Information Governance Policy

Version Number: V3
Name of originator/author: Head of Information Governance and Records
Name of responsible committee: I&IT Committee
Name of executive lead: Director of Strategy, Transformation and Performance
Date V2 issued: September 2011
Last Reviewed: December 2013
Next Review date: December 2015
Scope: Trust wide
MMHSCT Document Code: CO28

Document Control Sheet

Document Title / Ref: Information Governance Policy
Lead Executive Director: Director of Strategy, Transformation and Performance
Author and Contact Number: Head of Information Governance and Records
Type of Document: Policy
Broad Category: Corporate
Document Purpose: The purpose of this Information Governance Policy is to be the definitive policy which sets out clear and robust Information Governance at the Trust.
Scope: All Staff including locums, trainees, students etc.
Version number: V3
Consultation: None required
Approving Committee: I&IT Committee
Approval Date: January 2014
Ratification and Date:
- Lead Executive Ratification: Director of Strategy, Transformation and Performance
- Date of Ratification: January 2014
Valid from Date: V2 September 2011. Current version is valid from approval date.
Date of Last Review: December 2013
Date of Next Review: December 2015
Procedural Documents to be read in conjunction with this document: n/a
Training Needs Analysis Impact: All staff are required to familiarise themselves with this policy
Financial Resource Impact: None

Document Change History

Changes to this document in different versions must be detailed below. Rationale for the change should also be given.

Version Number / Name of procedural document this supersedes: Information Governance Policy
Type of Change i.e. Review / Legislation / Claim / Complaint: Review
Date: December 2013
Details of Change and approving group or Executive Lead (if done outside of the formal revision process): Amended format to be in new Trust format for policy documentation and policy review

External references used in the creation of this document (if these include monitoring duties upon the Trust for this policy the specific details should be recorded on the Monitoring and Compliance Requirements sheet): Information Governance Toolkit v 11, HSCIC 2013

Privacy Impact Assessment submitted: Previous PIA 21/07/11 - no major changes. Any issues? None
Fraud Proofing submitted: Previous fraud proofing 02/08/11 - no major changes. Any issues? None
If not relevant to this procedural document give rationale: Review of a previous policy - no major changes

Policy authors are asked to consider each of the nine protected characteristics under the Equality Act. We expect you to demonstrate that throughout the policy process you have had regard to the aims of the Equality Duty:

1. Eliminate unlawful discrimination, harassment and victimisation and any other conduct prohibited by the Act;
2. Advance equality of opportunity between people who share a protected characteristic and people who do not share it; and
3. Foster good relations between people who share a protected characteristic and people who do not share it.

Please provide a brief account of how you have done this, further work to be completed and any support you have had in considering the aims and working in compliance with the Equality Duty. If you are unclear on how to do this or would like further advice and support then you may contact

It is the responsibility of the approving group to ensure this statement reflects the Trust's objectives and position with compliance as set out within the NHS Equality Delivery System.

The previous version of this policy was subject to a full equality and diversity impact assessment in line with the Equality Duty, which was approved by the Equality and Diversity Committee. The Equality Duty has been considered during the review of the policy, but as the policy changes are very minor they do not have any impact; the policy complies with the Equality Duty.

In line with the Trust values we may publish this document on our External Website. Is there any reason you would prefer this is not done? No

It is the Author's responsibility to ensure all procedural documents comply with the Trust values.

If you are unclear on any of the requirements in the document control sheet then please before proceeding

Monitoring and Compliance Requirements Sheet

For audit, Registration and NHSLA purposes all procedural documents must have monitoring requirements or key performance indicators set by the authors, Committees or Lead Directors. This allows the Trust to routinely monitor the effectiveness and impact of their procedural documents on a regular basis.

Procedural Document Title: Information Governance Policy V3
Does this procedural document offer support or evidence for the Trust's registered activities and outcomes? Yes
- Primarily: IG Toolkit
- Additional: Not Applicable
- Additional: Not Applicable
Is this an NHSLA Document? No
Which Standard does this relate to? n/a
Which Criterion:

If other Monitoring requirements are necessary i.e. Health & Safety Act and you should include them here and record them in the External References section.

Specify where the requirement originates: IG Toolkit Version 11 HSCIC
Additional Details i.e. Section number, Code of : policies
Minimum Requirement / Standard / Indicator to be monitored & Section of document it appears: Level \ 1b Policies. Policy, approvals, procedure and guidelines in place
Process for monitoring: Review
Responsible Individual / Group Practice: Head of IG and Records
Frequency of Monitoring: Biannual
Responsible Group for review of results / action plan approval / implementation: I&IT Committee
Comments:

NB: If you have selected audit you should complete the required audit registration form and standards document and submit these with your expected timescales for completing the audit to as soon as possible and no later than 4 weeks prior to the audit commencing. The Group / Committee should also ensure the monitoring work is added to their yearly schedule of monitoring and action logs as appropriate.

CONTENTS

1. Introduction
2. Policy purpose
3. Scope
4. Policy Objective
5. Legal Requirements
6. Principles of Information Use
7. Responsibilities
8. Other Relevant Policies
9. IG Assurances
10. Training and awareness
11. Monitoring, evaluation and review
12. Counter Fraud Measures
13. Accessibility of Documents
14. References/Supporting Information
Appendix B Caldicott Principles
Appendix B - LEGAL & REGULATORY FRAMEWORK

1. Introduction

Manchester Mental Health & Social Care Trust (the Trust) uses large amounts of data/information in order to support the delivery of health and social care services. Most of this is service users' confidential personal information which they provide in support of their health and social care. They have rights under the law to expect the Trust to keep it confidential and therefore secure. To do this effectively, what is needed is a cohesive, practical framework that governs and supports the legally compliant use of information.

Information assets, such as data and the information systems it is processed on, have become vitally necessary in order to provide modern health and social care services. Such information assets must continue to work well in order to provide the entire scope of services and support that are now expected.

There are strong legal requirements and NHS directives that necessitate working in an IG-compliant manner:-

- Confidential data must be kept confidential, adequately protected, only shared when legal and safe to do so and used (processed) in accordance with the law, notably the Data Protection Act.
- Information assets (e.g. data and systems) must be available when necessary for service provision and support.
- Information assets must have the appropriate integrity and quality, e.g. applications must work as expected and data must be as accurate as necessary.

In order to achieve the above, a wide scoping IG risk management framework has developed over the years, comprising: law, ethics, directives, guidelines, controls, technology, standards etc.

This document is the Trust's Information Governance Policy and is a key part of the IG Framework (IGF). The IGF is a broad framework of risk management implemented to manage the risks associated with using/processing data, especially confidential data, in order to facilitate and ensure its continued, appropriate and legally compliant use. It is firmly based on legislation, NHS policy, directives and guidelines, international information security standards and best practice in many areas (i.e. Informatics and IT, records management, information security, Data Protection etc).

This policy is directed and guided by the Trust's Information Governance Framework and supported by related policies, procedures and processes. It is intended to be fully consistent and compatible with the policies and practices throughout the NHS and has been developed to achieve compliance with the legal, regulatory and ethical frameworks.

All staff must read and comply with this policy, raising any points that are not understood with their management or the relevant staff whose contact details can be found in the Contacts section of this document.

2. Policy Purpose

The purpose of this Information Governance Policy is to be the definitive policy which sets out clear and robust Information Governance at the Trust.

This policy will not discriminate, either directly or indirectly, on the grounds of gender including gender reassignment, race, ethnic or national origin, sexual orientation, marital status, religion or belief, age, disability, union membership, offending background and any unjustified grounds.

3. Scope

This policy applies to the following:

- All staff and any others such as any individual, group, company, legal body or entity engaged in work/service provision, support or any other function relating to the Trust. This includes students, locums, maintenance staff, experts, support services, service providers, third parties, software developers, testers, system hosting providers or any others that use, process or have any access to, transmission of, or storage of confidential Trust data or information.
- All information assets such as information systems and data processing facilities purchased, developed and managed by or on behalf of the Trust and its partners.
- All data and information used by the Trust that it has a legal or ethical requirement to meet and maintain. This is irrespective of how it is stored or transmitted, e.g. email, databases, fax, files on networks, paper records.
- All kinds of Trust data and information including service users, staff and organisational information. Most importantly this is confidential data, but any supporting data is also included. It applies to any data the Trust processes on behalf of another organisation or entity under an agreement or contract.
- All uses and handling of such information, e.g. processing, usage and handling of structured paper and electronic records and file systems.
- All transmission and sharing of such information: file-sharing, email, fax, post and telephone. This includes database transactions that do not necessarily move anywhere except through electronic registers.

4. Policy Objective

The objective of this policy is to set out what must be complied with in order to implement the Information Governance (IG) Framework so as to enable the Trust to meet its responsibilities for the secure and appropriate management of information assets and resources. Furthermore, it sets out the principles of IG in a clear and structured way that supports IG implementation with clear and practical rules.

The aims of this policy and its supporting policies are to ensure and preserve:-

- Confidentiality: limiting access to data to those authorised to view it.
- Integrity: safeguarding the accuracy and completeness of information and ensuring the correct operation of all information assets (e.g. systems and networks).
- Accessibility: ensuring that information is available and delivered to the right person, at the time it is needed.
- Authenticity: ensuring information and records are credible and authoritative.
- Reliability: ensuring information and records can be trusted as a full and accurate representation of the transactions, activities or facts.

