
Information Governance Policy

Version 4, November 2012 Page 1 of 21

Information Governance Policy

Author: Susan Hall, Information Governance Manager

Owner: Fiona Jamieson, Assistant Director of Healthcare Governance

Publisher: Compliance Unit

Date of first issue: February 2005

Version: 5

Date of version issue: April 2013

Approved by: Executive Board

Date approved: 20th March 2013

Review date: March 2015

Target audience: General

Relevant Regulations and Standards: Information Governance Toolkit

Executive Summary

This Policy sets out the guidelines for York Teaching Hospital NHS Foundation Trust staff to effectively manage information in a secure and accurate manner and in compliance with current legislation & NHS guidelines.


Version History Log

This area should detail the version history for this document. It should detail the key elements of the changes to the versions.

| Version | Date Approved | Version Author | Status & Location | Details of Significant Changes |
|---|---|---|---|---|
| 1.0 | December 2004 | Susan Hall | Archived – Compliance Unit | New Policy |
| 2.0 | February 2005 | “ | Archived – Compliance Unit | Joint Policy with Selby and York Primary Care Trust |
| 3.0 | January 2007 (Approved by Fiona Jamieson) | “ | Archived – Compliance Unit | 1. Policy applied to York Hospitals Trust only. 2. Removed references to NHS Information Authority. 3. Conformed to new Corporate Policy template. 4. Updated list of related Policies at Appendix 1. |
| 4.0 | January 2010 | “ | Archived – Staff Room | Minor changes only to reflect new Committee structure |
| 5.0 | January 2013 | “ | Current – Staff Room | Extended Policy statement. Changed to reflect organisational change, and new corporate template. Added volunteers to groups bound by Policy, and reference to possibility of dismissal for breaches. New section on Training. |


Contents

Process Flowchart

1 Introduction and Scope

2 Definitions / Terms Used in Policy

3 Policy Statement

4 Equality Impact Assessment

5 Accountability

6 Consultation, Assurance and Approval Process

7 Review and Revision Arrangements

8 Dissemination and Implementation

9 Document Control including Archiving Arrangements

10 Monitoring Compliance and Effectiveness

11 Training

12 Trust Associated Documentation

13 External References

Appendix A Equality Impact Assessment Tool

Appendix B Checklist for Review and Approval

Appendix C Plan for Dissemination of Policy


Process flowchart

Working with any of the following?

Personal information, e.g. patient and staff records

Other confidential information, e.g. commercially sensitive

Corporate information, e.g. Policies, Reports

Application Requirement

Legal compliance

Information security

The Trust ensures that identifiable personal information is protected in accordance with the Data Protection Act and Human Rights Act, and that staff observe their Common law Duty of Confidence.

Staff are fully apprised of these and other legal and contractual responsibilities through the Statutory and Mandatory training programme, supported by documented policies and procedures.

A comprehensive Information Security Policy prescribes technical and organisational measures to reduce the risk of data loss, corruption or misuse.

All reported incidents of actual or potential breaches of confidentiality or security will be investigated.

Information quality assurance

Data standards are clear and consistent and promote information quality and effective records management.

Procedures are in place to ensure the accuracy of patient information on all systems and/or records that support the provision of care.

Openness

Patients have access to information about their healthcare and options for treatment.

Non-confidential information on the Trust and its services is available to the public in compliance with the Freedom of Information Act.

The Trust will follow clear guidelines when liaising with the press, patients or the public.


1 Introduction and Scope

Information is a vital asset, both in terms of the clinical management of individual service users and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.

It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability provide a robust governance framework for information management.

This Information Governance policy provides an overview of the organisation’s approach to information governance; a guide to the procedures in use; and details about the IG management structures within the organisation.

This Policy applies to all staff of York Hospitals Foundation Trust. Compliance is also required of contractors, sub-contractors and volunteers.

2 Definitions / Terms used in policy

Information Governance: The NHS framework for handling information and records, which promotes quality and security through provision of legal and best practice guidelines. IG is the foundation for high quality healthcare using information which is accurate, complete, up-to-date, and available to authorised professionals when and where needed.

