Date Approved: November 2009 Committee: Governance Committee
Version Control
Current versions of all policies can be found on NHS Kirklees internet and intranet. If printing a document, please check internet/intranet for most up-to-date version.
Document Title: Email Policy
Document number:
Author: Stephen Rose
Contributors: Information Governance Group
Version: 2.0
Date of Production: November 2009
Review date: November 2011
Postholder responsible for revision:
Primary Circulation List: All NHS Kirklees employed staff
Web address: NHS Kirklees Intranet
Restrictions: None
Standard for Better Health Map
Domain: 3rd Domain, Governance
Core Standard Reference: C9 C13c
Performance Indicators: 1. Meeting the standards of the Information Governance Toolkit
Section
1. Introduction
2. Associated policies & procedures
3. Aims and objectives
4. Scope of the policy
5. Accountabilities and Responsibilities
6. Using the Email System
7. Equality Impact Assessment
8. Training Needs Analysis
9. Monitoring Compliance with this policy
10. References
Appendices
A. Definitions
B. Key Stakeholders consulted/involved in the development of the policy/procedure
C. Equality Impact Assessment Tool
D. Requesting Access to another user’s email account
Policy Statement
To ensure the proper use of NHS Kirklees’s email system and to make users aware of what NHS Kirklees deems as both acceptable and unacceptable in the use of its email system.
1.1 This document defines the Email Policy for NHS Kirklees. The Email Policy applies to all business functions and all information contained within the email system. NHS Kirklees has a Service Level Agreement with The Health Informatics Service (THIS) for the provision of email services. This document:
a. Sets out NHS Kirklees’s policy for the protection of the confidentiality of information and the integrity and availability of the email system;
b. Establishes NHS Kirklees and user responsibilities for the email system;
c. Provides reference to documentation relevant to this policy.
Associated policies & procedures
This policy should be read in accordance with the following Trust policies, procedures and guidance:
• Information Security Policy
• Network Security Policy
• Remote Access Policy
• Internet Policy
• Confidentiality Policy Statement and guidance
Aims and objectives
The objective of this policy is to ensure the security, availability and integrity of NHS Kirklees’s email system. THIS will discharge their responsibilities under the Service Level Agreement to:
• Ensure that the email system is available for Users;
• Preserve Integrity: Protect the email system from unauthorised or accidental modification of information;
• Preserve Confidentiality: Protect NHS Kirklees’s information against unauthorised disclosure.
Scope of the policy
This policy must be followed by all NHS Kirklees employees who are allocated an email account. It must be followed by all staff who work for NHS Kirklees, including those on temporary or honorary contracts, bank staff and students. Breaches of this policy may lead to disciplinary action being taken against the individual.
Independent Contractors are responsible for the development and management of their own procedural documents and for ensuring compliance with relevant legislation and best practice guidelines. Independent Contractors are encouraged to seek advice and support as required.
5. Accountabilities and Responsibilities
The Chief Executive
The Chief Executive of NHS Kirklees and Managing Director of KCHS are ultimately responsible for the provision, reliability and integrity of the email system.
5.2 The Director of Corporate Services is the lead for information governance.
5.3 All line managers are responsible for ensuring that their staff are both conversant with and aware of this policy.
5.4 All NHS Kirklees employed staff
All staff have the responsibility for ensuring they follow this policy; failure to comply with this policy may result in disciplinary action.
6. Using the Email System
Access to the Email System
6.11 Authorised access to the email system is obtained by applying to The Health Informatics Service, IT Service Desk (0845 1272600).
6.12 Users will be sent a Code of Connection agreement, and relevant policies, which they must familiarise themselves with.
6.13 Users are responsible for ensuring unauthorised Users do not use their email account.
Email and the Law
Email is a business communication tool and Users are obliged to use this tool in a responsible, effective and lawful manner. Although by its nature email seems to be less formal than other written communication, the same laws apply. Therefore, by following this policy, the email User can minimise the legal risks involved in the use of email:
• You must not send emails with any libellous, defamatory, offensive, harassing, racist, homophobic, obscene or pornographic remarks or depictions, you and NHS Kirklees can be held liable;
• You must not forward emails with any libellous, defamatory, offensive, harassing, racist, homophobic, obscene or pornographic remarks or depictions, you and NHS Kirklees can be held liable. If you receive an email of this nature, you must promptly notify your supervisor;
• You must not unlawfully forward confidential information, you and NHS Kirklees can be held liable. Do not forward a confidential message without acquiring permission from the sender first;
• You must not knowingly send an attachment that contains a virus, you and NHS Kirklees can be held liable;
• You must not send unsolicited email messages;
• You must not forge or attempt to forge email messages;
• You must not send email messages using another person’s email account;
• You must not knowingly breach copyright or licensing laws when composing or forwarding emails and email attachments.
Sending Sensitive Personal Information by Email
6.3.1 NHS Kirklees’s email system is part of a secure network that also comprises:
• NHS Calderdale
• NHS Wakefield
• Calderdale & Huddersfield NHS Foundation Trust
• Mid Yorkshire NHS Trust
• South West Yorkshire Partnership Foundation Trust
6.3.2 It is acceptable to send sensitive personal information (i.e. that relating to patients, or staff sensitive information such as salary details, disciplinary matters, health matters etc) or commercially sensitive information, between members of staff who have an official email account issued by any of the above organisations. An official email account is one that is addressed as follows:
• @calderdale-pct.nhs.uk
• @cht.nhs.uk
• @kirklees.nhs.uk
• @kirkleeschs.nhs.uk
• @midyorks.nhs.uk
• @this.nhs.uk
• @wdpct.nhs.uk
Any such information must be contained in a password protected file attached to the email and NOT in the main body of the email. The password must be relayed to the recipient via another means, i.e. telephone.
Before sending sensitive personal information via email, staff must consider the risk and whether there is a legitimate business reason for doing so.
NHS national guidance is that email MUST NOT be used for sending sensitive personal information to any other types of email address, i.e. @kirklees.gov.uk, unless it is encrypted to 256 Advanced Encryption Standard (AES) using software approved by NHS Kirklees. The standard email account issued to members of staff does not offer this level of encryption. http://www.connectingforhealth.nhs.uk/systemsandservices/nsts/security/PID.doc
6.3.3 Should any member of staff have a business need for sending any type of information set out in paragraph 6.3.2 via email, using an un-encrypted method, then the document(s) MUST be password protected, a risk assessment must be carried out and approval obtained from the Governance Committee. The password must be relayed to the recipient(s) by another means, e.g. telephone.
Best Practice in using Email
NHS Kirklees considers email as an important means of communication and recognises the importance of proper email content and speedy replies in conveying a professional image and delivering good customer service. Therefore NHS Kirklees wishes to encourage Users to adhere to the following guidelines:
• Write well-structured emails;
• Include your name, job title and NHS Kirklees name;
• Use the spell checker before you send out an email;
• Do not print emails unless you really need to for work purposes. Emails can be saved, if you need to keep them;
• If you need a reply to your email by a particular date let the recipient know this;
• If you forward mails, state clearly what action you expect the recipient to take;
• Only mark emails as important if they really are important;
• Ensure you send your email only to people who need to see it. Sending emails to all in your address book can unnecessarily block the system;
• Emails should be treated like any other correspondence and should be answered as quickly as possible;
• Delete any email messages that you do not need to have a copy of.
• Remember that emails can be requested under the Freedom of Information Act. Store any emails containing information likely to be requested e.g. spending of public money/development of services, in a separate folder to allow easy, efficient retrieval.
