Lauren Hamill, Information Governance Officer

Transcription

1 Document No: IG10a Version: 1.0 Name of Document: General Information Governance Checklist Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L. Hamill New document This document supersedes all previous issues.

2 Contents Section Page 1. Introduction Procedure Scope Purpose of the Procedure 3 4. Using the Checklist Further Guidance. 4 Appendix 1 General Information Governance Checklist 5

3 1. Introduction Introduction of new systems, services or modifications to existing ways of working can have a major impact on Information Governance processes and systems already in place, and it is vitally important that all proposed changes to service delivery and organisational processes are able to maintain the confidentiality, integrity and accessibility of information, in both paper and electronic formats. Implementation of this policy will enable GHNFT to comply with its Information Governance responsibilities and in particular to assure that the following Information Governance Toolkit requirement is met: Requirement 310: All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements. 2. Scope of the Procedure This Procedure covers all Trust sites and applies to any individual employed, in any capacity, by the Trust including employees, students and third party contractors. This Procedure is to be considered in the following circumstances: a) Introduction of a new paper or electronic information system; b) Introduction of a new service or process which may impact on an existing information system; c) A change to a service or process which may impact on an existing information system. For the purpose of this Procedure, information systems include operating systems, infrastructure, business applications, off-the-shelf products, services and userdeveloped applications. Examples of service change could include such circumstances as: a) A new staff member starting with GHNFT leading to a new staff code being added to the system; b) An existing staff member leaving GHNFT leading to the staff code being removed from the system; c) A new service or clinic being commenced; d) Updates or revisions to key systems that might alter the way in which information is monitored or reported. 3. Purpose of the Procedure The purpose of this procedure is to provide an assurance process and checklist for use during the introduction of new ways of working or changes in current ways of working in relation to information. The checklist will enable all potential impacts, both positive and negative on information as a result of changes / introduction of

4 systems to be identified and will allow plans to be developed for ensuring the continued and improved confidentiality, integrity, accessibility and quality of information. 4. Using the Checklist Before the introduction of new processes or changes to existing processes, the attached checklist should be completed in order to identify any potential areas of inadequacy in terms of information governance, and to ensure that the appropriate individuals are informed of changes to current practices. Where IG issues are identified, an action plan should be developed on how these will be mitigated. This will include identified issues, associated actions, related roles and responsibilities and timescales and will be given to the Information Governance Officer for discussion within relevant Information Governance/other groups. Even if there are no issues identified, the Information Governance Officer should still be sent a copy of the completed checklist, as evidence that the process has been completed. The checklist should be used when defining the project approach for any new system and information governance staff brought in as needed in an advisory capacity. 5. Further Guidance Reference documents for different areas of information governance have been identified in the checklist and all IG policies and procedures are available on the intranet. For further guidance and support in completing the checklist please contact the Information Governance Team.

5 Appendix 1 General Information Governance Checklist Project Name: Objective: Background: Why is the new system / change in system required? Name: Benefits: Title: Constraints: Relationships: (for example, with other Trust s, organisations) Cross reference to other projects: Information Asset Owner: (All systems/assets must have an Information Asset Owner (IAO). IAO s are normally the Assistant Divisional Managers and report to the SIRO) Project Manager: Department: Telephone: Name: Information Asset Name: Title: Administrator: Title: (All systems / assets must have an Information Asset Administrator (IAA) who reports the IAO as stated above. IAA s are normally System Managers / Project Leads) Department: Department: Telephone: Telephone: Customers and stakeholders:

6 No Area for consideration Yes/No/NA Further work needed A A1 C C1 C3 C4 General Have staff accessing the information system been given appropriate information governance training? Data Quality Will there be an impact on the quality of the data e.g. its completeness, accuracy, relevance, accessibility, timeliness and validity? Has consideration been given to methods for data validation (and audit)? Are national or locally defined data standards (e.g. NHD Data Dictionary) being used wherever possible? C5 Where different systems are recording the same data, are processes in place to ensure there are no inconsistencies between them? C6 Can changes to records be tracked to identify who has made the change i.e. audit trail in electronic system, signed changes in paper records? C7 Is it possible to identify who has viewed a record (without changes) i.e. audit trail in electronic system, FileFast entry for paper records?

7 No Area for consideration Yes/No/NA Further work needed D D1 D3 D5 D6 E E1 Information Security Are relevant security systems in place to ensure that identifiable information is protected from unlawful or unauthorised access? For example: appropriate access controls to electronic or manual information e.g. strong passwords, folder permissions will information be saved to a restricted network area locked filing cabinets Have Information Asset Owners (IAO) and Information Asset Administrators (IAA) been identified and are they aware of their responsibility? Has the relevant Information Risk Management Tool and Information Asset Register been updated to take into account the system and information flows? Are there appropriate contracts/sla/data processing agreements in place for e.g. secondary storage, confidential waste, clinical systems Records Management Will changes/introduction of new system impact on the ability to dispose, retain or archive information appropriately?

8 No Area for consideration Yes/No/NA Further work needed E2 E3 F F1 Will records be created, maintained and disposed of in accordance with IG05 Records Management Policy and any local records management procedures? Are appropriate tracking systems in place for tracking records? Freedom of Information Will corporate information be accessible if needed for Freedom of Information requests e.g. project meetings? Form completed by: Information Governance Officer Approval: Name: Name: Title: Title: Signature: Signature: Date: Date: