Information Governance Strategy


Policy No: IG01
Version: 3.0
Name of Policy: Information Governance Strategy
Effective From: 02/06/2015
Date Ratified: 06/05/2015
Ratified: Health Informatics Assurance Group (HIAG)
Review Date: 01/05/2017
Sponsor: Director of Finance and Information
Expiry Date: 05/05/2018
Withdrawn Date:

Unless this copy has been taken directly from the Trust intranet site (Pandora) there is no assurance that this is the most up to date version.

This policy supersedes all previous issues.

Information Governance Strategy v3

Version Control

Version Release Author / Reviewer Ratified by / Authorised by
2.0 Jan 2012 K. Craddock Health Informatics Assurance Group (HIAG)
2.1 Jan 2013 L. Hamill Health Informatics Assurance Group (HIAG)
Date Jan 2012 Jan 2013
Changes (Please identify page no.) Document reformatted to comply with Trust standards
/06/2015 M. Galloway Health Informatics Assurance Group (HIAG) 06/05/2015 Document reformatted to comply with Trusts IGTK standards

Contents

1. Introduction
Purpose
Scope
NHS Framework
Objectives of the Strategy
Principles of the Strategy
Roles and Responsibilities
Staff and Resources
Management Board Structure
Working Groups
The Information Governance Toolkit
The Information Governance Programme Deliverables
The IG Policy Framework
The Annual Work Plan
Contracts
Information Risk Management Programme
Projects - Procurement of Systems / Change Management Processes
Integrated Working
Research
Information Requests
Management of Records
The Management and Reporting of Security Incidents
Staff Training
E-Learning Training
Specialist Training
Bespoke or Departmental Training
The Training Needs Analysis (TNA) Matrix
Communication
Staff Disciplinary
Equality and Diversity
Monitoring and Compliance with Procedures
Consultation and Review
References
Useful Guides/Reviews
Monitoring Bodies
Associated Documents

APPENDICES
Appendix 1: Roles and Accountability Structure
Appendix 2: Committee/Group Structure
Appendix 3: Terms of Reference for the HIAG
Appendix 3a: Membership of the HIAG
Appendix 4: Information Governance Toolkit Summary
Appendix 5: The Policy and Procedure IG Framework
Appendix 6: The Information Governance Work Plan
Appendix 7: The Trust's IG Specialist Training Programme

Information Governance Strategy

1. Introduction

Information is a vital asset for any organisation. Our information assets at Gateshead Health NHS Trust support both the day to day clinical operations and the effective management of our services and resources. As a provider of health, the Trust is responsible for ensuring that any information collated is handled and protected securely, whilst always being available at any one time when needed to ensure the safety and effective care of our patients.

Information Governance provides a secure mechanism for the handling of all types of information in relation to patients, employees and clients who do business with the Trust. It is therefore critical that the information we hold across the Trust's business activities is accurate, free from unauthorised disclosures and is available in a timely manner to aid effective decision making when needed. Effective information plays a key part in corporate and clinical governance, strategic risk, service planning and performance management.

2. Purpose

This strategy sets out the Trust's information governance assurance framework for the handling of information. It brings together a set of statutory, mandatory and best practice standards as road mapped in the information governance toolkit. It provides a robust information governance framework of clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources which are required to ensure any information sourced by the Trust is held appropriately, securely and legally.

By adhering to these requirements, standards and best practice for the processing of personal data it will help the Trust to:-
- Provide excellent care to our patients
- Comply with the law
- Implement the DoH guidelines and standards
- Plan year on year improvements in the information governance agenda
- Fulfill the IG Toolkit requirements
- Provide assurance against international standards such as the ISO Records Management Standard and the ISO 27001/27002 Information Security Standard

3. Scope

This strategy applies to:-
- Any individual employed, in any capacity, by the Trust including employees, students, volunteers and third party contractors
- All paper and electronic information
- All information systems and information assets managed by or used by the organisation.

For the purpose of this strategy the term information asset will refer to any useful or valuable store of information in any format, which is processed, held or potentially requires a facility of transfer.

4. NHS Framework

The NHS Operating Framework sets the Trust's approach to Information Governance. The main legal framework governing the use of personal data includes:-
- The Data Protection Act 1998
- The Freedom of Information Act 2000

- The Environmental Information Regulations 2004
- The NHS Act 2006
- The Health and Social Care Act 2012
- The Human Rights Act
- Re-Use of Public Sector Information Regulations 2005
- The Misuse of Computers Act 1990
- Copyright, Designs and Patents Act 1988 (as amended by the Copyright Regulations 1992)
- Privacy Electronic Communications Act 2003
- Protection of Freedoms Act 2012

Codes of Practice
- The NHS Confidentiality Code of Practice
- The Caldicott Principles
- NHS Records Management Code of Practice
- Lord Chancellor's Code of Practice on Records Management under 46 of the Freedom of Information Act 2000
- Information Security Management: NHS Code of Practice

The framework pursued by this strategy will implement the six themes of the IG Toolkit.
- Information Governance (management, accountability, training)
- Confidentiality and data protection (use of personal data)
- Information security
- Clinical information assurance
- Secondary use assurance of information (data quality, non-direct use of clinical information)
- Corporate information assurance (records management, freedom of information etc.)

5. Objectives of the Strategy

The Trust's key objective of this strategy is to achieve a standard of excellence in Information Governance. Through the implementation of this strategy, the Trust aims to:-
- Establish and maintain policies and procedures in Data Protection and Confidentiality, Freedom of Information, Information Security and Data Quality that define appropriate standards for the handling of personal and corporate data. This will lead to improvements in:-
  o Information handling activities
  o Record duplication and improved records management
  o Patient confidence in the Trust and the NHS
  o Better trained staff
- Undertake or commission annual assessments and audits of its policies and arrangements to improve current working practices. This will minimise corporate risks arising from poor handling activities such as:-
  o Increased information security incidents
  o Corporate/patient complaints
  o Patient harm caused by inadequate access to patient information
  o Corporate and clinical negligence claims
  o Audit investigations and monetary fines from the ICO and other public bodies
  o Negative press and publicity
  o Damage and stress to individuals involved in data breaches
- Complete the annual information governance toolkit to a level 3 compliance target, wherever possible, for the next three years.

