INFORMATION GOVERNANCE HANDBOOK
SECTION ONE
Author: Tracey Burrows
Role: Information Governance Manager (CSCSU)
Date: February 2015
Version: FINAL V1.0
Approved by: IM&T Board
Date approved: 27 February 2015
Review date: April 2017

This handbook may be made available to the public and persons outside of the CCG as part of the CCG's compliance with the Freedom of Information Act.
Information Governance Policy Handbook V1.0 Page 1
DOCUMENT CONTROL SUMMARY
Title: Information Governance Handbook
Lead Officer: Head of Corporate Affairs
Purpose of document: IG is the practice used by all organisations to ensure that information is efficiently managed and that appropriate policies, system processes and effective management accountability provide a robust governance framework for safeguarding information. This handbook is to acquaint employees with the framework, policies and procedures covering all aspects of the Information Governance (IG) agenda so that staff understand both the spirit and the detail of what is expected of them.
Status: FINAL
Version No.: 1.0
Date: February 2015
Author(s): Information Governance Manager, CSCSU
Date of approval by Governing Body: 27 February 2015
Review Date: April 2017

VERSION CONTROL SUMMARY
Version / Date / Status / Comment or changes
- /02/15, DRAFT: Draft IG Handbook
- /2/15, FINAL: Final document approved by IM&T Board
CONTENTS (section, title, page)

1 Information Governance Handbook (1)
  Introduction (5)
  Scope (5)
  Responsibilities (6)
  Dissemination (6)
  Non-Compliance (7)
  Related Policies and Procedures (7)
  Related Guidance (7)
  Policy Review (7)
  Public Sector Equality Duty (7)

Policies/Frameworks
2 Information Governance Framework (8)
3 Information Governance Policy (13)
4 Data Protection and Confidentiality Policy (18)
5 Information Security Policy (32)
6 Records Management Policy (NEW) (36)
7 Freedom of Information Act Policy (NEW) (43)
8 Subject Access Request Policy & Procedures (NEW) (49)
9 Business Continuity Framework & Plan
10 Mobile Information Technology Policy (NEW)
11 Incident Management Policy (TBC)
12 Training and Awareness Plan (NEW) (98)

Procedures
13 Confidentiality Audit Procedures
14 Transfer of Personal Information Procedure (120)

Appendices
A Useful Contacts (126)
B Roles & Responsibilities (127)
C Data Protection Act Principles (133)
D Schedule 2 Conditions to the Data Protection Act (134)
E Countries Within The EEA (135)
F Model Fair Processing Notice (136)
G Caldicott Principles (139)
H Freedom of Information - Model Publication Scheme (140)
I Freedom of Information Act Exemptions (142)
J Related Policies, Procedures, Guidance, References (143)
K Legal Framework (145)
L IG Training Matrix (146)
M Equality Impact Assessment Tool (149)
For the purposes of this handbook, Windsor, Ascot & Maidenhead CCG, Bracknell & Ascot CCG and Slough CCG will be referred to as the CCGs.

1. INTRODUCTION
It is essential to have the organisation's policies and procedures documented in order to comply with corporate and clinical governance standards and with statutory, legal and insurance requirements, and to ensure standardisation of practice and therefore efficiency, consistency and safety throughout the organisation. This Information Governance Handbook evidences the CCGs' intentions and approach to fulfilling their statutory and organisational information governance (IG) responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and guidance (Appendices J and K) and with the organisation's aims and objectives. This handbook covers all aspects of IG, detailing how the different initiatives are managed and linked. This handbook and the policies and procedures within it are approved by the IM&T Board.

2. SCOPE
This handbook and the policies and procedures within it apply to all CCG staff and other personnel working for and on behalf of the CCGs, including agency staff and contractors, to ensure that the CCGs meet their legal requirements.
This handbook includes policies and procedures to evidence compliance with the Department of Health's (DoH) IG Toolkit. The IG policies below are included, each mapped to the IG Toolkit requirement numbers it evidences:

Policy/Procedure: IG Toolkit requirement(s)
- Information Governance Management Framework: 130, 131, 133, 230, 231, 232, 340, 345
- Information Governance Policy: 131, 231
- Data Protection and Confidentiality Policy: 131, 231, 235, 250
- Information Security Policy: 131, 340, 341
- Records Management Policy: 131, 420
- Freedom of Information Act Policy: 131
- Subject Access Request Policy & Procedures: 234, 250
- Business Continuity Framework & Plan: 340, 346
- Confidentiality Audit Procedures: 235
- Transfer of Personal Information Procedures: 131, 231, 232, 236, 350
- Mobile Information Technology Policy: 348
- Incident Management Policy: 349
- Training and Awareness Plan: 133, 134, 135, 231, 234, 345
The policies below are out of scope, as they are provided by CSCSU:

CSCSU Policy/Procedure: IG Toolkit requirement(s)
- IT Change Control Policy: 237
- HR Induction Policy: 250
- IT Security Policy: 340, 344, 348
- System Level Security Policy: 340, 344, 346, 348, 352
- Risk Management Strategy and Policy: 341
- RA Policy: 342, 343
- System Level Security Policy (Networked Services): 344, 346, 347, 348
- System Level Security Policy (Infrastructure Perimeter Security): 344, 346, 347, 348
- Access Control Policy: 344
- Business Continuity Policy: 340, 346
- Business Continuity Framework and Plan: 346
- Informatics Business Continuity Plan V
- IT Disaster Recovery Plan V
- IT Daily Backup Policy V
- System Level Security Policy (Backup Infrastructure): 346
- IT Mobile Working Policy V
- Transfer of Personal Information Procedures: 350
- Acceptable Use of IT Policy: 350
- Pseudonymisation & Anonymisation of Data Policy (NHS BSA): 352

3. RESPONSIBILITIES
It is the role of the CCGs' Governing Bodies to define the policies in respect of IG and to ensure that sufficient resources are provided to support the requirements of those policies. IG policies apply to all staff who handle information obtained and processed on behalf of the CCGs. These responsibilities, including those of key roles, are outlined in more detail in Appendix B. On commencement of employment all staff are provided with a Staff Contract which includes information governance clauses outlining their legal responsibilities. Staff should be aware that failure to comply with this policy will be seen as a breach of contract, which may result in disciplinary action.

4. DISSEMINATION
The IG Handbook will be published on the CCGs' intranet site, and staff will be informed by email of its existence and of any changes made to this document.
5. NON-COMPLIANCE
Non-compliance with the policies within this handbook may result in:
- a breach of the law
- a breach of professional codes of conduct
- a breach of contract
- damage to personal and organisational reputation
- damage to public confidence in the CCGs
- embarrassment of data subjects
- compensation claims by data subjects
- the ICO taking enforcement action, including issuing monetary penalty notices of up to £500,000
- operational activities being affected due to a failure to ensure that appropriate information is available when required.

Failure to comply with any of these policies may result in disciplinary action. Any non-compliance issues will be handled in accordance with the CCGs' Human Resources Policies and Procedures. Where non-compliance relates to partner organisations and third party organisations, this will be handled in accordance with contractual agreements and data sharing agreements.

6. RELATED POLICIES AND PROCEDURES
The policies and procedures within this IG Handbook should be read in conjunction with the related documents detailed in Appendices J and K. Additional policies and procedures may also be referenced within each policy itself.

7. RELATED GUIDANCE
For the purpose of this IG Handbook, other relevant legislation and appropriate guidance may be referenced as detailed in Appendices J and K. Additional legislation and guidance may be referenced within each policy itself.

8. POLICY REVIEW
This IG Handbook and the policies and procedures within it will be reviewed every two years to ensure they remain in line with best practice and legislative requirements, and will be presented to the IM&T Board for approval.

9. PUBLIC SECTOR EQUALITY DUTY
The CCGs aim to design and implement services, policies and measures that are fair and equitable. An equality analysis has been completed for this policy (Appendix M, Equality Impact Assessment Tool) and no adverse impact was identified. Should any adverse impact on equality subsequently be detected or highlighted by staff and other users of the policy, this will be analysed and remedial action taken as appropriate.
INFORMATION GOVERNANCE FRAMEWORK
SECTION TWO

1. INTRODUCTION
This document sets out the CCGs' approach to Information Governance (IG), which requires clear, effective and robust:
- management and leadership
- accountability structures
- governance processes
- documented policies and procedures

and, in addition:
- appropriately trained staff
- adequate resources.

The Department of Health (DoH) has developed a set of standard IG requirements. The CCGs are required to submit evidence via the IG Toolkit (IGT) which confirms compliance with those requirements. The IGT covers many aspects of IG, including:
- Information Governance Management
- Confidentiality and Data Protection Assurance
- Information Security Assurance
- Clinical Information Assurance

2. STRATEGIC AIMS
The aim of this Framework is to set out how the CCGs will effectively manage IG. Each CCG will achieve compliance by:
- establishing robust IG processes that conform to DoH standards and comply with relevant legislation
- establishing, implementing and maintaining policies for the effective management of information
- ensuring that clear information is provided for service users, families and carers about how their personal information is recorded, handled, stored and shared
- ensuring that IG responsibilities are included in all third party contracts, and that assurance is obtained about the robustness of third party IG practices during tendering and other negotiations
- providing clear advice and guidance to staff to ensure that they understand and apply the principles of IG in their working practice, and ensuring IG responsibilities are included in staff employment contracts
- sustaining an IG culture through increasing awareness and promoting IG, thus minimising the risk of breaches of personal data
- assessing the CCGs' performance using the IG Toolkit and internal audits, and developing and implementing action plans to ensure continued improvement.

3. RESPONSIBILITIES
The CCGs' Governing Bodies have overall responsibility for ensuring that the organisation complies with all laws, standards, policies, codes of practice and national guidance, and are also responsible for ensuring that sufficient resources are provided to support the requirements of this Framework. The responsibilities of senior roles and of the CCG Governing Bodies are outlined in more detail in Appendix B.

4. RESOURCES
The CCGs currently contract with CSCSU for the provision of specific subject matter expertise and resource. Where relevant this is indicated in the following sections.

Head of Information Governance - CSCSU
The Head of Information Governance provides support in accordance with the Central Southern Commissioning Support Unit (CSCSU) Corporate Services Service Specification, and will oversee the provision of the IG and Subject Access Request (SAR) Service in line with that specification.

Information Governance Team - CSCSU
The IG Team are the subject matter experts on IG and are responsible for the provision of professional advice and support to the CCGs on all aspects of IG, including legal and professional compliance, risk assessment and management, incident management, IG Toolkit management, and document development and maintenance. The CCGs will be allocated an IG Manager as a first point of contact for IG related queries, but the CCGs can also call upon any member of the IG Team for IG support. The IG Team will be responsible for ensuring all tasks delegated to the CSCSU meet the required standards in line with the agreed service specification. Key tasks delegated to the CSCSU include:
- developing and maintaining the currency of comprehensive and appropriate documentation that supports this framework, including relevant policies and procedures
- ensuring that there is senior level awareness of and support for IG resourcing and the implementation of improvements within the CCGs' Governing Bodies
- establishing working groups, if necessary, to co-ordinate the activities of staff given IG responsibilities and to progress initiatives
- ensuring annual assessments and IG audits are carried out, documented and reported
- ensuring that the annual assessment and improvement plans are prepared for approval by the Chief Officer and the CCGs' Governing Bodies in a timely manner
- ensuring that the approach to information handling is communicated to all staff
- ensuring that appropriate training is made available to staff
- liaising with other committees, working groups and programme boards in order to promote and integrate Information Governance standards
- monitoring information handling activities to ensure compliance with law and guidance
- providing a focal point for the resolution and/or discussion of IG issues, including incident management and reporting
- establishing, implementing and maintaining policies, procedures and guidance for the effective management of information.

Freedom of Information Team - CSCSU (this applies to Subject Access Requests only)
The FOI Team (CSCSU) are responsible for co-ordinating completed Subject Access Request (SAR) responses in respect of requests received from individuals ("Data Subjects") wishing to access their own personal data ("Subject Access"). The FOI Team (CSCSU) will ensure SARs are administered in line with the subject access provisions of the Data Protection Act 1998 and in accordance with the Corporate Services Service Specification. The FOI Team (CSCSU) will also co-ordinate completed responses to access requests concerning deceased patients, in line with the requirements of the Access to Health Records Act 1990.

Information Security Lead - CSCSU Head of ICT
The Head of ICT (CSCSU) is responsible for ensuring that CSU Information Systems provided to the CCGs comply with IG requirements.
Human Resources (HR) Manager - CSCSU
The HR Manager is responsible for ensuring that appropriate Information Assurance clauses are included within staff employment contracts and Staff Handbooks.

5. TRAINING AND GUIDANCE
All staff must complete mandatory IG training appropriate to their role, via the online HSCIC Information Governance Training Tool or via locally developed face-to-face information governance training. The CCGs mandate all staff to complete annual IG training relevant to their role, as identified in the Training Matrix (Appendix L). Staff must be aware of their responsibilities and complete any additional training specific to their role, which should be monitored by managers. In addition to staff training and workshops, staff will be informed of the latest information governance matters through internal communications, which will also be published on the IG intranet pages. Leaflets and posters will be distributed around the organisation to remind staff of their responsibilities.
[Diagram: CCG IG Framework (roles and responsibilities in Appendix B). The framework is supported by the IG Policy, Data Protection Act Policy, FoI Act Policy, Information Security Policy, Subject Access Request Policy, Records Management Policy and Acceptable Use Policy*, together with Information Sharing Protocols, the Transfer of Information Process and other internal processes, a Privacy Impact Assessment pro-forma, Data Flow Mapping, Risk Assessment, Asset Registers, Training Packages and IGTT administration, and staff awareness materials (leaflets, posters, guidance and regular updates).]
INFORMATION GOVERNANCE POLICY
SECTION THREE

1. INTRODUCTION
Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management. It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management.

2. SCOPE
This policy covers all aspects of information, regardless of format, within the CCGs, including but not limited to:
- personal information (including that of patients and staff)
- organisational information.

This policy applies to the handling of information, including but not limited to:
- processing (including saving, storage, etc.)
- transmission (including email, fax, portable media, etc.).

The policy also applies to all information systems purchased, developed and managed by or on behalf of the CCGs, and to any individual employed directly or otherwise by the CCGs. This policy is underpinned by the standards set out in the IG Toolkit. This policy should not be seen in isolation, as information supports all aspects of the CCGs' business, including corporate governance, risk management, clinical governance, performance management, etc. IG should therefore be adequately reflected in all relevant strategies, policies and procurement exercises.
3. RESPONSIBILITY
It is the responsibility of the CCGs' Governing Bodies to define the CCGs' policy in respect of IG, taking into account legal and NHS requirements. The CCGs' Governing Bodies are also responsible for ensuring that sufficient resources are provided to support the requirements of the policy. The IG Policy applies to all staff who handle personal information obtained and processed on behalf of the CCGs. These responsibilities, including those of key roles, are outlined in more detail in Appendix B. On commencement of employment all staff are provided with a Staff Contract which includes IG clauses setting out their IG responsibilities.

4. PRINCIPLES
The CCGs recognise the need for an appropriate balance between openness and confidentiality in the management and use of information. The CCGs fully support the principles of corporate governance and recognise their public accountability; however, they place equal importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information. The CCGs also recognise the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

The CCGs believe that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers (and ultimately all employees of the CCGs) to ensure and promote the quality of information and to actively use information in decision making processes. By quality of information we mean information that is accurate, up to date and fit for purpose when used to make decisions, whether those decisions are clinical or non-clinical (such as service planning or commissioning). It must also be readily available when it is needed: information that cannot be retrieved or understood is of no use.

To support the principles set out in this policy, the CCGs acknowledge the importance of training and awareness in guiding staff to operate appropriately, and therefore mandate the following training:
- annual information governance training for all staff
- an information governance element in induction training / the induction pack.

There are five key interlinked strands to the information governance policy:
- openness
- legal compliance
- information security
- quality assurance
- confidentiality
Openness
- Non-confidential information on the CCGs and their services should be available to the public through a variety of media, in line with the code of openness.
- The CCGs will establish and maintain policies to ensure compliance with the Freedom of Information Act and will review the contents of the Publication Scheme on a regular basis.
- The CCGs will undertake or commission annual assessments and audits of their policies and arrangements for openness.
- Patients will have ready access to information relating to their own health care, their options for treatment and their rights as patients.
- The CCGs will have clear procedures and arrangements for liaison with the press and broadcasting media.
- The CCGs will have clear procedures and arrangements for handling queries from patients and the public.

Legal Compliance
- The CCGs regard all identifiable personal information relating to patients as confidential.
- The CCGs will undertake or commission annual assessments and audits of their compliance with legal requirements.
- The CCGs regard all identifiable personal information relating to staff as confidential, except where national policy on accountability and openness requires otherwise.
- The CCGs will establish and maintain policies to ensure compliance with the Data Protection Act, the Human Rights Act, the Freedom of Information Act and the common law duty of confidentiality.
- The CCGs will establish and maintain policies and protocols for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. the Health and Social Care Acts, the Crime and Disorder Act and the Protection of Children Act; this list is not exhaustive).
Information Security
- The CCGs will establish and maintain policies and procedures for the effective and secure management of their information assets and resources.
- The CCGs will undertake or commission annual assessments and audits of their information and IT security arrangements.
- The CCGs will promote effective confidentiality and security practice to their staff through policies, procedures and training.
- The CCGs will establish and maintain incident reporting procedures, will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security, and will act on the findings and recommendations of these investigations.

Information Quality Assurance
- The CCGs will establish and maintain policies and procedures for information quality assurance and the effective management of records.
- The CCGs will undertake or commission annual assessments and audits of their information quality and records management arrangements.
- Managers will take ownership of, and seek to improve, the quality of information within their services.
- Wherever possible, information quality should be assured at the point of collection.
- Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
- The CCGs will promote information quality and effective records management through policies, procedures/user manuals and training.

Confidentiality
- The CCGs will establish and maintain policies that support a confidential way of working.
- The CCGs will put in place regular training sessions to ensure staff understand the concepts of confidentiality.
- The CCGs will ensure new technology and working practices support a confidential way of working.
- The CCGs will establish information sharing protocols with partner organisations whilst fully observing their common law duty of confidence and any other associated legal requirement.
- The CCGs will maintain a log of, and investigate, all breaches of confidentiality.
- All staff will discharge their duties in a manner that is in line with the common law duty of confidence and all other aspects of legal compliance.
- The CCGs will ensure that when person identifiable information is shared, the sharing complies with the law, guidance and best practice, and that both service users' rights and the public interest are respected.
DATA PROTECTION AND CONFIDENTIALITY POLICY
SECTION FOUR

1. INTRODUCTION
The CCGs have a legal obligation to comply with all appropriate legislation in respect of data, information and IT security. They also have a duty to comply with guidance issued by the Department of Health (DoH), the Information Commissioner's Office (ICO) and other advisory groups to the NHS, and with guidance issued by professional bodies. This Data Protection and Confidentiality Policy aims to detail how the CCGs will meet their legal obligations and NHS requirements concerning confidentiality and information security standards, and how they will ensure that those responsible for processing personal information are aware of their legal responsibilities. The requirements within this policy are primarily based upon the Data Protection Act 1998, which is the key piece of legislation covering the security and confidentiality of personal information.

2. POLICY STATEMENT
The CCGs believe that an individual's right to confidentiality is of vital importance, regard the law as the standard for the correct treatment of personal information, and recognise the importance of maintaining the confidence of those whose information they use. The CCGs intend to meet their legal obligations and NHS requirements, and to support this they fully endorse adherence to the eight Data Protection Principles set out in the Data Protection Act 1998 (Appendix C). In addition, the CCGs will ensure that all staff:
- managing and handling personal information understand that they are contractually responsible for following good data protection practice
- managing and handling personal information are appropriately trained and supervised and know who to contact should they have any queries
- regularly evaluate and review the methods for handling personal information
- are aware of their responsibilities when disclosing personal data and follow agreed procedures
- ensure that data sharing is carried out under written agreement, clearly setting out the scope, limits and conditions for sharing
- complete mandatory IG training on an annual basis and complete additional specialised training appropriate to their role
- are aware of incident reporting procedures and know how to report an information security or data breach
- recognise requests for information made under the Freedom of Information Act and ensure these requests are dealt with within the required timescales
- recognise requests from data subjects about how their data is being used (Subject Access Requests) and ensure these requests are dealt with within the required timescales.

3. SCOPE
This policy covers all personal data processed by the CCGs, including data relating to staff, patients and members of the public, regardless of the format in which the information is held, and outlines the CCGs' approach to meeting the responsibilities and obligations specified within the Data Protection Act 1998 and associated legislation and guidance.

4. RESPONSIBILITIES
The Data Protection and Confidentiality Policy applies to all staff who handle personal information obtained and processed on behalf of the CCGs. These responsibilities, including those of key roles, are outlined in more detail in Appendix B. On commencement of employment all staff are provided with a Staff Contract which includes information governance clauses setting out their data protection responsibilities.

5. DATA PROTECTION ACT 1998
The Data Protection Act 1998 came into force in March 2000 and sets standards which must be satisfied when obtaining, recording, holding, using or disposing of personal data; these are summarised by the eight Data Protection Principles.
The Act applies to all person identifiable information about living individuals held in manual files, computer databases, videos and other automated media (this list is not exhaustive). The Information Commissioner holds a register of Data Controllers and, unless exempt, the Act requires organisations which process personal information to register with the Information Commissioner's Office (ICO). On registration, organisations must outline how information is held, the purposes for holding the data, how it is used and to whom it may be disclosed. Failure to register is a criminal offence.

The CCGs ensure the Data Protection Notification is regularly reviewed for accuracy. Any changes to the register entry must be notified to the Information Commissioner within 28 days, and managers are responsible for notifying and updating the SIRO and Caldicott Guardian about the processing within their area of responsibility. Compliance with the Data Protection Act is regulated by the Information Commissioner's Office. The Information Commissioner's Office website can be found at

6. EIGHT DATA PROTECTION PRINCIPLES
The eight Data Protection Principles state that personal data must be:

Principle 1: Processed fairly and lawfully
Personal data shall not be processed unless at least one of the conditions in Schedule 2 to the Data Protection Act (Appendix D) is met. For sensitive personal data, at least one of the conditions in Schedule 3 must also be met. For processing to be fair, the CCGs must be transparent, clear and open with individuals about how their information will be used. Fairness requires you to:
- be open and honest about your identity
- inform individuals how you intend to use their personal data
- handle their personal data only in ways they would reasonably expect
- not use their information in ways that may have a negative effect on them.

The oral or written statement that individuals are given when information about them is collected is often called a Fair Processing Notice (FPN) (Appendix F) or, more recently, a privacy notice. In general terms, a privacy notice should state:
- the organisation's identity
- the purpose or purposes for which the information will be processed
- any additional information needed to enable you to process the information fairly.

The Act does not define "lawful"; however, lawful refers to statute and to common law, whether criminal or civil.
An unlawful act may be committed by a public or private-sector organisation if it results in:
- a breach of a duty of confidence
- an organisation exceeding or exercising its legal powers improperly
- an infringement of copyright
- a breach of an enforceable contractual agreement
- a breach of industry-specific legislation or regulations
- a breach of the Human Rights Act 1998, which gives individuals the right to respect for private and family life, home and correspondence.

Principle 2: Processed for specified purposes
The second data protection principle means that you must:
- be clear from the outset why you are collecting personal data and what you intend to do with it
- comply with the Act's fair processing requirements, including the duty to give privacy notices to individuals when collecting their personal data
- comply with what the Act says about notifying the Information Commissioner
- ensure that if you wish to use or disclose the personal data for any purpose that is additional or different to the originally specified purpose, the new use or disclosure is fair; this includes notification to the ICO where relevant.

Principle 3: Adequate, relevant and not excessive in relation to the purpose(s)
In practice, the third principle means you should ensure that:
- you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual
- you do not hold more information than you need for that purpose.

So you should identify the minimum amount of personal data you need to properly fulfil your purpose, and hold no more. You should not hold personal data on the off-chance that it might be useful in the future; however, it is permissible to hold information for a foreseeable event that may never occur.

Principle 4: Accurate and kept up-to-date
Although the fourth data protection principle sounds straightforward, the law recognises that it may not be practical to double-check the accuracy of every item of personal data you receive. So the Act makes special provision about the accuracy of information that individuals provide about themselves, or that is obtained from third parties.
To comply with these provisions you should:
- take reasonable steps to ensure the accuracy of any personal data you obtain
- ensure that the source of any personal data is clear
- carefully consider any challenges to the accuracy of information
- consider whether it is necessary to update the information
- if an individual challenges the accuracy of information, delete or correct it where necessary

If an individual is not satisfied that you have taken appropriate action to keep their personal data accurate, they may apply to the court for an order that you rectify, block, erase or destroy the inaccurate information.

Principle 5: Not kept for longer than necessary

The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. In practice, this means that you will need to:
- review the length of time you keep personal data (refer to the Records Management Policy and the DoH Records Management: NHS Code of Practice)
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
- securely delete information that is no longer needed for this purpose or these purposes
- update, archive or securely delete information if it goes out of date

Where personal data is shared between organisations, those organisations should agree what to do once they no longer need to share the information. In some cases, it may be best to return the shared information to the organisation that supplied it, without keeping a copy.
Principle 6: Processed in accordance with the rights of data subjects

The sixth data protection principle gives certain rights to individuals, such as:
- a right to access their own personal data
- a right to object to processing which may cause or is causing damage or distress
- a right to prevent processing for direct marketing
- a right to object to decisions being taken by automated means
- a right to have inaccurate personal data rectified, blocked, erased or destroyed
- a right to claim compensation for damage caused by a breach of the Act

An individual has the right to access their own personal data; this topic is covered under the heading Subject Access Requests.

The Act refers to the right to prevent processing, and this applies only if the processing causes unwarranted and substantial damage or distress to an individual. The Act does not define what is meant by "unwarranted and substantial damage or distress", but in most cases substantial damage would be financial loss or physical harm, and substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.

The Act gives individuals the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give you written notice to stop (or not begin) using their personal data for this purpose. Any individual can exercise this right; if the CCGs receive such a notice it must be complied with within a reasonable timeframe.

The right of subject access also allows an individual access to information about the reasoning behind any decisions taken by automated means. An individual can give written notice requesting that their personal data is not used for automated decisions, and even if no notice is given, individuals should be informed when such a decision has been taken.

Individuals have a right to compensation if they suffer damage; this right can only be enforced through the courts. The Act allows organisations to defend claims on the basis that all reasonable care was taken to avoid the breach.

Principle 7: Protected by appropriate security (practical and organisational)

The seventh data protection principle, in practice, means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised.
In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach
- be clear about who in your organisation is responsible for ensuring information security
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff
- be ready to respond to any breach of security swiftly and effectively

The security measures you put in place should seek to ensure that:
- only authorised people can access, alter, disclose or destroy personal data
- those people only act within the scope of their authority
- if personal data is accidentally lost, altered or destroyed, it can be recovered, to prevent any damage or distress to the individuals concerned

The level of security should be appropriate to the nature of the information in question and the harm that might result from its improper use, or from its accidental loss or destruction. The Data Protection Act does not define the security measures you should have in place. However, it is essential that organisations focus on physical and technological security as well as management and organisational security measures.

Principle 8: Not transferred outside the EEA without adequate protection

The eighth data protection principle is relevant to sending personal data overseas. Those considering sending personal data outside the EEA should go through the checklist below to help decide whether the eighth principle applies and, if so, how to comply with it in making a transfer.

1. Do you need to transfer personal data abroad? Can you achieve your objectives without processing personal data at all? For example, could the information be anonymised?

2. Are you transferring the data to a country outside the EEA, or will it just be in transit through a non-EEA country? If data is only in transit through a non-EEA country, there is no transfer outside the EEA. Note that if you add personal data to a website based in the EU that is accessed in a country outside the EEA, there will be a transfer of data outside the EEA.

3. Have you complied with all the other data protection principles? If you transfer personal data outside the EEA, you are required to comply with all the principles and the Act as a whole, not just the eighth principle relating to international data transfers.

4. Is the transfer to a country outside the EEA? There are no restrictions on the transfer of personal data to EEA countries.

5. Is the transfer to a country on the European Commission's list of countries or territories providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data?
Transfers may be made to any country or territory in respect of which the Commission has made a positive finding of adequacy.

6. If the transfer is to the United States of America, has the US recipient of the data signed up to the US Department of Commerce Safe Harbor scheme? The Safe Harbor scheme is recognised by the European Commission as providing adequate protection for the rights of individuals in connection with the transfer of their personal data to signatories of the scheme in the USA.

7. Is the personal data passenger name record (PNR) information? The agreement made between the EU and the USA (to legitimise and regulate the transfer of PNR from EU airlines to the US Department of Homeland Security) is regarded as providing adequate protection for the rights of the data subjects whose personal data (in the form of PNR) is transferred. Arrangements also exist between the European Commission, Canada and Australia.

If you decide you need to transfer personal data outside the EEA, and the recipient is neither in a country subject to a Commission positive finding of adequacy nor signed up to the Safe Harbor scheme, you will need to assess whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects in connection with the transfer and processing of their personal data.

8. Can you make an assessment that the level of protection for data subjects' rights is adequate in all the circumstances of the case?

9. If not, can you put in place adequate safeguards to protect the rights of the data subjects whose data is to be transferred? Adequate safeguards may be put in place in a number of ways, including using Model Contract Clauses, Binding Corporate Rules or Binding Corporate Rules for Processors (BCRs), or other contractual arrangements. Where adequate safeguards are established, the rights of data subjects continue to be protected even after their data has been transferred outside the EEA.

10. Can you rely on another exception from the restriction on international transfers of personal data? Schedule 4 of the DPA concerns cases where the eighth principle does not apply. It covers BCRs, Model Contract Clauses and the use of other contractual clauses, as well as a number of other exceptions to the restriction on overseas data transfers. If you are able to rely on an exception, the transfer may take place even though there is no other protection for individuals' rights.

7. CALDICOTT PRINCIPLES

The term "Caldicott" refers to a review commissioned by the Chief Medical Officer. In 1997 a review committee, under the chairmanship of Dame Fiona Caldicott, investigated the ways in which patient information is used within the NHS and devised six key principles of information governance that could be used by all NHS organisations with access to patient information. In January 2012 a second review was commissioned to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care.
This is known as the Caldicott 2 Review, which resulted in seven key principles (Appendix G). As well as the Data Protection Act, staff should also comply with these principles when processing personal information:

Principle 1: Justify the purpose(s) of using confidential information

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate person such as an Information Asset Owner (IAO).

Principle 2: Only use when absolutely necessary

Personal confidential data items should not be included unless they are essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Principle 3: Use the minimum necessary that is required

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified, so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

Principle 4: Access should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

Principle 5: Everyone must understand their responsibilities

Action should be taken to ensure that those handling personal confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6: Understand and comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

Principle 7: The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

These principles should underpin information governance across the health and social care services.

8. THIRD PARTIES

Most CCGs will, in the course of their business, contract or make arrangements with third parties. The NHS Standard Contract is mandated by NHS England for use by commissioners for all contracts for healthcare services other than primary care. These contracts include clauses which require third parties to:
- ensure the reliability of their staff who will have access to personal data, and confirm that their staff are appropriately qualified and trained and aware of their responsibilities
- ensure their staff are aware of the relevant policies and procedures governing the use of personal data, and not cause or allow personal data to be transferred outside the European Economic Area without the prior consent of the Commissioner
- ensure that they comply with the NHS Employment Check Standards and undertake other checks as required by the DBS
- ensure that confidential information remains confidential, is only used for the purposes for which it was obtained, and is not disclosed unless required by law or with the prior agreement of the CCGs
- acknowledge their obligations arising under the Freedom of Information Act, the Data Protection Act, the Access to Health Records Act and the common law duty of confidentiality
- achieve a minimum of level 2 against all requirements in the NHS Information Governance Toolkit and complete an annual information governance assessment
- nominate an IG Lead responsible for providing their governing body with IG reports, including details of IG incidents, and follow the procedures for reporting Serious Incidents Requiring Investigation (SIRI)
- nominate a Caldicott Guardian and a Senior Information Risk Owner, each of whom must be a member of their governing body
- adopt and implement the recommendations of the Caldicott 2 Review
- publish, maintain and operate policies relating to confidentiality, data protection and information disclosures that comply with the law, the Caldicott Principles and good practice
- only provide anonymised, pseudonymised or aggregated data to the CCGs where it is required for the purposes of quality management of care processes, and not disclose personal data unless written consent is obtained or a lawful basis for disclosure exists (such as support under section 251 of the NHS Act 2006)
- ensure that sub-contractors can provide sufficient guarantees in respect of the technical and organisational security measures governing the data processing to be carried out, and take reasonable steps to ensure compliance with those measures
- ensure that sub-contractors process personal data only in accordance with the third party's instructions and comply at all times with obligations equivalent to those imposed on the Provider by virtue of the seventh data protection principle
- ensure that, where they act as a Data Processor on behalf of the CCGs, personal data is only processed to the extent necessary to perform their obligations under the Contract, and take appropriate technical and organisational measures against any unauthorised or unlawful processing of that personal data and against its accidental loss, destruction or damage
- understand the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage

9. TRANSFER OF PERSONAL INFORMATION

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian. The CCGs have developed a Transfer of Personal Information Procedure to assist staff in understanding what requirements should be in place to ensure that a transfer is lawful.

10. SUBJECT ACCESS REQUESTS

Under a provision of the Data Protection Act, an individual can request access to their personal information regardless of the media in which that information is held or retained. This is referred to as a Subject Access Request (SAR). SARs are processed in line with the Subject Access Request Policy and Procedure by the CSCSU FOI Team on behalf of the CCGs, to ensure that they are handled in accordance with the law. To support the CSCSU in this role, the CCGs will ensure that all staff are able to recognise when they receive a Subject Access Request (SAR) and forward it in a timely manner to the FOI Team.
The CSCSU FOI Team will ensure that:
- requests are logged and recorded on the SARs database
- the applicant is sent a pre-acknowledgement letter
- identity documents, fee and consent are requested where applicable
- identity documents are vetted and verified
- the required information is gathered from the relevant parties
- quality assurance and final sign-off are obtained from the CCGs
- a final response letter is sent to the applicant and the information is provided in the format requested
- the SARs database is kept up to date and records are maintained
- the CCGs are provided with monthly reports evidencing the requests received

11. RECORDS RETENTION

All staff must ensure they are familiar with the Records Management Policy, which describes the standards of practice required by the CCGs in the management of their documents and records. It is based on current legal requirements and professional best practice.

This policy is mandatory and applies to all information in all formats. It covers all stages within the information lifecycle, including create/receive, maintain/use, document appraisal, declare as a record, record appraisal, retention and disposition.

Staff members must not alter, deface, block, erase, destroy or conceal records with the intention of preventing disclosure under a request relating to the Freedom of Information Act 2000 or the Data Protection Act 1998. Staff members are expected to manage records about individuals in accordance with the policy irrespective of their race, disability, gender, age, sexual orientation, religion or belief, or socio-economic status.

12. DATA FLOW MAPPING

To adequately protect personal information, organisations need to know who holds the information, how the information is held and transferred, what information comes into and goes out of the organisation, where the information is transferred to, and the frequency of these transfers. To comply with professional standards and relevant legislation, the CCGs will ensure that:
- all staff adhere to the Transfer of Personal Information Procedure
- all routine flows of information (those that occur on a regular basis) are mapped
- all routine flows are risk assessed, and reviewed regularly or whenever the process or flows change
- all elements, including the data, its format, the transfer method and the location of the recipient, are considered for every transfer
- any risks identified are documented on departmental risk registers, and appropriate safeguards are implemented to minimise the risk and protect the information
- any significant risks are reported to the SIRO, and immediate action is taken either to suspend the transfer or to identify another secure method

13. INFORMATION ASSET REGISTER

Organisations must ensure that all of their information assets that hold or consist of personal data are protected by technical and organisational measures appropriate to the nature of the asset and the sensitivity of the data.

The CCGs will ensure that all information assets are:
- formally recorded on the information asset register
- allocated an Information Asset Owner
- formally risk assessed, with the SIRO informed of any risks
- reviewed regularly, and reassessed whenever processes or assets change
- safeguarded against unauthorised access
- encrypted in line with mandatory requirements and standards
- disposed of securely
- backed up regularly
- audited to evidence compliance

14. SHARING INFORMATION

Under the right circumstances and for the right reasons, data sharing across and between organisations can play a crucial role in providing a better, more efficient service to customers in a range of sectors, both public and private. But the rights of citizens and consumers under the Data Protection Act must be respected. While there is a public expectation of appropriate sharing of information between organisations providing healthcare services and other organisations providing related services, the public rightly expect that their personal data will be properly protected.

When sharing personal information, CCG staff must ensure that the principles of the DPA 1998, the Human Rights Act 1998, the Caldicott Principles (including Caldicott 2) and the common law duty of confidentiality are upheld. The ICO has published a Data Sharing Code of Practice which explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data and provides good practice advice relevant to all organisations that share personal data.

The CCGs recognise that information sharing agreements provide the basis for facilitating the exchange of information between organisations but do not by themselves make the sharing lawful.
Prior to sharing information, the CCGs will ensure that:
- the CCGs have the legal power to share, and the sharing of personal information is justified
- the sharing of personal information achieves its objective, could not be achieved without the sharing taking place, and is proportionate to the issue that needs addressing
- the potential benefits and risks to individuals and/or society of sharing or not sharing have been assessed
- the CCGs are able to share with the organisations that have been identified
- a data sharing agreement is in place covering what information will be shared and who it will be shared with
- a communication plan is in place to inform individuals that their information will be shared, and consent is obtained where applicable
- privacy impact assessments have been completed and adequate security measures are in place to protect the data
- asset registers have been updated, and data flows have been mapped and risk assessed
- processes are in place to provide individuals with access to their personal data
- retention periods for the data have been agreed and processes are in place to ensure secure deletion takes place
- an IG checklist has been completed and the sharing has been authorised by the information governance team
- business continuity plans are in place
15. INCIDENT RISK AND REPORTING

All staff members are responsible for maintaining compliance with the data protection principles and for reporting non-compliance through the CCGs' incident reporting process. The CCGs will ensure that all incidents and risks are:
- reported in a timely manner on the incident report form and in line with the CCGs' Incident Risk Reporting Process
- reported to the Information Governance Manager
- reported to the Head of Corporate Affairs, the SIRO and the Caldicott Guardian
- investigated to identify the root cause
- assessed to determine whether the incident is a Serious Incident Requiring Investigation (SIRI)
- monitored to identify weaknesses and ensure that lessons can be learnt
- reported to the IM&T Board

In addition, where an incident is deemed to be a SIRI, the CCGs will ensure that it is:
- reported within 24 hours via the Information Governance Toolkit Incident Reporting Tool
- reviewed to determine whether HR should be involved to proceed with disciplinary action
- assessed for any remaining risk, with action taken to prevent further occurrence

16. MONITORING AND AUDIT

The effectiveness of this policy will be monitored through analysis of information-related incidents and complaints, supplemented by audits, assessments and spot checks undertaken by the Information Governance Manager. This policy and its associated procedures will be monitored by the IM&T Board, which will provide assurance to the Governing Bodies. Compliance will also be monitored through the Information Governance Toolkit submission and the internal audit process.
INFORMATION SECURITY POLICY

SECTION FIVE

1. INTRODUCTION

Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected. This information security policy sets out how the CCGs' information should be protected in order to ensure its:
- Confidentiality: information is only available to those with a legitimate reason to see it.
- Integrity: information can be trusted to be accurate and complete.
- Availability: information is available to those who need it, when they need it.

If any of these is compromised, this can have a direct impact on the ability of the CCGs to fulfil their objectives and may lead to consequences for patient care, the local health economy and the reputation of the CCGs.

The CCGs have legal obligations to maintain security and confidentiality, notably under the:
- Data Protection Act 1998
- Human Rights Act 1998
- Copyright, Designs and Patents Act 1988
- Computer Misuse Act 1990

In addition, the Caldicott Committee's Report on the Review of Patient-Identifiable Information, published in 1997, led to the establishment of a set of clear principles reflecting best practice in the handling of confidential patient information. The report called for regular and routine testing of information flows against these principles, to be developed and overseen by a network of Caldicott Guardians who would act, within each organisation, in a strategic, advisory and facilitative capacity.

Caldicott 2 was published in May 2013 and featured 23 recommendations which should be adhered to.

The policy aims to ensure that:
- information systems, whether electronic or manual, are properly assessed for security
- confidentiality, integrity and availability are maintained
- staff and managers are aware of their responsibilities
- the risk to the information resources of the CCGs is effectively managed

2. SCOPE

This policy covers all information processed and all information systems used by the CCGs, and applies to all staff employed by or acting on behalf of the CCGs.

3. RESPONSIBILITIES

It is the role of the CCGs' Governing Bodies to define the policy in respect of information security and to ensure that sufficient resources are provided to support the requirements of the policy. This policy applies to all staff who handle information obtained and processed on behalf of the CCGs. These responsibilities, including those in key roles, are outlined in more detail in Appendix B.

4. PRINCIPLES

The CCGs will maintain an Information Security Policy supported by appropriate linked policies, codes of practice, protocols and guidance documents that reflect best practice. They will ensure that all staff have access to that policy and its subordinate documents by cascading information to managers and posting copies on the intranet.

The CCGs will comply with whatever legislative requirements apply, and will further seek to maintain compliance with national guidance.

The CCGs will expect compliance with the Information Security Policy together with the associated linked policies, codes of practice, protocols and guidance.

The CCGs will have procedures in place to evaluate security measures systematically, with the greatest emphasis given to areas where the potential impact of a security breach would be most serious.

The CCGs will assign responsibility to key personnel to ensure a sound and robust security and information management infrastructure.
The CCGs acknowledge that, where appropriate resources are identified, they will need to consider carefully the balance of risk between action and inaction.

The CCGs will measure their compliance against this policy through an annual Information Governance Toolkit return.

5. PROCESS CHANGES

The CCGs will ensure that when changes take place that may impact on information assets:
- a risk assessment is undertaken with respect to information security best practice
- the SIRO is informed of any risks to such assets
- guidance is sought from the CSCSU Information Governance Team

6. THIRD PARTIES

The CCGs will ensure that all contracts with third parties:
- identify inbound and outbound flows of personal data
- confirm that the third party has robust processes in place to comply fully with the Data Protection Act
- adhere to the guidance provided by the CSCSU Information Governance Team on safe information sharing

7. TRANSFER OF PERSONAL INFORMATION

The CCGs will ensure that:
- all staff adhere to the Transfer of Personal Information Procedure and the Data Protection and Confidentiality Policy
- every transfer is lawful

8. INCIDENT AND RISK REPORTING

The CCGs will ensure that all incidents and risks are:
- reported promptly to the SIRO and the Caldicott Guardian
- recorded within a formal process to ensure they can be learnt from or mitigated
- reported in line with the CCGs' Incident and Risk Reporting processes

9. INFORMATION ASSET REGISTER

The CCGs will ensure that all information assets are:
- formally recorded on the Information Asset Register
- allocated an Information Asset Owner
- formally risk assessed, with the SIRO informed of all risks
- reviewed regularly
- risk assessed again whenever processes or assets change
10. BUSINESS CONTINUITY PLAN

The CCGs will ensure that:
- tested Business Continuity Plans are adopted
- Business Continuity Plans cover all assets identified on the Information Asset Register
- Business Continuity Plans prioritise the assets identified in the risk assessment plan
- Business Continuity Plans are reviewed regularly
RECORDS MANAGEMENT POLICY

SECTION SIX

1. INTRODUCTION

This policy sets out how the CCGs will approach the management of their business records. It is part of a Records Framework that includes additional procedures, guidance, audit and training modules. The Records Framework fits into the wider context of information management and governance.

2. PURPOSE

This policy sets out roles and responsibilities for records management and the key operating principles for record keeping across the business. A records management policy is a requirement of the Records Management: NHS Code of Practice. The NHS IG Toolkit specifies broad requirements for records management provision and policy in an organisation, records being a key component of our information governance landscape.

Managing records well will help our staff to do their jobs and contributes to effective healthcare and business efficiency; good quality records are vital if we are to be accountable to the public. The CCGs have a statutory duty to make provision for the safekeeping, accessibility and eventual disposal of their records.

3. SCOPE

The CCGs define records as any form of information which has been created or gathered as a result of any aspect of our work. This includes administrative records as well as any health records that are processed and maintained. This policy covers all CCG business areas and record formats. The CCGs' records, including those of customers, are the property of the NHS and are public records as defined by the Public Records Act.
Records can be manual (paper) and, most commonly, electronic. Examples include invoices, correspondence, faxes, contracts, datasets and spreadsheets. Broadly speaking, records are finalised evidence of the CCGs' work. Work-in-progress documents, although not final, are in scope of this policy because they are an information resource and may still be used to support litigation or requests for information, e.g. Freedom of Information requests and Subject Access Requests. Another organisation's records are also in scope, as they can support our activities and may need to be retained by us for a period of time. Records Management is the formal process of managing records as information resources throughout their life.

4. RESPONSIBILITIES
It is the role of the CCGs' Governing Bodies to define this policy in respect of Records Management, taking into account legal and NHS requirements. The CCGs' Governing Bodies are also responsible for ensuring that sufficient resources are provided to support the requirements of the policy. The Records Management Policy applies to all staff who handle information on behalf of the CCGs. Staff responsibilities, including those in key roles, are outlined in more detail in Appendix B.

5. RECORDS LIFECYCLE
The CCGs will manage records in the context of a records lifecycle:

1. Planning: At a corporate level the CCGs shall develop and implement policy, procedures and functionality to deliver compliant records management. Departments shall ensure they have identified key records that must be captured as a result of their activities and that these are managed following policy.
2. Creation & receipt: This is where a record is born and is saved. The CCGs shall ensure that records are properly captured into approved filing systems, that they are protected from unauthorised access or change, and that they are named following an agreed standard.
3. Use / Distribute: The CCGs' records shall be appropriately available so that they support current business and decision making as well as statutory access requirements. Wherever possible the CCGs shall share one version of a record rather than create duplicates.
4. Retention: The CCGs shall retain non-current and superseded records in filing systems so as to support ongoing business needs and compliance requirements. Disposal schedules shall govern how long records are retained; retained records shall continue to be protected and accessible, with storage facilities meeting appropriate standards.
5. Disposal: The CCGs' records shall not be retained indefinitely. At the end of the retention period, records shall be disposed of. In most cases this will mean controlled destruction; a small percentage of records may be archived, meaning that they will be retained indefinitely under the Public Records Act.

Good Quality Records
Records are evidence of what the CCGs did and thought at a point in time; they may be required for litigation, audits, statutory enquiries and as a basis for decision making. CCG records need to be accurate, reliable and complete. Process managers shall be clear on what records are required to sufficiently document business activities, and ensure that staff capture them following policy and procedure. The quality and accuracy of records that relate to patient care and to significant changes to services and policy are particularly important.

Manual / paper records
In keeping with the wider NHS agenda, the CCGs shall endeavour to be as paper-light as is practicable and consider the electronic version of a record to be the primary version. Paper copies should be maintained by exception and shall be destroyed at the earliest convenience. Where it is practical to do so, the CCGs shall scan new or legacy paper records following the scanning procedure. The original copies of scanned records should then be securely destroyed. In some cases it might be desirable to hold original ink-signed records. This is permissible, although scanning such documents is acceptable so long as their legal admissibility has been protected by following the scanning procedure. Any paper records held by the CCGs shall be securely held in appropriate local filing cabinets. Significant collections of closed manual records should be stored with a specialist off-site storage company. Access to paper files, whether they are sensitive or not, shall be controlled and monitored; in some cases, particularly if the record is sensitive, it may be appropriate to use a simple sign-out log so that a record is held of who has borrowed a file.
Records Inventory and Records File Plan
The CCGs shall organise records into a Records File Plan that lists business activities and the records that they create. Regular inventories shall be carried out of these records so that there are clear metrics covering what is held and the format it is in. The Information Asset Register shall be used to inform this, along with file share content reports.

Disposal Schedules and Legal Holds
The CCGs shall not retain all records indefinitely. Disposal is the process that leads to records being destroyed or transferred elsewhere. Records shall be retained and disposed of following agreed disposal schedules and procedures that are based on NHS requirements and business needs. Disposal schedules are added to the Records File Plan and are approved by the SIRO and the IM&T Group. Disposal shall always be carried out following confidentiality and sensitivity requirements.
Disposal of any records shall be held if they pertain to an existing or emerging legal matter or request for information; this is known as a Legal Hold. Unilateral disposal of records, particularly if done contrary to disposal schedules or legal holds, is a serious breach of policy.

Accredited File Shares
Electronic records (not including those in databases) shall be saved to approved and managed file shares. The file share should be broadly structured following the Records File Plan and include folders that assist with disposal management and protection of sensitive information. Customer records shall be stored and organised in such a way that they are easily distinguishable from the CCGs' own and can be transferred to the customer if required. Original records shall not be saved to offline storage such as computer hard drives, USB memory sticks or optical media. Only in exceptional circumstances should final records be saved to a staff member's private network drive.

Record Naming
Electronic records, along with the folders holding them, shall be named following the agreed electronic document naming standard. This shall also include version control so that it is clear what the status and iteration of the record is.

Records Security and Access
The CCGs shall use security classifications to mark records that contain personal or commercially sensitive information. Records shall not be saved to private (home) computers, nor shall private email accounts, e.g. Hotmail, be used to transmit records or carry out NHS business. Accredited File Shares shall include protected folders and permission protocols where sensitive records are held, e.g. records containing personal data. Access restrictions to records shall be proportionate; wherever possible, records should be available to all staff so as to aid information sharing and reduce duplication and risk.

Line of Business Systems / Databases
Many of our records are held within databases. These may be in the form of uploaded documents, e.g. a PDF or an email, or as data streams, e-transactions and system actions. This policy applies to these records. System owners and project managers shall consider the requirements of this policy when implementing, procuring or using databases. Electronic records that are uploaded to databases, e.g. an email, should be deleted from local systems, e.g. Inbox or File Share; it is bad practice to duplicate information across systems.

Data Backups
All data, including electronic records, are backed up to offline storage following the CSCSU Daily Backup Policy. It is vital that restored records are complete copies and are not changed in any way; this includes embedded metadata.
Backups are within scope of statutory access to information requests and legal disclosure. Records deleted from user front-end storage, e.g. file shares, shall also be deleted from the backup. Current backup policy is that any iteration of electronic data is backed up for 1 year before being overwritten or deleted. In short, records that have been deleted from front-end systems within the last year may still be available in the backup; this needs to be considered when dealing with any access to information requests.

New technologies: Cloud and Collaboration / Sharing
The use of new technologies to improve working practices, process monitoring and collaboration is becoming increasingly popular. These are characterised by services such as cloud storage and collaboration spaces being held outside of the traditional on-site technology infrastructure. The requirements of this policy shall apply to such technology, as it handles the CCGs' information and records. It is also advisable not to assume that information held in commercial Cloud environments will be accessible over the long term; the likelihood of losing access to records during a given retention period should be risk assessed and mitigated.

Email Records / Electronic Communication
Email is a key record keeping tool for the CCGs, and many emails will qualify as records and so must be retained. NHS Mailboxes and Mailbox Archives shall not be used for the long term storage of records. Email records shall be filed to the relevant and approved file share or database alongside related records, as messages (.MSG) rather than in Archive (.PST) format. Staff shall regularly housekeep their Mailboxes so that transitory and spam-type emails are disposed of. Managers shall ensure all required records are transferred from a leaver's Mailbox to the approved store.
Other forms of electronic communication such as Instant Messaging and video conferencing will likely become more commonplace; these recordings, if retained, qualify as records and so shall be managed under this policy. Additional policy and procedure will be produced as required.

Long term access and protection: record preservation
The CCGs shall take steps to ensure that records remain accessible and are not damaged during their retention; for some records this could be many decades, and such lengths of time require preservation management. Records shall be protected from unauthorised access and from natural risks such as flooding and fire. Electronic records are at particular risk of digital obsolescence and degradation of media. The CCGs shall undertake precautions to ensure the long term accessibility of electronic content, including:
- using ubiquitous and open formats, e.g. PDF, DOCX;
- regular refreshing and error-checking of storage media;
- maintaining all records on networked and backed-up drives rather than removable media, e.g. CDs, USBs; and
- assessing the digital preservation risks of any new system.
6. TRAINING REQUIREMENTS
All staff and contractors shall complete records management training. On induction all staff, whether contractors or permanent, shall be introduced to the basic principles of records management policy and procedures. To embed record keeping requirements and reinforce good practice, staff shall complete the Foundation Records Management and the NHS Code of Practice training module via the HSCIC Training Tool. Those staff who have heightened records management responsibilities shall complete the Practitioner Records Management in the NHS module via the HSCIC Training Tool.

7. RECORDS FRAMEWORK
- Records Management Policy / Procedures / Guidance: Define the CCGs' approach to records and the relevant rules. Scope includes all information types, including email and line-of-business systems.
- Records Retention and Disposal Schedules: The NHS Records Management Code of Practice sets out the minimum periods for which the various records created within the NHS or by predecessor bodies should be retained, either due to their ongoing administrative value or as a result of statutory requirement.
- Compliance Audit: Improving records management maturity is dependent upon regular audits, both in terms of compliance with policy and inventories of existing record stores.
- Training modules: To equip staff with the knowledge they need to effectively keep records or to manage the system. Training will be mandatory.

8. KEY RECORDS MANAGEMENT REQUIREMENTS
Public Records Act
All NHS records are Public Records. All NHS organisations must make arrangements for the safe keeping and disposal of their information and records. Recent changes have reduced the 30 year public records disposal rule to 20 years.

Data Protection Act
This Act regulates the processing of personal data relating to living persons.
Principle 5 of the Act sets out the requirement not to retain data for longer than necessary; records must be identified, consistently stored and have disposal schedules in order to meet Principle 5.

Freedom of Information Act (including Section 46 Code of Practice for Records Management)
This Act provides for the disclosure of information held by public authorities and is supported by a Records Management Code of Practice which gives guidance on good practice in records management. It applies to all authorities subject to the Act, to the Public Records Act 1958 or to the Public Records Act (Northern Ireland).

Access to Health Records Act
This Act regulates access to the records of a deceased person.

Records Management: NHS Code of Practice (Parts 1 and 2)
A guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. It is based on legal requirements and professional best practice, particularly the FOI Code of Practice for Records Management.

9. MONITORING COMPLIANCE AND EFFECTIVENESS
The Information Governance Lead will be responsible for performance in records management, and compliance shall be audited following a scheduled plan using a defined audit methodology. Results of audits shall be reported to the IM&T Group. Where there is non-compliance or improvements could be made, these shall be agreed with process owners / managers and subsequently followed up.
FREEDOM OF INFORMATION ACT POLICY
SECTION SEVEN

1. INTRODUCTION
This policy explains the principles which underpin the commitment of the CCGs to openness and transparency in the decisions which we make about the provision of health care to the local community. It sets out our commitment to full implementation of the Freedom of Information Act (FOIA). It acknowledges that the CCGs, at the same time and in conjunction with this Policy, adopt and manage equivalent procedures for the provision of environmental information under the Environmental Information Regulations. The CCGs recognise the general right of access to information. In accordance with the CCGs' Equality and Diversity Policies it is important for all members of staff to remember that applicants may be unable to write to the CCGs, as they may not have English as their first language or may have disabilities which make it difficult for them to express their request in writing. Assistance and support will be made available to those people who require it from the FOI Co-ordinator and/or Head of Corporate Affairs.

2. SCOPE
Within the context of the FOIA, information means every piece of information held by the CCGs, whether paper or electronic. It includes all draft documents, agendas, minutes, emails and handwritten notes. There is an interface between the FOIA and the Data Protection Act (DPA) with regard to information about living individuals. The FOIA applies to information held by the CCGs; this could include information created by other organisations, such as providers, contractors, etc. The FOIA makes it an offence to alter, deface, block, erase, destroy or conceal any information held by the CCGs with the intention of preventing disclosure of all or part of it.
Penalties can be imposed on both the CCGs and employees for non-compliance under the FOIA. The policy will underpin any operational procedures and activities connected with the implementation of the legislation and provides a framework within which the CCGs will ensure compliance with the requirements of the Act. The Policy is applicable to all the activities which the CCGs conduct with other public bodies, including other NHS organisations and partnership bodies, as well as with voluntary organisations and commercial suppliers of goods and services. All staff are responsible to the Chief Officer for their compliance with the policy, for ensuring the adoption of appropriate procedures in managing a request for information, and for monitoring the effectiveness of those procedures and the implementation of this policy. All individual employees responsible for responding to requests for information need to be aware of the responsibilities of the CCGs under the Act and, in particular, the continuing duty to advise and assist any member of the public. Freedom of Information should be adequately reflected in all relevant strategies, policies and procurement exercises.

2. RESPONSIBILITIES
It is the role of the CCGs' Governing Bodies to define the policy in respect of Freedom of Information, taking into account legal and NHS requirements. The CCGs' Governing Bodies are also responsible for ensuring that sufficient resources are provided to support the requirements of the policy. The FOIA Policy applies to all staff who handle information on behalf of the CCGs. Staff responsibilities, including those in key roles, are outlined in more detail in Appendix B.

3. PRINCIPLES
- The CCGs will use all appropriate and necessary means to ensure that they comply with the Freedom of Information Act.
- The CCGs will deploy appropriate systems and procedures to ensure that the organisation complies with its duty to confirm or deny and to provide requested information within 20 working days, or within a reasonable period of time where a public interest test has to be considered.
- All staff, GP directors and governing body members will be required to comply with the requirements, and failure to do so may result in disciplinary action.
- The CCGs will provide a Records Management Policy so that requests for information can be handled efficiently and effectively.
- The CCGs will ensure that all staff receive appropriate and relevant training so that they are able to identify a Freedom of Information request and to support any request that the organisation may receive.
- The CCGs will ensure that their Publication Scheme is periodically reviewed and updated.
- The CCGs will not agree to hold information received from third parties in confidence which is not confidential in nature. Acceptance of any confidentiality provisions must be for good reasons, capable of being justified to the Information Commissioner.
- The CCGs will ensure that exemptions are applied appropriately and consistently, and a refusal notice will be issued detailing why the exemption applies (Appendix I).
- The CCGs will advise and assist requesters, as set out within the Act.
- The CCGs' Freedom of Information Lead (Head of Corporate Affairs) will ensure that training in relation to the Act is available to all staff.
- The CCGs will ensure that awareness raising material is made available to all staff.
- The CCGs will monitor the effectiveness of their compliance with the FOIA and their performance in the implementation of this policy.
- The CCGs will adopt similar standards and policies in relation to the implementation of the Environmental Information Regulations.

4. PUBLICATION SCHEME
Section 19 of the FOIA makes it a duty for every Public Authority to adopt and maintain a scheme relating to the publication of information by that authority, which is approved by the Information Commissioner. The CCGs use the approved model publication scheme issued by the Information Commissioner's Office (ICO) in January. The outline for this scheme can be found in Appendix H.

5. REQUESTS FOR INFORMATION WITHIN THE PUBLICATION SCHEME
If a request is received for information that is covered by the scope of the publication scheme, the requester will be directed to download the information from the CCGs' website.

6. REQUEST TO RE-USE INFORMATION PROVIDED
The information that the CCGs publish as part of their publication scheme and website constitutes the list of information available for re-use. Any published document can be re-used without charge, provided the CCG is credited as the source and retains copyright where appropriate.
7. MANAGING AND DEFINING REQUESTS
The CCGs are responsible for logging and processing all FOIA requests received. A Request for Information (RFI) must meet the following criteria:
- Be in writing, such as emails, letters, etc.
- Contain a name and address for correspondence, including email.
- Have sufficient detail to enable the CCGs to identify the information requested.
- Be a request for information that is not already part of the CCGs' Publication Scheme.
- Be a request for information from a member of the public or an organisation outside the local NHS.

Once a request that fulfils the above criteria is received, the CCGs have a maximum of 20 working days to respond. There is no provision for extending the 20 working day limit unless consideration needs to be given to a Public Interest Test. The CCGs have a duty to advise and assist under the Act and must take reasonable steps to help a requester compile a request that meets the criteria. The time for response does not begin until sufficient detail has been received to consider a response. Any communications to clarify a request will be undertaken without unnecessary delay. All responses to requests that have not expressly asked for the information to be re-used will include a clause stating that permission must be sought before the information may be re-used. Requests for re-use must be authorised by a Director of the CCGs, taking advice from Communications and Information Governance professionals as appropriate.

8. VEXATIOUS REQUESTS
Should an applicant make vexatious or repeated requests for identical or substantially similar information, the CCGs will inform the applicant in writing, stating that they will not be fulfilling the request and outlining why they consider the request to be vexatious. They will also advise the applicant of how to proceed if they are not satisfied with the response.
Guidance is available on the Information Commissioner's website on how to decide whether an applicant's requests may be considered vexatious. The FOI Administrator will determine if the request is considered vexatious.

9. APPLYING EXEMPTIONS
Whilst a response is being compiled, if there is a concern raised about release, then consideration should be given to whether an exemption may apply.
The Act details 23 legally complex exemptions. These are separated into absolute and qualified exemptions. An absolute exemption applies in all cases and is not subject to a public interest test. If the exemption is absolute then the response should be completed within the usual 20 working day limit. A qualified exemption is subject to a public interest test, which determines whether the public interest is best served by applying the exemption or by disclosing the information. When a Public Interest Test is being applied, the response time should be paused and the requester should be informed that a public interest test is being undertaken. Public Interest Tests must be conducted objectively, and it is not sufficient merely to state that the public interest is best served by an exemption. Should the requester challenge the exemption, the CCGs would be required to demonstrate that both sides of the argument had been sufficiently explored and that those with relevant experience, skills and knowledge had engaged with the Public Interest Test. Therefore the discussions around disclosure versus non-disclosure, and where the interests of the public are best served, should be documented. The response will usually detail why the CCGs believe that an exemption applies and which exemption is being used. The FOI Administrator will provide technical assistance in determining whether an exemption applies. A full list of exemptions is attached in Appendix I.

10. REQUESTS FROM THE MEDIA
Requests under the FOIA are both motive and applicant blind. However, it may be appropriate for the CCGs' Communications Lead to be informed of requests from the media, and the CCGs may wish to consider handling them as a media request. Requests that are likely to be of media interest should also be copied to the CCGs' Communications Lead, in order that the CCGs can consider any response they may wish to make. This does not alter the requester's rights under the Act.

11. REQUESTS FOR INTERNAL REVIEW / COMPLAINTS PROCESS
The FOIA response to the requester will detail what steps the requester can take if they are unhappy with the response received from the CCGs. The steps to resolve a complaint are:
1. Request for internal review by the CCGs.
2. Complaint to the Information Commissioner.
Both routes will be identified in all responses. If the requester asks for an internal review, then the following aspects will be considered:
- How the request was handled, including meeting timescales.
- Whether the response addressed key aspects of the Act, including advising the requester whether the information was held.
- Whether any exemption has been applied appropriately.
The composition of the review team will include:
- A senior member of CCG management, ideally a Director or senior manager.
- A subject matter expert well versed in the information requested, ideally not the person originally responsible for responding, although this may be unavoidable.
- The CCGs' FOI Lead (Head of Corporate Affairs).
The outcome of the review will be prepared within 40 days of the original request for review. If the outcome of the review is to release previously withheld information, then ideally this should be sent with the review, or no later than 20 days after the completion of the review. Should the CCGs receive any notices served by the Information Commissioner, they will endeavour to comply unless they feel the need to appeal to the Information Tribunal.

12. INFORMATION PROVIDED BY OTHER ORGANISATIONS
The FOIA covers information held by the CCGs. The CCGs would generally have to disclose the information requested; however, it may be appropriate to advise the originator of the information that it will be released. If the information is known to be more readily available from another source, i.e. a website, it may be appropriate to advise the requester of this. Guidance should be sought from the FOI Administrator if the CCGs believe that the release of information may impact on the other party.

13. CONTRACTS WITH OTHER ORGANISATIONS
All operational contracts held by the CCGs have a clause detailing that information may be disclosed under the terms of the FOIA. The CCGs will give consideration to the FOIA during procurement processes and ensure that those who wish to tender understand that information may be disclosed under the Act.

14. ENVIRONMENTAL INFORMATION REGULATIONS
Many similarities exist between the FOIA and the Environmental Information Regulations (EIR).
The EIR relate to any information that the CCGs hold about our impact on the environment; this includes impact on any of the elements (air, water, etc.), substances released into the environment, planning policies and plans that may impact the environment, and any impact on humans. The main difference between the FOIA and the EIR is that requests under the EIR do not have to be in writing and may be made verbally. The CCGs will handle EIR requests within the FOIA process. Should the CCGs receive an EIR request, specialist advice will be sought from the FOI Administrator.
SUBJECT ACCESS REQUEST POLICY & PROCEDURE
SECTION EIGHT

1. INTRODUCTION
It is the policy of the CCGs to comply with all relevant legislation and regulation in every aspect as it applies to their duties as commissioners of secondary healthcare and as employers. The Data Protection Act ('the Act') became effective from 1st March 2000, superseding the Act of 1984 and the Access to Health Records Act 1990, the exception to the latter being that medical records of the deceased are still governed by the Access to Health Records Act. The Act gives every living person, or their authorised representative, the right to apply for access to records of their personal information held by a registered organisation, irrespective of when they were compiled. These are referred to as Subject Access Requests (SARs) and the person to whom the data relates is referred to as the Data Subject. This applies equally to Staff Records and Health Records, where:
- Personnel / Staff records are defined as the personal information held by the CCGs relating to a member of staff, present, past or prospective, whether permanent, temporary or a volunteer.
- Health records are defined as a record consisting of information about the physical or mental health of an identifiable individual made by, or on behalf of, a health professional in connection with the care of that individual.
The Act also gives subjects who now reside outside the UK the right to apply for access to their former UK health and employment records. As a general rule a person with parental responsibility will have the right to apply for access to their child's health record. A copy of the requested information will, whenever possible, be provided to the applicant within 21 days and by no later than 40 days. However, where a fee is to be charged or the data subject has provided insufficient information to identify themselves, the 40-day clock will not begin to run until the fee is paid or the relevant information is supplied.
If compliance is not possible within this period, this must be in exceptional cases only, and the applicant must be advised accordingly within the 40-day period.

2. SCOPE
This policy applies to all staff who work for the CCGs, including contractors and members of the Governing Body. It is recognised that the CCGs, due to the introduction of the Health and Social Care Act 2012 and the organisation's decreasing direct involvement with patient records, are less likely to receive SARs for medical records than preceding bodies. However, this policy and procedure will apply to any request from a member of staff for access to their personal information held by the CCGs and to requests from members of the public about information held about them. The CCGs will commission the service of the Commissioning Support Unit (CSU) to process requests for subject access from an individual or their legal representatives, in accordance with the relevant IG and FOI Service Specification. However, the response will need to be approved by the CCGs as Data Controller. The SAR will be processed as per Appendices 1 and 2 found at the end of this Policy.

3. RIGHT OF SUBJECT ACCESS
The Data Subject
A data subject is entitled to make a request in writing to see any personal data held about them under the Act.

On Behalf of the Data Subject
Anyone applying for Data Subject Access on behalf of someone else must apply in writing together with written authorisation from the data subject, which must be signed by the data subject themselves.

A Person with Parental Responsibility
An individual can only request access if they have either parental responsibility or legal guardianship of the child.
Parental responsibility is defined in the Children Act 1989 and updated by the Adoption & Children Act 2002. A person with parental responsibility is:
- the natural mother;
- the natural father, if married to the mother either before or after the birth, even if divorced or separated;
- the natural father, if unmarried, and he registered the birth along with the mother after December 2003;
- the natural father, if unmarried, by agreement with the mother (evidenced by a form provided by a solicitor, signed by both parents and witnessed by an Officer of the Court) or by a court order (parental responsibility order);
- the natural father, if unmarried, and appointed as the child's guardian on the death of the natural mother;
- an individual (generally a family member) with a residence order for the child (if the order is for a period of time, then parental responsibility is removed at the end of the period);
- an individual who has legally adopted the child;
- a local authority under a care order;
- an individual acting as a Children's Guardian.

If the application for access to a child's record is made by someone having parental responsibility, access shall only be given where:
- the child is capable of understanding what the application is about and has consented to it; or
- the child is not capable of understanding the nature of the application and giving access would be in his/her best interests.

The relevant Health Professional will decide on the child's capacity to understand the application. If an individual is claiming parental responsibility then they must provide a copy of the necessary evidence, such as a parental responsibility order or birth certificate.

A Person Appointed by the Courts
Where a patient is incapable of managing their affairs, someone appointed to act on their behalf by a court of law may submit a subject access request. Proof of the court order must be given.

Solicitors acting on behalf of a Client or Insurance Companies
Where a solicitor, lawyer or other legal professional requests access on behalf of a client they are representing, the signed consent of their client must be obtained and evidenced. The request must be dealt with in the same way as if it had come direct from the Data Subject.

Other Agencies
In some circumstances the Trust may be asked to provide information to other agencies. Unless there is a legal requirement to disclose, the Data Subject will be informed and their consent obtained in writing.

Appointed Representative of the Deceased
Health records relating to deceased patients will be treated with the same level of confidentiality as those relating to living people. Under the Access to Health Records Act 1990, a request to see a deceased patient's health record, or to have a copy thereof, can be made by the patient's personal representative or any person who may have a claim arising out of the patient's death.
The personal representative (executor or next of kin, who may be a relative, friend or solicitor) or anyone having a claim resulting from the death has the right to apply for access to the relevant part(s) of the deceased's health record under the Access to Health Records Act 1990. Where the requestor is not acting in a legal capacity, they should detail why they need access in pursuing a claim. Where they are the executor or administrator they must provide proof of appointment under the Will/Grant of probate.

4. RECEIVING THE ACCESS REQUEST

A member of staff, patient or their representative, with consent, has the right to apply for access to personal records. Unless an applicant is very well known to the member of staff receiving the request, and unless the member of staff is fully conversant with the intricacies of the Act, all requests must be passed to the CSCSU FOI team in the first instance to be processed. They will determine the applicant's entitlement to access a record before passing the request to the relevant department (i.e. HR, CHC, etc.), who will determine if any part of the record is subject to restrictions as set out in the Act.

The Act allows for requests to be made in writing or electronically; requests in writing from patients should be made using the Patient Authority Consent (PAC) Form to ensure that absolute clarity about the nature and legitimacy of the request exists; electronic requests should only be accepted with an electronic signature. If this last is not possible, the applicant should be advised to complete a manual PAC Form as described above. In cases where consent can only be taken verbally, the details of this consent should be recorded on the individual's file. Please go to Appendix 3 for a copy of the PAC.

Once the SAR is received, you must be able to verify the identity of the applicant. For both members of staff and patients (in addition to the PAC Form, which will bear a signature from the data subject) requesting the release of their records, ensure that you have the following:

A copy of some form of identity that shows the applicant's name and current address. At least two forms of Identification (ID) are necessary. Acceptable forms of ID include:
- photocopy of passport or driving licence
- bank statement
- electricity bill
- gas bill
- council tax bill
- any other bill in your full name

Note: Bills should not be more than six months old.

If an employee's or a patient's representative, e.g. a solicitor, is applying for access, ensure that you have the signature of the data subject (i.e. staff member or patient) authorising them to do this.
In some circumstances the FOI Officer processing the request may wish to contact the data subject to clarify that he/she understands fully that they will be consenting to release their health or personnel records to a third party.

If a parent, or person authorised with parental responsibility, is applying for access to their child's records, the HR / Health Professional should consider if the child is of an age to be capable of making his or her own judgement about their personal information (see section 7 for further information). If they are, their consent should be sought before their application is accepted. Issues to be considered when processing applications from those with parental responsibility are discussed in Section 7.

After obtaining consent and identification for an access request, ensure you have enough information to identify the data relating to the data subject in question. Such details would include:
- Full name, including previous names
- Full address, including any recent previous address
- Date of birth
- NHS number, if known (where relevant)

Under the Act, there is no obligation to comply with an access request unless you have sufficient information to identify the applicant and locate the information. Check with the applicant whether they require access to the entire personal record and, if not, confirm what material the applicant requires before processing their request.

Note: The applicant does not have to give a reason for applying for access.

Once you have all the relevant and necessary information, including ID and consent, to comply with the access request, you must comply promptly and by no later than forty days after the request has been made; sign and date the PAC Form on receipt to ensure that you keep track of time-scales. In exceptional circumstances, if it is not possible to comply within this period, the applicant should be informed.

The Senior Manager charged with reviewing the personal record prior to release is normally the person who is, or was, responsible for the HR Records of the employee, or the Healthcare Professional responsible for the clinical care of the patient during the period to which the application refers. It is not necessary to approach every individual professional associated with the subject.

Each CCG has the authority to determine what may or may not be released, taking into account two key factors why access could be denied:
- Where the information released may cause serious harm to the physical or mental health or condition of the employee/patient, or any other person
- Where access would disclose information relating to or provided by a third party, who is not a professional engaged in the provision of the patient's healthcare.

In terms of the second statement, access may be given if the third party gives their consent to the disclosure, although the Act does not require the CCG to approach a third party for this purpose.
The following are common examples, relating to health records, of when a third party may be involved; they may also be interpreted for staff records:

Example 1
A parent may apply for access to their 14-year-old child's health records. Contained within the health record may be some reference to his/her parents (third party) made by the child, which the child would not want disclosed. The doctor or community health professional may withhold this information from the child's parents.

Example 2
A son (third party) contacts the doctor or community health professional because he is concerned about his elderly mother, who is having problems with memory loss and self-care. The doctor makes notes of the visit in his mother's health records, but if for any reason the mother decided to apply for access to her health records, the doctor may withhold any information relating to her son's visit, unless the son gives his consent to disclose the information.

NB: There is no requirement to disclose to the applicant the fact that certain information may have been withheld.

5. SUBJECTS LIVING/MOVING ABROAD REQUIRING ACCESS TO THEIR PERSONAL RECORDS

Employees are legally entitled to request their personal records and may take them outside of the UK at their own discretion and liability.

Original health records should not be given to people to keep/take outside the UK. A GP or community health professional may be prepared to provide the patient with a summary of treatment; alternatively the patient may make a request for access in the usual way. If the patient has moved abroad and the health record has been archived, direct the patient to the organisation holding the archived record, which will manage the request. Health records are kept for a minimum of 10 years in these circumstances (CCG records for 8 years).

6. PARENTAL RESPONSIBILITY

Although such requests are unlikely to be received by the CCG, as a general rule a person with parental responsibility will have the right to apply for access to a child's record. It is important that staff who are dealing with a request for access to a child's record from someone who says that they have parental responsibility secure evidence that will have been provided by the Courts to that effect.

Parental responsibility for a child is defined in the Children Act 1989 as "all the rights, duties, powers, responsibilities and authority which by law a parent of a child has in relation to the child and his property". Although not defined specifically, responsibilities would include safeguarding and promoting a child's health, development and welfare, including, if relevant, their employment records.
Included in the parental rights which would fulfil the parental responsibilities above are:
- Having the child live with the person with responsibility, or having a say in where the child lives
- If the child is not living with her/him, having a personal relationship and regular contact with the child
- Controlling, guiding and directing the child's upbringing

It is important to note that foster parents are not ordinarily awarded parental responsibility for a child. It is more likely that this responsibility rests with the child's social worker, and appropriate evidence of identity should be sought in the usual way.

As a child grows older he/she will be able to make decisions about his/her own life. The law regards young people aged 16 to 17 to be adults for the purposes of consent to employment or treatment and the right to confidentiality. Therefore, if a 16-year-old wishes HR or a medical practitioner to keep their information confidential, then that wish must be respected.

In certain cases, children under the age of 16 who have the capacity and understanding to take decisions about their own treatment are also entitled to decide whether personal information may be passed on and generally to have their confidence respected. Case law has established that such a child is "Gillick Competent" or meets the Fraser guidelines.

Where a child is considered capable of making decisions, e.g. about his/her employment or medical treatment, the consent of the child must be sought before a person with parental responsibility may be given access. Where, in the view of the appropriate professional, the child is not capable of understanding the nature of the application, the holder of the record is entitled to deny access if it is not felt to be in the patient's best interests.

7. POWER OF ATTORNEY

A person with Power of Attorney for another is entitled to be given access to that person's staff or medical record, subject to the proper scrutiny of appropriate evidence. Appropriate evidence is sight of the original document giving Power of Attorney, a photocopy of which should be retained.

8. DECEASED PERSONS

Should a SAR be received relating to a deceased member of staff, the FOI Officer must ensure that the person making the request is entitled to receive the information, for example through Power of Attorney (see above) or as their Executor (see below).

Despite the passing into law of the Act, the terms of the Access to Health Records Act 1990 (AHRA 90) still apply with regard to the health records of the deceased. The requirements of the AHRA 90 are precisely the same as those contained within the Act apart from one key area: the period of time from when records may be disclosed. Under the AHRA 90, health records made since 1st November 1991 may be released; there is no requirement whatsoever to release records from any date earlier than this.

An applicant wishing to access the health records of a deceased person must be either:
- The executor of the deceased's Will;
- Someone who has been appointed as Administrator of the Estate by the Courts;
- Someone who has the written consent of either of the above to be given access; or
- Someone who is in the process of challenging the deceased's Will.
In all circumstances, evidence must be secured that confirms the status described above.

9. DISPROPORTIONATE EFFORT

The term "disproportionate effort" is not defined in the Act; what does or does not amount to disproportionate effort is a question of fact to be determined in each and every case. The fact that the CCG (the data controller) may have had to expend substantial effort/cost in responding to an access request does not permit an argument to be made that the request may be denied or the permissible fees increased. The Information Commissioner considers that quite considerable effort can reasonably be expected.

10. FEES TO ACCESS AND COPY RECORDS

A subject can be charged to view their health records or to be provided with a copy of them. To provide copies of patient health records, the maximum costs are:
- Health records held totally on computer: up to a maximum of £10 charged
- Health records held in part on computer, and in part manually: up to a maximum of £50 charged
- Health records held totally manually: up to a maximum of £50 charged

These are maximum charges, to include postage and packaging costs. Any charges for access should not be seen to make a financial gain.

To allow patients to view their health records (i.e. where no copies are required), the maximum costs are:
- Health records held totally on computer: up to a maximum £10 charge
- Health records held in part on computer, and in part manually: up to a maximum £10 charge
- Health records held totally manually: up to a maximum £10 charge

NB: If the records have been added to in the last 40 days, no charge may be made for viewing these particular entries.

If a person who has viewed their record then wishes to be provided with a copy of any of the information held, this should be regarded as one access request. The £10 maximum fee for viewing, notwithstanding the exceptions outlined above, would be included in the maximum fees detailed for the provision of copies, not charged as an extra fee.

In addition you should note that, whilst the Act states that you are under no obligation to comply with an access request unless the requisite fee has been paid, in practice an organisation may choose not to ask for the fee until the release stage of the access request.

11. THE RELEASE STAGE

Once you have received the relevant fee, release those copies of the records that are adjudged appropriate to release. On no account must the original record be released.
If you are denying or restricting access, you do not have to give a reason for the decision, but you should be willing to direct the subject through the appropriate complaints channels. Where information is not readily intelligible, an explanation (e.g. of abbreviations or terminology) must be given.

If it is agreed that the subject or their representative may directly inspect the record, a health professional or HR administrator must supervise the access. If supervised by a lay administrator, this person must not comment or advise on the content of the record; if the applicant raises enquiries, an appointment with an HR administrator or health professional must be offered.

12. RECTIFYING ENTRIES

Data Subjects, or those acting for them, have the right to request the erasure or amendment of any entries in a personal record that they believe to be factually incorrect, and the record holder must consider any such petition made by the data subject. If, however, the record holder believes the statements in question to be accurate, and is therefore unwilling to amend them, the subject has the right to have the fact of this dispute recorded in the employee or medical record.

13. DEALING WITH COMPLAINTS

If an applicant is unhappy with the outcome of their access request, the following complaints channels should be offered:
- The HR or health professional may wish to have an informal meeting in an effort to resolve the complaint locally.
- If the HR or health professional feels that they cannot do anything for the data subject locally, a patient should be advised to make a complaint through the NHS complaints process. A staff member may wish to consult with their trade union representative.
- The data subject may not wish to take this route and, alternatively, may make a complaint direct to the Information Commissioner at:

The Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow
Cheshire, SK9 5AF
Website:
Email: [email protected]
Telephone Information Line:

14. FURTHER ADVICE

Further advice may be obtained from the Information Governance Manager.
APPENDIX 1: Relative CSU / CCG Responsibilities for Subject Access Requests

APPENDIX 2:

APPENDIX 3: Patient Authority Consent Form

Subject Access Request for Access to Health Records
Data Protection Act 1998 / Access to Health Records Act 1990

Full Name of Patient:
Former Name (Names):
Date of Birth:
NHS Number (if known):
Current Address:
(Optional) Telephone Number (including area code):
Former Address (if applicable):
Evidence of Identity Attached?

Requests for Access from Third Parties
Full Name of Applicant:
Address:
(Optional) Telephone Number (including area code):
Relationship to Patient (e.g., Executor; Parent; Legal Advisor):
Evidence of Identity and Relationship Enclosed?

NB: the application cannot be processed without evidencing both your own identity and the relationship to the patient; see notes on Requests for Access from Third Parties.

I am applying for access to view the health record specified above*
I am applying for copies of the health record specified above*
* Delete as appropriate

IMPORTANT INFORMATION

Under the Data Protection Act 1998 and the Access to Health Records Act 1990, you do not have to give a reason for applying for access to your health record (or, if you are a third party applicant, the health record concerned). However, to save time and resources, if you wish, it would be helpful if you could provide details below informing us of the parts of your health records you require, along with any details which you may feel have relevance, i.e. consultant name, location, dates, etc.

Optional: please use the space below to inform us of certain periods and parts of your health record you may require to see/have copies of.

I am applying to access my records under the Data Protection Act 1998 / Access to Health Records Act 1990. I understand that under this legislation there may be a charge for me to view, or to be provided with, a copy of the health records identified.

Signed: ................................ Date: ..............
Witnessed by:
Name: ................................ Signature: ................................ Date: ..............
SECTION NINE

BUSINESS CONTINUITY FRAMEWORK & PLAN

This document contains the Business Continuity framework and plan for the CCGs. It incorporates the business continuity plan, which contains the procedures and practical steps required to ensure that the business of the CCGs can continue. The Business Continuity framework and plans contain details of all internal and external dependencies and interactions, as well as details on how and under what circumstances key interested parties will be communicated with.

This framework and plan has been developed in line with the Central Southern Commissioning Support Unit (CSCSU) business continuity plans and NHS Property Company plans, as well as aligning, where appropriate, with other local CCGs' and NHS organisations' business continuity management (BCM) plans. The Business Continuity Framework and Plan sits alongside other key Emergency Preparedness and Resilience documentation, including the CCGs' Major Incident Plan, On-Call Pack and Escalation Framework.

SECTION 1: BUSINESS CONTINUITY FRAMEWORK

1. Introduction

Business continuity planning forms an important element of good business management and service provision. All business activity can be subjected to disruptions, from more minor forms such as technology failure to more extreme forms such as flooding, utility disruption and terrorism. Business Continuity Management (BCM) provides the capability to adequately react to operational disruptions, while protecting the welfare and safety of staff.

Business continuity management (BCM) involves managing the recovery or continuation of business activities in the event of a business disruption. BCM also covers the management of the overall programme through training, exercises and review, to ensure that the business continuity plans are updated and kept current.

For the NHS, business continuity management is defined as the management process that enables an NHS organisation [1]:
- to identify those key services which, if interrupted for any reason, would have the greatest impact upon the community, the health economy and the organisation
- to identify and reduce the risks and threats to the continuation of these key services
- to develop plans which enable the organisation to recover and/or maintain core services in the shortest possible time.

The benefits of an effective BCM programme
An effective BCM programme within the Clinical Commissioning Group will help the organisation to [2]:
- Anticipate
- Prepare for
- Prevent
- Respond to
- Recover from
disruptions, whatever their source and whatever part of the business they affect.

The outcomes of an effective BCM programme
The outcomes of an effective BCM programme within the Clinical Commissioning Group include:
- key products and services are identified and protected, ensuring their continuity
- the organisation's understanding of itself and its relationships with other organisations, relevant regulators or government departments, local authorities and the emergency services is properly developed, documented and understood
- staff are trained to respond effectively to an incident or disruption through training and emergency planning exercises
- staff receive adequate support and communications in the event of a disruption
- the organisation's supply chain is secured
- the organisation's information, data, financial and HR systems are protected and secured
- the organisation's reputation is protected
- the organisation remains compliant with its legal and regulatory obligations.
Elements of the business continuity management lifecycle
The industry standard, ISO 22301 Business Continuity Management, characterises business continuity management as a series of six lifecycle elements:
- BCM programme management
- understanding the organisation
- determining business continuity strategy
- developing and implementing a BCM response
- BCM exercising, maintaining and reviewing BCM arrangements
- embedding BCM in the organisation's culture

Figure 1: The Business Continuity Management Lifecycle (BSI 2006: 09)

[1] NHS Resilience and Business Continuity Management Guidance, Interim Strategic National Guidance for NHS organisations. First published: June 2008; prepared by Emergency Preparedness Division.
[2] NHS Commissioning Board Business Continuity Management Framework (service resilience), 7th January 2013.

2. DUTIES FOR BUSINESS CONTINUITY AND RECOVERY

This policy should be read in conjunction with the four key documents detailed in Appendix J & K that outline the need for NHS organisations to establish a business continuity management system:

Civil Contingencies Act 2004
The Civil Contingencies Act 2004 outlines a single framework for civil protection in the United Kingdom. Part 1 of the Act establishes a clear set of roles and responsibilities for those involved in emergency preparation and response at local level. The Act divides local responders into two categories, imposing a different set of duties on each. Category 1 responders are those organisations at the core of the response to most emergencies, and are subject to the full set of civil protection duties. Category 2 organisations (the Health and Safety Executive, transport and utility companies) are co-operating bodies. They are less likely to be involved in the heart of planning work, but will be heavily involved in incidents that affect their own sector. Category 2 responders have a lesser set of duties: co-operating and sharing relevant information with other Category 1 and 2 responders. All clinical commissioning groups are listed as Category 2 responders, and as such the Clinical Commissioning Group is subject to the following civil protection duties:
NHS Commissioning Board Emergency Planning Framework
The purpose of this document is to provide a framework for all NHS funded organisations to meet the requirements of the Civil Contingencies Act (2004), the Health and Social Care Act (2012), the NHS standard contracts and the NHS CB EPRR Core Standards (2013), NHS CB Command and Control (2013) and NHS CB Business Continuity Management Framework (2013). The core standards provide the minimum standards which NHS organisations and subcontractors must meet.

NHS Commissioning Board Business Continuity Management Framework (service resilience)
This highlights the need for business continuity management in NHS organisations. It lists the relevant standards and indicates the guidance organisations need to follow. It promotes joint working arrangements between NHS organisations when planning for and responding to disruptions.

International Standards for Business Continuity Planning
There are a number of national and international standards relating to guidance for business continuity management that can be found in:
- ISO 22301 Societal Security - Business Continuity Management System requirements
- ISO 22313 Societal Security - Business Continuity Management System guidance
- PAS 2015 Framework for Health Services Resilience

This plan currently conforms to the business continuity management system in line with BS 25999. However, this standard has now been replaced by ISO 22301. NHS England plan to publish a Business Continuity Management Toolkit in 2013 to help organisations meet these international and national standards. At that time the Clinical Commissioning Group will update its plan to ensure all these standards are met.

3. BUSINESS CONTINUITY POLICY AND PLANNING FRAMEWORK

Aim of Business Continuity Policy and Planning Framework
The policy and planning framework aims to ensure that the principles of business continuity management are embedded throughout the organisation, and provides assurance to staff, members, patients, stakeholders and the local population that key services can continue during a disruption event.

The objectives of the Business Continuity Policy and Planning Framework are:
- to ensure a comprehensive Business Continuity Management System is established and maintained
- to ensure key services, together with their supporting critical activities, processes and resources, will be identified by undertaking business impact analysis
- to ensure risk mitigation strategies will be applied to reduce the impact of disruption on key services
- to ensure plans will be developed to enable continuity of key services at a minimum acceptable standard following disruption
- to outline how business continuity plans will be invoked and the relationship with the CCG Major Incident Plan
- to ensure plans are subject to on-going exercising and revision
- to ensure the Clinical Commissioning Group Governing Body is assured that the Business Continuity Management System remains up to date and relevant

Scope
The Business Continuity Management System, which includes the Business Continuity Policy and Planning Framework and Business Continuity Plan, addresses those services which are provided by the CCG teams, the Joint Management Team and the CSCSU:

CCG Teams (Bracknell and Ascot CCG; Slough CCG; Windsor, Ascot and Maidenhead CCG):
- Operations and project management
- Administration, including Governing Body meetings

Joint Management Team supported by the CSCSU:
- Corporate Services, including HR, Governance, information governance, information management and technology (IM&T), communications and public engagement
- Quality Improvement services, including Safeguarding and Individual Funding Requests, complaints and Patient Advice and Liaison Service (PALS)
- Finance services, including contracting
- Strategy and Planning, including winter planning functions
- QIPP and Performance services, including service redesign.

The Joint Management Team also includes the Accountable Emergency Officer role, with responsibility for emergency planning.

4. ROLES AND RESPONSIBILITIES

Ownership of business continuity management is required at every level of the CCG. Each team must ensure that the business activities of each individual service under its jurisdiction are maintained if this service is identified as critical to the Team's function. Where a service is provided by another organisation such as the CSCSU or an external supplier, the responsibility remains with the CCG team / Joint Management Team to ensure continuity.
The overall lead for Business Continuity (Head of Corporate Affairs) needs to seek assurance that suppliers and contractors also have robust business continuity arrangements in place, e.g. NHS Property Company, CSCSU etc.

- Chief Officer: has overall accountability for the successful implementation of business continuity.
- Accountable Emergency Officer (Associate Director of Business Planning & QIPP): has overall responsibility for the successful implementation of business continuity.
- Chief Financial Officer: will be responsible for identifying resources for business continuity management systems where necessary and setting up unique cost codes and budget codes to track costs.
- Directors: responsible for drawing up team business continuity plans and ensuring the successful implementation of contingency arrangements for critical services within their directorates. This may be delegated to a Business Continuity Lead.
- Heads of Operation and Managers: responsible for successful implementation of business continuity within their area of responsibility.
- Individual CCG employees: each individual member of staff is responsible for ensuring they are familiar with the Business Continuity Plan and their role within it.

Business Impact Analysis

Business impact analysis (BIA) is the process of analysing business functions and determining the effect that a business disruption might have upon them, and how these vary over time. The aim of the business impact analysis is to ensure the Clinical Commissioning Group has identified those activities that support its key services in advance of an incident, so that robust business continuity plans can be put into place for those identified critical activities.

Strategic Aims of the Clinical Commissioning Group

The strategic aims of the organisation are taken into account when teams determine critical activities. The CCG's strategic aims can be found in the CCG's Commissioning Plan (CCG-Commissioning-Plan.pdf).

Risk Assessment

The community risk register [3] is considered when undertaking business impact analysis in order to enable the organisation to understand the threats to, and vulnerabilities of, critical activities and supporting resources, including those provided by suppliers and outsource partners.

[3] Community Risk Registers (CRR) are developed across the UK by emergency services and other responders as a means of assessing the risks that a particular area may contend with and the impact that these will have on that area.
5. BUSINESS IMPACT ANALYSIS TOOL

Business impact analysis assists each team to identify critical activities/services, the maximum tolerable period of disruption, critical interdependencies and recovery objectives.

The Maximum Acceptable Downtime (MAD) is the timeframe during which the recovery of systems, processes and activities must be achieved to prevent the risk of a significant impact arising if the downtime is exceeded, i.e. what is the maximum downtime which could be tolerated without incurring one or more of the consequences below?

For the purposes of business continuity, the Clinical Commissioning Group defines a significant impact as any situation that could give rise to one or more of the following situations:
- an unacceptable risk to the safety and/or welfare of patients and staff
- a major breach of a legal or regulatory requirement
- a major breach of a contract, service level agreement or similar formal agreement
- the risk of significant financial impact, and/or
- a threat to the reputation of the CCG as a competent NHS organisation

For the purposes of business continuity, the Clinical Commissioning Group defines the following scale of maximum acceptable downtimes:

Scale  Timeframe           Rationale
A      Immediate restart   Typically used only for clinical and in-patient services where any interruption raises an immediate and unacceptable risk to people
B      One working day     An unacceptable risk will arise if this activity is not fully restored within 24 hours
C      Three working days  The norm for service recovery; recovery within this timeframe will not jeopardise patient safety or welfare
D      One working week    The timeframe for most non-clinical activity
E      Seven days plus     Typically training and similar activities that can be suspended without significant impact in the short term

Business Continuity Management Plans

The outcome of each team's business impact analysis has been used to prepare a team business continuity plan (see Section 2).

6. IMPLEMENTING THE BUSINESS CONTINUITY PLAN

Triggers for activation of plan

The CCG Business Continuity Plan is likely to be activated in the following circumstances, although the list is not exhaustive and the need to activate the plan will be decided by the Director / Manager on call for the CCG.
- Loss of access to King Edward VII Hospital, the CCG Headquarters (due to fire, flood or other incident affecting either the hospital or surrounding roads) for longer than the determined maximum acceptable downtime (MAD)
- Loss of amenities that support KEVII Hospital, including power, water or gas, for longer than the determined maximum acceptable downtime (MAD)
- Loss of Information Communication Technology (ICT) access or services for longer than the determined MAD
- Loss of key staff
- Significant changes in the operating risk level necessitating a change in the operating environment.

Activating the plan

The Business Continuity Plan will be activated by the Director / Manager on call when the major incident plan has been activated or is on standby, and there is an incident that has the potential to cause business disruption and affect critical activities. Depending on the type of disruption, it is possible that not all teams will need to activate their business continuity plan.

Figure 1: Activating and escalating business continuity plans.

Managing Business Continuity during an incident

This is detailed in the business continuity plan in Section 2 and is led by the Director / Manager on Call.

Standing down

When there is no further risk to business continuity from the incident, the Director / Manager on Call together with the Chief Officer will declare the event over (stand down).

7. TRAINING AND EXERCISING

Training

On call directors and managers will be provided with business continuity training appropriate to their role. All other staff will require business continuity awareness training in relation to continuity plans for each service, and this will be provided by the staff member's line manager.

Exercising

The CCG will undertake business continuity exercises on a regular basis. These may take the form of self-directed exercises by individual services using scenarios on the emergency planning intranet, directorate table top exercises facilitated by the Accountable Emergency Officer, and multi-agency exercises. Exercising can take various forms, from a test of the communications plan, to a desk-top walk through, to a live exercise. However, in all cases exercises should be realistic, carefully planned and agreed with stakeholders, so that there is minimum risk of disruption to business processes.

Records

A record of training and exercising undertaken within the CCG will be kept by the Accountable Emergency Officer so that the organisation has a central record of training undertaken.

8. AUDIT AND MONITORING CRITERIA

The Head of Corporate Affairs is responsible for ensuring policy and guidance on all business continuity arrangements is developed, including the production and maintenance of the Commissioning Group Business Continuity Policy and Plan, which is approved by the CCG Governing Body. The Head of Corporate Affairs is responsible for ensuring the policy and plan is reviewed on an annual basis, or earlier as a result of changes to legislation or changes to CCG structures and/or procedures.

Each team will undertake an annual business impact analysis and review the team business continuity plan accordingly.

Within the Clinical Commissioning Group, the Head of Corporate Affairs will ensure that an annual assurance report is submitted to the CCG Governing Body outlining the current status of the Clinical Commissioning Group's emergency preparedness.

Continuous Improvement

Business Continuity Plans will be updated in light of feedback from:
- actual incidents and disruptions to business activities
- exercises and audits
- re-assessment of risks
- organisational, facility or systems changes
- external change including change to partner organisations
- management reviews of the effectiveness of the business continuity process.

Distribution

This policy and plan is distributed to designated manual holders and is available on the intranet.
SECTION 2: BUSINESS CONTINUITY PLAN FOR THE CCGs

1. Introduction

This plan should be followed should the need to activate the Business Continuity Plan in the Clinical Commissioning Group be triggered. It may not be necessary to activate the whole plan, and it will be possible to activate certain elements.

2. Activating the Plan

The Business Continuity Plan will be activated by the Director / Manager on Call when the major incident plan has been activated or is on standby, and there is an incident that has the potential to cause business disruption and affect critical activities. Depending on the type of disruption, it is possible that not all directorates will need to activate their business continuity plan.

3. Managing the plan

Roles and Responsibilities

The Director / Manager on call is responsible for activating and coordinating the plan. However, it should be noted that there may also be a major incident which they will be leading on behalf of the organisation. In this scenario it is possible to delegate the leadership of the business continuity plan to a suitable delegate. If there is an incident that requires evacuation of King Edward VII Hospital, this will be coordinated by the NHS Property Services Facilities Team working alongside the CCG's Fire Marshals.

The Head of Corporate Affairs is the overall Business Continuity Lead and the key link with the Director / Manager on call. Each business area has a business continuity lead (e.g. for a CCG team it is the Head of Operations) who is responsible for ensuring that the team's business continuity plan is activated and that all staff are kept informed and updated.

Action required

The Action cards for the Director / Manager on call and the Business Continuity Lead / Business Area leads should be followed; these can be found in the Major Incident Plan.
Each Team has a comprehensive business impact analysis and service continuity plan in place which details the critical functions and key recovery objectives in order to minimise disruption to essential services.

Incident Management Team

If the incident looks like it may be prolonged, it may be necessary to set up an Incident Management Team to ensure the CCG's critical activities are continued. The team may meet in the Incident control centre or communicate via telecom. Key individuals involved would be:
- Director / Manager on call
- Business Continuity Lead and BC leads for each Business area
- Communication Managers

Co-opted members may also include NHS Property Services Ltd (Thames Valley), CSCSU and the local authority.

Information recording

It is important that there is a clear record of decisions taken, which should be recorded in the on call director's log book. As a minimum this information will include:
- The nature of the decision
- The reason for the decision
- The date and time of the decision
- Who has taken the decision
- The extent of consultation and advice from external stakeholders
- Who has been notified of decisions made
- Any review dates of the decision

Finance and resources

If necessary a separate cost centre will be set up with a budget in agreement with the Chief Financial Officer. The Scheme of Delegation will apply and can be found in the On-call Pack.

Staff safety

Staff safety remains a high priority. If it is not safe for staff to be in KEVII Hospital, or travelling to and from the hospital, or on CCG business, then staff should remain at home. This decision will be taken by the Director / Manager on call or another Director. In the unlikely event that some staff are not able to travel home due to distance, then they should stay with a colleague where possible. Overnight accommodation is also available at the Holiday Inn Express Windsor, 71 Alma Rd, Windsor (Tel: ). This is reasonably priced accommodation within the centre of Windsor.

Outsourced activity

The CCG currently outsources a number of activities to Central Southern Commissioning Support Unit (CS CSU). This includes critical activities such as human resources, financial services and information management and technology. A business continuity plan for these services has been requested and will be integrated within this over-arching CCG business continuity management plan.
Other critical outsourced activities include the management of King Edward VII Hospital, managed by NHS Property Services, and business continuity plans have been requested from the Facilities Services (NHS Property Services) which will be integrated within this over-arching CCG BCM plan.

Communications

Communication team involvement is essential when activating the business continuity plan. Communication support will be provided by the Head of Communications and Engagement, CSCSU; communication support is available out of hours for an incident or major incident through the communications pager, for the consistency of internal and external messages (see the on-call pack and on-call rota for details). Staff messages are especially important and will be primarily through the Business Continuity Lead or via e-mail to all CCG staff. When there are long periods of time when staff are working from home, consideration will be given to daily directorate teleconferences to ensure staff are kept up to date with events and can liaise over business critical activities.

External communications will be coordinated by the Head of Communications and Engagement, who will liaise with colleagues in NHS England Thames Valley, Acute Trusts and providers, and other communication colleagues (as appropriate) to ensure consistency of messages.

4. Specific actions

Loss of access to King Edward VII Hospital; CCG Headquarters

In the event of a disruption to business operations at King Edward VII Hospital it is expected most staff would work from home until they were relocated to alternative accommodation. All staff are aware of the evacuation points in the case of a fire alarm, and this should be the first port of call for all staff so that the fire marshals can ensure staff are accounted for. In the unlikely event that the normal evacuation points are not available, staff should wait in the main car park near the exit until further information is provided. In conjunction with CCG Directors and the Business Continuity Leads for each team, the Director / Manager on-call would seek to ensure that essential staff members from each team were promptly relocated.

Alternate accommodation in cases of prolonged disruption to accessing King Edward VII Hospital could be: the Royal Berkshire Clinic at Brants Bridge, Bracknell for BACCG staff; Slough Borough Council for Slough CCG staff; and the Royal Borough of Windsor and Maidenhead for WAM CCG staff. Other staff will be relocated once suitable accommodation can be identified and prepared. This may take between one and twelve weeks, and in the interim each team will need to identify staff members who may be able to work from home and ensure that communication with staff is maintained.

Loss of utilities to King Edward VII Hospital
The following disruptions to utilities in KEVII Hospital could affect the CCG's business:
- Water outage
- Power failure (electricity and gas)
- Air conditioning failure

In this situation NHS Property Services will ensure utilities are restored as soon as possible. If necessary, staff will be advised to work from home.

Technology failure

In the event of an IT failure the CCG would contact the CSCSU IT Helpdesk to report the issue. CCG files are stored on shared drives. If the server fails, there will be no immediate access to files until it is fixed or replaced. Files are stored on numerous disks within the server and they are backed up. The CSCSU business continuity management plans have been requested and will be appended to the CCGs' BCMP. In the meantime the CSU IM&T service has provided the following assurances on the back-up arrangements that are in place to protect the servers and back up files.

Network

Network is provided to the data centre by a 300Mb N3 circuit which is in a triangulated topology, ensuring that access is still maintained to N3 even if one of the main core locations is down. Internally there is a pair of active/passive firewalls provided by Cisco, managed and maintained by CS-CSU Technology Support Services. Behind the firewalls are dual core switches, allowing for the failure of a switch while still having a functional data-centre.

Computer

All INFOHUB servers are configured as virtual machines, utilising the VMware 5.1 hypervisor. There are 12 back-end physical blade servers manufactured by HP, managed and maintained by CS-CSU Technology Services. In the event of a physical server failing, all virtual machines would seamlessly migrate to another piece of hardware within the data-centre, resulting in 99.9% uptime.

Storage

Working with the virtual machines, all data is stored on a SAN (storage area network); this is connected into the blade server chassis using dual fibre connectivity. The disks within the SAN are configured so that they can tolerate 2 disks failing at any one time and still perform to capacity.

Mirrored Replication

Key services within the data centre are automatically mirrored to an offsite data-centre which has similar technology as described above, albeit in a smaller scale configuration. In the event of a major incident, i.e. building explosion, severe data centre flooding or terrorist attack on the site, these key services could be brought online from the mirror data-centre.

Backup and Recovery

A robust backup policy is in place: all key services are backed up to tape nightly, manually checked for errors or extreme change (i.e. rapid data growth), and a weekly backup is taken and stored off-site. Some technologies such as Active Directory (which controls the logon accounts) are not backed up nightly but weekly, due to them having redundancy and replication built into their design.
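The backup regime described under Backup and Recovery (nightly tape backup, a manual check for errors or extreme change such as rapid data growth, and a weekly off-site copy) is the kind of assurance worth checking mechanically each morning rather than by eye, because a silently skipped night or a sudden jump in backup size is easy to miss by hand and is often the first visible sign of a failing job, a runaway process or mass encryption of a file share. The following Python script is an added example and is not the CCG's or the CSCSU's own tooling; the report line format, the service names and sizes, the per-service cadence (nightly for most services, weekly for Active Directory) and the 25% change threshold are all assumptions made for this example.

```python
"""Nightly backup report check (added example, not the CCG's or CSCSU's own
tooling).  It automates the checks the plan describes for the nightly backup
run: failed runs, extreme change such as rapid data growth, and a weekly copy
held off-site.  The report format, service names, sizes, cadences and the 25%
change threshold are all assumptions made for this example."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample report: run date, service, status, size in GB, copy location.
SAMPLE_REPORT = """\
2015-02-20,fileserver,OK,410.2,onsite
2015-02-21,fileserver,OK,412.0,onsite
2015-02-22,fileserver,OK,411.5,offsite
2015-02-23,fileserver,OK,615.9,onsite
2015-02-24,fileserver,ERROR,0.0,onsite
2015-02-20,mailgateway,OK,80.0,onsite
2015-02-21,mailgateway,OK,80.4,onsite
2015-02-23,mailgateway,OK,80.9,onsite
2015-02-18,active-directory,OK,12.1,offsite
"""

# Expected backup cadence in days per service (assumed): nightly for most,
# weekly for services with replication built in, such as Active Directory.
EXPECTED_CADENCE = {"fileserver": 1, "mailgateway": 1, "active-directory": 7}


@dataclass
class BackupRecord:
    run_date: date
    service: str
    status: str
    size_gb: float
    location: str


def parse_report(text):
    """Parse the comma-separated report lines into BackupRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, service, status, size, location = [f.strip() for f in line.split(",")]
        records.append(BackupRecord(date.fromisoformat(d), service, status,
                                    float(size), location))
    return records


def _date_ranges(days):
    """Compress a sorted list of dates into (first, last) runs of consecutive days."""
    ranges = []
    for d in days:
        if ranges and (d - ranges[-1][1]).days == 1:
            ranges[-1] = (ranges[-1][0], d)
        else:
            ranges.append((d, d))
    return ranges


def check_backups(records, cadence, window_end, nights=7, change_threshold=0.25):
    """Return (service, finding) tuples for the `nights` nights ending on window_end."""
    findings = []
    window_start = window_end - timedelta(days=nights - 1)
    offsite_from = window_end - timedelta(days=6)   # weekly off-site copy
    by_service = {}
    for r in records:
        by_service.setdefault(r.service, []).append(r)

    for service, every in cadence.items():
        runs = sorted(by_service.get(service, []), key=lambda r: r.run_date)
        run_dates = {r.run_date for r in runs}

        # 1. Coverage: every night in the window must be covered by a run no
        #    older than the service's cadence (so a weekly job is not flagged daily).
        missing = []
        day = window_start
        while day <= window_end:
            earliest = day - timedelta(days=every - 1)
            if not any(earliest <= d <= day for d in run_dates):
                missing.append(day)
            day += timedelta(days=1)
        for first, last in _date_ranges(missing):
            span = f"{first}" if first == last else f"{first} to {last}"
            findings.append((service, f"no backup covering {span}"))

        # 2. Failed runs reported by the backup software.
        for r in runs:
            if r.status != "OK":
                findings.append((service, f"run on {r.run_date} reported {r.status}"))

        # 3. Extreme change between consecutive successful runs: rapid growth or
        #    an unexplained shrink both warrant a manual look before the tape leaves.
        ok_runs = [r for r in runs if r.status == "OK" and r.size_gb > 0]
        for prev, cur in zip(ok_runs, ok_runs[1:]):
            change = (cur.size_gb - prev.size_gb) / prev.size_gb
            if abs(change) > change_threshold:
                findings.append((service, f"size changed {change:+.0%} between "
                                          f"{prev.run_date} and {cur.run_date}"))

        # 4. A successful off-site copy must exist within the last seven days.
        if not any(r.location == "offsite" and r.run_date >= offsite_from
                   for r in ok_runs):
            findings.append((service, f"no successful off-site copy since {offsite_from}"))
    return findings


def run_example():
    """Check the constructed report for the five nights ending 2015-02-24."""
    return check_backups(parse_report(SAMPLE_REPORT), EXPECTED_CADENCE,
                         date(2015, 2, 24), nights=5)


if __name__ == "__main__":
    for service, finding in run_example():
        print(f"{service}: {finding}")
```

Run as a script it prints one line per finding. For the constructed report it flags the failed file server run and the roughly 50% overnight growth that preceded it, the two mail gateway nights with no run and the absence of any off-site mail gateway copy, while the weekly Active Directory copy passes because the coverage check respects each service's cadence. A real deployment would read the backup software's own report in place of the constructed lines and would feed the findings into the manual check the plan already requires, not replace it.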
Reduced staff levels

If staff levels were reduced to below 75%, the Business Continuity Lead for each team will redeploy staff to support critical functions. If staffing levels reduced to below 30%, further reorganisation of the joint management team and CCG staff will be required, and discussions with the CSCSU will be undertaken to ensure that there is sufficient staffing in place to cover the critical aspects of the CCG's business.

5. Extraordinary Events

Fuel shortage

Each team (through the team's Business Continuity Lead) holds information on which staff do not rely on personal cars to reach King Edward VII Hospital and can travel to work on public transport. As soon as it is practicable and safe, staff will be expected to travel to the Hospital. The list is maintained by the Head of Corporate Affairs. All staff in the CCG are able to access their work e-mails from home if they have a home personal computer with internet access. Staff members with access (via VPN) to files stored on the network will be able to e-mail work files to staff members with no access to the network. If there is a need for staff to work for a prolonged period of time at home, then it is possible for the CSCSU to set up VPN remotely. This would be coordinated by the Business Continuity Lead, the Head of Corporate Affairs.

Severe weather

In the event of severe weather which prevents staff from being able to travel to work, the arrangements for working remotely would be the same as for fuel shortages. If staff members live in areas that experience heavy and/or prolonged snow that makes travelling to work dangerous, they are advised to work from home until it is safe to travel to their work base. The arrangements for severe weather apply to flooding, storms and gales.

Industrial Action

In the event of industrial action where staff levels are affected, the director will reprioritise the critical activities and these functions will be the focus of the workforce.

Pandemic Flu

In the event of pandemic flu where staff levels are affected, the CCG directors together with the business continuity lead will reprioritise the critical activities and these functions will be the focus of the workforce. A skills register has been developed, and is held by each directorate, to understand how mutual aid can be offered or received in an emergency response to a disease outbreak or similar clinical event.

6. Recovery

During the recovery period, the emphasis will be on getting services back to normal. It may be that it is easier for some services to return to normal while others will remain restricted, dependent on the incident.
The following should be considered during the recovery phase:
- Reduced availability of staff
- Loss of skill and experience
- Uncertainty, fear and anxiety of staff
- Public displacement and disorder in hospitals
- Breakdown of community support mechanisms
- Disruption to daily life (e.g. effect on transport system, schools etc.)
- Disruption to utilities and essential services
- Disruption to internal e-mail/ICT services/communication systems
- Build-up of infected waste
- Contaminated areas
- Disruption to supplies
- Management of finances
- Stopping and starting targets
- Change in competitive position
- Reputation damage
- Organisational fatigue
- Economic downturn

7. Standing Down

When there is no further risk to business continuity from the incident, the Director / Manager on call together with the Chief Officer will declare the event over (stand down).

8. De-brief

In order to identify lessons learned, a series of debriefs post incident are seen as good practice:
- Hot debrief: immediately after the incident with incident responders (at each location);
- Organisational debrief: hours post incident;
- Multi-agency debrief: within one month of the incident;
- Post incident reports: within six weeks of the incident.

These will be supported by action plans and recommendations in order to update the CCG plans and provide any training and further exercising required.

SECTION 3: DIRECTORATE SPECIFIC PLANS

The completion of the Business Impact Analysis has led to the development of the following Service Continuity Plans for the CCG Teams and Joint Management Team (Federation).
Corporate Services Business Continuity Plan

Update: November 2013. Next Update: October 2014.

Business Continuity Lead: Head of Corporate Affairs (Joint Management Team)

CSCSU contacts:
- Maddie Walters, Human Resources Business Partner
- Andy Ferrari, Head of IT, east Berkshire
- Ally Green, Head of Communications and Engagement

Critical Activities (with Person(s) Responsible):
- Communications and engagement with staff, stakeholders, patients: Head of Communications and Engagement, CSCSU
- Corporate policies, procedures, committee / meetings functioning: Head of Corporate Affairs; CSCSU IG Lead
- Liaison with CSCSU with regard to Business Continuity: Head of Corporate Affairs
- Liaison with estates and facilities: Head of Corporate Affairs; Head of Facilities
- Liaison with CSCSU on IT hardware and software support, NHS Mail etc.: Head of Corporate Affairs; East Berks IT Lead
- Liaison with CSCSU Human Resources: Head of Corporate Affairs; HR Business Partner

Critical Outsourced Activities

There are a range of services that are outsourced through the CSCSU; critically they are human resources, IT (including hardware and software) and communications and engagement. These services are provided for the three CCGs in east Berkshire. The governance service is provided by the Head of Corporate Affairs, working for the three CCGs in east Berkshire as part of the internal joint management team.

Accommodation and Relocation

The HR team is based in a number of locations across central southern and can work from another CCG location or from home; the IT team is predominantly based at Bath Road but could be located at one of the many sites available to the CSCSU, including Newbury. The same applies to the communications team. The Head of Corporate Affairs is based at King Edward VII Hospital but logistically could work from another location within Thames Valley or from home.

Working off site

All staff have access to e-mails remotely as long as they have Wi-Fi.

Fuel Shortage / heavy snow, storms and gales

The majority of staff do not live within the vicinity of the KEVII Hospital to travel to work on foot or bike; some staff members could travel via public transport, and the remaining staff would work at home.

Technology Failure

Access to the network: staff would be able to do some of the tasks in the short term without a networked computer, but in the longer term networked computers would be absolutely necessary.

Staff Contact Information

The Business Continuity Lead for this team will ensure that the following resources are in place: a telephone cascade list with work mobile and personal mobile numbers (where provided) for staff members within the team, stored on and off site.

Checked by: Christina Gradowski, Head of Corporate Affairs
The Quality Team Business Continuity Plan

Update: November 2013. Next Update: October 2014.

Business Continuity Leads (CCG Quality, Joint Management Team):
- Sarah Bellars, Director of Nursing, Quality Lead
- Debbie Hartrick, Safeguarding Manager
- Liz Rushton, Head of Continuing Healthcare
- Suzanne Awadallah, Continuing Healthcare Team Leader
- Jane Robb, Personal Assistant, Quality

CSCSU staff:
- Sara Whittaker, Associate Director of Quality
- Chris Sneller, Quality Improvement Manager
- Sarah Robson, IFR Lead
- Malcolm Mackenzie, Complaints / PALS Manager

Critical Activities (with Person(s) Responsible):
- Quality and Safety of commissioned services: Sarah Bellars
- SIRIs: Sara Whittaker, Chris Sneller
- Safeguarding: Debbie Hartrick
- Continuing Healthcare: Liz Rushton / Suzanne Awadallah

Critical Outsourced Activities

The Quality Team is based at King Edward VII Hospital and at Bath Road, Reading, and provides services for the three CCGs in east Berkshire. The in-house Quality Team works closely with the CSCSU quality team and also NHS England (Thames Valley). The team also deals directly with some of the providers, for example HWPFT and FPH.

Accommodation and Relocation

The core team members live within the local area and can work from home, or from Bath Road if this is unaffected, namely:
- Sarah Bellars
- Debbie Hartrick
- Chris Sneller

Working off site

All staff have access to e-mails remotely as long as they have Wi-Fi. Staff members are able to work remotely as they have access to files on the server via the VPN, and the vast majority of staff have laptops rather than desktop computers; other staff members will be equipped with VPN (RAS tokens) to log on remotely from home, and with laptops, during a prolonged period of disruption.

Fuel Shortage / Bad Weather

The majority of staff travel to work by car and would work from home during a fuel shortage or very bad weather.

Technology Failure

Access to the network: the team would be able to do some of the tasks in the short term without a networked computer, but in the longer term networked computers would be absolutely necessary.

Staff Contact Information

The Business Continuity Lead for the team will ensure that the following resources are in place: a telephone cascade list with work mobile and personal mobile numbers (where provided) for staff members within the directorate, stored on and off site.

Checked by: Sarah Bellars
BACCG Business Continuity Plan

Update: November 2013. Next Update: October 2014.

Business Continuity Leads (BACCG):
- Mary Purnell, Head of Operations
- Alex Tilley, CCG Manager, Performance and Operations

Critical Activities (with Person(s) Responsible):
- Contracts Monitoring: this is outsourced from the CSCSU.
- Service Redesign: this is provided by a Joint Management Team member.
- Performance Information: Mary Purnell and Alex Tilley
- CCG business, project management: Kate Kitto and Darryl Braham
- CCG Administration, meeting management: Faiza Baig / Karen Hay

Critical Outsourced Activities

Contracts and Service Redesign is provided by the CSCSU; performance management and information is provided by the Joint Management Team in-house.

Accommodation and Relocation

The CCG business management / administration team can be relocated to the Royal Berkshire Clinic in Brants Bridge, Bracknell, as follows:
- Head of Operations: Mary Purnell
- CCG Manager: Alex Tilley
- CCG Project Manager: Darryl Braham
- CCG Administrator: Karen Hay

Working off site

All staff have access to e-mails remotely as long as they have Wi-Fi. 4 staff members are able to work remotely via the VPN and laptops; the administrative staff can work remotely provided a VPN and laptop are provided.

Fuel Shortage / Bad Weather

1 staff member is able to get to work via public transport.

Technology Failure

Access to the network: the BACCG Team would be able to do some of the tasks in the short term without a networked computer, but in the longer term networked computers would be absolutely necessary.

Staff Contact Information

The Business Continuity Lead for the team will ensure that the following resources are in place: a telephone cascade list with work mobile and personal mobile numbers (where provided) for staff members within the directorate, stored on and off site.

Checked by: Mary Purnell
Performance and Operations, Slough CCG Business Continuity Plan

Update: November 2013. Next Update: October 2014.

Business Continuity Leads (Slough CCG):
- Sangeeta Saran, Head of Operations
- Narinder Bedi, CCG Manager

Critical Activities (with Person(s) Responsible):
- Contracts Monitoring: this is outsourced from the CSCSU.
- Service Redesign: this is provided by a Joint Management Team member.
- Performance Information: Sangeeta Saran and Narinder Bedi
- CCG business, project management: Rashida Sultana
- CCG Administration, meeting management: Heather Thomas / Surrinder Randhawa

Critical Outsourced Activities

Contracts and Service Redesign is provided by the CSCSU; performance management and information is provided by the Joint Management Team in-house.

Accommodation and Relocation

The CCG business management / administration team live within the Slough area; for a prolonged period of disruption to accessing the building, the team could be relocated to Slough Borough Council.

Working off site

All staff have access to e-mails remotely as long as they have Wi-Fi. 3 staff members are able to work remotely via the VPN and laptops; the administrative staff can work remotely provided a VPN and laptop are provided.

Fuel Shortage / Bad Weather

All 5 staff members can travel to the hospital using public transport; however, in bad weather such as heavy snow staff can work at home and access the network via the VPN.

Technology Failure

Access to the network: the Slough CCG Team would be able to do some of the tasks in the short term without a networked computer, but in the longer term networked computers would be absolutely necessary.

Staff Contact Information

The Business Continuity Lead for the team will ensure that the following resources are in place: a telephone cascade list with work mobile and personal mobile numbers (where provided) for staff members within the directorate, stored on and off site.

Checked by: Sangeeta Saran
Performance and Operations, WAM CCG Business Continuity Plan
Update: November 2013    Next Update: October 2014

Business Continuity Leads (WAM CCG): Viki Wadd, Head of Operations; Nadia Barakat, CCG Manager

Critical Activities:
Critical Activity                          Person(s) Responsible
Contracts Monitoring                       Outsourced from the CSCSU
Service Redesign                           Outsourced from the CSCSU
Performance Information                    Provided by Joint Management Team members Viki Wadd and Nadia Barakat
CCG business, project management           Marianne Hiley
CCG Administration, meeting management     Anna Pardoe / Kathryn Kneale

Critical Outsourced Activities: Contracts and Service Redesign are provided by the CSCSU; performance management and information are provided in-house by the Joint Management Team.

Accommodation and Relocation: One staff member lives relatively near to KEVII Hospital and can travel to the hospital via public transport; one staff member lives in London and the remaining three live within miles of the Hospital.

Working off site: All staff have remote access to email as long as they have Wi-Fi. All staff members are able to work remotely via the VPN and laptops; the administrative staff can work remotely provided a VPN and laptop are provided.

Fuel Shortage / Bad Weather: 1 staff member is able to get to work via public transport.

Technology Failure (Access to the network): The WAM CCG Team would be able to do some of the tasks in the short term without a networked computer, but in the longer term networked computers would be absolutely necessary.

Staff Contact Information: The Business Continuity Lead for the team will ensure that the following resources are in place: a telephone cascade list with work mobile and personal mobile numbers (where provided) for staff members within the directorate, stored on and off site.

Checked by: Viki Wadd
Finance Team Business Continuity Plan
Update: November 2013    Next Update: October 2014

Business Continuity Leads (Finance, Joint Management Team): Nigel Foster, Chief Financial Officer; Debbie Fraser, Deputy Chief Financial Officer

Critical Activities:
Critical Activity                                  Person(s) Responsible
Invoices Payment                                   Debbie Fraser and other members of the Joint Management Team and CCG Teams can authorise invoices but need access to the ISFE system
Allocation of resources for business continuity    Nigel Foster

Critical Outsourced Activities: The critical activities outsourced by the Finance Team are provided by the CSCSU, Consult HR and SBS (Shared Business Services, the ledger system).

Accommodation and Relocation: The core team members for this service live within the Berkshire area and can work remotely from home via VPN and laptops.

Working off site: All staff have remote access to email as long as they have Wi-Fi. 2 staff members are able to work remotely.

Fuel Shortage / Bad Weather: 1 member of staff could potentially travel to work via public transport; the other staff member would work from home.

Technology Failure (Access to the network): The team would be able to complete some tasks without access to a networked computer. However, it is crucial for the finance team to have access to a networked computer so that they can approve invoices through SBS and allocate resources for business continuity, ensuring that staff have the resources they need to continue business.

Staff Contact Information: The Business Continuity Lead for the team will ensure that the following resources are in place: a telephone cascade list with work mobile and personal mobile numbers (where provided) for staff members within the directorate, stored on and off site.

Checked by: Nigel Foster
ACTION CARD: Activating the Business Continuity Plan
For Action by: CCG Director / Manager on Call

Scope
The Business Continuity Plan will be activated by the Director / Manager on Call when the Major Incident Plan has been activated or is on standby, and there is an incident that has the potential to cause business disruption and affect critical activities. Depending on the type of disruption, it is possible that not all teams will need to activate their business continuity plan.

Activating and escalating business continuity plans
Responsible for activating the Business Continuity Plan for the CCG and ensuring all Directorates take the necessary actions.

No.  Action                                                                        Time Completed
1    Set up a meeting or a teleconference with key business continuity leads
2    Alert key members of staff
3    Agree with key staff the activities needed and implement the recovery plan
4    Advise other staff where to report, through team cascade plans
5    Notify key contacts. This will include:
     - NHS England (Thames Valley)
     - Central Southern Commissioning Support Unit Communications (and request that they inform others in the CSCSU)
     - Thames Valley Emergency Access
     - Local providers: HWPFT, BHFT, SCAS, NHS 111
     - Local authorities, including Bracknell Forest Council, Slough Borough Council and the Royal Borough of Windsor and Maidenhead
     - Consider other partners
6    Establish immediate business needs
7    Maintain a log of all decisions / events / actions taken
8    Consider working arrangements with staff
9    Consider moving key staff to other facilities as required, such as Brants Bridge, Upton Hospital or local authorities
10   Establish a communication plan, both internally and externally, with the support of the Central Southern CSU Head of Communications and Engagement (out of hours contact: communications pager)
11   Lead the organisation on the restoration of services to normal levels of delivery

Relevant Plans
- Central Southern Commissioning Support Unit Business Continuity Framework and Plans
- NHS Property Services Business Continuity Framework and Plans
- East Berkshire CCG On-call Pack and Escalation Framework
- East Berkshire CCGs Major Incident Plan
ACTION CARD: Directorate Business Continuity Plan Activation
For Action by: Team Business Continuity Lead

Scope
The Business Continuity Plan will be activated by the Director / Manager on Call when the Major Incident Plan has been activated or is on standby, and there is an incident that has the potential to cause business disruption and affect critical activities. Depending on the type of disruption, it is possible that not all directorates will need to activate their business continuity plan.

Activating and escalating business continuity plans
Responsible for activating the Team Business Continuity Plan and ensuring appropriate actions are taken and staff are aware.

No.  Action                                                                        Time Completed
1    Alerted to the need to activate the business continuity plan by the Director / Manager on call. Ensure that the Director / Manager on call knows that business continuity plans are activated
2    Alert staff through the cascade system
3    Agree with key staff the activities needed and implement
4    Become the directorate link with the Director / Manager on call
5    Attend any agreed briefings on behalf of the team
6    Establish any immediate business needs along with the Director / Manager on call
7    Maintain a log of all decisions / events / actions taken
8    Ensure staff have working arrangements
9    Maintain communication channels with all staff, through regular teleconferences if necessary
10   Ensure normal business is established as soon as feasible
11   Contribute to the incident debrief run by the Director / Manager on call

Relevant Plans
- Business Continuity Policy and Framework and Business Continuity Plan
- Action card: Activating Business Continuity Plan
- Action card: How to set up a teleconference
SECTION TEN
MOBILE INFORMATION TECHNOLOGY POLICY

1. INTRODUCTION

Mobile Working is a form of organising and performing work, using information technology, where work which could also be performed at the employer's premises is carried out away from those premises on a regular basis. The essential feature is the use of information and communication technologies to enable remote working for employees for all or part of their hours, with a computer or telecommunication link to their employing organisation.

The use of portable computing and telephone devices, and the accessing of information from a variety of remote locations, is now commonplace within the NHS. On behalf of the CCGs, Central Southern Commissioning Support Unit (CSCSU) is required to ensure that information security for mobile computing and tele-working facilities is robust enough to ensure work is conducted in a secure manner.

Mobile computing presents a very real risk to the security and integrity of the CCGs' information. Moreover, the legislation which surrounds the way in which the organisation uses and is responsible for information makes it potentially liable for any breach or failing in security. From patient information held on laptops, to the contact details on a mobile phone, to the financial spreadsheet emailed to a home PC, the inherent risks to information should be apparent to all staff. By recognising that the risks exist, and by implementing the controls set out in this policy, the CCGs and Central Southern CSU and their staff will aim to play their part in controlling them at a manageable level.

2. PURPOSE

The purpose of this policy is to provide direction for staff when working from remote locations or using mobile computer equipment throughout the organisation, to ensure compliance with acceptable standards.

3. POLICY AIMS

The aims of this policy are:
- To ensure that the CCGs comply with legal obligations.
- To promote the safe and secure use of mobile equipment in support of the clinical and operational work of the organisation.
- To ensure that ICT resources provided to staff are not misused.
- To ensure that the security of computer systems and the information they contain is not compromised in any way.
- To prevent the CCGs' reputation from being damaged by the inappropriate or improper use of their information resources.

The policy applies to all full-time and part-time employees of the CCGs, non-executive directors, contracted third parties (including agency staff), students/trainees, bank staff, staff on secondment and other staff on placement within the organisation, volunteers and staff of partner organisations with approved access. It applies to all areas in support of the business objectives, both clinical and corporate.

Within the work environment a considerable effort in terms of money, technical knowledge and working time is expended to ensure that an appropriate level of security is maintained around the information which belongs to the CCGs. Much of this information is sensitive, some of it containing clinical data and other personal details. The Seventh Principle of the Data Protection Act states that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." This provision applies to information that is owned or under the control of the CCGs within the workplace and, very importantly, also applies to information taken away from the workplace.

As the use of mobile computing resources grows it is vital that the data held on these devices is not compromised by poor security practices. Mobile devices are by their very nature vulnerable to being mislaid, as well as being attractive to a potential criminal.
It is important therefore that all users of mobile equipment are aware of the inherent risks associated with their use. It is now mandatory that all mobile equipment capable of storing or transporting the CCGs' data is encrypted to the required security standards before use. If you are unsure whether or not your equipment has the necessary security applied to it, please contact the ICT Service Desk for advice and assurance.

Digital cameras may be used for clinical photography and cannot be encrypted; therefore a risk assessment regarding their use has been undertaken by the CSCSU. The CSCSU recommends the risk is accepted until a satisfactory encryption solution for digital images in transit is found.

This policy is in place to ensure information is kept securely when working from remote locations or from home and utilising mobile computing technology. Working from home and working offsite must be authorised and controlled by management, and suitable arrangements must be in place for this way of working to be secure. The term "offsite working" includes any remote working, e.g. at home, on a train, in a hotel.
All staff using mobile computing equipment or working offsite are required to comply with this policy. Failure to do so may result in this facility being removed or disciplinary action being taken against individuals.

4. RESPONSIBILITIES

It is the role of the CCGs' Governing Bodies to ensure that a mobile computing policy is in place and that sufficient resources are provided to support the requirements of this policy. This policy applies to all staff who handle information obtained and processed on behalf of the CCGs. These responsibilities, including those in key roles, are outlined in more detail in Appendix B.

The CCGs are supported by the CSCSU, whose responsibilities include:

TITLE                                              RESPONSIBILITIES
Head of ICT (CSCSU)                                Ensures that technical staff provide solutions for information security in respect of mobile devices, removable media, encryption etc.
Head of Information Governance (CSCSU)             Advises the IG Manager in ensuring that the CCGs have solutions in place for any information security measures to be implemented and monitored.
Information Technology Security Manager (CSCSU)    Ensures the security and integrity of systems owned and operated by Central Southern CSU.
ICT Services (CSCSU)                               ICT Services are to ensure that all mobile computing devices are configured in accordance with baseline measures and, if used for processing patient information, that the device complies with the requirements in Appendix 2 found at the end of this Policy.

10. MOBILE COMPUTING

General Security:
It is important to take all reasonable steps to ensure that any mobile computer device is not misplaced or stolen. This should include keeping it out of sight when away from the workplace, particularly when travelling in a car, when it should be locked in the boot. In busy areas such as bus stops or railway stations, or if travelling on the London Underground, it should not be placed on the ground, beside you on a counter, or left unattended at any time.
Staff must ensure that the mobile computer device is secured in a safe or other locked facility at all times when the system is left unattended, especially in vulnerable locations such as a hotel or conference (if practicable). As home environments can also be vulnerable to theft, staff are required to take appropriate precautions to reduce any risks. Mobile working devices should, where possible, be located so that they are not visible through windows from outside the home. Laptops/notebooks and PDAs in particular must be placed in a secure location when not in use.

Mobile Equipment Security:
Equipment owned and purchased through the ICT Department which is configured in accordance with base-line security measures may be used to conduct the CCGs' business and can be connected to the CSCSU network. This includes all mobile working devices, including:
- Laptop or notebook computers
- Personal Digital Assistants (PDAs)
- Smartphones and other mobile phones
- External hard disk drives, USB memory sticks/flash drives
- Audio recording, photographic and video equipment: all cameras and dictation machines etc.

All mobile working equipment capable of storing and transporting any CCG data, as listed above, MUST be encrypted to the standard and asset tagged as per the asset management policy by ICT Services prior to use.

All mobile laptop/notebook computers must be owned by the CCGs, purchased through the ICT Department and configured in accordance with the base-line security measures at Appendix 1 before being used.

Smartphones and mobile phones must NOT be connected to the CSCSU network unless they have been specifically configured and approved for this purpose by the Head of ICT and the IT Security Manager. Modifications to the configuration of mobile communication devices owned by the CCGs must only be carried out by authorised IT personnel. Users must not attempt to reconfigure, jailbreak or otherwise alter the security or configuration of any mobile communication device owned by the CCGs.

External Network Connections:
Remote access to internal systems will only be authorised for CCG owned or managed equipment. All usage is to be in line with the CSCSU Remote Access to IT Policy. Remote access to the CSCSU network must be via the CSCSU's current authentication standard, such as the Remote Access Server/VPN, which provides strong authentication. These services are controlled by the Network Manager.
VPN tokens should not be carried in the same bag as the device to which they provide access. Any losses should be reported to the IG Manager, who will report the loss on the CSCSU Incident Reporting System and to the CCG following their internal reporting procedures.

Confidential data must not be emailed to or from a home account or personal account. NHS mail (nhs.net) provides the only solution for this. Access to nhs.net on a home computer must be in accordance with the CSCSU Acceptable Use of IT Policy. Staff must ensure that they do not download any attachments to their home PC. They must also ensure that CCG information cannot be accessed or viewed by members of their family or visitors.
Computers must never be left unattended whilst access to nhs.net is open. Staff are to be aware of the guidelines for the sending of confidential information via fax. Further information is detailed in the Transfer of Personal Information Policy.

Staff who have a need to use a mobile computing device to work on CCG information offsite, and have been given line manager authority, are required to comply with the following:
- The equipment must be encrypted.
- The device should be afforded all reasonable protection at all times, and especially whilst mobile and located away from CCG premises.
- Mobile devices must not be left unattended where they can be seen and are open to theft (Appendix 2).
- The authorised user will be held responsible for the correct operation of the device and for all data processing, back-ups and storage.

11. DATA SECURITY MEASURES

Security measures are taken within the workplace to protect CCG information, and many of these are legal requirements, such as the Data Protection Act. It is therefore unacceptable for staff who wish to carry on working on CCG information within the home to simply email, or remove on disk/flash drive, CCG documents to their personal equipment. Staff are not to work on any CCG information which is classed as either NHS Confidential or NHS Restricted on any equipment not owned by the NHS. NHS Confidential information relates to patient data and NHS Restricted relates to sensitive business information.

The use of strong password security is mandatory for all mobile computing and phone devices wherever they are used. In conjunction with this security feature, the system should be configured to power off after a pre-determined period.

A vital aspect of mobile computing is back-ups and synchronisation. The user must ensure that adequate and regular back-up measures are in place and implemented.

Staff must ensure that anti-virus software, supplied and installed by the ICT Department, is used on all mobile devices.
It must be updated regularly by connecting to the CSCSU network, where it will automatically update on connection. This software must never be de-activated.

Data Storage:
All sensitive data is to be stored and/or synchronised to a CSCSU network or other approved secure storage system to ensure that it is backed up daily, or when mobile working permits. CCG sensitive or confidential information is not to be stored on or copied to any removable storage device unless this is appropriately encrypted to the correct security requirements (e.g. an encrypted data stick/flash drive). In certain circumstances it may be necessary to seek the permission of the relevant Information Asset Owner (IAO) to hold such data in this format; if in doubt, please seek their advice/approval.

In circumstances where there is a clear business case and the IAO's consent has been given, such data may be stored on the mobile computer equipment or removable storage device, providing they meet the criteria of this policy. All data which has been approved for storage on the mobile device is to be copied to an appropriate network drive, or other approved secure storage device, as soon as practicable to ensure that data is backed up.

12. HEALTH AND SAFETY CONSIDERATIONS

Staff must work within the guidance set out in the Display Screen Equipment Procedure (HS012), ensuring the relevant risk assessments have been completed, including any remedial actions.

Staff using mobile computing equipment must take precautions to ensure that they are working in a safe and secure manner. Mobile equipment must always be physically secured when unattended. Staff should ensure that they are applying good moving and handling techniques when carrying portable equipment, and that manual handling training has been undertaken in accordance with CCG policy.

13. CONFIDENTIALITY

Staff must be aware that they have a legal duty to maintain the confidentiality of data/information taken out of the CCG when working offsite or at home, whether it is paper based or held as computer files. When confidential data has been authorised by your line manager to be processed offsite, users are subject to CCG confidentiality agreements and must ensure they meet the requirements of this policy, the Data Protection Act, the Information Security Policy and the Confidentiality and Data Protection Policy. Staff are to log out if they move away from the mobile device at any time; it should never be left unattended and accessible.
APPENDIX 1: BASE-LINE LAPTOP COMPUTER SECURITY REQUIREMENT

For the configuration of a laptop computer for the processing and storage of confidential information:

1. All mobile computers (laptops/notebooks/tablets etc.) are to use the Microsoft Windows operating system and are to be configured in accordance with baseline security measures by the ICT Department.

2. All mobile computers are to be configured to ONLY boot from the C drive, to ensure that the operating system is loaded automatically and therefore enforces the security policy. The boot sequence in the BIOS setting is to be changed from "A, C" to just "C". This will also protect the system from a boot sector virus and will prevent the machine from being booted from a floppy disk or other internal or external drive, such as a CD or DVD.

3. All mobile computers must be encrypted by ICT to meet the required encryption standard, which must always be active to prevent unauthorised access and to protect data should the device be lost or stolen.

4. To prevent unauthorised personnel from altering the boot-up sequence, either a BIOS access password or an encryption password is to be set.

5. A dedicated folder or partition is to be created for the storage of data. Full disk encryption must be applied.
APPENDIX 2: REQUIREMENTS FOR THE USE OF PORTABLE EQUIPMENT (e.g. laptops, palmtops)

DO
- Portable equipment must have an asset number and must be recorded in an asset register before release to users.
- Always store portable equipment securely when not in use.
- Wherever possible, transport portable equipment in non-identifiable containers between sites, home or other locations.
- Ensure files containing personal or confidential data are adequately protected using approved encryption software installed by the ICT Department (such as SafeBoot).
- Log off when leaving any device unattended.
- Use anti-virus software and never de-activate it.
- Regularly update anti-virus software by connecting to the CSCSU network.
- Regularly back up data stored on the portable equipment.
- ICT Services will maintain a register where portable equipment is used in a "pool", to enable tracking of the current user and location.
- Ensure a nominated person is responsible for all portable equipment within a department.
- Obtain authorisation prior to the removal of portable equipment from the premises.
- Report any missing portable equipment to the IG Manager, who will report the loss via the CSCSU's and CCGs' incident reporting system.
- Ensure any stolen portable equipment is promptly and appropriately reported to the IG Manager, who will report the stolen equipment via the CSCSU's and CCGs' incident reporting system.

DO NOT
- Leave portable equipment unattended or in places where it can be easily stolen.
- Leave portable equipment visible in the car when travelling between locations.
- Leave portable equipment visible in an unattended car.
- Leave portable equipment in the boot of a car for long periods of time or overnight.
- Install any software without authorisation from the ICT Department.
- Disable the virus protection software at any time.
- Remove IT equipment without authorisation.

For further information or advice please contact the IG Department.
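The Mobile Equipment Security rules in section 10 and the Appendix 1 and Appendix 2 requirements are written as a checklist that ICT Services apply before a device is released. One way to apply that checklist consistently is to run it over the asset register as a policy-as-code audit. The following is an added illustration, not CCG or CSCSU code: it assumes a hypothetical asset register or MDM export with the field names shown, and the 15-minute automatic lock threshold is an assumed local value, since the handbook only says "a pre-determined period".

```python
"""Audit mobile equipment records against the handbook's baseline rules.

Added example, not CCG/CSCSU code. The record fields and the sample
inventory below are constructed assumptions about what an asset register
export might contain.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed local setting: the policy requires power-off after a
# "pre-determined period" but does not state the period itself.
MAX_LOCK_TIMEOUT_MINUTES = 15


@dataclass
class DeviceRecord:
    """One row of a hypothetical mobile equipment asset register."""
    hostname: str
    device_type: str                      # "laptop", "smartphone" or "removable"
    asset_tag: Optional[str]              # Appendix 2: asset number before release
    os_family: Optional[str]              # Appendix 1 (1): Windows laptops only
    boot_order: Optional[List[str]]       # Appendix 1 (2): boot from C only
    full_disk_encryption: bool            # Appendix 1 (3) and (5); section 10
    bios_password: bool                   # Appendix 1 (4): BIOS password ...
    preboot_encryption_password: bool     # ... or an encryption password
    antivirus_active: bool                # section 11: never de-activated
    lock_timeout_minutes: Optional[int]   # section 11: auto power-off period
    approved_for_network: bool = True     # section 10: phones need approval


def check_device(d: DeviceRecord) -> List[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings: List[str] = []

    # Rules for every device capable of storing or transporting CCG data
    if not d.asset_tag:
        findings.append("no asset tag: must be tagged and registered before release")
    if not d.full_disk_encryption:
        findings.append("not encrypted: must be encrypted before use")

    # Appendix 1 laptop baseline
    if d.device_type == "laptop":
        if (d.os_family or "").lower() != "windows":
            findings.append("operating system is not Microsoft Windows")
        if d.boot_order != ["C"]:
            findings.append(f"boot order {d.boot_order} allows other boot media; must be C only")
        if not (d.bios_password or d.preboot_encryption_password):
            findings.append("neither a BIOS password nor an encryption password protects the boot sequence")
        if not d.antivirus_active:
            findings.append("anti-virus software is de-activated")

    # Smartphones may only join the network once configured and approved
    if d.device_type == "smartphone" and not d.approved_for_network:
        findings.append("smartphone not approved for connection to the CSCSU network")

    # Strong password plus automatic power-off applies to computers and phones
    if d.device_type in ("laptop", "smartphone"):
        if d.lock_timeout_minutes is None or d.lock_timeout_minutes > MAX_LOCK_TIMEOUT_MINUTES:
            findings.append(f"no automatic lock within {MAX_LOCK_TIMEOUT_MINUTES} minutes")

    return findings


def audit(inventory: List[DeviceRecord]) -> Dict[str, List[str]]:
    """Map each non-compliant hostname to its findings; compliant devices are omitted."""
    return {d.hostname: f for d in inventory if (f := check_device(d))}


# Constructed sample inventory: one compliant laptop and three policy breaches
SAMPLE_INVENTORY = [
    DeviceRecord("LAP-0001", "laptop", "CCG-00123", "Windows", ["C"], True, True, False, True, 10),
    DeviceRecord("LAP-0002", "laptop", "CCG-00124", "Windows", ["A", "C"], True, False, False, True, 10),
    DeviceRecord("USB-0007", "removable", None, None, None, False, False, False, False, None),
    DeviceRecord("PHN-0003", "smartphone", "CCG-00200", "iOS", None, True, False, False, False, 5,
                 approved_for_network=False),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

The check is deliberately split by device type: the BIOS boot-order and password rules only make sense for laptops, whereas the asset-tag and encryption rules apply to anything that can carry CCG data, including USB sticks, which the sample register shows failing both.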
SECTION ELEVEN
INCIDENT MANAGEMENT POLICY

POLICY UNDER DEVELOPMENT
SECTION TWELVE
IG TRAINING AND AWARENESS PLAN

1. INTRODUCTION

The provision of a comprehensive Information Governance Training and Awareness Plan (IGTAP) (Appendix 3) for staff is vital in ensuring that information governance is fully embedded within the organisation's culture. Failure to address the training needs of staff results in increased risk of:
- data protection breaches
- reputational damage to the organisation and to the patients, service users and clients it serves
- enforcement action taken by the Information Commissioner's Office (ICO)
- penalties levied by the ICO for data protection breaches
- increased complaints due to inappropriate handling of personal data
- staff feeling ill-equipped to make information handling decisions
- loss of public confidence in the organisation's ability to appropriately handle confidential information
- interruption of business processes, due to the inability to locate and access necessary information when required

2. SCOPE

The IGTAP outlines the methods by which staff will be equipped with the necessary understanding of information governance principles and the confidence to apply them within their day-to-day work.

3. OBJECTIVES

The objectives of the IGTAP are to:
- Ensure that all staff are equipped with sufficient understanding of their responsibilities to enable them to handle all types of information confidently, and in line with their legal and professional obligations
- Make staff aware of the principles and processes they should be following in order to handle information appropriately in any given situation
- Ensure that staff are aware of the sanctions which may be applied in cases where information is handled inappropriately
- Comply with legal and professional obligations to provide training to staff with regard to the handling of information
- Reduce the potential risks to individuals associated with the handling of personal information
- Reduce potential risks to the organisation with regard to the inappropriate handling of information

4. IDENTIFICATION OF TRAINING NEEDS

The Training Needs Assessment has been based on generic job roles identified within the HSCIC IG Training Tool. The CCGs intend to implement a more tailored approach, which will require Training Needs Assessments (Appendix 1) to be carried out on all staff. This is to effectively identify and address the training needs applicable to each role, rather than taking a more general approach.

It is important to clearly identify the expected competencies of staff across the organisation, in terms of achieving the organisation's goals, ensuring that the organisation remains compliant with its legal and professional obligations, and enabling staff to meet the standards of information handling required within their role.
This can be achieved through:
- Reviewing organisational goals
- Reviewing the requirements of individual job roles
- Identification of training needs as part of the recruitment process
- Reviewing staff responsibilities outlined in policies and procedures

Although for many staff training needs will be met by a general information governance training programme, some staff may require specific training, either to address particular issues which have been identified through:
- incident reports
- complaints
- spot checks
- audits
- personal development reviews
- other training delivery
- surveys/questionnaires
- staff/management requests for training on particular areas/issues

or where staff have specialist roles which require either training to a more advanced level, or a broader range of training to cover the areas for which they are responsible.

Staff training needs should be assessed on an annual basis as part of staff Personal Development Reviews, or when a new member of staff is recruited. Where new roles are developed or amended, the required competencies for the role should be identified. Where staff change roles within the organisation, their information governance training needs will need to be re-assessed in order to identify knowledge gaps in relation to the new role. Any knowledge gaps identified should be addressed through completion of relevant on-line training modules, face-to-face training, or externally provided training courses.
5. APPROACH

In order to ensure that the IGTAP meets the needs of all staff, it is important that a variety of delivery methods are employed, in order to motivate staff to want to learn more, improve retention of the things learned, and enable positive transfer of the knowledge and skills gained to their daily work, encouraging good practice and eliminating bad practice.

The ability and/or desire of individuals to learn and apply new skills can be affected by many factors, including:
- Social background
- Educational background
- Expectations/preconceptions
- Whether they are receiving training because they want it or because they have been required to attend
- Personal opinions about the subject area
- The opinions of others

In order for the training to be effective, it needs to be interesting, informative and appealing to different learning styles. The IGTAP will consist of a blend of online training and face-to-face, classroom based sessions.

Online Training
Information Governance induction training will be completed via the HSCIC IG Training Tool, through completion of the Introduction to Information Governance module (for staff who have access to personal data) or the Beginners Information Governance module (for staff who do not have access to personal data). Mandatory Information Governance Training via the IG Training Tool is included within the Manager's Induction Checklist, which can be found on the CCGs' Intranet. See the full list of Information Governance Training Tool modules at Appendix 2.

Where staff have previously successfully completed the relevant mandatory module on the Information Governance Training Tool, they will be required to complete the "Information Governance: The Refresher" module within each subsequent financial year.
In some instances, where staff either do not have access to the online training materials or find it difficult to learn using online materials, arrangements will be made to deliver the material face to face using approved materials available on the IG Training Tool.

Successful completion of each module will be assessed through a set of questions presented after the training element of that module. To complete the module successfully, the individual must achieve at least 80%, after which they will receive a certificate which can either be saved as a file or printed. If the individual does not achieve 80% at the first attempt, they are able to re-take the training and assessment; each re-take attempt is recorded.

Face to Face Training

Face-to-face training will be delivered to supplement the online training provision, in order to focus on local issues and specific training needs and topics. It will incorporate multiple delivery methods in order to appeal to different learning styles (visual, oral and kinaesthetic), including PowerPoint presentations supported by case studies, personal experience (outlining real-world examples), interactive discussions and group activities.
Each training session must incorporate a means of confirming that attendees have correctly understood the areas covered within the session. This may be through observing activities, listening to group discussions, feedback from case studies, question and answer sessions, quizzes etc. Staff should be given the opportunity to ask questions throughout the session and/or at the end, and should be informed of the arrangements for asking questions at the beginning of the session. They should also be provided with contact details so that they can raise questions after the session has finished.

Prior to the training session taking place, staff may be sent a pre-training questionnaire to assist in identifying gaps in knowledge and to allow staff to identify any particular issues they would like addressed within the session. The pre-training questionnaire allows staff to provide anonymous input into the design of the session, so that it can be tailored to meet staff needs.

Rooms used for training should be well ventilated, have adjustable heating and lighting, and have sufficient seating to accommodate the number of attendees comfortably. Staff should sign an Attendance Sheet at the beginning of the session as evidence of attendance, and should be asked to complete an anonymous session Evaluation Sheet at the end. Completed Evaluation Sheets are invaluable in the development of sessions, ensuring that they appropriately meet the learning needs of staff.

Externally Provided Training

In certain circumstances it may be necessary for staff to attend specialist information governance training provided by external companies; examples may include Senior Information Risk Owner, Information Asset Owner, Caldicott Guardian, Information Risk Management or Information Security training.
This may be appropriate where the individual requires more in-depth training than that provided by the IG Training Tool, or where the subject area is not covered within the IG Training Tool or as part of a local training programme.

Awareness Materials

A rolling programme of awareness materials should be provided to staff covering all aspects of information governance. Materials may be in the form of booklets, leaflets, posters, emails etc., and may be presented in physical form, via email, or on the Information Governance area of the Intranet. Awareness materials should also be developed to complement the online and face-to-face training being delivered.

6. MONITORING

Staff Surveys

Anonymous surveys will be sent to staff on a six-monthly basis, covering different aspects of information governance. Feedback from staff will allow the CCG to gain assurance regarding the level of understanding of staff and to identify areas where further training is required.
Review of Complaints and Incidents

Regular analysis of complaints and incidents will be undertaken to identify whether training has been effective in reducing the number of incidents and complaints relating to the inappropriate handling of information within the organisation. The results will also assist in identifying any other areas where training is required.

Spot Checks/Observation and Audit

Regular spot checks/observations and audits will be undertaken to identify whether staff are applying what they have learned, particularly with regard to information sharing and the secure handling of information. This will also assist in identifying any additional training requirements.

Information Governance Training Reports

Staff should be reminded of their responsibility to complete mandatory training throughout each financial year. IG Training Reports should be provided monthly in order to monitor completion rates, identify staff who have not completed their training and identify situations where staff have not been able to meet the minimum level of understanding. Where staff have not completed the mandatory modules within the financial year, this should be followed up with their respective managers. Where staff have difficulty learning using the online modules, they should be provided with face-to-face training.

To ensure that all staff have received information governance training, training records should be cross-checked with Starters/Leavers Reports provided by ConsultHR. Where gaps are identified, these should be addressed with the relevant manager.

Regular reports will be provided to the IG Lead (Head of Corporate Affairs) and reported to the IM&T Group by the IG Manager, detailing completion rates and highlighting any issues which have been identified.

7. REVIEW

Training and awareness materials should be reviewed at least annually, unless legislation or other changes necessitate an earlier review or revision.

8. ROLES AND RESPONSIBILITIES

It is the role of the CCGs' Governing Bodies to ensure that an IG Training and Awareness Plan is in place and that staff are aware of their training responsibilities. CCGs shall ensure that sufficient resources are provided to support the requirements of this policy. These procedures apply to all staff, and their responsibilities, including those in key roles, are outlined in more detail in Appendix B.

9. COST

Direct

Where training is provided via the IG Training Tool there is currently no direct cost (see the section entitled Indirect, below, for associated costs), although this may change in the future.
Where training is provided face to face, there will be a cost associated with the trainer. Where training is provided by members of the Information Governance Team, this will generally be covered within the Service Agreement between the CCGs and the CSU. Where training is provided by an external organisation, either on site or off site, there will be a direct cost associated with the trainer. Additionally, there will be costs associated with the use of the room and associated equipment in terms of heat, light, wear and tear on equipment, consumables such as flipchart paper and pens, handouts etc. Where training is provided off site, there will also be travel costs and potentially accommodation and subsistence in addition to the actual cost of the training.

Indirect

Where staff have to be back-filled in order to ensure service continuity, there will be an associated cost in terms of human resource provision, either through overtime payments or through employment of agency staff.

10. ASSUMPTIONS, RISKS, CONSTRAINTS, DEPENDENCIES

It is assumed that:
- staff will be released for Information Governance Training in accordance with the IGTAP
- an appropriate training environment will be provided both for online and face-to-face delivery of training
- trainees will have the pre-requisite skills and knowledge required, e.g. computing skills
- where advanced training is being delivered, delegates will have completed the basic training modules prior to attending the advanced level
- where staff do not attend training without prior cancellation, this will be addressed with the relevant line manager
- staff are mandated to complete identified IG Training within the organisation
- managers are mandated to ensure that all temporary and contracting staff complete the mandatory online Information Governance Toolkit modules within their first week of employment with the organisation
- ConsultHR are responsible for mandating managers to include the requirement to complete an IG Training Needs Assessment at staff Personal Development Reviews and when new staff are recruited
- managers are mandated to perform IG Training Needs Assessments as part of staff Personal Development Reviews and when new staff are recruited

Risks associated with non-delivery of appropriate training to staff could include:
- damage to organisational reputation due to poor handling of information
- damage to public confidence in the organisation's ability to handle information appropriately
- failure of the organisation and individuals employed by it to comply with their legal obligations
- additional costs associated with the investigation of data protection breaches and defending court action arising from the organisation's failure to handle information appropriately
- additional costs associated with penalties levied by the Information Commissioner's Office for non-compliance with legal obligations
- increased costs associated with the investigation of complaints relating to poor information handling practices
- increased vulnerability to information security breaches due to poor information handling practices

Successful training provision is constrained by and dependent upon:
- the availability of internal staff to deliver the training
- the availability of staff to receive training
- the costs associated with external training provision
- availability of suitable training rooms
- availability of suitable equipment (projectors/smart boards, laptops etc.)
- allocation of an appropriate budget to cover any necessary costs

11. COMMUNICATION PLAN

The IGTAP will be communicated to staff electronically via email and publicised on the CCGs' intranet site.

12. NEXT STEPS

The next step in progressing the IGTAP within the CCGs will be to consult with identified stakeholders on its implementation.

13. CONSULTATION

Consultation has been/will be undertaken with the following stakeholders (no response deadlines are recorded):
- CSCSU Information Governance Team
- Information Governance Lead
- SIRO
- Caldicott Guardian
- Freedom of Information Administrator
- ConsultHR
- IM&T Group

14. TARGET AUDIENCE AND SCOPE

This IGTAP applies to all staff (temporary and permanent), contractors and volunteers working for the CCGs. The Training Plan covers the following areas:
- Introduction to Information Governance
- Common Law Duty of Confidentiality and Caldicott
- Data Protection responsibilities
- Information sharing
- Information security responsibilities
- Records management responsibilities
- Freedom of Information responsibilities
- Incident reporting responsibilities
APPENDIX 1: IG TRAINING NEEDS ASSESSMENT

Name:
Job Title:
Department/Team:
Date of Assessment:
Brief Overview of Job Role:

The following table should be completed for each role to identify the competencies required in order to comply with legal and professional obligations and responsibilities in relation to the handling of information within the job role. For each activity identified, tick the appropriate column to indicate the level of involvement in the stated activity (Minimal Involvement, Medium Level of Involvement, High Level of Involvement, Departmental Responsibility or Organisational Responsibility) and record any Evidence of Training Undertaken. The completed form should be emailed to the Information Governance Manager via NHS.net email.

INFORMATION HANDLING
- Handling non-personal information
- Handling patient confidential information
- Handling personal information relating to staff, the general public etc.
- Handling commercially sensitive information (contracts, tenders etc.), no access to personal data
- Provision of direct care to patients

PROCUREMENT
- Procurement

RECORDS MANAGEMENT
- Records Management Policy/Strategy Development and/or Implementation

GENERAL ACTIVITIES
- Disposal of electronic equipment

PROJECTS, SYSTEMS, PROCESS AND PROCEDURE DESIGN AND TESTING
- Developing, evaluating, testing systems, redesigning services/processes, project work

INFORMATION GOVERNANCE MANAGEMENT AND INFORMATION RISK MANAGEMENT
- Management of information related incidents (two involvement columns N/A)
- Identification and Management of Information Risks (two involvement columns N/A)
- Caldicott Guardian (CG) (four involvement columns N/A)
- Senior Information Risk Owner (SIRO)
- Information Asset Owner/Information Asset Administrator
- Information Governance Management
- Provision of advice on and processing of AHRA and SAR requests
- Provision of advice on and processing of FOI and EIR requests
(The remaining five rows are marked N/A in two involvement columns each.)

Please identify any specific training needs over and above those covered in the above table in the following box:
APPENDIX 2: IG TRAINING MODULE DESCRIPTIONS

1. Patient Confidentiality (time estimate: 1 hour)
This is a foundation level module aimed at all staff who have access to patient confidential information. How can you ensure that you maintain patient confidentiality and that patients' wishes regarding the use of their confidential information are respected? This module will help you to work within the law by providing you with information about the common law duty of confidence, consent and situations when it might be appropriate to disclose information without consent.

2. The Caldicott Guardian in the NHS & Social Care (time estimate: 1 hour)
What does the Caldicott Guardian do and who can help them in their role? This practitioner level module will answer these and other questions, such as why the role should be allocated to a senior member of staff and how it fits into the wider Information Governance Assurance framework. The module is designed to assist Guardians to arrive at lawful and practical decisions regarding the protection and sharing of patient and service user information.

3. Secure Handling of Confidential Information (time estimate: 1 hour)
This is an introductory level e-learning module on the secure handling of confidential information. The module is aimed at medical students and newly qualified doctors, but the content is also relevant to and appropriate for all healthcare professionals, either in training or already qualified. Its purpose is to raise awareness of personal responsibilities for protecting the confidentiality and security of confidential information. Learners will gain a greater understanding of the possible risks to confidential information and how these risks can be reduced or avoided.

4. Introduction to Information Governance (time estimate: 2 hours)
How do you stay on the right side of the law? And what support do you have in protecting sensitive data? The answer is, through good Information Governance (IG). This module describes good IG and introduces the IG Toolkit to help you. A PowerPoint version is available: see "Trainer Materials" - "Introduction to Information Governance for NHS presentation".

5. Information Governance: The Beginner's Guide (time estimate: 0.5 hours)
What would you do if you picked up a piece of litter at work and found it was a sheet of confidential information from an HR file or a patient record? Would you react differently if it was from your HR file or you were the patient? This introductory level e-learning module explains:
- the difference between 'personal information' and 'sensitive' personal information
- what 'confidentiality' means, what information it applies to and how confidentiality is maintained
- what security means, how good security is planned and how it involves all employees
- identifying and reporting confidentiality and security incidents and weaknesses to highlight issues and help organisations improve
It includes scenarios to help staff recognise and deal with everyday situations which involve spoken and written information. A PowerPoint version is available: see "Trainer Materials" - "Information Governance: The Beginner's Guide".

6. Access to Information & Information Sharing in the NHS (time estimate: 0.5 hours)
Organisations will need to share confidential person-identifiable information with a range of others for a range of purposes. When sharing, both the disclosing and receiving organisations should have procedures that meet the requirements of law and guidance and make clear to staff the appropriate working practices. This foundation level module will discuss some of the requirements of law and guidance, and provide advice on appropriate working arrangements. The module was developed in conjunction with the NHS Information Centre for Health and Social Care.

7. NHS Information Risk Management: Introductory (time estimate: 1 hour)
This is an e-learning module on Information Risk Management at an introductory level. The module is intended to provide an overview of the key elements of information risk management. Staff whose roles involve the handling of personal data will benefit from a greater understanding of Information Risk Management principles, and an insight into how these principles relate to their own roles.

8. NHS Information Risk Management: Foundation (time estimate: 1 hour)
This is an e-learning module on Information Risk Management at a foundation level. The module is intended to assist staff whose roles involve responsibility for the confidentiality, security and availability of information assets in understanding and fulfilling their duties. There is a bookmarking function which allows you to enter and exit the learning as you wish.

9. NHS Information Risk Management for SIROs and IAOs (time estimate: 1 hour)
This is an e-learning module for SIROs and IAOs and is at an introductory level. The module describes key responsibilities for the SIRO and IAO roles, and outlines the structures required within organisations to support those staff with SIRO or IAO duties. SIROs should also review the IRM Foundation module. There is a bookmark function which allows you to return to the last page visited should you wish.

10. Password Management (time estimate: 0.5 hours)
The first line of defence in protecting sensitive data is choosing a good password. This module tells you how.

11. Information Security Guidelines (time estimate: 1 hour)
How do you prevent people from looking at sensitive data while you're away from your computer? What are the security risks of using your work computer for personal use? And how do you keep your password secret? This module shows you how.

12. Secure Transfers of Personal Data (time estimate: 1.5 hours)
There are times when sensitive data has to be transferred from place to place. The question is: how can this be done securely? How can you be sure that it is safe from theft or accidental loss? This module also tells you how to dispose of sensitive data when it's no longer needed.

13. Information Security Management (time estimate: 1 hour)
Robust information security management arrangements are needed for the protection of patient records and information services generally. This e-learning module has been designed to provide staff with a level of awareness regarding their interaction with information security and its management. It is aimed at newly appointed staff and those needing to know a little more about the role of ISM. However, everyone within the organisation would benefit from undertaking this learning.

14. Business Continuity Management (time estimate: 2.5 hours)
This foundation level module is aimed at newly appointed staff and those who need to know a little more about BCM. It specifically focuses on ways to address the continuity of information assets as a core component of your organisation's overall approach to business continuity. Everyone within the organisation would benefit from this learning.

15. Records Management & the NHS Code of Practice (time estimate: 0.5 hours)
Good records management is crucial in all NHS organisations. In this foundation level e-learning module you will find out why it's so important. You will also find out how you can ensure that you comply with the NHS Code of Practice.

16. Records Management in the NHS (time estimate: 0.5 hours)
In this practitioner level e-learning module you will discover practical information and advice about how to create and implement records management policies and strategies in your organisation.

17. Access to Health Records (time estimate: 0.5 hours)
At times you will have to deal with requests for access to patient records, both from the patients themselves and from their friends and family. This practitioner level e-learning module will let you know how to deal with these requests.

18. The Importance of Good Clinical Record Keeping (time estimate: 1 hour)
This is an introductory level e-learning module on the importance of good clinical record keeping. The module provides an overview of the benefits of good practice in record keeping. It relates primarily to hospital in-patients, although the standards apply to all health records. All staff whose role may involve writing in patients' medical notes should conform to the generic standards highlighted in this module. Staff members will get a greater understanding of the standards they should maintain and how record keeping can impact on their clinical role.
List of job roles. Mandatory: Junior doctors. Recommended: Medical Students; Consultants; Nurses; Midwives; Allied Health Professionals; Clinical Coders; Clinical Audit Staff; Managers of Clinical Departments; Clinical Governance Risk Managers. Optional: Clinical Contract Managers.

19. Information Governance: The Refresher Module (time estimate: 0.5 hours)
APPENDIX 3: IG TRAINING AND AWARENESS IMPLEMENTATION PLAN

Each action is listed with its Lead, Frequency and Target date; the Completed and Status columns are blank in this version.

1. Training & Awareness Plan: obtain approval from the IM&T Group for the Training and Awareness Plan. Lead: IG Manager. Frequency: N/A. Target: 27/02/2015.
2. Training & Awareness Plan: consult with ConsultHR on the requirement to mandate managers to complete Training Needs Assessments as part of Personal Development Reviews and on recruitment of new staff, and to mandate managers to ensure all temporary/contracting staff successfully complete the required IGTT module(s) within their first week of employment. Lead: IG Lead. Frequency: N/A. Target: 31/03/2015.
3. Training & Awareness Plan: update the T&A Plan following consultation. Lead: IG Lead. Frequency: N/A. Target: 14/04/2015.
4. Training & Awareness Plan: confirm agreement to mandate managers to complete Training Needs Assessments and to ensure required training is completed within the first week of employment, by the planned date. Lead: ConsultHR. Frequency: N/A. Target: 30/04/2015.
5. Training & Awareness Plan: inform staff of mandatory requirements in relation to Training Needs Analysis and Training. Lead: IG Lead / Communications. Frequency: N/A. Target: 15/05/2015.
6. Staff Training Reminder: send a reminder to all staff to ensure IGTT training is completed. Lead: IG Manager. Frequency: Monthly. Target: 31/03/2016.
7. Training Needs Assessment: review complaints, incidents and KPIs and update training needs following review. Lead: IG Manager / FOI Administrator. Frequency: Monthly. Target: 31/03/2016.
8. Face to Face Training: provide face-to-face training on a quarterly basis. Lead: IG Manager. Frequency: Quarterly. Target: 31/03/2016.
9. Monitor Training Uptake: obtain staff list from ConsultHR. Lead: IG Manager. Frequency: Monthly. Target: 31/03/2016.
10. Monitor Training Uptake: regular monitoring of training completed. Lead: IG Manager. Frequency: Monthly. Target: 31/03/2016.
11. Monitor Training Uptake: provide regular reports to the IG Lead to enable escalation to managers for action. Lead: IG Manager. Frequency: Monthly. Target: 31/03/2016.
12. Update IM&T Group: provide statistical reports to the IM&T Group in relation to training completed. Lead: IG Manager. Frequency: Quarterly. Target: 31/03/2016.
13. IG Staff Surveys: staff to complete anonymous surveys covering various IG topics in order to identify knowledge gaps. Lead: IG Manager / FOI Administrator / Communications. Frequency: April and September each year. Target: 31/03/ (year missing in source).
14. Training Needs Assessment: complete Training Needs Assessments for all staff as part of Personal Development Reviews/Staff Development Reviews. Lead: Managers and Team Leads. Frequency: Annually. Target: 31/03/2016.
15. Address Training Need: source external specialist training where applicable and obtain approval from the IM&T Group. Lead: IG Lead. Frequency: Annually. Target: 31/03/2016.
16. Compliance Checks and Monitoring: develop an Audit Plan and carry out audits to obtain assurance that staff understand their responsibilities and identify any additional training requirements. Lead: IG Manager. Frequency: Annually (in each operational area). Target: 31/03/ (year missing in source).
17. Training Provision Review: review existing training provision to ensure that it reflects current legislation and guidance. Lead: IG Managers. Frequency: Every two years (earlier if legislation or guidance changes). Target: 31/03/2017.
SECTION THIRTEEN: CONFIDENTIALITY AUDIT PROCEDURES

1. INTRODUCTION

Good practice requires that all organisations that handle personal information put in place control mechanisms to manage and safeguard confidentiality, including mechanisms for highlighting problems such as incidents, complaints and alerts. Organisations should have processes to highlight actual or potential confidentiality breaches in their systems, particularly where person-identifiable information is held. They should also have procedures in place to evaluate the effectiveness of controls within these systems.

This policy establishes appropriate confidentiality audit procedures to ensure that the CCGs operate good practice in managing and handling personal confidential information in compliance with guidance and legislation. Assurance that these controls are working effectively should be part of the organisation's overall assurance framework.

2.0 SCOPE

All work areas within the CCGs which handle personal confidential data (PCD) will be subject to the confidentiality audit procedures. Confidentiality audits will focus primarily on controls within electronic records management systems, but should not exclude paper record systems. The purpose is to discover whether confidentiality has been breached or put at risk, either through deliberate misuse of systems or as a result of weak, non-existent or poorly applied controls. Access to electronic and manual person-identifiable data will be audited. Audits will be undertaken across the CCGs' sites, which will capture any inconsistencies in practice.
113 3.0 RESPONSIBILITIES It is the role of the CCGs Governing Bodies to ensure that Confidentiality Audit Procedures are in place and that sufficient resources are provided to support the requirements of this policy. These procedures affect to all staff who handle information obtained and processed on behalf of the CCGs but particularly relate to those staff responsible for carry out confidentiality audits. These responsibilities including those in key roles are outlined in more detail in Appendix B. 4.0 AUDIT APPROACH The Audits will seek to evidence compliance in the following topic areas: Staff awareness of the CCGs policies and guidance in relation to confidentiality Appropriate recording of consent Appropriate staff access to physical areas Secure storage of and appropriate access to filed hard copy person-identifiable notes and information Security of post handling areas Security of confidential fax handling Security of recorded telecommunications and message books Appropriate use and security of the telephone in open areas Storage of personal confidential data (PCD) in public areas Monitoring of incident reports in relation to confidentiality breaches e.g. stolen/lost computers, disclosure of confidential material, complaints etc.; Notified audit visits using structured templates Spot checks to random work areas using structured templates e.g. to assess confidential use of PCD Confidentiality Interviews with staff using structured templates Assessing staff knowledge and understanding using surveys e.g. Opinio or SurveyMonkey Staff completion of mandatory training Review of IT security e.g. 
failed log-in reports, inappropriate access, use/abuse of passwords.

The CSCSU Information Governance Team will provide the following deliverables:
- Detailed audit procedures and auditor specifications
- A nominated lead responsible for implementation
- Experienced auditors
- A planned and implemented audit programme
- A spreadsheet or database to record audit findings and outcomes
- Audit reports and recommendations for the IM&T Board
- Support for action plans to address any areas requiring review
- A follow-up process for the IM&T Board
- Reports to the Senior Information Risk Owner (SIRO) concerning any identified breaches

5.0 MONITORING AND AUDITING

The Information Governance Lead has overall responsibility for monitoring and auditing access to confidential information. The Information Governance Lead will work with the Information Governance Manager to ensure that regular auditing is carried out across the organisation. Audits will be carried out using standard templates (Appendix 1) and results will be collected and held for future reporting and analysis.

The monitoring of information systems is covered by the IT Security Policy. Reports will be made available to the Information Governance Lead and Information Governance Manager for auditing purposes and will be checked for the frequency, circumstances and location of:
- Failed attempts to access confidential information
- Repeated attempts to access confidential information
- Successful access to confidential information by unauthorised persons
- Evidence of shared login sessions/passwords
- Disciplinary actions taken

The Caldicott Guardian and Senior Information Risk Owner (SIRO) have joint responsibility for the investigation of confidentiality events and will ensure that any incidents identified as a result of an audit are reported in line with the management and reporting of serious incidents requiring investigation (SIRIs).

6.0 AUDIT FINDINGS

Audit findings will be reported to the IM&T Board and any areas requiring further development will be highlighted so that recommendations and corrective actions can be identified. Any risks identified from an audit will be logged on the Corporate Risk Register so that recommendations can be made to mitigate those risks.

7.0 DISCIPLINARY POLICY AND PROCEDURES

In the event of an incident of gross misconduct, HR will invoke the Disciplinary Procedure. The CCGs are committed to the avoidance of formal disciplinary procedures wherever possible by addressing problems as soon as they arise.
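As an added illustration of the system-level checks listed in section 5.0 (not part of the handbook or of the CCGs' own tooling), the following Python script reviews constructed access-log records for failed attempts, repeated attempts, successful access by unauthorised persons and evidence of shared login sessions. The log format, field names, authorisation list and thresholds are assumptions made for the example.

```python
"""Added example: audit review of constructed access-log records.
Field layout, authorisation list and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, user, workstation, resource, outcome
SAMPLE_LOG = """\
2015-02-03T09:01:10 jsmith WS-101 PatientRecords/NHS0001 OK
2015-02-03T09:02:45 jsmith WS-101 PatientRecords/NHS0002 OK
2015-02-03T09:03:01 tjones WS-204 PatientRecords/NHS0003 FAIL
2015-02-03T09:03:20 tjones WS-204 PatientRecords/NHS0003 FAIL
2015-02-03T09:03:41 tjones WS-204 PatientRecords/NHS0003 FAIL
2015-02-03T09:04:05 tjones WS-204 PatientRecords/NHS0003 FAIL
2015-02-03T09:10:00 jsmith WS-317 StaffFiles/HR0042 OK
2015-02-03T09:12:30 aparker WS-250 PatientRecords/NHS0007 OK
"""

# Constructed authorisation list: which resource prefixes each user may open
AUTHORISED = {
    "jsmith": {"PatientRecords/"},
    "tjones": {"PatientRecords/"},
    "aparker": set(),            # no access to confidential resources
}

FAIL_THRESHOLD = 3                        # repeated attempts worth a review
SESSION_WINDOW = timedelta(minutes=15)    # same account on two PCs this close
                                          # together suggests a shared login

def parse_log(text):
    """Turn whitespace-separated log lines into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, resource, outcome = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ws": ws, "resource": resource, "outcome": outcome})
    return records

def review(records):
    """Return the four categories of finding the audit procedure asks for."""
    findings = {"failed": [], "repeated": [], "unauthorised": [], "shared_login": []}
    fails = defaultdict(int)        # (user, resource) -> failed attempt count
    last_seen = defaultdict(dict)   # user -> {workstation: last timestamp}
    for r in records:
        key = (r["user"], r["resource"])
        if r["outcome"] == "FAIL":
            findings["failed"].append(r)
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:      # report once per (user, resource)
                findings["repeated"].append(key)
        else:
            # Successful access outside the user's authorised resource prefixes
            allowed = AUTHORISED.get(r["user"], set())
            if not any(r["resource"].startswith(p) for p in allowed):
                findings["unauthorised"].append(r)
        # Same account active from a different workstation inside the window
        for ws, ts in last_seen[r["user"]].items():
            if ws != r["ws"] and r["ts"] - ts <= SESSION_WINDOW:
                findings["shared_login"].append((r["user"], ws, r["ws"]))
        last_seen[r["user"]][r["ws"]] = r["ts"]
    return findings

if __name__ == "__main__":
    for category, items in review(parse_log(SAMPLE_LOG)).items():
        print(f"{category}: {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

Each finding category maps to one bullet of the audit checklist, so the output can be recorded directly in the audit spreadsheet described above.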
APPENDIX 1: INFORMATION GOVERNANCE COMPLIANCE AUDIT

Site Location:
Directorate:
Section:
Auditor:
Date:

Each section below is recorded against three columns: Documents Referenced / Comments / Result. Items marked "(observation)" are checked directly by the auditor rather than asked.

ICT Security
- How many PCs are within the area?
- How many PCs are within a public area?
- How many are secured against theft?
- How are they secured against inappropriate access? (Password/Smartcard)
- Do you share your password/smartcard with anyone else?
- Are any covered by CCTV or an infra-red security sensor?
- Check to see if any are logged in and left unattended (observation)
- Are smartcards left unattended in machines?
- Is the screen viewable by the public?
- Are all PCs linked to the network?
- Random check of C drives for confidential information (observation)
- Random check of keyboards and drawers to find passwords written down (observation)
- Is the equipment security marked?
- Is the equipment protected against malicious software or code?
- Is virus software up-to-date?

Communications
- Where are the main calls to the dept. routed to? Is this the main reception area?
- Is there facility for calls to be taken in privacy?
- Check to see if calls can be heard from the public area (observation)
- Is there an answer phone in the public area? Is this listened to whilst the public are present?
- Where is the fax machine located? Is this in a public area?
- Is there a safe haven poster situated by the fax machine?
- Check to see if any confidential information is on the machine (observation)
- Is it possible to reach across and remove a fax from the public area?
- Is the fax machine sited correctly? i.e. away from windows, away from counter etc.

Physical Security
- Is access to staff-only areas restricted by a security device?
- Is the device used, or is the door left open or ajar?
- Are there any public areas which are closed for any period, i.e. lunch? Is the area secured against entry during these periods?
- Is there any CCTV coverage of the area? If CCTV is used, is an appropriate sign present?
- Are Security staff present in the area?
- Are there environmental controls to avoid damage via flooding or other environmental issues?

Records Security
- Do you have a records management policy?
- How are the records stored?
- Where are supplementary records stored?
- How do you archive your records?
- Are records ever taken off-site?
- Do you have permission from a senior member of staff to take records off-site?
- How are records transported/stored when taken off-site?

Disposal of Confidential Information
- Do you use confidential waste bags?
- Do you use confidential waste bins?
- Do you use a shredder?

Additional Training Requirements
- Have you completed the mandatory IG Training which applies to your role?
- Do you require training in any areas that we have covered today?
- If you answered yes to the question above, what areas of training would you require?
TRANSFER OF PERSONAL INFORMATION PROCEDURE
SECTION FOURTEEN

1. INTRODUCTION

This document has been written to support CCG staff with the transfer of personal information between organisations, allowing them to do this securely, safely and in confidence. Following these procedures ensures that the CCGs comply with:
- The Data Protection Act (1998)
- The Caldicott Principles
- The requirements set out in Confidentiality: NHS Code of Practice

Further details of the Data Protection Act and the Caldicott Principles can be found in Appendices C and G. These procedures also underpin the following CCG policies:
- Data Protection Act Policy
- Information Governance Policy

These procedures apply to all CCG staff and have been adopted by the CCGs' Governing Bodies.

2. SCOPE

These procedures cover all personal information processed by the CCGs, including data relating to both staff and patients. The CCGs recognise the importance of correct and lawful handling of personal data, as specified in the Data Protection Act 1998, and these procedures support this.
3. RESPONSIBILITIES

It is the role of the CCGs' Governing Bodies to define the CCGs' policy in respect of the Data Protection Act. The CCGs' Governing Bodies are also responsible for ensuring that sufficient resources are provided to support the requirements of the policy. This policy applies to all staff who handle information obtained and processed on behalf of the CCGs. These responsibilities, including those in key roles, are outlined in more detail in Appendix B.

4. WHAT IS PERSONAL IDENTIFIABLE INFORMATION?

Personal identifiable information includes (although is not limited to) such data as:
- Name and date of birth
- Name and address
- Full name (though not usually forename or surname alone)
- Full address
- NHS number

Personal identifiable information does not just mean patient information; it can mean information held about staff or other people who have dealings with the CCGs. This could include:
- Details of a Freedom of Information Act requester
- A complainant
- Somebody who has tendered to run a service

5. SAFE HAVEN

A Safe Haven originally referred to the siting of fax machines within NHS organisations so that personal information could be sent securely into an NHS Trust. However, this meaning has now been expanded to encompass all secure methods of transmitting or transferring personal identifiable information.

Location/security arrangements
- It should be a room that is locked or accessible via a coded keypad known only to authorised staff; or
- The office or workspace should be sited in such a way that only authorised staff can enter that location, i.e. it is not an area which is readily accessible to any member of staff who works in the same building or office, or to any visitors.
- If sited on the ground floor, any windows should have locks on them.
- The room should conform to health and safety requirements in terms of fire, and safety from flood, theft or environmental damage.
- Manual paper records containing person-identifiable information should be stored in locked cabinets.
- Computers should not be left on view or accessible to unauthorised staff, should have a secure screen saver function, and should be switched off when not in use.

6. COMPUTERS

Access to any computer (including desktop computers, laptops and mobile devices such as iPads) must be password protected; the password must not be shared in any circumstances. If access is needed to someone's diary or email, the IT Service Desk will be able to advise you how to do this.

Computer screens must not be left on view so that members of the general public, or staff who do not have a justified need to view the information, can see personal data. Computers or laptops not in use should be switched off or have a secure screen saver in use. Alternatively, the computer should be locked.

Information should be held on the organisation's network servers (such as the G: drive), not stored on local hard drives (such as your C: drive) or other local media (such as CDs and USB memory sticks). Departments should be aware of the high risk of storing information locally and take appropriate security measures. In addition, folders set up on the network servers that contain personal identifiable information should have access controlled to only those staff that need it, e.g. access to the directory should be restricted to those members of the team that need it, rather than blanket access for the whole team.

Non-CCG equipment (such as employees' own personal computers, laptops and mobile devices such as iPads) should never be used to store personal identifiable information, as this compromises the CCGs' position as data controller.

Further guidance on appropriate use of email, internet etc. can be found in policies on the CCGs' intranet.

7. SHARING INFORMATION WITH NON-NHS ORGANISATIONS

Employees of the CCGs authorised to disclose information to other organisations outside the NHS must seek an assurance that these organisations have a designated safe haven point for receiving personal information. The CCGs must be assured that these organisations are able to comply with the safe haven ethos and meet certain legislative and related guidance requirements, including:
- Data Protection Act 1998
- Common Law Duty of Confidence
- NHS Code of Practice: Confidentiality

Staff sharing personal information with other non-NHS agencies should be aware of protocol agreements made with various local organisations.
If you need to share information with other organisations and are unsure whether a protocol is needed, advice should be sought from the CSCSU Information Governance team.

8. PROCEDURE FOR SHARING INFORMATION BY POST

1. Confirm the name, department and address of the recipient.
2. Seal the information in a robust envelope.
3. Mark the envelope "Private and Confidential - to be opened by Addressee Only".
4. When appropriate, send the information by recorded delivery.
5. When necessary, ask the recipient to confirm receipt.

This procedure relates to Data Protection Principles 6 and 7 (Appendix C) and Caldicott Principle 4 (Appendix G).

9. PROCEDURE FOR SHARING INFORMATION BY FAX

1. Telephone the recipient of the fax (or their representative) to let them know you are going to send confidential information.
2. Ask them to acknowledge receipt of the fax.
3. Double-check the fax number.
4. Use pre-programmed numbers wherever possible.
5. Make sure your fax cover sheet states who the information is for and mark it "Private and Confidential".
6. If appropriate, request a report sheet to confirm that transmission was successful.

This procedure relates to Data Protection Principle 7 (Appendix C) and Caldicott Principle 4 (Appendix G).

10. PROCEDURE FOR SHARING INFORMATION BY TELEPHONE

1. Confirm the name, job title, department and organisation of the person requesting the information.
2. Confirm the reason for the information request, if appropriate.
3. Take a contact telephone number (e.g. main switchboard number) but never a direct line or mobile phone number.
4. Check whether the information can be provided. If in doubt, tell the enquirer you will call them back.
5. Provide the information only to the person who has requested it; do not leave messages unless certain it is appropriate to do so.
6. Ensure that you record your name, the date and time of disclosure, the reason for it and who authorised it. Also record the recipient's name, job title, organisation and telephone number to provide an audit trail.

This procedure relates to Data Protection Principle 7 (Appendix C) and Caldicott Principle 4 (Appendix G).

11. TRANSPORTING PERSONAL INFORMATION

1. Personal identifiable information should only be taken off-site when absolutely necessary, or in accordance with local policy.
2. Record what information you are taking off-site and why, and if applicable, where and to whom you are taking it.
3. Information must be transported in a sealed container.
4. Never leave personal identifiable information unattended, such as in a car.
5. Ensure the information is returned on-site as soon as possible.
6. Record that the information has been returned.

This guidance relates to Data Protection Principle 7 (Appendix C) and Caldicott Principles 4 and 6 (Appendix G).

12. PROCEDURE FOR SHARING INFORMATION BY EMAIL

Email is not a secure method of transferring information; it is the equivalent of sending information on a postcard rather than in a sealed envelope. Personal information and other sensitive information (this could include information that is not personal, such as Trust financial information) should not be sent by email unless it has been encrypted to the standards approved by the NHS.

When sending personal identifiable data to a colleague by email, the data must be properly protected if it is detailed enough that individuals can be identified from it. Personal identifiable information must only be sent between NHSmail accounts, i.e. from one NHSmail account to another NHSmail account. This is because NHSmail encrypts both the email and its attachments and therefore requires no additional protection. Personal information should therefore be sent from NHS.NET accounts to NHS.NET accounts only. Email sent from NHSmail accounts to any other email address will not be encrypted, is therefore not sufficiently protected, and should not be relied upon to protect personal identifiable data.

Other partner organisations, such as social care, can apply for an NHSmail account to facilitate the exchange of information. Some partner organisations also have similar secure email addresses that interface with NHSmail, including those listed below:
- GSi (*.gsi.gov.uk)
- GSE (*.gse.gov.uk)
- GSX (*.gsx.gov.uk)
- GCSX (*.gcsx.gov.uk)

Password protection on Word, Excel etc. documents is very simple and not sufficient to protect the data included in the document. Therefore, personal identifiable information should not be sent when this is the only level of protection available.

It should be noted that although NHSmail protects the email during transit, the user must ensure its security once it has arrived. Care should especially be taken when opening NHSmail on a computer at home, as the information may well be cached (a hidden store on the computer) onto the computer's hard drive and could still be accessed once the email is deleted.

13. PORTABLE MEDIA

It is strictly prohibited to copy any personal identifiable data onto portable media that is not encrypted to an agreed standard. Personal identifiable data can be information relating to staff or patients and can be as little as a postcode or other demographic data. Portable media includes USB memory sticks, CDs, DVDs, MP3 players, PDAs etc. This list is not exhaustive.

Guidance and policy in this area will be under continuous review during the lifespan of this policy; therefore the latest guidance should be sought from the CSCSU Information Governance Team. If you are in any doubt, do not copy onto portable media without seeking explicit guidance from the CCGs' SIRO (Chief Financial Officer) or Caldicott Guardian (Director of Nursing).
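As an added example (not from the handbook or the CCGs' systems), a Python pre-send check for the rule in section 12: person-identifiable information goes only from an NHSmail account to another NHSmail account or to one of the listed partner domains. The function names, and the treatment of "*." as a wildcard matching any host beneath the domain (but not a look-alike such as notgsi.gov.uk), are assumptions.

```python
"""Added example: pre-send check for the section 12 email rule.
Function names and wildcard handling are assumptions."""
from email.utils import parseaddr

NHSMAIL_DOMAIN = "nhs.net"
# Partner secure domains listed in the procedure. The leading "*." is taken
# to mean any host under that domain, matched on a dot boundary.
PARTNER_PATTERNS = ("*.gsi.gov.uk", "*.gse.gov.uk", "*.gsx.gov.uk", "*.gcsx.gov.uk")

def domain_of(address):
    """Lower-cased domain of a plain or 'Name <addr>' style address, or None."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def matches_pattern(domain, pattern):
    """Match a domain against either an exact domain or a '*.' wildcard."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".gsi.gov.uk"
        # Require something before the suffix so "gsi.gov.uk" alone and
        # "notgsi.gov.uk" (no dot boundary) are both rejected.
        return domain.endswith(suffix) and len(domain) > len(suffix)
    return domain == pattern

def secure_recipient(address):
    """True if the recipient is NHSmail or on one of the listed partner domains."""
    d = domain_of(address)
    if d is None:
        return False
    return d == NHSMAIL_DOMAIN or any(matches_pattern(d, p) for p in PARTNER_PATTERNS)

def transfer_allowed(sender, recipient):
    """Only NHSmail -> NHSmail/partner transfers are protected in transit."""
    return domain_of(sender) == NHSMAIL_DOMAIN and secure_recipient(recipient)

def check_message(sender, recipients):
    """Return the recipients that would break the rule; empty means OK to send."""
    if domain_of(sender) != NHSMAIL_DOMAIN:
        return list(recipients)      # nothing is protected from a non-NHSmail sender
    return [r for r in recipients if not secure_recipient(r)]

if __name__ == "__main__":
    # Constructed addresses for illustration only
    blocked = check_message("a.nurse@nhs.net",
                            ["b.worker@nhs.net", "Jo <jo@council.gcsx.gov.uk>",
                             "c@example.org"])
    print("recipients needing another transfer method:", blocked)
```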
APPENDIX A: USEFUL CONTACTS

Accountable Officer: Matthew Tait, Chief Officer, [email protected]
Caldicott Guardian: Sarah Bellars, Director of Nursing, [email protected]
Senior Information Risk Owner: Nigel Foster, Chief Finance Officer, [email protected]
Information Governance Lead: Christina Gradowski, Head of Corporate Affairs, [email protected]
Information Governance Manager: Tracey Burrows (CSCSU), [email protected]
Freedom of Information Administrator: Claire Williams, [email protected]
Freedom of Information Team (CSCSU) (Subject Access Requests only): Anthea York (CSCSU), [email protected]
APPENDIX B: ROLES & RESPONSIBILITIES

CCG Governing Bodies
- Define CCGs' policies in respect of legislation and guidance (Appendix J & K)
- Ensure the organisation complies with policies, laws, standards, codes of practice and national guidance
- Ensure sufficient resources are provided to support the requirements of CCGs' policies
- Cascade policies to respective departments and support implementation
- Uphold oversight of confidentiality issues and requirements

IM&T Board (responsible to the CCGs' Governing Bodies)
- Review and approve information governance policies and procedures
- Recommend to the CCGs' Governing Bodies approval of IG policies and procedures
- Promote IG best practice across the CCGs
- Identify ways of utilising information technology and information management to improve the efficiency and effectiveness of CCG work, e.g. paperless meetings, information dashboard etc.
- Identify and address any IG implications when identifying ways of utilising information technology and information management to improve the efficiency and effectiveness of CCG work, including the introduction of new products/technology
- Monitor information governance issues and risks
- Ensure risks are appropriately prioritised and adequately controlled, communicating any high or extreme risks to the CCGs' Governing Bodies
- Oversee day-to-day FOI issues and promote compliance with FOI Act best practice across the CCGs
- Recommend to the CCGs' Governing Bodies approval of the FOI Policy and FOI Publication Scheme
- Recommend to the CCGs' Governing Bodies approval of the yearly IG Toolkit submissions
- Review IG Toolkit procedures and progress with meeting the standards
- Monitor IG incidents, Serious Incidents Requiring Investigation (SIRI) and complaints, and ensure appropriate action has been taken by the CCGs
- Receive reports, audits and training data relating to information governance

Accountable Officer
The Chief Officer is the Accountable Officer for the CCGs, responsible for management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity.
- Accept accountability for Information Governance, Information Security and Business Continuity
- Ensure the CCGs are compliant with legislation such as the Data Protection Act and Freedom of Information Act, as well as raising awareness and setting a culture of openness, transparency and compliance
- Develop and maintain policies, standards, procedures and guidance
- Sign the annual Statement of Internal Control (SIC), which includes the management of information risk and information governance practice, providing assurance that all risks to the CCGs, including those relating to information, are effectively managed and mitigated

Caldicott Guardian (Director of Nursing)
- Guide the CCGs on matters of confidentiality relating to patient information and act as a conscience on its use. The role is pivotal in ensuring the balance between maintaining confidentiality and the delivery of care.
- Protect the confidentiality of person confidential data (PCD) and ensure it is shared appropriately and in a secure manner
- Maintain oversight of confidentiality issues and requirements
- Act as a champion for information governance at all levels within the organisation and advise on all aspects of information sharing and both the lawful and ethical processing of information
- Ensure staff comply with the Caldicott Principles (see Appendix G) and the NHS Confidentiality Code of Practice
- Formally register on the National Register of Caldicott Guardians
- Provide guidance when an FOI Act request raises Caldicott issues
- Provide feedback of any IG issues to the CCGs' Governing Bodies and advise on progress and major issues that may arise
- Cascade requirements of the policy to respective departments and support its implementation
- Provide guidance when a Freedom of Information Act request raises the issue of confidentiality

Senior Information Risk Owner (SIRO)
NOTE: The SIRO is the Chief Financial Officer for the CCGs' Governing Bodies and is an executive Board member with allocated lead responsibility for the organisation's information risks. This role is supported by the Caldicott Guardian, Information Governance Manager, Information Asset Owners and Information Asset Administrators.
- Ensure the CCGs have robust policies and procedures in place, reviewing and approving those policies and procedures and ensuring the security of information at all times
- Understand how the strategic business goals of the CCGs will be impacted by information and cyber security risk, act as an advocate for information and cyber security risk, and provide focus for the management of information risk at Board level
- Provide the Accountable Officer with assurance that information risks, including security threats, are being managed appropriately and effectively across the organisation and for any services contracted by the organisation
- Ensure the CCG Governing Bodies and the Chief Officer are kept up to date on all information risk issues and provide written advice to the Chief Officer on the content of their Annual Statement of Internal Controls (SIC)
- Provide an essential role in ensuring that identified information security threats are investigated and incidents managed
- Provide guidance and leadership, although the ownership of the information risk assessment process will remain with the SIRO
- Provide guidance when an FOI Act request raises issues of information risk

Information Governance Lead (IGL)
NOTE: The IGL is the Head of Corporate Affairs and is accountable for ensuring effective accountability, management, compliance and assurance in relation to all aspects of the development and implementation of the Information Governance Management Framework.
- Accept accountability for day-to-day operational management of the Records Management programme, drafting policies and procedures, conducting audits and supporting staff training with the Records Management functionality
- Ensure the adequacy of the Information Governance Framework and inform the Executive team of any anticipated changes to the Information Governance agenda
- Develop and arrange an information governance audit programme annually with the Internal Audit Service

Information Governance Manager (CSCSU)
- Support the Caldicott Guardian in fulfilling their role
- Provide expert advice with regard to compliance with information governance legislation and guidance
- Ensure that the information governance programme is implemented throughout the CCGs
- Develop, review and maintain IG policies, procedures and guidance, including maintaining the IG intranet pages
- Ensure that the CCGs have solutions in place for information security and that policies and procedures are implemented and adhered to
- Develop, collate and upload evidence to the IG Toolkit to support the organisation's compliance statement and complete annual IG Toolkit submissions on behalf of the CCGs
- Develop and manage improvement plans to ensure continued compliance with the IGT at Level 2
- Develop training and awareness materials and provide additional training to support IG training, which should be completed via the HSCIC Training Tool
- Monitor staff compliance with mandatory training and specialist training and produce training reports for the Information Governance Lead and IM&T Board
- Assist with the investigation of IG incidents, provide support with Serious Incidents Requiring Investigation (SIRIs) and report via the IG Toolkit where necessary to ensure the CCGs comply with legislation, policies and procedures
- Report IG incidents to the IG Lead, SIRO and Caldicott Guardian and update the IM&T Board at monthly meetings
- Develop an annual confidentiality audit plan and report any risks identified through audits and assessment processes to the IG Lead, SIRO, Caldicott Guardian and IM&T Board
- Support Information Asset Owners (IAOs) with completing Data Flow Mapping and Risk Assessments and act as a central repository for Risk Registers, which are submitted on a quarterly basis by IAOs
- Review Risk Registers and provide the SIRO with summarised reports highlighting any risks to the organisation

Freedom of Information (FOI) Coordinator
- Ensure compliance and conformance with the FOIA 2000 by responding to requests for information made by staff, patients or members of the public within mandated timescales
- Develop FOI policies, procedures and guidance
- Develop and publish approved FOI Publication Schemes on the CCGs' internet sites and proactively publish certain information via the Publication Scheme
- Complete specialised training in relation to FOI
- Develop and maintain FOI training materials and ensure staff receive FOI training

Freedom of Information (FOI) Team (CSCSU) (responsible for Subject Access Requests only)
- Process requests made by staff or patients to access their own personal information (Subject Access Requests)
- Provide assurance to the Head of Corporate Affairs that Subject Access Requests received have been dealt with in accordance with the requirements of the Data Protection Act

IT
- Configure technology so that it meets the requirements of information governance policies and procedures, collaborating on wider data management/lifecycle issues

All Managers
- Ensure all staff (including casual staff, e.g. contractors, temps etc.) who have access to information or computer systems necessary to carry out their role have access to relevant policies and guidelines regarding information governance
- Ensure that policies and procedures are built into local processes to ensure compliance, and that compliance is regularly audited and reported to the IM&T Board
- Ensure staff follow the records management policy and have completed records management training
- Ensure that staff comply with and respond to Subject Access Requests and Freedom of Information Act requests within the required timescales
- Co-ordinate the training and development of staff, ensuring they receive induction training, complete IG mandatory training on an annual basis and complete additional specialised training relevant to their role
- Address any training needs at personal development sessions or during process change or a change in duties
- Promote a culture of good information governance; managers are responsible for reporting actual or suspected incidents which may affect the ongoing security and confidentiality of information within the CCG and will cooperate fully with any investigation into information governance breaches
- Understand the importance of Business Continuity Plans and ensure that staff are aware of the procedures to follow in the event of potential threats to the operation of the CCG, to minimise interruption to CCG activities (e.g. data processing and communications)
- Ensure all staff have appropriate and secure access to the IT systems necessary for their role and ensure that access is removed and equipment returned when staff leave the organisation
- Ensure that personnel allocated mobile ICT equipment have a genuine need for mobile computing and that, if authorised to work from home, all other staff regulations are met, e.g. Health and Safety requirements
- Ensure all equipment allocated for mobile working is encrypted to the required standard and that all their staff have access to a network drive or other secure backup devices to back up and store confidential information
- Promote a culture that supports transparency and openness as set out within the FOI Act

All Staff (permanent, temporary, contracted, voluntary etc.)
- Ensure awareness of the requirements incumbent on them, keep abreast of legislation, guidance and standards, and ensure they comply with these on a day-to-day basis
- Access policies and guidelines regarding information governance and seek further guidance if required
- Sign up to conform to the terms of the CCGs' Information Governance policy in signing their contract of employment
- Undertake mandatory IG training via the HSCIC IG Training Tool and complete any additional IG specialised training specific to their role
- Complete information governance refresher training every year and alert their manager should they feel additional training or guidance is required
- Preserve the security of the assets and information of the CCGs by behaving responsibly and according to guidance when access is given to any information/IT systems
- Maintain the availability of all data by ensuring that equipment is protected from security risks and stored safely at all times
- Take all reasonable measures to safeguard mobile computing equipment and ensure it is used in accordance with the CCGs' policies and procedures
- Ensure that mobile equipment is encrypted in line with standard policies and procedures, that all information stored on this equipment is backed up appropriately before becoming mobile, and seek support and assurance from the ICT Service Desk
- Highlight risks or concerns encountered whilst undertaking their duties that may threaten the security of information and report them to line managers
- Be aware of their responsibilities when using personal information, which may only be used in accordance with the Data Protection Act 1998, and maintain the confidentiality and security of data within the CCG by ensuring that only authorised people can gain access to the information and systems and by not disclosing or allowing access to information to anyone who has no right to know or see it
- Maintain the integrity of all data within the CCG by taking care over data input, learning how the systems should be used, keeping up-to-date with changes which may affect how they work and reporting apparent errors
- Understand that all staff are record keepers and are expected to create and file records in line with the CCGs' Records Management Policy
- Create and maintain records which are accurate, appropriate and retrievable, and ensure that requests for information and possible re-use are passed in a timely manner to the FOI Co-ordinator for processing
- Ensure that documents relevant to or required for the CCG's FOI Publication Scheme are provided for publication
- Ensure immediate action is taken on receipt of an FOI request from the FOI Co-ordinator and a response is provided within the required timescales
- Ensure that disclosures to formal FOIA requests are not made outside the defined processes, so that inappropriate disclosures are avoided
- Report actual or suspected incidents which may affect the ongoing security and confidentiality of information within the organisation

Information Asset Owners (IAOs)
IAOs are those in senior positions such as Directors or Heads of Departments or equivalent who are directly accountable to the SIRO in relation to information assets and information risks, and are supported by the IG Manager in fulfilling their role.
- Understand what information is held, why it is held, how it is handled, and who has access and why, for their own area
- Complete and maintain Data Flow Mapping and Risk Assessments, Asset and Risk Registers and Business Continuity Plans for their assets
- Understand and address risks to the information assets they own and provide assurance to the SIRO on the security and use of the assets, which includes provision of mitigation plans with specific actions and completion dates and will include any external dependencies
- Submit Risk Registers to the IG Manager on a quarterly basis, so that summarised reports can be provided to the SIRO
- Adhere to Records Management and IG frameworks
APPENDIX C: DATA PROTECTION ACT PRINCIPLES

The Data Protection Act 1998 became law in March. It sets standards which must be satisfied when obtaining, recording, holding, using or disposing of personal data. These are summarised by the 8 Data Protection Principles.

The Data Protection Act Principles: personal data must be
1. Processed fairly and lawfully.
2. Processed for specified purposes.
3. Adequate, relevant and not excessive in relation to the purpose(s).
4. Accurate and kept up-to-date.
5. Not kept for longer than necessary.
6. Processed in accordance with the rights of Data Subjects.
7. Protected by appropriate security (practical and organisational).
8. Not transferred outside the EEA without adequate protection.

As well as information held on computers, the Data Protection Act 1998 also covers most manual records, e.g. Health, Finance, Personnel, Suppliers, Occupational Health, Contractors, Volunteers, Card Indices.
APPENDIX D SCHEDULE 2 CONDITIONS TO THE DATA PROTECTION ACT

Personal data shall not be processed unless at least one of the conditions in Schedule 2 is met. Sensitive personal data shall not be processed unless at least one condition in Schedule 2 and at least one condition in Schedule 3 are met.

Schedule 2 Conditions:
- The individual whom the personal data is about has consented to the processing.
- The processing is necessary:
  - in relation to a contract which the individual has entered into; or
  - because the individual has asked for something to be done so they can enter into a contract.
- The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
- The processing is necessary to protect the individual's vital interests. This condition only applies in cases of life or death, such as where an individual's medical history is disclosed to a hospital's A&E department treating them after a serious road accident.
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
- The processing is in accordance with the legitimate interests condition.

Schedule 3 Conditions:
- The individual whom the sensitive personal data is about has given explicit consent to the processing.
- The processing is necessary so that you can comply with employment law.
- The processing is necessary to protect the vital interests of:
  - the individual (in a case where the individual's consent cannot be given or reasonably obtained), or
  - another person (in a case where the individual's consent has been unreasonably withheld).
- The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
- The individual has deliberately made the information public.
- The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
- The processing is necessary for administering justice, or for exercising statutory or governmental functions.
- The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
- The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
APPENDIX E COUNTRIES WITHIN THE EEA

This relates to Data Protection Act Principle 8. Below is a list of the countries in the EEA (the EU countries plus Iceland, Liechtenstein and Norway):

Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
APPENDIX F MODEL FAIR PROCESSING NOTICE

The below is a Model Fair Processing Notice which is used by the CCGs and published on their internet sites:

Model Fair Processing Notice

NHS [Name of CCG] Clinical Commissioning Group (CCG) treats the confidentiality of the data we hold about people living in [Name of CCG area] very seriously. This page provides an overview of the information we hold, why we hold it and how we store it securely.

We are a commissioning organisation, which means we are involved in high level planning of healthcare, not the individual care of patients. However, in some instances we receive information from health and social care providers and other public sector organisations such as the police or local authorities.

You must also be aware of the following documents:

NHS Constitution
The NHS pledge to service users that it will respect you, provide opportunities for informed consent and treat your personal data with confidentiality. Furthermore, you have the right of complaint should things go wrong.

NHS Care Record Guarantee
Emphasises the rights you have to request copies of your personal data, the NHS duty to retain accurate records, and how that data is protected under the Data Protection Act. It requires good practice by NHS staff to discuss with you and agree what information they will keep about you. The Guarantee provides 12 commitments about the use of your personal data in line with NHS confidentiality requirements.

Your health details
Your own personal health information is only used by those who are looking after you to provide what you need as an individual patient. The CCG may use this information for Continuing Health Care, Individual Funding Requests and NHS Funded Nursing Care. There are other circumstances, which are described below, when your patient-related information is used and held in a secure system, so that your identity is protected. This sort of information is used in a variety of ways:
1. To plan for future local healthcare needs
2. To identify patients who may be at risk of developing particular health problems

The type of information shared, and how it is shared, is controlled by law and strict confidentiality rules. An example of such use is Risk Stratification, where we look at the potential risk of patients developing certain health problems.

The legal basis under which the information/data was supplied
We will only use personal information when this is needed to provide your care. You will be requested when necessary to provide your consent for a specific type of healthcare. Alternatively, it may be provided by clinicians involved in your care.
How we protect your privacy
We use security controls to protect against the loss, misuse and alteration of data used on our systems. These security controls represent best practice for data in transit and at rest and are reviewed on a frequent basis through our service provider, NHS Central Southern Commissioning Support Unit.

Sharing and Usage
We will never share, sell, or rent your personal information to anyone without your advance permission or unless ordered by a court of law. Information submitted to us is only available to employees managing this information for the purposes of contacting you or sending you e-mails based on your request for information, and to contracted service providers for the purposes of providing services relating to our communications with you.

Typically your healthcare data is used as follows:
- to look after the health of the general public, e.g. notifying central NHS groups of outbreaks of infectious diseases
- to undertake clinical audit of the quality of services provided
- risk profiling to identify patients who would benefit from proactive intervention
- case management where the NHS offers intervention and an integrated care programme involving multiple health and social care providers
- to report and investigate complaints, claims and untoward incidents
- to prepare statistics on our performance for the Department of Health
- to review our care to make sure that it is of the highest standard

Your NHS number is processed on backing invoice information to validate payment for healthcare services provided, e.g. where you receive emergency treatment on holiday in the UK.

The CCG is supported in a number of its functions by its service provider, NHS Central Southern Commissioning Support Unit. This is an NHS organisation which operates to the same standards of data protection and information security as the CCG. We don't process any patient data overseas.

Through sharing information ethically and lawfully the NHS is able to improve its understanding of the most important health needs and the quality of the treatment and care provided.

Disclosure, for what purposes and associated security measures
We disclose the minimum necessary information to health and social care providers where this is necessary to provide direct patient care. We may from time to time disclose information where there is a statutory requirement to do so, for example to assist the police in investigating certain crimes, to prevent child abuse and for other similar reasons. We communicate in the public sector using secure systems. Where secure exchange isn't possible, we encrypt outgoing information to AES256 standard. Personal information communicated in hard copy is sent via internal mail within the NHS in [name of CCG] or by secure mail.

Data Protection Act 1998
In accordance with the Data Protection Act 1998, we have a legal duty to protect any information we collect from you. We will only use your information for the purpose described and we do not pass on your details to any third party unless you have given us permission to do so. You have a right to access your personal data and to rectify any inaccuracies, and you can request this information from:

[Name of CCG] Clinical Commissioning Group
[Any Road, Anytown, Anywhereshire ZZ1 2YY]
Tel: [xxxx xxxxxx]
[e-mail address]
APPENDIX G CALDICOTT PRINCIPLES

The term Caldicott refers to a review commissioned by the Chief Medical Officer. A review committee, under the chairmanship of Dame Fiona Caldicott, investigated ways in which patient information is used in the NHS. The review committee also made a number of recommendations aimed at improving the way the NHS handles and protects patient information. These are summarised by seven information management principles known as The Seven Caldicott Principles.

The Caldicott Principles
1. Justify the purpose(s) of using confidential information.
2. Only use it when absolutely necessary.
3. Use the minimum that is required.
4. Access should be on a strict need-to-know basis.
5. Everyone must understand his or her responsibilities.
6. Understand and comply with the law.
7. The duty to share can be as important as the duty to protect patient confidentiality.
APPENDIX H FREEDOM OF INFORMATION - MODEL PUBLICATION SCHEME: Classes of Information

1 - Who we are and what we do.
[ORGANISATION NAME] is led by clinicians, mainly GPs. This is important because GPs are the first point of contact with the NHS for most people and are the clinicians who know most about their patients' health and wellbeing needs. Approximately 80% of NHS contacts are with GPs. When decisions are being made about how the budget should be spent or which services should be developed or changed, it will be GPs and other clinicians leading the way. A key priority for local GPs is to have a greater focus on the quality of services. It is also expected that CCGs will be more accountable to the public. The [ORGANISATION NAME] has been provided with a budget that reflects the health needs of this area. As with all public services, we need to make our money work well for us. We will make sure we make the best use of the money available and that local people have access to the good quality services that they need. Further information is available on the "Who we are" page of the website: [HYPERLINK]

2 - What we spend and how we spend it.
In this section we will add information on how to access financial information about the CCG. [HYPERLINK]

3 - What our priorities are and how we are doing.
The GP practices in [LOCATION] have been considering what the priorities for the WAM CCG should be for the coming year. They have been looking at the evidence about the health needs of the population and a number of priorities have been identified: [HYPERLINK]

4 - How we make decisions.
Details about membership of the CCG Board can be found here: [HYPERLINK]
Dates of Board Meetings being held in public can be found here: [HYPERLINK]

5 - Our policies and procedures.
In this section we will add information on how to access current written protocols for delivering our functions and responsibilities. [HYPERLINK]

6 - Lists and Registers.
In this section we will add information on how to access information held in registers required by law and other lists and registers relating to the functions of the authority. [HYPERLINK]
7 - The Services we Offer.
In this section we will add information on how to access information about the NHS services available in the CCG area: [HYPERLINK]

Written Requests
Information held by a public authority that is not published under this scheme can be requested in writing, when its provision will be considered in accordance with the provisions of the Freedom of Information Act. Details of how to make such a request can be found here: [HYPERLINK]
APPENDIX I FREEDOM OF INFORMATION ACT EXEMPTIONS

There are two types of class exemption:
a) Absolute, which do not require a test of prejudice or the balance of public interest to be in favour of non-disclosure.
b) Qualified by the public interest test, which require the public body to decide whether any public interest in disclosure is outweighed by the public interest in non-disclosure.

With the exception of S21 (information available by other means), qualified exemptions require organisations to consider whether it is in the public interest not to disclose information.

The absolute exemptions under the Act are:
- Section 21, Information accessible to applicant by other means
- Section 23, Information supplied by, or relating to, bodies dealing with security matters
- Section 32, Court Records
- Section 34, Parliamentary Privilege
- Section 36, Prejudice to effective conduct of public affairs (so far as relating to information held by the House of Commons or the House of Lords)
- Section 40, Personal Information (where disclosure may contravene the Data Protection Act 1998)
- Section 41, Information provided in confidence
- Section 44, Prohibitions on disclosure

The exemptions that are qualified by the public interest test are:
- Section 22, Information intended for future publication
- Section 24, National Security
- Section 26, Defence
- Section 27, International Relations
- Section 28, Relations within the United Kingdom
- Section 29, The Economy
- Section 30, Investigations and proceedings conducted by public authorities
- Section 31, Law Enforcement
- Section 33, Audit Functions
- Section 35, Formulation of Government Policy
- Section 36, Prejudice to effective conduct of public affairs (for all public authorities except the House of Commons and the House of Lords)
- Section 37, Communications with Her Majesty, etc. and honours
- Section 38, Health and Safety
- Section 39, Environmental Information
- Section 42, Legal Professional Privilege
- Section 43, Commercial Interests
APPENDIX J RELATED POLICIES, PROCEDURES & GUIDANCE, REFERENCES

These policies should be read in conjunction with:
- Data Protection & Confidentiality Policy
- Business Continuity Framework & Plan
- Confidentiality Audit Procedures
- Freedom of Information Act Policy
- Incident Management Policy
- Information Governance Framework
- Information Governance Policy
- Information Security Policy
- IT Security Policy (CSCSU)
- Mobile Information Technology Policy
- Records Management Policy
- Risk Management Strategy and Policy (CSCSU)
- Subject Access Request Policy & Procedures
- Training & Awareness Plan
- Transfer of Personal Information Procedures

Other policies and procedures may become available during the lifespan of this policy.
RELATED GUIDANCE:
- A Guide to Confidentiality in Health and Social Care (HSCIC)
- Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation (IG SIRI) (HSCIC)
- Civil Contingencies Act 2004
- Code of Practice on Confidential Information (HSCIC)
- Data Sharing Code of Practice (Information Commissioner's Office)
- Fair Processing Strategy (NHS England)
- Information Governance Guidance on Legal and Professional Obligations (Department of Health)
- Information Governance Toolkit
- Information Security Management - NHS Code of Practice (Department of Health)
- Information: To share or not to share? - Information Governance Review (Caldicott 2)
- Records Management - NHS Code of Practice (Department of Health)
- NHS Care Records Guarantee
- NHS Commissioning Board Emergency Preparedness Framework 2013
- NHS Commissioning Board Business Continuity Management Framework (service resilience) (2013)
- NHS Confidentiality Code of Practice (DoH)
- PAS 2015 Framework for Health Services Resilience

REFERENCES:
- Information Commissioner's Office
- Department of Health
- Health and Social Care Information Centre (HSCIC)
- NHS England
- IT Daily Backup Policy (CSCSU)
APPENDIX K LEGAL FRAMEWORK

Legislation that can have a bearing on the way information should be handled includes:
- Access to Health Records Act 1990
- Common Law Duty of Confidentiality
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act 1988
- Crime and Disorder Act 1998
- Data Protection Act 1998
- Electronic Communications Act 2000
- Freedom of Information Act 2000
- Health and Social Care Act 2012
- Human Rights Act 1998
- Privacy and Electronic Communications Regulations 2003
- Regulation of Investigatory Powers Act 2000
- Mental Capacity Act 2005
- Public Interest Disclosure Act 1998
- Public Records Act 1958
- Human Fertilisation and Embryology Act 1990
- Abortion Regulations 1991
- Terrorism Act 2000
- Regulations under the Health and Safety at Work Act 1974
- International information security standard: ISO/IEC 27002:2005
APPENDIX L IG TRAINING MATRIX

Basic Mandatory Modules: Introduction to Information Governance (4); Information Governance: The Beginners Guide (5); Information Governance: The Refresher Module (6).

Role Specific Modules: Patient Confidentiality; Caldicott Guardian in the NHS & Social Care; Secure Handling of Confidential Information; Access to Information & Information Sharing in the NHS; NHS Risk Management: Introductory; NHS Risk Management: Foundation; NHS Risk Management for SIROs and IAOs; Password Management; Information Security Guidelines; Secure Transfers of Personal Data; Information Security Management; Business Continuity Management; Records Management & The NHS Code of Practice; Records Management in the NHS; Access to Health Records.

The matrix records, for each job role, whether a module is required in Year 1 or from Year 2 on.

Job Roles:
- Admin/Clerical - Access to Personal Information
- Clinical - Allied Health Professional
- Clinical - Dentistry Staff
- Clinical - Optometry Staff
- Clinical - Pharmacy Staff
- Health Care Assistant/Auxiliary Nurse
- Information Technology Support Staff
- Operational Mgr/Support - Access to Personal Info
- Data Protection & Confidentiality Responsibilities
- Caldicott Guardian
- Director/Senior Manager - Access to Personal Information
- Freedom of Information Lead or Support Staff

(4) Mandatory for staff (temporary and permanent), contractors, volunteers, executive directors, non-executive directors and lay members who have access to personal data, to be completed in the first financial year.
(5) Mandatory for staff (temporary and permanent), contractors, volunteers, executive directors, non-executive directors and lay members who do not have access to personal data, to be completed in the first financial year.
(6) To be completed by all staff (temporary and permanent), contractors, volunteers, executive directors, non-executive directors and lay members, regardless of whether they have access to personal information, for each subsequent year following previous completion of either the Introduction to Information Governance or Information Governance: The Beginner's Guide in the first year.
IG Training Matrix (continued). Job Roles:
- Health Records Manager and Support Staff
- Information Asset Administrator
- Information Asset Owner
- Information Governance Manager or Support
- Information Risk Manager
- Information Security Officer Lead or Support
- Information Technology Management
- Records Manager and Support Staff
- SIRO Senior Information Risk Owner
- Social Care Staff
IG Training Matrix (continued). Job Roles:
- Admin/Clerical - Other
- Estates/Maintenance, e.g. Porters, Domestics, Laundry and Voluntary Staff
- Director/Senior Manager - Other
- Non Clinical Staff
- Non-Executive Director
- Operational Manager and Support Staff
APPENDIX M CHECKLIST FOR THE REVIEW AND APPROVAL OF PROCEDURAL DOCUMENT: EQUALITY IMPACT ASSESSMENT TOOL

Title of document being reviewed: (Yes/No; Comments)

1. Does the policy/guidance affect one group less or more favourably than another on the basis of:
   - Race: No
   - Ethnic origins (including gypsies and travellers): No
   - Nationality: No
   - Gender: No
   - Culture: No
   - Religion or belief: No
   - Sexual orientation, including lesbian, gay and bisexual people: No
   - Age: No
   - Disability (learning disabilities, physical disability, sensory impairment and mental health problems): No
2. Is there any evidence that some groups are affected differently? No
3. If you have identified potential discrimination, are any exceptions valid, legal and/or justifiable? N/A
4. Is the impact of the policy/guidance likely to be negative? No
5. If so, can the impact be avoided? N/A
6. What alternatives are there to achieving the policy/guidance without the impact? N/A
7. Can we reduce the impact by taking different action? N/A

If you have identified a potential discriminatory impact of this procedural document, please refer it to the Head of Corporate Affairs, together with any suggestions as to the action required to avoid/reduce this impact.
INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER
INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE
Information Governance Plan
Information Governance Plan 2013 2015 1. Overview 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources.
INFORMATION GOVERNANCE POLICY
INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended
Information Governance Framework and Strategy. November 2014
November 2014 Authorship : Committee Approved : Chris Wallace Information Governance Manager CCG Senior Management Team and Joint Trade Union Partnership Forum Approved Date : November 2014 Review Date
Data Protection Policy
Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages
MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY
MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency
Information Governance Policy
BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY
DATA PROTECTION POLICY
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
Information Governance Strategy
Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:
Information Governance Policy
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
INFORMATION GOVERNANCE POLICY
ENFIELD CLINICAL COMMISSIONING GROUP INFORMATION GOVERNANCE POLICY PLEASE DESTROY ALL PREVIOUS VERSIONS OF THIS DOCUMENT Enfield CCG Information Governance Policy Information Governance Policy (Policy
Data Protection Policy
Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT
NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group. Information Governance Strategy 2015/16
NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Final No impact Document Ratified/Approved By Hartlepool
Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1
Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees
Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.
Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments
Policy Document Control Page
Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:
Information Governance Policy
Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact
Information Governance Strategy
Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the
Information Governance Strategy
Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version
OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;
OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation
Information Governance Strategy. Version No 2.1
Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of
INTERNATIONAL SOS. Data Protection Policy. Version 1.05
INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA
Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
INFORMATION GOVERNANCE POLICY
INFORMATION GOVERNANCE POLICY Page 1 of 46 Policy Title: Executive Summary: Information Governance Policy This policy seeks to identify the actions required to ensure that information is appropriately
NETWORK SECURITY POLICY
NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet
Information Governance Policy
Information Governance Policy Version: Revised: Consultation: Ratified by: 1.0 Information Governance Committee Governance Committee Date ratified: 19 March 2008 Name of originator/author: David McGrath
Data Protection Policy June 2014
Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:
NHS Commissioning Board: Information governance policy
NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION
INFORMATION GOVERNANCE
This document is uncontrolled once printed. Please refer to the Trusts Intranet site (Procedural Documents) for the most up to date version INFORMATION GOVERNANCE NGH-PO-233 Ratified By: Procedural Document
HERTSMERE BOROUGH COUNCIL
HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act
Corporate Policy and Strategy Committee
Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset
INFORMATION GOVERNANCE POLICY
INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:
Information Integrity & Data Management
Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is
INFORMATION GOVERNANCE POLICY
INFORMATION GOVERNANCE POLICY POLICY NO IM&T 011 DATE RATIFIED January 2012 NEXT REVIEW DATE January 2015 POLICY STATEMENT/KEY OBJECTIVE: To provide an overarching framework through which Information Governance
Protection. Code of Practice. of Personal Data RPC001147_EN_D_19
Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility
Data Protection Policy
Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and
SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager
SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY Report to the Trust Board 22 September 2015 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations: Director
BEFORE USING THIS GUIDANCE, MAKE SURE YOU HAVE THE MOST UP TO DATE VERSION GUIDANCE 2 POLICY AREA: INFORMATION GOVERNANCE
GUIDANCE 1 TITLE: INFORMATION GOVERNANCE FRAMEWORK 2 POLICY AREA: INFORMATION GOVERNANCE 3 ACCOUNTABLE DIRECTOR FOR POLICY AREA: DIRECTOR OF QUALITY AND GOVERNANCE 4 GUIDANCE DRAFTED BY: INTEGRATED GOVERNANCE
CCG: IG06: Records Management Policy and Strategy
Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of
How To Understand The Data Protection Act
DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and
Data Protection. Policy and Application July 2009
Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:
GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4
GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection
Corporate ICT & Data Management. Data Protection Policy
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
Information Management Policy CCG Policy Reference: IG 2 v4.1
Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control
Information Governance Policy
Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading
