Information Governance Framework: Policies


Information Governance Framework: Policies, June 2014

Contents

Policy                                                 Approval Date
Information Governance Policy                          22nd July 2013
Information Security Policy                            20th March 2014
HEE FOI Policy                                         26th September 2013
Freedom of Information Publication Scheme              08th October 2013
Data Protection Policy                                 26th September 2013
Forensic Readiness Policy                              20th March 2014
Records Management Policy                              20th May 2013
DH Information Requests Policy                         26th September 2013
Procedure for the Dev & Mgt of Policies                15th April 2013
Incident Reporting Procedure                           20th March 2014
Incident Reporting Policy (Working Policy Pro-term)    20th March 2014
Acceptable Use of Mobile Devices and ICT               24th June 2013
Counter Fraud Policy                                   08th October 2013
Conflicts of Interest                                  09th July 2013
Business Continuity Policy                             20th May 2013
Raising Concerns at Work (Whistleblowing)              08th October 2013

Information Governance Policy

Version: Version 1
Ratified by: Operational Management Executive Committee (OMEC)
Date ratified: 22 July 2013
Name and Title of originator/author(s): Mike Jones, Corporate Secretary
Name of responsible Director: Lee Whitehead, Director of People & Communications
Date issued: 29 October 2013
Review date: 3 years from date of first publication
Target audience: HEE Staff
Document History: Version 1: OMEC

Document Status

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Contents

Paragraph                                     Page
1  Introduction                               4
2  Purpose                                    4
3  Scope                                      4
4  Definitions                                4
5  Duties                                     6
6  Main Body of Policy                        5
7  Equality Impact Assessment                 7
8  Implications and Associated Risks          7
9  Education and Training Requirements        7
10 Monitoring Compliance and Effectiveness    7
11 Associated Documentation                   7
12 References

1. Introduction

1.1. Information is a vital asset for Health Education England (HEE), in relation to both its business and the efficient management of resources and services. It plays a key part in our governance, performance management and planning. It is important that information is managed efficiently, and that this is supported by appropriate policies and procedures that provide a sound governance framework. This policy sets out the standards we apply to information governance.

2. Scope

2.1. This policy applies to those members of staff that are directly employed by the HEE and for whom HEE has legal responsibility. For those staff covered by a letter of authority/honorary contract or work experience, the organisation's policies are also applicable whilst undertaking duties for or on behalf of HEE. Further, this policy applies to all third parties and others authorised to undertake work on behalf of the HEE.

3. Principles

3.1. HEE recognises the need for a balance between openness and confidentiality in the management and use of information. We fully support the principles of corporate governance and public accountability, but also recognise the need for confidentiality, supported by security arrangements to safeguard personal information about staff, as well as commercially sensitive and other confidential information. We also recognise the need to share confidential and personal information with stakeholders and others we conduct business with in a controlled way that is consistent with both the interests of that confidentiality and, in certain circumstances, the public interest. We believe that accurate, relevant and timely information is vital to deliver high quality services. It is the responsibility of all staff to ensure the quality of information they use in their work and to utilise it to enable sensible evidence-based decisions.

4. Standards for information governance

4.1. The policy has four key standards:
   Openness
   Legal compliance
   Information security
   Quality assurance

4.2. Openness

Non-confidential information will be available to the public via the HEE website, in line with best practice principles relating to the Freedom of Information Act 2000.

   HEE will establish and maintain policies to ensure compliance with the Freedom of Information Act.
   All individuals will be able to access their personal information in accordance with the Data Protection Act.
   HEE will have clear arrangements and procedures for liaising with the media and for handling queries from members of the public.

Legal Compliance

   We recognise that identifiable personal information relating to staff or individuals that we do business with is confidential, except where this is in the public domain or otherwise disclosable under the terms of the Freedom of Information Act.
   We will establish and maintain policies that ensure compliance with the Data Protection Act 1998 and the common law of confidentiality.
   We will establish and maintain policies for the controlled sharing of personal data as appropriate with other agencies, taking account of relevant legislation and guidance from the Information Commissioner's Office.

Information Security

   HEE will establish and maintain policies for the effective and secure management of its information assets and resources within its IT network.
   We will promote effective confidentiality and security practices to our staff through the provision of relevant policies, procedures and training.
   We will establish and maintain incident reporting procedures and monitor and investigate all reported instances of actual or potential breaches of confidentiality, loss of personal data and breaches of security.

Information Quality Assurance

   HEE will establish and maintain policies and procedures for information quality assurance and the effective management of records.
   Managers are expected to take ownership of, and seek to continually improve, the quality of information in their service areas.
   Wherever possible, information quality should be assured at the point of collection.
   Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
   We will promote information quality and effective records management through the provision of relevant policies, procedures and training.

5. Responsibilities

5.1.
   The Senior Information Risk Officer (SIRO), Lee Whitehead, has ultimate responsibility for HEE's Information Governance policy, ensuring this remains aligned with legal and NHS requirements.
   The Caldicott Guardian, Chris Welsh, is responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.
   The Corporate Secretary is responsible for the day to day oversight of Information Governance: developing and maintaining policies, procedures, guidance and setting of standards, coordinating work across the organisation and working to raise general awareness of information governance best practice standards.
   All HEE Managers are responsible for ensuring that the policy and its supporting standards are maintained locally in order to achieve full compliance across the whole organisation.
   All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they are aware of the policy's requirements and that these are complied with in conducting everyday business.

6. Review

6.1. This policy will be reviewed every three years.

7. Related policies

7.1. Data Protection Policy
7.2. Information Security Policy
7.3. Records Management Policy
7.4. Incident Reporting Policy
7.5. Protective Marking Policy

8. Equality Impact Assessment (EIA)

8.1. It has been assessed that the impact or potential impact of the Information Governance Policy is no impact.

9. Education and Training Requirements

9.1. Mandatory training on Information Governance is required for all staff working in the NHS. This will be available through OLM e-learning.

10. Monitoring Compliance and Effectiveness

All information governance policies and procedures will be subject to periodic audit and review to provide assurance to the Executive Team and the Audit and Risk Committee that they remain fit for purpose and that HEE remains compliant.

Information Security Policy

Version: Version 2
Ratified by: HEE Board
Date ratified: 20th March 2014
Name and Title of originator/author(s): Mike Jones, Corporate Secretary
Name of responsible Director: Lee Whitehead, Director of People and Communications
Date issued: 04th July 2014
Review date: 3 Years from date of first publication
Target audience: HEE Staff
Document History: Approved by Exec Team 06/03/2014; Approved by HEE Board 20/03/2014

Document Status

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Version Control Sheet

Document Title: Information Security Policy
Version: 2.0

The table below logs the history of the steps in development of the document. See example below.

Version   Date     Author   Status   Comment
0.1       Dec 13            Draft

Contents

Paragraph                                                          Page
1  Introduction                                                    5
2  Objective                                                       5
3  Scope of this Policy                                            5
4  Accountability                                                  6
5  Definition of Terms                                             6
6  Procedure                                                       6
7  Training Needs Analysis                                         9
8  Equality Impact Assessment                                      10
9  Implementation and Dissemination
10 Monitoring compliance with and the effectiveness of the policy
11 References                                                      10

1 Introduction

1.1 This document defines the Information Security Policy for Health Education England (HEE).

1.2 The Information Security Policy applies to all business functions, information systems, networks, the physical environments and relevant people who support those business functions.

1.3 This document:
a) Sets out HEE's policy for the protection of the confidentiality, integrity and availability of its assets; that is, hardware, software and information handled by information systems, networks and applications;
b) Establishes the security responsibilities of information security;
c) Provides reference to documentation relevant to this policy.

1.3 The purpose of this policy is to ensure the proper use of HEE's networks and to make users aware of what we deem acceptable and unacceptable system use.

1.4 Evidence that any user is not adhering to this policy will be dealt with under HEE's Disciplinary Procedure.

2 Objective

2.1 The objective of this policy is to ensure the security of HEE's information assets. To do this we will:
a) Ensure Availability: ensure that assets are available for users;
b) Preserve Integrity: protect assets from unauthorised or accidental modification;
c) Preserve Confidentiality: protect assets against unauthorised disclosure.

3 Scope of this policy

3.1 This policy applies to all information media, systems, networks, portable devices, applications and locations in use by HEE and/or organisations hosted by HEE and using relevant IT networks and/or systems.

4 Accountability

4.1 HEE Board
The Board is responsible for ensuring that the necessary support and resources are available for the effective implementation of this Policy.

4.2 Executive Team
Executive Directors are responsible for the review and approval of this policy.

4.3 Director of People and Communications
The Director of People and Communications has organisational responsibility for all aspects of Information Governance and is the Senior Information Risk Owner (SIRO). This includes responsibility for ensuring that HEE has appropriate systems, policies and procedures in place to maintain effective Information Governance.

4.4 Information Asset Owners
Information Asset Owners (IAO) are responsible for the security of all assets that they have been assigned.

4.5 Heads
Team heads are responsible for ensuring that they and their teams are adequately trained, and are familiar with the content of this policy.

4.6 Employees
All employees are responsible for:
   Ensuring compliance with this policy
   Seeking advice, assistance and training where required

5. Definition of terms

The words used in this policy are used in their ordinary sense. The use of technical terms has been minimised.

6 Procedure

6.1 The overall Information Security Policy procedure for HEE is described below: HEE information systems, applications and networks will be available when needed; they will be accessed by legitimate users only and should contain complete and accurate information. The information systems, applications and networks must also be able to withstand or recover from threats to their availability, confidentiality and integrity. To satisfy this, HEE commits to the following actions:
a) Protect all hardware, software and information assets under its control. This will be achieved through the implementation of a set of well-balanced technical and non-technical measures;
b) Provide both effective and cost effective protection that is commensurate with the risks to its assets;
c) Implement the Information Security Policy in a consistent, timely and cost effective manner;
d) Where relevant, HEE will comply with the following:
   Copyright, Designs & Patents Act
   Access to Health Records Act
   Computer Misuse Act
   The Data Protection Act
   The Human Rights Act
   Electronic Communications Act
   Regulation of Investigatory Powers Act
   Freedom of Information Act
   The Environmental Information Regulations
   Health & Social Care Act 2001
e) HEE will also comply with other laws and legislation as appropriate.

6.2 Risk assessment
HEE in conjunction with its IT partners will carry out security risk assessment(s) in relation to all business processes that are covered by this policy. These risk assessments will cover all information systems, applications and networks used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in availability, confidentiality and integrity.

6.3 New systems responsibilities
The Head of IT will ensure that project managers (normally regional IT leads) produce and implement effective security counter-measures and relevant security documentation, security operating procedures and contingency plans reflecting the requirements of the System Security Policy, as part of the project to implement a system. All new systems will be reviewed with relevant security approaches approved by the Head of IT and signed off by the HEE SIRO.

6.4 Accreditation of information systems
HEE is responsible for ensuring that its information systems do not pose an unacceptable security risk to the organisation.

6.5 Malicious software
The Head of IT will ensure that IT service partners have measures in place to detect and protect networks from viruses and other malicious software.

6.6 Unauthorised software
All software used on HEE equipment must have a valid licence agreement. Software may only be installed onto a computer by and with the approval of regional IT leads and/or the Head of IT. Any person who installs or attempts to install unauthorised software onto a computer may be subject to HEE's disciplinary process.

6.7 System change control
HEE will ensure that relevant Project Managers or IAOs will review changes to the security of any information system, application or network. In addition, all such changes must be reviewed and approved by the Head of IT. The relevant Project Manager or IAO is responsible for updating all relevant system documentation. The IAO may require checks on or an assessment of the actual implementation based on changes implemented.

6.8 External network connections
All connections to external networks and systems will be documented and approved.

6.8.2 The Head of IT must approve all connections to external networks and systems before they commence operation. All external connections must be protected by an appropriately configured firewall.

6.9 System configuration management
The Head of IT will work with regional IT leads to ensure that there is an effective configuration management system for all information systems, applications and networks.

Technical compliance checking
The SIRO will ensure that information systems are regularly checked for compliance with security implementation standards.

Business continuity and disaster recovery plans
The SIRO will ensure that business continuity plans and disaster recovery plans are required for all critical applications, systems and networks. The plans must be reviewed and tested on a regular basis.

Secure Disposal or Re-use of Equipment
All Users must ensure that where equipment is being disposed of, all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. For advice on assessment of re-use or destruction of equipment contact the Head of IT.

Reporting Data Security Breaches and Weaknesses
Data Security Breaches and weaknesses, such as the loss of data or the theft of a laptop, must be reported in accordance with the requirements of the HEE incident reporting procedure.

7 Training Needs Analysis

7.1 HEE will provide basic System Security training through induction and/or mandatory Information Governance Training. All training throughout HEE will be recorded by the HR Team.

8 Equality impact assessment

8.1 HEE aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage compared to others.

9 Implementation and dissemination

9.1 Following ratification by the Executive Team this policy will be disseminated to staff via the HEE intranet and communication through in-house corporate communication channels. This Policy will be reviewed every two years or as appropriate to respond to changes in relevant legislation or national guidance.

10 Monitoring compliance with and the effectiveness of the policy

An assessment of compliance with requirements will be undertaken each year as part of HEE's annual Information Governance Toolkit submission.

11 REFERENCES

Related documents include:
   Disciplinary Procedure
   Information Governance Policy
   Confidentiality Policy

Freedom of Information Act 2000 Policy and Procedure

Version: V2
Ratified by: OMEC
Date ratified: 26 September 2013
Name and Title of originator/author(s): Mike Jones / Corporate Secretary
Name of responsible Director: Lee Whitehead, Director of People and Communications
Date issued:
Review date: Annual
Target audience: All HEE Staff
Document History: V2: OMEC 26/09/13

Document Status

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Health Education England (HEE), as the new body that has taken on responsibility for education, training and development across the NHS and public health system, will take on responsibility for delivery of the Secretary of State's duty. HEE will provide national leadership for education and training and will be accountable for the investment of education and training resources, which in 2013/14 totals around £4.9 billion. As such we are fully committed to the principles of transparency and openness as well as the protection of personal information, and we recognise the importance of both the Freedom of Information Act 2000 (FOIA) and the Data Protection Act 1998 (DPA) and the relevance of both for the way in which we manage and disseminate information. This FOIA policy document establishes a framework to ensure that all requests for information made in accordance with the FOIA are dealt with properly and compliantly.

Glossary of Terms

Absolute Exemption: Those circumstances where a decision may be made not to disclose information where there is no requirement to consider the application of the public interest test.
Applicant: An individual, group or organisation requesting information.
Classes of Information: Broad categories in which information is proactively made available.
Exemption: Those circumstances within which a decision may be made not to disclose information.
Personal Information: Information from which an individual can be identified.
Publication Scheme: The legally required mechanism for making information held by HEE routinely and proactively available.
Public Authorities: Public sector organisations as defined by the Freedom of Information Act 2000 (FOIA).
Public Interest: Additional test applied to information being considered for disclosure in some cases. Consideration of the greater good. Not the same as what people are interested in.
Qualified Exemption: See Absolute Exemption.
Third Party: Where information is requested about someone other than the applicant.

1. Introduction

1.1 The FOIA became law on 1 January 2000 and came fully into effect on 1 January. The FOIA provides a general right of access to all information held by public authorities and places certain obligations upon them. The existence and application of the exemptions help manage access to information, particularly when requests are made for information which is considered to be extremely sensitive, or where the burden on the resources of public authorities in managing a response is considered out of proportion to the benefits in terms of transparency and accountability.

1.2 The main features of the FOIA are:
   A general right of access to recorded information held by public authorities, subject to certain conditions and exemptions
   A general duty to confirm or deny to the applicant whether information is held by the public authority, irrespective in most cases of whether the information which has been requested is to be disclosed
   A general duty to advise and assist the applicant
   A specific duty which applies to every public authority to adopt and maintain a publication scheme approved by the Information Commissioner, through which it must proactively and routinely publish information.

2. Objectives of the Policy

The key objectives of this policy and these procedures are:
   To ensure that all information, other than that which can be considered to be personal data, is processed in accordance with the requirements of the FOIA
   To meet the requirements of the Information Governance Toolkit
   To provide guidance on the correct way to handle requests for information.

3. Scope of the Policy

3.1 This policy covers all records created in the course of the business of HEE, i.e. corporate records (minutes, agenda etc.) which are also public records under the terms of the Public Records Acts 1958 and It also includes messages and other electronic records as well as informal meeting notes. No subject matter is excluded from consideration for disclosure, including information relating to contracts, financial arrangements and other sensitive areas.

3.2 This Policy and procedure applies to all employees of HEE, including permanent, temporary and contract staff, who come into contact with information, as well as those working for organisations hosted by HEE.

4. Statutory Obligations and Associated Actions

4.1 HEE is required to meet a number of statutory obligations arising from the implementation of the FOIA. These are:
   To adopt and maintain a Publication Scheme
   To respond to requests for information in compliance with the terms of the FOIA.

4.2 Publication Scheme
HEE has adopted the 2009 Model Publication Scheme as set out by the Information Commissioner and has made it available on-line and in hard copy. A guide to the Publication Scheme has also been produced and is similarly available. The Publication Scheme will be regularly reviewed by relevant HEE Directorates and updated to ensure the relevance of information contained within it. Requests for a hard copy of the Publication Scheme and requests for information contained within the Publication Scheme may be made to the FOIA/DPA Manager at HEE.

5. Responding to Requests for Information

5.1. The FOIA confers two general rights on the public, a right:
   To be informed whether a public body holds information which has been requested; and
   To see that information.

5.2 It is a legal requirement that requests for information are met within 20 working days of receipt of the request, and it is the policy of HEE that this time limit will be met in all cases.

5.3 It is important to note that in order to fall within the terms of the FOIA a request must be in writing, but it does not have to quote the FOIA to be a valid request. It is therefore essential that all staff are aware of their responsibilities to recognise requests and to act in compliance with the legislation.

5.4 Any request for information to HEE should be treated as a request under the FOIA. However, it has always been recognised that there are really two levels of request: those that can be classified as normal business and those which are sensitive or which raise particular issues for HEE. In such cases HEE has adopted the following benchmarks to define normal business:
   Can the information which has been requested be located within the 20 day time limit?
   Will it cost less than at per hour (the statutory amount to be charged) to find and collate the information?
   Can all the information be disclosed?
   Can the information be disclosed within the 20 day time limit?

5.5 If the answer to all of these questions is yes, then the request should be dealt with locally and not referred to the FOIA/DPA Manager. However, the time limit must still be adhered to, and if a situation develops where it becomes obvious that consideration may have to be given to non-disclosure of information which has been requested, then the FOIA/DPA Manager must be consulted immediately.

5.6 If, however, the answer to any of the questions is no, the recipient should immediately seek advice from the FOIA/DPA Manager about what to do, usually within 48 hours. The request will then be processed as a formal FOI request and the advice of the FOIA/DPA Manager will be followed.

5.7 In HEE, responsibility for dealing with requests for information under the FOIA lies with the Communications Directorate, and responsibility for review lies with the Corporate Secretary.

6. Exemption Information

6.1 The FOIA is designed to create a new culture of openness and accessibility, to allow individuals to access more information held within public authorities than they could before. However, this entitlement to information is not unlimited. The FOIA recognises that there is a need to limit the right of access and this is done by the engagement of the exemptions. Several sections of the FOIA confer an absolute exemption on the disclosure of information. These may also exceptionally have the effect of exempting HEE from confirming or denying that the information which has been requested is held by us. However, we will always tell you if we are withholding information or refusing to confirm or deny the existence of any information.

6.2 Other sections of the FOIA direct HEE to consider whether the public interest in maintaining the exemption is greater than the public interest in disclosing the information at all.

6.3 Part II of the FOIA sets out the detail of the exemptions which may be considered when information which is the subject of a request is considered particularly sensitive. The use of any exemption has to be justified; even when the engagement of an exemption can be justified, HEE might decide not to apply it in a spirit of openness and transparency. The exemptions fall into two categories: those that are absolute, and those that are qualified.

6.4 Absolute Exemptions
Absolute exemptions may apply when the harm that would be caused by a disclosure is already established. A few examples of when absolute exemptions may apply are:
   When you request access to your personal data under FOIA, when this should be accessed via the DPA
   When you request access to someone else's personal data

   When you request access to information and the disclosure of that information could result in an actionable breach of confidence
   When you request information from us that you can obtain elsewhere without making a FOI request
(A full list can be seen in Appendix 1.)

6.5 Qualified Exemptions
Qualified exemptions only apply when the public interest in withholding the information outweighs the public interest in disclosure. A few examples of when a qualified exemption may apply are:
   When you request information that we were intending to publish at a later date
   When you request information where the disclosure could prejudice someone's commercial interests
   When you request information that relates to advice we may have obtained from our legal advisors
(A full list can be seen in Appendix 2.)

6.6 Disproportionate Cost Exemption
In the event that at first glance it is considered the disproportionate cost exemption might apply, then the relevant department will be asked for an estimate of cost; no effort should be made to find the information at this stage. The estimate should instead be completed as a matter of urgency and the results should be notified to the FOIA/DPA Manager at HEE within 48 hours. Where HEE estimates that the cost of answering the information request will exceed the appropriate limit (£25 per hour), it will be under no obligation to provide the information but must inform the applicant of the reasons for not doing so and give the applicant the opportunity to refine the request in accordance with Section 16 of the FOIA, which requires that the applicant must be provided with advice and assistance. This obligation will normally be undertaken by the FOIA/DPA Manager.

6.7 There are also certain other circumstances in which HEE is not obliged to comply with requests for information:
   If it is considered vexatious in accordance with S.14 FOIA. In these circumstances, NHS HEE will log all requests for monitoring purposes and will be able to identify repeated and/or vexatious requests
   If a Fees Notice has been issued to an applicant and any fee is not paid within three months of the date of the Notice.

7. Procedure for Handling Requests

7.1 Requests for information must be put in writing (including ) to HEE in the first instance. Verbal requests are not valid requests under the FOIA, and while they may be dealt with in the course of normal business, the requirements of the FOIA do not apply. If a request is valid under the FOIA then the FOI process must be instigated and the deadline for a substantive reply to the applicant is 20 working days.

26 7.2 The procedure to be followed in HEE is shown in the diagram at Appendix In order for a request to be valid, HEE must understand what information, in general terms, is being asked for. If this is not clear from the correspondence from the applicant to the extent that we are unable to commence a search for the information, then this is not a valid request and will not become so until clarification is received. In such cases the 20 day time limit for compliance will commence only when the valid request is received. 7.4 However in those circumstances where we have received a valid request but because of its volume we ask the applicant to refine it so that it falls below the limit of disproportionate cost, this process must be completed within the 20 day limit which starts with the receipt of the initial valid albeit voluminous request. 7.5 Requests for advice, assistance or referral should be made within 48 hours of the request being received by HEE. 8. FOIA Review and Complaint to the Information Commissioner 8.1 It is a requirement of the FOIA that all public authorities subject to the FOIA implement arrangements for reviewing decisions which have been notified to the applicant and with which the applicant is dissatisfied. Requests for review (which are not complaints and which must not be dealt with under the NHS Complaints Code) usually relate to refusals to disclose information but may also relate to the failure to confirm information is held or indeed any other part of the process. 8.2 HEE has put in place an independent review process which is headed by the Company Secretary. 8.3 Information about the review process must be included in any correspondence sent to the applicant, in particular and specifically in any Refusal Notice under S.17 (1) of the FOIA which is sent to the applicant. 
8.4 All complaints from applicants about HEE's FOIA procedures, and requests for review of any decisions made, must be referred immediately upon receipt to the FOIA/DPA Manager.

9. Fees

9.1 The FOIA requires public authorities to publicise their policies in relation to the charging of Fees and Disbursements under the FOIA.

9.2 HEE has approved the following process:

9.2.1 Unless the amount of information requested clearly falls outside the limit set by the Fees Regulations which apply to the FOIA and the DPA, HEE will not normally levy any Fee for dealing with a request. (However, see section 10.)

Where the statutory cost limit established in the Regulations is clearly exceeded, HEE will provide the applicant with an estimate of costs and will normally ask the applicant to refine their request so as to fall within the cost limit. Where an applicant fails to respond to such a request, or the refined request still falls outside the cost limit, the request will normally be refused under the exemption provided by S.12(1) of the FOIA.

HEE as a matter of policy does not normally allow applicants to pay for information where costs exceed the regulatory limit. In the rare, exceptional circumstances in which payment may be agreed, a Fees Notice will be issued and the complete cost of dealing with the request, in accordance with the provisions of the FOIA and the Fees Regulations, will be charged.

In such exceptional circumstances HEE estimates costs on the statutorily provided basis of per hour. It should be noted that it is the complete cost of location and collation which is chargeable, not only that part which falls outside the cost limit.

If a Fees Notice is issued and no response is received within 12 weeks, the request for information will be considered to have lapsed.

10. Charges

10.1 HEE's responsibility is limited to disclosing information in the format in which it is held. There will be no charge for information which can be accessed via our website, or where it is provided as a single hard copy. Where other formats or multiple copies are requested, the following charges apply and must be paid before the information is provided:

Photocopying
  One hard copy of the requested information: Free
  Multiple copies: 10p per sheet
Reformatting
  Re-formatting on CD: £5.00 per CD
  Other formats: On application

11. Training

11.1 HEE has provided mandatory training for all staff in relation to the FOIA and how to respond appropriately. Training will be on-going and will be monitored for effectiveness.

12. Review and Monitoring Process and Related Documents

12.1 The Policy will be reviewed regularly by the FOIA/DPA Manager, the Director of Communications and People and the Company Secretary.

Related Documents
Data Protection Act

Appendices
1 Absolute Exemptions
2 Qualified Exemptions
3 Process for Responding flow chart

Appendix 1: Absolute Exemptions

Section 21 Information accessible to applicant by other means
Section 23 Information supplied by, or relating to, bodies dealing with security matters
Section 32 Court records etc.
Section 34 Parliamentary privilege
Section 36 Prejudice to effective conduct of public affairs
Section 40 Personal information
Section 41 Information provided in confidence
Section 44 Prohibitions on disclosure, where a disclosure is prohibited by an enactment or would constitute a contempt of court

Appendix 2: Qualified Exemptions

Section 22 Information intended for future publication
Section 24 National security
Section 26 Defence
Section 27 International relations
Section 28 Relations within the United Kingdom
Section 29 The economy
Section 30 Investigations and proceedings conducted by public authorities
Section 31 Law enforcement
Section 33 Audit functions
Section 35 Formulation of Government policy etc.
Section 36 Prejudice to effective conduct of public affairs
Section 37 Communications with Her Majesty etc. and honours
Section 38 Health and safety
Section 39 Environmental information, as this can be accessed through the Environmental Information Regulations
Section 40 Personal information
Section 42 Legal professional privilege
Section 43 Commercial interests

Appendix 3: Process for responding to a request under Freedom of Information

1. Request for information received, either via the HEE FOI mailbox or by letter. Requests must be made in writing; verbal requests cannot be accepted.
2. Is the request normal business? If so, the individual directorate deals with it themselves. If not, the request is directed to the FOI team, normally within 48 hours.
3. FOI request recorded on the HEE FOI database (Vuelio).
4. Acknowledgement sent by the HEE FOI team within 2 days, stating that a full response will be provided within 20 days.
5. FOI team requests contribution/advice from the appropriate Directorate/LETB. It is the responsibility of the relevant directorate to produce the information requested as soon as possible, and in any event within the timescale set by the Briefing Team.
6. Following sign-off of the contribution by a Senior Manager/Director, the response is drafted by the FOI manager; the Briefing Team produces the final letter.
7. Response sent by Day 20, either with the information requested or stating on what grounds the information will not be disclosed.

FREEDOM OF INFORMATION PUBLICATION SCHEME

Version: Version 3
Ratified by: HEE Board
Date ratified: 8 October 2013
Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and Briefing Lead
Name of responsible Director: Lee Whitehead, Director of People and Communications
Date issued: 29 October 2013
Review date: Annually
Target audience: HEE's Stakeholders and members of the public
Document History:
Version 1, , CB for review
Version 2, , NW comments
Version 3, , presented to OMEC , HEE Board

33 Document Status This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Executive Summary

This guide explains what information is routinely published by Health Education England (HEE). It is a description of the information about us that is made publicly available as a matter of routine. HEE has a legal duty to adopt and maintain a Publication Scheme. The purpose of the Freedom of Information Act is to promote greater openness by public authorities. HEE will review its Publication Scheme at regular intervals and monitor how it is operating. It is important that this Scheme meets the needs of the public and other stakeholders, and it has been designed to be a route map so that you can find information about HEE easily. The Guide to Information will help you to find all the information that HEE publishes.

The Publication Scheme contains 7 classes of information. Information falling in each of these classes is published on our website and can be accessed using the links on the following pages. All information published on the website can be accessed free of charge.

Who we are and what we do
What we spend and how we spend it
What our priorities are and how we are doing
How we make decisions
Our policies and procedures
Lists and registers
Services we offer

Contents

1 Introduction
2 Purpose
3 Scope
4 Definitions
5 Duties
6 Main Body of Policy
7 Equality Impact Assessment
8 Education and Training Requirements
9 Monitoring Compliance and Effectiveness
10 Associated Documentation
11 References

1. Publication Scheme

1.1. In order to comply with the Freedom of Information Act 2000, public sector organisations such as Health Education England (HEE) have to routinely publish information whenever possible.

1.2. The Information Commissioner, who is responsible for monitoring and enforcing compliance with the Freedom of Information Act 2000, has drawn up what is called a Model Publication Scheme for all public sector organisations, which we have decided to adopt and formally commit to. The Commissioner has also published a Definition Document for NHS Organisations which sets out in some detail what the minimum expectations are. Health Education England has adopted this publication scheme, which can be viewed via the link on the right.

1.3. We have reviewed the information we routinely put into the public domain to ensure we are compliant with the Definition Document. The Publication Scheme includes key headings and links which will take you to this information on our website, which we aim to update on a regular basis.

2. How Health Education England works and fits into the NHS structure

2.1. HEE is a public body and part of the National Health Service. It is a statutory body governed by Acts of Parliament and came into existence on 1st April.

2.2. As a statutory body, HEE has specific powers to act as regulator, to contract in its own name, to act as a corporate trustee, to fund projects jointly planned with, and to make payments and grants to, Local Education and Training Boards (LETBs), voluntary organisations and other bodies.

2.3. HEE fits into the overall NHS structure as follows: HEE was established as a Special Health Authority in June 2012, taking on some functions from October 2012 before assuming full operational responsibilities from April.

2.4. On 28 May 2013, the Government published its mandate for Health Education England.
Through this mandate, which covers the period from April 2013 to March 2015, HEE will work towards providing national leadership and strategic direction for high quality education, training and workforce development. The mandate complements our key purpose of developing an NHS workforce with the right behaviours, values and skills to deliver quality patient care, responsive to the diverse and changing needs of patients and the public.

2.5. The mandate is aligned with and reflective of the mandate for NHS England. The mandate recognises the Francis Report recommendations, reflects the increasing importance of public health and requires us to take into account the development of the Public Health England (PHE) strategy and the Secretary of State's four priorities on preventable mortality; long-term conditions; being caring; and dementia.

2.6. The plans emphasise the importance of training to support staff providing community care and preventing patients, those with long term conditions for example, needing to go into hospital.

2.7. The mandate includes a focus on:
recruitment into all new NHS-funded training posts that tests for the appropriate values and behaviours;
maintaining midwifery training numbers to ensure patient needs are met;
delivery of additional trained health visitors to increase the workforce by 4,200 full time equivalents by April 2015;
providing dementia training for all NHS staff who look after patients, ensuring that 100,000 staff have foundation level training by March 2014;
commissioning the required number of IAPT (increasing access to psychological therapies) training places;
making progress to ensure that 50 per cent of medical students become GPs; and
work towards a target of at least 50 per cent of student nurses undertaking community placements by March.

3. Making an FOI request

3.1. Requests for information should be sent to Chris Brady, the FOI Manager at Health Education England.

3.2. By law, HEE has to deal with such requests within 20 working days. If you make a request and are not satisfied with the way in which we deal with it, you may ask us to review any decision we make.
If you wish us to undertake such a review, you should write to Lee Whitehead, Director of People & Communications at HEE.

3.3. For lengthy requests for information that would exceed the statutory limit under which Public Authorities are expected to provide information without charge, HEE estimates costs on a statutorily provided basis of per hour. If the estimate exceeds in total (18½ hours at per hour) then the exemption can be claimed.

3.4. Should Health Education England decide in exceptional circumstances that an applicant should be allowed to pay, it is the complete cost of location etc. which is chargeable, not only that part which falls outside the cost limit.

4. Why

4.1. The establishment and development of HEE was set out in Liberating the NHS: Developing the Healthcare Workforce, From Design to Delivery, the Government's policy for a new system for planning and commissioning education and training. The driving principle for reform of the education and training system is to improve care and outcomes for patients, and HEE exists for one reason alone: to help ensure delivery of the highest quality healthcare to England's population, through the people HEE recruits, educates, trains and develops.

4.2. HEE's mandate from the Government sets out clearly the plans for education and training that will be the cornerstone for the delivery of high quality, effective, compassionate care, by recruiting for values and training for skills. Our £5 billion budget will allow us to recruit, train and develop a workforce that will deliver improved care to patients. The mandate is set out under six broad themes: support for service priorities, NHS values and behaviours, excellent education, competent and capable staff, working in partnership and value for money. It covers the two years from April 2013 to March 2015 and will be reviewed in autumn.

5. Role

5.1. HEE will provide leadership for the new education and training system. It will ensure that the shape and skills of the future health and public health workforce evolve to sustain high quality outcomes for patients in the face of demographic and technological change. HEE will ensure that the workforce has the right skills, behaviours and training, and is available in the right numbers, to support the delivery of excellent healthcare and drive improvements.
5.2. HEE will support healthcare providers and clinicians to take greater responsibility for planning and commissioning education and training through the development of Local Education and Training Boards (LETBs), which are statutory committees of HEE.

6. Function

6.1. The key national functions of the organisation will include:
Providing national leadership for planning and developing the whole healthcare and public health workforce

Authorising and supporting development of Local Education and Training Boards and holding them to account
Promoting high quality education and training which is responsive to the changing needs of patients and communities and delivered to standards set by regulators
Allocating and accounting for NHS education and training resources, ensuring transparency, fairness and efficiency in investments made across England
Ensuring security of supply of the professionally qualified clinical workforce
Assisting the spread of innovation across the NHS in order to improve quality of care
Delivering against the national Education Outcomes Framework to ensure the allocation of education and training resources is linked to quantifiable improvements

6.2. If you require information which is not on our website or otherwise available through our guide to information, you may ask us for it in accordance with the further provisions of the Freedom of Information Act 2000 and of the Environmental Information Regulations.

7. Who we are and what we do

7.1. How we fit into the NHS structure: This section explains what our main responsibilities are and what Health Education England comprises. Xxxxxxx

7.2. Organisational structure: Our organisational structure is included in this section. Xxxxxxxxxxxxxx

7.3. Lists of and information relating to organisations with which Health Education England works in partnership: we expect to update this section with more information about our key partners as we start to build relationships with stakeholders.

7.4. Senior staff and management board members: Details relating to the HEE Board and Directors can be found in this section. xxxxxxxxxxxx

7.5. Location and contact details for all public-facing departments: Our location, including maps and contact details, can be found in this section. xxxxxxxxxxxxxxxxxx

8. What we spend and how we spend it

8.1. Annual statements of accounts: This section contains our Annual Report, which includes the annual statements of account. The 2012/13 Annual Report & Accounts will be published after being laid before Parliament.

8.2. Budget and variance reports: Budget and variance reports are routinely made to each meeting of Health Education England's Board. These can be found amongst the papers for each of the Board meetings. xxxxxxxxxxxxxxxxxxxxxxxxxxxx

8.3. Financial audit reports: The Annual Audit Letter and the minutes of our Audit Committee meetings can be found in our board meeting papers. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

8.4. Staff and Board members' allowances and expenses: This information is included in Health Education England's Annual Report.

8.5. Details of Directors' expenses are currently being collated and will be published here shortly.

8.6. In this section there are details relating to staff pay and grading, along with the Agenda for Change handbook and the Very Senior Managers framework. xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

8.7. Procurement and tendering procedures: Procurement and tendering procedures adopted by Health Education England. xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

8.8. Details of contracts currently being tendered: Contracts currently tendered can be found in this section. This list is updated monthly. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

8.9. If you require any further information about contracts being tendered please contact xxxxxxxxxx

8.10. Lists and value of contracts awarded: A list of contracts over £50k, and their value, is included in this part of the Publication Scheme. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

9. What our priorities are and how we are doing

9.1. Annual Report: This section includes a link to HEE's current Annual Report, where the appropriate file can be downloaded. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

9.2. Annual business plan: HEE's Annual Business Plan is published on the website below. xxxxxxxxxxxxxxxx

9.3. Strategic direction document: xxxxxxxxxxxxxxxxxxx

9.4. Performance against targets/performance framework: Regular updates on performance can be found in xxxxxxx. A link can be found on the website below. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

10. How we make decisions

Board papers, agenda, supporting papers and minutes: Information regarding board meetings, including agenda, papers and previous minutes, can be found on the website below. This section is updated before every meeting. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Audit reports: The minutes from our Audit and Risk Committee meetings can be found in our Board papers.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11. Our policies and procedures

A full list of HEE's policies, the Policy Register and copies of approved policies will be published on the website as they become available.

12. Lists and registers

HEE is required to make public the following registers:
Main contractors/suppliers
Asset Register
Information Asset Register
Board Members' Declarations of Interest
Gifts & Hospitality Register
FOI Disclosure log

These registers will be published on the HEE website as they become available through 2013/14.

Data Protection Policy

Version: V1
Ratified by: Operational Management Executive Committee
Date ratified: 26/09/13
Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and Briefing Lead
Name of responsible Director: Lee Whitehead, Director of People & Communications
Date issued: 29/10/2013
Review date: 3 years from date of first publication
Target audience: All HEE Staff
Document History: Version 1: OMEC, 26/09/13


Contents

1 Introduction 4
2 Aim 4
3 Legislation 4
4 NHS & Related Guidance 4
5 Responsibilities 5
6 Security & Confidentiality 5
7 Database Management 5
8 Back Ups 6
9 Disclosure of Information 6
10 Disclosure of Information Outside the EEA 6
11 Training 7
12 Induction 7
13 Contracts of Employment 8
14 Disciplinary 8
15 Monitoring and Audit 8
16 Subject Access Requests 8
17 Disclosure of Personal Information 9

1. Introduction

1.1. Health Education England (HEE) has a legal obligation to comply with all appropriate legislation in respect of Data, Information and IT Security. It also has a duty to comply with guidance issued by the Department of Health, the Information Commissioner, other advisory groups to the NHS, and guidance issued by professional bodies.

1.2. Penalties could be imposed upon HEE, and/or employees, for non-compliance with relevant legislation and NHS guidance.

2. Aim

2.1. This Data Protection Policy details how HEE will meet its legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements within the Policy are primarily based upon the Data Protection Act 1998, as that is the key piece of legislation covering security and confidentiality of personal information.

3. Legislation

3.1. For the purpose of this Policy other relevant legislation and appropriate guidance may be referenced. The legislation listed below also refers to issues of security and/or confidentiality of personal identifiable information/data:
Data Protection Act 1998
Access to Health Records Act 1990
Access to Medical Reports Act 1988
Human Rights Act 1998
Freedom of Information Act 2000
Regulation of Investigatory Powers Act 2000
Crime and Disorder Act 1998
Computer Misuse Act 1990
Criminal Justice and Immigration Act

4. NHS & Related Guidance

4.1. The following are the main publications referring to security and/or confidentiality of personal identifiable information/data (see section A for more information):
Confidentiality: NHS Code of Practice
Records Management: NHS Code of Practice
Information Security: NHS Code of Practice
Employee Code of Practice (Information Commissioner)

5. Responsibilities

5.1. The Chief Executive Officer has overall responsibility for the Data Protection Policy within HEE. The implementation of, and compliance with, this Policy is delegated to the Data Controller (Director of People & Communications) and the Data Protection Lead. The Data Protection Lead will report data protection issues to the Data Controller, who will have responsibility for bringing these to the attention of HEE's Executive Team.

5.2. The Data Protection Lead role includes:
Maintaining registrations
Facilitating training sessions
Dealing with subject access requests
Acting as initial point of contact for any data protection issues which may arise within HEE
Providing reports to the HEE Executive Team as required
Auditing data protection compliance
Facilitating action in areas identified as being non-compliant
Assisting with complaints concerning data protection breaches
Acting as the interface between data protection and freedom of information

5.3. This Policy will be reviewed annually, or more frequently if appropriate, to take into account changes to legislation that may occur, and/or guidance from the Department of Health, the Information Commissioner or any relevant case law.

5.4. The day to day responsibilities for enforcing this Policy will be devolved to application/system managers and other nominated personnel. In order to fulfil their roles, the Data Protection Lead in conjunction with the Data Controller will ensure that regular training is provided to remind these personnel of these responsibilities and the most effective way of ensuring adequate information security and confidentiality.

6. Security & Confidentiality

6.1. All information relating to identifiable individuals, and any information that may be deemed sensitive, must be kept secure at all times.

6.2. HEE will ensure there are adequate policies and procedures in place to protect against unauthorised processing of information and against accidental loss, destruction of or damage to this information.

7. Database Management

7.1. The HEE Data Protection Lead will ensure that all databases that require registration are registered in accordance with the DPA requirements and that these registrations are reviewed on a regular basis. Each computer system/database will have a designated manager. A list of these nominated personnel will be maintained by the Data Protection Lead.

7.2. For the purposes of this policy the term "Database" refers to a structured collection of records or data held electronically which contains person identifiable information. In the event that further guidance is needed in respect of what constitutes a database, please contact the Data Protection Lead.

8. Back-ups

8.1. Each application/system manager will have responsibility for ensuring there is a procedure which outlines the media, frequency and retention period for back-ups of the data and programs for the systems within their control.

8.2. Those systems which are run for the users by a third party organisation will have their systems backed up on a regular basis as defined by the Service Level Agreement.

9. Disclosure of Information & Information in Transit

9.1. It is important that information about identifiable individuals (such as the general public, patients and/or staff) should only be disclosed on a strict need to know basis. Strict controls governing the disclosure of patient identifiable information are also a requirement of the Caldicott recommendations.

9.2. All disclosures of computer held identifiable information should be included in the relevant data protection registration document for the database from which the disclosure may be made.

9.3. Some disclosures of information may occur because there is a statutory requirement upon HEE to disclose, e.g.
with a Court Order, or because other legislation requires disclosure (for staff, to the tax office or pension agency; for patients, to the Department of Health if the patient has a notifiable disease).

9.4. If person identifiable information/records need to be transported in any media, such as disc, memory stick or manual paper records, this should be carried out so as to maintain strict security and confidentiality of this information.

9.5. Contracts between HEE and third parties must include an appropriate confidentiality clause, which must be disseminated to the third party's employees.

10. Disclosure of Information Outside the EEA

10.1. Personal data, even if it would otherwise constitute fair processing, must not, unless certain exemptions apply or protective measures are taken, be disclosed or transferred outside the European Economic Area to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects.

10.2. In the event that any member of staff wishes to process personal information outside of the United Kingdom, the HEE Data Protection Lead must be consulted prior to any agreement to transfer or process information.

11. Training

11.1. The Data Protection Lead has overall responsibility for maintaining awareness of confidentiality and security issues for all staff. This is carried out at regular training sessions covering the following subjects:
Personal responsibilities
Confidentiality of personal information
Relevant HEE Policies and Procedures
Compliance with the Data Protection Principles
Registration of automated databases
Individuals' rights (access to information and compliance with the principles)
General good practice guidelines covering security and confidentiality
Contact information relating to who the Data Protection Lead is and how they can be contacted for all problems which may occur in the areas of security and confidentiality of personal information
A general overview of all Information Governance components
General common sense issues such as locking doors and avoiding gossip in open areas or discussing sensitive information in public places (on trains, in taxis etc.)
Letting all staff know about relevant policies, procedures and good practice guidance and where this can be found
A brief overview of how the Data Protection and Freedom of Information Acts work, and the differences between them

12. Induction

12.1. All new starters to HEE will be given Information Governance training, to include compliance with the Data Protection Act and general IT security training, as part of the induction process. Extra training in these areas will be given to those who need it, such as application/systems managers and those dealing with requests for information. A register will be maintained of all staff attendance at training sessions.
12.2. Non-contract staff and those on short fixed term contracts will also be asked to attend induction sessions. These people will include temporary and agency staff and student placements. Training should also be open to external organisations carrying out functions for HEE, such as security guards (where they are not contracted HEE employees).

12.3. All staff will be made aware of what could be classed as an information security incident or breach of confidentiality. They will be made aware of the process to follow and the forms to complete, so that incidents can be identified, reported, monitored and investigated.

13. Contracts of Employment

13.1. Staff contracts of employment are produced and monitored by the HEE Human Resources department. All contracts of employment include a data protection and general confidentiality clause. Agency and non-contract staff working on behalf of HEE must be subject to the same rules.

13.2. All HEE employees will be made aware of their responsibilities in connection with the DPA mentioned in this Policy through their Statement of Terms and Conditions, and through targeted training sessions carried out by application/system managers and/or other trainers/specialists.

14. Disciplinary

14.1. A breach of the Data Protection requirements could result in a member of staff facing disciplinary action. A copy of HEE's Disciplinary Procedure is available from the Human Resources Department.

15. Monitoring & Audit

15.1. This policy will be monitored by the Data Protection Lead on a regular basis. In addition, application of this policy will also be reviewed by Internal and External Audit.

16. Subject Access Requests

16.1. Current Data Protection legislation allows an individual who is the subject of personal information processed by HEE to access their information. In the event that an individual wishes to have a copy of their information under the subject access provisions of the Data Protection Act, a request must be made in writing to the Data Protection Lead.

16.2. HEE is obliged to respond promptly, and within 40 days, to a request for access to records containing person identifiable information. Failure to do so is a breach of the Act and could lead to a complaint to the Information Commissioner. If it is anticipated that a request will take longer than the 40-day period, HEE will inform the applicant, giving an explanation of the delay, and agree a new deadline.

16.3. In addition, HEE will charge for any subject access requests made, in line with legislative guidelines.

17. Disclosure of Personal Information

17.1. There are Acts of Parliament that govern the disclosure of personal information. Some of these Acts make it a legal requirement to disclose, and others state that information cannot be disclosed. These Acts are detailed below:
Public Health (Control of Diseases) Act 1984 & Public Health (Infectious Diseases) Regulations 1985
Education Act 1944 (for immunisations and vaccinations to NHS SHAs from schools)
Births and Deaths Act 1984
Police and Criminal Evidence Act 1984
Human Fertilisation and Embryology (Disclosure of Information) Act 1992
Venereal Diseases Act 1917 and Venereal Diseases Regulations of 1974 and 1992
Abortion Act 1967
The Adoption Act

17.2. In the event that a request for disclosure is made referencing any of these Acts, the HEE Data Protection Lead must be notified prior to any information being released.

Forensic Readiness Policy

Version: Version 1
Ratified by: HEE Board
Date ratified: 20 March 2014
Name and Title of originator/author(s): Mike Jones, Corporate Secretary
Name of responsible Director: Lee Whitehead, Director of People and Communications
Date issued: 4th July 2014
Review date: 3 Years from Date of First Publication
Target audience: HEE Staff
Document History: Approved by Exec Team 06/03/2014

Document Status

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Contents

1. Introduction
2. Purpose and Scope
3. Definitions
4. Duties (Roles and Responsibilities)
5. Principles
6. Further Investigation
7. Contact Details
8. Training and Implementation
9. Equality Impact Assessment
10. Monitoring Compliance
11. Associated Documents, Further Reading and Contacts ... 9

Introduction

Forensic readiness is a key component of NHS information risk management. All NHS organisations are required to have Forensic Readiness Policies in place, so it is essential that Information Governance forensic readiness measures support the business and functions of Health Education England (HEE).

Purpose

The purpose of the Forensic Readiness Policy (FRP) is to provide a systematic, standardised and legal basis for the admissibility of digital evidence that may be required in a formal dispute, criminal investigation or legal process. The policy may include evidence in the form of log files, e-mails, back-up data, removable media and other devices that may be collected in advance of an event or dispute occurring. The evidence retrieved can support a legal defence, it can help verify and may show that due care was taken in a particular transaction or process, and may be important when used for internal disciplinary actions.

This policy applies to all systems, devices and networks used by HEE or on its behalf for:

XXX check: what sort of information should this cover?

- The transmission of non-clinical data and images
- The transmission of clinical data and images
- Printing or scanning non-clinical or clinical data or images
- The provision of internet systems for receiving, sending and storing non-clinical or clinical data or images

Definitions

The definitions or explanations of terms relating to this policy are:

IG Forensic readiness: The ability of an organisation to make use of digital evidence when required. Its aim is to maximise the organisation's ability to gather and use digital evidence whilst minimising disruption or cost.

Duties (Roles and Responsibilities)

The Director of People and Communications will be responsible for the implementation of this Policy as the Senior Information Risk Owner (SIRO) for HEE. The Director of People and Communications will have oversight and responsibility for ensuring that all of HEE complies with this policy.

Head of IT

The Head of IT will be responsible for ensuring that the necessary staff are adequately trained and made available to carry out any digital forensic investigation that may be required. The Head of IT will be responsible for identifying who will be responsible for carrying out any investigations, ensuring they are suitably qualified to do so.

All Staff

All staff and Non-executive Directors are obliged to adhere to this policy. A failure to adhere to this policy and its associated procedures may result in disciplinary action. Managers at all levels are responsible for ensuring that their staff are aware of and adhere to this policy. They are also responsible for ensuring staff are updated regarding any policy changes.

Information Governance Group

The Information Governance Group, led by the Corporate Secretary, will be responsible for overseeing the development and review of the Forensic Readiness Policy and Procedures.

Policy and procedures

4.1 Forensic Readiness Planning

The following ten steps describe the key activities in forensic readiness planning:

1. Define the business scenarios that require digital evidence.
2. Identify available sources and different types of potential evidence.
3. Determine the evidence collection requirement.

4. Establish capability for securely gathering legally admissible evidence to meet the requirement.
5. Establish a procedure for secure storage and handling of potential evidence.
6. Ensure monitoring is targeted to detect and deter major incidents.
7. Specify circumstances when escalation to a full formal investigation (which may use the digital evidence) should be launched.
8. Train staff in incident awareness, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence.
9. Document an evidence-based case describing the incident and its impact.
10. Ensure legal review, where necessary, to facilitate action in response to the incident.

4.2 Forensic Readiness Procedures

If you suspect inappropriate or unauthorised usage of computer equipment, you should report it to your Line Manager and the Corporate Management team at HEE.corporatemanagement@nhs.net. All suspected inappropriate or unauthorised usage will be reported to the HEE SIRO, who will notify other Directors as required.

The Line Manager should make a judgement as to the strength of the case and whether to proceed. Therefore a preliminary business impact assessment should be made, based on whether any of the following are present:

- Evidence of a reported crime.
- Evidence of internal fraud, theft or other loss.
- Required to, or the likelihood of having to, report the matter to the police.
- Estimate of possible damages.
- Potential for embarrassment/reputation loss.
- Any immediate impact on customers, partners or profitability.
- Recovery plans have been enacted or are required.
- The incident is reportable under a compliance regime.

Where a determination has been made to preserve potential computer-based evidence for further investigation, the following must be adhered to:

Computer equipment which is switched on:

- Secure the area containing the equipment.
- Move people away from the computer and power supplies.
- If the computer is attached to the network, disconnect the network cable.
- Do not touch the mouse or keyboard.
- Do not take advice from the computer owner/users.
- Allow any printers to finish printing (as this may constitute further evidence).

Computer equipment which is switched off:

- Do not switch the computer on.
- Secure and take control of the area containing the equipment.
- Allow any printers to finish printing (further evidence may be printing).
- Move people away from any computers and power supplies.
- Confirm visually that the computer is actually switched off; some screen savers can give the appearance that a computer is switched off, but hard drive and monitor lights may indicate that it is switched on.
- Be aware that some laptops may power on when the lid is opened.
- Remove the battery from laptops. For laptops in a docking station, remove the power supply from the docking station and remove the battery from the laptop only if it is possible to do so without undocking.
- Unplug the power supply from the computer. A computer that is apparently switched off may be in sleep mode and may be accessed remotely, allowing the alteration or deletion of data.

If you have to remove equipment before the investigator arrives, the following steps must be performed:

- Record what is on the screen and take a photograph if possible.
- Switch off the computer by pulling the power cable from the computer, not from the power socket (Note: for laptops, remove the battery before pulling the power cable, including if the laptop is in a docking station). When removing the power supply, always remove the end attached to the computer and not the socket. This will avoid data being written to the hard drive if an uninterruptible power device is fitted.
- Label and photograph (if possible) all the components in situ. If no camera is available, draw a sketch plan.

- Label the ports and cables so that the computer can be reconstructed at a later date.
- Carefully remove all the equipment, including docking stations, external hard drives and USB devices, and record their serial numbers (each component will have a separate number).
- Consider asking the user for any passwords and, if these are given, record them accurately, making sure they are appropriately secured.
- Make detailed notes of all actions in relation to the seizure of computer equipment.
- Remove the equipment to a secure location until the investigator arrives.

Further Investigation

The SIRO or other Directors may refer the investigation and evidence on to the police, the NHS Protect Forensic Computing Unit, NHS Protect, or other appropriate technical staff.

Contact Details

Staff who are unsure about best practice in any of these areas, or who may have concerns about existing practice, should seek advice from the Corporate Management team.

Training and Implementation

Training

Training will be provided to ensure relevant staff can effectively fulfil their responsibilities under this Policy. An overview of staff responsibilities under this policy is included within information governance mandatory training as well as at Induction.

Implementation

Upon ratification this policy will be available to all staff via the HEE Intranet. The ratification of the policy will also be communicated to staff via regular corporate communication channels.

Equality Impact Assessment

HEE aims to design and implement its services, policies and measures to meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. We therefore aim to ensure that in both employment and services no individual is discriminated against by reason of their age, race, faith, culture, gender, sexuality, marital status or disability.

Monitoring Compliance

HEE reserves the right to monitor the activity of individuals in relation to the use of data and business sensitive information on all organisation devices, both static and mobile. Any non-compliance with or breach of this policy may be dealt with under HEE's disciplinary procedures as appropriate.

Associated Documents, Further Reading and Contacts

- The Data Protection Act 1998
- ACPO Good Practice Guide for Computer-Based Electronic Evidence
- Freedom of Information Act 2000
- Computer Misuse Act 1990
- The Regulation of Investigatory Powers Act
- Human Rights Act 1998
- Patient Confidentiality Directives
- Caldicott Directives (NHS Executive 1998)
- NHS Protect (NHS Counter Fraud)
- NHS Protect Forensic Computing Unit

Records Management Policy

Version: Version 1
Ratified by: Operational Management Executive Committee (OMEC)
Date ratified: 20 May 2013
Name and Title of originator/author(s): Nicola Wright, Corporate Business Management Lead
Name of responsible Director: Lee Whitehead, Director of People & Communications
Date issued: 12 July 2013
Review date: 2 years from first publication
Target audience: All HEE staff creating and maintaining records.
Document History: Version 1, 7 May 2013: for consideration by Corporate Secretary. Agreed by Lee Whitehead for submission to OMEC.

Document Status

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Executive Summary

HEE's records are its corporate memory, providing evidence of actions and decisions and representing a vital asset to support daily functions and operations. They support policy formation and managerial decision-making, and protect the interests of HEE and its partners, the rights of its staff and members of the public with whom it has dealings. They support consistency, continuity, efficiency and productivity and help HEE to deliver its services in consistent and equitable ways.

This policy sets out HEE's approach to records management. Records management, through the proper control of the content, storage and volume of records, reduces vulnerability to legal challenge or financial loss and promotes best value in terms of human and space resources through greater coordination of information and storage systems.

Contents

1 Introduction 5
2 Purpose 5
3 Scope 5
4 Responsibilities 6
5 Objectives 6
6 Standards to be maintained 7
7 Transfer of records to The National Archives 8
8 Personal Documents 8
9 Equality Impact Assessment 8
10 Education & Training Requirements 8
11 Associated Documents 9
12 References 9
Annex A Procedure for the creation, maintenance and disposal of HEE records 12
Table 1 Summary: Business & Corporate (Non-Health) Records Retention Schedule 14

1. Introduction

1.1. Health Education England (HEE) is dependent on its records to operate efficiently and account for its actions. This policy defines a structure for HEE to ensure adequate records are maintained and that they are managed and controlled effectively and at best value, commensurate with legal, operational and information needs.

2. Purpose

2.1. HEE's records are its corporate memory, providing evidence of actions and decisions and representing a vital asset to support daily functions and operations. They support policy formation and managerial decision-making, and protect the interests of HEE and its partners, the rights of its staff and members of the public with whom it has dealings. They support consistency, continuity, efficiency and productivity and help HEE to deliver its services in consistent and equitable ways.

2.2. Records management, through the proper control of the content, storage and volume of records, reduces vulnerability to legal challenge or financial loss and promotes best value in terms of human and space resources through greater coordination of information and storage systems.

2.3. All HEE records are Public Records under the Public Records Acts 1967 and must be kept in accordance with the following statutory and NHS guidelines:

- Public Records Acts 1958 and 1967
- Data Protection Act 1998
- Freedom of Information Act 2000
- HSC 1999/053 For the Record
- Audit Commission, Setting the Record Straight, 1995
- International Standard on Records Management (ISO 15489)

2.4. Records Management is a core component of business planning and is integrated fully into the annual business planning cycle.

3. Scope

3.1. This policy relates to all records held by HEE relating to information created or received in the course of business and captured in readable form in any medium, providing evidence of the functions, activities and transactions of the organisation. They include:

- Administrative records;
- Records in electronic format; and
- Personal data as defined by the Data Protection Act 1998.

3.2. They do not include copies of documents created by other organisations, such as the Department of Health, kept for reference or for information only.

3.3. All records created in the course of the business of HEE and corporate records are public records under the terms of the Public Records Acts 1958 and 1967. This includes e-mail messages and other electronic records.

4. Responsibilities

4.1. The Chief Executive has overall responsibility for ensuring that records are managed responsibly within the Institute.

4.2. HEE's Corporate Secretary is responsible for day to day co-ordination of records management in the organisation, identifying key corporate records and providing guidance and advice on their management and retention.

4.3. The Senior Leadership Team will be responsible for ensuring that the policy is implemented across HEE.

4.4. It is the responsibility of all staff to ensure that they keep appropriate records of their work and manage those records in keeping with this policy and with any relevant guidance produced by the Institute.

5. Objectives

5.1. There are seven main objectives of this policy.

5.2. Accountability: that adequate records are maintained to account fully and transparently for all actions and decisions, in particular:

- To protect legal and other rights of staff or those affected by those actions
- To facilitate audit or examination
- To provide credible and authoritative evidence

5.3. Quality: that records are complete and accurate, the information they contain is reliable, and their authenticity can be guaranteed.

5.4. Accessibility: that records and the information within them can be efficiently retrieved by those with a legitimate right of access, for as long as the records are held by the organisation.

5.5. Security: that records will be secure from unauthorised or inadvertent alteration or erasure, that access and disclosure will be properly controlled, and that audit trails will track all use and changes. Records will be held in a robust format which remains readable for as long as records are required.

5.6. Retention and disposal: that there are consistent and documented retention and disposal procedures, including provision for permanent preservation of archival records.

5.7. Training: that all staff are made aware of their record-keeping responsibilities through generic and specific training programmes and guidance, and that where significant new systems are introduced, tailored training programmes are put in place to guide staff through the process of change.

5.8. Performance measurement: that the application of records management procedures is regularly monitored against agreed indicators and action taken to improve standards as necessary.

6. Standards to be maintained

6.1. This policy will be implemented by a series of programmes of work which will deliver clear practice and procedures, to include:

6.2. Records creation (Annex A)

- Creation of adequate records to document essential activities;
- Structured information (content management, version control) to facilitate shared systems based on functional requirements;
- Referencing and classification for effective retrieval of accurate information;
- Documented guidelines on creation and use of record systems.

6.3. Records maintenance (Annex A)

- Assignment of responsibilities to protect records from loss or damage over time;
- Access controls to prevent unauthorised access or alteration of records;
- Defined security levels for access to electronic records and procedures to amend access authorisations as appropriate when staff move;
- Tracking systems to control movement/audit use of records;
- Identification and safeguarding of key or vital records;
- Arrangements for business continuity;
- Training and guidance.

6.4. Records disposal (Annex A)

- Systematic retention schedules and procedures for consistent and timely disposal;
- Central storage systems for records requiring long-term retention, to include electronic archiving systems;
- Mechanisms for regular transfer of records designated for permanent preservation to appropriate archives;
- Secure destruction of confidential information, including sensitive personal data.

6.5. Training and guidance

- Inclusion of records management functions in job processes where appropriate;
- Generic and specific guidance on record-keeping standards and procedures;
- Training programmes.

6.6. Performance measurement

- Development of effective indicators and review systems to improve records management standards.

7. Transfer of records to the National Archive (Public Records Office)

7.1. All records produced by HEE, in any media, are public records and, as such, are subject to the Public Records Act. However, not all public records are worthy of permanent preservation after their administrative usefulness has ended.

7.2. The Corporate Secretary will identify and select any notable or precedent cases which are likely to warrant permanent preservation in the National Archive.

8. Personal Documents

8.1. It is recognised that staff will occasionally use their work computers for their own personal use, which is for material not related to the business of HEE.

8.2. Such material must not be stored on the shared file server, but on the hard drive of the individual's PC. It should be understood therefore that this information is not secured, and it is the responsibility of the individual member of staff to organise back-up facilities if this is required.

9. Equality Impact Assessment (EIA)

9.1. This policy applies to all HEE staff irrespective of age, race, colour, religion, disability, nationality, ethnic origin, gender, sexual orientation or marital status, domestic circumstances, social and employment status, HIV status, gender reassignment, political affiliation or trade union membership. In implementing the Records Management policy, HEE will implement reasonable adjustments where appropriate.

10. Education and Training Requirements

10.1. There is an obligation upon every line manager to ensure that staff are informed and instructed with regard to information governance, and that such activities are properly recorded and records maintained.

10.2. As an employee of HEE, you are required to participate in information governance training relevant to you, to read this policy document carefully, and to raise any queries that you may have with your line manager or the Corporate Governance Team.

11. Associated Documentation

- Acceptable use of Mobile Devices & ICT Facilities
- Freedom of Information Publication Scheme
- Information Governance Induction
- Procedure for the creation, maintenance and disposal of HEE records

12. References

- Public Records Acts 1958 and 1967
- Data Protection Act 1998
- Freedom of Information Act 2000
- Audit Commission, Setting the Record Straight, 1995
- International Standard on Records Management (ISO 15489)
- Records Management, NHS Code of Practice, Part 2 (2nd Edition)

1. Annex A: Procedure for the creation, maintenance and disposal of HEE records.

2. Introduction

2.1. The purpose of this document is to provide Health Education England (HEE) employees with clear procedures for the creation, filing and tracking/tracing of electronic and paper corporate records, to enable efficient retrieval and effective records management.

3. Scope

3.1. For the purpose of this procedure, records refer to:

- Corporate and administrative records, including personnel, estates, financial and accounting, and complaints
- Reports and independent enquiries
- Policies and procedures
- Public involvement and consultation
- Regular publications and information for the public
- Communications with the press and media releases

3.2. It relates to records held in any format, both paper and electronic, including e-mails. It does not relate to medical records or patient case notes.

4. Paper Records v Electronic Records

4.1. It is recognised that the majority of corporate documents and records held within HEE will be in electronic format. It makes sense not to use up valuable accommodation storing vast amounts of paper.

4.2. Where documents are filed in both electronic and paper format, the filing and naming conventions must mirror each other. The procedure described for this process therefore refers to both paper and electronic records.

5. Electronic Storage Areas

5.1. Currently HEE utilises a range of Shared Drives operating on different systems in order to store the majority of its electronic records.

5.2. HEE at a national level is seeking to bring its IT facilities under the DH's Open Service system by September. It is recognised that LETBs each work with their own separate systems and servers.

5.3. When utilising Shared Drives, the content, purpose and intended audience of the document must be considered; in the event that access to the document is to be limited, the document creator must ensure that the record is located in a restricted area on the shared drive.

5.4. Use of external web storage or file sharing systems such as GoogleDocs, DropBox, MobileMe, SkyDrive, Box.net etc. is not permitted. HEE have access to SharePoint, which can be granted if you need to be able to share documents with colleagues across sites.

5.5. SharePoint and other authorised applications, such as the intranet and EShare Board Packs, are sharing and dissemination points; they should not be used for the filing of master copies.

6. Filing Structure

6.1. Filing structures must be logical, to enable the quick and efficient filing and retrieval of records when required and to enable implementation of authorised disposal arrangements, i.e. archiving, migration to another format or destruction.

6.2. Requests for the creation of departmental folders and for security permissions to be set up and modified must come from a senior manager within the Directorate/LETB.

7. Referencing & Naming Conventions

7.1. Where a referencing system is used it should be easily understood by staff who create and access electronic or paper documents and records. A simple guide is to think how quickly a new member of staff or a temp could be trained to use the filing system.

7.2. The naming convention should closely reflect the applicable date, the record's content, and the version. Express elements of the name in a structured and predictable order, and locate the most specific information at the beginning of the name and the most general at the end.

7.3. At folder level, folder titles must be subject based and, where applicable, reflect the titles used in corresponding paper filing systems.

7.4. Use of non-specific general titles such as Correspondence or Miscellaneous must be avoided. Where a date is required in the title, show this first in YYMMDD format so that documents are listed chronologically.

7.5. Whilst file and folder names should be descriptive, please keep them as short as possible, e.g. use 1 to 4 words maximum when naming folders/up to 25 characters.

8. Document Version Control

8.1. Some high level corporate documents such as policies and procedures undergo a consultation process and numerous drafts prior to being approved. It is therefore necessary that these documents include a Record Reference Sheet, containing metadata describing at what stage they are within this process and which version the document refers to:

1 Paragraph of the Acceptable Use of Mobile Devices & ICT Facilities refers.

Version:
Ratified by:
Date ratified:
Name and Title of originator/author(s):
Name of responsible Director:
Date issued:
Review date:
Target audience:
Document History:

8.2. The document title must contain within it an indication of which version the document is, starting with V0.00. At each redrafting it should be altered to V0.01, V0.02 and so on, until it has gone through to the final approval stage, at which point it becomes a formal HEE record.

8.3. When the record is next reviewed, for example after a year has elapsed or when a major change is required, the document version must be renamed V2.00 and then changed to V2.01, V2.02 and so on as this version goes through the draft approval process.

9. Filing & Storage of Paper Records

9.1. Paper records and files must be grouped in a logical structure to enable the quick and efficient filing and retrieval of information when required and to enable implementation of authorised disposal arrangements, i.e. archiving or destruction.

9.2. HEE are aiming to meet the NHS's target of 2017 to become a paperless organisation. The use of records management and storage facilities should now be limited to historic information transferred to HEE on 31 March.

9.3. Where required, suitable storage areas must be used to ensure records remain accessible and usable throughout their life cycle. Access must be controlled through a variety of security measures, e.g. authorised access to storage and filing areas, lockable storage areas. Access should not be allocated to just one individual member of staff within HEE.

9.4. Records containing personal data should be stored in line with the guidance given in the Data Protection Act 1998.

10. Retention & Destruction

10.1. It is good practice to review on a regular basis information which is held in individual file directories and filing systems. Files should be retained in line with the minimum retention periods as specified in the NHS Code of Practice: Records Management. An extract covering information relevant to HEE is included within Table 1, below.

10.2. Table 1 provides a non-exhaustive summary of the minimum retention period for each type of non-health record. Records, whatever the media, may be retained for longer than the minimum period. However, records should not ordinarily be retained for more than 30 years. The National Archives (see Note 1 below) should be consulted where a longer period than 30 years is required. HEE should also remember that records containing personal information are subject to the Data Protection Act 1998.

Note 1: An organisation with an existing relationship with an approved Place of Deposit should consult the Place of Deposit in the first instance. Where there is no pre-existing relationship with a Place of Deposit, organisations should consult the National Archives.

Table 1. Summary: Business and Corporate (Non-Health) Records Retention Schedule

TYPE/SUB-TYPE OF RECORD | MINIMUM RETENTION PERIOD | DERIVATION | FINAL ACTION

ADMINISTRATIVE (CORPORATE AND ORGANISATION)

Accident forms | 10 years | | Destroy under confidential conditions
Accident Register (Reporting of Injuries, Diseases and Dangerous Occurrences Register) | 10 years | Reporting of Injuries, Diseases and Dangerous Occurrences (reg 7) | Destroy under confidential conditions
Agendas of Board Meetings, Committees, Sub-Committees (master copies, including associated papers) | 30 years | | See Note 1
Agendas (other) | 2 years | | Destroy under confidential conditions
Annual/Corporate Reports | 3 years | | See Note 1
Parliamentary Questions, MP enquiries | 10 years | | Destroy under confidential conditions. As these documents include all information provided by HEE in response to a PQ (e.g. background note to the Minister, or the Minister may amend the response), all of which may not be used in the response and therefore will not be in the public domain on House of Commons records, they must be destroyed under confidential conditions.
Audit Records (e.g. organisational audits, records audits, systems audits), Internal and External, in any format | 2 years from the date of completion of the audit | | Destroy under confidential conditions

Business Plans, including local delivery plans | 20 years | | Destroy
Complaints: correspondence, investigation and outcomes | 6 years from date of appeal decision | | Destroy under confidential conditions
Complaints: returns made to DH | 6 years from date of decision | | Destroy under confidential conditions
Copyright declaration forms | 6 years | Copyright, Designs & Patents Act 1988 | Destroy under confidential conditions
Diaries (office) | 1 year after the end of the calendar year to which they refer | | Destroy under confidential conditions
Freedom of Information Act requests | 3 years after full disclosure; 10 years if information is redacted or the information requested is not disclosed | | Destroy under confidential conditions
Health & Safety Documentation | 3 years | | Destroy under confidential conditions
History of organisation or predecessors, its organisation and procedures (e.g. establishment order) | 30 years | | See Note 1
Incident forms | 10 years | | Destroy under confidential conditions
Indices (records management): Registry lists of public records marked for permanent preservation, or containing the record of management of public records | 30 years | | See Note 1

Indices (records management): File lists and document lists where public records or their management are not covered | 30 years | | Destroy under confidential conditions
Records/documents relating to any form of litigation | 10 years, or where legal action has commenced, keep as advised by legal representatives | | Destroy under confidential conditions
Manuals: policy and procedure (administrative and strategy documents) | 10 years after life of the system (or superseded) to which the policies or procedures refer | | Destroy (policy documents may have archival value xxx)
Meetings and minutes of papers of major committees and sub-committees (master copies) | 30 years | | See Note 1
Meetings and minutes of papers (other, including reference copies of major committees) | 2 years | | Destroy under confidential conditions
Press Releases | 7 years | | See Note 1
Project Files (over 100,000) on termination, including abandoned or deferred projects | 6 years | | See Note 1
Project files (less than 100,000) on termination | 2 years | | Destroy under confidential conditions
Project team files (summary retained) | 3 years | | Destroy under confidential conditions
Public consultations | 5 years | | Destroy under confidential conditions
Receipts for registered and recorded mail | 2 years following the end of the financial year to which they relate | | Destroy under confidential conditions

77 TYPE/SUB-TYPE OF RECORD Records documenting the archiving, transfer to public records archive or destruction of records MINIMUM RETENNTION DERVIATION FINAL ACTION PERIOD 30 years See Note 1 Reports (major) 30 years See Note 1 Requests for access to records, other than Freedom of Information or Subject Access Requests 6 years after last action Destroy under confidential conditions Requisitions 10 months Destroy under confidential conditions ESTATES Leases the grant of leases, licences and other rights over property Period of the lease plus 12 years Limitation Act 1980 Destroy under confidential conditions Maintenance contracts (routine) 6 years from end of contract Destroy under confidential conditions Other items relating to Estates will not generally be held by HEE but by the landlord of each building occupied. FINANCIAL Accounts annual (final one set only) 30 years See Note 1 Accounts minor records 2 years from completion of audit Destroy under confidential conditions Accounts working papers 3 years from completion of audit Destroy under confidential conditions Advice notes (payment) 18 months Destroy under confidential conditions

78 TYPE/SUB-TYPE OF RECORD Audit Records (internal and external audit) original documents Audit reports internal and external (including management letters, value for money reports and system/final accounts memoranda) MINIMUM RETENNTION PERIOD DERVIATION FINAL ACTION 2 years from completion of audit Destroy under confidential conditions 2 years after formal completion by statutory auditor Destroy under confidential conditions Bank statements 2 years from completion of audit Destroy under confidential conditions BACS records 6 years after year end Destroy under confidential conditions Budgets (including working papers, reports, virements and journals) Contracts financial Contracts non-sealed (property) on termination Contracts non-sealed (other) on termination Creditor payments Expense claims, including travel and subsistence claims and claims and authorisations 2 years from completion of audit Destroy under confidential conditions Approval files 15 years Approved suppliers lists 11 years 6 years after termination of contract 6 years after termination of contract 3 years after end of financial year to which they relate 5 years after end of financial year to which they relate Limitation Act 1980 Limitation Act 1980 Destroy under confidential conditions Destroy under confidential conditions Destroy under confidential conditions Destroy under confidential conditions Destroy under confidential conditions Fraud case files/investigations 6 years Destroy under confidential

79 TYPE/SUB-TYPE OF RECORD Fraud national proactive exercises Funding data Invoices Ledgers PAYE records MINIMUM RETENNTION PERIOD DERVIATION FINAL ACTION conditions 3 years Destroy under confidential conditions 6 years after end of financial year to which they relate 6 years after end of financial year to which they relate 6 years after end of financial year to which they relate 6 years after termination of employment Limitation Act 1980 Limitation Act 1980 Destroy under confidential conditions Destroy under confidential conditions Destroy under confidential conditions Destroy under confidential conditions Payments 6 years after year end Destroy under confidential conditions Payroll (list of staff in the pay of the organisation) 6 years after termination of employment Destroy under confidential conditions. For superannuation purpose, organisation may wish to retain such records until the subject reaches benefit age. Superannuation accounts 10 years Destroy under confidential conditions Superannuation registers 10 years Destroy under confidential conditions Tax forms 6 years Destroy under confidential conditions Wages/salary records 10 years after termination of employment Destroy under confidential conditions.

80 TYPE/SUB-TYPE OF RECORD IM & T Documentation relating to computer programmes written inhouse MINIMUM RETENNTION PERIOD Lifetime of software DERVIATION FINAL ACTION For superannuation purposes, organisations may wish to retain such records until the subject reaches benefit age. Destroy under confidential conditions Software licenses Lifetime of software Destroy under confidential conditions HUMAN RESOURCES Industrial relations (not routine staff matters) including industrial tribunals 10 years Destroy under confidential conditions Job advertisements 1 year Destroy Job applications (successful) 3 years following termination of employment Destroy under confidential conditions Job applications (unsuccessful) 1 year Destroy under confidential conditions Job descriptions 3 years Destroy under confidential conditions Leavers dossiers 6 years after the individual has left Summary to be retained until individual s 70 th birthday or until 6 years after cessation of employment if aged over 70 years at the time. The 6 year retention period is to take into account and ET claims or EL claims that may arise after the employee leaves NHS employment, requests from information from the NHS pensions agency etc. Destroy under confidential conditions

81 TYPE/SUB-TYPE OF RECORD Letters of appointment MINIMUM RETENNTION PERIOD 6 years after employment has terminated or until 70 th birthday, whichever is later DERVIATION Pension forms (all) 7 years HMRC Technical Pensions Notes for registered pension schemes under regulation 18 of SI2006/567 RPSM Scheme Administrator Information Requirements and Administration for General Retention of Records PURCHASING/SUPPLIES Approval files (contracts) 6 years after the year the contract expired FINAL ACTION Destroy under confidential conditions Destroy under confidential conditions Destroy under confidential conditions Approved suppliers lists 11 years Consumer Protection Act 1987 Destroy under confidential conditions Delivery notes Tenders (successful) 2 years after end of financial year to which they relate Tender period plus 6 year limitation period Limitation Act 1980 Destroy under confidential conditions Destroy under confidential conditions Tenders (unsuccessful) 6 years Limitation Act 1980 Destroy under confidential conditions

82 DEALING WITH INFORMATION REQUESTS FROM DEPARTMENT OF HEALTH Version: Version 1 Ratified by: Operational Management Executive Committee (OMEC) Date ratified: 26 September 2013 Name and Title of originator/author(s): Monica Olsson, DH Business Management Lead Name of responsible Director: Lee Whitehead, Director of People & Communications Date issued: 29 October 2013 Review date: 3 years from date of first publication Target audience: HEE staff, DH SDS team, DH staff Document History: Version 1 reviewed by Corporate Secretary

83 Executive Summary The Framework Agreement between the Department of Health (DH) and Health Education England (HEE) requires HEE to provide relevant and accurate information to DH on request and in a timely manner. This policy explains the HEE commitment to dealing with information requests from DH and sets out the process for doing this. The purpose of the process is to:
1) Capture the range of information requests from DH
2) Monitor the response rate and the quality of the information
3) Facilitate regular reviews and
4) Address any potential issues to ensure the requested information is provided as effectively and efficiently as possible.
NB This policy should be read in conjunction with the HEE policy: Dealing with public and parliamentary requests from Department of Health. This policy applies to all HEE staff when dealing with requests from DH staff requiring information, excluding public and parliamentary requests. The process should be used by HEE staff for all communication between HEE and DH in relation to information requests. The DH HEE sponsor team will be made aware of the policy and asked to support the process. The information requests will be logged and monitored by the HEE Corporate Management Team to ensure the process runs smoothly and to enable HEE and DH to work well together. This policy will be reviewed after six months and thereafter on an annual basis to ensure the process is working well. Relevant issues will be addressed as required.

84 Contents Paragraph Page 1 Introduction 4 2 Purpose 4 3 Scope 4 4 Definitions 4 5 Duties 4 6 Dealing with information requests from DH 5 7 Logging and evaluating information requests from DH 5 Flow chart 6 8 Equality Impact Assessment 7 9 Education and Training Requirements 7 10 Monitoring Compliance and Effectiveness 7 11 Associated Documentation/references 8

85 1 Introduction 1.1 This policy explains the standards and the process for Health Education England (HEE) staff dealing with information requests from the Department of Health (DH) and the Department of Health sponsor team relating to non-Public and Parliamentary Accountability (PPA) work. Existing arrangements are in place to cover PPA work and these are described further in several documents including the HEE Dealing with PPA requests from Department of Health policy.
2 Purpose 2.1 The purpose of this policy is to ensure that a robust process is in place for HEE to deal with DH information requests in an effective and efficient manner. The benefits of doing this are to help ensure:
- A positive working relationship with DH and the DH sponsor team
- A good flow of communication within HEE and with DH
- That HEE fulfils its obligations as a model arm's length body
3 Scope 3.1 This policy applies to all HEE staff.
4 Definitions
HEE: Health Education England
DH: Department of Health
DH sponsor team: Designated DH team, overseeing HEE activities
LETBs: Local Education & Training Board(s)
5 Duties 5.1 Within HEE the responsibility for overseeing the process for dealing with non-PPA related information requests from DH rests with the Corporate Management Team. The HEE Briefing Team covers PPA information requests. 5.2 During the first six months of introducing the policy the process will be monitored closely by the Corporate Management Team to ensure its successful implementation across the organisation. Additional information and support for HEE staff will be provided where required.

86 5.3 The Corporate Management Team will maintain an information request log which will be monitored and assessed regularly to provide assurance that the process is functioning well. 5.4 Feedback will be provided to the Director of People and Communications on the effectiveness of the policy and any related issues.

87 6 Dealing with information requests from DH 6.1 For simplicity, DH information requests are categorised in this policy as follows.
A: Public and Parliamentary Accountability requests.
B: All other information requests, for example in relation to policy, governance or management information.
All HEE staff, members of the DH sponsor team and other relevant DH staff will be made aware of the process and its relevance. The process for ensuring that information requests are dealt with as efficiently and effectively as possible is as follows:
Step 1: Determine what type of request it is.
Step 2a: If it is a category A request, it should be forwarded to the HEE Briefing team as soon as possible via the designated PPA mailbox: HEE.Parliamentary@nhs.net
Step 2b: If it is a category B request, deal with it if you are the appropriate person. If not, pass it on to the relevant colleague/team.
Step 3: Copy all relevant communication relating to category B information requests into the designated mailbox: HEE.DHmanagement@nhs.net
Step 4: Make sure the final communication, confirming the closure of the information request, is copied into the designated inbox.
The flowchart on the next page describes these four steps.

88 Flow chart
DH information requests to HEE are categorised as follows:
A: Public and Parliamentary Accountability requests
B: All other requests, including policy, governance, management information etc.
Step 1: A member of staff from DH makes contact by phone or email asking for information. If the request isn't clear, ask for clarification, for example who the originator of the request is, what the information is going to be used for, what the deadline is etc. Don't be afraid to probe until you know what is required.
Category A, Step 2a: Pass PPA requests on to the HEE Briefing team straightaway via the designated PPA mailbox (HEE.Parliamentary@nhs.net). No further action.
Category B, Step 2b: Deal with the request if you are the appropriate person or, if not, pass it on to the colleague/team who deals with the relevant area of work.
Step 3: Copy all relevant communication relating to the request to the designated inbox: HEE.DHmanagement@nhs.net
Step 4: Copy the final communication, confirming the closure of the information request, into the designated inbox: HEE.DHmanagement@nhs.net

89 7 Logging and evaluating information requests from DH to the designated HEE.DHmanagement@nhs.net mailbox 7.1 The designated inbox will be monitored regularly and all requests logged onto an information request log by the Corporate Management team. 7.2 The Corporate Management team will regularly review the information process and log to ascertain how well it is working. 7.3 The Corporate Management team will address any issues that may arise through the appropriate channels and report on progress to the Director of People and Communications. 7.4 Issues arising from the process will be shared with the DH sponsor team as appropriate. 8 Equality Impact Assessment (EIA) 8.1 This policy applies to those listed at paragraph 3.1 irrespective of age, race, colour, religion, disability, nationality, ethnic origin, gender, sexual orientation or marital status, domestic circumstances, social and employment status, HIV status, gender reassignment, political affiliation or trade union membership. In overseeing the process for DH information requests, HEE will treat those concerned in a fair and equitable manner and reasonable adjustments will be made where appropriate. 9 Education and Training Requirements 9.1 The training requirements for effective implementation of the policy are information sharing, by email to the groups identified in section 3.1 above, outlining the process and explaining the reasons for the policy. 9.2 A reminder of the process, and its importance, will be issued by email to the relevant group/s identified in section 3.1 as and when deemed necessary. 9.3 Additional one to one training on the process will be available from the Corporate Management Team where this is required. 9.4 Members of the Corporate Management Team will receive training on use of the information request log as required to ensure it is maintained in a timely and accurate manner.

90 10 Monitoring Compliance and Effectiveness 10.1 Monitoring of compliance with the policy will be carried out by the Corporate Management Team. 10.2 HEE and DH staff will copy any communication regarding DH information requests into a designated DH Management inbox. The information will be recorded onto a DH information request log. The log will be monitored regularly. 10.3 If any discrepancies come to light, the Corporate Management Team will contact the staff concerned, seeking clarification or to remind the individual/s of the policy and process as appropriate. 10.4 If this contact does not resolve the issue, it will be flagged to the responsible manager. If issues persist, they will be flagged to the Director of People and Communications and/or the DH sponsor team as appropriate. Likewise, any issues arising from monitoring the process will be flagged in the same way. 10.5 Any major issues in relation to the policy, i.e. lack of compliance with the policy and the process such as HEE staff not copying correspondence to the DH information request inbox, not responding to emails requesting HEE management information or not meeting requested deadlines, will be recorded by the Corporate Management Team and flagged accordingly. 10.6 Learning will take place by regular monitoring of the log and by seeking feedback from those concerned, as identified in section 3.1 above.
11 Associated Documentation/References 11.1 Framework Agreement between the Department of Health and Health Education England 11.2 HEE Public and Parliamentary Accountability Protocol 11.3 HEE Public and Parliamentary Accountability Policy 11.4 HEE Public and Parliamentary Accountability Guide

91 Procedure for the Development and Management of Policy Documents Version: Version 1 Ratified by: OMEC Date ratified: 15 April 2013 Name and Title of originator/author(s): Mike Jones, Corporate Secretary; Nicola Wright, Corporate Business Management Lead Name of responsible Director: Lee Whitehead, Director of People & Communications Date issued: 12 July 2013 Review date: 3 years from first approval Target audience: All Health Education England employees who develop policies. Document History: Version 1 draft for consideration by OMEC

92 Document Status This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

93 Contents Paragraph Page 1 Introduction 4 2 Development of Policies 4 3 Equality Impact Assessment 4 4 Staff Consultation 5 5 Approval and Authorisation 5 6 Publication 6 7 Effective Date 6 8 Document Control 6 9 Review 7 Annex A HEE Policies 8 Annex B Policy Development and Approval 11 Annex C HEE Policy Template 13

94 1 Introduction 1.1 This procedure sets out how policies, procedures and other documents such as committee standing orders should be originated, maintained and reviewed as part of the governance arrangements for Health Education England (HEE). 1.2 The procedure is intended to ensure consistency and robust standards in the development of policies, timeliness in the provision of information to staff and a clear audit trail for the approval and authority of HEE's policies. 1.3 In this procedure the word policy covers all policies, procedures, codes of practice, standing orders and terms of reference that are approved by HEE and are binding on staff. Annex A provides details of all HEE policies to which this procedure applies. 1.4 This procedure and all policies referenced at Annex A apply equally to HEE, its non-executive directors, executive directors, staff and the governing body members and staff of Local Education & Training Boards (LETBs) which are established as Committees of HEE.
2 Developing policies 2.1 The People & Communications Directorate has responsibility for the development of HEE's policies. The development of any new policy will be recommended to the Operational Management Executive Committee (OMEC) prior to the commencement of drafting and entering the approval process. 2.2 The Corporate Management and HR teams will be responsible for developing policies in accordance with the procedure set out in Annex B. This will include consistency checking across relevant policies. 2.3 Recognised unions have a right to jointly negotiate and to seek agreement on any policy affecting staff terms and conditions and will be involved in the development of those policies through engagement by the HR team.
3 Equalities Impact Assessment 3.1 Under the Equality Act, the need for public bodies in England to undertake or publish an equality impact assessment of their policies, practices and decisions was removed in April 2011 when the 'single equality duty' was introduced. Public bodies must still give "due regard" to the need to avoid discrimination and promote equality of opportunity for all protected groups when making policy decisions and are required to publish information showing how they are complying with this duty.

4 Staff consultation 4.1 All new HR policies and those requiring significant change will be considered by the HEE Partnership Forum, on behalf of all staff, for a period of up to 30 days prior to approval to ensure maximum consultation before final adoption of the policy. 4.2 Corporate policies will be discussed in draft with OMEC which will consider whether general staff consultation is appropriate. 4.3 Following consultation, where substantial comments have been made, amended policies with a summary of comments provided will be referred to OMEC for subsequent consultation. 4.5 Committee Standing Orders and Terms of Reference will be circulated to the relevant team(s) only for comment and will not be circulated to all staff. These will be placed on the intranet and HEE website. 4.6 Where necessary, third party stakeholders such as committee chairs, LETB Chair or LETB Managing Directors may be consulted on specific Corporate policies.
5 Approval and authority 5.1 OMEC will approve all new policies and those requiring significant amendment unless it is otherwise agreed that those policies require approval of the Board or a Committee of the Board. Board approval will be required for any new or substantially changed policy in which the Non-Executive Directors play a part. 5.2 All standing orders will be approved by the Board. These include the Standing Orders, Standing Financial Instructions, Scheme of Delegation for HEE, Scheme of Delegation for LETBs and Committee Terms of Reference. 5.3 HR policies will be considered by OMEC; however final approval will be delegated to the Partnership Group. 5.4 Policies considered fit for purpose at review requiring negligible or no amendment, e.g. a new review date or a drafting amendment with no material impact on the policy, will be approved by the Director of People and Communications.

96 6 Publication 6.1 All current policies will be placed on the HEE website and on the Intranet page (once available). The Corporate Management team will alert staff to the existence of the new or updated policy or procedure. 6.2 It is the responsibility of line managers to seek guidance on the potential implications of a new policy on their area of responsibility. Where necessary, arrangements will be made to brief staff on the implications of the policy on their area of work and, for updated policies, will highlight any significant changes that have been made. 6.3 In selected cases, for significant new policies or where there are important changes to existing policies, the key issues will be featured within staff briefings.
7 Effective date 7.1 The effective date of an updated or new policy will be when it has been given final approval in accordance with this procedure. Where there is no material change the policy will remain current with a new review date approved by the Director of People and Communications. If the policy is not updated by the due date, it will remain current until it is reviewed.
8 Document Control 8.1 The Corporate Management Team will maintain a library cataloguing all policies in use, review dates, all policies replaced and all policies in development. All policies, regardless of their status, will be recorded on this register which will be controlled and maintained by the Corporate Secretary. 8.2 Attached at Annex C is the template to be used for the drafting of HEE policies. The front page of this template clearly identifies the latest version of the policy, a summary of amendments and which documents it replaces. 8.3 Once a draft policy has been ratified or an existing policy is reviewed, all previous versions must be archived. All approved policies must be retained for the lifetime of HEE. The Corporate Secretary is responsible for the safe storage of all approved archived policies. Where it is necessary to retrieve an archived policy, a request should be made to the Corporate Secretary.

97 9 Review 9.1 Policies will normally be reviewed on a 3-year cycle unless otherwise stated. This review may be brought forward on the advice of the Director of People and Communications. 9.2 The OMEC and the Audit Committee will receive a report once a year on policy development.

98 ANNEX A

101 ANNEX B Policy Development and Approval

102 ANNEX C Template for HEE Policies

103 Click here and type policy title Version: Ratified by: Date ratified: Name and Title of originator/author(s): Name of responsible Director: Date issued: Review date: Target audience: Document History:

104 Document Status This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

105 Executive Summary This summary should serve as a quick reference guide to the document, providing an overview of what the policy covers and why it is necessary. The summary should be no more than one single side of A4.

106 Contents Paragraph 1 Introduction 2 Purpose 3 Scope 4 Definitions 5 Duties 6 Main Body of Policy 7 Equality Impact Assessment 8 Implications and Associated Risks 9 Education and Training Requirements 10 Monitoring Compliance and Effectiveness 11 Associated Documentation 12 References Page

107 1 Introduction This section should set the context for the development of the policy document. This section may also include the purpose and scope of the policy document, should these not require a section on their own. 2 Purpose This section should state the purpose of the document including the rationale for development. It should outline the objectives and intended outcomes of the process/system being described. 3 Scope This section should identify the staff groups, services and/or activities covered by the policy document. 4 Definitions This section lists and describes the meaning of the terms used in the context of the document (if considered necessary). These may be included as an appendix if numerous definitions are necessary. 5 Duties This section should give an overview of the individual, departmental and committee duties, including levels of responsibility within the organisation. 6 Main Body of Policy Other sections may be added here as necessary to describe the process/system being described. 7 Equality Impact Assessment (EIA) Under the Equality Act, the need for public bodies in England to undertake or publish an equality impact assessment of their policies, practices and decisions was removed in April 2011 when the 'single equality duty' was introduced. Public bodies must still give "due regard" to the need to avoid discrimination and promote equality of opportunity for all protected groups when making policy decisions and are required to publish information showing how they are complying with this duty. 8 Education and Training Requirements This section should identify any education and training requirements related to the effective implementation of the policy, where relevant. 9 Monitoring Compliance and Effectiveness This section should identify how HEE plans to monitor compliance with the policy. It should include: Who will perform the monitoring? When will monitoring be performed?

108 How is it going to be monitored? What will happen if any discrepancies are identified? Where will the monitoring results be reported? How will learning take place? 10 Associated Documentation Other related HEE procedural documents should be identified here. 11 References

109 Incident Reporting Procedure Version: Version 1 Ratified by: HEE Board Date ratified: 20 March 2014 Name and Title of originator/author(s): Mike Jones, Corporate Secretary Name of responsible Director: Lee Whitehead, Director of People and Communications Date issued: 4th July 2014 Review date: 3 Years from Date of Publication Target audience: HEE Staff Document History: Approved by Exec Team 06/03/2014 Approved by HEE Board 20/03/2014

110 Document Status This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

111 Contents Page Number Introduction 4 Information Security 4 Reporting security incidents 5 Sensitive security incidents 5 Accidental breaches of security 5 Security weaknesses 6 Incident resolution 6 Further information 6 Appendix 1 8 Annex A 10 Annex B 12 Annex C 16

112 Introduction 1. Incident reporting plays a major role in helping HEE maintain a safe and secure working environment. It helps protect the confidentiality, integrity and availability of our information and systems and is an essential element for effective risk management. Analysis of reported incidents will enable the organisation to highlight areas of weakness and, if necessary, take appropriate action to reduce specific threats and vulnerabilities. 2. HEE must demonstrate a commitment to, and delivery of, effective information governance. Incident management is part of this: a process of identification, reporting, investigation, resolution and learning to minimise the risk of incidents reoccurring. 3. All staff members have a responsibility to report information security incidents, whether deliberate or accidental. 4. The procedure outlines the main requirements for incident reporting related to information security only and is designed to ensure core data is recorded, the event is properly reviewed, corrective action is taken as required to minimise the risk of reoccurrence, and there is clarity over accountability and responsibility for actions. 5. Incidents relating to health and safety should be reported in accordance with other relevant guidelines. Any identified fraud should be reported in accordance with the Counter Fraud policy. Information security 6. An information security incident is any actual or potential breach of security which may compromise the confidentiality, integrity or availability of information relating to HEE business that is stored, processed or communicated, whether in hard copy or electronic format. 7. The term security incident covers a wide range of events which can vary considerably and it is therefore not possible to detail every single event. A range of possible security breach types is included at Annex B of this policy. 8. This list may not perfectly describe all possible incident types. Staff must ensure they report any incident where they have a reasonable belief that there is a risk to the security of sensitive personal data or any other type of confidential information.

Reporting security incidents

9. All information security incidents should be reported using the form at Appendix 1 and the following notified: line manager, Corporate Secretary and the HEE Senior Information Risk Owner (SIRO), the Director of People and Communications. The incident report should be emailed to the Corporate Management address: HEE.corporatemanagement@nhs.net. Any incident occurring outside secure office premises should be reported immediately to the Corporate Secretary and the SIRO.

10. Information on the incident should include a description of the data lost or stolen, whether it was held in hard copy or portable media, the quantity (if known), where it was lost and the sensitivity of the data (if known).

11. The Corporate Management Office will retain a central log of all significant security breaches. These will be reported using the Information Governance Toolkit Reporting Tool. The Corporate Secretary will report incidents internally to the Audit Committee and escalate via the SIRO as necessary in accordance with national guidance for reporting on Serious Incidents Requiring Investigation.

Sensitive security incidents

12. Addressing some incidents may be sensitive, especially if colleagues or managers may be incriminated. It is important that the person reporting an incident receives absolute protection and a guarantee of confidentiality even in the event of a false alarm. In these circumstances the provisions of the Whistleblowing policy will apply and the individual identifying the incident should complete the incident report on the person's behalf and forward it direct to the SIRO.

Accidental breaches of security

13. If an individual unintentionally causes a potential breach of security, such as losing their smart card, they should inform their line manager immediately. The reporting procedure detailed below will still apply.

Security weaknesses

14. Staff should report any security weaknesses they observe or suspect, such as staff sharing User IDs and Passwords, including Smartcards, or system administrator privileges given to individuals who do not require them.

15. Staff should not attempt to investigate or prove a suspected security weakness themselves as this could lead to, and be interpreted as, a potential misuse of the system. Instead, any suspected weakness should be reported to their line manager who will notify the Head of IT. The Head of IT will ensure the weakness is reported to the Corporate Secretary and the HEE SIRO, and work to resolve any issue in liaison with regional IT leads, reporting back to give assurance that a resolution has been found.

Incident Management, investigation and reporting

16. Incident management will be overseen by the HEE SIRO and managed by the Corporate Secretary. An audit trail will be kept of events and evidence supporting decisions taken in relation to the incident. Where appropriate, the Information Commissioner, Department of Health and other regulators will be informed, via the IG Incident Reporting Tool, of any incidents that reach IG SIRI severity level 2 (reportable). Relevant data subjects will be informed.

17. Incidents will be investigated in line with national requirements regarding forensic preservation of evidence relating to IG incidents. The HEE SIRO will agree an appropriate Investigating Officer for any incident and ensure that they are supported by any specialist resource required (IG, IT, Records Management). Investigations will include a root cause analysis and identification of lessons learned from the incident. Final reports will be reviewed by the Executive Team for sign-off.

18. Reporting of IG SIRIs will occur in line with national guidance, be included in quality or end of year reports as required and be published on the HEE website.

Incident resolution

19. Once an incident has been dealt with and closed, the individual who reported the incident should be notified of the resolution. This is the responsibility of the designated manager investigating the incident but may be delegated to the individual's line manager.

Further information

20. Further information, including contact details, can be found on the HEE intranet.

Appendix 1 Incident reporting form

Please PRINT all details on this form.
[To be completed by the person who identified the incident or the person reporting on their behalf]
Completing this form does not imply an admission of liability on any person.

Date of incident:
Place of incident:
Time of incident (24 hr. clock):
Name of person reporting incident:
Position:
Tel:
Brief description of incident (brief factual account of what happened):
Brief description of any immediate action taken:
Date form submitted:
Signature:
Name and position of any other staff involved / witnesses [max 2]:
  Name:   Signature:   Position:
  Name:   Signature:   Position:
Date form sent to BPRD:

Incident number:
Date form received:
Incident level:
Report to (tick): Audit Committee / Board / ALB / BSU
Brief description of action taken:
Identify likely cause of incident:
Action to prevent repeat of incident:
Investigating Officer:   Signature:   Date:

Annex A Definition of personal data

1 Personal data is any information which relates to a living individual who can be identified
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

2 This definition should be considered in light of the extent to which the data relates to the individual's privacy in their family life, business or professional capacity.

3 The DH defines sensitive personal data as information that includes the name of an individual, combined with one or more of the following:
- Bank / financial / credit card details
- National Insurance number / Tax, benefit or pension records
- Passport number / information on immigration status
- Travel details (for example at immigration control, or Oyster records)
- Passport number / information on immigration status / personal (non-HEE) travel records
- Health records
- Work record
- Material related to social services (including child protection) or housing case work
- Conviction / prison / court records / evidence
- Other sensitive data defined by s.2 of the Data Protection Act 1998 including information relating to:
  (a) racial or ethnic origin
  (b) political opinions
  (c) religious beliefs or other beliefs of a similar nature
  (d) membership of a trade union
  (e) physical or mental health or condition
  (f) sex life
  (g) the commission or alleged commission by him of any offence
  (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Annex B - Serious Incidents Requiring Investigation Breach Types Defined

These detailed definitions and examples should help IG Incident Reporting Users select the most appropriate Breach Type category when completing the IG SIRI record on the online tool. However, it is recognised that many data incidents will involve elements of one or more of the following categories. For the purpose of reporting, the description which best fits the key characteristic of the incident should be selected.

Breach Type: Lost in Transit
Examples / incidents covered within this definition:
The loss of data (usually in paper format, but may also include CDs, tapes, DVDs or portable media) whilst in transit from one business area to another location. May include data that is:
- Lost by a courier;
- Lost in the general post (i.e. does not arrive at its intended destination);
- Lost whilst on site but in situ between two separate premises / buildings or departments;
- Lost whilst being hand delivered, whether that be by a member of the data controller's staff or a third party acting on their behalf.
Generally speaking, lost in transit would not include data taken home by a member of staff for the purpose of home working or similar (please see lost or stolen hardware and lost or stolen paperwork for more information).

Breach Type: Lost or stolen hardware
The loss of data contained on fixed or portable hardware. May include:
- Lost or stolen laptops;
- Hard-drives;
- Pen-drives;
- Servers;
- Cameras;
- Mobile phones containing personal data;
- Desk-tops / other fixed electronic equipment;
- Imaging equipment containing personal data;
- Tablets;
- Any other portable or fixed devices containing personal data.
The loss or theft could take place on or off a data controller's premises. For example the theft of a laptop from an employee's home or car, or a loss of a portable device whilst travelling on public transport. Unencrypted devices are at particular risk.

Breach Type: Lost or stolen paperwork
The loss of data held in paper format. Would include any paperwork lost or stolen which could be classified as personal data (i.e. is part of a relevant filing system/accessible record). Examples would include:
- medical files;
- letters;
- rotas;
- ward handover sheets;
- employee records.
The loss or theft could take place on or off a data controller's premises, so for example the theft of paperwork from an employee's home or car or a loss whilst they were travelling on public transport would be included in this category. Work diaries may also be included (where the information is arranged in such a way that it could be considered to be an accessible record / relevant filing system).

Breach Type: Disclosed in Error
This category covers information which has been disclosed to the incorrect party or where it has been sent or otherwise provided to an individual or organisation in error. This would include situations where the information itself hasn't actually been accessed. Examples include:
- Letters / correspondence / files sent to the incorrect individual;
- Verbal disclosures made in error (however wilful inappropriate disclosures / disclosures made for personal or financial gain will fall within the s55 aspect of reporting);
- Failure to redact personal data from documentation supplied to third parties;
- Inclusion of information relating to other data subjects in error;
- Emails or faxes sent to the incorrect individual or with the incorrect information attached;
- Failure to blind carbon copy ('bcc') emails;
- Mail merge / batching errors on mass mailing campaigns leading to the incorrect individuals receiving personal data;
- Disclosure of data to a third party contractor / data processor who is not entitled to receive it.

Breach Type: Uploaded to website in error
This category is distinct from disclosure in error as it relates to information added to a website containing personal data which is not suitable for disclosure. It may include:
- Failures to carry out appropriate redactions;
- Uploading the incorrect documentation;
- The failure to remove hidden cells or pivot tables when uploading a spread-sheet;
- Failure to consider / apply FOIA exemptions to personal data.

Breach Type: Non-secure Disposal - hardware
The failure to dispose of hardware containing personal data using appropriate technical and organisational means. It may include:
- Failure to meet the contracting requirements of principle seven when employing a third party processor to carry out the removal / destruction of data;
- Failure to securely wipe data ahead of destruction;
- Failure to securely destroy hardware to appropriate industry standards;
- Re-sale of equipment with personal data still intact / retrievable;
- The provision of hardware for recycling with the data still intact.

Breach Type: Non-secure Disposal - paperwork
The failure to dispose of paperwork containing personal data to an appropriate technical and organisational standard. It may include:
- Failure to meet the contracting requirements of principle seven when employing a third party processor to remove / destroy / recycle paper;
- Failure to use confidential waste destruction facilities (including on site shredding);
- Data sent to landfill / recycling intact (this would include refuse mix-ups in which personal data is placed in the general waste).

Breach Type: Technical security failing (including hacking)
This category concentrates on the technical measures a data controller should take to prevent unauthorised processing and loss of data and would include:
- Failure to appropriately secure systems from inappropriate / malicious access;
- Failure to build website / access portals to appropriate technical standards;
- The storage of data (such as CV3 numbers) alongside other personal identifiers in defiance of industry best practice;
- Failure to protect internal file sources from accidental / unwarranted access (for example failure to secure shared file spaces);
- Failure to implement appropriate controls for remote system access for employees (for example when working from home).
In respect of successful hacking attempts, the ICO's interest is in whether there were adequate technical security controls in place to mitigate this risk.

Breach Type: Corruption or inability to recover electronic data
Avoidable or foreseeable corruption of data, or an issue which otherwise prevents access, which has quantifiable consequences for the affected data subjects (e.g. disruption of care / adverse clinical outcomes), for example:
- The corruption of a file which renders the data inaccessible;
- The inability to recover a file as its method / format of storage is obsolete;
- The loss of a password, encryption key or the poor management of access controls leading to the data becoming inaccessible.

Breach Type: Unauthorised access/disclosure
The offence under section 55 of the DPA - wilful unauthorised access to, or disclosure of, personal data without the consent of the data controller.
Example (1): An employee with admin access to a centralised database of patient details accesses the records of her daughter's new boyfriend to ascertain whether he suffers from any serious medical conditions. The employee has no legitimate business need to view the documentation and is not authorised to do so. On learning that the data subject suffers from a GUM related medical condition, the employee then challenges him about his sexual history.
Example (2): An employee with access to details of patients who have sought treatment following an accident sells the details to a claims company, who then use this information to facilitate lead generation within the personal injury claims market. The employee has no legitimate business need to view the documentation and has committed an offence in both accessing the information and in selling it on.
A recent successful prosecution for a s55 offence:

Breach Type: Other
This category is designed to capture the small number of occasions on which a principle seven breach occurs which does not fall into the aforementioned categories. These may include:
- Failure to decommission a former premises of the data controller by removing the personal data present;
- The sale or recycling of office equipment (such as filing cabinets) later found to contain personal data;
- Inadequate controls around physical employee access to data leading to the insecure storage of files (for example a failure to implement a clear desk policy or a lack of secure cabinets).
This category also covers all aspects of the remaining data protection principles as follows:
- Fair processing;
- Adequacy, relevance and necessity;
- Accuracy;
- Retaining of records;
- Overseas transfers.

Annex C - Assessing the Severity of the Incident

Although the primary factors for assessing the severity level are the numbers of individual data subjects affected, the potential for media interest, and the potential for reputational damage, other factors may indicate that a higher rating is warranted, for example the potential for litigation or significant distress or damage to the data subject(s) and other personal data breaches of the Data Protection Act. As more information becomes available, the IG SIRI level should be re-assessed.

Where the numbers of individuals that are potentially impacted by an incident are unknown, a sensible view of the likely worst case should inform the assessment of the SIRI level. When more accurate information is determined the level should be revised as quickly as possible.

All IG SIRIs entered onto the IG Toolkit Incident Reporting Tool reaching severity level 2 will trigger an automated notification to the Department of Health, Health and Social Care Information Centre and the Information Commissioner's Office in the first instance, and to other regulators as appropriate, reducing the burden on the organisation to do so.

The IG Incident reporting tool works on the following basis when calculating the severity of an incident. There are 2 factors which influence the severity of an IG SIRI: Scale and Sensitivity.

Scale Factors
Whilst any IG SIRI is potentially a very serious matter, the number of individuals that might potentially suffer distress, harm or other detriment is clearly an important factor. The scale (noted under step 1 below) provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.

Sensitivity Factors
Sensitivity in this context may cover a wide range of different considerations and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it. The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of IG SIRIs sensitivity factors may be:
i. Low - reduces the base categorisation
ii. Medium - has no effect on the base categorisation
iii. High - increases the base categorisation

Categorising SIRIs

The IG SIRI category is determined by the context, scale and sensitivity. Every incident can be categorised as level:
1. Confirmed IG SIRI but no need to report to ICO, DH and other central bodies.
2. Confirmed IG SIRI that must be reported to ICO, DH and other central bodies.

A further category of IG SIRI is also possible and should be used in incident closure where it is determined that it was a near miss or the incident is found to have been mistakenly reported:
0. Near miss/non-event. Where an IG SIRI is found not to have occurred, or its severity is reduced due to fortunate events which were not part of pre-planned controls, this should be recorded as a near miss to enable lessons learned activities to take place and appropriate recording of the event.

The following process should be followed to categorise an IG SIRI.

Step 1: Establish the scale of the incident. If this is not known it will be necessary to estimate the maximum potential scale point.

Baseline scale point   Scale
0                      Information about less than 10 individuals
1                      Information about individuals
1                      Information about individuals
2                      Information about individuals
2                      Information about individuals
2                      Information about 501 - 1,000 individuals
3                      Information about 1,001 - 5,000 individuals
3                      Information about 5,001 - 10,000 individuals
3                      Information about 10, ,000 individuals
3                      Information about 100,001 + individuals

Step 2: Identify which sensitivity characteristics may apply; the baseline scale point will adjust accordingly.

Sensitivity Factors (SF) modify the baseline scale as follows.

Low: for each of the following factors reduce the baseline score by 1 (-1 for each)
- No clinical data at risk
- Limited demographic data at risk e.g. address not included, name not included
- Security controls/difficulty to access data partially mitigates risk

Medium: the following factors have no effect on the baseline score (0)
- Basic demographic data at risk e.g. equivalent to telephone directory
- Limited clinical information at risk e.g. clinic attendance, ward handover sheet

High: for each of the following factors increase the baseline score by 1 (+1 for each)
- Detailed clinical information at risk e.g. case notes
- Particularly sensitive information at risk e.g. HIV, STD, Mental Health, Children
- One or more previous incidents of a similar type in past 12 months
- Failure to securely encrypt mobile technology or other obvious security failing
- Celebrity involved or other newsworthy aspects or media interest
- A complaint has been made to the Information Commissioner
- Individuals affected are likely to suffer significant distress or embarrassment
- Individuals affected have been placed at risk of physical harm
- Individuals affected may suffer significant detriment e.g. financial loss
- Incident has incurred or risked incurring a clinical untoward incident

Step 3: Where the adjusted scale indicates that the incident is level 2, the incident will be reported to the ICO and DH automatically via the IG Incident Reporting Tool.

Final Score     Level of SIRI
1 or less       Level 1 IG SIRI (Not Reportable)
2 or more       Level 2 IG SIRI (Reportable)

Example Incident Classifications

A. Health Visitor data inappropriately disclosed in response to an FOI request. Data relating to 292 children, detailing their client and referral references, their ages, an indicator of their level of need, and details of each disability or impairment that led to their being in contact with the health visiting service e.g. autism, chromosomal abnormalities etc.
   Baseline scale factor: 2
   Sensitivity factors:
   -1 Limited demographic data
    0 Limited clinical information
   +1 Particularly sensitive information
   +1 Parents likely to be distressed
   Final scale point 3, so this is a level 2 reportable SIRI.

B. Imaging system supplier has been extracting PID in addition to non-identifying performance data. A range of data items including names and some clinical data and images have been transferred to the USA but are being held securely and no data has been disclosed to a third party.
   Baseline scale factor: 3 (estimated)
   Sensitivity factors:
   -1 Limited demographic data
    0 Limited clinical information
   -1 Data held securely
   +1 Sensitive images
   +1 Data sent to USA deemed newsworthy
   Final scale point 3, so this is a level 2 reportable SIRI.

C. Information about a child and the circumstances of an associated child protection plan has been faxed to the wrong address.
   Baseline scale factor: 0
   Sensitivity factors:
   -1 No clinical data at risk
    0 Basic demographic data
   +1 Sensitive information
   +1 Information may cause distress
   Final scale point 1, so this is a level 1 SIRI and not reportable.

D. Subsequent to incident C the same error is made again and the recipient this time informs the Trust she has complained to the ICO.
   Baseline scale factor: 0
   Sensitivity factors:
   -1 No clinical data at risk
    0 Basic demographic data
   +1 Sensitive information
   +1 Information may cause distress
   +1 Repeat incident
   +1 Complaint to ICO
   Final scale point 3, so this is a level 2 reportable SIRI.

E. Two diaries containing information relating to the care of 240 midwifery patients were stolen from a nurse's car.
   Baseline scale factor: 2
   Sensitivity factors:
    0 Basic demographic data
    0 Limited clinical information
   Final scale point 2, so this is a level 2 reportable SIRI.

F. A member of staff took a ward handover sheet home by mistake and disposed of it in a public waste bin where it was found by a member of the public. 19 individuals' details were included.
   Baseline scale factor: 1
   Sensitivity factors:
   -1 Limited demographic data
    0 Limited clinical information
   +1 Security failure re disposal of data
   Final scale point 1, so this is a level 1 SIRI and not reportable.

G. A filing cabinet containing CDs with personal data relating to several thousand members of staff sent to landfill in error during an office move.
   Baseline scale factor: 3
   Sensitivity factors:
   -1 No clinical data at risk
   -1 Landfill unlikely to be accessed
    0 Basic demographic data
   +1 Security failure (no encryption & poor disposal)
   Final scale point 2, so this is a level 2 reportable SIRI.

H. Loss of an individual's medical records. The records were found to be missing when the patient concerned made a subject access request.
   Baseline scale factor: 0
   Sensitivity factors:
    0 Basic demographic data
   +1 Detailed clinical information
   +1 Patient distressed
   +1 Complaint to ICO
   Final scale point 3, so this is a level 2 reportable SIRI.
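The Step 1 to Step 3 scoring scheme above, written out as an added Python example (not HEE's or the IG Toolkit's own tool). The baseline scale point is taken as an input, since the Step 1 scale bands are not fully legible here; the short factor codes are assumed names for the Step 2 factors, and the worked examples A to H are encoded as constructed inputs so the function can be checked against the page's final scale points. It also shows the re-assessment path (C becoming D) and closure as a level 0 near miss.

```python
"""IG SIRI severity scoring (Annex C, Steps 1-3). Added example, not the IG Toolkit's own code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Step 2 sensitivity factors: code -> (adjustment, description).
# The codes are assumed names chosen for this example; values follow Annex C.
SENSITIVITY_FACTORS: Dict[str, Tuple[int, str]] = {
    # Low: each reduces the baseline score by 1
    "no_clinical_data": (-1, "No clinical data at risk"),
    "limited_demographic": (-1, "Limited demographic data at risk"),
    "access_partially_mitigated": (-1, "Security controls/difficulty to access data partially mitigates risk"),
    # Medium: no effect on the baseline score
    "basic_demographic": (0, "Basic demographic data at risk"),
    "limited_clinical": (0, "Limited clinical information at risk"),
    # High: each increases the baseline score by 1
    "detailed_clinical": (1, "Detailed clinical information at risk"),
    "particularly_sensitive": (1, "Particularly sensitive information at risk"),
    "previous_similar_incident": (1, "One or more previous incidents of a similar type in past 12 months"),
    "obvious_security_failing": (1, "Failure to securely encrypt mobile technology or other obvious security failing"),
    "newsworthy": (1, "Celebrity involved or other newsworthy aspects or media interest"),
    "ico_complaint": (1, "A complaint has been made to the Information Commissioner"),
    "significant_distress": (1, "Individuals affected are likely to suffer significant distress or embarrassment"),
    "physical_harm": (1, "Individuals affected have been placed at risk of physical harm"),
    "significant_detriment": (1, "Individuals affected may suffer significant detriment e.g. financial loss"),
    "clinical_untoward_incident": (1, "Incident has incurred or risked incurring a clinical untoward incident"),
}

NEAR_MISS = 0       # level 0: assigned only at closure, never from the score
NOT_REPORTABLE = 1  # level 1: final score of 1 or less
REPORTABLE = 2      # level 2: final score of 2 or more, auto-notified to ICO/DH by the tool


@dataclass
class SiriAssessment:
    baseline: int
    factors: List[str]
    final_score: int
    level: int

    @property
    def reportable(self) -> bool:
        return self.level == REPORTABLE


def assess_siri(baseline: int, factors: Iterable[str]) -> SiriAssessment:
    """Apply the Step 2 adjustments to a Step 1 baseline and map the result to a Step 3 level."""
    if baseline not in (0, 1, 2, 3):
        raise ValueError(f"baseline scale point must be 0-3, got {baseline}")
    factors = list(factors)
    unknown = sorted(set(factors) - set(SENSITIVITY_FACTORS))
    if unknown:
        raise ValueError(f"unknown sensitivity factor(s): {unknown}")
    if len(set(factors)) != len(factors):
        raise ValueError("each sensitivity factor may be applied only once")
    score = baseline + sum(SENSITIVITY_FACTORS[f][0] for f in factors)
    level = REPORTABLE if score >= 2 else NOT_REPORTABLE
    return SiriAssessment(baseline, factors, score, level)


def reassess(previous: SiriAssessment, new_baseline: int, extra_factors: Iterable[str] = ()) -> SiriAssessment:
    """Re-run the assessment when a better scale estimate or new facts arrive
    (Annex C: the level should be re-assessed as more information becomes available)."""
    return assess_siri(new_baseline, list(previous.factors) + list(extra_factors))


def close_as_near_miss(assessment: SiriAssessment) -> SiriAssessment:
    """Closure outcome for a near miss or a mistakenly reported incident (level 0)."""
    return SiriAssessment(assessment.baseline, assessment.factors, assessment.final_score, NEAR_MISS)


# Annex C worked examples A-H, transcribed here as constructed inputs (baseline, factor codes).
WORKED_EXAMPLES: Dict[str, Tuple[int, List[str]]] = {
    "A": (2, ["limited_demographic", "limited_clinical", "particularly_sensitive", "significant_distress"]),
    "B": (3, ["limited_demographic", "limited_clinical", "access_partially_mitigated",
              "particularly_sensitive", "newsworthy"]),
    "C": (0, ["no_clinical_data", "basic_demographic", "particularly_sensitive", "significant_distress"]),
    "D": (0, ["no_clinical_data", "basic_demographic", "particularly_sensitive", "significant_distress",
              "previous_similar_incident", "ico_complaint"]),
    "E": (2, ["basic_demographic", "limited_clinical"]),
    "F": (1, ["limited_demographic", "limited_clinical", "obvious_security_failing"]),
    "G": (3, ["no_clinical_data", "access_partially_mitigated", "basic_demographic", "obvious_security_failing"]),
    "H": (0, ["basic_demographic", "detailed_clinical", "significant_distress", "ico_complaint"]),
}


def run_worked_examples() -> Dict[str, Tuple[int, int]]:
    """Return {label: (final_score, level)} for the worked examples."""
    results = {}
    for label, (baseline, factors) in WORKED_EXAMPLES.items():
        a = assess_siri(baseline, factors)
        results[label] = (a.final_score, a.level)
    return results


if __name__ == "__main__":
    for label, (score, level) in run_worked_examples().items():
        print(f"{label}: final scale point {score} -> level {level} IG SIRI")
```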

Incident Reporting Policy

Version: Version 1
Ratified by: HEE Board
Date ratified: 20 March 2014
Name and Title of originator/author(s): Mike Jones, Corporate Secretary
Name of responsible Director: Lee Whitehead, Director of People and Communications
Date issued: 07 July 2014
Review date: 2 Years from Date of First Publication
Target audience: HEE Staff
Document History:

Document Status

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Contents

Section   Page
1 Introduction   6
2 Aims and Objectives   6
3 Scope of the policy   9
4 Accountability   9
5 Definition of Terms Used   13
6 Risk Management Structure, Accountabilities and Responsibilities   14
7 Training Needs Analysis   16
8 Equality Impact Assessment   16
9 Implementation, Dissemination and Consultation
10 Monitoring Compliance with and the Effectiveness of Procedural documents
11 Archiving
12 References
13 Associated Documentation   18

1 Introduction

Health Education England (HEE) is committed to ensuring that an incident reporting system is in place as part of its Approach to Risk Management, so that HEE can learn from incidents to improve safety within the organisation. Incidents may occur in any area of the organisation or within commissioned services and may be clinical or non-clinical in nature. Reporting incidents will enable HEE to identify trends and take positive action to prevent or minimise the likelihood of the error or incident recurring in the future.

This policy is one of a set that support the delivery of the organisation's Approach to Risk Management and is underpinned by the following procedures:
- The Incident Management Procedure
- The Investigation Procedure
- The Serious Incident Procedure
- Being Open Policy

Taken together they:
- clarify roles and responsibilities of staff regarding the management of incidents;
- set standards regarding investigation and analysis; and
- set standards regarding the development and implementation of risk reduction strategies.

2 Aims and Objectives

Health Education England aims to be an organisation with a memory, able to learn lessons from its incidents. The objective of this policy is to ensure that HEE manages and investigates all incidents in accordance with best practice, learns and shares lessons from them and takes appropriate action to protect patients, staff, contractors, volunteers and members of the public from harm by:
- recording adverse incidents;
- investigating incidents as appropriate;
- regular monitoring of incident data and appropriate reporting to the Audit Committee;
- timely and effective reporting to statutory agencies;
- promotion of a just and fair culture;
- minimising loss of reputation, or assets;
- ensuring that lessons are learned from incidents to prevent such incidents recurring;
- ensuring that Health Education England complies with current legislation, policies and best practice; and
- providing information to the accountable officer regarding incidents where fraudulent activity is suspected.

The principles underlying Health Education England's approach are given below.

2.1 Ensuring Confidentiality

The incident reporting forms may include patient and staff identifiable information. All information relating to incidents will be stored securely in accordance with the Data Protection Act (1998), and will conform to HEE's Records Management Policy. When sending an incident reporting form or associated documentation through the postal system staff must use a sealed envelope and mark it confidential. Any requests to keep the identity of patients and staff confidential will be respected as far as possible.

2.2 Learning from Incidents

A clinical or non-clinical error, accident or incident, however serious, is rarely caused wilfully. Errors are often caused by a number of factors, including process problems, human factors, individual behaviour and lack of knowledge or skills. Learning from such incidents can only take place when they are reported and investigated in a positive, open and structured way. Determining safe practice is an important part of successful risk management, and moving away from blaming towards learning from incidents will promote a fair and open culture and safe environment throughout the organisation.

HEE wishes to ensure, as far as reasonably practicable, that there is appropriate learning from an incident so that the likelihood of a similar incident happening again is reduced. Incidents will be investigated as appropriate to ascertain the root cause of the problem and to enable HEE to learn from any mistakes to prevent recurrence. Learning from incidents should be shared within the team and throughout HEE.

2.3 Just and Fair Culture

Health Education England is committed to promoting an open and fair culture where staff feel able to report incidents or near misses and learn from mistakes without fear of recrimination. All staff will be encouraged to recognise potential risks and feel supported in the reporting of an event (whether an incident or a near miss) in a fair blame culture. Exceptions to this are where the organisation's policies and guidelines are deliberately breached or there is wilful misconduct or negligence.

3 Scope of the policy

This policy and procedure must be followed by all staff who carry out work for HEE, including while on another organisation's premises, or staff who are injured while travelling during their working hours. This includes staff on temporary or honorary contracts, secondments, pool staff and students. It also applies to volunteers, visitors and contractors.

4 Accountability

4.2 The Chief Executive is responsible for the policy.

4.3 The Audit Committee is responsible for monitoring compliance with the policy and will receive regular reports on incidents reported.

4.4 The Executive Team will monitor the incident reports.

4.5 The Audit Committee will be made aware of reports on incidents reported under the policy to enable trends and patterns to be identified. An annual risk management report will also summarise incidents reported under the policy in the year and identify any trends and lessons learned. The Audit Committee will also be informed on a quarterly basis regarding incidents via a Quarterly Report.

4.6 Chief Executive
The Chief Executive has overall accountability for risk management and the safety of patients, visitors and staff. The Chief Executive is ultimately responsible for ensuring all investigations are dealt with appropriately.

4.7 Directors
Each Director is responsible for:
- ensuring appropriate arrangements are in place for implementing the incident reporting procedure in their areas of responsibility;
- providing help and support to all staff that investigate incidents;
- ensuring that risks identified within their Directorate are acted upon depending on the responsibility grading;
- creating an open and fair culture; and
- escalating adverse events according to the risk rating score.

4.8 Director of Finance
The Director of Finance is the accountable officer for incidents where fraudulent activity is suspected and all such information should be reported to the Director of Finance with immediate effect. In the absence of the Director of Finance such matters may be reported to the Local Counter Fraud Specialist (LCFS) or the National Fraud Reporting line. Please refer to HEE's Counter-Fraud and Anti-Bribery Policy.

4.9 Director of People & Communications
The Director of People & Communications is responsible for ensuring that a robust incident reporting process is in place and will:
- work with colleagues to ensure an integrated approach to patient safety and embed a risk management culture throughout HEE;
- develop a culture of learning lessons from risks, sharing the lessons learned and changing practice as required;
- maintain the Serious Incidents and incident reporting systems;
- be responsible for consistently implementing the organisational arrangements for incident reporting throughout the organisation;
- ensure that all incidents are investigated appropriately in accordance with their severity and are signed off as completed;
- report any patient-centred incident to the National Patient Safety Agency;
- collate data quantitatively and qualitatively for reporting to the Integrated Governance Committee at appropriate intervals, including Learning from Incidents;
- offer advice to managers in the investigation of incidents; and
- offer support to staff during the investigation of incidents.

136 4.10 LETB Managing Directors and Heads of Service LETB Managing Directors and Heads of Service will usually be the investigating manager (see below) and should acknowledge, investigate and provide feedback to staff about incidents that have been reported. They are also responsible for ensuring that: all staff receive relevant training; reporting to RIDDOR is undertaken where necessary; arrangements are put in place to support staff who are involved in an incident (this should not be the lead investigator); where the investigation overlaps with other procedures, e.g. complaints, disciplinary these are dealt with under a separate investigation process; where potentially fraudulent activity is identified as part of the investigation this is reported to the Local Counter Fraud Specialist or through the NHS Fraud and Corruption Reporting Line ( ); and learning is shared in line with the Learning from Experience Policy Staff LETB Managing Directors and Heads of Service are responsible for reviewing the electronic incident forms and processing them for final approval. Staff are responsible for highlighting any risk issues which could warrant further investigation. Any member of staff can complete an incident reporting form. Electronic incident reports are accessible via HEE s intranet page. Paper versions are available in the event that the electronic version is inaccessible. All staff should be fully open and co-operative with any investigation process. Staff are responsible for reporting, completing and grading incidents as soon as possible after the incident. If the member of staff is unable for any reason to complete the form themselves, it is acceptable for a colleague to do so on their behalf Independent Contractors

Independent Contractors are encouraged to report incidents to Health Education England.

5 Definition of Terms Used

There are three main types of incidents, which are defined below:

5.1 Near Miss (Prevented Incident)

A near miss is an incident in which the contributory causes are serious and had the potential to cause serious injury or loss; however, on this occasion a serious injury or loss was prevented (for example, medicine discovered to be out of date and removed). This should be distinguished from a no-harm incident, which is where the incident happened but no harm resulted (for example, out-of-date medicine administered, but the patient suffered no ill effects).

5.2 Incident

An incident is any injury, loss, damage or abuse to staff, patient, visitor, external contractor, student, volunteer or other person, or to property/equipment. Incidents may be caused by any of the following:
- human failure;
- systems failure; or
- a combination of several small mistakes occurring at the same time.

5.3 Serious Incidents (SI)

An SI is an incident where a patient, member of staff or a member of the public has suffered serious injury, major permanent harm or unexpected death on health service premises or other premises where health care is provided. An SI can also be an occasion where actions of health service staff are likely to cause significant public concern. Health Education England has a separate Serious Incident procedure for the management of serious incidents which includes liaison with the NHS Commissioning Board. If staff suspect that an incident is serious they should consult that procedure and liaise with the Governance Lead.

5.4 Information Governance Incident

The definition of an information governance incident is: "Any incident involving the actual or potential loss of personal information that could lead to identity fraud or have other significant impact on individuals should be considered as serious." The above definition applies irrespective of the media involved and includes both loss of electronic media and paper records.

6 Incident Management Structure, Accountabilities and Responsibilities

HEE has an organisational structure in place to help manage and implement risk management systems. This is described below. The Audit Committee and the reporting structures of HEE are designed to work together to ensure a concerted and integrated approach to the management of risk. The primary purpose of risk management is to enable both the organisation as a whole and individuals to deal competently with all key risks, both clinical and non-clinical. Annex A sets out the process for Information Governance Incident Processing.

6.1 The Board

The Board has ultimate responsibility for the management of risk and for agreeing the annual Statement of Internal Control. It receives reports and assurance from the governance committee on the quality and safety of services and assurances of the effectiveness of risk reduction strategies. It has delegated powers to the Executive Team to identify and manage risks on its behalf.

6.2 Audit Committee

The organisation's Audit Committee assists the Board by carrying out a review of the effectiveness of the management of risk activities, providing assurance and an independent overview on risk management.

6.3 Counter Fraud in the NHS

A Counter-Fraud and Anti-Bribery Policy is in place and is available to staff via the intranet.

7 Training Needs Analysis

HEE recognises that learning from incidents is vital to prevent recurrence. Appropriate training or retraining will be provided to affected staff members when necessary. Risk Management training is included in the mandatory Health and Safety training.

8 Monitoring Compliance with and the Effectiveness of Procedural Documents

The final review of all electronic incidents will ensure that investigation and feedback to staff has been carried out. Quarterly reports on incident numbers, trends and themes will be provided to the Audit Committee together with an Annual Report.

9 References

The following guidance and legislation has been used in the development of this policy:
- Seven Steps to Patient Safety, NPSA
- Doing Less Harm, DoH and NPSA, 2001
- An Organisation with a Memory, DoH, 2000
- Building a Safer NHS for Patients: Implementing An Organisation with a Memory, DoH, 2001
- Design for Patient Safety, DoH, 2005
- Safety First: A report for patients, clinicians and healthcare managers, DoH, 2006
- Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR), HSE
- Procedure for the Management of Serious Untoward Incidents (SUIs), NHS Yorkshire and the Humber
- Being Open When Patients are Harmed, NPSA, 2005
- NHSLA Risk Management Standard 5: Learning from Experience
- Standards for Better Health, first (safety) and third (governance) domains, Healthcare Commission

13 Associated Documentation

- HEE's Approach to Risk Management
- Acceptable Use of Mobile Devices and ICT
- Records Management Policy
- Counter-Fraud and Anti-Bribery Policy
- Raising Concerns at Work (Whistleblowing) Policy

Annex A: Information Governance Incident Processing

1. INTRODUCTION

With effect from 01/06/2013, new information governance incident reporting guidelines were established for healthcare organisations and adult social care. The new guidelines differed from the previous regime with the following specific changes:
- A revised incident grading / scoring regime, based on the quantity of data subjects involved in any breach, varied by fixed sensitivity factors.
- The rebadging of serious incidents: formerly Serious Untoward Incident (SUI), now Serious Incident Requiring Investigation (SIRI).
- A revised trigger point for national escalation.
- The introduction of a dedicated IG incident online reporting tool, allied to the IG Toolkit.
- Automated escalation of SIRI-grade incidents (level 2 and above) to the Information Commissioner's Office, Department of Health and other regulators and commissioners.

Although the changes require no adjustment of the existing procedures for incident reporting via the IR-1 mechanism, as dictated in the incident reporting policy, this local procedure was developed to document the approach taken by Health Education England (HEE) in processing IG incidents under the new guidelines. Although this document was authored in October 2013, the process has been effective since the guidelines came into force on 01/06/2013.

2. DUTIES

Staff: Will continue to report IG-related incidents using the standard documentation (Annex B) under HEE's procedure.

Corporate Management Team: Will continue to forward a copy of all IG-related incidents to the IG Team, as soon as possible on receipt.

Corporate Secretary: Will receive copies of IG-related incident reports from Corporate Management and process them under the Local Working Instructions set out in (3) below.

Corporate Business Management Lead / FOI, Data Protection and Briefing Lead: Will provide expert input to assist with the grading of IG-related incidents and deputise for the Corporate Secretary under the Local Working Instructions set out in (3) below when required.

Medical Director / Director of People & Communications (as SIRO) / IG Group: Will provide support to the IG Team as required, including:
- Input on incident grading
- Post-incident action planning & communication
- Input on recurrence prevention measures
- Board-level awareness of SIRI-grade incidents and low-level incident trends

3. LOCAL WORKING INSTRUCTIONS

All Incidents

The Corporate Management Team will receive copies of IG-related incident reports. The Corporate Secretary will assess the report and consider whether it contains all information required to grade the incident. Any deficiencies / omissions in the report will be followed up with the reporting staff / manager named in the report. The incident will be graded under the IG Incident grading methodology from the Guidelines. The incident will be summarised in the incident spreadsheet for presentation to the monthly IG Group meeting.

Level 2 (and higher) SIRI Incidents

On grading any incident at level 2 or higher, the Corporate Secretary will escalate the incident as follows:
- Director of People & Communications (as SIRO): all incidents
- Medical Director: patient-related incidents
- Chief Executive: all incidents

Level 2 or higher incidents will be filed in the online IG Incident Reporting Tool. The incident will be updated online as required as any further investigation or actions are progressed. The incident will be closed online when appropriate, which will trigger automatic publication and escalation. The Corporate Secretary will be the first point of contact for external agencies (ICO etc.) for incident escalation.

Annex B: Department of Health checklist for Information Governance (IG) incidents

For completion where an IG incident is identified as level 1-5 (SI - red), or where an incident is investigated with the view to upgrading the incident. Please refer to the Corporate Secretary for advice on completion of this form.

Unique SI or other incident reference number:
Initial assessment of level of incident (1-5):
Organisation(s) and LETB/Directorates involved:

Required Information (Check)
01 Date, time and location of the incident
02 Confirmation that DH guidelines for incident management are being followed and that disciplinary action will be invoked if appropriate
03 Description of what happened: theft, accidental loss, inappropriate disclosure, procedural failure etc.
04 The number of patients/staff (individual data subjects) whose data is involved and/or the number of records
05 The type of record or data involved and its sensitivity
06 The media (paper, electronic, tape) of the records
07 If electronic media, whether encrypted or not
08 Whether the SI is in the public domain and whether the media (press etc.) are involved or there is a potential for media interest
09 Whether the reputation of an individual, team, an organisation or the NHS as a whole is at risk and whether there are legal implications
10 Whether the Information Commissioner has been or will be notified and if not why not
11 Whether the data subjects have been or will be notified and if not why not
12 Whether the police have been involved
13 Immediate action taken, including whether any staff have been suspended pending the results of the investigation
14 Whether there are any consequent risks of the incident (e.g. patient safety, continuity of treatment etc.) and how these will be managed
15 What steps have been or will be taken to recover records/data (if applicable)
16 What lessons have been learned from the incident and how recurrence will be prevented
17 Whether, and to what degree, any member of staff has been disciplined; if not appropriate, why?
18 Closure of SI only when all aspects, including any disciplinary action taken against staff, are settled.

Notes:

Annex C: Serious Incident Grading Tool

HEE note: the SI grading tool is designed for Trusts, but has sufficient read-across to be relevant to HEE. The tool was prepared prior to April 2013, hence references to organisations now abolished.

Grade 0
Action required: Notification only - it is unclear if a serious incident has occurred. The provider organisation must update the commissioning body/SHA with further information within three working days of a grade 0 incident being notified. If within three working days it is found not to be a serious incident, it can be downgraded with the agreement of the accountable SHA/commissioning body. If a serious incident has occurred it will be regraded as a grade 1 or 2.

Grade 1
Action required: Commissioning bodies will monitor the case and report findings, recommendations and associated action plans to the SHA. The SHA will monitor progress on a quarterly basis with the commissioning body unless earlier discussion is required or the serious incident is re-graded. Comprehensive Investigation: Root Cause Analysis (RCA) required (Level 2 Investigation).
Monitoring required: Local monitoring. The commissioning body and/or SHA will close the incident when it is satisfied the investigation, recommendations and action plan are satisfactory, and local monitoring arrangements are in place and working efficiently. Publish incident details within Annual Reports.
Timescales: Up to 60 working days from the date the incident is notified to the commissioning body/SHA.
Examples of cases:
- Mental Health: deaths in the community
- HCAI outbreaks
- Unavoidable/unexplained death
- Mental health: attempted suicides as inpatients
- Data loss and information security (DH Criteria level 2)
- Poor discharge planning causes harm to patient
- Detained patients who have absconded
- Death or serious injury of staff
- Failure of medical equipment
- Serious fires which result in casualties or major disruption to services
* patients who have received care in the last 6 months

Grade 2
Action required: Case will be monitored by the SHA/commissioning body/LA in conjunction with the provider organisation. The SHA will review findings, recommendations and associated action plans. For Never Events, the commissioning body will be obliged to monitor overall numbers and report these in its annual reporting arrangements. Comprehensive Investigation (RCA Level 2 investigation) (as above) or Independent Investigation (RCA Level 3 Investigation).
Monitoring required: SHA/commissioning body. Incidents involving an independent investigation or inquiry or those considered high risk will continue to be monitored by the SHA/commissioning body or LA until evidence is provided that each action point has been implemented. Incidents involving adult or child abuse are referred to local safeguarding arrangements. Publish quarterly reports.
Timescales: For Independent Investigations allow up to 26 weeks/6 months for completion of the investigation. Extensions can be granted on an individual case-by-case basis by the SHA/commissioning body.
Examples of cases:
- Never Events
- Inpatient suicides (including following absconsion)*
- Data loss and information security (DH Criteria level 3-5)
- Accusation of physical/sexual misconduct or harm is made
- Death of child resulting in serious case review, although PCT report on STEIS
- Homicides following recent contact with mental health services*
* Mental Health incidents should refer to DH guidance: Independent investigation of adverse events in mental health services (2005).

Acceptable use of Mobile Devices and ICT Facilities

Version: Version 3
Ratified by: Operational Management Executive Committee (OMEC)
Date ratified: 24 June 2013
Name and Title of originator/author(s): Nicola Wright, Corporate Business Management Lead
Name of responsible Director: Lee Whitehead, Director of People & Communications
Date issued: 12 July 2013
Review date: 3 years from date of first publication
Target audience: Employees of HEE; HEE Non-Executive Directors; LETB Governing Body members with access to ICT facilities or issued with mobile devices
Document History:
Version : for consideration by Corporate Secretary
Version : incorporated comments from Lee Whitehead for issue to OMEC
Version (NW): incorporated comments from OMEC, for resubmission on


Executive Summary

Health Education England (HEE) provides mobile devices (e.g. mobile telephones, tablets and laptops) and ICT resources for use in conducting its business and relies on effective use of those resources to achieve its objectives. This policy sets out standards for the acceptable use of mobile devices and ICT facilities, for both business and personal use.

The guidance applies to all those who use mobile devices and ICT equipment, facilities or services provided or made available by HEE, including, but not restricted to, desktops, laptops, mobile phones or tablets. For simplicity, wherever the remainder of this policy refers to the use of ICT, it applies to the use of all HEE issued mobile devices or ICT equipment, facilities or services. It also applies to the use and transfer of HEE information. Anyone accessing remote services via mobile devices should bear in mind that use of these carries additional costs to HEE.

ICT should be used with due regard to HEE's guidance on Workstation Health & Safety and risk evaluation and control measures.

Personal use of HEE's ICT is a factor HEE is becoming increasingly aware of, and additional guidance has been produced in this document in order to manage that. A list of dos and don'ts for personal use is included.

Any use of HEE's ICT must comply with the following four principles:
- Principle 1: the use of HEE ICT does not break the law;
- Principle 2: the use of ICT must not risk bringing HEE into disrepute or placing it in a position of liability;
- Principle 3: the use of ICT must not violate any provision set out in this or any other HEE policy or contravene HEE's standards of conduct; and
- Principle 4: the use of ICT must not cause damage or disruption to HEE's systems or business.

Everyone must abide by this policy in order to use HEE ICT, and you agree to do this by logging onto any HEE system. Any breach of this policy will be taken seriously, followed up and may result in disciplinary action.

Contents

Paragraph / Page
1 Introduction 4
2 Purpose 4
3 Scope 4
4 Definitions 4
5 Duties 4
6 Use of HEE Mobile Devices and ICT Facilities 6
7 Personal Use of HEE ICT 9
9 Personal Use of HEE Mobile Devices
Equality Impact Assessment
Education and Training Requirements
Monitoring Compliance and Effectiveness
Associated Documents
References 14

Annexes to follow: 1 September 2013
Annex A Key contacts: ICT
Annex B Use of mobile devices for personal use

1. Introduction

1.1. This policy sets out standards for the acceptable use of mobile devices and ICT facilities, for both business and personal use.

2. Purpose

2.1. The purpose of this policy is to ensure the proper use of HEE's ICT and to make users aware of what HEE deems as acceptable and unacceptable in its use of ICT.

3. Scope

3.1. This policy applies to:
- all employees of HEE;
- HEE Non-Executive Directors;
- LETB Governing Body members with access to ICT facilities or issued with mobile devices;
- third parties (including agency staff), students, trainees, secondees and other staff on placement with HEE; and
- staff of partner organisations with approved access.

4. Definitions

HEE: Health Education England
LETB: Local Education & Training Board(s)
ICT: all HEE issued mobile devices or ICT equipment, facilities, systems or services
Mobile device: laptop, mobile phone, tablet

5. Duties

5.1. Within HEE the responsibility for overseeing the provision of ICT sits within the Corporate Management Team.

During 2013/14 HEE will be in a period of transition, with ICT systems supplied by a range of providers across national and LETB sites. Clarity will emerge during the year as to which systems HEE is using and who is responsible for their provision. Annex A will continue to be updated, informing users of ICT who their key contacts are.

OMEC are responsible for agreeing the Acceptable Use of Mobile Devices and ICT. The Corporate Secretary will alert staff, and others to whom this policy applies, of the existence of a newly approved or updated policy.

6. Use of HEE Mobile Devices and ICT Facilities

6.1. In order to protect you when using any component of HEE ICT for business or personal use, and to ensure proper, secure conduct of HEE's business and operation, it is important that what you are doing complies with the following principles:
- Principle 1: the use of HEE ICT does not break the law;
- Principle 2: the use of ICT must not risk bringing HEE into disrepute or placing it in a position of liability;
- Principle 3: the use of ICT must not violate any provision set out in this or any other HEE policy or contravene HEE's standards of conduct; and
- Principle 4: the use of ICT must not cause damage or disruption to HEE's systems or business.

In relation to business use you must ensure that only information, applications or programmes that you have been authorised to use on HEE's networks are used to develop, support or represent HEE business. You must seek approval to install and use any application on HEE ICT systems. You must not use hosted applications, such as Huddle or Survey Monkey, for business purposes unless authorised. You should be satisfied that use of any of the above does not risk bringing HEE into disrepute.

Principle 1: the use of HEE ICT must not break the law

In some cases, misuse of HEE ICT can constitute a criminal offence. Where HEE believes a criminal offence has taken place it has a duty to inform the police. In such cases, you may be open to prosecution resulting in a custodial sentence, community order or compensation order against you. HEE could also face prosecution. Using HEE's ICT in any way that breaks the law is a serious disciplinary offence which could lead to action against you under HEE's Disciplinary policy and could ultimately lead to your dismissal.

The following non-exhaustive list highlights some of the key current statutes which you should be aware of when using ICT within HEE:
- Obscene Publications Act 1959;
- Protection of Children Act (as amended by Section 84 of the Criminal Justice and Public Order Act 1994);
- Equality Act 2010;
- Defamation Act 1996;
- Copyright, Design and Patents Act 1998;
- Data Protection Act 1990;
- Communications Act 2003;
- Freedom of Information Act 2000; and
- Malicious Communications Act 1988.

At all times anyone issued with a mobile device should comply with legislation regarding the use of mobile phones and devices whilst driving. HEE does not expect anyone with access to mobile devices to take unnecessary action whilst driving and would advise that mobile devices are turned to silent or off whilst driving and any calls returned when it is safe to do so. HEE will not reimburse any fines or other penalties which users of mobile devices incur as a result of being prosecuted under relevant legislation.

Principle 2: the use of HEE ICT facilities must not risk bringing HEE into disrepute or placing it in a position of liability

When you send emails or connect to the internet you will be identified as coming from a HEE electronic address and anything you communicate could be interpreted as representing the views of HEE. Emails leaving HEE, either from nhs.net or xx.hee.nhs.uk, contain a disclosure, but you must ensure that personal views or inappropriate comments are not sent out in emails transmitted from a HEE address or in a call or text message from a HEE telephone or mobile phone.

You should take particular care not to send or say anything that could involve HEE in controversy or criticism or risk placing it in a position of liability that could result in legal action. Emails can be traced and retrieved even if they have been deleted from personal mailboxes, and anything written in an email could be used in evidence in legal proceedings.

Whilst email is widely thought of as an informal means of communicating, if used carelessly it is capable of forming or varying the terms of a contract unintentionally in the same way as a written letter. In some circumstances, a contract could be formed or varied by a telephone conversation. You should take care, particularly when communicating with individuals or organisations outside HEE, not to place HEE in a position whereby it may be bound by an inadvertently formed contract. If you are not sure whether what you intend to say could unwittingly bind HEE to a contract, please ask your line manager or contact the Finance department.

Principle 3: the use of ICT must not violate any provision set out in this or any other HEE policy or contravene HEE's standards of conduct

Our terms and conditions of service place certain requirements on us while carrying out official business. You need to take these requirements into account when using ICT facilities for both business and personal purposes. Principles set out in our corporate policies also need to be considered, in particular:

Offensive Material. Websites containing material capable of causing offence to others, for example sexually explicit or indecent material, must not be accessed, and under no circumstances should such material be downloaded, circulated or printed unless it is legitimately needed for your work, when it should be treated appropriately. Email accounts and personal drives are subject to monitoring and if such material is found, disciplinary action will be taken.

Equality & Diversity. Before sending electronic communications, you should consider both the wording and tone of your message to ensure that neither comes across as intimidating or discourteous. You should take care to ensure that you avoid writing anything that you would not consider using in a face-to-face situation, on the telephone or in an official letter.

Passwords must never be shared with anyone under any circumstances. Sharing your passwords can lead to HEE's security or financial processes being compromised. Password sharing is taken seriously and, where the consequences lead to a more serious issue, could lead to the strongest disciplinary action. You may occasionally need to share your password with technical staff. If this happens, then you must change your password immediately the device is handed back to you.

Conflict of Interest. ICT facilities must not be used in any way that compromises your official position. This includes passing on information acquired in the course of your official duties to further your private interests or the private interests of others. You must not use ICT to disclose without authority any official information which has been communicated in confidence or received in confidence from others. You can find further information in HEE's Code of Practice for Declaring & Dealing with Conflicts of Interest.

Use of Email. There is a presumption that everyone working in HEE will use nhs.net or xx.hee.nhs.uk accounts when sending or receiving email on behalf of HEE. This ensures compliance with Government security and assurance standards with appropriate safeguards and protection in place. Personal email accounts are not acceptable substitutes for you to use.

Principle 4: the use of ICT must not cause damage or disruption to HEE's systems or business

Connection to HEE ICT and systems can be made from a desktop (PC or laptop) at HEE sites or remotely via DH-approved solutions. Mobile devices are also a component of HEE's ICT provision.

Use of external web storage or file sharing systems such as Google Docs, Dropbox, MobileMe, SkyDrive, Box.net etc. is not permitted. HEE has access to SharePoint, which can be granted if you need to be able to share documents with colleagues across sites.

An efficient and robust ICT network is vital if HEE is to deliver its business objectives. Preventing network damage, disruption or overload is everyone's responsibility. Carry out regular housekeeping to help to minimise the risk of overload to the system. In addition:
- Be conscious of security risks if using personal wireless equipment, such as iPads, for HEE business;
- Unauthorised connection or modification to equipment on the network is not permitted;
- You should exit from the Internet when you have finished. Leaving it minimised on your desktop may have a detrimental impact on the service provided to others and the responsiveness of your own ICT services and facilities.

Use your phone and mobile devices with the same consideration as other HEE ICT equipment.

HEE uses the social web to promote and communicate key messages and engage with the public. The social web can be described as popular interactive applications which allow users to create a personal profile and build and maintain links with other users. The term covers personal social networking sites such as Facebook, enterprise social networking sites such as Yammer and Huddle, discussion groups, chat forums, collaboration forums, wikis, blogging and microblogging sites such as Twitter, and media sharing sites such as YouTube and Flickr. You should be aware that all such sites are public and entirely outside HEE's control. There can be no expectation of privacy when posting content. Web content can create a permanent archive and it is unlikely that you will be able to eradicate completely any posting which you might later regret.

Unless otherwise authorised to do so, your social web presence should clearly state that your personal views are being expressed, not those of HEE.

7. Personal Use of HEE ICT

7.1. Reasonable levels of personal use of HEE's ICT are permitted at the absolute discretion of HEE. With busy working lives we do accept that some limited personal use of ICT at work is necessary. This guidance is designed to help you to understand what is and isn't allowed, although you should be aware that the department can decide to deny or amend access permissions at any time. You must note that all guidance about the acceptable use of ICT generally in this policy applies to any personal use of HEE ICT.

HEE may limit or deny access to internet services for personal use, such as internet banking, personal webmail and social networking, to maintain business use of the Internet or for any other reason at its absolute discretion.

Personal use specifically must not:
- Be excessive or interfere with official duties;
- Add significantly to the running costs of HEE (see para 6.7).

7.4. The following points underpin these two principles:
- Personal use is not a right and must be exercised with discretion;
- HEE does not accept any liability for loss, damage or claims arising out of personal use of ICT facilities. This includes any charges or loss incurred in relation to personal purchases or financial transactions using ICT facilities, such as circumstances where, due to a computer or system problem, any transaction is not completed, or where a transaction does not successfully pass out through the Department's network. The responsibility for ensuring that personal transactions made using ICT facilities have been completed rests with the individual;
- HEE retains the right to prohibit your personal use of ICT facilities without warning or consultation and may block access to particular websites;
- Failure to comply with this guidance or any other internal HEE policies could result in disciplinary action and/or legal action against you and/or HEE;
- HEE does not provide a secure transaction system for any information passed, or purchase made, for personal use;
- If you create, send, or import personal information onto HEE ICT, this is entirely at your own risk;
- HEE accepts no liability for any loss or detriment suffered by you through personal use of HEE's ICT.

Line managers are responsible for ensuring that their staff do not abuse personal use of HEE's ICT; however, you remain personally accountable for adhering to this policy.

The following activities are not permitted:
- On-line gambling;
- Operating a personal or freelance business;
- Participating in chain schemes (such as pyramid selling);
- Undertaking any form of share dealing;
- Selling of any items in any form, including internet auction sites such as eBay;
- Participating in political activities;
- Sending or forwarding of controversial jokes, images or text;
- Circulating chain or hoax letters, or any other kind of unsolicited or inappropriate emails, to outside organisations or individuals or other Departmental staff;
- Downloading, circulating or storing of non-business related video clips, animated graphics, audio or music clips (e.g. MP3) on Departmental ICT facilities. If you receive material of this nature, you should not pass it on but delete it. If the sender is a personal friend or colleague, you should notify them that you do not wish to receive such mail in future;
- Streaming internet radio, as this significantly affects bandwidth;
- Accessing sites that support playing or downloading video games, computer games or electronic games;
- Circulating non-business related material to large numbers of people;
- Using corporate credit cards online to pay for any personal items;
- Printing of large quantities of personal material;
- Downloading of software to desktop and laptop PCs. This includes any online shopping transactions requiring you to download software or a program before proceeding. This is to protect the Department's system from potential viruses and disruption to individual PCs and the network.

7.8. The following activities are permitted, but must be kept to a minimum:
- On-line shopping. Occasional on-line shopping is permitted. However, it is your responsibility to satisfy yourself that the vendor is reputable and has adequate security measures in place to protect your personal information, for example credit card details. You are advised to familiarise yourself with their security measures before proceeding;
- Online banking. On-line banking is permitted, but you are advised to familiarise yourself with your bank's security measures before proceeding;
- Online email (webmail) such as Hotmail or Google Mail. Occasional personal use is permitted; however, you must not use it to conduct HEE business;
- Use of the social web (such as Facebook, Twitter etc.) is permitted for occasional use and should normally be accessed outside of core hours on a limited basis;
- You may make occasional personal use of HEE software packages, for example to prepare and print simple 1-2 page documents;
- Unless it is in the context of your work, you should keep any access to the Internet to check the latest position on regular or one-off events to a minimum. This includes sporting tournaments, for example. It is important to remember that at any one time, you may not be the only person accessing a particular site;
- Personal material should not be stored for longer than one month on HEE ICT facilities.

7.9. If sending personal e-mails from HEE e-mail addresses, the following points should be noted:
- If you use your HEE e-mail account to send personal e-mails it will be identified as coming from a HEE address, and anything you write could be interpreted as representing the views of HEE (see Principle 2 above);
- Particular care should be taken to ensure that you do not send anything that could involve HEE in controversy or criticism, or risk placing it in a position of liability that could result in legal action;
- If you receive e-mails containing such information, you should delete them immediately. If the sender is a personal friend or colleague, please explain the position to them so they do not send you more like this in the future. You should avoid responding to mail from unknown sources.

Personal use must be kept to a minimum. Unauthorised or excessive personal use during paid working hours amounts to misuse of official time and is regarded as a disciplinary offence.

8. Personal Use of Mobile Devices

8.1. Personal use of HEE issued mobile devices is likely to incur additional cost to HEE. If you are in possession of a HEE issued mobile device and wish to use the device for non-HEE related activity, HEE requests that you register your interest in doing so (Annex B).

From 1 September 2013, personal users of HEE mobile devices will be asked to contribute, via salary deduction by payroll, £20 per month for heavy use and £10 per month for regular use of each mobile device they are issued with. Monthly mobile phone bills from network providers will be reviewed at random and compared to users' declarations regarding personal use. From time to time this may mean that we advise you to either change your usage plan or review and amend your personal use.

As a guide, it is estimated that a typical smartphone user in the UK will consume around 10MB of data per day. This is equivalent to 300MB per month, which is approximately:
- ,000 basic webpages (mainly text);
- ,000 rich webpages (multi-media);
- ,000 basic e-mails (text only);
- rich e-mails (with attachments);
- songs;
- hours of Skype voice calls;
- hour of Skype video calls;
- hours listening to radio online; or
- Downloading/updating 50 apps.

8.4. We would therefore classify heavy and regular use as:
- Heavy Use: in excess of 300MB of data; over 1.5 hours of personal voice calls and up to 500 text messages; and
- Regular Use: up to 300MB of data; up to 1.5 hours of personal voice calls and below 200 text messages.

8.5. If you choose not to use your HEE issued mobile device for personal use, this will not restrict you from making acceptable levels of personal calls from the device, e.g. if a meeting has over-run and impacts upon domestic arrangements that you need to communicate to someone. Calls of this nature should be infrequent and less than 5 minutes in duration.

Where available, Wi-Fi connections should be used rather than the in-built 3G connections.

Personal use is granted at the discretion of HEE and it is not a contractual right. Should use of mobile devices for personal use become unmanageable or too costly, HEE will review this policy and the privilege of personal use may be withdrawn.

9. Equality Impact Assessment (EIA)

9.1. This policy applies to those listed at paragraph 3.1 irrespective of age, race, colour, religion, disability, nationality, ethnic origin, gender, sexual orientation or marital status, domestic circumstances, social and employment status, HIV status, gender reassignment, political affiliation or trade union membership. In overseeing the acceptable use of mobile devices and ICT, HEE will treat those concerned in a fair and equitable manner, and reasonable adjustments will be made where appropriate.

10. Education and Training Requirements

To promote and encourage the best use of ICT, HEE provides a range of training and resources. Upon joining HEE your training requirements in respect of ICT should be considered with your line manager, and further issues raised during the annual and quarterly appraisal review process.

11. Monitoring Compliance and Effectiveness

ICT equipment and programmes, and the information generated and stored on them, as with all other assets, are the property of HEE. HEE therefore reserves the right to monitor and record use of these facilities to ensure compliance with the policy on appropriate use of ICT. You should not therefore have any expectation of 'privacy' in relation to accessing websites or personal correspondence or messages sent via the Intranet or Internet, as these will

be subject to the same checking procedures applied to business-related access and correspondence. The contents of drives and directories may also be read during routine monitoring checks.

If, in the course of carrying out routine checks, HEE has concerns about the level of personal use, or if material is discovered that contravenes this guidance, then your line manager will be informed, as will the appropriate section within Human Resources (HR). In cases where serious contravention of the policy is suspected, the evidence will be shared with HR, who will consider appropriate action.

It is recognised that some business areas have a genuine business need to access sites that may show up as 'inappropriate' on routine monitoring checks. In these circumstances, line managers need to be aware that they could still be asked to verify that access to such sites is business related.

12. Associated Documentation
- Health & Safety Policy
- Workstation Health & Safety, including workstation assessment form
- Information Governance Policy
- Disciplinary Policy
- Records Management Policy

13. References

Obscene Publications Act 1959: under this Act it is a criminal offence to 'publish' (download, transmit or forward) material that may be considered 'obscene'.

Protection of Children Act 1978 (as amended by Section 84 of the Criminal Justice and Public Order Act 1994): under the Protection of Children Act 1978, it is a criminal offence to take, distribute, show or have in one's possession any indecent photograph or pseudo-photograph of a child. This includes an image on screen, whether or not the image was downloaded. Material passing over the Internet is subject to the same laws as material being distributed by other means: what is illegal off-line is illegal on-line.

Equality Act 2010: the 2010 Equality Act covers nine protected characteristics, namely age, disability, sex, gender reassignment, pregnancy and maternity, race, sexual orientation, religion or belief, and marriage and civil partnership. As an equal opportunities employer, HEE is committed to treating all staff fairly and responsibly. Employees and other users of ICT facilities should not be discriminated against, either directly or indirectly, on such grounds as race, colour, ethnic or national origin, sex, marital or civil partnership status,

responsibility for children or other dependants, disability, sexual orientation, religious or political beliefs. Remarks sent by e-mail, including jokes or quips, can amount to harassment and could form the basis for complaints of discrimination under the above Acts. Deliberately searching for, soliciting or circulating any form of discriminatory material or views contravenes HEE's commitment to Equality and Diversity.

Defamation Act 1996: defamation occurs where a person makes a statement (oral or written) about another person that is either untrue or is not an expression of fair comment. Where a statement is intended to damage that person's reputation in the eyes of other people it may be defamatory. Adverse comments (perhaps sent in the heat of the moment), for example about someone's professional competence, or salacious gossip about somebody's personal life, which may not be true, could amount to defamation and make the author of the statement and HEE liable to civil proceedings. You should therefore take care when composing e-mails to ensure that you do not make defamatory remarks.

Copyright, Designs and Patents Act 1988: copyright applies equally to material on the Internet as it does to hard copy. Many websites contain a copyright notice detailing how the material they contain may be used. Often this is in the form of a hyperlink from a short copyright notice to a more detailed statement of what is permitted. If no copyright notice is provided, it is not safe to assume anything. If you want to print out a web page or attachment, or copy and paste anything from a web page or attachment into a document of your own, you should obtain the permission of the copyright owner. For any use beyond everyday web-browsing, permission should be obtained. A good starting point is to check the Terms and Conditions of use which appear on the website. If there isn't one, then use the 'Contact us' or 'About us' section to find an address for the website and then send an e-mail. Where permission has not been granted, individuals and HEE could be liable for copyright infringement if the copyright owner takes civil proceedings.

Data Protection Act 1998: the Data Protection Act protects individuals' rights in relation to their personal data. If you process personal data, which includes storing it on your PC or sending it via e-mail, you must ensure that you comply with the requirements that the Act places on HEE. This includes keeping data up-to-date, not keeping any more personal data than is necessary for your purpose, respecting the rights of data subjects and ensuring that you have adequate security measures in place to protect the data, e.g. passwords and protection for personal data in transit.

13.8. HEE has access to encryption software to protect sensitive information. Unencrypted laptops, CDs, DVDs, USB or other storage devices holding personal data must not be taken outside secured office premises.

13.9. Sending personal information on the Internet or via e-mail is inherently insecure and might breach the Data Protection Act. You should not send personal information, including photographs, about any other person by e-mail or place it on the Internet, unless you either have the written consent of the person concerned or you have made sure that it is legal under the Data Protection Act to publish the information. You must not send any personal information via e-mail to a country outside the European Economic Area, nor place personal information on a Web site, without the written consent of the individual concerned (see further information on the Information Commissioner's website).

Computer Misuse Act 1990: the Computer Misuse Act covers a number of criminal offences such as hacking. For example, it is an offence to knowingly obtain unauthorised access to a system. It is a more serious offence to obtain such unauthorised access with the intention to modify data or programs, either permanently or temporarily. It is also an offence to release a virus or deliberately cause disruption to any other computer user's service or facilities. HEE could be held liable for the acts of someone who causes damage to a third party as a result of negligent virus transmission. Remember, if you receive an e-mail which you suspect may contain a virus, DO NOT open it or forward it to others. Contact your local IT helpdesk.

Communications Act 2003 s.127: the relevant part of this Act states that a person is guilty of an offence if he sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; and also, under s.127(2), if he sends a message that he knows to be false, or causes such a message to be sent, and causes annoyance, inconvenience or needless anxiety to another.

Malicious Communications Act 1988 s.1: the relevant part of this Act states that a person is guilty if they send to another a letter or electronic communication which conveys a message which is indecent or grossly offensive, a threat, or information which is false and known or believed to be false by the sender, or any electronic communication which is grossly offensive. The above two offences cover use of text messages, telephone messages and voicemails.

International Laws: care should be taken when sending international messages, which will be subject to the law of other jurisdictions.

Personal social media: there are countless examples of personal social media and the list frequently changes. You should be aware that such websites are open to the public, and you should not reveal too many details about yourself or your work. You should be wary of approaches from people you do not know or from their contacts. Social media websites are becoming the vehicle of choice for web scammers and criminals. Such people are adept at harvesting personal information from such sites to help them steal identities or infect computers.

Counter-Fraud and Anti-Bribery Policy
Version: Version 2
Ratified by: HEE Board
Date ratified: 8 October
Name and Title of originator/author(s): Nicola Wright, Corporate Business Management Lead; Jason Lander, Finance
Name of responsible Director: Steve Clarke, Director of Finance
Date issued: 29 October 2013
Review date: 3 years from date of first publication
Target audience: HEE Staff
Document History: Version 1: for Audit Committee review prior to Board approval. Version 2: amended following Audit Committee comments.

Document Status
This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Contents
Paragraph / Page
1 Introduction 4
2 Scope 4
3 Policy 5
4 Gifts & Hospitality 7
5 Sponsorship 7
6 Definitions 7
7 Public Service Values 8
8 Roles & Responsibilities 9
9 Training
10 Reporting Fraud and Bribery
11 Monitoring Effectiveness
12 Additional Information
13 Related Policies 18

1. INTRODUCTION

1.1. This document sets out Health Education England's policy and advice to employees in dealing with fraud or suspected fraud. This policy details the arrangements made in the organisation for such concerns to be raised by employees or members of the public.

Health Education England (HEE) does not tolerate fraud and bribery. The intention is to eliminate all fraud and bribery as far as possible. The aim of the policy and procedure is to protect the property and finances of HEE.

HEE is committed to taking all necessary steps to counter fraud and bribery. To meet its objectives, it has adopted the seven-stage approach developed by NHS Protect:
1) the creation of an anti-fraud culture
2) maximum deterrence of fraud
3) successful prevention of fraud which cannot be deterred
4) prompt detection of fraud which cannot be prevented
5) professional investigation of detected fraud
6) effective sanctions, including appropriate legal action against people committing fraud and bribery, and
7) effective methods of seeking redress in respect of money defrauded.

HEE will take all necessary steps to counter fraud and bribery in accordance with this policy, the NHS Counter Fraud and Corruption Manual, the policy statement 'Applying Appropriate Sanctions Consistently' published by NHS Protect and any other relevant guidance or advice issued by NHS Protect.

This document sets out the organisation's policy for dealing with detected or suspected fraud and bribery, incorporated in the Secretary of State for Health's Directions to NHS Bodies on Counter Fraud Measures that were issued in November.

2. SCOPE

2.1. This policy relates to all forms of fraud and bribery and is intended to provide direction and help to anyone who may identify suspected fraud. It provides a framework for responding to suspicions of fraud, advice and information on various aspects of fraud and the implications of an investigation. It is not intended to provide a comprehensive approach to preventing and detecting fraud and bribery. The overall aims of this policy are to:
- improve the knowledge and understanding of everyone working for HEE, irrespective of their position, about the risk of fraud and bribery within the organisation and its unacceptability
- assist in promoting a climate of openness and a culture and environment where people feel able to raise concerns sensibly and responsibly

- set out the responsibilities of HEE in terms of the deterrence, prevention, detection and investigation of fraud and bribery
- ensure the appropriate sanctions are considered following an investigation, which may include any or all of the following:
  o criminal prosecution
  o civil prosecution
  o internal/external disciplinary action (including professional/regulatory bodies)

2.2. This policy applies to all employees of HEE, regardless of position held, as well as Board members, consultants, temporary and agency staff, committee members, contractors, and/or any other parties who have a business relationship with HEE. It will be brought to the attention of all employees and form part of the induction process for new staff. It is incumbent on all of the above to report any concerns they may have concerning fraud and bribery.

3. POLICY

3.1. All employees have a personal responsibility to protect the assets of HEE, including all buildings, equipment and monies, from fraud, theft or bribery.

HEE is absolutely committed to maintaining an honest, open and well-intentioned atmosphere within the organisation, so as to best fulfil the objectives of HEE and of the NHS. It is, therefore, also committed to the elimination of fraud within HEE, to the rigorous investigation of any such allegations and to taking appropriate action against wrongdoers, including possible criminal prosecution, as well as undertaking steps to recover any assets lost as a result of fraud.

HEE wishes to encourage anyone having reasonable suspicions of fraud to report them. The policy, which will be rigorously enforced, is that no individual will suffer any detrimental treatment as a result of reporting reasonably held suspicions. The Public Interest Disclosure Act 1998 came into force in July 1999 and gives statutory protection, within defined parameters, to staff who make disclosures about a range of subjects, including fraud and bribery, which they believe to be happening within the organisation employing them. Within this context, 'reasonably held' means suspicions other than those which are raised maliciously and are subsequently found to be groundless.

Any unfounded or malicious allegations will be subject to a full investigation and appropriate disciplinary action in accordance with HEE policies.

HEE expects anyone having reasonable suspicions of fraud to report them. It recognises that, while cases of theft are usually obvious, there may initially only be a suspicion regarding potential fraud and, thus, employees should report the matter to their Local Counter Fraud Specialist, who will then ensure that procedures are followed.

3.6. Bribing anybody is absolutely prohibited. HEE employees will not pay a bribe to anybody. This means that you will not offer, promise, reward in any way or give a financial or other advantage to any person in order to induce that person to perform his/her function or activities improperly. It does not matter whether the other person is a UK or foreign public official, private individual, private or public sector employee or any other person (including creating the appearance of an effort to improperly influence another person).

Off-the-book accounts and false or deceptive booking entries are strictly prohibited. All gifts, payments or any other contribution, whether in cash or in kind, shall be documented, regularly reviewed, and properly accounted for by HEE. Record retention and archival policy must be consistent with HEE accounting standards, tax and other applicable laws and regulations.

HEE procures goods and services ethically and transparently, with quality, price and value for money determining the successful supplier/contractor, not the receiving (or offering) of improper benefits. HEE will not engage in any form of bribery, neither in the UK nor abroad. HEE and all employees, independent of their grade and position, shall at all times comply with the Bribery Act 2010 and with this policy.

HEE may, in certain circumstances, be held responsible for acts of bribery committed by intermediaries acting on its behalf, such as subsidiaries, clients, business partners, contractors, suppliers, agents, advisors, consultants or other third parties. The use of intermediaries for the purpose of committing acts of bribery is prohibited.

All intermediaries shall be selected with care, and all agreements with intermediaries shall be concluded under terms that are in line with this policy. HEE will contractually require its agents and other intermediaries to comply with the Counter-Fraud and Anti-Bribery Policy and to keep proper books and records available for inspection by HEE, auditors or investigating authorities. Agreements with agents and other intermediaries shall at all times provide for the necessary contractual mechanisms to enforce compliance with the anti-bribery regime. HEE will monitor performance and, in case of non-compliance, require the correction of deficiencies, apply sanctions, or eventually terminate the agreement, even if this may result in a loss of business.

Where HEE is engaged in commercial activity (irrespective of what happens to the profit) it could be considered guilty of a corporate bribery offence if an employee, agent, subsidiary or any other person acting on its behalf bribes another person intending to obtain or retain business or an advantage in the conduct of business for HEE, and it cannot demonstrate that it has adequate procedures in place to prevent such bribery. HEE does not tolerate any bribery on its behalf, even if this might result in a loss of business for it. Criminal liability must be prevented at all times.

3.12. Recovery of any losses will always be sought.

4. GIFTS AND HOSPITALITY

4.1. Courtesy gifts and hospitality must not be given or received in return for services provided or to obtain or retain business, but shall be handled openly and unconditionally as a gesture of esteem and goodwill only. Gifts and hospitality shall always be of symbolic value, appropriate and proportionate in the circumstances, and consistent with local customs and practices. They shall not be made in cash. Please refer to the HEE Gifts and Hospitality policy and register for more guidance.

5. SPONSORING

5.1. Sponsoring means any contribution in money or in kind by HEE towards an event organised by a third party in return for the opportunity to raise the organisation's profile. All sponsoring contributions must be transparent, pursuant to a written agreement, for legitimate business purposes, and proportionate to the consideration offered by the event host. They may not be made towards events organised by individuals or organisations that have goals incompatible with the organisation's ethical standards or that would damage the reputation of HEE. All sponsorships will be publicly disclosed.

Where commercial sponsorship is used to fund HEE training events, training materials and general meetings, the sponsorship must be transparent, pursuant to a written agreement, for legitimate business purposes, and proportionate to the occasion. Where meetings are sponsored by external sources, that fact must be disclosed in the papers relating to the meeting and in any published minutes/proceedings.

6. DEFINITIONS

6.1. Fraud: any person who dishonestly makes a false representation to make a gain for himself or another, or dishonestly fails to disclose to another person information which he is under a legal duty to disclose, or commits fraud by abuse of position, including any offence as defined in the Fraud Act. Appendix B is a summary of the Fraud Act.

Bribery: inducement for an action which is illegal, unethical or a breach of Institute. Inducements can take the form of gifts, loans, fees, rewards or other advantages. Appendix C is a summary of the Bribery Act. This can be broadly defined as the offering or acceptance of inducements, gifts, favours, payment or benefit-in-kind which may influence the action of any person. Bribery does not always result in a loss. The corrupt person may not benefit directly from their deeds; however, they may be unreasonably using their position to give some advantage to another. It is a common law offence of bribery to bribe

the holder of a public office, and it is similarly an offence for the office holder to accept a bribe.

HEE has procedures in place that reduce the likelihood of fraud occurring. These include Standing Orders, Standing Financial Instructions, documented procedures, a system of internal control (including Internal and External Audit) and a system of risk assessment. In addition, HEE seeks to ensure that a comprehensive anti-fraud and bribery culture exists throughout the organisation via the appointment of a dedicated Local Counter Fraud Specialist, in accordance with the NHS Secretary of State's Directions to NHS Bodies on Counter Fraud Measures that were re-issued in November. It is expected that Non-Executive Directors and staff at all levels will lead by example in acting with the utmost integrity and ensuring adherence to all relevant regulations, policies and procedures.

7. PUBLIC SERVICE VALUES

7.1. High standards of corporate and personal conduct, based on the recognition that patients come first, have been a requirement throughout the NHS since its inception. The three fundamental public service values are:
- Accountability
- Probity
- Openness

Everything done by those who work at HEE must be able to stand the tests of parliamentary scrutiny, public judgements on propriety and professional codes of conduct. Absolute honesty and integrity should be exercised in dealing with NHS patients, assets, employees, suppliers, contractors and customers. The actions of HEE should be sufficiently public and transparent to promote confidence between HEE and its patients, our employees and the public.

In addition, all those who work for or are in contract with HEE should exercise the following when undertaking their duties:
- Selflessness: should take decisions solely in terms of the public interest. They should not do so in order to gain financial or other material benefits for themselves, their family or their friends.
- Integrity: should not place themselves under any financial or other obligation to outside individuals or organisations that might influence them in the performance of their official duties.
- Objectivity: should, in carrying out public business (including making public appointments, awarding contracts, or recommending individuals for rewards and benefits), make choices on merit.
- Accountability: are accountable for their decisions and actions to the public and must submit themselves to whatever scrutiny is appropriate to their office.
- Openness: should be as open as possible about all the decisions and actions that they take. They should give reasons for their decisions and restrict information only when the wider public interest demands.
- Honesty: have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts arising in a way that protects the public interest.
- Leadership: should promote and support these principles by leadership and example.

7.3. These standards are national benchmarks that inform our local policies and procedures. The arrangements made in this policy have been designed to ensure compliance with the national standards.

8. ROLES AND RESPONSIBILITIES

ROLES

8.1. HEE has a duty to ensure that it provides a secure environment in which to work, and one where people are confident to raise concerns without worrying that it will reflect badly on them. This extends to ensuring that staff feel protected when carrying out their official duties and are not placed in a vulnerable position. If staff have concerns about any procedures or processes that they are asked to be involved in, HEE has a duty to ensure that those concerns are listened to and addressed.

8.2. The Chief Executive of HEE is liable to be called to account for specific failures in the organisation's system of internal controls. However, responsibility for the operation and maintenance of controls falls directly to line managers and requires the involvement of all HEE employees. HEE therefore has a duty to ensure that employees who are involved in or who are managing internal control systems receive adequate training and support in order to carry out their responsibilities. Therefore, the Chief Executive and Director of Finance will monitor and ensure compliance with this policy.

EMPLOYEES

8.3. For the purposes of this policy, 'Employees' includes HEE staff, temporary and agency staff and contractors, and Board Members.

All employees should be aware that fraud and bribery (of finances of the NHS or of patients in our care) will normally, dependent upon the circumstances of the case, be regarded as gross misconduct, thus warranting summary dismissal without previous warnings. However, no such action will be taken before a proper investigation and a disciplinary hearing have taken place in accordance with HEE policies. Such actions may be in addition to the possibility of criminal prosecution.

HEE employees will not request or receive a bribe from anybody, nor imply that such an act might be considered. This means that you will not agree to receive or accept a financial or other advantage from a former, current or future client, business partner, contractor or supplier or any other person as an incentive or reward to perform your function or activities improperly.

Employees must act in accordance with the HEE Standards of Business Conduct, Gifts and Hospitality and Code of Practice on Declaration of Interest policies, which include guidance on the receipt of gifts or hospitality.

Employees also have a duty to protect the assets of HEE, including information, goodwill and reputation, as well as property.

Employees are expected to act in accordance with the standards laid down by their Professional Institute(s), where applicable.

The HEE Standing Orders and Standing Financial Instructions place an obligation on all staff and non-executive directors to act in accordance with best practice. In addition, all HEE staff and non-executive directors must declare and register any interests that might potentially conflict with those of HEE or the wider NHS.

In addition, all employees have a responsibility to comply with all applicable laws and regulations relating to ethical business behaviour, procurement, personal expenses, conflicts of interest, confidentiality and the acceptance of gifts and hospitality. This means, in addition to maintaining the normal standards of personal honesty and integrity, all employees should always:

- act with honesty, integrity and in an ethical manner
- behave in a way that would not give cause for others to doubt that the organisation's employees deal fairly and impartially with official matters
- be alert to the possibility that others might be attempting to deceive.

All employees have a duty to ensure that public funds are safeguarded, whether or not they are involved with cash or payment systems, receipts or dealing with contractors or suppliers.

When an employee suspects that there has been fraud or bribery, they must report the matter to the nominated Local Counter Fraud Specialist.

MANAGERS

Line managers at all levels have a responsibility to ensure that an adequate system of internal control exists within their areas of responsibility and that controls operate effectively. The responsibility for the prevention and detection of fraud and bribery therefore primarily rests with managers, but requires the cooperation of all employees.

As part of that responsibility, line managers need to:
- inform staff of the code of business conduct, gifts and hospitality, declaration of interest and counter fraud and bribery policies as part of their induction process, paying particular attention to the need for accurate completion of personal records and forms
- ensure that all employees for whom they are accountable are made aware of the requirements of the policy
- assess the types of risk involved in the operations for which they are responsible
- ensure that adequate control measures are put in place to minimise the risks. This must include clear roles and responsibilities, supervisory checks, staff rotation (particularly in key posts), separation of duties wherever possible so that control of a key function is not invested in one individual, and regular reviews, reconciliations and test checks to ensure that control measures continue to operate effectively
- be aware of the HEE Counter-Fraud and Anti-Bribery Policy and the rules and guidance covering the control of specific items of expenditure and receipts
- identify financially sensitive posts
- ensure that controls are being complied with
- contribute to their director's assessment of the risks and controls within their business area, which feeds into the HEE and the Department of Health Accounting Officer's overall statements of accountability and internal control.

All instances of actual or suspected fraud or bribery which come to the attention of a manager must be reported immediately. It is appreciated that some employees will initially raise concerns with their manager; however, in such cases

177 managers must not attempt to investigate the allegation themselves, and they have the clear responsibility to refer the concerns to the Local Counter Fraud Specialist as soon as possible Where staff have access to the Internet, managers need to ensure that any use is linked to the performance of their duties and any private use specifically agreed beforehand in accordance with the and Internet Policy. Any instance of deliberate viewing of offensive material (e.g. pornography or hate material) must be reported immediately. LOCAL COUNTER FRAUD SPECIALIST (LCFS) The Directions to NHS Bodies on Counter Fraud Measures 2004 require HEE to appoint and nominate an LCFS. For HEE this is Jason Lander, Financial Accountant. The LCFS s role is to ensure that all cases of actual or suspected fraud and bribery are notified to the Director of Finance and reported accordingly Investigation of the majority cases of alleged fraud within HEE will be the responsibility of the Local Counter Fraud Specialist (LCFS). NHS Protect will only investigate cases which should not be dealt with by HEE. Following receipt of all referrals, NHS Protect will add any known information or intelligence and based on this case acceptance criteria determine if a case should be investigated by NHS Protect. This list is not exhaustive. Cases which: have a strategic or national significance or are deemed to be of suitable national public interest; from intelligence or information have been identified as being part of a suspected criminal trend or an area which is suspected of being targeted by organised crime and which requires a centrally coordinated investigation; form part of a series of linked cases already being investigated or about to be by NHS Protect. 
are known or likely to have a high degree of complexity either in the nature of the fraud or the investigation required; will require a significant investigation which could include the involvement of other agencies such as OFT, FSA, or Serious Fraud Office (not day to day involvement of agencies on lower level cases); have any factors which would determine that the case should be investigated outside of the NHS body, for example very senior management involvement, the need to use directed surveillance, obtain communications data or use powers provided to NHS Protect in the NHS Act 2006; extend beyond the geographical, financial or legal remit of the NHS body affected by the fraud; may be retained by NHS Protect The LCFS will regularly report to the Director of Finance on the progress of the investigation and when/if referral to the police is required.

8.20. The LCFS and the Director of Finance, in conjunction with NHS Protect, will decide who will conduct the investigation and when/if referral to the police is required. Cases, for instance, where more than 100,000 or where possible bribery is involved may be investigated by NHS Protect (though the LCFS may assist); otherwise the investigation will normally be undertaken by the organisation's own LCFS directly.

The LCFS, in consultation with the Director of Finance, will review the strategic objectives contained within the assurance framework to determine any potential fraud or bribery risks. Where risks are identified these will be included on the HEE risk register so the risk can be proactively addressed.

DIRECTOR OF FINANCE

The Director of Finance, in conjunction with the Chief Executive, monitors and ensures compliance with Secretary of State Directions regarding fraud and bribery.

The Director of Finance, in consultation with NHS Protect and the LCFS, will decide whether there is sufficient cause to conduct an investigation, and whether the Police and External Audit need to be informed.

The Director of Finance or the LCFS will consult and take advice from the Associate Director of HR if a member of staff is to be interviewed or disciplined. The Director of Finance or LCFS will not conduct a disciplinary investigation, but the employee may be the subject of a separate investigation by HR.

The Director of Finance will, depending on the outcome of investigations (whether on an interim/on-going or a concluding basis) and/or the potential significance of suspicions that have been raised, inform the Chair of HEE and the Chair of the Audit Committee of cases, as may be deemed appropriate or necessary.

The Director of Finance is also responsible for informing the Audit Committee of all categories of loss.

INTERNAL AND EXTERNAL AUDIT

Any incident or suspicion that comes to Internal or External Audit's attention will be passed immediately to the LCFS.

HUMAN RESOURCES

Human Resources will liaise closely with Managers and the LCFS, from the outset, where an employee is suspected of being involved in fraud, in accordance with agreed liaison protocols. Human Resources are responsible for ensuring the appropriate use of the HEE Disciplinary Procedure. The Human Resources Department shall advise those involved in the investigation in matters of employment law and in other procedural matters, such as disciplinary and complaints procedures. Close liaison between the LCFS and HR will be essential to ensure that any parallel sanctions (i.e. criminal and disciplinary) are applied effectively and in a coordinated manner.

Human Resources will take steps at the recruitment stage to establish, as far as possible, the previous record of potential employees as well as the veracity of required qualifications and memberships of professional bodies, in terms of their propriety and integrity. In this regard, temporary and fixed term contract employees are treated in the same manner as permanent employees.

INFORMATION MANAGEMENT & TECHNOLOGY

The Corporate Secretary or Head of IT will contact the LCFS immediately in all cases where there is suspicion that IT is being used for fraudulent purposes. This includes inappropriate internet/intranet, email, telephone and PDA use. Human Resources will be informed if there is a suspicion that an employee is involved.

EXTERNAL COMMUNICATIONS

Individuals (be they employees, agency staff, locums, contractors or suppliers) must not communicate with any member of the press, media or another third party about a suspected fraud, as this may seriously damage the investigation and any subsequent actions to be taken. Anyone who wishes to raise such issues should discuss the matter with either the Director of Finance or the Chief Executive.

9. TRAINING

9.1. HEE will provide anti-bribery training to all relevant employees on a regular basis to make them aware of our Anti-Fraud and Bribery Policy and guidelines, including possible types of bribery, the risks of engaging in bribery activity, and how employees may report suspicion of bribery.

10. REPORTING FRAUD, BRIBERY OR OTHER ILLEGAL ACTS

This section outlines the action to be taken where fraud, bribery or other illegal acts involving dishonesty, inappropriate Internet use, or damage to property are discovered or suspected. For completeness, it also deals with the action to be taken where theft is discovered or suspected.

If any of the concerns mentioned in this document come to the attention of an employee, they must inform the Local Counter Fraud Specialist or the Director of Finance immediately. Employees can also call the NHS Fraud and Corruption Reporting Line on Freephone. This provides an easily accessible route for the reporting of genuine suspicions of fraud within or affecting the NHS. It allows NHS staff who are unsure of internal reporting procedures to report their concerns in the strictest confidence. All calls are dealt with by experienced call handlers.

Contact information for the above is listed in Appendix A.

The attached Appendix A is designed to be a reminder of the key "what to do" steps, as well as contact details, to be taken where fraud or other illegal acts are discovered or suspected. Managers are encouraged to copy this to staff and to place it on staff notice boards in their department.

Anonymous letters, telephone calls etc. are received from time to time from individuals who wish to raise matters of concern, but not through official channels. While the allegations may be erroneous or unsubstantiated, they may also reflect a genuine cause for concern and should always be taken seriously. Sufficient enquiries will be made by the LCFS to establish whether or not there is any foundation to the allegations. If the allegations are found to be malicious, they will also be considered for further investigation as to their source.

HEE wants all employees to feel confident that they can expose any wrongdoing without any risk to themselves. In accordance with the provisions of the Public Interest Disclosure Act 1998, HEE has produced a whistleblowing policy. This procedure is intended to complement the HEE Anti-Fraud and Bribery Policy and code of business conduct, and ensures there is full provision for staff to raise any concerns with others if they do not feel able to raise them with their line manager/management chain.

DISCIPLINARY ACTION

The disciplinary procedures of HEE must be followed where an employee is suspected of being involved in a fraudulent or other illegal act. It should be noted, however, that the duty to follow disciplinary procedures will not override the need for legal action to be taken (e.g. consideration of criminal action). In the event of doubt, legal statute shall prevail.

POLICE INVOLVEMENT

In accordance with the NHS Counter Fraud & Bribery Manual, the Director of Finance, in conjunction with the LCFS and NHS Protect, will decide whether a case should be referred to the police. Human Resources and line managers will be involved as necessary. Any referral to the police will not prohibit action being taken under the organisation's disciplinary procedures.

RECOVERY OF LOSSES INCURRED BY FRAUD OR BRIBERY

The seeking of financial redress or recovery of losses should always be considered in cases of fraud or bribery that are investigated by the LCFS or NHS Protect where a loss is identified. As a general rule, recovery of the loss caused by the perpetrator should always be sought. The decisions must be taken in the light of the particular circumstances of each case.

Redress allows resources that are lost to fraud and bribery to be returned to the NHS for use as intended, for the provision of high-quality patient care and services.

Sections 10 and 11 of the NHS Counter Fraud and Bribery Manual provide in-depth details of how sanctions can be applied where fraud and bribery is proven and how redress can be sought. To summarise, local action can be taken to recover money by using the administrative procedures of the organisation or the civil law.

In cases of serious fraud and bribery, it is recommended that parallel sanctions are applied. For example: disciplinary action relating to the status of the employee in the NHS; use of civil law to recover lost funds; and use of criminal law to apply an appropriate criminal penalty upon the individual(s), and/or a possible referral of information and evidence to external bodies, for example professional bodies, if appropriate.

NHS Protect can also apply to the courts to make a restraining order or confiscation order under the Proceeds of Crime Act 2002 (POCA). This means that a person's money is taken away from them if it is believed that the person benefited from the crime. It could also include restraining assets during the course of the investigation.

Actions which may be taken when considering seeking redress include:

- no further action
- criminal investigation
- civil recovery
- disciplinary action
- confiscation order under POCA
- recovery sought from on-going salary payments or pensions

In some cases (taking into consideration all the facts of a case), it may be that the organisation, under guidance from the LCFS and with the approval of the Director of Finance, decides that no further recovery action is taken.

Criminal investigations are primarily used for dealing with any criminal activity. The main purpose is to determine if activity was undertaken with criminal intent. Following such an investigation, it may be necessary to bring this activity to the attention of the criminal courts (magistrates' court and Crown court). Depending on the extent of the loss and the proceedings in the case, it may be suitable for the recovery of losses to be considered under POCA.

The civil recovery route is also available to the organisation if this is cost-effective and desirable for deterrence purposes. This could involve a number of options such as applying through the Small Claims Court and/or recovery through debt collection agencies. Each case needs to be discussed with the Director of Finance to determine the most appropriate action.

The appropriate senior manager, in conjunction with the HR department, will be responsible for initiating any necessary disciplinary action. Arrangements may be made to recover losses via payroll if the subject is still employed by the organisation. In all cases, current legislation must be complied with.

Action to recover losses should be commenced as soon as practicable after the loss has been identified. Given the various options open to the organisation, it may be necessary for various departments to liaise about the most appropriate option.

In order to provide assurance that policies were adhered to, the Director of Finance will maintain a record highlighting when recovery action was required and initiated, and what action was taken. This will be reviewed and updated on a regular basis.

11. MONITORING EFFECTIVENESS

Qualitative Assessments (QAs) are a self-assessment tool developed by NHS Protect to measure the effectiveness of the Counter Fraud arrangements at the organisation. QAs require NHS organisations to make a declaration of the counter fraud work they have completed during the financial year. The declaration focuses on the importance of demonstrating effectiveness and the correlation between work plan tasks, output and impact, and innovative action. A copy of the self-assessment will be included in the LCFS Annual Report.

As a result of reactive and proactive work completed throughout the financial year, closure reports are prepared and issued by the LCFS. System and procedural weaknesses are identified in each report, which highlights suggested recommendations for improvement. HEE, together with the LCFS, will track the recommendations to ensure that they have been implemented.

12. ADDITIONAL INFORMATION

Any abuse or non-compliance with this policy or procedures will be subject to a full investigation and appropriate disciplinary action.

This policy will be subject to regular review.

13. RELATED POLICIES

- Whistleblowing Policy
- Disciplinary Policy
- Declaration of Interests
- Gifts & Hospitality

Appendix A

ACTION TO BE TAKEN IF YOU DISCOVER OR SUSPECT ANY FRAUDULENT ACTIVITY!

This includes:

Fraud: Any deliberate intention to make a gain for themselves or anyone else, or inflicting a loss (or a risk of loss) on another, i.e. the NHS. This could be through the falsification of any records or documents, or obtaining any service(s), and/or failing to disclose information.

Bribery: Anything that induces or intends to induce improper performance. This covers offering, promising or giving a bribe, requesting, agreeing to receive or accepting a bribe, and failing to prevent bribery. It also covers cases where someone is influenced by bribery, or by payment of a benefit-in-kind, to unreasonably use their position to give some advantage to another.

What to do:

If any of these concerns come to light you must immediately report your suspicions and what you have discovered to one of the following:

- Local Counter Fraud Specialist: Jason Lander: jlander@nhs.net
- Director of Finance: Steve Clarke
- The NHS Fraud Reporting Line
- Or online

Confidentiality will be maintained and all matters will be dealt with in accordance with the NHS Counter Fraud standards. You will not suffer any recriminations as a result of raising concerns. You have protection under The Public Interest Disclosure Act 1998.

DO

- Tell someone! Confidentiality will be respected. Any delay might cause the organisation to suffer further financial loss.
- Make a note of your concerns! Note all relevant details, what was said, the date, time and names of all parties involved. Keep a record or copy of any documentation that arouses your suspicion.

DO NOT

- Confront the individual(s) with your suspicions.
- Try to investigate the matter yourself.
- Contact the police directly.
- Convey your suspicions to anyone other than those with the proper authority as listed.
- Do nothing!

THE FRAUD ACT 2006 SUMMARY

Section 1 of The Fraud Act sets out provisions for a general offence of fraud. There are several new offences created, the main three being sections 2, 3 and 4. The Act also creates new offences of obtaining services dishonestly and of possessing, making and supplying articles for use in fraud, as well as containing a new offence of fraudulent trading applicable to non-corporate traders.

Section 2: Fraud by False Representation

It is an offence to commit fraud by false representation. The representation must be made dishonestly. This test applies also to sections 3 and 4 below. The current definition of dishonesty was established in R v Ghosh [1982] Q.B. That judgment sets a two-stage test. The first question is whether a defendant's behaviour would be regarded as dishonest by the ordinary standards of reasonable and honest people. If answered positively, the second question is whether the defendant was aware that his conduct was dishonest and would be regarded as dishonest by reasonable and honest people.

The person must make the representation with the intention of making a gain or causing loss or risk of loss to another. The gain or loss does not actually have to take place.

A representation is defined as false if it is untrue or misleading and the person making it knows that it is, or might be, untrue or misleading. A representation means any representation as to fact or law, including a representation as to a person's state of mind. A representation may be express or implied. It can be stated in words or communicated by conduct. There is no limitation on the way in which the representation must be expressed. It could be written or spoken or posted on a website.

A representation may also be implied by conduct. An example of a representation by conduct is where a person dishonestly misuses a credit card to pay for items. By tendering the card, he is falsely representing that he has the authority to use it for that transaction. It is immaterial whether the merchant accepting the card for payment is deceived by the representation.

This offence would also be committed by someone who engages in "phishing": i.e. where a person disseminates an email to large groups of people falsely representing that the email has been sent by a legitimate financial institution. The email prompts the reader to provide information such as credit card and bank account numbers so that the "phisher" can gain access to others' personal financial information.

A representation may be regarded as being made if it (or anything implying it) is submitted in any form to any system or device designed to receive, convey or respond to communications (with or without human intervention). The main purpose of this provision is to ensure that fraud can be committed where a person makes a representation to a machine and a response can be produced without any need for human involvement. (An example is where a person enters a number into a "CHIP and PIN" machine.)

Section 3: Fraud by Failing to Disclose Information

Section 3 makes it an offence to commit fraud by failing to disclose information to another person where there is a legal duty to disclose the information. A legal duty to disclose information may include duties under oral contracts as well as written contracts. For example, the failure of a solicitor to share vital information with a client within the context of their work relationship, in order to perpetrate a fraud upon that client, would be covered by this section. Similarly, an offence could be committed under this section if, for example, an NHS employee failed to disclose to HEE that certain patients referred by him for private treatment are private patients, thereby avoiding a charge for the services provided by that NHS employee during NHS time.

Section 4: Fraud by Abuse of Position

Section 4 makes it an offence to commit a fraud by dishonestly abusing one's position. It applies in situations where the defendant has been put in a privileged position, and by virtue of this position is expected to safeguard another's financial interests or not act against those interests. The necessary relationship will be present between HEE and beneficiary, director and company, professional person and client, agent and principal, employee and employer, or between partners. It may arise otherwise, for example within a family, or in the context of voluntary work, or in any context where the parties are not at arm's length.

The term "abuse" is not limited by a definition, because it is intended to cover a wide range of conduct. The offence can be committed by omission as well as by positive action. For example, an employee who fails to take up the chance of a crucial contract in order that an associate or rival company can take it up instead at the expense of the employer commits an offence under this section. An employee of a software company who uses his position to clone software products with the intention of selling the products on would commit an offence under this section. Another example covered by this section is where a person who is employed to care for an elderly or disabled person has access to that person's bank account and abuses his position by removing funds for his own personal use.

Note: It is now no longer necessary to prove a person has been deceived in the above offences. The focus is now on the dishonest behaviour of the suspect and their intent to make a gain or cause a loss.

Section 5: (not relevant for the purposes of this document)

Section 6: Possession etc. of Articles for Use in Frauds

Section 6 makes it an offence for a person to possess or have under his control any article for use in the course of or in connection with any fraud. This wording draws on that of the existing law in section 25 of the Theft Act 1968 (these provisions make it an offence for a person to "go equipped" to commit a burglary, theft or cheat, although they apply only when the offender is not at his place of abode). Proof is required that the defendant had the article for the purpose or with the intention that it be used in the course of or in connection with the offence, and a general intention to commit fraud will suffice.

Section 7: Making or Supplying Articles for Use in Frauds

Section 7 makes it an offence to make, adapt, supply or offer to supply any article knowing that it is designed or adapted for use in the course of or in connection with fraud, or intending

it to be used to commit or facilitate fraud. For example, a person makes devices which, when attached to electricity meters, cause the meter to malfunction.

Section 8: Article

Section 8 extends the meaning of "article" for the purposes of sections 6 and 7 and certain other connected provisions so as to include any program or data held in electronic form. Examples of cases where electronic programs or data could be used in fraud are:

- a computer program can generate credit card numbers;
- computer templates can be used for producing blank utility bills;
- computer files can contain lists of other peoples' credit card details or draft letters in connection with 'advance fee' frauds.

Section 9: Participating in fraudulent business carried on by sole trader etc.

Section 9 makes it an offence for a person knowingly to be a party to the carrying on of fraudulent business where the business is not carried on by a company or (broadly speaking) a corporate body. In relation to the offence of fraudulent trading:

- dishonesty is an essential ingredient of the offence;
- the mischief aimed at is fraudulent trading generally, and not just in so far as it affects creditors;
- the offence is aimed at carrying on a business, but that can be constituted by a single transaction; and
- it can only be committed by persons who exercise some kind of controlling or managerial function within the company.

Section 10: (not relevant for the purposes of this document)

Section 11: Obtaining Services Dishonestly

Section 11 makes it an offence for any person, by any dishonest act, to obtain services for which payment is required, with intent to avoid payment. The person must know that the services are made available on the basis that they are chargeable, or that they might be. It is not possible to commit the offence by omission alone, and it can be committed only where the dishonest act was done with the intent not to pay for the services as expected. It requires the actual obtaining of the service.

For example, data or software may be made available on the Internet to a certain category of person who has paid for access rights to that service. A person dishonestly using false credit card details or other false personal information to obtain the service would be committing an offence under this section. The section would also cover a situation where a person climbs over a wall and watches a football match without paying the entrance fee: such a person is not deceiving the provider of the service directly, but is obtaining a service which is provided on the basis that people will pay for it. Section 11 also covers the situation where a person attaches a decoder to her television to enable viewing access to cable / satellite television channels for which she has no intention of paying.

Section 12: Liability of Company Officers for Offences by Company

This section repeats the effect of section 18 of the Theft Act 1968. It provides that company officers who are party to the commission of an offence under the Act by their body corporate will be liable to be charged for the offence as well as the company. It applies to directors, managers, secretaries and other similar officers of a company. If the body corporate charged with an offence is managed by its members, the members involved in management can be prosecuted too.

The Fraud Act 2006 repeals the following Theft Act offences:

Theft Act 1968
- Section 15 (obtaining property by deception).
- Section 15A (obtaining a money transfer by deception).
- Section 15B (Section 15A: supplementary).
- Section 16 (obtaining a pecuniary advantage by deception).
- Section 20(2) (procuring the execution of a valuable security by deception).

Theft Act 1978
- Section 1 (obtaining services by deception).
- Section 2 (evasion of liability).

The Act came into force on 15th January 2007 and carries a maximum sentence of 10 years imprisonment, with the exception of the going equipped offence, which carries 5 years.

Any suspicions of fraud against the organisation should be reported to: Jason Lander: jlander@nhs.net. Alternatively you can telephone the NHS Fraud & Corruption Line in confidence on: Or online

BRIBERY ACT 2010

The following business practices constitute criminal offences under the Bribery Act 2010 and are therefore prohibited:

Offences of bribing another person

Case 1 is where an employee offers, promises or gives a financial or other advantage to another person and intends the advantage (i) to induce that or another person to perform improperly a relevant function or activity, or (ii) to reward that or another person for the improper performance of such a function or activity.

Case 2 is where an employee offers, promises or gives a financial or other advantage to another person and knows or believes that the acceptance of the advantage would itself constitute the improper performance of a relevant function or activity by that person.

The bribery must relate to (i) a function of a public nature, (ii) an activity connected with a business, (iii) an activity performed in the course of a person's employment, or (iv) an activity performed by or on behalf of a body of persons (whether corporate or unincorporate). The person performing the function or activity must be expected to perform it in good faith, impartially or in a position of trust. It does not matter whether the function or activity is performed inside or outside the UK, whether the other person(s) involved is/are in the public or private sector, and whether the advantage is offered, promised or given directly by an HEE employee or through a third party, e.g. an agent or other intermediary.

Offences relating to being bribed

Case 3 is where an employee requests, agrees to receive or accepts a financial or other advantage intending that, in consequence, a relevant function or activity should be performed improperly (whether by him-/herself or another person).

Case 4 is where an employee requests, agrees to receive or accepts a financial or other advantage, and the request, agreement or acceptance itself constitutes the improper performance by him-/herself of a relevant function or activity.

Case 5 is where an employee requests, agrees to receive or accepts a financial or other advantage as a reward for the improper performance (whether by him-/herself or another person) of a relevant function or activity.

Case 6 is where, in anticipation of or in consequence of an employee requesting, agreeing to receive or accepting a financial or other advantage, a relevant function or activity is performed improperly (i) by that employee, or (ii) by another person at his/her request or with his/her assent or acquiescence.

Again, the bribery must relate to (i) a function of a public nature, (ii) an activity connected with a business, (iii) an activity performed in the course of a person's employment, or (iv) an activity performed by or on behalf of a body of persons (whether corporate or unincorporate). The person performing the function or activity must be expected to perform it in good faith, impartially or in a position of trust. It does not matter whether the function or activity is performed inside or outside the UK, whether the other person(s) involved is/are in the public or private sector, whether an HEE employee requests, agrees to receive or accepts the advantage directly or through a third party, e.g. an agent or other intermediary, and whether the advantage is for the benefit of an HEE employee or another person.

In Cases 4 to 6, it does not matter whether an employee knows or believes that the performance of the function or activity is improper.

Bribery of foreign public officials

Case 7 is where an employee bribes a foreign public official and intends (i) to influence that official in his/her capacity as a foreign public official and (ii) to obtain or retain a business or an advantage in the conduct of business. A foreign public official is someone who holds a legislative, administrative or judicial position of any kind or exercises a public function of a country outside the UK, or is an official or agent of a public international organisation.

The following paragraph will apply if any part of the organisation is considered as a commercial one.

Failure of commercial organisations to prevent bribery

A corporate or partnership is guilty of a corporate bribery offence if an employee, agent, subsidiary or any other person acting on its behalf bribes another person intending to obtain or retain business or an advantage in the conduct of business for the corporate or partnership. For a definition of bribery, please refer to Cases 1, 2 and 7 above. It should be the policy of a corporate or partnership not to tolerate any bribery on its behalf, even if this might result in a loss of business for it. Criminal liability must be prevented at all times.

191 Conflicts of Interest Policy
Version: 2.0
Ratified by: HEE Board
Date ratified: 9 July 2013
Name of originator/author: Mike Jones: Corporate Secretary
Name of responsible committee/individual: Mike Jones, Corporate Secretary
Name of executive lead: Lee Whitehead, Director of People & Communications
Date issued: 12 July 2013
Review date: July 2016
Target audience: All Health Education England staff, Board and Committee members, including those of Local Education and Training Board governing bodies.

192 Review and Amendment Log
Version No / Type of Change / Date / Description of change
V.1.0 / Document first produced / June 2012 /
V.2.0 / Amendments / March/June 2013 / Amendments to escalation process, with the inclusion of an escalation flowchart and examples of conflicts of interest

Document Status
This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

193 CONTENTS
1 INTRODUCTION AND PURPOSE
2 LEGISLATION AND GUIDANCE
3 SCOPE
4 AIMS AND OBJECTIVES
5 ACCOUNTABILITY AND RESPONSIBILITIES
6 POTENTIAL FOR CONFLICTS OF INTEREST
7 DECLARING A CONFLICT OF INTEREST
8 REGISTER OF INTERESTS
9 FAILURE TO MAKE A DECLARATION
10 TRAINING
11 REVIEW AND DISSEMINATION
12 EQUALITY IMPACT ASSESSMENT
APPENDICES
A THE NOLAN PRINCIPLES
B NHS HEE CODES OF CONDUCT AND ACCOUNTABILITY
C DECLARATION OF INTEREST FORM

194 INTRODUCTION & PURPOSE 1.1. It is a principle that public sector bodies must be impartial and honest in the conduct of their business, and that their employees should remain beyond suspicion. NHS Health Education England and its committees, and the governing bodies of its Local Education and Training Boards, therefore adopt a transparent approach to all their activities, which are undertaken in line with the seven Nolan Principles (Appendix A) of: Selflessness, Integrity, Objectivity, Accountability, Openness, Honesty and Leadership. 1.2. A conflict of interest can be defined as a set of conditions in which professional judgement concerning a primary interest tends to be unduly influenced by a secondary interest, or as a situation in which one's ability to exercise judgement in a role is impaired by one's obligation in another. On behalf of NHS Health Education England staff, its Board and Committee members, including those of LETB governing bodies and Advisory Group members, it is crucial that an interest and involvement in the education and healthcare system does not involve a vested interest in terms of financial or professional bias towards or against particular solutions or decisions. Therefore, in order to ensure that employees and appointees are protected against potential conflicts of interest, this document provides the tools and support to identify, declare and record conflicts through clear guidelines, with measures to be taken to manage conflicts of interest when they arise. 2. LEGISLATION & GUIDANCE 2.1. Under NHS Health Education England: Standing Orders and Codes of Conduct and Accountability, Chairs and Board/Committee members should act impartially and should not be influenced by social or business relationships (Appendix B). No one should use their public position to further their private interests. Under the Bribery Act 2010 any money, gift or consideration received by an Employee or Board/Committee member from a person or company seeking a contract with Health Education England will be deemed to have been received as a bribe. Any gift received from a supplier such as pens, pencils or calendars need not be declared, but if unsure, clarification should be sought from your line manager or Local Education and Training Board Managing Director. Any hospitality other than meals or buffets provided by suppliers must be declared in writing; the Health Education England Code of Practice for Declaring and Dealing with Gifts and Hospitality provides full guidance. The General Medical Council's Good Medical Practice guidance includes a section for doctors working as managers, which will apply to those doctors who take up

195 leadership roles in NHS Health Education England and/or the Local Education and Training Boards, stating that: You must declare any interest you have that could influence or be seen to influence your judgement in any financial or commercial dealings you are responsible for. In particular you must not allow your interests to influence: the treatment of patients; purchases from funds for which you are responsible; the terms or awarding of contracts; the conduct of research. 3. SCOPE 3.1. This policy covers the correct procedure to follow in the event of identifying, declaring and recording conflicts of interest. This policy applies to: members of staff that are directly employed by NHS Health Education England and for whom NHS Health Education England has legal responsibility; those staff covered by a letter of authority/honorary contract or work experience (this policy is also applicable whilst undertaking duties on behalf of NHS Health Education England or working on NHS Health Education England premises and forms part of their arrangements with NHS Health Education England); and anyone appointed to the HEE Board, a Committee (e.g. LETB Governing Body) or HEE Advisory Group. Through the remainder of this Code of Practice these groups will collectively be referred to as employees and appointees. As part of good employment practice, agency workers are also required to abide by NHS Health Education England policies and procedures, as appropriate, to ensure their health, safety and welfare whilst undertaking work for NHS Health Education England. 4. AIMS & OBJECTIVES 4.1. 
The aims of this policy are: To provide guidance to employees and appointees in identifying and declaring conflicts of interest To provide guidance on how to document, monitor and report on conflicts of interest To ensure that all employees and appointees are aware of the correct procedure and forms to complete in the event of a conflict of interest To encourage openness and transparency in the declaration process. 5. ACCOUNTABILITY & RESPONSIBILITIES 5.1. In accordance with the NHS Codes of Conduct and Accountability, NHS Health Education England employees and appointees should take responsibility as a member of NHS Health Education England and/or Local Education and Training Boards both during the meetings and outside them to conduct the business of NHS Health Education England as a whole rather than representing any specific interests.

196 5.2. Members with a declared interest should apply best endeavours to ensure that any conflict of interest is not affected by their conduct as a member between meetings. The Chief Executive of NHS Health Education England is ultimately responsible for ensuring there is an effective system in place for employees and appointees to declare sponsorship, gifts, hospitality, outside income and any other interests, and also to minimise professional liability risks. All Directors, Chairs, Board Members, Managers, employees and other appointees are responsible for ensuring compliance with this policy. Where there is uncertainty regarding the contents of this Policy, confirmation should be sought from your Line Manager or Local Education and Training Board Managing Director. 6. POTENTIAL FOR CONFLICTS OF INTEREST 6.1. The following types of conflicts of interest are likely to affect members of NHS Health Education England and/or the Local Education and Training Boards. A Direct Financial Interest: A clear conflict of interest arises when an individual involved in taking or influencing the decisions of NHS Health Education England and/or the Local Education and Training Boards could receive a direct financial benefit as a result of the decisions being taken. 
This may arise as a result of holding an office or shares in a private company or business, or a charity or voluntary organisation that may do business with the NHS. An Indirect/Pecuniary Interest: Indirect (financial) interest arises when a close relative of a Director or other key person benefits from a decision of the organisation. Spouse shall include any person who lives with another person in the same household (and any pecuniary interest of one spouse shall, if known to the other spouse, be deemed to be an interest of that other spouse); Contract shall include any proposed contract or other course of dealing; Subject to the exceptions set out in this Standing Order, a person shall be treated as having an indirect pecuniary interest in a contract if: he/she, or a nominee of his/hers, is a member of a company or other body (not being a public body) with which the contract is made, or is to be made, or which has a direct pecuniary interest in the same, or he/she is a partner, associate or employee of any person with whom the contract is made or is to be made or who has a direct pecuniary interest in the same. A person shall not be regarded as having a pecuniary interest in any contract if:

197 (a) Neither he/she nor any person connected with him/her has any beneficial interest in the securities of a company of which he/she or such person appears as a member, or (b) Any interest that he/she or any person connected with him/her may have in the contract is so remote or insignificant that it cannot reasonably be regarded as likely to influence him/her in relation to considering or voting on that contract, or (c) Those securities of any company in which he/she (or any person connected with him/her) has a beneficial interest do not exceed £5,000 in nominal value or one per cent of the total issued share capital of the company or of the relevant class of such capital, whichever is less. Provided however, that where paragraph (c) above applies the person shall nevertheless be obliged to disclose/declare their interest in accordance with the NHS Health Education England Standing Orders. Non-Financial or Personal Interests: These occur where directors or other key persons receive no financial benefit, but are influenced by external factors such as gaining some other tangible benefit, for example through awarding contracts to friends or personal business contacts. Individuals who do not have any commercial or other direct interests in a particular service or provider are likely to have long-standing professional relationships with colleagues to whom they may have allegiances as peers, and with whom they have developed particular ways of working over a period of time. Personal conflicts could therefore exist when decisions are being taken that would affect such relationships in some way. Conflicts of Loyalty: Decision makers may have competing loyalties between the organisation to which they owe a primary duty and some other person or entity. 
For healthcare and academic professionals, this could include loyalties to a particular professional body, society or special interest group, and could involve an interest in a particular condition or treatment due to an individual's own experience or that of a family member. Preferential Treatment in Private Transactions: Staff should not seek or accept any preferential benefits from private companies with which they have had or may have dealings on behalf of NHS Health Education England and its Local Education and Training Boards. Every employee has a duty to ensure that they are not put in a position of risk of conflict between private interests and their NHS Health Education England duties. All contractual obligations must be completed before any extra work is undertaken. If the employee believes that they have a conflict of interest due to engaging in any other work then they should contact their Line Manager or Local Education and Training Board Managing Director for clarification. With prior agreement staff may undertake private work for other agencies, providing they do so outside of the times they are contracted to NHS

198 Health Education England and the Local Education and Training Boards, and to ensure compliance with the code of conduct.

6.7. Contracts

All staff who are in contact with suppliers and contractors (including external consultants), and in particular those who are authorised to sign purchase orders, or place contracts for goods, materials or services, are expected to adhere to professional standards of the kind set out in the Ethical Code of the Institute of Purchasing and Supply (IPS). Staff should be particularly careful of using, or making public, internal information of a commercial in-confidence nature, particularly if its disclosure would prejudice the principle of a purchasing system based on fair competition. This principle applies whether private competitors or other NHS providers are concerned, and whether or not disclosure is prompted by the expectation of personal gain. Employees should ensure that no special favour is shown to current or former employees or their close relatives or associates in awarding contracts to private or other businesses run by them or employing them in a senior or relevant managerial capacity. 
Contracts may be awarded to such businesses where they are won in fair competition against other tenders, but scrupulous care must be taken to ensure that the selection process is conducted impartially, and that staff who are known to have a relevant interest play no part in the selection Materiality of Interests Interests that should be regarded as relevant and material are: Directorships, including non-executive directorships held in private companies or PLCs (with the exception of those of dormant companies); Ownership or part-ownership of private companies, businesses or consultancies likely or possibly seeking to do business with the NHS; Majority or controlling share holdings in organisations doing or possibly seeking to do business with the NHS; A position of authority in another health or social care body or a charity or voluntary organisation in the field of health and social care; Any connection with a voluntary or other organisation contracting for NHS services; Research funding/grants that may be received by an individual or their department; Interests pooled funds that are under separate management (any relevant company included in this fund that has a potential relationship with NHS Health Education England and the Local Education Training Boards must be declared); Membership of an organisation that may seek to influence how health care is managed; Potential employment by a body that could result from organisational change in the NHS. 7. DECLARING A CONFLICT OF INTEREST 7.1. Declarations of Interest

199 It is a requirement that Chairman and all Board members should declare any conflict of interest that arises in the course of conducting business on behalf of NHS Health Education England. This applies to the HEE Board, LETB Governing Bodies and HEE Advisory Groups. That requirement continues in force All employees and appointees are to declare on appointment any business interests, position of authority in a charity or voluntary body in the field of health and social care and/or education, and any connection with a voluntary or other body contracting for NHS services Additional Declarations of Interest should be made as and when a new Conflict of Interest becomes known to the employee or appointee Individuals are to complete a Declaration of Interest form (Appendix C), which should be submitted to your line manager or Local Education and Training Board Managing Director Where a conflict of interest has been declared, this will be monitored via a Local Conflict of Interest Register Upon declaration, the Local Education and Training Board Managing Director shall escalate conflicts of interest declared by the four mandated members from each Local Education and Training Board to the NHS Health Education England Board via the Corporate Secretary The NHS Health Education England Board and/or Corporate Secretary may request details of conflicts of interest declared by non-mandated members of the Local Education and Training Boards Declaration of interest in items on NHS Health Education England and Local Education and Training Board Agendas Each NHS Health Education England and Local Education and Training Board meeting will have an item at the beginning of the agenda asking members to declare any interests in any item on the agenda Such declarations will not be required where an agenda item talks in principle about funding streams or contractual issues to all such providers but must be made where an agenda item is explicitly about a specific provider NHS Health 
Education England and the Local Education and Training Board papers should only cover issues concerning a single provider where there are specific valid reasons to do so. Where a member has declared an interest in an item of business, this will be noted in the minutes of the meeting and added to the Local Conflicts of Interest Register. The Chair will then decide which of the following actions will be taken: The member will receive no further papers for the item, will not be able to contribute to the discussion and will be excluded from contributing to a Board decision (they will be excluded from the meeting for that item);

200 The member will receive papers for the item, will be able to contribute to the discussion but will be excluded from contributing to a Board decision; The conflict is deemed too insignificant to affect the individual or the decision of the Board in a way that is deemed inappropriate. A log of actions taken should be maintained for inspection upon request. Further to action ( ), on the advice of the Chief Executive or Local Education and Training Board Managing Director, the NHS Health Education England Board or a Local Education Training Board may ask a member to answer questions or clarifications on the agenda item should that be required, but they should be absent during the discussion and decision taking for that item. When a member's interest is not directly associated with the issue under discussion but could be construed as having potential influence on the outcome of the discussion due to the interest, the member will also be excluded from the discussions. Should the Chair of the NHS Health Education England Board or Local Education and Training Board declare a conflict of interest in an agenda item, members will agree to nominate a deputy to continue chairing the meeting for that item. Where arrangements have been previously confirmed in the eventuality of a Chair declaring a conflict of interest, the meeting must follow these. The minutes of the meeting, and the Board's Register of Declared Conflicts of Interest, will record all declarations of interest and actions taken in mitigation. Where over half of members withdraw from a part of a meeting the Chair (or Deputy) will determine whether or not the discussion can proceed. In making this decision the Chair will consider whether the meeting is quorate in accordance with the required number/balance of membership. Where the meeting is not quorate the Chair will suspend Standing Orders, and members will continue to discuss the item. 
The Board will then write to the Audit Chair, informing the Audit Committee of this suspension. These arrangements used must be recorded in the minutes. The Chief Executive of NHS Health Education England and/or Managing Directors of the Local Education and Training Boards will take such steps as judged by them to be appropriate, and request information deemed appropriate from individuals, to ensure that all conflicts of interest and potential conflicts of interest are declared. Escalation through the management of Conflicts of Interest: Where a NHS Health Education England member is concerned about another member's conflict of interest, this should be raised with the NHS Health Education England Chief Executive. Where a Local Education and Training Board member is concerned about another member's conflict of interest, this

201 should be raised with the Local Education and Training Board Managing Director. Where there are conflicts of interest between Local Education Training Boards, this will be resolved by reference to the NHS Health Education England Chief Executive. 8. REGISTER OF INTERESTS 8.1. A Local Declaration of Conflict of Interest Register shall be held by each Local Education and Training Board and by NHS Health Education England for locally declared interests. The Corporate Secretary shall maintain the Conflict of Interest Register for HEE and Local Education & Training Board Managing Directors shall ensure that a Register is held and maintained within the LETB. For mandated Local Education and Training Board members, declarations of interest will also be escalated to the NHS Health Education England Board by the Local Education and Training Board Managing Director. NHS Health Education England and the Local Education Training Boards will maintain Registers of Interest which will be open to public inspection and be published on the relevant website, in addition to publication in the NHS Health Education England and Local Education and Training Boards' annual reports. The Registers will contain any real or perceived interests that may produce a conflict of interest for members of NHS Health Education England or a Local Education and Training Board. 
Where there is doubt, members may request clarification from the NHS Health Education England Chief Executive, Local Education and Training Board Managing Director or Corporate Secretary, but the default position would be to declare. For Local Education and Training Board members the declaration of interests should contain any personal interests but should also give the value and nature of MPET funding that their employing organisation receives from that Local Education and Training Board and other Local Education and Training Boards. Members will be asked annually to make a declaration of interests in a form to be determined by the NHS Health Education England Corporate Secretary. Any new members will be asked to make a declaration upon joining. Individual employees are responsible for ensuring that their registered interests are kept up to date at all times. Although the interest is declared, this does not negate the individual's personal responsibility to remove themselves from a position or situation which may result in a potential breach of this policy. If an employee or member feels that they have been offered an incentive or bribe to place an order or contract, this should be declared in writing immediately to their Line Manager or Local Education and Training Board Managing Director. 9. FAILURE TO MAKE A DECLARATION 9.1. Should it be suspected that an employee or appointee has failed to appropriately declare an interest, or failed to demonstrate compliance with the conduct outlined in this policy, it may be deemed appropriate to take action in line with NHS Health

202 Education England's Disciplinary Policy and/or make a referral to the organisation's Local Counter Fraud Specialist. 10. TRAINING Staff will receive instruction and direction regarding the Conflicts of Interest Policy from a number of sources: Policy/Strategy and Procedural Manuals; Line Managers; Trust Website and Intranet; Training Sessions; Other communication methods; Corporate/Local Induction. 11. REVIEW AND DISSEMINATION The Conflicts of Interest Policy will be reviewed every three years, or sooner if considered necessary by the NHS Health Education England Board. 12. EQUALITY IMPACT ASSESSMENT This policy applies to those listed at paragraph 3.1 irrespective of age, race, colour, religion, disability, nationality, ethnic origin, gender, sexual orientation or marital status, domestic circumstances, social and employment status, HIV status, gender reassignment, political affiliation or trade union membership.

203 APPENDIX A THE NOLAN PRINCIPLES The Seven Principles of Public Life
1. Selflessness: Holders of public office should take decisions solely in terms of the public interest. They should not do so in order to gain financial or other material benefits for themselves, their family, or their friends.
2. Integrity: Holders of public office should not place themselves under any financial or other obligation to outside individuals or organisations that might influence them in the performance of their official duties.
3. Objectivity: In carrying out public business, including making public appointments, awarding contracts, or recommending individuals for rewards and benefits, holders of public office should make choices on merit.
4. Accountability: Holders of public office are accountable for their decisions and actions to the public and must submit themselves to whatever scrutiny is appropriate to their office.
5. Openness: Holders of public office should be as open as possible about all the decisions and actions that they take. They should give reasons for their decisions and restrict information only when the wider interest clearly demands.
6. Honesty: Holders of public office have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts arising in a way that protects the public interest.
7. Leadership: Holders of public office should promote and support these principles by leadership and example.

204 APPENDIX B NHS Health Education England Codes of Conduct and Accountability


More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY Directorate of Performance Assurance INFORMATION GOVERNANCE POLICY Reference: DCP074 Version: 2.5 This version issued: 27/03/15 Result of last review: Minor changes Date approved by owner (if applicable):

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy. Title: Reference No: NHSNYYIG - 007 Owner: Author: INFORMATION GOVERNANCE POLICY Director of Standards First Issued On: September 2010 Latest Issue Date: February 2012 Operational Date: February 2012 Review

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version: 3.2 Authorisation Committee: Date of Authorisation: May 2014 Ratification Committee Level 1 documents): Date of Ratification Level 1 documents): Signature of ratifying

More information

Code of Practice on the discharge of the obligations of public authorities under the Environmental Information Regulations 2004 (SI 2004 No.

Code of Practice on the discharge of the obligations of public authorities under the Environmental Information Regulations 2004 (SI 2004 No. Code of Practice on the discharge of the obligations of public authorities under the Environmental Information Regulations 2004 (SI 2004 No. 3391) Issued under Regulation 16 of the Regulations, Foreword

More information

SUBJECT ACCESS REQUEST

SUBJECT ACCESS REQUEST DATA PROTECTION ACT 1998 SUBJECT ACCESS REQUEST Procedure Manual 1 Invest NI Subject Access Request Procedure Manual 1. Introduction 1.1 What is a Subject Access Request? 1.2 Routine Requests 1.3 What

More information

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

Clinical Governance and Workforce Committee Summary Report

Clinical Governance and Workforce Committee Summary Report Committee: Trust Board Meeting Date: 25 June 2015 This paper is for: Assurance and Information Title: Clinical Governance and Workforce Committee Summary Report Purpose: The purpose of this report is to

More information

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

INFORMATION GOVERNANCE

INFORMATION GOVERNANCE This document is uncontrolled once printed. Please refer to the Trusts Intranet site (Procedural Documents) for the most up to date version INFORMATION GOVERNANCE NGH-PO-233 Ratified By: Procedural Document

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: Revised: Consultation: Ratified by: 1.0 Information Governance Committee Governance Committee Date ratified: 19 March 2008 Name of originator/author: David McGrath

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

NHS Business Services Authority Information Security Policy

NHS Business Services Authority Information Security Policy NHS Business Services Authority Information Security Policy NHS Business Services Authority Corporate Secretariat NHSBSAIS001 Issue Sheet Document reference NHSBSARM001 Document location F:\CEO\IGM\IS\BSA

More information

Information Governance Policy

Information Governance Policy Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:

More information

Information Governance Policy

Information Governance Policy Information Governance Policy UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT HISTORY

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE. Title: Information Governance Policy Date Approved: Approved by: Date of review: Policy Ref: Issue: January 2015 Information Governance Group Division/Department: January 2016 Policy Category: ISP-04 5

More information

Procedure for taking legal advice and instructing solicitors

Procedure for taking legal advice and instructing solicitors Procedure for taking legal advice and instructing solicitors Version: Version 2 Ratified by: Operational Management Executive Committee (OMEC) Date ratified: 20 May 2013 Name and Title of originator/author(s):

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy ID IG02 Version: V1 Date ratified by Governing Body 27/09/13 Author South Commissioning Support Unit Date issued: 21/10/13 Last review date: N/A Next review date: September

More information

INFORMATION GOVERNANCE STRATEGY NO.CG02

INFORMATION GOVERNANCE STRATEGY NO.CG02 INFORMATION GOVERNANCE STRATEGY NO.CG02 Applies to: All NHS LA employees, Non-Executive Directors, secondees and consultants, and/or any other parties who will carry out duties on behalf of the NHS LA.

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

More information

Policy: D9 Data Quality Policy

Policy: D9 Data Quality Policy Policy: D9 Data Quality Policy Version: D9/02 Ratified by: Trust Management Team Date ratified: 16 th October 2013 Title of Author: Head of Knowledge Management Title of responsible Director Director of

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

Information Assurance Policies and Guidance. Information Governance Policy. Document Version: v0.5 Review Date: 1 May 2016

Information Assurance Policies and Guidance. Information Governance Policy. Document Version: v0.5 Review Date: 1 May 2016 Information Assurance Policies and Guidance Information Governance Policy Document Version: v0.5 Review Date: 1 May 2016 Owner: Information Governance Manager 1 P a g e Document History Revision Version

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Information Governance Policy

Information Governance Policy BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY

More information

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff.

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff. Information Governance Policy 1 SUMMARY This policy is intended to ensure that staff are fully aware of their Information Governance (IG) responsibilities, so that they can effectively manage and best

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures ` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY Version 8.0 Purpose: For use by: This document is compliant with /supports compliance with: To outline the lifecycle of a record and to provide guidance on retention and disposal

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy NHS Waltham Forest Clinical Commissioning Group Governance Strategy Author: Zeb Alam, CCG IG Lead, (NELCSU) David Pearce, Head of Governance, WFCCG Version 3.0 Amendments to Version 2.1 Annual Review Reference

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Lexcel England and Wales v6 Guidance notes for in-house legal departments Excellence in practice management and client care. 2015 The Law Society.

Lexcel England and Wales v6 Guidance notes for in-house legal departments Excellence in practice management and client care. 2015 The Law Society. Excellence in practice management and client care 2015 The Law Society. Contents Introduction... 3 PART ONE - GUIDANCE AGAINST LEXCEL STANDARD REQUIREMENTS... 4 1 - Structure and strategy... 4 2 - Financial

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Information Governance Policy

Information Governance Policy Author: Susan Hall, Information Governance Manager Owner: Fiona Jamieson, Assistant Director of Healthcare Governance Publisher: Compliance Unit Date of first issue: February 2005 Version: 5 Date of version

More information

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

More information

REPORT OF: DIRECTOR OF DEMOCRATIC AND LEGAL SERVICES 13/358 WARDS AFFECTED: ALL

REPORT OF: DIRECTOR OF DEMOCRATIC AND LEGAL SERVICES 13/358 WARDS AFFECTED: ALL REPORT TO CABINET TO BE HELD ON 15 OCTOBER 2013 A ITEM Key Decision YES or NO Forward Plan Ref No Corporate Priority All Cabinet Portfolio Holder Cllr Jane Kenyon REPORT OF: DIRECTOR OF DEMOCRATIC AND

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation Northumberland, Newcastle North and East, Newcastle West, Gateshead, South Tyneside, Sunderland, North Durham, Durham Dales, Easington and Sedgefield, Darlington, Hartlepool and Stockton on Tees and South

More information

OFFICIAL. NCC Records Management and Disposal Policy

OFFICIAL. NCC Records Management and Disposal Policy NCC Records Management and Disposal Policy Issue No: V1.0 Reference: NCC/IG4 Date of Origin: 12/11/2013 Date of this Issue: 14/01/2014 1 P a g e DOCUMENT TITLE NCC Records Management and Disposal Policy

More information

Information Management Strategy. July 2012

Information Management Strategy. July 2012 Information Management Strategy July 2012 Contents Executive summary 6 Introduction 9 Corporate context 10 Objective one: An appropriate IM structure 11 Objective two: An effective policy framework 13

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Information Governance Policy_v2.0_060913_LP Page 1 of 14 Information Reader Box Directorate Purpose Document Purpose Document Name Author Corporate Governance Guidance Policy

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Subject Access Request (SAR) Procedure

Subject Access Request (SAR) Procedure Subject Access Request (SAR) Procedure East and North Hertfordshire Clinical Commissioning Group Page 1 of 16 DOCUMENT CONTROL SHEET Document Owner: Chief Finance Officer Document Author(s): Anne Ephgrave

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies

More information

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1 Policies for: Information Governance Information Quality Information Management Information Security Approved by: None this version Date approved: Name of originator/author: Ade Oduntan, Mike Hellier,

More information

PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN. Records Management Policy. Version 4.0. Page 1 of 11 Policy PHSO Records Management Policy v4.

PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN. Records Management Policy. Version 4.0. Page 1 of 11 Policy PHSO Records Management Policy v4. PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN Records Management Policy Version 4.0 Page 1 of 11 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: File Location: Approval

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information