Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.


Title: Information Governance Policy

Date Approved: Approved by: Date of review: Policy Ref: Issue: January 2015 Information Governance Group Division/Department: January 2016 Policy Category: ISP-04 5 Information Governance Author (post-holder): Corporate Sponsor (Director): Information Governance Manager Chief Executive

CONTENT

SECTION  DESCRIPTION
1  Introduction
2  Policy statement
3  Definitions
4  Role and responsibilities
5  Scope of Policy
6  Consultation
7  Narrative
8  Evidence base
9  Monitoring compliance
10  Training Requirements
11  Distribution
12  Communication
13  Author and Review Details
14  Appendices

The issue of this page is the overall issue of this procedure. The current issue of individual pages are as follows:

[Table of PAGE and ISSUE DATE: the surviving entries are dated 02/13, with one row marked "All" and one date marked TBC.]

1 INTRODUCTION

1.1 This policy is issued and maintained by the Chief Executive on behalf of the Trust, at the issue defined on the front sheet, which supersedes and replaces all previous versions. Information Governance is a framework for handling personal information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service. It provides a consistent way for employees to deal with the many different information handling requirements including:

- Information Governance Management.
- Clinical Information assurance.
- Confidentiality and Data Protection assurance.
- Corporate Information assurance.
- Information Security assurance.
- Secondary use assurance.

1.2 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.

1.3 It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management.

1.4 This document sets out the high level principles across the community for confidentiality, integrity and availability of information and the role of information governance (IG) to promote and build a level of consistency across the community on these principles.

2. POLICY STATEMENT

2.1 The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The Trust fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information.

2.2 The Trust recognises the need to share patient information with other health organisations and agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

2.3 The Trust recognises that it is essential that information is accurate, timely and relevant in order to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to ensure and promote the quality of information and to actively use information in decision making processes.

2.4 To protect the organisation's information assets from all threats, whether internal or external, deliberate or accidental. The Trust will ensure:

- Information will be protected against unauthorised access.
- Confidentiality of information will be assured.
- Integrity of information will be maintained.
- Information will be supported by the highest quality data.
- Regulatory and legislative requirements will be met.
- Business continuity plans will be produced, maintained and tested.
- Information security training will be available to all staff, and all breaches of information security, actual or suspected, will be reported to, and investigated by the Information Governance Manager.

An Equality Impact Assessment (EIA) has been carried out and has concluded that this policy is of low impact.

3. DEFINITIONS

Trust: Refers to Sherwood Forest Hospitals NHS Foundation Trust

Staff: Means all employees of the Trust, including those managed by a third party on behalf of the Trust

NHSLA: Means National Health Service Litigation Authority

Information Processing: Includes all principles of the HORUS model from the Data Protection Act, 1998 i.e. Holding, Obtaining, Recording, Using and Sharing information.

Breach of Confidentiality: A breach of confidentiality is the unauthorised disclosure of personal information provided in confidence.

Confidential Information: Confidential information can be anything that relates to patients, staff or any other information (such as contracts, tenders etc) held in any form (such as paper or other forms like electronic, microfilm, audio or video) howsoever stored (such as patient records, paper diaries, computer or on portable devices such as laptops, PDAs, BlackBerrys, mobile telephones) or even passed by word of mouth. Person identifiable information is anything that contains the means to identify an individual.

Disclosure: This is the divulging or provision of access to data.

Patient identifiable Information: Key identifiable information includes:

- Patient's name, address, full postcode, date of birth;
- Pictures, photographs, videos, audio-tapes or other images of patients;
- NHS number and local patient identifiable codes;
- Anything else that may be used to identify a patient, either directly or indirectly. For example, rare diseases, drug treatments or statistical analyses which have very small numbers within a small population may allow individuals to be identified

Public Interest: Exceptional circumstances that justify overruling the right of an individual to confidentiality in order to serve a broader societal interest. Decisions about the public interest are complex and must take account of both the potential harm that disclosure may cause and the interest of society in the continued provision of confidential health services.

Sensitive Data: Data held about an individual which contains both personal and sensitive information. There are only seven types of information detailed in the Data Protection Act that are deemed as sensitive:

- Racial or ethnic origin;
- Religious or other beliefs;
- Political opinions;
- Trade union membership;
- Physical or mental health;
- Sexual life; and
- Criminal proceedings or convictions.

4. ROLE AND RESPONSIBILITIES

4.1 Chief Executive

Overall accountability for procedural documents across the organisation lies with the Chief Executive who has overall responsibility for establishing and maintaining effective information management, for meeting all statutory requirements and adhering to guidance issued in respect of procedural documents.

4.2 Caldicott Guardian

The Trust Medical Director has been appointed Caldicott Guardian. The Caldicott Guardian will:

- Ensure that the Trust satisfies the highest practical standards for handling patient identifiable information.
- Facilitate and enable appropriate information sharing and make decisions on behalf of the Trust following advice on options for lawful and ethical processing of information, in particular in relation to disclosures.
- Represent and champion Information Governance requirements and issues at Board level.
- Ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff.
- Oversee all arrangements, protocols and procedures where confidential patient information may be shared with external bodies both within, and outside, the NHS.
4.3 Senior Information Risk Owner (SIRO)

The Chief Financial Officer has been nominated as Senior Information Risk Owner (SIRO). The SIRO will:

- Take overall ownership of the organisation's Information Risk.
- Act as champion for information risk on the Board and provide written advice to the Accounting Officer on the content of the organisation's statement of internal control in regard to information risk.
- Understand how the strategic business goals of the Trust and how other NHS organisations' business goals may be impacted by information risks, and how those risks may be managed.
- Implement and lead the NHS Information Governance Risk Assessment and Management processes within the Trust.
- Advise the Board on the effectiveness of information risk management across the Trust.
- Receive training as necessary to ensure they remain effective in their role as SIRO.

