INFORMATION GOVERNANCE STRATEGY NO.CG02

Transcription

1 INFORMATION GOVERNANCE STRATEGY NO.CG02 Applies to: All NHS LA employees, Non-Executive Directors, secondees and consultants, and/or any other parties who will carry out duties on behalf of the NHS LA. Contractors and panel firms are required to adhere to the terms of their contractual agreements. Date of SMT Approval: 15 April 2015 Author Owner Version Joel Henderson Tom Fothergill V4_0 final Review Date: April 2017 Beware when using a printed version of this document. It may have been subsequently amended. Please check online for the latest version Information Governance Strategy v4_0 final SMT Approved April 2015 Page 1 of 9

2 Beware when using a printed version of this document. It may have been subsequently amended. Please check online for the latest version Information Governance Strategy v4_0 final SMT Approved April 2015 Page 2 of 9

3 Information Governance Strategy CONTENTS Paragraph 1 Introduction 2 Statement of intent 3 Equality impact assessment 4 Accountabilities 5 Improvement Plans Confidentiality Information Security Data Protection Act 1998 Freedom of Information Act 2000 Environmental Information Regulations 2004 Re-use of Public Sector Information Regulations 2005 Requests for Research Data Human Rights Act 1998 Queries, Complaint and Incident Reporting 15 Records management Contractual clause Training and support 18 Process for monitoring effective implementation Other relevant procedural documents References 1. INTRODUCTION Information governance, or management of the risks associated with information handling, is relevant to all administrative and business activities at the NHS LA. Everyone working for, or on behalf of, the NHS Litigation Authority (NHS LA) is required to manage these risks. Information governance provides a framework to bring together all of the requirements, standards and best practice that apply to the handling of information. It allows organisations and individuals to ensure that information are accurate, dealt with legally, securely, and efficiently. This strategy seeks to communicate standardised organisational operational requirements and bring consistency to day to day practice with regard to information governance. The NHS LA recognises that: Information Governance Strategy v4_0 final SMT Approved April 2015 Page 3 of 9

4 1) the information that it holds needs to be handled in a secure, ethical, and lawful manner; and 2) as a public body, it is important for it to act in as open and transparent a way as possible and that the public should be able to understand how it handles information. The NHS LA will do this by: 1) ensuring that it meets its legal obligations, including those set out within the Data Protection Act 1998 and the Freedom of Information Act 2000; and 2) implementing and observing a policy and system of information governance to control, monitor and support its staff in handling information and to provide assurance to the public, its staff and stakeholders. 2. STATEMENT OF INTENT The NHS LA is committed to minimising the risks associated with information handling and to ensuring that all employees are fully aware of their responsibilities in relation to information governance. To this end, this strategy aims to communicate the standardised approach to information handling within the NHS LA. 3. EQUALITY IMPACT ASSESSMENT As part of its development, this policy and its impact on equality have been reviewed in consultation with trade union and other employee representatives in line with the NHS LA s Equality Scheme and Equal Opportunities Policy. 4. ACCOUNTABILITIES Chief Executive and Accounting Officer Overarching accountability for all matters relating to information governance lies with the Chief Executive. Director of Finance and Corporate Planning As the Senior Information Risk Owner (SIRO), the Director of Finance has overall responsibility for the management of risks associated with the handling of information at the NHS LA. Information Governance Group The IG Group will have responsibility for reviewing IG risks and incidents and for oversight of all operational and strategic IG matters. The SIRO will sit on this group and a summary of the minutes will be circulated to the Audit Committee. Information Governance Manager Information Governance Strategy v4_0 final SMT Approved April 2015 Page 4 of 9

