Information Governance Strategy

Transcription

1 Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version Date Comments (i.e. viewed, or reviewed, amended approved by person or committee) Draft V0.1 September 2007 Approved - IGC Draft V1.1 March 2010 Reviewed by Clinical Quality Manager submitted to IGG for comment 2.0 April 2010 Approved by Integrated Governance Committee Draft 2.1 June 2012 Reviewed by IG Manager V rd February 2015 Review date extension agreed by IGG following approval by EMB Page 1 of 16

2 Document Reference IG Toolkit Information Governance Framework Requirement Directorate: Strategy and Plans Recommended at Date Information Governance Group 23 rd July 2012 Approved at Executive Management Team (pending) Date Review date of approved document Equality Impact Assessment Linked procedural documents Dissemination requirements Checklist completed? Part of Trust s publication scheme 31 st March th July 2012 Information Governance Policy Records Management Policy Information Security Policy Release of Information Policy Internet Use Policy Use Policy Freedom of Information Policy All Trust staff No No The East of England Ambulance Service NHS Trust has made every effort to ensure this policy does not have the effect of discriminating, directly or indirectly, against employees, patients, contractors or visitors on the grounds of age, ethnic origin, gender, transgender, sexual orientation, marital status (including civil partnerships), religion & belief, maternity and pregnancy or disability. This policy will apply to all staff regardless of position or status includes volunteers. All East of England Ambulance Service NHS Trust policies can be provided in alternative formats. Page 2 of 16

3 Contents Paragraph Page 1. Introduction 5 2. Purpose 6 3. Duties Trust Board Chief Executive Senior Information Risk Owner Caldicott Guardian Head of Information Governance Information Governance Manager Other Staff Consultation and Communication with Stakeholders 7 4. Definitions 7 5. Development Prioritisation of Work Identification of Stakeholders Responsibility for Document s Development 8 6. Link to EEAST Information Strategy 8 7. The Importance of Information Governance 8 8. Key Principles of Information Governance Improved Patient Care and Service Delivery Greater Confidence in the Organisation Improved Access and Control of Records Reduction in Adverse Incidents Improved Assurance of Business Continuity Greater Awareness of Public Need Adherence with Government Legislation Improved Quality of Information Better Management of Risk Greater Staff Awareness of Information Governance Greater Awareness of the Security of Information Staff Assigned to Key Roles Taking the Strategy Forward Data Audit and Validation Public Confidence in the Management of Information Records Management 10 Page 3 of 16

4 9.4 Incident Reporting Business Continuity Public Need and Involvement Government Legislation Quality Assurance Information Governance Toolkit Training Registration Authority Staff Responsibility for Information Governance Equality Impact Assessment Dissemination and Implementation Process for Monitoring Compliance and Effectiveness Standards/Key Performance Indicators References Associated Documents 13 Appendices Appendix A Monitoring Table 14 Appendix B Equality Impact Assessment: Executive Summary 16 Page 4 of 16

5 1. Introduction 1.1 What is Information Governance? Information Governance (IG) allows organisations and individuals to ensure that information is handled legally, securely, efficiently and effectively, in order to deliver the best possible care and service. IG provides the framework which enables NHS organisations to comply with legal and statutory requirements, and best practice guidance when dealing with personal and nonpersonal information. This strategy sets out the approach to be taken, within the East of England Ambulance Service NHS Trust (EEAST), to provide the robust IG framework for the future management of information. 1.2 Information Governance Toolkit The Department of Health (DH) and NHS Information Authority set clear standards and national guidance for the handling of information which were representative of DH policy as of June The IG Toolkit is now under the auspices of Connecting for Health and has been developed to enable NHS Organisations to assess themselves with regard to their level of compliance with these national standards. Year on year improvement plans can be developed using this toolkit in order to assist the organisation to ensure compliance is maintained. IG has four fundamental aims and the toolkit has been developed with these in mind: To support the provision of high quality care by promoting the effective and appropriate use of information. To encourage responsible staff to work closely together, preventing duplication of effort and enabling more efficient use of resources. To develop support arrangements and provide staff with appropriate tools and support to enable them to discharge their responsibilities to consistently high standards. To enable organisations to understand their own performance and manage improvement in a systematic and effective way. The IG toolkit focuses on 5 initiatives: Information Governance Management Confidentiality and Data Protection Assurance Information Security Assurance Clinical Information Assurance Corporate Information Assurance 1.3 What does Information Governance encompass? IG provides a consistent way for employees to handle information, and encompasses the following: Data quality assurance Page 5 of 16