- Develop an annual IG Improvement Plan and Action Plan arising from the baseline assessment completed against the IG standards set out in the HSCIC Information Governance Toolkit. This will be the vehicle used for improving information governance at the Trust.
- Instil a culture of information governance so that all staff understand their IG responsibilities and apply best practice and principles when managing data. This will involve the promotion of effective information governance communication and training to raise awareness of key security issues in the Trust.
- Develop an information risk management reporting structure to ensure all associated information risks in the environment are appropriately managed to support the overall risk management function of the Trust.
- Ensure there is a clear structure and framework for reporting security incidents and management action in response to all IG requirements. The Trust will foster a culture of change from documented lessons learnt in response to data breaches. This will be in accordance with the Trust's Risk Management Policy, Information Risk Policy, Incident Management Policy and The Reporting of Serious IG Incidents Policy.
- Provide innovative solutions and streamline business processes and systems for the handling of personal data. It is anticipated this will reduce the number of systems that hold personal data.
- Encourage multi-disciplinary teams to work closely together to reduce repetitive working practices by sharing information and standardising procedures and practices.
- Encourage a culture of openness and transparency by making non-confidential information readily and easily available through a variety of media, in line with the Trust's Publication Scheme. This will build positive relations with our internal and external clients by providing an efficient and reliable service in all IG matters.
  o Clear advice and guidance will be made available via the Trust's internet to explain how service users can exploit their legal rights for access to information and how they can raise concerns if they are dissatisfied with any processing requirements.
  o Information will be made available in various formats, subject to a range of exemptions and restrictions, in response to Subject Access Requests under the Data Protection Act 1998, FOI requests under the Freedom of Information Act 2000 and EIR requests under the Environmental Information Regulations.
  o The Trust will publish a fair processing notice via its website to explain how information is recorded, held and shared.
  o Patients will be made aware of the importance of providing accurate and up to date information about themselves to the Trust so that appropriate care can be given to them as and when necessary. This will allow the Trust's resources to be utilised adequately.
- Ensure all key service data is accurately recorded and maintained, with regular crosschecking against source data undertaken. Data standards/definitions used will be clear and consistent per data item in accordance with national standards.
- To regard all personal identifiable data (PID) relating to service users as confidential except where national policy on accountability and openness requires otherwise. Any appropriate sharing of information will take account of relevant legislation such as the Human Rights Act, the Health and Social Care Act, The Crime and Disorder Act, The Protection of Children Act, the revised Caldicott Principles etc. and the common Duty of Confidentiality and its associated guidance.

6. Principles of the Strategy

The Trust will adopt the Department of Health standards (called the HORUS Model), which requires information to be:-
- Held securely and confidentially

- Obtained fairly and efficiently
- Recorded accurately and reliably
- Used effectively and ethically
- Shared appropriately and lawfully

The IG Strategy will take account of the Trust's Vision and Compact Values when managing personal data. The implementation of this strategy will:-
- Help staff to manage personal information for the benefit of our clients and patients' care.
- Ensure that all practices and procedures relating to the handling and holding of personal and Trust corporate data is legal and conforms to best and/or recommended practice. This means the Trust will ensure that its principles of corporate governance and public accountability do not override any security arrangements or any duty of confidentiality owed in safeguarding personal information about service users, families, carers and staff or commercially sensitive information from our clients. Where appropriate a balance will be addressed between openness and confidentiality in the management and use of information. Where information needs to be shared with our partner organisations (particularly health organisations) then this will be done in a controlled manner that is consistent with the interests of the service users or clients unless the public interest test affects our decision making processes and disclosure requirements.
- Ensure procedures are reviewed to monitor their effectiveness so that improvements or deterioration in information handling standards are recognised and addressed immediately.
- Ensure that when service developments or modifications are undertaken, a review is undertaken of all aspects of information governance arrangements to ensure they are robust, do not infringe on privacy rights and support effective patient care.

7. Roles and Responsibilities

Role: Trust Board
Responsibility: The Trust Board will define the requirements of the Information Governance Strategy, taking into account the legal principles and NHS framework standards. The Board will ensure sufficient resources are provided to support the requirements of this strategy.

Role: Chief Executive Officer (CEO)
Responsibility: The Chief Executive has overall accountability and responsibility for the Trust's information governance agenda and will provide assurance through the Statement of Internal Control that all risks, including those relating to information risks, are effectively managed and mitigated, where appropriate. The CEO will ensure all statutory obligations and any Department of Health Directives are complied with.

Role: Senior Information Risk Officer (SIRO)
Responsibility: The Director of Finance and Informatics, who is an appointed Executive Director on the Board, is the Trust's appointed Senior Information Risk Owner (SIRO) responsible for all aspects of IG and Information Security.

Role: Caldicott Guardian (Medical Director)
Responsibility: The Medical Director, who is the Trust's appointed Caldicott Guardian, will act in a strategic, advisory and facilitative capacity to provide assurance on all clinical, confidentiality and data sharing matters. The Caldicott Guardian will approve, monitor and review processes where access to clinical information is required by other Trust departments and third party organisations, both NHS and non-NHS. The Caldicott function will be managed through an action plan/gap analysis for the IG toolkit.

Role: Information Governance Officer
Responsibility: The Information Governance Officer will provide operational management of the Trust's Information Governance framework. The IG Officer will:-
- Provide strategic direction, planning and guidance to ensure compliance with information governance legislation and the national agenda.
- Ensure work practices are evaluated and supported through the development of appropriate policy and procedures across the organisation.
- Develop an appropriate IG induction and mandatory programme for all staff.
- Monitor all actual and near miss security incidents within the organisation.
- Complete the Department of Health's annual IGTK self-assessment and submission in a timely manner.
- Assist the Security Manager with all IG/IT related matters as and when necessary.

