Information Governance Standards in Relation to Third Party Suppliers and Contractors

Transcription

1 Information Governance Standards in Relation to Third Party Suppliers and Contractors Document Summary Ensure staff members are aware of the standards that should be in place when considering engaging with third party suppliers DOCUMENT NUMBER POL/002/068 DATE RATIFIED DATE IMPLEMENTED NEXT REVIEW DATE June 2017 ACCOUNTABLE DIRECTOR POLICY AUTHOR Director of Strategy and Support Services Information Governance Performance Manager Important Note: The Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and, as such, may not necessarily contain the latest updates and amendments.

2 TABLE OF CONTENTS 1 SCOPE Introduction Statement of Intent Definitions Duties Details of the Policy Training Monitoring compliance with this policy References/ Bibliography Related Trust Policy/Procedures... 8 Appendix

3 1 SCOPE This Policy is intended for all staff members who would like guidance for Trust standards in relation to third party suppliers and their compliance levels and also details processes in relation to contractors working on behalf of the Trust in some guise. This Policy can also be used by any member of staff working for an organisation who has Information Governance provided by Cumbria Partnership NHS Foundations by way of a Service Level Agreement. Procedures will be added as appendices to this Policy as developments are made to ensure processes are detailed and can be easily followed to give protection to the Trust when dealing with suppliers in meeting contractual requirements. 2 INTRODUCTION The Trust is currently trying to ensure that all third party suppliers that are engaged by the organisation meet a minimum standard of compliance with information governance standards. This includes not only new third party suppliers but also striving to ensure as many existing third party suppliers are identified and checked against the same compliance criteria. 3 STATEMENT OF INTENT To ensure that third party suppliers meet a minimum standard of IG compliance To ensure appropriate agreements and contractual terms are in place with third party suppliers and contractors. To ensure the compliance with legislative and regulatory requirements to give assurance that appropriate safeguards are in place to protect the Trust s information. 4 DEFINITIONS Third Party Supplier: Contractor: IGT: DPA: ICO: Any organisation that provides services to the Trust Any individual or organisation that is involved in the business of the Trust. This can be a contractor/agency worker via the HR department or an organisation involved in a piece of work (e.g. charitable organisation providing support to a project) Information Governance Toolkit Data Protection Act Information Commissioner s Office Page 3 of 9

4 5 DUTIES Senior roles within the organisation supporting the Information Governance agenda are held by the Organisation s Senior Information Risk Owner (SIRO), the Caldicott Guardian, the Head of Information Governance; all are supported by the IG Team. 5.1 Trust Board In his communications with NHS Trusts Chief Executives, the NHS Chief Executive has made it clear that ultimate responsibility for IG in the NHS rests with the Board of each organisation. 5.2 Chief Executive The Trust s Accountable Officer is the Chief Executive who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. 5.3 Caldicott Guardian It is the responsibility of the Caldicott Guardian to feedback any IG issues to the Senior Management Team. 5.4 SIRO (Senior Information Risk Owner) The SIRO is the Director of Strategy and Support Services (Michael Smillie). The role: Is accountable; Fosters a culture for protecting and using data; Provides a focal point for managing information risk and incidents Is concerned with the management of all information assets. The SIRO is an executive Board member with allocated lead responsibility for the Trust s information risks and provides a focus for the management of information risk at Board level. The SIRO chairs the Information Governance Board. 5.5 Information Asset Owners (IAO) Service Heads / Senior Managers The SIRO is supported by departmental / section IAOs who are senior managers involved in running the relevant business. Their role is to understand what information is held, what is added, and what is removed, how information is moved, who has access and why. As a result they are able to understand and address risks to information assets they own and to provide assurance to the SIRO on the security and use of the assets. Page 4 of 9

5 5.6 Information Asset Administrators (IAA) IAA s work with an information asset on a day to day basis. They have day to day responsibility, ensure that policies and procedures are followed by staff and recognise actual or potential security incidents, and consult their IAO on incident management. 5.7 Information Governance Lead The Information Governance (IG) Lead is the Head of Information Governance (Yvonne Salkeld). The Head of Information Governance is responsible for ensuring the organisation meets is statutory and corporate responsibilities and engender trust from the public in the management of their personal information. 5.8 Information Security The Head of IT (with delegated responsibility to the Network and Security Manager) are responsible for the provision and management of a high quality, customer focussed, Information Technology Security Advisory Service using expertise to manage security issues, identifying best practice and making recommendations for local implementation. 5.9 All Trust Employees All Trust employees and anyone else working for the organisation (e.g. Agency staff, honorary contracts, management consultants etc.) who use and has access to Trust information must understand their personal responsibilities for information governance and comply with UK Law. All staff must comply with Trust policies, procedures and guidance and attend relevant education and training events in relation to IG. 6 INFORMATION GOVERNANCE STANDARDS AND REQUIREMENTS 6.1 Third Party Suppliers The most stringent Information Governance standards need to be applied to those third party suppliers who have access to information and/or systems containing information. The Trust needs to be assured that information is as secure as possible and access and/or processing is only available to third parties who meet a required standard. As a minimum standard IG check that the third party supplier is: registered, if applicable, on the Data Protection Register via the ICO s (Information Commissioner s Office) Page 5 of 9

