Information security remote working policy

1 Introduction

Working remotely can present risks in that significant amounts of data can be held on a single device that can be easily lost or stolen or accessed by people without the appropriate authority. Through this policy, Rotherham, Doncaster, and South Humber NHS Foundation Trust (hereafter referred to as ‘the trust’) aims to:

outline how the trust’s information, communication and technology (ICT) equipment can be protected when working remotely
protect the trust’s network by mandating the external networks and devices colleagues can connect to from the trust’s devices
help reduce risk of the removal or loss of data held or processed by the trust when working remotely

2 Purpose

This document sets out the policy on the handling of information held or processed by, or on behalf of the trust when working remotely. Information still remains subject to the same standard of protection under legislation, regulation and management in accordance with the information risk appetite of the trust when remotely accessed.

3 Scope

This policy covers the usage of IT owned and issued by the trust, the usage of personal devices in reference to the trust and its activities and, relates to all IT equipment and electronic communications used when working on behalf of the trust, off trust premises.

This policy shall be reviewed every three years or in response to significant changes due to security incidents, variations of law and or changes to organisational infrastructure.

In the event of a national health emergency such as the covid-19 pandemic, this policy still applies, unless it is superseded by specific clauses mandated by the trust’s business continuity policy.

4 Responsibilities, accountabilities and duties

This policy applies to all those working for the trust in whatever capacity, including the trust’s colleagues, volunteers, students, temporary workers, contractors, suppliers and third parties (thereafter referred to as ‘colleagues’). Third parties and suppliers are expected to follow this approach unless specifically excluded or where conditions have been applied within the procurement and contract management process.

Terminology
Term	Definition
Shall	This term is used to state a mandatory requirement of this policy
Should	This term is used to state a recommended requirement of this policy
May	This term is used to state an operational requirement of this policy

5 Procedure or implementation

It is necessary to have a remote working policy to ensure the confidentiality, integrity, and availability of the trust’s information whilst individuals are working away from the trust’s premises.

Remote working is defined as any work that is conducted on behalf of the trust by a colleague whilst not on company premises.

Mobile working and remote access extend the transit and storage of information (or operation of systems) outside of the trust infrastructure, typically over the Internet.

5.1 ICT equipment

All equipment provided by the trust is the property of the trust or its partners. Colleagues allocated equipment to support them in their role are responsible for ensuring its security while it is in their possession. Equipment which is the property of the trust should not be personalised or de-faced (avoid the use of stickers etc.) as equipment may be used by other colleagues member upon its return.

5.2 Data security

If working remotely with protectively marked documents, colleagues with authorised access to such documents must ensure that the same standard of security is applied to these documents as when on company premises. Colleagues must be able to justify the movement of protectively marked documents off the company premises. Unless there is a necessary reason for the movement and or transfer of such documents, documents should be kept securely on the trust’s premises. If information or data is transferred, colleagues are bound by the removable media policy.

The trust’s VPN facility is configured such that connections may only be established from IP addresses residing in the UK, except in very exceptional circumstances.

The trust’s security stance is based on known and recorded malicious activities associated with overseas actors attempting access to the trust’s networks.

As such it would be possible to establish a VPN, on a case-by-case basis from outside of the UK, and it being required that:

VPN connections may only be established from countries where it is legal to do so
access may be revoked at any time and without warning for cyber security reasons
colleagues should be able to provide IT with a single IP address that will be used throughout the period of remote working
colleagues accept that for any IT support requirements they will need to factor in any time difference with the UK, noting the service desk opening times

Colleagues should take steps to ensure that the remote working environment offers a suitable level of privacy (for example, from other individuals in the vicinity being able to view papers or screens being worked on, or being able to overhear private conversations) before working on any classified Information outside of the trust’s premises.

All colleagues shall follow the trust’s procedures and the requirements set out in the records management policy when disposing of trust-related documents. Colleagues may be required to bring paper documents into the office for disposal or the trust may supply colleagues with the means to securely dispose of the paper documents. Under no circumstances should classified trust-related documents be disposed of domestically.

