Responsible Directorate: Corporate
Responsible Director: Carol McKenna – Chief Operating Officer
Author: Terry Service – AD Corporate Services
Date Approved: 24 January 2012
Committee: SMT
Review Date: April 2013
This document defines the Email Policy for NHS Kirklees. The Email Policy applies to all business functions and all information contained within the email system. This document:
a) Sets out the PCT’s policy for the protection of the confidentiality of information and the integrity and availability of the email system;
b) Establishes PCT and user responsibilities for the email system;
c) Provides reference to documentation relevant to this policy.
The purpose of this policy is to ensure the proper use of the organisation email system and to make users aware of what the Trust deems as acceptable and unacceptable use of its email system. If there is evidence of non-compliance with this policy, this will be managed under the organisational Disciplinary Procedures.
2.
The objective of this policy is to ensure the security of the Trust’s email system. To do this the Director of Performance and Information, as the overall IT lead for the Cluster, will manage the Service Level Agreement with The Health Informatics Service to:
a) Ensure Availability
b) Ensure that the email system is available for Users;
c) Preserve Integrity
d) Protect the email system from unauthorised or accidental modification of the organisation’s information;
e) Preserve confidentiality
f) Protect the organisation’s information against unauthorised disclosure.
3.
E-mail and applicable law
Email is a business communication tool and users are obliged to use this tool in a responsible, effective and lawful manner. Although by its nature email seems to be less formal than other written communication, the same laws apply. Therefore, by following this policy, the email user can minimise the legal risks involved in the use of email:
a) You must not send emails with any libellous, defamatory, offensive, harassing, racist, homophobic, obscene or pornographic remarks or depictions, as you and the organisation can be held liable;
b) You must not forward emails with any libellous, defamatory, offensive, harassing, racist, homophobic, obscene or pornographic remarks or depictions, as you and the organisation can be held liable. If you receive an email of this nature, you must promptly notify your supervisor;
c) You must not unlawfully forward confidential information, as you and the organisation can be held liable. Do not forward a confidential message without acquiring permission from the sender first;
d) You must not knowingly send an attachment that contains a virus, as you and the organisation can be held liable;
e) You must not send unsolicited email messages;
f) You must not forge or attempt to forge email messages;
g) You must not send email messages using another person’s email account;
h) You must not knowingly breach copyright or licensing laws when composing or forwarding emails and email attachments;
i) You must not send emails containing person identifiable information unless the data is sent to a secure email account and the information is appropriately protected using accredited encryption programmes. The responsibility for protecting information rests with the person sending the email, not the person receiving it.
See Appendix A for definitions.
4.
The organisation will ensure that all users have access to appropriate training. This is primarily via the NHS online training programme commissioned and supported by Connect for Health. Information Governance is mandated within the Trust for all staff utilising the same programme. The organisation will ensure that users of the email service are aware of policies, protocols, procedures and legal obligations relating to the use of email. This will be completed through mandated online training, staff communications and open access to policies on the Intranet.
5.
Access to the email system
Authorised access to the email system is obtained by applying to The Health Informatics Service Desk by email on Theservicedesk@this.nhs.uk or 0845 1272600. Users will be sent a Code of Connection agreement which must be completed and signed by the new user’s manager. The new user is required to access and familiarise themselves with the relevant policies. Users are responsible for ensuring unauthorised users do not have access to or use their email account.
6.
Personal Identifiable Information (including sensitive information)
Email is an insecure system and emails are not routinely encrypted. Therefore, sensitive personal identifiable information (i.e. that relating to identifiable individuals) or commercially sensitive information MUST NOT be sent by email, unless the data is sent to a secure email account and the information is appropriately protected using accredited encryption programmes.
7.
The organisation considers email as an important means of communication and recognises the importance of proper email content and speedy replies in conveying a professional image and delivering good customer service. Therefore the organisation wishes to encourage users to adhere to the following guidelines:
a) Write well-structured emails;
b) Include your name, job title and organisation name;
c) Use the spell checker before you send out an email;
d) Do not print emails unless you really need to for work purposes. Emails can be saved, if you need to keep them;
e) If you need a reply to your email by a particular date ensure the recipient knows this;
f) If you forward mails, state clearly what action you expect the recipient to take;
g) Only mark emails as important if they really are important;
h) Ensure you send your email only to people who need to see it. Sending emails to all in your address book can unnecessarily block the system. ‘All user’ emails via the global address system should not be sent unless authorised by key staff e.g. communications staff;
i) Emails should be treated like any other correspondence and should be answered as quickly as possible;
j) Delete any email messages that you do not need to have a copy of;
k) Remember that emails can be requested under the Freedom of Information Act. Store any emails containing information likely to be requested e.g. spending of public money/development of services, in a separate folder to allow easy, efficient retrieval.
8.
Although the organisation’s email system is meant for business use, the Trust allows the reasonable use of email for personal use if certain guidelines are adhered to:
a) Personal use of email should not interfere with work;
b) Personal emails must also adhere to this policy;
c) Personal emails should be kept in a separate folder, named ‘Private’. The emails in this folder must be deleted regularly so as not to clog up the system. Under appropriate circumstances where the organisation feels that this policy has not been complied with, the organisation may review the contents of the folder;
d) The forwarding of chain letters, junk mail and executable attachments is forbidden. The sending of unsolicited mail is considered by many Users as wasteful of user time and can also disrupt the service for other Users;
e) The organisation reserves the right to manage a mailbox on behalf of an individual.
Please read Appendix A (includes definitions).
Computer Virus Infection
If you suspect that you have received a virus by email, contact The Health Informatics Service Desk on 0845 1272600. Do not forward the email to the service desk or another user unless expressly advised to do so. Do not attempt to remove the virus yourself. The IT Service Desk will need to know what virus it is. Do not switch off or restart your PC unless expressly told to do so by the IT Service Desk. Where you suspect the presence of a virus, do not send any further email until the IT Service Desk has confirmed that it is safe to do so.
10.
All emails are automatically monitored for viruses and to maintain the size of accounts. All email traffic (incoming and outgoing) is logged automatically. These logs are audited periodically. The content of emails is not routinely monitored. However, the organisation reserves the right to inspect, monitor and retain message content as required to meet legal, statutory and business obligations.
11.
All email accounts maintained on organisational email systems are the property of the organisation.
12.
References
• Copyright, Designs & Patents Act 1988
• Access to Health Records Act 1990
• Computer Misuse Act 1990
• The Data Protection Act 1998
• The Human Rights Act 1998
• Electronic Communications Act 2000
• Regulation of Investigatory Powers Act 2000
• Freedom of Information Act 2000
• Environmental Information Regulations 2004 (EIRs)
• Health & Social Care Act 2001
Associated Documents
• Information Security Policy
• Network Security Policy
• Remote Access Policy
• Internet Policy
• Harassment At Work Policy
• Disciplinary Procedure
• Confidentiality Policy Statement and guidance
Appendix A
1.
Defamation & libel
What is defamation & libel?
A published (spoken or written) statement or series of statements, which affects the reputation of a person or an organisation and exposes them to hatred, contempt, ridicule, being shunned or avoided, discredited in their trade, business, office or profession, or pecuniary loss. If the statement is not true then it is considered slanderous or libellous and the person towards whom it is made has redress in law.
What you must not do
Make statements about people or organisations in any email that you write without verifying their basis in fact. Note that forwarding an email with a slanderous or libellous statement also makes you liable.

