NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities"

Transcription

1 Information Governance Untoward Incident Reporting and Management Advice for Local Authorities March 2013

2 Contents Page 1. The Role of the NIGB Introduction Background Information The purpose of this document Identification of an Information Governance Untoward Incident Initial Reporting Determining the severity of the Information Governance Untoward Incident Managing the Incident Internal Communications External Communications Informing the Service User Informing the Information Commissioner s Office Media Management Informing others Containment and Recovery Investigation Evaluation Reporting...19 Appendix 1 - An example Information Governance Untoward Incident Checklist...22 Appendix 2 Department of Health severity rating matrix

3 1. The role of the NIGB The National Information Governance Board (NIGB) is an independent statutory advisory body established to promote, improve and monitor information governance in health and adult social care. The NIGB provides advice on the appropriate use, sharing and protection of patient and service user information. The NIGB also advises on the use of powers under Section 251 of the NHS Act 2006 and its associated regulations to permit the duty of confidentiality to be set aside, where other legal routes are not available. Information governance is the term used to describe the principles, processes, legal and ethical responsibilities for managing and handling information. It sets the requirements and standards that the NHS needs to achieve to ensure it fulfils its obligations to ensure that information is handled legally, securely, efficiently and effectively. The NIGB regards information governance as essential for the lawful and ethical use of patient and service user information both for the benefit of the individual to whom the information relates and for the public good. 2. Introduction The NIGB is concerned about the increasing number of information governance related incidents e.g. loss of confidential information about patients and service users, that are reported to the Information Commissioner by the NHS and Local Authorities. In each case the distress caused to the individual is significant, the duty of care owed to the individual is undermined and the publicity surrounding these incidents has a detrimental impact on the public s trust in the provision of confidential services. The definition of an information governance incident is: Any incident involving the actual or potential loss of personal information that could lead to identity fraud or have other significant impact on individuals should be considered as serious 1 The NIGB is also concerned that the policy and procedures for the effective management of an information governance incident differ across health and care sectors and so there are inconsistencies in the way in which organisations respond 1 DH Checklist for Reporting, Managing & Investigating Information Governance Serious Untoward Incidents 3

4 that may disadvantage the service user, particularly where that makes a difference to whether or not they are informed. It is also the NIGB s opinion that organisations are more likely to ensure that any systemic problems that put confidential information at risk of loss or unauthorised access are realised and addressed when lessons are shared and learned from actual and near-miss incidents. In order for organisations to take the appropriate steps to mitigate those risks, it is necessary to have a robust policy in place that outlines the procedures for dealing with an information governance incident. Reliable intelligence gathered from the processes to report, manage and investigate an information governance breach will enable an organisation to identify and analyse root causes, determine and implement remedial action, train staff appropriately and ensure that measures implemented are effective and personal data is adequately protected. It will also enable the organisation to manage the relationship with the service user in those circumstances fairly and equitably. NHS Organisations were mandated to implement measures for managing and reporting Information Governance Serious Untoward Incidents in Since then there has been a need for a consistent approach to the reporting, evaluation of the severity of a breach and management procedures for dealing with the incident. This includes the duty to inform the person whose information has been compromised as well as notifying the Information Commissioner. There is no comparable central mandate or guidance to specify how an information governance incident should be dealt with by a Local Authority. The NHS is also progressing towards implementing a duty of candour, which is written into the 2013/14 NHS Contracts and will it is anticipated become a part of the NHS Constitution and therefore applicable to all organisations and sectors providing health and care services. Under this duty, NHS organisations will be required to be open and tell patients about mistakes particularly where their safety has been compromised; apologise and ensure lessons are learned to prevent them from being repeated 3. The NIGB supported this proposal in our written response to the 2 Matthew Swindells letter of the 20th February 2008 (Gateway 9571) included guidance on the process for reporting Information Governance (IG) Serious Untoward Incidents and assessing their severity

5 Department of Health s consultation 4, as it is our view that patients should be informed because only the individual can make an accurate assessment of the risk of harm that might arise from a breach of confidentiality. It is also recognises the patient/service users position as a partner in the provision of health and care services. For these reasons we also believe that this duty should extend across all service providers and not just to those operating under a NHS contract. Local Authorities have internal procedures in place to report and manage untoward incidents, but those procedures are determined and implemented locally and may not include comparable duties to notify individual service users and the Information Commissioner, or enable a cross-organisational understanding of their information governance risks and their mitigation. The NIGB s recommendation to Local Authorities is to design and implement a policy for dealing with an information governance untoward incident that is comparable to those mandated and in operation within the NHS, in order to introduce a standardised system across all providers of health and care services. We consider the need for a common approach to be of particular importance where those services are integrated so that the patient/service user s rights are dealt with equally and fairly by all organisations involved in the care pathway. It will also enable the service provider to identify and address any weakness in their technical and organisational information security measures designed to protect service user information and contribute to the training and awareness of staff in their individual responsibilities when handling confidential information. This advice has been written to assist Local Authority Information Governance Officers with the design and implementation of an Information Governance Untoward Incident Policy and Procedure and for all staff who are responsible for the reporting, investigation and management of those incidents. The Information Commissioner s Office has produced guidance on data security breach management, which is available at 4 NIGB Response to the Department of Health s Duty of Candour consultation n%20jan% pdf 5

6 3. Background Information The 7 th Data Protection Act 1998 (DPA) principle requires a Data Controller 5 (an organisation) to have appropriate technical and organisational measures in place to keep personal data secure and protected against unauthorised or unlawful processing and to prevent its accidental disclosure, destruction, damage or loss. In particular an organisation is required to: design and organise security measures that are appropriate to the nature of the personal data held and the harm that may result from a security breach be clear about who is accountable for ensuring information security support the physical and technical security measures with clear and robust policies and procedures and ensure staff are suitably trained and aware of their responsibilities have procedures in place to detect and respond to any breach of information security swiftly and responsibly If an organisation s information security measures are inadequate, the risk of an information governance untoward incident occurring will be higher, but even an organisation that does have robust measures in place will not be immune from a data breach happening at some point. It will, however, make a difference when that breach is investigated, because the Data Controller will be able to demonstrate that it has taken appropriate organisational measures to comply with the 7 th principle rather than not. The Information Commissioner IC) is the Regulator for the Data Protection Act and has the lawful power to take action where a Data Controller is found to be failing to comply with the principles of the Act 6. Under sections 55A and 55B of the DPA (introduced by the Criminal Justice and Immigration Act 2008 which came into force on the 6 th April 2010), the Information Commissioner may, in circumstances where there has been a serious contravention of the Act, serve a monetary penalty up to 500,000 on the Data Controller. Other enforcement measures can be used in conjunction with the monetary penalty however, the application of the severest action 5 See Data Protection Act 1998 Part 1 section 1 definitions 6 DPA Section 4(4) it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller 6

7 requires the contravention to have been serious causing distress to the person whose personal data was involved and, it must have been either deliberate or the Data Controller must have, or ought to have known that there was risk that a contravention could occur and failed to take reasonable steps to prevent it. To date the monetary penalties served on Local Authorities has nearly reached 2 million and in every case the organisation was found to have failed in its duty to implement effective organisational and technical security measures to protect personal information in line with the 7 th DPA principle. In the Guide to Data Protection 7, the Information Commissioner s Office (ICO) provides guidance on what an organisation is expected to do to ensure compliance with the seventh principle, which includes being ready to respond to any breach of security swiftly and efficiently. 4. The Purpose of this document This advice is intended for all Local Authority staff involved in the management of an Information Governance untoward incident, for example Information Governance Officers, Line Managers, Heads of Service, Caldicott Guardians, Senior Information Risk Owner, Chief Executives. It is particularly written to assist Information Governance Officers in the design of an Information Governance Untoward Incident Policy. The definition of an information governance incident is: Any incident involving the actual or potential loss of personal information that could lead to identity fraud or have other significant impact on individuals should be considered as serious 8 An Information Governance Untoward Incident is a contravention of the 7 th data protection principle. Anybody who handles personal information about a service user in the course of their work carried out for or, on behalf of the Local Authority, should know how to identify an Information Governance Untoward incident, who to report it to and what 7 The ICO s Guide to Data Protection on/practical_application/the_guide_to_data_protection.ashx 8 DH Checklist for Reporting, Managing & Investigating Information Governance Serious Untoward Incidents 7

8 their responsibilities are in the subsequent actions for investigating and managing that incident. The organisation should have an Information Governance Untoward Incident Policy that sets out how an incident will be managed. It is recommended that this Policy is incorporated into the organisation s IT Disaster Recovery, Business Continuity and Communication Plans as evidence of organisational and technical measures taken to comply with the 7 th DPA principle. The intention is to ensure that: the management of IG untoward incidents conforms to the processes and procedures set out for managing all incidents of a similar nature across all health and care services, in particular where those services are integrated there is a consistent approach to the management, evaluation and reporting IG untoward incidents early reports of IG untoward incidents should be sufficient to decide the appropriate escalation, notification and communication to senior personnel within the Authority, the individual service user(s) and the Information Commissioner. immediate action is taken to assess the impact on the service user and ensure their safety the service user(s) is informed appropriately appropriate action is taken to prevent or limit damage to the service user, staff and reputation of the Local Authority all aspects of an incident are fully explored and lessons learned are identified, recorded and communicated corrective action is taken by the organisation to prevent recurrence information is provided to the Board through regular reports to ensure executive understanding of organisational performance and risks and high level authorisation and support to drive organisational change and improvement. 8

