Finance, Performance and Risk Committee 2014/2015

Transcription

1 Finance, Perfrmance and Risk Cmmittee 2014/2015 Date f Meeting: 17 December 2014 Agenda Item: Click here t enter text. Subject: Infrmatin Gvernance Plicy Reprting Officer: Paul Byrne Lead IG Manager Aim f Paper: Review and ratificatin f the Infrmatin Gvernance Plicy Gvernance rute prir t this Cmmittee Meeting Date Objective/Outcme CCG Gverning Bdy Select date f meeting. Click t Select Quality and Safety Cmmittee Select date f meeting. Click t Select Clinical Cmmissining Cmmittee Select date f meeting. Click t Select Patient Experience Assurance Cmmittee Select date f meeting. Click t Select Finance, Perfrmance and Risk Cmmittee 17 December 2014 Click t Select Audit Cmmittee Select date f meeting. Click t Select Remuneratin Cmmittee Select date f meeting. Click t Select Lcality Engagement Grup Select date f meeting. Click t Select Health and Wellbeing Bard Select date f meeting. Click t Select Other APPROVED by the Infrmatin Gvernance Operatinal Grup Sept 2014 FPR Reslutin Required: Select Reslutin Required Recmmendatin Review and Ratificatin f the Infrmatin Gvernance Plicy Link t Strategic Objectives SO1: T secure additinal years f life fr peple f the Brugh with treatable mental and physical health cnditins SO2: T imprve the health related quality f life fr peple with lng term cnditin(s) including mental health cnditins SO3: T reduce the amunt f time peple spend avidably in hspital thrugh better and mre integrated care in the cmmunity, utside hspital SO4: T increase the prprtin f lder peple living independently at hme fllwing discharge frm hspital SO5: T increase the number f peple with mental and physical health cnditins having a psitive experience f hspital care and care utside f hspital (including General Practice and the Cmmunity) SO6: T make significant prgress twards eliminating avidable deaths in ur hspitals, and all care settings, caused by prblems in care. SO7: T develp integrated wrking and partnerships t ensure the best pssible care fr the brugh SO8: T be a high perfrming CCG, deliver ur statutry duties and use ur available resurces innvatively t deliver the best utcmes fr ur ppulatin. Cntributes t: (Select Yes r N) Click t Select Click t Select Click t Select Click t Select Click t Select Click t Select Click t Select Click t Select Risk Level: (T be reviewed in line with Risk Plicy) Cmments (Dcument shuld detail hw the risk will be mitigated) Click here t enter text. Nt Applicable

2 Cntent Apprval/Sign Off: The cntents f this paper have been reviewed and apprved by: Clinical Cntent signed ff by: Financial cntent signed ff by: Click t Select Apprving Officer Click t select. Click t select. Clinical Engagement taken place Patient and Public Invlvement Patient Data Impact Assessment Equality Analysis / Human Rights Assessment cmpleted Cmpleted: Nt Applicable Nt Applicable Nt Applicable Nt Applicable Executive Summary This Plicy prvides guidance t all Heywd, Middletn and Rchdale CCG n Infrmatin Gvernance. Infrmatin Gvernance is a framewrk fr handling persnal infrmatin in a cnfidential and secure manner t apprpriate ethical and quality standards in a mdern health service.

3 Infrmatin Gvernance Plicy Versin V2.0 Apprving Cmmittee : Finance, Perfrmance and Risk Cmmittee Date ratified: December 2014 Reference Number: Name/Department f riginatr/authr: Paul Byrne Name/Title f respnsible Finance, Perfrmance and Risk Cmmittee cmmittee/individual: Date issued: December 2014 Review date: December 2015 Target audience: All HMR CCG Emplyees Versin Date Cntrl Reasn V0.1 July 2013 Created by IG Team V0.2 Sept 2013 Issued t IGOG. APPROVED V0.3 Oct 2013 Issued t Finance, Perfrmance and Risk Cmmittee. V1.0 Dec 2013 APPROVED Versin. V1.1 Sept 2014 Issued t IGOG V1.2 Oct 2014 Minr amendments made t reflect cmments made after a review -APPROVED by the IGOG. V2.0 Dec 2014 Issued t Finance, Perfrmance and Risk Cmmittee t be reviewed and apprved APPROVED..

