East Midlands Strategic Health Authority

Mobile Computing Procedure

 

Introduction

Portable computer equipment is now being used more and more within the NHS environment and the security of such equipment, and the confidentiality, integrity and availability of information held/stored on the equipment, can be difficult to maintain. 

The security provided should be equivalent to that for on-site equipment used for the same purpose, taking account of the risks of working outside of the organisation’s premises.

The Data Protection Act 1998, the Information Security NHS Code of Practice and the Caldicott recommendations all refer to, and cover, the requirement to ensure that information is transferred in a secure and confidential manner.

Unauthorised disclosure of personal information, which may occur because someone (the organisation and/or individual) is knowingly reckless or is deliberately sharing information, could lead to investigation by the NHS Counter Fraud Service and/or Police. This may result in criminal, civil or disciplinary action against the individual and/or the organisation if an individual suffered as a consequence of the disclosure and decides to seek legal redress.

The use of portable equipment also creates risks due to lack of physical security and environmental considerations. Therefore, users of portable equipment need to be made aware of the dangers of loss, damage and breaches of security/confidentiality that can occur to the information they have responsibility for on the portable equipment.

Definition of a Portable Computer/Equipment

Portable computer/equipment covered under the requirements of this procedure can be any of the following:

  • Laptop computer
  • Handheld computer
  • Notebook computer
  • Palmtop computer
  • Personal Digital Assistant (PDA)
  • Blackberry or Smartphone
  • Mobile phone
  • Digital camera
  • Mass Storage Devices – including discs, memory sticks

 

Purpose

A breach of security and/or confidentiality can occur very easily with the loss or misuse of portable equipment. It is therefore the purpose of this procedure to provide clear guidance for those staff/employees/agents of the NHS East Midlands who use any of the equipment identified in section 4 above. 

Management Responsibilities

  • Before it is decided if an employee or agent can be allocated and use portable equipment, a risk assessment should be undertaken to identify any potential risks to the data/information, programmes and the equipment/media.  The vulnerabilities should be examined and it should be established if the countermeasures would be sufficient to ensure the risks are reduced to an acceptable level.  Ideally this will mean the risks have been eliminated.  If it is not possible to eliminate the risks their existence should be recognised and logged.
  • NHS East Midlands needs to be aware of who has portable equipment as detailed in section 4 and, if they are going to hold/store any person identifiable information for work related purposes, ensure that, if relevant, the information is registered under the Data Protection Act 1998.  This will involve liaising with the data protection lead.  The data protection lead should also provide advice concerning compliance with the relevant data protection principles.
  • The details should be logged on the asset register to include which employee has current responsibility for the portable equipment.  All equipment will be signed out when allocated to a member of staff and signed in when returned to NHS East Midlands, whether because the employee leaves employment, changes job and no longer needs the equipment, or is off on long term sickness or extended annual leave.  The following should also be detailed in the asset register/log:
    • Details of the equipment
    • The information it holds
    • The information it will hold
    • Equipment asset number
    • Details of person ‘loaning’ the equipment

  • It is important to know this detail as it may be relevant for dealing with a data protection subject access request.  It is also needed to ensure compliance with the data protection registration/notification. 
  • Management must ensure all staff using portable equipment are made aware of their personal responsibilities under the Data Protection Act, their contract of employment, Confidentiality Code of Conduct and policies and procedures relevant to the security and confidentiality of personal information.  The most relevant will be the Data Protection Policy and the Information Security and Access Control Policy.
  • Training will be arranged for staff using mobile computing to raise awareness on the additional risks resulting from this way of working and the controls that should be implemented.  Staff should also be made aware of any special security features applicable to the equipment they will be using e.g. locking SIM cards, setting file and equipment passwords.

 

Users Responsibilities

  • No other person must be able to access the equipment.
  • Users must be aware they have personal responsibility for the equipment and all data/information held/stored on the equipment and accompanying media.
  • All users of portable equipment must ensure they have read and understood this Policy.
  • Users must also be made aware of the requirements detailed in the Transportation of Records Procedure.
  • Users must have a copy of, and understand their requirements detailed in, the NHS East Midlands Confidentiality Code of Conduct.
  • Users must be made aware of action to take in the event of the equipment being lost or stolen.  Action required is detailed within NHS East Midlands Incident Reporting Policy.  
  • Users must ensure that all portable media is encrypted to national Connecting for Health encryption standards.