The trust, shall:

inform colleagues of the additional risks associated with remote working (including the increased likelihood of theft of equipment or accidental unauthorised disclosure of sensitive or confidential information) and provide training where appropriate
provide adequate technical support (for example, via a help desk, provision of a VPN, service support or equivalent) which can be accessed remotely
ensure working arrangements are compliant with legal and regulatory requirements (for example, health and safety laws and data privacy regulations)

Staff, shall:

obtain authorisation from their care group director and confirm the authorisation with the SIRO or deputy SIRO to work remotely and for VPN access from non-UK sources
be aware of their responsibility to be compliant with the trust’s acceptable use policy, including the security measures they must take to protect the trust’s assets
store physical documents in suitable, secure storage when not in use
report any security incidents in line with the internal security incident process
use trust-certified forms of communication (for example, the trust’s email accounts) to send personal or business critical information to other colleagues when required
not allow unauthorised personnel to access smart cards, access tokens, trust-related information, approved portable devices or approved desktop PCs
seek line manager’s approval when needing to connect a trust-owned device, a personal home-based printer or other personal device

6 Training implications

6.1 All colleagues, data security awareness

How often should this be undertaken: Upon commencement of employment and annually thereafter.
Length of training: 1 and a half hours.
Delivery method: E-learning or face to face.
Training delivered by whom: IG or NHS digital e-learning package.
Where are the records of attendance held: ESR.

At the outset of any work taking place to move services towards remote working, all colleagues will be provided with the opportunity to complete a self assessment of their basic IT skills. Additional training and support will be provided where required. Training on all new IT solutions deployed to facilitate agile working will be provided at the time of deployment of the equipment with ad hoc follow up support also available. Specific training will be required on the IT hardware and all software which is provided for agile working. Specific training is being considered for the health, safety, fire and security aspects of agile working which also includes specific training on back care and human factors. Some colleagues may benefit from other training such as time management to increase their personal productivity or IT skills training if they are not confident using any of the technology provided to them. Resilience training is available to managers and colleagues who are involved in a change process.

As a trust policy, all colleagues need to be aware of the key points that the policy covers. Colleagues can be made aware through:

training specific to remote working
team meetings
one to one meetings or supervision
trust wide emails

7 Monitoring arrangements

7.1 Incidents raised with people experience team associated with remote working

How: Monitoring HR database and incident forms.
Who by: IG manager.
Reported to: Communications team and IG manager.
Frequency: This policy shall be reviewed every 3 years or in response to significant changes due to security incidents, variations of law and or changes to organisational infrastructure.

7.2 Policy

How: Review of best practice against the policy will be undertaken in response to significant changes due to security incidents, variations of law and or changes to organisational infrastructure.
Who by: Head of information governance.
Reported to: Information governance group and health informatics group.
Frequency: As required.

8 Equality impact assessment screening

To access the equality impact assessment for this policy, please see the overarching equality impact assessment.

8.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

8.1.1 How this will be met

No issues have been identified in relation to this policy.

8.2 Mental Capacity Act 2005

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals capacity to participate in the decision making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all colleagues working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005) to ensure that the rights of individual are protected and they are supported to make their own decisions where possible and that any decisions made on their behalf when they lack capacity are made in their best interests and least restrictive of their rights and freedoms.

8.2.1 How this will be met

Not applicable to this policy.

9 Links to any associated documents

10 References

NHS Confidentiality Code of Practice.
Freedom of Information (FOI) Act 2000.
Environmental Information Regulations 2004 (EIR).
Data Protection Act (2018).
UK General Data Protection Regulations 2018.

Document control

Version: 2.1.
Unique reference number: 606.
Date approved: 15 January 2024.
Approved by: Corporate policy approval group.
Name of originator or author: Data protection officer or head of information governance.
Name of responsible individual: Director of health informatics or senior information risk owner (SIRO).
Date issued: 16 January 2024.
Review date: 31 January 2026.
Target audience: Audience: All colleagues.

Page last reviewed: April 30, 2024
Next review due: April 30, 2025

Feedback

Report a problem

Contents