Information Governance Framework: Policies

Academic year: 2021



Contents

Policy and approval date:
Information Governance Policy: 22nd July 2013
Information Security Policy: 20th March 2014
HEE FOI Policy: 26th September 2013
Freedom of Information Publication Scheme: 8th October 2013
Data Protection Policy: 26th September 2013
Forensic Readiness Policy: 20th March 2014
Records Management Policy: 20th May 2013
DH Information Requests Policy: 26th September 2013
Procedure for the Dev & Mgt of Policies: 15th April 2013
Incident Reporting Procedure: 20th March 2014
Incident Reporting Policy: 20th March 2014 (working policy pro tem)
Acceptable Use of Mobile Devices and ICT: 24th June 2013
Counter Fraud Policy: 8th October 2013
Conflicts of Interest: 9th July 2013
Business Continuity Policy: 20th May 2013
Raising Concerns at Work (Whistleblowing): 8th October 2013

Information Governance Policy

Version: 1
Ratified by: Operational Management Executive Committee (OMEC)
Date ratified: 22 July 2013
Name and title of originator/author(s): Mike Jones, Corporate Secretary
Name of responsible Director: Lee Whitehead, Director of People & Communications
Date issued: 29 October 2013
Review date: 3 years from date of first publication
Target audience: HEE Staff

Document Status

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled.

As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Contents

1 Introduction
2 Purpose
3 Scope
4 Definitions
5 Duties
6 Main Body of Policy
7 Equality Impact Assessment
8 Implications and Associated Risks
9 Education and Training Requirements
10 Monitoring Compliance and Effectiveness
11 Associated Documentation

1. Introduction

1.1. Information is a vital asset for Health Education England (HEE), in relation to both its business and the efficient management of resources and services. It plays a key part in our governance, performance management and planning.

1.2. It is important that information is managed efficiently, and that this is supported by appropriate policies and procedures that provide a sound governance framework.

1.3. This policy sets out the standards we apply to information governance.

2. Scope

2.1. This policy applies to those members of staff who are directly employed by HEE and for whom HEE has legal responsibility. For staff covered by a letter of authority, honorary contract or work experience placement, the organisation's policies also apply whilst they undertake duties for or on behalf of HEE. Further, this policy applies to all third parties and others authorised to undertake work on behalf of HEE.

3. Principles

3.1. HEE recognises the need for a balance between openness and confidentiality in the management and use of information. We fully support the principles of corporate governance and public accountability, but also recognise the need for confidentiality, supported by security arrangements to safeguard personal information about staff, as well as commercially sensitive and other confidential information. We also recognise the need to share confidential and personal information with stakeholders and others we conduct business with in a controlled way that is consistent with both the interests of that confidentiality and, in certain circumstances, the public interest.

3.2. We believe that accurate, relevant and timely information is vital to deliver high quality services. It is the responsibility of all staff to ensure the quality of information they use in their work and utilise it to enable sensible evidence-based decisions.

4. Standards for information governance

4.1. The policy has four key standards:

• Openness

• Legal compliance

• Information security

• Quality assurance

4.2. Openness

4.2.1. Non-confidential information will be available to the public via the HEE website, in line with best practice principles relating to the Freedom of Information Act 2000.


4.2.2. HEE will establish and maintain policies to ensure compliance with the Freedom of Information Act 2000.

4.2.3. All individuals will be able to access their personal information in accordance with the Data Protection Act 1998.

4.2.4. HEE will have clear arrangements and procedures for liaising with the media and for handling queries from members of the public.

4.3. Legal Compliance

4.3.1. We recognise that identifiable personal information relating to staff or individuals that we do business with is confidential, except where this is in the public domain or otherwise disclosable under the terms of the Freedom of Information Act 2000.

4.3.2. We will establish and maintain policies that ensure compliance with the Data Protection Act 1998 and the common law of confidentiality.

4.3.3. We will establish and maintain policies for the controlled sharing of personal data as appropriate with other agencies, taking account of relevant legislation and guidance from the Information Commissioner’s Office.

4.4. Information Security

4.4.1. HEE will establish and maintain policies for the effective and secure management of its information assets and resources within its IT network.

4.4.2. We will promote effective confidentiality and security practices to our staff through the provision of relevant policies, procedures and training.

4.4.3. We will establish and maintain incident reporting procedures and monitor and investigate all reported instances of actual or potential breaches of confidentiality, loss of personal data and breaches of security.

4.5. Information Quality Assurance

4.5.1. HEE will establish and maintain policies and procedures for information quality assurance and the effective management of records.

4.5.2. Managers are expected to take ownership of, and seek to continually improve, the quality of information in their service areas.

4.5.3. Wherever possible, information quality should be assured at the point of collection.

4.5.4. Data standards will be set through clear and consistent definition of data items, in accordance with national standards.

4.5.5. We will promote information quality and effective records management through the provision of relevant policies, procedures and training.


5. Responsibilities

5.1. The Senior Information Risk Owner (SIRO), Lee Whitehead, has ultimate responsibility for HEE's Information Governance policy, ensuring it remains aligned with legal and NHS requirements.

5.2. The Caldicott Guardian, Chris Welsh, is responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing.

5.3. The Corporate Secretary is responsible for the day-to-day oversight of Information Governance: developing and maintaining policies, procedures and guidance, setting standards, coordinating work across the organisation and raising general awareness of information governance best practice.

5.4. All HEE managers are responsible for ensuring that the policy and its supporting standards are maintained locally, in order to achieve full compliance across the whole organisation.