Role: IT Directory and Security Manager
Responsibility: The Trust's IT Directory and Security Manager will:-
- Provide IT technical advice on all matters relating to IT security for compliance with the Information Governance Framework.
- Assist with all reported IG and IT security incidents as and when necessary.

Role: Health Records Manager
Responsibility: The Trust's Health Records Manager will take full responsibility for the management of all health records at the Trust.

Role: Information Asset Owners (IAOs)
Responsibility: The Trust's appointed Information Asset Owners (IAOs) will support the Information Governance Officer to ensure all information assets are assigned appropriate ownership. The IAOs are accountable to the SIRO and will report any information risks to the IG Officer/SIRO to ensure all information risks are managed effectively for those information assets which they are assigned ownership. Each IAO will be required:-
- To foster a culture that values the protection and use of information assets.
- Know who has access to their information assets (whether it be paper or electronic) and be able to demonstrate that access is routinely monitored and reviewed.
- Justify the nature and justification of their information flows to and from the Trust's information assets.
- Provide assurance to the SIRO that all risks are monitored through the application of annual risk assessments.

Role: Information Asset Administrators (IAAs)
Responsibility: The Trust's appointed Information Asset Administrators (IAAs) will assist the IAOs in their day to day duties and consult with the IAOs on incident management. This will generally be the nominated team managers, supervisors or system administrators who manage the information assets and system processes at a local level. All IAAs will need to ensure:-
- Systems and assets are configured with appropriate controls and are reviewed regularly for compliance with the Trust's security policy requirements.
- Ensuring appropriate authority is provided before user access is granted.
- Ensure user accounts to systems are deleted as and when necessary.

Role: Managers
Responsibility: All service managers will ensure:-
- They take responsibility for the implementation of appropriate IG standards into local processes for compliance purposes.
- Job descriptions contain appropriate confidentiality and information security clauses.
- Staff undertake mandatory IG training on an annual basis, including any ongoing training needs that may affect the Trust's practices.
- Day to day responsibility for their physical environment where information is stored and processed.

Role: Communication Team
Responsibility: The Communication Team will liaise with all stakeholders to ensure appropriate messages relating to information governance are communicated.

Role: All Staff
Responsibility: All named staff must have adequate IG training in their dedicated area to enable them to carry out their roles and responsibilities.

Role: Third Parties/Contractors
Responsibility: Appropriate contracts containing confidentiality and information security clauses will be issued and honoured by all contractors and third parties who have been given rights of access to our information assets.

(For further information please refer to the Roles and Accountability Structure in Appendix 1).

8. Staff and Resources

Other staff roles that will support the Trust's IG strategy include:-
- Risk Management: Risk Manager
- Business Continuity: Business Continuity Manager
- Registration Authority: RA Officer (i.e. Smartcard provisions/access controls)
- Clinical Information Governance: Clinical Manager
- Procurement: Procurement Manager

9. Management Board Structure

The Health Information Assurance Group (HIAG) is the delegated steering group appointed to oversee the implementation of this strategy. The group will:-
- Monitor the effectiveness of this strategy at its bi-monthly meetings to identify potential gaps and weaknesses in the Trust's IG accountability arrangements to ensure the organisation is aligned to best practice and national guidelines.
- Agree an annual IG improvement work plan for review and sign off.
- Identify resource implications for each IG work stream.
- Monitor all quarter and progress reports and action plans.
- Report on serious security incidents and issues to the HIAG and Trust Board. (All serious incidents will be published and reported via the HSCIC and the ICO).
- Ensure the accurate completion, review and sign off of the DoH Information Governance Toolkit.

All reports are reported to other committees on an ad hoc basis, as and when required. A summary of the Trust's Committees that support the IG agenda is stipulated in Appendix 2. Annual membership of the HIAG is stipulated in the Terms of Reference in Appendix

Working Groups

Two working groups will report into the HIAG focusing on the current IG and CQC arrangements in their respective areas:-
- Data Quality and Secondary Use Group

- Systems Management and Development Group

The above groups convene on a bi-monthly basis and will present highlighted reports and action plans to the HIAG, as and when necessary.

11. The Information Governance Toolkit

The Department of Health's IGTK requires all NHS organisations in England Wales to achieve a minimum level 2 compliance performance rating against all 45 IG standards. This mandatory online assessment is used as a key source of information by other organisations such as the Healthcare Commission and CQC for compliance auditing purposes.

The Trust is very ambitious and will aim to achieve a level 3 compliance rating and a grading score of over 80%, wherever possible over the next three year period. A framework of assurance will be allocated to appropriate information asset holders so that the co-ordination of evidence is in place.

The Trust will submit its online IG performance reports on three separate core submission dates:-
- 30th July - baseline assessment
- 31 October - self assessment or improvement plan
- 31 March - final annual self-assessment report

All IGTK scores will be verified by the annual Internal Audit review and reported in the End of Year IGTK Assurance Report and the Annual IG Report to the HIAG and the Trust Board, along with any action plans necessary to remedy any IG failures.

Note: New versions of the IG Toolkit are released annually and set requirements may change to reflect current and new standards. This means that the Trust will have to provide additional evidence to support the changes in order to maintain the score achieved from the previous year. (Please refer to Appendix 4 for a summary of the IG Toolkit controls)

12. The Information Governance Programme Deliverables

The Trust will establish a robust information governance programme of deliverables which conforms to the Department of Health's IG Toolkit standards and objectives.