The Data Protection Act 1998 governs processing of data on identifiable living people. It places obligations on those who hold personal data, and gives rights to individual ‘data subjects.’ Breaches of the DPA can result in financial penalties of up to £500,000.

The Freedom of Information Act 2000 provides public access to information held by public authorities, including NHS trusts. Personal and otherwise confidential information are exempt from disclosure.

Information Security: Information Security includes technical and procedural means to protect information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.


Confidential Information: Privileged information, shared with only selected authorised people for furthering certain purposes, such as with a doctor for treatment of a medical condition, or a potential customer for entering into a business contract. The receiver of confidential information is generally prohibited from using it to take advantage of the giver.

Everyone who works for the NHS is bound by a duty to protect confidential information. This duty:

a. is a legal obligation derived from case law;

b. is a requirement established within professional codes of conduct; and

c. must be included within NHS employment contracts as a specific requirement linked to disciplinary procedures.

3 Policy Statement

The Trust undertakes to implement information governance effectively and will ensure the following:

Information will be protected against unauthorised access;

Confidentiality of information will be assured;

Integrity of information will be maintained;

Information will be supported by the highest quality data;

Regulatory and legislative requirements will be met;

Business continuity plans will be produced, maintained and tested;

Information governance training will be available to all staff as necessary to their role;

All breaches of confidentiality and information security, actual or suspected, will be reported and investigated.

This policy addresses the key elements of Information Governance:

a) Openness

b) Legal compliance

c) Information security

d) Information quality assurance

3.1 Openness

• Non-confidential information on the Trust and its services will be made available to the public through a variety of media, in accordance with the Trust’s values of openness

• The Trust will establish and maintain policies to ensure compliance with the Freedom of Information Act 2000

• The Trust will undertake or commission annual assessments and audits of its policies and arrangements for openness

• Patients should have ready access to information relating to their own health care, their options for treatment and their rights as service users

• The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media

• The Trust will have clear procedures and arrangements for handling queries from patients and the general public.

3.2 Legal Compliance

• The Trust regards all identifiable personal information relating to patients as confidential

• The Trust will undertake or commission annual assessments and audits of its compliance with legal requirements

• The Trust regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise

• The Trust will establish and maintain policies to ensure compliance with the Data Protection Act, Human Rights Act and the common law duty of confidentiality

• The Trust will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Mental Capacity Act, Crime and Disorder Act, Children Act)


3.3 Information Security

• The Trust will establish and maintain policies for the effective and secure management of its information assets and resources

• The Trust will undertake or commission annual assessments and audits of its information and IT security arrangements

• The Trust will promote effective confidentiality and security practice to its staff through policies, procedures and training

• The Trust will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

3.4 Information Quality Assurance

• The Trust will establish and maintain policies and procedures for information quality assurance and the effective management of records

• The Trust will undertake or commission annual assessments and audits of their information quality and records management arrangements

• Managers are expected to take ownership of, and seek to improve, the quality of information within their services

• Wherever possible, information quality should be assured at the point of collection

• Data standards will be set through clear and consistent definition of data items, in accordance with national standards

• The Trust will promote information quality and effective records management through policies, procedures/user manuals and training.

3.5 Other Related Issues

Information Governance encompasses a wide range of initiatives, which are governed in the Trust by a developing body of policies and procedures. These are kept under review in the light of changes to Information Governance requirements. A list of the key documents is given in Section 11: guidance is published and maintained on Staff Room.

4 Equality Impact Assessment

The Trust aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at an unreasonable or unfair disadvantage over others.

In the development of this policy, the Trust has considered its impact with regard to equalities legislation. The outcome of the Equality Impact Assessment is reported at Appendix A.

5 Accountability

Acting on behalf of the Chief Executive, the lead Director for Information Governance is the Chief Nurse/Director of Infection Prevention and Control. Operational responsibility is delegated to the Assistant Director of Healthcare Governance.

The Information Governance Group is responsible for overseeing the Information Governance work programme.

Chaired jointly by the Medical Director and the Assistant Director of Healthcare Governance, the group will report into the Corporate Risk Management Group and Governance Committee.

The Medical Director, as Caldicott Guardian, has lead responsibility at Board level for the protection, use and sharing of patient-identifiable information. The Director of Finance, as the Trust’s Senior Information Risk Owner, oversees the organisation’s information risk management policy and strategy.

Working to the Assistant Director of Healthcare Governance, the Information Governance lead manager is responsible for developing policy and supporting compliance across the specialist areas (Records Management/Freedom of Information, Confidentiality/Data Protection etc).

Responsibility for the implementation of the Information Governance standards is devolved to managers working within the Directorates, although the IG Team will provide any appropriate advice and guidance to support local managers in this role.

Fundamentally, every member of Trust staff is responsible for protecting the integrity and confidentiality of the information they work with. This is a common legal and contractual duty, set out in the Trust’s Information Security Policy and reinforced for many staff groups by their professional Codes of Conduct. Breaches will be investigated and disciplinary action taken where appropriate, including dismissal for the most serious cases.

6 Consultation, Assurance and Approval Process

6.1 Consultation Process

This Policy is based on legal and best practice standards issued by NHS Connecting for Health. The standards represent Department of Health Policy and compliance is mandatory.

In York Teaching Hospital NHS Foundation Trust, this Policy was agreed by the then Information and Records Management Committee (now Information Governance Group) and Executive Board.

6.2 Quality Assurance Process

Following consultation with stakeholders and relevant consultative committees, this policy was reviewed by the Trust’s Quality Assurance group to ensure it meets the NHSLA standards for the production of procedural documents.

6.3 Approval Process

Following completion of the Quality Assurance Process, this policy and any subsequent policy revisions will require the approval of the Information Governance Group and Corporate Risk Management Group.

7 Review and Revision Arrangements

The date of review is given on the front cover sheet.


The Assistant Director of Healthcare Governance shall review the Policy at least every two years to ensure that it continues to meet the requirements of the law and guidance, and to protect the interests of the local health community.

The Policy Manager will notify the author of the policy of the need for its review six months before the date of expiry.

On reviewing this policy, all stakeholders identified in section 6 will be consulted as per the Trust’s Stakeholder policy.

Subsequent changes to this policy will be detailed on the version control sheet at the front of the policy and a new version number will be applied.

Subsequent reviews of this policy will continue to require the approval of the appropriate committee as determined by the Policy for Development and Management of Policies.

8 Dissemination and Implementation

8.1 Dissemination

Once approved, this revision will be made available to all staff working at and for York Teaching Hospital NHS Foundation Trust. It will be reported to staff through staff brief, and published on Staff Room in the Policies and Procedures area.

This policy will be made available to Service Users and the public, on request, and in the format requested.

For detail, see Dissemination Plan at Appendix C.

8.2 Implementation of Policies

This overarching Policy statement is supported by detailed policies governing specific IG topics – Information Security, Data Protection, Records Management etc, each associated with its own implementation plan. In addition, detailed Information Governance Staff Guides set out operational requirements by function (e.g. E-mail) or topic area (e.g. Data Protection). Guidance materials will be issued to new starters attending introductory IT Core Access and CPD training. Support for implementation is provided by the Information Governance Team via the annual IG Work Plan.

9 Document Control including Archiving Arrangements

The register and archiving arrangements for policies will be managed by the Compliance Unit. To retrieve a former version of this policy the Compliance Unit should be contacted.

10 Monitoring Compliance With and the Effectiveness of Policies

Compliance with the Policy is managed as follows:

| Evidence | Monitoring / Who by | Frequency |
|---|---|---|
| a. In-year progress against the Information Governance Improvement Plan | Information Governance Group; Corporate Risk Management Group | Quarterly |
| b. Audit Report – IG Toolkit evidence | Internal Audit; External Audit | Annually; On direction of CfH |
| c. Assessment results (Toolkit submission) | NHS Connecting for Health; Care Quality Commission; Audit Commission; Monitor | Three times annually (July, October, March); Annually |
| d. Compliance reviews | Assistant Director of Healthcare Governance | Rolling programme |
| e. Incident Reports | Information Governance Group | Quarterly |
| f. SIRO Report | Board of Directors | Annually |

10.2 Standards / Key Performance Indicators

• Information Governance Toolkit (NHS Connecting for Health)

11 Training

In accordance with Information Governance Toolkit requirements, appropriate IG training is delivered to all staff on an annual basis. The IG training needs of particular staff groups will be identified through an annual IG Training Needs Analysis, linked to the corporate TNA.

