Accessing Personal Information on Patients and Staff:

Size: px
Start display at page:

Download "Accessing Personal Information on Patients and Staff:"

Transcription

1 Accessing Personal Information on Patients and Staff: A Framework for NHSScotland Purpose: Enabling access to personal and business information is a key part of the NHSScotland Information Assurance Strategy and access cuts across many areas identified by boards for focussed improvement activity. For example: Acknowledgment that the ability to successfully apply sanctions against individuals depends on the robustness of board polices and procedures [e.g. on how access permissions should be agreed and being clear on identity ] General support for introduction of a software package which could assist with system audit of staff activity [e.g. on audit trails which cover access activities] Robust methodology in place to assess the business impact of access to information and apply the correct protection [e.g. to use technical controls combined with greater staff awareness] The NHS holds more personal information by volume - on both patients and staff - than any other organisation in Scotland. Much of this information constitutes sensitive personal data and needs to be captured, managed, stored and disposed of securely in accordance with the Principles of the Data Protection Act But the information is of no value unless readily accessible to clinicians and other staff tasked with providing healthcare. Recent investment in tools such as Clinical Portals and Single Sign On are designed to enable greater information sharing and access. A balance needs to be struck between protecting privacy and reducing security risks, with the need to access information quickly in a complex healthcare environment heavily dependent on Information and Communications Technology (ICT). The aim of this document is firstly to provide an access framework comprising ten interconnecting components or spokes (see Fig 1) to help organisations achieve this balance, and secondly to outline the practical steps that support the access framework. 1

2 Fig 1: The ten interconnecting components that enable access Accessing personal information: framework * Access here describes logging onto any IT systems which holds data as well as viewing or processing it in any way. ** data ; in this context is used to describe the digital component parts (which may be just codes, names, numbers) which when taken together form information on an individual. Although the prime focus here is on information held digitally, the 10 components described below are still just as valid for the paper file environment. One of the many advantages to accessing information electronically is that the audit trails are more granular and sophisticated and can be used to check that each access activity is within the agreed rules. 2

3 1) Patient Consent all access must respect any informed decisions made by the patient 2) Clear Identification all access is from named individuals who are who they say they are 3) Appropriate Authority all access is authorised by a suitably qualified person 4) Legitimate Relationship all access is based on a legitimate relationship with the patient 5) Clinical and Business Need all access is on a need to know basis to provide healthcare and associated business services 6) Time-bound - all access is related to the period in which there is a relationship, as well as clinical and business need 7) Legal Requirement - all other access is in accordance with the law 8) Technical Control all access permissions are replicated as far as possible by technical controls that prevent unauthorised access Description of each component 9) Audit Trail access activity by staff on systems is recorded and monitored 1) 10) Patient Accountability Consent all access all staff must are accountable respect any informed their decisions actions when made by privacy the patient or security breaches occur 1) Patient Consent all access must respect any informed decisions made by the patient The NHSScotland Code of Practice on Protecting Patient Confidentiality sets out the ways in which patients can provide consent to disclosure as well as circumstances where access can be obtained without consent (e.g. vital interests of subject in an emergency situation or where there is incapacity). Consent also needs to be informed: i.e. patient is clear which part of the clinical record is being discussed, the purpose for sharing and those it is shared with. During routine clinical care express permission to share is not usually required as most patients understand that their information must be shared within the healthcare team. 3

4 Patient consent is an ongoing process and based at the point of care: any verbal or written evidence from a previous care cycle may need to be revisited. It is not always possible to physically separate some types of data in order to respect patient disclosure decisions. In such circumstances there needs to be a dialogue: i.e. explanation that effective care cannot be provided without access to several linked data sources or documents. Any decision within the organisation, or at a national level, to capture new types of personal information on patients and staff (or to allow a wider group of professionals access to existing information) needs to take into account privacy and consent issues (i.e. commissioning and then acting upon Privacy Impact Assessments). 2) Clear Identification all access is from named individuals who are who they say they are Identity management is fundamental to the operation of access policies. It needs to be clear which named individual is accessing the data at any one time (e.g. by unique identifiers). The named individual needs to be working in an official capacity whether it be temporary, contracted or permanent for the NHS and to have signed statements recognising access principles and local policies. Password sharing and generic accounts linked to job titles or teams seriously undermine all the access principles and security. Solutions such as single sign-on enable staff to work more quickly and remove the common reasons for noncompliance (e.g. cannot remember multiple passwords) but can also increase risks if real identity is not clear. There needs to be clarity over naming conventions across multiple systems and staff directories to minimise the risk of persons being confused with others and duplicate identities being created. Joiners, movers and leavers processes need to be orchestrated across corporate services especially ICT, HR, Finance and Estates so that the list of personnel with access to systems is up to date. It needs to be clear how far employees are responsible for updating their own credentials and whether any changes made are synchronised across multiple staff lists (e.g. address book and corporate 4

