Appendix 'A'
Lancashire County Council Information Governance Framework
Introduction

Information Governance provides a framework for bringing together all of the requirements, standards and best practice that apply to the handling of information. It encompasses efficient ways of handling records and information, risk management and compliance. The need for information governance stems first and foremost from the council's responsibility towards its citizens and customers. This is a challenge for all public sector organisations and is high on the council's agenda.

Access to reliable information is an indispensable component of meeting our core objectives and there is an increased need to focus on the overall value of information protected and delivered. We often underestimate the value, importance and legal responsibility associated with the information we use every day. There can be a fine balance to maintain between keeping information safe and accurate, and sharing it when needed.

The council holds and processes huge volumes of personal and sensitive information which is necessary for the efficient and effective delivery of services. Consequently, and recognising the size and diversity of the council, an information governance framework that is flexible and responsive to changes in risks and to services delivered is essential.

The council is committed to preserving the confidentiality, integrity and availability of all its physical and electronic information systems and records in order to provide assurance that the organisation manages its information risks:

- So that the needs of service users and citizens and the requirements of corporate governance are met;
- To establish confidence that partnership arrangements involving sharing and exchange of information are legal and secure;
- To establish that designed and implemented security features are effective;
- To provide confidence that services and products offered by third parties manage information risks on behalf of the council in a way which is adequate and fit for purpose.

The need for a comprehensive information governance framework also arises from:

- Legal (legislation and common law), regulatory and contractual requirements;
- Corporate governance;
- Business and service delivery;
- Protecting the public purse;
- Business continuity requirements.

Each of these imposes significant demands on the council.
Scope of the Framework

The scope of information governance, taken at its widest, includes the management of information in all locations and all media. It includes structured information in databases and unstructured information in paper and electronic files. It includes s and transient documents, work in progress and telephone notes. It includes blogs, wikis and discussion threads. It includes vital records essential to the continuation of council business and long-term records that must be preserved through many generations.

The framework relates to all of the council's functions that fall within the direct responsibilities of the core directorates, i.e.

- Office of the Chief Executive;
- County Treasurer's Department;
- Directorate for Children and Young People;
- Adult and Community Services Directorate;
- Environment Directorate; and
- Lancashire County Commercial Group.

The framework encompasses all data owned by the council and used in the delivery of its services and statutory responsibilities. This includes any information that is held by the council on behalf of another agency.

Each school within Lancashire is responsible for the management and governance of its own information and is also individually registered as a data controller under the Data Protection Act. Schools are therefore treated as separate third party organisations within the context of this framework.

One Connect Limited is a joint venture partnership established between Lancashire County Council and BT. One Connect Limited is an essential partner in the implementation of the council's information governance framework.
Document purpose and structure

This document forms the core of the council's Information Governance Framework and is designed to provide a concise overview of the council's approach to information governance. It includes the Information Governance Strategy, defining the corporate aims and objectives for information governance, and the overarching Information Governance Policy that sets out the policies, standards and best-practice that apply to the handling of information and the provision of information assurance needed to deliver the strategy.

The document is structured as follows:

Part 1 The Lancashire County Council Information Governance Strategy.
1. Purpose and aim of the strategy.
2. Strategic objectives.
3. Annual priorities and implementation.
4. Business considerations and success measures.
5. Strategy governance.

Part 2 The Lancashire County Council Information Governance Policy.
1. Scope and principles.
2. Policy governance.
3. Approach
   - Framework definition
   - Maturity assessment
   - Information risk management
   - Training and awareness
   - Information sharing.
4. Compliance.
5. Key roles and responsibilities.

Appendix A The Information Assurance Policy Framework.
Appendix B Legislative and best practice references.
Part 1 The Lancashire County Council Information Governance Strategy.

1. Purpose and aim of the strategy.

This strategy recognises the high standards expected of all public bodies as well as the scale of the ongoing task of maintaining appropriate standards of security and to fully embed the security culture throughout the organisation in a rapidly changing and challenging environment.

