INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY


Appendix 1

INFORMATION GOVERNANCE
INFORMATION GOVERNANCE POLICY

Author: Information Governance
Review Group: Information Governance Committee
Review Date: May 2014
Last Update: February 2013
Document No.: GV / 02
Issue No.: Version 3

UNCONTROLLED WHEN PRINTED

Signed:

Revision History:

Status | Action | Name | Date Completed
Version 1 | Created | Peter McKenzie | August 2007
Version 2 | Endorsed by | Information Governance Group | March 2009
Version 2.1 | Endorsed by | Information Governance Group | May 2009
Version 2.2 | Endorsed by | Information Governance Group | August 2011
Version 3 | Endorsed by | Information Governance Group | February 2013

Version 3 Summary of Changes from Version 2.2

- Addition of Section CEL NHS Scotland Information Assurance Strategy to reflect the requirements of the CEL and describe how NHS Tayside will meet those requirements.
- Alteration of Section 2.1 (and throughout) to reflect changes in the Standing Committee responsible for Information Governance from the Improvement and Quality Committee to the Finance and Resource Committee.
- Alteration of Section 3.2 Compliance and Accountability and Appendix 4 to reflect the current status of the IG Toolkit pending the development of a replacement.
- Addition to Appendix 1 of Finance and Resource Committee Information Governance responsibilities.

Section

1. Policy Definition
   Purpose
   Scope
   Regulatory and NHS Requirements
   CEL NHS Scotland Information Assurance Strategy
2. Policy Details
   Introduction
   Principles
3. Information Governance Arrangements
   Statement of Principles
   Management Arrangements
   Roles and Responsibilities
   Policy, Planning and Compliance
   Data Protection, Confidentiality and Information Security
   Health Information and Records Management
   Corporate Information and Records Management
   Groups
   Caldicott Guardian
   Director of Human Resources
   Associate Medical Directors, General Managers and Heads of Department
   Director of eHealth
   Information Governance Manager
   Estates and Facilities Directorate
   Risk Management
   Internal Auditor
   Third Party Contractors
   Compliance and Accountability
4. Openness
   Statement of Principles
5. Information Quality
   Statement of Principles
6. Information Security
   Statement of Principles

NHS Tayside Information Governance Policy February

7. Education
   Statement of Principles
Appendix 1 NHS Tayside Finance and Resources Committee (F&RC)
Appendix 2 Information Governance Infrastructure
Appendix 3 - Regulatory and NHS Requirements
Appendix 4 The Information Governance Toolkit
Appendix 5 Information Security
   Introduction
   Objectives, Aims And Scope
   Roles And Responsibilities
   Security Principles
   Network Connections
   Physical And Logical Security
   Approved Software
   Information Sharing
   Equipment
   Physical Access Controls
   Logical Security
Glossary
Policy/Strategy Approval Checklist
Rapid Impact Checklist

1. Policy Definition

1.1 Purpose

The purpose of this document is to set out NHS Tayside's Policy framework in relation to Information Governance (IG).

1.2 Scope

Information Governance has four fundamental aims:

- To support the provision of high quality care by promoting the effective and appropriate use of information.
- To encourage responsible staff to work closely together, preventing duplication of effort and enabling more efficient use of resources.
- To develop support arrangements and provide staff with appropriate tools and support to enable them to discharge their responsibilities to consistently high standards.
- To enable organisations to understand their own performance and manage improvement in a systematic and effective way.

IG covers the following topics:

- IG Policy and Planning
- Data Protection
- Confidentiality
- Caldicott - Clinical Information
- FOISA
- Information Management
- Information Security
- Health Records
- Administrative Records
- Information Quality Assurance.

1.3 Regulatory and NHS Requirements

NHS Tayside is obliged to abide by all relevant Scottish, UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and contractors of NHS Tayside, who will be held personally accountable for any breaches of information security for which they are held responsible:

NHS Tayside regards all identifiable personal information relating to patients as sensitive and confidential and NHS Tayside will establish and maintain policies to ensure compliance with common law confidentiality.

Personal information relating to staff is confidential, except where national policy on accountability and openness requires otherwise.

NHS Tayside has established policies to maintain controlled and appropriate sharing of patient information with other agencies and will continue to monitor and establish new agreements when necessary. These agreements take into account relevant legislation and regulation as documented in Appendix

CEL NHS Scotland Information Assurance Strategy

The Information Assurance (IA) Strategy is not a replacement for an Information Governance (IG) strategy (or new branding for Information Governance). NHS Board Chief Executives, however, identified that there was a particular need to improve the availability, integrity and security of information. The IA Strategy emphasises the need for NHS Boards to focus on using the information they hold wisely and well, as well as responsibly and with care. NHS Boards will outline their contribution to achieving these outcomes in local Information Governance strategies and eHealth plans.

Information Governance

Information Governance (IG) is a term used throughout the NHS to describe the entire framework of policies, procedures for decision-making, and guidance that relate to the capture, use, re-use, access, sharing and management of all data and information throughout its lifecycle. This framework takes into account the complex mesh of legislation (such as the Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002) as well as issues such as confidentiality, quality, and staff training.

Information Assurance

Information Assurance (IA) is a closely associated but narrower term that describes the set of activities designed to ensure that the availability, integrity and security of data and information is maintained at the agreed level. Given the fast changing ICT environment it has become clear that relying on traditional audit methods (reactive rather than proactive) is no longer adequate.

