INFORMATION GOVERNANCE HANDBOOK


SECTION ONE

Author: Tracey Burrows
Role: Information Governance Manager (CSCSU)
Date / Version: February 2015, Version FINAL V1.0
Approved by: IM&T Board
Date: 27 February 2015
Review date: April 2017

This handbook may be made available to the public and persons outside of the CCG as part of the CCG's compliance with the Freedom of Information Act.

Information Governance Policy Handbook V1.0 Page 1

DOCUMENT CONTROL SUMMARY

Title: Information Governance Handbook
Lead Officer: Head of Corporate Affairs
Purpose of document: IG is the practice used by all organisations to ensure that information is efficiently managed and that appropriate policies, system processes and effective management accountability provide a robust governance framework for safeguarding information. This handbook is to acquaint employees with the framework, policies and procedures covering all aspects of the Information Governance (IG) agenda so that staff understand both the spirit and the detail of what is expected of them.
Status: FINAL
Version No.: 1.0
Date: February 2015
Author(s): Information Governance Manager, CSCSU
Date of approval by Governing Body: 27 February 2015
Review Date: April 2017

VERSION CONTROL SUMMARY

Version   Date     Status   Comment/Changes
          /02/15   DRAFT    Draft IG Handbook
1.0       /2/15    FINAL    Final document approved by IM&T Board

CONTENTS

Section  Title                                               Page
1        Information Governance Handbook                        1
         Introduction                                           5
         Scope                                                  5
         Responsibilities                                       6
         Dissemination                                          6
         Non-Compliance                                         7
         Related Policies and Procedures                        7
         Related Guidance                                       7
         Policy Review                                          7
         Public Sector Equality Duty                            7

Policies/Frameworks
2        Information Governance Framework                       8
3        Information Governance Policy                         13
4        Data Protection and Confidentiality Policy            18
5        Information Security Policy                           32
6        Records Management Policy (NEW)                       36
7        Freedom of Information Act Policy (NEW)               43
8        Subject Access Request Policy & Procedures (NEW)      49
9        Business Continuity Framework & Plan
10       Mobile Information Technology Policy (NEW)
11       Incident Management Policy (TBC)
12       Training and Awareness Plan (NEW)                     98

Procedures
13       Confidentiality Audit Procedures
14       Transfer of Personal Information Procedure           120

Appendices
A   Useful Contacts                                       126
B   Roles & Responsibilities                              127
C   Data Protection Act Principles                        133
D   Schedule 2 Conditions to the Data Protection Act      134
E   Countries Within The EEA                              135
F   Model Fair Processing Notice                          136
G   Caldicott Principles                                  139
H   Freedom of Information - Model Publication Scheme     140
I   Freedom of Information Act Exemptions                 142
J   Related Policies, Procedures, Guidance, References    143
K   Legal Framework                                       145
L   IG Training Matrix                                    146
M   Equality Impact Assessment Tool                       149

For the purposes of this handbook, Windsor, Ascot & Maidenhead CCG, Bracknell & Ascot CCG and Slough CCG will be referred to as the CCGs.

1. INTRODUCTION

It is essential to have the organisation's policies and procedures documented to comply with corporate and clinical governance standards and with statutory, legal and insurance requirements, and to ensure standardisation of practice and therefore efficiency, consistency and safety throughout the organisation.

This Information Governance Handbook evidences the CCGs' intentions and approach to fulfilling their statutory and organisational information governance (IG) responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and guidance (Appendices J and K) and with the organisation's aims and objectives. This handbook covers all aspects of IG, detailing how the different initiatives are managed and linked.

This handbook and the policies and procedures within it are approved by the IM&T Board.

2. SCOPE

This handbook and the policies and procedures within it apply to all CCG staff and other personnel working for and on behalf of the CCGs, including agency staff and contractors, to ensure that the CCGs meet their legal requirements.
This handbook includes policies and procedures to evidence compliance with the Department of Health's (DoH) IG Toolkit. The IG policies it contains, and the IG Toolkit requirement numbers each one addresses, are:

Policy/Procedure                                     Requirement
Information Governance Management Framework          130, 131, 133, 230, 231, 232, 340, 345
Information Governance Policy                        131, 231
Data Protection and Confidentiality Policy           131, 231, 235, 250
Information Security Policy                          131, 340, 341
Records Management Policy                            131
Freedom of Information Act Policy                    131
Subject Access Request Policy & Procedures           234, 250
Business Continuity Framework & Plan                 340, 346
Confidentiality Audit Procedures                     235
Transfer of Personal Information Procedures          131, 231, 232, 236, 350
Business Continuity Framework and Plan               346
Mobile Information Technology Policy                 348
Incident Management Policy                           349
Records Management Policy                            420
Training and Awareness Plan                          133, 134, 135, 231, 234, 345

The policies below are out of scope as they are provided by CSCSU:

CSCSU Policies/Procedures                                          Requirement
IT Change Control Policy                                           237
HR Induction Policy                                                250
IT Security Policy                                                 340, 344, 348
System Level Security Policy                                       340, 344, 346, 348, 352
Risk Management Strategy and Policy                                341
RA Policy                                                          342, 343
System Level Security Policy (Networked Services)                  344, 346, 347, 348
System Level Security Policy (Infrastructure Perimeter Security)   344, 346, 347, 348
Access Control Policy                                              344
Business Continuity Policy                                         340, 346
Business Continuity Framework and Plan                             346
Informatics Business Continuity Plan                               V
IT Disaster Recovery Plan                                          V
IT Daily Backup Policy                                             V
System Level Security Policy (Backup Infrastructure)               346
IT Disaster Recovery Plan                                          V
IT Mobile Working Policy                                           V
Transfer of Personal Information Procedures                        350
Acceptable Use of IT Policy                                        350
Pseudonymisation & Anonymisation of Data Policy (NHS BSA)          352

3. RESPONSIBILITIES

It is the role of the CCGs' Governing Bodies to define the policies in respect of IG and to ensure that sufficient resources are provided to support the requirements of those policies. IG policies apply to all staff who handle information obtained and processed on behalf of the CCGs. These responsibilities, including those of key roles, are outlined in more detail in Appendix B.

On commencement of employment all staff are provided with a Staff Contract which includes information governance clauses outlining their legal responsibilities. Staff should be aware that failure to comply with this policy will be seen as a breach of contract which may result in disciplinary action.

4. DISSEMINATION

The IG Handbook will be published on the CCGs' intranet site, and staff will be informed by email of its existence and of any changes made to this document.

5. NON-COMPLIANCE

Non-compliance with the policies within this handbook may result in:
- a breach of the law
- a breach of professional codes of conduct
- a breach of contract
- damage to personal and organisational reputation
- damage to public confidence in the CCGs
- embarrassment of data subjects
- compensation claims by data subjects
- the ICO taking enforcement action, including issuing penalty notices of up to £500,000
- operational activities being affected due to a failure to ensure that appropriate information is available when required.

Failure to comply with any of these policies may result in disciplinary action. Any non-compliance issues will be handled in accordance with the CCGs' Human Resources Policies and Procedures. Where non-compliance relates to partner organisations and third party organisations, it will be handled in accordance with contractual agreements and data sharing agreements.

6. RELATED POLICIES AND PROCEDURES

The policies and procedures within this IG Handbook should be read in conjunction with the related documents detailed in Appendices J and K. Additional policies and procedures may also be referenced within an individual policy itself.

7. RELATED GUIDANCE

For the purposes of this IG Handbook, other relevant legislation and appropriate guidance may be referenced as detailed in Appendices J and K. Additional legislation and guidance may be referenced within an individual policy itself.

8. POLICY REVIEW

This IG Handbook and the policies and procedures within it will be reviewed every two years to ensure they remain in line with best practice and legislative requirements, and will be presented to the IM&T Board for approval.

9. PUBLIC SECTOR EQUALITY DUTY

The CCGs aim to design and implement services, policies and measures that are fair and equitable. An equality analysis has been completed (Appendix N) for this policy and no adverse impact was identified. Should any adverse impact on equality subsequently be detected or highlighted by staff and other users of the policy, it will be analysed and remedial action taken as appropriate.

INFORMATION GOVERNANCE FRAMEWORK
SECTION TWO

1. INTRODUCTION

This document sets out the CCGs' approach to Information Governance (IG), which requires clear, effective and robust:
- management and leadership
- accountability structures
- governance processes
- documented policies and procedures

and, in addition:
- appropriately trained staff
- adequate resources.

The Department of Health (DoH) has developed a set of standard IG requirements. The CCGs are required to submit evidence via the IG Toolkit (IGT) which confirms compliance with those requirements. The IGT covers many aspects of IG, including:
- Information Governance Management
- Confidentiality and Data Protection Assurance
- Information Security Assurance
- Clinical Information Assurance

2. STRATEGIC AIMS

The aim of this Framework is to set out how the CCGs will effectively manage IG. Each CCG will achieve compliance by:

- establishing robust IG processes that conform to DoH standards and comply with relevant legislation
- establishing, implementing and maintaining policies for the effective management of information
- ensuring that clear information is provided for service users, families and carers about how their personal information is recorded, handled, stored and shared
- ensuring that IG responsibilities are included in all third party contracts and that assurance is obtained with regard to the robustness of third party IG practices during tendering and other negotiations
- providing clear advice and guidance to staff to ensure that they understand and apply the principles of IG in their working practice, and ensuring IG responsibilities are included in staff employment contracts
- sustaining an IG culture through increasing awareness and promoting IG, thus minimising the risk of breaches of personal data
- assessing the CCGs' performance using the IG Toolkit and internal audits, and developing and implementing action plans to ensure continued improvement.

3. RESPONSIBILITIES

The CCGs' Governing Bodies have overall responsibility for ensuring that the organisation complies with all laws, standards, policies, codes of practice and national guidance, and are also responsible for ensuring that sufficient resources are provided to support the requirements of this Framework. Senior roles and CCG Governing Body responsibilities are outlined in more detail in Appendix B.

4. RESOURCES

The CCGs currently contract with CSCSU for the provision of specific subject matter expertise and resource. Where relevant this is indicated in the following sections.

Head of Information Governance - CSCSU

The Head of Information Governance provides support in accordance with the Central Southern Commissioning Support Unit (CSCSU) Corporate Services Service Specification, and will oversee the provision of the IG and Subject Access Request (SAR) Service in line with that specification.

Information Governance Team - CSCSU

The IG Team are the subject matter experts with regard to IG and are responsible for the provision of professional advice and support to the CCGs on all aspects of IG,

including legal and professional compliance, risk assessment and management, incident management, IG Toolkit management, and document development and maintenance. The CCGs will be allocated an IG Manager as a first point of contact for IG related queries, but the CCGs can also call upon any member of the IG Team for IG support. The IG Team will be responsible for ensuring all tasks delegated to the CSCSU meet the required standards in line with the agreed service specification.

Key tasks delegated to the CSCSU include:
- developing and maintaining the currency of comprehensive and appropriate documentation that supports this framework, including relevant policies and procedures
- ensuring that there is senior level awareness and support for IG resourcing and implementation of improvements within the CCGs' Governing Bodies
- establishing working groups, if necessary, to co-ordinate the activities of staff given IG responsibilities and to progress initiatives
- ensuring annual assessments and IG audits are carried out, documented and reported
- ensuring that the annual assessment and improvement plans are prepared for approval by the Chief Officer and the CCGs' Governing Bodies in a timely manner
- ensuring that the approach to information handling is communicated to all staff
- ensuring that appropriate training is made available to staff
- liaising with other committees, working groups and programme boards in order to promote and integrate Information Governance standards
- monitoring information handling activities to ensure compliance with law and guidance
- providing a focal point for the resolution and/or discussion of IG issues, including incident management and reporting
- establishing, implementing and maintaining policies, procedures and guidance for the effective management of information.

Freedom of Information Team - CSCSU (this applies to Subject Access Requests only)

The FOI Team (CSCSU) are responsible for co-ordinating completed Subject Access Request (SAR) responses in respect of requests received from individuals ("Data Subjects") wishing to access their own personal data ("Subject Access"). The FOI Team (CSCSU) will ensure SARs are administered in line with the subject access provisions of the Data Protection Act 1998 and in accordance with the Corporate Services Service Specification. The FOI Team (CSCSU) will also co-ordinate completed responses in line with the requirements of the Access to Health Records Act 1990 in respect of access requests relating to deceased patients.

Information Security Lead - CSCSU Head of ICT

The Head of ICT (CSCSU) is responsible for ensuring that CSU information systems provided to the CCGs comply with IG requirements.

Human Resources (HR) Manager - CSCSU

The HR Manager is responsible for ensuring that appropriate Information Assurance clauses are included within staff employment contracts and Staff Handbooks.

5. TRAINING AND GUIDANCE

All staff must complete mandatory IG training appropriate to their role via the online HSCIC Information Governance Training Tool or via locally developed face-to-face information governance training. The CCGs mandate all staff to complete annual IG training relevant to their role, as identified in the Training Matrix (Appendix L). Staff must be aware of their responsibilities and complete additional training specific to their role, which should be monitored by managers.

In addition to staff training and workshops, staff will be informed of the latest information governance matters through internal communications, and these will be published on the IG intranet pages. Leaflets and posters will be distributed around the organisation to remind staff of their responsibilities.

[Diagram: CCG IG Framework. Policy and procedure layer: IG Framework, IG Policy, Data Protection Act Policy, FoI Act Policy, Information Security Policy, Subject Access Request Policy, Acceptable Use Policy*, Information Sharing Protocols, Transfer of Information Process, Records Management Policy, Privacy Impact Assessments Pro-forma, Data Flow Mapping, Asset Registers, Risk Assessment. Supporting elements: Appendix B (roles and responsibilities), Leaflets, Posters, Guidance, Internal Process, Training Packages & IGTT Admin, Staff Awareness, Regular Updates.]

INFORMATION GOVERNANCE POLICY
SECTION THREE

1. INTRODUCTION

Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management. It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management.

2. SCOPE

This policy covers all aspects of information, regardless of format, within the CCGs, including but not limited to:
- personal information (including that of patients and staff)
- organisational information.

This policy applies to the handling of information including, but not limited to:
- processing (including saving, storage, etc.)
- transmission (including email, fax, portable media, etc.).

The policy also applies to all information systems purchased, developed and managed by or on behalf of the CCGs, and to any individual employed directly or otherwise by the CCGs. This policy is underpinned by the standards set out in the IG Toolkit.

This policy should not be seen in isolation, as information supports all aspects of the CCGs' business, including corporate governance, risk management, clinical governance, performance management, etc. IG should therefore be adequately reflected in all relevant strategies, policies and procurement exercises.

3. RESPONSIBILITY

It is the responsibility of the CCGs' Governing Bodies to define the CCGs' policy in respect of IG, taking into account legal and NHS requirements. The CCGs' Governing Bodies are also responsible for ensuring that sufficient resources are provided to support the requirements of the policy. The IG Policy applies to all staff who handle personal information obtained and processed on behalf of the CCGs. These responsibilities, including those of key roles, are outlined in more detail in Appendix B. On commencement of employment all staff are provided with a Staff Contract which includes IG clauses setting out their IG responsibilities.

4. PRINCIPLES

The CCGs recognise the need for an appropriate balance between openness and confidentiality in the management and use of information. The CCGs fully support the principles of corporate governance and recognise their public accountability; however, they equally place importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information. The CCGs also recognise the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

The CCGs believe that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers (and ultimately, all employees of the CCGs) to ensure and promote the quality of information and to actively use information in decision making processes. By quality of information we mean information that is accurate, up to date and fit for purpose, and that can be relied on when used to make decisions, whether these decisions are clinical or non-clinical (such as service planning or commissioning). It must also be readily available when it is needed: information that cannot be retrieved or understood is of no use.

To support the principles set out in this policy, the CCGs acknowledge the importance of training and awareness in guiding staff to operate appropriately, and therefore mandate the following training:
- annual information governance training for all staff
- an information governance element in induction training / induction pack.

There are five key interlinked strands to the information governance policy:
- Openness
- Legal compliance
- Information security
- Quality assurance
- Confidentiality

Openness
- Non-confidential information on the CCGs and their services should be available to the public through a variety of media, in line with the code of openness.
- The CCGs will establish and maintain policies to ensure compliance with the Freedom of Information Act and will review the contents of the Publication Scheme on a regular basis.
- The CCGs will undertake or commission annual assessments and audits of their policies and arrangements for openness.
- Patients will have ready access to information relating to their own health care, their options for treatment and their rights as patients.
- The CCGs will have clear procedures and arrangements for liaison with the press and broadcasting media.
- The CCGs will have clear procedures and arrangements for handling queries from patients and the public.

Legal Compliance
- The CCGs regard all identifiable personal information relating to patients as confidential.
- The CCGs will undertake or commission annual assessments and audits of their compliance with legal requirements.
- The CCGs regard all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.
- The CCGs will establish and maintain policies to ensure compliance with the Data Protection Act, Human Rights Act, Freedom of Information Act and the common law duty of confidentiality.
- The CCGs will establish and maintain policies and protocols for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Acts, Crime and Disorder Act, Protection of Children Act; this list is not exhaustive).

Information Security
- The CCGs will establish and maintain policies and procedures for the effective and secure management of their information assets and resources.
- The CCGs will undertake or commission annual assessments and audits of their information and IT security arrangements.
- The CCGs will promote effective confidentiality and security practice to their staff through policies, procedures and training.
- The CCGs will establish and maintain incident reporting procedures, will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security, and will action the findings of these investigations, complete with appropriate recommendations.

Information Quality Assurance
- The CCGs will establish and maintain policies and procedures for information quality assurance and the effective management of records.
- The CCGs will undertake or commission annual assessments and audits of their information quality and records management arrangements.
- Managers will take ownership of, and seek to improve, the quality of information within their services.
- Wherever possible, information quality should be assured at the point of collection.
- Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
- The CCGs will promote information quality and effective records management through policies, procedures/user manuals and training.

Confidentiality
- The CCGs will establish and maintain policies that support a confidential way of working.
- The CCGs will put in place regular training sessions to ensure staff understand the concepts of confidentiality.
- The CCGs will ensure new technology and working practices support a confidential way of working.

- The CCGs will establish information sharing protocols with partner organisations whilst fully observing their common law duty of confidence and any other associated legal requirement.
- The CCGs will maintain a log of, and investigate, all breaches of confidentiality.
- All staff will discharge their duties in a manner that is in line with the common law duty of confidence and all other aspects of legal compliance.
- The CCGs will ensure that when person identifiable information is shared, the sharing complies with the law, guidance and best practice, and that both service users' rights and the public interest are respected.

DATA PROTECTION AND CONFIDENTIALITY POLICY
SECTION FOUR

1. INTRODUCTION

The CCGs have a legal obligation to comply with all appropriate legislation in respect of data, information and IT security. They also have a duty to comply with guidance issued by the Department of Health (DoH), the Information Commissioner's Office (ICO) and other advisory groups to the NHS, and with guidance used by professional bodies.

This Data Protection and Confidentiality Policy details how the CCGs will meet their legal obligations and NHS requirements concerning confidentiality and information security standards, and how they will ensure that those responsible for processing personal information are aware of their legal responsibilities. The requirements within this policy are primarily based upon the Data Protection Act 1998, which is the key piece of legislation covering the security and confidentiality of personal information.

2. POLICY STATEMENT

The CCGs believe that an individual's right to confidentiality is of vital importance and regard the law as ensuring the correct treatment of personal information, recognising the importance of maintaining the confidence of those whose information they use. The CCGs intend to meet their legal obligations and NHS requirements and, to support this, fully endorse adherence to the eight Data Protection Principles set out in the Data Protection Act 1998 (Appendix C).

In addition, the CCGs will ensure that all staff:
- managing and handling personal information understand that they are contractually responsible for following good data protection practice
- managing and handling personal information are appropriately trained and supervised and know who to contact should they have any queries

- regularly evaluate and review the methods for handling personal information
- are aware of their responsibilities when disclosing personal data and follow agreed procedures
- ensure that data sharing is carried out under written agreement, clearly setting out the scope, limits and conditions for sharing
- complete mandatory IG training on an annual basis and complete additional specialised training appropriate to their role
- are aware of incident reporting procedures and know how to report an information security or data breach
- recognise requests for information made under the Freedom of Information Act and ensure these requests are dealt with within the required timescales
- recognise requests from data subjects about how their data is being used (Subject Access Requests) and ensure these requests are dealt with within the required timescales.

3. SCOPE

This policy covers all personal data processed by the CCGs, including data relating to staff, patients and members of the public, regardless of the format in which the information is held, and outlines the CCGs' approach to meeting the responsibilities and obligations specified within the Data Protection Act 1998 and associated legislation and guidance.

4. RESPONSIBILITIES

The Data Protection and Confidentiality Policy applies to all staff who handle personal information obtained and processed on behalf of the CCGs. These responsibilities, including those of key roles, are outlined in more detail in Appendix B. On commencement of employment all staff are provided with a Staff Contract which includes information governance clauses setting out their data protection responsibilities.

5. DATA PROTECTION ACT 1998

The Data Protection Act 1998 came into force in March 2000 and sets standards which must be satisfied when obtaining, recording, holding, using or disposing of personal data; these are summarised by the eight Data Protection Principles. The Act applies to all person identifiable information about living individuals held in manual files, computer databases, videos and other automated media (this list is not exhaustive).

The Information Commissioner holds a register of Data Controllers and, unless exempt, the Act requires organisations which process personal information to register with the Information Commissioner's Office (ICO). On registration, organisations must outline how information is held, the purposes for holding the data, how it is used and to whom it may be disclosed. Failure to register is a criminal offence.

The CCGs ensure the Data Protection Notification is regularly reviewed for accuracy. Any changes to the register must be notified to the Information Commissioner within 28 days, and managers are responsible for notifying and updating the SIRO and Caldicott Guardian about the processing within their area of responsibility. Compliance with the Data Protection Act is regulated by the Information Commissioner's Office. The Information Commissioner's Office website can be found at

6. EIGHT DATA PROTECTION PRINCIPLES

The eight Data Protection Principles state that personal data must be:

Principle 1: Processed fairly and lawfully

Personal data shall not be processed unless at least one of the conditions in Schedule 2 (Appendix D) to the Data Protection Act is met. For sensitive data, at least one of the conditions in Schedule 3 (Appendix D) must also be met.

For processing to be fair, the CCGs must be transparent: clear and open with individuals about how their information will be used. Fairness requires you to:
- be open and honest about your identity
- inform individuals how you intend to use their personal data
- handle their personal data only in ways they would reasonably expect
- not use their information in ways that may have a negative effect on them.

The oral or written statement that individuals are given when information about them is collected is often called a Fair Processing Notice (FPN) (Appendix F) or, more recently, a privacy notice. In general terms, a privacy notice should state:
- the organisation's identity
- the purpose or purposes for which the information will be processed
- any additional information individuals need to enable you to process the information fairly.

The Act does not define "lawful"; however, lawful refers to statute and to common law, whether criminal or civil. An unlawful act may be committed by a public or private sector organisation if it results in:
- a breach of a duty of confidence
- an organisation exceeding or exercising its legal powers improperly

- an infringement of copyright
- a breach of an enforceable contractual agreement
- a breach of industry-specific legislation or regulations
- a breach of the Human Rights Act 1998, which gives individuals the right to respect for private and family life, home and correspondence.

Principle 2: Processed for specified purposes

The second data protection principle means that you must:
- be clear from the outset why you are collecting personal data and what you intend to do with it
- comply with the Act's fair processing requirements, including the duty to give privacy notices to individuals when collecting their personal data
- comply with what the Act says about notifying the Information Commissioner
- ensure that, if you wish to use or disclose the personal data for any purpose that is additional or different to the originally specified purpose, the new use or disclosure is fair; this includes notification to the ICO where relevant.

Principle 3: Adequate, relevant and not excessive in relation to the purpose(s)

In practice, the third principle means you should ensure that:
- you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual
- you do not hold more information than you need for that purpose.

So you should identify the minimum amount of personal data you need to properly fulfil your purpose, and hold no more. You should not hold personal data on the off-chance that it might be useful in the future; however, it is permissible to hold information for a foreseeable event that may never occur.

Principle 4: Accurate and kept up-to-date

Although the fourth data protection principle sounds straightforward, the law recognises that it may not be practical to double-check the accuracy of every item of personal data you receive. So the Act makes special provision about the accuracy of information that individuals provide about themselves, or that is obtained from third parties.

To comply with these provisions you should:
- take reasonable steps to ensure the accuracy of any personal data you obtain
- ensure that the source of any personal data is clear
- carefully consider any challenges to the accuracy of information
- consider whether it is necessary to update the information
- if an individual challenges the accuracy of information, consider the challenge and where necessary delete or correct it

If an individual is not satisfied that you have taken appropriate action to keep their personal data accurate, they may apply to the court for an order that you rectify, block, erase or destroy the inaccurate information.

Principle 5: Not kept for longer than necessary

The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. In practice, it means that you will need to:
- review the length of time you keep personal data (refer to the Records Management Policy and the DoH Records Management: NHS Code of Practice)
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
- securely delete information that is no longer needed for this purpose or these purposes
- update, archive or securely delete information if it goes out of date

Where personal data is shared between organisations, those organisations should agree what to do once they no longer need to share the information. In some cases, it may be best to return the shared information to the organisation that supplied it, without keeping a copy.

Principle 6: Processed in accordance with the rights of Data Subjects

The sixth data protection principle gives certain rights to individuals, such as:
- a right to access their own personal data
- a right to object to processing which may cause or is causing damage or distress
- a right to prevent processing for direct marketing
- a right to object to decisions being taken by automated means
- a right to have inaccurate personal data rectified, blocked, erased or destroyed
- a right to claim compensation for damages caused by a breach of the Act

An individual has the right to access their own personal data; this topic is covered under the heading Subject Access Requests.

The Act refers to the right to prevent processing, and this only applies if the processing causes unwarranted and substantial damage or distress to an individual. The Act does not define what is meant by unwarranted and substantial damage or distress, but in most cases substantial damage would be financial loss or physical harm, and substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.

The Act gives individuals the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give you written notice to stop (or not begin) using their personal data for this purpose. Any individual can exercise this right; if the CCGs receive such a notice it must be complied with within a reasonable timeframe.

The right of subject access allows an individual access to information about the reasoning behind any decisions taken by automated means. An individual can give written notice requesting that their personal data is not used for automated decisions, and even if notice is not given, individuals should be informed when such a decision has been taken.

Individuals have a right to compensation if they suffer damage, which can only be enforced through the courts. The Act allows organisations to defend claims on the basis that all reasonable care was taken to avoid the breach.

Principle 7: Protected by appropriate security (practical and organisational)

The seventh data protection principle, in practice, means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach
- be clear about who in your organisation is responsible for ensuring information security
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff
- be ready to respond to any breach of security swiftly and effectively

The security measures you put in place should seek to ensure that:
- only authorised people can access, alter, disclose or destroy personal data
- those people only act within the scope of their authority
- if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned

The level of security should be appropriate to the nature of the information in question and the harm that might result from its improper use, or from its accidental loss or destruction. The Data Protection Act does not define the security measures you should have in place. However, it is essential that organisations focus on physical and technological security as well as management and organisational security measures.

Principle 8: Not transferred outside the EEA without adequate protection

Data protection principle 8 is relevant to sending personal data overseas. Those considering sending personal data outside the EEA should go through the checklist below to help decide if the eighth principle applies and, if so, how to comply with it when making a transfer.

1. Do you need to transfer personal data abroad? Can you achieve your objectives without processing personal data at all? For example, could the information be anonymised?

2. Are you transferring the data to a country outside the EEA, or will it just be in transit through a non-EEA country? If data is only in transit through a non-EEA country, there is no transfer outside the EEA. Note that if you add personal data to a website based in the EU that is accessed in a country outside the EEA, there will be a transfer of data outside the EEA.

3. Have you complied with all the other data protection principles? If you transfer personal data outside the EEA, you are required to comply with all the principles and the Act as a whole, not just the eighth principle relating to international data transfers.

4. Is the transfer to a country outside the EEA? There are no restrictions on the transfer of personal data to EEA countries.

5. Is the transfer to a country on the EU Commission's list of countries or territories providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data? Transfers may be made to any country or territory in respect of which the Commission has made a positive finding of adequacy.

6. If the transfer is to the United States of America, has the US recipient of the data signed up to the US Department of Commerce Safe Harbor Scheme? The Safe Harbor scheme is recognised by the European Commission as providing adequate protection for the rights of individuals in connection with the transfer of their personal data to signatories of the scheme in the USA.

7. Is the personal data passenger name record information (PNR)? The agreement made between the EU and the USA (to legitimise and regulate the transfer of PNR from EU airlines to the US Department of Homeland Security) is regarded as providing adequate protection for the rights of the data subjects whose personal data (in the form of PNR) is transferred. Arrangements also exist between the European Commission, Canada and Australia.

If you decide you need to transfer personal data outside the EEA, and the recipient is not in a country subject to a Commission positive finding of adequacy nor signed up to the Safe Harbor Scheme, you will need to assess whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects in connection with the transfer/processing of their personal data.

8. Can you make an assessment that the level of protection for data subjects' rights is adequate in all the circumstances of the case? nsfers.pdf

9. If not, can you put in place adequate safeguards to protect the rights of the data subjects whose data is to be transferred? Adequate safeguards may be put in place in a number of ways, including using Model Contract Clauses, Binding Corporate Rules or Binding Corporate Rules for Processors (BCRs) or other contractual arrangements. Where adequate safeguards are established, the rights of data subjects continue to be protected even after their data has been transferred outside the EEA.

10. Can you rely on another exception from the restriction on international transfers of personal data? Schedule 4 DPA concerns cases where the Eighth Principle does not apply. It covers BCRs, model contract clauses and the use of other contractual clauses, as well as a number of other exceptions to the restriction on overseas data transfers. If you are able to rely on an exception, the transfer may take place even though there is no other protection for individuals' rights.

7. CALDICOTT PRINCIPLES

The term Caldicott refers to a review commissioned by the Chief Medical Officer. In 1997 a review committee, under the chairmanship of Dame Fiona Caldicott, investigated ways in which patient information is used within the NHS and devised six key principles of information governance that could be used by all NHS organisations with access to patient information. In January 2012 a second review took place to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care.
This is known as the Caldicott 2 Review, which resulted in seven key principles (Appendix G). As well as the Data Protection Act, staff should also comply with these principles when processing personal information:

Principle 1: Justify the purpose(s) of using confidential information

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate person such as an Information Asset Owner (IAO).

Principle 2: Only use when absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Principle 3: Use the minimum necessary that is required

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

Principle 4: Access should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

Principle 5: Everyone must understand their responsibilities

Action should be taken to ensure that those handling personal confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6: Understand and comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

Principle 7: The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies. These principles should underpin information governance across the health and social care services.

8. THIRD PARTIES

Most CCGs will, in the course of their business, contract or make arrangements with third parties. The NHS Standard Contract is mandated by NHS England for use by commissioners for all contracts for healthcare services other than primary care. These contracts include the following clauses, which require third parties to:
- ensure the reliability of their staff who will have access to personal data, and confirm that their staff are appropriately qualified and trained and aware of their responsibilities
- ensure their staff are aware of the relevant policies and procedures governing the use of personal data, and not cause or allow personal data to be transferred outside the European Economic Area without the prior consent of the Commissioner
- ensure that they comply with NHS Employment Check Standards and other checks as required by the DBS which are to be undertaken
- ensure that confidential information remains confidential and is only used for the purposes for which it was obtained, and is not disclosed unless required by law or with prior agreement from the CCGs
- ensure they acknowledge their obligations arising under the Freedom of Information Act, Data Protection Act, Health Records Act and under the common law duty of confidentiality
- ensure they achieve a minimum of level 2 against all requirements in the NHS Information Governance Toolkit and complete an annual information governance assessment
- ensure they nominate an IG Lead responsible for providing the Governing Body with IG reports, which include details of IG incidents, and ensure they follow procedures for reporting Serious Incidents Requiring Investigation (SIRI)
- ensure a Caldicott Guardian and Senior Information Risk Owner are nominated, who must be members of their Governing Body
- ensure they adopt and implement the recommendations of the Caldicott 2 Review
- ensure they publish, maintain and operate policies relating to confidentiality, data protection and information disclosures that comply with the law, Caldicott Principles and good practice
- ensure they only provide anonymised, pseudonymised or aggregated data to the CCGs where it is required for the purposes of quality management of care processes, and do not disclose personal data unless written consent is obtained or a lawful basis for disclosure is provided (such as s251 Regulations)
- ensure sub-contractors can provide sufficient guarantees in respect of their technical and organisational security measures governing the data processing to be carried out, and take reasonable steps to ensure compliance with those measures
- ensure sub-contractors process personal data only in accordance with the third party's instructions and comply at all times with obligations equivalent to those imposed on the Provider by virtue of the Seventh Data Protection Principle

- ensure that where they act as a Data Processor on behalf of the CCGs, personal data is only processed to the extent necessary to perform their obligations under the Contract, and take appropriate technical and organisational measures against any unauthorised or unlawful processing of that personal data, as well as against its accidental loss, destruction or damage
- ensure they understand the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage

9. TRANSFER OF PERSONAL INFORMATION

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian. The CCGs have developed a Transfer of Personal Information Procedure to assist staff in understanding what requirements should be in place to ensure the transfer is lawful.

10. SUBJECT ACCESS REQUESTS

Under a provision of the Data Protection Act an individual can request access to their personal information regardless of the media in which this information may be held or retained. This is referred to as a Subject Access Request (SAR). SARs are processed in line with the Subject Access Request Policy and Procedure by the CSCSU FOI Team on behalf of the CCGs to ensure that they are processed in accordance with the law. To support the CSCSU with this role, the CCGs will ensure that all staff are able to recognise when they receive a Subject Access Request (SAR) and ensure requests are forwarded in a timely manner to the FOI Team.

The CSCSU FOI Team will ensure that:
- requests are logged and recorded on the SARs database
- the applicant is sent a pre-acknowledgement letter
- identity documents, fee and consent are requested where applicable
- identity documents are vetted and verified
- required information is gathered from relevant parties
- quality assurance and final sign-off is obtained from the CCGs
- a final response letter is sent to the applicant and information provided in the format requested
- the SARs database is kept up to date and records are maintained
- the CCGs are provided with monthly reports evidencing requests received

11. RECORDS RETENTION

All staff must ensure they are familiar with the Records Management Policy, which describes the standards of practice required by the CCGs in the management of their documents and records. It is based on current legal requirements and professional best practice.

This policy is mandatory and applies to all information in all formats. It covers all stages within the information lifecycle, including create/receive, maintain/use, document appraisal, declare as a record, record appraisal, retention and disposition.

Staff members must not alter, deface, block, erase, destroy or conceal records with the intention of preventing disclosure under a request relating to the Freedom of Information Act 2000 or the Data Protection Act 1998. Staff members are expected to manage records about individuals in accordance with the policy irrespective of their race, disability, gender, age, sexual orientation, religion or belief, or socio-economic status.

12. DATA FLOW MAPPING

To adequately protect personal information, organisations need to know who holds the information, how the information is held and transferred, what information comes into and out of the organisation, where the information is transferred to and the frequency of these transfers. To comply with professional standards and relevant legislation the CCGs will ensure that:
- all staff adhere to the Transfer of Personal Information procedures
- all routine flows of information are mapped, e.g. those that occur on a regular basis
- all routine flows are risk assessed and reviewed regularly, or should any changes to the process or flows occur
- all elements, including data, format, transfer method and location of recipient, are considered for every transfer
- any risks identified are documented on departmental Risk Registers and appropriate safeguards are implemented to minimise the risk and protect the information
- any significant risks are reported to the SIRO and immediate action taken to either suspend the transfer or identify another secure method

13. INFORMATION ASSET REGISTER

Organisations must ensure that all of their information assets that hold or are personal data are protected by technical and organisational measures appropriate to the nature of the asset and the sensitivity of the data. The CCGs will ensure that all information assets are:
- formally recorded on the information asset register
- allocated an Information Asset Owner
- formally risk assessed, with the SIRO informed of any risks
- reviewed regularly and assessed should any changes to processes or assets occur
- safeguarded against unauthorised access
- encrypted in line with mandatory requirements and standards
- disposed of securely
- backed up regularly

- audited to evidence compliance

14. SHARING INFORMATION

Under the right circumstances and for the right reasons, data sharing across and between organisations can play a crucial role in providing a better, more efficient service to customers in a range of sectors, both public and private. But citizens' and consumers' rights under the Data Protection Act must be respected. Whilst there is a public expectation of appropriate sharing of information between organisations providing health care services to them and with other organisations providing related services, the public rightly expect that their personal data will be properly protected.

When sharing personal information, CCG staff must ensure that the Principles of the DPA 1998, the Human Rights Act 1998, the Caldicott Principles (including Caldicott 2) and the Common Law Duty of Confidentiality are upheld. The ICO has published a Data Sharing Code of Practice which explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data and provides good practice advice that will be relevant to all organisations that share personal data. The CCGs recognise that information sharing agreements provide the basis for facilitating the exchange of information between organisations but do not of themselves make the sharing lawful.

Prior to sharing information the CCGs will ensure that:
- the CCGs have the legal power to share and the sharing of personal information is justified
- the sharing of personal information achieves its objective, could not be achieved without the sharing taking place, and is proportionate to the issue that needs addressing
- the potential benefits/risks to individuals and/or society of sharing or not sharing have been assessed
- the CCGs are able to share with the organisations that have been identified
- a data sharing agreement is in place covering what information will be shared and who it will be shared with
- a communication plan is in place to inform individuals that their information will be shared, and consent obtained where applicable
- privacy impact assessments have been completed and adequate security is in place to protect the data
- asset registers have been updated, and data flows have been mapped and risk assessed
- processes are in place to provide individuals with access to their personal data
- retention periods for the data have been agreed and processes are in place to ensure secure deletion takes place
- an IG checklist has been completed and sharing has been authorised by the information governance team
- business continuity plans are in place

15. INCIDENT RISK AND REPORTING

All staff members are responsible for maintaining compliance with the Data Protection Principles and for reporting non-compliance through the CCGs' incident reporting process. The CCGs will ensure that all incidents and risks are:
- reported in a timely manner on the incident report form and in line with the CCGs' Incident Risk Reporting Process
- reported to the Information Governance Manager
- reported to the Head of Corporate Affairs, SIRO and Caldicott Guardian
- investigated to identify the root cause
- assessed to determine whether they are a Serious Incident Requiring Investigation (SIRI)
- monitored to identify weaknesses and ensure that lessons can be learnt
- reported to the IM&T Board

In addition, where the incident is deemed to be a SIRI, the CCGs will ensure that incidents are:
- reported within 24 hours via the Information Governance Toolkit Incident Reporting Tool
- reviewed to determine whether HR should be involved to proceed with disciplinary action
- assessed for any risk, with action taken to prevent further occurrence

16. MONITORING AND AUDIT

The effectiveness of this policy will be monitored through analysis of information-related incidents and complaints, which will be further supplemented by audits, assessments and spot checks undertaken by the Information Governance Manager. This policy and associated procedures will be monitored by the IM&T Board, who will provide assurance to the Governing Bodies. Compliance will also be monitored through the Information Governance Toolkit submission and Internal Audit process.

INFORMATION SECURITY POLICY SECTION FIVE

1. INTRODUCTION

Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected. This information security policy sets out how the CCGs' information should be protected in order to ensure its:
- Confidentiality: that information is only available to those with a legitimate reason to see it.
- Integrity: that information can be trusted to be of good quality.
- Availability: that information is available to those that need it, when they need it.

If any of these are compromised, this can have a direct impact on the ability of the CCGs to fulfil their objectives and may lead to consequences for patient care, the local health economy and the reputation of the CCGs. The CCGs have legal obligations to maintain security and confidentiality, notably under the:
- Data Protection Act (1998)
- Human Rights Act (1998)
- Copyright, Designs and Patents Act (1988)
- Computer Misuse Act (1990)

In addition, the Caldicott Committee's Report on the Review of Patient-Identifiable Information, published in 1997, led to the establishment of a set of clear principles reflecting best practice in the handling of confidential patient information. The report called for regular and routine testing of information flows against these principles, and this would be developed and overseen by a network of Caldicott Guardians who would act, within each organisation, in a strategic, advisory and facilitative capacity.

Caldicott 2 was published in May 2013 and featured 23 recommendations which should be adhered to. The policy aims to ensure that:
- information systems, whether electronic or manual, are properly assessed for security
- confidentiality, integrity and availability are maintained
- staff and managers are aware of their responsibilities
- the risk to the information resource of the CCGs is effectively managed

2. SCOPE

This policy covers all information processed and information systems utilised by the CCGs, and covers all staff employed by or acting on behalf of the CCGs.

3. RESPONSIBILITIES

It is the role of the CCGs' Governing Bodies to define the policy in respect of Information Security and ensure that sufficient resources are provided to support the requirements of the policy. This policy applies to all staff who handle information obtained and processed on behalf of the CCGs. These responsibilities, including those in key roles, are outlined in more detail in Appendix B.

4. PRINCIPLES

The CCGs will maintain an Information Security Policy supported by appropriate linked policies, codes of practice, protocols and guidance documents that reflect best practice. They will ensure that all staff have access to that policy and its subordinate documents by cascading information to managers and posting copies on the intranet.

The CCGs will comply with whatever legislative requirements apply. They will further seek to maintain compliance with national guidance. The CCGs will expect compliance with the Information Security Policy together with the associated linked policies, codes of practice, protocols and guidance.

The CCGs will have procedures in place to evaluate security measures systematically, with the greatest emphasis being given to areas where the potential impact of a security breach would be most serious. The CCGs will assign responsibility to key personnel to ensure a sound and robust security and information management infrastructure. The CCGs acknowledge that, where appropriate resources are identified, they will need to carefully consider the balance of risk between action and inaction.

The CCGs will measure their compliance against this policy with an annual Information Governance Toolkit return.

5. PROCESS CHANGES

The CCGs will ensure that when changes take place that may impact on information assets:
- a risk assessment will be undertaken, with respect to information security best practice
- the SIRO will be informed of any risks to such assets
- guidance will be sought from the CSCSU Information Governance team

6. THIRD PARTIES

The CCGs will ensure that all contracts with third parties will:
- identify inbound and outbound flows of personal data
- confirm that the third party has robust processes in place to comply fully with the Data Protection Act
- adhere to the guidance provided by the CSCSU Information Governance Team on safe information sharing

7. TRANSFER OF PERSONAL INFORMATION

The CCGs will ensure that:
- all staff adhere to the Transfer of Personal Information Procedure and the Data Protection Act policy
- the transfer is lawful

8. INCIDENT AND RISK REPORTING

The CCGs will ensure that all incidents and risks are:
- reported promptly to the SIRO and Caldicott Guardian
- recorded within a formal process to ensure they can be learnt from or mitigated
- reported in line with the CCGs' Incident and Risk reporting processes

9. INFORMATION ASSET REGISTER

The CCGs will ensure that all information assets are:
- formally recorded on the Information Asset Register
- allocated an Information Asset Owner
- formally risk assessed, with the SIRO informed of all risks
- reviewed regularly
- risk assessed again should any changes to processes or assets occur

10. BUSINESS CONTINUITY PLAN

The CCGs will ensure that:
- tested Business Continuity Plans are adopted
- Business Continuity Plans cover all assets identified on the Information Asset Register
- Business Continuity Plans prioritise assets identified in the risk assessment plan
- Business Continuity Plans are reviewed regularly

RECORDS MANAGEMENT POLICY SECTION SIX

1. INTRODUCTION

This policy sets out how the CCGs will approach the management of their business records. This policy is part of a Records Framework that includes additional procedures, guidance, audit and training modules. The records framework fits into the wider context of Information Management and Governance.

2. PURPOSE

This policy sets out roles and responsibilities for records management and the key operating principles for record keeping across the business. A records management policy is a requirement of the Records Management: NHS Code of Practice. The NHS IG Toolkit specifies broad requirements for records management provision and policy in an organisation, records being a key component of our information governance landscape. Managing records well will help our staff to do their jobs and contributes to effective healthcare and business efficiencies; good quality records are vital if we are to be accountable to the public. The CCGs have a statutory duty to make provision for the safekeeping, accessibility and eventual disposal of their records.

3. SCOPE

The CCGs define records as any form of information which has been created or gathered as a result of any aspect of our work. This includes administration records as well as health records that are processed and maintained. This policy covers all CCG business areas and record formats. The CCGs' records, including those of customers, are the property of the NHS and are Public Records as defined by the Public Records Act.

Records can be manual (paper) and, most commonly, electronic. Examples include invoices, correspondence, faxes, contracts, datasets and spreadsheets. Broadly speaking, records are finalised evidence of the CCGs' work. Work-in-progress documents, although not final, are in scope of this policy because they are an information resource and may still be used to support litigation or requests for information, e.g. Freedom of Information requests and Subject Access Requests. Another organisation's records are also in scope, as they can support our activities and may need to be retained by us for a period of time. Records Management is the formal process of managing records as information resources throughout their life.

4. RESPONSIBILITIES
It is the role of the CCGs' Governing Bodies to define this policy in respect of Records Management, taking into account legal and NHS requirements. The CCGs' Governing Bodies are also responsible for ensuring that sufficient resources are provided to support the requirements of the policy. The Records Management Policy applies to all staff who handle information on behalf of the CCGs. Staff responsibilities, including those in key roles, are outlined in more detail in Appendix B.

5. RECORDS LIFECYCLE
The CCGs will manage records in the context of a records lifecycle:

Lifecycle Stage: Description
1. Planning: At a corporate level the CCGs shall develop and implement policy, procedures and functionality to deliver compliant records management. Departments shall ensure they have identified key records that must be captured as a result of their activities and that these are managed following policy.
2. Creation & receipt: This is where a record is born and is saved. The CCGs shall ensure that records are properly captured into approved filing systems, that they are protected from unauthorised access or change, and that they are named following an agreed standard.
3. Use / Distribute: The CCGs' records shall be appropriately available so that they support current business and decision making as well as statutory access requirements. Wherever possible the CCGs shall share one version of a record rather than create duplicates.
4. Retention: The CCGs shall retain non-current and superseded records in filing systems so as to support ongoing business needs and compliance requirements. Disposal schedules shall govern how long records are retained; retained records shall continue to be protected and accessible, with storage facilities meeting appropriate standards.
5. Disposal: The CCGs' records shall not be retained indefinitely. At the end of the retention period, records shall be disposed of. In most cases this will mean controlled destruction; a small percentage of records may become archived, meaning that they will be retained indefinitely under the Public Records Act.

Good Quality Records
Records are evidence of what the CCGs did and thought at a point in time; they may be required for litigation, audits, statutory enquiries and as a basis for decision making. CCG records need to be accurate, reliable and complete. Process managers shall be clear on what records are required to sufficiently document business activities, and ensure that staff capture them following policy and procedure. The quality and accuracy of records that relate to patient care and to significant changes to services and policy are particularly important.

Manual / paper records
In keeping with the wider NHS agenda, the CCGs shall endeavour to be as paper-light as is practicable and consider the electronic version of a record to be the primary version. Paper copies should be maintained by exception and shall be destroyed at the earliest convenience. Where it is practical to do so, the CCGs shall scan new or legacy paper records following the scanning procedure. The original copies of scanned records should then be securely destroyed. In some cases it might be desirable to hold original ink-signed records. This is permissible, although scanning such documents is acceptable so long as their legal admissibility has been protected by following the scanning procedure. Any paper records held by the CCGs shall be securely held in appropriate local filing cabinets. Significant collections of closed manual records should be stored with a specialist off-site storage company. Access to paper files, whether they are sensitive or not, shall be controlled and monitored; in some cases, particularly if the record is sensitive, it may be appropriate to use a simple sign-out log so that a record is held of who has borrowed a file.
Records Inventory and Records File Plan
The CCGs shall organise records into a Records File Plan that lists business activities and the records that they create. Regular inventories shall be carried out of these records so that there are clear metrics covering what is held and the format it is in. The Information Asset Register shall be used to inform this, along with File Share content reports.

Disposal Schedules and Legal Holds
The CCGs shall not retain all records indefinitely. Disposal is the process that leads to records being destroyed or transferred elsewhere. Records shall be retained and disposed of following agreed disposal schedules and procedures that are based on NHS requirements and business needs. Disposal schedules are added to the Records File Plan and are approved by the SIRO and the IM&T Group. Disposal shall always be carried out in accordance with confidentiality and sensitivity requirements.

Disposal of any records shall be held if they pertain to an existing or emerging legal matter or request for information; this is known as a Legal Hold. Unilateral disposal of records, particularly if done contrary to disposal schedules or legal holds, is a serious breach of policy.

Accredited File Shares
Electronic records (not including those in databases) shall be saved to approved and managed file shares. The file share should be broadly structured following the Records File Plan and include folders that assist with disposal management and protection of sensitive information. Customer records shall be stored and organised in such a way that they are easily distinguishable from the CCGs' own and can be transferred to the customer if required. Original records shall not be saved to offline storage such as computer hard drives, USB memory sticks or optical media. Only in exceptional circumstances should final records be saved to a staff member's private network drive.

Record Naming
Electronic records, along with the folders that hold them, shall be named following the agreed electronic document naming standard. This shall also include version control so that it is clear what the status and iteration of the record is.

Records Security and Access
The CCGs shall use security classifications to mark records that contain personal or commercially sensitive information. Records shall not be saved to private (home) computers, nor shall private e-mail accounts, e.g. Hotmail, be used to transmit records or carry out NHS business. Accredited File Shares shall include protected folders and permission protocols where sensitive records are held, e.g. records containing personal data. Access restrictions to records shall be proportionate; wherever possible, records should be available to all staff so as to aid information sharing and reduce duplication and risk.

Line of Business Systems / Databases
Many of our records are held within databases. These may be in the form of uploaded documents, e.g. a PDF or e-mail, or as data streams, e-transactions and system actions. This policy applies to these records. System owners and project managers shall consider the requirements of this policy when implementing, procuring or using databases. Electronic records that are uploaded to databases, e.g. an e-mail, should be deleted from local systems, e.g. the Inbox or File Share; it is bad practice to duplicate information across systems.

Data Backups
All data, including electronic records, is backed up to offline storage following the CSCSU Daily Backup Policy. It is vital that restored records are complete copies and are not changed in any way; this includes embedded metadata.

Backups are within scope of statutory access to information requests and legal disclosure. Records deleted from user front-end storage, e.g. file shares, shall also be deleted from the back-up. Current back-up policy is that any iteration of electronic data is backed up for 1 year before being overwritten or deleted. In short, records that have been deleted from front-end systems within the last year may still be available in the back-up; this needs to be considered when dealing with any access to information request.

New technologies: Cloud and Collaboration / Sharing
The use of new technologies to improve working practices, process monitoring and collaboration is becoming increasingly popular. These are characterised by services such as cloud storage and collaboration spaces being held outside of the traditional on-site technology infrastructure. The requirements of this policy shall apply to such technology, as it is handling the CCGs' information and records. It is also advisable not to assume that information held in commercial Cloud environments will be accessible over the long term; the likelihood of losing access to records during a given retention period should be risk assessed and mitigated.

E-mail Records / Electronic Communication
E-mail is a key record keeping tool for the CCGs and many e-mails will qualify as records and so must be retained. NHS Mailboxes and Mailbox Archives shall not be used for the long term storage of records. E-mail records shall be filed to the relevant and approved file share or database alongside related records, as messages (.MSG) rather than in Archive (.PST) format. Staff shall regularly housekeep their Mailboxes so that transitory and spam-type e-mails are disposed of. Managers shall ensure all required records are transferred from a leaver's Mailbox to the approved store.
Other forms of electronic communication such as Instant Messaging and video conferencing will likely become more commonplace; these recordings, if retained, qualify as records and so shall be managed under this policy. Additional policy / procedure will be produced as required.

Long term access and protection: record preservation
The CCGs shall take steps to ensure that records remain accessible and are not damaged during their retention; for some records this could be many decades, and such lengths of time require preservation management. Records shall be protected from unauthorised access and from natural risks such as flooding and fire. Electronic records are at particular risk of digital obsolescence and degradation of media. The CCGs shall undertake precautions to ensure the long term accessibility of electronic content, including:
- using ubiquitous and open formats, e.g. PDF, DOCX;
- regular refreshing and error-checking of storage media;
- maintaining all records on networked and backed-up drives rather than removable media, e.g. CDs, USB sticks; and
- assessing the digital preservation risks of any new system.
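The Data Backups and record preservation passages above require that a restored record is a complete, unchanged copy (including its metadata) and that storage media are error-checked regularly. The usual way to make that checkable rather than assumed is a fixity manifest: a digest, size and timestamp recorded for every file on the records share before backup, which any later restore or media refresh is compared against. The following is an added example written for this handbook and is not CSCSU backup tooling or code from the original document; the folder names, file names and the two restore faults it simulates are constructed sample data, and it uses file-system modification time as a stand-in for the metadata the policy wants preserved (a document's embedded metadata is part of the file bytes, so a changed digest catches that too).

```python
"""Fixity manifest for a records file share.

Added example (not part of the handbook, and not the CSCSU backup tooling):
it records a SHA-256 digest, size and modification time for every file under
a records folder, then checks a restored copy against that manifest so that
an incomplete or silently altered restore is caught before anyone relies on
it for a subject access or FOI response.  Paths and file names below are
constructed sample data.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large scans do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its digest, size and mtime."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime": int(st.st_mtime),
        }
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest taken before backup.

    Returns the files that are missing, whose content differs, whose
    metadata (size/mtime) drifted although content matches, and files
    present in the restore that the manifest never listed.
    """
    current = build_manifest(restored)
    report = {"missing": [], "changed": [], "metadata_drift": [], "unexpected": []}
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            report["changed"].append(rel)
        elif (actual["size"], actual["mtime"]) != (expected["size"], expected["mtime"]):
            report["metadata_drift"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Build a constructed records tree, 'restore' it with two faults, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "share"
        (live / "Contracts").mkdir(parents=True)
        (live / "Contracts" / "2014-001_supplier_v1.0.pdf").write_bytes(b"%PDF-1.4 sample contract")
        (live / "Board_minutes_2015-01.docx").write_bytes(b"minutes, constructed sample")
        # fix the minutes' mtime (2015-01-01 UTC) so the metadata drift below is deterministic
        os.utime(live / "Board_minutes_2015-01.docx", (1_420_070_400, 1_420_070_400))
        manifest = build_manifest(live)
        # persist as JSON as a real backup job would, then reload it
        manifest = json.loads(json.dumps(manifest))

        restored = Path(tmp) / "restore"
        (restored / "Contracts").mkdir(parents=True)
        # fault 1: content truncated during restore
        (restored / "Contracts" / "2014-001_supplier_v1.0.pdf").write_bytes(b"%PDF-1.4 sample")
        # fault 2: content intact but the original mtime was not preserved
        (restored / "Board_minutes_2015-01.docx").write_bytes(b"minutes, constructed sample")
        # and a stray file that was never in the manifest
        (restored / "Thumbs.db").write_bytes(b"")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints a report naming the truncated contract as changed, the minutes as metadata drift and Thumbs.db as unexpected. The same manifest, re-run against the live share on a schedule rather than against a restore, is the error-check of storage media that the preservation list calls for: silent corruption shows up as a changed digest with no corresponding edit. Keep the manifest with the back-up set but outside the tree it describes, otherwise a faulty restore can corrupt the evidence used to verify it.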

6. TRAINING REQUIREMENTS
All staff and contractors shall complete records management training. On induction all staff, whether contractors or permanent, shall be introduced to the basic principles of the records management policy and procedures. To embed record keeping requirements and reinforce good practice, staff shall complete the Foundation Records Management and the NHS Code of Practice training module via the HSCIC Training Tool. Those staff who have heightened records management responsibilities shall complete the Practitioner Records Management in the NHS module via the HSCIC Training Tool.

7. RECORDS FRAMEWORK
Name: Purpose
- Records Management Policy / Procedures / Guidance: Define the CCGs' approach to records and the relevant rules. Scope includes all information types, including e-mail and line-of-business systems.
- Records Retention and Disposal Schedules: The NHS Records Management Code of Practice sets out the minimum periods for which the various records created within the NHS or by predecessor bodies should be retained, either due to their ongoing administrative value or as a result of statutory requirement.
- Compliance Audit: Improving records management maturity is dependent upon regular audits, both of compliance with policy and as inventories of existing record stores.
- Training modules: To equip staff with the knowledge they need to effectively keep records or to manage the system. Training will be mandatory.

8. KEY RECORDS MANAGEMENT REQUIREMENTS
Public Records Act
All NHS records are Public Records. All NHS organisations must make arrangements for the safe keeping and disposal of their information and records. Recent changes have reduced the 30 year public records disposal rule to 20 years.
Data Protection Act
This Act regulates the processing of personal data relating to living persons.
Principle 5 of the Act sets out the requirement not to retain data for longer than necessary; records must be identified, consistently stored and have disposal schedules to meet Principle 5.
Freedom of Information Act (including the Section 46 Code of Practice for Records Management)
This Act makes provision for the disclosure of information held by public authorities and includes a Records Management Code of Practice to support the Act, which gives guidance on good practice in records management. It applies to all authorities subject to the Act, to the Public Records Act 1958 or to the Public Records Act (Northern Ireland) 1923.
Access to Health Records Act
This Act regulates access to the records of a deceased person.
Records Management: NHS Code of Practice (Parts 1 and 2)
A guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. They are based on legal requirements and professional best practice, particularly the FOI Code of Practice for Records Management.

9. MONITORING COMPLIANCE AND EFFECTIVENESS
The Information Governance Lead will be responsible for performance in records management, and compliance shall be audited following a scheduled plan using a defined audit methodology. Results of audits shall be reported to the IM&T Group. Where there is non-compliance or improvements could be made, these shall be agreed with process owners / managers and subsequently followed up.

FREEDOM OF INFORMATION ACT POLICY
SECTION SEVEN

1. INTRODUCTION
This policy explains the principles which underpin the commitment of the CCGs to openness and transparency in the decisions which we make about the provision of health care to the local community. It sets out our commitment to full implementation of the Freedom of Information Act (FOIA). It acknowledges that the CCGs, at the same time and in conjunction with this Policy, adopt and manage equivalent procedures for the provision of Environmental Information under the Environmental Information Regulations. The CCGs recognise the general right of access to information.
In accordance with the CCGs' Equality and Diversity Policies it is important for all members of staff to remember that applicants may be unable to write to the CCGs, as they may not have English as their first language or may have disabilities which make it difficult for them to express their request in writing. Assistance and support will be made available to those people who require it from the FOI Co-ordinator and/or Head of Corporate Affairs.

2. SCOPE
Within the context of the FOIA, information means every piece of information held by the CCGs, whether paper or electronic. It includes all draft documents, agendas, minutes, e-mails and handwritten notes. There is an interface between the FOIA and the Data Protection Act (DPA) with regard to information about living individuals. The FOIA applies to information held by the CCGs; this could include information created by other organisations, such as providers, contractors, etc. The FOIA makes it an offence to alter, deface, block, erase, destroy or conceal any information held by the CCGs with the intention of preventing disclosure of all or part of it.

Penalties can be imposed on both the CCGs and employees for non-compliance under the FOIA. The policy underpins any operational procedures and activities connected with the implementation of the legislation and provides a framework within which the CCGs will ensure compliance with the requirements of the Act. The Policy is applicable to all the activities which the CCGs conduct with other public bodies, including other NHS organisations and partnership bodies, as well as voluntary organisations and commercial suppliers of goods and services. All staff are responsible to the Chief Officer for their compliance with the policy, for ensuring the adoption of appropriate procedures in managing a request for information and for monitoring the effectiveness of those procedures and the implementation of this policy. All individual employees responsible for responding to requests for information need to be aware of the responsibilities of the CCGs under the Act and, in particular, the continuing duty to advise and assist any member of the public. Freedom of Information should be adequately reflected in all relevant strategies, policies and procurement exercises.

2. RESPONSIBILITIES
It is the role of the CCGs' Governing Bodies to define the policy in respect of Freedom of Information, taking into account legal and NHS requirements. The CCGs' Governing Bodies are also responsible for ensuring that sufficient resources are provided to support the requirements of the policy. The FOIA Policy applies to all staff who handle information on behalf of the CCGs. Staff responsibilities, including those in key roles, are outlined in more detail in Appendix B.

3. PRINCIPLES
The CCGs will use all appropriate and necessary means to ensure that they comply with the Freedom of Information Act.
The CCGs will deploy appropriate systems and procedures to ensure that the organisation complies with its duty to confirm or deny and to provide requested information within 20 working days, or within a reasonable period of time where a public interest test has to be considered. All staff, GP directors and governing body members will be required to comply with the requirements, and failure to do so may result in disciplinary action. The CCGs will maintain a Records Management Policy so that requests for information can be handled efficiently and effectively.

The CCGs will ensure that all staff receive appropriate and relevant training such that they are able to identify a Freedom of Information request and support any request that the organisation may receive. The CCGs will ensure that their Publication Scheme is periodically reviewed and updated. The CCGs will not agree to hold information received from third parties in confidence which is not confidential in nature. Acceptance of any confidentiality provisions must be for good reasons, capable of being justified to the Information Commissioner. The CCGs will ensure that exemptions are applied appropriately and consistently, and a refusal notice will be issued detailing why the exemption applies (Appendix I). The CCGs will advise and assist requesters, as set out within the Act. The CCGs' Freedom of Information Lead (Head of Corporate Affairs) will ensure that training in relation to the Act is available to all staff. The CCGs will ensure that awareness raising material is made available to all staff. The CCGs will monitor the effectiveness of their compliance with the FOIA and their performance in implementing this policy. The CCGs will adopt similar standards and policies in relation to the implementation of the Environmental Information Regulations.

4. PUBLICATION SCHEME
Section 19 of the FOIA makes it a duty for every Public Authority to adopt and maintain a scheme relating to the publication of information by that authority, which is approved by the Information Commissioner. The CCGs use the approved model issued by the Information Commissioner's Office (ICO) in January. The outline for this scheme can be found in Appendix H.

5. REQUESTS FOR INFORMATION WITHIN THE PUBLICATION SCHEME
If a request is received for information that is covered by the scope of the publication scheme, the requester will be directed to download the information from the CCGs' website.

6. REQUEST TO RE-USE INFORMATION PROVIDED
Information that the CCGs publish as part of their publication scheme and website will be the list of information available for re-use. Any published document can be re-used without charge, provided the CCG is credited as the source and retains copyright where appropriate.

7. MANAGING AND DEFINING REQUESTS
The CCGs are responsible for logging and processing all FOIA requests received. A Request for Information (RFI) must meet the following criteria:
- Be in writing, such as e-mails, letters, etc.
- Contain a name and address for correspondence, including e-mail.
- Have sufficient detail to enable the CCGs to identify the information requested.
- Be a request for information that is not already part of the CCGs' Publication Scheme.
- Be a request for information from a member of the public or an organisation outside the local NHS.
Once a request that fulfils the above criteria is received, the CCGs have a maximum of 20 working days to respond. There is no provision for extending the 20 working day limit, unless consideration needs to be given to a Public Interest Test. The CCGs have a duty to advise and assist under the Act and must take reasonable steps to help a requester compile a request that meets the criteria. The time for response does not begin until sufficient detail has been received to consider a response. Any communication to clarify a request will be undertaken without unnecessary delay. All responses to requests that have not expressly asked for the information to be re-used will carry a clause stating that permission must be sought before the information may be re-used. Requests for re-use must be authorised by a Director of the CCGs, taking advice from Communications and Information Governance professionals as appropriate.

8. VEXATIOUS REQUESTS
Should an applicant make vexatious or repeated requests for identical or substantially similar information, the CCGs will inform the applicant in writing, stating that they will not be fulfilling the request and outlining why they consider the request to be vexatious. They will also advise the applicant of how to proceed if they are not satisfied with the response. Guidance is available on the Information Commissioner's website on how to decide whether an applicant's requests may be considered vexatious. The FOI Administrator will determine if the request is considered vexatious.

9. APPLYING EXEMPTIONS
Whilst a response is being compiled, if there is a concern raised about release, then consideration should be given to whether an exemption may apply.

The Act details 23 legally complex exemptions. These are separated into absolute and qualified. An absolute exemption applies in all cases and is not subject to a public interest test. If the exemption is absolute then the response should be completed within the usual 20 working day limit. A qualified exemption is subject to a public interest test, which determines whether the public interest is best served by applying an exemption or by disclosing the information. When a Public Interest Test is being applied, the response time should be paused and the requester should be informed that a public interest test is being undertaken. Public Interest Tests must be conducted objectively; it is not sufficient merely to state that the public interest is best served by an exemption. Should the requester challenge the exemption, the CCGs would be required to demonstrate that both sides of the argument had been sufficiently explored and that those with relevant experience, skills and knowledge had engaged with the Public Interest Test. Therefore the discussions around disclosure versus non-disclosure, and where the interests of the public are best served, should be documented. The response will usually detail why the CCGs believe that an exemption applies and which exemption is being used. The FOI Administrator will provide technical assistance in determining whether an exemption applies. A full list of exemptions is attached in Appendix I.

10. REQUESTS FROM THE MEDIA
Requests under the FOIA are both motive and applicant blind. However, it may be appropriate for the CCGs' Communications Lead to be informed of requests from the media, and the CCGs may wish to consider handling them as a media request. Requests that are likely to be of media interest should also be copied to the CCGs' Communications Lead so that the CCGs can consider any response they may wish to make. This does not alter the requester's rights under the Act.

11. REQUESTS FOR INTERNAL REVIEW / COMPLAINTS PROCESS
The FOIA response to the requester will detail what steps the requester can take if they are unhappy with the response received from the CCGs. The steps to resolve a complaint are:
1. Request for internal review by the CCGs.
2. Complaint to the Information Commissioner.
Both routes will be identified in all responses. If the requester asks for an internal review, then the following aspects will be considered:
- How the request was handled, including meeting timescales.
- Whether the response addressed key aspects of the Act, including advising the requester whether the information was held.
- Whether any exemption was applied appropriately.

The composition of the review team will include:
- A senior member of CCG management, ideally a Director or senior manager.
- A subject matter expert well versed in the information requested, ideally not the person originally responsible for responding, although this may be unavoidable.
- The CCGs' FOI Lead (Head of Corporate Affairs).
The outcome of the review will be prepared within 40 days of the original request for review. If the outcome of the review is to release previously withheld information, then ideally this should be sent with the review, or no later than 20 days after the completion of the review. Should the CCGs receive any notice served by the Information Commissioner they will endeavour to comply, unless they consider it necessary to appeal to the Information Tribunal.

12. INFORMATION PROVIDED BY OTHER ORGANISATIONS
The FOIA covers information held by the CCGs. The CCGs would generally have to disclose the information requested; however, it may be appropriate to advise the originator of the information that it will be released. If the information is known to be more readily available from another source, e.g. a website, it may be appropriate to advise the requester of this. Guidance should be sought from the FOI Administrator if the CCGs believe that the release of information may impact on the other party.

13. CONTRACTS WITH OTHER ORGANISATIONS
All operational contracts that the CCGs hold include a clause stating that information may be disclosed under the terms of the FOIA. The CCGs will give consideration to the FOIA during procurement processes and ensure that those who wish to tender understand that information may be disclosed under the Act.

14. ENVIRONMENTAL INFORMATION REGULATIONS
Many similarities exist between the FOIA and the Environmental Information Regulations (EIR). The EIR relate to any information that the CCGs hold about our impact on the environment; this includes impact on any of the elements (air, water, etc.), substances released into the environment, planning policies and plans that may affect the environment, and any impact on humans. The main difference between the FOIA and the EIR is that EIR requests do not have to be in writing and may be made verbally. The CCGs will handle EIR requests within the FOIA process. Should the CCGs receive an EIR request then specialist advice will be sought from the FOI Administrator.

SUBJECT ACCESS REQUEST POLICY & PROCEDURE
SECTION EIGHT

1. INTRODUCTION
It is the policy of the CCGs to comply with all relevant legislation and regulation in every aspect as it applies to their duties as commissioners of secondary healthcare and as employers. The Data Protection Act 1998 ("the Act") became effective from 1st March 2000, superseding the Act of 1984 and the Access to Health Records Act 1990, the exception to the latter being that medical records of the deceased are still governed by the Access to Health Records Act. The Act gives every living person, or their authorised representative, the right to apply for access to records of their personal information held by a registered organisation, irrespective of when they were compiled. These are referred to as Subject Access Requests (SARs) and the person to whom the data relates is referred to as the Data Subject. This applies equally to Staff Records and Health Records, where:
- Personnel / Staff records are defined as the personal information held by the CCGs relating to a member of staff, present, past or prospective, whether permanent, temporary or a volunteer.
- Health records are defined as a record consisting of information about the physical or mental health of an identifiable individual made by, or on behalf of, a health professional in connection with the care of that individual.
The Act also gives subjects who now reside outside the UK the right to apply for access to their former UK health and employment records. As a general rule a person with parental responsibility will have the right to apply for access to their child's health record. A copy of the requested information will, whenever possible, be provided to the applicant within 21 days and by no later than 40 days. However, where a fee is to be charged or the data subject has provided insufficient information to identify themselves, the 40-day clock will not begin to run until the fee is paid or the relevant information is supplied.

If compliance is not possible within this period, this must be in exceptional cases only, and the applicant advised accordingly within the 40-day period.

2. SCOPE

This policy applies to all staff who work for the CCGs, including contractors and members of the Governing Body.

It is recognised that the CCGs, due to the introduction of the Health and Social Care Act 2012 and the organisation's decreasing direct involvement with patient records, are less likely to receive SARs for medical records than preceding bodies. However, this policy and procedure will apply to any request from a member of staff for access to their personal information held by the CCGs and to requests from members of the public about information held about them.

The CCGs will commission the service of the Commissioning Support Unit (CSU) to process requests for subject access from an individual or their legal representatives, in accordance with the relevant IG and FOI Service Specification. However, the response will need to be approved by the CCGs as Data Controller. The SAR will be processed as per Appendices 1 and 2, found at the end of this Policy.

3. RIGHT OF SUBJECT ACCESS

The Data Subject
A data subject is entitled to make a request in writing to see any personal data held about them under the Act.

On Behalf of the Data Subject
Anyone applying for Data Subject Access on behalf of someone else must apply in writing together with written authorisation from the data subject, which must be signed by the data subject themselves.

A Person with Parental Responsibility
An individual can only request access if they have either parental responsibility or legal guardianship of the child. Parental responsibility is defined in the Children Act 1989 and updated by the Adoption & Children Act. A person with parental responsibility is:

- the natural mother;
- the natural father, if married to the mother either before or after the birth, even if divorced or separated;
- the natural father, if unmarried, and he registered the birth along with the mother after December 2003;
- the natural father, if unmarried, by agreement with the mother (evidenced by a form provided by a solicitor, signed by both parents and witnessed by an Officer of the Court) or by a court order (parental responsibility order);
- the natural father, if unmarried, and appointed as the child's guardian on the death of the natural mother;
- an individual (generally a family member) with a residence order for the child (if the order is for a period of time, then parental responsibility is removed at the end of the period);
- an individual who has legally adopted the child;
- a local authority under a care order;
- an individual acting as a Children's Guardian.

If the application for access to a child's record is made by someone having parental responsibility, access shall only be given where:

- the child is capable of understanding what the application is about and has consented to it; or
- the child is not capable of understanding the nature of the application and giving access would be in his/her best interests.

The relevant Health Professional will decide on the child's capacity to understand the application. If an individual is claiming parental responsibility then they must provide a copy of the necessary evidence, such as a parental responsibility order or birth certificate.

A Person Appointed by the Courts
Where a patient is incapable of managing their affairs, someone appointed to act on their behalf by a court of law may submit a subject access request. Proof of the court order must be given.

Solicitors acting on behalf of a Client or Insurance Companies
Where a solicitor, lawyer or other legal professional requests access on behalf of a client they are representing, the signed consent of their client must be obtained and evidenced. The request must be dealt with in the same way as if it had come direct from the Data Subject.

Other Agencies
In some circumstances the Trust may be asked to provide information to other agencies. Unless there is a legal requirement to disclose, the Data Subject will be informed and their consent obtained in writing.

Appointed Representative of the Deceased
Health records relating to deceased patients will be treated with the same level of confidentiality as those relating to living people. Under the Access to Health Records Act 1990, a request to see a deceased patient's health record, or to have a copy thereof, can be made by the patient's personal representative or any person who may have a claim arising out of the patient's death.

The personal representative (executor or next of kin, who may be a relative, friend or solicitor) or anyone having a claim resulting from the death has the right to apply for access to the relevant part(s) of the deceased's health record under the Access to Health Records Act 1990. Where the requestor is not acting in a legal capacity, they should detail why they need access in pursuing a claim. Where they are the executor or administrator they must provide proof of appointment under the Will / Grant of Probate.

4. RECEIVING THE ACCESS REQUEST

A member of staff, patient or their representative, with consent, has the right to apply for access to personal records. Unless an applicant is very well known to the member of staff receiving the request, and unless the member of staff is fully conversant with the intricacies of the Act, all requests must be passed to the CSCSU FOI team in the first instance to be processed. They will determine the applicant's entitlement to access a record before passing the request to the relevant department (i.e. HR, CHC, etc.), which will determine if any part of the record is subject to restrictions as set out in the Act.

The Act allows for requests to be made in writing or electronically. Requests in writing from patients should be made using the Patient Authority Consent (PAC) Form to ensure that absolute clarity about the nature and legitimacy of the request exists; electronic requests should only be accepted with an electronic signature. If this last is not possible, the applicant should be advised to complete a manual PAC Form as described above. In cases where consent can only be taken verbally, the details of this consent should be recorded on the individual's file. Please go to Appendix 3 for a copy of the PAC.

Once the SAR is received, you must be able to verify the identity of the applicant. For both members of staff and patients requesting the release of their records (in addition to the PAC Form, which will bear a signature from the data subject), ensure that you have a copy of some form of identity that shows the applicant's name and current address. At least two forms of Identification (ID) are necessary. Acceptable forms of ID include:

- photocopy of passport or driving licence
- bank statement
- electricity bill
- gas bill
- council tax bill
- any other bill in your full name

Note: Bills should not be more than six months old.

If an employee's or a patient's representative, e.g. a solicitor, is applying for access, ensure that you have the signature of the data subject (i.e. staff member or patient) authorising this.

In some circumstances the FOI Officer processing the request may wish to contact the data subject to clarify that he/she understands fully that they will be consenting to release their health or personnel records to a third party.

If a parent, or person authorised with parental responsibility, is applying for access to their child's records, the HR / Health Professional should consider if the child is of an age to be capable of making his or her own judgement about their personal information (see Section 7 for further information). If they are, their consent should be sought before their application is accepted. Issues to be considered when processing applications from those with parental responsibility are discussed in Section 7.

After obtaining consent and identification for an access request, ensure you have enough information to identify the data relating to the data subject in question. Such details would include:

- Full name, including previous names
- Full address, including any recent previous address
- Date of birth
- NHS number, if known (where relevant)

Under the Act, there is no obligation to comply with an access request unless you have sufficient information to identify the applicant and locate the information. Check with the applicant whether they require access to the entire personal record and, if not, confirm what material the applicant requires before processing their request.

Note: The applicant does not have to give a reason for applying for access.

Once you have all the relevant and necessary information, including ID and consent, to comply with the access request, you must comply promptly and by no later than forty days after the request has been made; sign and date the PAC Form on receipt to ensure that you keep track of time-scales. In exceptional circumstances, if it is not possible to comply within this period, the applicant should be informed.

The Senior Manager charged with reviewing the personal record prior to release is normally the person who is, or was, responsible for the HR records of the employee, or the Healthcare Professional responsible for the clinical care of the patient during the period to which the application refers. It is not necessary to approach every individual professional associated with the subject.

Each CCG has the authority to determine what may or may not be released, taking into account two key factors why access could be denied:

- Where the information released may cause serious harm to the physical or mental health or condition of the employee/patient, or any other person
- Where access would disclose information relating to or provided by a third party, who is not a professional engaged in the provision of the patient's healthcare.

In terms of the second statement, access may be given if the third party gives their consent to the disclosure, although the Act does not require the CCG to approach a third party for this purpose.

The following are common examples, relating to health records, of when a third party may be involved; they may also be interpreted for staff records:

Example 1
A parent may apply for access to their 14-year-old child's health records. Contained within the health record may be some reference to his/her parents (third party) made by the child, which the child would not want disclosed. The doctor or community health professional may withhold this information from the child's parents.

Example 2
A son (third party) contacts the doctor or community health professional because he is concerned about his elderly mother, who is having problems with memory loss and self-care. The doctor makes notes of the visit in his mother's health records, but if for any reason the mother decided to apply for access to her health records, the doctor may withhold any information relating to her son's visit, unless the son gives his consent to disclose the information.

NB: There is no requirement to disclose to the applicant the fact that certain information may have been withheld.

5. SUBJECTS LIVING/MOVING ABROAD REQUIRING ACCESS TO THEIR PERSONAL RECORDS

Employees are legally entitled to request their personal records and may take them outside of the UK at their own discretion and liability.

Original health records should not be given to people to keep/take outside the UK. A GP or community health professional may be prepared to provide the patient with a summary of treatment; alternatively the patient may make a request for access in the usual way. If the patient has moved abroad and the health record has been archived, direct the patient to the archive holder, who will manage the request. Health records are kept for a minimum of 10 years in these circumstances (CCG records for 8 years).

6. PARENTAL RESPONSIBILITY

Although such requests are unlikely to be received by the CCG, as a general rule a person with parental responsibility will have the right to apply for access to a child's record. It is important that staff who are dealing with a request for access to a child's record from someone who says that they have parental responsibility secure evidence that will have been provided by the Courts to that effect.

Parental responsibility for a child is defined in the Children Act 1989 as "all the rights, duties, powers, responsibilities and authority which by law a parent of a child has in relation to a child and his property". Although not defined specifically, responsibilities would include safeguarding and promoting a child's health, development and welfare, including, if relevant, their employment records.

Included in the parental rights which would fulfil the parental responsibilities above are:

- Having the child live with the person with responsibility, or having a say in where the child lives
- If the child is not living with her/him, having a personal relationship and regular contact with the child
- Controlling, guiding and directing the child's upbringing

It is important to note that foster parents are not ordinarily awarded parental responsibility for a child. It is more likely that this responsibility rests with the child's social worker, and appropriate evidence of identity should be sought in the usual way.

As a child grows older he/she will be able to make decisions about his/her own life. The law regards young people aged 16 to 17 as adults for the purposes of consent to employment or treatment and the right to confidentiality. Therefore, if a 16 year old wishes HR or a medical practitioner to keep their information confidential then that wish must be respected. In certain cases, children under the age of 16 who have the capacity and understanding to take decisions about their own treatment are also entitled to decide whether personal information may be passed on and generally to have their confidence respected. Case law has established that such a child is "Gillick Competent" or meets the Fraser guidelines.

Where a child is considered capable of making decisions, e.g. about his/her employment or medical treatment, the consent of the child must be sought before a person with parental responsibility may be given access. Where, in the view of the appropriate professional, the child is not capable of understanding the nature of the application, the holder of the record is entitled to deny access if it is not felt to be in the patient's best interests.

7. POWER OF ATTORNEY

A person with Power of Attorney for another is entitled to be given access to that person's staff or medical record, subject to the proper scrutiny of appropriate evidence. Appropriate evidence is sight of the original document giving Power of Attorney, a photocopy of which should be retained.

8. DECEASED PERSONS

Should a SAR be received relating to a deceased member of staff, the FOI Officer must ensure that the person making the request is entitled to receive the information, for example by holding Power of Attorney (see above) or as their Executor (see below).

Despite the passing into law of the Act, the terms of the Access to Health Records Act 1990 (AHRA 90) still apply with regard to the health records of the deceased. The requirements of the AHRA 90 are precisely the same as those contained within the Act apart from one key area: the period of time from when records may be disclosed. Under the AHRA 90, health records made since 1st November 1991 may be released; there is no requirement whatsoever to release records from any date earlier than this.

An applicant wishing to access the health records of a deceased person must be either:

- The executor of the deceased's Will;
- Someone who has been appointed as Administrator of the Estate by the Courts;
- Someone who has the written consent of either of the above to be given access; or
- Someone who is in the process of challenging the deceased's Will.

In all circumstances, evidence must be secured that confirms the status described above.

9. DISPROPORTIONATE EFFORT

The term "disproportionate effort" is not defined in the Act; what does or does not amount to disproportionate effort is a question of fact to be determined in each and every case. The fact that the CCG (the data controller) may have had to expend substantial effort/cost in responding to an access request does not permit an argument to be made that the request may be denied or the permissible fees increased. The Information Commissioner considers that quite considerable effort can reasonably be expected.

10. FEES TO ACCESS AND COPY RECORDS

A subject can be charged to view their health records or to be provided with a copy of them. To provide copies of patient health records, the maximum costs are:

- Health records held totally on computer: up to a maximum of £10 charged
- Health records held in part on computer, and in part manually: up to a maximum of £50 charged
- Health records held totally manually: up to a maximum of £50 charged

These are maximum charges, to include postage and packaging costs. Any charges for access should not be seen to make a financial gain.

To allow patients to view their health records (i.e. where no copies are required), the maximum costs are:

- Health records held totally on computer: up to a maximum £10 charge
- Health records held in part on computer, and in part manually: up to a maximum £10 charge
- Health records held totally manually: up to a maximum £10 charge

NB: If the records have been added to in the last 40 days, no charge may be made for viewing these particular entries.

If a person who has viewed their record then wishes to be provided with a copy of any of the information held, this should be regarded as one access request. The £10 maximum fee for viewing, notwithstanding the exceptions outlined above, would be included in the maximum fees detailed for the provision of copies, not charged as an extra fee.

In addition you should note that, whilst the Act states that you are under no obligation to comply with an access request unless the requisite fee has been paid, in practice an organisation may choose not to ask for the fee until the release stage of the access request.

11. THE RELEASE STAGE

Once you have received the relevant fee, release those copies of the records that are adjudged appropriate to release. On no account must the original record be released.

If you are denying or restricting access, you do not have to give a reason for the decision, but you should be willing to direct the subject through the appropriate complaints channels. Where information is not readily intelligible, an explanation (e.g. of abbreviations or terminology) must be given.

If it is agreed that the subject or their representative may directly inspect the record, a health professional or HR administrator must supervise the access. If supervised by a lay administrator, this person must not comment or advise on the content of the record; if the applicant raises enquiries, an appointment with an HR administrator or health professional must be offered.

12. RECTIFYING ENTRIES

Data Subjects, or those acting for them, have the right to request the erasure or amendment of any entries in a personal record that they believe to be factually incorrect, and the record holder must consider any such petition made by the data subject. If, however, the record holder believes the statements in question to be accurate, and is therefore unwilling to amend them, the subject has the right to have the fact of this dispute recorded in the employee or medical record.

13. DEALING WITH COMPLAINTS

If an applicant is unhappy with the outcome of their access request, the following complaints channels should be offered:

- The HR or health professional may wish to have an informal meeting in an effort to resolve the complaint locally.
- If the HR or health professional feels that they cannot do anything for the data subject locally, a patient should be advised to make a complaint through the NHS complaints process. A staff member may wish to consult with their trade union representative.
- The data subject may not wish to take this route and, alternatively, may make a complaint direct to the Information Commissioner at:

The Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow
Cheshire, SK9 5AF
Website
Telephone Information Line

14. FURTHER ADVICE

Further advice may be obtained from the Information Governance Manager.

APPENDIX 1: Relative CSU / CCG Responsibilities for Subject Access Requests

APPENDIX 2:

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

More information

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS North Durham Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Risk and Audit Committee/Governing

More information

Information Governance Framework and Strategy. November 2014

Information Governance Framework and Strategy. November 2014 November 2014 Authorship : Committee Approved : Chris Wallace Information Governance Manager CCG Senior Management Team and Joint Trade Union Partnership Forum Approved Date : November 2014 Review Date

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages

More information

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency

More information

Information Governance Policy

Information Governance Policy BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY ENFIELD CLINICAL COMMISSIONING GROUP INFORMATION GOVERNANCE POLICY PLEASE DESTROY ALL PREVIOUS VERSIONS OF THIS DOCUMENT Enfield CCG Information Governance Policy Information Governance Policy (Policy

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT

More information

NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Final No impact Document Ratified/Approved By Hartlepool

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

Gloucestershire Hospitals

Gloucestershire Hospitals Gloucestershire Hospitals NHS Foundation Trust TRUST POLICY In the case of hard copies of this policy the content can only be assured to be accurate on the date of issue marked on the document. The Policy

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Information Governance Policy. Church Road Medical Practice

Information Governance Policy. Church Road Medical Practice Information Governance Policy Church Road Medical Practice Version No: 1.0 Issue Date: March 2015 INFORMATION GOVERNANCE POLICY 1. Summary Information is a vital asset, both in terms of the clinical management

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

SALISBURY NHS FOUNDATIONTRUST

SALISBURY NHS FOUNDATIONTRUST SALISBURY NHS FOUNDATIONTRUST PAPER SHC 1738 TITLE Information Governance Policy PURPOSE OF PAPER The Information Governance Policy was first approved in April 2005. It is currently due for review to ensure

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

Information Governance Standards in Relation to Third Party Suppliers and Contractors

Information Governance Standards in Relation to Third Party Suppliers and Contractors Information Governance Standards in Relation to Third Party Suppliers and Contractors Document Summary Ensure staff members are aware of the standards that should be in place when considering engaging

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

INTERNATIONAL SOS. Data Protection Policy. Version 1.05 INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Page 1 of 46 Policy Title: Executive Summary: Information Governance Policy This policy seeks to identify the actions required to ensure that information is appropriately

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures ` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: Revised: Consultation: Ratified by: 1.0 Information Governance Committee Governance Committee Date ratified: 19 March 2008 Name of originator/author: David McGrath

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

More information

Date of review: Information Governance Group January 2016. Policy Category: CONTENT SECTION DESCRIPTION PAGE

Date of review: Information Governance Group January 2016. Policy Category: CONTENT SECTION DESCRIPTION PAGE Title: Date Approved: January 2015 Division/Department: Corporate Services Corporate Records Policy Approved by: Date of review: Information Governance Group January 2016 Author (post-holder): Interim

More information

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Appendix 1 INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Author Information Governance Review Group Information Governance Committee Review Date May 2014 Last Update February 2013 Document No. GV

More information

INFORMATION GOVERNANCE

INFORMATION GOVERNANCE This document is uncontrolled once printed. Please refer to the Trusts Intranet site (Procedural Documents) for the most up to date version INFORMATION GOVERNANCE NGH-PO-233 Ratified By: Procedural Document

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

Corporate Policy and Strategy Committee

Corporate Policy and Strategy Committee Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:

More information

Information Integrity & Data Management

Information Integrity & Data Management Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY POLICY NO IM&T 011 DATE RATIFIED January 2012 NEXT REVIEW DATE January 2015 POLICY STATEMENT/KEY OBJECTIVE: To provide an overarching framework through which Information Governance

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY Report to the Trust Board 22 September 2015 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations: Director

More information

BEFORE USING THIS GUIDANCE, MAKE SURE YOU HAVE THE MOST UP TO DATE VERSION GUIDANCE 2 POLICY AREA: INFORMATION GOVERNANCE

BEFORE USING THIS GUIDANCE, MAKE SURE YOU HAVE THE MOST UP TO DATE VERSION GUIDANCE 2 POLICY AREA: INFORMATION GOVERNANCE GUIDANCE 1 TITLE: INFORMATION GOVERNANCE FRAMEWORK 2 POLICY AREA: INFORMATION GOVERNANCE 3 ACCOUNTABLE DIRECTOR FOR POLICY AREA: DIRECTOR OF QUALITY AND GOVERNANCE 4 GUIDANCE DRAFTED BY: INTEGRATED GOVERNANCE

More information

CCG: IG06: Records Management Policy and Strategy

CCG: IG06: Records Management Policy and Strategy Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of

More information

DATA PROTECTION ACT 2002 The Basics

DATA PROTECTION ACT 2002 The Basics DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Information Governance Framework

Information Governance Framework Information Governance Framework Authorship: Chris Wallace, Information Governance Manager Committee Approved: Integrated Audit and Governance Committee Approved date: 11th March 2014 Review Date: March

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

Information Management Policy CCG Policy Reference: IG 2 v4.1

Information Management Policy CCG Policy Reference: IG 2 v4.1 Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading

More information