9 5. Identification of an Information Governance Untoward Incident An information governance breach can happen for a number of reasons, for example (but not limited to): Loss or theft of personal data or equipment on which personal data is stored Loss or theft of confidential information held in paper records Failure of technical controls that allow or risk unauthorised access to personal data e.g. encryption software not applied Human error, such as sending a fax to a wrong number, an to the wrong recipient, a letter to the wrong address etc. Failure to use the security measures provided e.g. secure , protective marking (failure to follow information governance policy); Unforeseen circumstances such as a fire or flood Hacking attack Blagging offences where information is obtained or an attempt is made to obtain personal information by deceiving the organisation who holds it Where there is a near miss, for example, a record containing personal, sensitive information cannot be found after an extensive search and is therefore assumed to be lost ; or it is suspected that there may have been unauthorised access to a record containing personal information; these near miss or unproven incidents should be reported, recorded, risk assessed and acted upon in accordance with the IG Untoward Incident Policy until further information confirms the record has been recovered or the suspicion is unfounded and the severity of the incident is downgraded. The information collected during the process is invaluable to the organisation for risk assessment purposes and used to identify and share in the lessons learned. However if a breach has occurred the following are important elements to any Information Governance Untoward Incident Management Plan: 1. Initial reporting 2. Containment and recovery 3. Managing the incident 4. Notification 5. Evaluation and final reporting, including recommendations to prevent further incidents of the same nature. It is, however important that when it is first realised that an incident has occurred, the service responsible should make an assessment of the immediate risk to the service 9

10 user and take any action necessary to make the situation safe. For example, if personal information that included the address and safe key code of a vulnerable adult has been lost, then the first priority should be to ensure the safety of the individual. 6. Initial Reporting Local Authorities should have robust policies and procedures in place to ensure that the appropriate members of staff are notified immediately of any incident that involves the compromise or loss of personal data or other breach of confidentiality. Ideally, there should be a named individual responsible for managing the Information Governance Untoward Incident process on behalf of the organisation. This central oversight and management of all reported incidents, including incidents of low severity, will ensure the response is appropriate and consistent and will also enable the organisation to understand where serious risks might lie and inform decisions on what action needs to be taken to mitigate those risks. Without a central point of reference, the organisation may not be able to measure the effectiveness of the technical and organisational measures in place to protect personal information or identify and correct common or systemic failures in their information governance controls. This not only increases the risk of an incident occurring, it also puts the organisation at a higher risk of the more severe ICO penalties in the event of an investigation by failing to have organisational measures in place to comply with the seventh data protection principle. All Information Governance untoward incidents, including suspected incidents (near misses) should be reported to the central point of contact for the organisation (the Incident Co-ordinator ), even if the incident is to be investigated and managed by a local area manager. The management of an incident needs to be proportionate and consistent. It is both impractical and unnecessary to conduct a full scale investigation into a small scale incident, but there also needs to be some commonality in how the incident is managed, therefore the approach has to have some element of flexibility. The Incident Co-ordinator should assess the facts reported and determine the appropriate next steps. The incident should be reported as soon as possible after it occurred or is realised (within 24 hours) and should include as much detail as possible (see Appendix 1-10

11 Example Information Governance Untoward Incident Checklist). The report should be updated as more information becomes available, but the following is required in the initial stage in order to make an assessment of severity and determine the necessary action to be taken: Date, time and location of the incident The type of incident e.g. loss of personal information, unauthorised access etc. The name and contact details of the person reporting the incident Contact details for the local incident manager A detailed description of the incident e.g. what happened - theft, accidental loss, inappropriate disclosure, procedural failure etc. The type of record or data involved and sensitivity The number (or estimate) of individual data subjects involved The number of records involved and the media (paper, electronic) of the records If electronic media, whether the data was encrypted or not Any other important factor necessary to determine the impact e.g. local press involvement, incident reported by a member of the public etc. An initial assessment of the severity of the incident based on the reported facts should be made and immediate action taken to recover data (where possible), limit the damage, inform those who need to know, assign responsibility and commence the investigation process. 7. Determining the severity of the incident The harm caused by an information security breach will differ depending on the circumstances, nature and quantity of the information lost. Key considerations when assessing the severity of an incident include the potential harm to the individual or individuals whose personal information has been compromised and what immediate steps need to be taken to ensure their personal safety. Risk assessment methods commonly categorise incidents according to the predicted consequences to give a severity rating which determines a course of action to follow. The NHS uses a matrix to determine a risk score (see Appendix 2). The risk score increases when a large number of individuals personal data is involved. However, it should be noted that ICO monetary penalties have been served on Local Authorities where only one or two individuals have been affected, because the nature of the information accidentally disclosed was highly sensitive and its loss or exposure caused the individual significant distress. The only central guidance currently available to assist organisations in the assessment of severity is the Department of 11

