Information Governance Strategy

Transcription

1 Policy No: IG01 Version: 3.0 Name of Policy: Information Governance Strategy Effective From: 02/06/2015 Date Ratified 06/05/2015 Ratified Health Informatics Assurance Group (HIAG) Review Date 01/05/2017 Sponsor Director of Finance and Information Expiry Date 05/05/2018 Withdrawn Date Unless this copy has been taken directly from the Trust intranet site (Pandora) there is no assurance that this is the most up to date version This policy supersedes all previous issues. Information Governance Strategy v3

2 Version Control Version Release Author / Reviewer Ratified by / Authorised by 2.0 Jan 2012 K. Craddock Health Informatics Assurance Group (HIAG) 2.1 Jan 2013 L. Hamill Health Informatics Assurance Group (HIAG) Date Jan 2012 Jan 2013 Changes (Please identify page no.) Document reformatted to comply with Trust standards /06/2015 M. Galloway Health Informatics Assurance Group (HIAG) 06/05/2015 Document reformatted to comply with Trusts IGTK standards Information Governance Strategy v3 2

3 Contents Section Page 1. Introduction Purpose Scope NHS Framework Objectives of the Strategy Principles of the Strategy Roles and Responsibilities Staff and Resources Management Board Structure Working Groups The Information Governance Toolkit The Information Governance Programme Deliverables The IG Policy Framework The Annual Work Plan Contracts Information Risk Management Programme Projects - Procurement of Systems / Change Management Processes Integrated Working Research Information Requests Management of Records The Management and Reporting of Security Incidents Staff Training E-Learning Training Specialist Training Bespoke or Departmental Training The Training Needs Analysis (TNA) Matrix Communication Staff Disciplinary Equality and Diversity Monitoring and Compliance with Procedures Consultation and Review References Useful Guides/Reviews Monitoring Bodies Associated Documents APPENDICES Appendix 1: Roles and Accountability Structure Appendix 2: Committee/Group Structure Appendix 3: Terms of Reference for the HIAG Appendix 3a: Membership of the HIAG Appendix 4: Information Governance Toolkit Summary Appendix 5: The Policy and Procedure IG Framework Appendix 6: The Information Governance Work Plan Appendix 7: The Trust s IG Specialist Training Programme Information Governance Strategy v3 3

4 Information Governance Strategy 1. Introduction Information is a vital asset for any organisation. Our information assets at Gateshead Health NHS Trust support both the day to day clinical operations and the effective management of our services and resources. As a provider of health, the Trust is responsible for ensuring that any information collated is handled and protected securely, whilst always being available at any one time when needed to ensure the safety and effective care of our patients. Information Governance provides a secure mechanism for the handling of all types of information in relation to patients, employees and clients who do business with the Trust. It is therefore critical that the information we hold across the Trust s business activities is accurate, free from unauthorised disclosures and is available in a timely manner to aid effective decision making when needed. Effective information plays a key part in corporate and clinical governance, strategic risk, service planning and performance management. 2. Purpose 3 Scope This strategy sets out the Trust s information governance assurance framework for the handling of information. It brings together a set of statutory, mandatory and best practice standards as road mapped in the information governance toolkit. It provides a robust information governance framework of clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources which are required to ensure any information sourced by the Trust is held appropriately, securely and legally. By adhering to these requirements, standards and best practice for the processing of personal data it will help the Trust to:- Provide excellent care to our patients Comply with the law Implement the DoH guidelines and standards Plan year on year improvements in the information governance agenda Fulfill the IG Toolkit requirements Provide assurance against international standards such as the ISO Records Management Standard and the ISO 27001/27002 Information Security Standard This strategy applies to:- Any individual employed, in any capacity, by the Trust including employees, students, volunteers and third party contractors All paper and electronic information All information systems and information assets managed by or used by the organisation. For the purpose of this strategy the term information asset will refer to any useful or valuable store of information in any format, which is processed, held or potentially requires a facility of transfer. 4. NHS Framework The NHS Operating Framework sets the Trusts approach to Information Governance. The main legal framework governing the use of personal data includes:- The Data Protection Act 1998 The Freedom of Information Act 2000 Information Governance Strategy v3 4

