DRAFT – Version 4.1
NHS Education for Scotland
INTERNET ACCEPTABLE USAGE POLICY
1. Reasons for an Internet Policy
1.1 NES wishes to encourage staff to develop Internet skills. This will
support the business aims of the organisation and provide a learning
environment which will be good for staff personal and educational
1.2 This policy is intended to promote reasonable, responsible and well-
informed behaviour in the use of Internet services. It observes the
importance of implied trust between employer and employee.
Necessarily, it also highlights the risks and penalties which may result
from intentional misuse of these services.
2.1 Most NES employees are provided with Internet access via the NHS
network. Others have been given access via Internet Service Providers
(ISPs) using the public phone network. These services might be
provided at the normal place of work or elsewhere using NES portable
2.2 NHS organisations are entitled to monitor the content of work related
Internet usage for three main reasons:
To reduce employer liability for staff action through deliberately or
inadvertently breaking the law
To audit business communications and ensure working time is not
To prevent the abuse of NHS assets
2.3 The Data Protection Act 1998 allows organisations to use routine or
targeted monitoring as long as staff are forewarned and they are either
“necessary for compliance with legal obligations” or “necessary for the
purposes of legitimate interests pursued” (Schedule 2 of the Data
Protection Act 1998).
2.4 Traffic between the NHS network and the Internet is routinely audited
for network management purposes and to detect unauthorised activity
such as hacking or security breaches. There is no routine content
auditing of web pages or email.
2.5 In order to protect individuals and NES from the misuse of Internet
services, this policy contains important rules on their use.
3. Scope of the Policy
3.1 It is intended for all those who work for NES or who access the NHS
network under the auspices of NES.
4. Auditing of Internet use
4.1 The means of auditing Internet access within government and NHS
organisations exists. There are two types of audit:
This class of audit can provide information on the date, time, employee
identifier, workstation identifier, address of the web site visited, length of
time visited and the name of any downloaded file.
This form of audit involves web pages content. This might involve
manual or automated processes designed to identify web pages with
particular words or content themes.
5. NES approach to auditing
5.1 NES retains the right to monitor Internet access. Retrospective
examination of downloaded files may be undertaken. This right will be
exercised only when there is good cause for such monitoring or when
there is a legal obligation to do so.
5.2 Good cause shall include the need to:
detect employee wrongdoing
comply with legal processes
protect the rights or property of NES
gain access to business communications.
5.3 Legal obligations may include:
transmission, processing or storage of inappropriate material such
as pornographic and racist material
any other suspected criminal activity.
5.4 In all cases, investigation will require the specific authorisation of the
5.5 Where authority to monitor Internet usage has been granted, line
managers may request the assistance of IT staff in the process.
Alternatively, external personnel may be used on the authority of the
5.6 Information on the NES IT infrastructure to support the policy is
included in Appendix 2.
6. Internet code of practice
6.1 NES Internet service is primarily for business use.
Occasional and reasonable personal use of the Web is permitted
provided that this does not interfere with the performance of employee
duties, nor make inordinate demands on equipment or cause
degradation in network performance.
6.2 Personal use of Internet services must be restricted to employees’ own
time and therefore should not take place within core flexitime hours.
6.3 An employee must not deliberately visit, view or download any material
from any web site with pornographic content, illegal material or material
which is offensive in any way. See Appendix 1 for a statement on what
6.4 Possession/storage and distribution/transmission of child pornography
is a criminal offence which carries a prison sentence. Any staff found
storing or distributing pornographic material will be subject to
disciplinary proceedings and may be dismissed.
6.5 If inappropriate material is accessed or downloaded inadvertently by an
employee, the line manager must be informed. Access to a log of
internet access may be obtained (on authority of the Chief Executive) if
deemed necessary in order to confirm accidental misuse. This
procedure will protect the employee should any record of inappropriate
access be recorded on their PC and discovered at a later date.
6.6 A confidential ‘Internet Incident Register’ must be maintained
regionally. This should reference the staff involved, the line manager,
the date and time when the incident occurred or evidence for it was
found and the actions taken.
6.7 Files containing inappropriate material inadvertently downloaded must
be removed from disk once the line manager has obtained details for
the Incident Register.
6.8 If backups or archives have been made which might include copies of
these files, these backup files must be deleted.
6.9 If these files exist on backup media, the tapes must be identified as
containing “inappropriate material” and removed from the backup
sequence. Such media must be reformatted before reuse.
