INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

Transcription

1 INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July

2 Document Control Sheet Name of Document: Information Governance & Data Protection Policy Version: 1 Held by Head of Corporate Affairs: Information File Location / Document Name: Governance & Data Protection Policy Date Of This Version: July 2013 Produced By: NHS Anglia Commissioning Support Unit Reviewed By: Head of Corporate Affairs Synopsis And Outcomes Of Equality and Diversity Impact Assessment: No adverse impact identified Ratified By (Committee): Audit Committee Date Ratified: 24 July 2013 Distribute To: West Norfolk CCG Council of Members, Governing Body Members, All Staff Date Due For Review: July 2014 Enquiries To: Head of Corporate Affairs Revision History Revision Date Summary of changes Author(s) Version Number Approvals This document requires the following approvals either individual(s), group(s) or board. Name Title Date of Issue Version Number WN CCG Information Governance & Data Protection Policy July

3 CONTENTS Part Description Page 1 Introduction 4 2 Scope 4 3 Data Protection Act 4/5 4 Information Governance Management Framework 7 5 Monitoring 10 Appendix A Definitions & Examples of Data Controllers, Data Subject and Data Processors 12 WN CCG Information Governance & Data Protection Policy July

4 1. INTRODUCTION This policy has been drafted by NHS Anglia Commissioning Support Unit (CSU) on behalf of NHS West Norfolk CCG (WN CCG). The Policy takes into account the evolving Commissioning Support Unit (CSU) and its role in providing support to CCGs in discharging their duties as outlined in the Health and Social Care Act 2012 Information is a vital asset and needs to be managed securely by NHS organisations. Appropriate policies, guidance, accountability and structures must be in place to support the governance and confidentiality of information in order to support the organisation s strategic business aims. Information Governance is defined as a framework for handling information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service (Information Security Management: NHS code of Practice, 2007). 2. SCOPE This policy outlines the principles of information governance and Data Protection that are applied to WN CCG and its member practices. The policy applies to both manual and electronic records This policy applies to: all staff who work for WN CCG and the CSU, including consultants and voluntary staff; all members of WN CCG Governing Body and the CSU Board; WN CCG Councils of Members; WN CCG Governing Body sub committees. 3. DATA PROTECTION ACT WN CCG is committed to compliance with the requirements of the Data Protection Act 1998 ( the Act ) and will ensure that all employees, contractors, Governing Body members, agents, consultants and partners who have access to any personal data held by or on behalf of WN CCG are fully aware of and abide by their duties and responsibilities under the Act. In order to operate efficiently, WN CCG and the CSU on behalf of WN CCG have to collect and use information about people with whom it works, including patients, public, employees (current, past and prospective), clients and customers, and suppliers. In addition, it may be required by law to collect and use information in order to comply with the requirements of the Department of Health. This personal information must be handled WN CCG Information Governance & Data Protection Policy July

5 and managed appropriately, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means. The Data Protection Act 1998 governs how we collect, store, process and share data The Act dictates that information should only be disclosed on a need to know basis. Printouts and paper records must be treated carefully and disposed of in a secure manner. Staff must not disclose information outside their line of duty. Each organisation is required to register its data holdings with the Information Commissioner, identifying the purposes for holding the data, how it is used and to whom it may be disclosed. All applications/databases (identified as part of the IAO work) should be registered under the PCT s global registration, complying with this policy and the 8 Data Protection Principles. The Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to notify, unless they are exempt. Failure to notify is a criminal offence. Register entries have to be renewed annually. If you are required to notify but don t renew your registration, you are committing a criminal offence. Any person or organisation that uses personal information is known as a data controller. WN CCG is legally a Data Controller in its own right. A data controller must comply with the 8 principles of the data protection act (see 3.6). The Information Governance Manager (the Head of Corporate Affairs) is the Data Protection Officer and manages the registration. The 8 Data Protection principles: Personal data shall be processed fairly and lawfully Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed Personal data shall be accurate and, where necessary, kept up to date Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998 WN CCG Information Governance & Data Protection Policy July

