Staff Information Governance Manual. All you need to know about Information Governance in one place


CONTENTS

1. The roles of the Caldicott Guardian and the Senior Information Risk Owner
2. Fair Processing Notice
3. Information Governance Training
4. Information Governance Compliance Staff Code of Conduct
5. NHSmail - Safe, Secure and Encrypted Emails
6. Facsimile Machines and Safe Havens
7. Confidential Waste
8. Privacy Impact Assessments - Data Protection Act
9. Smartcard
10. A Mini Guide to the NHS Number
11. Information Governance Spot Checks
12. Your emails could be disclosed under the Freedom of Information Act
13. Information Governance Incidents
14. Information Governance Incidents Feedback and Lessons Learnt
15. Information Governance Policies

E-Brief article: Role of Caldicott Guardian and SIRO

The roles of the Caldicott Guardian and the Senior Information Risk Owner

The above roles are a statutory requirement for all NHS bodies.

Locally:
- John Wharton also has CCG Board level responsibility as Caldicott Guardian.
- Nick Armstrong also has CCG Board level responsibility as Senior Information Risk Owner.

In summary, these roles include the following responsibilities:

The Caldicott Guardian:
- Is advisory
- Is the conscience of the organisation
- Provides a focal point for patient confidentiality and information sharing issues
- Is concerned with the management of patient information

The Senior Information Risk Owner:
- Is accountable
- Fosters a culture for protecting and using data
- Provides a focal point for managing information risks and incidents
- Is concerned with the management of all information assets

For example, the Caldicott Guardian will oversee and approve Information Sharing Protocols. For serious information governance breaches the Senior Information Risk Owner will approve closure on reported information governance incidents, and will oversee and review Information Risk Assessments.

Both John Wharton and Nick Armstrong are members of the CCG Quality Committee, which is the forum for dealing with all CCG information governance matters.

Further Help
Information Governance Manager
NHS CWW Commissioning Support Unit
suzanne.crutchley@nhs.net

E-Brief article: Fair Processing Notice

Fair Processing Notice: Your Information - What you need to know

What this Fair Processing Notice is about

This notice tells you how the Clinical Commissioning Group (CCG) and the Cheshire and Merseyside Commissioning Support Unit (CSU) process non-clinical information about you, e.g. your name, address, date of birth, etc., and reminds you of your rights under the Data Protection Act.

What do we use your Information for?

We only use your information for lawful purposes in order for us to effectively administer the business of the CCG and the CSU. For example:
- Pay and Pension
- Work Management
- Staff Training
- Internal Telephone Directory
- Administration of access to information systems
- Emails
- Website & Intranet

The CCG and/or the CSU may use, in current day to day business, your:
- Name
- Job title
- Work Phone number
- Work address
- Office base

This may include minutes of meetings, reports, action plans, newsletter articles, etc., which may be published on the website and/or the Intranet. The CCG and CSU have a duty to protect all their employees. If you have any concerns about where this information is published, or feel you will be put at risk by the disclosure of this information, please discuss this with your manager, the CCG Senior Information Risk Owner (SIRO), or the CSU Information Governance Manager.

How do I know my information will be kept Confidential and Secure?

Everyone working for the NHS has a legal, ethical and contractual duty to keep information confidential - the obligation is not restricted to patient data. Information held about you, whether on paper or computerised, is protected from unauthorised access.

Will you give my personal details to anyone?

We will not routinely disclose any information about you without your express permission. Your information may be shared, in strict confidence, with other CCG/CSU departments where this is necessary to administer your employment.

There may be circumstances where we are bound to share information about you owing to a legal obligation, e.g. tax returns. Whenever we can, we will remove personal details which identify you. Anyone who receives information from us is also under a legal duty to keep it confidential.

Can I see my Information?

The Data Protection Act 1998 gives you the general right to apply to see or to be given a copy of personal data held about you. Maximum fees for access and providing copies are set down by law. For further information please contact the CSU Information Governance Manager.

