INFORMATION GOVERNANCE
HANDBOOK
SECTION ONE
Author Tracey Burrows
Role Information Governance Manager (CSCSU)
Date / Version February 2015
Version FINAL V1.0
Approved by IM&T Board
Date 27 February 2015
Review date April 2017
This handbook may be made available to the public and persons outside of the CCG as part of the CCG’s compliance with the Freedom of Information Act 2000.
DOCUMENT CONTROL SUMMARY
Title Information Governance Handbook
Lead Officer Head of Corporate Affairs
Purpose of document
IG is the practice used by all organisations to ensure that information is efficiently managed and that appropriate policies, systems, processes and effective management accountability provide a robust governance framework for safeguarding information. This handbook is to acquaint employees with the framework, policies and procedures covering all aspects of the Information Governance (IG) agenda so that staff understand both the spirit and the detail of what is expected of them.
Status FINAL
Version No. 1.0
Date February 2015
Author(s) Information Governance Manager CSCSU
Date of approval by Governing Body 27 February 2015
Review Date April 2017
VERSION CONTROL SUMMARY
Version Date Status Comment/Changes
0.1 05/02/15 DRAFT Draft IG Handbook
CONTENTS
Section Title
Page
1 Information Governance Handbook 1
1 Introduction 5
1 Scope 5
1 Responsibilities 6
1 Dissemination 6
1 Non-Compliance 7
1 Related Policies and Procedures 7
1 Related Guidance 7
1 Policy Review 7
1 Public Sector Equality Duty 7
Policies/Frameworks
2 Information Governance Framework 8
3 Information Governance Policy 13
4 Data Protection and Confidentiality Policy 18
5 Information Security Policy 32
6 Records Management Policy (NEW) 36
7 Freedom of Information Act Policy (NEW) 43
8 Subject Access Request Policy & Procedures (NEW) 49
9 Business Continuity Framework & Plan 63
10 Mobile Information Technology Policy (NEW) 89
11 Incident Management Policy (TBC) 97
12 Training and Awareness Plan (NEW) 98
Procedures
13 Confidentiality Audit Procedures 112
Appendices
A Useful Contacts 126
B Roles & Responsibilities 127
C Data Protection Act Principles 133
D Schedule 2 Conditions to the Data Protection Act 134
E Countries Within The EEA 135
F Model Fair Processing Notice 136
G Caldicott Principles 139
H Freedom of Information - Model Publication Scheme 140
I Freedom of Information Act Exemptions 142
J Related Policies, Procedures, Guidance, References 143
K Legal Framework 145
L IG Training Matrix 146
For the purposes of this handbook, Windsor, Ascot & Maidenhead CCG, Bracknell & Ascot CCG and Slough CCG will be referred to as the “CCGs”.
1. INTRODUCTION
It is essential to have the organisation’s policies and procedures documented to comply with corporate and clinical governance standards, statutory, legal and insurance requirements and ensure standardisation of practice and therefore efficiency, consistency and safety throughout the organisation.
This Information Governance Handbook evidences the CCGs’ intentions and approach to fulfilling their statutory and organisational information governance (IG) responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and guidance (Appendix J & K) and the organisation’s aims and objectives.
This handbook will cover all aspects of IG detailing how the different initiatives are managed and linked.
This handbook and policies and procedures within are approved by the IM&T Board.
2. SCOPE
This handbook and the policies and procedures within apply to all CCG staff and other personnel working for and on behalf of the CCGs, including agency staff and contractors, to ensure that the CCG meets its legal requirements.
This handbook will include policies and procedures to evidence compliance with the Department of Health’s (DoH) IG Toolkit and will include the below IG Policies:
Policy/Procedure Requirement
Information Governance Management Framework 130, 131, 133, 230, 231, 232, 340, 345
Information Governance Policy 131, 231
Data Protection and Confidentiality Policy 131, 231, 235, 250
Information Security Policy 131, 340, 341
Records Management Policy 131
Freedom of Information Act Policy 131
Subject Access Request Policy & Procedures 234, 250
Business Continuity Framework & Plan 340, 346
Confidentiality Audit Procedures 235
Transfer of Personal Information Procedures 131, 231, 232, 236, 350
Business Continuity Framework and Plan 346
Mobile Information Technology Policy 348
Incident Management Policy 349
Records Management Policy 420
The below policies are out of scope as they are provided by CSCSU:
CSCSU Policies/Procedures
IT Change Control Policy 237
HR Induction Policy 250
IT Security Policy 340, 344, 348
System Level Security Policy 340, 344, 346, 348, 352
Risk Management Strategy and Policy 341
RA Policy 342, 343
System Level Security Policy – Networked Services 344, 346, 347, 348
System Level Security Policy – (Infrastructure Perimeter Security) 344, 346, 347, 348
Access Control Policy 344
Business Continuity Policy 340, 346
Business Continuity Framework and Plan 346
Informatics Business Continuity Plan V1.0 346
IT Disaster Recovery Plan V1.0 346
IT Daily Backup Policy V1.0 346
System Level Security Policy (Backup Infrastructure) 346
IT Disaster Recovery Plan V1.0 346
IT Mobile Working Policy V1.1 348
Transfer of Personal Information Procedures 350
Acceptable Use of IT Policy 350
Pseudonymisation & Anonymisation of Data Policy (NHS BSA) 352
3. RESPONSIBILITIES
It is the role of the CCGs Governing Bodies to define the policies in respect of IG and ensure that sufficient resources are provided to support the requirements of those policies.
IG policies apply to all staff who handle information obtained and processed on behalf of the CCGs. These responsibilities, including those of staff in key roles, are outlined in more detail in Appendix B.
On commencement of employment all staff are provided with a Staff Contract which includes information governance clauses outlining legal responsibilities.
Staff should be aware that failure to comply with this policy will be seen as a breach of contract which may result in disciplinary action.