4.4 Information Asset Owners

Information Asset Owners (IAO) will:

- Lead and foster a culture that values, protects and uses information for the benefit of patients.
- Know what information comprises or is associated with the asset, and understand the nature and justification of information flows to and from the asset.
- Know who has access to the asset, whether system or information, and why, and ensure access is monitored and compliant with policy.
- Understand and address risks to the asset, and provide assurance to the SIRO.
- Ensure there is a legal basis for processing and for any disclosures.
- Refer queries about any of the above to the SIRO.

4.5 Information Governance Committee

The Information Governance Committee is responsible for ensuring that this policy is implemented, including any supporting guidance and training deemed necessary to support the implementation, and for monitoring and providing Board assurance in this respect.

4.6 Trust Managers

It is the responsibility of Executive Directors, Divisional Managers, Heads of Departments, Divisional Matrons and ward sisters/charge nurses to ensure the implementation of policies throughout their areas of responsibility. Managers should also react in an appropriate manner when informed of instances where behaviour is not in accordance with the policy that is set out herein.

4.7 The Information Governance Team

The IG team will provide expert advice and guidance to all staff on all elements of Information Governance. The team is responsible for:

- Providing advice and guidance, to all staff, on all aspects of information governance.
- Working with staff to ensure there is consistency of Information Governance across the organisation.
- Developing Information Governance policies and procedures.
- Working with the Trust and other organisations to establish protocols on how information is to be shared.
- Developing Information Governance awareness and training programmes for staff.
- Ensuring compliance with Data Protection, Information Security and other information related legislation.
- Providing support for freedom of information requests.
- Providing support to the Caldicott Guardian and Senior Information Risk Owner (SIRO) for Information Governance related issues.

4.8 All Staff

All employees and anyone working on behalf of the Trust, involved in the receipt, handling or communication of person identifiable information, must adhere to this policy to support the reputation of the Trust and where relevant of their profession. Everyone has a duty to respect a data subject's rights to confidentiality.

Individual staff members are responsible for familiarising themselves with current IG policies, in line with their contractual obligations. Any amendments to existing policies will be communicated to all staff by the IG department through the communications team.

It is the role of the Board to define the Trust's policy in respect of Information Governance, taking into account legal and NHS requirements. The Board is also responsible for ensuring that sufficient resources are provided to support the requirements of the policy.

All staff, whether permanent, temporary or contracted are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis.

5. SCOPE OF POLICY

This policy applies to all employees of the trust, including temporary staff and contractors. Temporary staff and contractors will need to agree and sign a confidentiality agreement with the Trust. These agreements are available from the IG department on request.

5.1 INFORMATION GOVERNANCE AIMS

The Trust's Information Governance aims are to:

- Hold information securely and confidentially;
- Obtain information fairly and efficiently;
- Record information accurately and reliably;
- Use information effectively and ethically;
- Share information appropriately and lawfully; and.

5.2 INFORMATION GOVERNANCE PRINCIPLES

The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The Trust fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information. The Trust also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

The Trust believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all staff to ensure and promote the quality of information and to actively use information in decision making processes.

There are four key interlinked strands to the information governance policy:

- Openness
- Legal compliance
- Information security
- Quality assurance

5.3 Openness

- Non-confidential information relating to the Trust and its services should be available to the public through a variety of media, in line with the Information Commissioner's Model Publication Scheme.
- The Trust will establish and maintain policies to ensure compliance with the Freedom of Information Act.
- The Trust will undertake or commission annual assessments and audits of its policies and arrangements for openness.
- Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients.
- The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media.
- The Trust will have clear procedures and arrangements for handling queries from patients and the public.

5.4 Legal Compliance

- Compliance with the policies and procedures laid down in this document will be monitored via the Information Governance team, together with independent reviews by both Internal and External Audit on a periodic basis.

- The Trust regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.
- The Trust will establish and maintain policies to ensure compliance with the Data Protection Act, Human Rights Act and the Common Law Duty of Confidentiality.
- The Trust will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).

5.5 Information Security

- The Trust will establish and maintain policies for the effective and secure management of its information assets and resources.
- The Trust will undertake or commission annual assessments and audits of its information and IT security arrangements.
- The Trust will promote effective confidentiality and security practice to its staff through policies, procedures and annual mandatory training.
- The Trust will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

5.6 Information Quality Assurance

- The Trust will establish and maintain policies and procedures for information quality assurance and the effective management of records.
- The Trust will undertake or commission annual assessments and audits of its information quality and records management arrangements.
- Managers are expected to take ownership of, and seek to improve, the quality of information within their services.
- Wherever possible, information quality should be assured at the point of collection.
- Data standards will be set through clear and consistent definition of data items, in accordance with national standards.

