Eclipse - Memorandum Of Understanding
Introduction
The implementation of Eclipse provides remote access to all of the available services on personal computers and smartphones via a website and dedicated apps. This presents a risk to the Council with respect to access to the service and data management.
Thus, this Eclipse Memorandum of Understanding (MoU) is established to achieve the following:
- To ensure compliance with applicable statutes, regulations, and mandates regarding the use of Eclipse and all of the data contained within and linked the service.
- To establish prudent and acceptable practices regarding the use of Eclipse.
- To educate individuals who may use Eclipse with respect to their responsibilities associated with such use.
This MoU defines authorised partners as organisations which have a formal contract with the Council to provide services which rely on data processed by Eclipse or have a statutory reason to access data processed within Eclipse. Authorised people are those who work for those organisations in a role defined as requiring access to Eclipse data.
The Eclipse Memorandum of Understanding applies equally to all individuals granted access privileges to any Plymouth City Council Eclipse resources. Each organisation signing up to this MoU would need to sign an information-sharing agreement and complete a summary Data Protection Impact Assessment which covers the specific aspects within this MoU.
Access to Eclipse
- Access to Eclipse will only be granted to people who have a business need for access.
- Login details for Eclipse must not be shared with anyone.
- Access to Eclipse will be controlled using Multi-Factor Authentication (MFA). MFA is another layer of security that helps to verify the person accessing the system. When someone logs into the system from a non-PCC device, they will receive a code that helps to verify them.
- The methods available for authentication are: Phone Calls, Text Messages, Microsoft Mobile app notifications, Microsoft Mobile app verification code
- MFA will not be required when using a Council provided device.
Organisational security
Each organisation accessing Eclipse must be able to demonstrate a minimum level of cyber security to ensure that the system is not compromised. This can be demonstrated by obtaining external accreditations such as
- NHS DSPT
- Cyber Essentials Plus
Alternatively, evidence would need to be provided as part of a full Data Protection Impact Assessment to demonstrate that the risk has been reduced.
Acceptable use of Eclipse
- Eclipse must only be used by authorised staff for managing social care cases or work related to the data related to social care cases and service levels.
- Users must not attempt to access any data contained on Eclipse for which they do not have a legitimate business need or explicit consent.
- Eclipse can only be used on computers/devices that are:
- Not shared devices.
- Using an operating system that has not gone end of life.
- Fully patched with the latest security releases.
- Protected by an anti-virus that is running the latest version.
- Plymouth City Council is the Data Controller for all messages, files, media and documents including personal messages, files and documents located on Eclipse.
- All data stored within Eclipse will be subject to data protection rights requests.
- Users must not purposely engage in activity that may:
- harass, threaten or abuse others using Eclipse;
- degrade the performance of Eclipse and related Information Technology property;
- deprive an authorised Plymouth City Council user access to an Eclipse resource;
- obtain extra resources beyond those allocated;
- circumvent Eclipse security measures.
- Users must not intentionally access, create, store or transmit non-business-related material on Eclipse that Plymouth City Council may deem to be offensive, indecent or obscene.
- All personnel are responsible for managing their use of Eclipse and are accountable for their actions relating to Eclipse security.
- Personnel are also equally responsible for reporting any suspected or confirmed violations of the Eclipse Memorandum of Understanding to the appropriate management.
- All use of Eclipse must comply with the Council's current Information Security MoU.
- The use of Eclipse is subject to audit.
Data management
- Any data contained in the Eclipse system must be kept confidential and secure by the user. Furthermore, if this data is downloaded and stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted the data must still be protected as confidential and secured.
- Storage of documents, email messages, voice messages, files and media within Eclipse must be attached to the records of the specific service user they are related to.
- There is no restriction on the type or format of data that can be related to a service user's record.
- All data entered into Eclipse must be verified as accurate
- Data processed by Eclipse must only be saved on storage that has been approved.
- Approved storage includes shared network drives including cloud-hosted drives, provided by the council or approved partners.
- Data processed by Eclipse must not be stored on removable media or local storage which is not networked.
- Data contained in Eclipse must not be synchronised with other cloud services.
- This includes personal cloud-hosted accounts.
- Data contained in Eclipse must not be shared with unauthorised people.
- This includes via email, providing access to the drive and other transfer methods.
- Data can only be shared with authorised partners and must not be made available to any organisation where appropriate agreements have not been made.
Working environment
The working environment must be suitable for the work that is undertaken using Eclipse. There are several considerations that need to be applied when working outside a Council building. This includes working in:
- Shared office spaces
- Home or any other private location
- Public spaces
- When working in such areas, the following considerations must be applied:
- The information must not be shared with anyone that is not authorised to access it, including other household members
- This will include information in all forms, including conversations, both in person and remotely.
- Access to the devices used to access Eclipse must not be given to anyone else apart from the person the device was issued to.
- Device screens must not be made visible to anyone who is not authorised to see the information displayed on them.
- Only trusted Wi-Fi connections must be used.
- If Council-provided Wi-Fi is available, this must be used as a preference over all other Wi-Fi connections.
- wifi is the second preference
- If you are aware of any recordable devices in the vicinity, they turned must be turned off if working out of the office.
- This will include smart home devices such as voice-controlled intelligent personal assistant services (Amazon Echo, Apple Home Pod), and any other recording devices that could capture conversations or images about Eclipse and the data it processes.
Violation of this MoU
- Violation of this MoU may result in action which may include termination of contracts with partners. Additionally, individuals may be subject to loss of Eclipse access privileges, civil, and criminal prosecution.