IG: Third Party Contracts and Contractors Policy


Document Summary

This policy provides guidance on the Information Governance arrangements that need to be considered and / or implemented when engaging with a third party supplier.

POLICY NUMBER: POL/002/068
DATE RATIFIED: February 2016
DATE IMPLEMENTED: March 2016
NEXT REVIEW DATE: February 2019
ACCOUNTABLE DIRECTOR: Director of Strategy and Support Services
POLICY AUTHOR: Information Governance Performance Manager

Important Note: The Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and, as such, may not necessarily contain the latest updates and amendments.

Contents

1. Scope
2. Introduction
3. Statement of Intent
4. Definitions
5. Duties
   Chief Executive
   Director of Strategy and Support Services (Senior Information Risk Owner)
   Head of Information Governance
   IG Team
   ehealth Contracts
   Contracts Team
   Business Managers
   All Staff Members
6. Processes for contracting with third party suppliers
   Trust Standards
   Compliance Explained
   Checking Compliance
   Data Controller Registration with ICO
   Contract Controls
   Data Processing Clauses
   Confidentiality / Non-Disclosure Clauses
   Incident Reporting Mechanisms
   FOI responsibilities
   Business Continuity Measures
   Contractors
7. Training
8. Monitoring compliance with this policy
9. References/ Bibliography
10. Related Trust Policy/Procedures
11. Appendix A: IG Contract Standards Matrix

1. Scope

This policy is intended to provide guidance for all Cumbria Partnership NHS Foundation Trust ("CPFT" or "the Trust") staff members who have responsibility for procuring services. It intends to guide the considerations and processes for dealing with third party suppliers and procuring services for the Trust.

The policy is intended for third party contracts where the Trust is procuring, purchasing and/or commissioning services from third parties. The requirements are not valid for contracts in which the Trust is the provider.

There is an internal procedure which is used by the IG team; the procedure details the processes which need to be undertaken to check suppliers' compliance levels and the escalation required if standards are not met.

Cumbria Clinical Commissioning Group ("the CCG") is subject to the content of all IG policies and procedures due to the Service Level Agreement currently in place, which commissions the CPFT Information Governance ("IG") department to provide IG services.

2. Introduction

There is a requirement to ensure staff members are aware of the IG requirements for any third party supplier or contractor.

The Trust has a strategic target to reach level 3 compliance across all requirements as assessed by the Information Governance Toolkit by In order to meet this requirement the Trust has to ensure that all contracts entered into with suppliers have the appropriate checks carried out and clauses implemented.

The considerations should be put in place in the initial stages of planning a procurement to ensure the Trust is only dealing with suppliers who meet the set standard or who will achieve the set standard within six months of contract date.

The requirements of this policy should be adhered to; this then gives assurance that the correct IG and security requirements are being followed.

3. Statement of Intent

The policy is intended to ensure:

- the correct checks are carried out on all potential suppliers to the Trust;

- the standard set by the Trust for suppliers is adhered to and maintained;
- guidance of requirements for contractual clauses for contracts is provided;
- the Trust has processes which encourage adherence to legal and regulatory requirements when dealing with third party suppliers.

This policy is to be used for third party suppliers only; where the Trust or the CCG are providing the services this policy does not apply, but it provides guidance which could be followed to encourage best practice.

4. Definitions

Term (abbreviation, if applicable): Definition

- Information Commissioner's Office (ICO): The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- Health and Social Care Information Centre (HSCIC): The national provider of information, data and IT systems for health and social care.
- Data Protection Act 1998 (DPA, 1998): Legislation enacted by UK Parliament as a response to EU Directive 95/46/EC to protect a living individual's information rights.
- Freedom of Information Act 2000 (FOIA): Legislation that gives you the right to access information from the federal government. It is often described as the law that keeps citizens in the know about their government.
- Suppliers: Within this policy refers to organisations / companies who are engaged or contracted with to provide services for the Trust.
- Contractor: Within this policy refers to individuals (either solely or as part of an organisation) that work on behalf of the Trust for a specified purpose.