There is a close interdependency between information assurance objectives and all the other components of IG.

1.5 Comments

Any comments on this document should, in the first instance, be addressed to the Information Governance Manager.

2. Policy Details

2.1 Introduction

Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources throughout NHS Tayside. It plays a key part in clinical governance, service planning and performance management. It is, therefore, of paramount importance that information is efficiently managed, and that appropriate policies, procedures and management accountability provide a robust governance framework for information management.

The Finance & Resources Committee (F&RC) oversees compliance with IG and IA standards and monitors the organisation's improvement plans to achieve compliance. The Committee and Groups' remits can be found in Appendix 1. The management framework for carrying out IG and IA Improvement and Action Plans is in Appendix 2. A number of policies will be approved by F&RC but those with a clinical perspective will be approved by I&G.

2.2 Principles

There has to be balance between openness and confidentiality in the management and use of information and NHS Tayside recognises the principles of corporate governance and public accountability. Confidentiality, security and data quality each play an important role in the safeguarding of information within NHS Tayside. This includes patient and staff information as well as commercially sensitive information.

NHS Tayside has agreements to share patient information with other healthcare organisations and other agencies in a controlled manner, which ensure the protection of patients' and public interests.

It is essential that accurate, timely and relevant information is recorded. This is essential to deliver the highest quality health care. As such it is the responsibility of all staff to promote data quality and confidentiality.

There are 4 key areas which this policy brings together:

- Openness
- Information Quality
- Information Security
- Legal Compliance

The IA Strategy further specifies the 4 key areas to delivering successful information assurance:

- Leadership and Governance
- Information Risk Management
- Policy and Operations
- Monitoring and Compliance

3. Information Governance Arrangements

The F&RC is responsible for overseeing IG and IA issues and supports links and reporting with existing groups with responsibilities in these areas.

3.1 Statement of Principles

This policy cannot be seen in isolation; it links into all aspects of the organisation. The implementation of this policy will reduce the level of current risk associated with IG and IA issues. Progress on IG and IA issues will be reported to the F&RC as agreed.

There is corporate, clinical and delivery representation on the F&RC to ensure that IG and IA are embedded within the organisational structure. The Director of Finance is the Executive Lead with responsibility for Information Governance and Information Assurance.

Members of the F&RC include:

- 10 Non-Executive Members
- Chairperson NHS Tayside

Regular attendees of the F&RC include:

- Chief Executive
- Director of Finance
- Director of Finance Operational Unit
- Director of Human Resources
- 2 Assistant Directors of Finance
- Representative Area Partnership Forum
- Representative Communications Department
- Representative from Area Clinical Forum
- Employee Director
- Chief Operational Officer

Fundamental to the success of delivering IG and IA compliance is developing an IG and IA culture within NHS Tayside. Awareness and training for all NHS Tayside staff utilising information in their day to day work is essential to promote this culture. The methods currently used to facilitate this are detailed in section 7.

Any associated resource implications incurred by the implementation of the IG and IA policy and action plan will be identified by the identified groups with IG and IA responsibilities. Business cases will need to be developed and submitted for approval by the relevant committees.

3.2 Management Arrangements

Roles and Responsibilities

Information Governance Infrastructure, Areas of Responsibilities, Committees and Groups are described in Appendix 2. Specific lead roles are as follows:

Policy, Planning and Compliance

Initiative/Work Area | Executive Lead | Responsible Officer(s) | Co-ordinator
IG and IA Policy and Planning | Director of Finance | eHealth Programme Manager | eHealth Programme Manager
IG Toolkit | Director of Finance | eHealth Programme Manager, Information Governance Manager | eHealth Programme Manager, Information Governance Manager

Data Protection, Confidentiality and Information Security

Codes of practice on confidentiality of personal health information state that the senior designated Doctor (Medical Director)/Public Health Director within NHS Tayside have clear responsibility for the confidentiality, security and access to personal health information held by NHS Tayside.

Initiative/Work Area | Executive Lead | Responsible Officer(s) | Co-ordinator
Data Protection | Director of Finance | Associate Medical Directors, Director of Finance, General Managers, Heads of Department | Information Governance Manager
Confidentiality - Clinical | Medical Director/Director of Public Health | Associate Medical Directors | Information Governance Manager
Confidentiality - Non-Clinical | Director of Human Resources | Human Resources Officers, General Managers, Heads of Department | Information Governance Manager
Caldicott | Medical Director/Director of Public Health | Information Governance Manager | Information Governance Manager
Information Technology Security | Director of Finance | Associate Medical Directors, General Managers, Heads of Department | Information Governance Manager, Technical Services Manager

Health Information and Records Management

The Chief Executive has overall responsibility for ensuring that records are managed responsibly within NHS Tayside. The Medical Director is responsible for maintaining all aspects of healthcare records management.

Heads of corporate and clinical directorates are responsible for ensuring that the policy is implemented within their individual directorates. They will nominate directorate representatives, who will liaise with the NHS Tayside Board Secretary on the management of records within their respective directorates, departments and Community Health Partnerships.

Records management responsibilities will be written into all accountable individuals' job descriptions and clear procedures for retention of key records will be issued. It is the responsibility of all staff to ensure that they keep appropriate records of their work in NHS Tayside and manage those records in keeping with this policy and with any guidance subsequently produced by NHS Tayside.