5 The Environmental Information Regulations 2004 The NHS Act 2006 The Health and Social Care Act 2012 The Human Rights Act Re-Use of Public Sector Information Regulations 2005 The Misuse of Computers Act 1990 Copyright, Designs and Patents Act 1988 (as amended by the Copyright Regulations 1992) Privacy Electronic Communications Act 2003 Protection of Freedoms Act 2012 Codes of Practice The NHS Confidentiality Code of Practice The Caldicott Principles NHS Records Management Code of Practice Lord Chancellor s Code of Practice on Records Management under 46 of the Freedom of Information Act 2000 Information Security Management: NHS Code of Practice The framework pursued by this strategy will implement the six themes of the IG Toolkit. Information Governance (management, accountability, training) Confidentiality and data protection (use of personal data) Information security Clinical information assurance Secondary use assurance of information (data quality, non-direct use of clinical information) Corporate information assurance (records management, freedom of information etc.) 5. Objectives of the Strategy The Trust s key objective of this strategy is to achieve a standard of excellence in Information Governance. Through the implementation of this strategy, the Trust aims to:- Establish and maintain policies and procedures in Data Protection and Confidentiality, Freedom of Information, Information Security and Data Quality that defines appropriate standards for the handling of personal and corporate data. This will lead to improvements in:- o Information handling activities o Record duplication and improved records management o Patient confidence in the Trust and the NHS o Better trained staff Undertake or commission annual assessments and audits of its policies and arrangements to improve current working practices. This will minimise corporate risks arising from poor handing activities such as:- o Increased information security incidents o Corporate/patient complaints o Patient harm caused by inadequate access to patient information o Corporate and clinical negligence claims o Audit investigations and monetary fines from the ICO and other public bodies o Negative press and publicity o Damage and stress to individuals involved in data breaches Complete the annual information governance toolkit to a level 3 compliance target, wherever possible, for the next three years. Information Governance Strategy v3 5

6 Develop an annual IG Improvement Plan and Action Plan arising from the baseline assessment completed against the IG standards set out in the HSCIC Information Governance Toolkit. This will be the vehicle used for improving information governance at the Trust Instil a culture of information governance so that all staff understand their IG responsibilities and apply best practice and principles when managing data. This will involve the promotion of effective information governance communication and training to raise awareness of key security issues in the Trust. Develop an information risk management reporting structure to ensure all associated information risks in the environment are appropriately managed to support the overall risk management function of the Trust. Ensure there is a clear structure and framework for reporting security incidents and management action in response to all IG requirements. The Trust will foster a culture of change from documented lessons learnt in response to data breaches. This will be in accordance with the Trust s Risk Management Policy, Information Risk Policy, Incident Management Policy and The Reporting of Serious IG Incidents Policy. Provide innovative solutions and streamline business processes and systems for the handling of personal data. It is anticipated this will reduce the number of systems that hold personal data. Encourage multi-disciplinary teams to work closely together to reduce repetitive working practices by sharing information and standardising procedures and practices. Encourage a culture of openness and transparency by making non-confidential information readily and easily available through a variety of media, in line with the Trust s Publication Scheme. This will build positive relations with our internal and external clients by providing an efficient and reliable service in all IG matters. o Clear advice and guidance will be made available via the Trust s internet to explain how service users can exploit their legal rights for access to information and how they can raise concerns if they are dissatisfied with any processing requirements. o Information will be made available in various formats, subject to a range of exemptions and restrictions, in response to Subject Access Requests under the Data Protection Act 1998, FOI requests under the Freedom of Information Act 2000 and EIR requests under the Environmental Information Regulations. o The Trust will publish a fair processing notice via its website to explain how information is recorded, held and shared. o Patients will be made aware of the importance of providing accurate and up to date information about themselves to the Trust so that appropriate care can be given to them as and when necessary. This will allow the Trust s resources to be utilised adequately. Ensure all key service data is accurately recorded and maintained, with regular crosschecking against source data undertaken. Data standards/definitions used will be clear and consistent per data item in accordance with national standards. To regard all personal identifiable data (PID) relating to service users as confidential except where national policy on accountability and openness requires otherwise. Any appropriate sharing of information will take account of relevant legislation such as the Human Rights Act, the Health and Social Care Act, The Crime and Disorder Act, The Protection of Children Act, the revised Caldicott Principles etc. and the common Duty of Confidentiality and its associated guidance. 6. Principles of the Strategy The Trust will adopt the Department of Health standards (called the HORUS Model ), which requires information to be:- Held securely and confidentially Information Governance Strategy v3 6

7 Obtained fairly and efficiently Recorded accurately and reliably Used effectively and ethically Shared appropriately and lawfully The IG Strategy will take account of the Trust s Vision and Compact Values when managing personal data. The implementation of this strategy will:- Help staff to manage personal information for the benefit of our clients and patients care. Ensure that all practices and procedures relating to the handling and holding of personal and Trust corporate data is legal and conforms to best and/or recommended practice. This means the Trust will ensure that its principles of corporate governance and public accountability do not override any security arrangements or any duty of confidentiality owed in safeguarding personal information about service users, families, carers and staff or commercially sensitive information from our clients. Where appropriate a balance will be addressed between openness and confidentiality in the management and use of information. Where information needs to be shared with our partner organisations (particularly health organisations) then this will be done in a controlled manner that is consistent with the interests of the service users or clients unless the public interest test affects our decision making processes and disclosure requirements. Ensure procedures are reviewed to monitor their effectiveness so that improvements or deterioration in information handling standards are recognised and addressed immediately. Ensure that when service developments or modifications are undertaken, a review is undertaken of all aspects of information governance arrangements to ensure to they are robust, do not infringe on privacy rights and support effective patient care. 7. Roles and Responsibilities Role Trust Board Chief Executive Officer (CEO) Senior Information Risk Officer (SIRO) Caldicott Guardian (Medical Director) Responsibility The Trust Board will define the requirements of the Information Governance Strategy, taking into account the legal principles and NHS framework standards. The Board will ensure sufficient resources are provided to support the requirements of this strategy. The Chief Executive has overall accountability and responsibility for Trust s information governance agenda and will provide assurance through the Statement of Internal Control that all risks, including those relating to information risks are effectively managed and mitigated, where appropriate. The CEO will ensure all statutory obligations and any Department of Health Directives are complied with. The Director of Finance and Informatics, who is an appointed Executive Director on the Board, is the Trust s appointed Senior Information Risk Owner (SIRO) responsible for all aspects of IG and Information Security. The Medical Director who is the Trust s appointed Caldicott Guardian will act in a strategic, advisory and facilitative capacity to provide assurance on all clinical, confidentiality and data sharing matters. The Caldicott Guardian will approve, monitor and review processes where access to clinical information is required by other Trust departments and third party organisations, both NHS and non-nhs. The Caldicott function will be managed through an action plan/ gap analysis for the IG toolkit. Information Governance Strategy v3 7

8 Information Governance Officer IT Directory and Security Manager Health Records Manager Information Asset Owners (IAOs) Information Asset Administrators (IAAs) The Information Governance Officer will provide operational management of the Trust s Information Governance framework. The IG Officer will:- Provide strategic direction, planning and guidance to ensure compliance with information governance legislation and the national agenda. Ensure work practices are evaluated and supported through the development of appropriate policy and procedures across the organisation. Develop an appropriate IG induction and mandatory programme for all staff. Monitor all actual and near miss security incidents within the organisation. Complete the Department of Health s annual IGTK self-assessment and submission in a timely manner. Assist the Security Manager with all IG/IT related matters as and when necessary. The Trust s IT Directory and Security Manager will:- Provide IT technical advice on all matters relating to IT security for compliance with the Information Governance Framework. Assist with all reported IG and IT security incidents as and when necessary. The Trust s Health Records Manager will take full responsibility for the management of all health records at the Trust. The Trust s appointed Information Asset Owners (IAOs) will support the Information Governance Officer to ensure all information assets are assigned appropriate ownership. The IAOs are accountable to the SIRO and will report any information risks to the IG Officer/SIRO to ensure all information risks are managed effectively for those information assets which they are assigned ownership. Each IAO will be required:- To foster a culture that values the protection and use of information assets. Know who has access to their information assets (whether it be paper or electronic) and be able to demonstrate that access is routinely monitored and reviewed. Justify the nature and justification of their information flows to and from the Trust s information assets. Provide assurance to the SIRO that all risks are monitored through the application of annual risk assessments. The Trust s appointed Information Asset Administrators (IAAs) will assist the IAOs in their day to day duties and consult with the IAOs on incident management. This will generally be the nominated team managers, supervisors or system administrators who manage the information assets and system processes at a local level. All IAAs will need to ensure:- Systems and assets are configured with appropriate controls and are reviewed regularly for compliance with the Trusts security policy requirements. Ensuring appropriate authority is provided before user access is granted. Ensure user accounts to systems are deleted as and when necessary. Information Governance Strategy v3 8

