Accessing Personal Information on Patients and Staff:
A Framework for NHSScotland

Purpose:

Enabling access to personal and business information is a key part of the NHSScotland Information Assurance Strategy, and access cuts across many areas identified by boards for focussed improvement activity. For example:

- Acknowledgment that the ability to successfully apply sanctions against individuals depends on the robustness of board policies and procedures [e.g. on how access permissions should be agreed and being clear on identity]
- General support for the introduction of a software package which could assist with system audit of staff activity [e.g. on audit trails which cover access activities]
- Robust methodology in place to assess the business impact of access to information and apply the correct protection [e.g. to use technical controls combined with greater staff awareness]

The NHS holds more personal information by volume - on both patients and staff - than any other organisation in Scotland. Much of this information constitutes sensitive personal data and needs to be captured, managed, stored and disposed of securely in accordance with the Principles of the Data Protection Act. But the information is of no value unless readily accessible to clinicians and other staff tasked with providing healthcare. Recent investment in tools such as Clinical Portals and Single Sign On is designed to enable greater information sharing and access. A balance needs to be struck between protecting privacy and reducing security risks on the one hand, and the need to access information quickly in a complex healthcare environment heavily dependent on Information and Communications Technology (ICT) on the other.

The aim of this document is firstly to provide an access framework comprising ten interconnecting components or spokes (see Fig 1) to help organisations achieve this balance, and secondly to outline the practical steps that support the access framework.
Fig 1: The ten interconnecting components that enable access - "Accessing personal information: framework" [figure not reproduced in this text]

* "Access" here describes logging onto any IT system which holds data, as well as viewing or processing it in any way.
** "Data" in this context is used to describe the digital component parts (which may be just codes, names, numbers) which, when taken together, form information on an individual.

Although the prime focus here is on information held digitally, the 10 components described below are just as valid for the paper file environment. One of the many advantages of accessing information electronically is that the audit trails are more granular and sophisticated and can be used to check that each access activity is within the agreed rules.
1) Patient Consent - all access must respect any informed decisions made by the patient
2) Clear Identification - all access is from named individuals who are who they say they are
3) Appropriate Authority - all access is authorised by a suitably qualified person
4) Legitimate Relationship - all access is based on a legitimate relationship with the patient
5) Clinical and Business Need - all access is on a need to know basis to provide healthcare and associated business services
6) Time-bound - all access is related to the period in which there is a relationship, as well as clinical and business need
7) Legal Requirement - all other access is in accordance with the law
8) Technical Control - all access permissions are replicated as far as possible by technical controls that prevent unauthorised access
9) Audit Trail - access activity by staff on systems is recorded and monitored
10) Accountability - all staff are accountable for their actions when privacy or security breaches occur

Description of each component

1) Patient Consent - all access must respect any informed decisions made by the patient

The NHSScotland Code of Practice on Protecting Patient Confidentiality sets out the ways in which patients can provide consent to disclosure, as well as circumstances where access can be obtained without consent (e.g. the vital interests of the subject in an emergency situation, or where there is incapacity). Consent also needs to be informed: i.e. the patient is clear which part of the clinical record is being discussed, the purpose for sharing and those it is shared with. During routine clinical care express permission to share is not usually required, as most patients understand that their information must be shared within the healthcare team.
Patient consent is an ongoing process and based at the point of care: any verbal or written evidence from a previous care cycle may need to be revisited. It is not always possible to physically separate some types of data in order to respect patient disclosure decisions. In such circumstances there needs to be a dialogue: i.e. an explanation that effective care cannot be provided without access to several linked data sources or documents.

Any decision within the organisation, or at a national level, to capture new types of personal information on patients and staff (or to allow a wider group of professionals access to existing information) needs to take into account privacy and consent issues (i.e. commissioning and then acting upon Privacy Impact Assessments).

2) Clear Identification - all access is from named individuals who are who they say they are

Identity management is fundamental to the operation of access policies. It needs to be clear which named individual is accessing the data at any one time (e.g. by unique identifiers). The named individual needs to be working in an official capacity for the NHS, whether temporary, contracted or permanent, and to have signed statements recognising access principles and local policies.

Password sharing and generic accounts linked to job titles or teams seriously undermine all the access principles and security. Solutions such as single sign-on enable staff to work more quickly and remove the common reasons for noncompliance (e.g. cannot remember multiple passwords) but can also increase risks if real identity is not clear. There needs to be clarity over naming conventions across multiple systems and staff directories to minimise the risk of persons being confused with others and duplicate identities being created.

Joiners, movers and leavers processes need to be orchestrated across corporate services, especially ICT, HR, Finance and Estates, so that the list of personnel with access to systems is up to date.
It needs to be clear how far employees are responsible for updating their own credentials and whether any changes made are synchronised across multiple staff lists (e.g. address book and corporate directories). Staff need to be removed from systems quickly and to have handed in all assets once they have left the organisation.

3) Appropriate Authority - all access is authorised by a suitably qualified person

The permission to access particular systems, applications, datasets or data segments needs to be granted by a suitably qualified person with the correct level of authority. These decisions need to be formally recorded and reviewed. The registering authorities (e.g. managers, application and asset owners, clinical leads etc.) making decisions may need to view any relevant background information to confirm the identity and employment status of the person requiring access (e.g. student, locum, contractor or permanent). HR systems will hold evidence that formal checks (e.g. Disclosure Scotland) have taken place.

Formal change and review processes need to be in place so that permissions can be added or rescinded quickly when circumstances change (e.g. when a person is no longer performing the same role or has left the organisation). A log needs to be kept and reviewed of access permissions relating to individuals rather than to generic job titles: e.g. a clinician may perform several roles which are different from someone with the same job title or grade.

The authority needs to make clear to the employee exactly what the access permissions mean and whether access is read only or gives the ability to modify or delete. For example, an employee should know that although doors to some rooms are left unlocked (i.e. the technology enables browsing across multiple records), entering them would go beyond the access permissions granted, and that the employee would need to justify what appears on the audit trail at all times.
4) Legitimate Relationship - all access is based on a legitimate relationship with the patient

Relationships with patients take many forms, ranging from regular visits to the same GP, several hours spent with a large team in Accident and Emergency, to a single contact with a Health Visitor. The common denominator is legitimacy: the staff, clinical and administrative, need access because they are directly involved with the person's healthcare.

It needs to be clear that simply having a family or personal relationship with someone does not constitute a legitimate relationship. Accessing information on partners, family members, friends, work colleagues, associates, neighbours etc. constitutes a serious breach of confidentiality. Personal life needs to be separated from professional roles when accessing information at all times. Accessing one's own healthcare records also constitutes a breach of confidentiality. Data Subjects, including healthcare staff, can access their own records using the official routes (e.g. a Data Subject Access request). This ensures that the privacy of third parties is protected and that the medical and other exemptions on disclosure are applied where necessary.

5) Clinical and Business Need - all access is on a need to know basis to provide healthcare and associated business services

Staff with a legitimate relationship should only access the data which they actually need. Most patients are aware that allowing access to various datasets held locally or nationally (e.g. allergies data held in the Electronic Care Summary) is in their clinical interests. But in other cases the need to access data can be less obvious: e.g. for a secondary care clinician to access GP notes from a patient's childhood in order to fully understand the context in which a medical condition arose in adulthood. It is important to have a dialogue with the patient as to what data is needed and why.

There is a complex network of support staff, such as medical secretaries acting for hospital consultants, records managers and technicians, who play a pivotal role in ensuring that data is presented to clinicians in a timely way. In such cases it needs to be clear that they are accessing specific data on behalf of clinicians for a particular patient's need. Accessing patient-identifiable data for medical research needs to follow formal procedures: i.e. obtaining Caldicott Guardian permissions and data anonymisation.
It is not always technically possible to segregate strictly administrative data from clinical data. But it is vital to distinguish between direct clinical need and secondary purposes when accessing data: i.e. personal identifiable clinical data should not be used in order to perform tasks such as financial planning.

6) Time-bound - all access is related to the period in which there is a relationship, as well as clinical and business need

Most healthcare activity is time-bound and event driven. Access should only occur during the period in which there is a clinical relationship, which might be minutes or decades. Access permissions should not be granted on a "just in case" basis. Instead, the authority will need to look at the roles being performed within a limited period. For example, an access permission might be for system A, but only for patients being treated. The employee has the flexibility to access data on a new patient, for example, without having to ask for new permissions or change technical controls each time. Matching up the audit trail with the dates of care would flag up where the employee has gone beyond his original permissions.

Some applications and systems are directly linked to a specific area of healthcare (e.g. sexual health). It is essential that when an employee moves to another area of work the permissions are reviewed (and if necessary revoked) rather than simply added to. Such snowballing of permissions provides far more access than is actually required and increases privacy and security risks. Although access to information is for a limited period, the clinician may still need to read older records within that timeframe (e.g. specified staff may need to access medical histories from different sources during a patient's two-week stay in hospital).

7) Legal Requirement - all other access is in accordance with the law

There are special circumstances where patient consent is not required to access information: i.e. the vital interests of a patient, and where it is in the public interest. Examples might be the disclosure of information to the police to help in the prevention and detection of crime, or to assist in the planning of public services. Such a decision is not taken lightly, and a health professional will need to balance the interests of the patient (and any third parties) with the wider public interest.

The courts, tribunals and other statutory and regulatory bodies also have powers to access a range of personal information. Officials, lawyers and police officers requesting patient data need to provide the necessary documentation, such as a court order or warrant. Disclosure should not be made just because the person is in authority. There needs to be a clear process for approving such requests (clinicians and Information Governance leads), for documenting actions (i.e. exactly what data was approved for disclosure and by whom), and for considering data handling issues: whether the original or copy data is provided, whether it needs to be redacted, and how it is going to be securely transferred to a named recipient.

Regular data sharing with other bodies needs to take place within the constraints of pre-agreed protocols and codes of connection. Access to patient records in order to meet other regulatory and professional purposes (e.g. clinical audits for quality improvement and benchmarking) is within agreed rules and needs to be proportionate (i.e. the audit trail will show whether more data was accessed than necessary for the task).

8) Technical Control - all access permissions are replicated as far as possible by technical controls that prevent unauthorised access

Access permissions are not one and the same as the technical controls that exist in IT systems. This is because it is not always practical or cost-effective to design a set of controls that cover every possible scenario or role. Adding too many barriers or layers of complexity can actually hinder clinical decision making (in some instances putting lives at risk).
Even in the physical environment, where controls are simpler, there is usually a degree of trust: an administrator may not have permission to look at the contents of some filing cabinets (but holds all the keys); or a contractor's security pass is not valid for entry to sensitive clinical areas (but there may not be a swipe card reader to check).
In most cases simple "front door" key controls can be used to ensure there is access only for those persons who need to view data on a specific IT network, system, application or dataset: e.g. you should not be able to sign on to an application or network in the first place if there is no need or access permission. However, clinical portals make the situation more complex, as they are made up of groups of data fields or "portlets" pulled out from several applications. Access permissions still need to be applied to each of the applications that are linked to the portal (i.e. the portal remembers which applications you have access to and can create a new layer of technical controls to replicate them).

Some individual applications offer role based or team based access controls offering a greater degree of granularity (e.g. to ensure that persons performing only nonclinical tasks do not have access to clinical data on the same application). However, there are no plans for an overarching national role based access model because of the multiplicity of systems (there is no single clinical record "spine"), and no amount of technical roles designed for IT can ever reflect all the situations where there is legitimate, time-bound, clinical need.

IT system administrators and some records managers often need to override normal technical controls in order to perform tasks necessary to run the system or manage the data. Here risks need to be mitigated by ensuring that staff with such access are a) kept to an absolute minimum; b) given the correct level of vetting and training; c) required to understand and sign a code of conduct that makes clear that routine administration tasks do not usually require actually accessing patient data.

9) Audit Trail - access activity by staff on systems is recorded and monitored

The audit trails relating to a user's activity can be used as a powerful tool to check that access to patient data has been in accordance with permissions. Basic activity (such as login details, dates, items viewed etc.) is gathered automatically. Monitoring, of which audit logs are part, will follow the Lawful Business Practice Regulations. Automated activity audit logs are extremely accurate. But if the identity of the person is ambiguous, any future investigation is seriously compromised.

Core NHS systems produce system logs that match up an ID to activity; but some legacy applications have no or limited audit functionality. Employees have a right to know that they are being monitored, but not the exact methods being used or which applications are being monitored more comprehensively than others. Tools can be used to aggregate audit logs from several systems and generate reports which show patterns in activity. This can be a powerful aid to privacy and security investigations.

10) Accountability - all staff are accountable for their actions when privacy or security breaches occur

All staff, regardless of grade or position, will need to account for their access to patient or staff data at all times, particularly where access has gone beyond the legitimate, time-bound, clinical need principles. Ignorance, or pointing to the absence of technical controls, is a weak defence for staff being investigated, given signed codes of conduct and assurance prompts when logging in. In some cases the system may even generate automatic warnings designed to deter staff from inappropriate access activity.

Audit trails are a means rather than an end in themselves. They need to be taken with other contextual business data to ascertain whether unusual activity constitutes a privacy or security breach. The severity of the privacy/security breach, and therefore any disciplinary action, will be measured in terms of actual or potential impact rather than any simple algorithm (e.g. a single instance of accessing data on one application may have more potential impact than dozens of activities on another). Each audit event (or pattern of events) will be reviewed by appropriate personnel to assess whether any formal investigation which may lead to disciplinary action should take place. If this is deemed necessary, Local Board disciplinary policies and procedures will then be followed.
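The framework says that matching the audit trail against the dates of care flags access beyond an employee's permissions (component 6), that generic accounts make the identity behind an audit entry ambiguous (component 2), that technical controls only partly replicate permissions (component 8), and that aggregating logs from several systems aids investigation (component 9). The following script is an added illustration of those four checks together; it is not part of the NHSScotland framework and does not describe any real NHS system. All account ids, patient ids, system names, log formats and care episodes in it are constructed sample data, and the finding labels are the author's own.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample data only (hypothetical ids, systems and formats);
# nothing here is taken from the framework document or a real NHS system.


@dataclass(frozen=True)
class AccessEvent:
    system: str
    ts: datetime
    user: str
    patient: str
    action: str


@dataclass(frozen=True)
class CareEpisode:
    """A legitimate relationship (component 4) with its time window (component 6)."""
    staff_id: str
    patient_id: str
    start: datetime
    end: datetime


# Front-door technical control (component 8): applications each named account may sign on to.
APP_PERMISSIONS = {"u1001": {"PAS", "LabResults"}, "u1002": {"PAS"}}

# Shared accounts tied to a team rather than a person (component 2).
GENERIC_ACCOUNTS = {"wardclerk"}

# Dates of care recorded by the registering authority, used to bound each permission.
CARE_EPISODES = [
    CareEpisode("u1001", "P-555", datetime(2013, 3, 1), datetime(2013, 3, 14, 23, 59)),
    CareEpisode("u1002", "P-777", datetime(2013, 3, 5), datetime(2013, 3, 6, 23, 59)),
]

# Two systems with different audit formats (constructed): a pipe-separated export
# from a patient administration system and JSON-like records from a lab system.
PAS_LOG = [
    "2013-03-03T10:15:00|u1001|P-555|VIEW",
    "2013-03-20T09:02:00|u1001|P-555|VIEW",      # episode ended on 14 March
    "2013-03-05T11:00:00|u1002|P-999|VIEW",      # no care episode with this patient
    "2013-03-05T12:30:00|wardclerk|P-777|VIEW",  # generic account
]
LAB_LOG = [
    {"ts": "2013-03-04 08:00:00", "user": "u1001", "patient": "P-555", "action": "view"},
    {"ts": "2013-03-05 08:30:00", "user": "u1002", "patient": "P-777", "action": "view"},  # no LabResults permission
]


def normalise() -> List[AccessEvent]:
    """Aggregate both logs into one shape, ordered by time (component 9)."""
    events = []
    for line in PAS_LOG:
        ts, user, patient, action = line.split("|")
        events.append(AccessEvent("PAS", datetime.fromisoformat(ts), user, patient, action.lower()))
    for rec in LAB_LOG:
        ts = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(AccessEvent("LabResults", ts, rec["user"], rec["patient"], rec["action"].lower()))
    return sorted(events, key=lambda e: e.ts)


def check_event(ev: AccessEvent) -> List[str]:
    """Return finding labels for one event; an empty list means within agreed rules."""
    findings: List[str] = []
    if ev.user in GENERIC_ACCOUNTS:
        # Identity is ambiguous, so the event cannot be matched to any individual's permissions.
        return ["GENERIC_ACCOUNT"]
    if ev.system not in APP_PERMISSIONS.get(ev.user, set()):
        # The front-door control should have refused this sign-on; the control did not replicate the permission.
        findings.append("NO_APP_PERMISSION")
    episodes = [c for c in CARE_EPISODES if c.staff_id == ev.user and c.patient_id == ev.patient]
    if not episodes:
        findings.append("NO_CARE_EPISODE")
    elif not any(c.start <= ev.ts <= c.end for c in episodes):
        findings.append("OUTSIDE_EPISODE_WINDOW")
    return findings


def review(events: List[AccessEvent]) -> Dict[str, List[str]]:
    """Map a stable key for each event to its findings."""
    return {f"{e.system}:{e.user}:{e.patient}:{e.ts.isoformat()}": check_event(e) for e in events}


def flagged_events(events: List[AccessEvent]) -> Dict[str, List[str]]:
    """Only the events that need human review by appropriate personnel (component 10)."""
    return {k: v for k, v in review(events).items() if v}


if __name__ == "__main__":
    for key, findings in flagged_events(normalise()).items():
        print(key, "->", ", ".join(findings))
```

The findings are deliberately not a verdict: as the framework says, an audit event is a prompt for review against other contextual business data, not proof of a breach. The same APP_PERMISSIONS table is the kind of per-application permission list a clinical portal would need to consult before assembling its portlets, and keeping care episodes as data rather than as roles is what lets a clinician see a newly admitted patient without a change to technical controls.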
More informationUSE OF PERSONAL MOBILE DEVICES POLICY
Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014
More informationInformation Sharing Protocol
Information Sharing Protocol South Central PCTs, General Practices and Tribal Consulting Limited Commissioning Enablement Service (Analytics) Document Control Date Version Author Comment 08/02/10 0.1 A.
More informationCREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy
CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE
More informationINFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY
Appendix 1 INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Author Information Governance Review Group Information Governance Committee Review Date May 2014 Last Update February 2013 Document No. GV
More informationUnited States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)
for the United States Citizenship and Immigration Services (USCIS) June 22, 2007 Contact Point Harry Hopkins Office of Information Technology (OIT) (202) 272-8953 Reviewing Official Hugo Teufel III Chief
More informationInformation Integrity & Data Management
Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is
More informationAccess Control Policy
Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you
More informationInformation Governance Policy
Information Governance Policy UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT HISTORY
More informationSOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager
SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY Report to the Trust Board 22 September 2015 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations: Director
More informationSURVEILLANCE AND PRIVACY
info sheet 03.12 SURVEILLANCE AND PRIVACY Info Sheet 03.12 March 2012 This Information Sheet applies to Victorian state and local government organisations that are bound by the Information Privacy Act
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationInformation Incident Management Policy
Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit
More informationInformation Governance Policy
Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading
More informationAn Approach to Records Management Audit
An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION
More informationNETWORK SECURITY POLICY
NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet
More informationElectronic Communications Monitoring Policy
Electronic Communications Monitoring Policy Printed copies should not be considered the definitive version DOCUMENT CONTROL POLICY NO. 79 Policy Group Information Governance and Security Author Andrew
More informationInformation Governance Strategy
Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version
More informationStaff Guide to Information Sharing
Central Bedfordshire Council www.centralbedfordshire.gov.uk Staff Guide to Information Sharing May 2015 Security Classification: Not Protected Factors to consider before sharing information When deciding
More informationNational Occupational Standards. Compliance
National Occupational Standards Compliance NOTES ABOUT NATIONAL OCCUPATIONAL STANDARDS What are National Occupational Standards, and why should you use them? National Occupational Standards (NOS) are statements
More informationCORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH
CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH These notes are designed to be used in conjunction with the core training PowerPoint slides. The purpose of the
More informationData Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana
Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationSenior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES
Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the
More information16 Electronic health information management systems
16 Electronic health information management systems Section 16: Electronic information management systems The continued expansion and growth in global technologies is aiding the development of many new
More informationRequesting amendments to health and social care records
Requesting amendments to health and social care records National Information Governance Board for Health and Social Care Guidance for patients, service users and professionals Contents About this guidance
More informationNHS Business Services Authority Registration Authority and Smartcard Management Procedure
NHS Business Services Authority Registration Authority and Smartcard Management Procedure NHS Business Services Authority Corporate Secretariat NHSBSAIS005 Issue Sheet Document reference Document location
More informationUsing AWS in the context of Australian Privacy Considerations October 2015
Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview
More informationINFORMATION GOVERNANCE POLICY
ENFIELD CLINICAL COMMISSIONING GROUP INFORMATION GOVERNANCE POLICY PLEASE DESTROY ALL PREVIOUS VERSIONS OF THIS DOCUMENT Enfield CCG Information Governance Policy Information Governance Policy (Policy
More informationOxCCARE Information Governance Policy
OxCCARE Information Governance Policy Introduction: This document is intended to act as a practical guide to information governance (IG) for all research, audit, quality improvement and service evaluation
More informationSecure Transfer of Information Guidance for staff
Secure Transfer of Information Guidance for staff Document number CCG.GOV.013.1.1 Version: 1.1 Ratified by: NHS Bury CCG Quality and Risk Committee Date ratified: 8 th January 2014 Name of originator /author
More informationInformation Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
More informationData Sharing Protocol
Data Sharing Protocol Agreement for Sharing Data Between Partners of the South Dublin Childrens Services Committee Version 0.4 Final Draft June 2009 Contents 1 Preface...3 2 Introduction & Overview...3
More informationThe Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking
The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking The Information Commissioner has responsibility for promoting and enforcing the
More informationGUIDEILINE FOR MONITORING STAFF COMPUTER USE
GUIDEILINE FOR MONITORING STAFF COMPUTER USE TRUST REF: B41/2007 APPROVED BY: Policy and Guideline Committee VERSION NUMBER: 1 DATE OF APPROVAL: 12 th November 2007 AUTHOR: DIRECTORATE: REVIEW DATE: Gareth
More informationINFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK
INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire
More informationMandatory data breach notification in the ehealth record system
Mandatory data breach notification in the ehealth record system Draft September 2012 A guide to mandatory data breach notification under the personally controlled electronic health record system Contents
More informationSTFC Monitoring and Interception policy for Information & Communications Technology Systems and Services
STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining
More informationPolicy Document Control Page
Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
More informationInformation Governance Strategy
Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the
More informationNon ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3
Paper 9 Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3 Please ensure that all THREE pages of this contract are returned to: Information Governance Manager, Health Informatics, Chertsey House, St Peter
More informationHow To Ensure Information Security In Nhs.Org.Uk
Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:
More informationSHIP Guiding Principles and Best Practices
A document of the SHIP Information Governance Working Group The objectives of this document This document is a statement of agreed guiding principles for governance and instances of best practice arising
More informationNHS Waltham Forest Clinical Commissioning Group Information Governance Strategy
NHS Waltham Forest Clinical Commissioning Group Governance Strategy Author: Zeb Alam, CCG IG Lead, (NELCSU) David Pearce, Head of Governance, WFCCG Version 3.0 Amendments to Version 2.1 Annual Review Reference
More informationData Protection Policy
Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More informationHighland Council Information Security Policy
Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...
More informationOriginator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy
Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy Computer Security Policy Contents 1 Scope... 3 2 Governance... 3 3 Physical Security... 3 3.1 Servers... 3 3.2
More informationHow To Audit Health And Care Professions Council Security Arrangements
Audit Committee 28 Internal audit report ICT Security Executive summary and recommendations Introduction Mazars has undertaken a review of ICT Security controls, in accordance with the internal audit plan
More information