 

Physical Protection

  • Portable computers/equipment are prone to rougher treatment than a desktop computer unit and are therefore more likely to break down or become damaged.  All employees/users should ensure they take care of the equipment in their care.
  • Portable equipment (any NHS items) must not be left unattended in any public places.
  • Portable equipment (as defined above) must not be left unattended in open offices.
  • If the portable equipment is to be used in an office, that office must be kept secure when unattended.

  • It is normal for portable computer equipment to come with a purpose made carry case.  These cases should always be used when transporting the equipment inside or outside of NHS East Midlands premises.
  • Portable equipment must be kept in the possession of the employee at all times. Therefore the equipment must be removed from the car when the employee leaves the car unattended e.g. in a car park.
  • If the portable equipment has a removable disc which can hold data/information it is sometimes better to detach the two and transport separately e.g. equipment in carry case and disc in inside pocket of coat.
  • All portable media must be encrypted to national Connecting for Health encryption standards.
  • Ensure that any equipment is always kept within the environmental ranges detailed in the user guide that accompanies the equipment.  This also applies to the media that may also be carried with the equipment e.g. CD, memory stick or other media.  There have been situations where data has been corrupted on a floppy/hard disc when there was a rapid fluctuation of temperature.  Although most equipment and media is robust there are still occasions when things can go wrong.

 

Data Protection

  • Before personal information is stored on the portable equipment to be transported, a risk assessment must be completed to identify risks, vulnerabilities and countermeasures to reduce the risks.
  • All portable equipment must have a machine/boot up password (such as SafeBoot) or user id that should be required (in the set up) when powered up.  This is to stop unauthorised access to the information/data stored on the equipment and also to stop unauthorised persons being able to access the operating system and programmes. 
  • Approved users of NHS East Midlands laptops will be allowed access to the NHS East Midlands network, from the portable equipment, by the use of a VPN (Virtual Private Network) connection/token on their laptop.  The issuing of the VPN will be controlled by Derwent Shared Services and the user will need to sign a receipt when this is supplied.  This is to reduce the amount of NHS East Midlands information held/transported on laptops where employees work at home.
  • If information is to be uploaded there must be sufficient security and authorisation checks in place to ensure no disruption to services or corruption to data can occur. This may be relevant for some employees of the organisation.
  • The data/information must where possible be encrypted or at the very least the files should be password protected.  Guidance on this should be available from the organisational HQ IT lead or Derwent Shared Services Customer Service Team. 
  • Where the equipment can receive and send data files/e-mails and attachments there will be a need to have up to date virus detection software installed. 
  • There must be no loading of unauthorised software.  Any software on the equipment must be that which is authorised and licensed.  This is loaded by the Derwent Shared Services and should not be tampered with by any employee or other person using the equipment.  Any tampering with the software may be considered a disciplinary offence.
  • If the equipment is to be used to access the Internet, NHS East Midlands must ensure that this access does not conflict with the NHS Connecting for Health Statement of Compliance and that the Internet and E-Mail policies are not compromised.
  • Care should be taken if mobile computing facilities have to be used in public places/areas, meeting rooms, on the train and other unprotected areas outside of the organisation’s premises.  Protection should be in place to avoid the unauthorised access or disclosure of the information stored and processed by the equipment e.g. no other person should be able to access the equipment or view information on the screen.

 

Retention of Information

  • The information on the portable equipment may be governed by the requirements detailed in the Records Management Lifecycle Protocol.  This should be read and a decision kept relating to how long the information can be kept on the portable equipment.
  • It is a requirement that when an employee who has a piece of portable equipment leaves the employment of NHS East Midlands that the equipment is returned to their line manager.
  • If the equipment is to be re-assigned to another part of the organisation it will be necessary to reformat or re-image the hard drive and/or delete the information that is held/stored on the equipment before it is re-assigned.

Mobile Computing Procedure [pdf / 82KB]: This policy is intended to provide guidance for those staff/employees/agents of NHS East Midlands who use any form of portable computer equipment and includes specific guidance in respect to user responsibilities, physical protection and device encryption.