Information Governance Management System
Comprising of policies on:
Use of Personal Information
Information Quality
Security of information (including Forensic readiness)
Management of Records - Overview
Acceptable use of information and communication technologies
Approved by: Quality & Governance Committee
Ratification date: August 2015
South, Central and West Commissioning Support Unit
Document status: for agreement
Version Date Comments
1.0 03/12/02 Initial draft
1.1 23/01/03 Amended and corrected prior to issue for consultation
1.2 06/03/03 Comments from consultation included – issued as
current
1.3 12/08/03 One small amendment to section 5.2.2 (default for
unlabelled information is now ‘public’, rather than ‘sensitive’ – requiring ‘sensitive’ information to be labelled as such – in line with Freedom of Information)
1.4 Feb 2005 Working revisions – to shorten policy and restructure
1.5 Feb 2006 Revised draft issued for comment via IM&T leads in
each PCT
2.0 May 2006 Insert comment from IM&T leads and updates from
‘local security policy assessment tool’ – Fujitsu. Prepare for presentation to Boards
2.1 November 2006 Minor revision to section 2.3 to reflect re-arrangement
of the national Information Governance toolkit
3.0 August 2009 Revised for PCT adaptation
4.0 Sept 2011 Regular update – taking account of:
ICO Monetary penalties
Privacy Impact Assessments
Data Sharing Code of Practice (ICO)
NHS Code of confidentiality Public disclosure update 2010
IG toolkit revisions and NHS structural change
March 2012 BNSSG PCT Cluster approval via Cluster Integrated
Governance Committee (review due March 2013)
5.0 January 2013 Review and amendment for use by Clinical
Commissioning Groups
5.1 February 2014 Review for use by South Gloucestershire Clinical
Commissioning Group
6.0 June 2015 Reviewed Records Management FOI reference and in
line with recommendations of the Caldicott 2 report and HSCIC developments on cyber security detailed in v13 of the IG toolkit
Contents
1
Purpose & Principles ... 1
2
Scope and management framework ... 1
2.1 Information risk management & ‘cyber security’ ... 2
2.2 Legal & regulatory framework ... 3
2.3 Related policy & code(s) of practice ... 4
2.4 Information Governance Management System ... 4
2.4.1
Accountabilities & responsibilities of key roles: --- 4
2.4.2
Responsibilities of specific information governance roles: --- 5
2.4.3
Information Governance responsibilities in other roles --- 5
2.4.4
Review and update of the IGMS: --- 6
2.5 Audit & compliance of information governance requirements ... 7
2.6 Information Assets & Information Risk Management Framework ... 7
2.7 Incident management – including Serious Incidents Requiring Investigation 7 2.8 Information classification ... 9
3
Use of personal information – including core staff responsibilities ... 11
3.1 Managing personal information – legal compliance ... 11
3.1.1
Data Protection, Human Rights & Common Law --- 11
3.1.2
New Services & uses of information: --- 15
3.1.3
Override of confidentiality or patient’s express wishes: --- 15
3.1.4
Key principles to ensure information is shared legally: --- 16
3.2 Employment confidentiality agreements and job description responsibilities 17 3.3 Core responsibilities of staff ... 17
3.4 Education and awareness ... 18
4
Information Quality Policy ... 21
4.1 Legal requirements for quality information ... 21
4.2 Collection of information ... 21
4.3 Rule based processing of information ... 22
4.4 Authenticating data (on systems, and in messages) ... 22
4.5 Validation of information displayed or extracted ... 22
4.6 Checking patient details (demographics) ... 23
4.7 Overseeing data quality in commissioned providers ... 23
5.1 Physical & technical security ... 25
5.1.1
Secure working areas – inc perimeters, entry controls --- 25
5.1.2
Security, installation & maintenance of equipment --- 26
5.1.3
Power supplies --- 26
5.1.4
Cabling security --- 27
5.1.5
Asset registers & secure disposal of equipment --- 27
5.1.6
Protection against malicious software --- 27
5.1.7
Network management & security --- 28
5.2 Access Control ... 28
5.2.1
User access control & management --- 29
5.2.2
User password management --- 30
5.2.3
Remote access and other external connections --- 31
5.2.4
System access control requirements --- 31
5.2.5
Application access control principles --- 32
5.2.6
Monitoring system access & use --- 32
5.2.7
Third party access requirements & outsourcing --- 33
5.3 Systems development and data collection ... 34
5.3.1
Requirements analysis and specification --- 35
5.3.2
Capacity planning and acceptance --- 35
5.3.3
Change control and outsourced development --- 36
5.4 Maintenance and operations ... 36
5.4.1
Operational procedures and responsibilities --- 37
5.4.2
Housekeeping, backups, logs --- 38
5.4.3
Security of system files & documentation --- 39
5.4.4
Software licensing and intellectual property --- 39
5.4.5
Technical system audit --- 39
5.4.6
Forensic readiness --- 39
6
Management of organisational records - policy ... 43
6.1 Creation of organisational records ... 43
6.2 Storage and safeguarding organisational records ... 43
6.3 Publishing and providing access – link to Freedom of Information ... 43
6.4 Archiving and disposal ... 44
6.5 Ensuring storage capacity ... 44
6.6 Document management systems (DMS) ... 44
6.7 Audit of corporate records ... 44
7
Communications management policy ... 47
7.1 Information handling processes ... 47
7.2 Information exchange agreements ... 47
7.3 Use of faxes, emails, phone and post. ... 47
7.4 Acceptable use of email, internet and electronic office (inc monitoring) ... 48
7.5 Mobile computing and home working ... 50
7.6 Management of media, encryption tools and port control & secure file transfer 51 7.7 Intranets and public websites (e-commerce) ... 52
7.8 Business continuity for the use of systems and information ... 53
8
Appendix A – Information Governance documentation & materials ... 55
9
Appendix B - Information Sharing – legal acts & regulations ... 56
10
Appendix C – Support materials: ... 58
1 Purpose & Principles
The Information Governance Management System (IGMS) is a set of policies brought together to set minimum standards and policy direction in relation to confidentiality, integrity availability and the management of risk relating to information. The policies are supported by operational guidance documents that set out how policy statements will be put into practice
(This is illustrated in appendix A).
