Policy Number / Version: v2.0
Ratified by: Audit Committee
Date ratified: 25th February 2015
Review date: 24th February 2016
Name of originator/author: CSU Information Governance Team
Name of responsible committee/individual: Audit Committee/Chief Finance Officer
Target audience: All staff, including temporary staff and contractors
Information
VERSION CONTROL
Policy Name:
Version | Valid From | Valid To | Document Path/Name
1.0 | 15 May 2013 | 14 May 2014 |
1. Introduction
Information is a vital asset, both in terms of clinical management of individual patients and the efficient planning and management of services and resources.
It is therefore of paramount importance to ensure that information is effectively managed and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management.
This policy provides assurance to the CCG and to individuals that personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible care.
The CCG will establish and maintain this policy and the associated procedures to ensure compliance with the requirements contained in the Health and Social Care Information Centre’s (HSCIC) Information Governance Toolkit.
This policy and its supporting procedures are fully endorsed by the Board through the production of these documents and their minuted approval.
2. Scope
2.1 This policy covers all aspects of information within the organisation, including but not limited to:
• Personal Information
- Patient/client/service user information
- Employee information
• Organisational Information
2.2 This policy covers all aspects of handling information, including but not limited to:
• Structured record systems – paper and electronic
• Transmission of information – fax, email, other forms of electronic transmission such as FTP, post and telephone
2.3 This policy covers all information systems purchased, developed and managed by or on behalf of the CCG, and any individual directly employed or otherwise by the CCG.
2.4 The key component underpinning this policy is the annual action plan arising from a baseline assessment against the standards set out in the HSCIC’s Information Governance Toolkit.
2.6 The policy therefore links into all these aspects of the CCG and should be reflected in these respective strategies/policies.
3. Principles
The CCG recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.
The CCG fully supports the principles of corporate governance and recognises its public accountability. It equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information.
The CCG also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
The CCG believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all CCG employees to ensure and promote the quality of information and to actively use information in decision making processes.
There are 4 key interlinked strands to the information governance policy:
• Openness and transparency
• Legal compliance
• Information security and risk
• Quality assurance
3.1 Openness & Transparency
• The CCG recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.
• Patients will have access to information relating to their own health care, options for treatment and their rights as patients. There will be clear procedures and arrangements for handling queries from patients and the public.
• The CCG will have clear procedures and arrangements for liaison with the press and broadcasting media.
• Integrity of information will be developed, monitored and maintained to ensure that it is appropriate for the purposes intended.
• The CCG regards all identifiable information relating to patients as confidential. Compliance with legal and regulatory framework will be achieved, monitored and maintained.
• The CCG regards all identifiable information relating to staff as confidential except where national policy on accountability and openness requires otherwise.
• The CCG will ensure that when person identifiable information is shared, the sharing complies with the law, guidance and best practice, and that both service users’ rights and the public interest are respected.
• Non-confidential information relating to the CCG and its services is available to the public through a variety of media, in line with the Freedom of Information Act and Environmental Information Regulations.
• The CCG will establish and maintain policies and procedures to ensure compliance with the Data Protection Act, Human Rights Act, the common law duty of confidentiality and the Freedom of Information Act and Environmental Information Regulations.
• Information Governance training including awareness and understanding of Caldicott principles and confidentiality, information security, records management and data protection will be mandatory for all staff. Information governance will be included in induction training for all new staff.
3.2 Legal Compliance
• The CCG regards all identifiable information relating to patients as confidential.
• The CCG will undertake or commission annual assessments and audits of its compliance with legal requirements through the IG Toolkit.
• The CCG regards all person identifiable information relating to staff as confidential, except where national policy on accountability and openness requires otherwise.
• The CCG will establish and maintain procedures to ensure compliance with the Data Protection Act, Human Rights Act and common law confidentiality.
