INFORMATION TECHNOLOGY
SECURITY POLICY
Document Author Authorised Signature
Written By: Deputy Director of IM&T / Interim Head of ICT
Date: February 2015
Authorised By: Chief Executive
Date: 17 March 2015
Policy Lead Director: Executive Director of Transformation and Integration
Effective Date: 17 March 2015
Review Date: 16 March 2018
Approval at: Policy Management Group
Date Approved: 17 March 2015
DOCUMENT HISTORY
(Procedural document version numbering convention will follow the following format. Whole numbers for approved versions, e.g. 1.0, 2.0, 3.0 etc. With decimals being used to represent the current working draft version, e.g. 1.1, 1.2, 1.3, 1.4 etc. For example, when writing a procedural document for the first time – the initial draft will be version 0.1)
Date of Issue | Version No. | Date Approved | Director Responsible for Change | Nature of Change | Ratification / Approval
26 Mar 12 | 1.0 | 26 Mar 12 | Executive Director of Transformation and Integration | - | Approved at Provider Executive Board
14 Jan 15 | 1.1 | - | Executive Director of Transformation and Integration | - | Ratified at Information Governance Steering Group
06 Feb 15 | 1.1 | - | Executive Director of Transformation and Integration | Minor Amendments | -
23 Feb 15 | 1.2 | - | Executive Director of Transformation and Integration | - | Via Voting Buttons: Ratified at Risk Management Committee
17 Mar 15 | 2 | 17 Mar 15 | Executive Director of Transformation and Integration | - | Approved at Policy Management Group
SECTION
1. Executive Summary
2. Introduction
3. Scope
4. Key Responsibilities
5. Policy Detail / Course of Action
6. Consultation
7. Implementation / Training / Awareness
8. Dissemination
9. Monitoring & Key Performance Indicators
10. References
11. Links To Other Policies
12. Disclaimer
Appendices:
A Key Definitions For Documentation
B Impact Assessment Forms on Policy Implementation (Including Checklist)
C Equality Impact Assessment Tool
1. EXECUTIVE SUMMARY
This document sets out the Trust policy for the protection of the confidentiality, integrity and availability of the computer network and its resources.
It establishes the responsibilities for IT security and provides references to the documentation relevant to this policy.
2. INTRODUCTION
2.1 The aim of this policy is to ensure the security of the Trust’s network. To do this the Trust will:
Preserve integrity of the computer network
Protect the computer network and its resources from unauthorised or accidental modification ensuring the accuracy and completeness of the Trust's assets.
Preserve confidentiality
Protect assets against unauthorised disclosure.
3. SCOPE
3.1 The Information Technology Security Policy applies to all business functions and information contained on the computer network, the physical environment and relevant people who support the network.
4. KEY RESPONSIBILITIES – Head of IT, unless stated otherwise
4.1 Chief Executive
The Chief Executive has delegated the overall responsibility for security, policy and implementation to the Senior Information Risk Officer (SIRO).
4.2 Senior Information Risk Officer (SIRO)
The SIRO is responsible for ensuring the Information Asset Owners comply with their responsibilities.
4.3 Physical & Environmental Security
Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality.
Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.
The Head of IT is responsible for ensuring that door lock codes are changed periodically, following a compromise of the code, or if s/he suspects the code has been compromised. Critical or sensitive network equipment will be protected from power supply failures.
Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems.
Smoking, eating and drinking are forbidden in areas housing critical or sensitive network equipment.
All visitors to secure network areas must be authorised by the Head of IT, following a risk assessment.
All visitors to secure network areas must be made aware of network security requirements. All visitors to secure network areas must be signed in and out. The log will contain name, organisation, purpose of visit, date, and time in and out.
The Head of IT will ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted, when necessary.
For further details see the Network Operating Procedure.
4.4 Access Control to Secure Network Areas
Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it. The Head of IT will maintain and periodically review a list of those with unsupervised access.
See the Service Delivery Procedure.
4.5 Access Control to the Network
Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access.
There must be a formal, documented user registration and de-registration procedure for access to the network.
Departmental managers must approve user access.
Access rights to the network will be allocated on the requirements of the user's role.
Security privileges (i.e. 'superuser' or network administrator rights) to the network will be allocated on the requirements of the user's role.
4.6 Third Party Access Control to the Network
Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions.
All third party access to the network must be auditable. See the Network Operating Procedure.
4.7 External Network Connections
The Head of IT is responsible for ensuring that all connections to external networks and systems conform to the NHS-wide Network Security Policy, Code of Connection and supporting guidance.