9 Managers Communication Team All Staff Third Parties/Contractors All service managers will ensure:- They take responsibility for the implementation of appropriate IG standards into local processes for compliance purposes. Job descriptions contain appropriate confidentiality and information security clauses. Staff undertake mandatory IG training on an annual basis, including any ongoing training needs that may affect the Trusts practices. Day to day responsibility for their physical environment where information is stored and processed. The Communication Team will liaise with all stakeholders to ensure appropriate messages relating to information governance are communicated. All named staff must have adequate IG training in their dedicated area to enable them to carry out their roles and responsibilities. Appropriate contracts containing confidentiality and information security clauses will be issued and honoured by all contractors and third parties who have been given rights of access to our information assets. (For further information please refer to the Roles and Accountability Structure in Appendix 1). 8. Staff and Resources Other staff roles that will support the Trust s IG strategy include:- Risk Management Risk Manager Business Continuity Business Continuity Manager Registration Authority RA Officer (i.e. Smartcard provisions/access controls) Clinical Information Governance Clinical Manger Procurement Procurement Manager 9. Management Board Structure The Health Information Assurance Group (HIAG) is the delegated steering group appointed to oversee the implementation of this strategy. The group will:- Monitor the effectiveness of this strategy at its bi-monthly meetings to identify potential gaps and weaknesses in the Trust s IG accountability arrangements to ensure the organisation is aligned to best practice and national guidelines. Agree an annual IG improvement work plan for review and sign off. Identify resource implications for each IG work stream. Monitor all quarter and progress reports and action plans. Report on serious security incidents and issues to the HIAG and Trust Board. (All serious incidents will be published and reported via the HSCIC and the ICO). Ensure the accurate completion, review and sign off of the DoH Information Governance Toolkit. All reports are reported to other committees on an adhoc basis, as and when required. A summary of the Trusts Committees that support the IG agenda is stipulated in Appendix 2. Annual membership of the HIAG is stipulated in the Terms of Reference in Appendix Working Groups Two working groups will report into the HIAG focusing on the current IG and CQC arrangements in their respective areas:- Data Quality and Secondary Use Group Information Governance Strategy v3 9

10 Systems Management and Development Group The above groups convene on a bi-monthly basis and will present highlighted reports and action plans to the HIAG, as and when necessary. 11. The Information Governance Toolkit The Department of Health s IGTK requires all NHS organisations in England Wales to achieve a minimum level 2 compliance performance rating against all 45 IG standards. This mandatory online assessment is used as a key source of information by other organisations such as the Healthcare Commission and CQC for compliance auditing purposes. The Trust is very ambitious and will aim to achieve a level 3 compliance rating and a grading score of over 80%, wherever possible over the next three year period. A framework of assurance will be allocated to appropriate information asset holders so that the co-ordination of evidence is in place. The Trust will submit its online IG performance reports on three separate core submission dates:- 30th July - baseline assessment 31 October - self assessment or improvement plan 31 March final annual self-assessment report All IGTK scores will be verified by the annual Internal Audit review and reported in the End of Year IGTK Assurance Report and the Annual IG Report to the HIAG and the Trust Board, along with any action plans necessary to remedy any IG failures. Note: New versions of the IG Toolkit are released annually and set requirements may change to reflect current and new standards. This means that the Trust will have to provide additional evidence to support the changes in order to maintain the score achieved from the previous year. (Please refer to Appendix 4 for a summary of the IG Toolkit controls) 12. The Information Governance Programme Deliverables The Trust will establish a robust information governance programme of deliverables which conforms to the Department of Health s IG Toolkit standards and objectives The IG Policy Framework Table 1: The Information Governance Deliverables Existing policies will be developed and updated every two years and will be approved in principle by the Director of Finance and Information before ratification by the HIAG Group. All policies will be made available via the staff intranet and through staff communication s and newsletters. (Please refer to Appendix 5 for a summary of the Trust s policies Information Governance Strategy v3 10

11 and procedures that support the Trust s IG agenda). Employees will be expected to read the policies in conjunction with their employment contracts and the IG Staff Handbook (circulated via Induction Training). The policies outline the scope of the IG framework and set out the responsibilities of all the staff in the Trust. The Trust will ensure staff familiarise themselves with these policies through its Training and Communication Plan to ensure they understand what is expected of them The Annual Work Plan An annual improvement/action plan arising from the baseline assessment of the IGTK standards will be developed each year. The work plan will be updated quarterly follow any progress reports and IGTK submissions. (Please refer to Appendix 6) Contracts All employment contracts entered into by the Trust will ensure they contain appropriate IG confidentiality clauses that reference the organisation s legal obligations in terms of confidentiality, data protection and freedom of information. For casual staff the confidentiality agreement for third party suppliers/individuals will be signed. All third party contractors of goods and services or consultancy will have an appropriate contract detailing the information governance requirements. The contract will contain confidentiality clauses and an undertaking that any information exchanged or obtained during the performance of a contract is kept confidential and shall only be used for the sole execution of a contract. All parties involved will take necessary precaution to ensure that information is kept secure. This process will be managed by the Head of Procurement. Where a third party requests access or the sharing of patient identifiable information, an information risk assessment will be required before the request is granted Information Risk Management Programme To appropriately scope and prioritise the information risks of the Trust the IG Team will develop an annual information risk management programme to determine how its information is used and protected through:- A series of audits e.g. the corporate/clinical record audit, the RA Audit etc. The compilation of data mapping flows and information asset registers Service ad-hoc spot checks on data compliance and best practice Data quality checks Reviews of security incidents Risk assessments and privacy impact assessments This will protect the Trust, its staff and its patients from information risks where the likelihood of occurrence and the consequences are significant. It will ensure the Trust has a proactive approach to risk rather than a reactive attitude. The focus of the risk management programme will be to determine whether the Trust s implemented policies and procedures are effective in:- Regulating the processing and sharing of personal data Identifying and controlling risks to prevent potential security incidents and data breaches from occurring Testing the adequacy of the IG controls in place To recommend any changes in control, where necessary To act as vehicle in sharing knowledge with trained IG staff Information Governance Strategy v3 11