6.10 If these files exist on non-rewritable media (such as CD), the media
must be destroyed. If these files exist on rewritable media (such as
removable memory) then the contents must be erased before being
6.11 If evidence of intentional access or downloading of inappropriate
material is found, such evidence must not be removed as it may be
required for disciplinary or legal proceedings. An example could be an
inappropriate file found in a public file area or on NES owned
6.12 An employee must not subscribe to any bulletin boards, newsgroups or
any other Internet service of any kind whatsoever without line
6.13 An employee must not download software onto the organisation’s
system without the prior written permission of the line manager. This
includes screensaver software and shareware available free on the
6.14 Serious deliberate breach of this policy by NES employees may be
regarded as gross misconduct and as such dealt with under NES
6.15 For those who have access to the Internet through NES computers and
services but who are not NES employees, deliberate breach of this
policy may result in withdrawal of these benefits and the appropriate
employing body being advised of this action.
6.16 The Internet Incident Register form is included in Appendix 3.
What is pornography?
Pornography relates to the use of sexually explicit material i.e. in writings, films or
images. Laws on pornography are embodied in the following legislation:
The Protection of Children Act 1978
The Criminal Justice Act 1988
The Obscene Publications Act 1959 and 1964.
These Acts either have limited application or do not extend to Scotland.
Relevant legislation in Scotland is embodied in the Civic Government (Scotland) Act
1982, Sections 51 and 52. Section 52 of the 1982 Act relates to indecent
photographs of children. ‘Photograph’ is said to include:
Data stored on a computer disk, or by electronic means which is capable of
conversion into a photograph.
Under Section 52, a person commits an offence if he or she:
Distributes or shows an indecent photograph or pseudo-photograph;
Has in his/her possession such an indecent photograph or pseudo-photograph
with a view to its being distributed or shown by him/herself or others.
A person is said to be regarded as distributing an indecent photograph or pseudo-
photograph if he/she parts with possession of it to, or exposes or offers it for
acquisition by, another person.
Where a person is charged with an offence, it shall be a defence for him/her to
That he/she had a legitimate reason for distributing or showing the photograph or
pseudo-photograph or (as the case may be) having it in his/her possession; or
That he/she had not him/herself seen the photograph or pseudo-photograph and
did not know, nor had any reason to suspect, it to be indecent.
The Telecommunications Act 1984 provides that it is an offence to send “by means
of a public telecommunications system, a message or other matter that is grossly
offensive or of an indecent, obscene or menacing character”.
IT Infrastructure in Support of the Policy
All communication between NES and the Internet passes through a Security
Manager server. This server has three main functions – to keep a record of internet
access, to host a database of known malicious web sites (and block access to them)
and to protect against external threats.
1. All communication between NES and the internet will be logged. The record will
include the employee's network name, web address visited, length of time accessed
and name of any file downloaded.
2. Access to the above record can be granted to members of staff as appropriate on
the authority of the Chief Executive. These records may be held in secure archives.
3. A database of known malicious sites is included in the software and access to
such sites is blocked at all times. The database is kept up-to-date by automatic
downloads from a secure internet site.
4. All web communication is checked for virus content and quarantined as
necessary. Virus protection is kept up-to-date via automatic communication between
the software and the internet.
5. In addition to known malevolent web sites, other sites (for example because they
are considered detrimental to productivity) can be blocked permanently or for as
much of the working day as is felt appropriate by NES. Music download sites, sports
sites and eBay are examples.
6. Downloads from the internet can be managed e.g. restrictions placed on types,
size or time of downloads.
NHS Education for Scotland
INTERNET INCIDENT RECORD
Part A of this form should be completed by an employee after an incident covered
within section 6 of the policy has occurred.
Date of Incident: Employee Name:
Time of Incident: Employee Involved:
Filename: PC Identifier:
Description of Incident and action taken:
Signature of employee: Date:
Signature of line manager: Date:
NHS Education for Scotland
CHANGE OF INTERNET ACCESS REQUEST
Part A of this form should be completed by the head of the department with the
requirement for a change in access
Part B covers approval by the IM&T Manager or Corporate Records Manager as
Part C is the outcome and will be completed by IM&T
Change in access for:
Group of staff:
Description of requirement:
Signature of head of department: Date:
Approval given by (signature of one or other required):
IM&T Manager (main): Date:
Records Manager (deputy): Date:
Change in access as specified above implemented on Date:
Change in access as specified above denied
Reason for denial:
Action taken by: Date: