This document forms part of the implementation process for the policy on Information and Technology Security.
Documents to be read alongside this document: Information Management and Technology (IM&T) Security Policy; BCUHB Code of Conduct (Disciplinary rules and standards of behaviour).
Purpose of Issue/Description of current changes: This is the first version of the Written Control Document (WCD) for the Use of Health Board Internet Facilities.
Betsi Cadwaladr University Health Board
This document is one of a set of WCDs which describe in detail how Betsi Cadwaladr University Health Board (BCUHB) will implement its IM&T Security Policy.
BCUHB provides Internet access to staff and other authorised users for purposes that are directly of benefit to both BCUHB and the user, in the work they undertake on behalf of BCUHB. These purposes include personal development; research and the review of clinical practice.
BCUHB also permits limited personal use of the Internet, subject to strict conditions, as described below in section 8.
Internet access, or use, is defined, for the purposes of this document, as access to pages and/or web sites that are available outside UK-wide NHS web sites. This access also includes the use of Internet facilities such as web-based email, “blogs”, forums etc.
Aims and purposes of this document
The purpose of this WCD is to:
• Ensure that users are aware of the standards of acceptable use when using the internet
• Ensure users are aware of what is regarded as unacceptable use when using the internet
• Provide guidance to users on their individual responsibilities when using the internet
• Define how internet usage will be monitored
• Ensure that users are aware of the consequences of breaching this document.
This document will support BCUHB compliance with British Standard ISO/IEC 27001:2005 - Information Security Management Systems Requirements (see Appendix B), as mandated in Welsh Health Circular WHC 2002(36) – Implementation of BS7799 Standards.
This document will apply equally to all internet users throughout BCUHB and includes facilities which have been provided via the national NHS network
Access to the internet will be restricted to authorised users, subject to the following criteria:
• Users must have a valid reason for accessing the internet, which will normally be to enable them to carry out their duties effectively
• All applicants must sign an Internet Application Form, which must be counter-signed by a Head of Department or Line Manager
• Users must read the IM&T Security Policy along with this document and agree to abide by its content.
Authorisation for access process
Requests for internet access should be directed to the IT Helpdesk in accordance with the Health Board’s IM&T security procedures.
Appropriate use
During normal working hours or when otherwise on duty, use of the internet will be strictly limited to BCUHB business.
Downloading facilities will be restricted to authorised users (see Appendix C – Internet Category Management). If this causes difficulties for any user they should contact their local IT Service Desk.
Users must not, under any circumstances, permit patients, relatives or members of the public to use the Internet via BCUHB owned equipment unless specifically provided for that task
Users must adhere to the criteria for access within this document if accessing the Internet from other locations (e.g. local authority, educational premises) during their normal working hours or when otherwise on duty. Users will also be expected to comply with any additional local criteria for use which are not in conflict with this document.
Inappropriate Use
Users must not use the internet for any purposes which contravene:
• Laws that apply within the United Kingdom (see Appendix A)
• International laws (see Appendix A)
• BCUHB policies and associated procedures
• Relevant professional Codes of Conduct
Users must not access the Internet via another user's account.
Users are advised to particularly note the content of Appendix A, as contravention of the law could have serious consequences such as imprisonment, fines or removal of professional registration.
Users must not access the internet in a way which might be considered offensive to another person.
Users must not infringe the copyright of any person or organisation.
Users must not use the internet for conducting personal business for financial gain or personal benefit.
Users must not use the internet to defame or criticise BCUHB, another organisation or any living or deceased person.
Users must not make or attempt to make any alteration to the configuration of their Internet access software.
Users must not connect BCUHB owned equipment directly to the Internet at home or at any other location outside BCUHB unless they have been granted VPN remote access by their IT department.
Inappropriate use of the internet may lead to suspension of access for the user and/or disciplinary action.
Weblogs (Blogs) and Discussion Forums
BCUHB permits users to benefit from such sites, provided that their use is of benefit to BCUHB via the user's role.
Users are not permitted to use such sites for personal reasons during working time.
Users must never use these sites in a way which would discredit BCUHB or discredit or cause offence to any person, living or deceased.
Users will be personally liable for their actions when using such sites.
Personal Use
Personal use of the internet is permitted for a maximum total of 2 and a half hours a week including Saturday and Sunday, e.g. during authorised personal breaks.
These times may only be exceeded with the permission of your Line Manager or Head of Department via request to IT helpdesk.
The user should be aware that any web pages left open will use up their personal allowance quota.
In order to avoid causing offence to other persons or creating any misunderstanding, personal use is not permitted in open, publicly accessible areas.
BCUHB will not take any responsibility for personal financial transactions conducted whilst using BCUHB equipment during authorised personal breaks.
BCUHB monitors all internet usage, via the use of automated software, to detect and record details of access to web sites and prevent the introduction of viruses and other malware to the BCUHB computer network.
BCUHB will issue Internet Usage reports to managers, on issues such as top 10 highest users, in order to facilitate local monitoring of internet access and promote compliance with this document.
Line Managers who have concerns regarding inappropriate use of the Internet by a member of their staff should log a request with the Information Technology (IT) helpdesk to obtain a more detailed report on their usage. These detailed reports are confidential and potentially sensitive and should be stored in line with the records management retention and destruction schedule.
Any breaches identified should be reported immediately via the Health Board’s incident reporting procedure.
10. Availability of and access to Internet sites
10.1 In order to protect the interests of BCUHB Internet users, access to certain web sites / pages may be prohibited / restricted.
10.2 Users may request access to prohibited / restricted sites and if BCUHB is satisfied that access is appropriate it will be granted.
10.3 Any such requests will be logged and regularly reviewed by your IT department in accordance with change control procedures.
11. Legislation
The following is a summary and not an authoritative statement of the law. It is intended solely as a guide to help readers of this document avoid contravention of the law. Relevant advice is also included where appropriate. Further guidance can be provided by Information Governance staff.
Illegal material
There are four categories of illegal material which users may inadvertently access on the Internet:
• Images of child abuse, hosted anywhere in the world
• Criminally obscene images, hosted in the UK
• Criminally racist content, hosted in the UK
• Sites which contain content which incites or facilitates the perpetration of any crime
Users are advised that they must never access such sites via a BCUHB computer, as to do so is a serious criminal offence and could result in imprisonment, fines or removal of professional registration.
Important advice to users if such a site is accessed inadvertently
• Switch off the screen so that no one else can view the material. Note: Do not switch the machine off.
• Place a notice on the machine stating "Do Not Touch or Use".
• Inform your manager or other senior person immediately.
• Via senior management (usually a Board Executive Director), the police will be informed. Users must not contact the police directly.
Content may also be stored on various servers. Again, nobody should attempt to view this material on these servers. The Police will be informed that material may be cached on those servers as well.
Illegal material must never be forwarded to anyone. If this is done the sender will become part of ‘the chain of distribution’ and will be prosecuted.
If users have concerns about the legality of any site, they should contact their manager or Information Governance team for advice.
Indecent images
It is against the law to actively seek out or ‘make’ such images, and claiming to do so in order to report such images to a law enforcement agency or any other organisation would not be a defence in court. The term ‘make’ includes downloading images from the Internet and storing or printing them out. The Protection of Children Act 1999 and the Sex Offences Act 2003 prohibit the “taking or making” of an indecent photograph or pseudo-photograph of a child. ('Pseudo-photograph' means an image, whether made by computer graphics or otherwise howsoever, which appears to be a photograph.)
Obscene images
The Obscene Publications Act 1959 and the Obscene Publications Act 1964 make it an offence to publish any article whose effect is such that it will tend to "deprave and corrupt" those likely to read, see or hear the matter contained or embodied in it. Having such matter in your possession will be seen as a contravention of this law.
Document number here: Version: 1 - Final draft Page 6 of 15 Paper copies of this document should be kept to a minimum and checks made with the electronic version to ensure the version to hand is the most recent.
