INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY"

Transcription

1 Appendix 1 INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Author Information Governance Review Group Information Governance Committee Review Date May 2014 Last Update February 2013 Document No. GV / 02 Issue No. Version 3 UNCONTROLLED WHEN PRINTED Signed:

2 Revision History: Status Action Name Date Completed Version 1 Created Peter McKenzie August 2007 Version 2 Version 2.1 Version 2.2 Version 3 Endorsed by Information Governance Group Endorsed by Information Governance Group Endorsed by Information Governance Group Endorsed by Information Governance Group March 2009 May 2009 August 2011 February 2013 Version 3 Summary of Changes from Version 2.2 Addition of Section CEL NHS Scotland Information Assurance Strategy to reflect the requirements of the CEL and describe how NHS Tayside will meet those requirements. Alteration of Section 2.1 (and throughout) to reflect changes in the Standing Committee responsible for Information Governance from the Improvement and Quality Committee to the Finance and Resource Committee. Alteration of Section 3.2 Compliance and Accountability and Appendix 4 to reflect the current status of the IG Toolkit pending the development of a replacement. Addition to Appendix 1 of Finance and Resource Committee Information Governance responsibilities.

3 Section Page 1. Policy Definition Purpose Scope Regulatory and NHS Requirements CEL NHS Scotland Information Assurance Strategy 4 2. Policy Details Introduction Principles 5 3. Information Governance Arrangements Statement of Principles Management Arrangements 7 Roles and Responsibilities 7 Policy, Planning and Compliance 7 Data Protection, Confidentiality and Information Security 8 Health Information and Records Management 9 Corporate Information and Records Management 10 Groups 11 Caldicott Guardian 11 Director of Human Resources 11 Associate Medical Directors, General Managers and Heads of Department 11 Director of ehealth 12 Information Governance Manager 12 Estates and Facilities Directorate 13 Risk Management 13 Internal Auditor 13 Third Party Contractors 13 Compliance and Accountability Openness Statement of Principles Information Quality Statement of Principles Information Security Statement of Principles 15 NHS Tayside Information Governance Policy February

4 Section Page 7. Education Statement of Principles Appendix 1 NHS Tayside Finance and Resources Committee (F&RC) Appendix 2 Information Governance Infrastructure Appendix 3 - Regulatory and NHS Requirements Appendix 4 The Information Governance Toolkit Appendix 5 Information Security Introduction Objectives, Aims And Scope Roles And Responsibilities Security Principles Network Connections Physical And Logical Security Approved Software Information Sharing Equipment Physical Access Controls Logical Security 33 Glossary 36 Policy/Strategy Approval Checklist 37 Rapid Impact Checklist 39 NHS Tayside Information Governance Policy February

5 1. Policy Definition 1.1 Purpose The purpose of this document is to set out NHS Tayside's Policy framework in relation to Information Governance (IG). 1.2 Scope Information Governance has four fundamental aims: To support the provision of high quality care by promoting the effective and appropriate use of information. To encourage responsible staff to work closely together, preventing duplication of effort and enabling more efficient use of resources. To develop support arrangements and provide staff with appropriate tools and support to enable them to discharge their responsibilities to consistently high standards. To enable organisations to understand their own performance and manage improvement in a systematic and effective way. IG covers the following topics: IG Policy and Planning Data Protection Confidentiality Caldicott - Clinical Information FOISA Information Management Information Security Health Records Administrative Records Information Quality Assurance. 1.3 Regulatory and NHS Requirements NHS Tayside is obliged to abide by all relevant Scottish, UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and contractors of NHS Tayside, who will be held personally accountable for any breaches of information security for which they are held responsible: NHS Tayside regards all identifiable personal information relating to patients as sensitive and confidential and NHS Tayside will establish and maintain policies to ensure compliance with common law confidentiality. Personal information relating to staff is confidential, except where national policy on accountability and openness requires otherwise. NHS Tayside Information Governance Policy February

6 1.3 Regulatory and NHS Requirements (Cont d) NHS Tayside has established policies to maintain controlled and appropriate sharing of patient information with other agencies and will continue to monitor and establish new agreements when necessary. These agreements take into account relevant legislation and regulation as documented in Appendix CEL NHS Scotland Information Assurance Strategy The Information Assurance (IA) Strategy is not a replacement for an Information Governance (IG) strategy (or new branding for Information Governance). NHS Board Chief Executives, however, identified that there was a particular need to improve the availability, integrity and security of information. The IA Strategy emphasises the need for NHS Boards to focus on using the information they hold wisely and well, as well as responsibly and with care. NHS Boards will outline their contribution to achieving these outcomes in local Information Governance strategies and ehealth plans Information Governance Information Governance (IG) is a term used throughout the NHS to describe the entire framework of policies, procedures for decisionmaking, and guidance that relate to the capture, use, re-use, access, sharing and management of all data and information throughout its lifecycle. This framework takes into account the complex mesh of legislation (such as the Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002) as well as issues such as confidentiality, quality, and staff training Information Assurance 1.5 Comments Information Assurance (IA) is a closely associated but narrower term that describes the set of activities designed to ensure that the availability, integrity and security of data and information is maintained at the agreed level. Given the fast changing ICT environment it has become clear that relying on traditional audit methods (reactive rather than proactive) is no longer adequate. There is a close interdependency between information assurance objectives and all the other components of IG. Any comments on this document should, in the first instance, be addressed to the Information Governance Manager. NHS Tayside Information Governance Policy February