Initiative/Work Area | Executive Lead | Responsible Officer(s) | Co-ordinator
Health Records - Electronic | Medical Director | eHealth Programme Manager, Access Service Manager, Medical Records | eHealth Programme Manager, Access Service Manager, Medical Records
Health Records - Paper-based | Medical Director | Associate Medical Directors, General Managers, Heads of Department, Health Records Managers | eHealth Programme Manager, Access Service Manager, Medical Records
Information Quality Assurance - Clinical | Medical Director | Associate Medical Directors, General Managers, Heads of Department | eHealth Programme Manager
Information Management - Clinical | Medical Director | Associate Medical Directors, Heads of Department | eHealth Programme Manager

Corporate Information and Records Management

The Chief Executive has overall responsibility for ensuring that records are managed responsibly within NHS Tayside. The NHS Tayside Board Secretary is responsible for co-ordinating corporate records management within the organisation and identifying key corporate records and providing guidance and advice on their management and retention.

Heads of corporate and clinical directorates are responsible for ensuring that the policy is implemented within their individual directorates. They will nominate directorate representatives, who will liaise with the NHS Tayside Board Secretary on the management of records within their respective directorates, departments and Community Health Partnerships.

Records management responsibilities will be written into all accountable individuals' job descriptions and clear procedures for retention of key records will be issued. It is the responsibility of all staff to ensure that they keep appropriate records of their work in NHS Tayside and manage those records in keeping with this policy and with any guidance subsequently produced by NHS Tayside.

Initiative/Work Area | Executive Lead | Responsible Officer(s) | Co-ordinator
Administrative Records | Board Secretary | Associate Medical Directors, General Managers, Heads of Department | Information Governance Manager
Information Quality Assurance - Non-Clinical | Director of Finance | Associate Medical Directors, General Managers, Heads of Department | eHealth Programme Manager, Information Governance Manager
Information Management - Non-Clinical | Director of Finance | Associate Medical Directors, General Managers, Heads of Department | eHealth Programme Manager, Information Governance Manager

Groups

The Information Governance Committee remit can be found in Appendix 1.

The eHealth Group have responsibility for ensuring that specifications for clinical systems conform to the purposes for which the systems are required as well as ensuring that in-house developers or suppliers meet the specification.

The Business IM&T Group have responsibility for ensuring that specifications for non-clinical systems conform to the purposes for which the systems are required as well as ensuring that in-house developers or suppliers meet the specification.

Caldicott Guardian

The Caldicott Guardian oversees all access to patient identifiable information. The role is a key component to establish the highest practical standards for handling patient information in NHS Tayside. There are six key principles, as follows:

- justify the purpose.
- use patient identity only where absolutely necessary.
- use the minimum patient-identifiable information.
- access to patient-identifiable information should be on a strict need to know basis.
- everyone should be aware of his or her responsibilities.
- every use must be lawful.

A full and detailed statement of Caldicott arrangements can be accessed via the NHS Tayside Staffnet.

Director of Human Resources

The Director of Human Resources shall ensure that all contracts of employment and all contracts of agency staff include a non-disclosure clause. Information Governance responsibilities shall be identified and written into job specifications and terms of reference including sensitive positions. (Defined as those positions which involve ongoing legitimate access to information, tools and functions which could cause significant harm to patients, or significant loss, damage or harm to NHS Tayside's reputation if abused).

Associate Medical Directors, General Managers and Heads of Department

All managers are required to foster information security and confidentiality awareness in staff and work with others to implement adequate measures to support that. They must strive to adopt fully the values of this and related policies and legislation. Managers must make themselves aware of the business requirements for secure systems access in order to implement and maintain an effective level of control over access to information services, data and information.

Prior to an employee leaving, or to a change of duties, managers must ensure that:

- the employee is informed that they continue to be bound by their signed confidentiality agreement.
- passwords are removed or changed to deny access.
- relevant departments are informed and the name is removed from authority and access lists.
- department property is returned e.g. personal identification devices, cards, passes, manuals and documents.

Director of eHealth

Responsible for:

- ensuring that all information systems in use within NHS Tayside are appropriately assessed for security and protected in accordance with NHS Tayside and national policy.
- appointing an Information Governance Manager to carry responsibility for implementing and monitoring the observance of NHS Tayside and national policy and carry out the day-to-day tasks of promoting and monitoring Information Governance and Information Assurance.
- ensuring that the appropriate NHS Standards are implemented effectively within NHS Tayside.
- reporting, at least annually, to the Improvement and Quality Committee on the state of Information Governance in NHS Tayside as part of Information Governance Standards and Information Assurance requirements.

Information Governance Manager

The Information Governance Manager shall, under the direction of the eHealth Programme Manager, be responsible for the development, maintenance and user compliance with the terms of NHS Tayside and national policy. In particular:

- implementing and maintaining a compliance programme for evaluating the effectiveness of the IG and IA programme.
- ensuring that employees within NHS Tayside are made aware of their IG and IA responsibilities.
- ensuring that appropriate security standards and procedures are in place to support the observance of NHS Tayside and national policy.
- monitoring observance of NHS Tayside and national policy and their standards and procedures.
- setting up a procedure for reporting Information Security incidents.
- investigating Information Security incidents and initiating appropriate action.