5. Duties

Senior roles within the organisation supporting the Information Governance agenda are held by the Organisation's Senior Information Risk Owner (SIRO), the Caldicott Guardian and the Head of Information Governance; all are supported by the IG Team.

5.1 Chief Executive

The Trust's Accountable Officer is the Chief Executive, who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level.

5.2 Caldicott Guardian

It is the responsibility of the Caldicott Guardian to feed back any IG issues to the Senior Management Team.

5.3 Director of Strategy and Support Services (Senior Information Risk Owner)

The SIRO is the Director of Strategy and Support Services (Michael Smillie). The role:

- Is accountable;
- Fosters a culture for protecting and using data;
- Provides a focal point for managing information risk and incidents;
- Is concerned with the management of all information assets.

The SIRO is an executive Board member with allocated lead responsibility for the Trust's information risks and provides a focus for the management of information risk at Board level. The SIRO chairs the Information Governance Board.

5.4 Head of Information Governance

The Information Governance (IG) Lead is the Head of Information Governance. The Head of Information Governance is responsible for ensuring the organisation meets its statutory and corporate responsibilities and engenders trust from the public in the management of their personal information.

5.5 IG Team

The Information Governance Team, under the instruction of the IG Performance Manager, are responsible for advising the Trust on processes and ensuring checks are carried out; ultimately to comply with regulatory and statutory requirements.

5.6 ehealth Contracts

Under the remit of the Information Technology (IT) department, the department is responsible for assisting with contracts and purchasing of services / systems for the Trust's IM&T section. The team also log contract information and ensure invoices are paid to suppliers.

5.7 Contracts Team

The Contracts Team deal with tendering processes for CPFT; this team deal with outward facing contracts (i.e. CPFT tendering to provide a commissioned service). This is outside the scope of the regulatory requirements that need to be considered by this IG policy. The Contracts Team also provide a storage facility for contracts; they have a responsibility to maintain permissions for the document store and ensure appropriate individuals have access.

5.8 Business Managers

They have a responsibility to create, log and sign off on contracts the Care Group wants to engage in; all documents should be shared within the contracts site and appropriate checks carried out with IG when required.

5.9 All Staff Members

Have a responsibility to notify IG of any engagement with third party suppliers they are aware of.

6. Processes for contracting with third party suppliers

6.1 Trust Standards

The Trust has agreed a set of IG standards that should apply to third party suppliers; the most stringent of those standards need to be applied to those third party suppliers who have access to information systems, data or the Trust network. The Trust needs to be assured that the information is as secure as possible and access and/or processing is only available to third parties who meet the standard.

The following levels can be used as a guide to the required standards for suppliers before entering into contractual agreements:

LEVEL 1
Standard: ESSENTIAL
i. Data Controller registration with ICO (unless exemption identified)
ii. Level 2 Information Governance Toolkit Compliance via HSCIC
iii. Data processing clauses (where appropriate)
Guidance:
- Definite access to data and/or network
- Personal identifiable information and/or business critical information
- Pseudonymised information on a large scale
Level 1 indicates most to the organisation. Safeguards need to be applied stringently to maintain security and prevent data loss.

LEVEL 2
Standard: POTENTIAL
i. Data Controller registration with ICO (unless exemption identified)
ii. Level 2 Information Governance Toolkit Compliance via HSCIC
iii. Data processing clauses (where appropriate)
Guidance:
- Potential access to network and/or data. Levels of potential access need to be assessed and the scope of the contract may not be fully understood.
- Personal identifiable and/or business critical data
- Pseudonymised data depending on scope and quantity
The IG Team will be able to assist in understanding the standards that will be required; usually all requirements will be valid, as safeguarding the Trust's network and data is essential and the ability to access poses a risk that requires mitigation.

LEVEL 3
Standard: ONE REQUIRED
i. Non-disclosure clauses in contract or
ii. Confidentiality agreement
Guidance:
- Incidental access (e.g. window cleaning, MFDs maintenance)
- Access to pseudonymised / anonymised data
- On site presence / no direct access to data / network

LEVEL 4
Standard: NO COMPLIANCE STANDARDS REQUIREMENTS
Guidance: No access will occur, therefore compliance not required.