7 2. Policy Details 2.1 Introduction Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources throughout NHS Tayside. It plays a key part in clinical governance, service planning and performance management. It is, therefore, of paramount importance that information is efficiently managed, and that appropriate policies, procedures and management accountability provide a robust governance framework for information management. The Finance & Resources Committee (F&RC) oversees compliance with IG and IA standards and monitors the organisation's improvement plans to achieve compliance. The Committee and Groups remits can be found in Appendix 1. The management framework for carrying out IG and IA Improvement and Action Plans is in Appendix 2. A number of policies will be approved by F&RC but those with a clinical perspective will be approved by I&G. 2.2 Principles There has to be balance between openness and confidentiality in the management and use of information and NHS Tayside recognises the principles of corporate governance and public accountability. The importance of confidentiality, security, and data quality play a role in the safeguarding of information within NHS Tayside. These include patient and staff information as well as commercially sensitive information. NHS Tayside has agreements to share patient information with other healthcare organisations and other agencies in a controlled manner, which ensure the protection of patients' and public interests. It is essential that accurate, timely and relevant information is recorded. This is essential to deliver the highest quality health care. As such it is the responsibility of all staff to promote data quality and confidentiality. There are 4 key areas which this policy brings together: Openness Information Quality Information Security Legal Compliance The IA Strategy further specifies the 4 key areas to delivering successful information assurance: Leadership and Governance Information Risk Management Policy and Operations Monitoring and Compliance NHS Tayside Information Governance Policy February

8 3. Information Governance Arrangements The F&RC is responsible for overseeing IG and IA issues and supports links and reporting with existing groups with responsibilities in these areas. 3.1 Statement of Principles This policy cannot be seen in isolation, it links into all aspects of the organisation. The implementation of this policy will reduce the level of current risk associated with IG and IA issues. Progress on IG and IA issues will be reported to the F&RC as agreed. There is corporate, clinical and delivery representation on the F&RC to ensure that IG and IA is embedded within the organisational structure. The Director of Finance is the Executive Lead with responsibility for Information Governance and Information Assurance. Members of the F&RC include; 10 Non-Executive Members Chairperson NHS Tayside Regular attendees of the F&RC include; Chief Executive Director of Finance Director of Finance Operational Unit Director of Human Resources 2 Assistant Directors of Finance Representative Area Partnership Forum Representative Communications Department Representative from Area Clinical Forum Employee Director Chief Operational Officer Fundamental to the success of delivering IG and IA compliance is developing an IG and IA culture within NHS Tayside. Awareness and training to all NHS Tayside staff utilising information in their day to day work is essential to promote this culture. The methods currently used to facilitate this are detailed in section 7. Any associated resource implications incurred by the implementation of the IG and IA policy and action plan will be identified by the identified groups with IG and IA responsibilities. Business cases will need to be developed and submitted for approval by the relevant committees. NHS Tayside Information Governance Policy February

9 3.2 Management Arrangements Roles and Responsibilities Information Governance Infrastructure, Areas of Responsibilities, Committees and Groups are described in Appendix 2. Specific lead roles are as follows; Policy, Planning and Compliance Initiative/Work Area Executive Lead Responsible Officer(s) Co-ordinator IG and IA Policy and Planning Director of Finance ehealth Programme Manager ehealth Programme Manager IG Toolkit Director of Finance EHealth Programme Manager, Information Governance Manager EHealth Programme Manager, Information Governance Manager NHS Tayside Information Governance Policy February

10 Data Protection, Confidentiality and Information Security Codes of practice on confidentiality of personal health information state that the senior designated Doctor (Medical Director)/Public Health Director within NHS Tayside have clear responsibility for the confidentiality, security and access to personal health information held by NHS Tayside. Initiative/Work Area Executive Lead Responsible Officer(s) Co-ordinator Data Protection Director of Finance Associate Medical Directors, Director of Finance, General Managers, Heads of Department Information Governance Manager Confidentiality Clinical Medical Director/Director of Public Health Associate Medical Directors Information Governance Manager Confidentiality - Non-Clinical Director of Human Resources Human Resources Officers, General Managers, Heads of Department Information Governance Manager Caldicott Medical Director/Director of Public Health Information Governance Manager Information Governance Manager Information Technology Security Director of Finance Associate Medical Directors, General Managers, Heads of Department Information Governance Manager, Technical Services Manager NHS Tayside Information Governance Policy February

11 Health Information and Records Management The Chief Executive has overall responsibility for ensuring that records are managed responsibly within NHS Tayside. The Medical Director is responsible for maintaining all aspects of healthcare records management Heads of corporate and clinical directorates are responsible for ensuring that the policy is implemented within their individual directorates. They will nominate directorate representatives, who will liase with the NHS Tayside Board Secretary on the management of records within their respective directorates, departments and Community Health Partnerships. Records management responsibilities will be written into all accountable individual s job descriptions and clear procedures for retention of key records will be issued. It is the responsibility of all staff to ensure that they keep appropriate records of their work in NHS Tayside and manage those records in keeping with this policy and with any guidance subsequently produced by NHS Tayside. Initiative/Work Area Executive Lead Responsible Officer(s) Co-ordinator Health Records Electronic Medical Director ehealth Programme Manager, Access Service Manager, Medical Records Health Records - Paper-based Medical Director Associate Medical Directors, General Managers, Heads of Department, Health Records Managers ehealth Programme Manager, Access Service Manager, Medical Records ehealth Programme Manager, Access Service Manager, Medical Records Information Quality Assurance - Clinical Medical Director Associate Medical Directors, General Managers, Heads of Department. ehealth Programme Manager Information Management - Clinical Medical Director Associate Medical Directors, Heads of Department ehealth Programme Manager NHS Tayside Information Governance Policy February

12 Corporate Information and Records Management The Chief Executive has overall responsibility for ensuring that records are managed responsibly within NHS Tayside. The NHS Tayside Board Secretary is responsible for co-ordinating corporate records management within the organisation and identifying key corporate records and providing guidance and advice on their management and retention. Heads of corporate and clinical directorates are responsible for ensuring that the policy is implemented within their individual directorates. They will nominate directorate representatives, who will liase with the NHS Tayside Board Secretary on the management of records within their respective directorates, departments and Community Health Partnerships. Records management responsibilities will be written into all accountable individual s job descriptions and clear procedures for retention of key records will be issued. It is the responsibility of all staff to ensure that they keep appropriate records of their work in NHS Tayside and manage those records in keeping with this policy and with any guidance subsequently produced by NHS Tayside. Initiative/Work Area Executive Lead Responsible Officer(s) Co-ordinator Administrative Records Board Secretary Associate Medical Directors, General Managers, Heads of Department Information Governance Manager Information Quality Assurance - Non- Clinical Director of Finance Associate Medical Directors, General Managers, Heads of Department EHealth Programme Manager, Information Governance Manager Information Management Non- Clinical Director of Finance Associate Medical Directors, General Managers, Heads of Department EHealth Programme Manager, Information Governance Manager NHS Tayside Information Governance Policy February