6. CONSULTATION

The consultation process for this policy is as follows: Information Governance Group Reporting to BI and IT Board

7. NARRATIVE

7.1 Information Governance Policy Framework

The Trust has developed a framework for its Information Governance Policy. This is supported by a set of Information Governance policies and related procedures to cover all aspects of Information Governance which are aligned with the NHS Operating Framework and the Information Governance toolkit requirements. The Key Information Governance Policies are:

Freedom of Information Policy
This policy sets out the roles and responsibilities for compliance with the Freedom of Information Act and Environmental Information Regulations.

Confidentiality Policy
This policy lays down the principles that must be observed by all who work within the Trust and have access to personal or confidential business information. All staff must be aware of their responsibilities for safeguarding confidentiality and preserving information security in order to comply with common law obligations of confidentiality and the NHS Confidentiality Code of Practice.

Information Security Policy
This policy is to protect, to a consistently high standard, all information assets. The policy defines security measures applied through technology and encompasses the expected behaviour of those who manage information within the organisation.

Document & Records Management Policy
This policy is to promote the effective management and use of information, recognising its value and importance as a resource for the delivery of corporate and service objectives.

Safe Haven Policy
This policy lays down the principles that must be adhered to when sending person identifiable information to and from the Trust.

7.2 RESPONSIBILITIES OF THE TRUST

All information used in the NHS is subject to handling by individuals and it is necessary for these individuals to be clear about their responsibilities and for the Trust to provide and support appropriate education and training.

- The Trust must ensure legal requirements are met.
- The Trust must make arrangements to meet the performance assessment requirements of the HSCIC Information Governance Toolkit.
- The Trust will continue to report on the management of information risks in the statement of internal controls and to include details of data loss and confidentiality breach incidents in annual reports.
- The Trust will ensure an Information Governance audit, utilising the centrally provided audit methodology, is included within the internal auditors' work plan.

8. EVIDENCE BASE

8.1 LEGAL AND REGULATORY FRAMEWORK

- There are a number of legal obligations placed upon the Trust for the use and security of person identifiable data.
- There are requirements to appropriately disclose information when required.
- There is an NHS regulatory and performance framework for the management of information.
- There are NHS Codes of Conduct for the use of information.
- There are Codes of Practice and operating procedures adopted by the NHS.

The main legal requirements consist of:

- Data Protection Act 1998 (and subsequent Special Information Notices)
- Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998)
- Computer Misuse Act 1990

A summary of the information or guidance that has been used to develop this policy is available as a full list in Appendix 1.

9. MONITORING COMPLIANCE

9.1 Compliance with the IG Assurance Framework will be assessed by the annual completion of the IG Toolkit. Formal reports will be provided to the Audit and Assurance Committee and the Board for sign off prior to annual submission.

9.2 The Trust will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. As part of the training and awareness programme, employees and third party contractors will also be made aware of definitions of incidents/weaknesses and the process for dealing with them.

10. TRAINING REQUIREMENTS

10.1 To ensure organisational compliance with the law and Government guidelines relating to Information Governance, staff must receive appropriate training. Therefore, annual IG training is mandatory for all staff, and staff IG training needs will be routinely assessed, monitored and adequately provided for.

In many cases the mandatory basic IG training through the online NHS Information Governance Training Tool will be adequate to give staff the knowledge that they require, but the Trust supplements this with training sessions which cover:

- Fundamentals of data protection and the Caldicott Principles;
- Freedom of Information Act 2000 responsibilities;
- Principles of good record keeping;
- Information security guidance;
- Reference to relevant Trust policies, procedures and further guidance

It is difficult for busy staff to convert theory and guidance into practical work procedures. Changing established routines and adjusting established work practices can be challenging. As a result staff will be trained in the use of systems and procedures, to ensure the quality and appropriate handling of information, in order to minimise risks to the Trust from poor information management.

11. DISTRIBUTION

This policy, once approved, will be included within the Governance Policy Section of the Trust's Intranet.

12. COMMUNICATION

This policy will be communicated to all existing staff via Team Brief, weekly staff bulletin and the Latest Updates section on the Trust's Intranet homepage for implementation purposes. New members of staff will be informed of the policy at Induction, in line with the Organisation's Induction Policy.

13. AUTHOR AND REVIEW DETAILS

Date issued: January 2015
Date to be reviewed by: January 2016
To be reviewed by: Information Governance Manager
Executive Sponsor: Chief Executive

14. APPENDICES

Appendix 1 List of guidance that has been used to develop this policy
Appendix 2 Information Lifecycle Management Strategy

Appendix 1

The Abortion (Amendment) Regulations Act
To meet the requirements of these Regulations, organisations must ensure that they have processes in place to ensure that certificates are retained in a secure area for at least three years, and that they are confidentially destroyed once they are no longer required. Disclosure of information to the Chief Medical Officer about terminations does not constitute any breach of confidentiality requirements, as this is a statutory gateway for disclosure.

Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998)
Although there is no proven duty of confidence owed to deceased patients, the position has yet to be adequately tested in the courts. The Department of Health advises that records of the deceased should be treated as if confidential and disclosures only made in line with the Access to Health Records Act 1990 or other legislation. Organisations should have processes that address where and how the records of deceased persons are stored. Secure and environmentally safe storage is vital to ensure that records are maintained in good order and are available if required. It is essential that organisations put in place processes and procedures to enable the efficient and effective retrieval of such records within the timescales specified by the Act.