The above standards indicate what would be required for each level and an indication of the level of data access expected for each level.

Appendix A provides a matrix of contract categories, potential access and the required standard based on the criteria. This is provided as a method of developing understanding of how the above standards are applied.

If engaging with suppliers it is best practice to contact the IG Team, who will provide advice and guidance and assist with required assessments.

6.2 Compliance Explained

Data Controller Registration

The ICO hold a register of Data Controllers; the Data Protection Act, 1998 s1 details the following definitions:

"data controller" means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

"data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;

"data subject" means an individual who is the subject of personal data;

"personal data" means data which relate to a living individual who can be identified

The personal data could include staff and/or client information; an organisation should look at their operations as a business and their control over information to determine which category they fall into. If an organisation is a data controller for information but is not registered, this is illegal under the Act. Therefore, with a registration fee of £35, it is recommended that the Trust is always cautious in accepting exemptions; evidence must always be provided.

The ICO count the following as legitimate exemptions:

Most organisations that process personal data must notify the ICO of certain details about that processing. However, the Act provides exemptions from notification for:

- organisations that process personal data only for: staff administration (including payroll); advertising, marketing and public relations (in connection with their own business activity); and accounts and records;
- some not-for-profit organisations;
- organisations that process personal data only for maintaining a public register;
- organisations that do not process personal information on computer.

Please note the difference between a Data Controller and Data Processor needs to be carefully considered, and if there is any control over the processing purposes of the information the company must be registered.

Information Governance Toolkit ("IGT") Compliance

IGT compliance is becoming an important standard, especially for NHS organisations. It has been drafted into NHS Standards Terms and Conditions for Contracts that all organisations agree to be Level 2 compliant. This gives organisations an assured organisation status and gives a common level of compliance for Information Governance and Security practices.

The Trust ask that all suppliers are compliant with this standard or, on engaging with the Trust, will become compliant with this standard within 6 months. If suppliers do not meet this standard this will be escalated to the Senior Information Risk Owner, a risk assessment will be completed and actions will be taken to ensure the Trust is compliant with its legislative and statutory requirements.

Other Security Accreditations

Some suppliers claim they do not need to be compliant with the IGT as they have higher security accreditations in place. The Trust has set its minimum standard, and to work with NHS organisations compliance with the IGT is becoming commonplace.

Some suppliers, for example, cite ISO27001 as their recognised security standard; the scope of the accreditation needs to be checked, as an organisation can become accredited in a specific area; the risk is this will have no bearing on the contracted services. It is also recommended that checks with UKAS are completed to ensure the accreditation has been carried out with a recognised body. This gives the Trust additional assurance but should not replace the requirement for compliance with the IGT. Additional security accreditation is taken into account when risk assessments are carried out and is highlighted to the SIRO where appropriate.

6.3 Checking Compliance

On engagement with a third party supplier, notification should be sent to IG; as part of the IG Toolkit submissions via the HSCIC there is a requirement to provide evidence that relevant IG checks have been carried out on all suppliers.

6.3.1 Data Controller Registration with ICO

This is checked via the Data Controller Register, which can be accessed and checked on the ICO's public website:

Data Controller Register

This is then logged as per internal IG Procedures and the information utilised for reporting and escalation purposes.

IG Toolkit Compliance to Level 2

Submissions for the IGT are annual and the Trust expects suppliers to be compliant with the most recent version of the IGT.

IGT Report Checker

This is then logged as per internal IG Procedures and the information utilised for reporting and escalation purposes.

Companies House Checks

Checks are made for suppliers within the United Kingdom to ensure they are registered and to check their registered address. The contracting address should match their registered address to show the Trust is contracting with the legal entity.

6.4 Contract Controls

The following guidance has been taken from the IGT and provides a framework for consideration when drafting contracts / agreements.