13 Groups The Information Governance Committee remit can be found in Appendix 1 The ehealth Group have responsibility for ensuring that specifications for clinical systems conform to the purposes for which the systems are required as well as ensuring that inhouse developers or suppliers meet the specification. The Business IM&T Group have responsibility for ensuring that specifications for nonclinical systems conform to the purposes for which the systems are required as well as ensuring that in-house developers or suppliers meet the specification. Caldicott Guardian The Caldicott Guardian oversees all access to patient identifiable information. The role is a key component to establish the highest practical standards for handling patient information in NHS Tayside. There are six key principles, as follows:- justify the purpose. use patient identity only where absolutely necessary. use the minimum patient-identifiable information. access to patient-identifiable information should be on a strict need to know basis. everyone should be aware of his or her responsibilities. every use must be lawful. A full and detailed statement of Caldicott arrangements can be accessed via the NHS Tayside Staffnett. Director of Human Resources The Director of Human Resources shall ensure that all contracts of employment and all contracts of agency staff, include a non-disclosure clause. Information Governance responsibilities shall be identified and written into job specifications and terms of reference including sensitive positions. (Defined as those positions which involve ongoing legitimate access to information, tools and functions which could cause significant harm to patients, or significant loss, damage or harm to NHS Tayside s reputation if abused). Associate Medical Directors, General Managers and Heads of Department All managers are required to foster information security and confidentiality awareness in staff and work with others to implement adequate measures to support that. They must strive to adopt fully the values of this and related policies and legislation. Managers must make themselves aware of the business requirements for secure systems access in order to implement and maintain an effective level of control over access to information services, data and information. NHS Tayside Information Governance Policy February

14 Associate Medical Directors, General Managers and Heads of Department (Cont d) Prior to an employee leaving, or to a change of duties, managers must ensure that:- the employee is informed that they continue to be bound by their signed confidentiality agreement. passwords are removed or changed to deny access. relevant departments are informed and the name is removed from authority and access lists. department property is returned e.g. personal identification devices, cards, passes, manuals and documents. Director of ehealth Responsible for:- ensuring that all information systems in use within NHS Tayside are appropriately assessed for security and protected in accordance with NHS Tayside and national policy. appointing an Information Governance Manager to carry responsibility for implementing and monitoring the observance of NHS Tayside and national policy and carry out the day-to-day tasks of promoting and monitoring Information Governance and Information Assurance. ensuring that the appropriate NHS Standards are implemented effectively within NHS Tayside. reporting, at least annually, to the Improvement and Quality Committee on the state of Information Governance in NHS Tayside as part of Information Governance Standards and Information Assurance requirements. Information Governance Manager The Information Governance Manager shall, under the direction of the ehealth Programme Manager, be responsible for the development, maintenance and user compliance with the terms of NHS Tayside and national policy. In particular:- to implement and maintain a compliance programme for evaluating the effectiveness of the IG and IA programme. ensuring that employees within NHS Tayside are made aware of their IG and IA responsibilities. ensuring that appropriate security standards and procedures are in place to support the observance of NHS Tayside and national policy. monitoring observance of NHS Tayside and national policy and their standards and procedures. setting up a procedure for reporting Information Security incidents. investigating Information Security incidents and initiate appropriate action. NHS Tayside Information Governance Policy February

15 Information Governance Manager (Cont d) ensuring that there is a means of carrying out system risk assessment and management. ensuring that appropriate procedures are in place to support compliance with the Data Protection Act 1998 (DPA 98). monitoring observance and reporting on compliance with DPA 98 requirements. ensuring that appropriate procedures are in place to support compliance with the Freedom of Information (Scotland) Act 2002 (FOISA). monitoring observance and reporting on compliance with FOISA requirements. Estates and Facilities Directorate The Estates and Facilities Directorate has responsibility for ensuring that controls are in place to preserve the security of the equipment and environment in which computer systems operate within buildings for which they are responsible. This includes:- fire safety and water damage protection, lightning protection and disaster procedures. power supplies including uninterruptable power supplies where installed. physical access control. Risk Management Information Security risks will be properly identified, assessed, recorded and managed using NHS Tayside s Risk Management procedures. There will be a system security policy developed for all information systems, these policies will be devised by systems managers in conjunction with the Information Governance Team. Internal Auditor Working with relevant NHS Tayside staff, NHS Tayside s Internal Auditors will audit and comment of the existence and implementation of appropriate Information Governance policies and procedures and the extent to which they meet relevant guidelines and practices. Third Party Contractors The use of third party personnel shall be subject to contractual obligations and to NHS Tayside controls. Third parties will be required to produce evidence of their security controls so that NHS Tayside can assess compliance with the requirements of this policy. Third party contractors will not be allowed access to information classified as sensitive without the explicit and signed agreement of the information owner through the Caldicott approval procedure. Such access will be dependent on the implementation of appropriate controls. NHS Tayside Information Governance Policy February