5.5. All staff, whether permanent, temporary or contracted, are responsible for ensuring that they are aware of the policy's requirements and that these are complied with in conducting everyday business.

6. Review

6.1. This policy will be reviewed every three years.

7. Related policies

7.1. Data Protection Policy
7.2. Information Security Policy
7.3. Records Management Policy
7.4. Incident Reporting Policy
7.5. Protective Marking Policy

8. Equality Impact Assessment (EIA)

8.1. It has been assessed that the impact or potential impact of the Information Governance Policy is “no impact”.

9. Education and Training Requirements

9.1. Mandatory training on Information Governance is required for all staff working in the NHS. This will be available through OLM e-Learning.

10. Monitoring Compliance and Effectiveness

10.1. All information governance policies and procedures will be subject to periodic audit and review, to provide assurance to the Executive Team and the Audit and Risk Committee that they remain fit for purpose and that HEE remains compliant.

Information Security Policy

Version: 2
Ratified by: HEE Board
Date ratified: 20th March 2014
Name and title of originator/author(s): Mike Jones, Corporate Secretary
Name of responsible Director: Lee Whitehead, Director of People and Communications
Date issued: 4th July 2014
Review date: 3 years from date of first publication
Target audience: HEE Staff

Document History:
Approved by Exec Team 06/03/2014
Approved by HEE Board 20/03/2014


Version Control Sheet

Document Title: Information Security Policy
Version: 2.0

The table below logs the history of the steps in development of the document (see example below).

Version | Date | Author | Status | Comment

Contents

1 Introduction
2 Objective
3 Scope of this Policy
4 Accountability
5 Definition of Terms
6 Procedure
7 Training Needs Analysis
8 Equality Impact Assessment
9 Implementation and Dissemination
10 Monitoring compliance with and the effectiveness of the policy

1 Introduction

1.1 This document defines the Information Security Policy for Health Education England (HEE).

1.2 The Information Security Policy applies to all business functions, information systems, networks, physical environments and relevant people who support those business functions.

1.3 This document:

a) Sets out HEE's policy for the protection of the confidentiality, integrity and availability of its assets; that is, hardware, software and information handled by information systems, networks and applications;

b) Establishes the responsibilities for information security;

c) Provides references to documentation relevant to this policy.

1.4 The purpose of this policy is to ensure the proper use of HEE's networks and to make users aware of what we deem acceptable and unacceptable system use.

1.5 Evidence that any user is not adhering to this policy will be dealt with under HEE's Disciplinary Procedure.

2 Objective

2.1 The objective of this policy is to ensure the security of HEE's information assets. To do this we will:

a) Ensure Availability: ensure that assets are available for users;

b) Preserve Integrity: protect assets from unauthorised or accidental modification;

c) Preserve Confidentiality: protect assets against unauthorised disclosure.

3 Scope of this policy

3.1 This policy applies to all information media, systems, networks, portable devices, applications, locations in use by HEE and/or organisations hosted by HEE and using relevant IT networks and/or systems.

4 Accountability

4.1 HEE Board

The Board is responsible for ensuring that the necessary support and resources are available for the effective implementation of this Policy.

4.2 Executive Team

Executive Directors are responsible for the review and approval of this policy.

4.3 Director of People and Communications

The Director of People and Communications has organisational responsibility for all aspects of Information Governance and is the Senior Information Risk Owner (SIRO). This includes responsibility for ensuring that HEE has appropriate systems, policies and procedures in place to maintain effective Information Governance.

4.4 Information Asset Owners

Information Asset Owners (IAOs) are responsible for the security of all assets that they have been assigned.

4.5 Heads

Team heads are responsible for ensuring that they and their teams are adequately trained, and are familiar with the content of this policy.

4.6 Employees

All employees are responsible for:

• Ensuring compliance with this policy

• Seeking advice, assistance and training where required

5. Definition of terms

The words used in this policy are used in their ordinary sense. The use of technical terms has been minimised.

6 Procedure

6.1 The overall Information Security Policy procedure for HEE is described below. HEE information systems, applications and networks will be available when needed; they will be accessed by legitimate users only and should contain complete and accurate information. The information systems, applications and networks must also be able to withstand or recover from threats to their availability, confidentiality and integrity. To satisfy this, HEE commits to the following actions:

a) Protect all hardware, software and information assets under its control. This will be achieved through the implementation of a set of well-balanced technical and non-technical measures;

b) Provide both effective and cost-effective protection that is commensurate with the risks to its assets;

c) Implement the Information Security Policy in a consistent, timely and cost-effective manner;

d) Where relevant, HEE will comply with the following:

- Copyright, Designs & Patents Act 1988
- Access to Health Records Act 1990
- Computer Misuse Act 1990
- The Data Protection Act 1998
- The Human Rights Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- The Environmental Information Regulations 2004
- Health & Social Care Act 2001

e) HEE will also comply with other laws and legislation as appropriate.

6.2 Risk assessment

6.2.1 HEE in conjunction with its IT partners will carry out security risk assessment(s) in relation to all business processes that are covered by this policy. These risk assessments will cover all information systems, applications and networks used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in


6.3 New systems – responsibilities

6.3.1 The Head of IT will ensure that project managers (normally regional IT leads) produce and implement effective security counter-measures and relevant security documentation, security operating procedures and contingency plans reflecting the requirements of the System Security Policy, as part of the project to implement a system.

6.3.2 All new systems will be reviewed with relevant security approaches approved by the Head of IT and signed off by the HEE SIRO.