6 Caldicott sharing of patient identifiable information Consent to sharing of personal information Information security management Common law duty of confidentiality The Data Protection Act 1998 Records management The Freedom of Information Act 2000 Registration Authority 2. Purpose The Information Governance Strategy is underpinned by two key documents: The Information Governance Policy The action plan derived from the results of the IG toolkit This strategy should be read in conjunction with these two documents. Responsibility for the monitoring of IG is contained within the remit of the Director for Strategy and Business Development, however complying with the requirements of IG is an organisation-wide responsibility. 3. Duties 3.1 Trust Board Ultimate responsibility for information governance in the NHS rests with the Trust Board of each organisation. 3.2 Chief Executive As the accountable officer for the Trust, the Chief Executive is required to provide assurance that all risks to the Trust (including information risks) are effectively identified, managed and mitigated. Details of Serious Untoward Incidents involving data loss or confidentiality breaches must also be detailed in the annual report. 3.3 Senior Information Risk Owner A Board-level Senior Information Risk Owner (SIRO) will be responsible for the Trust s information risk and act as advocate for information risk on the Trust Board. In the Trust the SIRO is the Director of Strategy and Business Development. 3.4 Caldicott Guardian The Caldicott Guardian is responsible for protecting the confidentiality of patient and serviceuser information and enabling appropriate information-sharing. The Caldicott Guardian is responsible for providing advice within the Trust on the lawful and ethical processing of patient information. 3.5 Head of Information Governance Page 6 of 16

7 The Head of Information Governance is responsible for overseeing the information governance systems and processes within the Trust, raising awareness of information governance issues, and ensuring that good information governance practices are adopted. 3.6 Information Governance Manager The Information Governance Manager provides day-to-day operational support to the Head of Information Governance. 3.7 Other Staff Staff with areas of responsibility related to information governance are expected to have input to the Trust s information governance agenda, either by membership of the Information Governance Group, as responsible officers for IG Toolkit requirements, or by ad-hoc input, as required. 3.8 Consultation and Communication with Stakeholders This strategy is reviewed and approved by the Information Governance Group, which includes key information governance stakeholders from corporate and operational areas in the Trust. 4. Definitions 4.1 Information Governance (IG) Information Governance is an umbrella term which encompasses all the ways that the Trust acts to ensure that information remains secure, particularly person-identifiable and sensitive information, such as that relating to patients personal details, medical records, staff records, and Trust business. IG also covers the systems and procedures which allow NHS organisations and individuals to ensure that information is processed legally, securely, efficiently and effectively. Knowledge of information governance is important for any member of staff who is required to handle information as part of their job. 4.2 Information Governance Toolkit (IGT) The Information Governance Toolkit is an online assessment tool which is managed by NHS Connecting for Health. The Toolkit requires NHS organisations to self-assess annually against specific criteria relating to legislative compliance, government and NHS directives, best practice guidelines, and other information handling standards. Connecting for Health review the Toolkit annually, following the final submission of organisations scores at the end of March. 5. Development 5.1 Prioritisation of Work This strategy is required for staff information and reference and to support the Trust s wider Information Governance Framework. Page 7 of 16

