INFORMATION GOVERNANCE POLICY

Transcription

1 INFORMATION GOVERNANCE POLICY POLICY NO IM&T 011 DATE RATIFIED January 2012 NEXT REVIEW DATE January 2015 POLICY STATEMENT/KEY OBJECTIVE: To provide an overarching framework through which Information Governance requirements will be met ACCOUNTABLE DIRECTOR: Dave Tomlinson - Senior Information Risk Officer (SIRO) POLICY AUTHOR: Information Governance Lead Date of Issue: November of 25

2 Subject Information Governance Policy Applicable to Staff, colleagues, Service Users and Carers and families and applicable for all Trust business i.e. with contractors, agencies and partners Key Policy Issues Responsibilities, strategy and framework Date Issued January 2012 Dates Policy Reviewed January 2012 Next Review Due Date January 2015 Policy Written By Consultation Policy Reviewed By Lead Responsible for Policy Monitoring Arrangements Approved by Authorised by Information Governance Lead Clinical Records and IG Group, SIRO Advisory Group, IG Specialists SIRO, SIRO Advisory Group IG Assurance Lead, IG Specialist IG Assurance Lead By SIRO Advisory Group and IG Lead on annual basis SIRO/Director of Finance SIRO/Director of Finance Signature Date of Issue: January of 25

3 CONTENTS Executive Summary 2 Content Page Introduction Rationale Scope Principles... 4 Appendices 2.0 Responsibilities 2.1 Management Responsibilities Legal Compliance Policy 4.1 Information Governance management Openness Information Security Confidentiality Information Quality Assurance Improvement Plan and assessment Implementation Policy Links National Context Training Audit 12 Information Governance Requirements (IGT) 13 Information Governance Strategy 16 Information Governance IG e-learning Matrix 20 Information Governance Framework 21 Policy Equality and Diversity Assessment 22 Date of Issue: January of 25

4 1.0 INTRODUCTION 1.1 Information is a vital organisational asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management. It is therefore of paramount importance to ensure that information is efficiently managed and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for the continual improvement of information management. The Trust will establish and maintain policies and procedures to ensure compliance with requirements contained in the Information Governance Toolkit (IGT), and NHS Litigation Authority (NHSLA.) 1.2 Rationale The aim of the policy is to provide the employees of Lancashire Care NHS Foundation Trust with a simple framework through which the elements of Information Governance will be met. 1.3 Scope This policy applies to the governance of information produced, handled, used and transferred by the Trust including: Patient information paper and electronic Human resources information Finance information Governance information Organisational administrative information This policy covers all information systems purchased, developed and managed by or on behalf of the Trust, any individual directly employed or otherwise by the Trust and its partner organisations. 1.4 Principles The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of its information. The Trust fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information. The Trust also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public Date of Issue: January of 25

5 interest. These transfers of information are governed by a tiered Information Sharing Agreement signed either by the Chief Executive Officer (CEO), Senior Information Risk Officer (SIRO) or Caldicott Guardian. The Trust believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all staff; administrative, clinical and management, to ensure and promote the quality of information and to actively use it in decision making processes. There are four key interlinked strands to the Information Governance Policy: Openness Legal Compliance Information Security Quality Assurance 2.0 RESPONSIBILITIES and ROLES 2.1 This policy, applies to all staff working within the Trust including any individual directly employed or otherwise by the organisation for example, third party contracting staff, temporary staff, locum or bank staff. Managers within the Trust are responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is ongoing compliance. It is the role of the Trust board, or delegated sub-group or SIRO, to ratify Trust policy in respect of Information Governance, taking into account legal and NHS requirements. The board is also responsible for ensuring that sufficient resources are provided to support requirements of this policy. 2.2 Lancashire Care NHS Foundation (LCFT) Trust Board It is the role of the LCFT Board to define the Trust s Policy in respect of Information Governance, taking into account both legal and NHS requirements. The Board is also responsible for ensuring that sufficient resources are provided to support the requirements of the Policy. 2.3 Chief Executive Officer (CEO) The CEO as accountable officer of LCFT has overall accountability for Information Governance and will provide assurance through the Statement of Internal Control, that all information risks are effectively managed and mitigated. 2.4 Senior Information Risk Officer (SIRO) The Executive Director of Finance is the director responsible for Information Risk Assurance and is delegated as the Trust Senior Information Risk Officer (SIRO.) The SIRO takes ownership of Information Risk Policy, acts as an advocate for information risk on the Trust board and provides written Date of Issue: January of 25

