Information Governance and Data Protection Policy

Transcription

1 Information Governance and Data Protection Policy Page 1 of 21

2 Document Control Sheet Name of document: Version: Owner: File location / Filename: Information Governance and Data Protection Policy Final Head of Corporate Affairs NNCCG/DC/Policy Date of this version: December 2013 Produced by: Synopsis and outcomes of consultation undertaken: Synopsis and outcomes of Equality and Diversity Impact Assessment: Approved by (Committee): Head of Corporate Affairs This policy has been reviewed and updated from the Cluster s policy in this regard and follows national legislation and guidance No adverse impact identified Executive Team Date ratified: 14 th January 2014 Copyholders: Next review due: December 2015 Enquiries to: Revision History Head of Corporate Affairs, Corporate Affairs Officer Head of Corporate Affairs Revision Date Summary of changes Author(s) Version Number 31/12/13 Addition of Information Governance Framework and reference to the responsibilities of the Audit Committee, Caldicott Guardian and Senior Information Risk Owner (SIRO) Chrissy Jackson V1.1 Approvals This document requires the following approvals either individual(s), group(s) or board. Name Title Date of Issue Version Number Audit Committee 14/01/2014 V1.1 Page 2 of 21

3 Contents 1. Introduction Scope Data Protection Act Information Governance Management Framework Monitoring Appendix 1 Job Description: Senior Information Risk Owner (SIRO) Appendix 2 Job Description: Caldicott Guardian Appendix 3 Audit Committee Terms of Reference Appendix 4 Information Governance Framework

4 1. Introduction 1.1 Information is a vital asset and needs to be managed securely by NHS organisations. Appropriate policies, guidance, accountability and structures must be in place to support the governance and confidentiality of information in order to support the organisation s strategic business aims. 1.2 Information Governance is defined as a framework for handling information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service (Information Security Management: NHS code of Practice, 2007). 1.3 For the purposes of this policy; Information is defined as personal-identifiable (patient and staff), sensitive and commercially sensitive information. Personal-identifiable data is any information relating to an identified or identifiable person (the data subject). An identified or identifiable person is one who can be identified, directly or indirectly, by reference to an identification number (NHS number) or one or more factors specific to their physical, physiological, mental, economic, cultural or social identity. 2. Scope 2.1 This policy outlines the principles of information governance and Data Protection that are applied to North Norfolk Clinical Commissioning Group (NNCCG / the Group) and its member practices. 2.2 The policy applies to both manual and electronic records and incorporates the development of a robust information governance framework for the effective management and protection of organisational and personal information and the CCG s strategic objective towards the management of information risk. 2.3 The CCG s information governance objectives are: To hold information securely and confidentially in accordance with the Confidentiality NHS Code of Practice 2003 and Common Law duty of confidentiality; To obtain information fairly and efficiently in accordance with the Data Protection Act 1998; To record information accurately and ethically in accordance with the Record Management NHS Code of Practice 2006; and To share information appropriately and lawfully in accordance with the NHS Health and Social Care Act 2012 and Access to Health Records Act This policy applies to all staff who work for NNCCG including contractors and members of the Governing Body. 3. Data Protection Act 3.1 NNCCG is committed to compliance with the requirements of the Data Protection Act 1998 ( the Act ) and will ensure that all employees, contractors, agents, consultants and partners who have access to any personal data held by or on behalf of the Group are fully aware of and abide by their duties and responsibilities under the Act. In order to 4

5 operate efficiently, the Group has to collect and use information about people with whom it works, including patients, members of the public, employees (current, past and prospective), clients and customers, and suppliers. In addition, it may be required by law to collect and use information in order to comply with the requirements of the Department of Health. This personal information must be handled and managed appropriately, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means. 3.2 The Data Protection Act 1998 governs how we collect, store, process and share data. The Act dictates that information should only be disclosed on a need to know basis. Printouts and paper records must be treated carefully and disposed of in a secure manner. Staff must not disclose information outside their line of duty. 3.3 The Group will register its data holdings with the Information Commissioners Office (ICO) with effect from 1 st April 2013 in its capacity as a Data Controller, identifying the purposes for holding the data, how it is used and to whom it may be disclosed. Therefore all applications/databases must be registered in compliance with this policy and the 8 Data Protection Principles. The Head of Corporate Affairs will act as Data Protection officer for the Group and manage the validity of its registration. The Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to register with the ICO, unless they are exempt. Failure to notify is a criminal offence. Register entries have to be renewed annually. Failure to renew a registration is a criminal offence. 3.4 Data controller means a person who [either alone or jointly or in common with other persons] determines the purpose for which, and the manner in which any personal data is, or will be, processed. A data controller must be a person recognised in law, that is to say: individuals; organisations; and other corporate and unincorporated bodies of persons. Data controllers will usually be organisations, but can be individuals, for example selfemployed consultants. Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller. In relation to data controllers, the term jointly is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term in common applies where two or more persons share a pool of personal data that they process independently of each other. Data controllers must ensure that any processing of personal data for which they are responsible complies with the Act. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals. 3.5 Data Subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about. The Act does 5

