Internet Policy


                                                       DRAFT - Version 4.1
                        NHS Education for Scotland


1.   Reasons for an Internet Policy

     1.1   NES wishes to encourage staff to develop Internet skills. This will
           support the business aims of the organisation and provide a learning
           environment which will be good for staff personal and educational

     1.2   This policy is intended to promote reasonable, responsible and well-
           informed behaviour in the use of Internet services. It recognises the
           importance of the implied trust between employer and employee.
           Necessarily, it also highlights the risks and penalties which may result
           from intentional misuse of these services.

2.   Background

     2.1   Most NES employees are provided with Internet access via the NHS
           network. Others have been given access via Internet Service Providers
           (ISPs) using the public phone network. These services might be
           provided at the normal place of work or elsewhere using NES portable

     2.2   NHS organisations are entitled to monitor the content of work related
           Internet usage for three main reasons:

           -  To reduce employer liability for staff actions which deliberately or
              inadvertently break the law
           -  To audit business communications and ensure working time is not
           -  To prevent the abuse of NHS assets

     2.3   The Data Protection Act 1998 allows organisations to use routine or
           targeted monitoring as long as staff are forewarned and the monitoring
           is either “necessary for compliance with legal obligations” or
           “necessary for the purposes of legitimate interests pursued” (Schedule 2
           of the Data Protection Act 1998).

     2.4   Traffic between the NHS network and the Internet is routinely audited
           for network management purposes and to detect unauthorised activity
           such as hacking or security breaches. There is no routine content
           auditing of web pages or email.

     2.5   In order to protect individuals and NES from the misuse of Internet
           services, this policy contains important rules on their use.

3.   Scope of the Policy

     3.1   It is intended for all those who work for NES or who access the NHS
           network under the auspices of NES.

4.   Auditing of Internet use

     4.1   The means to audit Internet access exist within government and NHS
           organisations. There are two types of audit:

           Logging audit

           This class of audit can provide information on the date, time, employee
           identifier, workstation identifier, address of the web site visited, length of
           time visited and the name of any downloaded file.

           Content audit

           This form of audit examines the content of web pages. It may involve
           manual or automated processes designed to identify web pages containing
           particular words or content themes.

5.   NES approach to auditing

     5.1   NES retains the right to monitor Internet access. Retrospective
           examination of downloaded files may be undertaken. This right will be
           exercised only when there is good cause for such monitoring or when
           there is a legal obligation to do so.

     5.2   Good cause shall include the need to:

           -  detect employee wrongdoing
           -  comply with legal processes
           -  protect the rights or property of NES
           -  gain access to business communications.

     5.3   Legal obligations may include those arising from:

           -  transmission, processing or storage of inappropriate material such
              as pornographic and racist material
           -  any other suspected criminal activity.

     5.4   In all cases, investigation will require the specific authorisation of the
           Chief Executive.

     5.5   Where authority to monitor Internet usage has been granted, line
           managers may request the assistance of IT staff in the process.
           Alternatively, external personnel may be used on the authority of the
           Chief Executive.

                                                                           Page 2 of 8
     5.6   Information on the NES IT infrastructure to support the policy is
           included in Appendix 2.

6.   Internet code of practice

     6.1   NES Internet service is primarily for business use.

           Occasional and reasonable personal use of the Web is permitted
           provided that it does not interfere with the performance of employee
           duties, make inordinate demands on equipment, or degrade network
           performance.

     6.2   Personal use of Internet services must be restricted to employees’ own
           time and therefore should not take place within core flexitime hours.

     6.3   An employee must not deliberately visit, view or download any material
           from any web site with pornographic content, illegal material or material
           which is offensive in any way. See Appendix 1 for a statement on what
           constitutes ‘pornography’.

     6.4   Possession/storage and distribution/transmission of child pornography
           is a criminal offence which carries a prison sentence. Any staff found
           storing or distributing pornographic material will be subject to
           disciplinary proceedings and may be dismissed.

     6.5   If inappropriate material is accessed or downloaded inadvertently by an
           employee, the line manager must be informed. Access to a log of
           Internet access may be obtained (on the authority of the Chief
           Executive) if deemed necessary in order to confirm accidental misuse.
           This procedure protects the employee should any trace of the
           inappropriate access be found on their PC at a later date.

     6.6   A confidential ‘Internet Incident Register’ must be maintained
           regionally. This should reference the staff involved, the line manager,
           the date and time when the incident occurred or evidence for it was
           found and the actions taken.

     6.7   Files containing inappropriate material inadvertently downloaded must
           be removed from disk once the line manager has obtained details for
           the Incident Register.

     6.8   If backups or archives have been made which might include copies of
           these files, these backup files must be deleted.

     6.9   If these files exist on backup media, the tapes must be identified as
           containing “inappropriate material” and removed from the backup
           sequence. Such media must be reformatted before reuse.

     6.10  If these files exist on non-rewritable media (such as CD), the media
           must be destroyed. If these files exist on rewritable media (such as
           removable memory) then the contents must be erased before the media is
           used again.

     6.11  If evidence of intentional access or downloading of inappropriate
           material is found, such evidence must not be removed as it may be
           required for disciplinary or legal proceedings. An example could be an
           inappropriate file found in a public file area or on NES owned

     6.12  An employee must not subscribe to any bulletin boards, newsgroups or
           any other Internet service of any kind whatsoever without line
           management approval.

     6.13  An employee must not download software onto the organisation’s
           system without the prior written permission of the line manager. This
           includes screensaver software and shareware available free on the

     6.14  Serious deliberate breach of this policy by NES employees may be
           regarded as gross misconduct and as such dealt with under NES
           disciplinary procedures.

     6.15  For those who have access to the Internet through NES computers and
           services but who are not NES employees, deliberate breach of this
           policy may result in withdrawal of these benefits and the appropriate
           employing body being advised of this action.

     6.16  The Internet Incident Register form is included in Appendix 3.

                                                                         APPENDIX 1

What is pornography?

Pornography refers to sexually explicit material, e.g. in writings, films or
images. Laws on pornography are embodied in the following legislation:

   -  The Protection of Children Act 1978
   -  The Criminal Justice Act 1988
   -  The Obscene Publications Act 1959 and 1964.

These Acts have either limited application or do not extend to Scotland.

Relevant legislation in Scotland is embodied in the Civic Government (Scotland) Act
1982, Sections 51 and 52. Section 52 of the 1982 Act relates to indecent
photographs of children. ‘Photograph’ is said to include:

Data stored on a computer disk, or by electronic means which is capable of
conversion into a photograph.

Under Section 52, a person commits an offence if he or she:

   -  Distributes or shows an indecent photograph or pseudo-photograph;
   -  Has in his/her possession such an indecent photograph or pseudo-photograph
      with a view to its being distributed or shown by him/herself or others.

A person is said to be regarded as distributing an indecent photograph or pseudo-
photograph if he/she parts with possession of it to, or exposes or offers it for
acquisition by, another person.

Where a person is charged with an offence, it shall be a defence for him/her to

   -  That he/she had a legitimate reason for distributing or showing the photograph or
      pseudo-photograph or (as the case may be) having it in his/her possession; or
   -  That he/she had not him/herself seen the photograph or pseudo-photograph and
      did not know, nor had any reason to suspect, it to be indecent.

The Telecommunications Act 1984 provides that it is an offence to send “by means
of a public telecommunications system, a message or other matter that is grossly
offensive or of an indecent, obscene or menacing character”.

                                                                     APPENDIX 2

IT Infrastructure in Support of the Policy

All communication between NES and the Internet passes through a Security
Manager server. This server has three main functions – to keep a record of internet
access, to host a database of known malicious web sites (and block access to them)
and to protect against external threats.

1. All communication between NES and the Internet will be logged. The record will
include the employee's network name, web address visited, length of time accessed
and name of any file downloaded.

2. Access to the above record can be granted to members of staff as appropriate on
the authority of the Chief Executive. These records may be held in secure archives.

3. A database of known malicious sites is included in the software and access to
such sites is blocked at all times. The database is kept up-to-date by automatic
downloads from a secure Internet site.

4. All web communication is checked for virus content and quarantined as
necessary. Virus protection is kept up-to-date via automatic communication between
the software and the Internet.

5. In addition to known malicious web sites, other sites (for example because they
are considered detrimental to productivity) can be blocked permanently or for as
much of the working day as is felt appropriate by NES. Music download sites, sports
sites and eBay are examples.

6. Downloads from the Internet can be managed, e.g. restrictions placed on types,
size or time of downloads.
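The following is an added illustration, not part of the NES policy or of the Security Manager product it describes. It shows how the three controls listed above (a blocklist of malicious hosts enforced at all times, productivity sites blocked only during part of the working day, and restrictions on download types) can be evaluated against access records carrying the fields named in section 4.1 and item 1 of this appendix. The record syntax, the host lists, the core-hours window and the blocked file extensions are all assumptions made for the example; the sample log lines are constructed.

```python
"""Policy checks over proxy access records of the kind Appendix 2 describes (added example)."""
import os
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample records. The field layout is an assumption: the policy names
# the fields (date, time, user, workstation, URL, time spent, downloaded file)
# but not a syntax. "-" means no file was downloaded.
SAMPLE_LOG = """\
2004-03-01 10:15:02 jbloggs WS-EDIN-014 http://www.nhs.uk/training/ 120 -
2004-03-01 10:20:45 jbloggs WS-EDIN-014 http://www.ebay.co.uk/item/123 35 -
2004-03-01 12:40:10 asmith WS-GLAS-022 http://www.ebay.co.uk/item/123 35 -
2004-03-01 14:05:33 asmith WS-GLAS-022 http://malware.example/dl 2 setup.exe
2004-03-01 17:30:00 jbloggs WS-EDIN-014 http://freescreensavers.example/ 60 cute.scr
"""

# Assumed policy tables: the page gives the categories, not concrete values.
MALICIOUS_HOSTS = {"malware.example"}                       # blocked at all times
PRODUCTIVITY_HOSTS = {"www.ebay.co.uk", "sports.example", "music.example"}
CORE_HOURS = (time(9, 30), time(16, 0))                     # assumed blocking window
BLOCKED_EXTENSIONS = {".exe", ".scr", ".msi"}               # software and screensavers (6.13)


@dataclass
class AccessRecord:
    when: datetime
    user: str
    workstation: str
    url: str
    seconds: int
    download: Optional[str]


def parse_line(line: str) -> AccessRecord:
    """Parse one whitespace-separated record in the assumed layout."""
    date, clock, user, workstation, url, secs, fname = line.split()
    return AccessRecord(
        when=datetime.fromisoformat(f"{date} {clock}"),
        user=user,
        workstation=workstation,
        url=url,
        seconds=int(secs),
        download=None if fname == "-" else fname,
    )


def assess(rec: AccessRecord) -> List[str]:
    """Return the policy findings for one record (empty list if it is clean)."""
    findings = []
    host = urlsplit(rec.url).hostname or ""
    if host in MALICIOUS_HOSTS:
        findings.append("malicious-host")
    start, end = CORE_HOURS
    if host in PRODUCTIVITY_HOSTS and start <= rec.when.time() < end:
        findings.append("productivity-site-in-core-hours")
    if rec.download and os.path.splitext(rec.download)[1].lower() in BLOCKED_EXTENSIONS:
        findings.append("blocked-download-type")
    return findings


def audit(log_text: str) -> List[Dict[str, object]]:
    """Run the checks over a whole log and return only the records with findings,
    keeping the fields an Incident Register entry (Appendix 3) would need."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        findings = assess(rec)
        if findings:
            results.append({
                "user": rec.user,
                "workstation": rec.workstation,
                "when": rec.when.isoformat(sep=" "),
                "url": rec.url,
                "download": rec.download,
                "findings": findings,
            })
    return results


if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG):
        print(entry)
```

The time-of-day check is deliberately applied only to the productivity list; the malicious-host list is matched regardless of the clock, mirroring the distinction between items 3 and 5 above. Matching on the exact hostname rather than a substring avoids blocking unrelated sites whose names merely contain a listed string.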

                                                                     APPENDIX 3
NHS Education for Scotland
Part A of this form should be completed by an employee after an incident covered
within section 6 of the policy has occurred.

Part A
Date of Incident:                            Employee Name:
Time of Incident:                            Employee Involved:
Filename:                                    PC Identifier:
Description of Incident and action taken:

Signature of employee:                                    Date:

Signature of line manager:                                Date:

                                                                    APPENDIX 4
NHS Education for Scotland
Part A of this form should be completed by the head of the department with the
requirement for a change in access
Part B covers approval by the IM&T Manager or Corporate Records Manager as
Part C is the outcome and will be completed by IM&T

Part A
Department:                                 Department
Region:                                     Date:
Change in access for:
Group of staff:
Description of requirement:

Signature of head of department:                            Date:
Part B
Approval given by (signature of one or other required):
IM&T Manager (main):                                        Date:
Records Manager (deputy):                                   Date:
Part C
Action taken:
Change in access as specified above implemented on          Date:
Change in access as specified above denied
Reason for denial:

Action taken by:                                            Date:
