ITPOL06 Hardware Asset Management by Provide Community

Version: V4

Ratified by: Finance and Investment Committee

Date ratified: 05/09/2023

Job Title of author: Director IT & Transformation

Reviewed by Committee or Expert Group Technology Programme Group

Equality Impact Assessed by: Director IT & transformation

1. Introduction

This policy sets out the high-level principles surrounding the IT equipment lifecycle, from ordering to the secure disposal of redundant equipment.

2. Purpose

Our staff are increasingly reliant on technology. Having equipment that is fit for purpose and properly managed can have an enormous impact on staff productivity levels and ultimately on Provide’s ability to deliver excellent patient care, retain tenders and win new business

This policy defines the key principles, processes, and responsibilities of the Provide Group and its’ staff to ensure that IT equipment is being used to improve productivity

3. Benefits

Implementation of this policy contributes to ensuring Provide Group staff have IT equipment that supports them in undertaking their duties in a productive manner.

Implementation of this policy encourages the use of technology; particularly for mobile workers which in turn supports high quality care by encouraging record keeping at the time of care.

The policy supports the cost forecasting of IT equipment for future years.

The policy sets out how IT equipment is re-used where appropriate or disposed of in accordance with all relevant legislation and policies.

4. Scope

This policy covers IT related equipment that is currently owned by, being procured by or being disposed of Provide CIC and all Provide Group companies. For the purposes of this policy, IT related equipment includes the following items:

• All types of external drive

• Desktop computers

• Visual display units

• Handheld computers or organisers

• Laptops and mobile computers devices

• Mobile phones

• Network associated devices and other infrastructure equipment

• Printers

• Projectors

• Scanners

In the event that equipment cannot be clearly classified or where it is believed that it should be securely disposed of but the device is not in the above list, before disposal the Provide Technology Team should be contacted. Only staff working for the Provide Technology Team are authorised to dispose of IT equipment or instruct others to dispose of IT equipment

Equipment Categories

The IT related equipment that is in the scope of this policy will be categorised as follows:

Stock Equipment

This is equipment that has been ordered to be held in stock, in anticipation of future requirements. Stock equipment should only be held for itemsthat are regularly required and should be ordered in small numbers so that no item remains unused for more than a short period of time.

Surplus Equipment

This is equipment that is still safe to use but is being returned to the Provide Technology Team as it is no longer required by the department that were previously using it. Equipment may become surplus to requirements due to the equipment being replaced, changes in staffing levels or changes in procedures.

Surplus equipment should be redeployed within the Provide Group wherever possible, but following an assessment by the Provide Technology Team can be considered as obsolete equipment if there is no prospect of the item being redeployed. All redeployment of equipment must be requested to and approved by the Provide Technology Team so accurate records of it’s location and use.

Obsolete Equipment

This is equipment that may be in working order but will be taken out of use and disposed of securely. This could be for several reasons; due to a change in legislation, change in policy or the equipment becoming uneconomical to repair.

Condemned Equipment

This is equipment that is being taken out of use as it is no longer in a fit state for use and cannot be redeployed.

5. Policy Statement

The Board, Executive Management Team and the Provide Technology Team recognise the importance of ensuring all Provide staff have IT equipment that is fit for purposes; which both enables and supports staff to work productively.

The Board and Executive Management Team have asked the Provide Technology Team to introduce a refresh lifecycle for IT equipment that will ensure equipment is replaced in a managed fashion and where foreseeable, before the point the performance of the equipment has degraded to a point where it is negatively impacts on staff productivity.

Furthermore, the managed replacement and secure disposal of equipment shall be carried out in accordance with legislative and policy requirements.

6. Equipment Replacement

We are committed to replacing IT equipment before it fails or the degradation in performance becomes problematic The Provide Technology Team will be responsible for determining when IT equipment needs to be replaced.

For the purposes of guidance and planning; there will be a refresh cycle of approximately 3-years for mobile phones, 4-years for mobile computers and 5-years for desktops. The exact length may vary due to the availability of stock, condition of the devices due for exchange, financial position and changes in software and hardware.

The Provide Technology Team will set a standard device type for use across the Provide Group and review this at the time of all large purchases to ensure best value and consistency is achieved. Different models will be explored on an individual basis where there is specific need, such as for specific job roles (may require a full keypad or additional resources) or to support staff with disabilities or health requirements.

The Provide Technology Team will contact individuals when equipment in their department is due to be replaced. The cost of replacing this equipment will be met by planned capital budgets, agreed on an annual basis. The cost of new or replacement equipment required outside of this planned refresh cycle will be met by the requesting department, other than where the equipment has been condemned through no fault of the user or service

Equipment is issued to a post and not an individual. When a member of staff leaves their post, any mobile devices and equipment should be returned to the Provide Technology Team where it will be reimaged before being redeployed to their replacement or another member of staff. If a staff member is moving within the Provide Group, they must contact the Service Desk to agree the appropriate approach.