6 advice to the Chief Executive Officer (CEO) on the content of the Statement of Internal Control in regard to information risk. 2.5 The SIRO is required to undertake strategic information risk management training as a minimum annually. 2.6 Key responsibilities of the SIRO are: To oversee the development of an Information Risk Policy and a strategy for implementing the policy within the existing Information Governance Framework To take ownership of the risk assessment process for information risk, including review of the annual information risk assessment to support and inform the Statement of Internal Control To ensure each network and services undertake risk assessments to form the basis of the network and Trust Enterprise Assurance Management register, identifying controls and assurance against the risks To review and agree action/s in respect of identified information risks To ensure that the Trust approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff To provide a focal point for the resolution and/or discussion of information risk issues To ensure the Board is regularly adequately briefed on information risk issues 2.7 The Caldicott Guardian is responsible for ensuring that LCFT processes satisfy the highest practical standards for handling patient information. The Caldicott Guardian for LCFT will be responsible for ensuring the safe recording, storing and retention of all personal data and ensuring all information flows are mapped to exclude any leaks of information. The Caldicott Guardian will ensure that investigations resulting from issues raised by the Information Governance Lead or Health Records Manager are arranged and overseen and all information sharing agreements are negotiated and signed on behalf of the Trust. 2.8 Information Governance Lead The Information Governance (IG) Lead is responsible for overseeing the day to day Information Governance issues, providing guidance to the organisation, developing and maintaining related policies, protocols, strategies and procedures within the Information Governance framework Date of Issue: January of 25

7 and agenda and raising awareness on an on- going basis to staff of all levels across the Trust. The IG lead is responsible for co-ordinating the Information Governance Toolkit annual submission and periodic returns, providing regulatory progress reports for Monitor and support internal and external audit assurance processes. The IG Lead will fully support and assist the SIRO and Caldicott Guardian and carry out any investigations relating to breaches of confidentiality, suspected or confirmed, 2.9 All Managers All Managers are responsible for ensuring that the Policy and it s supporting standards and guidance are built into local processes and that there is ongoing compliance on a day to day basis. Any breaches or suspected breaches of confidentiality or information security must be referred for immediate investigation All staff includes permanent, temporary, contractors, locums, bank staff and any individual who has been given access to Trust network or systems. Individuals are responsible for ensuring that they familiarise themselves with relevant policies and guidance and that they understand the responsibilities set out in them. If individuals are unsure about any aspect of a Policy or guidance they must seek clarification from their line manager or the Information Governance team. Staff must ensure that they are compliant with legislative and regulatory requirements on a day to day basis Information Governance training is mandatory for all staff and forms part of the Trust Mandatory Training Policy. Therefore all staff are required to undertake annual IG e-learning training. Completion of this training is monitored to ensure compliance with the Information Governance Toolkit standard. 3.0 LEGAL COMPLIANCE 3.1 The Trust will undertake or commission assessments and audits of its compliance with legal requirements and will establish and maintain policy to ensure compliance with the governing legislation. 3.2 The Trust regards all identifiable personal information relating to patients and staff as confidential except where legislation on accountability and openness requires otherwise. 3.3 The Trust will establish and maintain policies and procedures for the controlled and appropriate sharing of patient information with other agencies e.g. Social care, Third Sector, taking account of relevant legislation, for example the Health and Social Care Act, Crime and Disorder Act and the Protection of Children Act. Date of Issue: January of 25