The IG Policy Framework

Table 1: The Information Governance Deliverables

Existing policies will be developed and updated every two years and will be approved in principle by the Director of Finance and Information before ratification by the HIAG Group. All policies will be made available via the staff intranet and through staff communications and newsletters. (Please refer to Appendix 5 for a summary of the Trust's policies

and procedures that support the Trust's IG agenda). Employees will be expected to read the policies in conjunction with their employment contracts and the IG Staff Handbook (circulated via Induction Training). The policies outline the scope of the IG framework and set out the responsibilities of all the staff in the Trust. The Trust will ensure staff familiarise themselves with these policies through its Training and Communication Plan to ensure they understand what is expected of them.

The Annual Work Plan

An annual improvement/action plan arising from the baseline assessment of the IGTK standards will be developed each year. The work plan will be updated quarterly following any progress reports and IGTK submissions. (Please refer to Appendix 6)

Contracts

All employment contracts entered into by the Trust will ensure they contain appropriate IG confidentiality clauses that reference the organisation's legal obligations in terms of confidentiality, data protection and freedom of information. For casual staff the confidentiality agreement for third party suppliers/individuals will be signed.

All third party contractors of goods and services or consultancy will have an appropriate contract detailing the information governance requirements. The contract will contain confidentiality clauses and an undertaking that any information exchanged or obtained during the performance of a contract is kept confidential and shall only be used for the sole execution of a contract. All parties involved will take necessary precaution to ensure that information is kept secure. This process will be managed by the Head of Procurement.

Where a third party requests access or the sharing of patient identifiable information, an information risk assessment will be required before the request is granted.

Information Risk Management Programme

To appropriately scope and prioritise the information risks of the Trust the IG Team will develop an annual information risk management programme to determine how its information is used and protected through:-
- A series of audits e.g. the corporate/clinical record audit, the RA Audit etc.
- The compilation of data mapping flows and information asset registers
- Service ad-hoc spot checks on data compliance and best practice
- Data quality checks
- Reviews of security incidents
- Risk assessments and privacy impact assessments

This will protect the Trust, its staff and its patients from information risks where the likelihood of occurrence and the consequences are significant. It will ensure the Trust has a proactive approach to risk rather than a reactive attitude.

The focus of the risk management programme will be to determine whether the Trust's implemented policies and procedures are effective in:-
- Regulating the processing and sharing of personal data
- Identifying and controlling risks to prevent potential security incidents and data breaches from occurring
- Testing the adequacy of the IG controls in place
- To recommend any changes in control, where necessary
- To act as a vehicle in sharing knowledge with trained IG staff

The IG Strategy will ensure all information assets are:-
- Identified by purpose and service area.
- Classified either as sensitive or as critical assets depending on the format and type of information held.
- Assigned ownership to an information asset owner (IAO) who will provide assurance on the security and use of that asset to the Trust's SIRO (this will be determined by where it is located).
- Given a risk score i.e. identified as low, medium or high, are supported by the Trust's Board and where appropriate, are considered for inclusion onto the Trust's Risk Register. This will be determined by how the asset is managed and who the dependencies are in terms of other systems and beneficiaries (either internal or external).

Table 2: The Information Asset Framework
Key Responsibility:
- Ultimate authority over and responsible for overall direction
- Oversees the information and data governance programme and makes all strategic decisions
- Responsible for establishing and shaping enterprise information standards and policies
- Executes the information and data governance policy
- Supports on-going technical tasks

Risks that cannot be managed by the IAO will be expected to be escalated, e.g. where they are not managed locally. Proposals for risk mitigation measures will be considered by senior management who will consider whether the risks are real and the proposals affordable and justified. Where mitigating actions are necessary, priorities and timescales will need to be clarified and monitored.

The Risk Level Matrix to be used will be:

Table 3: The Trust's Risk Matrix
Likelihood score / Likelihood: Rare, Unlikely, Possible, Likely, Almost certain
5 Catastrophic, Major, Moderate, Minor, Negligible

The allocation of information asset ownership will assist the Trust with its Business Continuity Planning requirements.

The Information Asset Management Task is a significant piece of work which will be undertaken in 2015/2016. All information asset owners will be required to update their Information Asset Register each time an information asset is created or amended.

12.5 Projects - Procurement of Systems / Change Management Processes

Any changes which are made to the way in which information is processed (collected, stored, used or disposed of) in the Trust will need to be considered in the context of the IGTK requirements.

The IG Strategy will ensure that there are reporting mechanisms in place to the HIAG where new computer systems or upgrades are proposed, computerised or manual, that hold personal identification data (i.e. PID), including PID relating to service users, carers or staff. The HIAG will consider:-
- Access controls, audit trails and the monitoring of user activity
- The arrangements for back up data, its resilience and the archiving, retention and deletion of data
- Confidentiality clauses in respect of third party contractual arrangements i.e. the development, installation and maintenance of the system
- The secure transfer of data
- System security accreditation during the procurement process
- The system's forensic investigative readiness procedure.

Privacy Impact Assessments (PIA) will be required to be undertaken by the relevant IAO in the area where new systems, projects or changes to system processes impact how personal data is used. This is in accordance with guidance available on the Information Commissioner's Office website at

Integrated Working

The IG Strategy will take into account the need for integrated working practices between third party organisations and departmental services. Data sharing agreements will be used where personal identifiable information (i.e. PID) is routinely shared between organisations and third parties and will be signed off by the Trust's Caldicott Guardian (i.e. the Medical Director) or an equivalent senior member of staff.

All ISAs will state the legal principles and purpose of the agreement, the consent process, the approved method of transmission, any other standards associated with secondary use (e.g. re-use of information, retention and destruction requirements) and general housekeeping practices (e.g. the administration of information requests, complaints, the media and withdrawal of agreement terms etc.). ISAs will not be used for ad hoc or one-off large transfers of personal data, e.g. where clinical data has been shared as a one-off requirement.

Research

Access to clinical information on a day to day basis for research purposes will be via the Caldicott approval process with appropriate sign off by the Trust's Caldicott Guardian (i.e. the Medical Director) and the support of the Trust's Research and Development Team, where necessary.

