INFORMATION GOVERNANCE POLICY


Policy Title: Information Governance Policy

Executive Summary: This policy seeks to identify the actions required to ensure that information is appropriately and effectively managed, properly controlled, accessible and available for use.

Supersedes: Information Governance Policy Version 5

Description of Amendment(s):
- Change to roles and responsibilities in line with the Corporate Affairs and Governance organisational restructure
- Addition of a section on Incident Reporting
- Amendment to the Training Needs Analysis to reflect mandated training requirements, with reference to the availability of additional modules

This policy will impact on: All staff
Financial Implications: None
Policy Area: Corporate
Document Reference: IG/IGP
Version Number: Version 6
Effective Date: 4 March 2015
Issued By: Director of Corporate Affairs & Governance
Author: Deputy Director of Corporate Affairs and Governance
Review Date: February 2018
Impact Assessment Date: February 2015 (no changes)

APPROVAL RECORD
Consultation: Information Governance Team; Deputy SIRO (February 2015)
Approved by Director: Director of Corporate Affairs & Governance (March 2015)
Ratified by Group: Information Governance & Records Management Group (24/03/15)
Policy Received by: All staff via policy cascade process (March 2015)

INFORMATION GOVERNANCE POLICY

CONTENTS
1. Introduction
2. Policy Statement
3. Scope
4. Roles & Responsibilities
5. General Principles
   5.1 Openness
   5.2 Legal Compliance
   5.3 Information Security
   5.4 Quality Assurance
   5.5 Related Policies/Procedures
6. Assessment and Improvement Planning
7. Information Governance Management
8. Training
9. Incident Reporting
10. Monitoring
Appendix 1a and 1b: Privacy Impact Assessment Guidance
Appendix 2: Consultant Assurance Form

1. INTRODUCTION

The Trust recognises that information is a vital asset, both in terms of the clinical management of patients and the efficient management of services and resources. Information plays a key part in supporting the whole governance agenda, service planning and performance management.

This information governance framework will provide assurance to both the Trust and individuals that personal information is managed legally, securely, efficiently and effectively, in order to deliver the best possible care. The Trust will develop, implement and maintain policies and procedures to ensure compliance with both the law and the requirements contained in the Connecting for Health (CfH) Information Governance Toolkit.

2. POLICY STATEMENT

The Trust recognises and accepts its responsibility to ensure full compliance with the requirements for the management of information as set out in law, and to assist service management as determined by law, statute and best practice. This includes, but is not limited to, the provisions of the Data Protection Act 1998, the Freedom of Information Act 2000 and the Department of Health Codes of Practice:

- Confidentiality: DH Confidentiality Code of Practice
- Records Management: DH Records Management Code of Practice
- Information Security: DH Information Security Management Code of Practice

3. SCOPE

This policy covers all forms of information, irrespective of care or business setting within the organisation. Information may relate to patients/clients/service users, staff/personnel or business/corporate matters. Information types are far ranging, e.g. paper, electronic, databases, photographs, e-mails and x-ray films.

Systems will be introduced to manage and monitor the effective handling of information, whether that is the management and structure of records systems, both paper and electronic, or secure transmission and receipt.

This policy covers all information systems purchased, developed and managed by or on behalf of the organisation, and any individual employed or commissioned by the organisation. This policy also enables the proactive use of information sharing with partner organisations to support care as determined by law, statute and best practice.

The Trust is committed to making non-confidential information widely available in line with its responsibilities under the Freedom of Information

Act 2000, and this policy fully supports that provision to ensure the Trust meets its obligations in this regard.

4. ROLES & RESPONSIBILITIES

4.1 The Chief Executive is the accountable officer and has overall responsibility for ensuring that information governance is applied throughout the organisation.

4.2 The Director of Corporate Affairs and Governance has Board-level responsibility for information governance, including overall responsibility for the security and quality of information, both corporate and sensitive/personal, via the work of the Information Governance & Records Management Group. The Director of Corporate Affairs and Governance is the nominated Trust Senior Information Risk Owner (SIRO).

4.3 The Associate Medical Director Clinical Effectiveness will act as the Caldicott Guardian and will take the lead on confidentiality issues, to:
- act as a champion for data confidentiality and report to Board level via the Medical Director;
- develop a knowledge of confidentiality and data protection matters, including links with external sources of advice and guidance;
- ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff;
- oversee all arrangements, protocols and procedures where confidential social care information may be shared with external bodies, including disclosures to other public sector agencies and other outside interests.

4.4 The Deputy Director of Corporate Affairs and Governance (Deputy SIRO) is responsible for ensuring that systems and processes are in place to ensure sound information governance across the Trust. This includes management of the information governance team budget.

4.5 The Head of Integrated Governance will act as the Data Protection Officer and as such has responsibility for implementing the Trust data protection framework, for reviewing and updating data protection policy and procedures, and for providing specialist advice in relation to data protection issues. The Head of Integrated Governance has responsibility for the management of the IG Toolkit, and line management responsibility for the Integrated Governance Facilitator.

4.6 The Integrated Governance Facilitator has responsibility for the operational management of information governance and for the implementation and coordination of the information governance work programme across the Trust, although responsibility for specific requirements is devolved to specialist leads and service managers. The Integrated Governance Facilitator is also responsible for ensuring that all policies and procedures relating to the information governance function are adequate and up to date. This post holder is also responsible for reporting identified serious incidents requiring

investigation, once agreed with the SIRO/Deputy SIRO, via the HSCIC IG Incident Reporting Tool.