Equipment Purchase

All IT equipment must be purchased by, or with the consent of the Provide Technology Team and be delivered directly to the Technology Team so that the asset register can be updated and where necessary licences checked.

Equipment purchased outside of the above process, may not ever be permitted to connect to the provide network, especially where there is any concern with regards to support or security of the devices.

7. Equipment Management

The Provide Technology Team will ensure that stock equipment is kept to appropriate levels to ensure that new requests can be processed efficiently but avoiding stock being unused for extended periods of time.

Surplus equipment will be issued before stock equipment. This will ensure that the maximum use is gained from IT equipment but may result in staff being issued with surplus equipment on some occasions.

Obsolete and condemned equipment should be returned to the Provide Technology Team at the earliest opportunity The Provide Technology Team will update the

Configuration Management Data Base (CMDB) to reflect this and will ensure that the equipment is stored securely prior to secure disposal.

All changes to the location of equipment must be reflected on the CMDB and IT Asset Register.

Periods of disuse

Where it is known that equipment will not be used for an extended period, especially where this is more than 2-months, the Technology Team should be notified so that the appropriate course of action can be advised. Action may include collection of this equipment with replacement equipment issued when it is required again, this is important not only to avoid additional equipment being purchased but from a security perspective as unused devices will become out of date with critical security updates and will pose a threat to the whole of the Provide Groups IT Network.

The Provide Technology Team may block unused devices from us on Provide Group Networks, requiring that these devices are updated by the Technology Team prior to reversing this block.

Equipment Disposal

All IT hardware will be disposed of on behalf of Provide and in accordance with all legislation by an experienced specialist company. Provide will receive disposal confirmation documentation for each batch of IT equipment. Provide will ensure that where possible condemned and obsoleted IT equipment is recycled and therefore minimise the amount sent to landfill.

Legislation

Extensive legislation and regulation covers the disposal of IT equipment. The Provide Technology Team are responsible for ensuring the organisation adheres to all relevant legislation. This legislation includes but is not limited to the following:

Hazardous Waste Directive (July 2005) – This legislation classified cathode ray tube (CRT) monitors as hazardous material for the first time in UK law along with other hazardous IT equipment such as uninterruptible power supply (UPS) batteries. It requires any site that produces more than 200Kgs of such waste product per annum to register with the Environment Agency as a producer of hazardous waste. Thereafter the movement and treatment of that material has to be carried out in accordance with strict guidelines.

Web link: http://ec.europa.eu/environment/waste/hazardous_index.htm

Waste Electrical and Electronic Equipment recycling (WEEE) Regulations ( 2013)Recycling of WEEE is a specialist part of the waste and recycling industry. It is a rapidly growing sub-sector due largely to the implementation of the original WEEE Directive in the UK by the WEEE Regulations 2006, With that came the associated requirements for the recovery, reuse, recycling and treatment of WEEE. The Waste Electric and Electronic Equipment (WEEE) Regulations 2013 ("the Regulations") became law in the UK on the 1st of January 2014 and replaced the 2006 Regulations. The new Regulations transpose the main provisions of Directive 2012/19/EU on WEEE which

recasts the previous Directive 2002/96/EC. These regulations also provide for a wider range of products to be covered by the Directive with effect from 1st January 2019.

Further information on the WEEE Regulations 2013 can be found in the Government Guidance Notes (PDF) produced by the Department for Innovation and Skills

Web-link: https://www.hse.gov.uk/waste/waste-electrical.htm

The Data Protection Act 2018 (DPA 2018) – Came into force on the 25th May 2018. It replaces the Data Protection Act 1998 and it is the UK’s implementation of the General Data Protection Regulations (GDPR). It aims to modernises data protection laws. Under the Data Protection Act 2018, Data Controllers (Provide) have obligations regarding the secure disposal of electronic systems/devices that contain personal data. Some of the key obligations include:

Documentation and Auditing: Data Controllers must maintain records and documentation related to the disposal of electronic systems containing personal data. This documentation should include the date, method, and confirmation of the secure disposal.

Secure Disposal Procedures: Data controllers should establish documented procedures for the secure disposal of electronic devices. This may involve securely erasing or destroying data to render it irretrievable.

Data Processor Contracts: When engaging third-party data processors for the disposal of electronic devices, Data Controllers should have appropriate contractual agreements in place. These contracts should outline the processor's responsibilities, including the secure disposal of data.

