Information Governance Strategy

Transcription

1 Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the Trust Version 4. Issue 0 Approved by Caldicott and Information Governance Committee Date Approved Ratified by Trust Managment Committee Date Ratified Author Information Governance Manager Lead Director Director of Finance & IT Name of Responsible Caldicott and Information Governance Committee Individual/Committee Consultation Caldicott & IG Committee BHT Document reference S007 Department Document Reference IG0041 Date Issued May 2013 Review Date May 2016 Target Audience All Trust staff Location Swan Live Intranet Policies & Guidelines/Policies & Strategies/Information Governance EIA N/A

2 Approval and Authorisation Completion of the following detail signifies the review and approval of this document, as minuted in the senior management group meeting shown. Version Authority Date 1.0 ISG Caldicott & IG Committee Dec Caldicott & IG Committee June Trust Management Committee Aug Trust Board Sept Trust Management Committee Change History Version Status Reason for change date Author 3.0 Approved Caldicott & IG Committee chairman s action June 2010 A Chilcott 3.0 Ratified Trust Management Committee Aug 2010 A Chilcott 3.0 Ratified Trust Board Sept 2010 A Chilcott 3.0 Informal Yearly Review no changes Nov 2011 A Chilcott 3.1 Draft Formal review circulated to Caldicott & IG Committee for comments 4.0 Approved Caldicott & IG Committee Chairman s Action and noted at meeting Jan 2013 Mar 2013 A Chilcott A Chilcott Document References Ref # Document title Document Reference Location 1 Information Governance Policy IG0005 Intranet 2 Clinical Governance Strategy S002 Intranet 3 Risk Management Strategy Pol045 Intranet 4 Trust Assurance Framework and Corporate Risk Intranet Register 5 Policy on Production, Approval, Registration and Pol 075 Intranet Implementation of Trust-wide Strategies and Policies 6 Department of Health Code of Conduct for Payment by Results May 2013 Page 2 of 18

3 Table of Contents 1. Introduction Aims and Objectives The Scope of the Strategy Strategy Context Key Components of the strategy Information Governance Deliverables Management Structure and Responsibilities Strategy Implementation and Improvement Plans Training Resources Conclusion Monitoring the Strategy Review of this document 11 Appendix A - Information Governance Management & Accountability Framework.12 Appendix B Caldicott & Information Governance Commitee Terms of Reference...16 May 2013 Page 3 of 18

4 1. Introduction This strategy sets out the approach to be taken within the Buckinghamshire Healthcare NHS Trust to support the Information Governance Policy and provide a robust Information Governance (IG) framework for the management of information. Good quality information underpins sound decision making at every level in the NHS and most importantly contributes to the improvement of health care. With penalties for failure to comply with the laws and regulations on information handling on the increase, the Trust must make certain that it has a plan to ensure that its business and person related information is being properly managed. This strategy provides a framework to bring together all of the requirements, standards and best practice that apply to the handling of personal information, allowing: Implementation of Department of Health advice and guidance Compliance with the law Year on year improvement plans Assurance against ISO/IEC 27002:2005 and 27001:2005, the international standard for Information System Security Information Governance is the mechanism by which the Trust handles information about patients and employees, in particular personal and sensitive information. 2. Aims and Objectives The Trust aims to achieve a standard of excellence in information governance by ensuring information is dealt with legally, securely, efficiently and effectively in the course of Trust business, in order to support high quality patient care. All information processing will be undertaken in accordance with relevant legislation and best practice. The Trust will set policies and procedures to ensure that appropriate standards are defined, implemented and maintained. The Trust aims to minimise the risks arising from information handling processes, these are: Legal action due to non-compliance with statutory and regulatory requirements Loss of public confidence in the Trust Contribution to clinical or corporate negligence Damage or stress to an individual The Trust aims to provide support to its staff to be consistent in the way they handle personal information and to avoid duplication of effort. This will lead to improvements in: Information handling activities Patient confidence in the NHS and the Trust Staff training and development May 2013 Page 4 of 18

