The internet is a part of our working lives – for good and for ill. How can you ensure your staff are using the internet for the right reasons and in the right ways? You need an acceptable use policy.
Practice Business identifies the key things you need to include in your practice policy
A recent FOI uncovered the reality that some trusts spend as little as £250 on cyber security, putting them – and their systems – at risk. Hackers will use any vulnerability to gain access to your systems – the Wannacry attack provided a clear example of the damage that can be done to entire systems through one weak link.
There are security risks in relation to allowing staff free internet access, but there are also potential positive impacts on productivity, too. The NHS has acted to curb time-wasting activities; The Times reported that 1,200 members of staff had been disciplined for inappropriate social media use, with 65 losing their jobs. In one serious case a member of staff was investigated by the NHS Counter Fraud Authority for viewing and downloading elicit material online, which led to a termination of employment.
It’s your responsibility as an employer to spell out exactly what behaviour will be tolerated – and what won’t. An acceptable use policy spells out the expectations you have of your staff, what is allowed and what isn’t.
According to NHS Digital’s recommendations, your acceptable use policy should have four parts:
- The principles of acceptable use.
- The duty to protect equipment, systems and information.
- Appropriate use of email and the internet.
- Misuse of information systems.
Let’s explore these in more detail.
Acceptable use principles
Employees are only authorised to access to information that’s relevant to their work; accessing, or attempting to gain access to, unauthorised information in organisations is, typically, deemed a disciplinary offence.
In areas where access to information is authorised, the individual user must ensure that the confidentiality and integrity of the information is upheld; they must adequately protect the information in accordance with NHS policies.
All staff have a duty of care to prevent and report any unauthorised access to systems, information and/or data to their line manager.
Duty to protect equipment, systems and information
Use of NHS information systems for malicious purposes is always deemed a disciplinary offence. Some specific offences include:
- Accessing, or attempting to access, medical or confidential information concerning themselves, their family, friends or any other person without a legitimate purpose and prior authorisation.
- Use of NHS information systems or data for personal gain, to obtain personal advantage, or for profit.In some cases the misuse of information might be considered a legal issue, and the practice would be responsible for notifying the police.
In some cases the misuse of information might be considered a legal issue, and the practice would be responsible for notifying the police.
Appropriate use of email and the internet
Internet access should mainly be used for business purposes – though limited private use may be accepted, including access to online banking, public web services and ‘phone web directories. However, excessive personal use of the internet during working hours should not be tolerated, and staff should be warned that such behaviour could lead to disciplinary action.
Email services within the NHS are provided for business purposes. Limited private use to simplify everyday tasks may be acceptable and understandable, but private emails should be distributed through external web-based email services (outside the NHS network).
Staff should never use external, web-based email services (e.g. hotmail.com) for business communications, including the sharing of patient information. This is a significant risk to both the practice and the individual.
Misuse of information systems
The use of NHS information systems for malicious purposes is a disciplinary offence. This is a complex area, but it can include attempts to hack systems (or allowing this to happen), posting discriminatory remarks or sharing such material through NHS networks, viewing or sharing pornography and deliberately using copyright-violated software.
The storage or transmission of large data volumes for personal use – sharing personal digital images, music or video files, or using the practice network to download large files – should also be against your acceptable use policy – not least because these behaviours can lead to slow networks and a negative impact on productivity.
The internet is a part of modern working life and access is essential for the running of an effective practice. The practice needs to ensure that all staff are made aware of what constitutes misuse and the potential consequences of any misuse of systems, information and data.
The simplest way is to ensure that all new staff agree to and sign your practice’s acceptable use policy which details your expectations. They should also be made aware that you retain the right to review their use of email and the internet at any point, with disciplinary action a possible step if there is clear misuse.
Practices can create their own acceptable use policies from scratch but, thankfully, NHS Digital has spared you the time. You can download a Word version of a model acceptable use policy from NHS Digital, adding your practice details in the spaces provided.