Serius Infrmatin Gvernance Incidents - OverVIEW

Transcription

1 Serius Infrmatin Gvernance Incident Plicy UNIQUE REF NUMBER: AC/IG/019/V1.2 DOCUMENT STATUS: Apprved by Audit Cmmittee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June P age

2 AMENDMENT HISTORY VERSION DATE AMENDMENT HISTORY V1 June 2013 Versin apprved by Audit Cmmittee 19 June 2013 AC/IG/019/V1.1 December 2013 Additin f branding and frmatting changes in line with Plicy fr Develpment f Plicies AC/IG/019/V1.2 February 2014 Additin f unique reference number prir t publicatin REVIEWERS NAME DATE TITLE/RESPONSIBILITY VERSION Dnna Dallaway June 2013 CSU Infrmatin Gvernance Manager V1 Matthew Hartland June 2013 Chief Finance Officer V1 Julia Dixn June 2013 Staff Side Representative V1 APPROVALS This dcument has been apprved by: NAME DATE TITLE/RESPONSIBILITY VERSION CCG Audit 19 June 2013 Delegated authrity frm the Bard V1 Cmmittee NB: The versin f this plicy used n the intranet must be a PDF cpy f the apprved versin. DOCUMENT STATUS This is a cntrlled dcument. Whilst this dcument may be printed, the electrnic versin psted n the intranet is the cntrlled cpy. Any printed cpies f the dcument are nt cntrlled. RELATED DOCUMENTS These dcuments will prvide additinal infrmatin: REFERENCE NUMBER AC/IG/008 AC/IG/010 AC/IG/011 AC/IG/013 AC/IG/014 AC/IG/016 AC/IG/020 AC/IG/002 DOCUMENT TITLE Crprate Recrds Plicy Data Prtectin Plicy Plicy and Cde f Cnduct Freedm f infrmatin Plicy Infrmatin Gvernance Plicy Infrmatin Gvernance Tlkit Plicy Infrmatin Security Plicy Passwrd Management Plicy RA (Smartcard) Plicy Safe Haven Plicy Staff Cde f Cnduct n Cnfidentiality VERSION APPLICABLE LEGISLATION Data Prtectin Act 1998 Human Rights Act 1998 Freedm f Infrmatin Act 2000 Access t Health Recrds Act 1990 (where nt superseded by the Data Prtectin Act) Cmputer Misuse Act Cpyright, Designs and Patent s Act 1998 (as amended by the Cpyright Cmputer Prgrams Regulatins 1992) 2 P age

3 Crime and Disrder Act Electrnic Cmmunicatins Act 2000 Regulatry f Investigatry Pwers Act 2000 Cmmn Law Duty f Cnfidentiality Natinal Health Service Act 1977 Natinal Health Service Act 2006 Health and Scial Care Act 2012 GLOSSARY OF TERMS TERM ACRONYM DEFINITION Serius Untward Incident SUI Any incident invlving the actual r ptential lss f persnal infrmatin that culd lead t identity fraud r cause ther significant distress t individuals shuld be cnsidered as serius. The definitin applies irrespective f the media invlved and includes lss f bth electrnic and paper recrds. Infrmatin Cmmissiner Office ICO The Infrmatin Cmmissiner s Office is the UK s independent authrity set up t uphld infrmatin rights in the public interest, prmting penness by public bdies and data privacy fr individuals. Find ut mre abut ur rganisatin. Senir Infrmatin Risk Officer SIRO Takes wnership f infrmatin risk and is a key factr in successfully raising the prfile f infrmatin risks and t embedding infrmatin risk management int Dudley CCG s culture. 3 P age

4 CONTENTS PAGE NO POLICY OVERVIEW Intrductin Purpse Wh this Plicy applies t 5 THE POLICY Definitin f an Infrmatin Gvernance Incident Immediate respnse t an Infrmatin Gvernance 5 Serius Untward Incident 6.0 Assessing the Severity f the Incident Reprting t the Infrmatin Gvernance Team Reprting t the Department f Health Infrming Patients Maintaining an Infrmatin Gvernance Incident File Securing Key Infrmatin including Healthcare Recrds Strage and Cpying f Secured Recrds Respnsibilities f the Senir Representative Incidents and Disciplinary Actins Disciplinary Prcess Dcument Decisin Making Onging Cmmunicatin with Infrmatin Gvernance Team Embedding the Actins and Learning Reprting Arrangements and Assurances External Reprting Mechanisms Dealing with the Media Mnitring Cmpliance 12 4 P age

