Acceptable access and use of IT

CALVARY PUBLIC HOSPITAL BRUCE

Function: IT governance

Table of Contents

1 Applies to
2 Purpose
3 Responsibilities
4 Policy
4.1 Computing Equipment
4.2 Portable Devices
4.3 System Logons
4.4 Support
4.5 Remote Access
4.6 E-mail
4.7 Mobile Phones
4.8 Short Messaging Services (SMS)
4.9 Printers
4.10 Pagers
5 Related Calvary Documents
6 Definitions

Approved by: CPHB Chief Financial Officer and Director of Corporate Services
Approved Date: 17/12/2019
Review Date: 31/12/2020
UNCONTROLLED WHEN PRINTED

Continuing the Mission of the Sisters of the Little Company of Mary

POLICY Version 1.0
CCID1719147

1 Applies to

This policy applies to all departments at Calvary Public Hospital Bruce (CPHB).

2 Purpose

Consistent with our values of Hospitality, Healing, Stewardship and Respect, Calvary is committed to specifying how IT equipment and IT systems are set up, allocated, and used within the CPHB environment. This informs staff of their responsibilities and the responsibilities of the Information Communications and Technology (ICT) Department.

ICT equipment and systems are integral to the management of CPHB, but improper use can jeopardise provision of service, harm the Calvary network, cause damage to equipment and result in harm to CPHB’s corporate reputation. This policy is intended to minimise disruptions and risks to equipment and services while balancing their benefits.

3 Responsibilities

Responsible Group 1: ICT Manager

Ensure the policy is reviewed in line with the expiry date.

Responsible Group 2: Department Manager

- Ensure the policy is communicated to their staff and staff know where to find the policy
- Monitor compliance to policy in their responsible area
- Provide staff with opportunities to attend education and training
- Ensure resources are available to adhere to the policy
- Investigate any incidents of non-compliance to the policy and if relevant enter in Riskman.

Responsible Group 3: Employees and Contractors / Particular department staff this document applies to

- Comply with the policy
- Notify non-compliance of the policy to the relevant manager and enter into Riskman (if relevant).

4 Policy

4.1 Computing Equipment

Types of Computers

The types of computers required for each role and location will be assessed by the ICT department in conjunction with the CFO and HR. This is based on operational business requirements and allocated according to the requirements of each role. All equipment remains the property of CPHB and is provided for the purpose of undertaking CPHB related business.

As staff duties change (or new systems are introduced), hardware and software requirements may be reassessed.

Allocation

Allocation of CPHB owned computers is in response to requests from Department Managers to their Executive based on operational requirements. If supported by the relevant Executive, they will then propose this request to the CFO for consideration. All requests must clearly state the funding source for the proposed acquisition.

The purchasing of additional equipment can only occur via:

1. the asset replacement program; or
2. as part of an approved funded project.

Once approved by the CFO, further approval may be required through the Infrastructure & Equipment Committee or the Executive Committee.

All new computers also require software licenses, which are an additional cost to the hardware. All hardware and software quotes must be requested via the ICT Help Desk. All software, licences, applications and other ICT related subscriptions are to be managed through the ICT department and approved by the ICT Manager.

Replaced equipment or equipment no longer used by a department will go back to the ICT equipment pool. Re-allocation of spare equipment will be the responsibility of the CFO through the ICT department based on criteria ensuring we have sufficient licenses, software versions and compatibility, maintenance and greatest operational need.

Computers are procured, configured and installed by the ICT department. This ensures a standard configuration set-up is used throughout CPHB assisting in security, support and maintenance.

ICT Support

Any performance issues relating to IT equipment must be logged through the ICT Help Desk.

The ICT Department will provide maintenance and support where required (including contacting the manufacturer or supplier) and general help desk support for the computer and applications. Staff training of department specific applications is not undertaken by the ICT Department.

The ICT Help Desk are responsible for the physical moving of all computer hardware and monitors.

Access

Only computer systems and peripherals owned by CPHB are permitted to be used with or connected to the CPHB Data Network. For legal, security and integrity reasons, privately owned computer systems or other items including mobile devices, USBs and portable hard drives must not be connected to the network for any reason, unless specifically approved in writing by the ICT Manager.

Any employees granted permission to connect personal devices to CPHB’s network must grant CPHB consent as required to audit, reconfigure, load MDM software on or remove such permission to connect to the CPHB network without further consent. Any software on this equipment must be legally owned and must not contravene any software “Licence Agreements” or CPHB’s ICT guidelines.