The Access to Medical Reports Act 1988
Disclosures of medical reports and the information contained within should only take place in accordance with the consent that has been granted by the patient. Disclosures that have not been consented to may be in breach of the common law duty of confidentiality unless they are in line with other statutory considerations. It is important that these reports remain accessible to the patient for at least six months after they have been supplied to the employer or insurer. After six months, organisations should consider whether retention is necessary; however, if they do decide to retain the report, it must be accessible should a subsequent subject access request be made. In some organisations, it may be easier to hold the report as part of the health record.

Administrative Law
Staff should be trained in the legal framework covering the disclosure of confidential patient information. They should also be provided with procedures for obtaining explicit consent and guidance on where to seek advice if they are unsure whether they should disclose such information.

Audit Commission Act

The Blood Safety and Quality Regulations 2005
Organisations must ensure that they are able to provide full traceability of whole blood and blood components. There should be a record-keeping system that:

- allows for identification of each single blood donation and each single blood unit and components thereof; and
- enables full traceability to the donor as well as to the transfusion and the recipient.

The Census (Confidentiality) Act 1991
Any staff that may use census information for their work must be instructed on the lawful way in which they may use it and the processes put in place to ensure that unlawful disclosure does not occur.

The Children Act
Organisations must ensure that staff are adequately trained and put processes in place to ensure that information is appropriately shared.

The Civil Contingencies Act 2004
It is important that affected NHS organisations are aware of and comply with their obligations under this Act. These will include the identification of information required to support the organisation's business in the event of an emergency occurring and the development and testing of relevant information technology disaster recovery or fallback continuity plans where computerised information services may be disrupted. However, the Act does not provide a statutory obligation to breach the common law duty of confidentiality. Where information is confidential, the party making the disclosure must consider whether the interests of the individual(s) will be better served by making the disclosure (i.e. is it in the public interest to disclose?).

The Civil Evidence Act 1995
A public authority is making a legal statement by authenticating such documents and records. The organisation must therefore be sure of the quality and reliability of an electronic record. It will therefore be important to be able to verify that the computer was not misused and was operating properly at the time the record was produced.

The Common Law Duty of Confidentiality
All persons who use patient records should be aware of their responsibility for facilitating and maintaining confidentiality of those records. Systems and processes should ensure that employees only have access to those parts of the record required to carry out their role. Access to records should be logged and periodically audited.

18 Particular care should be taken to protect health records during their transportation between sites or organisation s, for example security envelopes and approved carriers should be used where necessary. Computer Misuse Act It is important that all staff members are aware of and comply with all security measures put in place to protect all health records. The organisation should have policies and procedures in place to facilitate compliance alongside disciplinary measures for failure to comply. The Congenital Disabilities (Civil Liability) Act 1976 Organisations need to take the provisions of this Act into account and ensure that the health records of all children and, in particular, the records of children born with a disability are not destroyed prematurely. The Consumer Protection Act (CPA) 1987 A claimant generally has three years to begin legal action after the damage; however, this period may be extended to 10 years after the product was supplied. The NHS is affected by these provisions and may be liable as a supplier or user of a product. Therefore, it is important that accurate records are maintained for all products that may fall into this category in order that any claim can be defended. The Control of Substances Hazardous to Health (COSHH) Regulations 2002 The Regulations require that organisations retain records of risk assessments, control measures, exposure monitoring and health surveillance. Some of these records must be kept for specified periods. Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations It is important that all staff members are aware of and comply with the licensing requirements of software they use, which exist to protect the rights of the software copyright owner. Unauthorised installation, copying, duplication, resale or other misuse of commercial software is likely to breach the terms of licence and could potentially result in criminal prosecution. 
A copy of the purchase order and licence should be retained for all commercial software purchases. Corporate web pages where information is published should be checked for infringement of the Act and/or that necessary permissions or acknowledgements have been given. If there is any doubt, check with the organisation's legal advisers.

Crime & Disorder Act

Any request for disclosure under this Act must be referred to the Caldicott Guardian and possibly the organisation's legal advisers, who should decide whether such disclosure is necessary or proportionate. Section 115 of this Act permits the disclosure of personal information that may otherwise be prohibited. There is not a compulsion to disclose and the organization must make its own decision; however, the requirements of the common law duty of confidence and the Data Protection Act 1998 must still be met. Therefore, information given in confidence must not be disclosed unless there is a clear overriding public interest in doing so. If a disclosure is to be made, the disclosure must be necessary or appropriate to allow the Crime and Disorder Act 1998 to be applied and the information must only be disclosed to a relevant authority. What is necessary or proportionate depends on the individual circumstances of each case. The outcome to be achieved in disclosing information must be weighed against the public interest in provision of a confidential health service by the NHS.

The Criminal Appeal Act 1995

The exchange of information must comply with the DPA 1998 and sensitive personal data must only be exchanged where the DPA permits.

Data Protection Act

Data Protection Act 1998 s.43 Information Notices

The Data Protection (Processing of Sensitive Personal Data) Order 2000

The Order amends the DPA 1998 by defining several circumstances under which it would be lawful to disclose sensitive personal data without explicit consent. However, there must be a substantial public interest in making the disclosure; therefore, any decision must involve the Caldicott Guardian and may require referral to the organisation's legal advisers.