5. Legal Requirements

The legal framework on which this information governance policy is based is as follows:

- Data Protection Act 1998
- Caldicott 2 Information: To share or not to share
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act 1988
- Regulation of Investigatory Powers Act 2000
- Human Rights Act 1998
- Electronic Communications Act 2000
- Freedom of Information Act 2000
- Health and Social Care Act 2001
- Access to Records Act 1990
- The Caldicott Committee Report on the Review of Patient Identifiable Information (1997)
- Common Law Duty of Confidentiality
- Fraud Act 2006
- Bribery Act

6. Principles of Information Use

The Trust endorses and promotes the following key principles, which are predicated on the Data Protection Principles, for the effective use and management of its confidential information, requiring that staff observe and implement them in their use of data and information.

Data/information must be:-

- Held securely and confidentially
  o Management must control access to information assets through correct, approved authorisation.
  o Confidential data must be kept securely. Staff work in appropriately secure premises and have lockable rooms, cupboards and cabinets in which to store confidential information.
  o Security credentials must be required for staff to access computers and applications. These must be kept secret by the authorised user granted access.
- Obtained fairly and efficiently. Staff must:-
  o have legitimate grounds for collecting and using the personal data they do
  o not use the data in ways that have adverse effects on the individual(s) concerned
  o be transparent about how you (the care team etc) intend to use the data, and give individuals appropriate privacy notices when collecting their personal data
  o handle people's personal data only in ways they would reasonably expect
  o make sure you do not do anything unlawful with the data.
- Recorded accurately and reliably. Staff must:-
  o take reasonable steps to ensure the accuracy of any personal data you obtain
  o ensure that the source of any personal data is clear
  o carefully consider any challenges to the accuracy of information
  o consider whether it is necessary to update the information
- Used effectively and ethically. Staff must:-
  o strive to achieve the maximum value from the resources used
  o not use information dishonestly, unethically or unsafely
- Shared appropriately and lawfully. Staff must:-
  o share confidential information with consent where legal, appropriate and, where possible, respect the wishes of those who do not consent to share confidential information.
  o You may still share information without consent if, in your judgment, that lack of consent can be overridden in the public interest. This means applying the Public Interest Test, and management should be consulted on this if there is any doubt that it is debatable or weak. Such sharing must be justifiable under the law and therefore it is advisable for staff to keep a record of their decision(s).

Staff must understand that the law, notably the Data Protection Act, should not be a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared in a legally compliant manner.

Whenever there is any doubt or uncertainty about whether information can be shared or not then reference must be made to the Trust's Information Sharing Policy and Procedure and, if necessary, Information Governance advice sought (see Contacts section of this document).

7. Responsibilities

7.1 Staff

Staff use information assets in their work, e.g. paper records and computer systems. Due to the Trust being a health and social care provider there is naturally a lot of personal identifiable data collected, stored and used constantly on information assets such as Amigos. Therefore it is vitally important that staff know what kind of data and systems etc they use and how to access and use them safely and securely.

The Data Protection Act 1998 defines and sets out the principles for using personal data and staff are advised to understand this and can read it by following this link:-

All the following are really saying is "Do the right thing" when it comes to data and systems security: apply the golden rule of treating other people's personal data how you would want them to treat your personal data. N.B. (It should be noted that this must comply with UK law.)

Staff must:-

Comply with the law, notably the Data Protection Act, which contains eight principles. These specify that personal data must be:-

1. Processed fairly and lawfully.
2. Obtained for specified and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept any longer than necessary.
6. Processed in accordance with the data subject's (the individual's) rights.
7. Securely kept.
8. Not transferred to any country outside the EEA without adequate protection in situ.

Staff must comply with the following Caldicott Principles:-

- Justify the purpose(s) of every proposed use or transfer
- Don't use it unless it is absolutely necessary
- Use the minimum necessary
- Access to it should be on a strict need-to-know basis
- Everyone with access to it should be aware of their responsibilities
- Understand and comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality ("to share or not to share")

Staff must:-

Comply with the Common Law Duty of Confidence

This tort of common law obliges staff to secure and maintain the confidentiality of their service users' confidences. Information that is obtained may very well be confidential, and must not be used for the benefit of persons not authorised by the individual it is about. Staff must also be aware that such a confidence could, if compelled by law, be overturned. It is best to notify the individual about this prior to a duty of confidence being entered into.

Comply with Trust Information Governance policies and procedures

A list of Trust policies is set out in its own section (IG Policy) in this policy to be referred to. A brief explanation of what is covered in each is provided.

Work to Information Governance Guidelines

Guidelines are available and issued from time to time.

Be aware that there are legal penalties for breaking the law and that failure to comply with policy may result in disciplinary action or dismissal

Please refer to the Legal & Regulatory Framework section in this document.

