Introduction

This document covers the use of all mobile computing devices. This includes but is not restricted to laptops, notebooks, memory sticks, external hard drives, and mobile phones. The policy applies to all co-owners.

Portable computer equipment is now being used more and more within the NHS environment and the security of such equipment, and the confidentiality, integrity and availability of information accessed/held/stored on/by the equipment, can be difficult to maintain.

The security provided should be equivalent to that for on-site equipment used for the same purpose, taking account of the risks of working outside of the organisation’s premises.

The Data Protection Act 1998, Information Security NHS Code of Practice and the Caldicott recommendations all, refer to, and cover, the requirement to ensure information that is transferred must be done so in a secure and confidential manner.

The use of portable and remote equipment also creates risks due to lack of physical security and environmental considerations. Therefore, users of portable equipment need to be made aware of the dangers of loss, damage and breaches of security/confidentiality that can occur to the information they have responsibility for on the portable equipment.

The use of portable devices creates particular risks in the following areas:

• Small size and portability increase risk of loss, breakage, theft, and unauthorised use.
• Connection to a PC or network increases virus and hacking vulnerabilities
• The Scope for installing additional hardware and software could lead to compromised security, licensing problems and increased support requirements.

This document should be read in conjunction with the Information Security Policy.