General Note
NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the latest version published, or if national policy or legislative changes are made.
1. FUNCTION
NHS Fife has a responsibility to ensure that all data stored on its data-bearing computer systems is appropriate to the needs of NHS Fife, is securely held, is available in a complete and accurate form when needed and complies with the requirements of the Data Protection Act. The use of corporate endpoint devices forms a major part of the Digital and Information (D&I) estate management. However, this also increases the risks associated with the secure storage of data. The purpose of this policy is to set out the criteria for the provision of devices and the conditions relating to their use. This policy is a supplementary policy to NHS Fife’s Information Security Policy. The term Corporate Endpoints includes, but is not limited to, desktop computers, laptop computers, tablets and smartphone devices.
This document forms part of NHS Fife’s alignment to the Network and Information Systems (NIS) Regulations 2018. NHS Fife reserves the right to change this policy to meet any future changes in technology or guidelines for Information Security and Data Protection.
2. LOCATION
This policy is applicable to all staff, contractors and volunteers working within NHS Fife.
3. RESPONSIBILITY
3.1 Digital and Information
The D&I department is responsible for this policy and for the management of the endpoint device infrastructure. NHS Fife-owned devices will be asset tracked, issued, and deployed with the various device management and orchestration platforms installed.
3.2 Users
It is the responsibility of all staff to ensure the confidentiality, integrity and availability of data recorded, managed, and processed on behalf of NHS Fife and to comply with the requirements of NHS Fife policies and legislation.
Each endpoint device user must take personal responsibility for the security of the equipment, software, and data in their care.
All users have a responsibility to report the loss or theft of any device to the D&I Service Desk.
Obligations:
- Users must understand that corporate endpoint devices are not backed up, and users are solely responsible for all personal content they process on the device.
- Users must accept that D&I security policies will be applied to the device, which may include, but are not limited to, username and password, passcode, screen timeout, multi-factor authentication, password / passcode complexity and encryption.
- Users must take appropriate precautions to prevent any other individual from accessing their device, including the safe keeping of any credentials.
- When connectivity is no longer required the user must contact NHS Fife Digital and Information in order that the connection can be terminated.
3.3 Line Managers
All managers are to ensure that personnel issued with an endpoint device have a genuine need for the device and for that device type. It is the responsibility of all line managers to ensure their staff adhere to policy and use any device in a professional manner.
The Line Manager must inform the D&I Service desk when a member of staff leaves the department or organisation to ensure that their access rights are reviewed / removed, and any devices are returned to the D&I Department. Managerial budgetary approval must be obtained for the purchase of endpoint devices.
4. OPERATIONAL SYSTEM
This policy applies to the use of corporate endpoint devices supplied or funded by NHS Fife. Personal mobile devices that use approved apps to access corporate applications are governed by GP/E7 Non-NHS Fife Equipment Policy.
NHS Fife will also consider the connection of devices that are:
- Wholly owned and managed by NHS Fife.
- Personally owned devices where it has been agreed, through the application process, that there is an acceptable business need for this connection i.e., MICAD.
- NHS Scotland M365 apps on personal devices that will be subject to conditional access, and subject to additional security policies being applied.
A key requirement of this policy is that NHS Fife reserves the right, remotely or otherwise, to erase all data from any corporate device in the event of a risk of a confidentiality breach.
NHS Fife cannot be held liable for the erasing of any user content (either personal or business related) should it be deemed necessary to wipe a device to protect NHS Fife information, or if a wipe is accidentally conducted.
Cameras within mobile devices are not to be used unless part of an approved procedure.
Device Management software, or any software deemed necessary, must be installed before connection is allowed.
4.1 Restrictions
- Use must comply with the NHS Fife Password and Access Policy for Domain Accounts.
- Passcode: minimum 6-digit PIN.
- Auto-lock set to 1 minute.
- Passcode history: 10 previous passwords.
- Grace period for device lock: immediate; the device locks after the 1-minute auto-lock period and requires the passcode as soon as it locks.