Complete Information Governance training as mandated or required

- The Trust mandates and will maintain the Information Governance Training Tool for the effective delivery of Information Governance training, awareness and education. It is available to all staff with computer access.
- The Trust will provide Information Governance induction training to all new members of staff.
- The Trust provides general Information Governance awareness and training material on the Intranet.
- Evaluation of Information Governance training will be undertaken to assess the effectiveness of the training and influence changes to future training.

Abide by their Terms of Employment, Contracts and/or Agreements

The Trust will:-

- establish staff responsibilities in Terms & Conditions and Contracts of Employment
- establish sufficient IG content in contracts and agreements with Third Parties

The Trust will:-

- appoint a Senior Information Risk Officer (SIRO) at Board level. This has already been done.
- establish and maintain standards and policies for the effective and secure use and management of its information assets and resources.
- establish and maintain standards and guidance for the effective and secure transfer of information into and out of the Trust.
- establish and maintain standards and policies for the disclosure of information.
- undertake or commission timely assessments and audits of its information and IT security arrangements.
- promote effective confidentiality and security practice to its staff through policies, procedures and training.

- establish and maintain incident reporting procedures, and monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

Staff must ensure:-

Confidentiality

Confidentiality is about managing and controlling access to data so that only those authorised to view it can do so. Conversely, it is also about ensuring unauthorised persons cannot access information assets. Authorised users are the only persons permitted to use Trust information assets. Any unauthorised use will usually constitute a breach of policy.

N.B. Information asset administration staff must ensure confidentiality is kept and therefore must not access confidential data inappropriately.

All staff must ensure that confidential information is not accessible to unauthorised persons. Precautions for information assets depend on the asset:-

- For paper assets such as records, case notes etc, please refer to the Service User Records Management Policy and procedure for details.
- For computer assets (files, applications and hardware), please refer to the Information Security Policy for further details.
- For both of the above points: staff must ensure that security is implemented and maintained for the assets they use and share. Anything less could be construed as negligence.

Integrity

Integrity means safeguarding the accuracy and completeness of information and ensuring the correct operation of all information assets (e.g. systems and networks). Staff must work to the best of their ability and in compliance with the Data Quality Policy to ensure that information is as accurate and complete as necessary. Where information assets are systems, computers etc, staff must ensure their operation is not jeopardised and any potential for this is reported to the line manager / IT Help Desk.

Accessibility

Accessibility is about ensuring that information is available and delivered to the right person, at the time it is needed. This is primarily an operational issue regarding access to paper records and computer equipment, networks and data. Therefore staff must ensure that assets are accessible by authorised staff who need such access, e.g. premises are open, computers are available. Administration staff must ensure such access is granted in an authorised and timely manner.

Authenticity

Authenticity is about ensuring that data, information and records are credible and authoritative. All staff involved in processing data, records etc must implement the available checks and balances regarding this and comply with relevant policy.

Reliability

Reliability is about ensuring information and records can be trusted as a full and accurate representation of the transactions, activities or facts. Staff must implement the available checks and balances regarding this and comply with relevant policy, raising queries if thought necessary.

8. Other Relevant Policies and Associated Documents

This policy should be read in conjunction with other relevant Trust policies and procedures as follows:

A. Information Governance Framework
B. Access to Records Policy
C. Service User Record Management Policy
D. Records Management Policy
E. Use Policy
F. Safe Haven Policy
G. Registration Authority Policy
H. Confidentiality NHS Code of Conduct
I. Freedom of Information Policy
J. Information Sharing Policy
K. Removable media Policy
L. Portable Devices Policy
M. Trust Confidentiality Code of Conduct
N. Trust SUI and Incident Reporting Policy
O. Disciplinary Policy
P. Home working Policy
Q. Mobile Phone Policy
R. Data Quality Policy
S. Trust Risk Management Strategy
T. Information Governance Strategy
U. Individual System Security Policies
V. Counter Fraud & Corruption Policy
W. Counter Fraud & Corruption Response Plan

These policies and other such policies that may be published from time to time shall be regarded as forming part of this policy document.

9. IG Assurances

9.1 Confidentiality and Data Protection Assurance

Please refer to the Legal & Statutory Framework section of this policy.

Information Sharing & Encryption

Staff must ensure that information is disclosed and shared in accordance with the law and policy, e.g. if an email is to be sent that will contain confidential information then that information must not be put in the message body of the email but in an encrypted attachment. The password to open it must be sent in a separate email or provided by phoning.

The Trust will ensure that Information Sharing Protocols and Agreements are available to be used in facilitating information sharing in a considered and controlled manner.

Protective Marking Scheme

There are 3 types of data categories at the Trust, set out in the following grid.

- CONFIDENTIAL: The Trust regards all identifiable personal information relating to patients and staff as confidential and will keep it confidential unless compelled by law (e.g. the "public interest") to release it. Service User and Patient data, case notes, Amigos files, staff personnel records, financial records.
- INTERNAL: Statistics, work-a-day internal emails with non-confidential messages.
- PUBLIC: Communications advertising, internet site.