12 The IG Strategy will ensure all information assets are:- Identified by purpose and service area. Classified either as sensitive or as critical assets depending on the format and type of information held. Assigned ownership to an information asset owner (IAO) who will provide assurance on the security and use of that asset to the Trust s SIRO (this will determined by where it is located). Key Responsibility Ultimate authority over and responsible for overall direction Oversees the information and data governance programme and makes all strategic decisions Responsible for establishing and shaping enterprise information standards and policies Executes the information and data governance policy Supports on-going technical tasks Table 2: The Information Asset Framework Given a risk score i.e. identified as low, medium or high, are supported by the Trust s Board and where appropriate, are considered for inclusion onto the Trust s Risk Register. This will be determined by how the asset is managed and who the dependencies are in terms of other systems and beneficiaries (either internal or external). Risks that cannot be managed by the IAO will be expected to be escalated for e.g. where they are not managed locally. Proposals for risk mitigation measures will be considered by senior management who will consider whether the risks are real and the proposals affordable and justified. Where mitigating actions are necessary, priorities and timescales will need to be clarified and monitored. The Risk Level Matrix to be used will be: Likelihood score Likelihood Rare Unlikely Possible Likely Almost certain 5 Catastrophic Major Moderate Minor Negligible Table 3: The Trust s Risk Matrix The allocation of information asset ownership will assist the Trust with its Business Continuity Planning requirements. Information Governance Strategy v3 12

13 The Information Asset Management Task is a significant piece of work which will be undertaken in 2015/2016. All information asset owners will be required to update their Information Asset Register each time an information asset is created or amended 12.5 Projects - Procurement of Systems / Change Management Processes Any changes which are made to the way in which information is processed (collected, stored used or disposed of) in the Trust will need to be considered in the context of the IGTK requirements. The IG Strategy will ensure that there are reporting mechanisms in place to the HIAG where new computer systems or upgrades are proposed, computerised or manual, that hold personal identification data (i.e. PID), including PID relating to service users, carers or staff. The HIAG will consider:- Access controls, audit trails and the monitoring of user activity The arrangements for back up data, its resilience and the archiving, retention and deletion of data Confidentiality clauses in respect of third party contractual arrangements i.e. the development, installation and maintenance of the system The secure transfer of data; System security accreditation during the procurement process The systems forensic investigative readiness procedure. Privacy Impact Assessments (PIA) will be required to be undertaken by the relevant IAO in the area where new systems, projects or changes to system processes impact how personal data is used. This is in accordance with guidance available on the Information Commissioner s Office website at Integrated Working The IG Strategy will take into account the need for integrated working practices between third party organisations and departmental services. Data sharing agreements will be used where personal identifiable information (i.e. PID) is routinely shared between organisations and third parties and will be signed off by the Trust s Caldicott Guardian (i.e. the Medical Director) or an equivalent senior member of staff. All ISAs will state the legal principles and purpose of the agreement, the consent process, the approved method of transmission, any other standards associated with secondary use (e.g. re-use of information, retention and destruction requirements) and general housing keeping practices (e.g. the administration of information requests, complaints, the media and withdrawal of agreement terms etc.). ISAs will not be used for adhoc or one off large transfers of personal data for e.g. where clinical data has been shared as a one-off requirement Research Access to clinical information on a day to day basis for research purposes will be via the Caldicott approval process with appropriate sign off by the Trust s Caldicott Guardian (i.e. the Medical Director) and the support of the Trust s Research and Development Team, where necessary. Information Governance Strategy v3 13