16 Compliance and Accountability The monitoring of NHS Tayside's position in achieving compliance with the IG Standards and IA requirements will be undertaken by employing the IG Toolkit and reporting facilities available in it and those set out in the IA Strategy. Improvement, Action and Implementation Plans will be devised using the information held in the IG Toolkit and in the IA Strategy. Plans will be submitted to the F&RC for approval. Six monthly Progress Reports will be made to the F&RC with Exception Reports being produced where significant impacts occur. ** The following reference to the IG Toolkit are included pending the development of the IG Toolkit as set out in the IA Strategy. It is unclear how the information recorded in the IG Toolkit will now support the Clinical Governance and Risk Management part of the Health Efficiency, Access & Treatment (HEAT) targets. NHS Tayside's Implementation Plan and Quarterly Assessment will be submitted to the Information Governance Team, NSS to the specified timetable (financial year quarters). The Information Governance Team, NSS will then produce a report on NHS Tayside's compliance to the IG Standards. This report will be agreed with NHS Tayside before being sent onto QIS. QIS will then use this information to inform their review of NHS Tayside's compliance to the CGRM. This information will be fed into the SE as the CGRM form part of the HEAT targets, which in turn are a major contributor to the NHS Boards annual Accountability Review. 4. Openness NHS Tayside is obliged to comply with legal and NHS codes of openness, on the operating and performance of business. Access will be provided to enable NHS Tayside employees to make themselves aware of the guidelines and procedures that are in place to deal with requests by staff, patients and members of the public for information. 4.1 Statement of Principles Non-confidential information on NHS Tayside and its services should be available to the public through a variety of media, in line with legal requirements and NHS codes of openness. NHS Tayside also makes this information available through its compliance with the FOISA. Patients will have ready access to information relating to their own health care throughout their care and under DPA 98. Procedures and arrangements are in place for liaison with the press and broadcasting media. Procedures and arrangements are in place for handling requests and queries from patients and the public both under the DPA 98 and FOISA. NHS Tayside Information Governance Policy February

17 5. Information Quality Information Quality is an important part of the Information Governance agenda in terms of data quality/integrity. Quality is generally defined, as fit for purpose and all staff need to ensure that data is relevant and accurate. Good data quality means that data is recorded in full, as accurately as possible and in a timely manner. Timely data entry will help avoid discrepancies and inaccuracies. Where it is not possibility to record data in real time this data should be recorded as soon after the event as possible. 5.1 Statement of Principles NHS Tayside will establish and maintain policies and procedures for information quality assurance and the effective management of records. NHS Tayside will undertake or commission annual assessments and audits of its information quality and records management arrangements Managers are expected to take ownership of, and seek to improve, the quality of information within their services Wherever possible the person responsible for recording information should ensure the quality and accuracy of that information. Data standards will be set through clear and consistent definition of data items, in accordance with national standards. NHS Tayside will promote information quality and effective records management through policies, procedures/user manuals and training. NHS Policies which are managed by IG will be approved by I&Q if it relates to clinical matters and F&RC for all others. 6. Information Security Information security is the responsibility of all managers and staff who must ensure they follow approved guidelines and best practice. NHS Tayside s Information Security policies are set out in Appendix 5. NHS Tayside takes note of and will refer to BS ISO/IEC 17799:2005 and 27001:2005, the standard for Information Security that should be aspired to in line with SGHD plans. 6.1 Statement of Principles NHS Tayside will establish and maintain policies for the effective and secure management of its information assets and resources. NHS Tayside will undertake or commission annual assessments and audits of its information and IT security arrangements. NHS Tayside will promote effective confidentiality and security practice to its staff through policies, procedures and training. NHS Tayside will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. NHS Tayside Information Governance Policy February

18 7. Education NHS Tayside provides training and guidance on Information Governance issues. It is the responsibility of managers and staff to ensure that they have adequate knowledge and access to appropriate resources. 7.1 Statement of Principles NHS Tayside provides guidance on IG issues for all new staff undertaking NHS Tayside induction. This is accomplished via NHS Tayside employee induction processes. Important/new IG issues and information will be communicated. Information and documents relating to IG will be made available on NHS Tayside s Staffnet intranet and at presentations. To support the complexities of the organisation the use of computer and webbased training material and packages will be promoted. The recommendations of the Information Governance in NHSScotland: A Competency Framework will form the basis of NHS Tayside's approach to future IG training and education. NHS Tayside Information Governance Policy February

19 Appendix 1 8. NHS Tayside Finance and Resources Committee (F&RC) Specific IG Responsibilities of the F&RC To ensure that NHS Tayside has effective policies and management arrangements covering all aspects of Information Governance in accordance with the requirements of the Scottish Executive Health Department. The basis of the scope of these requirements is the NHS Quality and Improvement Scotland Clinical Governance and Risk Management Standards and the Information Governance Standards as laid out in the IG Toolkit and the requirements of CEL Information Assurance Strategy. The F&RC will ensure that there arrangements in place to: Ensure that NHS Tayside undertakes or commissions the necessary assessments and audits of its IG and IA policies and arrangements. Establish an annual IG and IA Improvement Plan, identify and seek to secure the necessary implementation resources, and monitor the implementation of that plan. Agree, implement and monitor a communications plan relating to IG and IA matters. Receive and consider reports into breaches of confidentiality and security and where appropriate undertake or recommend remedial action. Liaise with other NHS Tayside committees, working groups and programme boards in order to promote IG and IA issues. NHS Tayside Information Governance Committee The main remit of the Committee is as follows:- Strategic Deal with all matters relating to information governance within NHSTayside covering clinical and business processes ensuring that adequate policies and procedures are in place to ensure the secure use of clinical and business information. Support the provision of high quality care by promoting the effective and appropriate use of information. Encourage staff throughout the Organisation to understand the importance of ensuring that clinical and business information is dealt with in a secure fashion in their daily working environment. Ensure guidelines and protocols are in place to ensure patient confidentiality in line with Data Protection and Caldicott requirements. Ensure that requirements of the National Information Assurance Strategy are met. NHS Tayside Information Governance Policy February

20 Strategic (Cont d) Ensure guidelines and protocols are in place to ensure only authorised staff have access to the clinical and business information that they are entitled to. Ensure guidelines and protocols are in place for the storage, transport and use of clinical and business information across the organisation. Implement revised procedures for reporting of breaches of confidentiality and security and consider reports, recommending remedial action where appropriate. Liaise as appropriate with the undernoted groups Executive Team Medical Directors Area IM&T Business Freedom of Information Disclosure Tayside Data Sharing Partnership LMC/GP Sub-Committee Operational Develop support arrangements and appropriate tools to enable staff to discharge their duties in relation to information governance. Implement the NHS Tayside Information Governance Strategy through the Information Governance assurance improvement plan and report progress to the F&R Committee on a frequent basis and Scottish Government ehealth Department on a six monthly basis. Agree the clinical data which will be shared across the organisation. Manage procedures for reporting of breaches of confidentiality and security and consider reports, recommending remedial action where appropriate. Reporting above breaches to F&R Committee and nationally as appropriate. Ensure agreements are in place for sharing clinical & business information with other partner organisations such as Local Authorities and Universities. Produce an annual work plan covering the resource available. Agree audit rules for National Audit (Fair warning) system. Monitor the Implementation of the National Audit (Fair warning) system. NHS Tayside Information Governance Policy February

21 FREEDOM OF INFORMATION (SCOTLAND) ACT 2002 COMPLIANCE GROUP Remit Policy Monitor the formulation and dissemination of a non-clinical records management policy, strategy and supporting guidelines, taking into account the Information Governance Strategy and policies for Tayside. Advise on the policy in relation to the Freedom of Information (Scotland) Act 2002 (FOISA) and Environmental Information Scotland Regulations 2004 (EIRS) Promote the need to adhere to FOISA and EIRS throughout NHS Tayside by providing guidance and advice through the Board Secretary and Information Security Officer to staff Ensure that the NHS Tayside Publication scheme under FOISA is maintained Establish and maintain links with Information Commissioners Office and Scottish Executive to ensure knowledge of FOISA and EIRS is current Ensure that adequate training and support resources are available for the introduction and maintenance of FOISA and EIRS Consider matters of mutual interest between Primary Care Contractors, Local Authorities and Universities with regard to FOISA and EIRS. Disclosure Compliance Monitor how NHS Tayside applies absolute or qualified exemptions in relation to whether information should be disclosed in line with the Act and EIRS Ensure an NHS Tayside costing policy for the provision of information to the public is in place. Non-Clinical Records Management and Compliance Liaise with the Information Delivery Group regarding the roll out of the electronic document store for NHS Tayside. Monitor and ensure compliance with the records management policy and strategy. Monitor and ensure compliance with Information Governance Strategy as it relates to FOISA.. NHS Tayside Information Governance Policy February

22 9. Information Governance Infrastructure Appendix 2 Director Level IG Lead Director of Finance, Tayside NHS Board IG Co-ordinator Associate ehealth Director Programmes, Governance & Implementation Confidentiality and Caldicott Medical Director, Associate Medical Directors, General Managers, Human Resources Officers, Department Heads. Health Records Medical Director, Associate Medical Directors, Department Heads, Access Service Manager, Clinical Records Managers Data Protection Director of Finance Associate Medical Directors, General Managers, Human Resources Officers, Department Heads. Corporate Records Board Secretary, Associate Medical Directors, General Managers, Department Heads Freedom of Information Board Secretary, Associate Medical Directors, General Managers, Department Heads I.T. Security Director of Finance, Associate Medical Directors, General Mangers, Department Heads NHS Tayside Information Governance Policy February

23 Information Governance Infrastructure Committees and Groups Tayside NHS Board Finance and Resources Committee Information Governance Committee IG Policy and Guidance Delivery Unit ehealth Group Electronic Clinical Records and Systems Area IM&T Business Group Corporate Systems and Infrastructure Freedom of Information Compliance Corporate Records and FOISA Procedures Tayside Data Sharing Partnership Inter-Agency Data Sharing Health Records Committee Clinical Records and Procedures NHS Tayside Information Governance Policy February

24 Appendix Regulatory and NHS Requirements NHS Tayside shall comply with the following legislation and other legislation as appropriate; Abortion Regulations 1991 Access to Health Records Act 1990 (where not superseded by the Data Protection Act1998) Audit & Internal Control Act 1987 Computer Misuse Act 1990 Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992 Crime & Disorder Act 1998 Data Protection (Processing of Sensitive Personal Data) Order 2000 Data Protection Act 1998 Electronic Communications Act 2000 Fraud Act Freedom of Information (Scotland) Act 2002 Health and Safety at Work Act (1974) Human Fertilisation & Embryology Act 1990 Human Rights Act 1998 Lawful Business Practice Regulations National Health Service Act 1977 NHS Sexually Transmitted disease regulations 2000 Police & Criminal Evidence Act Prevention of Terrorism (Temporary Provisions) Act 1989 & Terrorism Act 2000 Public Interest Disclosure Act 1998 Regulation of Investigatory Powers (Scotland) Act 2000 (& Lawful Business Practice Regulations 2000) Responsibility of Directors Act Road Traffic Act 1988 Regulations under Health & Safety at Work Act 1974 NHS Tayside Information Governance Policy February

25 10. Regulatory and NHS Requirements (Cont d) NHS Tayside will abide by the following Guidance and Recommendations; Caldicott Principles Report, audit & improvement on the use of Patient Identifiable Data NHS Code of Practice on Protecting Patient Confidentiality NHS National Services Scotland Information Governance Standards NHS National Services Scotland Information Governance Toolkit NHS Quality Improvement Scotland Clinical Governance and Risk Management Standards NHS Scotland Information Security Policy Scottish Executive Health Department Corporate Governance: Statement of Internal Control May 2007 CEL NHS Scotland Information Assurance Strategy NHS Tayside supports compliance with the above by providing policy, advice and guidance on these relevant topics; NHS Tayside Information Governance Policy NHS Tayside Data Protection Policy NHS Tayside Records Management Policy NHS Tayside Records Retention Schedules NHS Tayside Portable Computer and Removable Media Policy NHS Tayside Usage Policy NHS Tayside Desktop Policy NHS Tayside Home Working Policy General Information Sharing Protocol Information Access Protocols Information Transfer Protocols Caldicott Approval Procedure NHS Tayside Information Governance Policy February

26 Appendix The Information Governance Toolkit ** The following reference to the IG Toolkit are included pending the development of the IG Toolkit as set out in the IA Strategy. It is unclear how the information recorded in the IG Toolkit will now support the Clinical Governance and Risk Management part of the Health Efficiency, Access & Treatment (HEAT) targets. Submission of Supporting Information Each NHS Board is required to submit a number of documents to supplement and support the information collected in the Toolkit. These are: Information Governance Policy Implementation Plan In addition to this NHS Boards are required to submit, on an annual basis, the following: Annual Report Annual Incident Report User Roles There are three different User roles each with different levels of access to the Toolkit: Organisation Administrator the Organisation Administrator is the Information Governance Manager. This role has two main responsibilities: o o Act as main contact between the NHS Board and the Information Governance Team with regards to the IG Toolkit. Set up the local structures for completion of the assessment. This includes setting up access for the other local users of the Toolkit and setting up Divisions (covered in greater detail in the next section). Returning Officer the Returning Officer is the Information Governance Manager. This role has two main responsibilities: o o Manage Returns the Returning Officer is responsible for starting assessments, ensuring that the information recorded is an accurate reflection of the Boards compliance with the Standards, and for ensuring the timely submission of the assessment. Where no Divisions have been set up the Returning Officer will also be responsible for completing the assessment. NHS Tayside Information Governance Policy February

27 User Roles (Cont d) Delegate For each Division that NHS Tayside sets up within the IG Toolkit a Delegate will be established. The Delegate is responsible for completing the assessment for their nominated Division. Approval and Submission Procedure Approval The IG Toolkit will be maintained to support the monitoring of NHS Tayside's compliance with the IG Standards in support of CGRM. The Implementation Plan will further identify what action is required to achieve an acceptable level of compliance, these actions will be prioritised by the relevant groups established within NHS Tayside Information Governance Infrastructure (IG Groups). The prioritised Implementation Plan will be reviewed annually (in line with QIS Review) by the co-ordinators identified in the IG Groups. The prioritised Implementation Plan will be presented by the ehealth Programme Manager to the F&RC for approval. Progress reports based on the Implementation Plan will be presented to the F&RC six monthly by the ehealth Programme Manager and Information Governance Manager. The six-monthly assessments will be approved by the IG Groups prior to submission to the Information Governance Team, NSS NHS Tayside Information Governance Policy February

28 Appendix Information Security 12.1 Introduction NHS Tayside (NHST) has become significantly dependent upon its Information and Communication Technology Systems and Services ( systems ) for both its normal day to day patient care activities and management functions. It is essential, for the successful operation of NHST and the well being of patients and staff, that the availability, integrity and confidentiality of the systems, data and information are maintained at a level appropriate to NHST s needs and in line with current regulatory requirements. It, therefore, follows that it is important that clear guidance is provided to all of NHST s staff and systems users that sets out the limits of operation and their individual and collective responsibilities for ensuring that the provisions of this policy are adhered to. This policy aims to serve that purpose and has been designed to ensure that best practice is adhered to, all relevant NHS standards are met and that NHST s legal obligations are not compromised. NHST will review and update this policy from time to time and publication to NHST staff will be facilitated via NHST Staffnet. Amendments to this policy will be communicated to NHST users via the normal NHST communication channels Objectives, Aims and Scope The objectives of NHS Tayside s Information Security Policy are to preserve: Confidentiality - Access to data and information shall be confined to those with appropriate authority. Integrity Data and information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification. Availability Data and information shall be available and delivered to the right person, at the time when it is needed. Accountability - Information that is delivered cannot be repudiated by the sender. The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by NHS Tayside: Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies. NHS Tayside Information Governance Policy February

29 12.2 Objectives, Aims and Scope (Cont d) Describing the principles of security and explaining how they shall be implemented in the organisation. Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities. Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business. Protecting information assets under the control of the organisation. This policy has been compiled in line with the instructions set out in NHS HDL (2006) 41 NHS Scotland Information Security Policy, the NHS Scotland Information Security Policy May 2005 and with reference to NHS Connecting for Health: Model Corporate Information Security Policy. This policy supports the principles and requirements set out in the NHS Tayside Information Governance Policy. The policy applies to NHST information assets, whether spoken or written, data that is stored on servers or related components, printed matter or displayed data which is owned or under NHST management. Specific policy objectives include: To provide a set of rules, measures and procedures aimed at ensuring confidentiality, integrity and availability throughout the NHST in line with NHST standards and obligations. To ensure that information is protected from unauthorised access, disclosure, modification or loss and that above all confidentiality of patient data is not compromised. To meet its legal and other requirements and to satisfy obligations to the NHS, patients and staff, NHST must use effective security measures to safeguard its information. In consultation implement such security measures as appropriate, updating whenever necessary. To set out the potential consequences of non-compliance with the provisions of this policy. To make direct reference to supporting Policy and Guidance documents. This policy will be reviewed by the Information Governance Team prior to the date on the cover page of this document or as directed in light of significant change in legislation, organisation or requirements. NHS Tayside Information Governance Policy February

30 12.3 Roles and Responsibilities Ultimate responsibility for the secure operation of all systems used in NHS Tayside rests with the Chief Executive. The responsibility is delegated to all staff involved or using information and information systems. A full description of responsibilities is set out in the NHS Tayside Information Governance Policy. Clinical Managers, Heads of Department and C.H.P. General Managers Managers must ensure that their staff are provided with information systems training as appropriate. Managers must ensure that where the administration of departmental systems has been delegated to a member of their staff that; the role and scope of the systems administrator should be agreed with the relevant parties that the appointee undergoes relevant training that procedures and protocols are developed, documented and implemented by the system administrator that are in line with the requirements of this policy. Systems Administrator This role within each service area or department is responsible for:- acting as liaison between their service area or department and the ICT department preparing a system security policy for systems within their remit. ensuring that all user responsibilities in respect of information security are understood and properly exercised. managing access to particular systems and information and maintain records of authorised system users. administering user security procedures requiring central control including the administration of passwords. reviewing and monitoring day-to-day security control and incidents and identifying unauthorised and unusual use. advising system users on security procedures including briefing new staff. NHS Tayside Information Governance Policy February

31 Systems Administrator (Cont d) maintaining records of security incidents and reporting them to the Administrator/Manager and the Information Security Officer. Periodically reviewing error or incident logs and report frequent occurrences to the Information Security Officer. The application of the above structure, at all levels, represents arrangements to accommodate substantial systems with wide-ranging coverage. However, the tasks and responsibilities still have to be taken on when operating smaller systems, procedures and processes. This may require some alteration to the structure to allow for practicalities Security Principles All NHST security principles are in line with best practice and comply with current legislation and NHS Scotland obligations. Access Access to NHST systems will be logged and monitored to help ensure use is in line with the requirements of this policy. Each member of NHST s staff and its authorised partners will be issued with a unique login identification and password. Any member of staff who requires legitimate access to specific NHST applications e.g. PMS, A&E, Theatres etc will be issued with appropriate and unique application login identification information for those applications and will be given sufficient access rights to undertake their job functions. The login authentication system will require users to change their passwords on a regular basis. Staff and other authorised users are prohibited from disclosing password information whether it be accidentally or purposefully given to another users. In the event that access details are disclosed (either deliberately or accidentally) then the owner of that access information must immediately change their password details. Note: Staff are reminded that as well as a serious breach of this policy it may be a criminal offence under the Computer Misuse Act 1990 if you either take part in a malicious act or know of or suspect that a malicious act has taken place in an NHST IT systems and services and do not report it. Third party support staff will be required to sign confidentiality agreements and adhere to NHST policies. NHS Tayside Information Governance Policy February

INFORMATION GOVERNANCE POLICY & STRATEGY FINAL DRAFT

INFORMATION GOVERNANCE POLICY & STRATEGY FINAL DRAFT INFORMATION GOVERNANCE POLICY & STRATEGY FINAL DRAFT Prepared By: Alistair Stewart Responsible Person: Endorsed by: Information Governance Committee Date: May 2008 Review: June 2009 Issue Number Draft

More information

Information Governance Policy

Information Governance Policy Information Governance Policy UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT HISTORY

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

Information Governance Policy

Information Governance Policy Author: Susan Hall, Information Governance Manager Owner: Fiona Jamieson, Assistant Director of Healthcare Governance Publisher: Compliance Unit Date of first issue: February 2005 Version: 5 Date of version

More information

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy. Title: Reference No: NHSNYYIG - 007 Owner: Author: INFORMATION GOVERNANCE POLICY Director of Standards First Issued On: September 2010 Latest Issue Date: February 2012 Operational Date: February 2012 Review

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

More information

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY Moorland is committed to ensuring that, as far as it is reasonably practicable, the way we provide services to the public and the way we treat

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY Directorate of Performance Assurance INFORMATION GOVERNANCE POLICY Reference: DCP074 Version: 2.5 This version issued: 27/03/15 Result of last review: Minor changes Date approved by owner (if applicable):

More information

General Register Office for Scotland information about Scotland s people. Paper NHSCR GB 1/08. NHSCR Scotland Information Governance Standards

General Register Office for Scotland information about Scotland s people. Paper NHSCR GB 1/08. NHSCR Scotland Information Governance Standards General Register Office for Scotland information about Scotland s people Paper NHSCR GB 1/08 NHSCR Scotland Information Governance s This is a draft on which the Board s comments would be welcome. Contents

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

Information Governance Policy

Information Governance Policy BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework Putting Barnsley People First Barnsley Clinical Commissioning Group Information Governance Policy and Management Framework Version: 1.1 Approved By: Governing Body Date Approved: 16 January 2014 Name of

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

More information

Gloucestershire Hospitals

Gloucestershire Hospitals Gloucestershire Hospitals NHS Foundation Trust TRUST POLICY In the case of hard copies of this policy the content can only be assured to be accurate on the date of issue marked on the document. The Policy

More information

Information Governance Policy

Information Governance Policy Information Governance Policy REFERENCE NUMBER IG 101 / 0v3 May 2012 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive 4.9.12 REVIEW DUE DATE May 2015 West Lancashire CCG is committed to ensuring

More information

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE. Title: Information Governance Policy Date Approved: Approved by: Date of review: Policy Ref: Issue: January 2015 Information Governance Group Division/Department: January 2016 Policy Category: ISP-04 5

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Trust Informatics Policy. Information Governance. Information Governance Policy

Trust Informatics Policy. Information Governance. Information Governance Policy Trust Informatics Policy Information Governance Policy Reference: TIP/IG/IGP I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 1 Document Control Policy Title Author/Contact Document Reference

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY NWAS Information Governance Policy Page: Page 1 of 10 Date of Issue: January 2014 Date of Review February 2015 Recommended by Approved by Information Governance Management

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

SALISBURY NHS FOUNDATIONTRUST

SALISBURY NHS FOUNDATIONTRUST SALISBURY NHS FOUNDATIONTRUST PAPER SHC 1738 TITLE Information Governance Policy PURPOSE OF PAPER The Information Governance Policy was first approved in April 2005. It is currently due for review to ensure

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Information Governance policy

Information Governance policy Information Governance policy Key Points Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources throughout

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

General Register Office for Scotland information about Scotland s people. Paper NHSCR GB 5/07. NHSCR s quality assurance procedures

General Register Office for Scotland information about Scotland s people. Paper NHSCR GB 5/07. NHSCR s quality assurance procedures General Register Office for Scotland information about Scotland s people Paper NHSCR GB 5/07 NHSCR s quality assurance procedures November 2007 NHSCR SCOTLAND INFORMATION GOVERNANCE STANDARDS Author: Muriel

More information

Information Governance Policy. Church Road Medical Practice

Information Governance Policy. Church Road Medical Practice Information Governance Policy Church Road Medical Practice Version No: 1.0 Issue Date: March 2015 INFORMATION GOVERNANCE POLICY 1. Summary Information is a vital asset, both in terms of the clinical management

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: Revised: Consultation: Ratified by: 1.0 Information Governance Committee Governance Committee Date ratified: 19 March 2008 Name of originator/author: David McGrath

More information

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs NOTE: This is a CONTROLLED Document. Any documents appearing in paper

More information

NHS Business Services Authority Information Security Policy

NHS Business Services Authority Information Security Policy NHS Business Services Authority Information Security Policy NHS Business Services Authority Corporate Secretariat NHSBSAIS001 Issue Sheet Document reference NHSBSARM001 Document location F:\CEO\IGM\IS\BSA

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

More information

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

NHS Business Services Authority Information Governance Policy

NHS Business Services Authority Information Governance Policy NHS Business Services Authority Information Governance Policy NHS Business Services Authority Corporate Secretariat NHSBSAIGM002 Issue Sheet Document reference NHSBSAIGM002 Document location F:\CEO\IGM\Info

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Information Governance Policy_v2.0_060913_LP Page 1 of 14 Information Reader Box Directorate Purpose Document Purpose Document Name Author Corporate Governance Guidance Policy

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY Version 8.0 Purpose: For use by: This document is compliant with /supports compliance with: To outline the lifecycle of a record and to provide guidance on retention and disposal

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:

More information

Information Governance Plan

Information Governance Plan Information Governance Plan 2013 2015 1. Overview 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources.

