Page 1 of 24
Information Governance Policy
Version Number: V3
Name of originator/author: Head of Information Governance and Records
Name of responsible committee: I&IT Committee
Name of executive lead: Director of Strategy, Transformation and Performance
Date V2 issued: September 2011
Last Reviewed: December 2013
Next Review date: December 2015
Scope: Trust wide
Document Control Sheet
Document Title / Ref: Information Governance Policy
Lead Executive Director: Director of Strategy, Transformation and Performance
Author and Contact Number: Head of Information Governance and Records, 0161 882 1081
Type of Document: Policy
Broad Category: Corporate
Document Purpose: The purpose of this Information Governance Policy is to be the definitive policy which sets out clear and robust Information Governance at the Trust.
Scope: All Staff including locums, trainees, students etc.
Version number: V3
Consultation: None required
Approving Committee: I&IT Committee
Approval Date: January 2014
Ratification and Date: Lead Executive Ratification – Director of Strategy, Transformation and Performance; Date of Ratification January 2014
V2 Valid from Date: September 2011
Current version is valid from approval date
Date of Last Review: December 2013
Date of Next Review: December 2015
Procedural Documents to be read in conjunction with this document: n/a
Training Needs Analysis Impact: All staff are required to familiarise themselves with this policy
Financial Resource Impact: None
Document Change History
Changes to this document in different versions must be detailed below. Rationale for the change should also be given.
Version Number / Name of procedural document this supersedes: Information Governance Policy
Type of Change i.e. Review / Legislation / Claim / Complaint: Review
Date: December 2013
Details of Change and approving group or Executive Lead (if done outside of the formal revision process): Amended format to be in new Trust format for policy documentation and policy review
External references used in the creation of this document:
If these include monitoring duties upon the Trust for this policy the specific details should be recorded on the Monitoring and Compliance Requirements sheet.
Information Governance Toolkit v 11, HSCIC 2013
Privacy Impact Assessment submitted: Previous PIA 21/07/11 - no major changes. Any issues? None
Fraud Proofing submitted: Previous fraud proofing 02/08/11 - no major changes. Any issues? None
If not relevant to this procedural document give rationale: Review of a previous policy - no major changes
Policy authors are asked to consider each of the nine protected characteristics under the Equality Act 2010. We expect you to demonstrate that throughout the policy process you have had regard to the aims of the Equality Duty:
1. Eliminate unlawful discrimination, harassment and victimisation and any other conduct prohibited by the Act;
2. Advance equality of opportunity between people who share a protected characteristic and people who do not share it; and
3. Foster good relations between people who share a protected characteristic and people who do not share it.
Please provide a brief account of how you have done this, further work to be completed and any support you have had in considering the aims and working in compliance with the Equality Duty.
If you are unclear on how to do this or would like further advice and support then you may contact
It is the responsibility of the approving group to ensure this statement reflects the Trust's objectives and position on compliance as set out within the NHS Equality Delivery System.
The previous version of this policy was subject to a full equality and diversity impact assessment in line with the Equality Duty, which was approved by the Equality and Diversity Committee. The Equality Duty has, however, also been considered during this review of the policy; as the policy changes are very minor they do not have any impact, and the policy complies with the Equality Duty.
In line with the Trust values we may publish this document on our External Website. Is there any reason you would prefer this is not done?
No
It is the Author's responsibility to ensure all procedural documents comply with the Trust values.
If you are unclear on any of the requirements in the document control sheet then please email
Monitoring and Compliance Requirements Sheet
For audit, Registration and NHSLA purposes all procedural documents must have monitoring requirements or key performance indicators set by the authors, Committees or Lead Directors. This allows the Trust to routinely monitor the effectiveness and impact of their procedural documents on a regular basis.
NB: If you have selected audit you should complete the required audit registration form and standards document and submit these with your expected timescales for completing the audit to [email protected] as soon as possible and no later than 4 weeks prior to the audit commencing.
The Group / Committee should also ensure the monitoring work is added to their yearly schedule of monitoring and action logs as appropriate.
Procedural Document Title: Information Governance Policy V3
Does this procedural document offer support or evidence for the Trust's registered activities and outcomes? Yes
Primarily: IG Toolkit
Additional: Not Applicable
Additional: Not Applicable
Is this an NHSLA Document? No
Which Standard does this relate to? n/a
Which Criterion?
