This guidance has been put together to highlight the policies that staff need to be aware of at the current time.

Remember that all staff need to continue to comply with the Trust information governance policies.

The Trust has seen an increase in attempted cyber-attacks on our systems. Please remain vigilant and do not open any links or attachments if the sending email address is not familiar to you, even if they appear to be official documentation relating to COVID-19.

If you need any advice, please contact infogov@addenbrookes.nhs.uk. It would help us if you include Covid-19 in your subject heading so we can prioritise your enquiry.

Home working

Trust data must only be accessed through either:

  • A Trust laptop using a RAS token;
  • Via BYOD
  • Outlook Web Access (OWA) (web email access) or email access via an app (ActiveSync)
  • Documents stored on an encrypted (Trust issued) device such as a USB
  • Paper documentation, however this must be kept to a minimum

Whilst working at home, staff must:

  • Not forward Trust data from their work email address to their home email address;
  • Avoid leaving mobile devices within sight of ground floor windows or within easy access of external doors;
  • Not leave Personal Identifiable Data (PID)/business confidential information lying around;
  • Destroy hard copies of documents containing PID/business confidential information at the Trust unless you have a cross-cut shredder;
  • Not transfer data from a mobile device to your home PC;
  • Return all Trust data to the Trust for storage/retention;
  • Avoid casual observation of PID/business confidential information, e.g. someone looking over your shoulder;
  • Avoid, where possible, verbal conversations being overheard if they involve discussions about patients;
  • Hold direct verbal conversation with the patient in private where at all possible;
  • Put in place secure transport arrangements (see below transporting PID off site) that also comply with the Covid-19 guidance during the current operational pressures if staff are unable to come on site to collect paper documents/dictation tapes etc.
  • Not hold patient contact details on your own mobile phones. If a message or text is required then patient data must be kept to a minimum and the message or text must be deleted as soon as possible.

Web and video conference facilities

  • Unless you need to share a screen, use teleconference services for meetings
  • Standard Trust tools – WebEx, GoToMeeting, Zoom or StarLeaf
  • Staff can use a smart phone/tablet/personal device – Skype or FaceTime
  • Online meetings must not be recorded/videoed
  • If sharing a screen ensure that no PID is visible unless the purpose of the meeting is to discuss the PID
  • Screen prints of your screen must not be taken
  • If a patient is participating in the conference, their consent must be sought before they take part
  • Check that the right people have joined the conference before commencing the meeting

Teleconference facilities

  • To be used for all meetings unless the sharing of a screen is absolutely necessary.
  • Standard Trust tools – Reservations plus (provided by Voice Services)
  • Check that the right people have joined the conference before commencing the meeting

Use of social media applications for the purpose of communicating with staff

Standard Trust tools – WhatsApp.

  • Each group must have a designated owner.
  • Access to the group must be managed
  • PID must not be shared via apps
  • No photos, videos or PID must be stored on the user’s personal phone
  • Before sending a message, check the recipients to ensure all contact details are correct.
  • Users are responsible for taking all reasonable steps to safeguard their device in line with the information governance and information security policy.
  • Users must not screen print or copy the screen.
  • Users must not voice record
  • Users must ensure that WhatsApp is not set to backup

Taking PID off the hospital site

Any paper documents or mobile devices that are not encrypted (e.g. dictation tapes) and that contain PID must be:

  • Only taken off site when it is absolutely necessary;
  • Transported in a locked bag/container (e.g. using a padlock on a bag);
  • Not left unattended whilst in transit;
  • Kept secure whilst off site.

Medical records or copies of the medical records must not be taken off site unless for outreach clinics or for Coroners/Legal cases. If they have to be taken off site they must be carried in a locked bag or box or transported by Trust approved courier.

Bring your own device (BYOD)

The BYOD policy applies to any Trust-owned or privately owned device which uses the BYOD service to access Trust data and services.

  • Copying or movement of data is not allowed from the BYOD container to the device
  • Devices must be set to automatically lock after 5 minutes of inactivity
  • Where a BYOD-enabled device has been lost or mislaid, it should be reported to the Service Desk within 24 hours so that it can be remotely locked for security purposes.
  • Where a BYOD-enabled device is known to have been stolen, the theft should immediately be reported to the Service Desk who will lock the device remotely and wipe (reset) the BYOD container for security purposes.
  • Access to Trust email must remain separate from private email at all times
  • Automatic forwarding of emails is not possible between Trust email and private email accounts
  • Personally installed apps cannot access any of the data in the Secure Container.
  • On no account should any personal identifiable information regarding Trust staff or patients be stored or processed on the device outside of the secure container or on any cloud services to which a personal device might be connected.

Remote access to email

Users who wish to access Trust email through either web services or apps must adhere to the following policy:

  • Users must set a password or pin on their device
  • Care must be taken to avoid casual observation
  • Automatic screen locks must be enabled on the device
  • Data must not be saved from email to a local PC or device
  • Staff must always log out/lock access when away from the device/PC

Users of remote access to email must be aware that:

  • It does not support shared mailboxes; if this access is required, users will need to register for BYOD access
  • Users receiving data to their own device may incur a financial cost, depending on their contract

For more information please contact the information governance team
infogov@addenbrookes.nhs.uk