14 12.8 Information Requests The IG Strategy will ensure there are designated roles to process all information requests under the Freedom of Information Act 2000, the Data Protection Act 1998 (including the Access to Health Records Act 1998) and the Environmental Information Regulations 2004 and those submitted by third parties e.g. the Police. Responses will be co-ordinated within statutory timescales ensuring that necessary exemptions are applied, where appropriate Management of Records Trust-wide audits on samples of corporate and clinical records will be undertaken to establish if good record keeping and data quality standards are being achieved as set out under the Records Management Code of Practice under s46 of the Freedom of Information Act This will demonstrate if patient information is being recorded and handled in a manner that complies with the Trusts legislative and regulatory requirements. The audits will run for a series of months with a final report produced to show the status of feedback. This will then feedback into the Trusts departments to facilitate improvement and improved targeted training The Management and Reporting of Security Incidents The Trust is very conscious of the repercussions of not managing personal data:- A 1,000 fine for not reporting serious security offences to the Information Commissioner s Office (ICO) within 24 hours of an event occurring. A monetary fine of up to 500,000 by the ICO per data security offence with respect to any potential data breaches regarding the loss, theft, inappropriate disclosure or modification of personal data. A monetary fine of up to 500,000 by the ICO for misuse of personal data regarding the use of , fax and telephone. A compulsory inspection and enforcement notice by the ICO. The IG Strategy will ensure that there are adequate security arrangements in place for:- Reporting IG events or incidents across the Trust and managing risks where appropriate via the Trust s Datix Incident Reporting System (as per protocol under the Incident/Near-Miss Reporting and Investigation Policy and The Reporting of Serious Incidents Policy. Analysing, investigating and upward reporting of events/ incidents and recommendations to senior management. Dealing with Information Commissioner s security reporting requirements. Ensuring all IG work plans are updated with recommendations and lessons learned. Communicating IG developments and standards to staff All incidents categorised at level 1 and above will be reported in the Trust s IG Bi-Monthly Progress and Annual Reports whilst level 2 and above incidents will be escalated and reported to the ICO via the Trust s annual IG Toolkit submission as outlined by the HSCIC Information Governance SUI Checklist published in June Where personal identifiable data is involved, the severity of the incident will be graded by the Information Governance Officer, and in cases of severity, will require the approval of the Trust s SIRO and Caldicott Guardian prior to any disclosure to any legal body. Information Governance Strategy v3 14

15 Staff Training Staff training is fundamental to the success of any information governance strategy. The Trust will develop an effective induction and mandatory IG training programme that extends beyond basic principles in confidentiality and security so as to improve staff awareness and best practices. Staff will be informed of the Trust s legal obligations in terms of data processing and their own responsibilities and rights in terms of privacy, choice and client/patient confidentiality. To ensure the Trust achieves the 95% compliance rate as stipulated by the IGTK standards all training sessions will be recorded on the Electronic Staff Record (ESR) and a system employed to ensure that non-attendance is followed up by O&D. Training Staff Type of Training Frequency Corporate Induction IG New starters Face to face Monthly Training training Core Mandatory Annual IG Training Existing employees Face to face training or via the new E-learning IG Fortnightly Risk Management training Specialist training SIRO, IAOs and IAAs training tool Courses stipulated in the HSCIC IG e- learning training tool Specialist Teams Face to face presentations/talks to key staff involved in IG matters Every 3 years As and when necessary All new starters will attend a face to face session as part of the induction process. The IG module will cover:- The Importance of Information Governance The Data Protection, Confidentiality and the Caldicott Principles Information Risk Reporting Records Management Data Quality Information Security All starters that have a desktop device will be sent a copy of the Trusts IG Code of Conduct Book and the IG Staff handbook for information purposes. IG refresher training will form part of the annual mandatory training programme for all current staff E-Learning Training From March 2015 the Trust will offer staff the option to complete their annual mandatory IG Training via the Trust s new e-learning portal. This will cater for different learning styles and individual needs and will enable staff to complete the module through their own computer device at a time that is more convenient to them. This will provide greater flexibility for staff to complete their training on time. The e-learning portal is accessed via the staff intranet at: and will require user logins and passwords. All promotion and training arrangements will be organised through the O&D. Information Governance Strategy v3 15

16 12. Communication Specialist Training In addition to the Mandatory Information Governance training programme all staff in specialist roles will be expected to undertake further training as stipulated in Appendix 7 within 3 months of taking up their post. The Trust will use the national e-learning Information Governance Training Tool (IGTT) to deliver the specialist training programme. The tool is accessed via Each module will be expected to be refreshed every three years. The IG Officer will frequently check that the training has been undertaken. It is noted that the Health and Social Care Information Centre (HSCIC) is the copyright owner responsible for the content and design of the Information Governance Training Tool (IGTT). It is not a product of the Trust and therefore any concerns or queries with any modules will need to be raised with the Information Governance Team initially who will inform the HSCIC. The methodology and effectiveness of this training programme will be monitored closely from evaluations collated and analysed by the Organisational Development Team Bespoke or Departmental Training Subject to discussions with the Information Governance Team additional bespoke training sessions will be available to departments that require specialised IG training. This will enable:- A greater understanding of the application of the Trust s IG policies and procedures Provision of specific departmental advice and guidance Facilitation of a more informal Q&A Session Training will be delivered in response to demand and serious information security incidents The Training Needs Analysis (TNA) Matrix All mandatory training needs are outlined in the Trusts Training Needs Analysis (TNA) which will form part of the Information Governance Training and Communication Plan. All training reports will form the basis of evidence for compliance with the IGTK and external auditors. The Trust has developed a communication plan to roll out the deliverables of this IG Strategy. The key communication tools will be:- External Tools Publication Scheme Gateshead Trust website Internal Tools IG articles in staff newsletters/bulletins IG annual training programme Information Governance Strategy v3 16