6 not count as a data subject an individual who has died or who cannot be identified or distinguished from others. 3.6 Data processor, in relation to personal data, means any person [other than an employee of the data controller] who processes the data on behalf of the data controller Data Protection principles Personal data shall be processed fairly and lawfully; Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes; Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed; Personal data shall be accurate and, where necessary, kept up to date; Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes; Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998; Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and Personal data shall not be transferred to a county or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal. 3.8 Data Subject Access The Data Protection Act gives rights to a copy of the information held about a person. This is known as a subject access request An individual can request access to information regardless of the media in which it may be held Data Retention schedules are detailed in the DOH Records Management: NHS Code of Practice NNCCG will ensure that the general public, staff, including volunteers, locums, temporary employees and patients are aware of why the NHS needs information about them, how this is used and to whom it may be disclosed by the use of leaflets, its website and the websites of member practices. Statements about Data Protection will be included on all forms requesting personal identifiable information. 3.9 Information Sharing There are Acts of Parliament that govern the disclosure/sharing of personal patient information - some make it a legal requirement to disclose and others describe information that cannot be disclosed. NNCCG is a signatory to the Norfolk-wide Information Sharing Protocol and the associated supporting 6

7 agreements with a wide range of third parties to demonstrate the organisation s commitment to appropriate information sharing. The document is managed and held by Norfolk County Council, which holds a current list of signatories. 4. Information Governance Management Framework 4.1 The IG Management Framework provides an overview of how NNCCG will manage the IG agenda. IG Management Framework Senior roles Together, the Senior Information Risk Owner (SIRO), Caldicott Guardian and IG Lead are accountable for: ensuring effective management, accountability, compliance and assurance for all aspects of IG; ensuring there is top level awareness and support for IG; providing direction in formulating, establishing and promoting IG policies; ensuring assessment and audit of IG policies; reporting regularly to the Audit Committee on IG; ensuring the approach to IG is communicated to all staff; ensuring appropriate training is made available to staff in line with the NHS Operating Framework 2010/11; ensuring compliance with law and national guidance; promoting risk assessment and mitigation of IG risks, using Information Risk Management processes and escalating to the Assurance Framework as required; providing advice to staff on using, maintaining, transferring and sharing sensitive information; and act as the conscience of the organisation in relation to the handling and sharing of patient identifiable information and advising on lawful and ethical processing of information. The role of the SIRO, as referred to in Appendix 1 is to: oversee the development of an Information Risk Management Policy, and a Strategy for implementing the policy within the Information Governance Framework; take ownership of the risk assessment process for information risk, including review of the annual information risk assessment to support and inform the Statement of Internal Control; review and agree an action plan in respect of identified information risks; ensure that the Group s approach to information risk is effective in terms of resource commitment; provide a focal point for the resolution and/or discussion of information 7

8 risk issues; and ensure the Governing Body is adequately briefed on information risk issues. The role of the Caldicott Guardian, as referred to in Appendix 2 is to: champion confidentiality issues at Governing Body/Executive Team level and act as both the conscience of the organisation and as an enabler for appropriate information sharing; and ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures. Key Policies The following policies have been established and adopted by NNCCG as the foundation of the IG Management Framework: Norfolk Overarching Information Sharing Protocol Information Lifecycle and Records Management Policy Information Risk Policy Freedom of Information Act 2000 and Environmental Information Regulations 2004, Managing Requests for Information and Publication Scheme Information Governance Serious Incident Requiring Investigation Policy Privacy Impact Assessment Policy Risk Management Strategy and Assurance Framework Disciplinary Policy Staff Leavers Policy NNCCG will observe the following policies in respect of services commissioned under SLA from the Commissioning Support Unit (CSU) Information and IT Security Policy Registration Authority Policy Mobile and Homeworking Policy Key Governance Bodies Resources The Audit Committee oversees the IG agenda and is the main steering group for IG/Information Security. The Audit Committee reports to the Governing Body which reports to the Council of Members. Key staff (responsibilities highlighted in Job Descriptions):- Head of Corporate Affairs: Data Protection Officer, maintaining the Data Protection registration with the Information Commissioner; IG Facilitator; Corporate Records Manager; Corporate Affairs Officer: responsible for the delivery of the CCG s IG 8

