Trust Informatics Policy. Information Governance. Information Governance Policy

Transcription

1 Trust Informatics Policy Information Governance Policy Reference: TIP/IG/IGP I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 1

2 Document Control Policy Title Author/Contact Document Reference Pauline Nordoff-Tate Information Assurance Manager TIP/IG/IGP Version 3.2 Status Approved Publication Date February 2004 Review Date July 2012 Approved by Dr P Williams, Caldicott Guardian 10 th August 2010 Ratified by Information Governance Group 10 th August 2010 Distribution: Royal Liverpool and Broadgreen University hospitals NHS Trust-intranet Please note that the Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and as such, may not necessarily contain the latest updates and amendments. Version Date Comments Author 1 02/02/2004 Approved by the Information A Penketh Governance Group 2 02/02/05 Amendments made and A Penketh reviewed and approved by the Information Governance Group 3 04/12/2006 Notes new IGT standards A Penketh /07/2010 Significant amendments Information Assurance Manager Review Process Prior to Ratification NAME OF GROUP/DEPARTMENT/COMMITTEE DATE Information Governance Group 02/02/04 Information Governance Group 02/02/05 I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 2

3 Information Governance Group (virtual meeting) 21/01/07 Information Governance Group (Virtual meeting) 10/08/10 I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 3

4 Table of Contents 1. Introduction Equality and Diversity 5 2. Objective 6 3. Scope of Policy 6 4. Policy Protection of Information Management of Records Information Quality Assurance Risk 9 5. Roles and Responsibilities 9 6. Associated documentation and references 9 7. Training & Resources Monitoring and Audit 10 APPENDIX A Supporting Legislation and Guidance 12 I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 4

5 1. Introduction Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of Trust services and resources. It plays a key part in clinical governance, service planning and performance management and decision-making. It is therefore of paramount importance that information is effectively managed with appropriate policies and procedures in place, and that management accountability is identified to provide a robust information governance framework to support the organisation. The Trust is built on the work carried out in relation to the Information Governance agenda, including Information Quality Assurance, the Caldicott, Data Protection and Information Security agendas and the Health and Corporate Records Management agendas. Information governance needs to be allied closely with advice and guidance from the Information Commissioner and also includes initiatives such as Confidentiality: NHS Codes of Practice, Information Governance Statement of Compliance, the Operating Framework, the NHS Care Records Guarantee and has been established in line with work carried out by the now long established Information Governance Toolkit (IGT). The Information Governance Lead within the Trust is via the Information Governance Group which meets on a bi-monthly basis and includes the Director of Information Management and Technology, and the Caldicott Guardian. The IGT has undergone a major rewrite but still operates under the following sub-headings: Information Governance Management Confidentiality and Data Protection Assurance Information Security Assurance Clinical Information Assurance Secondary User Assurance Corporate Information Assurance 1.1 Equality and Diversity The Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and processes. This policy should be implemented with due regard to this commitment. To ensure that the implementation of this policy does not have an adverse impact in response to the requirements of the Race Relations (Amendment Act), the Disability Discrimination Act 2005, and the I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 5

6 Equality Act 2006 this policy has been screened for relevance during the policy development process and a full impact assessment conducted where necessary prior to consultation. The Trust will take remedial action when necessary to address any unexpected or unwarranted disparities and monitor practice to ensure that this policy is fairly implemented. This policy and procedure can be made available in alternative formats on request including large print, Braille, moon, audio, and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance. The Trust will endeavour to make reasonable adjustments to accommodate any employee/patient with particular equality and diversity requirements in implementing this policy and procedure. This may include accessibility of meeting/appointment venues, providing translation, arranging an interpreter to attend appointments/meetings, extending policy timeframes to enable translation to be undertaken, or assistance with formulating any written statements. 2. Objective This document will detail the processes that must be adhered to in ensuring that Information Governance is maintained within the Trust comply with all guidance and legislation relating to this area. 3. Scope of Policy This policy applies to all staff employed by Royal Liverpool & Broadgreen Hospitals NHS Trust, including bank, agency and locum staff, students, voluntary staff, contractors and trainees on temporary placement, those holding honorary contracts or subject to the joint working authority with the Liverpool Chest and Heart Hospital. 4. Policy The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The Trust is publicly accountable and needs to ensure that the principles of corporate governance are fully supported. An equal importance must be placed on the need to ensure high standards of information assurance, data protection and confidentiality to safeguard personal and commercially sensitive information. The Trust also recognises the need to share information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and in some circumstances, the public interest. Underpinning this is the need for electronic and paper information to be accurate, relevant, available when required and processed appropriately, and measures must be taken to keep in line with the information security agendas to safeguard personal data. There are 4 key interlinked areas within Information Governance: I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 6

7 4.1 Protection of Information This includes the implementation and maintenance of standards associated with the Data Protection Act, the Freedom of Information Act, Information Security Management: NHS Code of Practice (ISO27001), the Confidentiality: NHS Code of Practice, the pseudonymisation project and the Caldicott principles. There is a high overlap with the Records Management Policy that details the requirements for record retention and destruction. In order to ensure high standards in this area: The Trust will establish and maintain policies and procedures to ensure the implementation of the Data Protection Act 1998, Freedom of Information Act 2000, The Computer Misuse Act 1990, and any further related legislation and NHS guidance for the effective and secure management and processing of its information, it s information assets and resources The Trust will undertake or commission annual assessments and audits of its levels of protection of information using the Information Governance Toolkit version 8 and other available mechanisms The Trust will promote effective confidentiality, data protection and security practice to staff through policies, procedures and various methods of training The Trust will ensure information assets are obtained and documented throughout the Trust. The Trust will maintain a risk log in conjunction with the North Mersey Health Informatics Service (HIS). The Trust will ensure a Senior Information Risk Owner (SIRO) from the Trust Board. The Trust will deliver a confidentiality and security work Programme in line with the Information Governance Toolkit and NHS Connecting for Health requirements. The Trust will establish and maintain protocols for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act) The Trust will initiate the planning for the Information Security Standard ISO27001 I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 7

8 4.2 Management of Records This includes the implementation and maintenance of the records management elements of the Clinical Negligence Scheme for Trusts (CNST), the introduction of standards for health records and the Freedom of Information Act. There is a high level of overlap with the Protection of Information and with Information Quality Assurance Policy. In order to ensure high standards in this area: The Trust will establish and maintain policies and procedures to ensure compliance with the Freedom of Information Act, any further related legislation and NHS guidance in relation to FOI and Records Management The Trust will undertake or commission annual assessments and audits of its policies and arrangements for openness and records management using the Information Governance Toolkit and other available mechanisms The Trust will have a strategy for dealing with Records Management The Trust will promote effective records management to staff through policies, procedures/user manuals and training 4.3 Information Quality Assurance This includes the implementation of information quality standards for electronic and manual patient/staff information and the implementation of the Clinical Information and Secondary User Assurance standards in the Information Governance Toolkit. It has a high level of overlap with Protection of Information and with Management of Records. In order to ensure high standards in this area: The Trust has established policies and procedures for information quality assurance. The Trust will maintain rigorous information quality validation checks of data flows against national standards using both internal reporting and externally available reports. The Trust will undertake or commission annual assessments and audits of its information quality using the Information Governance Toolkit and other available mechanisms. The Trust will promote information quality to staff through policies, procedures/user manuals and training. I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 8

9 4.4 Risk The Senior Information Risk Owner (SIRO) will be a Board member and ensure the Trust has appropriate staff available to oversee the completion of an Information Risk Register and its management. The Trust must ensure that it operates within a robust Information Governance framework to reduce the risk of both potential litigation and compromise to patient care. Risk assessments will be carried out in the individual component areas as required by the Information Governance Toolkit. 5. Roles and Responsibilities This Policy is the responsibility of the having been ratified with the Information Governance Group. The policy is available through the Trusts intranet and is referred to in information assurance training. It is the responsibility of all staff to familiarise themselves with this policy and all related Informatics policies and documentation where applicable. It is the responsibility of all Divisional and Directorate Managers to ensure the policy is disseminated to all staff, and that staff have read and understood the policy. Staff must ensure at all times that high standards of information quality, data protection, integrity, confidentiality and records management are met in compliance with the relevant legislation and NHS guidance. Clinicians and managers must promote high standards of Information Governance. Information Governance paragraphs must be included in job descriptions and contracts to ensure that all staff are aware of their responsibilities. 6. Associated documentation and references This policy should be read in conjunction with all Informatics policies found on the Intranet Policy website, which include: Trust Information Assurance Policy Trust Information Access Policy Caldicott Report Personal Information and Confidentiality Policy Password Policy Risk Management Policy (for IT) Information Quality Policy Records Management Policy and Strategy I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 9

10 Legislation to restrict disclosure of personal identifiable information: The Freedom of Information Act 2000 The Data Protection Act 1998 The NHS Code of Confidentiality The Privacy and Electronic Communications Regulations 2003 The Computer Misuse Act 1990 Human Fertilisation and Embryology (Disclosure of Information) Act 1992 The National Health Service (Venereal Diseases) Regulations 1974 (S.I.1974/29) Abortion Act 1967 The Adoption Act 1976 Legislation requiring disclosure of personal identifiable information: Public Health (Control of Diseases) Act 1984 & Public Health (Infectious Diseases) Regulations 1985 Births and Deaths Act 1984 Police and Criminal Evidence Act 1984 The Records Management Code of Practice April Training & Resources The implementation of policies in this area will be carried out across the Trust by all involved staff and will be led by the Information Assurance Manager and associated teams (Information Quality, Data Protection, Information Security, Records Management, Freedom of Information etc). Information Governance elements will be included in standard Trust induction, mandatory training programmes, specific data protection training packages and electronic learning packages. Managers will ensure that the relevant paragraphs are included in staff job descriptions. 8. Monitoring and Audit The Information Governance Sub-Group is the Trust committee with responsibility for the ratification of Information Governance Policies and approval of work programmes. This group has senior level representation, chaired by the Caldicott guardian, and supported from all appropriate areas to ensure the Trust steers this agenda appropriately. It receives regular reports from the Information Assurance Manager and responsible staff dealing with all aspects of I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 10

11 the agenda as outlined above, and approves central returns required by the Information Governance Toolkit to NHS Connecting for Health. The Information Governance Toolkit (IGT) will be used by the Trust to conduct baseline audit and construct action plans for future compliance with this agenda. The work programmes in the individual areas will be created by adherence to the IGT standards and to the national standards appropriate to the individual field of activity. I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 11

12 APPENDIX A Supporting Legislation and Guidance The Data Protection Act 1998 Seventh Principle states: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data I:\IG\IGM\IGT\March 2011\Document Library\Policies\Approved/ - 12