4. DISSEMINATION
The IG Handbook will be published on the CCGs intranet site and staff will be informed by email of its existence and when any changes are made to this document.
5. NON-COMPLIANCE
Non-compliance with the policies within may result in:
A breach of the law
A breach of professional codes of conduct
A breach of contract
Damage to personal and organisational reputation
Damage to public confidence in the CCGs
Embarrassment of data subjects
Compensation claims by data subjects
ICO taking enforcement action, including issuing penalty notices of up to £500,000
Operational activities being affected due to a failure to ensure that appropriate information is available when required.
Failure to comply with any of these policies may result in disciplinary action. Any non-compliance issues will be handled in accordance with the CCG’s Human Resources Policies and Procedures.
Where non-compliance relates to partner organisations and third party organisations, this will be handled in accordance with contractual agreements and data sharing agreements.
6. RELATED POLICIES AND PROCEDURES
The policies and procedures within this IG Handbook should be read in conjunction with related documents as detailed in Appendix J & K. Some additional policies and procedures may also be referenced within the policy itself.
7. RELATED GUIDANCE
For the purpose of this IG Handbook other relevant legislation and appropriate guidance may be referenced as detailed in Appendix J & K. Some additional legislation and guidance may be referenced within the policy itself.
8. POLICY REVIEW
This IG Handbook and the policies and procedures within will be reviewed every two years, to ensure they are in line with best practice and legislative requirements and will be presented to the IM&T Board for approval.
9. PUBLIC SECTOR EQUALITY DUTY
The CCGs aim to design and implement services, policies and measures that are fair and equitable. An equality analysis has been completed (Appendix N) for this policy and no adverse impact was identified. Should any adverse impact on equality be subsequently detected or highlighted by staff and other users of the policy then this will be analysed and remedial action taken as appropriate.
INFORMATION GOVERNANCE
FRAMEWORK
SECTION TWO
1. INTRODUCTION
This document sets out the CCGs approach to Information Governance (IG) which requires clear, effective and robust:
Management and leadership
Accountability structures
Governance processes
Documented policies and procedures
In addition:
Appropriately trained staff
Adequate resources
The Department of Health (DoH) has developed a set of standard IG requirements. The CCGs are required to submit evidence via the IG Toolkit (IGT) which confirms compliance with those requirements.
The IGT covers many aspects of IG including:
Information Governance Management
Confidentiality and Data Protection Assurance
Information Security Assurance
Clinical Information Assurance
2. STRATEGIC AIMS
The aim of this Framework is to set out how the CCGs will effectively manage IG. Each CCG will achieve compliance by:
Establishing robust IG processes that conform to DoH standards and comply with relevant legislation.
Establishing, implementing and maintaining policies for the effective management of information.
Ensuring that clear information is provided for service users, families and carers about how their personal information is recorded, handled, stored and shared.
Ensuring that IG responsibilities are included in all third party contracts and assurance is obtained with regard to the robustness of third party IG practices during tendering and other negotiations.
Providing clear advice and guidance to staff to ensure that they understand and apply the principles of IG to their working practice and ensuring IG responsibilities are included in staff employment contracts.
Sustaining an IG culture through increasing awareness and promoting IG, thus minimising the risk of breaches of personal data.
Assessing the CCGs performance using the IG Toolkit and Internal Audits and developing and implementing action plans to ensure continued improvement.
3. RESPONSIBILITIES
The CCGs Governing Bodies have overall responsibility for ensuring that the organisation complies with all laws, standards, policies, codes of practice and national guidance and are also responsible for ensuring that sufficient resources are provided to support the requirements of this Framework.
Senior roles and CCG Governing Bodies responsibilities are outlined in more detail in Appendix B.
4. RESOURCES
The CCGs currently contract with CSCSU for the provision of specific subject matter expertise and resource. Where relevant this is indicated in the following sections.
Head of Information Governance - CSCSU
The Head of Information Governance provides support in accordance with the Central Southern Commissioning Support Unit (CSCSU) Corporate Services Service Specification.
The Head of Information Governance will oversee the provision of the IG and Subject Access Request (SAR) Service in line with the Corporate Services Service Specification.
Information Governance Team - CSCSU
The IG Team are the subject matter experts with regards to IG and are responsible for the provision of professional advice and support to the CCGs on all aspects of IG including legal and professional compliance, risk assessment and management, incident management, IG Toolkit Management, document development and maintenance.
The CCGs will be allocated an IG Manager as a first point of contact for IG related queries but the CCGs can also call upon any member of the IG Team for IG support. The IG Team will be responsible for ensuring all tasks delegated to the CSCSU meet the required standards in line with the agreed service specification.
Key tasks delegated to the CSCSU include:-
Developing and maintaining the currency of comprehensive and appropriate documentation that support this framework, including relevant policies and procedures.
Ensuring that there is senior level awareness and support for IG resourcing and implementation of improvements within the CCGs Governing Bodies.
Establishing working groups, if necessary, to co-ordinate the activities of staff given IG responsibilities and progress initiatives.
Ensuring annual assessments and IG audits are carried out, documented and reported.
Ensuring that the annual assessment and improvement plans are prepared for approval by the Chief Officer and CCGs Governing Bodies in a timely manner.
Ensuring that the approach to information handling is communicated to all staff.
Ensuring that appropriate training is made available to staff.
Liaising with other committees, working groups and programme boards in order to promote and integrate Information Governance standards.
Monitoring information handling activities to ensure compliance with law and guidance.
Providing a focal point for the resolution and/or discussion of IG issues, including incident management and reporting.
Establishing, implementing and maintaining policies, procedures and guidance for the effective management of information.
Freedom of Information Team – CSCSU
(This applies to Subject Access Requests only.) The FOI Team (CSCSU) are responsible for co-ordinating completed Subject Access Request (SAR) responses in respect of requests received from individuals (“Data Subjects”) wishing to access their own personal data (“Subject Access”).
The FOI Team (CSCSU) will ensure SARs are administered in line with the Subject Access Provisions of the Data Protection Act 1998 and in accordance with the Corporate Services Service Specification.
The FOI Team (CSCSU) will co-ordinate completed responses in line with the requirements of the Access to Health Records Act 1990 in respect of access requests received in respect of deceased patients.
Information Security Lead - CSCSU Head of ICT
The Head of ICT (CSCSU) is responsible for ensuring that CSU Information Systems provided to the CCGs comply with IG requirements.
Human Resources (HR) Manager - CSCSU
The HR Manager is responsible for ensuring that appropriate Information Assurance clauses are included within staff employment contracts and Staff Handbooks.
5. TRAINING AND GUIDANCE
All staff must complete mandatory IG training appropriate to their role via the online HSCIC Information Governance Training Tool or via locally developed face-to-face information governance training.
CCGs mandate all staff to complete annual IG training relevant to their role identified in the Training Matrix (Appendix L).
Staff must be aware of their responsibilities and complete additional training specific to their role which should be monitored by managers.
In addition to staff training and workshops, staff will be informed of the latest information governance matters through internal communications, which will also be published on the IG Intranet pages. Leaflets and posters will be distributed around the organisation to remind staff of their responsibilities.
[Diagram: CCG IG Framework – Policy and Procedure. Elements shown: Appendix B; IG Framework; IG Policy; Data Protection Act Policy; Subject Access Request Policy; Information Sharing Protocols; Transfer of Information Process; Privacy Impact Assessments Pro-forma; Data Flow Mapping; Asset Registers; Risk Assessment; Training Packages & IGTT Admin; FoI Act Policy; Internal Process; Information Security Policy; Acceptable Use Policy*; Staff Awareness Regular Updates; Records Management Policy; Leaflets, Posters, Guidance.]
INFORMATION GOVERNANCE
POLICY
SECTION THREE
1. INTRODUCTION
Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.
It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.
2. SCOPE
This policy covers all aspects of information, regardless of format, within the CCGs including but not limited to:
Personal Information (including that of patients and staff)
Organisational Information
This policy applies to handling information including, but not limited to:
Processing (including saving, storage, etc.)
Transmission (including email, fax, portable media etc.)
The policy also applies to all information systems purchased, developed and managed by or on behalf of the CCGs and any individual directly employed or otherwise by the CCGs. This policy is underpinned by the standards set out in the IG Toolkit.
This policy should not be seen in isolation, as information supports all aspects of the CCG’s business, including corporate governance, risk management, clinical governance, performance management, etc.
Therefore IG should be adequately reflected in all relevant strategies, policies and procurement exercises.
3. RESPONSIBILITY
It is the responsibility of the CCGs Governing Bodies to define the CCGs policy in respect of IG, taking into account legal and NHS requirements. The CCGs Governing Bodies are also responsible for ensuring that sufficient resources are provided to support the requirements of the policy.
The IG Policy applies to all staff who handle personal information obtained and processed on behalf of the CCGs. These responsibilities, including those of staff in key roles, are outlined in more detail in Appendix B.
On commencement of employment all staff are provided with a Staff Contract which includes IG clauses including IG responsibilities.
4. PRINCIPLES
The CCGs recognise the need for an appropriate balance between openness and confidentiality in the management and use of information. The CCGs fully support the principles of corporate governance and recognises its public accountability; however it equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information. The CCGs also recognise the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
The CCGs believe that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers (and ultimately, all employees of the CCGs) to ensure and promote the quality of information and to actively use information in decision making processes.
By “quality of information” we mean information that is accurate, up to date, fit for purpose – information that can be grouped when used to make decisions, whether these decisions are clinical or non-clinical (such as service planning or commissioning). It must also be readily available when it is needed. Information that cannot be retrieved or understood is of no use.
To support the principles set out in this policy, the CCGs acknowledge the importance that training and awareness plays in guiding staff to operate appropriately, therefore the CCGs mandate the following training:
Annual information governance training for all staff.
An information governance element in induction training / pack.
There are 5 key interlinked strands to the information governance policy:
Openness
Legal compliance
Information security
Quality assurance
Confidentiality
Openness
Non-confidential information on the CCGs and their services should be available to the public through a variety of media, in line with the code of openness.
The CCGs will establish and maintain policies to ensure compliance with the Freedom of Information Act and will review the contents of the Publication Scheme on a regular basis.
The CCGs will undertake or commission annual assessments and audits of its policies and arrangements for openness.
Patients will have ready access to information relating to their own health care, their options for treatment and their rights as patients.
The CCGs will have clear procedures and arrangements for liaison with the press and broadcasting media.
The CCGs will have clear procedures and arrangements for handling queries from patients and the public.
Legal Compliance
The CCGs regard all identifiable personal information relating to patients as confidential.
The CCGs will undertake or commission annual assessments and audits of its compliance with legal requirements.
The CCGs regard all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.
The CCGs will establish and maintain policies to ensure compliance with the Data Protection Act, Human Rights Act, Freedom of Information Act and the common law duty of confidentiality.
The CCGs will establish and maintain policies and protocols for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Acts, Crime and Disorder Act, Protection of Children Act – this list is not exhaustive).
Information Security
The CCGs will establish and maintain policies and procedures for the effective and secure management of its information assets and resources.
The CCGs will undertake or commission annual assessments and audits of its information and IT security arrangements.
The CCGs will promote effective confidentiality and security practice to its staff through policies, procedures and training.
The CCGs will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security and action the findings of these investigations, complete with appropriate recommendations.
Information Quality Assurance
The CCGs will establish and maintain policies and procedures for information quality assurance and the effective management of records.
The CCGs will undertake or commission annual assessments and audits of its information quality and records management arrangements.
Managers will take ownership of, and seek to improve, the quality of information within their services.
Wherever possible, information quality should be assured at the point of collection.
Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
The CCGs will promote information quality and effective records management through policies, procedures/user manuals and training.
