ITPOL05 Information Technology Software Management

Information Technology

Software Management

Version: V5

Ratified by: Finance & Investment Committee

Date ratified: 03/04/2024

Job Title of author: Assistant Director – IT & Systems

Reviewed by Committee or Expert Group: Technology Programme Group

Equality Impact Assessed by: Assistant Director – IT & Systems

Related procedural documents:

IGPOL88 Email Internet, Instant Messaging & Social Media Policy

IGPOL53 Information Security Policy

ITPOL06 IT Hardware Asset Management Policy

Review date: 03/04/2027

It is the responsibility of users to ensure that they are using the most up-to-date document template, i.e. the one obtained via the intranet.

In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.

Version Control Sheet

Version Date Author Status Comment

V1 07/09/2014 Head of IT & Data Adopted Approved by the Technology Programme Group

V2 12/04/2016 Head of IT & Data Version Approved Approved by the Technology Programme Group

V3 09/03/2018 Head of IT & Data Version Approved Approved by the Technology Programme Group

V4 14/01/2020 Assistant Director – IT & Systems Approved by Technology Programme Group General Update Inclusion of AntiMalware and Malicious Software information.

V5 01/10/2023 Assistant Director – IT & Systems Version Approved Approved by Technology Programme Group

1. Introduction

This policy sets out the high-level principles for the management of software used within Provide or connecting to the Provide network and should be read in conjunction with:

• IGPOLCORE88 Email, Internet, Instant Messaging & Social Media Policy

• IGPOL53: Information Security Policy

• ITPOL06: IT Hardware Asset Management Policy

• IGPOL90 Data Protection (Privacy) Impact Assessment Policy and Procedure

Information from the interim ‘Anti-Piracy Policy’ and ‘Malicious Software Policy’ has been combined into this policy.

2. Purpose

Provide’s staff are increasingly reliant on technology. Having software that is safe, legitimate, fit for purpose and properly managed helps enable good staff productivity levels and ultimately supports Provide’s ability to deliver excellent patient care, and to retain and win new business.

This policy defines the key principles, processes and responsibilities of Provide and its staff to ensure there is good practice for the purchase, management, use and licensing of systems.

3. Benefits

Implementation of this policy will encourage the use of technology and contribute to ensuring Provide’s staff have fully licensed software that supports them in undertaking their duties in a productive manner.

The policy will allow the future cost of software to be accurately forecast, avoid the cost of unnecessary or unused licences and ensure compliance with all relevant legislation and policies.

4. Scope

This policy applies to all Provide staff and all users of Provide’s software and hardware, including but not limited to: contractors, consultants, commissioners, suppliers and temporary staff.

This policy covers all software installed on Provide’s IT equipment regardless of licensing requirements and all software (including shareware and freeware) installed on or behalf of Provide, regardless of ownership of the equipment it is installed on. Software subscriptions are out of scope.

This policy includes software installed on the following devices:

• All types of external drive

• Desktop computers

• Handheld computers or organisers

• Laptops and tablet computers

• Mobile phones

• Servers

• Network associated devices and other infrastructure equipment

This policy will also apply to companies in the Provide group for which Provide undertake the IT support and there is no local IT Policy.

5. Software Procurement

Prior to purchase, all software must be formally assessed and approved by the Information Governance Manager, Assistant Director – Technology & Systems and the Technology Programme Group. Once approved, the software will be listed on the IT Service Catalogue. Software on the service catalogue can be requested by Provide staff; the outcome of each request may be subject to available licences, cost, suitability and management approval.

Software should only be purchased if it is listed in the IT Service Catalogue and funding for the software, trialling, support and ongoing costs is identified prior to purchase. Provide are committed to replacing outdated software before it fails, support is ended or the degradation in performance becomes problematic. The Provide Technology Team are responsible for recommending to the Technology Programme Group when IT software needs to be upgraded or replaced.

Software must only be purchased by, or with the consent of, the Provide Technology Team. Where possible, systems that contain patient data should only be procured if access can be controlled by smartcards.

Software Delivery

All newly purchased software must be delivered directly to the Technology Team so that licences can be verified and asset registers updated. No other departments or staff should take delivery of software.

6. Software Installations and Updates

The lists of standard and available software will be reviewed by the Provide Technology Team on a regular basis and changes will be reflected in the Service Catalogue.

Users are not permitted to download or install software, including executable files; this must only be done by the Technology Team. The only exception to this is the installation of drivers and patches from a known source under the instruction of Provide Technology Team staff.

In most cases, it will only be possible to install software with administrative rights; these will only be issued to qualified staff that are working as part of or for the Provide Technology Team.

Software will only be installed once this has been approved by the user’s line manager and a licence has been identified or purchased.

Software will only be installed if it is listed in the Service Catalogue.

Software Registration

All software must be registered to the organisation that owns it and not to individual users or departments, regardless of who has paid for the software.

Standard Software

Standard software will be installed on all Provide computers; this configuration is regularly reviewed by the Provide Technology Team who will maintain build documents containing details of the latest configuration.

Available Software

A full list of available software can be found in the service catalogue. The most commonly used available software is listed below and can be requested to be installed; requests will be assessed on a case-by-case basis and will be subject to compatibility with existing software, cost, need and available licences:

• Microsoft Visio

• Nuance Power PDF

• Dragon

Software Audit

Provide will install monitoring software on its devices and can at any point choose to monitor what software is installed on the devices. The discovery of unauthorised software may result in disciplinary action being taken against anyone that has installed or was complicit with the installation of unauthorised software.

Software Disposal

Software may be present on devices being disposed of and therefore Provide will only allow hardware to be disposed of by an organisation that is under contract and conforms with the Waste Electrical and Electronic Equipment (WEEE) Directive.

Malicious Software

Malicious software can infect our network from a number of sources. Whilst the Technology Team will maintain a number of defences against this, such as Anti-Virus Software and Firewalls, a common way of introducing malicious software for the purposes of cyber-crime is by electronic communication. All users must adhere to the following rules to protect against this:

1. Do not open communications where there is any concern or suspicion about them; these should be deleted from the inbox and deleted items. This includes the following scenarios that should raise concern:

a. Items with unexpected attachments, even if they appear to come from a known source.

b. Items with a double file extension, such as .txt.scr

c. Items from a suspicious or unknown source

d. Items that require the use of Macros

2. If there is any doubt about the legitimacy of an electronic communication, the Service Desk must be contacted for advice, prior to opening it or any attachments

3. If an electronic communication or attachment has been opened and there is then a doubt about its legitimacy, the user must immediately inform the Technology Service Desk, leave the attachment closed and await further instructions

4. Users must switch off any device that is suspected of being infected by a virus and ensure isolation from any network, and immediately inform the Technology Service Desk

5. Macros must remain disabled, including whenever the relevant dialogue box appears, unless absolutely certain of the source of the document.

Users must not flood the Organisation’s system by passing on unconfirmed virus warning messages. The only virus warnings within the Organisation must come from the ISMS Manager; these may be sent by the Provide Communications Team.

Copying Software

Provide does not tolerate the use of unauthorised copies of software; any employee found copying software illegally is subject to dismissal.

Users must not make illegal/unlicensed copies of software, even if expressly requested to do so by any third party, including contractors, suppliers and service users. Staff should call the Technology Service Desk if in doubt or if they feel under pressure in this regard. Any concerns or breaches with regards to software should be reported to the Assistant Director – IT & Systems.

Written permission from the Assistant Director – IT & Systems must be obtained if you want to copy any programme that is installed on your computer or smartphone, for whatever reason.

Staff are not permitted to use software licensed by the Organisation on home devices without written permission from the Assistant Director – IT & Systems.

7. Licensing

Provide requires that all software installed on Provide equipment is properly licensed.

Use of any unlicensed or duplicated software program is illegal and can expose the user and the Organisation to civil and/or criminal liability with regard to Intellectual Property Rights*/Copyright law. The Organisation takes this very seriously, and any breach of these rules may result in disciplinary action, including dismissal.

*Having the right type of intellectual property protection helps you to stop people stealing or copying: the names of your products or brands, your inventions, the design or look of your products, things you write, make or produce. Copyright, patents, designs and trade marks are all types of intellectual property protection <https://www.gov.uk/intellectualproperty-an-overview/protect-your-intellectual-property>. You get some types of protection automatically, others you have to apply for. (source: gov.uk)

Each piece of software will have its own licence agreement that must be adhered to by its users; the Provide Technology Team and all Provide staff must ensure compliance with these terms.

Legislation

Using software without the correct licence or using software outside of the terms and conditions of the licence could amount to copyright infringement, which could lead to unlimited fines or two years’ imprisonment.

The Copyright, Designs and Patents Act 1988: This act covers ‘Intellectual Property rights’ including software and protects the investment in the software by the copyright owner by making it illegal to do any of the following unless allowed to by the software licence:

• Copy software

• Use pirated software (as a copy would be created)

• Transmit software (as a copy would be created)

Examples of the above are as follows:

• Copying Provide-owned software onto a non-Provide computer

• Copying privately owned software onto Provide computers

• Putting a singularly licensed copy of software onto a LAN server for use of multiple users without purchasing the additional licences.

8. Role and Responsibilities

To enable software to be managed effectively, staff at all levels within Provide will need to play their part. Some of the key responsibilities are listed below:

Executive Directors

Responsible for ensuring procedures are in place within their directorates that ensure staff are aware of their responsibilities contained within this policy and that these responsibilities are adhered to.