Harassment
What is harassment?
Any unwarranted behaviour, which is unreasonable, unwelcome or offensive. This may include physical contact, comments or printed material, which causes the recipient to feel threatened, humiliated or patronised. Harassment takes many forms. It can range from extreme forms such as violence and bullying, to less obvious actions like ignoring someone at work. Whatever the form, it will be unwanted behaviour that is perceived as unwelcome and unpleasant by the recipient. Harassment can be on a variety of grounds, including sex/gender, race, sexual orientation, mental status, age, physical/mental disability. Note that this list is not exhaustive.
What you must not do
Use email to harass other members of staff by sending messages that they consider offensive or threatening.

Pornography
What is pornography?
Pornography can take many forms. For example, textual descriptions, still and moving images, cartoons and sound files. Some pornography is illegal in the UK and some is legal. Pornography that is legal in the UK may be considered illegal elsewhere. Because of the global nature of email these issues must be taken into consideration.
Therefore, the organisation defines pornography as the description or depiction of sexual acts or naked people that are designed to be sexually exciting. The organisation will not tolerate its facilities being used for this type of material and considers such behaviour to constitute a serious disciplinary offence.
What you must not do
• Send, deliberately view or forward emails containing pornography. If you receive an email containing pornography you should report it to your line manager.
• Save pornographic material that has been transmitted to you by email.
What are the consequences of not following this policy?
Users and/or the organisation can be prosecuted or held liable for transmitting or downloading pornographic material, in the UK and elsewhere. The reputation of the organisation will be seriously questioned if its systems have been used to access or transmit pornographic material and this becomes publicly known. Users found to be in possession of pornographic material, or to have transmitted pornographic material, will be dealt with under the organisation Disciplinary Procedure.

Copyright
What is copyright?
Copyright is a term used to describe the rights under law that people have to protect original work they have created. The original work can be a computer program, document, graphic, film or sound recording, for example. Copyright protects the work to ensure no one else can copy, alter or use the work without the express permission of the owner. Copyright is sometimes indicated in a piece of work by this symbol ©. However, it does not have to be displayed under British law. So a lack of the symbol does not indicate a lack of copyright. In the case of organisation standard use computer software, the organisation purchases licences on behalf of its Users.
What you must not do
• Alter any software programs, graphics etc without the express permission of the owner.
• Claim someone else’s work is your own.
• Send copyrighted material by email without the permission of the owner.

Unsolicited Email
What is unsolicited email?
Electronic mail which is unrequested by the recipient and is of an advertising, promotional or humorous nature.