• The CCG will establish and maintain procedures for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).
3.3 Information Security and Risk
• The CCG will establish and maintain procedures for the effective and secure management of its information assets and resources.
• The CCG will undertake or commission annual assessments and audits of its information and IT security arrangements through the IG Toolkit framework.
• The CCG will promote effective confidentiality and security practice to its staff through procedures and training.
• The CCG will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.
• The CCG will establish and maintain risk management and reporting procedures, will have risk controls in place and will monitor all reported information risks.
3.4 Information Quality Assurance
• The CCG will establish and maintain procedures for information quality assurance and the effective management of records.
• The CCG will undertake or commission annual assessments and audits of its information quality and records management arrangements in line with IG toolkit requirements.
• The CCG will ensure that information is managed throughout its lifecycle of creation, retention, maintenance, use and disposal.
• The CCG will ensure that information is effectively managed so that it is accurate, up to date, secure, retrievable and available when required.
• Employees are expected to take ownership of, and seek to improve, the quality of information within their services.
• Information quality should be assured at the point of collection.
• The CCG will promote information quality and effective records management through procedures and training.
4. Responsibilities
The Chief Officer as Accountable Officer of the CCG has overall accountability and responsibility for Information Governance in the CCG and is required to provide assurance, through the Annual Governance Statement that all risks to the CCG, including those relating to information, are effectively managed and mitigated.
The Senior Information Risk Owner (SIRO) is an Executive Director of the CCG Board. The SIRO is expected to understand how the strategic business goals of the CCG will be impacted by information risks. The SIRO will act as an advocate for information risk on the Board and in internal discussions, and will provide written advice to the Accountable Officer on the content of their Annual Governance Statement in regard to information risk.
The SIRO will provide an essential role in ensuring that identified information security threats are followed up and incidents managed. They will also ensure that the Board and the Accountable Officer are kept up to date on all information risk issues. The role will be supported by the Midlands and Lancashire Commissioning Support Unit Information Governance Team, the CCG Caldicott Guardian, and a network of Information Asset Owners and Information Asset Administrators, although ownership of the information risk assessment process will remain with the SIRO.
Information Asset Owners (IAOs) shall ensure that information risk assessments are performed at least once each quarter on all information assets where they have been assigned ‘ownership’, following guidance from the SIRO on assessment method, format, content and frequency. IAOs shall submit the risk assessment results and associated plans to the SIRO for review, along with details of any assumptions or external dependencies. Mitigation plans shall include specific actions with expected completion dates, as well as an account of residual risks.
The organisation must have a Caldicott Guardian. This role is an amalgamation of management and clinical issues which helps to ensure the involvement of healthcare professionals in relation to achieving improved information governance compliance. The Caldicott Guardian has responsibility for ensuring that all staff comply with the Caldicott Principles and the guidance contained in the Health and Social Care Information Centre’s (HSCIC) document – “A Guide To Confidentiality in Health and Social Care”.
The Caldicott Guardian will guide the organisation on confidentiality and protection issues relating to patient information. This role is pivotal in ensuring the balance between maintaining confidentiality standards and the delivery of patient care. The Caldicott Guardian will also advise the Board on progress and major issues as they arise.
The Audit Committee is responsible for overseeing day to day Information Governance issues, developing and maintaining policies, standards, procedures and guidance, coordinating and raising awareness of Information Governance in the CCG.
responsible for ensuring that staff attend mandatory awareness training and refresher training as required.
All staff, whether permanent, temporary or contracted, are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis.
5. Training/Awareness
Information governance will be a part of an induction process. All new and existing staff will receive annual mandatory training and guidance on information governance, which will include Caldicott and confidentiality, data protection, information security and Freedom of Information.
6. Monitoring/Audit
• The CCG will monitor this policy and related strategies and procedures through the Audit Committee.