4.7 Information Governance Officer. The Information Governance Officer will support the implementation of Trust IG policies and procedures through a programme of monitoring and review, incident management, and the provision of specialist advice, guidance and training. The IG Officer will maintain the Trust's portfolio of evidence within the IG Toolkit and, where required, will facilitate the provision of accurate information for requests made under the Freedom of Information Act.

4.8 Managers and Supervisors are responsible for ensuring the local implementation of information governance, and for implementing this and other appropriate information policies within their sphere of responsibility. This includes taking appropriate management action should non-compliance arise, in accordance with the Trust's Disciplinary Policy. Clear accountability arrangements will ensure that staff are held to account for the work that they do, and this will be reinforced through contractual arrangements.

4.9 Employees, Volunteers, Contractors and Sub-contractors. All Trust staff, whether clinical or administrative, employed, sub-contracted or volunteers, have a responsibility to ensure compliance with this and other information governance policies and procedures, and must undertake annual training via the online IG Training Toolkit or a Trust-approved workbook.

5. GENERAL PRINCIPLES

The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The organisation fully supports the principles of corporate governance and accepts its public accountability. Equally, it places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information.

The Trust also recognises the need to share patient and corporate information with other organisations, including health and social care partners, in a controlled manner consistent with the interests of the patient and, in some circumstances, the public, in accordance with the principles of the Data Protection Act 1998.

The Trust believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to promote the recording of quality information and to actively use this information in decision-making processes.

Information governance sits alongside, and is a key enabler for, integrated governance. It assures the quality of the information which acts as the basis of decisions on financial, corporate or clinical risks within the governance process. Information governance provides a framework to bring together all of the requirements, standards and best practice that apply to the handling of information, allowing:

- implementation of central advice and guidance;
- compliance with the law;
- year-on-year improvement plans.

Information governance is concerned with the standards that should apply when information is processed. Information processing has five broad aspects: how information is held, obtained, recorded, used and shared. Information governance provides a consistent way for employees to deal with the many different information handling requirements, including:

- The Data Protection Act 1998
- The Freedom of Information Act 2000
- ISO/IEC 17799:2005
- The Department of Health Confidentiality Code of Practice
- The Department of Health Records Management Code of Practice
- The Department of Health Information Security Code of Practice

There are four key interlinked strands to the information governance policy: openness, legal compliance, information security and quality assurance.

5.1 Openness

The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. Information will be classified and, where appropriate, kept confidential. Non-confidential information about the Trust and its services will be made available to the public through a variety of media, in line with the Trust's Code of Openness and Freedom of Information Publication Scheme. Patients will have access to information relating to their individual care, options for treatment and their rights as patients, provided to them in a format appropriate to their individual needs. There will be clear procedures and arrangements for handling queries from patients and the general public. The Trust will have clear procedures for liaison with the press and broadcasting media. The Trust will undertake planned assessments and audits of its policies and arrangements for openness.

5.2 Legal Compliance

The Trust regards all identifiable personal information as confidential. Compliance with the legal and regulatory framework will be achieved, monitored and maintained.

The Trust will establish and maintain policies and procedures to ensure compliance with the requirements of the Data Protection Act 1998, the Freedom of Information Act 2000, the Human Rights Act 1998 and the common law duty of confidentiality.

The Trust regards all identifiable information relating to staff as confidential, except where national policy on accountability and openness requires otherwise. The Trust will develop and maintain policies and procedures to ensure the controlled and appropriate sharing of information with other agencies, taking account of relevant legislation. The Trust will undertake regular review of its compliance with legal requirements.

5.3 Information Security

The Trust will establish and maintain policies and procedures for the effective and secure management of its information assets and resources, including:

- Sensitive information, such as business-critical or person-identifiable data, is to be locked away when not in use.
- Post storage areas should be protected from unauthorised access.
- Fax machines should be protected from unauthorised use, and safe haven faxes made subject to special procedures and protection.
- Photocopiers, scanners and digital cameras should be protected from unauthorised access.

Announced and unannounced audits will be undertaken to assess information and information technology (IM&T) security arrangements. If required, appropriate action will be taken in line with HR policy.

The Trust's incident reporting system will be used to report, monitor and investigate all breaches of confidentiality and security.

The organisation's Information Governance policy should provide written guidance and procedures. These should be made available to staff and contractors through training and awareness sessions and other educational materials (see also requirement 308). The policy should ensure that the following are included:

5.4 Information Quality Assurance

The Trust will develop and maintain policies and procedures to support information quality assurance and the effective management of records. Managers will be expected to take ownership of, and seek to improve, the quality of information within their services.

Data standards will be set through clear and consistent definition of data items, in accordance with national standards. The Trust will participate in annual assessments and audits of its information quality and records management arrangements.

Wherever possible, information quality should be assured at the point of collection.

5.5 Related Policies/Procedures

This policy forms part of a comprehensive range of policies developed to support delivery of the information governance agenda. Reference should be made to the more specific policies, which further reflect the requirements. Legal and professional guidance should also be considered where appropriate.

A number of processes and procedures apply to information governance, and all staff should be aware of the procedures applicable when implementing any change to the way the Trust collates, processes or shares information. Staff should be aware that there can be no change to service delivery without appropriate information governance sign-off.

Privacy Impact Assessment

A Privacy Impact Assessment is required when a proposed change to service delivery involves the way the Trust collates, processes or shares information. Guidance on the completion of a Privacy Impact Assessment is contained at Appendix 1. Further advice and guidance can be obtained from the Information Governance Manager.

