Further to reports to EAG in February and March 2014, the purpose of this report is to;

Transcription

1 Report to: Trust Board of Directors Date of Meeting: 29 May 2014 Report Title: Annual Information Governance Report 13/14 Status: Mark relevant box with X Prepared by: Executive Sponsor (presenting): Appendices (list if applicable): For information X Tim Rycroft / Jenny Pope Andrew Copley (SiRO) Discussion Assurance Approval Regulatory requirement Purpose of the Report To update the Board on the Information Governance (IG) programme, confirming the results of the Toolkit assessment for 2013/14 and internal audit outcome To provide an overview of the arrangements in place to manage information risks and improve compliance in the year ahead. Key points for discussion 1) IG TOOLKIT ASSESSMENT 2013/14 2) COMPLIANCE WITH LEGAL AND REGULATORY FRAMEWORK 3) INFORMATION GOVERNANCE INCIDENTS 4) RISK MANAGEMENT AND ASSURANCE 5) IMPROVEMENT PLAN Recommendation The Board of Directors are asked to note and receive the 2013/14 annual Information Governance Report.

2 Airedale NHS Foundation Trust Trust Board: May 2014 Title: Information Governance Report Authors: Tim Rycroft, Head of IG, Jenny Pope, IG Officer ANNUAL INFORMATION GOVERNANCE REPORT 13/14 1) PURPOSE Further to reports to EAG in February and March 2014, the purpose of this report is to; update the Board on the Information Governance (IG) programme, confirming the results of the Toolkit assessment for 2013/14 and internal audit outcome provide an overview of the arrangements in place to manage information risks and improve compliance in the year ahead. 2) IG TOOLKIT ASSESSMENT 2013/14 The IG Toolkit is a tool produced by the Department of Health and draws together the relevant information management legislation, national and international guidance under a single framework designed to enable an organisation to implement the relevant standards. It enables the Trust to measure its performance through an annual self-assessment audit process and report upon level of compliance against a set number of requirements. There are a number of levels: NR Not relevant 0 No or insufficient evidence, not satisfactory for compliance 1 Limited evidence, not satisfactory for compliance 2 Minimum level satisfactory for compliance 3 Evidence of further processes, measures & controls, satisfactory for compliance The Trust is required to measure itself against 45 requirements. These are broken down into the above levels and then each level contains several questions. Every answer at each level requires supporting evidence. Organisations can only achieve a final overall score of Satisfactory by scoring a minimum Level 2 for all requirements. This is regardless of the amount of progress made against individual requirements. The submission for 2013/14 took place on 31 st March The Trust achieved an overall score of Satisfactory. See Appendix B assessment summary Prior to submitting its final assessment the Trust s internal auditors, MIAA audited a sample of 23 requirements. Their overall opinion was Significant assurance. The Board can take assurance that the controls upon which the organisation relies to manage IG are suitably designed, consistently applied and effective. 3) COMPLIANCE WITH LEGAL AND REGULATORY FRAMEWORK Compliance with key legislation, such as the Data Protection Act 1998 (DPA) and Freedom of Information Act 2000 (FOIA) is regulated by the Information Commissioner s Office (ICO). Internally, the IG Group monitors compliance with the FOIA and DPA.

3 There has been a significant increase this year in the number of Freedom of Information requests. During 2013/14 the Trust received 475 requests (to 17 March 2014), an increase of 146 on 2012/13. There have been no complaints made by requesters to date although requests continue to rise, a situation reflected across the NHS. Unfortunately we are also increasingly receiving requests from staff at other NHS trusts and organisations using the Act as a quicker way of attaining information. FOIA remains a challenge to manage and for different areas of the business to respond to. During 2013, the Trust received 1263 requests for Access to Health Records, an average of 105 per month. There were 10 breaches of the 40 day response time; often due to awaiting completion of activity that would be relevant to the information required e.g. outpatient appointment. The department is not aware of any complaints being received in relation to the service. 4) INFORMATION GOVERNANCE INCIDENTS One Level 2 IG SIRI has been reported (ref 36963) in accordance with the new IG SIRI reporting requirements introduced in It related to a response to an Access to Health Records request. As well as posting the requested information, information sheets relating to 3 other patients were mistakenly included. The information was retrieved and a detailed investigation took place, and actions have been put in place, which are currently being progressed. 5) RISK MANAGEMENT AND ASSURANCE The SIRO is responsible for overseeing the development and implementation of the information risk strategy. The SIRO is supported in this by the Information Governance team and by Information Asset Owners (IAO) within each business area. The IAO is responsible for managing information risks to the assets within their control. This involves developing system security policies (SLSP) and business continuity plans as well as documenting their personal data information flows and conducting regular information risk assessments. The Head of IT and IG and Trust s information security lead support IAOs in achieving these objectives. Whilst progress has been made again during 2013/14, further work is required to embed these processes further. The Toolkit is a standing agenda item for the IG Group. Requirement owners must alert the Group to any high risks that could impact on the achievement of Level 2 compliance. Where there are significant concerns these are managed through a local risk register and highlighted to the SIRO. Page 2 of 6