Usage

CPHB acknowledges there will be some personal use of computing resources. Users should have no expectation of privacy for any activity undertaken using CPHB’s systems. Users should be aware that emails or documents could be archived by CPHB as it considers appropriate. In addition, files which users may have deleted may still exist in CPHB’s backup systems.

You may use CPHB’s IT resources for the following purposes:

- For the purposes of properly performing your duties for CPHB; and
- For limited and reasonable personal use, subject to any restrictions imposed by CPHB and providing this does not interfere with the proper performance of your duties.

Computers should be regularly powered off to maintain optimal performance. The ICT Department may request that users log off but leave the computer powered on to enable network management tasks and updates to be undertaken remotely (or unattended) overnight.

Prohibited Operations

You may not use CPHB’s IT resources for the following purposes:

- Be granted system administrator privileges*;
- To harm the reputation of CPHB or cause embarrassment to CPHB;
- To act contrary to your obligations to CPHB or contrary to any CPHB policies, procedures, or guidelines;
- To expose CPHB’s computer systems to any risk or potential risk – including the risk of viruses or malware;
- To download any software;
- To disclose any information other than in the course of your duties;
- To spam or mass mail or to send or receive chain mail;
- Use IT resources in a manner that could create congestion;
- To play games, gamble, or bet;
- Streaming media including radio;
- To contribute to electronic chat rooms or bulletin boards;
- To perform any activity using an anonymous or misleading identity;
- To provide service or produce materials for non-CPHB commercial gain;
- For non-CPHB purposes such as running a private business;
- To do anything unlawful – including criminal activity or breaching any intellectual property rights; and
- To send, receive or store material that is, or may be construed to be, obscene, derogatory, defamatory, bullying, harassing, threatening, vilifying, racist, sexist, sexually explicit, pornographic, unlawfully discriminatory, or otherwise offensive or excessively personal.

*Exceptions may be approved by the ICT Manager for staff who undertake a designated systems administrator role.

Staff are not permitted to:

- Physically move the computer hardware or monitor;
- Disconnect any cables attached to the computer;
- Attach new hardware to the computer;
- Open the computer case/box;
- Circumvent or attempt to circumvent any security or virus checking facility installed on the computer;
- Store any personal (i.e. non-work related) images, music or videos on the hard drive or network drives; or
- Add software to a CPHB computer.

Requests for software need to be submitted to the ICT Department. If approved the software will be loaded by ICT staff.

4.2 Portable Devices

Portable devices are any electronic device that can be used to access the CPHB network without being directly connected by network cabling. This includes laptops, tablets, mobile telephones, smartphones and other devices. These devices enable access to network systems and resources from a multitude of places, but have a number of specific risks that must be managed.

Only portable computers and devices allocated by the ICT Department may be connected to the CPHB network. This helps to prevent possible security breaches, theft of intellectual data and damage to our corporate network from incorrectly configured or secured computers.

Portable computers may be loaned to a department or staff member on a temporary basis to undertake a specific task or project. The ICT Department manages the loan pool, and loans must be booked through the Microsoft Outlook Resource booking system.

Use of Portable Devices

In addition to the general acceptable usage of CPHB equipment detailed above, additional restrictions apply to portable devices.

Connection is possible using Wi-Fi within the environs of the campus or via a modem and connecting through the Internet using Calvary remote access.

Staff members are responsible for the safety of CPHB mobile devices at all times and are expected to take reasonable precautions to prevent loss or damage. This includes not leaving the portable device unattended in an unlocked office, in a public place or unattended and in clear view in a motor vehicle.

User IDs and passwords must never be written down and left with the portable device.

Confidential or private information must not be stored on the hard drive of a portable computer.

Portable computers should be connected to the CPHB corporate network at a minimum of once a month. This is to ensure the device receives software and security updates. Access to the network may be blocked for portable computers that have been detected as not having received monthly updates until this can be rectified. The ICT Help Desk should be contacted to manually update the device and re-connect it to the Calvary network.

4.3 System Logons

The term “Logon” is generally given to credentials used to access a computer system or application. Calvary Staff are provided with Network Logons and Application Logons upon request from their Department Manager.

Network Access

Individual Network logons assigned to a specific person are used within Calvary Public Hospital Bruce. Historically, generic network logons have been assigned to a group of people performing a similar role or for operational reasons (where the computer is shared between a number of staff at the same time or across a shift roster); however, these are in the process of being phased out. No new generic network logons will be created. Exceptions will only be made with the approval of CPHB’s Executive committee, once a full risk assessment has been provided.