• An assessment of compliance with the requirements of the Information Governance Toolkit (IGT) will be undertaken each year. The CCG will identify staff to undertake the Administrator, Reviewer and User roles as described in the IGT.
• The Audit Committee will ensure implementation of the Information Governance Strategy.
• Annual reports and proposed action/development plans will be presented to the CCG Board for approval prior to submission of the IGT.
• The policy and associated procedures will be subjected to both internal and external audit reviews.
• The CCG will ensure that the support infrastructure for the SIRO is in place, and is kept under regular review.
7. Information Governance Management
Information Governance management across the organisation will be co-ordinated by the Audit Committee.
The responsibilities of the Audit Committee will include, but not be limited to:
• Recommending policies and procedures to the appropriate CCG Board for approval.
• Recommending the annual submission of compliance with requirements in the IGT and
• Co-ordinating and monitoring the Information Governance Strategy across the organisation
The Audit Committee will endorse the Information Governance Strategy for the CCG.
8. Information Governance Improvement Plan
The Audit Committee will be responsible for monitoring the improvement plans and associated progress. The improvement plan is fundamental to the organisation achieving compliance with the Information Governance Toolkit. It is essential that the Audit Committee is updated on the progress of the plan and of any associated risks which will affect the organisation’s ability to achieve IG Toolkit compliance. The Improvement Plan can be found in Appendix 2.
9. Review
This policy and associated strategy and procedures will be reviewed on an annual basis or earlier if appropriate, to take into account any changes to legislation that may occur, and/or guidance from the Department of Health and/or NHS Executive.
10. Supporting Procedures
Appendix A - Information Governance Management Framework
(Requirement / Detail)
Senior Roles within the CCG
Accountable Officer: Dr Caron Morton, Chief Officer
The Chief Officer, as Accountable Officer of Shropshire CCG, has overall accountability and responsibility for Information Governance in the CCG and is required to provide assurance through the Annual Governance Statement that all risks to the organisation, including those relating to information, are effectively managed and mitigated.
Senior Information Risk Owner: Donna McGrath, Chief Finance Officer
The Senior Information Risk Owner (SIRO) is an Executive Director of Shropshire CCG Board. The SIRO is expected to understand how the strategic business goals of the CCG may be impacted by information risks. The SIRO will act as an advocate for information risk on the Board and in internal discussions, and will provide written advice to the Accountable Officer on the content of their Annual Governance Statement in regard to information risk.
The SIRO will provide an essential role in ensuring that identified information security threats are followed up and incidents managed. They will also ensure that the Board and the Accountable Officer are kept up to date on all information risk issues.
The role will be supported by the Midlands and Lancashire Commissioning Support Unit Information Governance Team and the Caldicott Guardian, although ownership of the Information Risk Agenda will remain with the SIRO.
The SIRO will be supported through a network of Information Asset Owners and Administrators who have been identified and trained throughout the organisation.
Caldicott Guardian: Bharti Patel-Smith, Director of Governance & Involvement
The Shropshire CCG Caldicott Guardian has particular responsibility for reflecting patients’ interests regarding the use of patient identifiable information and for ensuring that the arrangements for the use and sharing of clinical information comply with the Caldicott principles. The Caldicott Guardian will advise on lawful and ethical processing of information and enable information sharing. They will ensure that confidentiality requirements and issues are represented at Board level and within the Shropshire CCG overall governance framework.
Information Governance Organisational Lead: Hayley Gidman, Information Governance Lead (Midlands and Lancashire Commissioning Support Unit)
The key purpose of the role is to ensure Shropshire CCG successfully manages the risks associated with Information Governance & Information Security. The post holder will ensure the establishment of corporate standards and a consistent CCG wide approach to Information Governance & Information Security and will be responsible for assuring the implementation of a range of policies, processes, monitoring audits and training and awareness mechanisms to ensure a high level of compliance with external assessments including the Information Governance Toolkit, Care Quality Commission and the NHS Litigation Authority.
The Senior Information Governance and Information Security Manager will also be responsible for the implementation and ongoing development of the SIRO
Information Governance Organisational Lead: Ilse Newsome, Deputy Chief Finance Officer
