Information Governance Policy and Management Framework

Transcription

1 Information Governance Policy and Management Framework Policy Number: IG01 Version: 3.0 Ratified by: Governing Body Date ratified: February 2016 Name of originator/author: Louise Chatwyn Information Governance Manager Name of responsible individual: Helen Potton Interim Chief Operating Officer Review date: February 2017 Target audience: All Staff Page 1 of 11

2 Version Control Sheet Version Date Who Change / /13 Rewrite to take into account changes in the NHS structure in April /13 Amendment to sections 6,8,10,12 following Nene review /13 M Griffiths Review for CCG ownership /13 M Griffiths Reference to the Incident Reporting Policy inserted into the Information Governance Policy /13 M Griffiths Point 6 changed to overall accountability for procedural documents is the Accountable Officer. Name of responsible individual for the policy within Nene changed to Marie Griffiths /16 L Chatwyn Review and update to current Page 2 of 11

3 Contents 1. Introduction and Strategy Policy Scope Information Governance staff handbook Information Governance and Records Management Governance Key Roles and Responsibilities Use of Information Openness Incident Management Monitoring and Review Training Distribution and Implementation Key Documents References Page 3 of 11

4 1. Introduction and Strategy Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The Health and Social Care Information Centre (HSCIC) mandates that the Information Governance Toolkit (IGT) is completed annually by all organisations that commission or provide services within and to the NHS The way that an organisation delivers against these requirements is referred to within the Information Governance Toolkit (IGT) as the organisation s Information Governance Management Framework. This Framework must be documented, approved at the most appropriate senior management level in the organisation (e.g. a member of the Senior Management Team) and reviewed annually. This document sets out Nene CCG s strategy for embedding and implementing robust Information Governance practice throughout the CCG for the current and future management of information to ensure compliance with all appropriate legislation, and standards. The IGT is available here: A user name and password is required to access the CCG IG Toolkit Return. This document provides a summary of how the CCG is addressing the IG agenda by: Demonstrating compliance with the key IG standards through achievement of a level 2 (satisfactory) position within the IG toolkit Maintain a robust IG workplan to ensure continuity of delivery and progress beyond the minimum where it has been achieved Mandating that all staff complete annual IG training commensurate with their role profile Document, act and improve on information security incidents to provide assurance to the Board through periodic reports to the Audit and Risk Committee 2. Policy This document is a statement of the approach and intentions for Nene CCG to fulfil its statutory and organisational responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and the organisations aims and objectives. Page 4 of 11

5 This document sets out the high level principles for confidentiality, integrity and availability of information (Information Governance) within Nene CCG to promote and build a level of consistency across the community on these principles. The CCG is committed to ensuring that information, in whatever its context, is handled as determined by prevailing law. The Information Governance Policy provides a consistent way for staff to deal with the many different information handling requirements including: information governance management; clinical information assurance; confidentiality and data protection assurance; corporate information assurance; information security assurance; and secondary use assurance. The following references and areas of legislation should be adhered to. Confidentiality NHS Code of Practice Data Protection Act 1998 Caldicott Guardian principles Freedom of Information Act 2000 Environmental Information Regulations 2004 Access to Health Records 1990 Nene CCG has also developed internal policy and procedural documents to support the framework Confidentiality and Data Protection Information Management and Security (including computer use and misuse) Electronic Communications and internet Information Incident Records and Information Management including compliance with the Freedom of Information Act. 3. Scope This document applies to all staff, whether permanent, temporary or contracted. They are responsible for ensuring that they are aware of all relevant requirements and that they comply with them on a day to day basis. Furthermore, the principles of this document apply to all third parties and others authorised to undertake work on behalf of Nene CCG. Page 5 of 11

6 This document covers all aspects of handling information, in both paper and electronic format 4. Information Governance staff handbook An Information Governance staff handbook will be developed and published that provides a guide to Information Governance and summarises the key user requirements that support the CCG Information Governance policies and framework. 5. Information Governance and Records Management The Records Management: NHS Code of Practice has been published by the Department of Health as a guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. It is based on current legal requirements and professional best practice. We will adhere to this Code of Practice. 6. Governance Nene CCG fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal confidential information about patients and staff and business sensitive information. Nene CCG also recognises the need to share patient information between partner health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest. Nene CCG believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to ensure and promote the quality of information and to actively use information in decision-making processes. Nene CCG will establish an appropriate committee; the Information Governance Working Group (IGWG) to champion a set of information standards and ensure that these are escalated into organisational governance arrangements. Membership of the group will include the Senior Information Risk Owner (SIRO) and Caldicott Guardian. The remit of the group will be to: Page 6 of 11