1. All relevant information governance controls should be documented in the specific supplier contract. In particular, if the contract requires that the organisation's information is to be shared with or accessed by the third party, the contract must explicitly describe the information types concerned; and how that information will be shared or accessed.

2. Contracts should make specific reference to data protection and security issues, such as:
a. notification;
b. limitations on disclosure and use of data;
c. obligations to comply with limits set by the organisation;
d. the security and data protection standards that apply to both parties;
e. the restrictions placed upon the data processor to act only on instructions from the organisation (the data controller);
f. cyber security and business continuity planning.

3. Specific reference should also be made within contractual arrangements to freedom of information issues, such as:
a. duty to disclose;
b. exemption from disclosure provisions;
c. records management structure;
d. responsibility for freedom of information applications.

4. Additionally:
a. penalties for breach of the contract;
b. a provision to indemnify the organisation against breaches by the third party;
c. responsibilities for costs, e.g. for security audit, subject access, for handling information requests;
d. specific reference to other relevant legal obligations, e.g. common law duty of confidence, Computer Misuse Act 1990, intellectual property rights and copyright;
e. duty to provide reports to the organisation on the effectiveness of information governance controls that the third party has implemented;
f. measures that will be taken if the third party is no longer able to perform their role under the contract.

For specific guidance on IT access for Suppliers please refer to the Access Control Policy for Contractors.

IG Contract Clause Guidance

The following has been provided as examples of considerations that need to be made and clauses that could be used:

Data Processing Clauses

There is a requirement under Principle 7, DPA 1998 that information must be afforded appropriate security controls. This encompasses all aspects of the processes, and the Trust must ensure that when the supplier is processing data on its behalf appropriate clauses have been included within the contract to dictate the terms of that processing. If this has not been done via the initial contract, this can be resolved by getting the supplier to sign a Data Processing Agreement; please contact the Information Governance Team.

Example:

1.1. The Contractor shall keep the Personal Data secure and shall:

- implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data; and
- notify the Trust immediately if at any time the Contractor suspects or has reason to believe that Personal Data have or may become corrupted, lost or sufficiently degraded in any way for any reason and inform the Trust of the remedial action the Contractor proposes to take. The Contractor will restore those Personal Data at its own expense and will provide the Trust with as much information as it reasonably requires in relation to the incident, the cause and its resolution.

Confidentiality / Non-Disclosure Clauses

Confidentiality clauses, also known as non-disclosure clauses, ensure the supplier cannot discuss, pass on or use the information they may have come into contact with during the contract performance. This is relevant for those identified as a Level 3 organisation or above.

Example:

1. Non-Disclosure

1.1 Confidentiality. Each party agrees to hold the disclosing party's Confidential Information [confidential] [in strict confidence] [in accordance with this Agreement];

1.2 Non-Disclosure. Each party agrees not to disclose any Confidential Information to third parties without the prior, written consent of the disclosing party except as expressly permitted in this Agreement;

1.3 Non-Use. Each party agrees not to use any Confidential Information for any purpose except for the Disclosing Purpose without the prior written consent of the disclosing party;

1.4 Protection. Each party agrees to exercise at least the same care in protecting the disclosing party's Confidential Information from disclosure as the receiving party uses with regard to its own Confidential Information (but in no event less than reasonable care).

Incident Reporting Mechanisms

The contract must include clauses which identify how information incidents will be reported and managed. Under current legislation the data controller remains responsible for data breaches and must be able to notify the ICO if relevant. It is recommended that Information Governance contact details are included in this section so all information incidents can be dealt with and reported, if required, within the 48 hour standard set by the Health and Social Care Information Centre.

Details of information incidents committed by suppliers can be forwarded to:

NB: Any incidents which occur internally are outside the scope of this paragraph and should be reported via the Trust's incident management system as per policy.

FOI responsibilities

Marking a document as confidential does not provide an exemption under the Freedom of Information Act. The following is an example of what should be included to ensure the supplier understands its responsibilities.

Example:

2. Freedom of Information

2.1. The Contractor acknowledges that the Trust is subject to the requirements of the FOIA and the EIR and shall assist and cooperate with the Trust (at the Contractor's expense) to enable the Trust to comply with these Information disclosure requirements.