9 agenda; oversees complaints and delivery of Freedom of Information requests commissioned under SLA from the Commissioning Support Unit (CSU) Head of Business Intelligence: responsible for Data Quality IT Security Manager: commissioned under SLA from the Commissioning Support Unit (CSU) Chief Information Officer: commissioned under SLA from the Commissioning Support Unit (CSU) Registration Authority Manager: commissioned under SLA from the Commissioning Support Unit (CSU) Information Asset Owners (IAOs) and Administrators (IAAs) Governance Framework Information Asset Owners (IAOs) will be identified, provided with training and support and will carry out risk assessments on the information assets they are responsible for, to protect against unauthorised access or disclosure and to support the SIRO IAOs will ensure the integrity of information within their area; they will understand what information is held, what is added and what is removed, and who has access and why. As a result they will understand and address risks to the information. Information Asset Administrators are tasked with ensuring all Information Assets are recorded, mapped and risk assessed within their area. All third party contracts will be clear with regard to IG expectations. All managers and staff will have key IG responsibilities as part of their job descriptions and contracts. They will be familiar with the relevant policies, have attended appropriate training, support the IAOs and ensure that all patient/personal identifiable information is accurate, relevant, upto-date and used appropriately, both in electronic and manual form, and kept secure. The Disciplinary policy will clearly outline the procedures for managing breaches with contracts and policies. A failure to adhere to this policy and its associated procedures may result in disciplinary action. The Data Protection Work Programme, managed by the CSU, will ensure compliance with all aspects of the Data Protection Act and related provisions. It will promote awareness throughout the organisation and ensure service users are provided with information on their rights under data protection legislation Freedom of Information, The CCG will make available, upon request, non-confidential information about the organisation and the services it commissions through a variety of media and in accordance with the Freedom of Information Act The CCG will commission under SAL with the Commissioning Support Unity (CSU) annual assessments and audits of its FOI responsibilities. Training & Guidance IG Mandatory e-learning training for all staff using the DH IG Training Tool (IGTT) available at 9

10 learning.connectingforhealth.nhs.uk/igte/index.cfm Training is role-specific. Specialised IG and Data Protection Act training is available according to Training Needs analysis from annual appraisal and PDPs, including the Caldicott Guardian, SIRO and Information Asset Owners (IAOs) Newsletters and support will be provided to staff and member practices for all aspects of information governance and completion of their IG toolkits Responsibility of Users Users of information registered as a data holding of the CCG, in their capacity as a Data Controller, will: Be aware of their responsibilities, both legal and contractual; Comply with policies and procedures used by the CCG; and Work within the principles outlined in the Information Governance Framework Incident Management The Information Governance Serious Incident Requiring Investigation Policy outlines NNCCG s approach to reporting and investigating all incidents, including actual and potential breaches of confidential and person identifiable information, IT security issues, and RA incidents (including loss of Smartcards) in line with the guidance provided within the Health and Social Care Information Centre (HSCIC) Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requirement Investigation (IG SIRI). Lessons learned will be shared across the organisation and member practices. Information Risk Management Data security loss and confidentiality breach incidents will be reported in the Governance Statement in the Annual Report, in accordance with SIRO guidance, Gateway 9571 and IG toolkit requirement 349. The CSU will ensure an up to date business continuity plan for the organisation, including specific plans for IT and information systems, is maintained. The core principle of information risk assessment and management requires the identification and quantification of information security risks in terms of the perceived value of the asset, severity of impact and the likelihood of occurrence. Once identified, information security risks will be managed on a formal basis. They will be recorded within the Risk Register and managed in accordance with the CCG s Risk Management Assurance Framework. The risk register and all associated actions will be reviewed at regular intervals. Any implemented information security arrangements will also be regularly reviewed feature of NNCCG s risk management programme. These reviews will help identify areas of continuing best practice and possible weakness, as well as potential risks that may have arisen since the last review was completed. 10