6.4 Accreditation of information systems

6.4.1 HEE is responsible for ensuring that its information systems do not pose an unacceptable security risk to the organisation.

6.5 Malicious software

6.5.1 The Head of IT will ensure that IT service partners have measures in place to detect and protect networks from viruses and other malicious software.

6.6 Unauthorised software

6.6.1 All software used on HEE equipment must have a valid licence agreement. Software may only be installed onto a computer by and with the approval of regional IT leads and/or the Head of IT. Any person who installs or attempts to install unauthorised software onto a computer may be subject to HEE’s disciplinary process.

6.7 System change control

6.7.1 HEE will ensure that the relevant Project Manager or IAO reviews changes to the security of any information system, application or network. In addition, all such changes must be reviewed and approved by the Head of IT. The relevant Project Manager or IAO is responsible for updating all relevant system documentation.

6.7.2 The IAO may require checks on or an assessment of the actual implementation based on changes implemented.

6.8 External network connections


6.8.2 The Head of IT must approve all connections to external networks and systems before they commence operation.

6.8.3 All external connections must be protected by an appropriately configured firewall.

6.9 System configuration management

6.9.1 The Head of IT will work with regional IT leads to ensure that there is an effective configuration management system for all information systems, applications and networks.

6.10 Technical compliance checking

6.10.1 The SIRO will ensure that Information systems are regularly checked for compliance with security implementation standards.

6.11 Business continuity and disaster recovery plans

6.11.1 The SIRO will ensure that business continuity plans and disaster recovery plans are in place for all critical applications, systems and networks.

6.11.2 The plans must be reviewed and tested on a regular basis.

6.12 Secure Disposal or Re-use of Equipment

6.12.1 All Users must ensure that where equipment is being disposed of, all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. For advice on assessment of re-use or destruction of equipment contact the Head of IT.

6.13 Reporting Data Security Breaches and Weaknesses

6.13.1 Data Security Breaches and weaknesses, such as the loss of data or the theft of a laptop, must be reported in accordance with the requirements of the HEE incident reporting procedure.

7 Training Needs Analysis

7.1 HEE will provide basic system security training through induction and/or mandatory Information Governance training. All training throughout HEE will be recorded by the HR Team.


8 Equality impact assessment

8.1 HEE aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage compared to others.

9 Implementation and dissemination

9.1 Following ratification by the Executive Team this policy will be disseminated to staff via the HEE intranet and communication through in-house corporate communication channels.

This Policy will be reviewed every two years or as appropriate to respond to changes in relevant legislation or national guidance.

10 Monitoring compliance with and the effectiveness of the policy

An assessment of compliance with requirements will be undertaken each year as part of HEE’s annual Information Governance Toolkit submission.

11 REFERENCES

Related documents include:

Disciplinary Procedure
Information Governance Policy
Confidentiality Policy

Freedom of Information Act 2000 Policy and Procedure

Version: V2
Ratified by: OMEC
Date ratified: 26 September 2013
Name and title of originator/author(s): Mike Jones, Corporate Secretary
Name of responsible Director: Lee Whitehead, Director of People and Communications
Date issued:
Review date: Annual
Target audience: All HEE Staff
Document History:


Health Education England (HEE), as the new body that has taken on responsibility for education, training and development across the NHS and public health system, will take on responsibility for delivery of the Secretary of State's duty. HEE will provide national leadership for education and training and will be accountable for the investment of education and training resources, which in 2013/14 totals around £4.9 billion.

As such we are fully committed to the principles of transparency and openness as well as the protection of personal information, and we recognise the importance of both the Freedom of Information Act 2000 (FOIA) and the Data Protection Act 1998 (DPA) and the relevance of both for the way in which we manage and disseminate information.

This FOIA policy document establishes a framework to ensure that all requests for information made in accordance with the FOIA are dealt with properly and compliantly.

Glossary of Terms

Absolute Exemption: those circumstances where a decision may be made not to disclose information without any requirement to consider the public interest test.

Applicant: an individual, group or organisation requesting information.

Classes of Information: broad categories in which information is proactively made available.

Exemption: those circumstances within which a decision may be made not to disclose information.

Personal Information: information from which an individual can be identified.

Publication Scheme: the legally required mechanism for making information held by HEE routinely and proactively available.

Public Authorities: public sector organisations as defined by the Freedom of Information Act 2000 (FOIA).

Public Interest: an additional test applied to information being considered for disclosure in some cases; a consideration of "the greater good", which is not the same as what people are interested in.

Qualified Exemption: those circumstances where a decision not to disclose may be made only if the public interest in maintaining the exemption outweighs the public interest in disclosure (contrast Absolute Exemption).

Third Party: where information is requested about someone other than the applicant.


1. Introduction

1.1 The FOIA was enacted in 2000 and came fully into effect on 1 January 2005. The FOIA provides a general right of access to all information held by public authorities and places certain obligations upon them. The existence and application of the exemptions help manage access to information, particularly when requests are made for information which is considered to be extremely sensitive, or where the burden on the resources of public authorities in managing a response is considered out of proportion to the benefits in terms of transparency and accountability.

1.2 The main features of the FOIA are:

• A general right of access to recorded information held by public authorities, subject to certain conditions and exemptions
• A general duty to confirm or deny to the applicant whether information is held by the public authority, in most cases irrespective of whether the information which has been requested is to be disclosed
• A general duty to advise and assist the applicant
• A specific duty which applies to every public authority to adopt and maintain a publication scheme approved by the Information Commissioner, through which it must proactively and routinely publish information.