Information Sharing/Data Processing Agreement

Depending on the outcome of the Privacy Impact Assessment, it may be necessary to draft an Information Sharing/Data Processing Agreement, to be signed and approved by either the Caldicott Guardian or the SIRO. No information is to be shared without an approved Agreement.

6. ASSESSMENT AND IMPROVEMENT PLANNING

An assessment of compliance with the requirements of the Information Governance Toolkit will be completed on an annual basis. Results will be submitted electronically to the Health and Social Care Information Centre (HSCIC) IG Toolkit and used for performance monitoring and year-on-year improvement planning. Reports on internal progress will be made to the Information Governance Group prior to any formal submission.

A programme of review of information governance strategies, policies and procedures is undertaken, in line with the policy schedule, via the Information Governance & Records Management Group, to ensure coherence and consistency with each other and with current legislation and guidance on information governance. This ensures a structured framework for information governance and the key initiatives within it. Implementation plans are being developed for all requirements within the Information Governance Toolkit, and lead personnel identified.

7. INFORMATION GOVERNANCE MANAGEMENT

The Head of Integrated Governance is responsible for the management, implementation and coordination of the information governance work programme across the Trust, although responsibility for specific requirements is devolved to specialist leads and service managers.

Information governance management across the organisation will be coordinated by the Information Governance & Records Management Group, a formal sub-committee of the Clinical Management Board. The membership and Terms of Reference for this committee will be reviewed annually. Membership will be:

- Senior Information Risk Owner (Chair)
- Associate Medical Director Clinical Effectiveness/Deputy Caldicott Guardian (Deputy Chair), up to 3 times a year
- Deputy Caldicott Guardian
- Deputy Director of Corporate Affairs and Governance (Deputy SIRO)
- Head of Integrated Governance
- Integrated Governance Facilitator
- Information Governance Officer
- Business Support Representative
- Interim Head of ICT
- Associate Director of HR
- Information Security Specialist (North West Commissioning Support Unit) or representative
- Service Manager, Outpatient Services
- Service line representatives
- Clinical Administration Manager
- Legal Services Manager

Other officers will be co-opted as and when required.

The responsibilities of the Information Governance & Records Management Group will include:

- Co-ordinating and monitoring the information governance strategy across the organisation.
- Approving the annual submission of compliance data to HSCIC via the IG Toolkit.
- Approving any information governance related policies and procedures and recommending these for ratification by the responsible Executive Director.
- Identification of significant risk, including escalation to the Clinical Management Board via the Director of Corporate Affairs and Governance and, ultimately, the Trust Board.

8. TRAINING

8.1 All staff must undertake mandatory annual information governance new starter or refresher training via the online IG Training Toolkit or workbook. In this

context, annual relates to the financial year rather than the calendar year. Additional IG Toolkit modules identified by HSCIC as mandatory for staff within specific roles must also be undertaken, in line with the information governance Training Needs Analysis.

8.2 If you are unsure which job role to follow, please ask your Line Manager. They will contact the Information Governance Team for advice if necessary. Additional recommended modules may be undertaken by individuals working in specific roles; however, these are not mandated. See Table 1, Information Governance Training Needs Analysis.

Table 1: Information Governance Training Needs Analysis
(Columns: Ref; Job Role; Mandatory Modules to be undertaken; Approx. Time to Complete)

A. All Staff
   Modules: Introduction to IG. After this module has been successfully completed, the following module should be completed in subsequent years: Information Governance: The Refresher Module.
   Approx. time: 30 minutes

B. Directors and Non-Executive Directors
   Modules: 1. Introduction to Information Governance, as in A above
   Approx. time: 30 minutes

C. Information Governance Staff
   Frequency: 3 yearly
   Modules:
   1. Introduction to Information Governance, as in A above
   2. Information Security Management
   3. NHS Information Risk Management for SIROs and IAOs
   4. Records Management and the NHS Code of Practice
   5. Records Management in the NHS
   6. Secure Transfers of Personal Data
   7. Access to Information and Information Sharing in the NHS
   8. Access to Health Records
   9. Information Security Guidelines
   10. NHS Information Risk Management: Introductory
   11. Access to Information and Information Sharing in the NHS
   Approx. times as listed: 30 minutes, 30 minutes, 1.5 hours, 30 minutes, 30 minutes, 30 minutes

D. Caldicott Guardian
   Frequency: 3 yearly
   Modules:
   1. Introduction to Information Governance, as in A above
   2. The Caldicott Guardian in the NHS and Social Care (30 minutes)

E. Senior Information Risk Owner (SIRO)
   Frequency: 3 yearly
   Modules:
   1. Introduction to Information Governance, as in A above
   2. Information Security Management
   3. NHS Information Risk Management for SIROs and IAOs
   4. Records Management and the NHS Code of Practice
   5. Secure Transfers of Personal Data

F. Information Security Manager and Support Staff
   Frequency: 3 yearly
   Modules:
   1. Introduction to Information Governance, as in A above
   2. Information Security Management
   3. NHS Information Risk Management for SIROs and IAOs
   4. Records Management in the NHS
   5. Records Management and the NHS Code of Practice
   6. Secure Transfers of Personal Data
   7. Business Continuity Management Foundation
   8. Access to Information and Information Sharing in the NHS

G. Information Technology Management Staff
   Frequency: 3 yearly
   Modules:
   1. Introduction to Information Governance, as in A above
   2. Information Security Management
   3. Secure Transfers of Personal Data

H. Subject Access Lead and Support Staff
   Frequency: 3 yearly
   Modules:
   1. Introduction to Information Governance, as in A above
   2. Information Security Guidelines
   3. NHS Information Risk Management: Introductory
   4. Records Management in the NHS
   5. Records Management and the NHS Code of Practice
   6. Secure Transfers of Personal Data
   7. Access to Information and Information Sharing in the NHS
   8. Access to Health Records

