Information Governance Policy


REFERENCE NUMBER IG 101 / 0v3 May 2012

VERSION V1.0

APPROVING COMMITTEE & DATE Clinical Executive 4.9.12

West Lancashire CCG is committed to ensuring that, as far as it is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on the basis of their age, disability, gender, race, religion/belief or sexual orientation.

Should a member of staff or any other person require access to this policy in another language or format (such as Braille or large print) they can do so by contacting the West Lancashire CCG who will do its utmost to support and develop equitable access to all policies.

Senior managers within the CCG have a responsibility for ensuring that a system is in place for their area of responsibility that keeps staff up to date with new policy changes.

It is the responsibility of all staff employed directly or indirectly by the CCG to make themselves aware of the policies and procedures of that CCG.

CONTENTS

1 PURPOSE

2 SCOPE

3 GUIDANCE

3.1 Principles of information governance

3.2 Aims and objectives

3.3 Roles, responsibilities and accountabilities

3.4 Information governance strategy

3.5 Governance arrangements

3.6 Information toolkit and annual performance

4 REFERENCE AND BIBLIOGRAPHY

5 ASSOCIATED DOCUMENTS

1.0 PURPOSE

NHS West Lancashire Clinical Commissioning Group (CCG) recognises the importance of information, both in terms of the clinical management of individual patients and the efficient management of services and resources. Information governance plays a key part in supporting clinical governance, service planning and performance management.

It also gives assurance to NHS West Lancashire CCG and to individuals that personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible care.

Information governance is to ensure that one of NHS West Lancashire CCG's most important assets, information, in both clinical and management terms, is respected and held in secure and manageable conditions. It is therefore of paramount importance to ensure that information is efficiently managed on the basis of the HORUS categorisation:

• Held safely and confidentially

• Obtained fairly and effectively

• Recorded accurately and reliably

• Used effectively and ethically

• Shared appropriately and lawfully

On this basis NHS West Lancashire CCG will put in place a range of appropriate policies, procedures and management arrangements to provide a robust framework for information governance within the CCG. The information governance agenda of this CCG will be provided by the commissioning support unit the CCG enters into a contract with.

The commissioning support unit will establish and maintain policies and procedures on behalf of the CCG to ensure compliance with requirements contained in the Department of Health Information Governance Toolkit. All policies and procedures will be approved by the CCG.

The lead within NHS West Lancashire CCG for all aspects of this policy will be the Chief Finance Officer, who is also the Senior Information Risk Officer (SIRO). The Head of Information Governance from the commissioning support unit will provide additional support for the SIRO.

2.0 SCOPE

This policy applies to all staff employed by or working on behalf of NHS West Lancashire CCG including contracted, non-contracted, temporary, honorary, secondments, bank, agency, students, volunteers or locums.

It covers all aspects of information within the organisation, including but not limited to:

• Patient/client/service user information

• Personnel/staff information

• Organisational information

• All aspects of handling information, including (but not limited to):

  • Structured record systems - paper and electronic

  • Transmission of information - fax, e-mail, post and telephone

• All information systems purchased, developed and managed by/or on behalf of the organisations.

It must be followed by all staff employed by the organisations on a permanent, temporary or voluntary placement or undertaking work on behalf of NHS West Lancashire CCG.

The policy covers all aspects of handling information including, but not limited to:

• Structured record systems - paper and electronic

• Transmission of information - fax, email, post and telephone

3.0 GUIDANCE

3.1 Principles of Information Governance

This guidance outlines the four key strands to the Information Governance Policy.

These are:

• Openness

• Legal Compliance

• Information Security

• Information Quality Assurance

NHS West Lancashire CCG recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. NHS West Lancashire CCG fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients or staff and commercially sensitive information.

NHS West Lancashire CCG also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

NHS West Lancashire CCG believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to ensure and promote the quality of information and to actively use information in decision-making processes.

It also gives assurance to NHS West Lancashire CCG and to individuals that personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible care.

NHS West Lancashire CCG will establish and maintain policies and procedures to ensure compliance with requirements contained in the Department of Health Information Governance Toolkit.

It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability provide a robust governance framework for information management. Information governance is the means of providing this governance framework, and currently includes the following legislation and work areas:

• Data Protection Act 1998

• Freedom of Information Act 2000

• The Confidentiality Code of Practice

• Information Security Management – BS ISO/IEC 27002:2005

• Records Management NHS Code of Practice

• Information Quality Assurance (Data Accreditation)

• Information Governance Toolkit

3.2 Aims and Objectives

This document sets out the requirement to maintain policies and procedures in order to be compliant with the criteria of the Department of Health Information Governance Toolkit.

Openness

• Non-confidential information of NHS West Lancashire CCG and its services must be available to the public through a variety of media.

• NHS West Lancashire CCG is required to establish and maintain policies to ensure compliance with the Freedom of Information Act 2000.

• Patients must have ready access to information relating to their own health care, their options for treatment and their rights as patients.

• NHS West Lancashire CCG is required to have clear procedures and arrangements for liaison with the press and broadcasting media.

• NHS West Lancashire CCG is required to have clear procedures and arrangements for handling queries from patients and the public.

Legal Compliance

• NHS West Lancashire CCG regards all identifiable personal information relating to patients and staff as confidential and as such takes steps to ensure that the handling of such information complies with the Data Protection Act 1998 except where there is a legal requirement to override the Act.

• NHS West Lancashire CCG is required to undertake or commission annual assessments and audits of its compliance with legal requirements.

• NHS West Lancashire CCG is required to establish and maintain policies to ensure compliance with the Data Protection Act 1998, the common law of confidentiality and the Freedom of Information Act 2000.

• NHS West Lancashire CCG is required to establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (for example, Health and Social Care Act 2001, Crime and Disorder Act 1998, The Children’s Act 2004).

Information Security

NHS West Lancashire CCG is required to:

• Establish a Governing Body level Senior Information Risk Officer (SIRO) who will produce and take ownership of the organisation’s Information Risk Policy.

• Ensure that the role and responsibilities of the SIRO and the infrastructure to support the SIRO are kept under review.

• Ensure that the Annual Statement of Internal Control includes a statement describing how risks to information will be managed and controlled.

• Establish and maintain policies for the effective and secure management of its information assets and resources.

• Undertake or commission annual assessments and audits of its information and IT security arrangements (asset registers).

• Promote effective confidentiality and security practice to its staff through policies, procedures and training.

• Ensure that it has documented and accessible information and IT security incident reporting and management procedures in place in line with Department of Health requirements.

• Maintain and review incident reporting procedures, and monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

Information Quality Assurance

• NHS West Lancashire CCG is required to establish and maintain policies and procedures for information quality assurance and the effective management of records.

• NHS West Lancashire CCG is required to undertake or commission annual assessments and audits of its information quality and records management arrangements.

• Managers are expected to take ownership of, and seek to improve, the quality of information within their services.

• Wherever possible, information quality will be assured at the point of collection.

• Data standards will be set through clear and consistent definition of data items, in accordance with national standards.

• NHS West Lancashire CCG is required to promote information quality and effective records management through policies, procedures/user manuals and training.

3.3 Roles, Responsibilities and Accountabilities

NHS West Lancashire CCG is responsible for the development of the information governance agenda.

Specific Responsibilities

Clinical Executive Committee

It is the role of the NHS West Lancashire CCG Clinical Executive Committee to define CCG policy in respect of information governance, taking into account the legal and NHS requirements. The Committee is also responsible for ensuring that sufficient resources are provided to support the requirements of the policy.

Chief Officer

The Chief Officer of NHS West Lancashire CCG has overall accountability and responsibility for information governance within the CCG and will provide assurance, through the Statement of Internal Control, that all information risks to the CCG are effectively managed and mitigated.

Senior Information Risk Officer (SIRO)

The Chief Finance Officer is the nominated SIRO for NHS West Lancashire CCG. The SIRO will take ownership of the NHS West Lancashire CCG Information Risk Policy, act as advocate for information risk on the Governing Body and provide written advice to the Chief Officer on the content of their Statement of Internal Control in regard to information risk.

The SIRO is required to undertake strategic information risk management training, and every three years thereafter.

Key responsibilities of the SIRO are:

• To oversee the development of an Information Risk Policy and a strategy for implementing the policy within the existing information governance framework.

• To take ownership of the risk assessment process for information risk, including review of the annual information risk assessment to support and inform the Statement of Internal Control.

• To ensure the organisation undertakes risk assessments to form the basis of the organisation’s risk register.

• To review and agree action in respect of identified information risks.

• To ensure that the approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff.

• To provide a focal point for the resolution and/or discussion of information risk issues.

• To ensure the Governing Body is regularly and adequately briefed on information risk issues.

Caldicott Guardian

Dr John Caine, NHS West Lancashire CCG Chair, is nominated as CCG Caldicott Guardian. The Caldicott Guardian is responsible for ensuring that NHS West Lancashire Clinical Commissioning Group processes satisfy the highest practical standards for handling patient information. This includes the safe recording, storing and retention of all personal data and ensuring all information flows are mapped to exclude any leaks of information.

The Caldicott Guardian will carry out any investigations brought to their attention and negotiate all information sharing agreements on behalf of NHS West Lancashire CCG.

Information Governance Support

The CCG Chief Finance Officer will be supported by the commissioning support unit Head of Information Governance and the Information Governance Support Officer for the CCG.

Specific measures will include:

• Ensuring that standards and procedures are documented and actively implemented in every location where information is collected and used.

• Ensuring that staff are properly trained and equipped to fulfil their responsibilities.

• Making available adequate resources for reviewing, monitoring and continually improving security and data quality.

• Taking appropriate, positive action where standards are not met.

CCG managers

All managers are responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance on a day-to-day basis. Any breaches or suspected breaches of confidentiality or information security must be referred for immediate investigation.

CCG Staff

All staff are responsible for ensuring understanding of the relevant policies and issues. All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day-to-day basis.

National guidance (Department of Health, Information Governance Toolkit) states, “The organisation NHS West Lancashire CCG should aim to establish an active training programme comparable to the health and safety training model. This requires that the training is made available so that each staff member may attend on a yearly basis for updates and that attendance has an element of compulsion”. Information governance is, therefore, part of the mandatory training requirements of the organisation for all staff.

Internal Governance

Information governance performance will be monitored by the Clinical Executive Committee and audited annually. The audit results, once approved by the NHS West Lancashire CCG, will be submitted on an annual basis to the Department of Health using the Information Governance Toolkit. The senior information governance staff from the commissioning support unit will support the Committee, as required by it. The NHS West Lancashire CCG Governing Body and the Chief Officer will be advised on information governance, data protection and information security issues through the Committee.

3.4 Information Governance Strategy

An Information Governance Strategy has been produced to describe the way in which improvements to the performance of the NHS West Lancashire CCG will be carried out. The key elements will include:

• How this Information Governance Policy will be supported in terms of both resources and operationally

• How existing systems and processes will be impacted

• How ownership of the Strategy will be ensured

• What mechanism will be used to review the Strategy

• How the Information Governance Strategy will link to other organisational strategies

• Annual objectives and action plans.

3.5 Governance Arrangements

Arrangements will be in place for NHS West Lancashire CCG as part of the governance arrangements to review and improve compliance with the Information Governance Standards.

Training will be given to ensure staff are supported in ensuring information governance compliance.

All statutory annual targets laid down in the Information Governance Toolkit are to be achieved. They consist of:

• At least 95% compliance by all staff with the annual information governance training.

• All staff, without exception, sign the annual code of confidentiality.

• All information asset registers are completed, updated and risk assessed at least annually.

• A data mapping exercise on all inbound and outbound flows of all information is carried out at least bi-annually including risk assessments.

3.6 Information toolkit and annual performance

An assessment of compliance with requirements of the Information Governance Toolkit (IGT) is undertaken each year by NHS West Lancashire CCG. Annual reports and proposed work programmes are presented to NHS West Lancashire CCG Clinical Executive Committee for approval prior to submission.