8 4.0 POLICY 4.1 Information Governance Management Information Governance management across the Trust will be co-ordinated by the Clinical Records and Information Governance Group and they will coordinate liaison with appropriate organisational departments and sub committees as work streams require. Outcomes from this group will be reported to the SIRO and Executive Management Team and the Caldiott Guardian The membership of the Clinical Records and Information Governance Group comprises of: Deputy Caldicott Guardian Health Records Manager Information Governance Lead Clinical Governance and Risk Pharmacy Lead Associate DIr of IM&T Operational Service Managers Clinical Representation e.g. Secure Services and Psychology The responsibilities of the group include but are not limited to: To develop and implement a systematic and planned strategy for the management of clinical records from the moment the need for a record to be created is identified, through its creation and maintenance to its ultimate disposal. To ensure that the Trust has timely access to reliable information. To ensure that clinical records are managed in compliance with the NHS Code of Practice on Records Management and ensure professional standards. To ensure that clinical record management procedures meet the requirements set out under the Data Protection Act 1998, the Freedom of Information Act 2000 and the NHS Patient Guarantee. To ensure compliance with all aspects of the NHS Information Governance Toolkit standards 4.2 Openness Service users should have ready access to information relating to their own health care, their options for treatment and their rights as patients. There are clear procedures and arrangements for handling queries from patients and the public. See Access to Health Records Policy Non-confidential information on the Trust and its services should be available to the public through a variety of media, in line with the principle of openness. The Trust will establish and maintain policy to ensure Date of Issue: January of 25

9 compliance with the Freedom of Information Act 2000, Data Protection Act 1998, Caldicott principles and will undertake or commission an annual review of its policies and arrangements of openness Availability of information for operational purposes will be maintained within set parameters relating to its importance via appropriate procedures and computer system security The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media and for handling queries from service users and the public The Trust will ensure that the exchange / sharing of any information is only carried out when necessary, within the arena in which the Trust has registered and within strict guidelines under which the information was obtained and outlined at the time or with the person s consent. 4.3 Information Security Lancashire Care will establish, develop and maintain policies and procedures for the effective and secure management of its information assets and resources. It will continually assess and improve its information and IT security arrangements The Trust will promote effective confidentiality and security practice to its staff through policies, procedures and training and establish and maintain incident reporting procedures. It will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. The Trust incident reporting system Datix must be used to report, monitor and investigate breaches or potential breaches of security The Trust requires all its staff to ensure that all measures are taken to protect personal identifiable information (PID) both manual and electronic e.g. locking away information, using passwords to logon on to systems, only storing information on secure networks. 4.4 Confidentiality The Trust regards all identifiable personal information relating to service users and staff as confidential Individuals will be made aware of their responsibilities at local induction and through policy and training Staff non compliance with legal and regulatory frameworks will be monitored and managed through the Trust disciplinary procedure Risk assessment, in conjunction with overall priority planning of organisational activity will be undertaken to determine appropriate effective Date of Issue: January of 25

10 and affordable information governance controls are in place with respect to new service developments. 4.5 Information Quality Assurance The Trust will establish and maintain policies and procedures for information quality assurance and the effective management of records Managers are expected to take ownership of, and seek to improve, the quality of information within their services Wherever possible, information quality should be assured at the point of collection Data standards will be set through clear and consistent definition of data items, in accordance with National standards Internal and external audit, and compliance with regulatory agencies and other quality assurance processes such as Monitor, CQC and NHS LA will support this policy 4.6 Assessment and Improvement Plans A regulatory self- assessment is required annually for NHS organisations to ensure compliance with requirements of the Information Governance Toolkit (IGT). The organisation will identify staff to undertake Administration, Reviewer and User roles as described in the Information Governance Toolkit (IGT) as appropriate to the Trust. These responsibilities will sit within the Information department Annual reports and proposed action and development plans will be presented to the Trust board, SIRO or nominated group for approval prior to submission to Connecting for Health and thereafter Monitor and CQC The requirements are grouped in the following initiatives: Information Governance Management Confidentiality and Data Protection Assurance Information Security Assurance Clinical Information Assurance Secondary Uses Assurance Corporate Information Assurance Date of Issue: January of 25