Director – IT & Systems

The Assistant Director – IT & Systems is responsible for:

• The implementation and updating of this policy every two years or sooner following any significant change

• Investigating inappropriate use of software, or use of unlicensed software; this will include completion of Datix Incident Forms

• Ensuring that there are procedures in place that ensure that, where possible, all equipment that will no longer be used by Provide has all software removed and, where this is not possible, the hard drive is destroyed

• Ensuring that IT equipment is disposed of in accordance with all legislation and Provide’s policies

• Ensuring all data is removed from IT equipment in accordance with all legislation

• Ensuring the IT department hold a copy of the ‘certificate of compliance’ for the company Provide use for the secure disposal of IT equipment

• Ensuring all sensitive data stored on desktops, tablets, laptops, mobile phones and other IT devices is stored securely and where appropriate at the required level of encryption

• Leading investigations into reported breaches of this policy

Assistant Director – IT & Systems

The Technology Operations Manager is responsible for:

• Ensuring all Provide purchased software licences and licences owned by third parties but used by Provide are recorded on a licence inventory; this document must retain a trail of licences back to the original version if licences have been upgraded

• Ensuring that where possible, the setup of Provide computers does not give the ability for users to download and install software that requires approval by the Provide Technology Team

• Ensuring regular reconciliations are performed between the licence inventory and those installed on Provide computers

• The provision of reports relating to software and licensing

• Ensuring all Provide computers and servers have monitoring software installed on them

• Ensuring there are up to date build documents that contain details of standard software

Line Managers

Line managers are responsible for:

• Ensuring the Technology Team are informed of any software that is specifically purchased for a user (such as Microsoft Project and Microsoft Visio) that is unused or likely to be unused so that this can be removed and utilised elsewhere in Provide; this may occur in cases of long-term sick or maternity leave

• Ensuring staff members that leave the department have the appropriate RA form completed to cease their access to the systems that are no longer required. If the leaver has access to a system where access is controlled by password, the system administrator must be informed

• Ensuring their staff have read and understood this policy

• Ensuring that members of their team receive the appropriate training to enable them to access and use Provide’s systems correctly

• Ensuring members of their team receive the appropriate access rights to the trust’s networks and systems and that these are removed when staff leave

• Ensuring that the Provide Technology Team are involved with the assessment of any new software they are considering purchasing and that no purchase is made without the approval of the Provide Technology Programme Group

• Ensuring that they or their team members do not purchase software; this must be done by the Technology Team.

All Staff

All staff must:

• Make all requests for new, additional or upgraded software through the approved process

• Ensure software is used in an appropriate manner, in accordance with the software licence and only for work purposes

• Be aware that Provide’s systems have the capability to audit who has accessed them; inappropriate use will be reported to their line manager who may take disciplinary action in line with Provide’s policies

• Ensure that passwords and smartcards are not shared in any circumstances

• Not install any software, other than mobile phone apps listed on the ‘Pre-approved smartphone apps list’ to any work devices themselves, especially where this is being downloaded from the internet

• Understand that any failure to comply with this policy could result in disciplinary action which may ultimately lead to dismissal or criminal prosecution

Provide Technology Team

The Provide Technology Team is responsible for:

• Updating the CMDB with details of new, upgraded or ceased software

• Ensuring, prior to installing software, that there is a valid licence and updating the relevant register

• Assessing requests for new software in a timely manner, ensuring there is an available licence before granting a request

• Using software discovery tools to regularly audit software installed on computers and servers connecting to the Provide network

• Ensuring the licence inventory is updated each time a licence is purchased, installed or removed

• Ensuring new versions of software are assessed and producing recommendations with regards to implementation of the updates to the Technology Programme Group

• Supporting services by assessing software they are considering for future use

• Ensuring high quality advice and guidance in relation to the purchase and use of IT software is provided

• Following all policy, guidance and legislation that relates to the use and installation of software

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

IT Software Management Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

This policy sets out the high level principles for the management of software used within Provide or connecting to the Provide network.

Project/Policy Manager: Assistant Director – IT & Systems Date: 14/01/2024

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

All staff will benefit from this policy.

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

This policy is neutral.

Q3. Is the impact of the initiative – whether positive or negative – significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

No further actions required.

Guidelines: Things to consider

Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old), race and ethnicity, gender, disability, religion and faith, and sexual orientation.

The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan. Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?

It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or a monitoring/evaluation system will be set up to review a policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the ‘screening’ phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

Guidelines: Things to consider

An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.

It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.

The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.

If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful Websites

• www.equalityhumanrights.com – Website for new Equality agency

• www.employers-forum.co.uk – Employers forum on disability

• www.disabilitynow.org.uk – online disability related newspaper

• www.womenandequalityunit.gov.uk – Gender issues in more depth

• www.opportunitynow.org.uk – Employer member organisation (gender)

• www.efa.org.uk – Employers forum on age

• www.agepositive.gov.uk – Age issues in more depth

© MDA 2007 EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage One: ‘Screening’