Safe Haven Guidelines

The term Safe Haven applies to the handling of confidential information such as confidential faxes which must be sent securely. It also applies to staff that work in safe havens such as secure locations or between secure computers/systems. This is covered more extensively in the following documents:-

The Trust has produced the Safe Haven Policy and the Service User Records Management Policy and Procedure. Staff must comply with these in their daily data use.

Legal Compliance

Please refer to the Legal & Statutory Framework in this document for further information.

- All staff must comply with the law and proactively help the Trust to continue in its compliance.
- The Trust will undertake or commission annual assessments and audits of its compliance with legal requirements.

- Service users/patients can apply for access to information relating to their own health care, their options for treatment and their rights as patients under the Data Protection Act.
- The public may apply for information in the Public category under the Freedom of Information Act.

9.2 Information Security Assurance

All staff are expected to safeguard the information assets that they use, e.g. their Trust laptop and access to the data that is accessible through it. Therefore staff must work in such a way as not to jeopardise the asset or put it at risk, and must ensure that it is secure. Where a risk is found it must be reported to the IAO or IAA of the asset it is about. Staff must comply with the Information Security Policy and supporting procedures.

The Trust will continue to manage risk in a proactive way and therefore put in place the appropriate:-

- Policies and procedures: the Trust will govern and strive to prevent a range of potential security incidents and ensure that critical services can be resumed in a timely manner. It will therefore ensure much work and many policies, procedures, controls and countermeasures exist and more are proposed for update or development.
- Awareness Training: the Trust has put in place, and monitors, an IG Awareness training programme.
- Information Security Management: the Trust will ensure it minimises or diminishes the compromise or loss of information through carelessness, theft, fraud, deliberate leak or attack. Therefore the Trust will work in accordance with best practice guidelines and NHS directives and adopted standards. Staff must do their bit in this, always seeking to look after the information assets around them and reporting anything untoward.
- Information Security Incident Management: significant incidents and risks must be escalated to the Head of IG and SIRO for consideration/investigation on behalf of the Trust Board.

The level of acceptable risk will be agreed by the Trust Board by consideration of the Trust's Risk Registers that they have oversight of and kept under review.

Information security risks will be reviewed, evaluated, and risk management principles embedded as part of day-to-day business. Departmental approaches must be flexible and capable of adapting to fast moving or unpredictable events that require dynamic decision-making.

Information security needs to be approached in a structured manner to ensure that risks are managed appropriately. The following approach to information risk management will be taken:-

- Identify Assets: To identify its assets such as people, information, systems and services. Understand their values in terms of how they support health and social care services provision and what the impact of compromise or loss may be.
- Identify/engage Information Asset Owners: For the SIRO to nominate and engage Information Asset Owners over the Trust's information assets. (Note: This will include shared services assets.)
- Threat Assessment: To identify threats to the Trust's information assets on an ongoing basis, assessing the likelihood and scale of the threat and impact of an occurrence.
- Vulnerability Assessment: To consider the vulnerability of assets, systems and services, including an assessment of the adequacy of existing safeguards.
- Risk Tolerance: Understand the level of risk that the Trust is prepared to tolerate.
- Implement Controls: Select proportionate security controls as necessary to reduce the risk to an acceptable level. Risks should be continuously monitored and corrective action taken where necessary.

NB: The above will be done over all information assets, including shared infrastructure ones, e.g. the computer network.

9.3 Clinical Information Assurance

Staff must comply with all applicable Records Management policies and procedures.

Information and records management

Records Management

- The Trust will establish and maintain policies and procedures for the effective management of records.
- The Trust will undertake or commission timely assessments and audits of its records management.
- Managers are expected to ensure effective records management within their service areas.
- The Trust promotes records management through policies, procedures and training.
- The Trust uses Records Management: NHS Code of Practice as its standard for records management.

9.4 Secondary Use Assurance

Staff must comply with all applicable Data Quality Policy and supporting procedures and raise related matters to the relevant management and Informatics staff.

Information quality assurance

Data Quality Assurance

- The Trust will establish and maintain policies and procedures for information quality assurance.
- The Trust will undertake or commission annual assessments and audits of its information quality.