The Disclosure of Adoption Information (Post-Commencement Adoptions) Regulations 2005

The Regulations require that adoption agencies keep records on the adopted children they have placed for at least 100 years and place limits on the information that can be disclosed.
The Electronic Commerce (EC Directive) Regulations 2002

While NHS organisations may not currently offer online selling services of this type, it is possible that these may arise in future, or that staff of NHS Organisations may participate in online transactions provided by external organisations. Many NHS Organisations have already implemented websites to promote their corporate identity and services. Organisations need to consider the potential implications of these Regulations when designing new NHS online services.

Electronic Communications Act 2000 (Commencement No. 1) Order

Organisations should ensure that electronic information is held and transferred in accordance with the Act and other provisions, to ensure that confidential information is accessed only by those with a need to know it in order to carry out their role. They should do their best to ensure that electronic signatures can be verified in case the authenticity of a signature becomes subject to a legal dispute. Organisations should also be aware of the need to ensure the retention and protection of any cryptographic keys that have been used to protect records, as they may have evidential value over the lifetime of the record.

The Environmental Information Regulations (EIR) 2004

As with the FOI Act 2000, the organisation needs a robust records management programme. The requirements of the two pieces of legislation are similar so it is advised that Organisations deal with requests in a like manner. The main difference is that requests for environmental information need not be in writing.

The Freedom of Information (FOI) Act 2000

The organisation should carry out a records audit to determine what records it holds, the location of the records and whether they need to be kept. This should lead to a review of the organisation's retention schedules and provide information for its publication scheme. As with DPA 1998 subject access requests, appropriately trained staff and effective procedures are crucial to compliance with this Act. There is a duty imposed on Organisations to supply information in a timely fashion, currently within 20 working days.
To facilitate this obligation to provide information within these time limits, the organisation must ensure that all employees are aware of how an FOI Act 2000 application should be progressed and of the requirement to respond to requests quickly. Organisations should consider maintaining a log of requests with the view to making frequently requested information available through the publication scheme.

The Gender Recognition Act 2004

As protected information covers all information that would identify a person as being a transsexual, if an applicant is successful in their application a new health record must be created so that protected information is not disclosed.

The Gender Recognition (Disclosure of Information) (England, Wales and Northern Ireland) (No. 2) Order 2005

The Order defines the circumstances under which it would be lawful to disclose protected information. Staff should be appropriately trained in seeking informed consent. Where consent cannot be given, a decision to disclose must be taken by senior personnel only.

The Health and Safety at Work etc Act

Organisations should retain equipment maintenance records, records of assessments and training records etc for appropriate periods, as proof that they are complying with the law and maintaining the safety of their employees. Retention of these records will also assist organisations to appropriately defend against any legal action and comply with investigations carried out by the Health and Safety Executive and/or the Healthcare Commission.

The Health and Social Care Act 2008

Code of Practice for health and adult social care on the prevention and control of infections and related guidance et/dh_ pdf

The Human Fertilisation and Embryology Act 1990, as amended by the Human Fertilisation and Embryology (Disclosure of Information) Act

To meet the requirements of this Act, organisations must ensure that they have processes in place to ensure that such information is available only to those permitted access. This is especially important as regards paper records, where information on this form of treatment is likely to be included within past medical history (particularly hospital records).

Human Rights Act

Current understanding is that if organisations comply with the provisions of the

The Limitation Act 1980

A claimant generally has three years to begin legal action after an injury. However, the lapse between an injury and knowledge of it is without limit of time. Therefore, it is important that accurate records are retained in accordance with national guidance and local policies.
As with other statutory provisions, organisations must be able to locate and supply information if requested and ensure that closed records are stored in accordance with National Archives guidance.

The Medicines for Human Use (Clinical Trials) Amendment Regulations 2006

The sponsor and the chief investigator shall ensure that the documents contained, or which have been contained, in the trial master file are retained for five years after the conclusion of the trial. The sponsor and the chief investigator shall ensure that the medical files of trial subjects are retained for at least five years after the conclusion of the trial. An ethics committee shall retain all the documents relating to a clinical trial on which it gives an opinion for:
Where the trial proceeds, at least three years from the conclusion of the trial; or
Where the trial does not proceed, at least three years from the date of the opinion.

National Health Service Act

Procedures should be put in place to provide information under section 251 regulations. Organisations should also have a process to inform anyone requesting patient-identifiable information for purposes other than direct healthcare of the need to gain approval from PIAG, unless they have the explicit consent of the patient.

The NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000

To meet the requirements of this Act, organisations must ensure that they have processes in place to ensure that such information is available only to those permitted access. This is especially important as regards paper records, where information on this form of treatment might be included within past medical history (particularly hospital records).
Every NHS Trust and PCT must take all necessary steps to ensure that any information capable of identifying an individual obtained by any of their members or employees with respect to persons examined or treated for any sexually transmitted disease shall not be disclosed except:
for the purpose of communicating that information to a medical practitioner, or to a person employed under the direction of a medical practitioner in connection with the treatment of persons suffering from such disease or the prevention of the spread thereof; and
for the purpose of such treatment or prevention.