5 3. The Scope of the Strategy Information Governance provides a consistent way for staff to deal with the many different informationhandling requirements and is a framework for the following processes and duties: Information Governance Management (management, accountability and responsibility) Confidentiality & Data Protection Assurance (person related/identifiable information) Information Security Assurance (manual and electronic information /records management) Clinical Information Assurance (patient information/ records for direct clinical use) Secondary Use Assurance (patient information/records e.g. data quality, non direct clinical use) Corporate Information Assurance (records management e.g. Finance, Human Resources) 4. Strategy Context Information plays a key part in governance, strategic risk, clinical governance, service planning and performance management. The strategy links into all of these aspects and sets out the approach to be taken within the Trust to provide a robust information governance framework for the management of information. Information Governance has been identified as a risk within the Information Governance Assurance Framework; therefore the implementation of this strategy will facilitate and maintain a reduction in the level of this current risk. Accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all staff to ensure that information is accurate and up to date, kept confidential and secure and that it is used proactively in the Trust s decision-making process. The Trust will adopt the principles contained within the Department of Health, Code of Conduct for Payment by Results. 5. Key Components of the strategy The Trust Information Governance Policy outlines the objectives for information governance. An annual action plan arising from a base line assessment against the standards set out in the Connecting for Health Information Governance Toolkit and will be a key vehicle for improving information governance within the Trust. A management framework and robust infrastructure which will support the implementation, monitoring and review of information governance within the Trust. 6. Information Governance Deliverables The Trust will establish a robust information governance process conforming to the Connecting for Health standards and the objectives in the Trust s Information Governance Policy. It is the responsibility of all organisations to comply with relevant legislation. The Department of Health has developed the following five broad standards (called the HORUS model ), that we should apply when information is processed: May 2013 Page 5 of 18

6 o o o o o Held securely and confidentially Obtained fairly and efficiently Recorded accurately and reliably Used effectively and ethically Shared appropriately and lawfully 6.1 All staff must understand and apply best practice and the principles of information governance to manage all information to support the business activities of the Trust All staff involved in the administration of information governance must receive senior management backing, training and encouragement to be aware of developments in information governance and any relevant information handling issues that will affect them. Delivery of mandated information governance induction and update training for all staff. Regular communications to staff using Trust staff bulletin, intranet and management team briefs All staff signing confidentiality clauses within all staff contracts Publication of IG policies, procedures and guidance on the Trust intranet Agreement and sign up by staff to key IG and IT Policies 6.2 The Trust will undertake regular reviews and audits of how information is used through: Mapping of data flows Review of reported information incidents Data quality checks Ad-hoc IG spot checks on compliance with best practice 6.3 The Trust will develop and maintain a robust management and responsibility reporting structure to ensure that information governance and associated risks are appropriately managed to support the overall risk management function within the Trust. Formation of a dedicated Caldicott & Information Governance Committee Appointment of the key roles and responsibilities Informing staff of the key personnel and their responsibility Provision of clear advice and guidance networks throughout the Trust Implementation of defined information incident reporting and investigating procedures linked to the risk management process. Information Governance and Information Technology policies and procedures will be developed, regularly reviewed and maintained to reflect current standards 6.4 Identifying where there are common areas of work will help all employees to work in a cohesive fashion towards a common goal, to the benefit of the patient. Encouraging multi disciplinary teams to work more closely together will lead to a reduction in repetitive practices by seamlessly sharing relevant information and standardising practices and procedures 6.5 The Trust will involve patients and staff in the development of information that is used to improve services. May 2013 Page 6 of 18

7 Patients and staff will be involved in relevant surveys, forums and groups in order to seek the opinions of the service users and where appropriate will act on those opinions. 6.6 The Trust will ensure that clear advice and guidance are made available through Trust website, information leaflets and awareness posters to patients, families and carers about how their personal information is used. Information will be made available in various formats explaining how information is recorded and shared and how any concerns may be raised. Information will also be provided on Subject Access requests (SAR) under the Data Protection Act Patients will be made aware of the importance of providing accurate and up to date information about themselves so that appropriate care is given to the correct patient and to manage the resources adequately. 7. Management Structure and Responsibilities Trust Board Trust Management Committee Director of Property Services /Senior Information Risk Owner (SIRO) It is the role of the Trust Board to define the Trust s policy in respect of Information Governance and risk and meeting legal, statutory and NHS requirements. Is responsible for ensuring that sufficient resources are provided to support the requirement of the policy. The responsibility for this is delegated through the Chief Executive Officer to the Director of Property Services as Senior Information Risk Owner (SIRO). this committee is the forum for making major operational decisions and assists the Chief Executive in the performance of their duties. development and implementation of strategy, operational plans, policies, procedures and budgets monitoring of operating and financial performance the assessment and control of risk, prioritisation and allocation of resources. receives and acts on reports from the SIRO through the Caldicott & Information Governance Committee. The Senior Information Risk Owner is responsible for and takes ownership of the organisation s information governance/risk policy and acts as advocate for information governance risk on the Board. authorises the Information Governance Toolkit Self-Assessment submissions. ensures that an effective information assurance governance infrastructure is in place including information asset ownership, reporting, defined roles and responsibilities. ensures that the Caldicott and Information Governance Committee has a suitably experienced chairman in place. Ensures that there is a systematic and planned approach to the management and quality assurance of trust records. May 2013 Page 7 of 18

8 Information Asset Owner (IAO) Caldicott & Information Governance Committee Caldicott Guardian Information Governance Manager/Information Security Officer IT Services Manager/ IT Security Officer Information Asset Owners are senior individuals involved in running the relevant business. Their responsibility is to identify, understand and address risk to the information assets they own. Responsible for the operational management of Trust s records in accordance with Trust policy. Accountable to the SIRO for providing assurance on the security and use of their information assets. this committee is responsible for overseeing day to day Information Governance issues. develop, maintain and approve policies, standard procedures and guidance coordinate and raise awareness of Information Governance in the Trust report on an exception basis to the Trust Management Committee on information Governance issues and risk Support the Senior Information Risk Manager in completion of their delegated duties. direct and monitor compliance with the Department of Health Information Governance Toolkit the Caldicott Guardian acts in a strategic, advisory and facilitative capacity in the use and sharing of patient information. responsible for approving, monitoring and reviewing protocols governing access to person identifiable information by staff within the Trust and other organisations both NHS and non NHS provides expert technical advice and guidance to the Trust on matters relating to information governance acts as the Trust Information Security Manager develops and provides suitable information governance training for all staff monitors actual or potential reported information security incidents within the organisation supports and assists the IT security officer with regard to IT/information security incidents responsible for the timely completion and submission of the end of financial year Department of Health IG Toolkit self assessment provides expert technical advice to the Trust on matters relating to IT Security and ensures compliance and conformance acts as the Trust IT Security Manager support and assists Information Security Officer with regard to IT/information security incidents. May 2013 Page 8 of 18

9 Managers All staff Third Party Contractors/third parties responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is on going compliance. that all staff job descriptions contain the relevant responsibility for information security, confidentiality and records management. that staff undertake information governance mandatory training and ongoing training needs are routinely assessed. managers shall be individually responsible for the security of their physical environment where information is processed and stored. day to day responsibility for the management of trust records within their respective area/department all staff, whether permanent, temporary or contracted, including students, contractors and volunteers all staff shall comply with information security policy and procedures including the maintenance of data confidentiality and data integrity and ensure that no breach of information security or confidentiality, result from their actions. Failure to do so may result in disciplinary action. all staff must ensure they keep appropriate records of their work in the Trust and manage those records in keeping with this policy and Trust record management policies. each member of staff shall be responsible for the operational security of the information systems they use. all staff are required to undertake relevant information governance training covering confidentiality and information security. appropriate contracts and confidentiality/ information security agreements shall be in place with third party contractors/ third parties where potential or actual access to information assets is identified. See: Appendix A Information Governance Management & Accountability Framework Appendix B- Caldicott and Information Governance Committee - Terms of Reference 8. Strategy Implementation and Improvement Plans The Caldicott and Information Governance Committee will monitor implementation of this strategy and its associated work programmes through regular quarterly meetings. All Trusts are mandated to complete a self assessment of their information governance performance using the IG Toolkit. This is an on-line self assessment tool based on 45 Information Governance Standards (IG) and is used as one of the sources of information by the Care Quality Commission for assessing compliance with Quality Standards, self improvement reviews etc. The IG standards are based on generally accepted definitions of good practice in relation to information governance and inter-link with other recommendations and standards such as those in the Care Quality Commission, NHS Litigation Authority, and the Data Protection Act 1998 etc. May 2013 Page 9 of 18