17 Managers are expected to take ownership of, and seek to improve, the quality of information within their services. Wherever possible, information quality should be assured at the point of collection. Data standards will be set through clear and consistent definition of data items, in accordance with national standards. The Trust will promote information quality through policies, procedures/ user manuals and training 9.5 Corporate Information Assurance Business continuity and disaster recovery plans Physical security incident management/ Disaster Recovery The Trust has Disaster Recovery and Business Continuity Plans (please refer to them on the Intranet) so they will not be dealt with here but to say that e.g. break-ins, terrorist attack, flooding), electronic attacks, compromise of communications security or disruption of online services must be reported to the relevant Information Asset Owner (IAO) who reports to the SIRO Monitoring and compliance assurance Freedom of Information Non-confidential information about the Trust and its services will be available to the public through a variety of media. The Trust has established and will maintain policies to ensure compliance with the Freedom of Information Act. The Trust undertakes or commissions annual assessments and audits of its freedom of information policies and arrangements. The Trust has clear procedures and arrangements for liaison with the press and broadcasting media (Please refer to Communications Departmental policy etc) The Trust has clear procedures and arrangements for handling queries from patients and the public. 
10 Training and Awareness

In line with the Trust Mandatory Training policy, the Trust will ensure that all users of Trust information systems and assets are provided with the necessary information governance guidance, awareness and training as appropriate to discharge their IG responsibilities based on the outcome of the training needs analysis undertaken by the Learning and Development Department. This information is available on the Trust intranet.

11 Monitoring, Evaluation and Review of the Policy

The process for monitoring both the compliance with this policy and its effectiveness will be through the use of audit in accordance with the Trust Audit Plan. All Audit Reports and action plans will be subject to regular monitoring by the I&IT Committee. In addition, external and internal audits will be commissioned as appropriate. The Trust will also complete and submit the NHS Statement of Assurance and the IG Toolkit, which monitors attainment against NHS Information Governance standards.

The policy will be reviewed on a bi-annual basis by the Information Governance Manager and the Trust Information Governance Group and any amendments or additions will be made. However, where review is necessary due to legislative change this will happen immediately.

12 Counter Fraud Measures

In accordance with the Trust's counter fraud & corruption plan, any suspicious activity, within the scope of this policy, will be referred to and subsequently investigated by the Trust's Local Counter Fraud Specialist. The results of any such investigation could lead to internal disciplinary and/or civil/criminal prosecution proceedings being instigated against the appropriate person/persons involved.

13 Dissemination, Implementation and Access to this Document

This policy and associated procedural guidance, once ratified, will be disseminated by the Head of Regulation Compliance and Quality Improvement through the Trust Communication Channels as agreed with the Communications Department. The document will be made available on the Trust intranet site.

14 References and Supporting Information

NHS Code of Practice for Information Security 2007, DoH
Information Governance Toolkit v 11, HSCIC 2013

Appendix A Caldicott Principles

The Caldicott Principles - Revised September 2013

Principle 1. Justify the purpose(s) for using confidential information
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2. Don't use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Principle 3. Use the minimum necessary personal confidential data
Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

Principle 4. Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

Principle 5. Everyone with access to personal confidential data should be aware of their responsibilities
Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6. Comply with the law
Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

Principle 7. The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Appendix B LEGAL & REGULATORY FRAMEWORK

The Trust acknowledges the complexity of the Legal and Regulatory Framework described in this section, seeking at all times to work in a compliant manner. Much legislation exists over the use of information, mostly pertaining to personal identifiable data (PID), as it has the highest risk rating and therefore needs most robust protection and secure handling. The Trust has implemented an appropriate management structure, as set out in the IG Management Framework section of this document, to govern all of this with the goal of achieving and sustaining legal compliance in all its data use.

It is essential that relevant legislation is understood and applied sufficiently over the spectrum of IG, e.g. data loss incidents, breaches of confidentiality, technical security implementations etc. This requires that:-

(a) In-house IG expertise will need timely updating and that the Trust's strategic stance on this is to employ experts and update skills on an ongoing basis via PDPs
(b) External expertise may at times need to be called upon for this; the Trust has well established links with solicitors. The Trust will engage experts as and when necessary.

The Legislative Framework is set out next:-

LEGISLATIVE FRAMEWORK

The Data Protection Act

This Act sets out the principles and statutory requirements for guiding and enforcing legally compliant personal data use. The Trust's use (processing) of personal identifiable data must comply with the following principles:-

Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with individual rights
Secure
Not transferred to other countries without adequate protection

Secondly, the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
Moreover, all staff should be familiar with their own professional codes relating to ethical aspects of information governance (i.e. respect for patient privacy and dignity).

Data Protection - The Trust will process requests for individual's personal data under the Act.

Confidential data - Health records are defined under the Data Protection Act as sensitive personally identifiable information, which therefore requires rigorous controls to be in place to support service user's expectation that their information will be held securely and shared only in a legally, ethically compliant manner. Data considered by the Trust, and the law, to be commercially confidential will be safeguarded accordingly.

Personal data access for patients, service users and staff etc - The Trust will give patients ready access to information relating to their own care in accordance with legislation, and will have clear procedures for handling queries from patients, service users and the public. Further, the Trust will make available to staff information relating to their employment, subject to the Data Protection Act.