7 discuss Information Security Incidents including data breaches discuss Information Governance Training compliance as part of the broader IG Workplan approve Information Sharing and Consent Agreements. discuss Information Flows captured as part of the Data Mapping exercise review issues in respect of Information Asset Registers consider compliance and improvement issues in respect of the IG Toolkit submission Nene CCG aims to ensure organisations contracted to deliver services also achieve a satisfactory standard. This includes commissioned services delivering both clinical and non-clinical services. Nene CCG will be responsible for delivering a robust IG service which provides a full range of expert advice, guidance, training and support in Data Protection and confidentiality, information risk management, security, data quality, and information management. 7. Key Roles and Responsibilities Role Accountable Officer Senior Information Risk Officer Responsibility The Accountable Officer and the Board have ultimate accountability for actions and inactions in relation to this document The CCG s SIRO is responsible for having overall accountability for Information Governance; this includes the Data Protection and Confidentiality function. The role includes briefing the Board and providing assurance through the Audit and Risk Committee that the IG approach is effective in terms of resource, commitment and execution. Caldicott Guardian Chief Operating Officer The SIRO for Nene CCG is the Chief Finance Officer The Caldicott Guardian has responsibility for ensuring that there are adequate standards for protecting patient information and that all data transfers are undertaken in accordance with Safe Haven guidelines and the Caldicott principles. The Caldicott Guardian for Nene CCG is the GP Chair The Chief Operating Officer has overall day to day responsibility for the Information Governance in the CCG. Page 7 of 11

8 Information Governance Lead The role includes briefing the Board, including the SIRO and Caldicott Guardian of information risks and information incidents The Information Governance Manager has day to day responsibility for implementing and monitoring procedures to ensure compliance with relevant information legislation The Information Governance Manager is responsible for completion of the IG Toolkit, actions arising to ensure compliance and subsequent workplans for continuing improvement Information Asset Owners Managers All staff Information Asset Owners (IAO) will act as nominated owner of CCG information assets. Their responsibilities will include: Identify Information Asset Administrators to assist them with their duties, where this is appropriate and necessary. Document, understand and monitor what information assets are held, and for what purpose, how information is created, amended or added to, who has access to the information and why Managers and supervisors are responsible for ensuring that staff who report to them have suitable access to this document and it s supporting policies and procedures and that they are implemented in their area of authority. Managers are also responsible for ensuring the initial training compliance of all staff reporting to them Have a responsibility to: Be aware of the Information Governance requirements Support the CCG to achieve Toolkit Compliance Complete annual IG training Report information Incidents appropriately 8. Use of Information Nene CCG recognises that as a Clinical Commissioning Group it does not have legal rights to personal confidential data for commissioning purposes and will use anonymised, pseudonymised and aggregated data for that purpose. The CCGs will: Page 8 of 11

9 proactively use information within the organisation and with partner agencies, both for the care of service users and for service management as determined by law, statute and best practice; put in place effective arrangements to ensure the confidentiality, security and quality of personal confidential information and other sensitive information; ensure information within the organisation is of the highest quality in terms of completeness, accuracy, relevance, accessibility and timeliness. 9. Openness Non-confidential information relating to Nene CCG and its services should be available to the public through a variety of media, in line with the CCGs code of openness. All members of staff working within Nene CCG are bound by the Common Law Duty of Confidentiality, in addition to their contract of employment, code of professional practice or other applicable ethical standards. As such, staff can be held personally liable for any breaches of confidentiality. If service user confidentiality is breached, this may lead to disciplinary action, a personal fine, and/or employees can be held personally responsible for a civil action. Nene CCG will establish and maintain policies to ensure compliance with the Freedom of Information Act (2000). A Publication Scheme will be maintained in line with the Information Commissioner s Office (ICO) model Publication Scheme and this is available for all service users on the CCG Internet site. This will be maintained and updated frequently in line with the guidance. Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients. This information will inform patients of the use of their information, which agencies their information will be shared with and the circumstances where explicit consent will be sought. Nene CCG will, where there is a defined purpose (or set of) that are beneficial and justifiable, engage in information sharing protocols with partner organisations, provided these protocols are set out within the boundaries of applicable legislation and regulation and do not compromise the organisation or the confidentiality of the personal/sensitive data that it holds. 10. Incident Management Clear guidance on incident management procedures will be documented and published on the Nene CCG intranet Page 9 of 11

10 The Information Governance team will co-ordinate analysis, investigation and upward reporting of events and recommendations for remedial action 11. Monitoring and Review Performance against key performance indicators will be reviewed on an annual basis through the IG Toolkit submission and used to inform the development of future documents. Unless there is major legislation or policy, this document will be reviewed annually 12. Training Appropriate training will be provided to all Staff commensurate with their role profile as necessary. Training is available through the HSCIC Information Governance Training Tool which can be found here: Distribution and Implementation A set of policy and procedural documents to support this Strategy will be made available via the Nene CCG staff intranet. Staff will be made aware of procedural updates as they occur via team briefs, management communications and notification via the CCG staff intranet. 14. Key Documents To include: Personal Confidentiality Data Policy Information Security Policy Information Asset Management Policy Information Sharing Procedure Information Disclosure Procedure Information Incident Procedure 15. References The IG Toolkit Page 10 of 11

11 Data Protection Act Freedom of Information Act Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation d%20checklist%20guidance.pdf The NHS Constitution for England NHS Code of Confidentiality NHS Care Record Guarantee NHS Information Risk Management The Caldicott Review: Information Governance in the Health and Social Care System /192572/ _InfoGovernance_accv2.pdf Access to Health Records Act Page 11 of 11