INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

Transcription

1 INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE 5 VERSION: 1.1 SEE SECTIONS SEVEN AND EIGHT 6 RELATED DOCUMENTS: The Information Governance and Security Policy should also form part of the CCG s Business Continuity Plan 7 DATE OF IMPLEMENTATION: 1 October DATE OF NEXT REVIEW: On or before 30 September 2016 DOCUMENT CONTROL Date Version Action Amendments 19/08/ DRAFT N/A INFORMATION GOVERNANCE AND SECURITY Page 1 of 8

2 1. Introduction The successful running of the CCG depends in part on proper information governance. To maintain the trust and confidence of key stakeholders and above all patients and the public, in the CCG it will always comply with its legal duties and follow national and local guidance on information governance; but also be mindful if the spirit underpinning good information governance and how it seeks to protect the rights of people about whom data are collected, stored and transmitted. 2. Policies statement Islington CCG s policies set out the organisation s standards and intentions, and are written with the aim of being as clear and comprehensive as possible. However, we operate in a dynamic and evolving work environment and attention should be paid to the spirit of the policy as well as the letter. Policies by themselves cannot guarantee effective behaviour or the delivery of key objectives. While they are designed to support the CCG, and the people working within it, our success depends on continuous, high quality effort by everyone the policy covers. Therefore thought must be given to good practice when applying or interpreting any of the CCG s policies, and you should read any guidance or supporting documentation that relates to this policy to help you do this. 3. Purpose and Scope of the Policy This policy sets out the CCG s attitudes and approach to information governance and acts as an introduction to the national and local guidance on specific areas. It aims to empower staff to identify and manage information governance issues, and signpost them to resources and support they can call on to help them make appropriate decisions about data and information. The purpose of this policy is to set out a single, over-arching information governance policy for Islington CCG that is both readable and understandable; but also has sufficient depth to be a useful, applicable resource for all the CCG s staff. It will introduce the reader to key information governance concepts, key roles in information governance, the staff responsibilities for information governance. By doing so it seeks to help staff to apply good practice and make appropriate judgements when managing personal, sensitive, commercial and any other data. This policy covers all CCG activity and all data owned, stored, transmitted or manipulated by the organisation. 4. Who this policy applies to The policy applies to all staff, including but not limited to CCG employees, joint appointments, temporary staff, contractors, consultants or anyone who has any form of access to any of the CCG s information assets, and this is regardless of where they are based or the medium or form in which that access takes place. INFORMATION GOVERNANCE AND SECURITY Page 2 of 8

3 5. Information Governance and Security at Islington CCG The CCG recognises that good information governance is central to achieving its objectives. Therefore appropriate information governance systems and processes are important and all staff are accountable for their compliance at all times. The CCG also recognises that the most appropriate approach to information governance and security is the development and maintenance of a culture that: sets out clear and easy to follow standards; educates staff about information governance and security; empowers staff to take informed decisions about information governance and security, including seeking advice and support; learns from information governance issues and seeks to continually improve its approach; recognises information governance should not be used as an excuse not to do things. a. The CCG s approach to getting, storing and using data The overarching principles that will always be applied in every case are: When there is a need for the CCG to have access to personal data it will: o seek the permission of the data subjects; or o attempt to achieve the desired outcome using data that are anonymised or pseudonymised; or o access the data where doing so is in line with statue or a court order; or o do so where there is a clear and overriding public interest that has been identified and agreed at director level or above (see 5 (c) below). The CCG will always manage data in line with the Data Protection Act. The CCG will always manage data in line with guidance including Caldicott, and the NHS Code of Confidentiality. The CCG will strive to achieve the highest scores on every part of the Information Governance Toolkit. The CCG recognises the common law duty of confidentiality places on staff the same standards and duties of confidentiality as those placed on medical practitioners. The CCG will never accept receipt of or store data that are sent to it in breach of legislation or guidance. The CCG will always be mindful of people s rights to control their data and have a say in how they are processed. b. Standards of staff conduct Details of day to day information governance at Islington CCG are set out in supporting guidance. Key policy points are: At the time of writing the CCG s IT system offered staff three locations or drives where they can save information: C, H and N INFORMATION GOVERNANCE AND SECURITY Page 3 of 8