5 POLICY OVERVIEW 1.0 Intrductin 1.1 This plicy defines the cre principles and prcedures assciated with the prcess f reprting and learning frm serius infrmatin gvernance incidents r events ccurring within Dudley CCG. 1.2 This Plicy acts as an appendix t lcal verarching Risk Management/Serius Incident Reprting Plicies. 1.4 The safe haven cncept f restricting access t identifiable data, albeit in a lgical cntext, is required t supprt the prcess that enables de-identified recrds t be created. 2.0 Purpse 2.1 The plicy prvides Dudley CCG staff with a framewrk in regards t the reprting f Serius Infrmatin Gvernance Incidents. 2.2 The purpse f this plicy is twfld. Firstly t prvide effective guidance t all managers and members f staff s as t ensure that they are fully aware f their individual rles and respnsibilities regarding the reprting and learning frm infrmatin gvernance incidents, and secndly t utline the gvernance structures and prcesses within Dudley CCG fr reprting f infrmatin gvernance incidents, analysis f events, disseminatin f relevant infrmatin cncerning trends and ensuring that lessns are learnt bth internally and externally t Dudley CCG. 3.0 Wh this Plicy applies t 3.1 The plicy applies t any persn directly emplyed by, cntracted r vlunteering with Dudley CCG. 3.2 The plicy applies t all staff, including thse n temprary cntracts and will be universally applied acrss all services within Dudley CCG t actively enhance the verall effectiveness and efficiency f rganisatinal learning frm infrmatin gvernance incidents s as t benefit bth staff and service users. THE POLICY 4.0 Definitin f Serius Infrmatin Gvernance Incident 4.1 As a guide, any incident invlving the actual r ptential lss f persnal infrmatin that culd lead t identity fraud r cause ther significant distress t individuals shuld be cnsidered as serius. 4.2 The abve definitin applies irrespective f the media invlved and includes lss f bth electrnic and paper recrds. 5.0 Immediate Respnse t Serius Infrmatin Gvernance Incident 5.1 In the first instance reprt the incident t yur line manager wh will then reprt it t the Infrmatin Gvernance Team. The incident will then be graded and reprted via the Infrmatin Gvernance Incident Reprting Tl fr the reprting f infrmatin gvernance serius incidents requiring investigatin t the Department f Health, Infrmatin Cmmissiner s Office and ther regulatrs, when apprpriate. 5 P age

6 5.2 If the incident invlves the lss f infrmatin regarding children r vulnerable adults the lcal Safeguarding Lead must be infrmed immediately. 5.3 Dudley CCG shuld have rbust plicies in place t ensure that apprpriate senir staff are ntified immediately f all incidents invlving data lss r breaches f cnfidentiality. 5.4 Where incidents ccur ut f hurs, n-call Directrs r ther nminated individuals shuld be infrmed f the incident and they shuld take actin t infrm the apprpriate cntacts. 6 P age

7 6.0 Identifying a Serius Infrmatin Gvernance Incident 6.1 The immediate respnse t the incident and the escalatin prcess fr reprting and investigating will vary accrding t the severity f the incident. Fllwing review f the table belw if the incident is nt classed as serius it shuld still be reprted via the n line reprting system. 6.2 Risk assessment methds cmmnly categrise incidents accrding t the likely cnsequences, with the mst serius being categrised as a 5 e.g. an incident shuld be categrised at the highest level that applies when cnsidering bth the characteristics and the risk f the incident. The table belw has been devised by the Department f Health specifically t grade infrmatin gvernance incidents, which is different frm the risk assessment matrix used fr ther types f incident) N significant reflectin n any individual r bdy. Media interest very unlikely Damage t an individual s reputatin. Pssible media interest e.g. celebrity invlved Damage t a team s reputatin. Sme lcal media interest that may nt g public Damage t a service s reputatin / lw key lcal media cverage Damage t an rganisatin s reputatin / lcal media cverage Damage t NHS reputatin / natinal media cverage Minr breach f cnfidentiality. Only a single individual affected Ptentially serius breach. Less than 5 peple affected r risk assessed as lw e.g. files were encrypted Serius ptential breach and risk assessed high e.g. unencrypted clinical recrds lst. Up t 20 peple affected Serius breach f cnfidentiality e.g. up t 100 peple affected Serius breach with either particularly sensitive infrmatin e.g. sexual health details, r, up t 1000 peple affected Serius breach with ptential fr ID theft r ver 1000 peple affected 7 P age