The Police and Criminal Evidence (PACE) Act 1984

Those responsible for managing any computer system from which information is requested which is to be used as evidence should be aware that they will need to provide a statement that the computer was operating properly at the time that the evidence was provided, or that any malfunction did not affect the production or accuracy of the document. They may also be requested to provide information on the function and operation of the system.

Prevention of Terrorism Act

The Public Health (Control of Diseases) Act 1984 and the Public Health (Infectious Diseases) Regulations 1988

Organisations should ensure that copies of the notification certificate or counterfoils from a notification book are held securely and retained for the recommended minimum period.

The Privacy and Electronic Communications (EC Directive) Regulations

Staff with responsibility for information security management should be aware of the Regulations and their potential implications for the technical design of NHS websites. Consideration is also necessary for the use of within NHS business activities and in particular the rules for unsolicited marketing.

The Public Interest Disclosure Act

Staff should be made aware of the correct procedures to be followed if circumstances arise that require them to breach confidentiality and any policy guidance; see Health Service Circular (HSC) 1999/198 on public interest disclosure.

The Public Records Act 1958

Further guidance is given in the introduction to the retention schedules in Records Management: NHS Code of Practice, available at: Guidance/DH_

The Radioactive Substances Act 1993

Records relating to radioactive substances and radioactive waste must be retained as specified by the Environment Agency. The Agency may also require that records be retained for a specified period after the activity has ceased. Once this period has expired, records should be filed with an appropriate repository, i.e. a Place of Deposit.

The Regulation of Investigatory Powers Act

Staff with responsibility for information security management should be fully aware of the Act and its related Regulations, as these potentially impact information services used by the organisation's staff and others.
Where interception or monitoring of communications or systems usage is locally permitted under the Act's provisions, it is essential that potentially affected individuals, the organisation's legal advisers and human resources department are all aware of this possibility. In such circumstances, it is advisable to notify staff in induction training and routine awareness programmes and at the point of system log-on of this possibility.

The Re-use of Public Sector Information Regulations 2005

Employees responsible for re-use issues should work closely with those responsible for FOI for several reasons, including:
An information audit is required for both pieces of legislation to determine the records held and the locations of those records;
Information available for re-use and the terms and conditions of re-use can be included within the organisation's publication scheme (see FOI Act 2000 on page 29); and
If a request is made for access and re-use, the processes need to be coordinated so that the access issue is dealt with before permission to re-use is granted.

The Office of Public Sector Information provides further advice on the link between the FOI Act 2000 and these Regulations, and wording on re-use that can be included when responding to an FOI request, available at:

The Road Traffic Acts

NHS bodies are required by law to provide information to the CRU to enable the recovery of the costs of the treatment. The Road Traffic Acts require that NHS Organisations give any information, which is in their power to give and which may lead to identification of a driver who has committed an offence under the Acts.

The Sexual Offences (Amendment) Act 1976, sub-section 4(1), as amended by the Criminal Justice Act 1988

To meet the requirements of this legislation, organisations must ensure that they have processes in place to answer press enquiries about high-profile cases. If an interview is given to the press, particularly a live interview, it is vital that information is not inadvertently disclosed that could identify the victim.
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations

Appendix 2 - Information Lifecycle Management Strategy

Within the Trust, all staff creating any type of record are required to liaise with their division records manager to ensure the appropriate Records Management Policy is implemented. For every item of information created, there will be a time period (retention period) for which it is required, and must be accessible. These are outlined in the Trust's Retention and Destruction Policy. Once information has reached the end of its period of retention, it is no longer appropriate to retain the record and it must be destroyed in line with the hospital's legislative responsibilities: the Freedom of Information Act, Health Records Act, and Data Protection Act.

Figure 1 Records Management Life Cycle (box labels from the figure):
NEW RECORD CREATED
NEW RECORD REQUIREMENT REVIEWED AND DATA ITEMS AGREED
HIGHLIGHT RETENTION PERIOD
RECORD DESTROYED
SAVE / FILE RECORD APPROPRIATELY (refer to Admin/Health Records Management Policy)
REGULARLY REVIEW RECORDS HELD AND ACTIVELY WEED RECORDS NO LONGER REQUIRED
ENSURE OTHERS ABLE TO ACCESS RECORDS
ENSURE RECORD CAN BE MAINTAINED FOR RETENTION PERIOD

26

Information Governance Policy

Information Governance Policy Information Governance Policy UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT HISTORY

More information

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy. Title: Reference No: NHSNYYIG - 007 Owner: Author: INFORMATION GOVERNANCE POLICY Director of Standards First Issued On: September 2010 Latest Issue Date: February 2012 Operational Date: February 2012 Review

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY Directorate of Performance Assurance INFORMATION GOVERNANCE POLICY Reference: DCP074 Version: 2.5 This version issued: 27/03/15 Result of last review: Minor changes Date approved by owner (if applicable):

More information

Information Governance Policy

Information Governance Policy Information Governance Policy REFERENCE NUMBER IG 101 / 0v3 May 2012 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive 4.9.12 REVIEW DUE DATE May 2015 West Lancashire CCG is committed to ensuring

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Information Governance Policy_v2.0_060913_LP Page 1 of 14 Information Reader Box Directorate Purpose Document Purpose Document Name Author Corporate Governance Guidance Policy

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Information Governance Policy