Confidentiality
The CCGs will establish and maintain policies that support a confidential way of working.
The CCGs will put in place regular training sessions to ensure staff understand the concepts of confidentiality.
The CCGs will ensure new technology and working practices support a confidential way of working.
The CCGs will establish information sharing protocols with partner organisations whilst observing fully its common law duty of confidence and any other associated legal requirement.
The CCGs will maintain a log and investigate all breaches of confidentiality.
All staff will discharge their duties in a manner that is in line with the common law duty of confidence and all other aspects of legal compliance.
The CCGs will ensure that when person identifiable information is shared, the sharing complies with the law, guidance and best practice and both service users rights and the public interest are respected.
DATA PROTECTION AND
CONFIDENTIALITY POLICY
SECTION FOUR
1. INTRODUCTION
The CCGs have a legal obligation to comply with all appropriate legislation in respect of data, information and IT security. They also have a duty to comply with guidance issued by the Department of Health (DoH), the Information Commissioner (ICO) and other advisory groups to the NHS and guidance used by professional bodies.
This Data Protection and Confidentiality Policy aims to detail how the CCGs will meet its legal obligations and NHS requirements concerning confidentiality and information security standards and detail how they will ensure that those responsible for processing personal information are aware of their legal responsibilities.
The requirements within this policy are primarily based upon the Data Protection Act 1998 which is the key piece of legislation covering security and confidentiality of personal information.
2. POLICY STATEMENT
The CCGs believe that an individual’s right to confidentiality is of vital importance and have regard to the law governing the correct treatment of personal information, recognising the importance of maintaining the confidence of those whose information they use.
The CCGs intend to meet its legal obligations and NHS requirements and to support this they fully endorse adherence to the eight Data Protection Principles as outlined in the Data Protection Act 1998 (Appendix C).
In addition, the CCGs will ensure that all staff:
managing and handling personal information understand that they are contractually responsible for following good data protection practice
managing and handling personal information are appropriately trained and supervised and know who to contact, should they have any queries
regularly evaluate and review the methods for handling personal information
are aware of their responsibilities when disclosing personal data and follow agreed procedures
ensure that data sharing is carried out under written agreement, clearly setting out the scope, limits and conditions for sharing
complete mandatory IG training on an annual basis and complete additional specialised training appropriate to their role
are aware of incident reporting procedures and know how to report an information security or data breach
recognise requests for information made under the Freedom of Information Act and ensure these requests are dealt with within required timescales
recognise requests from data subjects around how their data is being used (Subject Access Requests) and ensure these requests are dealt with within required timescales
3. SCOPE
This policy covers all personal data processed by the CCGs, including data relating to staff, patients and members of the public regardless of what format the information is held in and outlines the CCGs approach to meeting the responsibilities and obligations specified within the Data Protection Act 1998 and associated legislation and guidance.
4. RESPONSIBILITIES
The Data Protection and Confidentiality Policy applies to all staff who handle personal information obtained and processed on behalf of the CCGs. These responsibilities, including those of staff in key roles, are outlined in more detail in Appendix B.
On commencement of employment all staff are provided with a Staff Contract which includes information governance clauses including data protection responsibilities.
5. DATA PROTECTION ACT 1998
The Data Protection Act 1998 became law in March 2000 and sets standards which must be satisfied when obtaining, recording, holding, using or disposing of personal data which are summarised by the 8 Data Protection Principles.
The Act applies to all person identifiable information about living individuals held in manual files, computer databases, videos and other automated media (this list is not exhaustive).
The Information Commissioner holds a register of Data Controllers and, unless exempt, the Act requires organisations which process personal information to register with the Information Commissioner’s Office (ICO). On registration, organisations must outline how information is held, the purposes for holding the data, how it is used and to whom it may be disclosed. Failure to register is a criminal offence.
The CCGs ensure the Data Protection Notification is regularly reviewed for accuracy. Any changes to the register must be notified to the Information Commissioner within 28 days, and managers are responsible for notifying the SIRO and Caldicott Guardian of the processing within their area of responsibility and keeping them updated.
Compliance with the Data Protection Act is regulated by the Information Commissioner’s Office. The Information Commissioner’s Office website can be found at https://ico.org.uk/.
6. EIGHT DATA PROTECTION PRINCIPLES
The Eight Data Protection Principles state that personal data must be:
Principle 1: Processed fairly and lawfully
Personal data shall not be processed unless they meet at least one of the conditions in Schedule 2 (Appendix D) to the Data Protection Act. For sensitive data, they must also meet at least one of the conditions in Schedule 3 (Appendix D).
For processing to be fair CCGs must be transparent – clear and open with individuals about how their information will be used.
Fairness requires you to:
be open and honest about your identity
inform individuals how you intend to use their personal data
handle their personal data only in ways they would reasonably expect
not use their information in ways that may have a negative effect on them
The oral or written statement that individuals are given when information about them is collected is often called a Fair Processing Notice (FPN) (Appendix F) or more recently a “privacy notice”.
In general terms, a privacy notice should state:
the organisation’s identity
the purpose or purposes for which information will be processed
any additional information for individuals to enable you to process the information fairly
The Act does not define “lawful”; however, “lawful” refers to statute and to common law, whether criminal or civil.
An unlawful act may be committed by a public or private-sector organisation if it results in:
a breach of a duty of confidence
an infringement of copyright
a breach of an enforceable contractual agreement
a breach of industry-specific legislation or regulations
a breach of the Human Rights Act 1998 which gives individuals the right to respect for private and family life, home and correspondence
Principle 2: Processed for specified purposes
The second data protection principle means that you must:
be clear from the outset why you are collecting personal data and what you intend to do with it
comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data
comply with what the Act says about notifying the Information Commissioner
ensure that if you wish to use or disclose the personal data for any purpose that is additional or different to the originally specified purpose, the new use or disclosure is fair; this includes notification to the ICO where relevant.