4 The N Drive is the appropriate drive for work related documents. The H drive is the appropriate place for draft documents, and personal documents like appraisals. Because it is a physical part of the computer, and because there is a risk of loss or theft, the C drive should never be used to store any documentation. is not to be used for document management. Staff should refer to specific guidance for tips and tricks on managing , but in general s (and their attachments) can always either be saved on the N drive or deleted. Staff are encouraged to aim for a completely clear system. Staff must never share their password with anyone. Staff must never transmit any personal identifiable data or other sensitive information to or from an unsecure system; or transport it in an unencrypted USB stick. The removal from the office of hard-copy papers that contain personal information or other sensitive data is strictly prohibited. Staff must also never accept personal identifiable data or other sensitive information from an unsecure system; on an unencrypted USB stick; or in hard-copy form. In the event that a member of staff receives personal or sensitive data from an unsecure source the member of staff must: delete or destroy the received data (using confidential waste disposal as appropriate) and inform the sender that this has happened; and remind them of the need to send the information securely. If staff use any cloud computing apps they must do so with due regard to the principles of the Data Protection Act. Staff are encouraged to discuss any cloud computing applications they use or wish to use with the lead for information governance. c. Overriding confidentiality The CCG recognises there are certain, limited circumstances when a person s right to confidentiality may be overridden. There are three main circumstances when this can take place: The public interest: There may be limited circumstances where the CCG may be required in conjunction with other organisations or independently, to perform an action in the public interest that requires access to personal data but where it may not be practicable to obtain consent and where using anonymised or pseudonymised data would prevent the CCG from doing what is required. To ensure patient safety: From time to time the CCG may, in conjunction with other organisations or independently, be required to undertake work relating to patient safety (including the safeguarding of vulnerable people). Where there is a clear duty on the CCG to INFORMATION GOVERNANCE AND SECURITY Page 4 of 8

5 undertake this work, and it is not practicable to obtain patient consent or use effectively anonymised data, the CCG can override patient confidentiality. Criminality: The disclosure of personal information is allowed in order to support the prevention, detection, investigation and prosecution of crime and staff should always seek advice if they judge a crime against the person or fraud in the NHS is going to be committed or has been committed. When we override confidentiality we will always: record the instance where confidentiality was overridden, detailing the circumstances and the reasons why it was agreed that this approach was necessary. Continue to apply the principles of the Data Protection Act. Continue to abide by the standards set out in this policy and supporting guidance. Consider obtaining consent retrospectively. Please note that the definition of the public interest for the purposes of overriding a person s right to confidentiality cannot apply to activities that can be reasonably considered the day to day work of the CCG. 6. Roles and Responsibilities Every member of staff has the following responsibilities: Abide by legislation, national guidance, local policy and the common law duty of confidentiality for the purposes of information governance and security. Be aware of and follow policies and guidance including the clear desk policy. To not keep data longer than necessary. Share data on a strict need to know basis only. Be mindful of data protection and data security at all times, To comply with requests to find and produce information necessary to comply with requests under the Freedom of Information Act or Environment Impact Regulations, including recognising and reporting requests made to staff directly. Complete mandatory information governance training. Seek support and guidance on information governance as needed. To ensure that records including s are reviewed and deleted as appropriate at the earliest appropriate time. Report breaches of the policy, data/asset losses, potential security problems etc Specific roles and responsibilities include: The Governing Body Set the strategic direction for information governance for the CCG. Define the organisation s risk appetite around information governance. INFORMATION GOVERNANCE AND SECURITY Page 5 of 8