- ensuring that there is a means of carrying out system risk assessment and management.
- ensuring that appropriate procedures are in place to support compliance with the Data Protection Act 1998 (DPA 98).
- monitoring observance and reporting on compliance with DPA 98 requirements.
- ensuring that appropriate procedures are in place to support compliance with the Freedom of Information (Scotland) Act 2002 (FOISA).
- monitoring observance and reporting on compliance with FOISA requirements.

Estates and Facilities Directorate

The Estates and Facilities Directorate has responsibility for ensuring that controls are in place to preserve the security of the equipment and environment in which computer systems operate within buildings for which they are responsible. This includes:

- fire safety and water damage protection, lightning protection and disaster procedures.
- power supplies including uninterruptible power supplies where installed.
- physical access control.

Risk Management

Information Security risks will be properly identified, assessed, recorded and managed using NHS Tayside's Risk Management procedures. There will be a system security policy developed for all information systems; these policies will be devised by systems managers in conjunction with the Information Governance Team.

Internal Auditor

Working with relevant NHS Tayside staff, NHS Tayside's Internal Auditors will audit and comment on the existence and implementation of appropriate Information Governance policies and procedures and the extent to which they meet relevant guidelines and practices.

Third Party Contractors

The use of third party personnel shall be subject to contractual obligations and to NHS Tayside controls. Third parties will be required to produce evidence of their security controls so that NHS Tayside can assess compliance with the requirements of this policy.

Third party contractors will not be allowed access to information classified as sensitive without the explicit and signed agreement of the information owner through the Caldicott approval procedure. Such access will be dependent on the implementation of appropriate controls.

Compliance and Accountability

The monitoring of NHS Tayside's position in achieving compliance with the IG Standards and IA requirements will be undertaken by employing the IG Toolkit and reporting facilities available in it and those set out in the IA Strategy.

Improvement, Action and Implementation Plans will be devised using the information held in the IG Toolkit and in the IA Strategy. Plans will be submitted to the F&RC for approval. Six monthly Progress Reports will be made to the F&RC with Exception Reports being produced where significant impacts occur.

** The following references to the IG Toolkit are included pending the development of the IG Toolkit as set out in the IA Strategy. It is unclear how the information recorded in the IG Toolkit will now support the Clinical Governance and Risk Management part of the Health Efficiency, Access & Treatment (HEAT) targets.

NHS Tayside's Implementation Plan and Quarterly Assessment will be submitted to the Information Governance Team, NSS to the specified timetable (financial year quarters). The Information Governance Team, NSS will then produce a report on NHS Tayside's compliance to the IG Standards. This report will be agreed with NHS Tayside before being sent on to QIS. QIS will then use this information to inform their review of NHS Tayside's compliance to the CGRM. This information will be fed into the SE as the CGRM form part of the HEAT targets, which in turn are a major contributor to the NHS Boards annual Accountability Review.

4. Openness

NHS Tayside is obliged to comply with legal and NHS codes of openness, on the operating and performance of business. Access will be provided to enable NHS Tayside employees to make themselves aware of the guidelines and procedures that are in place to deal with requests by staff, patients and members of the public for information.

4.1 Statement of Principles

- Non-confidential information on NHS Tayside and its services should be available to the public through a variety of media, in line with legal requirements and NHS codes of openness. NHS Tayside also makes this information available through its compliance with the FOISA.
- Patients will have ready access to information relating to their own health care throughout their care and under DPA 98.
- Procedures and arrangements are in place for liaison with the press and broadcasting media.
- Procedures and arrangements are in place for handling requests and queries from patients and the public both under the DPA 98 and FOISA.

5. Information Quality

Information Quality is an important part of the Information Governance agenda in terms of data quality/integrity. Quality is generally defined as fit for purpose, and all staff need to ensure that data is relevant and accurate. Good data quality means that data is recorded in full, as accurately as possible and in a timely manner. Timely data entry will help avoid discrepancies and inaccuracies. Where it is not possible to record data in real time this data should be recorded as soon after the event as possible.

5.1 Statement of Principles

- NHS Tayside will establish and maintain policies and procedures for information quality assurance and the effective management of records.
- NHS Tayside will undertake or commission annual assessments and audits of its information quality and records management arrangements.
- Managers are expected to take ownership of, and seek to improve, the quality of information within their services.
- Wherever possible the person responsible for recording information should ensure the quality and accuracy of that information.
- Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
- NHS Tayside will promote information quality and effective records management through policies, procedures/user manuals and training.
- NHS Policies which are managed by IG will be approved by I&Q if they relate to clinical matters and F&RC for all others.

6. Information Security

Information security is the responsibility of all managers and staff who must ensure they follow approved guidelines and best practice. NHS Tayside's Information Security policies are set out in Appendix 5. NHS Tayside takes note of and will refer to BS ISO/IEC 17799:2005 and 27001:2005, the standard for Information Security that should be aspired to in line with SGHD plans.

6.1 Statement of Principles

- NHS Tayside will establish and maintain policies for the effective and secure management of its information assets and resources.
- NHS Tayside will undertake or commission annual assessments and audits of its information and IT security arrangements.
- NHS Tayside will promote effective confidentiality and security practice to its staff through policies, procedures and training.
- NHS Tayside will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

7. Education

NHS Tayside provides training and guidance on Information Governance issues. It is the responsibility of managers and staff to ensure that they have adequate knowledge and access to appropriate resources.