(NB: The Information Commissioner's Office (ICO) has the ability to set monetary penalties against organisations up to £500,000 for serious breaches of the Data Protection Act. This liability rests with the legal entity responsible for the processing of the data, even where this has been contracted out. The Trust needs to be aware of its obligations to ensure that information flows have a sound legal basis and ensure that they remain compliant with the law.)

The Freedom of Information Act

This Act is about information which (a) the Trust has agreed to make public or (b) provide in meeting a request under the FOI Act.

FOI requests - The Trust will process requests under the Act.

Publicly available information - The Trust will make available non-confidential information about the Trust and its services to the public through a variety of media, and has developed clear procedures for liaison with the press and media.

Common Law: Duty of Confidence - this tort of law relates to there being a reasonable expectation of the patient/service user to expect their personal data to be kept confidential by the clinician/staff they divulge it to.
Access to Health Records Act 1990 (unless superseded by the Data Protection Act) - regarding the right to apply for copies of deceased patients'/service users' clinical records. Living patients/service users apply under the Data Protection Act
Computer Misuse Act 1990 - about cybercrime/hacking
The Human Rights Act
Access to Health Records Act
Caldicott review of Patient Identifiable Information 1997 ance/dh_
Caldicott 2

There are many other laws and the following list is not exhaustive:-

Copyright, Designs and Patents Act 1988
Copyright (Computer Programs) Regulations 1992
Crime and Disorder Act 1998
Electronic Communications Act 2000
Environmental Information Regulations 2004
Health and Social Care Act
Regulation of Investigatory Powers Act 2000 (and Lawful Business Practice Regulations)
Public Interest Disclosure Act 1998
NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000
Human Fertilisation and Embryology Act 1990
Abortion Regulations 1991
Public Records Act 1958
Regulations under the Health and Safety at Work Act 1974
Re-use of Public Sector Information Regulations 2005

REGULATORY FRAMEWORK

Further to legislation, the NHS has mandated a number of elements of regulation that are an intrinsic part of Information Governance via a national programme. This area is developing at a fast changing pace and the focus within this section will need significant periodical review.

Information Governance Toolkit - which requires trusts to assess their progress against set criteria
NHS Operating Framework - Since version 9 of the IG Toolkit, all requirements are 'key' and the Trust is expected to attain level 2 against all the requirements in its assessment set.
Caldicott - a report for the audit and improvement on the use of patient identifiable data (1997) and HSC 1999/012. The Caldicott Principles were derived from this.
ISO 27001: Information Security Management Standard & CoP
Information Quality Assurance, QIPP and the quality agenda generally.
Confidentiality: NHS Code of Practice (2003)

Information Security Management: NHS Code of Practice f
NHS Guidance on Consent to Treatment
Records Management: NHS Code of Practice ance/dh_
Clinical Negligence Scheme for Trusts (CNST) via NHS Litigation Authority
NHS Code of Confidentiality
The Trust's Annual Governance Statement - this mentions the work undertaken around IG and the completion and submission of the IG Toolkit self-assessment, which is audited.
Care Quality Commission Regulations and NHSLA compliance - particularly Care Quality Commission, Outcome 21 (and 6): Records - This is one of the core 16 quality and safety standards and relates entirely to records management and handling. It is closely related to Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities). Both require appropriate and legal records management.
Information Technology - As information technology progresses there needs to be information governance in place over it.
Payment by Results/Service Line reporting
Pressure from clinical communities and Ministers to produce high quality information on the quality of care.
Increased risk that clinical care will be undermined due to reliance on poor quality records made readily accessible through electronic means.
Pressure from central government to assure the security of data transfers as a result of data losses.
Monitor - IG assurance agency
Annual Governance Statement - IG assurance is a recognised part of the Trust's overall governance framework.

ETHICAL FRAMEWORK

The right to expect confidentiality to be kept when it can reasonably be expected entitles a patient to the exercise of control over the content, uses of and disclosures of their personal information. Respect for that privacy is an essential part of the patient/staff relationship.
The ethical framework is enshrined by the following:-

Common Law: Duty of Confidence - a tort of UK Law
Confidentiality: NHS Code of Practice, which includes the following principles:-

Protect - look after patient's information
Inform - ensure patients are aware of how their information is used; there should be no surprises
Provide Choice - allow patients to decide whether their information can be disclosed and used in particular ways.
Improve practice by always looking for better ways to protect, inform and provide choice.

Further to the above, the following points are covered:-

Openness - The Trust will further enhance its transparency of arrangements by the use of Information Charters, which provide clarity to citizens about the use and handling of personal data, and a range of other measures to improve information security across the Trust.
NHS Care Record Service and the NHS Care Record Guarantee - Applicable law and ethics are enshrined in these. To implement what can practically be done in order to monitor that access to patient data is appropriate, and to enable patients to restrict access to part or all of their information, either by making a decision about which groups certain information may be shared with, or via the patient sealed envelope.