Information Governance Policy Author: Susan Hall, Information Governance Manager Owner: Fiona Jamieson, Assistant Director of Healthcare Governance Publisher: Compliance Unit Date of first issue: February 2005 Version: 5 Date of version

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying

More information

Information Governance Policy

Information Governance Policy BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework Putting Barnsley People First Barnsley Clinical Commissioning Group Information Governance Policy and Management Framework Version: 1.1 Approved By: Governing Body Date Approved: 16 January 2014 Name of

More information

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY Moorland is committed to ensuring that, as far as it is reasonably practicable, the way we provide services to the public and the way we treat

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

More information

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation Northumberland, Newcastle North and East, Newcastle West, Gateshead, South Tyneside, Sunderland, North Durham, Durham Dales, Easington and Sedgefield, Darlington, Hartlepool and Stockton on Tees and South

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

Information Governance policy

Information Governance policy Information Governance policy Key Points Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources throughout

More information

Information Governance Policy

Information Governance Policy Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:

More information

NHS Information Governance. Guidance on Legal and Professional Obligations

NHS Information Governance. Guidance on Legal and Professional Obligations Guidance on Legal and Professional Obligations September 2007 DH INFORMATION READER BOX Policy HR/Workforce Management Planning Clinical Document purpose Estates Performance IM & T Finance Partnership

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

Trust Informatics Policy. Information Governance. Information Governance Policy

Trust Informatics Policy. Information Governance. Information Governance Policy Trust Informatics Policy Information Governance Policy Reference: TIP/IG/IGP I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 1 Document Control Policy Title Author/Contact Document Reference

More information

Procedures. Issue Date: June 2014 Version Number: 2.0. Document Number: POL_1009. Status: Approved Next Review Date: April 2017 Page 1 of 17

Procedures. Issue Date: June 2014 Version Number: 2.0. Document Number: POL_1009. Status: Approved Next Review Date: April 2017 Page 1 of 17 Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs NOTE: This is a CONTROLLED Document. Any documents appearing in paper

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY Version 8.0 Purpose: For use by: This document is compliant with /supports compliance with: To outline the lifecycle of a record and to provide guidance on retention and disposal

More information

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Appendix 1 INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Author Information Governance Review Group Information Governance Committee Review Date May 2014 Last Update February 2013 Document No. GV

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

Date of review: Information Governance Group January 2016. Policy Category: CONTENT SECTION DESCRIPTION PAGE

Date of review: Information Governance Group January 2016. Policy Category: CONTENT SECTION DESCRIPTION PAGE Title: Date Approved: January 2015 Division/Department: Corporate Services Corporate Records Policy Approved by: Date of review: Information Governance Group January 2016 Author (post-holder): Interim

More information

Gloucestershire Hospitals

Gloucestershire Hospitals Gloucestershire Hospitals NHS Foundation Trust TRUST POLICY In the case of hard copies of this policy the content can only be assured to be accurate on the date of issue marked on the document. The Policy

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

Information Governance Policy. Church Road Medical Practice

Information Governance Policy. Church Road Medical Practice Information Governance Policy Church Road Medical Practice Version No: 1.0 Issue Date: March 2015 INFORMATION GOVERNANCE POLICY 1. Summary Information is a vital asset, both in terms of the clinical management

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy ID IG02 Version: V1 Date ratified by Governing Body 27/09/13 Author South Commissioning Support Unit Date issued: 21/10/13 Last review date: N/A Next review date: September

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY NWAS Information Governance Policy Page: Page 1 of 10 Date of Issue: January 2014 Date of Review February 2015 Recommended by Approved by Information Governance Management

More information

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY. December 2014

CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY. December 2014 CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY December 2014 DOCUMENT INFORMATION Author: Barbara Sansom Information Governance Manager Equality Impact Assessment Consultation & Approval

More information

Information Governance Plan

Information Governance Plan Information Governance Plan 2013 2015 1. Overview 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources.

USE OF PERSONAL MOBILE DEVICES POLICY

USE OF PERSONAL MOBILE DEVICES POLICY Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

SALISBURY NHS FOUNDATION TRUST

SALISBURY NHS FOUNDATION TRUST SALISBURY NHS FOUNDATION TRUST PAPER SHC 1738 TITLE Information Governance Policy PURPOSE OF PAPER The Information Governance Policy was first approved in April 2005. It is currently due for review to ensure

Information Governance Policy

Information Governance Policy Information Governance Policy Version: Revised: Consultation: Ratified by: 1.0 Information Governance Committee Governance Committee Date ratified: 19 March 2008 Name of originator/author: David McGrath

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Approved No impact NHS Quality, Safety

NHS Business Services Authority Information Governance Policy

NHS Business Services Authority Information Governance Policy NHS Business Services Authority Information Governance Policy NHS Business Services Authority Corporate Secretariat NHSBSAIGM002 Issue Sheet Document reference NHSBSAIGM002 Document location F:\CEO\IGM\Info

Information Management Policy CCG Policy Reference: IG 2 v4.1

Information Management Policy CCG Policy Reference: IG 2 v4.1 Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013 Information Governance Policy Version 1.0 June 2013 Copyright Notification Copyright London Borough of Islington 2012 This document is distributed under the Creative Commons Attribution 2.5 license. This

Policy Checklist. Head of Information Governance

Policy Checklist. Head of Information Governance Policy Checklist Name of Policy: Information Governance Policy Purpose of Policy: To provide guidance to all staff on their responsibilities regarding information governance and to ensure that the Trust

Information Governance Policy

Information Governance Policy Information Governance Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from August 2009 Date last amended August 2009

INFORMATION GOVERNANCE STRATEGY NO.CG02

INFORMATION GOVERNANCE STRATEGY NO.CG02 INFORMATION GOVERNANCE STRATEGY NO.CG02 Applies to: All NHS LA employees, Non-Executive Directors, secondees and consultants, and/or any other parties who will carry out duties on behalf of the NHS LA.