The organisation is responsible for:
realising benefits from the right information, being available to the right people at the right time.
monitoring, maintaining and improving compliance with appropriate legal and regulatory requirements detailed in the scope in section 2.
developing, maintaining and monitoring the integrity of information to ensure that it is of sufficient quality for use within the purposes it was collected.
developing and maintaining security of information assets including physical, technical and policy based measures to reduce risks of unauthorised disclosure, unlawful access to, damage or destruction of data.
developing appropriate resilience and recovery arrangements for systems, based on assessed risks to information and its perceived value, to ensure that availability of information is not compromised.
educating and continually raising awareness of all staff about the issues and impacts related to failing to manage information and the consequent responsibilities they have.
pro-actively monitoring and reducing risks to information.
2 Scope and management framework
The IGMS covers all aspects of information, including (but not limited to:)
Personal information including patient/client and staff information
Organisational/corporate information
The IGMS covers all aspects of handling information, including (but not limited to:)
Design and specification of information ‘systems’
Information held in structured record systems (paper & electronic)
Transmission of information (including fax, email, post & telephone)
Retention and disposal of information
Staff conduct relating to the use of information in any form
The IGMS covers all information held, created or accessed by employed staff, or any other party, performing activities in conjunction with the business of the organisation.
Audience:
The IGMS has been set out as a compilation of component policies. It is not designed for all staff to read and be familiar with. Core requirements for all staff are set out in the
(www.protectinginfo.nhs.uk/code.asp) and the Acceptable Use Agreement (for computer systems – Appendix D).
The IGMS is designed for managers to read and reference. It has been broken into
component policies so managers can identify and read the sections most relevant to them. The policy sections are as follows:
Use of Personal Information Policy – this generally relates to managers of front line staff who handle personal information on a day to day basis and covers the
requirements to comply with Data Protection Act, Human Rights Act and common law duty of confidentiality, including situations where confidentiality can be breached legally
Information Quality Policy – This sets out the principles relating to the collection of information to ensure that information is complete, accurate, relevant and timely. Managers involved in service re-design/improvement or review should use these principles when considering the information requirements. Therefore it is required for clinical service leads, IM&T managers, change managers and business managers
Securing Information Policy – Whilst the ‘physical’ security aspects are everyone’s responsibility to adhere to, this section is set out for those working on system design, implementation and management, covering all aspects ranging from physical location of equipment/information storage through to planning system capacity. This is a key section for staff whose role includes managing their departmental ‘information assets’. This also contains the technical element of the IGMS, designed for IT
managers/Senior IT staff.
Management of Organisational Records – This sets core policy for creation, storage and disposal of organisational records and links very much to the corporate/records management function of an organisation. There are also policy statements relating to IT services with regard to electronic document storage.
Acceptable Use of Information and Communication Technology – This sets out policy on the use of phone, email, fax and internet by all staff. It is therefore a key element for department/line managers to ensure their staff are acting correctly.
Freedom of Information Policy – This sets the Organisation approach to managing requests made of it under the Freedom of Information legislation framework.
2.1 Information risk management & ‘cyber security’
The Information Governance toolkit promotes the use of an ‘information risk policy’. Rather than set out a separate policy that re-iterates many of the messages in the IGMS, the approach to information risk is built in where relevant to the IGMS. As an overview the key risks are covered as follows:
Inappropriate disclosure of data by staff – Use of Personal information policy.
Action taken based on inaccurate data – Information Quality policy.
Loss, destruction, theft, ‘cyber’ attack, unauthorised access & technical failure – Security of information policy.
Alteration of data – Information Quality, Security and Acceptable use of systems policies.
Destruction of data – Security of information, Records Management and Acceptable use of systems policies.
2.2 Legal & regulatory framework
The system sets out to comply with the following legal acts and the NHS regulations:
Data Protection Act 1998 (and subsequent Special Information Notices & Modification orders)
Human Rights Act 1998
Access to Health Records Act 1990
Computer Misuse Act 1990 (as amended by Criminal Justice Act & Serious Crime Act)
Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992
Crime & Disorder Act 1998
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000 (& Lawful Business Practice Regulations 2000)
Freedom of Information Act 2000 ( & Re-use of public sector information regulations)
In addition to the above, other legislation can impact upon the way in which we should use information. This includes:
Children Act (1989 & 2004)
Health & Social Care (Safety & Quality) Act 2015
Public Interest Disclosure Act 1998
Audit & Internal Control Act 1987
NHS Sexually Transmitted Disease Regulations 2000
National Health Service Act 1977
Human Fertilisation & Embryology Act 1990
Abortion Regulations 1991
Prevention of Terrorism (Temporary Provisions) Act 1989 & Terrorism Act 2000
Road Traffic Act 1988
Regulations under Health & Safety at Work Act 1974
In relation to many of the above requirements the NHS has set out and mandated a number of elements of regulation that constitute ‘Information Governance’. The regulatory controls are defined in the ‘Information Governance toolkit’ and are explicitly linked to core ‘governance’ standards managed by the Care Quality Commission.
In addition the IGMS takes account of the recommendations of the following reports:
O’Donnell report in to Government Data Handling Procedures (June 2008)
Caldicott 2 (Information, to share or not to share) review 2013
2.3 Related policy & code(s) of practice
Human Resource Policies – In setting out standards relating to Information Governance a number of controls are specified relating to job responsibilities, screening, terms and conditions of employment and disciplinary action. These controls are integrated with related HR policy
Physical Security Policies – A number of controls are specified relating to the physical environments in which information is handled. These control areas are integrated with Estates/Facilities policy and procedure.
Medical Records Policies – such as ‘Health Record Content Policy’
Professional codes of conduct from the BMA, GMC and NMC and others (inc Allied Health Professionals, Finance Professionals and NHS Managers)
Research & Ethics Policies, including Research Governance initiatives and policy
2.4 Information Governance Management System
2.4.1 Accountabilities & responsibilities of key roles:
The Chief Operating Officer is the senior accountable officer for the enforcement of the policy. The Chief Operating Officer is supported by the roles of Senior Information Risk Owner and Caldicott Guardian. The Organisation’s Quality & Governance group is accountable for reporting compliance and ensuring a full resourced workplan to maintain and improve compliance is in place. This may be supported by a ‘sub group’ such as an information governance committee or working group as required.