If other Monitoring requirements are necessary, i.e. Health & Safety Act, you should include them here and record them in the External References section.
Specify where the requirement originates: IG Toolkit Version 11 – HSCIC
Additional Details i.e. Section number, Code of Practice: 11-105: policies
Minimum Requirement / Standard / Indicator to be monitored & Section of document it appears: Level 2 - 11-105 \ 1b – Policies; Policy, approvals, procedure and guidelines in place
Process for monitoring:
Responsible Individual / Group:
Frequency of Monitoring:
Responsible Group for review of results / action plan approval / implementation:
Comments:
CONTENTS
1. Introduction Page 6
2. Policy purpose Page 7
3. Scope Page 7
4. Policy Objective Page 7
5. Legal Requirements Page 8
6. Principles of Information Use Page 8
7. Responsibilities Page 10
8. Other Relevant Policies Page 13
9. IG Assurances Page 14
10. Training and awareness Page 18
11. Monitoring, evaluation and review Page 18
12. Counter Fraud Measures Page 18
13. Accessibility of Documents Page 19
14. References/Supporting Information Page 19
Appendix B – Caldicott Principles Page 20
Information Governance Policy
1. Introduction
Manchester Mental Health & Social Care Trust (the Trust) uses large amounts of data/information in order to support the delivery of health and social care services. Most of this is service users' confidential personal information which they provide in support of their health and social care. They have rights under the law to expect the Trust to keep it confidential and therefore secure. To do this effectively, a cohesive, practical framework is needed that governs and supports the legally compliant use of information. Information assets, such as data and the information systems it is processed on, have become vitally necessary in order to provide modern health and social care services. Such information assets must continue to work well in order to provide the entire scope of services and support that are now expected. There are strong legal requirements and NHS directives that necessitate working in an IG-compliant manner:-
• Confidential data must be kept confidential, adequately protected, only shared when legal and safe to do so and used (processed) in accordance with the law, notably the Data Protection Act.
• Information assets (e.g. data and systems) must be available when necessary for service provision and support.
• Information assets must have the appropriate integrity and quality, e.g. applications must work as expected and data must be as accurate as necessary.
In order to achieve the above, a wide-scoping IG risk management framework has been developed over the years, comprising law, ethics, directives, guidelines, controls, technology, standards etc.
This document is the Trust's Information Governance Policy and is a key part of the IG Framework (IGF). The IGF is a broad framework of risk management implemented to manage the risks associated with using/processing data, especially confidential data, in order to facilitate and ensure its continued, appropriate and legally compliant use. It is firmly based on legislation, NHS policy, directives and guidelines, international information security standards and best practice in many areas (e.g. Informatics and IT, records management, information security, Data Protection etc).
This policy is directed and guided by the Trust's Information Governance Framework and supported by related policies, procedures and processes. It is intended to be fully consistent and compatible with the policies and practices throughout the NHS and has been developed to achieve compliance with the legal, regulatory and ethical frameworks.
• All staff must read and comply with this policy, raising any points that are not understood with their management or the relevant staff whose contact details can be found in the Contacts section of this document.
2. Policy Purpose
The purpose of this Information Governance Policy is to be the definitive policy which sets out clear and robust Information Governance at the Trust.
This policy will not discriminate, either directly or indirectly, on the grounds of gender including gender reassignment, race, ethnic or national origin, sexual orientation, marital status, religion or belief, age, disability, union membership, offending background or any other unjustified grounds.
3. Scope
This policy applies to the following:
• All staff and any others such as any individual, group, company, legal body or entity engaged in work/service provision, support or any other function relating to the Trust. This includes students, locums, maintenance staff, experts, support services, service providers, third parties, software developers, testers, system hosting providers or any others that use, process or have any access to, transmission of, or storage of confidential Trust data or information.
• All information assets such as information systems and data processing facilities purchased, developed and managed by or on behalf of the Trust and its partners.
• All data and information used by the Trust that it has a legal or ethical requirement to meet and maintain. This is irrespective of how it is stored or transmitted, e.g. email, databases, fax, files on networks, paper records.
• All kinds of Trust data and information, including service user, staff and organisational information. Most importantly this is confidential data, but any supporting data is also included. It applies to any data the Trust processes on behalf of another organisation or entity under an agreement or contract.