Complaints/Appeals

In the event that you believe we have not complied with the Act, either in responding to a request, or in our general processing of your personal information, and if you have had no satisfaction from the CSU Information Governance Manager, you should contact the CCG Senior Information Risk Owner (SIRO).

Of course you always have the right to complain to, appeal or raise your concerns with the Office of the Information Commissioner by writing to:

Information Commissioner
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You can call the ICO helpline on or
It is open between 9am and 5pm, Monday to Friday.
Or visit the ICO website at:

Further Information

This notice does not give a full explanation of the Law. If it doesn't answer your questions or you would like more detailed information, contact the Office of the Information Commissioner (see details above).

This notice is only concerned with non-clinical information relating to you, as an employee of the CCG/CSU. Should you wish to know more about any information that is held about you as a patient, please contact your local health care provider.

Further Help
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit
suzanne.crutchley@cmcsu.nhs.uk

E-Brief article: Information Governance Training

Mandatory Information Governance Training to be completed every 12 months through the National Learning Management System

Mandatory Information Governance Course

There are a variety of courses available on the National Learning Management System (NLMS), many of which will also count towards completion of your Statutory and Mandatory Training.

All staff are required to complete the mandatory course module:
- Introduction to Information Governance

and then a refresher module once a year thereafter:
- Information Governance Refresher

What is Information Governance?

Information Governance is a framework concerning the way that information about patients, employees and contractors is handled. It is particularly concerned with personal and sensitive information, but it also incorporates corporate confidential information about the NHS organisation.

Questions and Answers

1. Why do I have to complete an e-learning module?
It is a Department of Health requirement that all staff complete the Introduction to Information Governance e-learning module (and the Refresher every year thereafter). The module has been designed to be user friendly and promote consistency and good practice across the NHS.

2. What does the module cover?
The Introduction to Information Governance module covers Data Protection, confidentiality, Freedom of Information, good record keeping and information security.

3. When do I have to complete it by and how long will it take?
For all staff, the training must be completed once a year. It should take around one hour and there is a short assessment at the end. The module will automatically bookmark if you do not get a chance to finish it in one go.

NLMS Overview

The National Learning Management System (NLMS) is the nationally developed e-learning solution providing a web based e-learning tool for the NHS with an integrated learning management system connected to the Electronic Staff Record. E-learning is now being increasingly used in the NHS, as an alternative to classroom based training.

Getting Started on NLMS

Staff should access the National Learning Management System login page at:
If this link does not work, please contact the IT Service Desk to report the problem.

The following link takes you directly to the Information Governance modules: nance

NLMS Instructions to enrol on to a course

The following web link takes you through to a helpful tutorial to enrol on to a course:

The courses that you are required to complete are:
- 000 Introduction to Information Governance (once)
- 000 Information Governance: The Refresher Module (annually)

Further Help with Information Governance
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit
suzanne.crutchley@cmcsu.nhs.uk

E-Brief article: Information Governance Compliance Staff Code of Conduct

What is Information Governance?

Information Governance is a framework concerning the way that information about patients and employees is handled. It is particularly concerned with personal and sensitive information, but it also incorporates corporate confidential information about the NHS organisation, i.e. your CCG.

Data Protection Act 1998

What you see here, What you hear here, When you leave here, Let it stay here.

The Act was passed to protect the rights of the individual about whom information is obtained, shared, processed or supplied. It includes all information and data which can identify a person, held in any format: visual, verbal, paper, computer, filmed, recorded, imaging, photograph, etc.

Information and data is safeguarded by the Data Protection Act, which is underpinned by eight principles:

The 8 Data Protection Principles
1. Processed fairly and lawfully.
2. Processed for specified purposes.
3. Adequate, relevant and not excessive.
4. Accurate and kept up to date.
5. Not kept for longer than necessary.
6. Processed in accordance with the rights of data subjects.
7. Protected by appropriate security (practical and organisational).
8. Not transferred outside the EEA without adequate protection.

