Information governance policy

Transcription

1 Information governance policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSAIGM002a S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review IG Policy\Current and Final NHS Business Services Authority Information governance policy Gordon Wanless All NHSBSA staff For information / action Last reviewed 16 January 2014 Revision details Version Date Amended by Approved by Details of amendments Initial release IGSG The third last bullet point in to include reference to EIR and PSI. Amend affordable in the last bullet point in to be cost-effective. The fourth bullet point in to include reference to EIR and PSI. a C Dunn & C Gooday IGSG Add within cost and resource restraints at the end of the third bullet point in Amendments to reflect PCI DSS Compliance 3.2 Review period changed from periodically to annually Final\NHSBSAIGM002a - NHSBSA Information Governance Policy.doc 1

2 Contents 1. Introduction 2. Policy statement 3. Principles 4. Scope of this policy 5. Policy 6. Information governance responsibilities 7. Validity of this policy Appendix A. Information governance management system overview B. Information governance documentation and materials overview 1. Introduction 1.1 The information held by the NHS Business Services Authority (NHSBSA) represents one of our most valuable assets. Without that information the NHSBSA could not operate. It is therefore essential that all information and information systems at the NHSBSA's sites are protected against the many threats which may affect confidentiality and overall service provision. Such threats can range from accidental damage to deliberate disclosure of sensitive information. 1.2 Information security is the responsibility of every member of staff in the NHSBSA. The information systems currently in use employ technical processes to help in maintaining the confidentiality, integrity and availability of the information they hold. However, these security measures can be weakened through careless actions such as writing down or sharing a password. 1.3 The scope of this Information Governance (IG) policy is to support the protection, control and management of NHSBSA s information assets. The policy is concerned with all information systems, electronic and non-electronic, and will apply to all divisions, sites and departments in the NHSBSA, to all NHSBSA staff and as appropriate to its contractors and third party service providers. It will cover all information within the NHSBSA, which could include data and information that is: stored on computers transmitted across internal and public networks such as or intranet/internet stored within databases printed or hand written on paper, white boards etc. Final\NHSBSAIGM002a - NHSBSA Information Governance Policy.doc 2

3 sent by facsimile (fax), telex or other communications method stored on removable media such as CD-ROMs, hard disks, tapes and other similar media stored on fixed media such as hard disks and sub-systems held on film or microfiche presented on slides, overhead projectors, using visual and audio media spoken during telephone calls and meetings or conveyed by any other method. 1.4 The NHSBSA is committed to properly protecting the information that it holds. This policy and associated practices and procedures have been agreed by the NHSBSA Leadership Team and Senior Management of the NHSBSA. 2. Policy statement 2.1 This document defines the IG policy for the NHSBSA. 2.2 The IG policy applies to all information obtained and processed by the NHSBSA and the NHSBSA s employees. 2.3 This document: sets out the NHSBSA s policy for the protection of all information obtained and processed establishes the responsibilities for IG. 3. Principles 3.1 There are four key interlinked strands to this policy: Openness: Openness Legal compliance Information security Quality assurance The NHSBSA recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. Information will be defined and where appropriate kept confidential, underpinning the principles of Caldicott and the regulations outlined in the Data Protection Act 1998 (DPA). Non-confidential information about the NHSBSA and services will be available to the public through a variety of Final\NHSBSAIGM002a - NHSBSA Information Governance Policy.doc 3

4 means, one of which will be the provisions of the Freedom of Information Act 2000 (FOIA). There will be clear procedures and arrangements for handling queries from members of the public. The NHSBSA will have clear procedures and arrangements for liaison with the press and broadcasting media. Integrity of information will be developed, monitored and maintained to ensure that it is appropriate for the purposes intended. Availability of information for operational purposes will be maintained within set parameters relating to its importance via appropriate procedures and computer system resilience. The NHSBSA regards all identifiable personal information relating to members of the public as confidential, compliance with legal and regulatory framework will be achieved, monitored and maintained. The NHSBSA regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise. The NHSBSA will establish and maintain policies and procedures to ensure compliance with the DPA, Human Rights Act 1998 (HRA), the common law duty of confidentiality, Environmental Information regulations 2004 (EIR), the Re-use of Public Sector Information regulations 2005 (PSI) and the FOIA. The NHSBSA will ensure compliance with Payment Card Industry (PCI) Data Security Standard (DSS). Awareness and understanding of all staff, with regard to their responsibilities, will be routinely assessed, recorded and appropriate training and awareness provided. Risk assessment, in conjunction with overall priority planning of NHSBSA activity will be undertaken to determine appropriate, cost-effective IG controls are in place Legal compliance: The NHSBSA regards all identifiable personal information relating to members of the public as confidential. The NHSBSA will undertake or commission annual assessments and audits of its compliance against legal requirements. The NHSBSA regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise. The NHSBSA will establish and maintain policies and procedures to ensure compliance with the DPA, HRA, the common law duty of confidentiality, EIR, PSI and the FOIA. The NHSBSA will establish and maintain policies for the controlled and appropriate sharing of patient identifiable information with other agencies, Final\NHSBSAIGM002a - NHSBSA Information Governance Policy.doc 4