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Information Security Policy

Information Security Policy Information Security Policy v2.0 Target Audience: Policy Endorsed by: ESCC Staff, members and other agencies handling ESCC information Governance Committee Final V2.0 Page 1 of 13 Information Security

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy ID IG02 Version: V1 Date ratified by Governing Body 27/09/13 Author South Commissioning Support Unit Date issued: 21/10/13 Last review date: N/A Next review date: September

More information

Information governance policy

Information governance policy Information governance policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSAIGM002a S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review IG Policy\Current

More information

Information Security Policy

Information Security Policy Information Security Policy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

Policy: D9 Data Quality Policy

Policy: D9 Data Quality Policy Policy: D9 Data Quality Policy Version: D9/02 Ratified by: Trust Management Team Date ratified: 16 th October 2013 Title of Author: Head of Knowledge Management Title of responsible Director Director of

More information

Information Security Policy Data Protection

Information Security Policy Data Protection Information Security Policy Data Protection Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation

More information

Information Security Policy

Information Security Policy Information Security Policy Reference No: Version: 5 Ratified by: CG007 Date ratified: 26 July 2010 Name of originator/author: Name of responsible committee/individual: Date approved by relevant Committee:

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from August 2009 Date last amended August 2009

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

Information Governance Strategy 2015/16

Information Governance Strategy 2015/16 Information Governance Strategy 2015/16 Ratified Governing Body (November 2015) Status Final Issued November 2015 Approved By Executive Committee (August 2015) Consultation Equality Impact Assessment Internal

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

Information Governance Policy

Information Governance Policy Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

IG: Third Party Contracts and Contractors Policy

IG: Third Party Contracts and Contractors Policy IG: Third Party Contracts and Contractors Policy Document Summary This policy provides guidance on the Information Governance arrangements that need to be considered and / or implemented when engaging

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version: 3.2 Authorisation Committee: Date of Authorisation: May 2014 Ratification Committee Level 1 documents): Date of Ratification Level 1 documents): Signature of ratifying

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

NHS Lanarkshire Information Governance Committee

NHS Lanarkshire Information Governance Committee INFORMATION GOVERNANCE COMMITTEE DRAFT TERMS OF REFERENCE Name Purpose NHS Lanarkshire Information Governance Committee To provide direction of and oversee the development of NHS Lanarkshire Information

More information

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013 Information Governance Policy Version 1.0 June 2013 Copyright Notification Copyright London Borough of Islington 2012 This document is distributed under the Creative Commons Attribution 2.5 license. This

More information

Information Governance Policy and Management Framework

Information Governance Policy and Management Framework Information Governance Policy and Management Framework Policy Number: IG01 Version: 3.0 Ratified by: Governing Body Date ratified: February 2016 Name of originator/author: Louise Chatwyn Information Governance

More information

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Approved No impact NHS Quality, Safety

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY POLICY NO IM&T 011 DATE RATIFIED January 2012 NEXT REVIEW DATE January 2015 POLICY STATEMENT/KEY OBJECTIVE: To provide an overarching framework through which Information Governance

More information

Internet Use Policy and Code of Conduct

Internet Use Policy and Code of Conduct Internet Use Policy and Code of Conduct UNIQUE REF NUMBER: AC/IG/023/V1.1 DOCUMENT STATUS: Agreed by Audit Committee 18 July 2013 DATE ISSUED: July 2013 DATE TO BE REVIEWED: July 2014 1 P age AMENDMENT

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and

More information

CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY. December 2014

CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY. December 2014 CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY December 2014 DOCUMENT INFORMATION Author: Barbara Sansom Information Governance Manager Equality Impact Assessment Consultation & Approval

More information

Policy Checklist. Head of Information Governance

Policy Checklist. Head of Information Governance Policy Checklist Name of Policy: Information Governance Policy Purpose of Policy: To provide guidance to all staff on their responsibilities regarding information governance and to ensure that the Trust

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY Report to the Trust Board 22 September 2015 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations: Director

More information

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

INFORMATION RISK MANAGEMENT POLICY

INFORMATION RISK MANAGEMENT POLICY INFORMATION RISK MANAGEMENT POLICY DOCUMENT CONTROL: Version: 1 Ratified by: Steering Group / Risk Management Sub Group Date ratified: 21 November 2012 Name of originator/author: Manager Name of responsible

More information

INFORMATION GOVERNANCE

INFORMATION GOVERNANCE This document is uncontrolled once printed. Please refer to the Trusts Intranet site (Procedural Documents) for the most up to date version INFORMATION GOVERNANCE NGH-PO-233 Ratified By: Procedural Document

More information

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation Northumberland, Newcastle North and East, Newcastle West, Gateshead, South Tyneside, Sunderland, North Durham, Durham Dales, Easington and Sedgefield, Darlington, Hartlepool and Stockton on Tees and South

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

Information Governance Framework and Strategy. November 2014

Information Governance Framework and Strategy. November 2014 November 2014 Authorship : Committee Approved : Chris Wallace Information Governance Manager CCG Senior Management Team and Joint Trade Union Partnership Forum Approved Date : November 2014 Review Date

More information

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS North Durham Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Risk and Audit Committee/Governing

More information