Mobile Computing Devices Policy
Version: V6.1
Ratified by: Finance & Risk Committee
Date ratified: 06/12/2023
Job Title of author: Information Governance Manager
Reviewed by Committee or Expert Group: Technology Programme Board
Equality Impact Assessed by: Information Governance Manager
Related procedural documents
IGPOL53 Information Security Policy, IGPOL31 Data Protection Policy, IGPOL70 Confidentiality Code of Conduct for Staff
ITPOL14 Bring Your Own Device Policy (BYOD)
Review date: 06/12/2026
It is the responsibility of users to ensure that they are using the most up-to-date document template, i.e. the version obtained via the intranet.
In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version | Date | Author | Status | Comment
V1 | March 2011 | Information Governance Coordinator | Ratified | Reviewed
V2 | November 2012 | Information Governance Coordinator | Ratified | Reviewed
V3 | January 2015 | Information Governance Manager | 2 Year Review | Name changed from Mobile Working Policy & Procedures. Reviewed in line with ICO Risk Review Recommendations. Removal of duplication, reference to supporting policies. Inclusion of Personal Mobile Devices Policy in Appendix 1.
V4 | December 2016 | Information Governance Manager | 2 Year Review | Contents reviewed. Approved Encrypted Devices list updated in line with NHS Mail Guidance. Procedural changes for NHSMail2 included.
V5 | December 2018 | Information Governance and IT Projects Manager | Review |
V6 | June 2022 | Information Governance and IT Projects Manager | Review | Updates made to reflect BYOD Policy
V6.1 | Nov 2023 | Information Governance and IT Projects Manager | Mid Term review | Addition of Fraud section
1. Introduction
The use of portable computer devices and removable media, collectively known as mobile computing equipment, to help staff in the performance of their duties is becoming more widespread. This policy recognises the increased risk to personal information that this way of working poses and complements the organisation’s procedures and guidelines for protecting patient information.
2. Purpose
The purpose of this policy is to protect the information held by the organisation on mobile devices from loss or unwanted exposure, and to minimise the risk of loss or theft of these devices. This policy sets out the security measures and practices that must be employed to minimise the risks related to the hardware, data, and working on a mobile basis.
3. Scope
This Policy covers the mobile computing equipment set out below when it has been purchased or authorised by the organisation. It does not include any equipment owned by staff except for personal mobile phone devices used to access NHS Mail as detailed in Appendix 1. The guidelines apply to all staff including permanent, temporary, and locum members of staff.
• Portable computer devices - includes laptops, notebooks, tablet computers, PDAs and smartphones.
• Removable data storage media - includes any physical item that can be used to store and/or move information and requires another device to access it. For example, CD, DVD, tape, digital storage device (flash memory cards, USB memory sticks, portable hard drives). Essentially, anything to which data can be copied, saved or written and which can then be taken away and restored on another computer.
4. Authorisation
Only authorised staff will have access to mobile computing equipment. Any member of staff allowing access to any unauthorised person, deliberately or inadvertently, may be subject to disciplinary action. Staff should not use their own personal (or unauthorised) computing equipment for organisation business. Other than where approved as part of the BYOD Policy, personal mobile phone equipment is authorised to access Provide NHS Mail accounts only so long as the conditions in Appendix 1 are met.
5. Be Aware of Security Measures in Place
To reduce the risk of loss and unauthorised access Provide has put the following measures in place:
• An asset register entry is made for any mobile computing device provided to a staff member; and this person is listed in the asset register as the nominated responsible owner;
• Encryption is applied to all mobile computing equipment;
• Password protected screensavers are installed on laptops;
• Anti-virus software is in use and is regularly updated;
• NHS Mail is used for the secure transmission of Patient Identifiable Information.
6. Recognise the Risks and Comply with Your Responsibilities
You must ensure you DO:
• Store mobile equipment securely when not in use on and off site;
• Ensure files containing personal or confidential data are adequately protected - Advice can be sought from the Provide IT Service Desk;
• Not use removable media unless absolutely necessary and unless issued or approved by the Technology Team;
• Obtain authorisation before you remove mobile equipment (other than mobile computing equipment issued to you) from the premises;
• Be aware that software and any data files created by you on the organisation’s mobile computer equipment are the property of the organisation;
• Ensure that mobile equipment is connected to the organisation’s network on a regular basis so that software can be updated; this MUST be at least once a month;
• Report immediately any stolen, lost or misplaced mobile equipment to your line manager and the Provide Technology Service Desk (failure to report a stolen mobile phone could result in significant charges from the organisation’s telecoms provider) and submit an incident report via Datix. Stolen equipment must also be reported to the Police.