17 Patient leaflets Fair processing notice (privacy notice) Patient surveys Policy framework Staff surveys Staff screensavers Staff IG alerts This list is not exhaustive but represents a sample of communication materials. The Trust will engage patients and staff in the development of its information practices This will be through the completion of anonymised patient/staff surveys where users can provide feedback on how well they think the Trust manages their data to help improve our services. 13. Staff Disciplinary Any breaches of confidentiality for e.g. disclosing data to unauthorised parties, the theft, loss or tampering of information, viewing records without authority, transferring personal information electronically without appropriate encryption or secure procedures, sharing passwords, logins and smart cards etc. will invoke staff disciplinary procedures and may result in dismissal or criminal charges. Staff will be advised of their legal responsibilities through the Trusts training programme. All security breaches will be considered serious and will be reported immediately to the Information Governance Lead and the Caldicott Guardian. 14. Equality and Diversity The Trust is committed to ensuring that, as far as is reasonably practicable, the way we deliver services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on the grounds of any protected characteristic (Equality Act 2010). An equality assessment was undertaken and no equality and diversity issues were identified. 15. Monitoring and Compliance with Procedures The monitoring and compliance of this policy will be the responsibility of the Information Governance Officer. Standard/Process/Issue Compliance with the strategy Completion of IG training Completion of the IGTK Annual reports and final IGTK scores Compliance with information requests Number of IG/IT Incidents Monitoring and Audit Method By Group Frequency Is the strategy IG Officer HIAG 2 yearly published No. of staff O&D and HIAG Quarterly attending training IG sessions Officer IG Officer HIAG Quarterly No. of requests not responded to within statutory timescales Numbers, location, severity, type of incidents IG Officer / Health Records Mgr. IG Officer/ Security Mgr. HIAG HIAG Quarterly Quarterly/ Ongoing Information Governance Strategy v3 17

18 16. Consultation and Review This strategy will comply with all relevant UK and European Union legislation. The HIAG will formally review this strategy every two years, although the content may be reviewed at any time if any significant changes to mandatory requirements, national guidance or the result of any significant IG breaches or incidents results in any changes to current processes or policies. 17. References 17.1 Useful Guides/Reviews Privacy Impact Assessment Handbook Version 2.0 (Information Commissioner) The Caldicott 2 Review Department of Health September 2013 Data Handling Procedures in Government: Final Report June Monitoring Bodies Information Commissioners Office Ministry of Justice - General Medical Council - Department of Health Associated Documents Information Risk Policy (IG03) Freedom of Information Policy (IG04) Confidentiality and Data Protection Policy (IG06) Records Management Policy (IG05) Caldicott & Safe Haven Procedure (IG07) Pseudonymisation Policy (IG08) Clinical Photography and Audio Visual Recording of Patients Confidentiality & Consent Policy (IG09) IT and Information Security Policy (OP6B) The Reporting of Serious IG Incidents Policy (IG11) Data Quality Strategy Multi-Agency Protection Panel Policy (MAPPA) Anti-Virus Policy (OP58) Internet, Intranet and Acceptable Use Policy (OP17) Information Governance Policy for New and Changed Systems, Processes and Services (IG10) General IG Checklist (IG10a) IT Systems Information Governance Checklist (IG10b) Privacy Impact Assessment Procedure (IG10c) Third Party Due Diligence Assessment (IG10d) Remote Access Risk Assessment (IG10e) Information Governance Contracts Guidance (IG10f) Information Governance Strategy v3 18