6 Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data Personal data shall not be transferred to a county or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal Data Subject Access The Data Protection Act also gives rights to a copy of the information held about a person. This is known as a subject access request An individual can request access to information regardless of the media in which it may be held Data Retention schedules are detailed in the DOH Records Management: NHS Code of Practice WN CCG will ensure that the general public, staff, including volunteers, locums, temporary employees and patients are aware of why the NHS needs information about them, how this is used and to whom it may be disclosed by the use of leaflets, the individual organisations web sites. Statements about Data Protection will be included on all forms requesting personal identifiable information. Information Sharing 3.5 There are Acts of Parliament that govern the disclosure/sharing of personal patient information - some make it a legal requirement to disclose and others that state information cannot be disclosed. WN CCG has signed up to an overall Norfolkwide Information Sharing Protocol and has a number of supporting sharing agreements with a wide range of third parties, reviewed regularly by the Audit Committee. The document is managed and held by Norfolk County Council who hold a current list of signatories. 4. INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK This IG Management Framework provides an overview of how WN CCG addresses the IG agenda and is formally approved by the Audit Committee, as delegated by the Governing Body. WN CCG Information Governance & Data Protection Policy July

7 Senior roles Key Policies IG Management Framework The Senior Information Risk Owner, Caldicott Guardian and IG lead: Together they are accountable for:- ensuring effective management, accountability, compliance and assurance for all aspects of IG ensuring there is top level awareness and support for IG providing direction in formulating, establishing and promoting IG policies chairing and co-ordinating the IG committee ensuring assessments and audits for IG policies reporting regularly to the Governing Body on IG ensuring the approach to IG is communicated to all staff ensuring appropriate training is made available to staff ensuring compliance with law and national guidance promoting risk assessment and mitigation of IG/IT risks, using a risk management processes and escalating to the Corporate Risk Register and Governing Body Assurance Framework as required providing advice to staff on using, maintaining, transferring and sharing sensitive information act as the conscience of the organisation in relation to handling and sharing of patient identifiable information and advising on lawful and ethical processing of information Roles and responsibilities are outlined fully in the Information Governance Strategy. The following policies are in place or are being prepared and regularly reviewed Norfolk Overarching Sharing Protocol Information and IT Security Policies Health & Corporate Records Policy (Lifecycle management) Code of Confidentiality Disciplinary Policy Staff leavers Policy Data Quality Policy Incident Management Policy SUI Policy WN CCG Information Governance & Data Protection Policy July

8 Key Governance Bodies Resources Risk Management Policy FOI Policy RA Policy Homeworking Policy Information Governance and Data Protection Policy All policies and staff resources will be available on the staff intranet At WN CCG, the Audit Committee oversees the IG agenda, is chaired by the Lay Member (Audit) and is the main steering group for IG/Information Security. The Audit Committee reports to the Governing Body. Key staff (responsibilities highlighted in Job Descriptions):- Senior Information Risk Owner (SIRO) (Chief Financial Officer) Information Governance Manager (also the Data Protection Officer maintains the Data Protection registration with the Information Commissioner) and IG Facilitator (Head of Corporate Affairs) IT Security (Chief Financial Officer) Health & Corporate Records Head of Corporate Affairs oversees complaints Head of Business Intelligence is responsible for Data Quality RA Manager PALS for patients/public to raise queries on their health records/uses of their personal information and for subject access requests Information Asset Owners (IAOs) and Administrators (IAAs) Governance Framework Information Asset Owners (IAOs) will be identified, provided with training and support and will carry out risk assessments on the information assets, to protect against unauthorised access or disclosure, within their area to support the SIRO IAOs will ensure the integrity of information within their area; they will understand what information is held, what is added and what is removed, and who has access and why. As a result they will understand and address risks to the information. Information Asset Administrators are tasked with ensuring all Information Assets are recorded, mapped and risked assessed within their area. All third party contracts will be clear with regard to IG expectations WN CCG Information Governance & Data Protection Policy July