Network logons are provided by the ICT Help desk once an electronic network access request form (NARF) is submitted by a Department Manager or a nominated delegate.

Network logons for staff who leave will be disabled either when the Help desk sights the staff member’s termination clearance form, after 90 days of user inactivity or when the staff member has been allocated an end date in the Human Resources staff management system. Where on long term leave, staff or their manager must inform ICT to prevent access being disabled. If a network logon has remained disabled for 90 days, it will be removed entirely from the network. As the disabling of network logons for staff who have left may not happen immediately, if a Manager has any concerns about access of the staff member, they must contact ICT prior to the employee leaving.

If a Manager needs to access and retain documents that a disabled staff member had stored in their personal folders, they should contact ICT to have them moved to a networked location prior to the account being removed.

Contractors and volunteers may not be included in the reconciliation of active employees from the Human Resources staff management system; therefore, supervisors are required to inform ICT upon their cessation of work.

Users will be granted access required to undertake their role as approved by their Manager or the relevant Business Owner. If staff realise they have unnecessary access to additional information that is beyond what they require for their role, they must contact IT to revoke such access while only accessing the information they require. Any breaches of patient privacy will be investigated using appropriate mechanisms. ICT systems record all access to computers, internet and network folders and files. This information may be used to provide evidence for audit trails upon any investigation.

Application/System Logons

Only individual application logons, assigned to a specific person, will be created for use at Calvary Public Hospital Bruce. Generic application logons will be phased out.

When a Calvary network account is disabled, information will be passed onto ACT Health where appropriate to terminate access to ACT Health applications such as ACTPAS, IDIS, Clinical Portal, etc.

When staff transfer between Calvary departments, it is the previous Manager’s responsibility to request the removal of access no longer needed and the new Manager’s responsibility to request any additional access required for the new work area.

If access is requested to an application that is not deemed relevant to a staff member, the Business Owner of that application must provide approval. This policy also applies where applications are managed within business units outside of the ICT Department and the business unit itself is responsible for the allocation and maintenance of logons and passwords for that system.

If there are insufficient licenses for an application, a review of existing users must be undertaken by the ICT Department. ICT and system Business Owner will determine who licenses are to be allocated to. Where the number of users cannot be reduced and additional licenses are required incurring financial cost then the decision must be escalated to the Chief Financial Officer for approval to purchase extra licenses.

Individual Network & Application Logons

When a logon is assigned to a specific person, they are responsible for any action performed under that logon, including the sending of emails. The level of identification of such actions is similar to having signed paper documents. Activity performed under your account may be recorded by various computer system logs.

A user’s corporate network logon will use the first two letters of their first name, followed by the first six letters of their surname. Exceptions to this will only be made if the logon is already in use or if the last name is equal to or less than five characters.

Passwords

Every staff member is responsible for the security of their individual logon password, so passwords must not be revealed to or shared with anyone. Passwords should not be written down or recorded electronically unless the method is secure.

Passwords for network logons are valid for 90 days and, once expired, will need to be changed. Staff will be presented with a reminder upon logon when they have five or fewer days left before a password change is required. New passwords cannot be the same as the last 12 passwords previously used. Staff are not permitted to use passwords that consist of basic words from the dictionary, easy to guess words to do with your workplace (i.e. Calvary, hospital, Canberra, your department, etc.) or any part of your name.

To assist with security, ICT has introduced a complexity requirement for all network logon passwords. Passwords will need to be ten or more characters in length and must contain at least 3 out of the 4 following criteria:

- Numbers;
- upper case letters;
- lower case letters; and
- symbols.

Not all Calvary applications have the ability to enforce complex passwords; therefore staff are expected to include complexity when choosing a password for these applications.

Under no circumstances should you tick the “Remember my Password” option if prompted when using Internet Explorer or any other internet browser.

Staff must not leave a workstation unattended when they are logged on. To avoid unauthorised access, staff must lock or log off entirely when leaving a workstation.

If a password is forgotten staff should contact the ICT Help desk during business hours to reset their password. New passwords will not be provided to an external email address. Staff may be asked to verify their identity before a new password is provided. The new password supplied by the Help desk will be randomly generated and must be changed by the staff member at their next logon.

4.4 Support

The process outlined below describes how CPHB staff should request support for Information, Communication and Technology (ICT) related issues from the CPHB Help Desk, Shared Services Service Desk, Digital Solutions Division or National ICT helpdesk.

During business hours (7:30am to 5:00pm)

The initial point of contact for all ICT related issues is CPHB ICT Help Desk via e-mail or via telephone.