Caldicott Reports 1997 and 2013

The first report was produced for the Department of Health by a committee, chaired by Dame Fiona Caldicott. The Caldicott committee made 16 recommendations aimed at improving the way that the NHS handles and protects patient information.

The second report, Information: To share or not to share? The Information Governance Review (March 2013), contains 26 recommendations and a revision of the previous Caldicott Principles. It is available at: 2/ _InfoGovernance_accv2.pdf

As with the Data Protection Principles, the Caldicott Principles outline best practice in patient Information Management.

Confidentiality is part of your day to day activity and must be rigorously observed, no matter what your role or where you happen to be. Do you know who your Caldicott Guardian is? If not, make it your business to find out!

The revised 7 Caldicott Principles
1. Justify the purpose(s)
2. Don't use personal confidential data unless it is absolutely necessary
3. Use the minimum necessary personal confidential data
4. Access to personal confidential data should be on a strict need-to-know basis
5. Everyone with access to personal confidential data should be aware of their responsibilities
6. Comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality.

Think about your responsibilities with Caldicott

Remember - information must be:
- Held securely and confidentially.
- Obtained fairly and efficiently.
- Recorded accurately and reliably.
- Used effectively and ethically.
- Shared appropriately and lawfully.

Personal Confidential Data (PCD)

Remember, this includes all information and data which can identify a person, held in any format.

NHS Codes of Practice

There are three Codes of Practice that cover:
- Those who work within the NHS
- Those under contract to the NHS

The Codes are:
- Confidentiality: NHS Code of Practice (November 2003)
- Records Management: NHS Code of Practice (April 2006)
- Information Security Management: NHS Code of Practice (April 2007)

Click below to access copies:
NHS Codes of Practice and legal obligations

Further Help
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit
suzanne.crutchley@cmcsu.nhs.uk

E-Brief article: NHSmail - Safe, Secure and Encrypted Emails

Exchanging sensitive data the safe way

Best practice when using your NHSmail account

In this staff briefing we focus on the extremely important subject of making sure that you are handling sensitive data in the safest possible way when using NHSmail.

All staff are reminded of the risks associated with sending, forwarding and receiving emails which contain sensitive and/or confidential information, which may be patient, carer, staff, contractor or business related.

What do you send by email?
- In the subject line?
- In the message?
- As an attachment?
- When you forward an email on?

The NHSmail service has been specifically designed with the needs of NHS staff in mind and, apart from being able to access it from any computer or device, the top requirement is to enable staff to exchange sensitive and confidential data. The service is accredited to Government RESTRICTED status for this purpose. It is highly secure and has been endorsed by the British Medical Association, Royal College of Nursing and Chartered Society of Physiotherapy.

However, users must play their part in ensuring that they handle sensitive data correctly when using NHSmail. Below are some points which are not so much tips, but musts, when using NHSmail.

Ensure you understand which accounts are secure for exchanging information with NHSmail
- NHSmail (@nhs.net) to NHSmail is a secure route.
- NHSmail to nhs.uk addresses is NOT a secure route and sensitive data is at risk if sent this way without additional protection.

Other equivalent encrypted accounts

There are other statutory organisations which have equivalent encrypted accounts which are interoperable with NHSmail accounts. NHSmail is part of the Government Secure Intranet, a secure network for public sector organisations which encompasses the police, local and central government and criminal justice services.

These public sector workers have access to addresses connected to the network which CAN be used to exchange information with NHSmail. So if an address ends in one of the following, you're safe to send sensitive data.

For safe, secure & encrypted emails from and accounts
not safe, not secure emails not e.g. to

Further Help
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit

E-Brief article: Fax Safe Havens

Facsimile Machines and Safe Havens

Safe Haven is a term recognised throughout the NHS to describe the administrative arrangements to safeguard the confidential transfer of patient identifiable information and other sensitive information between organisations or sites.

When information is disclosed through a designated safe-haven point to an equivalent point in another organisation, staff can be confident that agreed protocols will govern the use of the information from that point on.