The use of records and information is integral to much of the council's work. Typically this will be a mix of public domain information which should be accessible under the Freedom of Information Act, personal data protected by the Data Protection Act, and other confidential or business sensitive information.

The aim of this strategy is to ensure that the council meets its information management and security responsibilities ensuring that internal and external customers, partners and suppliers have the confidence that information, both personal and non-personal, is handled and stored with due regard to its value and risk, where individuals understand the importance of using it correctly, sharing it lawfully and protecting it from improper use.

These requirements for security, integrity and accessibility must be met as part of service delivery and the primary means of achieving this is to follow good information handling practices. Although there is an increasing emphasis on the electronic delivery of services and storage of information we continue to retain a significant proportion of our information in more traditional manual formats and this cannot be neglected in our aims and ambitions.

2. Strategic objectives

These are the overarching information governance goals of the council from which the council's improvement programme priorities and objectives are derived.

- To support the realisation of corporate strategy and the continual improvement of council services.
- To ensure that the infrastructure and processes for service delivery can provide the right information to the right people at the right time for the right purpose.
- To identify and support effective practice in the management of information across all business areas, including preventing duplication of effort and enabling efficient use of resources.
- To work with all partner organisations securely and in support of the council's strategic objectives.
- To work to achieve required standards to comply with legislative, regulatory and contractual obligations and relevant policies.
- To implement and operate proportionate controls that apply best practice standards to protect information assets and give confidence to all interested parties.
- To identify and manage information assets corporately and introduce an information risk management regime that balances risks with opportunities.
- To provide adequate training and awareness for all staff and key partners and embed a culture of care and responsibility in the handling of all information throughout the council.
- To implement efficient and effective information sharing arrangements to support service delivery.
- To implement efficient and effective data quality arrangements.
- To ensure that the information governance framework acts as an enabler to business and service transformation programmes and that information assurance practices are embedded within the design and roll-out of such programmes.

3. Annual priorities and change programme

Continual improvement of the information governance framework is also a key strategic objective. The improvement programme is designed to implement change within the strategic objectives defined in this strategy. The annual improvement programme will define each agreed project for the year and will be implemented in accordance with the stated governance arrangements and the approach detailed within the Information Governance Policy (Part 2 of this document).

4. Business considerations and success measures.

Activities undertaken in relation to information governance and assurance must have a relationship with council business and as such all associated activities are to be regarded as support activities to the business. In delivering advice on the governance of information, four key factors are engaged:

- People
- Process
- Information
- Technology

In delivering solutions and services for the council's business, information governance and assurance will have regard to these factors alongside core business requirements such as records and knowledge management.

Business Benefits will include:

Improved council performance:

- Consistent and effective management of information across the council.
- Increased understanding of, and compliance with, relevant legislation.
- Reduced number of information security breaches.
- Reduced civil actions and complaints against the council as a result of poor information management, saving staff time and effort.
- Improved data quality.
- Clear responsibilities in relation to information governance and assurance.
- Effective management of information risks.
- Greater confidence that information risks are effectively managed within transformation programmes.
Better Information Sharing:

- Improved information sharing compliance.
- Improved protection of children and vulnerable adults.
- Better deployment of operational resources.
- Increased willingness of partner agencies to share their information.
- Less bureaucratic processes for sharing information.

Increased public confidence:

- Improved customer satisfaction.
- Increased confidence in the management of personal information.

Achieving maturity towards the strategic objectives will enable the council to generate greater trust in its information systems and processes, both internally and between trusted partners. This will be particularly important in the context of shared services and collaboration.

The success of this strategy will be determined by improvement in maturity as measured using the criteria contained within the NHS IG Toolkit and the IAMM [1] and the business benefits this brings.

5. Strategy governance

This strategy is owned by the Senior Information Risk Owner (SIRO) but the Corporate Information Governance Group (CIGG) is responsible for monitoring and reporting progress on the improvement programme throughout the year.