10 Note: New versions of the IG Toolkit are released annually and the requirements may be changed to reflect current and new standards. This means that the Trust will have to provide additional evidence to support the changes and to maintain the score achieved in the previous year. The Caldicott and Information Governance Committee will: Undertake a baseline assessment of the current position in relation to the IG standards Agree an annual work programme to ensure a year on year improvement in performance Ensure the development and implementation of information governance strategies, policies, procedures. Identify resources for implementation Ensure that the IG agenda is supported by appropriately skilled Information Governance Toolkit/Caldicott Function Leads Monitor progress against action plans Report on progress, incidents and issues to the Trust Management Committee Complete the self assessment toolkit on an annual basis The Caldicott and Information Governance Committee will formally review this strategy every three years however the content will be reviewed annually to include any significant changes to mandatory requirements, national guidance or as a result of significant information governance breaches or incidents in order to ensure that all types of information are more effectively managed within the Buckinghamshire Healthcare NHS Trust. 9. Training Fundamental to the success of delivering the Information Governance Strategy is developing an information governance culture within the Trust, providing training and promoting awareness for all staff. 10. Resources Resource implications incurred by the implementation of the Information Governance Strategy and action plan, will be identified by the Caldicott & Information Governance Committee. Business cases will be then developed and submitted to the Trust Management Committee for approval. 11. Conclusion The implementation of the Information Governance strategy, policy and implementation plan will ensure that information is more effectively managed at Buckinghamshire Healthcare NHS Trust. Each year the strategy will be reviewed and an action plan developed against the Connecting for Health Toolkit to identify key areas for continuous improvement. This strategy should be classified as a working document for the period of and will be reviewed annually. 12. Monitoring the Strategy The Caldicott and Information Governance Committee will monitor the implementation of this strategy in terms of its supporting Policy, Procedures, Plans and subsequent revisions through: May 2013 Page 10 of 18

11 regular reports from Information Governance Toolkit/Caldicott Function Leads on improvements, risks and issues overseeing the content and review of patient information 13. Review of this document This document will be formally reviewed every three years. This document will be subject to revision when any of the following occur: The adoption of the standards highlights errors and omissions in its content. Where other standards/guidance issued by the Trust conflict with the information contained. Where good practice evolves to the extent that revision would bring about improvement. May 2013 Page 11 of 18

12 Appendix A - Information Governance Management & Accountability Framework INFORMATION GOVERNANCE MANAGEMENT & ACCOUNTABILITY STRUCTURE TRUST BOARD CLINICAL RECORDS COMMITTEE TRUST MANAGEMENT COMMITTEE HEALTHCARE GOVERNANCE COMMITTEE CALDICOTT & INFORMATION GOVERNANCE COMMITTEE links with committee through Caldicott Guardian and Medical Director IG Management & Accountability structure Feb 2013 V 2 1 May 2013 Page 12 of 18

13 INFORMATION GOVERNANCE ROLES & ACCOUNTABILITY CHAIN Medical Director (Lead responsibility for clinical governance with the Director of Nursing & Patient Care Standards) Caldicott Guardian (Provide focal point to patient confidentiality and information sharing issues. Is concerned with management of Patient information. Is the advisory and conscience of the organisation.) Chief Executive Accountable Officer ( overall responsibility for ensuring that organisation risks are assessed and mitigated to an acceptable level) Senior Information Risk Owner (SIRO) (board level position with lead responsibility for the organisation s information risk and owning the Information risk policy & risk assessment procedure) Assoc Director Of Information Management (Overall responsibility for information management development within the Trust) Information Asset Owner (IAO) (assigned owners responsible for a particular information asset/s and responsible for providing assurances to the SIRO on information risks) Information Asset Administrators (IAA) (supports IAOs in undertaking assets specific risk management. Raising IG awareness and best practices.) IT Service Officer (Provide expert technical advice and support to the Information Security Officer on issues relating to information system security, on security incidents, risk analysis and management) Information Governance Manager/ Information Security Officer (Management of IG across the whole organisation, ensuring it complies with statutory requirements in relation to Information security, confidentiality, data protection, caldicott) Information Governance Officers (Provide day to day administrative support and assist with identification of IG risk and weakness across the Trust) link with IT Security Officer IG Management & Accountability structure Feb 2013 V 2 May 2013 Page 13 of 18

14 INFORMATION GOVERNANCE DEPARTMENT STRUCTURE Chief Operating Officer/ Deputy CEO/SIRO Associate Director of Information Management Freedom of Information Lead Information Governance Manager/ Information Security Officer Data Quality Manager Information Governance Officers IT Security Officer link with IG Department through IG Manager IG Management & Accountability structure Feb 2013 V2 May 2013 Page 14 of 18