8 7.0 Reprting t the Infrmatin Gvernance Team 7.1 The serius infrmatin gvernance incident (all incidents rated as 1 5 as per the table n page 7) shuld be reprted t the Infrmatin Gvernance team. The prcess is s that this can be lgged and given a reference number. The 24 hur reprt and investigatin cmmence. The fllwing infrmatin shuld be prvided in each case:- Date, time and lcatin f the incident Type f Incident: Cnfidential Infrmatin Leak Cntact details fr lcal incident manager Cnfirmatin that apprpriate and dcumented incident management prcedures are being fllwed and that disciplinary actin will be invked where apprpriate fllwing the investigatin Descriptin f what happened: Theft, accidental lss, inapprpriate disclsure, prcedural failure, etc The number f patients/staff (individual data subjects) invlved The number f recrds invlved The media (paper, electrnic) f the recrds If electrnic media, whether encrypted r nt The type f recrd r data invlved and sensitivity Whether the SUI is in the public dmain Whether the media (press etc) are invlved r there is a ptential fr media interest Whether there are legal implicatins fr the CCG Initial assessment f level f SUI (see table at Annex A and 4.2 Assessing the Incident Level ). Whether the fllwing have been ntified (frmally r infrmally): Data subjects Caldictt Guardian Senir Infrmatin Risk Owner Chief Executive Accunting Officer Infrmatin Cmmissiner fr SUI level 3 and abve Plice, Cunter Fraud Branch, etc Immediate actin taken, including whether any staff have been suspended pending the results f the investigatin 7.2 Reprting f the incident shuld be undertaken as sn as practically pssible (and n later than 24 hurs f the incident during the wrking week). 7.3 If there is any dubt as t whether r nt an incident meets the SUI reprting criteria, the Infrmatin Gvernance team shuld be cntacted fr advice. 7.4 Early infrmatin, n matter hw brief, is better than full infrmatin that is t late. Dudley CCG shuld keep the Infrmatin Gvernance team infrmed f any significant develpments in internal/external investigatins, as apprpriate. 8.0 Reprting t the Department f Health 8.1 Health and Scial Care rganisatins have an nging respnsibility t reprt infrmatin gvernance incidents t the Department f Health and histrically this was thrugh Strategic Health Authrities (SHAs) and Primary Care Trusts (PCTs), but as these 8 P age

9 establishments n lnger exist frm April 2013, there will be n representatin t take respnsibility fr ensuring the Department f Health are kept infrmed mving frward. The nline infrmatin gvernance reprting f SUIs via the Infrmatin Gvernance Tlkit has been develped jintly with the Infrmatin Cmmissiner s Office t reduce the rganisatinal burden f reprting incidents and an attempt has been made t align Department f Health and Infrmatin Cmmissiner Office prcesses. Once an incident is recrded as a Level 2 severity by using this tl an autmated ntificatin will be sent t Department f Health, the Infrmatin Cmmissiner s Office and relevant regulatrs if required. 8.2 The Department f Health will review the incident and determine the need t brief Ministers and/r take ther actin at a natinal level. 9.0 Infrming Patients 9.1 Cnsideratin shuld always be given t infrming patients when persnal cnfidential data abut them has been lst r inapprpriately placed in the public dmain. Where there is any risk f identity theft it is strngly recmmended that this is dne. 9.2 Being pen (please refer t lcal Being Open Plicy) when things g wrng is an essential element within ensuring effective partnership between patients and Dudley CCG. The Natinal Health Service Litigatin Authrity strngly advcates prfessinals t be hnest and transparent with patients and their relatives, especially when supprting them pst incident. 9.3 The NHS Litigatin Authrity states that it is bth natural and desirable t sympathise and express srrw r regret f the harm caused. Such an expressin wuld nt cnstitute an admissin f liability. In additin it is nted that many patients and relatives ften ask fr a detailed explanatin f the circumstances surrunding an incident, therefre it wuld be deemed gd practice t prvide the facts. Such penness can ften prevent incidents frm becming frmal cmplaints and litigatin claims. Staff are advised that further guidance in respect t this issue can be btained frm the Infrmatin Gvernance team Maintaining Infrmatin Gvernance Incident File 10.1 A cpy f all reprts shuld be sent t the Infrmatin Gvernance team wh will ensure that all serius infrmatin gvernance incidents are apprpriately filed within the department s as t ensure effective tracking f incident investigatins, rbust risk management prcess and apprpriate rganisatinal learning takes places A cpy f the final reprt f the investigatin shall be placed within the relevant investigatin file held by the Infrmatin Gvernance team and the Infrmatin Gvernance Tlkit reprt will be updated t indicate lessns learnt Securing Key Infrmatin including Healthcare Recrds 11.1 Clinical and Dudley CCG dcumentatin can play an imprtant part in understanding the rt causes f an adverse incident. Therefre it is essential t preserve such infrmatin at the earliest pprtunity Advice shuld be taken frm the Infrmatin Gvernance team t determine which dcuments shuld be retained. 9 P age