14 12.8 Information Requests The IG Strategy will ensure there are designated roles to process all information requests under the Freedom of Information Act 2000, the Data Protection Act 1998 (including the Access to Health Records Act 1998) and the Environmental Information Regulations 2004 and those submitted by third parties e.g. the Police. Responses will be co-ordinated within statutory timescales ensuring that necessary exemptions are applied, where appropriate Management of Records Trust-wide audits on samples of corporate and clinical records will be undertaken to establish if good record keeping and data quality standards are being achieved as set out under the Records Management Code of Practice under s46 of the Freedom of Information Act This will demonstrate if patient information is being recorded and handled in a manner that complies with the Trusts legislative and regulatory requirements. The audits will run for a series of months with a final report produced to show the status of feedback. This will then feedback into the Trusts departments to facilitate improvement and improved targeted training The Management and Reporting of Security Incidents The Trust is very conscious of the repercussions of not managing personal data:- A 1,000 fine for not reporting serious security offences to the Information Commissioner s Office (ICO) within 24 hours of an event occurring. A monetary fine of up to 500,000 by the ICO per data security offence with respect to any potential data breaches regarding the loss, theft, inappropriate disclosure or modification of personal data. A monetary fine of up to 500,000 by the ICO for misuse of personal data regarding the use of , fax and telephone. A compulsory inspection and enforcement notice by the ICO. 
The IG Strategy will ensure that there are adequate security arrangements in place for:-
- Reporting IG events or incidents across the Trust and managing risks where appropriate via the Trust's Datix Incident Reporting System (as per protocol under the Incident/Near-Miss Reporting and Investigation Policy and The Reporting of Serious Incidents Policy).
- Analysing, investigating and upward reporting of events/incidents and recommendations to senior management.
- Dealing with the Information Commissioner's security reporting requirements.
- Ensuring all IG work plans are updated with recommendations and lessons learned.
- Communicating IG developments and standards to staff.

All incidents categorised at level 1 and above will be reported in the Trust's IG Bi-Monthly Progress and Annual Reports, whilst level 2 and above incidents will be escalated and reported to the ICO via the Trust's annual IG Toolkit submission as outlined by the HSCIC Information Governance SUI Checklist published in June. Where personal identifiable data is involved, the severity of the incident will be graded by the Information Governance Officer and, in cases of severity, will require the approval of the Trust's SIRO and Caldicott Guardian prior to any disclosure to any legal body.

Staff Training

Staff training is fundamental to the success of any information governance strategy. The Trust will develop an effective induction and mandatory IG training programme that extends beyond basic principles in confidentiality and security so as to improve staff awareness and best practices. Staff will be informed of the Trust's legal obligations in terms of data processing and their own responsibilities and rights in terms of privacy, choice and client/patient confidentiality.

To ensure the Trust achieves the 95% compliance rate as stipulated by the IGTK standards, all training sessions will be recorded on the Electronic Staff Record (ESR) and a system employed to ensure that non-attendance is followed up by O&D.

| Training | Staff | Type of Training | Frequency |
|---|---|---|---|
| Corporate Induction IG Training | New starters | Face to face training | Monthly |
| Core Mandatory Annual IG Training | Existing employees | Face to face training or via the new E-learning IG training tool | Fortnightly |
| Risk Management training | SIRO, IAOs and IAAs | Courses stipulated in the HSCIC IG e-learning training tool | Every 3 years |
| Specialist training | Specialist Teams | Face to face presentations/talks to key staff involved in IG matters | As and when necessary |

All new starters will attend a face to face session as part of the induction process. The IG module will cover:-
- The Importance of Information Governance
- The Data Protection, Confidentiality and the Caldicott Principles
- Information Risk Reporting
- Records Management
- Data Quality
- Information Security

All starters that have a desktop device will be sent a copy of the Trust's IG Code of Conduct Book and the IG Staff handbook for information purposes. IG refresher training will form part of the annual mandatory training programme for all current staff.

E-Learning Training

From March 2015 the Trust will offer staff the option to complete their annual mandatory IG Training via the Trust's new e-learning portal. This will cater for different learning styles and individual needs and will enable staff to complete the module on their own computer device at a time that is more convenient to them. This will provide greater flexibility for staff to complete their training on time. The e-learning portal is accessed via the staff intranet at: and will require user logins and passwords. All promotion and training arrangements will be organised through O&D.

Specialist Training

In addition to the Mandatory Information Governance training programme, all staff in specialist roles will be expected to undertake further training as stipulated in Appendix 7 within 3 months of taking up their post. The Trust will use the national e-learning Information Governance Training Tool (IGTT) to deliver the specialist training programme. The tool is accessed via Each module will be expected to be refreshed every three years. The IG Officer will frequently check that the training has been undertaken.

It is noted that the Health and Social Care Information Centre (HSCIC) is the copyright owner responsible for the content and design of the Information Governance Training Tool (IGTT). It is not a product of the Trust and therefore any concerns or queries with any modules will need to be raised initially with the Information Governance Team, who will inform the HSCIC. The methodology and effectiveness of this training programme will be monitored closely from evaluations collated and analysed by the Organisational Development Team.

Bespoke or Departmental Training

Subject to discussions with the Information Governance Team, additional bespoke training sessions will be available to departments that require specialised IG training. This will enable:-
- A greater understanding of the application of the Trust's IG policies and procedures
- Provision of specific departmental advice and guidance
- Facilitation of a more informal Q&A Session

Training will be delivered in response to demand and serious information security incidents.

The Training Needs Analysis (TNA) Matrix

All mandatory training needs are outlined in the Trust's Training Needs Analysis (TNA), which will form part of the Information Governance Training and Communication Plan. All training reports will form the basis of evidence for compliance with the IGTK and external auditors.