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

Information Governance Strategy 2015/16

Information Governance Strategy 2015/16 Information Governance Strategy 2015/16 Ratified Governing Body (November 2015) Status Final Issued November 2015 Approved By Executive Committee (August 2015) Consultation Equality Impact Assessment Internal

JOB DESCRIPTION. Information Governance Manager

JOB DESCRIPTION. Information Governance Manager JOB DESCRIPTION POST TITLE: Information Governance Manager DIRECTORATE: ACCOUNTABLE TO: BAND: LOCATION: CSS Head of Information Governance 8a CSS Job Purpose The Information Governance Manager will ensure

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY Report to the Trust Board 22 September 2015 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations: Director

NHS Business Services Authority Information Security Policy

NHS Business Services Authority Information Security Policy NHS Business Services Authority Information Security Policy NHS Business Services Authority Corporate Secretariat NHSBSAIS001 Issue Sheet Document reference NHSBSARM001 Document location F:\CEO\IGM\IS\BSA

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version: 3.2 Authorisation Committee: Date of Authorisation: May 2014 Ratification Committee Level 1 documents): Date of Ratification Level 1 documents): Signature of ratifying

INFORMATION GOVERNANCE HANDBOOK

INFORMATION GOVERNANCE HANDBOOK INFORMATION GOVERNANCE HANDBOOK SECTION ONE Author Tracey Burrows Role Information Governance Manager (CSCSU) Date / Version February 2015 Version FINAL V1.0 Approved by IM&T Board Date 27 February 2015

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

Data Protection Policy

Data Protection Policy Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

Information governance policy

Information governance policy Information governance policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSAIGM002a S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review IG Policy\Current

BIG LOTTERY FUND Document archive and retention policy

BIG LOTTERY FUND Document archive and retention policy BIG LOTTERY FUND Document archive and retention policy December 2010 Sonia Howe Head of Information Governance For further information regarding retention schedules please contact Page 1 of 18 Version

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

Information Governance Policy and Management Framework

Information Governance Policy and Management Framework Information Governance Policy and Management Framework Policy Number: IG01 Version: 3.0 Ratified by: Governing Body Date ratified: February 2016 Name of originator/author: Louise Chatwyn Information Governance

INFORMATION GOVERNANCE

INFORMATION GOVERNANCE This document is uncontrolled once printed. Please refer to the Trusts Intranet site (Procedural Documents) for the most up to date version INFORMATION GOVERNANCE NGH-PO-233 Ratified By: Procedural Document

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff.

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff. Information Governance Policy 1 SUMMARY This policy is intended to ensure that staff are fully aware of their Information Governance (IG) responsibilities, so that they can effectively manage and best

Subject Access Request (SAR) Procedure

Subject Access Request (SAR) Procedure Subject Access Request (SAR) Procedure East and North Hertfordshire Clinical Commissioning Group Page 1 of 16 DOCUMENT CONTROL SHEET Document Owner: Chief Finance Officer Document Author(s): Anne Ephgrave

Harper Adams University College. Information Security Policy

Harper Adams University College. Information Security Policy Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

Corporate Policy and Strategy Committee

Corporate Policy and Strategy Committee Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

CCG: IG06: Records Management Policy and Strategy

CCG: IG06: Records Management Policy and Strategy Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS North Durham Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Risk and Audit Committee/Governing

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY ENFIELD CLINICAL COMMISSIONING GROUP INFORMATION GOVERNANCE POLICY PLEASE DESTROY ALL PREVIOUS VERSIONS OF THIS DOCUMENT Enfield CCG Information Governance Policy Information Governance Policy (Policy

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy NHS Waltham Forest Clinical Commissioning Group Information Governance Policy Author: Zeb Alam & David Pearce Version 3.0 Amendments to Version 2.1 Updates made in line with National Guidance and Legislation

Information Assurance Policies and Guidance. Information Governance Policy. Document Version: v0.5 Review Date: 1 May 2016

Information Assurance Policies and Guidance. Information Governance Policy. Document Version: v0.5 Review Date: 1 May 2016 Information Assurance Policies and Guidance Information Governance Policy Document Version: v0.5 Review Date: 1 May 2016 Owner: Information Governance Manager Document History Revision Version

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:

Information Management Strategy. July 2012

Information Management Strategy. July 2012 Information Management Strategy July 2012 Contents Executive summary 6 Introduction 9 Corporate context 10 Objective one: An appropriate IM structure 11 Objective two: An effective policy framework 13

What NHS staff need to know

What NHS staff need to know St George s Healthcare NHS NHS Trust Surrey Health Informatics Service Sussex Health Informatics Service Records Management Explained What NHS staff need to know A guide to Records Management Contents

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications
