Information Governance Plan

Transcription

1 Information Governance Plan

2 1. Overview 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources. NHS Stockport Clinical Commissioning Group aims to safeguard patient confidentiality and maintain data security. 1.2 Information Governance (IG) is the way in which the NHS handles all of its information, in particular the personal and sensitive information relating to patients and employees. It provides a framework to ensure that personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible care. It also offers NHS employees a clear structure to deal consistently with the many different rules about how information is handled, including those set out in: The Data Protection Act 1998; The common law duty of confidentiality; The Confidentiality NHS Code of Practice; The NHS Care Record Guarantee for England; The Social Care Record Guarantee for England; The international information security standard: ISO/IEC 27002: 2005; The Information Security NHS Code of Practice; The Records Management NHS Code of Practice; The Freedom of Information Act Ensuring that our staff and clinical leaders are suitably equipped to manage this important area of work is a key priority for NHS Stockport CCG and integral to our capacity to deliver on plans to build local trust, as outlined in our Communications & Engagement Strategy. 2. CCG Principles 2.1 As an evidence-based organisation, we will collect and use a wide range of data to ensure that our decisions reflect the needs of local people. In doing so, we will take all necessary steps to ensure that patient and employee data is safeguarded and used within the parameters of national legislation to improve patient care. 2.2 Our work will be guided by the following principles: 2.3 Confidentiality Information must be secured against unauthorised access. Information Sharing Protocols must be in place for any data sharing. 2.4 Integrity Information must be safeguarded against unauthorised modification. Efforts will be undertaken to ensure that all information is correct. 2.5 Openness

3 Information must be accessible to authorised users at times when they require it. Patients will have ready access to information relating to their own health care, their options for treatment and their rights as patients. Non-confidential information on NHS Stockport CCG and its services will be available to the public through a variety of media, including a Publication Scheme in line with the Freedom of Information Act. 3. Accountability & Responsibilities 3.1 While the principles of Information Governance apply to all employees of NHS Stockport CCG, a structure is in place to monitor progress, minimise risks, advise and train staff, and ensure that NHS Stockport CCG meets its legal responsibilities. 3.2 Senior Information Risk Owner The Senior Information Risk Owner (SIRO) is responsible for fostering a culture for protecting and using data. The role provides a focal point for managing information risks and incidents and is concerned with the management of all information assets. NHS Stockport CCG has appointed its Chief Financial Officer to take on the role of SIRO. 3.3 Caldicott Guardian Each NHS organisation must have a Caldicott Guardian - a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. NHS Stockport CCG has appointed its Public Health Consultant on the Governing Body to take on the role of Caldicott Guardian. 3.4 Information Governance Lead / Data Protection Officer At an operational level, information governance and data protection will be led by the Head of Compliance, within NHS Stockport CCG s Strategy & Governance Directorate. 3.5 Information Asset Owners Each Directorate within NHS Stockport CCG will identify an Information Asset Owner (IAO). Their role is to understand and address risks to the information assets they own, and to provide assurance to the SIRO on the security and use of those assets. They will be responsible for developing information asset registers for all key information sources within their authority. 3.6 Information Asset Administrators Each Directorate will also nominate an Information Asset Administrator (IAA) with responsibility for updating data within the team s information assets. The IAA will be responsible for identifying any actual or potential security incidents, consult their IAO on incident management and ensure that all information asset registers are up-to-

4 date and accurate. 3.7 Freedom of Information The administration of Freedom of Information (FOI) requests will be handled centrally within the Corporate team. All Directorates will have a responsibility to ensure that requests are responded to within the 20 working day time limit. NHS Stockport has appointed the Chief Finance Officer as the Governing Body lead on FOI. 3.8 All staff, whether permanent, temporary or contracted, are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis. Staff will undertake annual IG training through Connecting for Health s e-learning tool. 4. Monitoring Arrangements 4.1 It is the role of Audit Committee to define NHS Stockport CCG s policies in respect of Information Governance, taking into account legal and NHS requirements. 4.2 The Senior Information Risk Owner (SIRO) will report quarterly to Audit Committee on: o Information Security Risks o Information Security Incidents o Data Quality o Staff Training o Progress on the IG Toolkit. 4.3 On an annual basis, Audit Committee will update the Governing Body on NHS Stockport CCG s progress in terms of the Information Governance Toolkit. Any matters of concerns arising will be reported to the Governing Body on an ad-hoc basis. 5. Information Governance Toolkit 5.1 The IG Toolkit is an online system which allows NHS organisations and partners to assess themselves against Department of Health Information Governance policies and standards. It also allows members of the public to view progress reports, offering assurance to our patients that we prioritise their privacy and take all reasonable steps to maintain the confidentiality of their data. 5.2 Over 2011/12 clinical leads on the Governing Body requested that NHS Stockport undertook a major improvement project to develop Information Governance capacity and procedures within the organisation. The project resulted in attainment of level two for all areas of the toolkit, with the exception of 2 requirements, due to a lack of time for all Information Asset Owners and Administrators to undertake all training courses. 5.3 NHS Stockport CCG intends to build upon this work to ensure that the CCG assures

5 compliance in this important area. A project plan has been developed to review and transfer the recently upgraded IG provision of the PCT over to the CCG. A major part of this work plan will be the review and transfer of existing PCT processes and procedures to the CCG. 5.4 An initial assessment of the requirements for CCGs under Version 10 of the NHS's IG Toolkit suggests that NHS Stockport CCG is fully compliant with its IG responsibilities, comfortably meeting level 2 in all 27 requirements (the requirement for version 9 of the toolkit in 2011/12), and is on target to achieve level 3 in 14 areas by the 31 March 2013, through implementation of the CCG's IG transition plan. Attainment s for All Initiatives Not Yet Answered Not Relevant See full breakdown by requirement in appendix This would give NHS Stockport CCG a score of 83%. The target level for CCGs in this first year of our IG Toolkit submission is to achieve a score of 80% N/A Score Information Governance Management % Confidentiality and Data Protection Assurance % Information Security Assurance % Clinical Information Assurance % All Initiatives % 6. Next Steps 6.1 We will put in place a post authorisation workplan to take NHS Stockport CCG s IG Toolkit score up to 100% over the next three financial years. 6.2 Using the parameters of the IG Toolkit, the workplan will focus on the areas identified for improvement in our baseline submission and will include:

6 Calendar of staff training sessions Review, amend and adopt IG policies and procedures for the new CCG Review and update all Information Sharing Protocols Convene IAOs and IAAs with the SIRO to review the Information Asset Register of the old PCT and develop a new register for NHS Stockport CCG Map data flows within the organisation Agree core IG clauses for all staff and provider contracts Undertake internal assurance checks Undertake assurance checks on provider organisations.

7 Appendix 1 - IG Toolkit Baseline Submission 31 July 2012 Req No Description Information Governance Management There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained Confidentiality and Data Protection Assurance The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation s assessed needs Staff are provided with clear guidance on keeping personal information secure and on respecting the confidentiality of service users Personal information is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected Individuals are informed about the proposed uses of their personal information There are appropriate procedures for recognising and responding to individuals requests for access to their personal data There are appropriate confidentiality audit procedures to monitor access to confidential personal information All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements Past (PCT) Current Target NR NR NR

8 Req No Description Information Security Assurance The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation s assessed needs A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed There are established business processes and procedures that satisfy the organisation s obligations as a Registration Authority Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use Operating and application information systems (under the organisation s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems An effectively supported Senior Information Risk Owner takes ownership of the organisation s information risk policy and information risk management strategy Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service - specific measures are in place Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely Policy and procedures ensure that mobile computing and teleworking are secure There are documented incident management and reporting procedures All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate Clinical Information Assurance The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements PCT Current Target 1 3 3

9 Version Control Document Amendment History: Date Version Author Changes Angela Beagrie Initial draft Tim Ryley Various from first read through by senior staff Angela Beagrie Inserted leadership roles and next steps Reviewers: This document has been reviewed by the following: Name Role Date Gary Jones SIRO Dr Vicci Owen-Smith Caldicott Guardian Approvals: This document has been approved by the following: Name Role Date Dr Ranjit Gill Chief Clinical Officer Gaynor Mullins Chief Operating Officer Distribution: Controlled copy stored on SharePoint site Information Governance Plan Page 8