The Head of IT must approve all connections to external networks and systems before they commence operation.
4.8 Maintenance Contracts
The Head of IT will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the IT Department's Asset register.
4.9 Data and Software Exchange
Formal agreements for the exchange of data and software between organisations must be established and approved by the Head of Information Management.
4.10 Fault Logging
The Head of IT is responsible for ensuring that a log of all faults on the network is maintained and reviewed. A report of any faults and review of countermeasures will be taken to the IT User Group.
4.11 Security Operating Procedures (SyOps)
The Head of IT is responsible for producing Security Operating Procedures (SyOps) and security contingency plans that reflect this Network Security Policy. Where appropriate, the Head of IT will co-ordinate with the Local Security Management Specialist (LSMS) so that robust and integrated security SyOps can be developed, taking into account the National Security Intelligence to which the LSMS is privy.
Changes to operating procedures must be authorised by the Head of IT.
4.12 Network Operating Procedures
The Head of IT is responsible for documented operating procedures for the operation of the computer network and its resources, to ensure its correct and secure operation.
Changes to operating procedures must be authorised by the Head of IT.
Data Backup and Restoration
The Head of IT is responsible for:
Ensuring that backup copies of network configuration, network storage and server data are taken regularly.
All backup tapes will be stored securely in the fireproof safes.
4.13 Business Continuity & Disaster Recovery Plans
The Head of IT is responsible for ensuring that business continuity plans and disaster recovery plans are produced for the network.
4.14 Unattended Equipment and Clear Screen
The Trust operates a clear screen policy that means users must ensure that workstations are locked or logged off if a workstation is left unattended. Users failing to comply may be subject to disciplinary action.
4.15 Security Responsibilities
To produce and implement effective security countermeasures.
Produce all relevant security documentation, security operating procedures and contingency plans reflecting the requirements of this Information Technology Security Policy.
All such documentation will be included in the IT Department's Asset register.
Acting as a central point of contact on information security within the Trust, for both staff and external organisations.
Implementing an effective framework for the management of security.
Produce Trust standards, procedures and guidance on Information Security matters for approval by the Information User Group.
Co-ordinate information security activities particularly those related to shared information systems or IT infrastructures.
Liaise with external organisations on information security matters, including representing the Trust on cross-community committees.
Creating, maintaining, giving guidance on and overseeing the implementation of IT Security.
Representing the Trust on internal and external committees that relate to IT security.
Ensuring that risks to IT systems are reduced to an acceptable level by applying security countermeasures identified following an assessment of the risk.
Ensuring that access to the Trust's computer network is limited to those who have the necessary authority and clearance.
Providing advice and guidance to development teams to ensure that the policy is complied with.
Approving system security policies for the infrastructure and common services.
Approving tested systems and agreeing rollout plans.
Providing advice and guidance on:
• Policy Compliance
• Incident Investigation
• IT Security Awareness
• IT Security Training
• IT Systems Accreditation
• Security of External Service Provision
• Contingency Planning for IT systems
• Proposals that have been made to connect the Trust's systems, applications or networks to systems, applications or networks that are operated by external organisations.
Passing on the advice of external sources / authorities on IT security matters.
4.16 Information Governance Manager Responsibilities
To ensure that appropriate Data Protection Act 1998 notifications are maintained for information stored on the network.
Dealing with enquires, from any source, in relation to the Data Protection Act 1998 and facilitating Subject Access Requests.
Advising users of information systems, applications and networks of their responsibilities under the Data Protection Act 1998, which may include Subject Access Requests.
Advising the Head of IT on breaches of the Data Protection Act 1998 and recommended actions.
Encouraging, monitoring and checking compliance with the Data Protection Act 1998.
Liaising with external organisations regarding Data Protection Act 1998 matters.
Promoting awareness and providing guidance and advice related to the Data Protection Act 1998 as it applies within the Trust.
4.17 Information Asset Owners (IAO) Responsibilities
Ensuring that the security of the network (that is, the information, hardware and software used by staff and, where appropriate, by third parties) is consistent with legal and management requirements and obligations.
Ensuring that their staff are made aware of their security responsibilities. Ensuring that their staff have had suitable security training.
4.18 Local Security Management Specialist (LSMS)
To undertake the duties of an LSMS in accordance with Secretary of State Directions to health bodies on measures to tackle violence and general security management measures, and any subsequent advice or guidance issued by the NHS SMS.