• Be aware that the security of your mobile computer equipment is your responsibility;
• Ensure that all IT equipment, including mobile equipment is returned to the organisation if you are leaving employment (A final salary deduction may be made if equipment is not returned).
• Return any mobile working equipment to the Provide Technology department when no longer required whether in working order or not, so that it can be redeployed or securely destroyed.
You must ensure you DO NOT:
• Disable the virus protection software or bypass any other security measures put in place by the organisation;
• Store personal information on mobile equipment unless the equipment is protected with encryption, and it is absolutely necessary to do so;
• Remove personal information or mobile computer equipment off site without authorisation;
• Use your own mobile computer equipment for the organisation’s business unless authorisation is sought from the Information Governance Manager and/or the Technology department or where the device is approved and being used in accordance with the BYOD Policy;
• Use your own removable media such as unencrypted memory sticks to transport or hold the organisation’s information;
• Connect any personally owned or non-Provide Issued mobile computing devices to the organisation’s network;
• Allow unauthorised personnel/friends/relatives to use mobile equipment in your charge;
• Disclose VPN token remote access login credentials to anyone including family members.
• Use remote access solutions not provided or approved by the organisation;
• Leave mobile equipment in places where anyone can easily steal it;
• Leave mobile equipment visible in a vehicle when travelling between locations;
• Leave mobile equipment in an unattended vehicle unless locked in the boot and not overnight;
• Leave mobile equipment unattended in a public place e.g. hotel rooms, train luggage racks;
• Install unauthorised software or download software / data from the Internet;
• Delay reporting lost or stolen equipment.
7. Non-Compliance
Non-Compliance with the terms of this policy may lead to disciplinary action and dismissal.
8. Disaster Recovery / Major Incidents
In the event of a major incident or disaster, the organisation may recall and re-allocate all mobile equipment on loan to provide core services.
9. Monitoring and Review
All staff are responsible for monitoring their compliance with the principles and procedures detailed within this policy: line managers and supervisors should also monitor compliance on a regular basis.
This policy will be reviewed every 3 years by the Information Governance and IT Projects Manager.
Earlier review may be required in response to exceptional circumstances, organisational change, or relevant changes in legislation.
10. Fraud
The portability and connectivity of Mobile Computing Devices also introduce potential vulnerabilities that can be exploited for fraudulent activities. To safeguard the integrity of patient data and protect the organisation from financial losses, we will implement robust fraud prevention and detection measures specifically tailored to the use of Mobile Computing Devices. These are covered throughout this policy and include:
• Strong access controls and device management to restrict unauthorised access to the data held on these devices.
• Encrypting sensitive data stored on these devices to protect it from unauthorised access or disclosure in the event of loss or theft.
• Ensuring devices are running the latest security patches and updates to address known vulnerabilities and minimise the risk of exploitation.
• Establishing clear and accessible fraud reporting procedures to encourage colleagues to report any suspected fraudulent activity promptly.
• Taking appropriate disciplinary action against any employee found to have engaged in fraudulent activity.
• Implementing corrective actions to address any vulnerabilities or weaknesses that may have contributed to the fraud incident.
Any suspected fraud should be reported to the organisation's Local Counter Fraud Specialist or NHS Counter Fraud Authority on 0800 028 40 60. Please refer to the Anti-Crime Policy for further information.
Appendix 1: Conditions For the Use of Personal Mobile Devices
Other than where approved as part of the BYOD Policy, Provide allows the use of personal mobile phone devices for the purpose of synchronising a Provide NHS Mail account only. This is subject to the conditions below being followed.
Scope
This applies to any personal mobile device which may be used to synchronise an NHS Mail account. This includes (but is not limited to) mobile phones, Personal Digital Assistants (PDAs) and tablet devices such as the Apple iPad.
The term “synchronise” means that a copy of your emails is stored on the device itself, which presents many security issues due to the risk of theft, loss or unauthorised access. This policy does not cover accessing NHS Mail through a web browser, whereby the data is retained on the system and does not present the same security issues.
These conditions apply to NHS Mail accounts which have been issued by Provide or created whilst employed or contracted by Provide, and which are used to conduct Provide business.
Conditions
In order to utilise a personal Mobile Device to synchronise to NHS Mail, the following conditions must be met:
Approved Devices
Provide only allows the use of mobile devices which are approved by NHS Digital. These are devices which meet the minimum security standards required to protect the information whilst stored on the device, including encrypting the information to the prerequisite level (256-bit AES encryption).