The key purpose of the role is to ensure Shropshire CCG successfully implements a range of policies, processes, monitoring audits and training and awareness mechanisms to ensure a high level of compliance with Information Governance & Information Security. The post holder will ensure the implementation of corporate standards and a consistent organisation wide approach to Information Governance & Information Security.
Key Policies
Policies set out the scope and intent of the organisation in relation to the management of Information Governance.
Ratification Schedule: Audit Committee
• Information Governance Policy: 25/02/2015
• Information Governance Handbook: 25/02/2015
Policies are communicated to appropriate staff via the membership of the groups at which they are ratified, and through internal communications utilising the CCG’s intranet site and staff briefing announcements. All policies are available on the CCG’s shared network drive and on the external website at http://www.shropshireccg.nhs.uk/policies#IG.
Key Governance Bodies
A group, or groups, with appropriate authority should have responsibility for the IG agenda.
Audit Committee
The Audit Committee is responsible for overseeing day to day Information Governance issues, developing and maintaining policies, standards, procedures and guidance, coordinating and raising awareness of Information Governance in the CCG.
Resources
Details of key staff roles
Dedicated Information Governance Staff
Information Governance Support Officer: Kate Faulkner-Elliott, [email protected], 07525 613008
Information Security Manager: Andy Thompson, [email protected], 07702 967496
Information Governance Manager: Emma Styles, [email protected], 07825 716409
Information Governance Lead: Hayley Gidman, [email protected], 07809 320323
Governance Framework
Details of how responsibility and accountability for IG is cascaded through the organisation.
Information Asset Owners
Information Asset Owners are senior individuals involved in running the relevant business.
The IAO’s role is to:
- Understand and address risks to the information assets they ‘own’; and
- Provide assurance to the SIRO on the security and use of these assets.
Information Asset Administrators
Information Asset Administrators will:
- Ensure that policies and procedures are followed
- Recognise potential or actual security incidents
- Consult their IAO on incident management
- Ensure that information asset registers are accurate and maintained up to date.
Information Asset Owners have received specialist information risk training to allow them to be effective in their role.
Training and Guidance
Staff need clear guidelines on expected working practices and on the consequences of failing to follow policies and procedures. The approach to ensuring that all staff receive training appropriate to their roles should be detailed.
Information Governance Handbook
Purpose of the Handbook:
• To inform staff of the need and reasons for keeping information confidential
• To inform staff about what is expected of them
• To protect the Organisation as an employer and as a user of confidential information
This Handbook has been written to meet the requirements of:
• The Data Protection Act 1998
• The Human Rights Act 1998
• The Computer Misuse Act 1990
• The Copyright Designs and Patents Act 1988
• A Guide To Confidentiality in Health and Social Care (HSCIC)
This Handbook has been produced to protect staff by making them aware of the correct procedures so that they do not inadvertently breach any of these requirements.
If the Handbook is breached then this may result in legal action against the individual and/or Organisation as well as investigation in accordance with the Organisation’s disciplinary procedures.
The Handbook will be disseminated to all staff working for the CCG and they will be required to acknowledge that they have received and understand the document. In future, any new starters to the organisation will receive a copy of this with their contract. Both should be signed and returned to their line manager and kept on file.
Training for all staff
All staff will receive basic IG training, initially via the “Introduction to Information Governance” module of the Information Governance online training tool (https://www.igtt.hscic.gov.uk/igte/index.cfm). Annual refresher training will then be conducted through face to face training sessions facilitated by the Information Governance Support Officer.
Specialist IG training
As required specialist IG training will be provided across the organisation for those staff that are given additional responsibility for IG within their areas. Current specialist training includes:
• Information Risk Training
• Privacy Impact Assessments
Incident Management
Clear guidance on incident management procedures should be documented and staff should be aware of their existence, where to find them, and how to implement them.
Documented Procedures and Staff Awareness
Incident Management in the CCG is covered in the following organisational policies and procedures:
• Information Governance Policy
• Information Governance Handbook
Staff awareness is raised through the following ways:
• Staff Induction
• Information Governance Training
• Information Risk Training
Appendix B – CCG Improvement Plan 2014-15
Columns: Improvement/Requirement | Measurable Action | Target Dates | Lead/Resources | IG Toolkit elements met by this requirement