9 Training Guidance Incident Management & All managers and staff will have key IG responsibilities as part of their job descriptions and contracts. They will be familiar with the relevant policies, have attended appropriate training, support the IAOs and ensure that all patient/personal identifiable information is accurate, relevant, up-to-date and used appropriately, both electronic and manual and kept secure. The WN CCG Disciplinary policies clearly outline the procedures for managing breaches with contracts and policies. A failure to adhere to the Policy and its associated procedures may result in disciplinary action The Data Protection Work Programme ensures compliance with all aspects of the Data Protection Act and related provisions and promotes awareness throughout the organisation and ensures service users are provided with information on their rights under data protection legislation IG Mandatory e-learning training for all staff using the DH IG Training Tool (IGTT) available at Training is role-specific. Specialised IG and Data Protection Act training is available according to Training Needs analysis from annual appraisal and PDPs, including the Caldicott Guardian, SIRO and Information Asset Owners (IAOs) FOI training is available to all staff WN CCG intranet will have specific areas devoted to IG for all staff and regular newsletters and bulletins will be issued to support the IG culture. Newsletters and support will be provided to clients and member practices for all aspects of information governance and completion of their IG toolkits. WN CCG Staff have ready access to organisational IG policies and guidance on the shared drive. WN CCG training data is regularly reviewed by the Executive Team and a staff survey carried out to test knowledge and awareness. The Incident Management Policy outlines the WN CCG approach to reporting and investigating all incidents, including actual and potential breaches of confidential and person identifiable information, IT security issues, and RA incidents (including loss of Smartcards) in line with the guidance provided within the Checklist for Reporting, Managing and Investigation IG SUIs Gateway Lessons learnt are widely shared across the organisation. Data security loss and confidentiality breach incidents are reported in the WN CCG Information Governance & Data Protection Policy July

10 Governance Statement and in the Annual Report, in accordance with SIRO guidance, Gateway 9571 and the IG toolkit requirement 302. There is an up to date business continuity plan for the organisation, including specific plans for IT and information systems. 5. MONITORING The Audit Committee formally monitors the implementation of the IG Strategy and supporting policies. It regularly reviews progress against the IG Toolkit (toolkit action plan), discusses IG risk mitigation plans and internal/external audit recommendations. The Audit Committee reviews the mitigation of information governance and security risks, ensures a programme of internal/external audit reviews (including audit of the IG toolkit self-assessment) and monitors implementation of recommendations from internal/external auditors. The Governing Body signs off the IG Toolkit submission. Breaches of data and information security, and of this policy, must be reported using the Incident Reporting system (see Incident Management Policy) and/or Serious Incident Policy (depending on severity). Incident trend reports are regularly reviewed by the Audit Committee. There is an annual programme of internal and external audits in place which provides validation and assurance of the information governance systems. The SIRO receives an annual review of information risk to support their written advice to the Accountable Officer, as detailed in the Governance Statement. A programme of record audits is in place to review compliance with the respective Records management Policy. Business continuity plans for IT and information systems are regularly tested and reported to the Audit Committee WN CCG uses the complaints system to effectively respond to complaints in connection with the Data Protection Act and information governance. If the WN CCG Information Governance & Data Protection Policy July

11 complainant is dissatisfied with the conduct of the CCG, then they can be referred to the Information Commissioner and Health Service Ombudsman. Training data is regularly reviewed by the Audit Committee and executive team and a staff survey carried out annually to test knowledge and awareness. WN CCG Information Governance & Data Protection Policy July

12 Appendix A Definitions & Examples of Data Controllers, Data Subject and Data Processors Data Controller means a person who [either alone or jointly or in common with other persons] determines the purpose for which, and the manner in which any personal data are, or are to be, processed. A data controller must be a person recognised in law, that is to say: individuals; organisations; and other corporate and unincorporated bodies of persons. Data controllers will usually be organisations, but can be individuals, for example selfemployed consultants. Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller. In relation to data controllers, the term jointly is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term in common applies where two or more persons share a pool of personal data that they process independently of each other. Data controllers must ensure that any processing of personal data for which they are responsible complies with the Act. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals. Example A network of town-centre CCTV cameras is operated by a local council jointly with the police. Both are involved in deciding how the CCTV system is run and what the images it captures are used for. The council and the police are joint data controllers in relation to personal data processed in operating the system. Example A government department sets up a database of information about every child in the country. It does this in partnership with local councils. Each council provides personal data about children in its area, and is responsible for the accuracy of the data it provides. It may also access personal data provided by other councils (and must comply with the data protection principles when using that data). The government department and the councils are data controllers in common in relation to the personal data on the database. WN CCG Information Governance & Data Protection Policy July

13 Data Subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others. Data processor, in relation to personal data, means any person [other than an employee of the data controller] who process the data on behalf of the data controller WN CCG Information Governance & Data Protection Policy July