• All uses and handling of such information, e.g. the processing, usage and handling of structured paper and electronic records and file systems.
• All transmission and sharing of such information – file-sharing, e-mail, fax, post and telephone. This includes database transactions that do not necessarily 'move' anywhere except through electronic registers.
4. Policy Objective
The objective of this policy is to set out what must be complied with in order to implement the Information Governance (IG) Framework so as to enable the Trust to meet its responsibilities for the secure and appropriate management of information assets and resources. Furthermore, it sets out the principles of IG in a clear and structured way that supports IG implementation with clear and practical rules.
The aims of this policy and its supporting policies are to ensure and preserve:-
• Confidentiality – limiting access to data to those authorised to view it.
• Integrity – safeguarding the accuracy and completeness of information and ensuring the correct operation of all information assets (e.g. systems and networks).
• Accessibility – ensuring that information is available and delivered to the right person, at the time it is needed.
• Authenticity – ensuring information and records are credible and authoritative.
• Reliability – ensuring information and records can be trusted as a full and accurate representation of the transactions, activities or facts.
5. Legal Requirements
The legal framework on which this information governance policy is based is as follows:
• Data Protection Act 1998
• Caldicott 2 Information: To share or not to share
• Computer Misuse Act 1990
• Copyright, Designs and Patents Act 1988
• Regulation of Investigatory Powers Act 2000
• Human Rights Act 1998
• Electronic Communications Act 2000
• Freedom of Information Act 2000
• Health and Social Care Act 2001
• Access to Records Act 1990
• The Caldicott Committee Report on the Review of Patient Identifiable Information (1997)
• Common Law Duty of Confidentiality
• Fraud Act 2006
• Bribery Act 2010
6. Principles of Information Use
The Trust endorses and promotes the following key principles, which are derived from the Data Protection Principles, for the effective use and management of its confidential information, requiring that staff observe and implement them in their use of data and information. Data/information must be:-
• Held securely and confidentially
  ◦ Management must control access to information assets through correct, approved authorisation.
  ◦ Confidential data must be kept securely. Staff work in appropriately secure premises and have lockable rooms, cupboards and cabinets in which to store confidential information.
  ◦ Security credentials must be required for staff to access computers and applications. These must be kept secret by the authorised user granted access.
• Obtained fairly and efficiently. Staff must:-
  ◦ have legitimate grounds for collecting and using the personal data they do
  ◦ not use the data in ways that have adverse effects on the individual(s) concerned
  ◦ be transparent about how you (the care team etc) intend to use the data, and give individuals appropriate privacy notices when collecting their personal data
  ◦ handle people's personal data only in ways they would reasonably expect
  ◦ make sure you do not do anything unlawful with the data.
• Recorded accurately and reliably. Staff must:-
  ◦ take reasonable steps to ensure the accuracy of any personal data you obtain
  ◦ ensure that the source of any personal data is clear
  ◦ carefully consider any challenges to the accuracy of information
  ◦ consider whether it is necessary to update the information
• Used effectively and ethically. Staff must:-
  ◦ strive to achieve the maximum value from the resources used
  ◦ not use information dishonestly, unethically or unsafely
• Shared appropriately and lawfully. Staff must:-
  ◦ share confidential information with consent where legal and appropriate and, where possible, respect the wishes of those who do not consent to the sharing of their confidential information. You may still share information without consent if, in your judgment, that lack of consent can be overridden in the public interest. This means applying 'the Public Interest Test', and management should be consulted if there is any doubt or the case is debatable or weak. Such sharing must be justifiable under the law and therefore it is advisable for staff to keep a record of their decision(s).
  ◦ understand that the law, notably the Data Protection Act, should not be a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared in a legally compliant manner. Whenever there is any doubt or uncertainty about whether information can be shared or not, reference must be made to the Trust's Information Sharing Policy and Procedure and, if necessary, Information Governance advice sought (see Contacts section of this document).
7. Responsibilities
7.1 Staff
Staff use information assets in their work, e.g. paper records and computer systems. Due to the Trust being a health and social care provider there is naturally a lot of personal identifiable data collected, stored and used constantly on information assets such as Amigos. Therefore it is vitally important that staff know what kind of data and systems etc they use and how to access and use them safely and securely. The Data Protection Act 1998 defines and sets out the principles for using personal data; staff are advised to understand this and can read it by following this link:-
http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx
All the following really says is 'Do the right thing' when it comes to data and systems security: apply the golden rule of treating other people's personal data as you would want them to treat your personal data. N.B. This must always comply with UK law.