12 Health matrix, which can be used to give an initial baseline score which should then be revised and adjusted accordingly in light of the presenting facts and additional risks such as sensitivity and potential harm. The incident should be categorised at the highest level that applies when all of the characteristics, potential outcomes and risks have been considered. For example: Scenario: The loss of an unencrypted laptop holding a spreadsheet for people containing personal demographic information which would identify individuals and their bank details has been reported to the local press. Assessment: The DH Matrix scores this severity level 4 (out of 5). The combination of risk factors i.e. the potential for damage to the organisation s reputation, risk of identity theft, media coverage, high number of people involved and ICO enforcement action confirms a high risk/high severity factor The severity rating would however reduce to low if the data had been held on an encrypted laptop, because there is no risk of identities and related data being revealed; technical information security measure have been applied so the 7 th Data Protection principle is met and national information security policy had been adhered to. According to the ICO s breach reporting guidance, this would not be considered serious enough to report and as there is no risk to the individual s concerned, there would be no requirement to inform them. It would, however, be advisable to notify the ICO when the individual service users have been informed of the incident and/or there is some media interest, because of the increased possibility that it will be reported to the Regulator by someone else. 8. Managing the Incident All incidents, regardless of the severity, need to be managed and investigated. It is worth investing resources into investigating the low severity incidents (although that should be proportionate) because they may indicate a systemic problem or developing risk that would not otherwise be obvious and allows the organisation to take remedial action to prevent a deteriorating situation developing into an eventual breach. 12

13 It is essential to identify who is responsible for the overall management of an incident and for coordinating all of the separate related activities, including who will take responsibility for informing the individual data subjects and how to manage their expectations and concerns. In some circumstances it may be necessary to involve the Human Resources department if it is necessary to suspend the relevant member of staff whilst the incident is under investigation. Where that is the case, their right to confidentiality needs to be taken into consideration especially where that might lead to further disciplinary action being taken. The central Incident Co-ordinator should coordinate the incident management procedures, ensuring timely progress is made and deadlines are met, the people involved are kept informed and records are maintained and kept up to date. Decisions taken at the start of the procedures need to be assessed and adjusted as further information become known and, where necessary, communicated to all those involved. 9. Internal Communications Where it is suspected that an IG incident has taken place, it is good practice to notify key senior personnel. Who will need to know depends on the organisation s structure, internal policy and the severity of the incident, but may include all or some of the following examples (role titles will vary within organisations) Line Manager Senior Departmental Officer/Head of Service (Breach Owner) Head of Information Governance Compliance/ Data Protection Officer Legal Data Protection adviser IT Security Manager Head of Communications Senior Information Risk Owner (SIRO) Caldicott Guardian Where a breach is classified as serious and requires reporting to the data subject(s) and to the ICO, consideration should also be given to notifying the following key staff Director or Head of Service Chief Executive Head of Human Resources Corporate Risk Manager Communication Service Legal team 13

14 Lead Member Complaints Team Emergency Planning (if risk to community) Insurance Services 10. External Communications 10.1 Informing the data subjects Whilst there is no legal obligation to report a data loss incident to the individual or to the Information Commissioner s Office (ICO), to do so should be a matter of good practice, routine procedure and seen as a duty of care. In some circumstances it may not be necessary to tell the individual, and in making the decision about what action to take, the organisation needs to make an assessment about the pros and cons of either informing or not informing. It is however, the NIGB s opinion that only the individual can make an accurate risk assessment of the personal harm that might have been caused and what action they need to take to mitigate those risks. Harm can range from the mild inconvenience or annoyance caused; the personal risk or disruption of service that might arise from the loss of information at the point of care, up to significant distress caused by a breach of confidentiality or risk of identity theft or other financial loss. From the analysis of the monetary penalties imposed on Local Authorities by the Information Commissioner, his interpretation of significant distress suggests that just the knowledge that somebody, who had no business or reason to otherwise know, has had sight of very personal and sensitive information is enough in itself to warrant harm. In our experience organisations are often reluctant to be candid and inform the individual s whose personal information has been lost or compromised in fear of the repercussions. Honesty and saying sorry to the individual concerned in the majority of cases will enable the organisation to limit the damage caused and re-establish a steady state in the user/provider relationship. Not being honest risks a bad situation becoming even worse if the incident is later found out by other means and the organisation appearing to have attempted to cover it up. This will not exempt or protect an organisation from complaint or enforcement action by the ICO, but is recommended as good practice and advantageous to do so in the event of a subsequent formal investigation as opposed to where the incident is reported to them by the service user or a whistleblower. How to inform a service user about the loss of their personal data and who is responsible for telling them is an important part of the incident management process. Special consideration needs to be given to how to inform children or 14