2. Objectives of the Policy

The key objectives of this policy and these procedures are:

• To ensure that all information other than that which can be considered to be 'personal data' is processed in accordance with the requirements of the FOIA
• To meet the requirements of the Information Governance Toolkit
• To provide guidance on the correct way to handle requests for information.

3. Scope of the Policy

3.1 This policy covers all records created in the course of the business of HEE, i.e. corporate records (minutes, agendas etc.), which are also public records under the terms of the Public Records Acts 1958 and 1967. It also includes email messages and other electronic records as well as informal meeting notes. No subject matter is excluded from consideration for disclosure, including information relating to contracts, financial arrangements and other sensitive areas.

3.2 This policy and procedure applies to all employees of HEE, including permanent, temporary and contract staff, who come into contact with information, as well as those working for organisations hosted by HEE.

4.1 HEE is required to meet a number of statutory obligations arising from the implementation of the FOIA. These are:

• To adopt and maintain a Publication Scheme
• To respond to requests for information in compliance with the terms of the FOIA.

4.2 Publication Scheme

4.2.1 HEE has adopted the 2009 Model Publication Scheme as set out by the Information Commissioner and has made it available on-line and in hard copy. A guide to the Publication Scheme has also been produced and is similarly available. The Publication Scheme will be regularly reviewed by relevant HEE Directorates and updated to ensure the relevance of the information contained within it.

4.2.2 Requests for a hard copy of the Publication Scheme, and requests for information contained within the Publication Scheme, may be made to the FOIA/DPA Manager at HEE.

5. Responding to Requests for Information

5.1 The FOIA confers two general rights on the public, a right:

• To be informed whether a public body holds information which has been requested; and
• To see that information.

5.2 It is a legal requirement that requests for information are met within 20 working days of receipt of the request, and it is the policy of HEE that this time limit will be met in all cases.

5.3 It is important to note that in order to fall within the terms of the FOIA a request must be in writing, but it does not have to quote the FOIA to be a valid request. It is therefore essential that all staff are aware of their responsibility to recognise requests and to act in compliance with the legislation.

5.4 Any request for information to HEE should be treated as a request under the FOIA. However, it has always been recognised that there are really two levels of request: those that can be classified as 'normal business' and those which are 'sensitive' or which raise particular issues for HEE. HEE has adopted the following benchmarks to define 'normal' business:

• Can the information which has been requested be located within the 20 working day time limit?
• Will it cost less than £450.00, calculated at the statutory rate of £25.00 per hour, to find and collate the information?
• Can all the information be disclosed?

5.5 If the answer to all of these questions is 'yes' then the request should be dealt with locally and not referred to the FOIA/DPA Manager. However, the time limit must still be adhered to, and if a situation develops where it becomes obvious that consideration may have to be given to non-disclosure of information which has been requested, then the FOIA/DPA Manager must be consulted immediately.

5.6 If, however, the answer to any of the questions is 'no', the recipient should immediately seek advice from the FOIA/DPA Manager about what to do, usually within 48 hours. The request will then be processed as a formal FOI request and the advice of the FOIA/DPA Manager will be followed.

5.7 In HEE, responsibility for dealing with requests for information under the FOIA lies with the Communications Directorate, and responsibility for review with the Corporate Secretary.

6. Exemption Information

6.1 The FOIA is designed to create a new culture of openness and accessibility, to allow individuals to access more information held within public authorities than they could before. However, this entitlement to information is not unlimited. The FOIA recognises that there is a need to limit the right of access, and this is done by the engagement of the exemptions. Several sections of the FOIA confer an absolute exemption on the disclosure of information. These may also, exceptionally, have the effect of exempting HEE from confirming or denying that the information which has been requested is held by us. However, we will always tell you if we are withholding information or refusing to confirm or deny the existence of any information.

6.2 Other sections of the FOIA direct HEE to consider whether the public interest in maintaining the exemption is greater than the public interest in disclosing the information at all.

6.3 Part II of the FOIA sets out the detail of the exemptions which may be considered when information which is the subject of a request is considered particularly sensitive. The use of any exemption has to be justified; even when the engagement of an exemption can be justified, HEE might decide not to apply it in a spirit of openness and transparency. The exemptions fall into two categories: those that are 'absolute', and those that are 'qualified'.

6.4 Absolute Exemptions

Absolute exemptions may apply when the harm that would be caused by a disclosure is already established. A few examples of when absolute exemptions may apply are:

• When you request access to your personal data under the FOIA when this should be accessed via the DPA
• When you request access to information and the disclosure of that information could result in an actionable breach of confidence
• When you request information from us that you can obtain elsewhere without making a FOI request (a full list can be seen in Appendix 1).

6.5 Qualified Exemptions

Qualified exemptions only apply when the public interest in withholding the information outweighs the public interest in disclosure. A few examples of when a qualified exemption may apply are:

• When you request information that we were intending to publish at a later date
• When you request information where the disclosure could prejudice someone's commercial interests
• When you request information that relates to advice we may have obtained from our legal advisors (a full list can be seen in Appendix 2).

6.6 Disproportionate Cost Exemption

In the event that at first glance it is considered the disproportionate cost exemption might apply, then the relevant department will be asked for an estimate of cost; no effort should be made to find the information at this stage. The estimate should instead be completed as a matter of urgency and the results should be notified to the FOIA/DPA Manager at HEE within 48 hours.

Where HEE estimates that the cost of answering the information request will exceed the appropriate limit (£450 at £25 per hour), it will be under no obligation to provide the information, but must inform the applicant of the reasons for not doing so and give the applicant the opportunity to refine the request, in accordance with Section 16 of the FOIA, which requires that the applicant be provided with advice and assistance. This obligation will normally be undertaken by the FOIA/DPA Manager.

6.7 There are also certain other circumstances in which HEE is not obliged to comply with requests for information:

• If the request is considered vexatious in accordance with S.14 FOIA. HEE will log all requests for monitoring purposes and will thus be able to identify repeated and/or vexatious requests
• If a Fees Notice has been issued to an applicant and the fee is not paid within three months of the date of the Notice.

7. Procedure for Handling Requests

7.1 Requests for information must be put in writing (including email) to HEE in the first instance. Verbal requests are not valid requests under the FOIA, and while they may be dealt with in the course of normal business, the requirements of the FOIA do not apply. If a request is valid under the FOIA then the FOI process must be instigated and the deadline for a


7.2 The procedure to be followed in HEE is shown in the diagram at Appendix 3.

7.3 In order for a request to be valid, HEE must understand what information, in general terms, is being asked for. If this is not clear from the correspondence from the applicant, to the extent that we are unable to commence a search for the information, then this is not a valid request and will not become so until clarification is received. In such cases the 20 working day time limit for compliance will commence only when the valid request is received.

7.4 However, in those circumstances where we have received a valid request but because of its volume we ask the applicant to refine it so that it falls below the limit of disproportionate cost, this process must be completed within the 20 working day limit, which starts with the receipt of the initial valid, albeit voluminous, request.

7.5 Requests for advice, assistance or referral should be made within 48 hours of the request being received by HEE.

8. FOIA Review and Complaint to the Information Commissioner

8.1 It is a requirement of the FOIA that all public authorities subject to the FOIA implement arrangements for reviewing decisions which have been notified to the applicant and with which the applicant is dissatisfied. Requests for review (which are not complaints and which must not be dealt with under the NHS Complaints Code) usually relate to refusals to disclose information, but may also relate to the failure to confirm that information is held or indeed any other part of the process.

8.2 HEE has put in place an independent review process which is headed by the Company Secretary.

8.3 Information about the review process must be included in any correspondence sent to the applicant, in particular and specifically in any Refusal Notice under S.17 (1) of the FOIA which is sent to the applicant.

8.4 All complaints from applicants about HEE FOIA procedures and requests for review against any decisions made must be referred immediately upon receipt to the FOIA/DPA Manager.

9. Fees

9.1 The FOIA requires public authorities to publicise their policies in relation to the charging of Fees and Disbursements under the FOIA.


9.2.1 Unless the amount of information requested clearly falls outside the limit set by the Fees Regulations which apply to the FOIA and the DPA, HEE will not normally levy any Fee for dealing with a request. (However, see point 10.)

9.2.2 Where the statutory cost limit as established in the Regulations is clearly exceeded, HEE will provide the applicant with an estimate of costs and will normally ask the applicant to refine their request so as to fall within the cost limit. Where an applicant fails to respond to such a request, or the request still falls outside the cost limit, the request will normally be refused under the exemption provided by S.12(1) of the FOIA.

9.2.3 HEE as a matter of policy does not normally allow applicants to pay for information where costs exceed the regulatory limit. In the rare, exceptional circumstances in which payment may be agreed, a Fees Notice will be issued and the complete cost of dealing with the request in accordance with the provisions of the FOIA and the Fees Regulations will be charged.

9.2.4 In such exceptional circumstances HEE estimates costs based on the statutorily provided basis of £25.00 per hour. It should be noted that it is the complete cost of location and collation which is chargeable, not merely the portion which falls outside the £450.00 cost limit.

9.2.5 If a Fees Notice is issued and no response is received within 12 weeks, the request for information will be considered to have lapsed.

10. Charges

10.1 The responsibility of HEE is limited to disclosing information in the format in which it is held, and there will be no charge for information which can be accessed via our website, or where it is provided in a single hard copy. However, where other formats or copies are requested then the following charges will apply, which must be paid before the information is provided:-

Photocopying
    One hard copy of the requested information    Free
    Multiple copies                               10p per sheet

Reformatting
    Re-formatting on CD                           £5.00 per CD
    Other formats                                 On application

11. Training

11.1 HEE has provided mandatory training for all staff in relation to the FOIA and how to respond appropriately. Training will be on-going and will be monitored for effectiveness.

12. Review and Monitoring Process and Related Documents


12.1 The Policy will be reviewed regularly by the FOIA/DPA Manager, the Director of Communications and People and the Company Secretary.

12.2 Related Documents

Data Protection Act 1998

13. Appendices

1 Absolute Exemptions
2 Qualified Exemptions


Appendix 1

Absolute Exemptions

Section 21    Information accessible to applicant by other means
Section 23    Information supplied by, or relating to, bodies dealing with security matters
Section 32    Court records etc.
Section 34    Parliamentary privilege
Section 36    Prejudice to effective conduct of public affairs
Section 40    Personal information
Section 41    Information provided in confidence
Section 44    Prohibitions on disclosure where a disclosure is prohibited by an enactment or would constitute a contempt of court.