The following devices automatically encrypt data at rest and are approved for access to NHS Mail:
• Apple iPhone 5/6/7/8/10 and the Apple iPad and iPad 2 running iOS 4.3 and later
• Blackberry with NotifySync 4.7 or higher installed – users who already have it installed can continue using it, but for new devices it is not required.
• Blackberry OS 10 and greater (e.g. Z10).
• Windows Mobile 10.
• Android devices with Symantec Touchdown installed - users who already have it installed can continue using it. Newer Android devices include an encryption-at-rest capability and do not require Touchdown to be installed.
For more information about encryption and an up-to-date full list of compatible devices, please see:
https://s3-eu-west-1.amazonaws.com/comms-mat/TrainingMaterials/Guidance/mobileconfigurationguide.pdf
The use of non-encrypted devices is prohibited.
Passcode (Password)
A device passcode prevents unauthorised users from accessing data stored on the mobile device or otherwise gaining access to the device. NHS Mail device settings policy will determine the mandatory set of minimum security requirements, including timeout periods, passcode strength, and how often the passcode must be changed. These settings are enforced by NHS Mail and must not be circumvented.
Information Security and Confidentiality
You are responsible for maintaining the security and confidentiality of, and preventing unauthorised access to, the information held on your personal device.
If the device is no longer under your control (e.g. selling, loaning, disposing, sending off for repair) then all Provide data must be erased from the device and the associated NHS Mail account settings removed.
If leaving the employment of Provide, all associated data must be erased from the device.
Users must ensure that the latest security patches are applied to their phone.
“Jailbroken” Devices
Jailbroken devices are ones which have moved away from the manufacturer’s standard specification, which may include overriding the standard security settings of the device. Jailbroken devices are not permitted by the organisation to access Provide NHS Mail accounts.
Remote Wipe
Any devices that are lost or stolen and are used to synchronise to NHS Mail must be remotely wiped. This may be initiated through the NHS Mail web portal which will remove all data from the device:
• Log into your account at www.nhs.net
• Select “Email” from the menu
• From your inbox click on the settings icon in the top right
• Select ‘Options’
• Click on ‘Phone’ in the left hand menu
• Select the device you wish to wipe
• Click on the ‘Wipe Device’ icon
The Technology Service Desk (0300 303 9955) can also do this on your behalf.
If it is considered that this is, or has the potential to be, a clinical safety or Information Governance incident, then this should also be reported on the organisation’s Datix Incident Reporting System in line with the organisation’s Incident Reporting Policy.
The organisation reserves the right to initiate a remote wipe of a mobile device at any time without warning if a user is deemed not to be working to the terms and conditions of this policy.
The organisation will not be responsible for any loss of data stored on the mobile device as a result of applying this policy. It remains the responsibility of the individual to ensure their information is backed up prior to synchronising their NHS Mail account.
Performing a remote wipe will remove all data from a device including any personal data and settings.
Data Backup and Cloud Based Storage
Cloud-based storage systems (e.g. iCloud, Dropbox, Google Cloud etc.) must either be switched off or be set not to back up emails received into your NHS Mail account. Backing up such emails not only has the potential to compromise security but may also breach the Data Protection Act (transfers of data outside the EEA) and therefore may be deemed a breach of the organisation’s Data Protection Policy.
Accessing Other Provide Systems
Accessing other Provide corporate or clinical systems, or downloading Provide personal or sensitive personal information to a personal mobile device, is strictly prohibited.
Failure to follow any of these conditions may result in disciplinary action and dismissal.
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’
Name of project/policy/strategy (hereafter referred to as “initiative”):
IGPOL67 Mobile Computing Devices Policy
Provide a brief summary (bullet points) of the aims of the initiative and main activities:
Mobile computing devices
Project/Policy Manager: Petra Lastivkova
Date: 06/12/2023
This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.
Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.
N/A
Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?
N/A
Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.
N/A
Guidelines: Things to consider
Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old), race and ethnicity, gender, disability, religion and faith, and sexual orientation.
The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.
Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.
Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.
Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?
It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.
It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:
(To be used where the ‘screening’ phase has identified a substantial problem/concern)
This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.
Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?
N/A
Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?
N/A
Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?
N/A
Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.
N/A
Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?
N/A
Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.
N/A
Guidelines: Things to consider
An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.
It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.
The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.
If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.
Further information:
Useful Websites
www.equalityhumanrights.com – Website for new Equality agency
www.employers-forum.co.uk – Employers forum on disability
www.efa.org.uk – Employers forum on age
© MDA 2007