6 Accountable Officer Accountable for the management and security of information assets Accountable for delivery or responses to requests under the Freedom of Information Act or Environmental Impact Regulations. Accountable for the CCG s compliance with the statutory framework setting out standards for information governance. Caldicott Guardian Approve audited and documented data flows Contribute to the development of information governance and security policies and procedures Act as the CCG s representative for the purposes of championing confidentiality and information governance Senior Information Risk Owner (SIRO) Support the development of a culture that supports the proper use of internal and external information assets to achieve organisational objectives Act as the focal point for information risk management for the CCG Support the ability of information asset owners to identify and manage information risks. Initiate and oversee a comprehensive programme of work that identifies, prioritises and addresses risk for all parts of the CCG, with particular regard to information systems that process personal data. Ensure that the organisation has implemented an effective information incident management and response capability that supports the sharing of lessons learned. Ensure that information governance and the management of information assets would be adequately managed under the provisions of the CCG s business continuity plan. Sign off the completed Information Governance Toolkit and other assessments of information governance as and when they may be undertaken, and if they have reached a standard with which he is content. Take overall responsibility for the management of laptops, tablets, mobile phones and any other portable media. Managers Acting as department heads or team leads they are accountable to the SIRO for the effective mitigation of information risks. Managing information assets, including maintaining a familiarity with the contents of those assets. Accountable for knowing who has access to the information asset, and ensuring that people who have access abide by this policy. Proactively manage, with a view to minimising, the need to transfer data between organisations by any medium INFORMATION GOVERNANCE AND SECURITY Page 6 of 8

7 Information Governance Lead Ensure the CCG is registered with the Information Commissioner s Office. Ensure annual completion of the Information Governance Toolkit. Support the day-to-day work of the Caldicott Guardian. Identify and manage information governance risks. Lead for responses to requests for information made under the Freedom of Information Act and Environmental Impact Regulations ensuring they are met within statutory timescales and that as appropriate public interest tests are appropriately applied and passed. Lead for responses to subject access requests made under the Data Protection Act. Conducting audits of data management and security. Lead the review and development of information governance policies and guidance. Support the resolution of information governance issues. Provide on request any of the supporting information, and as necessary help staff develop their understanding of that supporting information, set out in section 8, below. 7. Breaches of Policy Staff should be aware they are personally liable to be prosecuted and fined by the Information Commissioner for misuse and inappropriate handling of data. Breaches of this policy, and the misuse of or other media provided for work purposes by the CCG, will be managed under the CCG s conduct and capability policy. If staff identify an information governance or information security policy breach or practices that are likely to lead to a breach they should raise it following the CCG s Whistleblowing Policy. Any member of staff who feels they have been unfairly treated either for their own approach to information governance and security, or for trying to raise an issue about information governance and security, should use the CCG s grievance procedure. 8. Dissemination This policy is part of the suite of information governance policies and guidance that are on the intranet available for all staff to access. Staff are directed to these policies and guidance as part of their induction and in-house information governance training. INFORMATION GOVERNANCE AND SECURITY Page 7 of 8

8 9. References Readers should also make themselves familiar with: Supporting guidance underpinning this policy: o IG Framework o Data protection o Freedom of Information o Information lifecycle o Risk assessment and management The CCG s Business Continuity Plan The CCG s Complaints Policy The CCG s Absence and Attendance Policy The CCG s Whistleblowing Policy Document retention schedules Guidance on remote working or working at home Guidance on the management of and cloud computing applications Guidance issued by the Information Commissioner s Office on: o Privacy Impact Assessments; o Data Protection. The Freedom of Information Act The Data Protection Principles set out in Schedule 1 of the Data Protection Act The duties of confidentiality set out in Schedules 2 and 3 of the Data Protection Act The NHS Code of Confidentiality The Caldicott Principles The guidance on confidentiality, information governance or data protection issued by other relevant bodies e.g. the GMC s guidance on confidentiality for doctors. INFORMATION GOVERNANCE AND SECURITY Page 8 of 8