An assessment of compliance with requirements of the Information Governance Toolkit (IGT) will be undertaken each year by an external body and a detailed final performance report completed.

Annual reports and proposed action/development plans will be presented to NHS West Lancashire CCG Clinical Executive Committee for approval prior to submission to the IGT.

The Information Governance team within the commissioning support unit will take responsibility to fulfil these annual obligations on behalf of the CCG.

The requirements are grouped into the following initiatives:

• Information Governance Management

• Confidentiality and Data Protection Assurance

• Information Security Assurance

• Clinical Information Assurance

• Secondary Uses Assurance

• Corporate Information Assurance

The annual Senior Information Risk Owner’s Report will be compiled for approval by the NHS West Lancashire CCG Clinical Executive Committee. An action plan to ensure continued compliance and improvement with the Toolkit will be produced and maintained for the Clinical Executive Committee. This will be assessed by an external body, e.g. Audit North West, and progress towards the action plan will be reported to the Committee on a regular basis.

Training and communications

In order for information governance policies and procedures to be effective, it is essential that all staff are aware of their obligations in this area.

The Information Governance team within the commissioning support unit will take responsibility to fulfil these annual obligations on behalf of the CCG. The CCG, via the CSU, will ensure that this occurs by:

• An Annual Information Governance Training programme will be produced and available.

• Induction to educate new starters about information governance issues.

• The organisation will provide annual mandatory training for all staff in Information Governance issues via the Connecting for Health IG Training Tool and dedicated training events.

• Regular communications to staff on new information governance policies and procedures.

• Guidance and access to policies and procedures in staff base.

• Regular meetings between the CCG and commissioning support unit, as agreed between parties.

• Inclusion of information governance topics in regular newsletter for staff.

• Ensuring that information governance information is available electronically for staff via an appropriate medium.

Audit and review

The Clinical Executive Committee will review this policy every three years, or as and when significant changes make earlier review necessary.

The commissioning support unit providing information governance support will provide a report to the CCG on adherence to this policy.

4.0 REFERENCES AND BIBLIOGRAPHY

• Data Protection Act 1998 available from www.opsi.gov.uk

• Access to Health Records Act 1990 available from www.opsi.gov.uk

• Human Rights Act 1998 available from www.opsi.gov.uk

• Freedom of Information available from www.opsi.gov.uk

• Record Management available from http://www.nationalarchives.gov.uk/recordsmanagement

• Common Law of Confidentiality

• NHS Confidentiality - Code of Practice available from http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4069253

http://www.dh.gov.uk/en/Publicationsandstatistics/Lettersandcirculars/Healthservicecirculars/DH_4004793

• NHS For the Record available from http://www.dh.gov.uk/en/Managingyourorganisation/Informationpolicy/Recordsmanagement/index.htm

• The Abortion Regulations Act 1991 available from http://www.opsi.gov.uk/SI/si1991/Uksi_19910499_en_1.htm

• The Computer Misuse Act 1990 available from http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

• The Census (Confidentiality) Act 1991 http://www.opsi.gov.uk/ACTS/acts1991/Ukpga_19910006_en_1.htm

• The Civil Evidence Act 1995 http://www.opsi.gov.uk/ACTS/acts1995/Ukpga_19950038_en_1.htm

• The Electronic Communications Act 2000 http://www.opsi.gov.uk/acts/acts2000/20000007.htm

• The Public Interest Disclosure Act 1998 http://www.opsi.gov.uk/ACTS/acts1998/19980023.htm

• Crime and Disorder Act 1998 http://www.opsi.gov.uk/ACTS/acts1998/19980023.htm

• NHS Retention of Records available from http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747

• The National Health Service Act 2006 available from http://www.opsi.gov.uk/Acts/acts2006/ukpga_20060041_en_1

5.0 ASSOCIATED DOCUMENTS

Document Title

• Annual Code of Confidentiality Policy

• Information Security Policy

6.0 APPENDICES