To undergo and successfully complete propriety checking and the professional and accredited training in security management provided by the NHS SMS, and to co-operate with any further training provided by the NHS SMS and with the NHS SMS programme of quality assurance.
To ensure that all NHS security management work is carried out within a professional and ethical framework developed and provided by the NHS SMS.
To ensure that an inclusive approach to security management work is taken, involving both internal and external NHS stakeholders where appropriate and necessary.
To report to the health body’s Security Management Director on security management work locally.
To ensure strong links are built with the NHS SMS – in particular, with the Area Security Management Specialists (ASMSs).
To lead on day-to-day work in their health body to tackle violence against staff and professionals in accordance with the NHS SMS national framework and guidance.
To ensure, within the Trust and, where applicable, within those organisations contracted to provide services for the Trust, that:
• They attend the health body’s risk management, health and safety and audit committee meetings and ensure appropriate links are made with the health body’s risk assessment process, including the health body’s health and safety representatives, so that security-related issues are an integral part of that process.
• Appropriate steps are taken to create a pro-security culture within the health body and amongst contractors so that staff and patients accept responsibility for this issue and ensure that any security incidents or breaches that occur are detected and reported.
• They participate in the health body’s induction programme for new staff and develop and deliver security awareness sessions for stakeholders.
• Appropriate security incidents and breaches are publicised in accordance with guidelines issued by the NHS SMS so that a deterrent effect is created.
4.19 User Responsibilities
All personnel or agents acting for the Trust have a duty to:
Safeguard hardware, software and information in their care.
Prevent the introduction of malicious software on the Trust's IT systems.
All users of the computer network will have their own unique user identification and password.
Users are responsible for ensuring their password is kept secret (see User Responsibilities).
User access rights will be immediately removed or reviewed for those users who have left the Trust or changed roles.
Users are responsible for ensuring that they save their own data to the designated network storage area.
Users must ensure that they protect the computer network from unauthorised access. They must log off the computer network when finished working.
5. POLICY DETAIL / COURSE OF ACTION
5.1 The overall Information Technology Security Policy for the Trust is described below:
5.2 The Trust’s computer network will be available when needed, can be accessed only by authorised users and will contain complete and accurate information. The computer network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, the Trust will undertake the following:
Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.
Provide both effective and cost-effective protection that is commensurate with the risks to its computer network assets.
Implement the Information Technology Security Policy in a consistent, timely and cost-effective manner.
5.3 Where relevant, the Trust will comply with:
Copyright, Designs & Patents Act 1988
Access to Health Records Act 1990
Computer Misuse Act 1990
The Data Protection Act 1998
The Human Rights Act 1998
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000
Freedom of Information Act 2000
Health & Social Care Act 2001
5.4 The Trust will comply with other laws and legislation as appropriate.
5.5 The policy must be approved by the Head of IT.
6. CONSULTATION
6.1 The policy has been taken to the IT Seniors Team meeting for discussion and consultation, and to the Information Governance Steering Group and Risk Management Group. The recommendation from the latter was that a review should take place in six months’ time to reflect additional policies currently in production (Agile Worker, for example).
7. IMPLEMENTATION / TRAINING / AWARENESS
7.1 This Information Technology Security Policy does not have a mandatory training requirement, but the following non-mandatory training is recommended.
7.2 The Trust will ensure that all users of the computer network are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.
7.3 All users of the computer network must be made aware of the contents and implications of the Information Technology Security Policy.
7.4 Key responsibilities contained in the Information Technology Security policy will be covered by the Information Governance training provided to all staff.
7.5 Irresponsible or improper actions by users may result in disciplinary action(s).
8. DISSEMINATION
8.1 When approved this document will be available on the Intranet and will be subject to document control procedures. Approved documents will be placed on the Intranet within five working days of date of approval once received by the Risk Management Team.
8.2 When submitted to the Risk Management Team for inclusion on the Intranet this document will have fully completed document details including version control. Keywords and description for the Intranet search engine will be supplied by the author at the time of submission.
8.3 Notification of new and revised documentation will be issued on the Front page of the Intranet, through e-bulletin, and on staff notice boards where appropriate. Any controlled documents noted at the Trust Executive Committee / Policy Management Group will be notified through the e-bulletin.
8.4 Staff using the Trust’s intranet can access all procedural documents. It is the responsibility of managers to ensure that all staff are aware of where, and how, documents can be accessed within their areas of work.