11 5 Monitoring 5.1 Appendix 4 depicts the reporting infrastructure that supports the Information Governance Framework. 5.2 The Audit Committee will formally monitor the implementation and performance of this policy by: reviewing progress against the IG Toolkit; considering IG risk mitigation plans; ensuring a programme of internal/external audit reviews (including audit of the IG toolkit self-assessment); and monitoring the implementation of audit recommendations. 5.3 The Governing Body will sign off the IG Toolkit submission. 5.4 Breaches of data and information security, and of this policy, must be reported using the Incident Reporting system and/or Serious Incident Policy (depending on severity). Incident trend reports will be regularly reviewed by the Audit Committee. 5.5 The Chief Finance officer, as SIRO, will receive an annual review of information risk to support their written advice to the Chief Officer, as detailed in the Governance Statement. 5.6 Business continuity plans for IT and information systems will be regularly tested by the CSU and reported to the Audit Committee. 5.7 The Group will use the complaints system to respond effectively to complaints in connection with the Data Protection Act and information governance. If the complainant is dissatisfied with the response, they will be referred to the Information Commissioner and Health Service Ombudsman. 5.8 Training data will be reviewed by the Executive Team. 11

12 Appendix 1 J O B D E S C R I P T I O N JOB TITLE: ACCOUNTABLE TO: SENIOR INFORMATION RISK OFFICER (SIRO) CHIEF OFFICER JOB SUMMARY The Senior Information Risk Owner (SIRO) will be a Senior Management Governing Body Member who will take overall ownership of the Organisation s Information Risk Management Policy, act as champion for information risk on the Governing Body and provide written advice to the Chief Officer on the content of the CCG s Annual Governance Statement with regard to information risk. The SIRO is expected to understand how the strategic business goals of the CCG and how other NHS organisations business goals may be impacted by information risks, and how those risks may be managed. The SIRO will implement and lead the NHS Information Governance (IG) risk assessment and management processes within the CCG and advise the Governing Body on the effectiveness of information risk management. The SIRO will receive training as necessary to ensure they remain effective in their role as Senior Information Risk Officer. KEY RELATIONSHIPS Within the CCG: Chief Officer and other Governing Body members Head of Corporate Affairs (IG Lead) Information Asset Owners Information Security Manager Programme Managers Caldicott Guardian, although ownership of the Information Risk Management Policy and risk assessment processes will remain with the SIRO. Regularly has contact with: Chief Executives, other Senior Information Risk Owners, Caldicott Guardians and Information Governance Leads of Department of Health and other NHS Organisations KEY RESPONSIBILITIES 1. Policy and process Oversee the development of an Information Risk Management Policy. This should include a Strategy for implementing the policy within the existing Information 12

13 Governance Assurance Framework and be compliant with NHS IG policy, standards and methods. Take ownership of the assessment processes for information risk, including prioritisation of risks and review of the annual information risk assessment to support and inform the Annual Governance Statement. Ensure that the Governing Body and the Chief Officer are kept up to date and briefed on all information risk issues affecting the organisation and its business partners. Review and agree actions in respect of identified information risks. Ensure that the CCG s approach to information risk is effective in terms of resource, commitment and execution, being appropriately communicated to all staff. Provide a focal point for the escalation, resolution and/or discussion of information risk issues. Ensure that an effective infrastructure is in place to support the role by developing a simple Information Assurance governance structure, with clear lines of Information Asset ownership and reporting with well-defined roles and responsibilities 2. Incident Management Ensure that identified information threats and vulnerabilities are followed up for risk mitigation, and that perceived or actual information incidents are managed in accordance with NHS IG Serious Incidents Requiring Investigation (IG SIRI) procedures. To ensure that there are effective mechanisms in place for reporting and managing IG SIRIs relating to the information of the CCG. These mechanisms should accommodate technical, operational or procedural improvements arising from lessons learnt. 3. Leadership TRAINING Provide leadership for Information Asset Owners (IAOs) of the CCG through effective networking structures, sharing of relevant experience, provision of training and creation of information risk reporting structures. Advise the Governing Body on the level of Information Risk Management performance within the CCG, including potential cost reductions and process improvements arising etc. The SIRO will be required to undertake information risk management training at least annually to be able to demonstrate their skills and capabilities are up to date and relevant to the needs of the organisation. Signed:... Print Name:... Dated:... 13