I. Health Records Manager and Support Staff
   Frequency: 3 yearly
   Modules:
   1. Introduction to Information Governance, as in A above
   2. Access to Health Records
   3. Access to Information and Information Sharing in the NHS
   4. Records Management and the NHS Code of Practice
   5. Records Management in the NHS
   6. Secure Transfers of Personal Data
   Approx. times for modules 4 to 6 as listed: 30 minutes, 30 minutes, 1.5 hours

   Approx. times for rows E to I as listed in the source table: 30 minutes, 1.5 hours, 30 minutes, 30 minutes, 1.5 hours, 30 minutes, 1.5 hours, 30 minutes, 30 minutes, 30 minutes, 1.5 hours, 30 minutes, 30 minutes, 30 minutes, 30 minutes

J. Information Asset Owners (IAOs)
   Frequency: Annual
   Modules:
   1. Introduction to Information Governance, as in A above
   2. NHS Information Risk Management for SIROs and IAOs

K. Information Asset Administrator/Assistant (IAA)
   Frequency: Annual
   Modules:
   1. Introduction to Information Governance, as in A above
   2. NHS Information Risk Management: Introductory

9. INCIDENT REPORTING

A data breach can happen for a number of reasons:

- Negligence or human error.
- Unauthorised or inappropriate access, including processing confidential personal data without a legal basis.
- Loss or theft of information, or of equipment on which information is stored.
- Systems or equipment failure.
- Accidents.
- Unforeseen circumstances such as fire, flood and other environmental factors.
- Inappropriate access: viewing information for purposes other than those specified/authorised, e.g. an individual browsing the record of an ex-partner to find their current address.
- Unauthorised access: using other people's user IDs and passwords.
- Poor physical security.
- Inappropriate access controls allowing unauthorised use.
- Lack of training and awareness.
- Hacking attacks.
- Blagging offences, where information is obtained by deception.

All information governance incidents/data breaches must be reported via the Trust's DATIX integrated risk management system, in line with internal incident reporting procedures. In addition, where a serious incident may have occurred or is suspected to have occurred, staff must report the incident directly to the information governance staff. Please refer to the Policy for the Management and Investigation of Incidents via the Trust Infonet.

The Information Commissioner's Office has published clear guidance for staff to inform decision making with regard to the assessment of the severity of information governance incidents (see ICO Guidance for Incident Reporting). This is based on scale and sensitivity factors:

- Level 0 or 1: confirmed IG SIRI (Serious Incident Requiring Investigation), but no need to report to the ICO, DH and other central bodies/regulators.
- Level 2: confirmed IG SIRI that must be reported via the IG Incident Reporting Tool to the Department of Health, HSCIC and the Information Commissioner.

Note: see also Appendix 2 for the reporting form for mis-filed patient information.

10. MONITORING

This policy, and staff adherence to it, will be monitored by the Information Governance and Records Management Group via regular reviews of incidents and assurance reports from identified Information Asset Owners and specialist leads. This is outlined within the Group's rolling programme.

Appendix 1a: Guidance for determining the requirement for a Privacy Impact Assessment (to be managed by the IT Informatics Operational Group)

Guidance Title: Guidance for determining the need for a Privacy Impact Assessment

Executive Summary: The Trust is committed to ensuring that all areas meet the requirements of the Data Protection Act. This includes the potential for new projects to undertake an assessment of the impact on patients' privacy as a result of implementation, and this guidance allows the project lead to determine the level of impact assessment required and to plan accordingly within the PID documentation.

Supersedes: V1
Description of Amendment(s): None
This policy will impact on: All Trust Staff
Financial Implications: None
Policy Area: Information Governance
Document Reference:
Version Number: V2.0
Effective Date: 4 March 2015
Issued By: Director of Corporate Affairs & Governance
Author(s): Deputy Director of Corporate Affairs & Governance
Review Date: February 2018
Impact Assessment Date: N/A

APPROVAL RECORD
Consultation: Information Governance Team (February 2015)
Approved by Director/SIRO: Senior Information Risk Owner (SIRO) (March 2015)
Received for information: Information Governance and Records Management Group (March 2015); Chair of IT Informatics Operational Group

Types of PIA: Small Scale or Large Scale

Not every new project or change to a project will require a Privacy Impact Assessment (PIA). PIAs will be used only where the project is of such a wide scope, or will use personal information of such a nature, that there would be genuine risks to the privacy of the individuals whose information it involves. The IT Informatics Operational Group will use the following points as a guide to decide whether a project requires a PIA, and whether the assessment should be large scale or small scale, subject to discussion.

Small Scale PIA

A small scale PIA may be required where an incident relating to the information would be graded as moderate, for example:

- The identifiable information relates to 100 or more individuals.
- The information is not currently encrypted.
- The information contains some very limited clinical information.
- The aims of the project can be achieved by anonymising the data.

A small scale PIA may also be required where any of the following apply:

- New technology will be used.
- The project involves another NHS organisation.
- The project involves one non-NHS organisation.
- Information will be shared outside the UK but within the EEA, or with a country which is deemed by the European Commission to have an adequate level of protection.

Large Scale PIA

A large scale PIA may be required where an incident relating to the information would be graded as major or catastrophic, for example:

- The identifiable information relates to 1000 or more individuals.
- The information contains particularly sensitive clinical information, such as sexual health details.
- The loss or theft of the information would raise safeguarding issues/risks.
- The loss or theft of the information could result in identity theft.
- The loss of the information would be likely to result in a fine from the ICO.