7.1 Statement of Principles

- NHS Tayside provides guidance on IG issues for all new staff undertaking NHS Tayside induction. This is accomplished via NHS Tayside employee induction processes.
- Important/new IG issues and information will be communicated.
- Information and documents relating to IG will be made available on NHS Tayside's Staffnet intranet and at presentations.
- To support the complexities of the organisation the use of computer and web-based training material and packages will be promoted.
- The recommendations of the Information Governance in NHSScotland: A Competency Framework will form the basis of NHS Tayside's approach to future IG training and education.

Appendix 1

8. NHS Tayside Finance and Resources Committee (F&RC)

Specific IG Responsibilities of the F&RC

To ensure that NHS Tayside has effective policies and management arrangements covering all aspects of Information Governance in accordance with the requirements of the Scottish Executive Health Department. The basis of the scope of these requirements is the NHS Quality and Improvement Scotland Clinical Governance and Risk Management Standards and the Information Governance Standards as laid out in the IG Toolkit and the requirements of CEL Information Assurance Strategy.

The F&RC will ensure that there are arrangements in place to:

- Ensure that NHS Tayside undertakes or commissions the necessary assessments and audits of its IG and IA policies and arrangements.
- Establish an annual IG and IA Improvement Plan, identify and seek to secure the necessary implementation resources, and monitor the implementation of that plan.
- Agree, implement and monitor a communications plan relating to IG and IA matters.
- Receive and consider reports into breaches of confidentiality and security and where appropriate undertake or recommend remedial action.
- Liaise with other NHS Tayside committees, working groups and programme boards in order to promote IG and IA issues.

NHS Tayside Information Governance Committee

The main remit of the Committee is as follows:

Strategic

- Deal with all matters relating to information governance within NHS Tayside covering clinical and business processes ensuring that adequate policies and procedures are in place to ensure the secure use of clinical and business information.
- Support the provision of high quality care by promoting the effective and appropriate use of information.
- Encourage staff throughout the Organisation to understand the importance of ensuring that clinical and business information is dealt with in a secure fashion in their daily working environment.
- Ensure guidelines and protocols are in place to ensure patient confidentiality in line with Data Protection and Caldicott requirements.
- Ensure that requirements of the National Information Assurance Strategy are met.

- Ensure guidelines and protocols are in place to ensure only authorised staff have access to the clinical and business information that they are entitled to.
- Ensure guidelines and protocols are in place for the storage, transport and use of clinical and business information across the organisation.
- Implement revised procedures for reporting of breaches of confidentiality and security and consider reports, recommending remedial action where appropriate.
- Liaise as appropriate with the undernoted groups: Executive Team Medical Directors Area IM&T Business Freedom of Information Disclosure Tayside Data Sharing Partnership LMC/GP Sub-Committee

Operational

- Develop support arrangements and appropriate tools to enable staff to discharge their duties in relation to information governance.
- Implement the NHS Tayside Information Governance Strategy through the Information Governance assurance improvement plan and report progress to the F&R Committee on a frequent basis and Scottish Government eHealth Department on a six monthly basis.
- Agree the clinical data which will be shared across the organisation.
- Manage procedures for reporting of breaches of confidentiality and security and consider reports, recommending remedial action where appropriate.
- Reporting above breaches to F&R Committee and nationally as appropriate.
- Ensure agreements are in place for sharing clinical & business information with other partner organisations such as Local Authorities and Universities.
- Produce an annual work plan covering the resource available.
- Agree audit rules for National Audit (Fair warning) system.
- Monitor the Implementation of the National Audit (Fair warning) system.

FREEDOM OF INFORMATION (SCOTLAND) ACT 2002 COMPLIANCE GROUP

Remit

Policy

- Monitor the formulation and dissemination of a non-clinical records management policy, strategy and supporting guidelines, taking into account the Information Governance Strategy and policies for Tayside.
- Advise on the policy in relation to the Freedom of Information (Scotland) Act 2002 (FOISA) and Environmental Information Scotland Regulations 2004 (EIRS).
- Promote the need to adhere to FOISA and EIRS throughout NHS Tayside by providing guidance and advice through the Board Secretary and Information Security Officer to staff.
- Ensure that the NHS Tayside Publication scheme under FOISA is maintained.
- Establish and maintain links with Information Commissioners Office and Scottish Executive to ensure knowledge of FOISA and EIRS is current.
- Ensure that adequate training and support resources are available for the introduction and maintenance of FOISA and EIRS.
- Consider matters of mutual interest between Primary Care Contractors, Local Authorities and Universities with regard to FOISA and EIRS.

Disclosure Compliance

- Monitor how NHS Tayside applies absolute or qualified exemptions in relation to whether information should be disclosed in line with the Act and EIRS.
- Ensure an NHS Tayside costing policy for the provision of information to the public is in place.

Non-Clinical Records Management and Compliance

- Liaise with the Information Delivery Group regarding the roll out of the electronic document store for NHS Tayside.
- Monitor and ensure compliance with the records management policy and strategy.
- Monitor and ensure compliance with Information Governance Strategy as it relates to FOISA.