Refer to:-


More information

Control of Asbestos Policy

Control of Asbestos Policy Control of Asbestos Policy Version Number: V1D Name of originator/author: Estates Manager 0161 277 1235 Name of responsible committee: Estates and Facilities Committee Name of executive lead: Director

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

USE OF PERSONAL MOBILE DEVICES POLICY

USE OF PERSONAL MOBILE DEVICES POLICY Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014

More information

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy NHS Waltham Forest Clinical Commissioning Group Information Governance Policy Author: Zeb Alam & David Pearce Version 3.0 Amendments to Version 2.1 Updates made in line with National Guidance and Legislation

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY Version 8.0 Purpose: For use by: This document is compliant with /supports compliance with: To outline the lifecycle of a record and to provide guidance on retention and disposal

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs NOTE: This is a CONTROLLED Document. Any documents appearing in paper

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: Revised: Consultation: Ratified by: 1.0 Information Governance Committee Governance Committee Date ratified: 19 March 2008 Name of originator/author: David McGrath

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff.

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff. Information Governance Policy 1 SUMMARY This policy is intended to ensure that staff are fully aware of their Information Governance (IG) responsibilities, so that they can effectively manage and best

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY ENFIELD CLINICAL COMMISSIONING GROUP INFORMATION GOVERNANCE POLICY PLEASE DESTROY ALL PREVIOUS VERSIONS OF THIS DOCUMENT Enfield CCG Information Governance Policy Information Governance Policy (Policy

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY POLICY NO IM&T 011 DATE RATIFIED January 2012 NEXT REVIEW DATE January 2015 POLICY STATEMENT/KEY OBJECTIVE: To provide an overarching framework through which Information Governance

More information

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Appendix 1 INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Author Information Governance Review Group Information Governance Committee Review Date May 2014 Last Update February 2013 Document No. GV

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

More information

Policy Checklist. Head of Information Governance

Policy Checklist. Head of Information Governance Policy Checklist Name of Policy: Information Governance Policy Purpose of Policy: To provide guidance to all staff on their responsibilities regarding information governance and to ensure that the Trust

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures ` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

JOB DESCRIPTION. Executive Director of Nursing, Quality and Governance

JOB DESCRIPTION. Executive Director of Nursing, Quality and Governance JOB DESCRIPTION JOB TITLE: RESPONSIBLE TO: BAND: LOCATION: HOURS OF WORK: DISCLOSURE REQUIRED: Deputy Director of Nursing Executive Director of Nursing, Quality and Governance 8d To be agreed with postholder

More information

Information Governance Plan

Information Governance Plan Information Governance Plan 2013 2015 1. Overview 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources.

More information

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Date of review: Information Governance Group January 2016. Policy Category: CONTENT SECTION DESCRIPTION PAGE

Date of review: Information Governance Group January 2016. Policy Category: CONTENT SECTION DESCRIPTION PAGE Title: Date Approved: January 2015 Division/Department: Corporate Services Corporate Records Policy Approved by: Date of review: Information Governance Group January 2016 Author (post-holder): Interim

More information

Information Management Policy CCG Policy Reference: IG 2 v4.1

Information Management Policy CCG Policy Reference: IG 2 v4.1 Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control

More information

JOB DESCRIPTION. Enhanced CRB with Both Barred Lists Check

JOB DESCRIPTION. Enhanced CRB with Both Barred Lists Check JOB DESCRIPTION JOB TITLE: Service Manager (Access) BAND: Agenda for Change Band (Band 8b) HOURS AND: DURATION As specified in the job advertisement and the Contract of Employment AGENDA FOR CHANGE (reference

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

IS INFORMATION SECURITY POLICY

IS INFORMATION SECURITY POLICY IS INFORMATION SECURITY POLICY Version: Version 1.0 Ratified by: Trust Executive Committee Approved by responsible committee(s) IS Business Continuity and Security Group Name/title of originator/policy

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:

More information

CCG: IG06: Records Management Policy and Strategy

CCG: IG06: Records Management Policy and Strategy Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

Information Incident Management. and Reporting Policy

Information Incident Management. and Reporting Policy Information Incident Management and Reporting Policy Policy ID IG10 Version: 1 Date ratified by Governing Body 21/3/2014 Author South CSU Date issued: 21/3/2014 Last review date: N/A Next review date:

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures Information Incident Management and Reporting Procedures Compliance with all policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may result

More information

HORIZON OIL LIMITED (ABN: 51 009 799 455)

HORIZON OIL LIMITED (ABN: 51 009 799 455) HORIZON OIL LIMITED (ABN: 51 009 799 455) CORPORATE CODE OF CONDUCT Corporate code of conduct Page 1 of 7 1 Introduction This is the corporate code of conduct ( Code ) for Horizon Oil Limited ( Horizon

More information