5 directories). Staff need to be removed from systems quickly and to have handed in all assets once they have left the organisation. 3) Appropriate Authority all access is authorised by a suitably qualified person The permission to access particular systems, applications, datasets or data segments needs to be granted by a suitably qualified person with the correct level of authority. These decisions need to be formally recorded and reviewed. The registering authorities (e.g. managers, application and asset owners, clinical leads etc.) making decisions may need to view any relevant background information to confirm the identity and employment status of the person requiring access (e.g. student, locum, contractor or permanent). HR systems will hold evidence that formal checks (e.g. Disclosure Scotland) have taken place. Formal change and review processes need to be in place so that permissions can be added or rescinded quickly when circumstances change (e.g. when a person is no longer performing the same role or has left the organisation). A log needs to be kept and reviewed of access permissions relating to individuals rather than to generic job titles: e.g. a clinician may perform several roles which are different from someone with the same job title or grade. The authority needs to make clear to the employee exactly what the access permissions mean and whether access is read only or gives the ability to modify or delete. For example, an employee should know that although doors to some rooms are left unlocked (i.e. the technology enables browsing across multiple records) entering them would go beyond the access permissions granted. And that the employee would need to justify what appears on the audit trail at all times. 4) Legitimate Relationship all access is based on a legitimate relationship with the patient Relationships with patients take many forms; ranging from regular visits to the same GP, several hours spent with a large team in Accident and Emergency, to a single contact with a Health Visitor. The common denominator is legitimacy: the staff clinical and administrative need access because they are directly involved with the person s healthcare. 5

6 It needs to be clear that simply having a family or personal relationship with someone does not constitute a legitimate relationship. Accessing information on partners, family members, friends, work colleagues, associates, neighbours etc. constitutes a serious breach of confidentiality. Personal life needs to be separated from professional roles when accessing information at all times. Accessing one s own healthcare records also constitutes a breach of confidentiality. Data Subjects, including healthcare staff, can access their own records using the official routes (e.g. Data Subject Access request). This ensures that the privacy of third parties is protected and that the medical and other exemptions on disclosure are applied where necessary. 5) Clinical and Business Need all access is on a need to know basis to provide healthcare and associated business services Staff with a legitimate relationship should only access the data which they actually need. Most patients are aware that allowing access to various datasets held locally or nationally (e.g. allergies data held in Electronic Care Summary) is in their clinical interests. But in other cases the need to access data can be less obvious: e.g. for a secondary care clinician to access GP notes from a patient s childhood in order to fully understand the context in which a medical condition arose in adulthood. It is important to have a dialogue with the patient as to what data is needed and why. There is a complex network of support staff, such as medical secretaries acting for hospital consultants, records managers and technicians, who play a pivotal role in ensuring that data is presented to clinicians in a timely way. In such cases it needs to be clear that they are accessing specific data on behalf of clinicians for a particular patient s need. Accessing patient-identifiable data for medical research needs to follow formal procedures: i.e. obtaining Caldicott Guardian permissions and data anonymisation. 6

7 It is not always technically possible to segregate strictly administrative data from clinical data. But it is vital to distinguish between direct clinical need and secondary purposes when accessing data: i.e. personal identifiable clinical data should not be used in order to perform tasks such as financial planning. 6) Time-bound all access is related to the period in which there is a relationship, as well as clinical and business need Most healthcare activity is time-bound and event driven. Access should only occur during the period in which there is a clinical relationship which might be minutes or decades. Access permissions should not be granted on a just in case basis. Instead, the authority will need to look at the roles being performed within a limited period. For example an access permission might be for system A; but only for patients being treated. The employee has the flexibility to access data on a new patient for example without having to ask for new permissions or change technical controls each time. Matching up the audit trail with the dates of care would flag up where the employee has gone beyond his original permissions. Some applications and systems are directly linked to a specific area of healthcare (e.g. sexual health). It is essential that when an employee moves to another area of work that the permissions are reviewed (and if necessary revoked) rather than simply adding to them. Such snowballing of permissions provides far more access than is actually required and increases privacy and security risks. Although access to information is for a limited period the clinician may still need to read older records within that timeframe (e.g. specified staff may need to access medical histories from different sources during a patient s two-week stay in hospital). 7) Legal Requirement all other access is in accordance with the law There are special circumstances where patient consent is not required to access information: i.e. vital interests of a patient and where it is in the public interest. Examples might be the disclosure of information to the police to help in the prevention and detection of crime or to assist in the planning of public services. Such a decision is not taken lightly and a health professional will need to balance the interests of the patient (and any third parties) 7