An ‘Information Governance team’ drawn from the appropriate staff in the organisation, where their role includes responsibilities related to Information
Governance, will compile the audit and improvement plan. Facilitation will be by the Organisation’s Information Governance lead, who will be responsible for co-ordinating activities with other key staff.
The work plan will be the basis for activities to maintain compliance (such as education/query support/audit) and development to enhance compliance (such as improved security facilities). Activities will be allocated to appropriate groups and staff within the organisation. The suggested allocation is as follows:
Assurance Area (from DOH IG toolkit)
Overseeing
committee CCG Lead staff/AIMTC support
Confidentiality & Data Protection
Quality &
Governance Group
Caldicott Guardian / Information Governance Manager
Clinical Information Quality &
Governance Group
Caldicott Guardian / Information Governance Manager
Information Governance Management
Quality &
Governance Group
Chief Financial Officer / Information Governance Manager
Secondary Uses Quality &
Governance Group
Chief Financial Officer/ Information Governance Manager & Head of Business Intelligence
Information Security Quality &
Governance Group
Chief Financial Officer / Information Governance Manager & Head of IT
2.4.2 Responsibilities of specific information governance roles:
Senior Information Risk Owner(SIRO) – This role is responsible for ensuring that the
organisation has a pro-active approach to identifying and addressing any risks
resulting from the handling of information in ways that could cause loss, inappropriate disclosure or destruction. The SIRO takes a lead in managing any information related incidents. The SIRO ensures that there is a framework to identify information assets, assess risks to those assets and ensure that these are managed appropriately
Caldicott Guardian role – This role is responsible for ensuring access to and the
use/sharing of patient identifiable data, held in any form, is managed appropriately within the context of providing healthcare. Activities may be delegated to the Information Governance Manager. The guardian also agrees local procedures and protocols to ensure consistency with any relevant central requirements and guidance.
Information Governance Manager will be responsible for:
Production and implementation of audits and work plans
Operational support including education, query resolution, incident support, legal compliance requirements (inc Data Protection & Freedom of Information
compliance)
Co-ordinating the information risk management framework activities including support for information asset owners in mapping information flows, maintaining information asset registers and continuity plans.
Provision of expert support including liaison with legal service providers Any routine or ad-hoc performance reporting requirements of the Board. Act as Data Protection officer for the organisation.
The SIRO, Caldicott Guardian and IG leads will have an annual review of their skills and knowledge and identify any education or training that is required for the role.
2.4.3 Information Governance responsibilities in other roles
It is likely some of these responsibilities will be delegated to support organisations such as a Commissioning Support Unit or external provider. The CCG must ensure that where such delegation takes place any processing of personal data must be covered by appropriate contract/agreement.
Information System management – Each information system (any multi-user computer
based application, potentially including spread sheets etc) should have an identified manager. The governance role of the manager is to implement the system related processes that govern:
management of access to the system
audit of user activity
system data validation processes (input, internal & output)
system administration & supplier support (where applicable)
The manager is also likely to be an ‘Information Asset Owner/Administrator’ as described in section 2.6
Physical security responsibilities – Physical security of information and IT assets is
shared across a number of areas/roles. Perimeter security of sites/buildings is the remit of the Organisation’s Estates/Facilities section. The operation of general
physical security such as door locks, entry controls will be the responsibility of all staff as it relates to all assets, not just information assets. Assessment and promotion of physical security is the responsibility of the nominated security manager for the Organisation. This may not be a specific individual role, but may sit with either corporate services or risk management. The Information Governance Manager will aid and advise on the threats and impacts of loss of information and IT assets.
Line managers will be responsible for:
Managing requests for access to systems, by authenticating the roles and access requirements of staff. Many of them will be ‘sponsors’ of access key departmental and organisational systems.
Ensuring staff are educated and aware of their responsibilities
Monitoring staff compliance with policies
Liaison with the Information Governance Manager when developing or amending processes for handling information
Personnel departments have responsibility for:
Management of staff personal data.
Identity checks for new staff that meet the requirements for ‘e-GIF level 3’ compliance, so that staff can be issued with smartcards for access to smartcard enabled applications. Where cards are to be issued to existing staff, discussion and agreement on responsibilities to perform ID checks will take place separately
Linking ‘change of conditions’ to changes in access requirements for staff
Linking the ‘leavers’ process, so that access privileges and smartcards can be revoked as soon as possible after a member of staff leaves and equipment recalled.
Ensuring staff are aware of and attend the induction and mandatory education programme that includes core information governance education.
Clinical & Corporate Governance – Key staff in these areas are responsible for
facilitating the requirements of IGMS in their areas and ensuring that requirements are practical within the context of clinical services and corporate activities.
Risk Management – The risk manager is responsible for ensuring that any
incident/weakness and risk related to information is not considered in isolation and is an integral part of the organisation’s approach to risk management and that where required expert support of IG staff is engaged to advise on incidents.
2.4.4 Review and update of the IGMS:
The Information Governance Manager will facilitate scheduled review and update of the IGMS. A full review will be conducted every two years, with an interim check on an annual basis.
Review may also take place due to the following occurrences:
Major policy breach or incident within the community
Significant organisational restructuring
Significant change in technical infrastructure
Significant change in legal/regulatory framework
2.5 Audit & compliance of information governance requirements
Audit & compliance will be carried out via a number of means:
Information Governance toolkit audit – The organisation will endeavour to achieve the requirements laid out in the Information Governance toolkit to an appropriate standard as determined by the Department of Health. Audits will be undertaken in line with DH timetables, or in line with contractual
requirements as stipulated by standard national commissioning contracts.
Internal/External audit programmes within the organisation
Information Governance policy compliance programme – featuring on-going audits of records management, access to and use of personal data,
acceptable use of systems and ad-hoc activity determined by the organisation.
2.6 Information Assets & Information Risk Management Framework
An information asset is – information in a number of forms that the organisation is
reliant on to undertake its business. Value of the assets will vary, between useful and critical. Typical assets include: information systems, policy sets, data sets, reference documents, project documents and committee papers. Information assets will be listed in a number of registers, including a hardware register and ‘departmental’ information asset registers (linked to continuity plans).