4 6) IMPROVEMENT PLAN Appendix A is an extract from the draft improvement plan showing Toolkit actions carried forward from 2013/14. New actions have also been included based on the outcome of the assessment and recommendations from the internal audit review. The plan itself is a more comprehensive live document forming part of the online Toolkit. It enables a requirement owner in agreement with IG to set and manage all actions. Actions are reviewed, progressed and monitored by the IG Group. Update, highlight or exception reports are included in any routine reports to EAG. The whole informs the general IG work programme; not all actions specifically relate to the Toolkit requirements. The plan is developed and updated throughout the year, in particular on publication of the new Toolkit version. 7) SUMMARY The Trust has a robust process for managing IG and the associated responsibilities that come with our commitment to adopt best practice processes and procedures in order to protect patient and service users information. It has a dynamic action plan to refresh and improve its compliance with the Toolkit standards. Evidence for many of the requirements is refreshed as part of established daily business or monitoring activities. However some objectives are more challenging and for this reason are being targeted already. Key areas are to: promote and monitor the uptake of IG training work with the Caldicott and Risk department to target IG incident near misses with a view to reducing the potential for IG SIRIs work with IAOs to embed effective information risk management activities plan and undertake additional corporate records management audits review and update the annual information workflow exercise to capture new flows, and ensure that data sharing agreements and/or appropriate IG controls are in place review the Trust contracts register to ensure key contracts are aware of updated IG clauses. We must continue to respond to the challenges faced by changing working practices in order to ensure that we keep pace with the ever-changing information society we work in. Going forward this will only become even more demanding. National developments will have a bearing on the direction of the Information Governance programme. For example, the new EU DPA regulation if it becomes law and Caldicott2 IG review recommendations will have an impact. Page 3 of 6

5 We will continue to work with other NHS organisations in our region sharing good practice and to aim for an integrated approach. The IG Group asks the Board to receive and note this report. It is asked to support plans to ensure that the Trust achieves an overall satisfactory position by achieving a minimum Level 2 for all requirements for 2014/15 and crucially, that it continues to improve and embed IG into routine working practice across the Trust. May 2014 Tim Rycroft, Head of IG and IT Jenny Pope, IG Officer Page 4 of 6

6 Airedale NHS Foundation Trust Trust Board: May 2014 Title: Information Governance Report Authors: Tim Rycroft, Head of IG, Jenny Pope, IG Officer Appendix A: Extract from draft Improvement Plan 2014/15 IGT req. Action Action owner Deadline Progress Status 1013b, 105 Review IG Framework and Strategy in line with the stated requirements within toolkit guidance for in view of extension to IG policy review Tim Rycroft 31/07/2014 work started by IG Officer 110 Review the Trust contracts register to ensure key contracts are aware of updated IG clauses 201 3c Check IG Policy content meets guidance when reviewed_review extended into 2014 Tim Rycroft 31/03/2015 instructions issued in part for key system TBC 31/07/2014 work started by IG Officer 202 2b Double-check and update all IG staff posters TBC 31/03/2015 ongoing throughout the year not started 203 1a Continue to monitor display of fair processing posters (privacy notices) TBC 31/03/2015 ongoing throughout the year 203 2b Add IG contacts to the fair processing posters/web information when reviewed? 207 2b Implementation of IG surveys/data sharing or confidentiality agreements for individual information sharing partners - as discussed through Review and update the annual information workflow exercise to capture new flows, and ensure that data sharing agreements and/or appropriate IG controls are in place 207 2b Review new high level information exchange charter (sharing protocol) during TBC 31/03/2015 action to be considered not started Tim Rycroft 31/07/2014 Martin Fisher TBC IG Group 31/03/2015 new patch-wide protocol replaced previous version March 2014 not started 210 2b Strengthen PID/PIA documentation for new projects Tim Rycroft 31/07/2014 not started 300 2b All staff assigned responsibility for Information Security have been appropriately trained to carry out their role. Tim Rycroft 31/03/2015 review arrangements, ensure existing mandatory training up to date not started 112 Ensure all IG, IT and IG Group members up to date with mandatory IG training 112 Review IG training strategy and matrix: consider new modules, arrangements for refresher (non pc users, is current module still fit for purpose, workshops, hard copy materials etc.) TBC 31/03/2015 ensure mandatory training up to date TBC 31/07/2014 may extend beyond July depending on whether Toolkit criteria changes requirements not started ongoing

7 300 3b Ensure IG Risk Register is presented to IG Tim Rycroft 31/05/2014 standing agenda item, register was being reviewed during a formalise SLSP risk reviews spot checks Tim Rycroft 31/03/2015 ongoing 303 1b New local plan when new Reg Authority ownership defined Tim Rycroft 30/06/2014 not started 303 1c Formal approval of new RA plan (see action L1b) Andrew Copley 31/07/2014 not started 304 1b Ensure plan (action 303) includes links to HR processes Tim Rycroft 30/06/2014 not started 304 3a Review smartcard enforcement measures IG Group 30/06/2014 not started 304 3b Publicise any new smartcard enforcement measures in IG bulletin, safety matters and staff briefings TBC 31/08/2014 not started 307 2b Review process for IG Group sight of IAO risk reviews Tim Rycroft 31/07/2014 as part of annual SLSP process, initiated during c Discuss with business continuity lead for Trust how to ensure more alignment with corporate BCP required for Tim Rycroft 31/07/2014 initiated during b Review mobile computing policy Andrew Leng 31/05/2014 not started 400 Data Quality Strategy implementation Martin Fisher TBC draft Strategy approved at IG, needs development 101, 105 IG Policy and relates/underlying policies and procedures review TBC 30/06/2014 review commenced, extension arranged All Review new toolkit requirements Head of IG 31/07/2014 new Toolkit anticipated June 2014 not started All Identify requirement owners & issue instructions Head of IG 31/07/2014 new Toolkit anticipated June 2014 not started All Work with the Caldicott and Risk department to target IG incident 'near misses' with a view to reducing the potential for IG SIRIs TBC 31/03/2015 work started by IG Officer 601, 604 Plan and undertake additional corporate records management audits Jane Downes 31/07/2014 Process in place. Work started for 2014/15 programme of audits Page 6 of 6