Safe Haven facsimile machines should be sited in areas where the general public and, if possible, staff from other organisations do not have physical access. Also, local arrangements should be in place for the confidential handling of transmitted data / information which may be received outside of normal working hours.

Alternatively, newer facsimile machine models can be set to store information, stopping the fax printing out until a designated member of staff activates the machine by entering a secure PIN. The machine is set to store the information when no designated members of staff are physically in the immediate area of the machine. This way the facsimile machine is classified as Safe Haven.

If you have reason to send and/or receive a fax which contains patient identifiable information and/or other sensitive information, please ensure that a Safe Haven facsimile machine is used at both ends, whenever possible.

All staff should familiarise themselves with the location and number of their nearest Safe Haven fax.

Further Help
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit
suzanne.crutchley@cmcsu.nhs.uk

E-Brief article: Confidential Waste

Confidential Waste

In this data-intensive age, the risk of confidential and sensitive information falling into the wrong hands remains a constant threat. Information security matters now more than ever before.

All staff are asked to ensure that:
- Confidential waste is either placed in the confidential waste sacks/console units provided, which must be located in a position out of direct view of the door/window;
- Or, confidential waste is shredded, using the shredding machines provided.

Confidential waste sacks/console units

Only papers and computer discs that contain confidential person identifiable information, or confidential corporate information, are to be placed in this console.

Ok to go in:
- patient data (e.g. name, address, date of birth, phone number, NHS Number, clinical information, etc.);
- individual staff data (e.g. sickness records);
- any documents with restricted access;
- drafts of contentious documents;
- diaries which contain personal details;
- job application forms.

Do not put in:
- anything already available to the public (e.g. on the website) such as minutes of meetings, policies, strategies, reports, action plans, or leaflets.

As the CCG have to pay for this type of waste to be shredded to confidentiality standard, please ensure that domestic waste is not put in to these sacks/console units. Only papers and discs that contain confidential person identifiable information, or confidential corporate information, are to be included.

This would mean, for example, that if only a few pages of a paper document are confidential, then ONLY those pages are put in to these sacks/units; the remainder of the document can go out as domestic waste in the black bags, or can be recycled.

Further Help
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit
suzanne.crutchley@cmcsu.nhs.uk

E-Brief article: Privacy Impact Assessments and Information Sharing Protocols

Privacy Impact Assessments and Information Sharing Protocols

Privacy matters more than ever before, especially as so much of our personal information is now collected and shared. There has been significant media interest over the last few years in missing data and breaches of confidentiality. News stories appear almost every week.

One measure that the CCG has introduced to help to prevent this from happening is to mandate that a Privacy Impact Assessment (PIA) is completed for all new work which involves person identifiable data (PID). A PIA is also needed for all major changes to existing procedures which use personal data, e.g. moving from paper to electronic systems. This will give the CCG Governing Body assurance that every aspect of data protection has been considered and managed before work begins.

Privacy Impact Assessment is a process which enables organisations to anticipate and address the likely impacts of new initiatives, foresee problems, and negotiate solutions. Risks can be managed through the gathering and sharing of information with stakeholders. Systems can be designed to avoid unnecessary privacy intrusion, and features can be built in from the outset to reduce this.

The Privacy Impact Assessment aims to assist the CCG, when proposing change, to investigate whether the personal information aspects of the project / work comply with the statutory data protection principles in the Data Protection Act.

Without completing a PIA, you may be prevented or delayed in starting your work.

Information Sharing Protocols

The completed PIA will indicate whether or not an Information Sharing Protocol (ISP) is needed. An ISP is generally needed when person identifiable data (PID) is being shared with non-NHS organisations, and/or when PID is being held on a hosted website outside of the NHS.

Further Help
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit

E-Brief article: Smartcard

A Mini Overview of Smartcards

The NHS Care Records Service (NCRS) and related National Programme for Information Technology (NPfIT) services are accessed using an NCRS Smartcard. A Smartcard is a chip and PIN device used as a means of securely identifying a user.