In the event that an issue requires escalation to the next level of support or to a relevant external support service including but not limited to Shared Services (SS) Service Desk or Digital Solutions Division ACT Health Directorate (DSD) Service Desk, the CPHB ICT helpdesk will escalate this issue on your behalf.

After Hours (5:00pm to 7:30am)

Requests for ICT support outside of normal business hours must go through the Calvary after hours Coordinator. They will assess the request and advise the next course of action. This may include contacting the CPHB ICT on call number who will assist or escalate this issue on your behalf.

CPHB ICT Support Details

Email: [email protected]
Phone: 02 6201 6292
Standard Business hours: 7:30am to 5:00pm Weekdays
After hours: 02 6201 6165

4.5 Remote Access

The ICT Department currently provides two methods to access the CPHB corporate network remotely.

1. Site-to-Site Virtual Private Network (VPN) generally for vendors
2. Secure access via Citrix NetScaler for staff

Citrix NetScaler is the only method of remote access available for Calvary Staff and is often referred to as Portico or Calvary Remote Access. Calvary Remote Access allows for Calvary approved staff to securely connect to CPHB’s internal network from a remote location using Citrix NetScaler technology.

All Acceptable Access and Use of IT policies also apply to systems or services accessed remotely.

Access

Calvary Remote access is only available to approved staff or stakeholders with an identified business requirement to access the CPHB network resources when off-site. Remote Access request forms are available upon request from the ICT Help Desk.

Access will only be granted by the ICT department after a signed request form is received by the ICT Help Desk with the approval of the relevant Executive. This approval process will take into consideration what hardware is approved to be used to access the CPHB network.

Hardware being used to access the CPHB network will need to be assessed by the ICT department before access is granted.

Vendor Access

Some vendors require direct access to the systems they support, which is arranged on a needs basis through the ICT Department and may be via Calvary Remote Access or via a Site to Site Virtual Private Network (VPN).

This access will:

- Be temporary (only for a specific task);
- Be monitored by the ICT Department; and
- Be protected by appropriate firewall software.

Where systems require a constant secure connection to function, a site to site VPN connection will be used to secure restricted access to the required system.

4.6 E-mail

Access

Email accounts for individuals are created by the ICT Department when a new user login is requested by the relevant manager via an online request. All Calvary network accounts are issued with a Calvary email account.

Personal use

Email is provided to assist us in our daily duties. CPHB accepts that there may be limited personal use of email. Managers are responsible for setting expectations about acceptable personal use. Employees have a responsibility to meet these expectations.

The Code of Conduct prohibits improper use of CPHB property and requires avoidance of waste in use of hospital resources. Improper use of email or internet systems falls into this category.

Perceptions of Calvary

Regardless of whether an email is sent for work related or personal reasons, it is identifiable as having originated from Calvary and its content may be interpreted, or misinterpreted, as official comment.

Signature Block

The signature block is part of the email message that is appended by Microsoft Outlook to each email sent from a user’s mail account via a desktop computer. Please note that when emails are sent via a mobile device the signature block is not appended; it is therefore suggested that all formal emails be sent from a desktop to ensure your email signature is attached.

An Employee’s signature block is automatically populated from their CPHB user account creation. Employees can request changes to their profile via Calvary Directory which will require approval by the relevant executive before it can be actioned by the ICT Help desk.

Below is an example of the format used for signature blocks:

Given Name, Surname
Title
Department

Calvary Public Hospital Bruce
Cnr Belconnen Way & Haydon Drive Bruce ACT 2617
PO Box 254 Jamison Centre ACT 2614
P: 02 6201 6292 M: 0412 345 678 F: 02 6201 6299
E: [email protected]

A signature block or email message must not include any other graphics, wallpaper, quotes or other sayings that are not relevant to or approved by CPHB. The ability to add additional information such as qualifications and provide alternate numbers is available by updating the individual’s profile on Calvary Directory following approval by the relevant executive.

Signature blocks must not be removed.

Signature blocks should not include a general disclaimer, as one is automatically provided by the email service for all emails sent externally. See example below:

Please consider the environment before printing this email.

Hospitality | Healing | Stewardship | Respect

Continuing the Mission of the Sisters of the Little Company of Mary

This email is confidential and may be subject to copyright and legal professional privilege. If this email is not intended for you please do not use the information in any way, but delete and notify us immediately. For full copy of our Privacy Policy please visit www.calvarycare.org.au.