Web-link: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

8. Roles and Responsibilities

To enable IT hardware management to work effectively, staff at all levels within Provide will need to play their part, some of the key responsibilities are listed below

Executive Directors

Responsible for ensuring procedures are in place within their directorates that ensure staff are aware of their responsibilities contained within this policy and that these responsibilities are adhered to.

Director IT

• Implementation and regular review of this policy

• Ensuring all sensitive data stored on desktops, tablets, laptops, mobile phones and other

• IT devices are stored securely and where appropriate at the required level of encryption

• Leading investigations into reported breaches of this policy

Technology Operations Manager

• Responsible for ensuring all applicable IT hardware assets are recorded on the CMDB and IT Asset Register

• Ensuring the accuracy of the CMDB and IT Asset Register is maintained at all times

• Ensuring regular reconciliations are performed between the hardware assets and those recorded on the CMDB

• Ensuring that the CMDB and IT Asset Register is updated following the destruction of hardware assets

• Ensuring procedures are in place for the recording of warranty details, the checking of these details in the event of faults and ensuring the procedures are followed by all IT staff

• Provision of reports relating to the CMDB.

Technology Service Desk Manager

• Responsible for ensuring that IT equipment is disposed of in accordance with all legislation and Provide’s policies

• Ensuring all data is removed from IT equipment in accordance with all legislation

• Ensuring the Provide Technology Team hold a copy of the ‘certificate of compliance’, for the company Provide use for the secure disposal of IT equipment.

• Undertaking an annual review of the performance of any third-party organisations involved in the waste disposal process, this review should be undertaken in conjunction with Provide’s IG Manager.

Line Managers

• Responsible for ensuring that all unwanted equipment is returned to the Provide Technology Team for safe disposal and that all disposals are completed by the IT department who will have a contract in place with an appropriate certified data destruction company. This includes (but is not limited to) Computer base units, laptops, tablets, memory sticks, Camera’s, Printers and photocopiers (with internal hard drives), mobile telephones

• Responsible for ensuring all IT equipment issued to staff that leave Provide is returned to the Provide Technology Team or the team is notified to whom the equipment should be reassigned

• Ensuring all new equipment for their teams is purchased by, or with the consent of the Provide Technology Team

• Ensuring that all equipment that is unused or likely to be unused for a period longer than 2 months is returned to stock so that it can be updated and utilised elsewhere in Provide, this may occur in cases of long term sick or maternity leave

• Ensuring their staff have read and understood this policy

All Staff

• Must ensure all desktops, laptops and tablets issued to them are regularly connected to the Provide network

• Responsible for contacting the IT helpdesk to report problems and any damage caused or discovered to IT equipment contemporaneously

• Ensure that all sensitive information is removed from all IT devices before they are returned to the IT department for redeployment or disposal

• Ensuring IT equipment is used in an appropriate manner and only for work purposes

Provide Technology Team

Responsible for the recording of all IT hardware assets in the CMDB and recording all of the following attributes that are applicable:

• Asset tag number

• Date of acquisition

• Express service code (Dell items)

• Hard disk drive size

• IMEI number

• Location of equipment

• Main user of equipment

• Make and model

• Operating system

• Processor type and speed

• Purchase value

• Serial number

• SIM number

• Telephone number

• Warranty expiry date

Checking the ‘leavers list’ to ensure that the equipment held by leavers has been returned or reassigned on the CMDB.

Each member of the Technology Team is responsible for the accuracy of the data they enter into Provide’s IT systems and databases.

Ensure that high quality advice and guidance in relation to the purchase and use of IT equipment is provided.

Required to follow all policy, guidance and legislation that relates to the disposal of Provide’s IT equipment.

Ensure that any equipment returned that is to be re-issued, is suitably erased of any person identifiable* information before being re-issued to another member of staff.

Ensure that any non-serviceable equipment holding Person Identifiable information* is disposed of via the approved contracted data destruction company.

Assessing returned equipment and redeploying this equipment where possible.

*This includes Patient, staff and contractor information

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

IT Hardware Management Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

This policy sets out the high level principles of the IT equipment lifecycle; from ordering to the secure disposal of redundant equipment

Project/Policy Manager: Director IT & Transformation Date: 06/07/2023

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

Neutral effect on all services and staff

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

Neutral effect on all services and staff

Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

No further action required

Guidelines: Things to consider

Equality impact assessments at Provide take account of relevant equality legislation and include age, (i.e. young and old,); race and ethnicity, gender, disability, religion and faith, and sexual orientation.

The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.

Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?

It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the ‘screening phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

Guidelines: Things to consider

An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised. It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative. The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action. If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful Websites www.equalityhumanrights.com Website for new Equality agency www.employers-forum.co.uk – Employers forum on disability www.efa.org.uk – Employers forum on age