For healthcare professionals to be issued with a Smartcard they must be registered through the Registration Authority. Full details can be found at:

User Identity Manager and Integrated Identity Management

User Identity Manager (UIM) is new registration software to manage NCRS access control and facilitate the Interface to the Electronic Staff Record (ESR).

Position Based Access Control (PBAC)

PBAC is the set of Access Positions that exist within User Identity Manager (UIM) which can be applied to a user's smartcard profile. Each Access Position is made up of a set of access codes which are taken from the National PBAC Database. The PBAC is agreed locally to reflect what is required for staff groups accessing data via smartcard within an organisation. The Registration Authority Manager is responsible for maintaining and updating the Access Positions on UIM to meet the needs of smartcard users.

Smartcard Misuse and Incident Reporting

All Smartcard users are responsible for the safety, security and use of their own Smartcard as per the terms and conditions set out in the RA01 form. In particular Smartcard users must:
- Never share their Smartcard passcode
- Never allow another user to use their Smartcard
- Never leave their Smartcard unattended unless it is stored securely
- Only access patient information that they require to carry out their role

Failure to comply with these terms and conditions will be treated as serious misconduct and dealt with through the HR disciplinary procedure.

Any member of staff must report incidents where they feel there is a risk to patient health, confidentiality or their organisation's reputation.

Incidents should be reported to the Sponsor and Registration Authority Manager and the local incident reporting procedure must also be completed immediately.

Certificate Expiry and Renewal

Smartcard certificates are valid for two years, after which the smartcard will need to be renewed.

Cheshire ICT Servicedesk

All Registration Authority requests should be directed through the Cheshire ICT Servicedesk:
Telephone:

Reference Documents

All RA documents can be found on the documents page of the Integrated Identity Management section of the Connecting for Health website:

Further Help
Information Governance Manager
NHS CWW Commissioning Support Unit

E-Brief article: NHS Number

A Mini Guide to the NHS Number

By taking up the NHS Number as the national identifier for patients, organisations will significantly improve safety by ensuring that patients are correctly identified. All healthcare organisations must make sure that they have the necessary measures in place for safe, secure transfer of clinical information.

Who has an NHS number?

Everyone in England and Wales has been given an NHS number. New numbers are issued by the NHS Central Register, which holds demographic information on all persons who are registered with a General Practitioner in England and Wales.

Using the NHS number to link data

The NHS number provides the means to use computer data more effectively to combine data from different sources through automated matching of records. The requirements to do this are extensive and range from linking data about a single patient, such as when sending pathology requests or results, to matching multiple records by combining two patient registers so that the patient data is consistent between the two.

Using the NHS number as the main currency of communication

The NHS number should replace local identifiers such as hospital numbers in all communications between organisations about patients. This will enable everyone to communicate across the country using a common currency and avoid reliance on a local number which prevents efficient linkage of data once the patient is treated outside of a limited geographic area. For the number to become the common currency it needs to be displayed on all patient based correspondence and communications within the NHS.

Safeguarding the security and confidentiality of patient data

In exchanging information, one of the most significant risks to confidentiality is when the information contains patient-identifiable data, typically:
- name
- address and postcode
- date of birth
- gender

The robustness and reliability of the NHS number, which in itself does not include any patient identifiable data, allows it to be used as the key patient identifier to counter security risks.

Everyone working for the NHS has a legal duty to keep information about patients confidential and to only use or pass on information about a patient if there is a genuine need to do so to support the patient's interest. Whenever possible, details which identify a person should be removed.

The security of the NHS number

The NHS number is the most secure patient identifier available. You cannot ascertain anything about an individual through their number alone because the number is randomly generated. Even when it is the main currency of communication about patients throughout the NHS, it is unlikely that staff will associate a number with an individual in the same way that they would a name.

Are there circumstances when the NHS number should not be used?

Where steps are taken to aggregate or anonymise information to safeguard confidentiality (e.g. removing name and address), the NHS number should also be removed if staff do not need to know the identity of the individual(s) concerned.