8 with the wider public interest. The courts, tribunals and other statutory and regulatory bodies also have powers to access a range of personal information. Officials, lawyers and police officers requesting patient data need to provide necessary documentation such as a court order or warrant. Disclosure should not be made just because the person is in authority. There needs to be clear process for approving such requests (clinicians and Information Governance leads) and documenting actions (i.e. exactly what data was approved for disclosure and by whom) To consider data handling issues; whether the original or copy data is provided, whether it needs to be redacted and how it is going to be securely transferred to a named recipient. Regular data sharing with other bodies needs to take place within the constraints of pre-agreed protocols and codes of connections. Access to patient records in order meet other regulatory and professional purposes (e.g. clinical audits for quality improvement and benchmarking) is within agreed rules and needs to be proportionate (i.e. the audit trail will show whether more data was accessed than necessary for the task). 8) Technical Control all access permissions are replicated as far as possible by technical controls that prevent unauthorised access Access permissions are not one and the same as the technical controls that exist in IT systems. This is because it is not always practical or cost-effective to design a set of controls that cover every possible scenario or role. Adding too many barriers or layers of complexity can actually hinder clinical decision making (in some instances putting lives at risk). Even in the physical environment where controls are simpler there is usually a degree of trust: an administrator may not have permission to look at the contents of some filing cabinets (but holds all the keys); or a contractor s security pass is not valid for entry to sensitive clinical areas (but there may not be a swipe card reader to check). 8

9 In most cases simple front door key controls can be used to ensure there is access only to those persons who need to view data on a specific IT network, system, application or dataset: e.g. you should not be able to sign-on to an application or network in the first place if there is no need/access permission. However, clinical portals, make the situation more complex as they are made up of groups of data-fields or portlets pulled out from several applications. Access permissions still need to be applied to each of the applications that are linked to the portal (i.e. the portal remembers which applications you have access to and can create a new layer of technical controls to replicate them). Some individual applications offer role based or team based access controls offering a greater degree of granularity (e.g. to ensure that persons performing only nonclinical tasks do not have access to clinical data on the same application). However, there are no plans for an overarching national role based access model because of the multiplicity of systems (there is no single clinical record spine ) and no amount of technical roles designed for IT can ever reflect all the situations where there is legitimate, time-bound, clinical need. IT System administrators and some record managers often need to override normal technical controls in order to perform tasks necessary to run the system or manage the data. Here risks need to be mitigated by ensuring that staff with such access are a) kept to an absolute minimum; b) given the correct level of vetting and training; c) required to understand and sign a code of conduct that makes clear that routine administration tasks do not usually require actually accessing patient data. 9) Audit Trail access activity by staff on systems is recorded and monitored The audit trails relating to a user s activity can be used as a powerful tool to check that access to patient data has been in accordance with permissions. Basic activity (such as login details, dates, items viewed etc) is gathered automatically. Monitoring, of which audit logs are part, will follow Lawful Business Practice Regulations. Automated activity audit logs are extremely accurate. But if the identity of the person is ambiguous any future investigation is seriously compromised. 9