11 5.0 POLICY IMPLEMENTATION The policy will be advised via E-bulletin, the Trust Intranet and if deemed appropriate by the policy administration office, Chief Executive Team Brief. Copies of the policy will be disseminated to nominated policy file holders. 6.0 TRUST POLICY AND PROCEDURE LINKS Access to Health Records Policy(Including Subject Access) Data Quality Policy Communications Policy Staff Code of Conduct Control and Use of Mobile Devices Electronic Communications Policy Freedom of Information Policy IT Security Policy Procedure for Communicating Personal Identifiable Information Information Sharing Agreement/s Tier 0, Tier 1 and Tier 2 Professional records Keeping Policy Health Records Confidentiality and Security Policy Registration Authority Policy (NCRS Security) Research Governance Policy Safehaven Procedure 7.0 NATIONAL CONTEXT 8.0 TRAINING Connecting for Health Information Governance Toolkit Professional codes of conduct from the BMA, GMC and NMC and others including Allied Health professionals, Finance Professionals and NHS Managers NHS Code of Confidentiality NHS Code of Practice for Information Security NCRS Guarantee All staff attend a mandatory training programme as part of their induction that includes Information Governance. Staff must also undertake annual mandatory e-learning IG training. Further sessions can be scheduled and delivered as necessary upon request and will be tailored to the demands of various staff groups Additional modules are available and are both optional and recommended for specific roles which will support and enhance their knowledge aligned with their responsibilities e.g. SIRO, Information Asset Owners. Date of Issue: January of 25

12 8.1.3 Completion of mandatory e-learning IG Training modules are regularly monitored and reports provided to senior management and SIRO Background information on information governance is available on the NHS Connecting for Health website AUDIT Staff knowledge of Information Governance including Policy, procedure and practices will be monitored and assessed each year via a staff survey. This meets part of the IG training requirement of the Information Governance Toolkit. Date of Issue: January of 25

13 Requirement Information Governance Requirements Current at 2011 APPENDIX ONE 101 There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda 105 There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans 110 Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations 111 Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation 112 Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained 200 The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation s assessed needs 201 Staff are provided with clear guidance on keeping personal information secure and on respecting the confidentiality of service users 202 Personal information is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected 203 Individuals are informed about the proposed uses of their personal information 205 There are appropriate procedures for recognising and responding to individuals requests for access to their personal data 206 There are appropriate confidentiality audit procedures to monitor access to confidential personal information 207 Where required, protocols governing the routine sharing of personal information have been agreed with other organisations 209 All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines 210 All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements 300 The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation s assessed needs 301 A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed 302 There are documented information security incident / event reporting and management procedures that are accessible to all staff 303 There are established business processes and procedures that satisfy the organisation s obligations as a Registration Authority 304 Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use 305 Operating and application information systems (under the organisation s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems Date of Issue: January of 25

