Information governance
Introduction to information governance
Overview
Information governance (IG) includes information security and confidentiality, the Data Protection Act and the Freedom of Information Act. It is of great importance within the Trust’s agenda and is supported by the Trust’s Board of Directors.
This handbook will guide you through each of these areas and the way we comply locally and will help you to attain a high level of compliance with the Trust policies and procedures as well as with the laws concerning the handling of person-identifiable data (PID).
Through a well-defined framework, IG ensures that PID is handled with appropriate confidentiality and security and in compliance with information law.
The IG management framework ensures high quality in:
• IG assurance
• Confidentiality and data protection assurance
• Information security assurance
• Clinical information assurance
• Secondary use assurance
• Corporate information management
The framework brings together the requirements, standards and best practices that apply to the handling of information.
The Rotherham Doncaster and South Humber NHS Foundation Trust has a comprehensive IG programme documented in the IG toolkit framework that is managed by the IG Steering Group and co-ordinated by the IG Manager.
Information governance structure
The Trust’s IG structure (shown as an organisation chart in the original) comprises:
• Accounting Officer (Chief Executive)
• Caldicott Guardian (Executive Medical Director)
• SIRO (Executive Director of Business Assurance)
• Head of Corporate Governance
• Information Governance Manager
• Information Governance Security Specialist
• Information Governance Officer
• Admin Officer
• Information Asset Owners
• Information Asset Administrators
Roles and responsibilities
Accounting Officer
The Trust’s Accounting Officer is the Chief Executive, who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks are handled in a similar way to other risks, such as financial, legal and reputational risks. Reference to the management of information risk and associated IG practice is now required in the Annual Governance Statement, which the Accounting Officer is required to sign annually.
Senior Information Risk Owner (SIRO)
The SIRO is the Executive Director of Business Assurance, who has lead responsibility for the Trust’s information risks and provides a focus for the management of information risk at Board of Directors level. The SIRO is the chair of the IG Steering Group.
IG Steering Group
The IG Steering Group co-ordinates IG strategies and policies across the Trust to ensure consistently high standards of compliance with information handling, in accordance with statutory and legal requirements and the IG toolkit. The group also supports the Trust’s objectives in the delivery of high quality patient care.
Caldicott Guardian
The Caldicott Guardian is the Trust’s Executive Medical Director, who has overall responsibility for protecting the confidentiality of PID. The Caldicott Guardian plays a key role in ensuring that the Trust adheres to the highest standards for handling PID and to the Caldicott principles. It is the responsibility of the Caldicott Guardian to feed back any IG issues to the senior leadership team and the IG Steering Group.
IG Team
The IG team is responsible for ensuring that IG is implemented throughout the Trust. The team’s responsibilities include:
• completing the interim and annual IG Toolkit assessments;
• investigating incidents;
• providing IG training;
• handling requests for information made under the Access to Health Records, Data Protection and Freedom of Information Acts and also the Environmental Information Regulations;
• giving advice and assistance in respect of data protection, information security, information sharing and freedom of information.
Information Asset Owners (IAOs)
The SIRO is supported by departmental Information Asset Owners (IAOs), who are senior managers involved in running the relevant service. Their role is to understand what information is held, what is added, what is removed, how information is moved, who has access to it and why.
IAOs must understand and address risks to the information assets that they ‘own’ and provide assurance to the SIRO on the security and use of the assets.
IAOs are responsible for information asset registers for their service or directorate and are supported by information asset administrators (IAAs).
A list of Trust IAOs and IAAs is available from the IG Team.
Information security
Sending secure mail
The table below summarises which email routes are secure and which are not. Note that it is the email address (the domain after the ‘@’) that determines the security, not the physical location of the sender or recipient.
Insecure emails should have encryption applied: refer to the IT awareness guide for details of how to do this: http://nww.intranet.rdash.nhs.uk/wp-content/uploads/2012/08/IT-Awareness-Guide1.doc
From \ To              @rdash.nhs.uk   @doncasterpct.nhs.uk   @gp-c86****.nhs.uk
@rdash.nhs.uk          Y               Y                      Y
@doncasterpct.nhs.uk   Y               Y                      Y
@gp-c86****.nhs.uk     Y               Y                      Y
NHSmail                N               N                      N
Other NHS              N               N                      N
Non NHS                N               N                      N
Y = secure (may be sent without additional encryption); N = not secure (encryption must be applied).
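As an added example (not part of the Trust handbook), the following Python applies the table’s rule in code: a message may travel unencrypted only if the sender’s domain and every recipient’s domain are in the secure set, so one insecure or unparseable recipient means the whole message must be encrypted. The secure domains are the three from the table; the asterisks in ‘@gp-c86****.nhs.uk’ are assumed to stand for four further characters of a practice code; every other domain, including NHSmail, is treated as insecure, exactly as the ‘N’ rows state. The function names and sample addresses are my own.

```python
"""Added example, not part of the Trust handbook: apply the 'secure mail'
table in code. A message may travel unencrypted only if the sender's
domain and every recipient's domain are in the secure set; one insecure or
unparseable recipient means encryption must be applied to the whole message.

Assumptions (mine, not the handbook's): the secure set is the three
domains in the table; '@gp-c86****.nhs.uk' is read as 'gp-c86' followed by
exactly four alphanumeric characters; all other domains (NHSmail, other NHS,
non-NHS) are insecure, as the table's 'N' rows state.
"""
import re
from email.utils import getaddresses

# Domains the table marks 'Y'.
SECURE_DOMAINS = {"rdash.nhs.uk", "doncasterpct.nhs.uk"}
# The handbook masks the GP practice code with asterisks; the four-character
# width is an assumption.
SECURE_PATTERNS = [re.compile(r"^gp-c86[a-z0-9]{4}\.nhs\.uk$")]


def address_domain(address: str) -> str:
    """Lower-cased domain part of a bare address, or '' if there is no usable
    local part or domain (e.g. 'bad@', '@x', 'no-at-sign')."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def is_secure_domain(domain: str) -> bool:
    """True if mail to/from this domain is marked 'Y' in the table."""
    return domain in SECURE_DOMAINS or any(p.match(domain) for p in SECURE_PATTERNS)


def classify_recipients(header_values):
    """Parse raw To/Cc/Bcc header values (display names and comma-separated
    lists allowed) and bucket each address as secure, insecure or malformed."""
    result = {"secure": [], "insecure": [], "malformed": []}
    for _display_name, addr in getaddresses(header_values):
        domain = address_domain(addr)
        if not domain:
            result["malformed"].append(addr)
        elif is_secure_domain(domain):
            result["secure"].append(addr.lower())
        else:
            result["insecure"].append(addr.lower())
    return result


def needs_encryption(sender: str, header_values) -> bool:
    """Decision for the whole message: encrypt unless the sender and every
    recipient are on secure domains. Malformed addresses fail safe (encrypt)."""
    if not is_secure_domain(address_domain(sender)):
        return True
    buckets = classify_recipients(header_values)
    return bool(buckets["insecure"] or buckets["malformed"])


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    sample_to = ["Jo Bloggs <jo.bloggs@rdash.nhs.uk>, GP Team <team@GP-C86abcd.nhs.uk>"]
    sample_cc = ["someone@nhs.net"]
    print(needs_encryption("it@rdash.nhs.uk", sample_to))             # False
    print(needs_encryption("it@rdash.nhs.uk", sample_to + sample_cc))  # True
```

The check is deliberately conservative: a mixed-case domain is normalised before matching, a display name does not hide the address behind it, and anything that cannot be parsed into a domain is treated as requiring encryption rather than being silently dropped.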
Memory sticks
The most common removable device is a memory stick (also known as a pen drive, thumb drive or USB stick), which connects to the USB port of a computer and is used to store information. Memory sticks have a large capacity, so they pose a considerable security risk if lost, stolen or misused.
Thousands of memory sticks are lost or stolen every year resulting in the loss of huge amounts of confidential and sensitive data.
Only approved, encrypted memory sticks issued by the IT Team can be used to store Trust information: the use of any other memory stick is strictly prohibited. When a memory stick is issued it must only be used in accordance with the usage described on the application form, which can be accessed via the following link:
http://nww.intranet.rdash.nhs.uk/support-services/information-technology/informatics-forms/
Trust memory sticks must only be connected to Trust PCs or laptops: they must never be connected to personally-owned equipment unless:
• the memory stick is being used for coursework, provided it does not hold any Trust information, or
• training is being delivered on a non-Trust PC or laptop.
Internet and email use
All staff must observe the rules of acceptable use, which include the following:
• No member of staff is permitted to transmit, access, display or download offensive material, including hostile text or images relating to gender, ethnicity, race, sexual orientation, religious or political convictions, when using Trust facilities;
• No Trust information may be emailed, copied or uploaded to a website, blog, cloud storage or any other form of storage except where this has been approved by the IT team;
• Staff must not introduce inappropriate material to any Trust equipment or network, e.g. material that is sexually explicit, racially offensive, homophobic or otherwise unlawfully discriminatory;
• Internet and email use is subject to UK law and the Trust’s policies, and any misuse will be dealt with appropriately;
• The use of the internet and email is monitored for compliance, security and network management reasons in line with central government guidelines and local policies;
• The Trust has the final decision on what constitutes inappropriate use and offensive material and reserves the right to determine the suitability of any usage, which, if found to be illegal or in breach of Trust policies, will lead to disciplinary proceedings and may lead to dismissal and criminal prosecution.
Transporting data off-site
1. If physical movement is unavoidable, all papers, electronic storage devices or any other media containing PID must be transported in a lockable container or bag that is securely closed and marked ‘confidential’.
2. Where the transfer is not a regular one, a risk assessment must be conducted and authorisation obtained from the IAO first.
3. Information that is taken off-site must be recorded, together with the reason it was removed and where it was taken.
4. Electronic media transported between sites and organisations must be encrypted, preferably by using encrypted files on a CD or DVD that is packaged and clearly labelled to ensure it is handled correctly, and sent using Recorded Delivery. Passwords must be transported separately from the media.
5. Never leave PID unattended or on view in vehicles.
6. If information is to be returned, ensure this is done as soon as possible.
Posting PID
Internal mail
Use a new, robust envelope (not an internal mail envelope) marked ‘private and confidential’.
Clearly print the name and address of the recipient on the front and the sender on the reverse.
Always acknowledge safe receipt.
External Mail
Sensitive information and PID sent to other organisations must be sent by recorded delivery or by a Trust-recognised courier, and safe receipt must always be confirmed.
Routine correspondence and letters, such as those sent to patients, must be correctly addressed and show the recipient’s full name: these items should be sent by standard first or second class post.
Opening Incoming Mail
Mail marked ‘confidential’ or ‘private and confidential’ or similar should only be opened by the addressee, unless authority to open it has been delegated and recorded.
Reporting an IG incident
Reporting incidents is the responsibility of all staff, temporary and permanent. Rapid investigation of incidents improves complaints management and allows early communication with the people involved.
By identifying weaknesses in processes and procedures, reporting aims to prevent future incidents and helps to develop and improve services. Many incidents occur through lack of training, so reporting them shows the areas of the Trust where staff training needs to be improved.
Any suspected breach of information security involving the confidentiality, integrity or availability of data must be reported using the process detailed below.
Examples of information governance incidents include:
• Loss of a staff ID badge
• Loss of a patient or staff record
• PID not being transported in the appropriate manner
• PID being lost in the post
• PID found on display, e.g. on a printer, photocopier, monitor, etc.
• Loss of a USB stick
• Loss or theft of a laptop
All teams have access to the Trust’s Incident Reporting Policy, and guidance for completing an IR1 form is available on the Intranet.
For further information please contact the IG Team on 01302 796189.
Information sharing agreements (ISAs)
An information sharing agreement is a signed, ratified document between the Trust and a third party that sets out:
• The need for, and reasons for, sharing the data
• The information that will be shared
• Confirmation of the law that allows the information to be shared
• How the information will be shared
• Who the parties to the agreement are
• Any necessary security requirements.
Workstations and passwords
All Trust workstations (desktop PCs and laptops) require a username and password to be entered before information can be accessed. When you leave a workstation, always lock it so that no-one else can use your session: press ‘Ctrl’ + ‘Alt’ + ‘Delete’ and choose ‘Lock’, or press the Windows key + ‘L’. Never share your passwords.
Clear C: drive policy
No data is to be stored on a PC or laptop C: drive, regardless of whether it includes PID or not: if the computer crashes or is stolen then you will have lost your work.
U: drive policy
The U: or ‘home’ drive is personal to each user and should be used for storing information that does not need to be shared.
K: drive policy
Folders can be created that are only accessible by defined groups or certain individuals, which is useful for work that is to be shared within teams, departments or services. Ensure PID is saved to a folder with restricted access; otherwise it can be read Trust-wide.
Instructions for requesting new folders are included in the IT awareness guide, which is available via the following link:
http://nww.intranet.rdash.nhs.uk/wp-content/uploads/2012/08/IT-Awareness-Guide1.doc
Transferring confidential electronic records internally
Best practice is to create a restricted folder in which to save the records that only the sender and recipient
Legislative and other regulatory requirements
Data protection and the common law duty of confidentiality
The common law duty of confidentiality prohibits the disclosure of information that was provided in confidence unless there is a statutory requirement to disclose it (such as a court order), disclosure can be justified in the public interest, or the person who provided the information consents to it.
Caldicott principles
The Caldicott principles must be used when dealing with PID. They are:
1. Justify the purpose – all use of PID must be clearly defined and reviewed by the Caldicott Guardian; any proposed new use must be discussed with the Caldicott Guardian.
2. Only use PID when it is absolutely necessary to do so – this includes within and between staff members, teams, wards, etc. as well as in transfers between the Trust and other organisations: PID must only be included if it is essential for the specified purpose of the transfer.
3. Use the minimum necessary PID – if using PID is essential, the inclusion of every individual item of PID must be justified so that the minimum amount is transferred or accessible as required for a specified purpose.
4. Only make PID available on a strict need-to-know basis – only individuals with a justified purpose for needing access to PID should have access to it, and they should only have access to the
5. Be aware of your responsibilities – everyone who handles PID must be appropriately trained in respect of patient confidentiality, with annual refresher training.
6. Understand and comply with the law – every use of PID must be lawful: the IG Team and Caldicott Guardian are responsible for ensuring that legal requirements are met and provide advice and assistance to staff.
7. The duty to share PID can be as important as the duty to protect it – all staff and workers within the health and care system must be aware that the duty to safeguard children or vulnerable adults may mean PID should be shared, if it is in the public interest to do so, even without consent. Relevant confidential PID held by health and social care organisations should be shared among the
The data protection principles
There are eight principles of good practice within the Data Protection Act: these are often referred to as the ‘data protection principles’.
Principle 1 – personal data shall be processed fairly and lawfully
• There is a requirement to make the general public aware of why the NHS needs information about them, how it is used and to whom it may be disclosed
• There should be no surprises: inform data subjects why you are collecting their information, what you are going to do with it and who you may share it with
• Remember to be open and transparent about what will be done with information used in research projects
• Ensure patients know who will be involved in their care and that they may need access to their information
• Always be open, honest and clear.
Principle 2 – personal data shall be obtained for one or more specified and lawful purposes and shall not be further processed in any manner that is incompatible with that purpose or those purposes
• Only use personal data for the purpose(s) for which it was obtained
• A database is any collection of personal data that can be processed by automated means, for example patient records, staff records, prescription details and research information
• Personal data held on Maracis, TPP SystmOne or any other patient administration system must only be used for healthcare purposes
• Only share information outside your team, ward, department or service if you are certain it is necessary and appropriate to do so. All new requests to share information outside the Trust must be referred to the IG Team
• If in doubt, check with the IG Team.
Principle 3 – personal data shall be adequate, relevant and not excessive for the purpose(s) for which it is processed
• Only collect and keep information you require: it is not acceptable to hold information without a firm view as to how it will be used
• Never collect information “just in case …”
• Explain abbreviations
• Use clear, legible writing
• Stick to the facts and avoid personal opinions and comments.
Principle 4 – personal data shall be accurate and up to date
• Take care when inputting information to ensure accuracy
• Check existing records thoroughly before creating new ones to avoid duplication
• Check patient details at every contact, e.g. address and
Principle 5 – personal data processed for any purpose(s) shall not be kept for longer than is necessary for the purpose(s)
• Follow the records retention guidelines, which are available under ‘General Policies’ on the Intranet
• Ensure regular housekeeping/spring cleaning of information
• Do not keep information “just in case …”
• Follow the guidelines for disposal, which are included in the records retention guidelines.
Principle 6 – personal data shall be processed in accordance with the rights of the data subject
• Right to subject access
• Right to prevent processing likely to cause harm or distress
• Right to prevent processing for the purposes of direct marketing
• Right in relation to automated
• Right to take action for compensation if the data subject suffers damage
• Right to take action to rectify, block, erase or destroy inaccurate data
• Right to make a request to the Information Commissioner’s Office (ICO) for an assessment to be made as to whether any provision of the Data Protection Act has been contravened.
Principle 7 – appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
• Follow the Trust’s security and confidentiality procedures
• Ensure the security of confidential faxes by using safe haven fax machines and checking receipt
• Always keep confidential papers locked away when not in use
• Ensure confidential conversations cannot be overheard
• Never share your passwords
• Ensure confidential information is transported securely
• Be aware of confidentiality contracts with third parties.
Principle 8 – data must not be transferred outside the European Economic Area (EEA) without adequate protection.
If data needs to be transferred outside the EEA, please contact the IG Team for guidance.
Access to records
What is a subject access request?
The Data Protection Act allows all living individuals a right of access to information that an organisation may hold about them: requesting access to this sort of information is known as a subject access request. Access encompasses:
• A right to obtain a copy of the record in permanent form
• A right to view a record without obtaining a copy
• A right to have information explained where necessary.
How do I know if I’ve received a subject access request?
A request does not have to state ‘subject access request’ or ‘access to records request’ or mention the Data Protection Act: it must be in writing, state who the data subject is, state what information is being requested and include the appropriate consent to access the information.
If the request is being made directly by a patient, or by a person acting on behalf of a patient, proof of identity will also be required.
What should I do if I receive a subject access request?
All papers should be forwarded immediately to the IG team by post or fax. It is essential that this is done on receipt, as there is a legal time scale for compliance, which starts when the request is received by the Trust, not when it is sent on to the
The team will then contact the relevant individuals to advise what needs to happen and the legal deadline for completion. The IG team are based at Woodfield House, Tickhill Road
Do I have to release the requested records?
An appropriate medical professional must consider requests for patients’ records and what level of access should be granted. Typically, the Trust will provide the requested information unless:
• The record contains third-party information where the third party is not a medical professional and has not given their consent to the information being disclosed;
• Access to all or part of the record would cause harm to the physical or mental wellbeing of the patient or another person.
An HR professional must consider requests for staff records.
Only copies of records are to be provided to the IG team and the requester, unless original records are explicitly requested by the General Medical Council.
How long do I have to respond to a request?
The Data Protection Act allows 40 days (calendar days, not working days) to provide a response: this period starts when all the information required to process the request has been received.
What if the patient is deceased?
The Data Protection Act does not cover deceased individuals; however, the Access to Health Records Act 1990 allows a right of access to deceased patients’ records to certain individuals.
For further information refer to the Access to Health Records policy, which is held under information governance policies on the intranet.
Freedom of Information
What is the Freedom of Information Act?
The Freedom of Information Act 2000 gives the general public a right of access to information held by the Trust. There are some exemptions but, typically, we have to provide requested information unless there is a good reason not to. If we refuse a request or withhold the requested information, the applicant has a right to appeal to the Information Commissioner, who is appointed by Parliament to ensure the Act is complied with.
Who can request information under the Act?
Anybody can make a request: competitors, potential suppliers, journalists, patients, staff and any other member of the public, whether they are connected to the Trust or not.
When a request is made there is no requirement for the applicant to tell us why they are making the request, and we have no right to ask.
What information is covered by the Act?
The Act applies to all information held by the Trust, in paper or electronic form. Note that scraps of paper with rough notes or comments on them are just as releasable as letters, memos and emails. If an email forms part of a decision-making process it needs to be filed electronically or printed and kept in a file.
All letters, memos, emails, notes and comments must be written in a way that a member of the public could read and understand them. Good records management means that we can easily determine whether we hold the requested information and where it can be located.
What about information created prior to the Act coming into force?
The Act is retrospective and covers all information held by the Trust, including information created before the Act came into force (the Act was passed in 2000 and its right of access came into force on 1 January 2005).
How is an FOI request made?
A request must be in writing, which includes email, and it must include the name of the applicant, which can be an organisation, and an address for correspondence, which can be an email address.
What should I do if I receive a request?
All requests must be sent immediately to the IG Team: this is important because the Trust legally has 20 working days to respond, starting the day after the request is received by the Trust.
Images and videos of service users and staff
Images are capable of being personal data, as people can be recognised and identified by others who know them. The data protection principles must be applied to images in the same way as they are applied to electronic or paper-based personal data.
Copyright
If copyright is held by the Trust then the material can be licensed for re-use for a charge.
If another party holds the copyright, the Trust cannot license re-use of the material.
In addition, the Open Government Licence (OGL) provides a simple set of terms and conditions enabling the free re-use of public sector information.
Under the OGL the Trust has the authority to license material for re-use as long as the source of the information is acknowledged.
Further information
Where can I find more information?
More information on FOI and what it means for you can be found:
• On the Ministry of Justice website: http://www.justice.gov.uk/
• On the Information Commissioner’s website: http://www.ico.gov.uk/
• On the Trust’s publication scheme on the Intranet: http://www.rdash.nhs.uk/information-for-the-public/freedom-of-information/foi-publication-scheme/
• From the IG team.
IG team contact details
Sue Meakin, IG Manager: T: 01302 796189, M: 07909 880396
Steve Massen, IG Security Specialist: T: 01302 796385, M: 07584 889382
Rachael Smith, IG Officer: T: 01302 796756, M: 07775 012253
Sue Hales, Admin Officer: T: 01302 796338
Woodfield House, Trust Headquarters, Tickhill Road Hospital, Doncaster, DN4 8QN
Top tips
Forward any requests for specific information to the IG Team.
Maintain and weed your paper and electronic files so they only contain necessary information.
Only keep information for as long as it is needed or for the required retention period.
Review your filing practices: all filing should be in a logical and common system agreed within your department or directorate. All staff in a department should be able to access each other’s filing systems in the absence of a member of staff: if an FOI request is made, staff absence is not an acceptable reason for exceeding the 20 working day deadline. Ensure electronic documents have footers that clearly identify where they are held.
Follow the Safe Haven policy and remember that emails are classed as official records to which the public has a right of access.
RDaSH contact details
Information Governance, Business Assurance, Trust Headquarters, Woodfield House, Tickhill Road Hospital, Doncaster