14 Appendix 2 J O B D E S C R I P T I O N JOB TITLE: ACCOUNTABLE TO: CALDICOTT GUARDIAN CHIEF OFFICER JOB SUMMARY: The appointment of a Caldicott Guardian was one of the recommendations of the Caldicott Report published in December The role of the guardian is to safeguard and govern uses made of patient information within the CCG s, as well as data flows to other NHS and non-nhs organisations. Caldicott Guardianship is a key component of broader information governance. The Guardian is responsible for the establishment of procedures governing access to, and the use of, person-identifiable patient information and, where appropriate, the transfer of that information to other bodies. In addition to the principles developed in the Caldicott Report, the Guardian must also take account of the codes of conduct provided by professional bodies, and guidance on the Protection and Use of Patient Information and on IM&T security disseminated by the Department of Health, including the NHS Confidentiality Code of Practice WORKING RELATIONSHIPS The Caldicott Guardian will be expected to liaise and work with Service Managers and the Governing Body in the course of promoting Caldicott principles, which will include attendance at various meetings as appropriate. The Caldicott Guardian will work closely with records management, HR and IM&T. Through an established network of NHS and Social Services representatives, the Caldicott Guardian also contributes to the peer review and interpretation of local or national confidentiality issues and the development of standards throughout the local health and social care community and partner organisations. The Caldicott Guardian is supported by the IG Lead. TIME COMMITMENT The amount of time spent on Caldicott work will vary from week to week depending on scheduling of meetings and ad hoc demands etc.; however it is estimated that on average the time commitment will equate to one clinical session per week (1 SPA). 14

15 KEY TASKS 1. PRODUCTION OF PROCEDURES, GUIDELINES AND PROTOCOLS 1.1 To oversee development and implementation of procedures that ensure that all routine uses of person-identifiable patient information are identified, agreed as being justified and documented. 1.2 To oversee development and implementation of criteria and a process for dealing with ad hoc requests for person-identifiable patient information for non-clinical purposes. 1.3 To ensure standard procedures and protocols are in place to govern access to personidentifiable patient information. 1.4 Ensure protocols for releasing information for research and audit are in line with applicable information governance standards. 1.5 To understand and apply the principles of confidentiality and data protection as set out in the DH publication Confidentiality: NHS Code of Practice, and, where current practice falls short of that required, to agree challenging and achievable improvement plans. 2 INFORMATION FOR STAFF 2.1 To ensure standard information governance procedures and protocols are in an understandable format and available to staff. 2.2 To ensure raised awareness, through training and education, of the standards of good information governance practice and Caldicott principles, and that they are understood and adhered to. 3 INFORMATION SHARING TO SUPPORT CARE 3.1 To work with other care providers and linked agencies to facilitate better sharing of relevant information about patients, in a manner that facilitates joined-up care across institutional boundaries while ensuring that patients legal rights and Caldicott Principles are maintained. 3.2 To that end, ensure establishment of Information Sharing Protocols, in line with guidance provided by the Department of Health, to govern the use and sharing of patient-identifiable information between organisations both within and outside the NHS. 3.3 In collaboration with the IG Lead to draw to the attention of all staff through raising general awareness ( bulletins, Team Brief, and any other suitable means identified) correct practices in relation to person identifiable patient information, following specific incidents where procedures, guidelines and protocols have been breached by staff. 4 STRATEGIC 4.1 To ensure that the CCG, in its development of strategy and process to implement the various elements of Connecting for Health, especially the National Care Record Service (NCRS), maintains its compliance with Caldicott Principles and other relevant legislation. 4.2 Specifically this will include, but not be limited to: Advising on staff registration and authentication processes 15

16 Assignment of appropriate role profiles to staff Advising on workgroup construction for access control purposes Ensuring that confidentiality alerts and audit trail monitoring are effectively managed 4.3 To keep abreast of developments within Connecting for Health, and in particular the opportunities for safeguarding patient information through promoting use of anonymised or coded data obtained via the Secondary Uses Service (SUS). 5 REPORTING 5.1 In collaboration with the IG Lead, to draw to the attention of the relevant manager any occasion where the appropriate procedures, guidelines and protocols may have not been followed. 5.2 To raise concerns about any inappropriate uses made of patient information with the Chief Officer where necessary. 5.3 On an annual basis, to participate in the Information Governance Toolkit Assessment (adherence to the standards are included in the CCG s performance ratings). 5.4 Also on an annual basis, to formally report to the Governing Body the CCG s performance against the whole IG agenda, making recommendations for further improvement where appropriate. Signed:... Print Name:... Dated:... 16