8.5 It is the responsibility of each individual who prints a hard copy of any document to ensure that the printed hardcopy is the current version. Current versions are maintained on the Intranet.
9. MONITORING & KEY PERFORMANCE INDICATORS
9.1 Security Audits
The Head of IT will require checks on, or an audit of, actual implementations based on approved security policies and kept in a master file.
9.2 Malicious Software
Ensure that measures are in place to detect and protect the computer network from viruses and other malicious software.
9.3 Secure Disposal or Re-use of Equipment
Ensure that where equipment is being disposed of, IT Department staff securely overwrite all data on the equipment (e.g. on hard disks or tapes). Where this is not possible, IT Department staff should physically destroy the disk or tape.
Ensure that where disks are to be removed from the premises for repair, where possible, the data is securely overwritten or the equipment de-gaussed by the IT Department.
9.4 System Change Control
Ensure that the Head of IT reviews changes to the security of the computer network. All such changes must be reviewed and approved by the Head of IT. The IT Team leaders are responsible for updating all relevant design documentation, security operating procedures and computer network operating procedures appertaining to their specialty. The Head of IT may require checks on, or an assessment of the actual implementation based on the proposed changes.
The Head of IT is responsible for ensuring that selected hardware or software meets agreed security standards.
As part of acceptance testing of all new computer network systems, the IT Department, with the permission of the IT Manager, will attempt to cause a security failure, and will log the other criteria against which tests will be undertaken prior to formal acceptance.
Testing facilities will be used for all new computer network systems. Development and operational facilities will be separated.
9.5 Security Monitoring
Ensure that the computer network is monitored for potential security breaches. All monitoring will comply with current legislation.
9.6 Reporting Security Incidents & Weaknesses
All potential security breaches must be investigated and reported to the Head of IT. Security incidents and weaknesses must be reported in accordance with the requirements of the Trust's incident reporting procedure.
9.7 System Configuration Management
Ensure that there is an effective configuration management system for the computer network.
10. REFERENCES
10.1 Copyright, Designs & Patents Act 1988
Access to Health Records Act 1990
Computer Misuse Act 1990
The Data Protection Act 1998
The Human Rights Act 1998
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000
Freedom of Information Act 2000
Health & Social Care Act 2001
11. LINKS TO OTHER POLICIES / DOCUMENTS
11.1 Network Operating Procedure
Service Delivery Procedure
12. DISCLAIMER
12.1 It is the responsibility of all staff to check the Trust intranet to ensure that the most recent version / issue of this document is being referenced.
Appendix A KEY DEFINITIONS FOR DOCUMENTATION
Define any word or phrase that may need explaining or clarifying in more detail
Configuration Management – focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life.
Computer Network – refers to all the IT resources of the Trust (the Data centre, the
Appendix B CHECKLIST FOR THE DEVELOPMENT AND APPROVAL OF CONTROLLED DOCUMENTATION
To be completed and attached to any document when submitted to the appropriate committee for consideration and approval.
Title of document being reviewed: | Y/N/Unsure | Comments
1. Title/Cover
Is the title clear and unambiguous? Y
Does the title make it clear whether the controlled document is a guideline, policy, protocol or standard? Y
2. Document Details and History
Have all sections of the document detail/history been completed? Y
3. Development Process
Is the development method described in brief? Y
Are people involved in the development identified? Y
Do you feel a reasonable attempt has been made to ensure relevant expertise has been used? Y
4. Review and Revision Arrangements Including Version Control
Is the review date identified? Y
Is the frequency of review identified? If so, is it acceptable? Y
Are details of how the review will take place identified? Y
Does the document identify where it will be held and how version control will be addressed? Y
5. Approval
Does the document identify which committee/group will approve it? Y
If appropriate, have the joint Human Resources/staff side committee (or equivalent) approved the document? N
6. Consultation
Do you have evidence of who has been consulted? Y
7. Table of Contents
Has the table of contents been completed and checked? Y
8. Summary Points
Have the summary points of the document been included? Y
9. Definition
Is it clear whether the controlled document is a guideline, policy, protocol or standard? Y
10. Relevance
Has the audience been identified and clearly stated? Y
11. Purpose
Are the reasons for the development of the document stated? Y
12. Roles and Responsibilities
Are the roles and responsibilities clearly identified? Y
13. Content
Is the objective of the document clear? Y
Is the target population clear and unambiguous? Y
Are the intended outcomes described? Y
14. Training
Have training needs been identified and documented? Y
15. Dissemination and Implementation
Is there an outline/plan to identify how this will be done? Y
Does the plan include the necessary training/support to ensure compliance? Y
16. Process to Monitor Compliance and Effectiveness
Are there measurable standards or Key Performance Indicators (KPIs) to support the monitoring of compliance with and effectiveness of the document? Y
Is there a plan to review or audit compliance within the document? Y
Is it clear who will see the results of the audit and where the action plan will be monitored? Y
17. Associated Documents
Have all associated documents to the document been listed? Y
18. References
Have all references that support the document been listed in full? Y
19. Glossary
Has the need for a glossary been identified and included within the document? Y
20. Equality Analysis
Has an Equality Analysis been completed and included with the document? Y
21. Archiving
Have archiving arrangements for superseded documents been addressed? Y
Has the process for retrieving archived versions of the document been identified and included within? Y (Comments: Distributed Trust Policy Section of Intranet)
22. Format and Style
Does the document follow the correct style and format of the Document Control Procedure? Y
23. Overall Responsibility for the Document
Is it clear who will be responsible for co-ordinating the dissemination, implementation and review of the documentation? Y
Committee Approval
If the committee is happy to approve this document, please sign and date it and forward copies for inclusion on the Intranet.
