Information Governance Toolkit Report 2013/14

Transcription

1 TAUNTON AND SOMERSET NHS FOUNDATION TRUST Information Governance Toolkit Report 2013/14 Report to: Trust Board on: 28 May 2014 Purpose of the Report: This report is presented to the Trust Board for information relating to the submitted Information Governance Toolkit Assessment 2013/2014. Sponsor: David Allwright, Director of Corporate Planning & Performance Author: Contact Details: ouise Coppin, Health Records & Information Governance Manager Indicative Timings (Mins) Financial/Resource Implications: - Risk Implications ink to Assurance Framework or Corporate Risk Register: - egal Implications: - ink to CQC Essential Standards - Freedom of Information Status: Previous Considerations: Action Required: Tick if one of the following apply: Data protection staff or patient detail Commercially sensitive Stakeholder management Early stage of discussion Potentially prejudicial to staff morale or partnership working None For information. ouise Coppin, Health Records & IG Manager TSTA/05.14 Page 1 of 6

2 1. Introduction 1.1 The Information Governance (IG) Toolkit is a performance tool produced by the Department of Health which draws together legal rules and central guidance. NHS organisations are required to carry out self-assessments of their compliance against the IG requirements. The requirements cover personal information relating to patients/service users and employees, and corporate information. 1.2 IG provides a way for employees to deal consistently with the many different rules about how information is handled, including those set out in the Data Protection Act 1998, Confidentiality NHS Code of Practice, Freedom of Information Act 2000 and the NHS Care records Guarantee. 1.3 The purpose of the assessment is to enable organisations to measure their compliance against the law and central guidance and to ensure information is handled correctly and protected from unauthorised access, loss, damage and destruction. 1.4 The ultimate aim is to demonstrate that an organisation can be trusted to maintain the confidentiality and security of personal information. This in-turn increases public confidence that the NHS and its partners can be trusted with personal data. 2. When does the IG assessment have to be submitted? 2.1 There are 3 stages to the IG annual submission: 31 July baseline assessment 31 October updated assessment 31 March final assessment 2.2 The work necessary to make improvements or to maintain compliance should be an on-going process throughout the year. 2.3 There are 45 requirements within the Acute Trust IG Toolkit, each having 4 levels of compliance. evel 0 No evidence available Not satisfactory evel 1 Minimal evidence available Not satisfactory Good evidence available Satisfactory Good evidence available and monitoring in place Satisfactory 3. Taunton & Somerset NHS Foundation Trust s Annual Assessment 3.1 Assessment Overall Score Version 11 ( ) Version 10 ( ) Submitted Assessment Grade 88% Satisfactory Achieved Attainment or above on all requirements 85% Satisfactory Achieved Attainment or above on all requirements Version 9 85% Not Satisfactory Not achieved Attainment or ouise Coppin, Health Records & IG Manager TSTA/05.14 Page 2 of 6

3 Assessment Overall Score Submitted Assessment Grade (202012) above on all requirements Version 8 ( ) 81% Not Satisfactory Not achieved Attainment or above on all requirements A list of all requirements and Taunton & Somerset NHS Foundation Trust s scores can be found in Appendix A. 3.2 Comparison to ocal Trusts (at March 2014 final submission) RUH 91% Satisfactory North Bristol 90% Satisfactory South Devon 88% Satisfactory UHBT 85% Satisfactory Yeovil 84% Not Satisfactory Exeter 71% Satisfactory Weston 71% Satisfactory North Devon 70% Satisfactory 3.3 Comparison to Acute Trusts Nationally (at March 2014 final submission) % Satisfactory Not Satisfactory Taunton & Somerset NHS Foundation Trust s score is in the top 10 Trusts in the Country. ouise Coppin, Health Records & IG Manager TSTA/05.14 Page 3 of 6

4 Appendix A Information Governance Toolkit v 11 Baseline Submission March 2014 Req No Description Information Governance Management There is an adequate Information Governance Management Framework 101 to support the current and evolving Information Governance agenda There are approved and comprehensive Information Governance 105 Policies with associated strategies and/or improvement plans Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation Information Governance awareness and mandatory training procedures 112 are in place and all staff are appropriately trained Confidentiality and Data Protection Assurance The Information Governance agenda is supported by adequate 200 confidentiality and data protection skills, knowledge and experience which meet the organisation s assessed needs Staff are provided with clear guidance on keeping personal information secure and on respecting the confidentiality of service users Personal information is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected Individuals are informed about the proposed uses of their personal information There are appropriate procedures for recognising and responding to individuals requests for access to their personal data There are appropriate confidentiality audit procedures to monitor access to confidential personal information Where required, protocols governing the routine sharing of personal information have been agreed with other organisations All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements Information Security Assurance The Information Governance agenda is supported by adequate 300 information security skills, knowledge and experience which meet the evel ouise Coppin, Health Records & IG Manager TSTA/05.14 Page 4 of 6

5 Req No organisation s assessed needs Description evel A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed There are documented information security incident / event reporting and management procedures that are accessible to all staff There are established business processes and procedures that satisfy the organisation s obligations as a Registration Authority Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use Operating and application information systems (under the organisation s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems An effectively supported Senior Information Risk Owner takes ownership of the organisation s information risk policy and information risk management strategy All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service - specific measures are in place Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code Clinical Information Assurance Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely Policy and procedures ensure that mobile computing and teleworking are secure All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements Procedures are in place to ensure the accuracy of service user information on all systems and /or records that support the provision of care ouise Coppin, Health Records & IG Manager TSTA/05.14 Page 5 of 6

6 Description A multi-professional audit of clinical records across all specialties has been undertaken Procedures are in place for monitoring the availability of paper health/care records and tracing missing records Req No Secondary Use Assurance National data definitions, standards, values and validation programmes 501 are incorporated within key systems and local documentation is updated as standards develop External data quality reports are used for monitoring and improving data 502 quality Documented procedures are in place for using both local and national benchmarking to identify data quality issues and analyse trends in information over time, ensuring that large changes are investigated and explained An audit of clinical coding, based on national standards, has been undertaken by a NHS Classifications Service approved clinical coding auditor within the last 12 months Corporate Information Assurance A documented procedure and a regular audit cycle for accuracy checks on service user data is in place The Completeness and Validity check for data has been completed and passed Clinical/care staff are involved in validating information derived from the recording of clinical/care activity Training programmes for clinical coding staff entering coded clinical data are comprehensive and conform to national standards Documented and implemented procedures are in place for the effective management of corporate records Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000 As part of the information lifecycle management strategy, an audit of corporate records has been undertaken evel ouise Coppin, Health Records & IG Manager TSTA/05.14 Page 6 of 6