Information Governance Management

Information Governance Training – Delivery of all staff IG training
• Deliver face to face refresher IG training within the CCG. Sessions booked for: 31/10/2014; 20/11/2014; 06/01/2015; Jan/Feb 2015 – joint session between Telford & Wrekin and Shropshire CCGs to catch anyone who has not been able to attend the previous three dates.
• Implement new starter IG induction process, including ensuring that the e-learning tool is completed as part of the induction. Target date: Ongoing
• Provide Senior Information Risk Owner (SIRO) training. CCG Resource: SIRO
Lead/Resources: CSU Operational Lead: Information Governance Officer; CSU Strategic Lead: Information Governance Manager; CCG Resource: All Staff
IG Toolkit elements: 12-134, 12-230, 12-234, 12-340, 12-345, 12-420

Information Governance Promotional & Communication Campaign

Raise the profile of IG
• Information Governance Officer visual presence within the CCG base. Target date: Ongoing
• Meet all new CCG starters and conduct an IG induction. Target date: Ongoing
• Development of promotional materials, including the design of screensavers and posters. Target date: December 2014
• Ensure the CCG website meets the requirements of privacy and fair processing notices. Target date: December 2014
• Bi-monthly IG newsletter to be issued to all staff. Target date: Ongoing
Lead/Resources: CSU Operational Lead: Information Governance Officer; CSU Strategic Lead: Information Governance Manager; CCG Resource: All Staff
IG Toolkit elements: 12-130, 12-131, 12-133, 12-134, 12-231, 12-232, 12-234, 12-235, 12-237, 12-250, 12-346, 12-347, 12-348, 12-349, 12-420

Raise awareness of national IG legislation and guidance
• Training sessions to cover the legislative background to IG and any changes to guidance that have been issued. Target date: Ongoing

Staff Engagement
• Use surveys to understand staff’s perception of IG and the general satisfaction levels in relation to the IG communications. Target date: October 2014

Confidentiality & Data Protection Assurance

Confidentiality and Information Security Audits – Identification of those areas within the CCG where patient information is routinely accessed and the systems used to do so.
• Contacting all Information Asset Owners and Assistants to provide updates on the processes and systems used within their departments where patient information is regularly accessed. This will be completed in conjunction with the review of the CCG Information Asset Registers. Where it is identified that staff are accessing patient or confidential information, an audit of those accesses will be completed.
Lead/Resources: Officer; CSU Strategic Lead: Information Security Manager; CCG Resource: All Staff
IG Toolkit elements: 12-348

Smart Card Audit
• Ensure that where staff have a smart card, the appropriate role based access codes are on the card and that historical access codes from previous roles have been removed. Target date: October 2014

Identification of the access controls in place on the systems used by the CCG, including the level of monitoring that is undertaken.
• Contact individual system administrators and/or the IT provider to ensure appropriate controls are in place. Target date: Ongoing

Testing the information recorded within the Information Asset Registers as a true and accurate reflection, using the Plan, Do, Check, Act model of Information Security Assurance.
• To be completed during the final review of asset registers for the financial year. Contacting Information Asset Owners/Assistants to review and record any changes from previously. Carry out an Information Security Audit to test the recorded information. Target date: February 2015

Spot Check Audits
• Completing regular spot checks within the CCG offices early morning:
- Checking for hardware unattended from the previous working day
- Ensuring all desks adhere to the clear desk policies
• Reporting all findings to the CCG SIRO/IG Lead
• Following up any actions required
• Where necessary, additional training following audit to highlight risks and findings, promoting best practice

Information Lifecycle Management

Shared Drive & Records Management Standards – Work with the CCG to move away from the legacy drive and to set the standards and structures in place for a CCG shared drive that meets the business needs. (This may not be relevant to all CCGs)
• Work with the Records Management Lead to determine what the business requirements are and to use this to inform the structure that needs to be implemented. Target date: Oct 2014
Lead/Resources: CSU Operational Lead: Information Governance Officer; CSU Strategic Lead: Information Governance Manager; CCG Resource: All Staff
National Best Practice for Corporate Records Management
• Support the CCG with the ongoing set up of the shared drive, providing specialist Records Management advice as required. This will also include making recommendations as required. Target date: Ongoing
• Ensure folders identified as being unsecure from the asset register exercise are held in the appropriate area with restrictions where applicable. Target date: Ongoing throughout the information asset review work programme – actions to be completed as issues are found.