15 CALDICOTT & INFORMATION GOVERNANCE ASSURANCE PROCESS Trust Management Committee Senior Information Risk Owner (SIRO) Caldicott & Information Governance Committee Information Asset Owner IG Toolkit/Caldicott Function Leads * Caldicott Guardian Information Governance Manager/ Information Security Officer * Freedom of Information Lead Data Quality Manager Registration Authority Manager IT Service Manager Information Service Manager Medical Records Service Manager IG Management & Accountability structure Feb 2013 V 2 Information Governance Officers 4 May 2013 Page 15 of 18

16 14. Appendix B Caldicott & Information Governance Committee- Terms of Reference Dec 2011 (amended June 2012) Name of Committee: Caldicott and Information Governance Committee Purpose of Committee The committee will be responsible to the Trust Board through the Trust Management Committee (TMC) for ensuring that the Trust has effective policies and management arrangements covering all aspects of Information Governance in line with the Trust s overarching Information Governance Policy i.e. Openness Legal Compliance Information Security and Confidentiality Information Quality Assurance Objectives and Key Tasks To ensure that the Trust undertakes or commissions annual assessments and audits of its Information Governance policies and arrangements. To establish an annual Caldicott and Information Governance work programme leading on from yearly submission of the IG Toolkit. Monitor the implementation of the programme and identify to the Trust Management Committee, the requirement for necessary resources to support its implementation. To ensure that all existing and proposed databases and data flows involving patient-identifiable information are tested against Caldicott and Data Protection principles and basic principles of good information management practice. To review and monitor IG risks identified through issues registers and incident reports and ensuring where appropriate they are entered onto the relevant risk register. To receive updates from IG initiative leads on IG toolkit progress, action plans and areas of risk. To develop, monitor and review internal protocols governing the protection and use of patient identifiable information by Trust staff and ensure delivery of adequate training and awareness. To oversee the development and review of protocols governing the sharing and disclosure of patient information across organisational boundaries, between both NHS and non - NHS bodies. To develop, monitor and review information governance policy, raising confidentiality requirements and potential areas of risk at Board level. To monitor and enforce processes regarding smartcards and other RA related areas. May 2013 Page 16 of 18

17 To co-ordinate the activities of staff given data protection, confidentiality, information security, information quality, records management and Freedom of Information responsibilities. To ensure that Information Governance training is made available by the Trust and is taken up by staff as necessary to support their role. To oversee the provision of appropriate information to patients regarding the purpose for which data is collected and the people and bodies who may have access to it. To report quarterly on an exception basis to the Trust Management Committee on Information Governance issues. To liaise with other Trust committees, working groups and programme boards in order to promote Information Governance issues and to provide a focal point for the resolution and/or discussion of information governance issues. Completion and submission of the Information Governance toolkit baseline assessments in July and October and final assessment by 31 st March each year. To monitor committee attendance and review the Terms of Reference yearly Membership Caldicott Guardian (Chair), Reports to the Trust Management Committee Senior Information Risk Owner Medical Director Assoc Director Of Information & Medical Records Information Governance Manager(Information Security Officer/ IG toolkit lead) Governance Representative Head of Access or Operational Manager Care Records System representative Associate Director of IT Community Integrated Care representative Freedom of Information Lead (toolkit lead) Health Records Manager (toolkit lead) IT Services Manager/ IT Security Officer (toolkit lead) Information Governance Officer Nursing representative Human Resource representative Other IG Toolkit initiative leads as necessary: Data Quality Manager RA Manager Information Services Manager Senior Information Asset Owners (exception reports): Co-Opted members where required. This may include a patient representative. Frequency: At least quarterly May 2013 Page 17 of 18

18 Quorum Caldicott Guardian or deputy (SIRO) 4 members or their designated deputy of which two must be the IG Manager and Associate Director of IT or IT Services Manager Accountability: Reports to the Trust Management (TMC) formally on a quarterly basis or more frequently as required Links with other committees and groups (eg. PCT links) Clinical Records Committee, Healthcare Governance Committee Policies requiring yearly informal review Policy Information Governance Policy (Incorporating IM &T Security) Information Governance Strategy Confidentiality Code of Conduct Records Management Policy Last date of yearly review May 2013 Page 18 of 18