The Informatics Policy Information Governance Process

Transcription

1 Informatics Policy Information Governance Policy Ref: 3593

2 Policy Title Author/Contact Document Reference 3593 Pauline Nordoff-Tate, Information Assurance Manager Document Impact Assessed Yes/No Date: 28/10/11 Version 2 Status Approved Publication Date October 2011 Review Date October 2013 Approved by Peter Williams, Caldicott Guardian 28/10/11 Ratified by Information Governance Group (virtual meeting) 28/10/11 Distribution: Royal Liverpool and Broadgreen University hospitals NHS Trust-intranet using Sharepoint which will maintain the policy document in conjunction with each document author. Please note that the Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and as such, may not necessarily contain the latest updates and amendments. Version Date Comments Author Draft 29/06/2006 Initial document drafted for Neil Morgan review 1 30/11/06 Minor revisions Neil Morgan 1.1 March Minor revisions and placed Amanda Penketh 2007 into Trust format 1.2 May 09 Minor revision changed IT Darren Mort dept to HIS 1.3 July 2009 Minor revisions Mark Haynes 2 28/10/11 Reformatted to Trust standard and minor amendments Pauline Nordoff-Tate 2

3 Review Process Prior to Ratification NAME OF GROUP/DEPARTMENT/COMMITTEE DATE North Mersey HIS November 2006 Information Governance Group March 2007 Information Governance Group September 2009 Information Governance Group (virtual meeting) 28/10/11 3

4 Heading Table of Contents Page Number 1. INTRODUCTION Equality and Diversity 5 2. OBJECTIVE 5 3. SCOPE OF POLICY 5 4. POLICY Departmental Drive Personal Drive Local Hard Drive Prohibited Content Retention of Data 7 5. ROLES AND RESPONSIBILITIES Directorate Managers/Heads of Department Staff 8 6. ASSOCIATED DOCUMENTS AND REFERENCES 8 7. TRAINING AND RESOURCES 8 8. MONITORING AND AUDIT Recording and monitoring of equality & diversity 9 4

5 1. Introduction In order to improve and assist healthcare provision, the Trust provides all staff and departments with shared and individual network storage space. This document details the policy and procedures for the utilisation and management of all Trust Network drives. The Trust provides network drive storage through both departmental and personal drive space. This storage space is provided to ensure that all appropriate Trust data is stored in a secure and robust environment. Due to the vast amount of data utilised within the Trust, it is essential that network drives are maintained in an appropriate manner. Failure to manage storage may result in poor performance and have a financial implication upon the Trust through the requirement to procure extra, unnecessary storage space. 1.1 Equality and Diversity The Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and manuals. This manual should be implemented with due regard to this commitment. This manual can be made available in alternative formats on request including large print, Braille, Moon, audio and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance 2. Objective The objectives of this document are: To raise staff awareness of how to manage the departmental and personal network drives in relation to the storage of data. To ensure that network drives provided are utilised in an appropriate manner and in accordance with related Trust policies. 3. Scope of Policy This policy intends to document the procedures and processes to be undertaken in order to store data on various available drives, and the responsibilities staff have in relation to this. 5

6 4. Policy 4.1 Departmental Drive This drive contains generic information and files which are used by many different people within the department/directorate. This is a trusted departmental area. Access to these drives should be through a Line Manager s request direct from their address to the Service Desk, with the appropriate shared drive referenced accordingly. All data stored upon a departmental drive MUST be work related. The storage of non-work or inappropriate content is strictly prohibited and may result in disciplinary action. 4.2 Personal Drive An R drive is a personal network area in which you can save draft documents you are working upon for which no one else requires access to. All data stored within an R Drive MUST be work related. The storage of any data that is non-work related, or may be defined as prohibited content, is in direct contravention of this policy and may result in disciplinary action. If a member of staff wishes to store non-work related material, then approval must be received from the relevant line manager. Staff should be aware that their managers will have the right to access R: drives in the unexpected event that they are absent from work, and where there is a need based on business continuity. 4.3 Local Hard Drive A local hard drive is the C drive of a Trust PC or laptop. No data, whether it is work related data or non-work related data should be stored on a local hard drive, as this is not backed up by the Trust and has the potential to be lost. 4.4 Prohibited Content Prohibited content is defined as any material that is non-work related, examples of such content are as follows: Music files Movie files Image files 6