Further Help
Information Governance Manager
NHS CWW Commissioning Support Unit
suzanne.crutchley@nhs.net

E-Brief article: Spot Checks

Information Governance Spot Checks

Overall compliance with Information Governance standards amongst staff is generally found to be very good.

It is important that adequate safeguards are in place to keep personal and sensitive information that we hold secure. Without adequate safeguards in place, there is the potential for a data security breach to occur.

From time to time, independent Information Governance spot checks will be conducted at random across the CCG, without prior notice.

Some areas of risk together with general recommendations for best practice are set out in the table below. These aim to address general areas of Information Governance risk, and are not specific to the CCG.

Further Help with Information Governance
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit
suzanne.crutchley@cmcsu.nhs.uk

Areas of risk and general recommendations

RISK AREA: CLEAR DESK PROCEDURE
RECOMMENDATIONS:
1. Reminder to staff to lock away manual records containing patient data or other confidential information.
2. Reminder to staff that confidential information should not be left unattended within reach or sight of the public or visitors.
3. Consider fitting keypads on doors into sensitive areas where needed.

RISK AREA: POST
RECOMMENDATIONS:
1. Post held in post trays should be locked away at the end of the day if not being collected until the following day.

RISK AREA: CONFIDENTIAL WASTE
RECOMMENDATIONS:
1. Reminder to staff to place all confidential waste in the sacks/console units provided.

RISK AREA: COMPUTERS
RECOMMENDATIONS:
1. Staff to be reminded to lock or log off from their computer when they leave their desk for any length of time.
2. Computer screens to be angled to prevent being viewed by the public or visitors; alternatively, fit a privacy screen.

RISK AREA: FACSIMILE MACHINES
RECOMMENDATIONS:
1. Fax machines that receive confidential faxes should be programmed (sleep mode) to store faxes in their memory to prevent them being printed outside of office hours.
2. Frequently used numbers should be programmed into the memory dial facility in order to reduce the risk of misdialling.

RISK AREA: OTHER ELECTRONIC MEDIA
RECOMMENDATIONS:
1. Mobile devices should be locked away when not in use.
2. Where possible, photocopiers should not be sited in an area where the general public or visitors have access.

RISK AREA: LOCKING ROOMS AND STORAGE ARRANGEMENTS
RECOMMENDATIONS:
1. Offices and rooms that contain confidential information should be locked when not in use.
2. Adequate lockable drawers/cabinets should be provided for staff to lock away confidential files/notes/documents, etc.
3. Drawers/cabinets that contain confidential information should be locked when not in use.

RISK AREA: TRAINING AND POLICY ADMINISTRATION
RECOMMENDATIONS:
1. Reminder to staff (and line managers) to ensure that their Information Governance training is kept up to date every year.

E-Brief article: Emails and FOIA

Your emails could be disclosed under the Freedom of Information Act 2000

The Freedom of Information Act confers two general rights on the public:
1. A right to be informed whether a public body holds certain information.
2. A right to obtain a copy of that information.

All staff are reminded that, under the terms of the Act, the emails that you send and receive are disclosable in law.

You are therefore asked that particular care be taken if an email is in connection with a patient or a member of the public, especially if this is in connection with a complaint, an appeal panel or litigation. These are just a few examples of the type of emails that are requested to be disclosed.

Emails that concern new services or significant changes to existing services are another typical example of the types of Freedom of Information requests that we receive.

It is therefore advisable that personal opinions and throw away comments are avoided.

If you receive a request (by email, as a letter or fax) for information under the Freedom of Information Act, you must send it without delay to the CSU Customer Solution Centre, who process all FoI requests for the CCG.