15 vulnerable adults. It is also important to consider the duty of care to the service user in terms of the possible adverse impact the information may have on their physical or mental wellbeing. The approach needs careful consideration and it may be necessary to ensure both immediate and ongoing support is available where there is a concern that the news will cause significant distress. The Information Commissioner s guidance on data security breach management provides the following advice on what to consider when making a decision to notify individual service users: You should at the very least include a description of how and when the breach occurred and what personal data was involved. Include details of what you have already done to respond to the risks posed by the breach When notifying individuals give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them Provide a way in which they can contact you for support and further information. Further information is available in the ICO s Guide on Information Security Breach Management cuments/library/data_protection/practical_application/guidance_on_data_sec urity_breach_management.ashx 10.2 Informing the Information Commissioner s Office The ICO has produced guidance for organisations on the information that should be reported to them as part of a breach notification. This guidance is available on the ICO s website: /principle_7.aspx 10.3 Media Management Arrangements should be made to ensure that press and media enquiries are appropriately managed. It is therefore good practice to alert the organisation s Communication s department of the very basic facts and a contact number for further information so they can prepare a press statement in advance, deal with any incoming enquiries and manage the organisation s subsequent public statements. 15

16 10.4 Informing others You may also need to consider notifying third parties such as professional and trade unions where staff data has been compromised. In some circumstances, it may be necessary to consider informing the Police, and/or Counter Fraud services. 11. Containment and recovery It may be necessary to contain the incident and preserve forensic evidence or attempt to recover the data if the incident is due to a technology failure or where factual information is available via automated audit trails. This requires specialist information technology advice and our recommendation is to ensure the availability of expert knowledge to provide support and advice to the Incident Coordinator. Where specialist third party services are commissioned to recover data or provide audit trails etc. it is important to ensure that a written contract is established to clearly specify the organisation s instructions and satisfy the Data Controller/Data Processor arrangements set out in the 7 th Data Protection principle. 12. Investigation Ideally, the person responsible for conducting an investigation should be someone who can provide an independent and unbiased view. They should have the authority to mobilise the necessary resources to assist them in their investigation and interview all relevant personnel. It may be necessary to temporarily suspend the staff member involved, in which case their line manager and Human Resources would need to be contacted. The Incident Coordinator should be kept updated as the investigation progresses and, it may be necessary to revise and amend decisions made at the beginning of the investigation as further information emerges. The investigating officer should Have a general understanding of the nature of the concerns that an information governance incident would raise Be familiar with local policy and procedure Have had some training and/or are experienced in investigation process 16

17 Have access to relevant advice and expertise to assist them Have the necessary time to conduct the investigation protected The investigating officer should remain objective, collect evidence and focus on the facts presented in order to make an accurate assessment of the root causes of the incident. 13. Evaluation Various tools are available to help to analyse the information obtained during an investigation. The National Patient Safety Agency has developed a series of guidance and materials to assist in the reporting and management of incidents within the NHS: Guidance is also available from the Health and Safety Executive Investigating accidents and incidents: A workbook for employers, unions, safety representatives and safety professionals. It is important to remain objective and formulate an opinion about the actual causes of the incident from the presenting facts obtained during the investigation as opposed to making assumptions. Incidents are often caused by a combination of factors as opposed to a single event and it is therefore important to explore the related events as well as the actual event. For example, if the incident was caused because a member of staff had not received adequate training, questions should be asked about the organisation s training policy, what training was available, would that training have prevented the incident, why had training not been provided, why was booked training cancelled etc. This will help to determine what remedial action the organisation should take to prevent further incident, for example by ensuring training material is adequate; cancelled training sessions get re-arranged etc. 14. Reporting Case records should be kept secure and confidential and should be managed in accordance with organisational policy on records and information management and the Data Protection Act