Principle 3: Adequate, relevant and not excessive in relation to the purpose(s)
This third principle, in practice, means you should ensure that:
you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual
you do not hold more information than you need for that purpose
So you should identify the minimum amount of personal data you need to properly fulfil your purpose but hold no more
You should not hold personal data on the off-chance that it might be useful in the future. However, it is permissible to hold information for a foreseeable event that may never occur
Principle 4: Accurate and kept up-to-date
This is the fourth data protection principle and although it sounds straightforward, the law recognises that it may not be practical to double-check the accuracy of every item of personal data you receive. So the Act makes special provision about the accuracy of information that individuals provide about themselves, or that is obtained from third parties.
To comply with these provisions you should:
take reasonable steps to ensure the accuracy of any personal data you obtain
ensure that the source of any personal data is clear
carefully consider any challenges to the accuracy of information
consider whether it is necessary to update the information
Where an individual challenges the accuracy of information, delete or correct it where necessary. If an individual is not satisfied that you have taken appropriate action to keep their personal data accurate, they may apply to the court for an order that you rectify, block, erase or destroy the inaccurate information.
Principle 5: Not be kept for longer than necessary
The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
In practice, it means that you will need to:
review the length of time you keep personal data (refer to Records Management Policy and DoH Records Management - NHS Code of Practice)
consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
securely delete information that is no longer needed for this purpose or these purposes
update, archive or securely delete information if it goes out of date
Where personal data is shared between organisations, those organisations should agree about what to do once they no longer need to share the information. In some cases, it may be best to return the shared information to the organisation that supplied it, without keeping a copy.
Principle 6: Processed in accordance with the rights of Data Subjects
The sixth data protection principle gives certain rights to individuals such as:
a right to access their own personal data
a right to object to processing which may cause or is causing damage or distress
a right to prevent processing for direct marketing
a right to object to decisions being taken by automated means
a right to have inaccurate personal data rectified, blocked, erased or destroyed
a right to claim compensation for damages caused by a breach of the Act.
An individual has the right to access their own personal data; this topic is covered under the heading “Subject Access Requests”.
The Act refers to the “right to prevent processing”, which only applies if the processing causes unwarranted and substantial damage or distress to an individual.
The Act does not define what is meant by unwarranted and substantial damage or distress, but in most cases substantial damage would be financial loss or physical harm, and/or substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.
The Act gives individuals the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give you written notice to stop (or not begin) using their personal data for this purpose. Any individual can exercise this right; if the CCGs receive such a notice it must be complied with within a reasonable timeframe. The right of subject access allows an individual access to information about the reasoning behind any decisions taken by automated means. An individual can give written notice requesting that their personal data is not used for automated decisions, and even if notice is not given, individuals should be informed when such a decision has been taken.
Individuals have a right to compensation if they suffer damage, which can only be enforced through the courts. The Act allows organisations to defend claims on the basis that all reasonable care was taken to avoid the breach.
Principle 7: Protected by appropriate security (practical and organisational)
The seventh data protection principle, in practice, means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach
be clear about who in your organisation is responsible for ensuring information security
make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff
be ready to respond to any breach of security swiftly and effectively
The security measures you put in place should seek to ensure that:
only authorised people can access, alter, disclose or destroy personal data
those people only act within the scope of their authority
if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned
The level of security should be appropriate to the nature of the information in question and the harm that might result from its improper use, or from its accidental loss or destruction.
The Data Protection Act does not define the security measures you should have in place. However, it is essential that organisations focus on physical and technological security as well as management and organisational security measures.
Principle 8: Not transferred outside the EEA without adequate protection
Data protection principle 8 is relevant to sending personal data overseas. Those considering sending personal data outside the EEA should go through the checklist below to help decide if the eighth principle applies and, if so, how to comply with it when making a transfer.
1. Do you need to transfer personal data abroad?
Can you achieve your objectives without processing personal data at all? For example, could the information be anonymised?
2. Are you transferring the data to a country outside the EEA or will it just be in transit through a non-EEA country?
If data is only in transit through a non-EEA country, there is no transfer outside the EEA. Note that if you add personal data to a website based in the EU that is accessed in a country outside the EEA, there will be a transfer of data outside the EEA.
3. Have you complied with all the other data protection principles?
If you transfer personal data outside the EEA, you are required to comply with all the principles and the Act as a whole, not just the eighth principle relating to international data transfers.
4. Is the transfer to a country outside the EEA?
There are no restrictions on the transfer of personal data to EEA countries.
5. Is the transfer to a country on the EU Commission’s list of countries or territories providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data?
Transfers may be made to any country or territory in respect of which the Commission has made a ‘positive finding of adequacy’.
6. If the transfer is to the United States of America, has the US recipient of the data signed up to the US Department of Commerce Safe Harbor Scheme?
The Safe Harbor scheme is recognised by the European Commission as providing adequate protection for the rights of individuals in connection with the transfer of their personal data to signatories of the scheme in the USA.
7. Is the personal data passenger name record information (PNR)?
The agreement made between the EU and the USA (to legitimise and regulate the transfer of PNR from EU Airlines to the US Department of Homeland Security) is regarded as providing adequate protection for the rights of the data subjects whose personal data (in the form of PNR) is transferred. Arrangements also exist between the European Commission, Canada and Australia.
If you decide you need to transfer personal data outside the EEA, and the recipient is not in a country subject to a Commission ‘positive finding of adequacy’ nor signed up to the Safe Harbor Scheme, you will need to assess whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects in connection with the transfer/processing of their personal data.
8. Can you make an assessment that the level of protection for data subjects’ rights is ‘adequate in all the circumstances of the case’?
https://ico.org.uk/media/for-organisations/documents/1529/assessing_adequacy_international_data_transfers.pdf
9. If not, can you put in place adequate safeguards to protect the rights of the data subjects whose data is to be transferred?
Adequate safeguards may be put in place in a number of ways including using Model Contract Clauses, Binding Corporate Rules or Binding Corporate Rules for Processors (BCRs) or other contractual arrangements. Where “adequate safeguards” are established, the rights of data subjects continue to be protected even after their data has been transferred outside the EEA.
10. Can you rely on another exception from the restriction on international transfers of personal data?
Schedule 4 DPA concerns “Cases where the Eighth Principle does not apply”. It covers BCRs, model contract clauses, and the use of other contractual clauses as well as a number of other exceptions to the restriction on overseas data transfers. If you are able to rely on an exception, the transfer may take place even though there is no other protection for individuals’ rights.
7. CALDICOTT PRINCIPLES
The term Caldicott refers to a review commissioned by the Chief Medical Officer. In 1997 a review committee investigated ways in which patient information is used within the NHS under the chairmanship of Dame Fiona Caldicott, who devised six key principles of information governance that could be used by all NHS organisations with access to patient information. In January 2012 a second review took place “to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care”. This is known as the Caldicott 2 Review, which resulted in seven key principles (Appendix G).
As well as the Data Protection Act, staff should also comply with these principles when processing personal information:
Principle 1: Justify the purpose(s) of using confidential information
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate person such as an Information Asset Owner (IAO).
Principle 2: Don’t use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
Principle 3: Use the minimum necessary that is required
Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.
Principle 4: Access should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.
Principle 5: Everyone must understand their responsibilities
Action should be taken to ensure that those handling personal confidential data — both clinical and non-clinical staff — are made fully aware of their responsibilities and obligations to respect patient confidentiality.
Principle 6: Understand and comply with the law
Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
Principle 7: The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
These principles should underpin information governance across the health and social care services.
8. THIRD PARTIES
Most CCGs will, in the course of their business, contract or make arrangements with third parties. The NHS Standard Contract is mandated by NHS England for use by commissioners for all contracts for healthcare services other than primary care. These contracts include the following clauses which require third parties to:
ensure the reliability of their staff who will have access to personal data and confirm that their staff are appropriately qualified and trained and aware of their responsibilities
ensure their Staff are aware of the relevant policies and procedures governing the use of personal data and not cause or allow personal data to be transferred outside the European Economic Area without the prior consent of the Commissioner.
ensure that they comply with NHS Employment Check Standards and other checks required by the DBS
ensure that confidential information remains confidential, is only used for the purposes for which it was obtained, and is not disclosed unless required by law or with prior agreement from the CCGs
Ensure they acknowledge their obligations arising under the Freedom of Information Act, Data Protection Act, Health Records Act and under the common law duty of confidentiality
Ensure they achieve a minimum level 2 against all requirements in the NHS Information Governance Toolkit and complete an annual information governance assessment
Ensure they nominate an IG Lead responsible for providing the Governing Body with IG reports which include details of IG incidents and ensure they follow procedures for reporting Serious Incidents Requiring Investigation (SIRI).
Ensure a Caldicott Guardian and Senior Information Risk Owner is nominated who must be a member of their Governing Body
Ensure they adopt and implement recommendations of the Caldicott 2 Review.
Ensure they publish, maintain and operate policies relating to confidentiality, data protection and information disclosures that comply with the law, Caldicott Principles and good practice.
Ensure they only provide anonymised, pseudonymised or aggregated data to the CCGs where it is required for the purposes of quality management of care processes, and do not disclose personal data unless written consent is obtained or a lawful basis for disclosure is provided (such as s251 Regulations)
Ensure Sub-Contractors can provide sufficient guarantees in respect of their technical and organisational security measures governing the data processing to be carried out, and take reasonable steps to ensure compliance with those measures.
Ensure Sub-Contractors process personal data only in accordance with the third party’s instructions and comply at all times with obligations equivalent to those imposed on the Provider by virtue of the Seventh Data Protection Principle.
Ensure that where they act as a Data Processor on behalf of the CCGs, personal data is only processed to the extent necessary to perform its obligations under Contract and take appropriate technical and organisational measures against any unauthorised or unlawful processing of that Personal Data as well as against the accidental loss or destruction of or damage
Ensure they understand the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage.
9. TRANSFER OF PERSONAL INFORMATION
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.
The CCGs have developed a Transfer of Personal Information Procedure to assist staff in understanding what requirements should be in place to ensure the transfer is lawful.
10. SUBJECT ACCESS REQUESTS
Under a provision of the Data Protection Act an individual can request access to their personal information regardless of the media in which this information may be held / retained. This is referred to as a Subject Access Request (SAR).
SARs are processed in line with the Subject Access Request Policy and Procedure by the CSCSU FOI Team on behalf of the CCGs to ensure that they are processed in accordance with the law.
To support the CSCSU with this role, the CCGs will ensure that all staff are able to recognise when they receive a Subject Access Request (SAR) and ensure it is forwarded in a timely manner to the FOI Team.
The CSCSU FOI Team will ensure that:
requests are logged and recorded on the SARs database
the applicant is sent a pre-acknowledgement letter
identity documents, fee and consent are requested where applicable
identity documents are vetted and verified
required information is gathered from relevant parties
quality assurance and final sign off is obtained from the CCGs
a final response letter is sent to the applicant and information provided in the format requested
the SARs database is kept up to date and records are maintained
the CCGs are provided with monthly reports evidencing requests received
11. RECORDS RETENTION
All staff must ensure they are familiar with the Records Management Policy which describes the standards of practice required by the CCGs in the management of its documents and records. It is based on current legal requirements and professional best practice.
This policy is mandatory and applies to all information in all formats. It covers all stages within the information lifecycle, including create/receive, maintain/use, document appraisal, declare as a record, record appraisal, retention and disposition.
Staff members must not alter, deface, block, erase, destroy or conceal records with the intention of preventing disclosure under a request relating to the Freedom of Information Act 2000 or the Data Protection Act 1998.