The Contractor shall and shall procure that its sub-contractors (if any) shall:

- transfer to the Trust all Requests for Information that it receives as soon as practicable and in any event within 3 (three) working days of receiving a Request for Information;
- provide the Trust with a copy of all Information in its possession or power in the form that the Trust requires within 5 (five) working days (or such other period as the Trust may specify) of the Trust's request; and
- provide all necessary assistance as reasonably requested by the Trust to enable the Trust to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the EIR.

The Trust shall be responsible for determining in its absolute discretion whether the Commercially Sensitive Information and/or any other Information:

- is exempt from disclosure in accordance with the provisions of the FOIA or the EIR; or
- is to be disclosed in response to a Request for Information,

and in no event shall the Contractor respond directly to a Request for Information unless expressly authorised to do so by the Trust.

The Contractor acknowledges that the Trust may, acting in accordance with the Secretary of State's Code of Practice on the Discharge of the Functions of Public Authorities under Part I of the Freedom of Information Act 2000, be obliged under the FOIA or the EIR to disclose Information:

- without consulting with the Contractor; or
- following consultation with the Contractor and having taken its views into account.

The Contractor shall ensure that all information produced in the course of the Contract or relating to the Contract is retained for disclosure in accordance with the Department of Health Records Management NHS Code of Practice 2006 currently at Guidance/DH_ and shall permit the Trust to inspect such records as requested from time to time.

The Contractor acknowledges that any list it produces of its own confidential or commercially sensitive information is of indicative value only and that the Trust may be obliged to disclose it in accordance with clause 2.4 or clause Error! Reference source not found

Business Continuity Measures

The Trust needs to ensure that on contracting with a Supplier performance of the contract is measured and business continuity measures are implemented which provide assurance that contingencies are in place to assist with the performance of the contract. Checking Suppliers' business continuity plans can be a way of giving assurance that measures are in place which protect service provision.

6.5 Contractors

If an individual or group external to the Trust is involved with any business process and has access to personal identifiable information and / or business critical information, we need to ensure that an appropriate agreement is in place to give assurance that safeguards are in place to protect the Trust's information.

Contractors that are engaged and delivering services as an employee of the Trust have appropriate clauses included in their contracts by the Trust's Human Resource department.
For more information on the Trust's requirements for contractors and agency staff please read the following policies:

- POL/004/003/001 Recruitment and Selection
- POL/004/033 Recruitment of Agency Staff

If an individual or organisation is granted access to Trust information and or systems but is not a direct employee, processes and safeguards need to be in place to ensure that the Trust's security is maintained. In these circumstances an honorary contract would be issued to the individual detailing the level of involvement in Trust business; this also ensures confidentiality clauses are in place and bind the individual and organisation.

This requirement is in line with the Data Protection Act and the necessity to ensure that as a data controller there are stringent and controlled security mechanisms in place for ensuring you know what the Trust's data is being used for and can give assurance that appropriate safeguards are in place to protect that data from unlawful processing and/or access.

The aim of the organisation is to ensure that the processes are flexible enough to allow information to be used and appropriately accessed but with security mechanisms in place to show reasonable steps have been taken to put safeguards in place.

7. Training

There is no mandatory training available in this specific area; training has been provided on an ad hoc basis and is based on staffing need. IG mandatory training must be completed annually and provides the basis for IG knowledge which would assist in this area.

Information Governance will provide advice and guidance as required to staff members.

8. Monitoring compliance with this policy

The table below outlines the Trust's monitoring arrangements for this policy/document. The Trust reserves the right to commission additional work or change the monitoring arrangements to meet organisational needs.