18 Where information is held separately by those involved in the management and investigation of the incident, it should be collected after that process has been completed and held in a secure central area. The investigation report should contain information that explains the facts of the case and supports subsequent decision making. Recommended headings include: Introduction Background The investigation and methods used Findings of fact Conclusion Recommendations An action plan and timetable for implementation of the recommendations, including who is responsible for those actions. Organisational policy should specify what happens to the final report i.e. who should receive it and who is responsible for taking the recommendations forward. It may also depend on outcomes, for example, where the risk of further incident is a localised event within a specific service area, the report should be presented to the Director or Head of Service who is responsible for final decision and authorising the recommendations. If however, the risk extends to the rest of the organisation, the Senior Risk Information Owner (SIRO) should receive the report and decide its further distribution and implementation. It may, for example, be necessary to liaise with other senior personnel or seek legal advice before endorsing and acting upon the recommendations made. A summary of the findings and recommendations should be reported to the Board to inform them of the incident and to authorise the necessary action, especially where there is a risk of a similar occurrence elsewhere in the organisation. Periodic reports to provide statistical and factual information about the Information Governance Untoward Incidents reported within the organisation should be presented to the Board with an analysis of risk and recommended mitigating action to provide assurance that technical and organisational security measures are effective or to authorise action wherever necessary to strengthen and improve the controls designed to protect the personal data they are responsible for. 18

19 Appendix 1 Example Information Governance Untoward Incident Management Checklist Information Governance Incident Management Checklist Incident Reference Number Date Started Date Completed Severity Rating Service User informed (Y/N) ICO informed (Y/N) Department Responsible Investigating Officer Address Telephone Number Address Required Information Check Date 1 Date, time and location of incident 2 Confirmation that LA information governance incident guidelines are being followed and appropriate action being taken 3 Description of what happened: Theft, accidental loss, inappropriate access/disclosure, procedural failure etc 4 Number of individuals/staff (individual data subjects) involved and/or number of records 5 The type of record or information/data involved and sensitivity 6 If information was in paper format how was it being transferred or stored when lost i.e. locked briefcase or envelope 19

20 7 If electronic media, whether encrypted or not 8 Whether the information security incident is in the public domain, whether the media (press etc) are involved or there is a potential for media interest. Has a press statement been prepared? 9 Whether the reputation of an individual (s), Team, an organisation or Local Authority as a whole is at risk and whether there are legal implications 10 Whether the Information Commissioner has been or will be notified and if not why not 11 Whether data subjects have been or will be notified and if not why not 12 Whether the police have been involved 13 Immediate action taken, including whether any staff have been suspended pending the results of the investigation 14 Whether there are any consequent risks of the incident (e.g. individual safety, continuity of service etc) and how these will be managed 15 What steps have been or will be taken to recover records/data (if applicable 16 What lessons have been learned from the incident and how will recurrence be prevented 17 Whether, and to what degree, any member of staff has been disciplined by the organisation or 3 rd party company (where applicable) - if not appropriate why 18 Closure of information security incident - only when all aspects, including any disciplinary action taken against staff, are settled 20

21 Appendix 2 Severity rating matrix (Department of Health) No significant reflection on any individual or body Media interest very unlikely Damage to an individual s reputation. Possible media interest, e.g. celebrity involved Damage to a team s reputation. Some local media interest that may not go public Damage to a services reputation/ Low key local media coverage. Damage to an organisation s reputation/ Local media coverage. Damage to the organisation s reputation/ National media coverage. Minor breach of confidentiality. Only a single individual affected Potentially serious breach. Less than 5 people affected or risk assessed as low, e.g. files were encrypted Serious potential breach & risk assessed high e.g. unencrypted sensitive records lost. Up to 20 people affected Serious breach of confidentiality e.g. up to 100 people affected Serious breach with either particular sensitive data or up to 1000 people affected Serious breach with potential for ID theft or over 1000 people affected NB: This matrix is currently under revision but is provided as a guide to assist in the initial assessment of severity 21

Guidance on data security breach management

Guidance on data security breach management Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction

More information

Guidance on data security breach management

Guidance on data security breach management ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT GD21 2 DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON DATA SECURITY BREACH MANAGEMENT Introduction Organisations which process

More information

Data Security Breach Incident Management Policy

Data Security Breach Incident Management Policy Data Security Breach Incident Management Policy Contents 1. Background... 1 2. Aim... 1 3. Definition... 2 4. Scope... 2 5. Responsibilities... 2 6. Data Classification... 2 7. Data Security Breach Reporting...

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures ` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may

More information

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31 THE MORAY COUNCIL Guidance on data security breach management Information Assurance Group DRAFT Based on the ICO Guidance on data security breach management under the Data Protection Act 1 Document Control

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013 Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures Information Incident Management and Reporting Procedures Compliance with all policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may result

More information

Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation

Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation Applicable to all organisations processing Health, Public

More information

Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation (IG SIRI)

Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation (IG SIRI) Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation (IG SIRI) Applicable to all organisations processing Health, Public Health

More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

More information

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1

Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1 Schedule 13 Security Incident and Data Breach Policy January 2015 v2.1 Document History Purpose Document Purpose Document developed by Document Location To provide a corporate policy for the management

More information

Data Protection Breach Reporting Procedure

Data Protection Breach Reporting Procedure Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Incident reporting procedure