4 Cntents 1. Intrductin and Aims Scpe Infrmatin Gvernance Plicy Framewrk Principles Rles, Respnsibilities and Accuntabilities Infrmatin Tlkit and Annual Perfrmance Training and Cmmunicatin Mnitring and review Legislatin and related dcuments... 11

5 1. Intrductin and Aims 1.1. The purpse f this Plicy is t prvide guidance t all Heywd, Middletn and Rchdale CCG (hencefrth referred t as the CCG ) staff n Infrmatin Gvernance Infrmatin Gvernance (IG) is a framewrk fr handling persnal infrmatin in a cnfidential and secure manner t apprpriate ethical and quality standards in a mdern health service The CCG recgnises the rle Infrmatin Gvernance plays in ensuring the rganisatin prcesses and handles its persnal, sensitive and business infrmatin in accrdance with UK laws and Department f Health Plicy, thus prtecting the CCG, its emplyees and mst imprtantly, its patients Infrmatin Gvernance affects ALL emplyees, including anyne prviding a service n behalf f the CCG, whether permanent r temprary. EVERYBODY has respnsibilities fr IG n a day-t-day basis, regardless f their wrking envirnment (clinical r nn-clinical). Cntractrs wrking fr the CCG are respnsible fr ensuring that they are aware f the requirements incumbent upn them and fr ensuring that they cmply It is f paramunt imprtance t ensure that infrmatin is efficiently and legally managed, and that the apprpriate plicies, prcedures, guidance and management accuntability and structures prvide a rbust gvernance framewrk fr infrmatin management The Infrmatin Gvernance Agenda f this CCG will be managed by the Nrth West Cmmissining Supprt Unit (NWCSU), Infrmatin Gvernance department The NWCSU will establish and maintain plicies and prcedures n behalf f the CCG t ensure cmpliance with requirements cntained in the Department f Health Infrmatin Gvernance Tlkit Infrmatin Gvernance sits alngside Clinical Gvernance, Research Gvernance and Crprate Gvernance. It prvides a framewrk t bring tgether all f the requirements, standards and best practice that apply t the handling f persnal infrmatin ensuring: Cmpliance with the law; infrmatin is available, secure and cnfidential at all times; educating, influencing and advising gd practice; audit, investigate, enfrce and supprt crrective actin where required; and year n year imprvement plans It als prvides a cnsistent way fr emplyees t deal with the many different infrmatin handling requirements including: Infrmatin gvernance management clinical infrmatin assurance; cnfidentiality and data prtectin assurance; infrmatin security assurance secndary use assurance.

6 1.9. Cre t Infrmatin Gvernance is setting infrmatin handling standards and giving the CCG the tls t achieve the standards. Its purpse is t supprt the CCG and individuals t be cnsistent in the way they handle persnal and crprate infrmatin and avid duplicatin f effrt, leading t imprvement in: Infrmatin handling activities; patient and service user cnfidence in care prviders; and emplyee training and develpment Infrmatin Gvernance perates under fur fundamental aims: Supprt the prvisin f high quality care, by prmting the effective and apprpriate use f infrmatin; encurage respnsible staff t wrk clsely tgether, preventing duplicatin f effrt and enabling mre efficient use f resurces; develp supprt arrangements, prvide staff with apprpriate tls and supprt them t discharge their respnsibilities t cnsistently high standards; and enable rganisatins t understand their wn perfrmance, and manage imprvement in a systematic and effective way The Infrmatin Gvernance framewrk and this plicy sets ut aims t ensure that infrmatin is used, effectively, efficiently, securely and legally, in rder t deliver the best pssible care The aims f this dcument are: t maximise the value f rganisatinal assets by ensuring that data is: held securely and cnfidentially; btained fairly and lawfully; recrded accurately and reliably; used effectively and ethically; and shared and disclsed apprpriately and lawfully. t prtect the rganisatins infrmatin assets frm all threats, whether internal r external, deliberate r accidental. The CCG will ensure: infrmatin will be prtected against unauthrised access; cnfidentiality f infrmatin will be assured; integrity f infrmatin will be maintained; infrmatin will be supprted by the highest quality data; regulatry and legislative requirements will be met; business cntinuity plans will prduced, maintained and tested; infrmatin security training will be available t all staff; and all breaches f infrmatin security, actual r suspected, will be reprted t, and investigated by the Infrmatin Gvernance Manager. 2. Scpe 2.1 This plicy applies t thse members f staff that are directly emplyed by the CCG and fr whm the CCG has legal respnsibility. Fr thse staff cvered by a letter f authrity/hnrary cntract r wrk experience the rganisatins plicies are als applicable whilst undertaking duties fr r n behalf f the CCG. Further, this plicy applies t all third parties and thers authrised t undertake wrk n behalf f the CCG.

