Dear South Western Ambulance Service NHS Foundation Trust,

Please can I request a copy of the Trusts data retention policy, I am happy to receive the full policy but my main interest is, data concerning decision making when the decision is made using Signal, WhatsApp or SMS/text Message.

I wish to understand how this data is managed in a corporate environment, with these applications being used on Trust devices such as Smartphones and iPad's.

I further wish to understand how the Trust manages data leakage, where staff are allowed to use their personal Signal and WhatsApp accounts/credentials on Trust devices and therefore how the Trust manages this data then also being viewable on personal devices, when it may contain highly sensitive patient, operational or commend information / decisions.

I am no interested in the security of Signal or WhatsApp as this is freely available, I am interested in how these applications are used on trust devices with personal accounts. Thus how information leakage is prevented say to staff leaving SWAST but still remain in WhatsApp or Signal groups

Yours faithfully,

Sarah-Lee Saltburn

Information Governance, South Western Ambulance Service NHS Foundation Trust

Information Governance
Request ID: 18432 
Freedom of Information request - Retention Policy -  
Created Date | Sep 22, 2024 04:25 PM 

══════════════════════════════════════════════════════════════════════════

Dear Sarah-Lee Saltburn,
This is an acknowledgement mail for your request. Your request has been
created with id 18432. The title of the request is: Freedom of Information
request - Retention Policy.

Kind regards,

Information Governance

South Western Ambulance Service NHS Foundation Trust

This email is sent on behalf of South Western Ambulance NHS Foundation
Trust and any attachments are confidential and may be privileged. If you
are not the intended recipient, please notify the sender immediately by
return e-mail, and then delete the email without making any copies or
disclosing the contents to any other person. Email transmission cannot be
guaranteed to be secure or error or virus free. You should carry out your
own virus check before opening any attachment.

Information Governance, South Western Ambulance Service NHS Foundation Trust

2 Attachments

  • Attachment

    1727084665798012 1196911620.png

    456K Download

  • Attachment

    1727084665919002 785890651.png

    175K Download

Information Governance - Freedom of Information

show quoted sections

Information Governance, South Western Ambulance Service NHS Foundation Trust

2 Attachments

Dear Sarah-Lee Saltburn,

Category : Freedom of Information

I refer to our acknowledgement in respect of your request for information
under the provisions of the Freedom of Information Act 2000.  

Please see below response to your questions below:-

 

Please can I request a copy of the Trusts data retention policy, I am
happy to receive the full policy but my main interest is, data concerning
decision making when the decision is made using Signal, WhatsApp or
SMS/text Message.

 

Our response

Please find attached our policy ‘Acceptable use of IM & T services’ in
particular section 5. This policy is currently under review and a more
specific social media policy is also being drafted.

Please also find attached our records retention and disposal policy.

 

In addition, the below guidance is shared among the Trust (as part of the
Nation Cyber Awareness Month Campaign and be part of our Data Protection
Training material), it contains our overarching principles in the use of
WhatsApp/Signal or SMS/text message.

[1]https://www.gov.uk/government/publicatio...

 

 

I wish to understand how this data is managed in a corporate environment,
with these applications being used on Trust devices such as Smartphones
and iPad's.

 

Our response

WhatsApp is currently deployed as a trusted app.

As we move to COPE (allowing personal apps to be deployed) there will be
policies in place to stop data being copied from work based (trusted) apps
and the likes of WhatsApp.

I further wish to understand how the Trust manages data leakage, where
staff are allowed to use their personal Signal and WhatsApp
accounts/credentials on Trust devices and therefore how the Trust manages
this data then also being viewable on personal devices, when it may
contain highly sensitive patient, operational or commend information /
decisions.

 

Our response

Please see the below sections of the policy ‘Acceptable use of IM & T
services’

5. Internet and Email conditions of use

 

5.7. Under no circumstances should patient or staff records be recorded or
made

available via the internet

 

5.10. Individuals must not use Trust equipment to undertake or perform the
following:

For the avoidance of doubt, internet applications referenced below may be
platforms such

as Facebook, Twitter, Instagram, LinkedIn, or online games. This is not an
exhaustive list.