5 Has responsibility for day to day management of information governance matters Information Access Manager Has responsibility for handling requests for information under both the DPA and FOIA Head of IT & Facilities As the Information Security Officer, the Head of IT & Facilities has overall responsibility for the provision of systems and facilities to support accurate, legally compliant, secure and efficient information governance. Caldicott Guardian The Caldicott Guardian within an organisation should be a senior health professional, who is responsible for ensuring patient data are kept secure. The Director of Safety and Learning fulfils this role for the NHS LA. Line Managers All line managers are responsible for the promotion of the information governance principles outlined within this strategy and associated policies, within their teams. Employees All employees are responsible for the implementation of the information governance principles outlined within this strategy and associated policies and for reporting any related adverse incident in line with RM05 Incident Reporting Policy and Procedure. 5. IMPROVEMENT PLANS The Authority will utilise the Information Governance Toolkit as part of action planning to ensure that it addresses all required areas of risk 6. CONFIDENTIALITY Much of the information held by the NHS LA both on computer and in paper files is confidential in nature. The NHS LA has a duty both under the common law, the Human Rights Act 1998 and NHS Code of Practice on Confidentiality 2003 to ensure that the confidential information it holds is not inappropriately disclosed. The NHS LA takes its obligations to keep information confidential very seriously. The NHS LA s information handling guidance on confidentiality and anonymisation is set out within ITFA02 - Guidance for Working with Confidential or Sensitive Information. This guidance also stipulates that no new information systems, databases or data stores containing sensitive Information Governance Strategy v4_0 final SMT Approved April 2015 Page 5 of 9

6 personal information are created or introduced without the completion of a Privacy Impact Assessment, which must be approved by the SIRO. This is referenced in more detail in the Procedure for Risk Assessment. 7. INFORMATION SECURITY The NHS LA has a legal obligation to ensure that all information it holds is kept securely, both when it is held in electronic and in paper form. The NHS LA s policy on Information Security is set out within the Information Security Policy, Procedure/Guidance for Working with Confidential or Sensitive Information and Policy on the Acceptable Use of NHS LA systems. 8. DATA PROTECTION ACT 1998 The Data Protection Act 1998 (DPA) requires organisations that hold personal data (information which identifies individuals) to meet certain minimum standards in the way they process that data. The Act also grants certain rights to data subjects (those individuals whose information is being processed). Under the DPA, data subjects may request information held about them. The NHS LA will ensure that it complies with the DPA, and that it processes personal data in accordance with the Principles of the DPA and the rights of data subjects, except where an exemption under the Act applies. The NHS LA policy regarding compliance with the DPA is set out within RM18 - Data Protection Policy. 9. FREEDOM OF INFORMATION ACT 2000 The Freedom of Information Act 2000 (FOIA) places two main duties on public authorities such as the NHS LA: to produce a Publication Scheme, setting out what information will be made routinely available to the public; and to respond positively to requests from the public for information, unless that information is explicitly exempt under other provisions in the FOIA. The NHS LA s Publication Scheme is available on the public website and policy regarding compliance with the FOIA is set out within RM19 - Freedom of Information Policy. 10. ENVIRONMENTAL INFORMATION REGULATIONS 2004 The Environmental Information Regulations 2004 (EIR) provide a right of access by the public to information held by a public sector body, where that information relates to the environment, relates to aspects of how the public Information Governance Strategy v4_0 final SMT Approved April 2015 Page 6 of 9