Aspect of compliance or effectiveness being monitored: Compliance Checks
Monitoring method: Public Website Checks on IGT and ICO websites
Individual responsible for the monitoring: IG Data Officer
Frequency of the monitoring activity: As suppliers are identified
Group / committee which will receive the findings / monitoring report: IG Board / SIRO
Group / committee / individual responsible for ensuring that the actions are completed: IG Board

Aspect of compliance or effectiveness being monitored: Spot Check Compliance with Suppliers / Contractors
Monitoring method: Evidence requests to prove IG provisions are being complied with (e.g. IG training / DBS checks) as per IG audit methodology
Individual responsible for the monitoring: IG Data Officer / IG Performance Manager
Frequency of the monitoring activity: Monthly (1 x CPFT 1 x CCG)
Group / committee which will receive the findings / monitoring report: IG Board / SIRO
Group / committee / individual responsible for ensuring that the actions are completed: IG Board

Aspect of compliance or effectiveness being monitored: IG Training
Monitoring method: Training will be monitored in line with the Learning and Development Policy.

9. References/ Bibliography

Include reference to all procedural documents that cross refer to this document and those which the author has used as a source of information, evidence or inspiration. Items in the bibliography are not referred to directly in the text.

Information Commissioner's Office. Data controllers and data processors: what the difference is and what the governance implications are. [ONLINE] Available at: https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-dataprocessors-dp-guidance.pdf. [Accessed 21 January 16].

NHS England. /16 NHS standard contract. [ONLINE] Available at: https://www.england.nhs.uk/nhs-standard-contract/15-16/. [Accessed 21 January 16].

National Archives. Data Protection Act. [ONLINE] Available at: [Accessed 21 January 16].

National Archives. Freedom of Information Act. [ONLINE] Available at: [Accessed 21 January 16].

Health and Social Care Information Centre. Information Governance Toolkit. [ONLINE] Available at: https://nww.igt.hscic.gov.uk/. [Accessed 21 January 16].

Health and Social Care Information Centre. NHS Codes of Practice and legal obligations. [ONLINE] Available at: [Accessed 21 January 16].

10. Related Trust Policy/Procedures

- Third Party Suppliers and Contractors IG Policy
- Access Control for Third Parties Policy
- Freedom of Information Act Policy
- Information Security Policy


11. Appendix A: IG Contract Standards Matrix

IG CONTRACT STANDARD MATRIX - RECOMMENDATIONS

Potential access levels (matrix columns):
- NO access
- INCIDENTAL access
- POTENTIAL Network Access
- POTENTIAL Access to Data: Personal; Personal Sensitive; Business Sensitive
- DEFINITE Network Access
- DEFINITE Access to Data: Personal; Personal Sensitive; Business Sensitive

Contract categories and required standard (outcome):
- SYSTEM / APPLICATION, e.g. installation and set up: Level 1
- SYSTEM & SUPPORT, e.g. supplier installs product and provide helpdesk: Level 1
- SUPPORT ONLY, e.g. supplier helpdesk and problem shooting: Level 1
- INFRASTRUCTURE, e.g. provision of data centre support: Level 1
- CONFIDENTIAL WASTE DISPOSAL, e.g. provision of disposal services: Level 1
- EQUIPMENT, e.g. Delivery and Install of equipment: Level 2
- SYSTEM / APPLICATION, e.g. provision of installation processes and support: Level 2
- CLINICAL WASTE DISPOSAL: Level 2
- HARDWARE SUPPORT, e.g. Printer engineer: Level 3
- SYSTEM / APPLICATION, e.g. provision of off shelf product (MS Office): Level 4
- EQUIPMENT, e.g. Delivery equipment (medical or corporate): Level 4

NB: This is not an exhaustive list but designed to give examples of application.

KEY:
- Level 1: ICO REG, IGT Compliance, data processing clauses (where appropriate) ESSENTIAL
- Level 2: ICO REG, IGT Compliance, data processing clauses (where appropriate) may be required - risk assessment of scope and activities required (contact IG)
- Level 3: Non-disclosure clauses or confidentiality agreement required
- Level 4: No compliance required


More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

INFORMATION GOVERNANCE STRATEGY NO.CG02

INFORMATION GOVERNANCE STRATEGY NO.CG02 INFORMATION GOVERNANCE STRATEGY NO.CG02 Applies to: All NHS LA employees, Non-Executive Directors, secondees and consultants, and/or any other parties who will carry out duties on behalf of the NHS LA.

