HSPOL06 Security Policy v5


Version: V 5

Ratified by: Property Health Steering Group

Date ratified: 01/02/2024

Job Title of author: Head of Health, Safety and Compliance

Reviewed by Committee or Expert Group: Property Health Steering Group

Equality Impact Assessed by: Head of Health, Safety and Compliance

Related procedural documents

HSPOL06 Security Policy

HSPOL19 Lone Working Policy

HSPOL16 Violence & Aggression Policy

HSPOL13 Business Continuity & Service Recovery Policy

IGPOL62 Information Governance Policy

SGPOL02 Safeguarding Children and Young People Policy

SGPOL07 Safeguarding Adults

HSPOL03 Closed Circuit Television (CCTV) Policy

ITPOL006 Asset Management Policy & Procedures

HSPOL08 Health & Safety at Work Policy

IGPOL53 Information Security Policy

QSPOL01 Incident Reporting Policy and Procedure

QSPOL09 Risk Management Policy

Review date: 1 February 2027

It is the responsibility of users to ensure that they are using the most up-to-date document template – i.e. obtained via the intranet.

In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.

Version Control Sheet

| Version | Date | Author | Status | Comment |
|---|---|---|---|---|
| v2 | June 2016 | Head of Safety & Resilience | Revised | previously IGPOL87 |
| v3 | August 2018 | Head of Safety & Resilience | Revised | |
| V4 | May 2023 | Head of Health, Safety and Compliance | Ratified | FIC |
| V5 | Feb 24 | Head of Health, Safety and Compliance | | Reviewed to remove reference to NHS Protect and ASMS. Clear desk and general requirements added |

1. Introduction

Security affects everyone who uses our Health or Social Care services. The security and safety of staff, patients/service users, contractors and property must be a priority within the delivery and development of Provide Services. All of those working within Provide have a responsibility to be aware of these issues and to assist in preventing security related incidents and losses. In line with published guidance, Provide is committed to providing the best possible protection for its staff, patients/service users, contractors and property.

The aim of this Security Policy is to ensure that the optimum level of security is achieved and that accessibility to our services is reconciled with integrated security measures, designed to protect staff, patients/service users, contractors’ property, and possessions. Maintaining discreet and effective security and safety enables staff, patients, and visitors alike to be confident in the knowledge that the environment they are in is a safe and secure one.

Provide has a legal duty of care to provide a safe place of work for staff under the Health and Safety at Work Act 1974 (HSW Act). This includes protection from violence or the risk of violence. The duty of care does not mean that the employer should guarantee staff safety, but rather that they should undertake all reasonably practicable actions to protect staff from foreseeable risks.

All staff must be aware of and apply the principles of effective risk management so as to ensure that their own security, health and safety and that of their patients and colleagues are maintained at all times in accordance with the HSW Act 1974 and organisational policies.

Provide is required under General Condition 5.9 of the NHS Standard Contract to have regard to the NHS Violence Prevention and Reduction Standard Strategy with regard to Counter Fraud and the work of the Local Counter Fraud Specialist (LCFS).

2. Purpose

The aim of the Security Policy is to support the organisation in delivering high quality services and the organisation’s commitment to providing a safe and secure environment for staff, patients/service users and visitors. Security is the responsibility of all staff in not only safeguarding their own wellbeing and personal property but also that of patients/service users, visitors and Provide property.

Provide seeks to provide a safe environment for staff, patients and visitors by providing security measures across sites, training to deal with violence and aggression and to minimise security risk to all through continuous vigilance and improvement.

3. Definitions

Criminal Damage: Damage caused by any person to the property of another without lawful consent; can include negligent acts. Includes graffiti and vandalism.

Physical Assault: The intentional application of force to the person, without lawful justification, resulting in physical injury or personal discomfort.

Clinical Assault: The application of force to the person, without lawful justification, due to the clinical condition, resulting in physical injury or personal discomfort.

Non-Physical Assault: The use of inappropriate words or behaviour causing distress and/or constituting harassment.

HSW Act: Health and Safety at Work Act 1974

4. Duties

Group Chief Executive

Has overall responsibility for all matters pertaining to security and this authority is delegated to the Executive Finance Director, who is the Security Management Director (SMD) for Provide.