Racist Material
Public Order Act 1986
This act makes it an offence for a person to use threatening, abusive or insulting words or behaviour, or to display any written material which is threatening, abusive or insulting, if:
• A person intends to stir up racial hatred
• Having regard to all the circumstances racial hatred is likely to be stirred up.
Appendix A – Internet Category Management
The table below categorises the types of web sites available and indicates whether categories are blocked, principally business-related or for personal use.
Category Title
Description of Category
Sites that offer or promote software that collects information about users to display targeted advertising based on browsing patterns and/or install toolbars with the user's knowledge
Sites promoting the use of alcohol, including drinking, recipes, home brewing, adverts etc
Sites that provide information or promote animal/pet care, breed, veterinary care, boarding, adoption and care info
Personal use permitted
Non-commercial sites that promote, exhibit and/or display works of art, artists, and provide instruction on the creation of art, excluding explicit art, and museum sites
Personal use permitted
Bad Reputation Domains
Sites that appear on one or more security industry blacklists for repeated bad behaviour, including hosting malware and phishing sites, generating spam or hosting content linked to by spam email
Banner/Web Ads
Banner ads served from 3rd party URLs that track online analytics and/or website traffic for marketing report purposes
Books & Literature/Writings
Sites that discuss and promote books, literature, and periodicals distributed with the intention of providing entertainment
Personal use permitted
Sites that known malware and spyware connects to for command and control of infected machines by criminals
Sites offering chat rooms and chat services as well as Chat sites accessed via a web browser
Child Pornography
Sites that promote, discuss or portray children in sexual acts and activity, or the abuse of children. Pornographic sites that advertise or imply the depiction of under age models
Sites that discuss, distribute, display and promote comics, comic books and cartoons. These include on-line cartoons and official web sites of comic strips
Personal use permitted
Community Organisations
Sites of non-profit charity and community involvement organisations
Classified as Business use
Criminal Skills
Sites that promote crime or illegal activity such as credit card number generation, illegal surveillance and murder
Cults
Sites relating to non-mainstream religious organisations
Dating / Personals
Sites that are related to personal ads, dating, dating services, relationships, introductions, etc
Domain Landing
Registered hosted pages with no significant appreciable content other than current owner information, solicitation for URL buyers, and/or links to seller information
Sites of a questionable legal or ethical nature. Sites which promote products, information or devices whose use may be deemed unethical or, in some cases, illegal
Dynamic DNS Services
Domains used by Dynamic DNS service providers for IP aliasing
Edge Content Servers/Infrastructure
Sites that host images, media and static secondary content for web sites. Sites in this category represent Internet "infrastructure"; they provide web companies with high speed delivery of content. Examples include Akamai or Level 3.
Classified as Business use
Web sites of schools, learning centres, universities and trade schools. Sites that promote and discuss materials and information that aid in teaching
Classified as Business use
Educational Games
Sites that offer games relating to education, such as reading, spelling, maths etc
Classified as Business use
Sites geared towards job seekers, such as on-line job bulletin boards, classified ads, resume listing services, head hunting firms etc
Personal use permitted
All general entertainment sites excluding books, comics, movies, music, theatre, restaurants, clipart, amusement parks and cell phone ringtones
Personal use permitted
Explicit Art
Art sites that display art containing nudity, nude photography, sex acts and/or disturbing images
Fantasy Sports
Sites that promote, discuss, provide advice on or provide automated management of fantasy sports teams and leagues
Personal use permitted
Sites promoting and discussing models, modelling, fashion and apparel in a noncommercial manner. May contain some R Rated material or bikini pictures
Personal use permitted
Financial Institution
Sites relating to the finance trade such as stock trading, financial news, online banking services and trading exchanges
Personal use permitted
Sites promoting and discussing exercise, yoga, health clubs, nutrition and weight loss
Classified as Business use
Free Hosts
Sites hosted by consumer oriented free hosts or ISPs
Sites that provide repositories of shareware and freeware for download