12. Communication

The Trust has developed a communication plan to roll out the deliverables of this IG Strategy.
The key communication tools will be:-

External Tools
- Publication Scheme
- Gateshead Trust website
- Patient leaflets
- Fair processing notice (privacy notice)
- Patient surveys

Internal Tools
- IG articles in staff newsletters/bulletins
- IG annual training programme
- Policy framework
- Staff surveys
- Staff screensavers
- Staff IG alerts

This list is not exhaustive but represents a sample of communication materials. The Trust will engage patients and staff in the development of its information practices. This will be through the completion of anonymised patient/staff surveys where users can provide feedback on how well they think the Trust manages their data to help improve our services.

13. Staff Disciplinary

Any breaches of confidentiality (e.g. disclosing data to unauthorised parties; the theft, loss or tampering of information; viewing records without authority; transferring personal information electronically without appropriate encryption or secure procedures; sharing passwords, logins and smart cards) will invoke staff disciplinary procedures and may result in dismissal or criminal charges. Staff will be advised of their legal responsibilities through the Trust's training programme. All security breaches will be considered serious and will be reported immediately to the Information Governance Lead and the Caldicott Guardian.

14. Equality and Diversity

The Trust is committed to ensuring that, as far as is reasonably practicable, the way we deliver services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on the grounds of any protected characteristic (Equality Act 2010). An equality assessment was undertaken and no equality and diversity issues were identified.

15. Monitoring and Compliance with Procedures

The monitoring and compliance of this policy will be the responsibility of the Information Governance Officer.
Monitoring and Audit

| Standard/Process/Issue | Method | By | Group | Frequency |
|---|---|---|---|---|
| Compliance with the strategy | Is the strategy published | IG Officer | HIAG | 2 yearly |
| Completion of IG training | No. of staff attending training sessions | O&D and IG Officer | HIAG | Quarterly |
| Completion of the IGTK | Annual reports and final IGTK scores | IG Officer | HIAG | Quarterly |
| Compliance with information requests | No. of requests not responded to within statutory timescales | IG Officer / Health Records Mgr. | HIAG | Quarterly |
| Number of IG/IT Incidents | Numbers, location, severity, type of incidents | IG Officer / Security Mgr. | HIAG | Quarterly / Ongoing |

16. Consultation and Review

This strategy will comply with all relevant UK and European Union legislation. The HIAG will formally review this strategy every two years, although the content may be reviewed at any time if significant changes to mandatory requirements or national guidance, or the outcome of any significant IG breaches or incidents, result in changes to current processes or policies.

17. References

17.1 Useful Guides/Reviews
- Privacy Impact Assessment Handbook Version 2.0 (Information Commissioner)
- The Caldicott 2 Review, Department of Health, September 2013
- Data Handling Procedures in Government: Final Report, June

Monitoring Bodies
- Information Commissioner's Office
- Ministry of Justice
- General Medical Council
- Department of Health

Associated Documents
- Information Risk Policy (IG03)
- Freedom of Information Policy (IG04)
- Confidentiality and Data Protection Policy (IG06)
- Records Management Policy (IG05)
- Caldicott & Safe Haven Procedure (IG07)
- Pseudonymisation Policy (IG08)
- Clinical Photography and Audio Visual Recording of Patients Confidentiality & Consent Policy (IG09)
- IT and Information Security Policy (OP6B)
- The Reporting of Serious IG Incidents Policy (IG11)
- Data Quality Strategy
- Multi-Agency Protection Panel Policy (MAPPA)
- Anti-Virus Policy (OP58)
- Internet, Intranet and Acceptable Use Policy (OP17)
- Information Governance Policy for New and Changed Systems, Processes and Services (IG10)
- General IG Checklist (IG10a)
- IT Systems Information Governance Checklist (IG10b)
- Privacy Impact Assessment Procedure (IG10c)
- Third Party Due Diligence Assessment (IG10d)
- Remote Access Risk Assessment (IG10e)
- Information Governance Contracts Guidance (IG10f)

Appendix 1: Roles and Accountability Structure

Appendix 2: Committee/Group Structure

Appendix 3: Terms of Reference for the HIAG

Health Informatics Assurance Group (HIAG) Terms of Reference (TOR)
1 June 2015 (for Review 1 June 2017)

Name of Steering Group: Health Informatics Assurance Group (HIAG)

Purpose of the HIAG:

The Health Informatics Assurance Group (HIAG) has been established to ensure that the Trust has a consistent and robust approach for the co-ordination of its informatics agenda and its IG work stream requirements.

In adherence to the conditions of the Data Protection Act 1998 and the revised Caldicott principles, the Trust recognises that access to patient information is an essential part of providing excellent patient care. Where conflicting priorities arise between the need to share information and the need to protect patient confidentiality, an appropriate balance will be struck between openness and the Trust's legal obligations of accountability and safeguarding data. The Health Informatics Assurance Group will be the accountable body for such decisions. The HIAG will report to the Audit Committee, who will then report into the Trust Board.

The Steering Group is responsible for ensuring that there are effective policies and management arrangements covering all aspects of Information Governance in line with the Trust's Information Governance Strategy and Procedures to ensure the Trust complies with:-
- Openness
- Legal Compliance
- Information Security
- Information Quality Assurance

Objectives and Key Tasks
- To provide the responsible Director with expert advice on Data Protection and Confidentiality, Records Management (Corporate and Clinical), IT Security and Data Quality. Ensure there is top level awareness and support for IG resourcing and the implementation of improvements.
- To support the Trust's Caldicott Guardian in his advisory and facilitative capacity to provide assurance on all clinical, confidentiality and data sharing matters involving third parties.
- To liaise with the other Trust Steering Groups, Committees and Boards in order to promote and integrate IG and CQC standards and to provide a focal point for the discussion of information governance issues.
- To provide direction and support to the development of Trust-wide Information Governance standards, policies, and staff training programmes in order to promote effective information governance.
- To receive reports from the following dedicated working groups, in order to co-ordinate the activities of staff allocated IG responsibilities and progress initiatives:-
  o Data Quality and Secondary Use Strategy Group
  o Systems Management & Development Group
- To ensure annual assessments, audits and improvement plans are documented and undertaken by the dedicated teams for sign off by the Trust Board or an appropriate senior member of staff.
- To provide support to the SIRO in managing the strategic risks associated with the Trust's Information Asset Registers and ensure action plans are monitored where gaps have been identified. All actions will be agreed to mitigate the risk and, where appropriate, will be added to the Trust Risk Register.
- To ensure that the Informatics Risk Register is maintained and regularly reviewed, with any high risk exceptions reported to the HIAG Members as and when necessary.
- To ensure all existing or proposed databases and data flows regarding corporate and patient identifiable information comply with the Data Protection Act and the Caldicott Principles. The group will always, in the first instance, promote the use of pseudonymised data flows wherever possible to restrict access to the Trust's data.
- To receive, consider and assess reports on all security incidents, complaints and claims relating to breaches in data confidentiality and IT security and to recommend appropriate action, where possible. The Group will determine when incidents of a serious nature are to be reported to the ICO and the HSCIC via the IGTK.
- To monitor the Trust's performance in terms of openness and compliance with Subject Access Requests, Freedom of Information requests and Environmental Information Regulation Requests, including the Publication Scheme.
- To monitor the clinical recording and the associated risk of poor data quality across all corporate and clinical records to ensure the Trust is compliant with the Records Management Code of Practice under section 45 of the Freedom of Information Act.
- To ensure the approach to information handling is communicated to all staff and made available to the public.
- To ensure appropriate IG training is made available and completed by all staff, including those in specialised roles, as and when necessary to support their duties whilst at the Trust.
- To oversee the development and review of protocols governing the sharing and disclosure of patient information across organisational boundaries.
- To review new processes of how personal identifiable data will be managed when new systems or system processes are reviewed and approved. The Group will promote the use of privacy impact assessments to ensure the principles of the Data Protection Act are not compromised by any change of service or access to a third party.
- To complete the submission of the IG Toolkit baseline assessment in July and October, with final assessments published by 31st March of each year.

Membership of the HIAG

Membership of the HIAG is stipulated in Appendix 3a.

Meetings

The HIAG will meet on a bi-monthly basis, with the Director of Finance and Information to chair the Group. Expected attendance is 80% of meetings by members or a nominee. The group will be deemed quorate when the SIRO, Clinical Safety Officer or Caldicott Guardian is available, with either the Deputy Director of Informatics or the Head of Information and Data Quality, in addition to 2 other members or their nominated representatives. The minimum attendance to be quorate will be 4.

Administration

The HIAG will have a standing agenda with specific topics added, as authorised by the Chair of the Group. The standing items will be:-
o Information Governance issues - to cover all reporting on the IG work plan
o Information Requests - to cover all FOI, DP and EIR requests
o Risk reporting
o Incident reporting
o ICT

o Records Management
o Data Quality
o Systems Management

The agenda and any paper attachments will be circulated at least 3 working days prior to the meeting. Papers tabled on the day will be accepted for discussion only, unless agreed by the Chair. The minutes and agreed actions will be documented and circulated to all attendees within 5 working days. Attendees will be given 5 working days to query details and submit any comments, after which the minutes will be considered completed until ratified at the next meeting.

Reporting Structure

All HIAG reports will feed into the Audit Committee.

| Version | Date | Review Date | Summary of Changes | Author |
|---|---|---|---|---|
| V1 | | | None applicable | Lauren Hamill, IG Officer |
| V2 | 03/03/ | /03/2017 | Changes in the group structures. | Marie Galloway, IG Officer |
| V3 | 01/06/ | /06/2017 | Minor changes | Marie Galloway, IG Officer |


More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY POLICY NO IM&T 011 DATE RATIFIED January 2012 NEXT REVIEW DATE January 2015 POLICY STATEMENT/KEY OBJECTIVE: To provide an overarching framework through which Information Governance

More information

Trust Informatics Policy. Information Governance. Information Governance Policy

Trust Informatics Policy. Information Governance. Information Governance Policy Trust Informatics Policy Information Governance Policy Reference: TIP/IG/IGP I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 1 Document Control Policy Title Author/Contact Document Reference

More information

Policy Checklist. Head of Information Governance

Policy Checklist. Head of Information Governance Policy Checklist Name of Policy: Information Governance Policy Purpose of Policy: To provide guidance to all staff on their responsibilities regarding information governance and to ensure that the Trust

More information

Auditing data protection a guide to ICO data protection audits

Auditing data protection a guide to ICO data protection audits Auditing data protection a guide to ICO data protection audits Contents Executive summary 3 1. Audit programme development 5 Audit planning and risk assessment 2. Audit approach 6 Gathering evidence Audit

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Information Governance Policy_v2.0_060913_LP Page 1 of 14 Information Reader Box Directorate Purpose Document Purpose Document Name Author Corporate Governance Guidance Policy

More information

Policy: D9 Data Quality Policy

Policy: D9 Data Quality Policy Policy: D9 Data Quality Policy Version: D9/02 Ratified by: Trust Management Team Date ratified: 16 th October 2013 Title of Author: Head of Knowledge Management Title of responsible Director Director of

More information

Document No: IG10f. Version: 1.0. Information Governance Contracts Guidance. Name of Procedure: Version Control

Document No: IG10f. Version: 1.0. Information Governance Contracts Guidance. Name of Procedure: Version Control Document No: IG10f Version: 1.0 Name of Procedure: Information Governance Contracts Guidance Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: Revised: Consultation: Ratified by: 1.0 Information Governance Committee Governance Committee Date ratified: 19 March 2008 Name of originator/author: David McGrath

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures ` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may