4.2 Purchase of Apps
Users issued with a device for their sole use must use Apps@Work (iPad) or the managed Google Play store (Android) as the app store. They are then authorised to install apps from the NHS Fife library of apps as well as pre-approved apps they deem useful from the relevant app store.
Users are responsible for the payment of any app unless they have prior agreement with their budget holder.
Any requests for central payment (and installation) of an app will be taken into consideration by the appropriate D&I endpoint manager. Requests should be logged via the D&I Service desk. Apps purchased by NHS Fife and installed via a user’s personal ID will remain the property of NHS Fife.
Users are not permitted to install any unauthorised software, drivers or plugins even if the system does not prevent it. All requests for software, drivers or plugins should be submitted through the IT service desk.
4.3 Personally Identifiable Information (PII)
To comply with the Data Protection Act and the recommendations of the Information Governance & Security Group, personally identifiable information shall be stored on an endpoint device only when this is necessary. Where it is necessary to store such information, the following conditions apply:
- The device must be owned by NHS Fife.
- Password authentication must be applied.
- Encryption must be applied.
- Only approved applications or apps are to be utilised.
- Users must allow patches and updates to be applied and restart the device as prompted.
- Measures shall be taken to maximise the physical security of the device.
4.4 Data Storage
Endpoint devices should not be considered the primary data repository as they are not backed up.
4.5 Personal use
NHS Fife accepts no responsibility for personal data or software that is deleted or corrupted whilst a corporate device is being repaired or serviced by NHS Fife’s D&I Department. The use of corporate devices to incur unauthorised costs by making charity donations, entering competitions, or any other premium rate / charged messaging activities is strictly forbidden. All users should also be aware of the data limit on their corporate tariff and stay within it at all times.
Users wishing to use their personal devices to access corporate data must comply with the GP/E7 Non-NHS Fife Equipment Policy.
4.6 Use of internet
Due care must be taken when using the Internet on any device, maintaining awareness of the persistent cyber threat. Users are advised to be aware of any other relevant NHS Fife policies that apply to endpoint devices. These include (but are not limited to) the related policies listed in section 6.
4.7 Audit and Inspection of Devices
All data and software held on NHS Fife endpoint devices may be inspected by authorised staff at any time and without warning. Users may be required to remove software and/or data which D&I and/or Information Governance deem inappropriate for use.
4.8 Device Management Solution
Various endpoint device management solutions are employed by NHS Fife. These manage user access and simplify app and device management across endpoint devices.
The centralised capabilities include:
- Publish apps to users.
- Configure apps and automatically update apps.
- Apply patches and updates.
- Create and deploy security Policies.
- Use conditional access to only allow managed and compliant devices access to the organisation’s resources.
- Remote wipe/remove the organisation’s data if lost or stolen.
- Apply rule-based management and security protection tools to unenrolled or personal devices connecting to corporate cloud applications, such as M365, in order to protect the data stored within these apps.
5. RISK MANAGEMENT
NHS Fife staff shall respect the confidentiality and privacy of individuals whose records they access, observe any restrictions that apply to sensitive data, and abide by legislation, policies, procedures, and guidelines with respect to the access, use or disclosure of information.
The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain or profit, or to satisfy one’s personal curiosity or that of others.
It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.
Regarding the Health & Social Care Partnership (H&SCP), the Partnership Management Group will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.
6. RELATED DOCUMENTS
- GP/E6 - Email Policy
- GP/A4 - Acceptable Use Policy
- GP/D3 - Information Governance & Data Protection Policy
- GP/B2 - Remote Access Policy
- GP/I3 - Internet Policy
- GP/E7 - Non-NHS Fife Equipment Policy
- GP/I5 - Information Security Policy
7. REFERENCES
- General Data Protection Regulation (GDPR)
- Network and Information Systems (NIS) Regulations 2018
- Computer Misuse Act 1990
- Data Protection Act 2018
- Freedom of Information (Scotland) Act 2002
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000