulation 2018
- Send information in breach of copyright legislation
- Destroy information once it becomes subject to Freedom of Information legislation
The content of any emails may be disclosed under the Data Protection Act 2018 and Freedom
of Information Act 2000.
4.9 Security
Passwords - all passwords and log in details for email systems must be kept confidential.
Sharing passwords or log-in details will be considered misconduct. Where necessary, users can
give proxy access to their email account.
Protect against disclosure - users must lock their computer terminal when it is not in use or
they have temporarily moved away from it. To lock the keyboard automatically, press the
Windows key + L or CTRL–ALT–DEL.
Remote working - any computer used for accessing NHSmail must have up-to-date
anti-virus software installed. Advice about anti-virus software can be obtained from MLCSU IT Service
Desk.
Mobile devices - portable devices, including mobile and smart phones, used to store emails
must be encrypted. NHSmail guidance on using mobile devices must be read and complied
with. The Mobile Configuration Guide for NHSmail can be found at the following link:-
https://s3-eu-west-1.amazonaws.com/comms-mat/Training-Materials/Guidance/mobileconfigurationguide.pdf
Data Losses and Confidentiality/Security Breaches - ALL data loss, security and/or
confidentiality breaches must be reported using Datix, the Trust incident reporting system.
Any staff reporting incidents directly to the MLCSU IT Service Desk will be asked to complete
and submit an incident form to the Information Governance email box:
ecn-tr.informationgovernance@nhs.net.
Where there is a potential breach in patient/staff confidentiality, a copy of the incident form will
be sent to the Information Governance Officer.
4.10 Sending patient or other confidential information by email
Addressing and sending your email - be selective, send the email only to those who really
need it.
Subject heading – do not include identifiable information in the subject header.
NHSmail global address book - NHSmail is a national database and there may be several
persons with the same or similar names at different organisations. Do not assume that the email
of the person you want to contact will be firstname.surname@nhs.net and if you are emailing a
recipient at the Trust ensure that their name is followed by 'East Cheshire NHS Trust -RJN'.
Always validate before sending confidential information.
Before sending, read the NHSmail guidance called “Sharing sensitive and patient
identifiable information”. This can be found using the following link on NHSmail:-
https://s3-eu-west-1.amazonaws.com/comms-mat/Training-Materials/Guidance/sharingsensitiveinformationguide.pdf
Contact the NHSmail Local Organisation Administrator (LOA) via MLCSU IT Service Helpdesk
on 0844 800 9982 or ext 3131 or the Information Governance Officer on 01625 663608 if further
guidance is required.
4.11 Sending an encrypted email from NHSmail to a non-secure email address
Using NHSmail to send emails containing sensitive data in the method described below
removes the need to encrypt or password-protect attachments.
If you have a contact that uses a non-accredited or non-secure email service (e.g. ending
.nhs.uk (excluding *.secure.nhs.uk), Hotmail, Gmail or Yahoo), and you need to exchange
sensitive information with them, firstly you will need to send an encrypted email with [secure] in
the subject line, so that the recipient can open, read and reply to your email securely. By using
[secure] in the subject line, NHSmail will work out if the encryption tool is required and it will no
longer be necessary to check a list of secure domains.
If it is the first time the recipient has received an encrypted email from an NHSmail account, it
will be necessary for them to register for the service before being able to read your email. Once
the initial email has been sent and a reply made, the channel has been created and sensitive
information can be sent securely.
The full guidelines can be found by selecting this link:-
https://s3-eu-west-1.amazonaws.com/comms-mat/Comms-Archive/Accessing+Encrypted+Emails+Guide.pdf
4.12 Guidance for recipients of an encrypted NHSmail email
There is guidance for non-NHSmail users to exchange information securely with a member of
health or social care staff who does use NHSmail. Advice can be found by selecting this link:-
https://s3-eu-west-1.amazonaws.com/comms-mat/Training-Materials/Guidance/encryptionguide.pdf
4.14 Forwarding emails
Users must not forward confidential or sensitive emails from their Trust email account to
non-NHS email accounts. Examples of non-NHS email accounts include Hotmail, Yahoo, AOL, and
email services provided by internet service providers.
4.15 Misuse of the system
Users must not:-
- Use the Trust’s email to conduct private or freelance work for the purpose of commercial gain.
- Create, hold, send or forward emails that have obscene, pornographic, sexually or racially offensive, defamatory, harassing or otherwise illegal content. (If you receive such a message you should report it to MLCSU IT Service Desk immediately.)
- Create, hold, send or forward emails that contain statements that are untrue, inaccurate, misleading or offensive about any person or organisation.
- Access and use another user’s email account without permission. If it is necessary to access another user’s account then contact MLCSU IT Service Desk for details of the necessary procedure. Users should be aware that access to their email account by authorised individuals may be necessary in periods of absence for business continuity reasons.
- Send email messages from another staff member’s email account or under a name other than your own unless proxy access has been given.
- Send global emails to all staff. There are processes that must be followed for such communications. Contact the Communications and Marketing Team for advice.
- Send unsolicited emails (spam) to large numbers of users unless it is directly relevant to the recipient’s work.
- Send emails to large numbers or groups of users unless the recipients have been blind copied (bcc). If the email is not blind copied, individual email addresses will be visible to everyone on the list which may compromise a recipient’s confidentiality.
- Send emails to a distribution list comprising members of the public unless the recipients have been blind copied (bcc).
- Send or forward chain letters or other similar non-work related correspondence.
- Use email for political lobbying.
- Knowingly introduce to the system, or send an email or attachment, containing malicious software, for example, viruses.
- Forge or attempt to forge email messages.
5.0 Monitoring Compliance
5.1 The number of incidents relating to email usage will be monitored and reviewed
5.2 MLCSU IT Service monitors the number and use of NHSmail accounts
5.3 Audit
Where internal audit are carrying out work that includes policies relating to Information
Communications Technology or Information Governance, this policy will be audited. The audit
will include two elements of the policy:
- Six monthly audit of removal of leavers, i.e. leavers checklist is reviewed against address book
- Annual audit of users’ contact details to ensure that they are up to date
Any information held or passing through the email system is the property of the Trust.
At the request of the Chief Executive, the MLCSU may carry out investigations into email
usage.
All external emails are routinely virus scanned and where viruses are detected the email is
quarantined until clean. If this is impossible, then the email administrator will contact the
recipient. In this case the email would be opened by the recipient within the quarantine area.
Formal complaints about misuse of email will be investigated.
Inappropriate emails will be automatically blocked for the protection of the Trust and individuals
(e.g. spam and adult content).
Any monitoring or interception of communications will be carried out in accordance with
legislation such as the Regulation of Investigatory Powers Act 2000, The Telecommunications
(Lawful Business Practice) (Interceptions of Communications) Regulations 2000, The Data
Protection Act 2018, General Data Protection Regulation, and the Human Rights Act 1998
which outline the circumstances in which the Trust can lawfully intercept emails on NHSmail
such as:
- Gaining routine access to business communications
- Monitoring standards of service and training
- Preventing or detecting crime
- Unauthorised use of systems
The policy will be reviewed in 12 months to take account of imminent changes to NHSmail