7 2.2 This plicy cvers all aspects f infrmatin within the rganisatin, including (but nt limited t): Emplyee/Patient/Client/Service User infrmatin; staff infrmatin (persnnel); rganisatinal infrmatin. 2.3 This plicy cvers all aspects f handling the way the rganisatin hlds, btains, recrds, uses and shares infrmatin, including (but nt limited t): Structured recrds systems paper and electrnic; transmissin f infrmatin fax, , pst and telephne. 2.4 This plicy cvers all infrmatin systems purchased, develped and managed by r n behalf f, the CCG and any individual directly emplyed r therwise by the CCG. 2.5 Accurate, timely and relevant infrmatin is essential in cntinuing t deliver the highest quality care thrughut the area. As such it is the respnsibility f all staff at all levels t ensure and prmte the quality f infrmatin and t actively use infrmatin effectively in decisin making prcesses. 3. Infrmatin Gvernance Plicy Framewrk 3.1. The CCG will maintain an Infrmatin Gvernance Management Framewrk. This will be supprted by a set f Infrmatin Gvernance related plicies and prcedures t cver all aspects f Infrmatin Gvernance which are aligned with the NHS Operating Framewrk and the Infrmatin Gvernance tlkit requirements The Plicy framewrk will encmpass the fllwing plicies: Infrmatin Security Plicy; Data Prtectin Plicy and Cnfidentiality Plicy; Recrds Management Plicy In additin, the fllwing plicies will be part f the Infrmatin Security suite f plicies which will be supprted by thse framewrk dcuments abve: Encryptin Plicy; Acceptable Use Plicy; Acceptable Use Plicy (Internet and equipment); Agile Wrking Plicy; Infrmatin Risk Plicy This plicy list is nt exhaustive and will be expanded as the CCG Infrmatin Gvernance framewrk is further develped. 4. Principles 4.1. The CCG recgnises the need fr an apprpriate balance between penness and cnfidentiality in the management and use f infrmatin. The CCG fully supprts the principles f crprate, clinical and infrmatin gvernance and recgnises its public accuntability, but equally places imprtance n the cnfidentiality f, and the security arrangements t safeguard, bth persnal infrmatin abut patients and staff and infrmatin f a cmmercially sensitive nature. The CCG als recgnises the need t share infrmatin with ther health and scial care rganisatins and ther agencies in a cntrlled manner cnsistent with the interests f the patients and, in sme circumstances, the public interest, in the line with the Freedm f Infrmatin Act 2000.

8 Fur key strands supprt the Infrmatin Gvernance Plicy: Openness: legal cmpliance; infrmatin security; infrmatin quality assurance Openness Infrmatin will be defined and where apprpriate kept cnfidential, underpinning the principles f Caldictt and the regulatins utlined in the Data Prtectin Act 1998; nn-cnfidential infrmatin n the CCG and its services shuld be available t the public thrugh a variety f media, in line with the Freedm f Infrmatin Act 2000; patients shuld have ready access t infrmatin relating t their wn health care, their ptins fr treatment and their rights as patients; the CCG will have clear prcedures and arrangements fr handling queries frm patients and public; the CCG will have clear prcedures and arrangements fr liaisn with the press and bradcasting media Legal Cmpliance The CCG regards all identifiable persnal infrmatin relating t patients and staff as cnfidential; the CCG will undertake r cmmissin annual assessments and audits f its cmpliance with legal requirements; the CCG is required t establish and maintain plicies t ensure cmpliance with the Data Prtectin Act, Human Rights Act and the cmmn law f cnfidentiality; the CCG will establish and maintain plicies fr the cntrlled and apprpriate sharing f patient infrmatin with ther agencies, taking accunt f relevant legislatin (e.g. Health and Scial Care Act, Crime and Disrder Act, Prtectin f Children Act) Infrmatin Security The CCG will establish and maintain plicies fr the effective and secure management f its infrmatin assets and resurces; the CCG will undertake r cmmissin annual assessments and audits f its infrmatin and IT security arrangements; the CCG will prmte effective cnfidentiality and security practice t its staff thrugh plicies, prcedures and training; the CCG will establish and maintain incident reprting prcedures and will mnitr and investigate all reprted instances f actual r ptential breaches f cnfidentiality and security Infrmatin Quality Assurance The CCG will establish and maintain plicies and prcedures fr infrmatin quality assurance and the effective management f recrds; the CCG will undertake r cmmissin annual assessments and audits f its infrmatin quality and recrds management arrangements; managers are expected t take wnership f, and seek t imprve, the quality f infrmatin within their services; wherever pssible, infrmatin quality shuld be assured at the pint f cllectin; data standards will be set thrugh clear and cnsistent definitin f data items, in accrdance with natinal standards; the CCG will prmte infrmatin quality and effective recrds management thrugh plicies, prcedures/user manuals and training.