14 307 An effectively supported Senior Information Risk Owner takes ownership of the organisation s information risk policy and information risk management strategy 308 All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers 309 Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service - specific measures are in place 310 Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error 311 Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code 313 Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely 314 Policy and procedures ensure that mobile computing and teleworking are secure 323 All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures 324 The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate 400 The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience 401 There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements 402 Procedures are in place to ensure the accuracy of service user information on all systems and /or records that support the provision of care 404 A multi-professional audit of clinical records across all specialties has been undertaken 406 Procedures are in place for monitoring the availability of paper health/care records and tracing missing records 501 National data definitions, standards, values and validation programmes are incorporated within key systems and local documentation is updated as standards develop 502 External data quality reports are used for monitoring and improving data quality 504 Documented procedures are in place for using both local and national benchmarking to identify data quality issues and analyse trends in information over time, ensuring that large changes are investigated and explained 506 A documented procedure and a regular audit cycle for accuracy checks on service user data is in place 507 The Completeness and Validity check for data has been completed and passed 508 Clinical/care staff are involved in validating information derived from the recording of clinical/care activity 514 An audit of clinical coding, based on national standards, has been undertaken by a member of staff from the NHS Connecting for Health list of registered clinical coding auditors within the last 12 months 516 Training programmes for clinical coding staff entering coded clinical data are comprehensive and conform to national standards 601 Documented and implemented procedures are in place for the effective management of corporate records 603 Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000 Date of Issue: January of 25

15 604 As part of the information lifecycle management strategy, an audit of corporate records has been undertaken Date of Issue: January of 25

16 APPENDIX NO.2 INFORMATION GOVERNANCE STRATEGY This strategy sets out the approach to be taken within the Trust to provide a robust Information Governance Framework for the future management of information. 1.0 The Scope of the Strategy 1.1 Information Governance currently encompasses the following: Information Governance Management Confidentiality and Data Protection Assurance Information Security Assurance Clinical Information Assurance Secondary User Assurance Corporate Information Assurance 1.2 Information Governance has the following fundamental aims: To support the provision of high quality care by promoting the effective and appropriate use of information To encourage responsible staff to work closely together, preventing duplication of effort and enabling more efficient use of resources To develop support arrangements and provide staff with appropriate tools and support to enable them to discharge their responsibilities to consistently high standards To enable organisations to understand their own performance and manage improvement in a systematic and effective way 1.3 The Trust has a statutory responsibility to patients and the public to ensure that the services it provides has effective processes, policies and people in place to deliver its objectives in relation to holding and using confidential and personal information. Date of Issue: January of 25

17 1.4 This strategy outlines the approach the Trust will take to ensure that it develops effective information governance processes throughout the organisation, which will enable the Trust to deliver its objectives and meet its statutory and regulatory requirements. 2.0 Key Components of the Strategy 2.1 There are 2 key components underpinning this strategy which are: The Trust Information Governance Policy which outlines the objectives for Information Governance and Strategy An annual Action / Improvement Plan arising from a baseline assessment against the standards set out in the Connecting for Health Information Governance Toolkit. 2.2 The Clinical Records and Information Governance Group has overall responsibility for overseeing the implementation of this strategy, the Information Governance Policy and the Information Governance Improvement Plan. All will be subject to periodic review and progress reported to the SIRO and Trust Board. There is sufficient representation at the Clinical Records and Information Governance Group to ensure that Information Governance is embedded within organisational structure. 2.3 A key function of the Clinical Records and Information Governance Group is to monitor and review untoward incidents and occurrences relating to Information Governance. Such incidents should be recorded on the Caldicott Log and reviewed for appropriate action, progress and timely closure. 2.4 An Information Governance Action Plan identifying responsible leads will be agreed each year to ensure compliance against each of the requirements. This Improvement Plan forms part of the overall Board or SIRO endorsed Information Governance Strategy and includes established links to the Board Assurance Framework. Date of Issue: January of 25