Development of best practice guidelines for staff in relation to records management practices, to include:
- Folder & File Naming Conventions
- Version Control
- Retention of Records
- Destruction of Records
• Work with the CCG to understand whether they wish to raise awareness of records management best practice or whether they wish to make an organisational decision to implement the best practice records management standards as policy.

Information Security Assurance

Project Management & Privacy Requirements – Ensuring that the Privacy Impact Assessment process is embedded and that the identification of the need to complete an assessment is met.
• Ensure that the PIA forms are included within the project initiation procedures and procurement processes. Target date: Nov 2014
• Measures should be taken to raise the awareness of this matter amongst those teams who are involved in the implementation of new projects, processes or services. Target date: Ongoing
• Communications – raising the profile of PIA: team briefings; newsletters; as part of the Information Asset Reviews; training. Target date: Ongoing
Lead/Resources: CSU Operational Lead: Information Governance Officer; CSU Strategic Lead: Information Security Manager; CCG Resource: Project & Commissioning Managers
IG Toolkit elements: 12-237

Information Risk Assurance Work Programme 2014-15

Ensure that there are effective, continued information risk processes; there should be a comprehensively documented programme that considers the security risks to Information Assets.
• Review the existing list of IAAs and IAOs and update as necessary based on staffing changes and the requirements of the business.
• Information Asset Register to new template
• Conduct workshops/drop in sessions for IAAs and IAOs. Target date: Ongoing
• Review of Information Assets for departments. Target date: Ongoing
• Transfer information from previous Data Flow Mapping to the new template where a data flow had previously been recorded and applicable information had been recorded. Target date: Oct 2014
• Work with IAAs and IAOs to review, update and add to the Data Flow Mapping spreadsheet. Target date: Oct 2014
Lead/Resources: CSU Strategic Lead: Information Security Manager; CCG Resource: IAO, IAAs and the SIRO

Senior Information Risk Owner Reports
• Reports to be sent to the SIRO on a quarterly basis, informing them of:
- Progress against the Information Risk Work Programme
- Highlighted areas of information risk
- Any incidents that have occurred during the previous quarter
Target date: Quarterly

Contracts and Sharing Agreements – Ensure that contracts and sharing agreements are in place
• Provide a checklist and templates which can be used by the CCGs to ensure that all requirements are included and adequately addressed in any new contracts or sharing agreements. Target date: Nov 2014
• Review any existing (or new) contracts or sharing agreements (specifically tier 2 agreements) against the Information Sharing checklist.
• Put plans in place to ensure that where contracts and agreements are not in place or need amendment, this is done within the IG Toolkit reporting year. Target date: Ongoing
Lead/Resources: CSU Operational Lead: Information Governance Officer; CSU Strategic Lead: Information Security Manager; CCG Resource: IAO, IAAs and the SIRO

IG Incident Management – Establish and implement incident reporting processes in line with the national IG Serious Incident Guidance
• Work with the CCG to ensure adequate, relevant information is recorded regarding the incident/near miss. Update entries made in the reporting tool to reflect investigation and closure of the incident.
• Verify incident severity assessments
• Support the IGSO with the investigation of Level 0 or Level 1 incidents.
• Support the investigating officer in the investigation of Level 2 incidents.
Target date: Ongoing
Lead/Resources: Operational Lead: Information Governance Officer; Strategic Lead: Information Security Manager

Information Technology

Information Technology Toolkit Requirements and Business Continuity Requirements
• Working in conjunction with the IT Lead, to identify the measures that can be taken to obtain appropriate assurance from each of the IT services