10 Core NHS systems produce system logs that match up an ID to activity; but some legacy applications have no or limited audit functionality. Employees have a right to know that they are being monitored but not of the exact methods being used or which applications are being monitored more comprehensively than others. Tools can be used to aggregate audit logs from several systems and generate reports which shows patterns in activity. This can be a powerful aid to privacy and security investigations. 10) Accountability all staff are accountable for their actions when privacy or security breaches occur All staff, regardless of grade or position, will need to account for their access to patient or staff data at all times, particularly, where access has gone beyond the legitimate, timebound, clinical need principles. Ignorance or pointing to the absence of technical controls is a weak defence from staff being investigated, given signed codes of conduct and assurance prompts when logging in. In some cases the system may even generate automatic warnings designed to deter staff from inappropriate access activity. Audit trails are a means rather than an end in themselves. They need to be taken with other contextual business data to ascertain whether unusual activity constitutes a privacy or security breach. The severity of the privacy/security breach and therefore any disciplinary action will be measured in terms of actual or potential impact rather than any simple algorithm (e.g. a single instance of accessing data on one application may have more potential impact than dozens of activities on another). Each audit event (or pattern of events) will be reviewed by appropriate personnel to assess whether any formal investigation which may lead to disciplinary action should take place. If this is deemed necessary, Local Board disciplinary policies and procedures will then be followed. 10

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

The Leeds Teaching Hospitals NHS Trust. Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS

The Leeds Teaching Hospitals NHS Trust. Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS The Leeds Teaching Hospitals NHS Trust Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS 1. Introduction The Research Governance Framework for Health & Social

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

Information Security Incident Management Policy

Information Security Incident Management Policy Information Security Incident Management Policy Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation

More information

Best practice guidance for information security within Choose and Book May 2009

Best practice guidance for information security within Choose and Book May 2009 Best practice guidance for information security within Choose and Book May 2009 Best practice guidance for information security within Choose and Book This guidance has been prepared to help organisations

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

More information

The Care Record Guarantee Our Guarantee for NHS Care Records in England

The Care Record Guarantee Our Guarantee for NHS Care Records in England The Care Record Guarantee Our Guarantee for NHS Care Records in England January 2011, version 5 Introduction In the National Health Service in England, we aim to provide you with the highest quality of

More information

USE OF PERSONAL MOBILE DEVICES POLICY

USE OF PERSONAL MOBILE DEVICES POLICY Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014

More information

HMG Security Policy Framework

HMG Security Policy Framework HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

Information Security Incident Management Policy September 2013

Information Security Incident Management Policy September 2013 Information Security Incident Management Policy September 2013 Approving authority: University Executive Consultation via: Secretary's Board REALISM Project Board Approval date: September 2013 Effective

More information

General Register Office for Scotland information about Scotland s people. Paper NHSCR GB 1/08. NHSCR Scotland Information Governance Standards

General Register Office for Scotland information about Scotland s people. Paper NHSCR GB 1/08. NHSCR Scotland Information Governance Standards General Register Office for Scotland information about Scotland s people Paper NHSCR GB 1/08 NHSCR Scotland Information Governance s This is a draft on which the Board s comments would be welcome. Contents

More information

HIPAA Audit Risk Assessment - Risk Factors

HIPAA Audit Risk Assessment - Risk Factors I II Compliance Compliance I Compliance II SECTION ONE COVERED ENTITY RESPONSIBILITIES AREA ONE Notice of Privacy Practices 1 Is your full notice of privacy practices given to every new patient in your

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

A Framework for the Safe and Secure Use & Management of Community Pharmacy NHSmail email including Generic Mailboxes

A Framework for the Safe and Secure Use & Management of Community Pharmacy NHSmail email including Generic Mailboxes A Framework for the Safe and Secure Use & Management of Community Pharmacy NHSmail email including Generic Mailboxes Contents 1 Introduction 3 2 NHSmail Acceptable Use Policy 3 3 Objectives 4 4 General

More information

Electronic Palliative Care Co-Ordination Systems: Information Governance Guidance

Electronic Palliative Care Co-Ordination Systems: Information Governance Guidance QIPP Digital Technology Electronic Palliative Care Co-Ordination Systems: Information Governance Guidance Author: Adam Hatherly Date: 26 th March 2013 Version: 1.1 Crown Copyright 2013 Page 1 of 19 Amendment

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

Information Governance Policy

Information Governance Policy Information Governance Policy UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT HISTORY

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

Quick Guide To Information Governance Policies

Quick Guide To Information Governance Policies Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations.

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

Definition document for Health Bodies in Wales (including Local Health Boards, NHS trusts and Ambulance trusts)

Definition document for Health Bodies in Wales (including Local Health Boards, NHS trusts and Ambulance trusts) Freedom of Information Act 2000 Definition document for Health Bodies in Wales (including Local Health Boards, NHS trusts and Ambulance trusts) This guidance gives examples of the kinds of information

More information

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT 9.7 Date of the meeting 15/07/2015 Author Sponsoring Clinician Purpose of Report Recommendation J Green - Head

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

Requesting amendments to health and social care records

Requesting amendments to health and social care records Requesting amendments to health and social care records National Information Governance Board for Health and Social Care Guidance for patients, service users and professionals Contents About this guidance

More information

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff.