Ownership of information assets – Each identified asset will have an appointed owner
who is responsible for the governance of the information asset. Where there is no obvious ‘owner’ the role will default to the Executive Director of the relevant section or the Caldicott Guardian if it is patient related. Ownership of a system that is used across teams maybe vested in a management forum where the strategic development of that system or organisational facility is decided.
Information Risk Management – The Organisation has established an on-going
programme of review of information flows, information assets and business continuity arrangements. This programme aims to review each Organisation area at least annually. The review is facilitated by the IG manager, and engages the Information Asset Owners to provide the detail. Identified risks will be recorded and integrated with the Organisation risk management to ensure they are addressed appropriately. Regular reporting on risks from Information Asset Owners to the Senior Information Risk Owner are a key aspect of this on-going programme. The programme will provide reassurance that all assets storing data, all flows of personal data are secure and operated on an appropriate legal basis.
2.7 Incident management – including Serious Incidents Requiring Investigation Reporting incidents and near misses:
Any incident, near miss or potential weakness in processes, relating to the use of information, such as a breach of confidentiality, inappropriate use of data or mistake due to inaccurate or unavailable information, will be reported via the organisations overall ‘incident reporting’ process. Staff will be informed via education sessions. The Information Governance Manager will be integrated with the incident reporting and
risk management process, so as to identify the information related components of any incidents or near misses.
Serious Incidents Requiring Investigation (SIRI):
Any potential loss of data will be assessed in line with the national SIRI guidance in place at the time with reporting to the Department of Health, Information
Commissioner and organisational Board report as necessary. The Senior Information Risk Owner is responsible for ensuring SIRI reporting is carried out appropriately. Assessment of any ‘SIRI’ will be directed by the IG manager.
Reporting technical/software failures:
If a user is unable to access information due to a system related issue this should be reported to the appropriate IT helpdesk for resolution. In addition, if a system related issue puts either patient care or organisational safety/reputation at risk then it should also be reported via the ‘incident reporting’ process.
Learning from incidents:
Changes determined as a result of an incident, near miss or weakness will be cascaded across relevant staff as part of the process to manage the incident. This will include team briefings, newsletters. Relevant actions will be fed through to education programmes.
Investigating misuse of systems (including Forensic readiness)
If misuse of systems is suspected the IT department will be contacted at the earliest opportunity and will in conjunction with the appropriate line managers and IG staff, determine the need to engage specialist IT support to preserve electronic evidence. Specialist Forensic investigation will be considered in the following situations:
Allegation of illegal activity, such as web browsing to illegal materials or allegations of financial fraud.
Allegation of alteration of clinical information that could have significant impact on safe provision of care
Disciplinary process and removal of access rights
Any investigation, which determines that organisational policy has not been followed, will be subject to formal disciplinary policy under the organisations Human Resources framework and where appropriate a ‘Professional Regulatory’ framework. Access to systems for staff under investigation or disciplinary process will be suspended on the request of any senior manager involved (as above). Separate legal proceedings may be necessary, including seeking prosecution under the Computer Misuse Act 1990 (unlawful/unauthorised access) or section 55 of the Data Protection Act (unlawful obtaining and/or disclosure of personal data).
Where evidence is required for internal or external support of action against an individual, the processes for collection will incorporate the following minimum standards:
Retrieval of paper information will note who withdrew it, when it was withdrawn and incorporate procedure to ensure it is not tampered with. For example the use of a medical record in investigation will record who requested and received the record, any copies of the original that were made, and who witnessed this activity.
Electronic audit trails will be examined where possible to provide evidence. Depending on the severity of the issue specialist computer forensic support will be engaged via the Counter Fraud and Security Management Service.
2.8 Information classification
Information will be classified in one of three categories:
Personally identifiable - Where the information relates to one or more identifiable
individuals to a greater or lesser extent, and is subject to the terms of the Data
Protection Act 1998, common law and Human Rights legislation. The same principles will be applied to information on deceased individuals, unless there is specific other legislation that relates, such as the ‘Access to Health Records Act 1990’. Some personally identifiable data may be disclosable under Freedom of Information (FOI) legislation, however no such information will be published or provided without first checking relevant exemptions. FOI does not generally make confidential information about an individual such as a health record available to others.
Public information – Information that is not ‘personally identifiable’ is generally
accessible via the Freedom of Information Act and either actively published or provided on request. By default all ‘non personal’ records will be classed as public. However if senior staff responsible for any information, have reasonable concerns about the publication or provision of information, then a considered view will be taken as to whether the information should be classed as organisationally sensitive.
Organisationally sensitive – This classification will only be used for information that
can justifiably be exempt from provision under Freedom of Information legislation. Any information determined as ‘sensitive’ will not be routinely published, but if requested the validity of the classification should be checked. This may include financial information, procurement documents (particularly those where disclosure could affect the process or commercial interests of parties) and draft public policy. The sensitivity is likely to be time limited
Responsibility for classification of information into these categories lies with the originator or owner.
Information labelling
Patient records and staff personnel information on any media will be routinely labelled as confidential. Corporate records will be deemed public unless labelled. In line with NHS records management guidance the correct label is ‘NHS Protect’, indicating the information warrants protection, but does not prejudge decisions on disclosure in the way labels such as ‘confidential/sensitive’ may do. It is noted that the use of a label does not mean that the document is exempt under Freedom of Information. It is guidance for consideration.
Use of ‘Personal Information’ policy
–
(inc legal compliance on Data Protection,
Human Rights & common law and core
staff responsibilities with regard to
information use).
3 Use of personal information – including core staff responsibilities 3.1 Managing personal information – legal compliance
The following forms of organisational record need to be securely retained for statutory or regulatory requirements, including defence against potential civil or criminal action.
Patient records
Staff records (employment contracts, staff reviews etc)
Financial records (orders, receipts, invoices etc)
Public accountability records (board minutes, papers etc)
The full list of organisational records requiring safeguarding can be found in the Department of Health Records Management Code of Practice (April 2006, Jan 2009). Many records will be required to be kept for a number of years, therefore the
organisation will ensure that technology change does not make important records inaccessible. This will be either by maintaining relevant technical standards, or by the transfer of data at the relevant time to new technology and media.