17 Appendix 3 AUDIT COMMITTEE TERMS OF REFERENCE 1 Introduction The audit committee (the committee) is established in accordance with North Norfolk Clinical Commissioning Group s constitution. These terms of reference set out the membership, remit, responsibilities and reporting arrangements of the committee and shall have effect as if incorporated into the constitution. The Committee will review its performance annually by undertaking a self-assessment; it will provide a report arising from its findings to the Governing Body entitled Effectiveness of the Audit Committee. 2 Membership The committee shall be appointed by the clinical commissioning group as set out in the clinical commissioning group s constitution and may include individuals who are not on the governing body. Members will include: the lay member on the governing body, with a lead role in overseeing key elements of governance; the lay member on the governing body, with a lead role in overseeing engagement; and a maximum of 3 of the elected managers from the clinical commissioning group s Member Practices. The lay member with a lead role in overseeing key elements of governance will chair the audit committee. In the event of the chair of the committee being unable to attend all or part of the meeting, he or she will nominate a replacement from within the membership to deputise for that meeting. 3 Quorum A quorum will comprise three members of the committee, including at least one lay member. 4 Attendance (in addition to the members of the committee) The Chief Finance Officer will attend meetings of the audit committee routinely along with representatives from appointed external and internal auditors. In addition: at least once a year the committee will meet privately with the external and internal auditors; representatives from NHS Protect will be invited to attend meetings and will normally attend at least one meeting each year; regardless of attendance, external audit, internal audit, local counter fraud and security management (NHS Protect) providers will have full and unrestricted rights of access to the audit committee; the Accountable Officer will be invited to attend and discuss, at least annually with the committee, the process for assurance that supports the Annual Governance Statement. He or she will also attend when the committee considers the draft internal audit plan and the annual accounts; senior officers may be invited to attend, particularly when the committee is discussing areas of risk or operation that are the responsibility of that person; the chair of the governing body will also be invited to attend one meeting each year in order to form a view on, and understanding of, the committee s operations. 17

18 5 Secretary The Head of Corporate Affairs is responsible for supporting the chair in the management of the committee s business and for drawing the committee s attention to best practice, national guidance and other relevant documents as appropriate. 6 Frequency and notice of meetings 6.1 The committee will meet on at least four occasions each year. 6.2 The agenda and supporting papers will be sent to members seven days in advance of the meeting. 6.3 The Chair may call a meeting of the group at any time. 6.4 External auditors or the Head of Internal Audit may request a meeting at any time if it is considered that one is necessary. 7 Remit and responsibilities of the committee 7.1 The committee shall critically review the clinical commissioning group s financial reporting and internal control principles and ensure an appropriate relationship with both internal and external auditors is maintained. 7.2 The committee shall review the establishment and maintenance of an effective system of integrated governance, risk management and internal control, across the whole of the clinical commissioning group s activities that support the achievement of the clinical commissioning group s objectives. 7.3 Its work will dovetail with that of the joint quality and patient safety committee to seek assurance that robust clinical quality is in place. 7.4 In particular, the committee will review the adequacy and effectiveness of: All risk and control-related disclosure statements (in particular the governance statement), together with any appropriate independent assurances, prior to endorsement by the clinical commissioning group; The underlying assurance processes that indicate the degree of achievement of clinical commissioning group objectives, the effectiveness of the management of principal risks and the appropriateness of the above disclosure statements; The policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements and related reporting and self-certification; The policies and procedures for all work related to fraud and corruption as set out in Secretary of State Directions and as required by the NHS Counter Fraud and Security Management Service; 7.5 In carrying out this work the committee will primarily utilise the work of internal audit, external audit and other assurance functions, but will not be limited to these sources. It will also seek reports and assurances from managers as appropriate, concentrating on the over-arching systems of integrated governance, risk management and internal control, together with indicators of their effectiveness. This will be evidenced through the committee s use of an effective assurance framework to guide its work and that of the audit and assurance functions that report to it. 7.6 Internal audit The committee shall ensure that there is an effective internal audit function that meets mandatory NHS Internal Audit Standards and provides appropriate independent assurance to the audit committee, accountable officer and clinical commissioning group. This will be achieved by: 18