… 5.10.8. Send unprotected sensitive or confidential information
externally.

 

8. Mobile storage devices

8.2. Only SWAST authorised mobile storage devices with encryption enabled
must be

used when transferring sensitive or confidential data. Staff are
responsible for

notifying the IM&T department if they hold any equipment not suitably
encrypted.

 

If  there is a data leakage thru the use of WhatsApp or SMS, the Trust
should report the case to ICO thru the DSPT within 72 hours same as other
data leakage incidents.

 

This policy is currently under review and a more specific social media
policy is also being drafted.

 

I am no interested in the security of Signal or WhatsApp as this is freely
available, I am interested in how these applications are used on trust
devices with personal accounts. Thus how information leakage is prevented
say to staff leaving SWAST but still remain in WhatsApp or Signal groups

 

Our response

If sensitive information is sent using WhatsApp or Signal out of the
Trust, it will no longer under the control of SWAST, other than the
acceptable use policy, we will have no other ways to further prevent
information leakage.

 

Please note that, under the Re-use of Public Sector Information
Regulations, if you wish to publish or otherwise use this information
besides for your own means, you will need to seek our permission to do so.

 

Please feel free to contact me if you require further clarification of the
information provided, or to discuss any aspect of the way in which we have
responded to your request. 

However, if you are dissatisfied with our response, you also have the
right to make use of the following complaints procedures:

In the first instance you may write to the Chief Executive of this Trust:

Dr John Martin

South Western Ambulance Service NHS Foundation Trust

Abbey Court

Eagle Way

Exeter  EX2 7HY

Dr Martin will then either make arrangements for your complaint to be
reviewed and for the outcome to be communicated to you, or will convene a
panel of Trust Directors to consider an appeal against a decision to
withhold information.

If you are unhappy with the response to your complaint, or findings of the
Panel, you can contact the Information Commissioner at:

Information Commissioner’s Office,

Wycliffe House,

Water Lane,                                

Wilmslow,

Cheshire.  SK9 5AF

Tel: 01625 545 700

 

Kind regards,

Information Governance Team 

South Western Ambulance Service NHS Foundation Trust

Description :
Please be aware. This email originated from outside the organisation. Do
not click on links or open attachments unless you recognise the sender and
know the content is safe.

Dear South Western Ambulance Service NHS Foundation Trust,

Please can I request a copy of the Trusts data retention policy, I am
happy to receive the full policy but my main interest is, data concerning
decision making when the decision is made using Signal, WhatsApp or
SMS/text Message.

I wish to understand how this data is managed in a corporate environment,
with these applications being used on Trust devices such as Smartphones
and iPad's.

I further wish to understand how the Trust manages data leakage, where
staff are allowed to use their personal Signal and WhatsApp
accounts/credentials on Trust devices and therefore how the Trust manages
this data then also being viewable on personal devices, when it may
contain highly sensitive patient, operational or commend information /
decisions.

I am no interested in the security of Signal or WhatsApp as this is freely
available, I am interested in how these applications are used on trust
devices with personal accounts. Thus how information leakage is prevented
say to staff leaving SWAST but still remain in WhatsApp or Signal groups

Yours faithfully,

Sarah-Lee Saltburn

-------------------------------------------------------------------

Please use this email address for all replies to this request:
[2][FOI #1178031 email]

Is [3][South Western Ambulance Service NHS Foundation Trust request email]
the wrong address for Freedom of Information requests to South Western
Ambulance Service NHS Foundation Trust? If so, please contact us using
this form:
[4]https://www.whatdotheyknow.com/change_re...

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:
[5]https://www.whatdotheyknow.com/help/offi...

For more detailed guidance on safely disclosing information, read the
latest advice from the ICO:
[6]https://www.whatdotheyknow.com/help/ico-...
[7]https://www.whatdotheyknow.com/help/ico-...

Please note that in some cases publication of requests and responses will
be delayed.

If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.

show quoted sections