Corporate and local induction procedures, along with mandatory IT training, will introduce new starters to the main provisions of this policy. Existing staff will receive annual IG refresher training delivered as part of the Statutory and Mandatory programme.

12 Trust Associated Documentation

Information Governance guidance for staff is published on Staff Room. Guidance documents include:

Information Governance Staff Guides Series (Confidentiality, Data Protection, Safe Haven Guide etc)

The following associated Policies are also available for reference on Staff Room:

Information Security Policy

Acceptable Use Policy

Data Quality Policy

Data Protection Policy

Records Management Policy

Freedom of Information Policy


Advice can also be obtained from the IG Team on [email protected] .

13 External References

The Information Governance Toolkit can be viewed on the NHS Connecting for Health website at:

nww.igt.connectingforhealth.nhs.uk

The Information Commissioner is the national regulator for access to information. The IC’s Office publishes news, penalty notices and guidance relating to Data Protection, Freedom of Information and related legislation. Website address: www.ico.gov.uk/

There is also the definitive guide to protection of patient information in the NHS: NHS Confidentiality Code of Practice


Appendix A: Equality Impact Assessment Tool

To be completed when submitted to the appropriate committee for consideration and approval.

Name of Policy: Information Governance Policy

1. What are the intended outcomes of this work?

To inform staff how to effectively manage information in a secure and accurate manner.

2 Who will be affected?

All staff and patients, enquirers.

3 What evidence have you considered?

List any examples of good practice you have used in putting this policy together, ensuring consideration to the ability to implement the policy by the following groups has been given

Principal model is national policy as represented in Connecting for Health’s Information Governance Toolkit. The Policy is designed to protect the information rights of all people, including protected groups.

a Disability

In this and related policies, provision has been made for those who may lack capacity to consent in relation to information sharing and use.

b Sex

This policy is inclusive and does not differentiate between people on the basis of this characteristic.

c Race

This policy is inclusive and does not differentiate between people on the basis of this characteristic.

d Age

This policy is inclusive and does not differentiate between people on the basis of this characteristic.

e Gender Reassignment

This policy is inclusive and does not differentiate between people on the basis of this characteristic.

f Sexual Orientation

This policy is inclusive and does not differentiate between people on the basis of this characteristic.

g Religion or Belief

This policy is inclusive and does not differentiate between people on the basis of this characteristic.

h Pregnancy and Maternity.

This policy is inclusive and does not differentiate between people on the basis of this characteristic.

i Carers

This policy is inclusive and does not differentiate between people on the basis of this characteristic.

j Other Identified Groups

None

4. Engagement and Involvement

a. Was this work subject to consultation?

Yes

b. How have you engaged stakeholders in constructing the policy

Via consultation with Information Governance Group

c. If so, how have you engaged stakeholders in constructing the policy

As above

d. For each engagement activity, please state who was involved, how they were engaged and key outputs

Medical Director / Caldicott Guardian, Senior Information Risk Owner and representatives of Departments and Directorates on the Information Governance Group

Outputs = review, approval, systems for training and compliance monitoring

5. Consultation Outcome

Now consider and detail below how the proposals impact on elimination of discrimination, harassment and victimisation, advance the equality of opportunity and promote good relations between groups

a Eliminate discrimination, harassment and victimisation

Makes information rights available to all

b Advance Equality of Opportunity

Makes information rights available to all


c Promote Good Relations Between Groups

Encourages dialogue between Trust and service users

d What is the overall impact?

Information rights available to all

Name of the Person who carried out this assessment:

Susan Hall, Information Governance Manager

Date Assessment Completed 2nd December 2012

Name of responsible Director Libby McManus

If you have identified a potential discriminatory impact of this procedural document, please refer it to the Equality and Diversity Committee, together with any suggestions as to the action required to avoid/reduce this impact.