9. Information Governance Infrastructure

Appendix 2

- Director Level IG Lead: Director of Finance, Tayside NHS Board
- IG Co-ordinator: Associate ehealth Director Programmes, Governance & Implementation
- Confidentiality and Caldicott: Medical Director, Associate Medical Directors, General Managers, Human Resources Officers, Department Heads.
- Health Records: Medical Director, Associate Medical Directors, Department Heads, Access Service Manager, Clinical Records Managers
- Data Protection: Director of Finance, Associate Medical Directors, General Managers, Human Resources Officers, Department Heads.
- Corporate Records: Board Secretary, Associate Medical Directors, General Managers, Department Heads
- Freedom of Information: Board Secretary, Associate Medical Directors, General Managers, Department Heads
- I.T. Security: Director of Finance, Associate Medical Directors, General Managers, Department Heads

Information Governance Infrastructure: Committees and Groups

- Tayside NHS Board
- Finance and Resources Committee
- Information Governance Committee: IG Policy and Guidance
- Delivery Unit ehealth Group: Electronic Clinical Records and Systems
- Area IM&T Business Group: Corporate Systems and Infrastructure
- Freedom of Information Compliance: Corporate Records and FOISA Procedures
- Tayside Data Sharing Partnership: Inter-Agency Data Sharing
- Health Records Committee: Clinical Records and Procedures

Appendix

Regulatory and NHS Requirements

NHS Tayside shall comply with the following legislation and other legislation as appropriate:

- Abortion Regulations 1991
- Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998)
- Audit & Internal Control Act 1987
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992)
- Crime & Disorder Act 1998
- Data Protection (Processing of Sensitive Personal Data) Order 2000
- Data Protection Act 1998
- Electronic Communications Act 2000
- Fraud Act
- Freedom of Information (Scotland) Act 2002
- Health and Safety at Work Act (1974)
- Human Fertilisation & Embryology Act 1990
- Human Rights Act 1998
- Lawful Business Practice Regulations
- National Health Service Act 1977
- NHS Sexually Transmitted disease regulations 2000
- Police & Criminal Evidence Act
- Prevention of Terrorism (Temporary Provisions) Act 1989 & Terrorism Act 2000
- Public Interest Disclosure Act 1998
- Regulation of Investigatory Powers (Scotland) Act 2000 (& Lawful Business Practice Regulations 2000)
- Responsibility of Directors Act
- Road Traffic Act 1988
- Regulations under Health & Safety at Work Act 1974

10. Regulatory and NHS Requirements (Cont'd)

NHS Tayside will abide by the following Guidance and Recommendations:

- Caldicott Principles Report, audit & improvement on the use of Patient Identifiable Data
- NHS Code of Practice on Protecting Patient Confidentiality
- NHS National Services Scotland Information Governance Standards
- NHS National Services Scotland Information Governance Toolkit
- NHS Quality Improvement Scotland Clinical Governance and Risk Management Standards
- NHS Scotland Information Security Policy
- Scottish Executive Health Department Corporate Governance: Statement of Internal Control May 2007
- CEL NHS Scotland Information Assurance Strategy

NHS Tayside supports compliance with the above by providing policy, advice and guidance on these relevant topics:

- NHS Tayside Information Governance Policy
- NHS Tayside Data Protection Policy
- NHS Tayside Records Management Policy
- NHS Tayside Records Retention Schedules
- NHS Tayside Portable Computer and Removable Media Policy
- NHS Tayside Usage Policy
- NHS Tayside Desktop Policy
- NHS Tayside Home Working Policy
- General Information Sharing Protocol
- Information Access Protocols
- Information Transfer Protocols
- Caldicott Approval Procedure

Appendix

The Information Governance Toolkit

** The following references to the IG Toolkit are included pending the development of the IG Toolkit as set out in the IA Strategy. It is unclear how the information recorded in the IG Toolkit will now support the Clinical Governance and Risk Management part of the Health Efficiency, Access & Treatment (HEAT) targets.

Submission of Supporting Information

Each NHS Board is required to submit a number of documents to supplement and support the information collected in the Toolkit. These are:

- Information Governance Policy
- Implementation Plan

In addition to this, NHS Boards are required to submit, on an annual basis, the following:

- Annual Report
- Annual Incident Report

User Roles

There are three different User roles, each with different levels of access to the Toolkit:

- Organisation Administrator - the Organisation Administrator is the Information Governance Manager. This role has two main responsibilities:
  o Act as main contact between the NHS Board and the Information Governance Team with regards to the IG Toolkit.
  o Set up the local structures for completion of the assessment. This includes setting up access for the other local users of the Toolkit and setting up Divisions (covered in greater detail in the next section).
- Returning Officer - the Returning Officer is the Information Governance Manager. This role has two main responsibilities:
  o Manage Returns - the Returning Officer is responsible for starting assessments, ensuring that the information recorded is an accurate reflection of the Board's compliance with the Standards, and for ensuring the timely submission of the assessment.
  o Where no Divisions have been set up the Returning Officer will also be responsible for completing the assessment.

User Roles (Cont'd)

- Delegate - For each Division that NHS Tayside sets up within the IG Toolkit a Delegate will be established. The Delegate is responsible for completing the assessment for their nominated Division.