The Information Governance Strategy will be implemented in line with the agreed approach within the Information Governance Policy. Annually, CIGG will agree the improvement programme for the coming year, based on agreed priorities and available resources. CIGG will assign a lead officer responsible for the day to day management and implementation of each project contained within the programme. The SIRO will annually ratify the improvement programme agreed by CIGG.

[1] The Information Assurance Maturity Model is described in Part 2 section 3.2
Part 2 The Lancashire County Council Information Governance Policy

1. Scope and principles

This policy is designed to outline the framework and principles of information governance adopted by the council to ensure that its information is properly protected and used effectively. A range of appropriate policies, procedures and management arrangements have been agreed to support the overall policy and ensure that the council can meet the strategic aims [2] of its information governance arrangements.

Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a key component of how the council serves its customers. The goal of a holistic approach to information governance is to make information assets available to those who need them, while streamlining management, reducing storage costs and ensuring compliance. This, in turn, allows the council to reduce the legal risks associated with unmanaged or inconsistently managed information and to be more agile in response to changing environments.

The Policy must also support the council's compliance with all legislation that is relevant to the use and management of information and to the requirements and best practice defined by the Public Services Network, Government Connect and Connecting for Health (N3 Network), all of which require appropriate protection to be in place. Accordingly reference is made to the expectations and requirements contained in relevant legislation, standards and guidance. [3]

Implementation of this policy will also enable the SIRO to provide evidenced statements of information assurance as part of the council's Annual Governance Statement.

The term information assurance (IA) is used to describe confidence in the processes of information risk management.
Effective IA should ensure all information assets have the appropriate levels of:

- Confidentiality - protecting information from unauthorised access and disclosure.
- Integrity - safeguarding the accuracy and completeness of information and processing methods.
- Availability - ensuring that information and associated services are only available to authorised users when required.
- Non-repudiation - the inability to deny the integrity and authenticity of information.
- Authentication - ability to verify the identity of a user logging into an information asset.

This confidence is particularly important in the present environment, which is subject to unprecedented levels of reduced resources, increased scrutiny and malicious activity. Confidence is also improved through good IA where there exists the risk of non-deliberate loss, such as lost or stolen assets or papers etc.

[2] Strategic aims are defined in the council's Information Governance Strategy in Part 1 section 2.
[3] Legislative and best practice references: Appendix 2
IA is often described as a sub-set of information management. In the context of this policy it is taken to include all information management activities including creation, collection, evaluation, organisation, dissemination and disposal.

This policy, together with all other related policies, standards and guidance provides a mandate for the performance of all information assurance functions.

This policy applies to everyone who has access to the council's information, information assets or IT equipment. These people are referred to as users in the policy. This may include, but is not limited to, employees of the council, councillors, temporary workers, partners and contractual third parties.

2. Policy governance.

The SIRO will retain ownership of all information governance activities and allocation of resources. The SIRO is also responsible for briefing Management Team on strategy progress and the management of information risks in line with the council's risk management approach.

The SIRO is supported by CIGG whose role is to provide oversight of the council's information governance arrangements and ensure the implementation of the information assurance strategy.

The day to day management of specific tasks or projects will be delegated to nominated officers or the Information Governance (IG) Lead.

Further details around the key roles and responsibilities can be found in section

Approach

Framework overview.

Information risks will be identified through the information risk management approach. This will inform CIGG of the threats and impacts of issues that may affect the council's information governance framework.

CIGG will assess identified risks and issues for impact and likelihood within the risk management approach and agree appropriate remedial actions. These will be ratified as appropriate by the SIRO and will form the basis of the annual improvement programme.
All remedial actions and other tasks identified will be treated as individual projects within the annual improvement programme. Responsibility for delivery will be assigned to a designated officer(s).

Identified risks and issues that require consideration by CIGG will be collated by the IG Lead and reported to CIGG and the SIRO. Reporting will be quarterly but incidents or changes that are likely to have a significant impact upon the council will be reported immediately by the IG Lead.

Progress in addressing the projects contained within the annual improvement programme will be reported quarterly to CIGG and the SIRO. CIGG will be responsible for the sign-off of each completed project.