Staff must:-
• Comply with the law, notably the Data Protection Act, which contains eight principles. These specify that personal data must be:-
  1. Processed fairly and lawfully.
  2. Obtained for specified and lawful purposes.
  3. Adequate, relevant and not excessive.
  4. Accurate and up to date.
  5. Not kept any longer than necessary.
  6. Processed in accordance with the "data subject's" (the individual's) rights.
  7. Securely kept.
  8. Not transferred to any country outside the EEA without adequate protection in situ.
Staff must comply with the following Caldicott Principles:-
• Justify the purpose(s) of every proposed use or transfer
• Don't use it unless it is absolutely necessary
• Use the minimum necessary
• Access to it should be on a strict need-to-know basis
• Everyone with access to it should be aware of their responsibilities
• Understand and comply with the law
• The duty to share information can be as important as the duty to protect patient confidentiality – "to share or not to share"
Staff must:-
• Comply with the Common Law 'Duty of Confidence'
  This tort of common law obliges staff to secure and maintain the confidentiality of their service users' confidences. Information that is obtained may very well be confidential, and must not be used for the benefit of persons not authorised by the individual it is about. Staff must also be aware that such a confidence could, if compelled by law, be overturned. It is best to notify the individual about this prior to a duty of confidence being entered into.
• Comply with Trust Information Governance policies and procedures
  A list of Trust policies is set out in its own section (IG Policy) in this policy to be referred to. A brief explanation of what is covered in each is provided.
• Work to Information Governance Guidelines
  Guidelines are available and issued from time to time.
• Be aware that there are legal penalties for breaking the law and that failure to comply with policy may result in disciplinary action or dismissal. Please refer to the Legal & Regulatory Framework section in this document.
• Complete Information Governance training as mandated or required
  ◦ The Trust mandates and will maintain the Information Governance Training Tool for the effective delivery of Information Governance training, awareness and education. It is available to all staff with computer access.
  ◦ The Trust will provide Information Governance induction training to all new members of staff.
  ◦ The Trust provides general Information Governance awareness and training material on the Intranet.
  ◦ Evaluation of Information Governance training will be undertaken to assess the effectiveness of the training and influence changes to future training.
• Abide by their Terms of Employment, Contracts and/or Agreements
  The Trust will:-
  ◦ establish staff responsibilities in Terms & Conditions and Contracts of Employment
  ◦ establish sufficient IG content in contracts and agreements with Third Parties
The Trust will:-
◦ appoint a Senior Information Risk Officer (SIRO) at Board level. This has already been done.
◦ establish and maintain standards and policies for the effective and secure use and management of its information assets and resources.
◦ establish and maintain standards and guidance for the effective and secure transfer of information into and out of the Trust.
◦ establish and maintain standards and policies for the disclosure of information.
◦ undertake or commission timely assessments and audits of its information and IT security arrangements.
◦ promote effective confidentiality and security practice to its staff through policies, procedures and training.
◦ establish and maintain incident reporting procedures, and monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.
Staff must ensure:-
• Confidentiality
  Confidentiality is about managing and controlling access to data so that only those authorised to view it can do so. Conversely it is also about ensuring unauthorised persons cannot access information assets.
  Authorised users are the only persons permitted to use Trust information assets. Any unauthorised use will usually constitute a breach of policy. N.B. Information asset administration staff must ensure confidentiality is kept and therefore must not access confidential data inappropriately.
  All staff must ensure that confidential information is not accessible to unauthorised persons. Precautions for information assets depend on the asset:-
  ◦ For paper assets such as records, case notes etc please refer to the Service User Records Management Policy and procedure for details.
  ◦ For computer assets (files, applications and hardware) please refer to the Information Security Policy for further details.
  For both of the above points, staff must ensure that security is implemented and maintained for the assets they use and share. Anything less could be construed as negligence.
• Integrity
  Integrity means safeguarding the accuracy and completeness of information and ensuring the correct operation of all information assets (e.g. systems and networks). Staff must work to the best of their ability and in compliance with the Data Quality Policy to ensure that information is as accurate and complete as necessary.
  Where information assets are systems, computers etc staff must ensure their operation is not jeopardised and that any potential for this is reported to the line manager/IT Help Desk.