6 registered with the IG Toolkit via the Health and Social Care Information Website. submits annually to the IG Toolkit to give assurance of their compliance levels signs an appropriate contract (e.g. a Data Processing Agreement) to increase security arrangements for information further. The Trust is going through a process of ensuring that all contracts and suppliers are identified so the Trust has clear visibility on the overall compliance levels of those engaged with the Trust. The details above detail only the minimum standard and suppliers who can demonstrate high levels of security assurance through other accreditation processes (e.g. accredited ISO via UKAS approved accreditation centre) would need to be investigated further and a risk assessment to ascertain whether the safeguards in place are appropriate to ensure the organisation, and ultimately the SIRO (Senior Information Risk Officer) that the supplier is a secure organisation. As part of the compliance checks, and so we have more information about the supplier, we ask them, once identified, to complete a security checklist (Appendix 1) and make declarations about their organisation. We use this checklist as an audit tool and on a monthly basis spot check a third party engaged with the organisation. We ask them to provide evidence on the declarations they have made so we can ensure that suppliers are open and honest about their levels of compliance and this is working practice not only in theory. Non-compliance overall, or risks identified via the spot check audits will be followed up by the IG team to allow supplier the opportunity to improve and contextualise the issues experienced. If experienced issues cannot be resolved there will be escalation to the SIRO via a highlight report presented to the IG Board. Highlight reports are produced on a bi-monthly basis to inform the IG Board of the progress in identification of suppliers, levels of compliance and also any risk areas that need to be addressed by the SIRO (Senior Information Risk Officer). 6.2 Contractors If an individual or group external to the Trust is involved with any business process and has access to personal identifiable information and / or business critical information we need to ensure that an appropriate agreement is in place to give assurance that safeguards are in place to protect the Trust s information. Contractors that are engaged and delivering services in line as an employee of the Trust have appropriate clauses included in their contracts by the Trust s Human Resource department. For more information on the Trust s requirements for contractors and agency staff please read the following policies: Page 6 of 9

7 POL/004/003/001 Recruitment and Selection POL/004/033 Recruitment of Agency Staff If an individual or organisation is granted access to Trust information and or systems but is not a direct employee; processes and safeguards need to be in place to ensure that the Trust s security is maintained. In these circumstances an honorary contract would be issued to the individual detailing the level of involvement in Trust business and also ensures confidentiality clauses are in place and bind the individual and organisation. This requirement is in line with the Data Protection Act and the necessity to ensure that as a data controller there are stringent and controlled security mechanism in place for ensuring you know what the Trust s data is being used for and can give assurance that appropriate safeguards are in place to protect that data from unlawful processing and/or access. The aim of the organisation is to ensure that the processes are flexible enough to allow information to be used and appropriately accessed but with security mechanisms in place to show reasonable steps have been taken to put safeguards in place. 6.3 Storage and Access In line with the Information Asset Management System being put in place all information relating to suppliers will be stored within Alloy (an IT application currently available to the Trust) which is to be used an Information Asset Register. SharePoint will be used as a document storage facility for all the contractual documents and audit evidence. Access to the documentation can be requested via appropriate Information Asset Owners. Any queries and/or concerns can be escalated to the Information Governance department: Information.Governance@cumbria.nhs.uk 7 TRAINING Training is provided via the Information Asset Management System that is in place and advice provided via contact with Information Governance. Mandatory training is not required for this requirement. Page 7 of 9

8 8 MONITORING COMPLIANCE WITH THIS DOCUMENT The table below outlines the Trusts monitoring arrangements for this policy/document. The Trust reserves the right to commission additional work or change the monitoring arrangements to meet organisational needs. Aspect of compliance or effectiveness being monitored Compliance Reports Spot Checks [insert name of mandatory training] Monitoring method Individual responsible for the monitoring Frequency of the monitoring activity Group / committee which will receive the findings / monitoring report Group / committee / individual responsible for ensuring that the actions are completed Written Report IG Lead Bi-Monthly IG Board IG Board SIRO Spot Checks IG Lead Monthly IG Board IG Board Audits on SIRO Supplier Declarations Training will be monitored in line with the Learning and Development Policy. 9 REFERENCES/ BIBLIOGRAPHY The preferred references method is the Harvard system: AUTHOR(S) (Year) Title. Edition if not the 1st. Place of publication: Publisher. 10 RELATED TRUST POLICY/PROCEDURES POL/004/003/001 Recruitment and Selection POL/004/033 Recruitment of Agency Staff Page 8 of 9

9 Appendix 1 Information Security Checklist: IG guidance to the questions can be found in the comments section please add details for all questions in the comments section relating to your organisation Security Question Yes No Comments 1 It is a legal requirement to register with the Are you registered with ICO, you will be given a data protection number and review date. the ICO (Information Commissioner s Office) under Data Protection Act 1998? Please supply registration number and review date 2 Are you compliant with the Information Governance Toolkit? As a Trust we require that contractors dealing with information and potential access to our systems or data be compliant with the IG Toolkit. Annual submissions of evidence are required. Please supply registration number and IGT compliance percentage. 3 Are all staff screened prior to starting work? 4 Please advise of the screening process and the checks that are carried out. 5 Are all staff trained in confidentiality and data protection? This can include DBS (formally CRB) / references etc. Any in-house or externally sourced training that is provided as mandatory and optional to staff members 6 Please give details of training that is provided NB: Please be advised the Trust reserves the right to request evidence of the above security measures and ensure compliance in these areas. Page 9 of 9