Appendix 2

Qualified Exemptions

Section 22    Information intended for future publication
Section 24    National security
Section 26    Defence
Section 27    International relations
Section 28    Relations within the United Kingdom
Section 29    The economy
Section 30    Investigations and proceedings conducted by public authorities
Section 31    Law enforcement
Section 33    Audit functions
Section 35    Formulation of Government policy etc.
Section 36    Prejudice to effective conduct of public affairs
Section 37    Communications with Her Majesty etc. and honours
Section 38    Health and safety
Section 39    Environmental information, as this can be accessed through the Environmental Information Regulations
Section 40    Personal information
Section 42    Legal professional privilege
Section 43    Commercial interests


Appendix 3

Process for responding to a request under Freedom of Information

(The original is a flowchart; its boxes are reproduced here as a sequence of steps.)

1. Request for Information received either via the HEE FOI mailbox or by letter.
2. FOI request recorded on the HEE FOI database (Vuelio).
3. Acknowledgement sent by the HEE FOI team within 2 days, stating that a full response will be provided within 20 days.
4. FOI team requests contribution/advice from the appropriate Directorate/LETB.
5. Following sign off of the contribution by a Senior Manager/Director, the response is drafted by the FOI Manager.
6. Response sent by Day 20 with the information requested, or stating on what grounds the information will not be disclosed.

Notes

Requests must be made in writing; verbal requests cannot be accepted.

Is the request 'normal business'? If so, the individual directorate will deal with it themselves. If not 'normal business', the request will be directed to the FOI team, normally within 48 hours.

It is the responsibility of the relevant directorate to produce the information requested as soon as possible and in any event within the timescale set by the Briefing Team.

The Briefing Team will produce the final letter.


FREEDOM OF INFORMATION PUBLICATION SCHEME

Version: Version 3

Ratified by: HEE Board

Date ratified: 8 October 2013

Name and Title of originator/author(s): Chris Brady, FOI Data Protection and Briefing Lead

Name of responsible Director: Lee Whitehead, Director of People and Communications

Date issued: 29 October 2013

Review date: Annually

Target audience: HEE's Stakeholders and members of the public

Document History:
Version 1, 28-05-13, CB for review
Version 2, 14-06-13, NW comments
Version 3, 18-07-13, presented to OMEC
8-10-13, HEE Board


Document Status

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled.

As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.


Executive Summary

This guide explains what information is routinely published by Health Education England (HEE). It is a description of the information about us that is made publicly available as a matter of routine.

HEE has a legal duty to adopt and maintain a Publication Scheme. The purpose of the Freedom of Information Act is to promote greater openness by public authorities.

HEE will review its Publication Scheme at regular intervals and monitor how it is operating. It is important that this Scheme meets the needs of the public and other stakeholders, and it has been designed to be a route map so that you can find information about HEE easily.

The Guide to Information will help you to find all the information that HEE publishes. The Publication Scheme contains 7 classes of information – information falling in each of these classes is published on our website and can be accessed using the links on the following pages. All information published on the website can be accessed free of charge.

 Who we are and what we do

 What we spend and how we spend it

 What are our priorities and how are we doing

 How we make decisions

 Our policies and procedures

 Lists and registers


Contents

Paragraph
1 Introduction
2 Purpose
3 Scope
4 Definitions
5 Duties
6 Main Body of Policy
7 Equality Impact Assessment
8 Education and Training Requirements
9 Monitoring Compliance and Effectiveness
10 Associated Documentation


1. Publication Scheme

1.1. In order to comply with the Freedom of Information Act 2000, public sector organisations such as Health Education England (HEE) have to routinely publish information whenever possible.

1.2. The Information Commissioner, who is responsible for monitoring and enforcing compliance with the Freedom of Information Act 2000, has drawn up what is called a Model Publication Scheme for all public sector organisations, which we have decided to adopt and formally commit to. The Commissioner has also published a 'Definition Document for NHS Organisations' which sets out in some detail what the minimum expectations are. Health Education England has adopted this publication scheme, which can be viewed via the link on the right.

1.3. We have reviewed the information we routinely put into the public domain to ensure we are compliant with the Definition Document. The Publication Scheme includes key headings and links which will take you to this information on our website, which we aim to update on a regular basis.

2. How Health Education England works and fits into the NHS structure

2.1. HEE is a public body and part of the National Health Service. It is a statutory body governed by Acts of Parliament and came into existence on 1st April 2013. As a statutory body, HEE has specific powers to act as regulator, to contract in its own name, to act as a corporate trustee, to fund projects jointly planned with, and to make payments and grants to, Local Education and Training Boards (LETBs), voluntary organisations and other bodies.

2.2. HEE fits into the overall NHS structure as follows:-

www.nhs.uk/nhsengland/thenhs/about/pages/overview.aspx

2.3. HEE was established as a Special Health Authority in June 2012, taking on some functions from October 2012 before assuming full operational responsibilities from April 2013.

2.4. On 28 May 2013, the Government published its mandate for Health Education England. Through this mandate, which covers the period from April 2013 to March 2015, HEE will work towards providing national leadership and strategic direction for high quality education, training and workforce development. The mandate complements our key purpose of developing an NHS workforce with the right behaviours, values and skills to deliver quality patient care, responsive to the diverse and changing needs of patients and the public.


2.5. The mandate is aligned with and reflective of the mandate for NHS England. The mandate recognises the Francis Report recommendations, reflects the increasing importance of public health and requires us to take into account the development of the Public Health England (PHE) strategy and the Secretary of State's four priorities on preventable mortality; long-term conditions; 'being caring' and dementia.

2.6. The plans emphasise the importance of training to support staff providing community care and preventing patients, those with long term conditions for example, needing to go into hospital.

2.7. The mandate includes a focus on:

 recruitment into all new NHS-funded training posts that tests for the appropriate values and behaviours;

 maintaining midwifery training numbers to ensure patient needs are met;

 delivery of additional trained health visitors to increase the workforce by 4,200 full time equivalents by April 2015;

 providing dementia training for all NHS staff who look after patients, ensuring that 100,000 staff have foundation level training by March 2014;

 commissioning the required number of IAPT (increasing access to psychological therapies) training places;

 making progress to ensure that 50 per cent of medical students become GPs; and

 work towards a target of at least 50 per cent of student nurses undertaking community placements by March 2015.

3. Making an FOI request

3.1. Requests for Information should be sent to Chris Brady, the FOI Manager at Health Education England.

3.2. By law, HEE have to deal with such requests within 20 working days. If you make a request and are not satisfied with the way in which we deal with it you may ask us to review any decision we make. If you wish us to undertake such a review, you should write to Lee Whitehead, Director of People & Communications at HEE.

3.3. For lengthy requests for information that would exceed the statutory limit under which Public Authorities are expected to provide information without charge, HEE estimate costs based on a statutorily provided basis of £25.00 per hour. If the estimate exceeds £450.00 in total (18½ hours at £25.00 per hour) then the exemption can be claimed.


3.4. Should Health Education England decide in exceptional circumstances that an applicant should be allowed to pay, it is the complete cost of location etc. which is chargeable, not that which falls outside the £450.00 cost limit.

4. Why

4.1. The establishment and development of HEE was set out in 'Liberating the NHS: Developing the Healthcare Workforce, From Design to Delivery', the Government's policy for a new system for planning and commissioning education and training. The driving principle for reform of the education and training system is to improve care and outcomes for patients, and HEE exists for one reason alone – to help ensure delivery of the highest quality healthcare to England's population, through the people HEE recruits, educates, trains and develops.

4.2. HEE's mandate from the Government sets out clearly the plans for education and training that will be the cornerstone for the delivery of high quality, effective, compassionate care, by recruiting for values and training for skills. Our £5 billion budget will allow us to recruit, train and develop a workforce that will deliver improved care to patients. "The mandate is set out under six broad themes - support for service priorities, NHS values and behaviours, excellent education, competent and capable staff, working in partnership and value for money. It covers the two years from April 2013 to March 2015 and will be reviewed in autumn 2013."

5. Role

5.1. HEE will provide leadership for the new education and training system. It will ensure that the shape and skills of the future health and public health workforce evolve to sustain high quality outcomes for patients in the face of demographic and technological change. HEE will ensure that the workforce has the right skills, behaviours and training, and is available in the right numbers, to support the delivery of excellent healthcare and drive improvements. HEE will support healthcare providers and clinicians to take greater responsibility for planning and commissioning education and training through the development of Local Education and Training Boards (LETBs), which are statutory committees of HEE.

6. Function

6.1. The key national functions of the organisation will include:

6.1.1. Providing national leadership for planning and developing the whole healthcare and public health workforce


6.1.2. Authorising and supporting development of Local Education and Training Boards and holding them to account

6.1.3. Promoting high quality education and training which is responsive to the changing needs of patients and communities and delivered to standards set by regulators

6.1.4. Allocating and accounting for NHS education and training resources – ensuring transparency, fairness and efficiency in investments made across England

6.1.5. Ensuring security of supply of the professionally qualified clinical workforce

6.1.6. Assisting the spread of innovation across the NHS in order to improve quality of care

6.1.7. Delivering against the national Education Outcomes Framework to ensure the allocation of education and training resources is linked to quantifiable improvements

6.2. If you require information which is not on our website or otherwise available through our guide to information, you may ask us for it in accordance with further provisions of the Freedom of Information Act 2000 and of the Environmental Information Regulations 2005.

7. Who we are and what we do

7.1. How we fit into the NHS structure: This section explains what our main responsibilities are and what Health Education England comprises.

7.1.1. Xxxxxxx

7.2. Organisational structure: Our organisational structure is included in this section.

7.2.1. Xxxxxxxxxxxxxx

7.3. Lists of and information relating to organisations with which Health Education England works in partnership: we expect to update this section with more information about our key partners as we start to build relationships with stakeholders.

7.4. Senior staff and management board members: Details relating to HEE Board and Directors can be found in this section.


7.5. Location and contact details for all public-facing departments: Our location, including maps and contact details, can be found in this section.

7.5.1. xxxxxxxxxxxxxxxxxx

8. What we spend and how we spend it

8.1. Annual statements of accounts: This section contains our Annual Report, which includes the annual statements of account. The 2012/13 Annual Report & Accounts will be published after being laid before Parliament.

8.2. Budget and variance reports: Budget and variance reports are routinely made to each meeting of Health Education England's Board. These can be found amongst the papers for each of the Board meetings.

8.2.1. xxxxxxxxxxxxxxxxxxxxxxxxxxxx

8.3. Financial audit reports: The Annual Audit Letter and the minutes of our Audit Committee meetings can be found in our board meeting papers.

8.3.1. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

8.4. Staff and Board members' allowances and expenses: This information is included in Health Education England's Annual Report.

8.5. Details of Directors' expenses are currently being collated and will be published here shortly.

8.6. In this section there are details relating to staff pay and grading along with the Agenda for Change handbook and Very Senior Managers framework.

8.6.1. xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

8.7. Procurement and tendering procedures: Procurement and tendering procedures adopted by Health Education England.

8.7.1. xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

8.8. Details of contracts currently being tendered: Contracts currently tendered can be found in this section. This list is updated regularly on a monthly basis.