More information

Corporate Policy and Strategy Committee

Corporate Policy and Strategy Committee Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset

More information

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE. Title: Information Governance Policy Date Approved: Approved by: Date of review: Policy Ref: Issue: January 2015 Information Governance Group Division/Department: January 2016 Policy Category: ISP-04 5

More information

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY ENFIELD CLINICAL COMMISSIONING GROUP INFORMATION GOVERNANCE POLICY PLEASE DESTROY ALL PREVIOUS VERSIONS OF THIS DOCUMENT Enfield CCG Information Governance Policy Information Governance Policy (Policy

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK)

INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK) Ref No: IN-101 INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK) AREA: POLICY SPONSOR: Trust Wide Director of Finance IMPLEMENTED: October 2009 REVISED: June 2011

More information

JOB DESCRIPTION. Information Governance Manager

JOB DESCRIPTION. Information Governance Manager JOB DESCRIPTION POST TITLE: Information Governance Manager DIRECTORATE: ACCOUNTABLE TO: BAND: LOCATION: CSS Head of Information Governance 8a CSS Job Purpose The Information Governance Manager will ensure

More information

Information governance strategy 2014-16

Information governance strategy 2014-16 Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope

More information

Information Management Strategy. July 2012

Information Management Strategy. July 2012 Information Management Strategy July 2012 Contents Executive summary 6 Introduction 9 Corporate context 10 Objective one: An appropriate IM structure 11 Objective two: An effective policy framework 13

More information

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY Report to the Trust Board 22 September 2015 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations: Director

More information

INFORMATION GOVERNANCE

INFORMATION GOVERNANCE This document is uncontrolled once printed. Please refer to the Trusts Intranet site (Procedural Documents) for the most up to date version INFORMATION GOVERNANCE NGH-PO-233 Ratified By: Procedural Document

More information

Information Security Assurance Plan 2015/16

Information Security Assurance Plan 2015/16 Information Security Assurance Plan 2015/16 Policy number: N/A Version 2.0 Approved by Name of author/originator Owner (Exec Director) Date of approval August 2015 Date of last review July 2015 Next due

More information

Information Governance Strategic Management Framework 2015-2017

Information Governance Strategic Management Framework 2015-2017 Document Summary Information Governance Strategic Management Framework 2015-2017 This framework sets out the Cumbria Partnership NHS Foundation Trust (the organisation) Strategic Management Framework and

More information

INFORMATION GOVERNANCE HANDBOOK

INFORMATION GOVERNANCE HANDBOOK INFORMATION GOVERNANCE HANDBOOK SECTION ONE Author Tracey Burrows Role Information Governance Manager (CSCSU) Date / Version February 2015 Version FINAL V1.0 Approved by IM&T Board Date 27 February 2015

More information

Public Records (Scotland) Act 2011. Healthcare Improvement Scotland and Scottish Health Council Assessment Report

Public Records (Scotland) Act 2011. Healthcare Improvement Scotland and Scottish Health Council Assessment Report Public Records (Scotland) Act 2011 Healthcare Improvement Scotland and Scottish Health Council Assessment Report The Keeper of the Records of Scotland 30 October 2015 Contents 1. Public Records (Scotland)

More information

Information Governance Lead

Information Governance Lead Peninsula Community Health Information Governance Policy Title: Information Governance Policy Procedural Document Type: Policy Reference: CO-IG-P04 CQC Outcome: Version: 2.0 Approved by: Information Governance

More information

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective. Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

Information Governance Strategy 2015/16

Information Governance Strategy 2015/16 Information Governance Strategy 2015/16 Ratified Governing Body (November 2015) Status Final Issued November 2015 Approved By Executive Committee (August 2015) Consultation Equality Impact Assessment Internal

More information

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY Moorland is committed to ensuring that, as far as it is reasonably practicable, the way we provide services to the public and the way we treat

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Page 1 of 46 Policy Title: Executive Summary: Information Governance Policy This policy seeks to identify the actions required to ensure that information is appropriately

More information

Date: 30 th May 2013. Agenda Item: 5.5. Ian Mackenzie Director of Information and Estates REPORT AUTHOR:

Date: 30 th May 2013. Agenda Item: 5.5. Ian Mackenzie Director of Information and Estates REPORT AUTHOR: TRUST BOARD IN PUBLIC Date: 30 th May 2013 Agenda Item: 5.5 REPORT TITLE: Information Governance Annual Report EXECUTIVE SPONSOR: Ian Mackenzie Director of Information and Estates REPORT AUTHOR: Sarah

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Approved No impact NHS Quality, Safety

More information

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Risk Management and Risk Assessment Policy

Risk Management and Risk Assessment Policy SharePoint Location Non-clinical Policies and Guidelines SharePoint Index Directory 3.0 Corporate Sub Area 3.1 Risk and Health & Safety Documents Key words (for search purposes) Risk, Risk Management,

More information

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Appendix 1 INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Author Information Governance Review Group Information Governance Committee Review Date May 2014 Last Update February 2013 Document No. GV

More information

West Dunbartonshire Council. Follow-up data protection audit report

West Dunbartonshire Council. Follow-up data protection audit report West Dunbartonshire Council Follow-up data protection audit report Auditors: Lee Taylor (Audit Team Manager) Jonathan Kay (Engagement Lead Auditor) Data controller contacts: Michael Butler (Data Protection/Information

More information

Gloucestershire Hospitals

Gloucestershire Hospitals Gloucestershire Hospitals NHS Foundation Trust TRUST POLICY In the case of hard copies of this policy the content can only be assured to be accurate on the date of issue marked on the document. The Policy

More information

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1 Policies for: Information Governance Information Quality Information Management Information Security Approved by: None this version Date approved: Name of originator/author: Ade Oduntan, Mike Hellier,

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

Data Protection Breach Reporting Procedure

Data Protection Breach Reporting Procedure Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval

More information