5 taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act) Information security: The NHSBSA will establish and maintain policies for the effective and secure management of its information assets and resources. Audits will be undertaken or commissioned to assess information and IT security arrangements. The NHSBSA s incident reporting system will be used to report, monitor and investigate all breaches of confidentiality and security Information quality assurance: The NHSBSA will establish and maintain policies for information quality assurance and the effective management of records. Audits will be undertaken or commissioned of the NHSBSA s quality of data and records management arrangements. Managers will be expected to take ownership of, and seek to improve, the quality of data within their services within cost and resource restraints Wherever possible, information quality will be assured at the point of collection. The NHSBSA will promote data quality through policies, procedures/user manuals and training. 3.2 This policy and any associated procedures will be reviewed annually by the NHSBSA Leadership Team. Where review is necessary due to legislative change this will happen immediately. 3.3 In accordance with the NHSBSA s Equality and diversity policy, this policy will not discriminate, either directly or indirectly, on the grounds of gender, race, colour, ethnic or national origin, sexual orientation, marital status, religion or belief, age, union membership, disability, offending background or any other personal characteristic. 4. Scope of this policy This policy covers all forms of information held by the NHSBSA, including (but not limited to): information about members of the public non NHSBSA employees on NHSBSA premises staff and personnel information organisational, business and operational information cardholder data. Final\NHSBSAIGM002a - NHSBSA Information Governance Policy.doc 5

6 4.2 This policy applies to all aspects of information handling, including (but not limited to): structured record systems - paper and electronic information recording and processing systems whether paper, electronic, video or audio records information transmission systems, such as fax, , portable media, post and telephone. 4.3 This policy covers all information systems purchased, developed and managed by / or on behalf of, the NHSBSA and any individual directly employed or otherwise by the NHSBSA. 5. Policy 5.1 IG is the function of corporate governance that ensures the confidentiality, integrity and availability of the NHSBSA s information assets. It is concerned with the facilitation of delivering accurate contextual information to those who require it for a recognised purpose, whether they be manager, administrator, supporting staff, service user or a member of the public, whilst complying with the legal and regulatory framework. 5.2 An information governance management system (IGMS), including associated policies, procedures, protocols and guidelines and the ongoing monitoring thereof, ensures that the risks to such information assets are identified, assessed and adequately controlled in compliance with: the current legislative framework applicable NHS codes of practice and regulations recognised best practice for information handling and information security information governance toolkit requirements PCI DSS. 5.3 Developing an overall IGMS will include: the definition of an IG policy and strategy the identification (audit) of all existing information assets and the documentation thereof in a suitable information asset register completion of a formal risk assessment, identify threats and vulnerabilities to assets and systems and the potential associated impacts on delivery that each risk eventually would cause assessment, costing, selection and implementation of appropriate controls, and the developing of procedure and process-related documentation production of a Statement of Applicability (SOA) and the final combining of documentation to allow, if desired, formal accreditation to the adopted Final\NHSBSAIGM002a - NHSBSA Information Governance Policy.doc 6

7 standard of information security (ISO/IEC 27001:2005 (formerly BS :2002)) the ongoing monitoring of the effects of the IGMS and SOA and the review of controls accordingly management of the IG toolkit annual production of an Attestation of Compliance with PCI DSS. 6. Information governance responsibilities 6.1 It is the role of the NHSBSA Leadership Team to define the NHSBSA s policy in respect of IG, taking into account legal and NHS requirements. The NHSBSA Leadership Team is also responsible for ensuring that sufficient resources are provided to support the requirements of the policy. 6.2 The NHSBSA Leadership Team members, whilst retaining their legal responsibilities, have delegated IG compliance to the NHSBSA Information Governance and Security Group (IGSG). 6.3 The IGSG is responsible for overseeing day to day IG issues; developing and maintaining policies, standards, procedures and guidance, coordinating IG in the NHSBSA and raising awareness of IG. 6.4 Managers within the NHSBSA are responsible for ensuring that this policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance. 6.5 All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis. 7. Validity of this policy 7.1 This policy is designed to avoid discrimination and be in accordance with the HRA and its underlying principles. 7.2 This policy should be reviewed annually under the authority of the NHSBSA Leadership Team members. Associated IG standards should be subject to an ongoing development and review programme. Final\NHSBSAIGM002a - NHSBSA Information Governance Policy.doc 7

8 Appendix A Information governance management system overview Information Governance Management System Data Protection Freedom of Information Information Security Business Continuity Records Management Information Governance Policy Procedure Policy Procedure Policy Procedure Policy Policy Records Register Policy Strategy Procedure Subject Access Requests Requests for Information Disclaimer Information Governance Confidentiality Code of Practice Internal Review Incident Reporting Acceptable Use (inc. Monitoring) Policy Asset Register

9 Appendix B Information governance documentation and materials overview Policy Information governance management system (IGMS) Consists of policies on: o data protection o freedom of information o acceptable use o information security o business continuity o records management o information governance. The IGMS sets high level direction and required standards across the NHSBSA. This is supported where necessary by procedures and specific guidance documents, where the required controls are explained in detail. Procedure and guidance Data protection procedure Freedom of information procedure guidance document Internet guidance document Records register Responsibilities and key awareness messages for all staff are contained in the IGMS and guidance documents, but also in two key documents that have been written specifically to be accessible to all staff as detailed below: Awareness all staff Confidentiality code of practice summary leaflet Acceptable use staff agreement In addition to the code of practice leaflet and the acceptable use staff agreement, a reference pack of guidance will be available online.

10 Reference available to all Information handling reference pack, including: o awareness materials for staff and public o guidance on providing access to patient type records (patients, relatives, children, deceased and solicitors) o information sharing documentation (police, research, children) o freedom of information process documentation o communication guidance (fax, phone etc.). This pack will be updated regularly. Computer based materials: o Screen saver o Acceptable use challenge o Data protection/freedom of information/information security awareness training.