The SMD has overall accountability for security and shall ensure:

• Appropriate action is taken to ensure compliance with any Health or Social Care standards for the management of security

• Responsibilities for security matters are properly assigned

• Requirements for additional resources to meet the objectives of the policy are brought to the attention of the Board

• Compliance with the policy is monitored by review reports provided to the Health and Safety Oversight Group

• Security is given adequate consideration prior to any major changes in Provide’s activities

• Staff receive appropriate training in security matters

• Appropriate security procedures are established and implemented

• Security risks are suitably assessed

• Where a criminal offence against Trust employees, contractors or property is suspected the Police are immediately informed, except in the case of a suspicion of fraud where the matter should be reported immediately to the Executive Finance Director and Provide’s Local Counter Fraud Specialist (LCFS)

Head of Health Safety and Compliance

The Head of Health, Safety and Compliance will act as the Security Management Advisor for Provide and will have responsibility to ensure that:

• Reports as appropriate are generated and presented to the Health and Safety Oversight Group

• Accurate records of any breaches or suspected breaches of security are maintained

• Security management work is carried out in accordance with the NHS standards for the management of security

• Appropriate security incidents or breaches are notified to the Health and Safety Oversight Group

• Investigations into security matters are conducted where appropriate

• Advice is given to staff on key preventative and proactive measures to raise security awareness and reduce risk

• Advice is given in relation to site security

• Advice is given in relation to personnel security.

Data Protection Officer

The Information Governance Manager is responsible for supporting the organisation’s information governance and information security agenda, ensuring that the organisation meets its statutory and corporate responsibilities and engenders trust from the public with regard to how it manages their personal information.

The organisation’s Data Protection Officer’s role is to:

• Maintain an awareness of information governance issues within the organisation

• Review and update the information governance policy and strategy in line with local and national requirements

• Establish protocols on how information is to be shared internally and externally with other providers

• Develop Information Governance awareness and training programmes for staff

• Ensure compliance with Data Protection, Confidentiality, Freedom of Information, Information Security and other information related legislation

• Manage information security issues and involve the Head of Health, Safety and Compliance for physical security where appropriate

Directors/Assistant Directors and Team Managers

• To be accountable for the practical application of the Security Strategy within their area of control and in line with the organisation’s Security Policy

• To ensure appropriate overall co-ordination of security within the services within their area of control including compliance with all relevant organisational policies.

• To agree arrangements for risk management responses to security issues

• To receive and act on advice from the Head of Health, Safety and Compliance as required.

• To ensure that all staff, including temporary staff, contractors, students etc. within their area of responsibility, receive the correct training to ensure their own and others’ safety as well as promote the protection of Provide assets

Employees

• To work in compliance with Provide’s Policies and Procedures

• To work within organisational policies and guidelines to ensure the security of Provide/service user/personal property

• To report all security breaches/violent incidents/near misses using the Datix/Access incident reporting system

• To liaise with senior managers when involved in a violent or security related incident and co-operate with investigations

• To embrace and commit to the organisation’s Pro-Security Culture

5. Consultation and Communication

The security management strategy applies to:

• All Provide owned and leased premises

• Service Users

• Staff employed by the organisation including seconded, bank, full-time and part-time employees

• Visitors

• Contractors

• Sub-contractors

• Students

• Volunteers

• All other persons engaged in business on behalf of Provide

6. Monitoring

Reports as appropriate are generated and presented to the Health and Safety Oversight Group, Finance and Investment Committee and the Quality and Safety Committee.

7. Training

Provide is committed to ensuring all staff receive training appropriate to their role. All staff will receive Conflict Resolution Training. Staff who are deemed by the organisation’s Occupational Health provider as not sufficiently physically fit to attend the above training will be risk assessed within the terms of their role and appropriate adjustments made and reviewed at a minimum annually. Further training will be arranged following a formal training needs analysis for their role.

8. Risk Assessment

Provide has well established risk management arrangements detailed in the Risk Management Strategy.

Risk specific assessments i.e. lone working etc. are completed by staff and by the team managers with assistance from the Health and Safety Team for support and advice.

9. Clear Desk and Clear Screen

To ensure that personal, confidential or otherwise sensitive information (in digital and physical formats) and information assets (for example, computers and mobile devices, notebooks etc.) that hold or provide direct access to confidential information, are not left unprotected at desks or in personal workspaces or public settings when they are not in use.