Incident reporting procedure Incident reporting procedure Responsible Officer Author Date effective from Aug 2009 Date last amended Aug 2009 Review date July 2012 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance

More information

Information Governance Serious Incident Requiring Investigation Policy and Procedure

Information Governance Serious Incident Requiring Investigation Policy and Procedure Information Governance Serious Incident Requiring Investigation Policy and Procedure Document Control Sheet Name of document: Information Governance Serious Incident Requiring Investigation (SIRI) Policy

More information

Once more unto the breach... Dealing with Personal Data Security Breaches. Helen Williamson Information Governance Officer

Once more unto the breach... Dealing with Personal Data Security Breaches. Helen Williamson Information Governance Officer Once more unto the breach... Dealing with Personal Data Security Breaches Helen Williamson Information Governance Officer Aims of the session What are we going to look at? What is a data security breach?

More information

Data Security Breach Management Procedure

Data Security Breach Management Procedure Academic Services Data Security Breach Management Procedure Document Reference: Data Breach Procedure 1.1 Document Type: Document Status: Document Owner: Review Period: Procedure v1.0 Approved by ISSG

More information

Security Incident Management Policy

Security Incident Management Policy Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015

More information

Information security incident reporting procedure

Information security incident reporting procedure Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended

More information

Data Breach Management Policy and Procedures for Education and Training Boards

Data Breach Management Policy and Procedures for Education and Training Boards Data Breach Management Policy and Procedures for Education and Training Boards POLICY on DATA BREACHES in SCHOOLS/COLLEGES and OTHER EDUCATION and ADMINISTRATIVE CENTRES UNDER the REMIT of TIPPERARY EDUCATION

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities.

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities. Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and

More information

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT 9.7 Date of the meeting 15/07/2015 Author Sponsoring Clinician Purpose of Report Recommendation J Green - Head

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

INFORMATION GOVERNANCE STRATEGY NO.CG02

INFORMATION GOVERNANCE STRATEGY NO.CG02 INFORMATION GOVERNANCE STRATEGY NO.CG02 Applies to: All NHS LA employees, Non-Executive Directors, secondees and consultants, and/or any other parties who will carry out duties on behalf of the NHS LA.

More information

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013 Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is

More information

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS North Durham Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Risk and Audit Committee/Governing

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Information Governance Strategy 2015/16

Information Governance Strategy 2015/16 Information Governance Strategy 2015/16 Ratified Governing Body (November 2015) Status Final Issued November 2015 Approved By Executive Committee (August 2015) Consultation Equality Impact Assessment Internal

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Statutory duty of candour with criminal sanctions Briefing paper on existing accountability mechanisms

Statutory duty of candour with criminal sanctions Briefing paper on existing accountability mechanisms Statutory duty of candour with criminal sanctions Briefing paper on existing accountability mechanisms Background In calling for the culture of the NHS to become more open and honest, Robert Francis QC,

More information

Council, 14 May 2015. Information Governance Report. Introduction

Council, 14 May 2015. Information Governance Report. Introduction Council, 14 May 2015 Information Governance Report Introduction 1.1 The Information Governance function within the Secretariat Department is responsible for the HCPC s ongoing compliance with the Freedom

More information

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy NHS Waltham Forest Clinical Commissioning Group Governance Strategy Author: Zeb Alam, CCG IG Lead, (NELCSU) David Pearce, Head of Governance, WFCCG Version 3.0 Amendments to Version 2.1 Annual Review Reference

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

NHS England Complaints Policy

NHS England Complaints Policy NHS England Complaints Policy 1 2 NHS England Complaints Policy NHS England Policy and Corporate Procedures Version number: 1.1 First published: September 2014 Prepared by: Kerry Thompson, Senior Customer

More information

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Approved No impact NHS Quality, Safety

More information

Information Incident Management. and Reporting Policy

Information Incident Management. and Reporting Policy Information Incident Management and Reporting Policy Policy ID IG10 Version: 1 Date ratified by Governing Body 21/3/2014 Author South CSU Date issued: 21/3/2014 Last review date: N/A Next review date:

More information

Notification of data security breaches to the Information Commissioner s

Notification of data security breaches to the Information Commissioner s ICO lo Notification of data security breaches to the Information Commissioner s Data Protection Act Contents Overview... 2 What the DPA says... 2 Reporting a breach... 2 Potential detriment to data subjects...