8 5.2 Identification of Stakeholders Primary stakeholders are the Director of Strategy and Business Development (as the Trust SIRO), the Head of Information Governance, and members of the Information Governance Group. 5.3 Responsibility for Development of the Document The strategy has been developed by the Information Governance Manager, with review and approval by the Information Governance Group. 6. Link to EEAST Information Strategy The EEAST Information Governance Strategy has been developed to clearly define the way in which information should be dealt with in terms of processing, retention and disclosure. It clearly sets out the actions needed to make the best use of information and to raise the profile of the important role information has to play within the Trust. The Information Governance Strategy and Information Governance Policy are closely linked and should be cross-referenced as the increased use of information must be subject to governance in order to protect the Trust and the communities served. 7. The Importance of Information Governance Information is a valuable asset and should therefore be managed and protected appropriately. The Trust and all its employees, whether they are on permanent, fixed term or temporary contracts, have a legal obligation and a duty of confidence to ensure that any information processed is done so in line with legal requirements and best practice. IG provides the framework to ensure the Trust is managing information in line with these legal obligations and best practice guidance. In turn this will protect all users of its services, its staff and other stakeholders. 8. Key Principles of Information Governance 8.1 Improved Patient Care and Service Delivery EEAST collects an abundance of information from various sources, including emergency calls and non-emergency transport bookings. All of this information, in some way, will affect the care given to the patient. For example, an inaccurate location may result in a delay in response time or arriving late for an outpatient appointment. Poor quality information is not conducive to providing a high level of patient care or high quality service. 8.2 Greater Confidence in the Organisation All information processed by the Trust, both personal and non-personal, should be governed by policy. Guidelines on how this information should be handled, kept secure and maintained Page 8 of 16

9 should be readily available to all staff. Having reliable procedures in place to handle information will instil greater confidence in the users of and the stakeholders in EEAST. 8.3 Improved Access and Control of Records The effective management of records, both electronic and manual, is fundamental in allowing the Trust to meet its obligations under the Freedom of Information Act A Records Management Policy which includes the NHS Retention Schedule has been developed and is available for staff reference. 8.4 Reduction in Adverse Incidents The Management of Incidents Policy is accessible to all staff via the intranet. By highlighting the importance of adhering to this policy and drawing attention to any recurrent issues, the likelihood of similar incidents happening again should reduce as a consequence. 8.5 Improved Assurance of Business Continuity Due to the very nature of the Trust s business, EEAST operates several vital computerised information systems. It is essential that these are maintained at all times in order to continue to provide the service expected by stakeholders and the public. It is therefore crucial that, in the unfortunate event of the Trust business being compromised, assurances are in place that will ensure vital functions can be reinstated and continue with minimal disruption. 8.6 Greater Awareness of Public Need Being a public service, EEAST needs to be aware of the public s perception and views on the Trust. Involvement in discussions and surveys by the public is an integral part of maintaining a service tailored to the users needs. Information also needs to be fed back to the public on the results of measures taken along with other information that may be useful to them. 8.7 Adherence with Government Legislation Compliance with government legislation and national guidance will reduce the risks of complaints and litigation against the Trust. Trust contracts will reflect the need to comply with confidentiality legislation, e.g.: Data Protection Act 1998 Freedom of Information Act 2000 Caldicott Principles Confidentiality: NHS Code of Practice 2003 Records Management NHS Code of Practice (2009) Information Quality Assurance (Data Accreditation) Computer Misuse Act 1990 Human Rights Act 1998 Access to Health Records Act 1990 Electronic Communications Act Improved Quality of Information Information is a crucial element in decision-making. Without it judgements would be made on assumptions and guess-work. It is, therefore, essential that decisions made, and subsequent Page 9 of 16