Personal use of Email
Although NHS Kirklees’s email system is meant for business use, NHS Kirklees allows the reasonable use of email for personal use if certain guidelines are adhered to:
• Personal use of email should not interfere with work;
• Personal emails must also adhere to this policy;
• Personal emails should be kept in a separate folder, named ‘Private’. The emails in this folder must be deleted regularly so as not to clog up the system. Under appropriate circumstances where NHS Kirklees feels that this policy has not been complied with, NHS Kirklees may look at this folder;
• The forwarding of chain letters, junk mail and executables is forbidden. The sending of unsolicited mail is considered by many Users as wasteful of user time and can also disrupt the service for other Users;
• NHS Kirklees reserves the right to manage a mailbox on behalf of an individual.
6.61 All emails are automatically monitored for viruses and to maintain the size of accounts. All email traffic (incoming and outgoing) is logged automatically. These logs are audited periodically.
6.62 The content of emails is not routinely monitored. However, NHS Kirklees reserves the right to inspect, monitor and retain message content as required to meet legal, statutory and business obligations.
6.63 If access is required to a member of staff’s email account where sharing privileges have not been granted, i.e. unplanned absence, misuse of the email system, then this must be authorised by a Director. See Appendix B.
6.64 If there is evidence that you are not adhering to this policy, this may be dealt with under NHS Kirklees Disciplinary Procedure.
7. Equality Impact Assessment
All public bodies have a statutory duty under the Race Relations (Amendment) Act 2000 to “set out arrangements to assess and consult on how their policies and functions impact on race equality.” This obligation has been increased to include equality and human rights with regard to disability, age and gender. The Trust aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. In order to meet these requirements, a single equality impact assessment is used to assess all its policies/guidelines and practices. This Policy/procedure/guidance (delete as appropriate) was found to be compliant with this philosophy (see appendix C).
8. Training Needs Analysis
The use of NHS Kirklees’s email system is covered within Information Governance Training. All staff are required to attend the Information Governance sessions on induction and should attend NHS Kirklees Mandatory Training Programme every 2 years.
9. Monitoring Compliance with this policy
Incidents reported involving misuse of the email system.
10. References
• Copyright, Designs & Patents Act 1988
• Access to Health Records Act 1990
• Computer Misuse Act 1990
• The Data Protection Act 1998
• The Human Rights Act 1998
• Electronic Communications Act 2000
• Regulation of Investigatory Powers Act 2000
• Freedom of Information Act 2000
• Environmental Information Regulations 2004 (EIRs)
• Health & Social Care Act 2001
Appendices
A. Definitions
Defamation & libel
What is defamation & libel?
A published (spoken or written) statement or series of statements, which affects the reputation of a person or an organisation and exposes them to hatred, contempt, ridicule, being shunned or avoided, discredited in their trade, business, office or profession, or pecuniary loss. If the statement is not true then it is considered slanderous or libellous and the person towards whom it is made has redress in law.
What you must not do
Make statements about people or organisations in any email that you write without verifying their basis in fact. Note that forwarding an email with a slanderous or libellous statement also makes you liable.
Harassment
What is harassment?
Any unwarranted behaviour, which is unreasonable, unwelcome or offensive. This may include physical contact, comments or printed material, which causes the recipient to feel threatened, humiliated or patronised. Harassment takes many forms. It can range from extreme forms such as violence and bullying, to less obvious actions like ignoring someone at work. Whatever the form, it will be unwanted behaviour that is perceived as unwelcome and unpleasant by the recipient. Harassment can be on a variety of grounds, including sex/gender, race, sexual orientation, mental status, age, physical/mental disability. Note that this list is not exhaustive.
What you must not do
Use email to harass other members of staff by sending messages that they consider offensive or threatening.
Pornography
What is pornography?
Pornography can take many forms. For example, textual descriptions, still and moving images, cartoons and sound files. Some pornography is illegal in the UK and some is legal. Pornography that is legal in the UK may be considered illegal elsewhere. Because of the global nature of email these issues must be taken into consideration. Therefore, NHS Kirklees defines pornography as the description or depiction of sexual acts or naked people that are designed to be sexually exciting. NHS Kirklees will not tolerate its facilities being used for this type of material and considers such behaviour to constitute a serious disciplinary offence.