10 11.3 If the data lss is due t criminal activity the site where the lss ccurred shuld be preserved until the Plice arrive Strage and Cpying f Secured Recrds 12.1 The senir representative will be respnsible fr making suitable arrangements fr the strage and cpying f secured recrds Respnsibilities f the Senir Representative 13.1 Fr the purpse f this plicy, the fllwing individuals are cnsidered t have the apprpriate levels f respnsibility and experience t undertake the rle f senir representative:- Chief Officer On Call Directr Heads f 13.2 Senir representatives are als respnsible fr ensuring all staff invlved in the incident are apprpriately supprted, and this may include:- Visiting the site and talking with staff Ensuring access t debriefing/cunselling as required Arranging practical and emtinal supprt and cnsidering whether staff are fit t cntinue wrking their shift fr that day Ensuring arrangements are made fr patients and their carers/relatives are infrmed f the incident, and are given supprt. Patients rights t cnfidentiality must be cnsidered and any cnsent t disclsure f infrmatin is dcumented within their ntes The ptin f staff side/unin assistance is available fr supprt The senir representative will als discuss the serius incident with the Infrmatin Gvernance team t agree if the incident is a serius incident r can be classed as an incident r near miss The Infrmatin Gvernance team will als liaise with relevant Directrs/Managers t determine the mst apprpriate CCG respnse t the event, and this will be either: Stand the incident dwn, r Cmmence an investigatin 13.5 Once this decisin has been reached a cnfirmatin will be generated and sent t the relevant parties Incidents and Disciplinary Actins 14.1 It is essential that as part f the serius incident prcess that attentin is paid t determining whether r nt any disciplinary actin may be required Disciplinary Prcess 15.1 Attentin is drawn t hw the investigatinal prcess shuld never be utilised as part f a disciplinary prcess; indeed if any grunds fr disciplinary actin are identified these must be addressed separately fllwing guidance identified in lcal disciplinary plicies. 10 P age

11 15.2 Attentin is als drawn t hw, in exceptinal circumstances, the incident may need referral t the Plice. This decisin shuld be made in cnsultatin with the Chief Accuntable Officer, Senir Incident Reprting Officer (SIRO), Human Resurces lead and the Infrmatin Gvernance team Dcumenting Decisin Making 16.1 Please nte that in all circumstances when a decisin is made t either undertake an investigatin r stand dwn the incident, a full recrd f the ratinale fr this must be dcumented by the Infrmatin Gvernance team Onging Cmmunicatin with the Infrmatin Gvernance Team 17.1 If it has been agreed that an investigatin is required, the Infrmatin Gvernance team shuld be infrmed f the fllwing:- Team members (name and psitin) and cntact details Terms f Reference fr the investigatin Deadlines fr cmpletin f investigatin, including changes t deadline if applicable Media interest Final reprt 18.0 Embedding the Actins and Learning 18.1 Individuals/teams wh led the investigatin and the senir team representative f the department where the incident ccurred are t meet with the Head f Infrmatin Gvernance t discuss findings and actins Reprting Arrangements and Assurances 19.1 The final investigatin reprt and agreed actins shuld be reprted t the lcal Audit Cmmittee as per lcal prcess The Head f Infrmatin Gvernance t bring t the attentin f the SIRO fr infrmatin and actin as apprpriate External Reprting Mechanisms 20.1 The Infrmatin Gvernance team will ensure that all reprting f serius infrmatin gvernance incidents t rganisatins external t the health service, i.e. Infrmatin Cmmissiner s Office takes place in a timely and efficient manner Dealing with the Media 21.1 Any member f staff receiving such enquires (especially thse relating t serius incidents) directly frm a member f the press must decline t supply any details. In such circumstances staff are advised t direct all calls t Dudley CCG s Cmmunicatins Department. This will ensure security is nt breached and patients, relatives and emplyees are prtected. The Chief Accuntable Office and Head f Cmmunicatins will determine hw ften they will require updates, dependent n media interest The Cmmunicatins Team shuld then infrm the Infrmatin Gvernance team if there has been any media interest regarding the serius infrmatin gvernance incident. 11 P age

12 22.0 Mnitring Cmpliance 22.1 Staff are expected t cmply with the requirements set ut within the Serius Infrmatin Gvernance Incident Plicy and related plicies. Cmpliance will be mnitred via Manager and IG Team reprts f spt checks, cmpletin f staff questinnaires, incidents reprted, electrnic audit trails and submissin f the Infrmatin Gvernance Tlkit Nn adherence t the Serius Infrmatin Gvernance Incident Plicy and related plicies will result in lcal disciplinary plicies being implemented. 12 P age