10 reports, are based on the highest quality information. This will reduce the risk of wasted effort and resources in correcting errors. 8.9 Better Management of Risk Assessing compliance to standards enables the Trust to proactively identify and assess risks associated with not adopting the IG model. Preventative or corrective measures can then be taken to minimise the risk Greater Staff Awareness of Information Governance The training and development of staff, in IG requirements, will ensure they act accordingly. This will not only protect EEAST, but also the individual. This training should be embraced by the whole Trust and staff should be encouraged to participate Greater Awareness of the Security of Information Procedures will be in place to ensure that access is granted to information systems on a need to know basis. Security measures will also be present to prevent unauthorised access to systems from both internal and external routes e.g. malicious software. These will be backed up by policy and supported by Senior Management. Systems will be auditable and access to them logged Staff Assigned to Key Roles Staff, with appropriate levels of seniority, responsibility and expertise will be assigned to the key roles within IG. These individuals will have support from the Trust Board and will remain abreast of any relevant changes in policy, procedure etc. 9. Taking the Strategy Forward In order to take the Information Governance Strategy forward, the following action points need to be addressed: 9.1 Data audit and validation EEAST processes a vast amount of information that can directly affect patient care. It is essential that the accuracy of this information is checked on a regular basis to identify areas for improvement quickly. Regular audits of all the patient information systems in use within EEAST should be undertaken to identify any training needs. The Information Asset Owner for each system will be responsible for the validation process Staff information should also be maintained at the highest level of accuracy in order to comply with the Data Protection Act Staff information should be validated annually to ensure accuracy is maintained. 9.2 Public Confidence in the Management of Information All information processed within EEAST should be governed by policy. An Employees Code of Conduct for Confidentiality has been produced which details how information will be handled within the Trust. This has been made available via the Intranet and is also available to the public via the Freedom of Information Publication Scheme. Additional guidance for the public is also available on the Trust website. 9.3 Records Management Page 10 of 16

11 A Records Management Policy has been developed in order to allow the Trust to meet its obligations under the Freedom of Information Act This will also provide a greater focus on the need to maintain an effective means of accessing and controlling records. An appropriately trained records manager will oversee the adherence with this function. 9.4 Incident Reporting Staff should be encouraged to report incidents, no matter how minor they may appear. This would not only apply to clinical incidents, but also to information security breaches. These security incidents will be discussed at the Information Governance Group. Areas of weakness can be identified thereby preventing similar incidents occurring in the future. Serious Untoward Incidents relating to information security breaches will be reported to the Strategic Health Authority. 9.5 Business Continuity It is essential that the Trust has an up to date and tested business continuity plan in place. Failure to react effectively to a loss of services could have a detrimental effect on the care of patients. 9.6 Public Need and Involvement The views of the public should be included in service development. Results of patient surveys undertaken should be fed back to patient forums with details of any actions being taken as a consequence of these. 9.7 Government Legislation It is essential that all staff within EEAST comply with government legislation governing the use of information. Trust contracts will make specific mention of the requirement for confidentiality. 9.8 Quality Assurance The Trust will be committed to quality assurance in order to ensure that information processed is of the highest quality. 9.9 Information Governance Toolkit The Trust is committed to meeting the requirements of the IG Toolkit. By adhering to this initiative, the Trust will reduce the risks associated with poor information management. All relevant departments will be informed of their responsibilities via an agreed action plan Training The Learning and Development Unit of the Trust, in conjunction with the Information Governance Lead, is responsible for designing an Information Governance training package. This training is included within the mandatory training programme and uptake is monitored through the Learning and Development Unit. Information Governance is also included in the corporate induction programme and additional awareness raising exercises will be conducted on a regular basis via internal publications and workshops Registration Authority Page 11 of 16