A large scale PIA may also be required where any of the following apply:

- New technology of an intrusive nature will be used, e.g. RFID tags, biometrics, locator technologies, visual surveillance, digital image and video recording.
- The aims of the project cannot be achieved if the data is anonymised.
- The project involves multiple NHS and/or non-NHS organisations.
- The project would require an addition to the Trust's Data Protection Notification.
- Individuals have not been informed that their data may be used in this way.
- Information will be shared outside the EEA, or with a country which is not deemed by the European Commission to have an adequate level of protection.

Depending on the level of PIA required, the appropriate template (Appendix I, Small Scale PIA; Appendix II, Large Scale PIA) must be completed at the start of the project, in liaison with the IT Informatics Operational Group.

Appendix 1a: Small Scale Privacy Impact Assessment / Data Protection Compliance Check

Name:
Job Title:
Date:
Title:
Reference:
Lead:
Information Asset Owner:

Part 1: Outline of Project/System/Service being reviewed
Please provide an overview of the purpose of the project/system or service. When do you envisage the project/system will be operational?

Part 2: Stakeholder Analysis (Internal)
Which departments use or are involved with the project/system or service?

Part 2: Stakeholder Analysis (External)
2.1 Parties: Please give the name of any third parties involved.
2.2 Parties: Is the third party contractor/supplier of the system registered with the Information Commissioner? Yes / No. Notification Number(s):
2.3 Parties: Do contracts contain information governance clauses?
2.4 Parties: Is an Information Sharing Agreement in place? If yes, when was it last reviewed?
2.5 Parties: Have the parties completed the IG Toolkit? Yes / No. Organisation Code(s): Rating: Satisfactory / Unsatisfactory
2.6 Parties: Where are the third party/supplier(s) based? i.e. UK, Europe, USA.

Part 3: Privacy Considerations: Fair and Lawful Processing
3.1 Data: Please specify the type of data being used: Staff / Patients / Other (please specify).
3.2 Data: Which of the following items are being processed for this project/system or service? Name; Post Code; GP/Consultant; Sex; Address; Date of Birth; NI Number; NHS Number; Hospital Number; Other (please specify).
3.3 Sensitive Data: Which of the following items are being processed for this project/system or service? Treatment Dates; Diagnosis; Medical History; Ethnic Origin; Religion; Sexual Orientation; Other (please specify).
3.4 Use of Data: In relation to the above, what entitles you to process the information? (If you are processing sensitive personal data you need to tick two: one from Section A and one from Section B.)
   Section A: Personal Data
   - Consent has been/will be obtained
   - Compliance with a legal obligation (please specify below)
   - To protect the vital interests of a person
   - Other legitimate interests (please specify below)
   - Other (please specify below)
   Please outline further details here:
   Section B: Sensitive Personal Data
   - Medical purposes, including preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services
   - Explicit consent has been/will be obtained (complete 2.2.2)
   - Other (please specify below)
   Please outline further details here:
3.5 Consent: If consent is obtained, where is the consent recorded?
3.6 Informing Subjects: What steps are taken to inform individuals how the information will be used?
3.7 Notification: Is this processing covered under the Trust's current notification? Please specify which section.

Section 4: Data Quality & Records Management
4.1 Data Quality: If an electronic system is used, does the system link with other systems? If yes, please specify.
4.2 Data Quality: How is the information kept up to date and checked for accuracy and completeness? Please provide evidence of compliance.
4.3 Retention: What arrangements are in place to ensure the data is not kept longer than necessary? Please provide evidence of compliance.
4.4 Retention: How is the information destroyed when no longer required? Please provide evidence of compliance.
4.5 Rights of Access: What steps are in place to ensure information can be provided for a subject access or access to records request? Please provide evidence of compliance.

Section 5: Security and Transfers
5.1 Format: Where is the information to be kept/stored/accessed? On paper (not in Medical Patient Records); Patient's Medical Record; Folder on Shared Drive; Dedicated System (please specify); Other (please specify).
5.2 Format: Is there a usable audit trail in place for the system, for example to identify who has accessed a record? When was the last audit undertaken and what were the results?
5.3 Transfer: Is any information sent off site? Yes / No. If yes, where is the information sent?
5.4 Transfer: Please state by which method the information is transferred: Fax; Website; By Hand; MCHT Post (Internal); Telephone; NHS.net; Post (External); Other (please specify).
5.5 Transfer: Where is the information transferred? Inside UK / Inside EEA / Outside EEA.
5.6 Transfer: If information is to be transferred outside the EEA, what has been done to ensure an adequate level of protection for the data?
5.7 Security Measures: Please outline the security measures in place for the information.
5.8 Security Measures: What actions were taken as a result of the incident(s)?
5.9 Security Measures: How are these security measures audited for compliance?

Section 6: Information Asset (where applicable)
Was the asset recorded on the Information Asset Register? Yes / No / N/A
6.1 Asset Name:
6.2 Reference No.:
6.3 Asset Category:
6.4 Asset Owner:
6.5 Asset Administrator:
6.6 Risk Assessment: Last Review Date; A) Potential Severity (1-5); B) Likelihood of Occurrence (1-5); Anti-theft Measures; Premises/Security Measures; Backups; Business Continuity Arrangements; Final Risk Rating (A x B = C).