3.1.1 Data Protection, Human Rights & Common Law
This policy section summarises the organisation’s method of compliance with UK Data Protection legislation by reference to relevant sections of this policy and additional statement where required. Additionally minimum standards around managing confidentiality, in respect of the ‘common law duty’ are detailed.
All processing of personally identifiable information must be considered in line with the tests and principles below. Advice and guidance is available from the Information Governance manager.
Necessity test – The first consideration given to any collection, recording or sharing of information will be whether the individual(s) need to be identified and what data needs to be used. If no identifying information is required, then none should be used. All items of data used must be justified. It may be necessary to ‘pseudonymise’ data by replacing clear identifiers with a code or reference number, that allows data to be linked.
First principle – Use of information shall be fair and lawful. This requires that
individuals are informed how their information is used and that relevant conditions and justifications for the use of information can be shown. Use of information will
generally require compliance with the Data Protection Act (1998), the common law of confidentiality and the Human Rights Act (1998). Full details about informing
individuals is set out in the document ‘No Surprises – Data Protection Communications Strategy’.
The organisation will provide and promote materials for patients (data subjects) that identify how their information is processed and protected. These will be developed with input from patient representative groups. Leaflets will be made available at all sites and ‘facts cards’ will be included with routine mailings. New uses of staff personal data will seek advice on whether specific informing of staff is required. The organisational website will be used to inform both staff and patients how their information is used.
Provision of information materials and any other related activities, locally and nationally, will form the basis of ‘informed implied consent’ to use information for purposes directly related to the care and administration of patients. This is in line with the condition of consent for processing of personal data (DPA 98), the requirements of common law and does not unfairly compromise Article 8 of the Human Rights Act (right to private and family life).
For the processing of sensitive data (including physical or mental health or condition), most activities directly related to the care of a patient will be compliant under schedule three, condition eight – ‘processing is necessary for medical
purposes and is undertaken by a health professional or person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional. (‘Medical purposes includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health services’). The
processing of sensitive personal staff data will be compliant with conditions
‘necessary where conferred by right or obligation with regard to employment’ or ‘explicit consent’ or ‘processing of ethnicity information in relation to equal opportunities monitoring’.
Where the use of Patient Confidential Data (PCD) that includes any level of identification is not directly related to provision or administering the care of the patient, such as research, analysis, financial check, risk stratification or audit, advice must be sought from the Information Governance lead in order to confirm legal justification for the use of the information. There are likely to be
circumstances where justification can only be shown when additional activities to ensure legal compliance are undertaken. Such activities will also refer to current guidance from Health & Social Care Information Centre (HSCIC) on permitted secondary uses of PCD and any provisions made under section 251 of the Health & Social Care Act (2006). The organisation will actively develop, in line with national policy direction, systems to record the wishes of patients that are expressed in response to information presented to them. (See below - ‘rights to prevent processing’).
Where required the organisation will actively develop, in line with national policy direction, systems to record the wishes of patients that are expressed in response to information presented to them. (See below - ‘rights to prevent processing’).
The organisation will maintain an accurate, up to date notification with the
Information Commissioner on the purposes, sources, subjects and disclosures of data it uses.
The organisation will develop, maintain and review procedures to ‘pseudonymise’ records to permit processing that requires record linkage for purposes such as analysis, service planning and performance management (secondary uses). As required by HSCIC guidance such activities will take place within the framework of ‘Data Services for Commissioner’s Regional Office’ (DSCRO), Accredited Safe Havens (ASH) and Controlled Environment for Finance (CEfF).
Second principle: ‘Personal data shall be obtained only for one or more
specified and lawful purposes, and shall not be used for other purposes that the individual is unaware of ’
The organisations Data Protection ‘notification’ will detail the specified and lawful purposes that data shall be obtained and processed for (including staff
administration, health administration and services, research, crime prevention and public health). Relevant purposes will also be detailed in the information provided to patients.
The organisation will actively participate in protocols for Information Sharing between organisations to ensure that further processing and sharing is carried out in a manner compatible with notified purposes. (See section 7.2)
Use of information for any purpose not included in public literature will require additional activity to ensure that it is processed legally. Advice is available from the Information Governance Manager.
Third principle: ‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed’
The organisation will conduct routine audits/reviews as part of good data
management practice to ensure that information collection is adequate, relevant and not excessive, including maps of information flows and registers of assets.
All new services and developments will be assessed to ensure compliance and that the collection of data is justified in relation to the purposes and activities. See section 3.1.2.
Professional guidelines on taking and making of records will be adhered to. Awareness will be raised by the continued use and improvement of the ‘Code of Conduct’ leaflet entitled ‘About Patients’ and the provision of education.
Any process/agreement on sharing information will ensure adequate but not excessive sharing, by involving the Information Governance Manager.
Fourth principle: ‘Personal data shall be accurate and where necessary kept up to date’
Validation processes and routines will be developed, utilised and maintained on systems and data sets, as per the Information Quality Policy.
The organisation in signing up to Information Sharing agreements or specific subject policies (such as vulnerable adults) will ensure that the accuracy of data shared between organisations is covered in the agreement.
Fifth principle: ‘Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’
The organisation will instigate retention and disposal procedures in line with central NHS guidance (DOH Records Management code of practice April 2006, updated Jan 2009) – see section 6 and related health records policy.
Sixth principle: ‘Personal data shall be processed in accordance with the rights of data subjects under this act’
Right of access to records: The organisation will ensure that a formal process for patients to request access to their records is in place and that response will be achieved within 40 days (following receipt of all data necessary to process
request). A process will be maintained for other personal records (Staff Records). Requests must be received in writing and contain enough information for the organisation to identify and provide the relevant information to the requestor. The organisation will provide either sight of the information or a copy on request. Current charges for copies are: computerised records only - £10. Paper records (or a mix) - £50. Individuals whose records are held manually and have been modified in the last 40 days can be provided with a free view of the record.
Where a request relates to a single service, the Head of Service is responsible for the response. If a request is across services, then the Corporate Service lead will co-ordinate. Whilst process for requests across services will be co-ordinated
centrally, senior clinicians involved in the care of the individual will be required to check the information for appropriateness prior to release.