12 Access to information will be on a strict need to know basis with all systems being audited on a regular basis. As part of the Connecting for Health programme, the Registration Authority (RA) will be responsible for authorising access to national information systems by means of a smart card. The RA function will be incorporated within the Information Governance Team Staff Responsibility for Information Governance Key staff throughout the Trust will be identified to have responsibility for Information Governance issues. These will work closely with the IG and Data Protection leads to ensure information is processed appropriately and securely. 10. Equality Impact Assessment An Equality impact Assessment has been undertaken. See Appendix B. 11. Dissemination and Implementation 11.1 Dissemination This Strategy will be disseminated to staff via the Trust intranet. Significant revisions and updates to the Policy will also be promoted in the staff bulletin Implementation Awareness of the Strategy and compliance with its requirements will be promoted via information governance training sessions, such as the induction programme for new Trust staff and annual refresher training for existing staff. The IG Team will monitor staff compliance with the requirements of the Strategy as part of their on-going work, and take action to rectify any perceived weaknesses in compliance as necessary. 12. Process for Monitoring Compliance and Effectiveness See Appendix A Monitoring Table. The security and integrity of the information processes within EEAST will be monitored for compliance by the Information Governance Group who will escalate any areas of concern to the Performance and Finance Committee. 13. Standards/Key Performance Indicators The Key Performance Indicator for this Strategy is satisfactory compliance with the requirements of the annual Information Governance Toolkit return. 14. References Page 12 of 16

13 Data Protection Act 1998 Freedom of Information Act 2000 Human Rights Act 1998 Access to Health Records Act 1990 Computer Misuse Act 1990 Crime and Disorder Act 1998 Electronic Communications Act Associated Documents Information Governance Policy Records Management Policy Information Security Policy Release of Information Policy Internet Use Policy Use Policy Freedom of Information Policy Page 13 of 16

14 Appendix A Monitoring Table What Who How Frequency Evidence Reporting arrangements Acting on recommendations Change in practice and lessons to be shared Information Governance Toolkit Information Governance Team. Progress reports from IG Team. Review of interim Toolkit scores. Review of independent internal audit reports. Bi-monthly updates at IGG. Annual report to Board. Formal written reports. Review by Information Governance Group. Formal progress reports will be discussed and required actions and timescales agreed. Decisions of the Group will be formally recorded in minutes. Head of Information Governance with support from the IG Team and designated IGG members. Review of processes underpinning the IG Toolkit scores, to improve the Trust s overall IG framework and hence compliance with the requirements of the Toolkit. Information Governance Risk Register Information Governance Team. SIRO. Progress reports from IG Team. Monitoring of the Trust Risk Register (4Risk). Bi-monthly updates at IGG. Annual report to Board. Summary reports from the 4Risk system. Review by Information Governance Group. Ongoing monitoring by the Risk Manager. Formal progress reports will be discussed at IGG and required actions and timescales agreed. Head of Information Governance. Other risk leads deemed responsible for the area where the IG risk occurs. Action taken to improve controls and mitigate any IG-related risks, reducing risk score. Decisions of the Group will be formally recorded in minutes. Information Governance Awareness Training Information Governance Team. Learning and Development. Training completion reports. Monthly reports from LDU. Bi-monthly updates at IGG. Formal written reports. Review by Information Governance Group. Ongoing monitoring by the Learning and Development Manager. Head of Information Governance. Learning and Development Manager. Action taken to ensure that all staff have completed either information governance induction training or annual refresher training. Page 14 of 16

15 Unit Formal progress reports will be discussed at IGG and required actions and timescales agreed. Decisions of the Group will be formally recorded in minutes. Page 15 of 16

16 Appendix B Equality Impact Assessment: Executive Summary Executive Summary Page for Equality Impact Assessment: Document Reference: Version 2.1 Document Title: IG Strategy Assessment Date: 23 rd July 2012 Responsible Director: Strategy and Bus. Dev. Document Type: Strategy Lead Manager: Head of IG Conclusion of Equality Impact Assessment: The Strategy is E&D neutral and has no impact, positive or negative. Recommendations for Action Plan: None. Risks Identified: None. Approved by a member of the executive team: YES Name: Adrian Matthews Signature: - by - Date: 25 th July 2012 NO Position: Director of Strategy & Business Development This whole document should be stored with the master document and a final approved electronic copy must be sent to the Equality & Diversity Lead at Bedford Office Page 16 of 16