Approval and Submission Procedure

Approval

- The IG Toolkit will be maintained to support the monitoring of NHS Tayside's compliance with the IG Standards in support of CGRM.
- The Implementation Plan will further identify what action is required to achieve an acceptable level of compliance; these actions will be prioritised by the relevant groups established within NHS Tayside Information Governance Infrastructure (IG Groups).
- The prioritised Implementation Plan will be reviewed annually (in line with QIS Review) by the co-ordinators identified in the IG Groups.
- The prioritised Implementation Plan will be presented by the ehealth Programme Manager to the F&RC for approval.
- Progress reports based on the Implementation Plan will be presented to the F&RC six monthly by the ehealth Programme Manager and Information Governance Manager.
- The six-monthly assessments will be approved by the IG Groups prior to submission to the Information Governance Team, NSS

Appendix

Information Security

12.1 Introduction

NHS Tayside (NHST) has become significantly dependent upon its Information and Communication Technology Systems and Services ("systems") for both its normal day to day patient care activities and management functions. It is essential, for the successful operation of NHST and the well being of patients and staff, that the availability, integrity and confidentiality of the systems, data and information are maintained at a level appropriate to NHST's needs and in line with current regulatory requirements.

It, therefore, follows that it is important that clear guidance is provided to all of NHST's staff and systems users that sets out the limits of operation and their individual and collective responsibilities for ensuring that the provisions of this policy are adhered to. This policy aims to serve that purpose and has been designed to ensure that best practice is adhered to, all relevant NHS standards are met and that NHST's legal obligations are not compromised.

NHST will review and update this policy from time to time and publication to NHST staff will be facilitated via NHST Staffnet. Amendments to this policy will be communicated to NHST users via the normal NHST communication channels.

12.2 Objectives, Aims and Scope

The objectives of NHS Tayside's Information Security Policy are to preserve:

- Confidentiality - Access to data and information shall be confined to those with appropriate authority.
- Integrity - Data and information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
- Availability - Data and information shall be available and delivered to the right person, at the time when it is needed.
- Accountability - Information that is delivered cannot be repudiated by the sender.
The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by NHS Tayside:

- Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.

12.2 Objectives, Aims and Scope (Cont'd)

- Describing the principles of security and explaining how they shall be implemented in the organisation.
- Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
- Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business.
- Protecting information assets under the control of the organisation.

This policy has been compiled in line with the instructions set out in NHS HDL (2006) 41 NHS Scotland Information Security Policy, the NHS Scotland Information Security Policy May 2005 and with reference to NHS Connecting for Health: Model Corporate Information Security Policy. This policy supports the principles and requirements set out in the NHS Tayside Information Governance Policy.

The policy applies to NHST information assets, whether spoken or written, data that is stored on servers or related components, printed matter or displayed data which is owned or under NHST management.

Specific policy objectives include:

- To provide a set of rules, measures and procedures aimed at ensuring confidentiality, integrity and availability throughout the NHST in line with NHST standards and obligations.
- To ensure that information is protected from unauthorised access, disclosure, modification or loss and that above all confidentiality of patient data is not compromised.
- To meet its legal and other requirements and to satisfy obligations to the NHS, patients and staff, NHST must use effective security measures to safeguard its information.
- In consultation implement such security measures as appropriate, updating whenever necessary.
- To set out the potential consequences of non-compliance with the provisions of this policy.
- To make direct reference to supporting Policy and Guidance documents.
This policy will be reviewed by the Information Governance Team prior to the date on the cover page of this document or as directed in light of significant change in legislation, organisation or requirements.

12.3 Roles and Responsibilities

Ultimate responsibility for the secure operation of all systems used in NHS Tayside rests with the Chief Executive. The responsibility is delegated to all staff involved in or using information and information systems. A full description of responsibilities is set out in the NHS Tayside Information Governance Policy.

Clinical Managers, Heads of Department and C.H.P. General Managers

Managers must ensure that their staff are provided with information systems training as appropriate.

Managers must ensure that, where the administration of departmental systems has been delegated to a member of their staff:

- the role and scope of the systems administrator is agreed with the relevant parties
- the appointee undergoes relevant training
- procedures and protocols that are in line with the requirements of this policy are developed, documented and implemented by the system administrator.

Systems Administrator

This role within each service area or department is responsible for:

- acting as liaison between their service area or department and the ICT department
- preparing a system security policy for systems within their remit.
- ensuring that all user responsibilities in respect of information security are understood and properly exercised.
- managing access to particular systems and information and maintaining records of authorised system users.
- administering user security procedures requiring central control including the administration of passwords.
- reviewing and monitoring day-to-day security control and incidents and identifying unauthorised and unusual use.
- advising system users on security procedures including briefing new staff.

Systems Administrator (Cont'd)

- maintaining records of security incidents and reporting them to the Administrator/Manager and the Information Security Officer.
- periodically reviewing error or incident logs and reporting frequent occurrences to the Information Security Officer.

The application of the above structure, at all levels, represents arrangements to accommodate substantial systems with wide-ranging coverage. However, the tasks and responsibilities still have to be taken on when operating smaller systems, procedures and processes. This may require some alteration to the structure to allow for practicalities.

Security Principles

All NHST security principles are in line with best practice and comply with current legislation and NHS Scotland obligations.