Legal Liability

Emails have the legal status of written documentation, even if only transmitted and stored electronically. As such, emails are subject to the laws of defamation, harassment, unlawful discrimination, copyright and privacy. In circumstances where an allegation or a breach of these laws has been made, emails may be submitted as evidence.

Use of email to harass, send abusive material, defame, disclose private information or send pornography is unlawful. The Code of Conduct and all related policies apply equally to email use as to other workplace conduct.

Security and Privacy

When using Calvary’s email system, Calvary employees cannot expect privacy. Where a genuine business need exists, the relevant Executive can request ICT to provide access to an employee’s email account. All requests must be submitted to the ICT Manager who will seek approval from both the CFO and the GM. Where there is an allegation that this policy or the Code of Conduct has been breached, an investigating officer appointed under the misconduct provisions may request information from the information system’s security records, including stored emails.

Employees must be mindful that, in most instances, external email is not secure so recipients of staff or patient information must only use this information for the purpose for which it was gathered. Employees must consider staff and patient privacy, safety and security when sending or receiving emails. While identifying an email as "personal" or "confidential" in the body of the email may assist the recipient in their management of its content, it does not alter the basic security of the software sending the email.

Emails sent externally that contain personal or sensitive information must be sent using email encryption. This is done by selecting confidential in the “Sensitivity” dropdown as shown below. This will automatically encrypt the email.

All incoming and outgoing emails are screened by the ICT network for viruses, malware and ransomware. If the screening process raises an alert or detects a virus, ICT staff may be required to check the content for appropriateness before it can be forwarded. If a malicious attachment is detected in an email, the attachment may be removed, allowing the email to pass through. If this removal process is unsuccessful, the email is withheld.


External Mail Distribution

You may not use CPHB email to spam or receive chain mail. The use of address lists for the transmission of email must only contain addresses that have specifically requested email correspondence, or could reasonably expect email correspondence from business dealings they have had with Calvary.

All emails sent from CPHB must include a valid return address, contact details, and the person or organisation authorising sending the message.

The email must include instructions on how to prevent being sent any similar emails in the future (i.e. Unsubscribe).

In general the provisions of this policy are covered providing the sender includes the CPHB signature block, the sender transmits the email using the corporate email software (Microsoft Outlook), and the sender checks any replies and removes any requested address.

If a more automated form of transmission is used (e.g. electronic marketing software or a CRM), then the ICT Department must be consulted to ensure the policy is being adhered to and there are provisions to unsubscribe.

Record Keeping

Emails are increasingly being used as records of correspondence. To comply, emails must follow the normal standards for record keeping – e.g. contain information of dates sent and received, sender’s name, etc. – and must be kept according to relevant guidelines. The email system and processes followed by the ICT Department do not satisfy record retention standards; therefore any email required to be kept as a record must be dealt with by the owner of the email, who must ensure alternative arrangements for storage are in place, for example saving to the approved server drive, record management system or printing.

Sending and Responding to Electronic Correspondence

As with more formal forms of correspondence, if you are the intended recipient of an email you would not normally forward that message without either the sender’s knowledge or consent other than as routinely necessary for acting upon its content. This practice should be respected relating to email communication including CC and BCC in particular. Clear and honest communication is to be practiced. Classifications of sensitivity applied to email, such as "confidential" or "personal", are to be respected in accordance with normal conventions.

Calvary employees are able to send emails to web mail addresses using their Calvary email address and similarly receive mail from web mail addresses but are prohibited from accessing anonymous web mail inboxes using the Calvary network.

Where a prohibited email is received by a Calvary employee from an external source (for example an email containing pornography or other offensive material) the Calvary employee must immediately delete the offensive email. This email is prohibited from being forwarded through the CPHB email system. If the email is kept in the employee’s inbox, the employee may be managed in accordance with relevant misconduct provisions of the Code of Conduct. If the prohibited email is received from a Calvary colleague, the Calvary employee must report the incident to the HR Manager immediately.


Receiving SPAM or suspicious Email

CPHB has filters in place to detect and block Spam that is sent to CPHB email addresses. If the filters block email, you may or may not receive notification advising of blocked emails. This is an automated process and therefore there should be no expectation that you will be notified.

Staff should pay particular attention to any email that contains links or attachments. Take a moment to check the email looks legitimate. This can be done by ensuring you know who the sender is or checking that the “from” email address is correct. If you are unsure, you should always check with the IT Help Desk prior to taking any action. If you have received a suspicious email or accidentally clicked on a suspicious link, you are to call the ICT Help Desk immediately for assistance.