Where health records may contain information that might harm or distress the individual:
If in the opinion of an appropriate senior clinician that disclosure of all or some of the information could cause harm or distress then the individual will be offered the opportunity to discuss the content of their records with the clinician or appropriate senior management, who can make the judgement about release of information at a meeting with the individual. If it is determined that disclosure is an appropriate course of action, then records can be released with such information removed.
Where records may contain information about a third party(ies):
If there is information in a record that is about a third party, then their consent should be sought wherever practical. If consent cannot be gained or is refused, the information should be removed, unless it can be justified (by clinican or senior manager) that it is important for the requestor to know and that there is little chance of harm or distress being caused to the third party. Consent of staff identified, who have contributed to the record does not need to be sought. Any decisions required and made during the process should be documented.
Right of preventing processing likely to cause damage or distress. The
organisation operates a culture of confidentiality, however individuals may make specific requests about how their information is handled, which if possible should be acted upon. This may require that records are only handled by specific staff or that records are marked with preferences such as ‘do not use for research’. If an individual’s request about handling information will in anyway compromise the effectiveness or efficiency of care they receive, then this must be explained to them, so they can fully understand the consequences of their request. Where possible the request and explanation provided must be documented in their record, in an appropriate and acceptable form to the individual. If the individual
requests that no record of treatment is made, then it must be explained that at least a basic paper record must be kept and that clinicians are duty bound to do so, in order to ensure that there is a record of their activities in case of claims for negligence. Any requests made by an individual where the course of
action is at all unclear or contentious should involve the Information Governance Manager and where required the appropriate clinical lead for advice. In line with the NHS Duty of Candour, individual’s requests to manage the use of their data will be respected as far as is possible.
Requests not to share information will be adhered to unless specific significant circumstances or legal requirements override them (See override section below).
Right to take action to rectify, block, erase or destroy inaccurate data. Factual information in records that is inaccurate will be corrected. Subjective information (i.e. that which is not solid fact) that in the view of the subject is inaccurate, will not be altered, as it may alter evidence required in any future action. The subject’s view will however be added to the notes to indicate there is discrepancy between the recorded information and the subject’s viewpoint.
Seventh principle: ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental destruction of, or damage to, personal data’
In essence application of the ‘Information Governance Management System and appropriate controls, moving to compliance with ISO17799 (ISO27000) is seen as a reasonable degree of compliance with this principle. (see sections 5 & 7.8) Eighth principle: ‘Personal data should not be transferred to a country or territory outside the economic area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data’
Anyone requiring transferring data overseas should take advice from Information Governance Manager prior to doing so. There are conditions where the eighth principle does not apply, but these have to be considered individually.
The Information Governance Manager will conduct an annual survey of the organisation to ensure that any transfers are set up appropriately and this is part of regular assessment of information flows by information asset owners.
3.1.2 New Services & uses of information:
All new uses of information require an assessment of the DPA principles and other relevant legal requirements. Assessments are carried out by the Information
Governance staff on request or as part of the organisational wide processes to govern new service developments. This process will pay due heed to the ‘Privacy Impact Assessment’ requirements of the Information Commissioner’s Office. A PIA will be considered in the following typical scenarios:
Implementation of new system
Significant new collection of personal data
Significant new purpose for processing data (outside scope of general purposes), such as a new services not previously offered
Significant cross organisational sharing of data with non NHS partners.
3.1.3 Override of confidentiality or patient’s express wishes:
Responsibility for withholding/disclosing patient information without the patient’s consent lies with the senior clinician in charge of the patient’s care. Occasionally time and situations will not allow this person to make a decision, if the decision cannot be delayed, it must be taken by the next most senior clinician. Information withheld will be reviewed and the restriction withdrawn when appropriate. Actions taken to withhold or disclose information will be documented in the patient record as soon as possible after the event, identifying all those involved.
Disclosure without consent maybe permitted in the following scenarios or under the following legislation (giving a power to disclose):
Prevention/detection of a serious crime, i.e. terrorism, murder - under the Police and Criminal Evidence Act (1984) or Crime & Disorder Act (1998)
Notification of medical condition affecting driving to DVLA (noting DVLA medical officers make the final judgement)
Prevention of harm to a patient or others (under certain conditions relating to Data Protection, Human Rights, Police and Criminal Evidence Acts)
Where judged to be in the best interests of a patient who lacks capacity to consent Disclosure without consent is either required or obliged under the following
Notification of new births (NHS Act 1977 – section 124)
Notification of communicable diseases (Public Health Control of Disease Act 1984 – section 11 and Public Health Infectious Disease regulations 1988).
Road Traffic Act 1988
Prevention of Terrorism act (1989) & Terrorism Act (2000)
Childrens Act (1989 – section 17, 47 enquiries) & (2004)
Where support of section 251 of the Health & Social Care Act 2006 has been provided by the current national committee.
Disclosure to statutory bodies such as CQC as established in the Health & Social Care Act 2008
The organisation will support any member of staff who, using careful consideration and professional judgement, can satisfactorily justify any decision to disclose or withhold information against a patient’s wishes, where documentary evidence can backup claims of action taken or not taken.
Further detail on powers and duties to disclose can be found in Appendix B, however this is an area of law that is continually evolving, so if in any doubt seek advice from the Information Governance Manager.
Guidance and education for staff on information sharing will be based on the
Information Commissioner ‘Data Sharing Code of Practice’ May 2011 and the HSCIC Confidentiality Code of Practice (Dec 2014).
3.1.4 Key principles to ensure information is shared legally:
Many of the legal items to consider are detailed above. Further detail on sharing information can be found in the Department of Health Code of Practice on
Confidentiality (Nov 2003), HSCIC Confidentiality Code of Practice (Dec 2014) and Information Commissioner guidance. The key principles about sharing information have been included in the staff guidance leaflet ‘about patients’ and are referenced here for completeness, they have been designed to be compliant with common law, Human Rights (1998 - especially article 8) and the Data Protection Act (1998) Information can be shared if one of the following legal keys can be applied: 1) A legal requirement – Where there is a legal requirement/duty (see above)
consent is not needed. If it will not cause any harm, the patient should be informed about the sharing of information.