• Accessibility
  Accessibility is about ensuring that information is available and delivered to the right person, at the time it is needed. This is primarily an operational issue regarding access to paper records and computer equipment, networks and data. Therefore staff must ensure that assets are accessible by authorised staff who need such access, e.g. premises are open, computers are available.
  Administration staff must ensure such access is granted in an authorised and timely manner.
• Authenticity
  Authenticity is about ensuring that data, information and records are credible and authoritative. All staff involved in processing data, records etc must implement the available checks and balances regarding this and comply with relevant policy.
• Reliability
  Reliability is about ensuring information and records can be trusted as a full and accurate representation of the transactions, activities or facts. Staff must implement the available checks and balances regarding this and comply with relevant policy, raising queries if thought necessary.
8. Other Relevant Policies and Associated Documents
This policy should be read in conjunction with other relevant Trust policies and procedures as follows:
A. Information Governance Framework
B. Access to Records Policy
C. Service User Record Management Policy
D. Records Management Policy
E. Email Use Policy
F. Safe Haven Policy
G. Registration Authority Policy
H. Confidentiality – NHS Code of Conduct
I. Freedom of Information Policy
J. Information Sharing Policy
K. Removable Media Policy
L. Portable Devices Policy
M. Trust Confidentiality Code of Conduct
N. Trust SUI and Incident Reporting Policy
O. Disciplinary Policy
P. Home Working Policy
Q. Mobile Phone Policy
R. Data Quality Policy
S. Trust Risk Management Strategy
T. Information Governance Strategy
U. Individual System Security Policies
V. Counter Fraud & Corruption Policy
W. Counter Fraud & Corruption Response Plan
These policies and other such policies that may be published from time to time shall be regarded as forming part of this policy document.
9. IG Assurances
9.1 Confidentiality and Data Protection Assurance
Please refer to the Legal & Statutory Framework section of this policy.
• Information Sharing & Encryption
  ◦ Staff must ensure that information is disclosed and shared in accordance with the law and policy, e.g. if an email is to be sent that will contain confidential information then that must not be put in the message body of the email but in an encrypted email attachment. The password to open it must be sent in a separate email or provided by phone.
  ◦ The Trust will ensure that Information Sharing Protocols and Agreements are available to be used in facilitating information sharing in a considered and controlled manner.
• Protective Marking Scheme
  There are 3 types of data categories at the Trust, set out in the following grid.
  CONFIDENTIAL – The Trust regards all identifiable personal information relating to patients and staff as confidential and will keep it confidential unless compelled by law (e.g. the 'public interest') to release it. Examples: Service User and Patient data, case notes, Amigos files, staff personnel records, financial records.
  INTERNAL – Statistics, work-a-day internal emails with non-confidential messages.
  PUBLIC – Communications advertising, internet site.
• Safe Haven Guidelines
  The term 'Safe Haven' applies to the handling of confidential information such as confidential faxes which must be sent securely. It also applies to staff that work in safe havens such as secure locations or between secure computers/systems. This is covered more extensively in the following documents:-
  ◦ The Trust has produced a Safe Haven Policy and a Service User Records Management Policy and Procedure. Staff must comply with these in their daily data use.
• Legal Compliance
  Please refer to the Legal & Statutory Framework in this document for further information.
  ◦ All staff must comply with the law and proactively help the Trust to continue in its compliance.
  ◦ The Trust will undertake or commission annual assessments and audits of its compliance with legal requirements.
  ◦ Service users/patients can apply for access to information relating to their own health care, their options for treatment and their rights as patients under the Data Protection Act.
  ◦ The public may apply for information in the 'Public' category under the Freedom of Information Act.
9.2 Information Security Assurance
All staff are expected to safeguard the information assets that they use, e.g. their Trust laptop and access to the data that is accessible through it. Therefore staff must work in such a way as not to jeopardise the asset or put it at risk, and ensure that it is secure. Where a risk is found it must be reported to the IAO or IAA of the asset concerned.
Staff must comply with the Information Security Policy and supporting procedures.
The Trust will continue to manage risk in a proactive way and therefore put in place the appropriate:-
◦ Policies and procedures – the Trust will govern and strive to prevent a range of potential security incidents and ensure that critical services can be resumed in a timely manner. It will therefore ensure much work and many policies, procedures, controls and countermeasures exist and more are proposed for update or development.