The filter can be modified by adding senders or names to a whitelist (do not treat these emails as Spam) or blacklist (always treat these emails as Spam). The whitelist and blacklist are managed by the ICT department. If you are receiving emails that you want blocked as Spam, or are not receiving newsletters because they have been blocked by the Spam filter, then a request should be sent to the ICT Help Desk requesting an addition to either the whitelist or the blacklist.

Best Practice Email

Best practice should always be used for internal and external email. Email is still a formal business communication and our core values should be considered when writing emails and care taken in drafting the email. This includes spell checking, consistent use of fonts and mixed case sentences. Where large attachments are required externally, consider compressing the file through Windows Explorer. Internally where possible, links should be sent to relevant attachments in preference to attaching the file.

The out-of-office assistant must be used to alert colleagues that you are out of the office, what arrangements are in place while you are absent and when you are returning. Inappropriate out-of-office messages may be removed by the Help Desk. If an employee has failed to set an out-of-office message prior to going on leave their manager may request a message to be added via the Help Desk.

Email Storage

Network storage is a cost to the organisation both in terms of hardware and the time taken to run backup procedures. Therefore emails are archived and deleted regularly. New employees will have a 512MB limit applied to their mailbox at time of creation. Email archiving is utilised and applies a 60 day limit to the amount of emails employees can keep in their email account. The following archival rules apply:

Emails are archived to Enterprise Vault after 30 days. A link to the archived item will still be available in your inbox. This link will remain active in your inbox for another 30 days.

The archived emails are available via Enterprise Vault search. Emails will be permanently deleted after seven years (current employees only). The contents of a staff member’s inbox will be permanently deleted three months post resignation.

Exceptions to these email deletion rules may apply depending on the position of the employee.

Due to commercial-in-confidence reasons, staff will not be provided with a copy of their inbox upon resignation. If access is required to terminated employees’ email accounts, please refer to the “Privacy” section of this policy for the approval procedure. If a staff member is away on extended leave, arrangements are to be made to notify ICT Help Desk to ensure the email account is not deleted. Staff on leave for more than three months may have their email account temporarily suspended. This suspension will be lifted by contacting the Help desk on their return.

All Mail Users Group

Only the Executive Team including their Executive Assistants, Department Managers and the Help Desk, may send or approve an email to the All Mail Users group.

An all-mail-user email must include the following:

o who the email is being sent on behalf of (i.e. Department name);

o who the email is being approved by;

o a body of text describing any attachments; and

o Calvary signature.

Staff sending an all-mail-user email should ensure the size of the email is kept to a minimum; if possible, attachments should be saved to Calvary Connect or a network location and a link provided.

Email Groups

If you require an Email group to be created, please contact the Help desk. The Help desk will not create an email group containing email addresses other than those associated with CPHB, including but not limited to Calvary National and ACT Health. Email groups containing non-CPHB email accounts can be created but cannot be published through the global address list for others to access.

Shared Mailboxes

Requests for shared mailboxes are made via the ICT Help desk with the relevant approvals. You must advise what this mailbox is being used for and who requires access. Generally these are set up without permission to send from the mailbox, to ensure the security of data.

External Access to Mail

Access to email externally is not automatically granted. A request for external access is made via the Help desk, who will seek approval from the relevant Executive.

4.7 Mobile Phones

Allocation principles

The following principles apply when considering the provision of a mobile phone to an employee:

o Allocation is based on genuine business needs and not a position in the organisation;

o A mobile phone is never to be used for prohibited uses as specified in the Telecommunications Act 1997;

o Other lower cost options such as a pager, DECT phone, and Vocera cordless telephones have been considered;

o Alternative savings strategies such as pooling of mobile phones or mobile phones in lieu of fixed desktop phones have been considered;

o Reallocation of low-use mobile phones has been considered; and

o Accessories such as in-car hands free equipment are not provided. Staff must comply with the relevant road traffic laws and regulations.

All mobile phones and carrier services provided must be acquired through the CPHB ICT Department service provider. Outright purchase of devices by the ICT Department is the only approved method of obtaining a handset and accessories. This will be at the cost of the requesting Department or service after written authorisation has been provided from the relevant Executive. Only standard approved mobile phones, as determined by CPHB, will be issued. This is dictated by the terms of contract with the service provider and LCM.