18 3.0 Role and Responsibilities 3.1 The Executive Director of Finance, Estates & Facilities and IM&T is the named individual on the Trust Board with overall accountability for Information Governance and the Trust Senior Information Risk Officer (SIRO.) 3.2 The Medical Director is the Caldicott Guardian. This role is supported by a deputy Caldicott Guardian and the Health Records Manager is a delegated Authority. 3.3 The Information Governance Lead is the senior manager with responsibility for the Information Governance Agenda and reports to the Associate Director of IM&T. 3.4 This Strategy cannot be seen in isolation as information plays an integral part in Governance, Strategic Risk, Clinical Governance and Performance and Service Planning. The strategy therefore links into all of these aspects of the organisation and is reflected in the Governance strategy. In addition, the Trust board has identified Information Governance as a risk within the Board Assurance Framework. The implementation of this strategy will reduce the level of this risk. 3.5 The Information Governance Lead will identify associated resource implications incurred by the implementation and maintenance of the Information Governance Policy Improvement Action Plan and expansion of services. Approval will be agreed by either the Clinical Records and Information Governance Group and /or the Trust SIRO. Business cases may be prepared as appropriate. 3.6 Performance will be monitored by the Clinical Records and Information Governance Group and submitted via the Information Governance Toolkit as a minimum annually. 3.7 Fundamental to the success of delivering the Information Governance Strategy is developing an Information Governance culture within the Trust. This will be embedded into day to day work practices. This will be assessed using an annual staff survey to gauge individuals Information Governance knowledge and compliance. 3.8 Awareness and training will be provided to all Trust staff. Staff will be directed to use the mandatory IG training modules currently hosted by CfH (Connecting for Health.) This training forms part of the Trust Mandatory Training Policy. Additional training modules are (as optional and recommended) available for staff to complete particular to their work role and outlined in a training matrix as attached. Additional training modules should be discussed as part of the PDP process. Date of Issue: January of 25

19 4.0 Conclusion 4.1 The implementation of the Information Governance Strategy, Policy and Action Plan will ensure that information is more effectively managed in the organisation. A revised action plan will be developed annually against the Information Governance Toolkit requirements to identify areas for continuous improvement. Date of Issue: January of 25

20 Access to Health Records Business Continuity Manageemnt Clinical Information Systems Records Management & the NHS Code of Practice Patient Confidentiality Information Security Management Information Security Guidelines Secure Transfers of Personal Data NHS Information Risk for SIROs & IAOs Caldicott Guardian in the NHS & Social Care Password Management Beginners Gide to IG IG for Medical Secretaries Intro to IG or Refresher Training (as applicable) Designation Information Governance Policy Appendix No.3 INFORMATION GOVERNANCE IG E-LEARNING MATRIX Caldicott Guardian M R M R M Clinical Governance staff M R Clinical Systems Trainers M R R R R M Clinicians/Social Care staff M R R M R Community Admin M R R R R Facilities staff M R Finance staff M R Health Records staff M R R R M M HR staff M R R Informatics staff M R R R Information Asset Owners M R M R R Information Governance staff M R R R M M R M M M M M Information Security staff M R M R M M R IT staff M R R R R Medical Secretaries M R R R M R Non Executive Directors M R R Payroll staff M R Planning & Performance staff M R R R SAR Handlers M R R R M SIRO M R M R R Volunteers M R R M denote Mandatory modules R- denotes Recommended Modules Date of Issue: January of 25

21 INFORMATION GOVERNANCE FRAMEWORK Appendix no.4 External reporting Information Governance Policy CQC Stds / External Audit MONITOR CfH via IGT Trustboard Member TRUST BOARD Trustboard Member AUDIT COMMITTEE (Inc Internal Audits) SIRO ADVISORY GROUP SIRO attends EMT Governance EMT GOVERNANCE including Corporate, Clinical and Information Caldicott Guardian attends EMT Governance Caldicott Guardian (Max Marshall) Information Asset Owners (IAO s) IM&T Dept Including Information Governance function Corporate Records Management Group Clinical Records & IG Management Group Receives reports via PCUI SLA Information Quality & Records Mgmt Grp Health Records Management including health records stores External Standards Network Gov Groups Including Adult MH, Adult comm Secure and Children & Families Legislation e.g. DPA Operational service groups NHSLA Stds Date of Issue: January of 25