9 5. Rles, Respnsibilities and Accuntabilities 5.1. The CCG Gverning Bdy It is the rle f the CCG Gverning Bdy t define the CCG s plicy in respect f Infrmatin Gvernance, taking int accunt legal and NHS requirements. The CCG Gverning Bdy is als respnsible fr ensuring that sufficient resurces are prvided t supprt the requirements f the plicy. T fulfil its bligatins, the Bard has delegated authrity fr Infrmatin Gvernance t the Finance Perfrmance & Risk Cmmittee, The Caldictt Guardian and Senir Infrmatin Risk Owner wh are bth members f the CCG Gverning Bdy Legal Cmpliance The Accuntable Officer f the CCG has verall accuntability and respnsibility fr Infrmatin Gvernance in the CCG and is required t prvide assurance, thrugh the Statement f Internal Cntrl that all risks t the CCG, including thse relating t infrmatin, are effectively managed and mitigated Senir Infrmatin Risk Officer (SIRO) The Chief Financial Officer f the CCG Gverning Bdy is the nminated SIRO. The SIRO is respnsible fr ensuring that rganisatinal infrmatin risk is prperly identified, managed and that apprpriate assurance mechanisms exist. They shuld be familiar with risk management and the rganisatins respnse t risk The rle f the SIRO is t take wnership f the CCG s Infrmatin Risk Plicy, act as advcate fr infrmatin risk at the bard and prvide written advice n the Statement f Internal Cntrl in regard t infrmatin risk Infrmatin Asset Owners (IAO s)/administratrs (IAA S) under the respnsibility f the SIRO: Infrmatin Asset Owners (IAO s) will be identified, prvided with training and supprt and will carry ut risk assessments n the infrmatin assets, t prtect against unauthrised access r disclsure, within their area will ensure the integrity f the infrmatin within their area and restrict the use t nly authrised users wh require access; will be respnsible fr the Infrmatin Asset assigned t them; will ensure that all persnal data can at all times be btained prmptly frm the Infrmatin Asset when required Caldictt Guardian The Caldictt Guardian is respnsible fr ensuring that the CCG prcess satisfies the highest practical standards fr handling patient infrmatin. The safe recrding; string and retentin f all persnal data and ensuring all infrmatin flws are mapped t exclude any infrmatin breaches Infrmatin Gvernance Leads The Infrmatin Gvernance Lead will be supprted by the Nrth West Cmmissining Supprt Unit (NWCSU) Infrmatin Gvernance department and will be accuntable fr ensuring effective management, accuntability, cmpliance and assurance fr all aspects f Infrmatin Gvernance The management f the annual Infrmatin Gvernance wrk prgramme will be delegated frm the Infrmatin Gvernance Lead t the NWCSU.