◦ Awareness Training – the Trust has put in place, and monitors, an IG Awareness training programme.
◦ Information Security Management – the Trust will ensure it minimises or diminishes the compromise or loss of information through carelessness, theft, fraud, deliberate leak or attack. Therefore the Trust will work in accordance with best practice guidelines and NHS directives and adopted standards. Staff must 'do their bit' in this, always seeking to look after the information assets around them and reporting anything untoward.
◦ Information Security Incident Management – significant incidents and risks must be escalated to the Head of IG and SIRO for consideration/investigation on behalf of the Trust Board. The level of acceptable risk will be agreed by the Trust Board by consideration of the Trust's Risk Registers, which they have oversight of and keep under review. Information security risks will be reviewed, evaluated, and risk management principles embedded as part of day-to-day business. Departmental approaches must be flexible and capable of adapting to fast moving or unpredictable events that require dynamic decision-making.
◦ Information security needs to be approached in a structured manner to ensure that risks are managed appropriately. The following approach to information risk management will be taken:-
  • Identify Assets: to identify its assets such as people, information, systems and services, and understand their values in terms of how they support health and social care services provision and what the impact of compromise or loss may be.
  • Identify/engage Information Asset Owners: for the SIRO to nominate and engage Information Asset Owners over the Trust's information assets. (Note: this will include shared services assets.)
  • Threat Assessment: to identify threats to the Trust's information assets on an ongoing basis, assessing the likelihood and scale of the threat and the impact of an occurrence.
  • Vulnerability Assessment: to consider the vulnerability of assets, systems and services, including an assessment of the adequacy of existing safeguards.
  • Risk Tolerance: to understand the level of risk that the Trust is prepared to tolerate.
  • Implement Controls: to select proportionate security controls as necessary to reduce the risk to an acceptable level. Risks should be continuously monitored and corrective action taken where necessary.
NB: The above will be done over all information assets, including shared infrastructure ones, e.g. the computer network.
9.3 Clinical Information Assurance
Staff must comply with all applicable Records Management policies and procedures.
• Information and records management
  Records Management
  ◦ The Trust will establish and maintain policies and procedures for the effective management of records.
  ◦ The Trust will undertake or commission timely assessments and audits of its records management.
  ◦ Managers are expected to ensure effective records management within their service areas.
  ◦ The Trust promotes records management through policies, procedures and training.
  ◦ The Trust uses Records Management: NHS Code of Practice as its standard for records management.
9.4 Secondary Use Assurance
Staff must comply with the Data Quality Policy and all applicable supporting procedures, and raise related matters with the relevant management and Informatics staff.
Information quality assurance
▪ Data Quality Assurance
  ◦ The Trust will establish and maintain policies and procedures for information quality assurance.
  ◦ The Trust will undertake or commission annual assessments and audits of its information quality.
  ◦ Managers are expected to take ownership of, and seek to improve, the quality of information within their services.
  ◦ Wherever possible, information quality should be assured at the point of collection.
  ◦ Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
  ◦ The Trust will promote information quality through policies, procedures/user manuals and training.
9.5 Corporate Information Assurance
Business continuity and disaster recovery plans
◦ Physical security incident management/Disaster Recovery – The Trust has Disaster Recovery and Business Continuity Plans (please refer to them on the Intranet), so they are not dealt with here, other than to say that physical incidents (e.g. break-ins, terrorist attack, flooding), electronic attacks, compromise of communications security or disruption of online services must be reported to the relevant Information Asset Owner (IAO), who reports to the SIRO.
• Monitoring and compliance assurance
• Freedom of Information
• Non-confidential information about the Trust and its services will be available to the public through a variety of media.
• The Trust has established and will maintain policies to ensure compliance with the Freedom of Information Act.
• The Trust undertakes or commissions annual assessments and audits of its freedom of information policies and arrangements.
• The Trust has clear procedures and arrangements for liaison with the press and broadcasting media (please refer to the Communications Department policy etc.).
• The Trust has clear procedures and arrangements for handling queries from patients and the public.
10 Training and Awareness
In line with the Trust Mandatory Training policy, the Trust will ensure that all users of Trust information systems and assets are provided with the necessary information governance guidance, awareness and training as appropriate to discharge their IG responsibilities based on the outcome of the training needs analysis undertaken by the Learning and Development Department. This information is available on the Trust intranet.
