Information Governance Policy

Transcription

1 Information Governance Policy Version: Revised: Consultation: Ratified by: 1.0 Information Governance Committee Governance Committee Date ratified: 19 March 2008 Name of originator/author: David McGrath Date issued: April 2008 Review date: April 2010 Scope: All Trust employees

2 1.Introduction Key Principles Purpose Duties Chief Executive Caldicott Guardian Responsible Director Information Governance Manager Managers Records Manager All Staff Definitions Context Legal and Regulatory Framework Information Governance Assessment for the Trust Training Information Security Monitoring and Review Trust Related Policies... 7

3 1.Introduction 1.1 Key Principles The Trust regards all personal identifiable information relating to patients and their relatives as confidential. Compliance with legal and regulatory framework will be achieved, monitored and maintained. To support this, the Trust will: establish mechanisms that allow the integrity of information to be monitored and maintained to ensure that it is appropriate and fit for its intended purpose. establish a consistent approach by which the Trust manages all the aspects of how information is managed, whether internally or externally generated and in regard to all formats and media types. This will involve all steps of processing; from the generation of documents, to its retention, and then its final disposal ensure that the availability of information for operational purposes will be maintained within set parameters, via appropriate procedures and computer system resilience. establish and maintain policies and procedures to ensure compliance with the appropriate legal framework, to include the Data Protection Act, the Human Rights Act, the common law duty of confidentiality and the Freedom of Information Act. 2. Purpose The purpose of this policy is to set out the responsibilities for Information Governance within the Trust, and the relevant levels of accountability. This policy will apply to all areas where information is held within, or on behalf of, the Trust. This policy relates to all types of information within the Trust. These include: Patient/Client/Service User information Personnel information Organisational information. This policy covers all aspects of handling information, including (but is not limited to): Structured record systems - paper and electronic Transmission of information , post, telephone and fax Monitoring of use of information systems This policy refers to: all information systems purchased, developed and managed by, or on behalf of, the Trust All Trust employees and contractors. All systems provided by Third Party contractors, where the service has been negotiated on the Trusts behalf i.e. by Department of Health.

4 3. Duties 3.1 Chief Executive The Chief Executive has overall responsibility for Information Governance at the Trust. As the Accountable Officer he/she is responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity. 3.2 Caldicott Guardian The Trust s Caldicott Guardian (Medical Director) has a specific responsibility for reflecting patients interests regarding the use of patient identifiable information. The Caldicott Guardian is responsible for ensuring that patient identifiable information is shared in an appropriate and secure manner. 3.3 Responsible Director The Director of Corporate Affairs has overall responsibility for the development and maintenance of Information Governance practices throughout the Trust. 3.4 Information Governance Manager Responsible for the operational day to day management of all issues relating to Information Governance, including drafting policy documents, procedural guidance, training, audit and dealing with all IG queries. The provision of reports to the Trust Board and various external agencies on issues relating to IG. 3.5 Managers The responsibility for overseeing information governance practice in teams is devolved to the relevant directors, managers and team managers. Managers have overall responsibility for IG within their areas 3.6 Records Manager The Records Manager will ensure staff are provided with training for their responsibilities for record keeping and management. 3.7 All Staff All Trust staff, whether clinical or administrative, have responsibility for the safety and proper management of the information they process. Information governance incidents must be recorded on an IR1 form and reported to the Information Governance Manager.

5 4. Definitions Information Governance (IG) - A framework for the handling of electronic and manual information within NHS organisations Sets out the standards for the organisation on how to handle information about patients and employees Ensures the correct handling of information to comply with both legal requirements, and those of the Department of Health Standards. 5. Context The information Governance framework assists the Trust to fulfil its statutory duties in respect of the legislation and guidelines outlined below. 6. Legal and Regulatory Framework There are various legal obligations placed on the Trust regarding the use and security of personally identifiable information including: Data Protection Act (1998) Human Rights Act (1998) Freedom of Information Act (2000) Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998) Computer Misuse Act (1990) Copyright, designs and patents Act 1988 (as amended by the Copyright Computer programs regulations 1992) Crime and Disorder Act (1998) Electronic Communications Act (2000) Environmental Information Regulations (2000) Public Interest Disclosure Act (1998) Health and Social Care Act (2001) National Health Service Act (1977) In addition to this there: is an NHS regulatory and performance framework for the management. are NHS Codes of Conduct for the use of information. are operating procedures and codes of practice are adopted by the NHS There are requirements to disclose or share information when required to do so for either legislated or operational purposes.

6 7. Information Governance Assessment for the Trust An assessment of compliance will take place on an annual basis. This will take the form of the Information Governance Toolkit (IGT), which is sponsored by Connecting for Health. The requirements within the IGT are grouped into the following initiatives: Information Governance Management Confidentiality and Data Protection Assurance Information Security Assurance Clinical Information Assurances Secondary User Assurance Corporate Information Assurance Annual reports and proposed action/development plans, arising from the IG toolkit, will be documented and submitted by the Information Governance Committee for approval prior to submission. The Trust Board or its delegated body will give final approval to the report and its recommendations, prior to its final submission to Connecting for Health. 8. Training All staff will receive, as part of their mandatory induction package, a training session covering basic issues of Information Governance. Refresher training will be made available as required. Where necessary this training must be completed before access to Trust IT systems will be granted. The Information Governance Committee will adopt and monitor an annual training plan. 9. Information Security The Trust will establish and maintain policies for the effective and secure management of its information assets and resources. Audits will be undertaken or commissioned to assess information and IT security arrangements. The Trust s Incident Reporting system will be used to report, monitor and investigate all breaches of confidentiality and security. 10. Monitoring and Review The Information Governance Committee is responsible for this policy and will ensure the necessary reviews and updates take place in accordance with changes in national policy of legislation. The policy will be reviewed annually.

7 11. Trust Related Policies Data Protection Policy Information Quality Assurance: All related policies and procedures Data Quality Policy Records Management Policy HR related Confidentiality code of practice Professional codes of conduct from the BMA, GMC and NMC and others including Allied Health Professionals, Finance Professionals and NHS Managers

8 EQUALITY IMPACT ASSESSMENT Policy under review: Consider: What are the aims of the policy? Date of assessment: 11 March 2008 Assessment: Please see guidance on page 8 This policy sets out the main duties and responsibilities for information governance Names of assessors: David McGrath Action to be taken: Publicise to staff Is there any evidence that some groups could be adversely affected? If there is which groups are affected? Is there any evidence of higher or lower participation or uptake by different groups? Is there any evidence that different groups have different needs, experiences, issues and priorities? What would be the likely impact of the policy? No No No Improved information governance arrangements Should the policy under review be altered so as to provide an opportunity to promote equality of opportunity or good race relations? What consultation is necessary? Should the policy be adopted? Keep a record of the conclusions at each stage of the decision-making process, so that they can be brought together in the equality impact assessment report. The report should contain reasons for decisions made and recommendations as to how the policy will be put into practice, No None Yes. This policy supports legal requirements

9 including suggestions for training and monitoring The report should also clearly show the relative weight given to each type of evidence: Monitoring data research findings other statistics the results of consultations (formal and informal). What monitoring arrangements are necessary? How will the results of consultations and assessments be published? The specific duty to produce and publish a Race Equality Scheme requires that the results of assessments and consultations carried out in respect of any policy is relevant to the race equality duty must be published Compliance with the policy. Internet Monitor effectiveness of training and information to staff through audit and incident reports. Report to Information Governance Committee