Access

- Access to NHST systems will be logged and monitored to help ensure use is in line with the requirements of this policy.
- Each member of NHST's staff and its authorised partners will be issued with a unique login identification and password.
- Any member of staff who requires legitimate access to specific NHST applications e.g. PMS, A&E, Theatres etc will be issued with appropriate and unique application login identification information for those applications and will be given sufficient access rights to undertake their job functions.
- The login authentication system will require users to change their passwords on a regular basis.
- Staff and other authorised users are prohibited from disclosing password information, whether it be accidentally or purposefully given to another user.
- In the event that access details are disclosed (either deliberately or accidentally) then the owner of that access information must immediately change their password details.
Note: Staff are reminded that, as well as being a serious breach of this policy, it may be a criminal offence under the Computer Misuse Act 1990 if you either take part in a malicious act or know of or suspect that a malicious act has taken place in NHST IT systems and services and do not report it.

Third party support staff will be required to sign confidentiality agreements and adhere to NHST policies.


More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from August 2009 Date last amended August 2009

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Information Governance Policy_v2.0_060913_LP Page 1 of 14 Information Reader Box Directorate Purpose Document Purpose Document Name Author Corporate Governance Guidance Policy

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Information governance policy

Information governance policy Information governance policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSAIGM002a S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review IG Policy\Current

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY Version 8.0 Purpose: For use by: This document is compliant with /supports compliance with: To outline the lifecycle of a record and to provide guidance on retention and disposal

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy ID IG02 Version: V1 Date ratified by Governing Body 27/09/13 Author South Commissioning Support Unit Date issued: 21/10/13 Last review date: N/A Next review date: September

More information

Information Governance Plan

Information Governance Plan Information Governance Plan 2013 2015 1. Overview 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources.

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25 Information Security Policy Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25 Document Information Trust Policy Number : ULH-IM&T-ISP01 Version : 3.1 Status : Approved Issued by : Information Governance

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

Internet Use Policy and Code of Conduct

Internet Use Policy and Code of Conduct Internet Use Policy and Code of Conduct UNIQUE REF NUMBER: AC/IG/023/V1.1 DOCUMENT STATUS: Agreed by Audit Committee 18 July 2013 DATE ISSUED: July 2013 DATE TO BE REVIEWED: July 2014 1 P age AMENDMENT

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

INFORMATION GOVERNANCE

INFORMATION GOVERNANCE This document is uncontrolled once printed. Please refer to the Trusts Intranet site (Procedural Documents) for the most up to date version INFORMATION GOVERNANCE NGH-PO-233 Ratified By: Procedural Document

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY POLICY NO IM&T 011 DATE RATIFIED January 2012 NEXT REVIEW DATE January 2015 POLICY STATEMENT/KEY OBJECTIVE: To provide an overarching framework through which Information Governance

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

Policy: D9 Data Quality Policy

Policy: D9 Data Quality Policy Policy: D9 Data Quality Policy Version: D9/02 Ratified by: Trust Management Team Date ratified: 16 th October 2013 Title of Author: Head of Knowledge Management Title of responsible Director Director of

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Information Governance Strategy 2015/16

Information Governance Strategy 2015/16 Information Governance Strategy 2015/16 Ratified Governing Body (November 2015) Status Final Issued November 2015 Approved By Executive Committee (August 2015) Consultation Equality Impact Assessment Internal

More information

Information Governance Policy

Information Governance Policy Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:

More information

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013 Information Governance Policy Version 1.0 June 2013 Copyright Notification Copyright London Borough of Islington 2012 This document is distributed under the Creative Commons Attribution 2.5 license. This

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

More information

Information Governance and Data Protection Policy

Information Governance and Data Protection Policy Information Governance and Data Protection Policy Page 1 of 21 Document Control Sheet Name of document: Version: Owner: File location / Filename: Information Governance and Data Protection Policy Final

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Information Security Incident Management Policy September 2013

Information Security Incident Management Policy September 2013 Information Security Incident Management Policy September 2013 Approving authority: University Executive Consultation via: Secretary's Board REALISM Project Board Approval date: September 2013 Effective

More information

CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY. December 2014

CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY. December 2014 CORPORATE POLICY & PROCEDURE NO. 7 INFORMATION GOVERNANCE POLICY December 2014 DOCUMENT INFORMATION Author: Barbara Sansom Information Governance Manager Equality Impact Assessment Consultation & Approval

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version: 3.2 Authorisation Committee: Date of Authorisation: May 2014 Ratification Committee Level 1 documents): Date of Ratification Level 1 documents): Signature of ratifying

More information

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Approved No impact NHS Quality, Safety

More information

Harper Adams University College. Information Security Policy

Harper Adams University College. Information Security Policy Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

More information

NHS Lanarkshire Information Governance Committee

NHS Lanarkshire Information Governance Committee INFORMATION GOVERNANCE COMMITTEE DRAFT TERMS OF REFERENCE Name Purpose NHS Lanarkshire Information Governance Committee To provide direction of and oversee the development of NHS Lanarkshire Information

More information

Corporate Policy and Strategy Committee

Corporate Policy and Strategy Committee Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes INFORMATION SECURITY POLICY Ratified by RCA Senate, February 2007 Contents Introduction 2 Policy Statement 3 Information Security at RCA 5 Annexes A. Applicable legislation and interpretation 8 B. Most

More information

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY Report to the Trust Board 22 September 2015 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations: Director

More information

Corporate Information Security Management Policy

Corporate Information Security Management Policy Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification

More information