19 Consideration of the provision of the internal audit service, the cost of the audit and any questions of resignation and dismissal; Review and approval of the internal audit strategy, operational plan and more detailed programme of work, ensuring that this is consistent with the audit needs of the organisation, as identified in the assurance framework; Considering the major findings of internal audit work (and management s response) and ensuring co-ordination between the internal and external auditors to optimise audit resources; Ensuring that the internal audit function is adequately resourced and has appropriate standing within the clinical commissioning group; An annual review of the effectiveness of internal audit. 7.7 External audit The committee shall review the work and findings of the external auditors and consider the implications and management s responses to their work. This will be achieved by: Consideration of the performance of the external auditors, as far as the rules governing the appointment permit; Discussion and agreement with the external auditors, before the audit commences, on the nature and scope of the audit as set out in the annual plan, and ensuring coordination, as appropriate, with other external auditors in the local health economy; Discussion with the external auditors of their local evaluation of audit risks and assessment of the clinical commissioning group and associated impact on the audit fee; Review of all external audit reports, including the report to those charged with governance, agreement of the annual audit letter before submission to the clinical commissioning group and any work undertaken outside the annual audit plan, together with the appropriateness of management responses. 7.8 Other assurance functions The audit committee shall review the findings of other significant assurance functions, both internal and external, and consider the implications for the governance of the clinical commissioning group. These will include, but will not be limited to: reviews by Department of Health arm s length bodies or regulators/inspectors (for example, the Care Quality Commission and NHS Litigation Authority); review by professional bodies with responsibility for the performance of staff or functions (for example, Royal Colleges and accreditation bodies); and the organisation s performance against such as the NHS Information Governance Toolkit. This last will be carried out by receipt of an Annual Report and Improvement Action Plan in this regard, the report to facilitate the committee s monitoring of compliance with training requirements. 7.9 Counter fraud The committee shall satisfy itself that the clinical commissioning group has adequate arrangements in place for countering fraud and shall review the outcomes of counter fraud work. It will also approve the counter fraud work programme Management The committee shall request and review reports and positive assurances from managers on the overall arrangements for governance, risk management and internal control. 19

20 The committee may also request specific reports from individual functions within the clinical commissioning group as they may be appropriate to the overall arrangements and may establish such sub-committees as may be necessary to assist the discharge of its responsibilities Financial reporting The audit committee shall monitor the integrity of the clinical commissioning group s financial statements and any formal announcements relating to the clinical commissioning group s financial performance. The committee shall ensure that the systems for financial reporting to the clinical commissioning group, including those of budgetary control, are subject to review as to completeness and accuracy of the information provided to the clinical commissioning group. The audit committee shall review the annual report and financial statements before submission to the governing body and the clinical commissioning group, focusing particularly on: The wording in the governance statement and other disclosures relevant to the terms of reference of the committee; Changes in, and compliance with, accounting policies, practices and estimation techniques; Unadjusted mis-statements in the financial statements; Significant judgements in preparing of the financial statements; Significant adjustments resulting from the audit; Letter of representation; and Qualitative aspects of financial reporting. 8 Relationship with the Governing Body The committee will provide copies of the minutes of its meetings to the next meeting in public of the Governing Body. Minutes will be accompanied by a formal report identifying key matters of activity, concern and interest. 9 Policy and best practice The committee has full authority to commission any reports or surveys it deems necessary to help it fulfil its obligations and will apply best practice in all decision-making processes. 10 Conduct of the committee The committee will conduct business in accordance with the clinical commissioning group s policy on Standards of Business Conduct which incorporates: The NHS Codes of Conduct and Accountability; Standards of Business Conduct for NHS Staff; and The Nolan Principles. The committee will review its performance, membership and terms of reference annually. Any proposed changes must be approved by the Governing Body. Date agreed: 19 th March

21 Confidentiality and Data Protection Delivery of the Information Governance Agenda Information Risk Management Appendix 4 Information Governance Reporting Framework Governing Body Chief Officer Caldicott Guardian Audit Committee Senior Information Risk Owner (SIRO) Information Asset Owner(s) (IAO) Information Asset Administrator(s) (IAA) Head of Corporate Affairs (IG Lead) / Corporate Affairs Officer 21