Staff members are expected to manage records about individuals in accordance with the policy irrespective of their race, disability, gender, age, sexual orientation, religion or belief, or socio-economic status.
12. DATA FLOW MAPPING
To adequately protect personal information, organisations need to know who holds the information, how the information is held and transferred, what information comes into and out of the organisation, where the information is transferred to and frequency of these transfers. To comply with professional standards and relevant legislation the CCGs will ensure that:
All staff adhere to the Transfer of Personal Information procedures
All routine flows of information, i.e. those that occur on a regular basis, are mapped
All routine flows are risk assessed and reviewed regularly or should any changes to the process or flows occur
All elements including data, format, transfer method, location of recipient are considered for every transfer
Any risks identified are documented on departmental Risk Registers and appropriate safeguards are implemented to minimise the risk and protect the information
Any significant risks are reported to the SIRO and immediate action taken to either suspend the transfer or identify another secure method
13. INFORMATION ASSET REGISTER
Organisations must ensure that all of their information assets that hold or constitute personal data are protected by technical and organisational measures appropriate to the nature of the asset and the sensitivity of the data.
The CCGs will ensure that all information assets are:
Formally recorded on the information asset register
Allocated an Information Asset Owner
Formally risk assessed and SIRO informed of any risks
Reviewed regularly and assessed should any changes to processes or assets occur
Safeguarded against unauthorised access
Encrypted in line with mandatory requirements and standards
Disposed of securely
Audited to evidence compliance
14. SHARING INFORMATION
Under the right circumstances and for the right reasons, data sharing across and between organisations can play a crucial role in providing a better, more efficient service to customers in a range of sectors – both public and private. But citizens’ and consumers’ rights under the Data Protection Act must be respected.
Whilst there is a public expectation of appropriate sharing of information between organisations providing health care services to them and with other organisations providing related services, the public rightly expect that their personal data will be properly protected.
When sharing personal information, CCG staff must ensure that the Principles of the DPA 1998, the Human Rights Act 1998, the Caldicott Principles (including Caldicott 2) and the Common Law Duty of Confidentiality are upheld.
The ICO has published a Data Sharing Code of Practice which explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data and provides good practice advice relevant to all organisations that share personal data. The CCG recognises that information sharing agreements provide the basis for facilitating the exchange of information between organisations but do not of themselves make the sharing legal.
Prior to sharing information the CCGs will ensure that:
CCGs have the legal power to share and the sharing of personal information is justified
the sharing of personal information achieves its objective and could not be achieved without the sharing taking place and is proportionate to the issue that needs addressing
the potential benefits/risks to individuals and/or society whether to share or not to share have been assessed
CCGs are able to share with the organisations that have been identified
a data sharing agreement is in place covering what information will be shared and who it will be shared with
a communication plan is in place to inform individuals that their information will be shared and consent obtained where applicable
privacy impact assessments have been completed and adequate securities are in place to protect the data
assets registers have been updated, data flows have been mapped and risk assessed
processes are in place to provide individuals with access to their personal data
retention periods for the data have been agreed and processes are in place to ensure secure deletion takes place
an IG checklist has been completed and sharing has been authorised by the information governance team
15. INCIDENT RISK AND REPORTING
All staff members are responsible for maintaining compliance with the Data Protection Principles and for reporting non-compliance through the CCG’s incident reporting process. The CCGs will ensure that all incidents and risks are:
reported in a timely manner on the incident reports form and in line with the CCGs Incident Risk Reporting Process
reported to the Information Governance Manager
reported to the Head of Corporate Affairs, SIRO and Caldicott Guardian
investigated to identify root cause
assessed to determine whether it is a Serious Incident Requiring Investigation (SIRI)
monitored to identify weaknesses and ensure that lessons can be learnt
reported to the IM&T Board
In addition, where the incident is deemed to be a SIRI, CCGs will ensure that incidents are:-
Reported within 24 hours via the Information Governance Toolkit Incident Reporting Tool
Reviewed to determine whether HR should be involved to proceed with disciplinary action
Assessed for any risk, with action taken to prevent further occurrence
16. MONITORING AND AUDIT
The effectiveness of this policy will be monitored through analysis of information related incidents and complaints which will be further supplemented by audits, assessments and spot checks undertaken by the Information Governance Manager.
This policy and associated procedures will be monitored by the IM&T Board, which will provide assurance to the Governing Bodies.
Compliance will also be monitored through the Information Governance Toolkit submission and Internal Audit process.
INFORMATION SECURITY POLICY
SECTION FIVE
1. INTRODUCTION
Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected.
This information security policy sets out how the CCGs’ information should be protected in order to ensure its:
Confidentiality
That information is only available to those with a legitimate reason to see it.
Integrity
That information can be trusted to be of good quality.
Availability
That information is available to those that need it, when they need it.
If any of these are compromised, then this can have a direct impact on the ability of the CCGs to fulfil their objectives and may lead to consequences to patient care, the local health economy and to the reputation of the CCGs.
The CCGs have legal obligations to maintain security and confidentiality, notably under the:
Data Protection Act (1998)
Human Rights Act (1998)
Copyright Patents and Designs Act (1988)
Computer Misuse Act (1990)
In addition, the Caldicott Committee's Report on the Review of Patient-Identifiable Information, published in 1997, led to the establishment of a set of clear principles, reflecting best practice in the handling of confidential patient Information. The report called for regular and routine testing of Information flows against these principles and this would be developed and overseen by a network of Caldicott Guardians who would act, within each organisation, in a strategic, advisory and facilitative capacity.
Caldicott 2 was published in May 2013 and featured 23 recommendations which should be adhered to.
The policy aims to ensure that: -
Information systems, whether electronic or manual are properly assessed for security
Confidentiality, integrity and availability are maintained
Staff and managers are aware of their responsibilities
The risk to the information resource of the CCGs is effectively managed
2. SCOPE
This policy covers all information processed and information systems utilised by the CCGs and covers all staff employed by or acting on behalf of the CCGs.