Staff member responsibilities

The staff member to whom a CPHB mobile phone and related equipment is provided must:

o Assume personal responsibility for its correct use and safekeeping;

o Always use a Hospital desk handset when available in preference to the mobile phone;

o Only forward desk handset to mobile phones when absolutely necessary or instructed by the relevant Executive;

o Not make calls to entertainment, competition, “personal services” or similar phone numbers, “ring tones” and 1500 and 1900 numbers;

o Limit calls to information numbers, such as directory assistance, to essential urgent use only;

o Note that Global roaming (overseas) and other premium services such as “pocket news” and “voice to txt” will be disabled from all CPHB mobile plans;

o Promptly report loss, theft or damage to the mobile phone or accessories to their supervisor and the ICT Department as soon as possible;

o Return the mobile phone and all accessories supplied by CPHB immediately prior to ceasing employment, or when otherwise directed by the Supervisor;

o Bluetooth synchronisation of mobile phones with the staff member’s vehicle is the responsibility of the staff member; and

o CPHB work issued mobile phones are not to be taken overseas.

Reimbursement of private handset or private SIM call costs

Staff require prior approval from the relevant Executive to seek reimbursement for the cost of legitimate work-related phone calls from the use of their private handset, SIM or non-CPHB contract carrier. Reimbursement of work-related international call costs will only be permitted if the officer has prior written approval from the relevant Executive to make such calls.

For Medical Practitioners, the Director of Clinical Services-Medical may approve payment to a Medical Officer or Senior Medical Officer of an allowance towards meeting the costs of a private mobile phone to be used for work related purposes. Only those employees who are eligible for and receiving payment of an on-call allowance are eligible. This allowance is only available to employees who are not provided with a CPHB mobile phone.

Handset and Phone Number Portability

Staff leaving CPHB may submit a request to their Executive to take the mobile phone handset, phone number (SIM card) or accessories with them. Assessment of CPHB’s requirements for the handset and specific phone number must be made before agreeing to any transfer. The Executive must liaise with ICT to ensure the mobile phone number is transferred from the CPHB phone plan to another account. If another account is not nominated, it will be cancelled on that staff member’s separation date. Any costs incurred as a result of a transfer must be met by the outgoing staff member and be at no cost to CPHB.

Managers are to ensure that the mobile phone handset, SIM and all accessories are returned to the ICT Department prior to the staff member leaving CPHB or when directed. Only the ICT Department is to re-issue mobile phones as directed by the relevant Executive.

Safe use

The following safety measures should be observed during the handling and operation of mobile phones:

The user should keep the volume to a reasonable level.

CPHB employees in control of a vehicle must stop the vehicle to take a call or return the call at a later time. It is an offence under the Motor Traffic Act 1930 to operate a motor vehicle and hold a mobile phone at the same time. It is the responsibility of the driver to pay any infringement notices that may result from non-compliance or breaches under this Act.

Mobile phones are to be switched off in any areas you are advised to do so.

Loss/Theft/Damage

Costs incurred due to the loss, theft or damage of a mobile phone remain the responsibility of the Department registered as the holder of the phone. The staff member to whom the phone is registered must immediately notify both their supervisor and the ICT Department of the loss, theft or damage of the phone.

Third Party Applications (Apps)

A third party app is any app installed on a mobile device which is not provided by the manufacturer of the device. Staff members should not use personal accounts in the app stores of smart phones issued by CPHB. If a third party app is required, it must be requested via the ICT Department.

Where an account is required for the download or use of a third party app, the account is to be set up by the ICT team and will use a Calvary branded username and password. Calvary branded accounts should only be used on the CPHB issued devices they are intended for.

4.8 Short Messaging Services (SMS)

SMS can be sent from Calvary using a desktop SMS application or via a CPHB issued mobile device. Only desktop applications authorised by the ICT Department may be used to send SMS.

Desktop SMS applications are provided as a supplementary communication facility for the delivery of short messages pertaining to CPHB systems. CPHB currently approves the use of Telstra Desktop SMS and SPOK messenger as our desktop SMS applications.

Only staff authorised via their Executive are able to utilise the desktop SMS applications. The delivery of SMS messages incurs a cost to CPHB, and where appropriate this cost will be passed to the relevant department sending the SMS. This excludes messages sent for the escalation of emergency procedures.


Each SMS has a maximum length of 256 characters; any message over this length will be sent as multiple messages and incur additional costs. Desktop SMS applications may be configured to send SMS automatically by some Calvary systems. Only systems approved by the ICT Department may be used for automated delivery of SMS.

Mobile Device SMS messages are sent directly from a mobile phone or Smartphone (e.g. iPhone) to the recipient device. These messages are restricted in length by the rules of that device and/or the third party communications provider.