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff. Information Governance Policy 1 SUMMARY This policy is intended to ensure that staff are fully aware of their Information Governance (IG) responsibilities, so that they can effectively manage and best

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

Case Recording Practice Adults Services

Case Recording Practice Adults Services Case Recording Practice Adults Services Guidance on case recording practice and on document management Version: 3.3 Effective from: 1 st October 2014 Next review date: 1 st Nov 2015 Signed off by: Jenny

More information

Information Security Policy

Information Security Policy Information Security Policy Reference No: Version: 5 Ratified by: CG007 Date ratified: 26 July 2010 Name of originator/author: Name of responsible committee/individual: Date approved by relevant Committee:

More information

Information Security Policy

Information Security Policy Information Security Policy JUNE 2014 Author Responsibility Lynda Harris, Head of Information Governance, Central Eastern CSU, Bedfordshire and Luton All staff Effective Date June 2014 Review Date June

More information

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data Data Protection and Information Data - Guidelines for the use of Personal Data Page 1 of 10 Created on: 21/06/2013 Contents 1. Introduction... 3 2. Definitions... 3 4. Physical... 4 5 Electronic... 6 6

More information

Informatics Policy. Information Governance. Network Account and Password Management Policy

Informatics Policy. Information Governance. Network Account and Password Management Policy Informatics Policy Information Governance Policy Ref: 3589 Document Title Author/Contact Document Reference 3589 Document Control Network Account Management and Password Policy Pauline Nordoff-Tate, Information

More information

2. Reporting The national clinical audit is on the list of mandatory national audits for inclusion in Trust s Quality Accounts.

2. Reporting The national clinical audit is on the list of mandatory national audits for inclusion in Trust s Quality Accounts. National clinical audit of rheumatoid and early inflammatory arthritis Information for Caldicott Guardians 1. Overview The national clinical audit of rheumatoid and early inflammatory arthritis is part

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

More information

Frequently Asked Questions on new guidance for email in NHSScotland

Frequently Asked Questions on new guidance for email in NHSScotland May 2012 Approved Frequently Asked Questions on new guidance for email in NHSScotland 1) Why the need for new guidance? There is confusion as to what can be sent between NHSScotland boards, to business

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

Data Protection Act. Conducting privacy impact assessments code of practice

Data Protection Act. Conducting privacy impact assessments code of practice Data Protection Act Conducting privacy impact assessments code of practice 1 Conducting privacy impact assessments code of practice Data Protection Act Contents Information Commissioner s foreword... 3

More information

General Register Office for Scotland information about Scotland s people. Paper NHSCR GB 5/07. NHSCR s quality assurance procedures

General Register Office for Scotland information about Scotland s people. Paper NHSCR GB 5/07. NHSCR s quality assurance procedures General Register Office for Scotland information about Scotland s people Paper NHSCR GB 5/07 NHSCR s quality assurance procedures November 2007 NHSCR SCOTLAND INFORMATION GOVERNANCE STANDARDS Author: Muriel

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013 Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page

More information

CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY. December 2014

CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY. December 2014 CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY December 2014 DOCUMENT INFORMATION Author: Barbara Sansom Information Governance Manager Equality Impact Assessment Consultation & Approval

More information

Gloucestershire Hospitals

Gloucestershire Hospitals Gloucestershire Hospitals NHS Foundation Trust TRUST POLICY In the case of hard copies of this policy the content can only be assured to be accurate on the date of issue marked on the document. The Policy

More information

The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking

The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking The Information Commissioner has responsibility for promoting and enforcing the

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

NHS LANARKSHIRE HEALTH RECORDS POLICY Management and Maintenance, Security, Storage, Distribution and Retention of Health Records

NHS LANARKSHIRE HEALTH RECORDS POLICY Management and Maintenance, Security, Storage, Distribution and Retention of Health Records NHS LANARKSHIRE HEALTH RECORDS POLICY Management and Maintenance, Security, Storage, Distribution and Retention of Health Records Author: Responsible Lead Executive Director: Endorsing Body: Governance