8.9. If you require any further information about contracts being tendered please contact xxxxxxxxxx

8.10. Lists and value of contracts awarded: The list and value of contracts over £50k is included in this part of the Publication Scheme.

8.10.1. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

9. What our priorities are and how we are doing

9.1. Annual Report: This section includes a link to HEE's current Annual Report, where the appropriate file can be downloaded.

9.1.1. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

9.2. Annual business plan: HEE's Annual Business Plan is published on the website below.

9.2.1. xxxxxxxxxxxxxxxx

9.3. Strategic direction document

9.3.1. xxxxxxxxxxxxxxxxxxx

9.4. Performance against targets/performance framework: Regular updates on performance can be found in xxxxxxx. A link can be found on the website below.

9.4.1. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

10. How we make decisions

10.1. Board papers – agenda, supporting papers and minutes: Information regarding board meetings, including agenda, papers and previous minutes, can be found on the website below. This section is updated before every meeting.

10.1.1. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

10.2. Audit reports: The minutes from our Audit and Risk Committee meetings can be found in our Board papers.


10.2.1. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11. Our policies and procedures

11.1. A full list of HEE's policies, the Policy Register and copies of approved policies will be published on the website as they become available.

12. Lists and registers

12.1. HEE are required to make public the following registers:

12.1.1. Main contractors/suppliers
12.1.2. Asset Register
12.1.3. Information Asset Register
12.1.4. Board Members' Declarations of Interest
12.1.5. Gifts & Hospitality Register
12.1.6. FOI Disclosure log

12.2. These registers will be published on the HEE website as they become available through 2013/14.


Data Protection Policy

Version: V1

Ratified by: Operational Management Executive Committee

Date ratified: 26/09/13

Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and Briefing Lead

Name of responsible Director: Lee Whitehead, Director of People & Communications

Date issued: 29/10/2013

Review date: 3 years from date of first publication

Target audience: All HEE Staff


Document Status

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled.

As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.


Contents

Paragraph    Page
1 Introduction 4
2 Aim 4
3 Legislation 4
4 NHS & Related Guidance 4
5 Responsibilities 5
6 Security & Confidentiality 5
7 Database Management 5
8 Back Ups 6
9 Disclosure of Information 6
10 Disclosure of Information Outside the EEA 6
11 Training 7
12 Induction 7
13 Contracts of Employment 8
14 Disciplinary 8
15 Monitoring and Audit 8
16 Subject Access Requests 8
17 Disclosure of Personal Information 9


1. Introduction

1.1. Health Education England (HEE) has a legal obligation to comply with all appropriate legislation in respect of Data, Information and IT Security. It also has a duty to comply with guidance issued by the Department of Health, the Information Commissioner, other advisory groups to the NHS and guidance issued by professional bodies.

1.2. Penalties could be imposed upon HEE, and/or employees for non-compliance with relevant legislation and NHS guidance.

2. Aim

2.1. This Data Protection Policy details how HEE will meet its legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements within the Policy are primarily based upon the Data Protection Act 1998 as that is the key piece of legislation covering security and confidentiality of personal information.

3. Legislation

3.1. For the purpose of this Policy other relevant legislation and appropriate guidance may be referenced. The legislation listed below also refers to issues of security and or confidentiality of personal identifiable information/data:

 Data Protection Act 1998

 Access to Health Records 1990

 Access to Medical Reports Act 1988

 Human Rights Act 1998

 Freedom of Information Act 2000

 Regulation of Investigatory Powers Act 2000

 Crime and Disorder Act 1998

 Computer Misuse Act 1990

 Criminal Justice and Immigration Act 2008

4. NHS & Related Guidance

4.1. The following are the main publications referring to security and or confidentiality of personal identifiable information/data (see section A for more information):

 Confidentiality: NHS Code of Practice

 Records Management: NHS Code of Practice

 Information Security: NHS Code of Practice


5. Responsibilities

5.1. The Chief Executive Officer has overall responsibility for the Data Protection Policy within HEE. The implementation of, and compliance with, this Policy is delegated to the Data Controller (Director of People & Communications) and the Data Protection Lead. The Data Protection Lead will report data protection issues to the Data Controller who will have responsibility for bringing these to the attention of HEE’s Executive Team.

5.2. The Data Protection Lead role includes:

 Maintaining registrations

 Facilitating training sessions

 Dealing with subject access requests

 Acting as initial point of contact for any data protection issues which may arise within HEE

 Providing reports to the HEE Executive Team as required

 Auditing data protection compliance

 Facilitating action in areas identified as being non-compliant

 Assisting with complaints concerning data protection breaches

 Acting as the interface between data protection and freedom of information

5.3. This Policy will be reviewed annually, or more frequently if appropriate, to take into account changes to legislation that may occur, and/or guidance from the Department of Health, the Information Commissioner or any relevant case law.

5.4. The day to day responsibilities for enforcing this Policy will be devolved to application/system managers and other nominated personnel. In order to fulfil their roles, the Data Protection Lead in conjunction with the Data Controller will ensure that regular training is provided to remind these personnel of these responsibilities and the most effective way of ensuring adequate information security and confidentiality.

6. Security & Confidentiality

6.1. All information relating to identifiable individuals, and any information that may be deemed sensitive, must be kept secure at all times. HEE will ensure there are adequate policies and procedures in place to protect against unauthorised processing of information and against accidental loss, destruction and damage to this information.

7. Database Management

7.1. The HEE Data Protection Lead will ensure that all databases that require registration are registered in accordance with the DPA requirements and these registrations are reviewed on a regular basis. Each computer system/database will have a