Confidential information including patient information should not be transmitted via SMS.

4.9 Printers

Printers currently in use at CPHB are Lexmark printers which are under a maintenance and consumables contract through Calvary National ICT.

Allocation

Allocation of existing printers is determined by ICT and is based on greatest need and usage. ICT may swap printers from one location to another to ensure all printers are fully utilised based on usage. Once printers have reached end-of-life they will be replaced by ICT.

Network printers are to be procured, configured and installed by ICT. All printers will be connected to network print servers and positioned in a location where they can be accessed by multiple users. Printers not procured by ICT will not be connected to the corporate network, e.g. printers directly connected to medical equipment.

The request to purchase additional printers must be made via the ICT Help Desk. These requests must be approved by the relevant departmental manager and Executive of the area making the request. Standalone printers (connected directly to individual’s computer) are not endorsed by the ICT Department and will not be approved. CPHB is not responsible for the cost of any standalone printer consumables.

Operations

ICT will provide maintenance support where required, however the day-to-day operation of the printers (including resolving paper jams, replacement of toner and paper, etc.) is the responsibility of the department where the printer is located.

Paper and label consumables are to be procured and maintained by the department in which the printer resides. ICT manages the automatic purchasing of toner, photoconductor units and maintenance kits for all network printers when 20% life remaining has been reached. These consumables should only be installed when the quality of the print starts to deteriorate or when prompted by the device. Printer consumables should only be installed in the printer for which they were ordered.

Relocation

Printers must only be moved by the ICT Department. Requests to move equipment must be made to the ICT Help desk. Any costs associated with the relocation of printers will be charged to the department or Project requesting the move. As above, the ICT Department may re-allocate or re-locate printers as a means of maximising service to all departments and to ensure all printers are fully utilised prior to end-of-life.


Monochrome or Colour Printing

Consideration for other users should be exercised when printing large documents or multiple copies; such jobs should be scheduled for when they cause the least amount of disruption to other staff members.

All CPHB networked printers default to duplex printing in black and white. These defaults will only be changed with the approval of the Executive Director if there is a clinical need.

Colour printing costs significantly more than black-and-white printing. For this reason access to colour printers is available but should be limited to those with a work-related need for colour printouts only.

4.10 Pagers

Allocation

Pagers are issued where staff are required to be on duty to enable them to be contacted immediately. Pagers may be allocated to an individual staff member or to a role within a Department.

Pagers are procured and configured by the ICT Department. This ensures that a standard configuration is used throughout CPHB. Costs associated with new and replacement pagers will be incurred by the department the pager is allocated to with the exception of Medical Emergency Team (MET) pagers, which will be charged to the ICT Department.

Care of Pagers

While pagers are robust, they can be damaged by improper use. Avoid dropping them or exposing them to excessive heat or moisture. If a pager is immersed in water, it should be switched off and brought to ICT to be replaced. Batteries on pagers must be replaced where indicated by the low battery indicator of the pager; this is the responsibility of the staff member allocated the pager.

The Calvary Switchboard will assist with replacement batteries for the MET pagers only. At 10am on the first Wednesday of every month, the owners of MET pagers are to present the pagers to Switchboard Reception for battery replacement. The batteries are changed and the MET call tested to ensure all pagers receive the MET call for both MET Groups.

Replacement

As faulty pagers can impact on patient care, the ICT Department ensures spare pagers are available.

Faulty pagers should be provided to the ICT Department to be replaced or repaired.

Replacement pagers (other than MET pagers) must be paid for by the relevant department. Replacement pagers for the MET team are available from the switchboard 24 hours a day or from the ICT Help desk.

5 Related Calvary Documents

o ICT Calvary Connect Department page (full of helpful hints/cheat sheets)

o Requesting Calvary Network and Application Accounts

o Calvary Public Hospital Bruce ICT System Security Policy

6 Definitions

Employees for the purposes of this procedure refers to:

o Every Calvary employee;

o Contractors/sub-contractors and any of their employees whilst engaged on work for Calvary;

o Visiting Medical Officers;

o Volunteers and unpaid employees;

o Students on placement;

o Researchers;

o Partners and visitors (e.g. domestic services contractors, Local Health District employees);

o Consultants or consultants’ employees whilst on Calvary work; and

o Agents who are acting on behalf of Calvary.

Personal use – use of corporate systems not related to work

DECT phone: Digital Enhanced Cordless Telecommunication

Portable computers - Portable computers are any electronic devices that can be used to access the CPHB network without being directly connected to the network cabling.