7 Any other multimedia content Inappropriate content (as defined by the and Internet Use and Monitoring Policy) Software Installation Packages (ISO, EXE, ZIP files etc) Games This list is not exhaustive. The storage of such material may be in contravention of legislative and Trust requirements and staff may be subject to disciplinary action. 4.5 Retention of Data Staff must ensure that any data stored upon a departmental or personal drive is stored in accordance with this policy. Any obsolete or redundant data should be removed either permanently or archived locally, if required. For further information relating to the retention of data please see the Records Management Policy. 5. Roles and Responsibilities This Policy is the responsibility of the. 5.1 Directorate Managers/Heads of Department Directorate Managers/Heads of Department are responsible for ensuring that all staff within their departments are aware of: This policy and its contents How to obtain a copy if required Their own responsibilities and obligations to comply with its procedures To ensure that security breaches are investigated and reported in line with Trust procedures It is the responsibility of all staff to familiarise themselves with this policy and all related Informatics policies and documentation where applicable and to ensure high standards of data protection are met. This policy is applicable to any contractors or external agencies that have cause to handle personal information on behalf of the Trust. They must therefore ensure that data protection standards are met. The Medical Director (Caldicott Guardian) and Director of Information Management and Technology (IM&T) have senior responsibility reporting to the Trust Board. The Information Governance Group will oversee policy setting and implementation of the governance agenda. 7

8 The Information Security Officer has responsibility for the IT security element of the data protection agenda. Each computer system/database will have a designated application and/or system manager who will also act as Information Asset Owner and is responsible for enforcing this policy. The IT Security Officer will maintain a list of these nominated personnel. 5.2 Staff All staff that have access to a network drive must ensure that they understand and comply with the requirements detailed within this policy. It must be noted that failure to adhere to the requirements of this policy can result in poor network drive performance and have an adverse impact upon critical Trust clinical and operational systems. 6. Associated documents and references The following documents support the implementation of this policy: Copyright, Designs and Patents Act (1988) Data Protection Act (1998) Freedom of Information Act (2000) Regulation of Investigatory Powers Act (2000) Obscene Publications Act (1964) HSC 1999/053 For The Record ISO27001 Code of Practice for Information Security Information Assurance Policy Records Management Policy 7. Training and resources The IT team will ensure that there is a robust network drive structure present, providing that the operational requirements of this document are adhered to. The team has the technological capability to and will perform periodic reviews of the Network drives to ensure compliance with the requirements of this Policy. 8. Monitoring and audit The Information Governance Group is the Trust Committee with responsibility for the formulation of Information Governance Policies and approval of work programmes. This group has senior level representation 8

9 from all appropriate areas to ensure the Trust steers this agenda appropriately. The Information Governance Toolkit (IGT) will be used by the Trust to conduct baseline audit and construct action plans for future compliance with this agenda. The Risk Manager will maintain a Trust corporate risk register which is populated on the Datix system and is the responsibility of all staff within the organisation. 8.1 Recording and monitoring of equality & diversity The Trust understands the business case for equality and diversity and will make sure that this is translated into practice. Accordingly, all policies and procedures will be monitored to ensure their effectiveness. Monitoring information will be collated, analysed and published on an annual basis as part of our Single Equality and Human Rights scheme. The monitoring will cover all strands of equality legislation and will meet statutory employment duties under race, gender and disability. Where adverse impact is identified through the monitoring process the Trust will investigate and take corrective action to mitigate and prevent any negative impact. The information collected for monitoring and reporting purposes will be treated as confidential and it will not be used for any other purpose. 9