More information

CONTRACTS REVIEW FOR INFORMATION GOVERNANCE COMPLIANCE PROCEDURE

CONTRACTS REVIEW FOR INFORMATION GOVERNANCE COMPLIANCE PROCEDURE This document is uncontrolled once printed. Please check on the CCG s Intranet site for the most up to date version CONTRACTS REVIEW FOR INFORMATION GOVERNANCE COMPLIANCE PROCEDURE Document Title: Contracts

More information

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY ENFIELD CLINICAL COMMISSIONING GROUP INFORMATION GOVERNANCE POLICY PLEASE DESTROY ALL PREVIOUS VERSIONS OF THIS DOCUMENT Enfield CCG Information Governance Policy Information Governance Policy (Policy

More information

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework Putting Barnsley People First Barnsley Clinical Commissioning Group Information Governance Policy and Management Framework Version: 1.1 Approved By: Governing Body Date Approved: 16 January 2014 Name of

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT 9.7 Date of the meeting 15/07/2015 Author Sponsoring Clinician Purpose of Report Recommendation J Green - Head

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

INFORMATION GOVERNANCE HANDBOOK

INFORMATION GOVERNANCE HANDBOOK INFORMATION GOVERNANCE HANDBOOK SECTION ONE Author Tracey Burrows Role Information Governance Manager (CSCSU) Date / Version February 2015 Version FINAL V1.0 Approved by IM&T Board Date 27 February 2015

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

Information Governance Framework

Information Governance Framework Information Governance Framework Authorship: Chris Wallace, Information Governance Manager Committee Approved: Integrated Audit and Governance Committee Approved date: 11th March 2014 Review Date: March

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: Revised: Consultation: Ratified by: 1.0 Information Governance Committee Governance Committee Date ratified: 19 March 2008 Name of originator/author: David McGrath

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

Corporate Policy and Strategy Committee

Corporate Policy and Strategy Committee Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

Trust Informatics Policy. Information Governance. Information Governance Policy

Trust Informatics Policy. Information Governance. Information Governance Policy Trust Informatics Policy Information Governance Policy Reference: TIP/IG/IGP I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 1 Document Control Policy Title Author/Contact Document Reference

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Information Governance Policy_v2.0_060913_LP Page 1 of 14 Information Reader Box Directorate Purpose Document Purpose Document Name Author Corporate Governance Guidance Policy

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY Directorate of Performance Assurance INFORMATION GOVERNANCE POLICY Reference: DCP074 Version: 2.5 This version issued: 27/03/15 Result of last review: Minor changes Date approved by owner (if applicable):

More information

Information Governance and Data Protection Policy

Information Governance and Data Protection Policy Information Governance and Data Protection Policy Page 1 of 21 Document Control Sheet Name of document: Version: Owner: File location / Filename: Information Governance and Data Protection Policy Final

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

Information Governance Strategic Management Framework 2015-2017

Information Governance Strategic Management Framework 2015-2017 Document Summary Information Governance Strategic Management Framework 2015-2017 This framework sets out the Cumbria Partnership NHS Foundation Trust (the organisation) Strategic Management Framework and

More information

Information Governance Policy

Information Governance Policy Information Governance Policy REFERENCE NUMBER IG 101 / 0v3 May 2012 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive 4.9.12 REVIEW DUE DATE May 2015 West Lancashire CCG is committed to ensuring

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying

More information

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013 Information Governance Policy Version 1.0 June 2013 Copyright Notification Copyright London Borough of Islington 2012 This document is distributed under the Creative Commons Attribution 2.5 license. This

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY Version 3.0 DATA PROTECTION ACT 1998 POLICY CONTENTS 1. INTRODUCTION... 3 2. PROVISIONS OF THE ACT... 4 3. SCOPE... 4 4. GENERAL POLICY STATEMENT...