10 5.6. Infrmatin Gvernance Operatinal Grup The Infrmatin Gvernance Operatinal Grup (IGOG) versees the implementatin f the Infrmatin Gvernance strategy, plicy, cmpletin f the annual baseline assessment and assciated wrk prgramme, and ad hc Infrmatin Gvernance related wrk streams r prjects. The Caldictt Guardian and the SIRO are members f the IGMG. Representatin at the grup shuld reflect the structure f the rganisatin. The IGMG will prvide any relevant cmmittees with regular updates and reprts and highlight any risks t cmpliance Line Managers/Senir Managers All managers are respnsible fr ensuring that staff are cmpliant with, and wrking t, all relevant plicy and prcedure in relatin t Infrmatin Gvernance. Managers shuld ensure that supprting standards and guidelines are built int lcal prcesses and that there is nging cmpliance n a day t day basis. Any incidents r plicy breaches relating t cnfidentiality r infrmatin security are reprted immediately. In additin, managers will ensure that anyne prviding a service n behalf f the CCG cmplete a cnfidentiality statement befre cmmencing emplyment All Staff All staff, whether permanent, temprary r cntracted, wrking in a clinical r nn-clinical envirnment are respnsible fr ensuring that they are aware f the Infrmatin Gvernance requirements incumbent upn them and fr ensuring that they cmply with these n a day t day basis. Any incident invlving a breach r suspected breach f the Data Prtectin Act will be reprted t their line manager immediately, and where they are nt available the CCG Infrmatin Gvernance Lead All staff have a respnsibility t ensure they cmplete the mandatry training requirements f the rganisatin, Infrmatin Gvernance is part f these training requirements The CCG will ensure that all emplyees including cntractrs have access t and are trained n the Infrmatin Gvernance strategy/plicy and are given sufficient infrmatin and/r guidance t be able t perfrm their duties in line with Infrmatin Gvernance plicy and the assciated laws/regulatins that gvern it. Where apprpriate, a cnfidentiality statement will be read and signed by emplyees and cntractrs alike Elements f Infrmatin Gvernance, particularly cnfidentiality shuld be written in all cntracts f emplyees, SLAs and Cntracts fr services. Infrmatin Gvernance cnsideratins shuld frm part f any prcurement f a service, piece f sftware r infrmatin sharing agreement. 6. Infrmatin Tlkit and Annual Perfrmance 6.1. An assessment f cmpliance f requirements, within the Infrmatin Gvernance Tlkit will be undertaken each year. A prpsed actin/wrk prgrammes will be maintained, and annual assessments will be presented t the CCG fr apprval. 7. Training and Cmmunicatin 7.1. T ensure all Infrmatin Gvernance plicies and prcedures are effective the CCG must make all staff aware f their Infrmatin Gvernance bligatins. Infrmatin Gvernance training is mandatry fr all members f staff. Any new staff members including temprary, cntractrs will be required t cmplete Infrmatin Gvernance training as part f their inductin. Staff with additinal respnsibilities will be required t undertake additinal training in line with the CCG Training Needs Analysis (TNA).

11 Infrmatin Gvernance training is mandated t be undertaken n an annual basis Where staff have specific Infrmatin Gvernance rles within the CCG i.e. Caldictt Guardian, SIRO etc. additinal Infrmatin Gvernance training will be required T maintain high staff awareness the CCG will direct staff t a number f surces: Plicy/strategy and prcedure manuals; line manager; specific training curse; ther cmmunicatin methds, fr example, team meetings; and staff intranet 7.3. All staff will be reminded that it is their respnsibility t adhere t the plicy. 8. Mnitring and review 8.1. The CCG will undertake r cmmissin frm the NW CSU regular assessments and audits f its framewrk, plicies and prcedures t mnitr cmpliance and make imprvements where identified Where Infrmatin Gvernance incidents have been reprted via the CCG s incident reprting prcess investigatins will be initiated This Plicy will be reviewed within 12 mnths f its ratificatin. Where there are n significant alteratins required, this Plicy shall remain fr a perid f n lnger than tw years f the ratificatin date. An earlier review may be warranted if ne f mre f the fllwing ccurs: legislative changes; gd practice guidance; case law; significant incidents reprted; new vulnerabilities; and changes t rganisatin infrastructure. 9. Legislatin and related dcuments 9.1. Legal Acts Data Prtectin Act 1998; Freedm f Infrmatin Act 2000; Envirnmental Infrmatin Regulatins; Access t Health Recrds Act 1990; Regulatin f Investigatry Pwers Act; Health and Scial Care Act 2006; Human Rights Act Supprting Dcuments NHS Infrmatin Gvernance: Guidance n Legal and Prfessinal Obligatins; NHS Cde f Cnfidentiality; Infrmatin Security Management: NHS Cde f Practice April 2007; Caldictt Guardian Manual 2010; NHS Infrmatin Risk Management; Recrds Management Cde f Practice (prduced under S46 f the Freedm f Infrmatin Act 2000); The Infrmatin Gvernance Tlkit.