Further Help
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit
suzanne.crutchley@cmcsu.nhs.uk

24 E-Brief article: Information Governance Incidents Reporting Information Governance Incidents Staff should report any incidents or concerns about any aspect of confidentiality and security, whether a breach has taken place or a near miss has occurred. Near misses are indicators of potential problems, so should also be reported. Security Incidents Affecting Confidentiality There are several ways in which patient, members of the public, staff or contract workers confidentiality may be breached. All breaches should be reported and investigated accordingly. A confidentiality incident is defined as any event that has resulted or could result in: the disclosure of confidential information to any unauthorised individual the integrity of the manual system or data being put at risk the availability of the manual system or information being put at risk An adverse impact can be defined for example as: threat to personal safety or privacy legal obligation or penalty financial loss disruption of CCG business an embarrassment to the CCG Types of Security Incidents The types of non-computer security incidents likely to affect confidentiality are variable. Data security incidents may take many forms including the following: Theft of equipment holding confidential information laptop computers, ipads, BlackBerrys, mobile-phones, etc. Unauthorised access to a building or areas containing unsecured confidential information. Access to patient data by an authorised user who has no work requirement to access the data. Authorised access which is misused (staff). Misuse of equipment such as faxes, text messages on mobiles and ansaphones. Inadequate disposal of confidential material (paper, files, etc). Car theft / break-ins to staff carrying confidential records. Unauthorised access to data away from premises (e.g. when travelling between meetings, etc). Careless talk (e.g. in the corridor or car park)

25 Reporting Arrangements

All incidents or information indicating a suspected or actual data security / confidentiality breach should initially be reported to the immediate line manager and then reported on Datix. The CCG Locality Lead for the Customer Solution Centre can help you with this.

If an actual serious data security / confidentiality breach has occurred, the incident should be reported immediately to an appropriate CCG Senior Manager, who will consider if it is necessary to inform the Senior Information Risk Owner and/or the Caldicott Guardian. It may also be necessary to report the incident to others depending on the type and likely consequences of the incident, e.g. the Police, local Counter Fraud specialists, or the Information Commissioner.

Further Help with Information Governance
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit
suzanne.crutchley@cmcsu.nhs.uk

26 E-Brief article: Information Governance Incident Feedback lessons learnt

Information Governance Incidents Feedback and Lessons Learnt

As a new organisation from 1st April 2013 we have yet to have any Information Governance incidents reported. The lessons learnt and feedback to all staff will be listed in this section of the manual as soon as any incidents and lessons have been identified.

Summary of Incident | Lessons Learnt

Reporting Arrangements

Remember, all incidents or information indicating a suspected or actual data security breach should initially be reported to the immediate line manager and then reported on an IR1 Form.

Further Help
Information Governance Manager
NHS CWW Commissioning Support Unit
Fax: suzanne.crutchley@nhs.net

27 E-Brief article: Information Governance Policies

Information Governance Policies

The following CCG policies are available on the CCG website or the CCG Internal Intranet - GP TeamNet at

- Information Governance Strategy
- Information Governance Policy
- Freedom of Information Act Policy (this includes Environmental Information Regulations)
- Confidentiality and Data Protection Policy (this includes staff guidance)
- Subject Access Requests Policy
- Corporate Records Retention Policy (this includes Information Lifecycle)

The associated Cheshire ICT Service policies include:

- Information Security Policy
- Acceptable Use Policy
- RA Policy and procedures
- Network Security Policy
- Mobile Computing and Teleworking Policy
- System Level Security Policy

Further Help
Information Governance Manager
NHS CWW Commissioning Support Unit
suzanne.crutchley@nhs.net


INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

More information

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy NHS Waltham Forest Clinical Commissioning Group Governance Strategy Author: Zeb Alam, CCG IG Lead, (NELCSU) David Pearce, Head of Governance, WFCCG Version 3.0 Amendments to Version 2.1 Annual Review Reference

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

More information

Personal Data Handling and Sharing Policy

Personal Data Handling and Sharing Policy Personal Data Handling and Sharing Policy Originator Richard Gibson Date 20 June 2012 Verifier Lynda Oliver Date 20 June 2012 Reviewed Richard Gibson, Lynda Oliver Date July 2013 Contents Page 1. Introduction

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information