11 Monitoring, Evaluation and Review of the Policy
The process for monitoring both the compliance with this policy and its effectiveness will be through the use of audit in accordance with the Trust Audit Plan.
All Audit Reports and action plans will be subject to regular monitoring by the I&IT Committee.
In addition external and internal audits will be commissioned as appropriate.
The Trust will also complete and submit the NHS Statement of Assurance and the IG Toolkit, which monitors attainment against NHS Information Governance standards. The policy will be reviewed on a bi-annual basis by the Information Governance Manager and the Trust Information Governance Group and any amendments or additions will be made. However, where review is necessary due to legislative change this will happen immediately.
12 Counter Fraud Measures
In accordance with the Trust’s counter fraud & corruption plan any suspicious activity, within the scope of this policy, will be referred to and subsequently investigated by the Trust’s Local Counter Fraud Specialist. The results of any such investigation could lead to internal disciplinary and/or civil/criminal prosecution proceedings being instigated against the appropriate person/persons involved.
13 Dissemination, Implementation and Access to this Document
This policy and associated procedural guidance, once ratified, will be disseminated by the Head of Regulation Compliance and Quality Improvement through the Trust Communication Channels as agreed with the Communications Department. The document will be made available on the Trust intranet site.
14 References and Supporting Information
NHS Code of Practice for Information Security 2007, DoH Information Governance Toolkit v 11, HSCIC 2013
Appendix A – Caldicott Principles
The Caldicott Principles - Revised September 2013
Principle 1. Justify the purpose(s) for using confidential information
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.
Principle 2. Don’t use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
Principle 3. Use the minimum necessary personal confidential data
Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.
Principle 4. Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.
Principle 5. Everyone with access to personal confidential data should be aware of their responsibilities
Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.
Principle 6. Comply with the law
Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
Principle 7. The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
Appendix B
LEGAL & REGULATORY FRAMEWORK
The Trust acknowledges the complexity of the Legal and Regulatory Framework described in this section, seeking at all times to work in a compliant manner.
Much legislation exists over the use of information, mostly pertaining to personal identifiable data (PID) as it has the highest risk rating and therefore needs the most robust protection and secure handling.
The Trust has implemented an appropriate management structure, as set out in the IG Management Framework section of this document, to govern all of this with the goal of achieving and sustaining legal compliance in all its data use.
It is essential that relevant legislation is understood and applied sufficiently over the spectrum of IG, e.g. data loss incidents, breaches of confidentiality, technical security implementations etc. This requires that:-
(a) In-house IG expertise will need timely updating – the Trust’s strategic stance on this is to employ experts and update skills on an ongoing basis via PDPs.
(b) External expertise may at times need to be called upon – for this, the Trust has well established links with solicitors. The Trust will engage experts as and when necessary.
The Legislative Framework is set out next:-
LEGISLATIVE FRAMEWORK
The Data Protection Act 1998
http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1
This Act sets out the principles and statutory requirements for guiding and enforcing legally compliant ‘personal data’ use. The Trust’s use (processing) of personal identifiable data must comply with the following principles:-
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with individual rights
• Secure
• Not transferred to other countries without adequate protection
Secondly, the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
Moreover, all staff should be familiar with their own professional codes relating to ethical aspects of information governance (i.e. respect for patient privacy and dignity).
• Data Protection – The Trust will process requests for individuals’ personal data under the Act.
• Confidential data – Health records are defined under the Data Protection Act as sensitive personally identifiable information, which therefore requires rigorous controls to be in place to support service users’ expectation that their information will be held securely and shared only in a legally and ethically compliant manner. Data considered by the Trust and the law to be commercially confidential will be safeguarded accordingly.
• Personal data access for patients, service users and staff etc. – The Trust will give patients ready access to information relating to their own care in accordance with legislation, and will have clear procedures for handling queries from patients, service users and the public. Further, the Trust will make available to staff information relating to their employment, subject to the Data Protection Act 1998.
• NB: The Information Commissioner’s Office (ICO) has the ability to set monetary penalties against organisations of up to £500,000 for serious breaches of the Data Protection Act. This liability rests with the legal entity responsible for the processing of the data, even where this has been contracted out. The Trust needs to be aware of its obligations to ensure that information flows have a sound legal basis and that they remain compliant with the law.
