- This policy describes the acceptable use of the LeDeR web-based platform (WBP) and the responsibilities of its users.
- NHS England will ensure that users of the WBP are sufficiently informed of the policy requirements to be able to comply with the policy. All updates to the policy will be communicated to existing users.
Scope of Policy
- Each LeDeR partner must have their own policy, or set of policies, that includes the acceptable use of their Information Technology assets, email, internet, network and systems/applications/software use. These policies should align to the relevant national standards set out by the Data Security and Protection Toolkit or equivalent national standards.
- This policy is supplementary to the policy/policies of the LeDeR partners and covers only the use of the WBP.
- Staff must only access and/or use information in the WBP that they are authorised to access and solely for the purpose of the LeDeR programme.
- Staff must follow established procedures for password changes.
- Staff must take all reasonable steps to maintain:
  - the confidentiality of their access to the WBP,
  - the information within the WBP, and
  - the security of the WBP (i.e. staff must not share their access credentials).
- Personal use of the WBP, such as access by staff to information about themselves or someone they know in a personal capacity, is strictly forbidden.
- For circumstances where staff may be required to access the records of someone they know, acting in their professional capacity, they should consult their employer’s policy and/or seek authorisation from their organisation’s Caldicott Guardian or an appropriate senior clinician within their organisation.
- Access to the WBP must be by way of individual accounts (each staff member should have credentials that are unique to them).
- It is strictly forbidden to circumvent, attempt or cause to circumvent, established security mechanisms or controls to view, modify, delete or transmit information in the WBP.
- It is strictly forbidden for staff members to share their, or another staff member’s, usernames or passwords to gain access to the WBP.
- It is strictly forbidden to access or use information in the WBP in support of any illegal activities.
- Anyone who is found to have made unacceptable use of the WBP may be disciplined and/or prosecuted.
- If a staff member has read this policy and is still unsure what is considered to be acceptable or unacceptable use of the WBP, they must check with their organisation’s Caldicott Guardian or an appropriate senior clinician.
Definition of Terms
Caldicott Guardian – A senior person responsible for protecting the confidentiality of people's health and care information and making sure it is used properly. All NHS organisations and local authorities which provide social services must have a Caldicott Guardian.
WBP – a secure system which enables consolidation of information relevant to LeDeR reviews from different health and social care organisations, including information from GP surgeries, hospitals, community and mental health, social services and others.
LeDeR Partner – An organisation with responsibility for making sure LeDeR reviews are carried out in their area.
Duties and Responsibilities
- Overall responsibility for this Acceptable Use Policy must be determined by each LeDeR partner; this should rest with the Director (or equivalent) who has responsibility for information risks (e.g. in NHS organisations this would be the individual occupying the role of Senior Information Risk Owner).
- The LeDeR partners’ Caldicott Guardians will provide advice and guidance on acceptable use of the WBP where applicable.
- Employees of LeDeR partners will receive instruction and direction regarding this policy from a number of sources:
  - Policy and Strategy Manuals
  - Line Managers
  - Training courses
  - Acceptable Use statement (displayed routinely on screen when accessing the WBP)
  - Other communication methods (e.g. briefings or newsletters)
- Access and use will be recorded and may be monitored or audited for the purpose of investigating legitimate concerns.
- This policy will be reviewed at least on a yearly basis, or when required following:
  - Legislative changes
  - Good practice guidance
  - Case law
  - Significant incidents reported
  - New vulnerabilities
  - Organisational changes