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy NHS Waltham Forest Clinical Commissioning Group Information Governance Policy Author: Zeb Alam & David Pearce Version 3.0 Amendments to Version 2.1 Updates made in line with National Guidance and Legislation

More information

HIPAA Audit Risk Assessment - Risk Analysis

HIPAA Audit Risk Assessment - Risk Analysis I SECTION ONE COVERED ENTITY RESPONSIBILITIES AREA ONE Notice of Privacy Practices 1 Is your full notice of privacy practices given to every new patient in your practice at the first encounter or episode

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Employment Policies, Procedures & Guidelines for Schools

Employment Policies, Procedures & Guidelines for Schools DEALING WITH ALLEGATIONS OF ABUSE AGAINST TEACHERS, OTHER STAFF AND VOLUNTEERS GUIDANCE FOR LOCAL AUTHORITIES, HEAD TEACHERS, SCHOOL STAFF AND GOVERNING BODIES March 2012 1 ABOUT THIS GUIDANCE This is

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Remote Access Policy

Remote Access Policy BASINGSTOKE AND NORTH HAMPSHIRE NHS FOUNDATION TRUST Remote Access Policy Summary This is a new document which sets out the policy for remote access to the Trust s network and systems. Remote access is

More information

Policy on Public and School Bus Closed Circuit Television Systems (CCTV)

Policy on Public and School Bus Closed Circuit Television Systems (CCTV) DEPARTMENT OF TRANSPORT Policy on Public and School Bus Closed Circuit Television Systems (CCTV) Responsibility of: Public Transport Division TRIM File: DDPI2010/3680 Effective Date: July 2010 Version

More information

Data Processing Agreement

Data Processing Agreement Data Processing Agreement BETWEEN GP Name and practice address (Hereinafter known as the Data Controller) AND Coventry & Rugby Clinical Commissioning Group, of Christchurch House, Greyfriars Lane, Coventry,

More information

OxCCARE Information Governance Policy

OxCCARE Information Governance Policy OxCCARE Information Governance Policy Introduction: This document is intended to act as a practical guide to information governance (IG) for all research, audit, quality improvement and service evaluation

More information

Procedures. Issue Date: June 2014 Version Number: 2.0. Document Number: POL_1009. Status: Approved Next Review Date: April 2017 Page 1 of 17

Procedures. Issue Date: June 2014 Version Number: 2.0. Document Number: POL_1009. Status: Approved Next Review Date: April 2017 Page 1 of 17 Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:

More information

Information Sharing Protocol

Information Sharing Protocol Information Sharing Protocol South Central PCTs, General Practices and Tribal Consulting Limited Commissioning Enablement Service (Analytics) Document Control Date Version Author Comment 08/02/10 0.1 A.

More information

Information Security Policy

Information Security Policy Information Security Policy v2.0 Target Audience: Policy Endorsed by: ESCC Staff, members and other agencies handling ESCC information Governance Committee Final V2.0 Page 1 of 13 Information Security

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

Data Quality Policy SH NCP 2. Version: 5. Summary:

Data Quality Policy SH NCP 2. Version: 5. Summary: SH NCP 2 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: The Trust provides a framework to ensure all data that is recorded by the Trust is accurate and complies to

More information

Using AWS in the context of Australian Privacy Considerations October 2015

Using AWS in the context of Australian Privacy Considerations October 2015 Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview

More information

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

More information

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY Report to the Trust Board 22 September 2015 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations: Director

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

16 Electronic health information management systems

16 Electronic health information management systems 16 Electronic health information management systems Section 16: Electronic information management systems The continued expansion and growth in global technologies is aiding the development of many new

More information

Electronic health records: data protection issues in Europe

Electronic health records: data protection issues in Europe Electronic health records: data protection issues in Europe By Clare Sellars and Dr Amanda Easey IPM&T Group, McDermott Will & Emery UK LLP This article has been published in the April 2008 issue of BNAI

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

More information

Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3

Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3 Paper 9 Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3 Please ensure that all THREE pages of this contract are returned to: Information Governance Manager, Health Informatics, Chertsey House, St Peter

More information

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé NHS HDL (2006)41 abcdefghijklm = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé Dear Colleague NHSSCOTLAND INFORMATION SECURITY POLICY Summary 1. NHSScotland IT Security Policy was