Clear Desk

• Ensure you have taken reasonable measures to prevent unauthorised access to confidential information. Lock away documents containing Restricted or Confidential information when the records are not in use and, in particular, when the office/workspace is unoccupied or the workstation is left unattended for an extended period of time.

• If you are away from your desk for a short period of time, ensure any hard copy records containing confidential information are not left in view and that devices/screens are locked.

• Avoid printing or duplicating documents unnecessarily. Do not leave printing on or by copiers for others to find: wherever possible, remain at the printer while your print job is in progress. Keep your Smart Card safe and report any loss of a card without delay.

• Store confidential records and files securely and out of sight. Pedestal and tambour units, drawers, filing cabinets and/or shared cupboards and store rooms should be locked when left unattended.

• Keep desks and workspaces free of clutter. Actively manage records and data at all stages of the information life cycle, using appropriate storage solutions to ensure the safekeeping, accessibility and retention of records for as long as required.

• Do not put confidential information on sticky notes and/or leave such notes on monitors, boards or under keyboards.

• Dispose of documents with restricted or confidential information in a timely and secure manner, via confidential waste or by shredding.

• Do not place sensitive or confidential documents in the general waste.

• Erase information on white boards and take away or dispose of flip-chart sheets securely after use and remove any documents/papers used during meetings/training/teaching when vacating meeting rooms and dispose of them securely (for example, via confidential waste or shredding).

Clear Screen

• There is a risk that information could be viewed by unauthorised users if left on an unlocked and unattended monitor or display screen. Lock your computer screen whenever it is left unattended. For Windows machines, use Ctrl+Alt+Del and Enter or the Windows key and ‘L’.

• Log out of accounts/applications and devices when they are not in use for any length of time.

• Position/protect screens and devices to prevent members of the public, or people passing by who lack the necessary authority, from being able to see any confidential information that may be displayed there.

Remote/home working

Follow the same policies when working away from the office, including at home. Be aware of the risks of others (including family) being able to view or access confidential material - for instance by ‘shoulder surfing’ or being able to listen into confidential conversations, whether at home, when travelling or in public locations, such as conferences and cafes.

10. General Security Arrangements

Creating a pro-security culture amongst staff, professionals and the public - to engender a culture where the responsibility for security is accepted by all and the actions of the minority who breach security are not tolerated.

Deterring those who may be minded to breach security – using publicity to raise awareness of what the consequences of their intended actions could be, both personally and to Provide CIC.

Preventing security incidents or breaches from occurring, wherever possible, or minimising the risk of them occurring by conducting risk assessments, learning from operational experience about previous incidents, using technology wisely and sharing best practice.

Detecting security incidents or breaches and ensuring these are reported in a simple, consistent manner across the Company so that trends and risks can be analysed, allowing this data to properly inform the development of preventative measures or the revision of policies and procedures, both nationally and locally.

Investigating security incidents or breaches in a fair, objective and professional manner, to ensure the causes of such incidents or breaches are fully examined and fed into prevention work to minimise the risk of them occurring again and those responsible for such incidents are held to account for their actions.

Applying sanctions against those responsible for security incidents and breaches, including civil and criminal action as appropriate.

Seeking redress through the criminal and civil justice systems against those whose actions lead to loss of resources, through security breaches or incidents, and ensuring that those who are the victims of violence within the Provide CIC environment are supported to seek appropriate compensation from offenders for loss of earnings or for the effects of injuries sustained.

Unauthorised visitors

Staff should be alert to the fact that the organisation may receive unauthorised visitors. Staff who identify potential unauthorised visitors to Provide sites should alert their line manager immediately. Any such visitors should be approached only if it is thought safe to do so. If someone is identified in Provide work areas who has no legitimate reason to be there, they should be asked respectfully to leave and the incident reported via the appropriate incident reporting system, Datix/Access.

Bomb Threats

The vast majority of bomb threats are hoaxes. Making such malicious calls is an offence contrary to Section 51 of the Criminal Law Act 1977 and should always be reported to the Police with support from the Health and Safety Team. Any member of staff receiving such a call should seek the immediate advice of the most senior manager available and contact the Health and Safety Team. Any suspicious packages must not be moved and should be reported to the Health and Safety Team for advice.

Security access devices (cards, fobs, tokens, Smart cards)

Security access/devices are allocated/returned to staff via the new starter/leavers process.