Name of Committee:
Date:
Appendix C
IMPACT ASSESSMENT ON DOCUMENT IMPLEMENTATION
Summary of Impact Assessment (see next page for details)
Document title: Information Technology Security Policy
Totals | WTE | Recurring £ | Non-Recurring £
Manpower Costs | Nil | Nil | Nil
Training Staff | Nil | Nil | Nil
Equipment & Provision of resources | Nil | Nil | Nil
Summary of Impact:
All referral systems and processes detailed in this policy are already embedded within the Trust. The approval and implementation of this policy will incur no further costs.
Risk Management Issues:
The implementation of this policy should ensure that any significant Information Security and Governance risk to the Trust are minimised.
Benefits / Savings to the organisation:
Equality Impact Assessment
Has this been appropriately carried out? YES
Are there any reported equality issues? NO
If “YES” please specify:
IMPACT ASSESSMENT ON POLICY IMPLEMENTATION
Please include all associated costs where an impact on implementing this policy has been considered. A checklist is included for guidance but is not comprehensive so please ensure you have thought through the impact on staffing, training and equipment carefully and that ALL aspects are covered.
Manpower | WTE | Recurring £ | Non-Recurring £
Operational running costs
Additional staffing required - by affected areas / departments: | Nil | Nil | Nil
Totals:
Staff Training Impact | Recurring £ | Non-Recurring £
Affected areas / departments (e.g. 10 staff for 2 days) | Nil | Nil
Totals:
Equipment and Provision of Resources | Recurring £ * | Non-Recurring £ *
Accommodation / facilities needed | Nil | Nil
Building alterations (extensions/new) | Nil | Nil
IT Hardware / software / licences | Nil | Nil
Medical equipment | Nil | Nil
Stationery / publicity | Nil | Nil
Travel costs | Nil | Nil
Utilities e.g. telephones | Nil | Nil
Process change | Nil | Nil
Rolling replacement of equipment | Nil | Nil
Equipment maintenance | Nil | Nil
Marketing – booklets/posters/handouts, etc | Nil | Nil
Totals:
* Capital implications £5,000 with life expectancy of more than one year.
Funding / costs checked & agreed by finance: N/A
Signature & date of financial accountant: N/A
Funding / costs have been agreed and are in place: N/A
Signature of appropriate Executive or Associate Director: N/A
IMPACT ASSESSMENT ON DOCUMENT IMPLEMENTATION - CHECKLIST
Points to consider
Have you considered the following areas / departments?
• Have you spoken to finance / accountant for costing?
• Where will the funding come from to implement the policy?
• Are all service areas included?
o Ambulance
o Acute
o Mental Health
o Community Services, e.g. allied health professionals
o Public Health, Commissioning, Primary Care (general practice, dentistry, optometry), other partner services, e.g. Council, PBC Forum, etc.
Departments / Facilities / Staffing
• Transport
• Estates
o Building costs, Water, Telephones, Gas, Electricity, Lighting, Heating, Drainage, Building alterations e.g. disabled access, toilets etc
• Portering
• Health Records (clinical records)
• Caretakers
• Ward areas
• Pathology
• Pharmacy
• Infection Control
• Domestic Services
• Radiology
• A&E
• Risk Management Team / Information Officer – responsible for ensuring the policy meets the organisation's approved format
• Human Resources
• IT Support
• Finance
• Rolling programme of equipment
• Health & safety/fire
• Training materials costs
Appendix D Equality Analysis and Action Plan
(This template should be used when assessing services, functions, policies, procedures, practices, projects and strategic documents)
Step 1. Identify who is responsible for the equality analysis.