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

IAPT Data Standard. Frequently Asked Questions

IAPT Data Standard. Frequently Asked Questions IAPT Data Standard Frequently Asked Questions Version 1.0 March 2012 IAPT FAQs 1.0-1 - Contents Section 1: About the IAPT Data Standard.. 3 Section 2: Who is responsible for doing what?. 5 Section 3: How

More information

INFORMATION PRIVACY STATEMENT

INFORMATION PRIVACY STATEMENT INFORMATION PRIVACY STATEMENT Victoria Police is bound by the Privacy and Data Protection Act 2014 in how it manages personal information. Victoria Police is committed to protecting the personal information

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

WSIC Integrated Care Record FAQs

WSIC Integrated Care Record FAQs WSIC Integrated Care Record FAQs How your information is shared now Today, all the places where you receive care keep records about you. They can usually only share information from your records by letter,

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

SHIP Guiding Principles and Best Practices

SHIP Guiding Principles and Best Practices A document of the SHIP Information Governance Working Group The objectives of this document This document is a statement of agreed guiding principles for governance and instances of best practice arising

More information

Information Governance Policy

Information Governance Policy BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY

More information

Information Governance Policy and Management Framework

Information Governance Policy and Management Framework Information Governance Policy and Management Framework Policy Number: IG01 Version: 3.0 Ratified by: Governing Body Date ratified: February 2016 Name of originator/author: Louise Chatwyn Information Governance

More information

HOW WE USE YOUR PERSONAL INFORMATION

HOW WE USE YOUR PERSONAL INFORMATION HOW WE USE YOUR PERSONAL INFORMATION Information Leaflet Your Health. Our Priority. Page 2 of 9 Introduction This Leaflet explains why the NHS collects information about you and how it is used, your right

More information

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining

More information

Records Management and Information Lifecycle Strategy

Records Management and Information Lifecycle Strategy LINCOLNSHIRE PARTNERSHIP NHS FOUNDATION TRUST Records Management and Information Lifecycle Strategy DOCUMENT VERSION CONTROL Document Type and Title: Strategy New or Replacing: Revised/Updated Version

More information

Policy and Procedure Document. Information Security Incident Management Policy and Procedure

Policy and Procedure Document. Information Security Incident Management Policy and Procedure Policy and Procedure Document Information Security Incident Management Policy and Procedure [23/08/2011] Page 1 of 9 Document Control Organisation Redditch Borough Council Title Information Security Incident

More information

Health and social care staff members: What you should know about Information Governance

Health and social care staff members: What you should know about Information Governance Health and social care staff members: What you should know about Information Governance p2 Information Governance What is Information Governance? You have probably heard of Clinical or Social Care Governance,

More information

CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH

CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH These notes are designed to be used in conjunction with the core training PowerPoint slides. The purpose of the

More information

NHS Business Services Authority Registration Authority and Smartcard Management Procedure

NHS Business Services Authority Registration Authority and Smartcard Management Procedure NHS Business Services Authority Registration Authority and Smartcard Management Procedure NHS Business Services Authority Corporate Secretariat NHSBSAIS005 Issue Sheet Document reference Document location

More information

TRUST SECURITY MANAGEMENT POLICY

TRUST SECURITY MANAGEMENT POLICY TRUST SECURITY MANAGEMENT POLICY EXECUTIVE SUMMARY The Board recognises that security management is an integral part of good, effective and efficient risk management practise and to be effective should

More information

Electronic Communications Monitoring Policy

Electronic Communications Monitoring Policy Electronic Communications Monitoring Policy Printed copies should not be considered the definitive version DOCUMENT CONTROL POLICY NO. 79 Policy Group Information Governance and Security Author Andrew

More information

SURVEILLANCE AND PRIVACY

SURVEILLANCE AND PRIVACY info sheet 03.12 SURVEILLANCE AND PRIVACY Info Sheet 03.12 March 2012 This Information Sheet applies to Victorian state and local government organisations that are bound by the Information Privacy Act

More information

Public Consultation regarding Data Sharing and Governance Bill. Contribution of Office of the Data Protection Commissioner

Public Consultation regarding Data Sharing and Governance Bill. Contribution of Office of the Data Protection Commissioner Submission of the Office of the Data Protection Commissioner (DPC) on the data-sharing and Governance Bill: - Policy Proposals (dated the 1 st of August 2014) Public Consultation regarding Data Sharing

More information