More information

NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Final No impact Document Ratified/Approved By Hartlepool

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

Auditing data protection a guide to ICO data protection audits

Auditing data protection a guide to ICO data protection audits Auditing data protection a guide to ICO data protection audits Contents Executive summary 3 1. Audit programme development 5 Audit planning and risk assessment 2. Audit approach 6 Gathering evidence Audit

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD Data Breach Management Policy Adopted by Cavan and Monaghan Education Training Board on 11 September 2013 Policy Safeguarding personally identifiable information

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

Incident reporting procedure

Incident reporting procedure Incident reporting procedure Number: THCCGCG0045 Version: V0d1 Executive Summary All incidents must be reported. This should be done as soon as practicable after the incident has been identified to ensure

More information

Cork ETB Data Breach Management Policy and Procedures

Cork ETB Data Breach Management Policy and Procedures Cork ETB Data Breach Management Policy and Procedures POLICY ON THE MANAGEMENT OF DATA BREACHES IN SCHOOLS/COLLEGES AND OTHER EDUCATION AND ADMINISTRATIVE CENTRES UNDER THE REMIT OF CORK EDUCATION AND

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

Security Incident Policy

Security Incident Policy Organisation Title Author Owner Protective Marking Somerset County Council Security Incident Policy Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council will

More information

Coláiste Pobail Bheanntraí

Coláiste Pobail Bheanntraí Coláiste Pobail Bheanntraí Seskin Bantry, Co. Cork. Principal: Dr. Kevin Healy B.A, H.D.E, M.Ed, Ed.D Deputy Principal: Mr. Denis O Sullivan, BSc. (Ed.), H.D.E Phone: 027 56434 Fax: 027 56439 E-mail: admin@colaistepobailbheanntrai.com

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

Incident Reporting Procedure

Incident Reporting Procedure Incident Reporting Procedure Version: Version 1 Ratified by: HEE Board Date ratified: 20 March 2014 Name and Title of Mike Jones, Corporate Secretary originator/author(s): Name of responsible Director:

More information

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY CORPORATE POLICY Document Control Title Paper Records Secure Handling and Transit Policy Author Information Governance Manager ** Owner SIRO/CIARG Subject

More information

Procedure for Managing a Privacy Breach

Procedure for Managing a Privacy Breach Procedure for Managing a Privacy Breach (From the Privacy Policy and Procedures available at: http://www.mun.ca/policy/site/view/index.php?privacy ) A privacy breach occurs when there is unauthorized access

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

INFORMATION GOVERNANCE HANDBOOK

INFORMATION GOVERNANCE HANDBOOK INFORMATION GOVERNANCE HANDBOOK SECTION ONE Author Tracey Burrows Role Information Governance Manager (CSCSU) Date / Version February 2015 Version FINAL V1.0 Approved by IM&T Board Date 27 February 2015

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact

More information

Administrative Procedures Memorandum A1452

Administrative Procedures Memorandum A1452 Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY [Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

Information Governance and Data Protection Policy

Information Governance and Data Protection Policy Information Governance and Data Protection Policy Page 1 of 21 Document Control Sheet Name of document: Version: Owner: File location / Filename: Information Governance and Data Protection Policy Final

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal

More information

JOB DESCRIPTION. Information Governance Manager

JOB DESCRIPTION. Information Governance Manager JOB DESCRIPTION POST TITLE: Information Governance Manager DIRECTORATE: ACCOUNTABLE TO: BAND: LOCATION: CSS Head of Information Governance 8a CSS Job Purpose The Information Governance Manager will ensure

More information

Information Governance in Commissioning. Mental Health Commissioners Collaborative

Information Governance in Commissioning. Mental Health Commissioners Collaborative Information Governance in Commissioning Mental Health Commissioners Collaborative Introduction David Stone Head of Information Governance Apira Limited david.stone@apira.co.uk 07947 052704 2011/12 Standard

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Information Security Incident Management Policy and Procedure

Information Security Incident Management Policy and Procedure Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) PURPOSE: The purpose of this procedure is to establish the roles, responsibilities, and communication procedures for the Computer Security Incident

More information

Data Protection Policy. Leeds City Council. Information Governance team, Intelligence & Performance - 1 -

Data Protection Policy. Leeds City Council. Information Governance team, Intelligence & Performance - 1 - Leeds City Council Data Protection Policy - 1 - Document Control Organisation Leeds City Council Title Data Protection Policy Author Mark Turnbull, Legal Services Filename DPA policyvr1.doc Owner Assistant

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

Quick Guide To Information Governance Policies

Quick Guide To Information Governance Policies Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations.

More information

Somerset County Council - Data Protection Policy - Final

Somerset County Council - Data Protection Policy - Final Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Corporate Policy and Strategy Committee

Corporate Policy and Strategy Committee Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset

More information

Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation

Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation 1 st June 2013 Version 2.0 Revision History Version Date Summary of Changes

More information

Health and social care staff members: What you should know about Information Governance

Health and social care staff members: What you should know about Information Governance Health and social care staff members: What you should know about Information Governance p2 Information Governance What is Information Governance? You have probably heard of Clinical or Social Care Governance,

More information