Name: Jake Gully
Role: Interim Head of ICT
Other people or agencies who will be involved in undertaking the equality analysis:
Step 2. Establishing relevance to equality
Show how this document or service change meets the aims of the Equality Act 2010.
Equality Act – General Duty | Relevance to Equality Act General Duties
Eliminates unlawful discrimination, harassment, victimization and any other conduct prohibited by the Act. | There are no discrimination issues relating to this policy.
Advance equality of opportunity between people who share a protected characteristic and people who do not share it. | Relevant to all staff.
Foster good relations between people who share a protected characteristic and people who do not share it. | N/A
Step 3. Scope your equality analysis
Scope
What is the purpose of this document or service change?
This document has been reviewed in line with the policy review date.
Who will benefit? All staff.
What are the expected outcomes? To ensure that all staff are aware of their responsibilities in relation to Information Governance.
Relevance
Protected Groups | Staff | Service Users | Wider Community
Age | √ | √ | √
Gender Reassignment | √ | √ | √
Race | √ | √ | √
Sex and Sexual Orientation | √ | √ | √
Religion or belief | √ | √ | √
Disability | √ | √ | √
Marriage and Civil Partnerships | √ | √ | √
Human Rights | √ | √ | √
Why do we need this document or do we need to change the service?
To meet legislative requirements, reduce the risk of Information Governance related incidents and ensure organisational learning.
It is important that appropriate and relevant information is used about the different protected groups that will be affected by this document or service change. Information from your service users is in the majority of cases, the most valuable.
Information sources are likely to vary depending on the nature of the document or service change. Listed below are some suggested sources of information that could be helpful:
• Results from the most recent service user or staff surveys.
• Regional or national surveys.
• Analysis of complaints or enquiries.
• Recommendations from an audit or inspection.
• Local census data.
• Information from protected groups or agencies.
• Information from engagement events.
Step 4. Analyse your information. Ask yourself two simple questions:
• What will happen, or not happen, if we do things this way?
• What would happen in relation to equality and good relations?
In identifying whether a proposed document or service change discriminates unlawfully, consider the scope of discrimination set out in the Equality Act 2010, as well as direct and indirect discrimination, harassment, victimization and failure to make a reasonable adjustment.
Findings of your analysis
Description | Justification of your analysis
No major change | Your analysis demonstrates that the proposal is robust and the evidence shows no potential for discrimination. Implementation of this policy will have no potential for discrimination, as it applies to all staff.
Adjust your document or service change proposals | This involves taking steps to remove barriers or to better advance equality outcomes. This might include introducing measures to mitigate the potential effect.
Continue to implement the document or service change | Despite any adverse effect or missed opportunity to advance equality, provided you can satisfy yourself it does not unlawfully discriminate.
Stop and review | Where adverse effects cannot be justified or mitigated against, you should consider stopping the proposal. You must stop and review if unlawful discrimination is identified.
5. Next steps.
5.1 Monitoring and Review.
Equality analysis is an ongoing process that does not end once the document has been published or the service change has been implemented.
This does not mean repeating the equality analysis, but using the experience gained through implementation to check the findings and to make any necessary adjustments.
Consider:
How will you measure the effectiveness of this change? Through regular monitoring and reporting as defined in the policy.
When will the document or service change be reviewed? Annually in November of each year in preparation for the completion of the annual IG Toolkit assessment.
Who will be responsible for monitoring and review? Deputy Director of IM&T, Risk Management and the Information Governance Steering Group.
What information will you need for monitoring? Evidence of all IS and IG related work initiatives and incident investigation from Datix.
How will you engage with stakeholders, staff and service users? Through consultation and discussion.
5.2 Approval and publication
The Trust Executive Committee / Policy Management Group will be responsible for ensuring that all documents submitted for approval will have completed an equality analysis.
Under the specific duties of the Act, equality information published by the organisation should include evidence that equality analyses are being undertaken. These will be published on the organisation's “Equality, Diversity and Inclusion” website.
Useful links:
Equality and Human Rights Commission
http://www.equalityhumanrights.com/advice-and-guidance/new-equality-act-guidance/equality-act-guidance-downloads/