22 Lancashire Care NHS Foundation Trust Initial Equality Impact Assessment Department/Function IM&T Information Governance Lead person Michelle J Brammah Contact details michelle.brammah@lancashirecare.nhs.uk Name of policy/procedure/service to be Information Governance Policy assessed Date of assessment Is this a new or existing policy/procedure/service? 1. Briefly describe the aims, objectives and purpose of the policy/procedure/service? Existing Policy Information is a vital organisational asset. It supports both clinical management and Corporate management. It plays a key role in patient care, service and performance management and governance. Date of Issue: January of 25 The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The aim of the Policy is to provide a simple framework for all Trust staff through which elements of Information Governance will be met. 2. Who is intended to benefit? Policy implementation will benefit staff working within the Trust including any person directly employed or indirectly employed e.g. 3 rd party contract staff, temporary staff, locums or temporary staff 3. What outcomes are wanted? There are several outcomes: 1. To raise staff awareness of the Information Governance Framework and identify the

23 management forums to which related issues can be presented 2. To ensure that all staff from senior level through to service level understand their responsibilities in terms of confidentiality and security of Trust information including patient, staff and corporate. 3. To set out expectations for Information Quality Assurance 4. To detail the use of Improvement plans in order to meet the requirement for regulatory annual self- assessment. 5. To outline the requirement of Mandatory Information Governance training for all Trust staff 4. Who are the main stakeholders? The main stakeholders are all staff working within the Trust including any person directly employed or indirectly employed e.g. 3 rd party contract staff, temporary staff, locums or temporary staff 5. Who is responsible for implementation? Section 2 of the Policy outlines all the key roles who should be involved with the application of the Policy from the Trust Board to the individual member of staff. Specifically the IG Lead is responsible for ensuring that the Policy is widely communicated through a variety of methods e.g. Trust weekly e-bulletin, Insight Magazine, Trust Intranet, Corporate Induction, Network Governance meetings. As part of the Monitoring and Compliance of the Policy, the IG Lead will include an awareness check in the annual IG Staff Survey. Line Management should ensure that staff comply with this policy and individuals are responsible for familiarising themselves with the procedure and associated guidance. Date of Issue: January of 25

24 6. Are there concerns that there could be differential impact on the following groups and what existing evidence do you have for this? People from a Black or minority ethnic background please explain and also include local demographics, monitoring of E and D (e.g. % of BME communities in East Lancashire is this % reflected in recruitment and/or service use?) Y N No. The application of this policy has equal relevance to all and makes no distinction to any particular group Women or men Y N No. Declaration of gender has no bearing on this Policy and applies to all groups People with disabilities or long term health conditions People with a particular religion or beliefs Y N No. This Policy applies equally to all staff and does not discriminate against people with disabilities or long term health conditions. Y N No. There is nothing intended or stated in the Policy that identifies or distinguishes a particular belief or religion Lesbian, gay,bisexual, trans people Y N No. Sexuality has no bearing on the adherence of the Policy Older or younger people Y N No. Regardless of age group the Policy is relevant based on the objectives stated above. Carers Y N No. There is no differential on this group. Assurance should be given by the principles set out in the Policy for the protection of information 7. Could any differential impact identified above be potentially adverse? 8. Can any adverse impact be justified on the grounds of promoting equality of opportunity? (e.g. single sex group, BME group) 9. Have you consulted with those who are likely to be affected? Y N No. Y N No Y N The Policy has been presented to the Clinical Records and Information Governance Group December Members were asked to provide comment and suggest any amendments or feedback to the IG Lead so that they could be reflected in the final version. Date of Issue: January of 25

25 10. Should the policy/procedure/service proceed to full impact assessment? Y N Information Governance Policy No. This is not required. No particular group is affected by implementation and therefore it does not warrant greater scrutiny I understand the impact assessment of this policy/procedure/service is a statutory obligation and take responsibility for the completion of this process. Names of assessors Michelle J Brammah IG Lead Sue Stone IG Specialist Date of assessment Date of next review Jan 2015 Date of Issue: January of 25