What you must not do
• Send, deliberately view or forward emails containing pornography. If you receive an email containing pornography you should report it to the Confidentiality and IM&T Security Officer (THIS) or your supervisor.
• Send, deliberately view or forward emails with attachments containing pornography. If you receive an email with an attachment containing pornography you should report it to the Confidentiality and IM&T Security Officer (THIS) or your supervisor.
• Save pornographic material that has been transmitted to you by email.
What are the consequences of not following this policy?
• Users and/or NHS Kirklees can be prosecuted or held liable for transmitting or downloading pornographic material, in the UK and elsewhere.
• The reputation of NHS Kirklees will be seriously questioned if its systems have been used to access or transmit pornographic material and this becomes publicly known.
• Users found to be in possession of pornographic material, or to have transmitted pornographic material, will be dealt with under NHS Kirklees Disciplinary Procedure.
Copyright
What is copyright?
Copyright is a term used to describe the rights under law that people have to protect original work they have created. The original work can be a computer program, document, graphic, film or sound recording, for example. Copyright protects the work to ensure no one else can copy, alter or use the work without the express permission of the owner. Copyright is sometimes indicated in a piece of work by this symbol ©. However, it does not have to be displayed under British law. So a lack of the symbol does not indicate a lack of copyright. In the case of NHS Kirklees standard use computer software, NHS Kirklees purchases licences on behalf of its Users.
What you must not do
• Alter any software programs, graphics etc without the express permission of the owner.
• Claim someone else’s work is your own.
• Send copyrighted material by email without the permission of the owner. This is considered copying.
Unsolicited Email
What is unsolicited email?
Electronic mail which is unrequested by the recipient and is of an advertising, promotional or humorous nature.
B. Key stakeholders consulted/involved in the development of the policy/procedure
Stakeholders name and designation: Information Governance Group
Key Participant (Yes/No): Yes
Feedback requested (Yes/No): Yes
Feedback accepted (Yes/No): Yes
C. Equality Impact Assessment Tool
To be completed and attached to any procedural document when submitted to the appropriate committee for consideration and approval.
Insert Name of Policy / Procedure: Email policy
1. Does the policy/guidance affect one group less or more favourably than another on the basis of:
• Race
• Ethnic origins (including gypsies and travellers)
• Religion or belief
• Sexual orientation including lesbian, gay and bisexual people
• Age
• Disability - learning disabilities, physical disability, sensory impairment and mental health problems
Is there any evidence that some groups are affected differently?
If you have identified potential discrimination, are any exceptions valid, legal and/or justifiable?
Is the impact of the policy/guidance likely to be negative?
If so can the impact be avoided?
What alternatives are there to achieving the policy/guidance without the impact?
Can we reduce the impact by taking different action?
If you have identified a potential discriminatory impact of this procedural document, please refer it to [insert name of appropriate person], together with any suggestions as to the action required to avoid/reduce this impact. For advice in respect of answering the above questions, please contact [insert name of appropriate person and contact details].
D. Requesting access to another user’s email account
Request for access to a member of staff’s email account where permission has not, or cannot be obtained from that member of staff
I request that the Service Desk of The Health Informatics Service grant access to the following member of staff’s email account:
Name of member of staff’s account to be accessed: ………………………………...…………
Job Title:
Name of person to access account: …………………………………..
Job Title: ………………………………………….................................
Location:
The member of staff named above, is on unplanned absence, left organisation. Please give reason i.e. Sickness, Left NHS Kirklees etc.*
I believe that the member of staff has been using the email system contrary to NHS Kirklees Email Policy.*
* Delete as appropriate.
An appropriate Out of Office message must be placed on the account, when applicable.
An Auto forward rule must be placed on the account.
Signed: …………………………………………….
Date: ………………………………………………...
Name: ………………………………………………..
Position: ……………………………………………..
Director