26 # Information Governance Use Only # Date: Compliance Check Approved: Yes No Compliance Check Reviewed by: Comments / Feedback: Action Responsibility Due Completed # Information Governance To Complete # Date: Action Plan Completed: Yes No Compliance Check Approved: Yes No Compliance Check Reviewed by: Comments/Feedback: Page 26 of 46

Appendix 1b Large Scale PIA

Data Protection Act 1998
PRIVACY IMPACT ASSESSMENT (PIA) Compliance Checklist

Privacy
Privacy has become a much larger consideration for business and government in recent years. New information technologies have increased public concerns about intrusion into their privacy. Beyond the recognition of privacy as a human right, specific laws have been introduced to deal with particular areas of concern. Much of the legislative attention to date has been focused on information about people that is collected, stored, used and disclosed by organisations. The handling of personal data is regulated by the Data Protection Act 1998, which the Information Commissioner's Office oversees.

Privacy impact assessment
Privacy Impact Assessment (PIA) is a process which enables organisations to anticipate and address the likely impacts of new initiatives, foresee problems, and negotiate solutions. Risks can be managed through the gathering and sharing of information with stakeholders. Systems can be designed to avoid unnecessary privacy intrusion, and features can be built in from the outset that reduce privacy intrusion.

This Privacy Impact Assessment (PIA) aims to assist the Trust, when proposing change, to investigate whether the personal information aspects of the project comply with the data protection principles in Schedule 1 of the Data Protection Act (DPA). The checklist has been designed for use by any employee proposing change. The Information Governance Manager and the Cheshire ICT Service should be consulted about the completion of this checklist. A copy of the completed PIA should also be sent to the AD of the relevant business unit for information (as they are required to report on these as part of their Information Asset Owner responsibilities).

It should be noted that many terms used in the principles have meanings specific to the Data Protection Act, and it would be prudent to refer to the Act for the definition of those terms. Another useful reference is the specific guidance on the Information Commissioner's website ( ). General advice is contained in the Commissioner's Legal Guidance.

I BASIC INFORMATION - New or existing Project, System, Technology or Legislation

1. Lead Directorate and project name
    Directorate
    Department
    Project

2. Contact position and/or name, telephone number and address. (This should be the name of the individual most qualified to respond to the PIA questions.)
    Name
    Title
    Phone Number
    Information Asset Owner
    Information Asset Assistance

3. Description of the programme / system / technology / legislation (initiative) being assessed. (N.B. if the initiative does not collect, use or disclose personal data*, see definition and statement below.) If this is a change to an existing project, system, technology or legislation, describe the current system or program and the proposed changes.

4. Purpose / objectives of the initiative (if statutory, provide citation/reference).
    Purpose

5. What are the potential privacy impacts of this proposal?

IF THERE IS NO PERSONAL DATA INVOLVED, GO TO SECTION III DPA COMPLIANCE - CONCLUSIONS (on the last page)

*IMPORTANT NOTE: Personal data means data which relate to a living individual who can be identified: (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. (Data Protection Act, section 1)

DATA PROTECTION PRINCIPLES (DPPs)

PRINCIPLE 1: FAIR AND LAWFUL PROCESSING
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
For the Information Commissioner's general guidance in relation to this DPP, see Legal Guidance pages.

1.1 Preliminary
What type of personal data are you processing?
What type of sensitive personal data are you processing?

1.2 Schedule 2 Conditions relevant for purposes of the first principle: processing of any personal data
Describe the purposes for which you will be processing personal data.
List which of the grounds in Schedule 2 you will be relying on as providing a legitimate basis for processing personal data.

1.3 Schedule 3 Conditions relevant for purposes of the first principle: processing of any sensitive personal data
If this project does not involve the processing of sensitive personal data, please go to section 1.4.
Identify the categories of sensitive personal data that you will be processing.
Identify the purposes for which you will be processing sensitive personal data.
Identify which of the grounds in Schedule 3 you will be relying on as providing a legitimate basis for processing sensitive personal data.

1.4 Obtaining consent
Are you relying on the individual to provide consent to the processing as grounds for satisfying Schedule 2?    Yes    No
If yes, when and how will that consent be obtained?
For the processing of sensitive personal data, are you relying on explicit consent as specified in Schedule 3, s1 of the Data Protection Act?    Yes    No
If yes, when and how will that consent be obtained?

1.5 Lawful processing
How is compliance with the Human Rights Act being assessed?
Are you assessing whether your processing is subject to any other legal or regulatory duties?    Yes    No
If yes, how is that assessment being made? If no, please indicate why not.

1.6 Fair processing
How are individuals being made aware of how their personal data is being used?
How are individuals offered the opportunity to restrict processing for other purposes? When is that opportunity offered?

1.7 Exemptions from the first data protection principle
The Act requires that in order for personal data to be processed fairly, a data controller must provide the data subject with the following information:
1. the identity of the data controller
2. the identity of any nominated data protection representative, where one has been appointed
3. the purpose(s) for which the data are intended to be processed
4. any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair
(Data Protection Act, Schedule 1, Part II, para. 2(3))
Do you provide individuals with all of the information in the box above?    Yes    No
If no, which exemption to these provisions is being relied upon?

PRINCIPLE TWO: THE PURPOSE OR PURPOSES FOR PROCESSING PERSONAL DATA
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
For the Information Commissioner's general guidance in relation to this DPP, see Legal Guidance pp.

2.1 Use of personal data within the organisation
What procedures are in place for maintaining a comprehensive and up-to-date record of use of personal data?
Is any data processing carried out on your behalf (e.g. by a subcontractor)?    Yes    No
If yes, please identify:
    Is there a contract with confidentiality/information security/incident reporting provisions? (Please supply a copy if available.)
    Are they registered with the Information Commissioner?
    Have they completed the third party IG toolkit?