2) Consent – Patient consent is only valid, if the patient has been informed, given time to decide, not been co-erced, been given clear choice and has the capacity to understand the implications of their decision,. Where information is to be shared that is not directly related to the care or administration of patients then explicit consent should be used, where possible. Any consent forms will be designed so it provides a clearly indicated choice that cannot be altered.
3) Public or vital interest/benefit – If sharing information can be shown to have a considerable benefit to the public, such as reducing risk of serious harm or distress or is absolutely critical to providing someone’s care then it may be possible to share it either in the ‘public’ interests or the ‘vital’ interests of the individual, without consent of the individual(s). Information should not be shared unless there is a legal power, which generally relates to the Organisation’s core business of providing care, or specific legislation (e.g the Crime & Disorder Act (1998).
4) The Caldicott 2 review has established a new principle: ‘The duty to share
information can be as important as the duty to protect patient confidentiality’. The review also established that information sharing should be routine between the professionals involved in the multi-disciplinary care of the patient. In line with the above ‘keys’ the overall approach of the organisation will be to encourage and develop information sharing wherever possible, beneficial and legally justified. This is further supported by a ‘duty’ to share information in the Health & Social Care (Safety & Quality) Act 2015, where it is related to direct care and is compliant with the Data Protection Act 1998 and common law duty of confidentiality.
5) The organisation will assess information sharing arrangements against the statements in NICE Clinical Guidelines (138, standard 15)
3.2 Employment confidentiality agreements and job description responsibilities
A standard statement on responsibilities for handling information appropriately will be included in all job descriptions and employment contracts.
In section 2.4 (Allocation of information governance responsibilities), more detailed, specific responsibilities/roles are defined. These are included in appropriate job descriptions, over and above the basic statements.
It should note these responsibilities are required in perpetuity beyond the length of the staff member’s employment. Terms and conditions will also state the responsibilities extend to all places and all times, including outside the work environment.
Identification & authentication (link to Smartcard Registration Policy).
As reliance on information is key to the efficient and safe running of an organisation, there is a need to be as sure as possible about the identity of employees and
appropriateness of role related access, particularly in electronic systems with a much wider capacity to share data. The implementation of ‘Registration Authorities’ for the National Programme for IT requires all staff accessing the system to go through a rigorous ‘authentication’ process, prior to the issue of their ‘smartcard’. This process is integrated with appropriate Human Resource processes for ‘starters’ and ‘leavers’. The national policy on Registration Authorities will be followed and supplemented by separate local policy and processes around card creation and issue.
Staff not directly employed by the Organisation
Casual staff, contractors and others, (including volunteers such as League of Friends, Patient Participation Groups etc), not covered by an employment contract, are
required to sign a confidentiality agreement prior to being given access to information processing facilities. All such staff will be informed about the need and method for maintaining confidentiality; regardless of what access their role gives them to information. It is the responsibility of the manager agreeing to fund the use of such staff to ensure that appropriate contractual statements are signed and awareness raised.
3.3 Core responsibilities of staff
This section briefly outlines the responsibilities for all staff with regard to handling information to ensure information is handled appropriately. These are set out and communicated to all staff via the code of practice leaflet ‘About Patients – Guidance for staff, volunteers and contractors handling patient information’ and the ‘Acceptable use email’ that all staff receive on starting employment and are required to agree to, or access will be removed. The guidance leaflet is structured depending on whether the staff role is in direct contact with patients, personal data or not.
Inform patients what information they are recording, why it is being used, who has access and who it will be shared with for their care (supported by leaflets & cards – see Appendix C for examples)
Address any concerns patients may have about the use of their information.
Liaise with department managers and the Information Governance Manager when patients make requests to restrict the use of their information.
Protect patient information when using communication methods (see section 7)
Share information appropriately and legally (see section 3.1.3, 3.1.4 and Caldicott principle 7)
Staff will not extract or use personal data unless necessary.
Ensure that confidential information is not left lying around when unattended. Paper and computer media should be stored in suitable lockable cabinets when not in use. Sensitive information on removable media and portable devices must be encrypted.
Maintain and follow processes required to ensure accuracy, completeness and timeliness of information. (see section 4)
Protect electronic information by: o Keeping passwords confidential o Avoid keeping records of passwords
o Change passwords if you think someone else knows it
o Select passwords that are easy to remember, but not based on anything easy to guess.
o Change temporary passwords at first log on.
o Personal computers and computer terminals should not be left logged on when unattended and should be protected by screensaver passwords (even though this may mean having a single ‘screensaver’ password known by multiple staff).
o Ensure that only individuals who need to know information can see it on either a desk or a screen (i.e. Not have screens visible to the public, not display details of other patients during consultations etc).
Given the public nature of the healthcare environment, these policy elements are crucial to the appropriate handling of information. Failures of these policies in areas open to the public will by their nature be public. The impact of an incident may have serious implications for the organisation and even the well-being of individuals. Advice should be sought from the Information Governance Manager
3.4 Education and awareness
The organisation will ensure that all staff receive appropriate education about handling information via the following programme of provision:
Annual knowledge assessment. All staff will be required to undertake an annual core
knowledge assessment. The requirement for compliance is 95%+ to maintain a satisfactory score in the IG toolkit. This will also be used by all new starters within 1 month after they commence employment. Those achieving a sufficient level of core knowledge will not be required to undertake any core training and will be assessed
again in the following year. Online materials are available to aid staff in completing the assessment.
Any individual who needs role specific knowledge will have this identified in their personal development plan. An organisational TNA will be maintained by the IG lead.
Induction – The organisation will ensure that all newly employed staff receive basic
guidance in organisational policy in relation to information governance as part of an overall organisational induction.
System training – All user training on systems will include details and education on
appropriate policy and procedure elements for that system. These will focus on both security and data quality elements.
Awareness activities – The Organisation will use the following to ensure all staff are
kept aware of their responsibilities:
Code of Conduct – the leaflet ‘About Patients – guidance for handling patient information’ will be distributed to all staff upon each major revision
Screensaver – The IT department will include the information governance screensaver as a standard item on each new PC installed in the organisation. Users will not select another screensaver
Ad-hoc methods – newsletter articles, workshops and other awareness materials will be used.