19 Appendix 1: Roles and Accountability Structure Error! Not a valid link. Information Governance Strategy v3 19

20 Appendix 2: Committee/Group Structure Information Governance Strategy v3 20

21 Appendix 3: Terms of Reference for the HIAG Health Informatics Assurance Group (HIAG) Terms of Reference (TOR) 1 June 2015 (for Review 1 June 2017) Name of Steering Group: Health Informatics Assurance Group (HIAG) Purpose of the HIAG: The Health Informatics Assurance Group (HIAG) has been established to ensure that the Trust has a consistent and robust approach for the co-ordination of its informatics agenda and its IG work streams requirements. In adherence to the conditions of the Data Protection Act 1998 and the revised Caldicott principles, the Trust recognises that access to patient information is an essential part in providing excellent patient care. Where conflicting priorities arise between the need to share information and the need to protect patient confidentiality an appropriate balance will be struck between openness and the Trust s legal obligations of accountability and safeguarding data. The Health Informatics Assurance Group will be the accountable body for such decisions. The HIAG will report to the Audit Committee who will then report into the Trust Board. The Steering Group is responsible for ensuring that there are effective policies and management arrangements covering all aspects of Information Governance in line with the Trust s Information Governance Strategy and Procedures to ensure the Trust complies with:- - Openness - Legal Compliance - Information Security - Information Quality Assurance Objectives and Key Tasks To provide the responsible Director with expert advice on Data Protection and Confidentiality, Records Management (Corporate and Clinical), IT Security and Data Quality. Ensure there is top level awareness and support for IG resourcing and the implementation of improvements. To support the Trust s Caldicott Guardian in his advisory and facilitative capacity to provide assurance on all clinical, confidentiality and data sharing matters involving third parties. To liaise with the other Trust Steering Groups, Committees and Boards in order to promote and integrate IG and CQC standards and to provide a focal point for the discussion of information governance issues. To provide direction and support to the development of Trust-wide Information Governance standards, policies, and staff training programmes in order to promote effective information governance. To receive reports from the following dedicated working groups, in order to co-ordinate the activities of staff allocated IG responsibilities and progress initiatives:- o Data Quality and Secondary Use Strategy Group o Systems Management & Development Group To ensure annual assessments, audits and improvement plans are documented and undertaken by the dedicated teams for sign off by the Trust Board or an appropriate senior member of staff. To provide support to the SIRO in managing the strategic risks associated with the Trusts Information Asset Registers and ensure actions plans are monitored where gaps have been identified. All actions Information Governance Strategy v3 21

22 will be agreed to mitigate the risk and where appropriate will be added to the Trust Risk Register. To ensure that the Informatics Risk Register is maintained and regularly reviewed with any high risk exceptions reported to the HIAG Members as and when necessary. To ensure all existing or proposed databases and data flows regarding corporate and patient identifiable information comply with the Data Protection Act and the Caldicott Principles. The group will always in the first instance, promote the use of pseudonymised data flows wherever possible to restrict access to the Trust s Data. To receive, consider and assess reports on all security incidents, complaints and claims relating to breaches in data confidentiality and IT security and to recommend appropriate action, where possible. The Group will determine when incidents of a serious nature are to be reported to the ICO and the HSCIC via the IGTK. To monitor the Trusts performance in terms of openness and compliance with Subject Access Requests, Freedom of Information requests and Environmental Information Regulation Requests, including the Publication Scheme. To monitor the clinical recording and the associated risk of poor data quality across all corporate and clinical records to ensure the Trust is compliant with the Records Management Code of Practice under section 45 of the Freedom of Information Act To ensure the approach to information handling is communicated to all staff and made available to the public. To ensure appropriate IG training is made available and completed by all staff, including those in specialised roles, as and when necessary to support their duties whilst at the Trust. To oversee the development and review of protocols governing the sharing and disclosure of patient information across organisational boundaries. To review new processes of how personal identifiable data will be managed when new systems or system processes are reviewed and approved. The Group will promote the use of privacy impact assessments to ensure the principles of the Data Protection Act are not compromised by any change of service or access to a third party. To complete the submission of the IG Toolkit baseline assessment in July and October with final assessments published by 31 st March of each year. Membership of the HIAG Membership of the HIAG is stipulated in Appendix 3a. Meetings The HIAG will meet on a bi-monthly basis, with the Director of Finance and Information to chair the Group. Expected attendance is 80% of meetings by members or a nominee. The group will be deemed quorate when the SIRO, Clinical Safety Officer or Caldicott Guardian is available, with either the Deputy Director of Informatics or the Head of Information and Data Quality; in addition to 2 other members or their nominated representatives. The minimum attendance to be quorate will be 4. Administration The HIAG will have a standing agenda with specific topics added, as authorised by the Chair of the Group. The standing items will be:- o Information Governance issues to cover all reporting on the IG work plan o Information Requests - to cover all FOI, DP and EIR requests o Risk reporting o Incident reporting o ICT Information Governance Strategy v3 22

23 o Records Management o Data Quality o Systems Management The agenda and any paper attachments will be circulated at least 3 working days prior to the meeting. Papers tabled on the day will only be accepted for discussion only, unless agreed by the Chair. The minutes and agreed actions will be documented and circulated to all attendees within 5 working days. Attendees will be given 5 working days to query details and submit any comments, after which the minutes will be considered completed until ratified at the next meeting. Reporting Structure All HIAG reports will feed into the Audit Committee. Version Date Review Date Summary of Changes Author V1 None applicable Lauren Hamill IG Officer V2 03/03/ /03/2017 Changes in the group structures. Marie Galloway IG Officer V3 01/06/ /06/2017 Minor changes Marie Galloway IG Officer Information Governance Strategy v3 23