• Lost security devices should be reported via the incident reporting system Datix/Access before a replacement fob can be issued.

• Lost devices should also be reported to your Line Manager.

• Security devices should not be shared with others.

Identification Badges

ID Badges are issued to all staff on commencement of employment. Persons not wearing an ID badge should be challenged and asked to identify themselves.

When staff leave, all ID badges should be returned to the Line Manager and destroyed as per the IG process. If an ID badge is lost or stolen this must be reported to the Line Manager and reported onto the incident reporting system (Datix/Access) before a new ID badge is supplied.

Visitors / Contractors

All visitors/contractors are to sign in and out of Provide premises. For security reasons some premises require visitors to be escorted to and from their destination.

Property/Assets

All property should be securely managed. Managers and staff should follow the roles and responsibilities set out within this procedure. All IT equipment is secured behind door access controls with the exception of some reception areas where the desktop PCs are encrypted.

Personal Property/assets

Staff should be aware that Provide cannot accept liability for loss or damage to staff property brought onto its premises.

Staff are advised to take adequate precautions to ensure the safety of their possessions and not bring valuables to work. Where storage has been provided for personal use, the individual to whom it is allocated will be responsible for ensuring it is locked.

Staff must report any loss of or damage to their belongings and co-operate in any consequent inquiry into the loss or damage. If private property has been stolen, then it is the owner’s and not Provide’s responsibility to report the matter to the Police. This should be after notifying a Line Manager and reporting the incident on the Datix/Access reporting system. Any incident management or Police reference number assigned should also be recorded on the incident log.

Security of Motor Vehicles

Provide cannot accept liability for any motor vehicle or its contents when they are parked on a Provide site or when the vehicle is being used by staff on Provide business.

Lease Cars

In the event of an incident or accident involving a lease car, the employee must notify their manager and the lease company in accordance with the car lease agreement and also report onto the incident reporting system.

Prevention of Violence to Staff

Provide has a duty to provide a safe and secure environment for all employees and visitors and has a zero-tolerance approach to violence or abusive behaviour. Provide takes a very serious view of violence, abuse and aggression at work and recognises its responsibility to protect employees and others who may be subjected to any acts of violence, abuse or aggression, whether or not the act results in physical or non-physical assault and whether carried out by members of the public, patients, service users, relatives or by members of staff. Violent or abusive behaviour will not be tolerated, and decisive action will be taken by Provide to protect staff and visitors.

Reporting of Security Incidents

All staff have a responsibility to report all crimes and breaches of security and should refer to the Incident Reporting and Management Policy.

Reporting falls into the following categories:

• Assault or abuse of a staff member or visitor. All incidents of assault or abuse must be reported through the incident reporting system and should be reported as soon as practical after the incident. All physical assaults to staff should be reported by the Manager through the incident reporting system Datix/Access.

• Where a security incident or crime is in progress it should be reported immediately to the Police and the senior manager on site. The incident must be reported via the incident reporting system as soon as possible after the incident.

• Where a criminal incident is discovered after the fact and the time of the offence is not known, the incident must be reported as soon as the crime is discovered. The manager should then inform the Police as it may be necessary to obtain a crime reference number for insurance purposes etc.

• Where a security incident involved the theft of personal information this must immediately be reported via Datix/Access. Any theft or loss of data storage e.g. computer, laptop etc. should be reported in this way. Also, incidents where systems are suspected of being compromised should be reported.

All cases of suspected fraud or corruption should be notified immediately to your line manager and the Local Counter Fraud Specialist (LCFS) informed.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

HSPOL06 Security Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

Project/Policy Manager: Head of Health, Safety and Compliance Date: May 2023

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

Neutral

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

Neutral

Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

Neutral

Guidelines: Things to consider

Equality impact assessments at Provide take account of relevant equality legislation and include age, (i.e. young and old,); race and ethnicity, gender, disability, religion and faith, and sexual orientation.

The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.

Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?

It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the ‘screening’ phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

N/A

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

N/A

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

N/A

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

N/A

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

N/A

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

N/A

Guidelines: Things to consider

An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.

It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.

The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.

If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful Websites

• www.equalityhumanrights.com – Website for new Equality agency

• www.employers-forum.co.uk – Employers forum on disability

• www.efa.org.uk – Employers forum on age

© MDA 2007