3. RESPONSIBILITIES
It is the role of the CCGs Governing Bodies to define the policy in respect of Information Security and ensure that sufficient resources are provided to support the requirements of the policy.
This policy applies to all staff who handle information obtained and processed on behalf of the CCGs. These responsibilities including those in key roles are outlined in more detail in Appendix B.
4. PRINCIPLES
The CCGs will maintain an Information Security Policy supported by appropriate linked policies, codes of practice, protocols and guidance documents that reflect best practice. They will ensure that all staff have access to that policy and its subordinate documents by cascading information to managers and posting copies on the intranet.
The CCGs will comply with whatever legislative requirements apply. It will further seek to maintain compliance with national guidance.
The CCGs will expect compliance with the Information Security Policy together with the associated linked policies, codes of practice, protocols and guidance.
The CCGs will have procedures in place to evaluate security measures systematically with the greatest emphasis being given to areas where the potential impact of a security breach would be most serious.
The CCGs will assign responsibility to key personnel to ensure a sound and robust security and information management infrastructure.
The CCGs acknowledge that, where appropriate resources are identified, they will need to carefully consider the balance of risk between action and inaction.
The CCGs will measure its compliance against this policy with an annual Information Governance Toolkit return.
5. PROCESS CHANGES
The CCGs will ensure that when changes take place that may impact on information assets:
A risk assessment will be undertaken, with respect to information security best practice.
The SIRO will be informed of any risks to such assets.
Guidance will be sought from the CSCSU Information Governance team.
6. THIRD PARTIES
The CCGs will ensure that all contracts with third parties will:
Identify inbound and outbound flows of personal data.
Confirm that the third party has robust processes in place to comply fully with the Data Protection Act.
Adhere to the guidance provided by the CSCSU Information Governance Team on safe information sharing.
7. TRANSFER OF PERSONAL INFORMATION
The CCGs will ensure that:
All Staff adhere to the Transfer of Personal Information Procedure and the Data Protection Act policy.
The transfer is lawful.
8. INCIDENT AND RISK REPORTING
The CCGs will ensure that all incidents and risks are:
Reported promptly to the SIRO and Caldicott Guardian.
Recorded within a formal process to ensure they can be learnt from or mitigated.
Reported in line with the CCG’s Incident and Risk reporting processes.
9. INFORMATION ASSET REGISTER
The CCGs will ensure that all information assets are:
Formally recorded on the Information Asset Register.
Allocated an Information Asset Owner.
Formally risk assessed – with the SIRO informed of all risks.
Reviewed regularly
10. BUSINESS CONTINUITY PLAN
The CCGs will ensure that:
Tested Business Continuity Plans are adopted.
Business Continuity Plans cover all assets identified on the Information Asset Register.
Business Continuity Plans will prioritise assets identified in the risk assessment plan.
RECORDS MANAGEMENT POLICY
SECTION SIX
1. INTRODUCTION
This policy sets out how the CCGs will approach the management of their business records. This policy is part of a Records Framework that includes additional procedures, guidance, audit and training modules. The records framework fits into the wider context of Information Management and Governance.
2. PURPOSE
This policy sets out roles and responsibilities for records management and the key operating principles for record keeping across the business.
A records management policy is a requirement of the Records Management: NHS Code of Practice. The NHS IG Toolkit specifies broad requirements for records management provision and policy in an organisation, records being a key component of our information governance landscape.
Managing records well will help our staff to do their jobs and contributes to effective healthcare and business efficiencies; good quality records are vital if we are to be accountable to the public. The CCGs have a statutory duty to make provision for the safekeeping, accessibility and eventual disposal of their records.
3. SCOPE
The CCGs define records as any form of information which has been created or gathered as a result of any aspect of our work. This includes administration records as well as the health records that are processed and maintained.
This policy covers all CCG business areas and record formats.
The CCGs records, including those of customers, are the property of the NHS and are Public Records as defined by the Public Records Act.
Records can be manual (paper) and, most commonly, electronic. Examples include invoices, email correspondence, faxes, contracts, datasets and spreadsheets.
Broadly speaking, records are finalised evidence of the CCGs work. Work-in-progress documents, although not final, are in scope of this policy because they are an information resource and may still be used to support litigation or requests for information, e.g. Freedom of Information, Subject Access Requests. Another organisation’s records are also in scope as they can support our activities and may need to be retained by us for a period of time.
Records Management is the formal process of managing records as information resources throughout their life.
4. RESPONSIBILITIES
It is the role of the CCGs Governing Bodies to define this policy in respect of Records Management, taking into account legal and NHS requirements. The CCGs Governing Bodies are also responsible for ensuring that sufficient resources are provided to support the requirements of the policy.
The Records Management Policy applies to all staff who handle information on behalf of the CCGs. Staff responsibilities including those in key roles are outlined in more detail in Appendix B.
5. RECORDS LIFECYCLE
The CCGs will manage records in the context of a records lifecycle:
Lifecycle Stage / Description
1. Planning: At a corporate level the CCGs shall develop and implement policy, procedures and functionality to deliver compliant records management. Departments shall ensure they have identified key records that must be captured as a result of their activities and that these are managed following policy.
2. Creation & receipt: This is where a record is born and is saved. The CCGs shall ensure that records are properly captured into approved filing systems, that they are protected from unauthorised access or change, and that they are named following an agreed standard.
3. Use / Distribute: The CCGs’ records shall be appropriately available so that they support current business and decision making as well as statutory access requirements. Wherever possible the CCGs shall share one version of records rather than create duplicates.
4. Retention: The CCGs shall retain non-current and superseded records in filing systems so as to support ongoing business needs and compliance requirements. Disposal schedules shall govern how long records are retained; retained records shall continue to be protected and accessible, with storage facilities meeting appropriate standards.
5. Disposal: The CCGs’ records shall not be retained indefinitely. At the end of the retention period, records shall be disposed of. In most cases this will mean