Emerging risks or incidents requiring action will be assessed by CIGG at their scheduled meetings for either addendum to the annual improvement programme or consideration for inclusion in subsequent programmes. All changes to the annual improvement programme should be ratified by the SIRO.
As part of the review and creation of the annual improvement programme, consideration will be given to the impact of specific projects and the communications necessary to inform and support responsible officers of planned changes and enhancements.

The collation of agreed tasks into an annual improvement programme will introduce coordination of the related and interdependent projects that support the common strategic aims, including:

- A clear vision statement to take the information governance programme forward;
- A clear description of the benefits to be achieved (and how they will be measured) that is commensurate with the council's objectives;
- The identification and management of risks and issues;
- A clear estimation of specific costs, timescales and projects needed to achieve the programme's objectives;
- Greater stakeholder (i.e. SIRO and CIGG) analysis to clarify the impacts, requirements and achievable benefits across the council.

The approach should also provide a high degree of flexibility in how individual elements can be implemented. For example, if the budget is not available, projects can be rescheduled within the programme as funding becomes available, and new projects can be adopted into the programme without becoming 'rogue' projects lacking strategic focus.

A review of the whole information governance framework, to consider any required changes to the key strategic aims or other content, will be a scheduled project within the annual improvement programme every two years. The review will include the Information Governance Strategy, all policies, standards and procedures, and the Terms of Reference for CIGG.

The Information Governance Policy will be implemented through the information assurance policy framework. The specific policies [4] included in this framework will define the standards expected in each area. These will be defined and agreed through CIGG and the SIRO.
It is crucial that the standards meet the requirements necessary for the council to fulfil its statutory and other obligations for information sharing, security and quality. Guidelines will provide the 'how to' guidance necessary for responsible managers and staff to implement and comply with the policy framework and therefore ensure the whole information governance framework is effective.

Maturity assessment.

Although the defined strategic objectives within the Information Governance Strategy provide direction for improvement, success will be determined by improvement in maturity as measured using the criteria contained within the Department of Health Information Governance Toolkit and elements of the Information Assurance Maturity Model (IAMM) [5] and the business benefits this brings.

The Department of Health requires organisations to carry out information governance assessments to provide an assurance that they are adhering to good information governance practices. This applies to organisations that:

- have access to NHS patients and/or to their information;
- provide support services directly to an NHS organisation; or
- have either direct or indirect access to NHS Connecting for Health services, including N3 - the NHS National Network.

[4] Appendix 1
[5] Produced by CESG, the UK Government's National Technical Authority for Information Assurance

In order for the council to meet its obligations for the delivery of social care and public health services it is obliged to meet the criteria specified in the Department of Health Information Governance Toolkit.

The purpose of the assessment is to enable organisations to measure their compliance against the law and central guidance and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction. The ultimate aim is to demonstrate that the organisation can be trusted to maintain the confidentiality and security of personal information. This in turn increases public confidence that the NHS and its partners can be trusted with personal data.

Where partial or non-compliance is revealed, organisations must take appropriate measures (e.g. assign responsibility, put in place policies, procedures, processes and guidance for staff), with the aim of making cultural changes and raising information governance standards through year on year improvements.

The IAMM has been designed to help establish a comprehensive programme of work to achieve progress through clearly identifiable milestones. The levels of maturity defined will assist with measuring progress towards the council's strategic objectives for information governance, supporting and supplementing the less definite criteria within the Department of Health Information Governance Toolkit. There are five levels of maturity within the IAMM:

- Level 1 - initial
- Level 2 - established
- Level 3 - business enabling
- Level 4 - quantitatively managed
- Level 5 - optimised

Each level of the IAMM aims to build on the achievements of the preceding levels and as such the levels are cumulative.
This will provide a standard measure of the level of success and achievement of projects defined within the annual improvement programme, an assessment of the level of maturity of areas still requiring actions and the basis of an assessment of resource required to mitigate risks to an acceptable level.

Information risk management.

A fundamental element of information assurance relates to the delivery of effective information risk management. Without an effective approach that enables the sensible aggregation of information risks being taken across the council, decision makers will be prevented from making informed decisions, particularly relating to the treatment of systemic information risks which have the potential to cause severe disruption of the council's business.
The policy also recognises that it is essential that any change that may impact upon policy, standards and guidance issued is captured and risk assessed to ensure appropriate action can be taken, ensuring that the framework remains up to date, relevant and practical.

Information handling systems cannot provide total protection and therefore performance needs to be monitored and lessons learned so that the council has robust and sustainable means to meet its responsibilities, support corporate strategy and address any incidents or breaches in an effective and timely manner. This is recognised in the continual improvement approach contained within the Information Governance Strategy.

The council's risk management approach is based upon the effectiveness of its governance arrangements and managers' good understanding of their services, service developments and their understanding of what risks it is acceptable to take during the normal course of work. This approach removes unnecessary bureaucracy, in particular by preparing documentation solely to demonstrate (rather than support or enhance) effective management.

Accordingly the information governance framework does not contain a separate overarching information risk policy but builds upon the corporate approach to ensure information risks are identified, assessed and managed. The Information Assurance Policy Framework does however include a local information risk management policy that defines what is expected in service areas for the identification and management of information risks.

It is recognised that the delivery of training, education and awareness will need to consider the identification and treatment of information risks to support the delivery of effective information risk management.

As defined in Section 3.1, identified risks and issues will be collated by the IG Lead and reported to CIGG for assessment and inclusion where appropriate in the annual improvement programme.
Clear accountability is vital, particularly at senior levels, to ensure that risks to information are considered from the outset. The SIRO and CIGG have a key role in identifying corporate information risks and informing Management Team as well as cascading corporate information risks to directorates and service teams. The following table sets out each of the main categories of risk within the council and the management controls applied for information risks.
Emerging issues affecting the council and its services
Management control: Management Team, with cascade down via the SIRO and CIGG to directorate and service teams as appropriate and as the issues develop.
Evidence of management:
- Corporate strategy and Information Governance Framework
- Management Team agendas and papers
- CIGG agendas and papers
- Directorate management team agendas and papers

New projects and service developments
Management control: Directorate management teams, with cascade down to service teams as the issues develop, and up to the SIRO, CIGG and Management Team for information.
Evidence of management:
- Corporate strategy and Information Governance Framework
- Directorate strategy/business plans
- Directorate management team agendas and papers
- Project risk registers
- CIGG agendas and papers
- Management Team agendas and papers

Current issues or developments within the council's existing services
Management control: Service management teams, with cascade up to directorate management teams and intervention by the SIRO, CIGG and Management Team as appropriate.
Evidence of management:
- Directorate management team agendas and papers
- Project board agendas and papers as appropriate
- CIGG agendas and papers
- Management Team agendas and papers

Monitoring of performance measures
Management control: Performance Working Group Executive, with cascade across to directorate management teams and up to the SIRO, CIGG and Management Team as appropriate.
Evidence of management:
- Performance Working Group Executive agendas and papers
- Directorate management team agendas and papers
- CIGG agendas and papers

On-going provision of the council's services: underlying risks
Management control: Service teams, with cascade up to directorate management teams as appropriate.
Evidence of management:
- Directorate management team agendas and papers
- Corporate documentation of specific information risk areas and annual improvement plan
- Internal Audit Service risk and control evaluations with supporting audit work
3.4. Training and awareness.

Every user is engaged in information assurance and is expected to adopt good information management and handling practices, valuing information as a business asset. Without effective training, education and awareness users will not implement policies and procedures in a way that values and protects information as a core business asset.

Cultural change is identified throughout the information governance framework and is key to ensuring compliance with information assurance policies and procedures and improving IA maturity across the council. All training and awareness activities must support the underlying objective of embedding information assurance across the council.

Training is an ongoing activity which requires constant attention if information is to be handled and shared appropriately. Training on basic information assurance will be delivered to all users using e-learning and other delivery mechanisms. Training relates to all users with access to council information, as well as specific training for the SIRO and users with specific IA responsibilities, such as users working in joint teams that may need some specific training where confusion may arise from having to comply with different organisations' policies and procedures.

Service specific and individual training requirements may be identified within service plans or in individual learning and development plans. Strategic training requirements will be identified by CIGG as part of the information risk management approach and a project for delivery will be included in the annual improvement programme as appropriate.

All communications must be carried out in consultation with the corporate Communications Service and supported by the service to ensure the most effective means are applied at all times.
It is essential that information assurance and security related communications reach intended audiences and are easy to read, understand and assist with compliance as this will aid the culture change within the council.

Information sharing.

It is a requirement of this policy that information sharing within the council and across organisational boundaries is done securely and proportionately to the value of the information in question. Information will be readily shared within the council and with external stakeholders in an assured and cost-effective way, whilst reducing the business impact should a compromise occur.

Where the systematic sharing of data is required with another organisation an agreement must be implemented that follows the council's information sharing code of practice. The code of practice is designed to provide a framework for the secure and confidential sharing of information between the partner organisations that contribute to the wellbeing of residents and ensuring disclosure is in line with statutory requirements.

Where it is necessary to share information on an ad hoc or case by case basis this must be carried out in accordance with the guidance contained within the Information Commissioner's Data Sharing Code of Practice.
4. Compliance

The SIRO and CIGG are responsible for ensuring overall compliance with the Policy.

The council's code of conduct for employees sets out the behavioural standards that must be upheld by all employees of the council and forms part of the council's terms and conditions of employment. The Code sets out minimum standards of conduct and in the context of the Information Governance Framework the following standards apply:

- Adhere to all corporate, Directorate/LCCG and service-specific policies and procedures.
- Follow any local rules laid down for your work location.
- Use of facilities - at work, you may have access to facilities, such as office equipment, computers, telephones, transport, etc. These facilities are not intended for private use. Where some personal use is permitted, you must observe any corporate protocols, including the Internet, and Telephone System Acceptable Use Policy.
- Notify your line manager* of any known or suspected breaches of the law or Council's policies, procedures and regulations, and co-operate with any investigation of such breaches. (* If you feel unable to approach your immediate line manager on a specific matter, you should notify a more senior manager responsible for the area of the service in which you work or use the confidential whistleblowing line)
- Undertake training courses and learning/e-learning modules as required by your job role or employment with the Council.

Non-compliance with the Code may result in action being taken under the council's Disciplinary Procedure and could result in dismissal from employment with the council.

A breach of policy involving a partner or third party organisation will be treated as a security incident and investigated in accordance with the Security Incident Management Policy. Appropriate action will be agreed with the SIRO taking into consideration any specific contractual recourse or sanctions available.
The Audit Committee holds the council to account for the adequacy of all of its risk management arrangements. It seeks assurance over these arrangements from the council's head of internal audit and requires a periodic statement of the most significant risks facing the county council. In addition, the Internal Audit Service works with individual directors and executive directors to consider the council's assurance needs. Priority is given to providing assurance over the controls which reduce the greatest inherent risks to the greatest degree.
5. Key roles and responsibilities
Senior Information Risk Officer (SIRO)
The County Secretary and Solicitor is appointed as the council's SIRO. The SIRO takes ownership of the information governance framework, acts as an advocate for information governance and risk at Management Team and provides evidenced statements of information assurance as part of the council's Annual Governance Statement.
Key responsibilities of the SIRO are:
To take ownership for the development and maintenance of the information governance framework that incorporates the Information Governance Strategy, Information Governance Policy.
To consider decisions made by CIGG and ratify those decisions as appropriate.
To take ownership of the information risk management approach, including review of the annual improvement programme to support and inform the Annual Governance Statement.
To ensure each Directorate and service fulfil their responsibilities and apply the relevant information governance policies and controls.
To ensure that the council's approach to information governance and risk is effective in terms of resource, commitment and execution and that this is communicated to all staff.
To provide a focal point for the resolution and/or discussion of information governance and risk issues.
To ensure Management Team is regularly and adequately briefed on information governance and risk issues.
Corporate Information Governance Group (CIGG)
The group is composed of representatives of the council's core directorates and the council's strategic partner (One Connect Limited). Representatives from other specialist areas (e.g. Legal Services and Internal Audit) may also be required to attend as necessary. The Group is to support and assist the SIRO with the development and maintenance of the information governance framework and to agree all changes to policies, standards and guidance. The Group is to support managers in the implementation of policy and standards, management of information risks and in promoting information security awareness throughout their service areas.
The Caldicott Guardian
The Caldicott Guardian is responsible for ensuring that processes satisfy the highest practical standards for handling patient/service user information.
He/she is responsible for ensuring the safe recording, storing and retention of all personal data and ensuring all information flows are mapped to exclude any leaks of information. The Caldicott Guardian acts as the conscience of the organisation to provide a focal point for patient/service user confidentiality and information sharing issues.
Information Governance Lead
The Information Governance Lead is responsible for:
Fully supporting and assisting the SIRO, CIGG and the Caldicott Guardian by overseeing the day to day Information Governance issues, providing guidance to the organisation, assisting with the development and maintenance of all policies, protocols, strategies and procedures within the Information Governance framework.
Assisting in raising awareness on an on-going basis to staff of all levels throughout the council.
Co-ordinating the Department of Health Information Governance Toolkit annual submission and periodic returns.
Conducting or supporting any investigations (with the relevant manager(s)) relating to breaches of confidentiality, either suspected or confirmed.
County Data Protection Officer
The key role of the Data Protection Officer is to promote the council's compliance with the Data Protection Act. Specific responsibilities within the context of this policy are contained within the Data Protection, Freedom of Information and Environmental Information Regulations Policies that are part of the Information Assurance Policy Framework.
One Connect Limited ICT Services
Provide technical advice; Manage the necessary technical environment and tools to support effective information assurance in accordance with recognised good practice.
All Managers
All managers are responsible for ensuring that relevant policies and supporting standards and guidance are built into local processes and that there is on-going compliance on a day to day basis. Any breaches or suspected breaches of confidentiality or information security must be reported in accordance with the Incident Management Policy. All managers are responsible for the identification of existing or emerging information risks relating to their service area and either addressing or reporting the issues to CIGG for consideration.
All staff
This includes permanent, temporary, contractors and any individual who has been given access to the council's network, systems or other information. Individuals are responsible for ensuring that they familiarise themselves with relevant policies and guidance and that they understand the responsibilities set out in them. If individuals are unsure about any aspect of a policy or guidance they must seek clarification from their line manager or the IG Lead. Staff must ensure that they are compliant with legislative and regulatory requirements. Information Governance training is mandatory for all staff and will be delivered in accordance with this policy.
Document Control
Organisation: Lancashire County Council
Title: Information Governance Framework
Author: Ian Shipcott
Filename:
Owner: County Secretary & Solicitor (SIRO)
Subject: Information Governance
Protective Marking: Not Protectively Marked
Review date:
Revision History
Version | Status | Revision Date | Summary of Changes | Author
0.1 | Draft | 17/1/13 | First Draft | I Shipcott
0.2 | Draft | 18/1/13 | Amended Caldicott Guardian R&R | Y Byrne
0.3 | Draft | 23/1/13 | Added DPA Officer R&R and compliance for partners & third parties | I Shipcott
0.4 | Draft | 31/1/13 | Removed FOI Policy from IAPF Framework | I Shipcott
0.5 | Draft | 7/2/13 | Amended IAPF Framework content | I Shipcott
0.6 | Draft | 14/2/13 | Update following comments from Deputy CS&S and Head of Efficiency and Business Support; CYP. | I Shipcott
Review and Approvals
Title | Name | Signature
IG Project Lead
CIGG
SIRO
Date
Issue of Distribution
This document has been distributed to:
Name | Title | Date of Issue | Version