2.2 Use of existing personal data for new purposes
Does the project involve the use of existing personal data for new purposes?    Yes    No
If no, go to section 2.3.
If yes, how is the use of existing personal data for new purposes being communicated to:
    a) the data subject:
    b) the Data Protection Officer (responsible for Notification):

2.3 Disclosure of data
How are individuals / data subjects made aware of disclosures of their personal data?
    a)
    b)

PRINCIPLE 3: ADEQUACY AND RELEVANCY
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
For the Information Commissioner's general guidance in relation to this DPP, see Legal Guidance pp.

3.1 Adequacy and relevance of personal data
How is the adequacy of personal data for each purpose determined?
How is an assessment made as to the relevance (i.e. no more than the minimum required) of personal data for the purpose for which it is collected?
What procedures are in place for periodically checking that data collection procedures are adequate, relevant and not excessive in relation to the purpose for which data are being processed?

PRINCIPLE 4: ACCURATE AND UP TO DATE
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
For the Information Commissioner's general guidance in relation to this DPP, see Legal Guidance pp.

4.1 Accuracy of personal data
How often is personal data being checked for accuracy?
How is the accuracy of the personal data being checked with the Data Subject?

4.2 Keeping personal data up to date
How is personal data evaluated to establish the degree of damage to (a) the data subject or (b) the data controller that could be caused through being out of date?

PRINCIPLE 5: NO LONGER THAN NECESSARY
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
For the Information Commissioner's general guidance in relation to this DPP, see Legal Guidance p.

5.1 Retention policy
Is the project subject to any statutory / sectoral requirements on retention?    Yes    No
If yes, please state the relevant requirements.

5.2 Review and deletion of personal data
When data is no longer necessary for the purposes for which it was collected:
    a) How is a review made to determine whether the data should be deleted?
    b) How often is the review conducted?
    c) Who is responsible for determining the review?
    d) If the data is held on a computer, does the application include a facility to flag records for review / deletion? If yes, please explain.
Are there any exceptional circumstances for retaining certain data for longer than the normal period?    Yes    No
If yes, please provide justification.

PRINCIPLE 6: SUBJECTS' RIGHTS/SUBJECT ACCESS
Personal data shall be processed in accordance with the rights of data subjects under this Act.
For the Information Commissioner's general guidance in relation to this DPP, see Legal Guidance pp.

6.1 Subject access
How do you locate all personal data relevant to a request (including any appropriate accessible records)?

6.2 Withholding of personal data in response to a subject access request
Are there any circumstances where you would withhold personal data from a subject access request?    Yes    No
If yes, on what grounds? How are the grounds for doing so identified? Please provide justification.
If no, go to 6.3.

6.3 Processing that may cause damage or distress
Do you assess how to avoid causing unwarranted or substantial damage or unwarranted and substantial distress to an individual?    Yes    No
If yes, please specify proposed procedures. If no, please indicate why not.
Do you take into account the possibility that such damage or distress to the individual could leave your organisation vulnerable to a compensation claim in a civil court?    Yes    No
If yes, please explain.

6.4 Right to object
Is there a procedure for complying with an individual's request to prevent processing for the purposes of direct marketing?    Yes    No    N/A    Other
If yes, please explain.

6.5 Automated decision
Are any decisions affecting individuals made solely on processing by automatic means?    Yes    No
If yes, what will be the procedure(s) for notifying an individual that an automated decision making process has been used?

6.6 Rectification, blocking, erasure and destruction
What is the procedure for responding to a data subject's notice (in respect of accessible records) or a court order requiring:
    a) rectification;
    b) blocking;
    c) erasure; or
    d) destruction of personal data?

PRINCIPLE 7: SECURITY OF PERSONAL DATA
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
For the Information Commissioner's general guidance in relation to this DPP, see Legal Guidance pp.

7.1 Security Policy
Is the level of security appropriate for the type of personal data processed?    Yes    No
If yes, please explain.

7.2 Unauthorised or unlawful processing of data
Describe the security measures that are in place to prevent any unauthorised or unlawful processing of:
    a) Data held in an automated format (e.g. password controlled access to PCs)
    b) Data held in a manual record (e.g. locked filing cabinets)
Is there a higher degree of security to protect sensitive personal data from unauthorised or unlawful processing?    Yes    No
If yes, please describe the planned procedures. If no, please indicate why not.
Describe the procedures in place to detect breaches of security (remote, physical or logical*).
*logical (such as hacking etc.)

7.4 Destruction of personal data
Describe the procedures in place to ensure the destruction of personal data no longer necessary.

7.5 Contingency planning
Is there a contingency plan to manage the effect(s) of an unforeseen event?    Yes    No
If yes, please give details.
Describe the risk management procedures to recover data (both automated and manual) which may be damaged/lost through:
    a) human error
    b) computer virus
    c) network failure
    d) theft
    e) fire
    f) flood
    g) other disaster

7.6 Choosing a data processor
How do you ensure that the Data Processor complies with these measures?

PRINCIPLE 8: OVERSEAS TRANSFER (OUTSIDE OF THE EEA)
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
For the Information Commissioner's general guidance in relation to this DPP, see Legal Guidance pp.

8.1 Adequate levels of protection
Are you transferring personal data to a country or territory outside of the EEA (1)?    Yes    No
If no, go to Part III.
If yes, where?
What types of data are transferred? (e.g. contact details, employee records)
Are sensitive personal data transferred abroad?    Yes    No
If yes, please give details.
Are measures in place to ensure an adequate level of security when the data are transferred to another country or territory?    Yes    No
If yes, please describe. If no, please indicate why not.
Have you checked whether any non-EEA states to which data is to be transferred have been deemed as having adequate protection?    Yes    No
If yes, please give details. If no, please indicate why not.