The Freedom of Information Act 2000
http://www.opsi.gov.uk/Acts/acts2000/ukpga_20000036_en_1
This Act is about information which (a) the Trust has agreed to make public or (b) the Trust provides in meeting a request under the FOI Act.
• FOI requests – The Trust will process requests under the Act.
• Publicly available information – The Trust will make available non-confidential information about the Trust and its services to the public through a variety of media, and has developed clear procedures for liaison with the press and media.
Common Law: ‘Duty of Confidence’ – this ‘tort’ of law relates to there being a reasonable expectation of the patient/service user to expect their personal data to be kept confidential by the clinician/staff they divulge it to.
Access to Health Records Act 1990 (unless superseded by the Data Protection Act) – regarding the right to apply for copies of deceased patients’/service users’ clinical records. Living patients/service users apply under the Data Protection Act 1998.
Computer Misuse Act 1990 – about cybercrime/hacking
The Human Rights Act 1998
http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980042_en_1
Access to Health Records Act 1990
http://www.opsi.gov.uk/acts/acts1990/ukpga_19900023_en_1
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4068403
Caldicott 2
http://systems.hscic.gov.uk/infogov/caldicott/caldresources
There are many other laws and the following list is not exhaustive:-
• Copyright, Designs and Patents Act 1988
• Copyright (Computer Programs) Regulations 1992
• Crime and Disorder Act 1998
• Electronic Communications Act 2000
• Environmental Information Regulations 2004
• Health and Social Care Act
• Regulation of Investigatory Powers Act 2000 (and Lawful Business Practice Regulations)
• Public Interest Disclosure Act 1998
• NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000
• Human Fertilisation and Embryology Act 1990
• Abortion Regulations 1991
• Public Records Act 1958
• Regulations under the Health and Safety at Work Act 1974
• Re-use of Public Sector Information Regulations 2005
REGULATORY FRAMEWORK
Further to legislation, the NHS has mandated a number of elements of regulation that are an intrinsic part of Information Governance via a national programme. This area is developing at a fast changing pace and the focus within this section will need significant periodical review.
Information Governance Toolkit – requires trusts to assess their progress against set criteria
https://nww.igt.connectingforhealth.nhs.uk/
NHS Operating Framework – Since version 9 of the IG Toolkit, all requirements are ‘key’ and the Trust is expected to attain level 2 against all the requirements in its assessment set.
Caldicott – a report for the audit and improvement on the use of patient identifiable data
(1997) and HSC 1999/012. The Caldicott Principles were derived from this.
ISO 27001: Information Security Management Standard & CoP
Information Quality Assurance, QIPP and the quality agenda generally.
Confidentiality: NHS Code of Practice (2003)
Information Security Management: NHS Code of Practice
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/codes/securitycode.pdf
NHS Guidance on Consent to Treatment
Records Management: NHS Code of Practice
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747
Clinical Negligence Scheme for Trusts (CNST) via NHS Litigation Authority
NHS Code of Confidentiality
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/codes/confcode.pdf
The Trust’s Annual Governance Statement – this mentions the work undertaken around IG and the completion and submission of the IG Toolkit self-assessment, which is audited.
Care Quality Commission Regulations and NHSLA compliance, particularly ‘Care Quality Commission, Outcome 21 (and 6): Records’ – This is one of the core 16 quality and safety standards and relates entirely to records management and handling. It is closely related to Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities). Both require appropriate and legal records management.
Information Technology – As information technology progresses there needs to be information governance in place over it.
Payment by Results/Service Line reporting
Pressure from clinical communities and Ministers to produce high quality information on the quality of care.
Increased risk that clinical care will be undermined due to reliance on poor quality records made readily accessible through electronic means.
Pressure from central government to assure the security of data transfers as a result of data losses.
Monitor – IG assurance agency
Annual Governance Statement – IG assurance is a recognised part of the Trust’s overall governance framework.
ETHICAL FRAMEWORK
The right to expect confidentiality to be kept when it can reasonably be expected entitles a patient to the exercise of control over the content, uses of and disclosures of their personal information. Respect for that privacy is an essential part of the patient/staff relationship.
The ethical framework is enshrined by the following:-
Common Law: Duty of Confidence – a tort of UK Law
‘Confidentiality: NHS Code of Practice’ which includes the following principles:-
Protect – look after patient’s information