Sites which encourage gambling such as betting sites, bookmaker odds, lottery, bingo, horse/dog tracks, online sports betting, online casinos etc
Sites related to computer games such as game downloads sites, online games and video games. Sites containing information about board, roleplaying or tabletop games are also included
Personal use permitted
General Business
Web sites for businesses and commercial organisations where business is defined as an organisation that provides goods and/or services for profit
Classified as Business use
Generic Remote Access
Sites that provide information about or facilitate access to information, programs, online services or computer systems remotely eg web x, go to my pc
Generic Streaming Media
Sites designed to offer streaming media
Sites of governmental agencies at a national, state, local or international level
Classified as Business use
Sites discussing and/or promoting unlawful or questionable tools or information revealing the ability to gain access to software or hardware/communications equipment and/or passwords
Hate & Discrimination
Sites that contain material related to discrimination to any people based on race, gender, religion, nationality etc
Sites of medical practices, hospitals, health insurance providers and nursing homes. Sites offering information on health, medicines, preventative care or other health-related topics
Classified as Business use
Sites offering information on alternative medicines and natural healing
Classified as Business use
Sites whose primary purpose is for comedy, jokes, fun, etc
Personal use permitted
Illegal Drugs
Sites that promote the use, cultivation or purchase of illegal drugs. These may include products which claim to help users clean their system for drug tests
Image Servers and Image Search Engines
Web servers and search engines whose primary function is to deliver images, artwork, personal photos, photo galleries and free images/pictures for commercial use. Excluded adult content categorized elsewhere
Personal use permitted
Information Technology
Sites containing reviews, discussion, distribution and promotion of computer programs, software, systems and hardware. Sites which offer information resources, hosting, or guides for the creation of computer software and websites
Personal use permitted
Internet Radio
Sites that offer streaming radio internet programming and podcasts
Internet Service Providers
Sites and guides to services that offer access to the Internet
Invalid Web Pages
Sites where a domain may be registered but no content is served or the server is offline
Child friendly sites. Sites designed specifically for children. Excludes educational games
Personal use permitted
Sites pertaining to legal services, personal legal reference and on-line legal aid
Personal use permitted
Sites that contain material relative to an individual's personal life choices. This includes sexual preference, cultural identity or organisation/club affiliations
Personal use permitted
Local Community
Sites of community governmental agencies and sites that promote and announce community events and community involvement
Personal use permitted
Malicious Code/Virus
Sites that promote, demonstrate and/or carry malicious executable virus or worm code that intentionally causes harm by modifying or destroying computer systems
Message Boards
Websites that offer message boards, bulletin boards and forums. Websites that provide downloads and customisation of web message board software
Personal use permitted
Military Appreciation
Sites that pertain to individual appreciation, remembrance or dedication to military units and organisations
Personal use permitted
Military Official
Official websites of government-backed military organisations
Personal use permitted
Movies & Television
Sites that discuss and promote film and television, including official and unofficial sites of movies and TV programs, as well as those of celebrities
Personal use permitted
Music Appreciation
Sites that discuss and promote music, musicians, and the methods by which they are distributed. These sites include official and unofficial sites of musicians
Personal use permitted
Websites that distribute news, current events and headlines
Personal use permitted
Sites that contain explicit, graphical or text depictions of such things as mutilation, murder, bodily functions, horror, death, rude behaviour, executions, violence and obscenities etc
Blocked Personal use permitted
Online Auction
Sites that offer access to online auctions where visitors can bid on items
Personal use permitted
Online Classes
Sites that provide access to classes conducted via the Internet
Personal use permitted
Online Greetings Cards
Sites that offer e-greeting cards or e-postcards
Personal use permitted
Online Trading/Brokerage
Sites that facilitate online active trading of securities
Personal use permitted
Sites dealing with subjects of the paranormal. This includes topics such as mysticism, UFOs, astrology, numerology, the occult and conspiracy theories
Personal use permitted
