Surrey & Sussex Healthcare NHS Trust

Transcription

1 Surrey & Sussex Healthcare NHS Trust An Organisation-wide Policy for Information Governance (IG) Version 1.3 Status Ratified Date Ratified March 2008 Name of Owner Name of Sponsor Group Name of Ratifying Group Type of Procedural document Information Governance & Security Manager Dipa Bhella Information Governance Steering Group Management Board Quality & Risk Policy Policy Reference 0109 Date issued Oct 2010 Review date Oct 2013 Target audience Human Rights Statement EIA Status All employees of Surrey and Sussex Healthcare NHS Trust (including contractors, volunteers etc) The Trust incorporates and supports the human rights of the individual, as set out by the European Convention on Human Rights and the Human Rights Act 1988 Completed This policy is available on request in different formats and languages from the Policy Coordinator / PALS. The latest approved version of this document supercedes all other versions. Upon receipt of the latest approved versions all other version should be destroyed, unless specifically stated that the previous version(s) are to remain extant. If in any doubt please contact the document owner or Policy Coordinator. Page 1 of 13

2 Contents Page Number 1. Introduction 3 2. Purpose 3 3. Definitions 4 4. Duties 5 5. Policy 6 6. Consultation and Communication with Stakeholders 9 7. Approval and Ratification 9 8. Review and Revision Arrangements 9 9. Dissemination and Implementation Archiving Arrangements Monitoring Compliance References Associated Documents 10 Appendices 1. Equality Impact Assessment 11 Change history Version Date Author/Procedure Lead Details of change Head of Information Technology First Version Information Governance & Security Manager Information Governance & Security Manager Minor amendments Minor amendments Page 2 of 13

3 1. Introduction Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in Clinical Governance, service planning performance management and the Trust s interactions with other organisations. Information Governance (IG) is concerned with the way NHS organisations handle information about patients/clients and employees, in particular personal and sensitive information. It allows organisations and individuals to ensure that personal information is dealt with legally, securely, efficiently and effectively in order to deliver the best possible care. Information Governance is a framework that brings together all of the requirements, standards and best practice that apply to the handling of personal information. The importance of Information Governance is reflected in the effort devoted by NHS Connecting for Health to integrating a number of information initiatives and providing a uniform knowledge base, assessment and performance management toolkit across all areas of the health community. This Information Governance Toolkit (IGT) is used as a performance measure and the introduction of national systems increase the importance of maintaining a suitable management framework to progress the IG agenda. The IGT is used by the Care Quality Commission to determine the quality of the Trust s services. IG is everyone s responsibility. To develop information governance within the Trust there are five areas to be addressed: policies, training, operational practices, audit and compliance and performance measurement. 2. Purpose The aim of the policy is to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management to assure and demonstrate the proactive use of information as determined by legislative acts, statute and best practice. Page 3 of 13

4 3. Definitions Information Governance Toolkit (IGT) - is a performance tool produced by the Department of Health (DH). It draws together the legal rules and central guidance set out above and presents them in one place as a set of information governance requirements. Organisations are required to carry out self-assessments of their compliance against the IG requirements. Senior Information Risk Owner (SIRO) at board level is responsible for the ongoing development and day-to-day management of the Trust Risk Management Programme for information security. Care Quality Commission (CQC) - is the independent regulator of all health and adult social care in England. Information is defined as data that can be stored in any format, e.g. paper, electronic, audio or visual, or can be passed by word of mouth. Page 4 of 13

5 4. Duties The Chief Executive as Accountable Officer of the Trust has overall accountability and responsibility for Information Governance in the Trust and is required to provide assurance, through the Statement of Internal Control that all risks to the trust, including those relating to information, are effectively managed and mitigated. The Director of Business Intelligence and Technology at board level is responsible for overseeing implementation and performance assessment of Information Governance, and is the Trusts Senior Information Risk Owner (SIRO). The Information Governance & Security Manager is responsible for the coordination and management of Information Governance, and is responsible for the day to day coordination of aspects of Information Security. The Information Governance & Security Manager is also the Data Protection Officer. The Caldicott Guardian is the Trust s Medical Director. The Caldicott Guardian has responsibility for safeguarding the confidentiality of patient information. The Information Governance Steering Group is responsible for overseeing day to day Information Governance issues; developing and maintaining policies, standards, procedures and guidance, coordinating Information Governance in the Trust and raising awareness of Information Governance. The Information Governance Steering Group reports to the Management Board Quality & Risk at Board Level. The Freedom of Information Lead is responsible for freedom of information requests. The Head of Ambulatory Care is responsible for Health Records and Subject Access Requests. Senior managers are accountable for the communication about and compliance with this strategy and policy. Line managers must ensure that staff are appropriately trained and apply the appropriate policy and guidelines across the information governance agenda All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis. Staff should ensure they attend information governance training awareness sessions and pass the relevant information governance e-learning modules to maintain their knowledge and skills Page 5 of 13

6 All staff have responsibility to adhere to information governance standards which are written into the terms and conditions of their contract of employment. 5. Policy This policy covers all information systems purchased, developed and managed by, or on behalf of, the organisation and any individual directly employed or otherwise by the organisation. The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The Trust fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information. The Trust also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest. The Trust believes that accurate, timely and relevant information is essential to deliver the highest quality healthcare. As such, it is the responsibility of all clinicians and managers to ensure and promote the quality of information and to actively use information in the decision making processes. The Trust undertakes to maintain high standards of information handling by reference to the HORUS model, where information is: Held securely and confidentiality Obtained fairly and efficiently Recorded accurately and reliably Used effectively and ethically Shared appropriately and lawfully There are 4 key interlinked strands to the information governance: Openness Legal compliance Information security Quality assurance Page 6 of 13

7 5.1 Openness The Trust will be open and helpful in making information available to the public in line with the Code of practice on openness in the NHS (2003) and the Freedom of Information Act (2000). The Trust will establish and maintain policies to ensure compliance with the Freedom of Information Act The Trust will undertake or commission assessments and audits of its policies and arrangements for openness in line with the Information Governance Toolkit requirements. Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media. The Trust will have clear procedures and arrangements for handling queries from patients and the public. 5.2 Legal Compliance The Trust regards all identifiable personal information relating to patients as confidential The Trust will undertake or commission assessments and audits of its compliance with legal requirements in line with the Information Governance Toolkit requirements. The Trust regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise The Trust will establish and maintain policies to ensure compliance with the Data Protection Act. Policies established will take into account the Human Rights Act and the common law of confidentiality The Trust will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act). Page 7 of 13

8 5.3 Information Security The Trust will establish and maintain policies for the effective and secure management of its information assets and resources The Trust will undertake or commission assessments and audits of its information and IT security arrangements in line with the Information Governance Toolkit requirements. The Trust will promote effective confidentiality and security practice to its staff through policies, procedures and training The Trust will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security 5.4 Information Quality Assurance The Trust will establish and maintain policies and procedures for information quality assurance and the effective management of records The Trust will undertake or commission assessments and audits of its information quality and records management arrangements in line with the Information Governance Toolkit requirements. Managers are expected to take ownership of, and seek to improve, the quality of information within their services Wherever possible, information quality should be assured at the point of collection Data standards will be set through clear and consistent definition of data items, in accordance with national standards. The Trust will promote information quality and effective records management through policies, procedures/user manuals and training 5.6 Training It is mandatory for all staff to attend the Information Governance training. Training can either be conducted by an E-learning package developed by Connecting for Health or attend a face-to-face training session. Page 8 of 13

9 6. Consultation and Communication with Stakeholders The policy was last reviewed Oct 2010 in line with the Information Governance Toolkit requirements, in consultation with the Information Governance Steering Group. 7. Approval and Ratification The policy was approved by the Information Governance Steering Group and ratified by the Management Board Quality & Risk 8. Review and Revision This policy will be reviewed in line with the Trust Policy on Management and Development of Procedural Documents; the standard length of time for review is three years. However, changes within the organisation affecting this process, together with any changes in legislation or the requirements of external regulators /accreditation organisations may prompt the need for revision before the 3 year natural expiry date. 9. Dissemination and Implementation The Trust process for dissemination of polices will be followed as described in the Organisation Wide Policy for the Management and Development of Procedural Documents. This includes; Posting on the dedicated Polices and Procedures page of the Intranet tification to all staff of the new policy on the next available e-bulletin. 10. Archiving The policy will be held in the Trust database, known as the library and archived in line with the arrangements in the Organisation wide Policy for the Management and Development of Procedural Documents. Working copies will be available on request from the Policy Co-coordinator by contacting the dedicated mailbox trustpolicies@sash.nhs.uk Page 9 of 13

10 11. Monitoring compliance What will be monitored Responsible Frequency Reported to Staff understanding of guidance through regular spot checks and staff surveys Information Governance & Security Manager Annually IG Steering Group 12. References. Data Protection Act (1998) Freedom of Information Act (2000) The Caldicott Report (1997) Confidentiality NHS Code of Practice (DoH) Code of practice on openness in the NHS (2003) The Information Governance Toolkit (V8) 13. Associated Documents ICT, Security, Confidentiality & Acceptable Use Policy Information Governance Strategy Faxing Policy Access to patient records/information (Subject access request) policy Data Protection Act & Confidentiality Policy Records Management Policy & Information Life Cycle Strategy Staff Confidentiality Code of Conduct Policy Freedom of Information Policy Page 10 of 13

11 Appendix 1: Equality Impact Assessment Name of Person carrying out Equality Impact Assessment Sally Spencer Dipa Bhella Peter Hodgetts Department of assessor Legal Affairs 1. Name of the strategy / policy / clinical practice IG Policy Date last reviewed or created Sept What is the aim, objective or purpose of the strategy / policy / clinical practice 3. Who implements the strategy / policy / clinical practice 4. Who is intended to benefit from this strategy / policy / clinical practice and in what way? 5. Is the strategy/ policy / clinical procedure applied uniformly throughout the Trust? 6. Who are the main stakeholders in relation to the strategy / policy / clinical procedure (for example certain groups of staff, patients, visitors etc)? The aim of the policy is to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management to assure and demonstrate the proactive use of information as determined by legislative acts, statute and best practice. All employees of Surrey and Sussex Healthcare NHS Trust (including contractors, volunteers etc) All employees of Surrey and Sussex Healthcare NHS Trust (including contractors, volunteers etc), patients, carers and external stakeholders. Yes All employees of Surrey and Sussex Healthcare NHS Trust (including contractors, volunteers etc), patients, carers and external stakeholders. Page 11 of 13

12 7. What data are available to facilitate the screening of this strategy / policy / clinical procedure Staff understanding of guidance through regular spot checks and staff surveys 8. Is there any evidence of higher or lower participation, uptake or exclusion by the following characteristics? Race (Evidence) Gender (Evidence) Disability (Evidence) Sexual Orientation Evidence) Age (Evidence) Religious Belief (Evidence) Carers or those with dependants 9. In the context of the preceding sections are there any groups which you believe should be consulted? 10. What data are required in the future to ensure effective monitoring? 11. Considering all information please indicate areas where a differential impact occurs or has the potential to occur. Staff understanding of guidance through regular spot checks and staff surveys Page 12 of 13

13 Please specify and give reasons. Potential for differential impact? Signed Sally Spencer Date of assessment 03/11/2010 Recommended for full impact assessment? Page 13 of 13