(1) The European Economic Area (EEA) comprises the 27 EU member states plus Iceland, Liechtenstein and Norway.

III DPP COMPLIANCE - CONCLUSIONS
Please provide a summary of the conclusions that have been reached in relation to this project's overall compliance with the DPPs. This could include indicating whether some changes or refinements to the project might be warranted.
Action 1:
Proponent Name    Proponent signature    Date
IG Manager/DPO Name    IG Manager/DPO Signature    Date
Project Manager    PM Signature    Date


More information

INFORMATION GOVERNANCE

INFORMATION GOVERNANCE This document is uncontrolled once printed. Please refer to the Trusts Intranet site (Procedural Documents) for the most up to date version INFORMATION GOVERNANCE NGH-PO-233 Ratified By: Procedural Document

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Date of review: Information Governance Group January 2016. Policy Category: CONTENT SECTION DESCRIPTION PAGE

Date of review: Information Governance Group January 2016. Policy Category: CONTENT SECTION DESCRIPTION PAGE Title: Date Approved: January 2015 Division/Department: Corporate Services Corporate Records Policy Approved by: Date of review: Information Governance Group January 2016 Author (post-holder): Interim

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Information Governance Policy_v2.0_060913_LP Page 1 of 14 Information Reader Box Directorate Purpose Document Purpose Document Name Author Corporate Governance Guidance Policy

More information

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy NHS Waltham Forest Clinical Commissioning Group Governance Strategy Author: Zeb Alam, CCG IG Lead, (NELCSU) David Pearce, Head of Governance, WFCCG Version 3.0 Amendments to Version 2.1 Annual Review Reference

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY POLICY NO IM&T 011 DATE RATIFIED January 2012 NEXT REVIEW DATE January 2015 POLICY STATEMENT/KEY OBJECTIVE: To provide an overarching framework through which Information Governance

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT 9.7 Date of the meeting 15/07/2015 Author Sponsoring Clinician Purpose of Report Recommendation J Green - Head

More information

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY Moorland is committed to ensuring that, as far as it is reasonably practicable, the way we provide services to the public and the way we treat

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK)

INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK) Ref No: IN-101 INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK) AREA: POLICY SPONSOR: Trust Wide Director of Finance IMPLEMENTED: October 2009 REVISED: June 2011

More information

Information Governance Standards in Relation to Third Party Suppliers and Contractors

Information Governance Standards in Relation to Third Party Suppliers and Contractors Information Governance Standards in Relation to Third Party Suppliers and Contractors Document Summary Ensure staff members are aware of the standards that should be in place when considering engaging

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Information Governance Strategy

Information Governance Strategy Policy No: IG01 Version: 3.0 Name of Policy: Information Governance Strategy Effective From: 02/06/2015 Date Ratified 06/05/2015 Ratified Health Informatics Assurance Group (HIAG) Review Date 01/05/2017

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

Information Governance Policy

Information Governance Policy BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY

More information

Information Security Assurance Plan 2015/16

Information Security Assurance Plan 2015/16 Information Security Assurance Plan 2015/16 Policy number: N/A Version 2.0 Approved by Name of author/originator Owner (Exec Director) Date of approval August 2015 Date of last review July 2015 Next due

More information

Policy Checklist. Head of Information Governance

Policy Checklist. Head of Information Governance Policy Checklist Name of Policy: Information Governance Policy Purpose of Policy: To provide guidance to all staff on their responsibilities regarding information governance and to ensure that the Trust

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY Version 8.0 Purpose: For use by: This document is compliant with /supports compliance with: To outline the lifecycle of a record and to provide guidance on retention and disposal

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

How To Protect Your Personal Information At A College

How To Protect Your Personal Information At A College Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

Introduction to the NHS Information Governance Requirements

Introduction to the NHS Information Governance Requirements Introduction to the NHS Information Governance Requirements 2 Version April 2014 Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. The widely

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Safe Haven Policy. Equality & Diversity Statement:

Safe Haven Policy. Equality & Diversity Statement: Title: Safe Haven Policy Reference No: 010/IT Owner: Deputy Chief Officer Author Information Governance Lead First Issued On: November 2012 Latest Issue Date: March 2015 Operational Date: March 2015 Review

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

JOB DESCRIPTION. Information Governance Manager

JOB DESCRIPTION. Information Governance Manager JOB DESCRIPTION POST TITLE: Information Governance Manager DIRECTORATE: ACCOUNTABLE TO: BAND: LOCATION: CSS Head of Information Governance 8a CSS Job Purpose The Information Governance Manager will ensure

More information

Information Governance Framework

Information Governance Framework Information Governance Framework Authorship: Chris Wallace, Information Governance Manager Committee Approved: Integrated Audit and Governance Committee Approved date: 11th March 2014 Review Date: March

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

DATA PROTECTION AUDIT GUIDANCE

DATA PROTECTION AUDIT GUIDANCE DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

GSK Public policy positions

GSK Public policy positions Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures ` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

IP-PGN-14 Part of NTW(O)05 Incident Policy

IP-PGN-14 Part of NTW(O)05 Incident Policy Incident Policy Practice Guidance Note Information Governance Incident Reporting Management V01 Date Issued Planned Review PGN No: Issue 1 October 2014 October 2017 IP-PGN-14 Part of NTW(O)05 Incident

More information