Appendix B Checklist for Review and Approval

To be completed and attached to any document which guides practice when submitted to the appropriate committee for consideration and approval.

| | Title of document being reviewed: | Yes/No/Unsure | Comments |
|---|---|---|---|
| 1 | Development and Management of Policies | | |
| | Is the title clear and unambiguous? | Yes | |
| | Is it clear whether the document is a guideline, policy, protocol or procedures? | Yes | |
| 2 | Rationale | | |
| | Are reasons for development of the document stated? | Yes | |
| 3 | Development Process | | |
| | Is the method described in brief? | Yes | |
| | Are individuals involved in the development identified? | Yes | |
| | Do you feel a reasonable attempt has been made to ensure relevant expertise has been used? | Yes | |
| | Is there evidence of consultation with stakeholders and users? | Yes | |
| | Has an operational, manpower and financial resource assessment been undertaken? | Yes | |
| 4 | Content | | |
| | Is the document linked to a strategy? | Yes | |
| | Is the objective of the document clear? | Yes | |
| | Is the target population clear and unambiguous? | Yes | |
| | Are the intended outcomes described? | Yes | |
| | Are the statements clear and unambiguous? | Yes | |
| 5 | Evidence Base | | |
| | Is the type of evidence to support the document identified explicitly? | Yes | |
| | Are key references cited? | Yes | |
| | Are the references cited in full? | Yes | |
| | Are local/organisational supporting documents referenced? | Yes | |
| 5a | Quality Assurance | | |
| | Has the standard the policy been written to address the issues identified? | | |
| | Has QA been completed and approved? | Yes | |
| 6 | Approval | | |
| | Does the document identify which committee/group will approve it? | Yes | |
| | If appropriate, have the staff side committee (or equivalent) approved the document? | N/a | |
| 7 | Dissemination and Implementation | | |
| | Is there an outline/plan to identify how this will be done? | Yes | |
| | Does the plan include the necessary training/support to ensure compliance? | Yes | |
| 8 | Document Control | | |
| | Does the document identify where it will be held? | Yes | |
| | Have archiving arrangements for superseded documents been addressed? | Yes | |
| 9 | Process for Monitoring Compliance | | |
| | Are there measurable standards or KPIs to support monitoring compliance of the document? | Yes | |
| | Is there a plan to review or audit compliance with the document? | Yes | |
| 10 | Review Date | | |
| | Is the review date identified? | Yes | |
| | Is the frequency of review identified? If so, is it acceptable? | Yes | |
| 11 | Overall Responsibility for the Document | | |
| | Is it clear who will be responsible for coordinating the dissemination, implementation and review of the documentation? | Yes | |

Individual Approval

If you are happy to approve this document, please sign and date it and forward to the chair of the committee/group where it will receive final approval.

Name Fiona Jamieson

Date 17th January 2013

Signature

Committee Approval

If the committee is happy to approve this document, please sign and date it and forward copies to the person with responsibility for disseminating and implementing the document and the person who is responsible for maintaining the organisation’s database of approved documents.

Name Cheryl Gaynor for Executive Board – minutes show approval of Policy

Date 20th March 2013

Signature


Appendix C Plan for dissemination of policy

To be completed and attached to any document which guides practice when submitted to the appropriate committee for consideration and approval.

Title of document: Information Governance Policy

Date finalised: March 2013

Previous document in use? Yes

Dissemination lead Susan Hall

Which Strategy does it relate to? Information Governance Strategy

If yes, in what format and where? Document held by Healthcare Governance Directorate

Proposed action to retrieve out of date copies of the document:

Healthcare Governance Directorate will hold archive

Dissemination Grid

To be disseminated to: 1) All Staff 2)

Method of dissemination: Staff Briefing

who will do it? IG Team

and when? Next available

Format (i.e. paper or electronic): Electronic

Dissemination Record

Date put on register / library On approval

Review date March 2015

Disseminated to All via Staff Room

Format (i.e. paper or electronic) Electronic

Date Disseminated

No. of Copies Sent N/A

Contact Details / Comments No substantial change to communicate. Supporting IG Policies set out detailed requirements.