Annual staff survey of knowledge & understanding (where mandatory assessment tools do not provide adequate data).
More detailed training is available by arrangement with the Information Governance Manager.
Information Quality Policy:
(Principles for complete, accurate,
relevant & timely information).
4 Information Quality Policy
4.1 Legal requirements for quality information
The organisation is required to operate policy and processes to ensure that information is of good ‘quality’. Quality is defined as information that is ‘complete, accurate, relevant, available and timely’. The CCG will in general be a recipient of data from other organisations and requiring those organisations to ensure quality of data. The items below illustrate what the CCG will implement in its own systems and that which it will also expect of contracted providers. Failure to ensure the quality of information may lead to breaches of legislation as follows:
Data Protection Act (1998):
The Third principle includes a requirement that information should be ‘adequate, relevant and not excessive’. If the wrong information is recorded, or is incomplete, then it could be found to be ‘inadequate’ or irrelevant.
More directly the fourth principle requires information to be ‘accurate and up to date’ and poor quality information will almost certainly breach this principle. An
organisation is required to take all reasonable steps to ensure the quality of its information.
There have not been many examples of legal action being taken against
organisations, purely on the principle of poor quality information, however the effect of poor quality must be seen in a wider context of the potential impact it can have on patient care and there is potential that organisations could breach an individual’s human rights where information they use to treat a patient is of poor quality.
Human Rights Act (1998)
There have been examples where mistakes in records have led to clinical errors in treatment, resulting in harm or even death of patients. Such instances are likely to be breaches of the Human Rights Act (1998), especially Article 2 (right to life) and Article 3 (protection from degrading treatment) and clearly lead to clinical negligence cases. Where a clinical negligence case itself is not caused by poor quality information, any defence by the Organisation can be compromised if information is of poor quality.
4.2 Collection of information
Data collection processes (electronic and paper) will have rule based data input designed into them along the following guidelines:
Value ranges – Acceptable ranges will be indicated on paper forms and built into systems so that only values within the determined range will be accepted.
Invalid characters – Paper collection forms will indicate where the required collection is either numeric or character based. Electronic systems will ensure that data collection fields will only accept characters relevant to the data item being collected (e.g. numeric characters will not be allowed in ‘name’ fields)
Missing or incomplete data – Paper forms will indicate where items of data must be completed in relation to the collection purpose of the form. Electronic systems will feature rules (that may allow local configuration) that indicate to users when required data items have not been completed before data collection screens can be committed (saved to the database).
Identifiers – The New NHS Number will be used as the common identifier on all patient records and correspondence. The organisation will ensure processes around data collection and transfer, capture and use the NHS number. Local identifiers are permitted.
The Information Governance Manager will support the use of the above guidelines, however they will only be successfully applied with input from the user and clinical communities within the organisation, so there is a responsibility for the ‘Information Asset Owners’ and ‘system management’ to be involved in input/collection data validation processes.
Each system will have a checklist of core processes for data collection that is linked to training guides. These will be reviewed periodically or as a need arises via
feedback/quality monitoring and incidents. These will be based on the core data collection process list managed by the Information Governance team, covering items such as registering and amending patient details, capture of referral/diagnosis, attendance and outcome data, removal of patients and caseload management. Responsibility for review and development of input/collection validation will by default lie with the ‘system management’.
Line managers of staff will have default responsibility to ensure their staff are aware of processes and procedures relating to the quality of data.
The organisational clinical audit department will within an agreed framework, conduct audit of paper-based records with documented regularity across specialities and teams on an on-going basis.
The organisation will identify a lead member of staff to receive and implement ‘Data Set Change Notices’ from the Department of Health.
4.3 Rule based processing of information
This control generally applies to electronic systems and relates to any ‘automated’ process that takes inputted data and processes it into another form, such as creating a result from a calculation run on two data fields.
Elements of an information system that run an internal process on data will be specified in developments and tested before system acceptance. Checks will be run as part of change control and system acceptance procedures (see section 5) when system developments affect any of the internal processing.
Standard system reports or processes will be checked so that if they have a running order this is maintained.
4.4 Authenticating data (on systems, and in messages)
Data items in paper format will be subject to rules and guidelines detailed in medical record policies and procedures for ensuring identification of the author. Typically reliance is on a dated signature of staff completing forms or records
Data items in electronic format will be attributed to the User ID recorded in any audit trail relating to the creation, viewing, amendment or deletion of data.
On-going use of ‘smartcards’ for electronic patient records and the electronic staff record will ensure a robust level of authenticity provided cards are used and managed appropriately, as per national and local smartcard policy and procedure.
Despite implementation of controls on both data collection/input and internal system processing, data cannot be entirely relied on without further checks on ‘output’. For the purpose of this policy output is defined as follows:
Regular or ad-hoc reports compiled from summary of information on multiple records. These may be run by users or specific ‘Information Analysis staff’
Viewing and use of individual records (both paper and electronic) for delivery and management of care.
Information analysis staff will be responsible for running regular validation checks on reports. Confirmation of the validity will require input from the system owners. Typically reports can be validated by comparison with other data/reports
Use of individual records (paper and electronic) within the delivery and management of care will be checked as part of a regular programme by clinical audit departments. Staff line managers will have a default responsibility to ensure their employees are familiar with processes/procedures around handling data output, especially with regard to interpretation.
4.6 Checking patient details (demographics)
All departments with direct contact with patients will ensure that their administrative processes include checking the detail of patient records, such as name, address, date of birth, GP etc with the patients themselves.
Patients (and others making enquiries) must be asked to confirm demographic details to staff, rather than staff informing them of the details (such as address) and asking if it is correct. This is to ensure that patient demographics are not disclosed
inappropriately to others (such as ex partners), and that patients can choose how to confirm details to staff, if they are perhaps unhappy about informing staff of details verbally in open public areas.
4.7 Overseeing data quality in commissioned providers
The CCG will ensure that data submitted by it’s providers is put through validation and benchmarking processes. This will be part of commissioning performance
management (overseen by the Leadership group) and also clinical governance (overseen by the Quality & Governance Group).