7 body operates that impacts upon the environment, or relates to the effect such factors have on human health. Because of the nature of the NHS LA s business and working practices, it is unlikely that it will receive requests for information under EIR. Should there be any such request, or need for further information about the EIR, it should be addressed to the Head of Governance. 11. RE-USE OF PUBLIC SECTOR INFORMATION REGULATIONS 2005 The Re-use of Public Sector Information Regulations 2005 (RPSIR) aims to encourage the commercial exploitation of information owned and made available by public bodies. The NHS LA is keen to allow re-use of its information in appropriate circumstances and will do so in accordance with the RPSIR. The NHS LA s statement on the re-use of its information appears on the NHS LA website, under Terms of Use. 12. REQUESTS FOR RESEARCH DATA From time to time the NHS LA may make available anonymised information to NHS and other bodies for the purposes of relevant research activities. Any such request will be considered on an individual basis and should be forwarded to the Information Access Manager who leads on FOIA. 13. HUMAN RIGHTS ACT 1998 The Human Rights Act 1998 (HRA) gives further legal effect in the UK to the fundamental rights and freedoms contained in the European Convention on Human Rights. These rights not only impact on matters of life and death, but also affect rights in everyday life: what you can say and do, your beliefs, your right to respect for private and family life, and other similar basic entitlements. As a public authority, in managing information, the NHS LA has regard to the provisions of the Human Rights Act QUERIES, COMPLAINTS AND INCIDENT REPORTING All complaints relating to information governance matters should be directed to the Head of Governance, with a copy being sent to the person indicated within Section 4 of this policy, as being responsible for the area to which the complaint relates. The NHS LA s policy on dealing with complaints is set out within the RM07Complaints Policy and RM05 Incident Reporting Policy and Procedure. 15. RECORDS MANAGEMENT The NHS LA holds and records information in both paper and electronic format but is increasingly moving away from the former in favour of a paper light approach. The NHS LA's policy on the storage, archiving, retrieval and disposal of records is set out within RM20 - Records Management Policy. Information Governance Strategy v4_0 final SMT Approved April 2015 Page 7 of 9

8 16. INFORMATION GOVERNANCE CONTRACTUAL CLAUSE All contracts with the NHS LA should include an Information Governance clause to comprise, at the very minimum, accountabilities, risk assessment, access controls, limitations on disclosure, audit and incident reporting. 17. TRAINING AND SUPPORT The NHS LA will provide appropriate training to all staff on information governance, and specific requirements are addressed within individual policies where applicable. Managers and other staff may request advice from the Corporate Governance Team should they require support with the implementation of this strategy. All staff must complete, or refresh, information governance training annually. Temporary staff must who are expected to be with the NHS LA for more than 3 months must also complete the training. The NHS LA has produced a bespoke training package for staff to complete. Staff with key responsibilities for information governance and/or information assets should complete additional training as identified. This includes external SIRO Baseline Training and internal training for IAOs on Managing the Information Asset Register and Completing Privacy Impact Assessments. 18. PROCESS FOR MONITORING EFFECTIVE IMPLEMENTATION The effective implementation of this strategy will be monitored by the Information Governance Group through review of a range of key performance indicators, including related incidents reported and associated actions taken, and by obtaining assurance that there are effective policies, systems and management arrangements covering all aspects of information governance, and by the NHS LA Board through review of actions taken in response to requests made under the FOIA and DPA. 19. OTHER RELEVANT PROCEDURAL DOCUMENTS RM05 Incident Reporting Policy and Procedure RM07 Complaints Policy and Procedure RM16 RM18 Procedure for Risk Assessment Data Protection Policy RM19 Freedom of Information Policy RM20 Records Management Policy ITFA02 Procedure/Guidance for Working with Confidential or Sensitive Information ITFA05 Information Security Policy 20. REFERENCES Information Governance Strategy v4_0 final SMT Approved April 2015 Page 8 of 9

9 The Data Protection Act, 1998 Freedom of Information Act, 2000 NHS Code of Practice on Confidentiality, 2003 Environmental Information Regulations, 2004 Re-use of Public Sector Information Regulations, 2005 Human Rights Act, 1998 IG Toolkit Document Control Change Record Date Author Version Reason for Change 29/08/13 Joel Henderson V1_0 draft Initial draft 25/09/13 Joel Henderson V2_0 draft Comments from IG Group 10/11/14 Joel Henderson V3_0 draft Changes in line with other IG policy formatting 26/02/15 Joel Henderson V4_0 draft Minor format amendments 15/04/15 Joel Henderson V4_0 final SMT approved Information Governance Strategy v4_0 final SMT Approved April 2015 Page 9 of 9