Peer-to-peer/File Sharing
Sites dealing with peer-to-peer file sharing protocols and applications
Deceptive sites used to acquire personal information for fraudulent purposes
Political opinion
Opinions dealing with political concerns such as party platforms, political reform, candidate advocacy, PACs, lobbying organisations etc
Personal use permitted
Pornography/Adult Content
Sites that portray sexual acts or simulated sexual acts. Sites with explicit nudity (Including see-through clothing), sex toys, explicit writing, swinger sites, adult verification systems and fetish sites
Sites whose primary purpose is to offer entry point services to other web sites via links sorted by topics and/or subjects
R Rated
Sites involving 18+ material such as lingerie, swimwear and revealing pictures. Adult in nature but not explicitly pornographic
Real Estate
Sites pertaining to the buying, selling, renting and leasing of properties
Personal use permitted
Sites dedicated to recreational activity such as outdoor activities, horticulture, decorating, collecting and social organisations
Personal use permitted
Reference collections, including encyclopaedias, atlases, science resources, historical data, dictionaries, thesaurus and translators etc
Classified as Business use
Sites that pertain to mainstream religious institutions such as churches, temples, mosques etc
Personal use permitted
Religious opinion
Sites with commentary on mainstream religious issues
Personal use permitted
Sites that provide information, promote, list, review or advertise dining, catering services, restaurants, cafes, eateries, take-outs and fast food
Personal use permitted
Classified as Business use
Reviewed/Miscellaneous
Random content that does not fall under other categories
School Cheating
Sites that offer material which enables students to plagiarise or cheat in their academic endeavours
Search Engines
Major portal sites that either search the internet or have a directory-based database of sites. Includes all sub-URLs under the main site
Classified as Business use
Self Defence
Websites that offer information and advocacy on self defence tools of a non-lethal nature. Techniques and products such as those designed to immobilise or harm a subject but not intended to cause death
Personal use permitted
Self Help
Sites that include information such as therapies, counselling services, motivation, conferences, articles, self-awareness, spirituality etc
Classified as Business use
Sites that contain consumer oriented online shopping, online malls, classifieds and online trading/auction services
Personal use permitted
Social Networking
Sites that promote online social networking. The content of such sites consists mostly of personal pages linked together in a social network that can be based on any criteria, such as schools, universities, business or friendship
Social Opinion
Sites that contain opinion on a variety of topics
Personal use permitted
Sites for professional, collegiate and other competitive sports, teams, magazines, events etc
Personal use permitted
Sites that promote or secretively install software to monitor user behaviour and/or change user computer configuration for malicious or advertising purposes
Sites that contain information regarding militias, anti-government groups, terrorism, anarchy etc
Sites that promote and discuss live drama performances
Personal use permitted
Sites that offer ticket sales for entertainment concerts, sporting events, racing etc
Personal use permitted
Sites that sell or promote the use of tobacco and tobacco-related products
Sites that offer travel tickets and reservations, travel clubs, travelogues, visitor information bureaus etc
Personal use permitted
Sites that discuss, promote and offer information on all forms of transportation
Personal use permitted
Video Sharing
Sites that allow users to post, share and view videos.
VoIP
Sites that provide information and/or products to facilitate phone calls using the Internet
Sites that provide information and promote the collecting, maintenance, advocacy and sale of legal firearms, knives, swords and other weapons
Web sites that offer forecasts, updates and traffic condition information
Personal use permitted
Web-based Email
Sites that offer online web-hosted email services.
Web-based Newsgroups
Archives of Usenet postings
Web-based Storage
Storage of personal files on remote servers for backup or exchange purposes
Web Hosts
Sites that offer domain names and web space for hosting fee-based web pages
Web Logs/Personal Pages
Web sites from personal or noncommercial sources which feature commentary and articles written in a log or journal
Web-based Productivity Apps
Sites that host web-based applications for word processing, spreadsheets, collaboration or project management
Web-based Proxies/Anonymisers
URLs and Patterns which Blocked access to web-based proxies and anonymisers which are typically used to circumvent URL filtering
Personal use permitted
Personal use permitted