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

More information

Information Governance Strategy 2015/16

Information Governance Strategy 2015/16 Information Governance Strategy 2015/16 Ratified Governing Body (November 2015) Status Final Issued November 2015 Approved By Executive Committee (August 2015) Consultation Equality Impact Assessment Internal

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Information Governance Framework and Strategy. November 2014

Information Governance Framework and Strategy. November 2014 November 2014 Authorship : Committee Approved : Chris Wallace Information Governance Manager CCG Senior Management Team and Joint Trade Union Partnership Forum Approved Date : November 2014 Review Date

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

More information

Information Governance Policy

Information Governance Policy Information Governance Policy UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT HISTORY

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

Data Protection Breach Reporting Procedure

Data Protection Breach Reporting Procedure Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Information Sharing Protocol

Information Sharing Protocol Information Sharing Protocol South Central PCTs, General Practices and Tribal Consulting Limited Commissioning Enablement Service (Analytics) Document Control Date Version Author Comment 08/02/10 0.1 A.

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

More information

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation Northumberland, Newcastle North and East, Newcastle West, Gateshead, South Tyneside, Sunderland, North Durham, Durham Dales, Easington and Sedgefield, Darlington, Hartlepool and Stockton on Tees and South

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Quick Guide To Information Governance Policies

Quick Guide To Information Governance Policies Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations.

More information

Data protection issues on an EU outsourcing

Data protection issues on an EU outsourcing Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

More information

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs NOTE: This is a CONTROLLED Document. Any documents appearing in paper

More information

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote

More information

Subject Access Request (SAR) Procedure

Subject Access Request (SAR) Procedure Subject Access Request (SAR) Procedure East and North Hertfordshire Clinical Commissioning Group Page 1 of 16 DOCUMENT CONTROL SHEET Document Owner: Chief Finance Officer Document Author(s): Anne Ephgrave

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:

More information

NON-DISCLOSURE AGREEMENT BETWEEN. HM Treasury AND. (To be completed at Contract Award Stage)

NON-DISCLOSURE AGREEMENT BETWEEN. HM Treasury AND. (To be completed at Contract Award Stage) DATE NON-DISCLOSURE AGREEMENT BETWEEN HM Treasury AND (To be completed at Contract Award Stage) THIS AGREEMENT is made on (Date to be updated at Contract Award stage) BETWEEN: (1) HM Treasury of 1 Horse

More information

Information Governance Policy

Information Governance Policy Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:

More information

Information Governance Policy

Information Governance Policy Author: Susan Hall, Information Governance Manager Owner: Fiona Jamieson, Assistant Director of Healthcare Governance Publisher: Compliance Unit Date of first issue: February 2005 Version: 5 Date of version

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy NHS Waltham Forest Clinical Commissioning Group Governance Strategy Author: Zeb Alam, CCG IG Lead, (NELCSU) David Pearce, Head of Governance, WFCCG Version 3.0 Amendments to Version 2.1 Annual Review Reference

More information

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Approved No impact NHS Quality, Safety

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Appendix 1 INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Author Information Governance Review Group Information Governance Committee Review Date May 2014 Last Update February 2013 Document No. GV

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY Version 8.0 Purpose: For use by: This document is compliant with /supports compliance with: To outline the lifecycle of a record and to provide guidance on retention and disposal

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

Information security incident reporting procedure

Information security incident reporting procedure Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Somerset County Council - Data Protection Policy - Final

Somerset County Council - Data Protection Policy - Final Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council

More information

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy. Title: Reference No: NHSNYYIG - 007 Owner: Author: INFORMATION GOVERNANCE POLICY Director of Standards First Issued On: September 2010 Latest Issue Date: February 2012 Operational Date: February 2012 Review

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE. Title: Information Governance Policy Date Approved: Approved by: Date of review: Policy Ref: Issue: January 2015 Information Governance Group Division/Department: January 2016 Policy Category: ISP-04 5

More information

Information Governance White Paper EDGE Programme

Information Governance White Paper EDGE Programme Information Governance White Paper EDGE Programme Forward Dear Subscriber The research landscape within the UK continues to evolve; from April 2014 we will see the formation of 15 Local Clinical Research

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information