Information Governance Training Plan v13

Transcription

1 Information Governance Training Plan To meet requirements of IGT v13 Lincolnshire East Clinical Commissioning Group Page 1 of 17

2 Contents Introduction Page 3 Training Provision Page 4 Staff Induction Awareness Training Page 5 Accessing Training Needs Page 6 Monitoring Compliance Page 6 Reporting Page 7 Appendix 1 Training Needs Analysis (TNA) Page 8 Appendix 2 HSCIC Training Tool Guidance page 9 Appendix 3 Documented Action Plan for Raising Staff Awareness of IG Responsibilities page 10 Page 2 of 17

3 Introduction To ensure organisational compliance with the law and central guidelines relating to Information Governance (IG), staff must receive appropriate training. Therefore, annual IG training is mandatory for all staff, including new starters, locums, temporary staff, lay members, student and contract staff members. IG training needs should be routinely assessed, monitored and adequately provided for. IG knowledge and awareness should be at the core of the organisation s objectives, embedded amongst other governance initiatives and should offer a stable foundation for the workforce. Without this knowledge the ability of an organisation to meet legal and policy requirements will be severely impaired. In order to fully meet the IGToolkit standard an organisation should establish a clear plan for IG training appropriately tailored to specific staff groups or job roles. This plan should address how and when each work area and/or staff group will be trained, how training needs beyond the basic level will be assessed and should include induction processes for new staff. This training plan has been created by Greater East Midlands Commissioning Support Unit (GEM CSU) IG Service to support the Clinical Commissioning Group (CCG) in meeting the training requirement for the Information Governance Toolkit (IGT) Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained. In order to be compliant with Department of Health requirements, organisations are expected to ensure that 95% of their staff have received annual mandatory IG training appropriate to their role. This will allow them to reach a compliant level 2 achievement on the Information Governance Toolkit standard relating to staff training (13-134). Where identified with discussions with the CCG GEM CSU IG Service will seek improvements in this requirement from Level 2 to Level 3. Page 3 of 17

4 Training Provision The GEM CSU Human Resources team are rolling out the mandatory IG training modules through the Electronic Staff Record (ESR). All staff will need to undertake a minimum of one of the mandatory modules below annually: For staff that handle personal confidential data including staff information Introduction to Information Governance For staff that have already undertaken the one above (in the previous year) it is recommended that The Refresher Module is completed in years 2 & 3. Staff should register on the ESR system in order to access either of these modules. Instructions are available from the HR team, For those staff who do not have access to ESR such as contractors, agency staff, locums, students, volunteers, trainees, etc. they will need to complete their training via the HSCIC training tool (see appendix 2 - How can I access the HSCIC Training Tool?) It has also been determined by the Department of Health that where staff have already been trained using the NHS IG training Tool, they may in future be trained using approved training materials on a face-to-face basis. The GEM CSU IG team has a centrally approved training presentation and will support the CCG and deliver additional training sessions where online training is not the preferred option. This will provide an alternative method of training where members of staff have been identified as not possessing the required IT skills to complete the training on-line or where staff don t have regularly access to computers. The CCG has opted for the GEM CSU IG team to deliver face to face training sessions to support the CCG in meeting the required training compliance for the IGT. There may be occasions when ad hoc training will need to be delivered by GEM CSU IG Service to CCG staff based on an identified need for e.g. changes in working practices following an incident. Page 4 of 17

5 If staff experience continued problems completing the training modules through ESR, then the HSCIC training tool can be used to complete the mandatory training module to avoid non-compliance, and this approach will require a local decision from each respective CCG. Staff will need to use the HSCIC training tool (see appendix 2) to complete additional training modules as per the Training Needs Analysis (TNA), see appendix 1, as they are not available through ESR. All staff can register to use the HSCIC training tool to complete any IG related training modules that has been identified as appropriate to their staff role. Staff Induction Awareness Training Staff induction needs to address IG training needs as new members of staff may otherwise fail to be picked up by an organisation s rolling training plan. It is vitally important that all new staff (including locums, temporary staff, students, etc.) are made aware of the relevant requirements and in particular given clear guidelines about their own individual responsibilities for compliance. Particular emphasis should be placed on how IG requirements affect their day to day work practices. It is recommended that this guidance is given to new starters on their first day of employment to avoid the risk of information security breaches. Appendix 3 identifies all Information Governance related areas where staff awareness is required. CCGs should have a defined and documented induction policy or process that includes the requirement for staff to complete their IG training prior to use of any systems containing personal or sensitive information. Staff should be made aware of the CCGs Staff Code of Conduct either via a link or given their own copy, along with the links to the IG policies and the IG E-Learning tool through the Electronic Staff Record as part of the induction process. The Induction Process is currently being reviewed by GEMCSU. Page 5 of 17

6 Accessing Training Needs Staff inevitably have different levels of awareness of their responsibilities for safeguarding confidentiality, protecting data and preserving information security. In most cases the mandatory basic training through ESR or the HSCIC training tool will be sufficient to give staff the knowledge that they require. A training needs analysis (TNA) has been created (see appendix 1) that identifies those additional training modules that need to be completed by specific job roles. This information has been taken from the guidance within each requirement of the toolkit. The TNA identifies the training modules that are mandatory, recommended or optional for specific job roles to complete. Please note these training modules are only available through the HSCIC training tool. Please see appendix 2 for guidance on how to access the HSCIC Training Tool. A staff members line manager will undergo appraisals with the staff on an annual basis. At this point, an assessment of current levels of skills and competencies can be undertaken and any further training needs identified. Monitoring Compliance Regular staff updates and s will be circulated to ensure staff are aware of the requirement to undertake the training. If this is not completed by the determined date, line managers will be contacted to cascade the training requirement. The GEM CSU IG team holds a record of staff IG training compliance and reports compliance at the CCG IG working group meetings. It is important that study time is protected so that all staff is able to access or attend training. Page 6 of 17

7 Reporting In order to ensure correct reporting of uptake of the training, reports will be run through both systems (ESR & HSCIC), along with the attendance records of any face to face training delivered. The GEM CSU IG team will administer the HSCIC training tool for the CCG, this will enable GEM CSU IG team to report on training uptake and target staff to complete training where non-compliance is identified. Page 7 of 17

8 Appendix 1 - Training Needs Analysis Job Role Introduction to IG (Year 1) IG-Refresher Module (Years 2 & 3) The Caldicott Guardian in the NHS & Social Care NHS Information Risk Management for SIROs & IAOs NHS Information Risk Management - Introductory NHS Information Risk Management - Foundation Password Management Information Security Guidelines Patient Confidentiality IG Lead (CCG) Mandatory Mandatory Recommended Recommended Recommended Recommended Optional Recommended Optional Caldicott Guardian Mandatory Mandatory Mandatory Optional Optional Optional Optional Recommended Mandatory SIRO Mandatory Mandatory Recommended Mandatory Mandatory Mandatory Optional Mandatory Optional IAO & IAA Mandatory Mandatory Optional Mandatory Mandatory Mandatory Optional Mandatory Optional Records Manager Mandatory Mandatory Optional Optional Optional Optional Optional Recommended Optional Admin/Clerical/ Other Mandatory Mandatory Optional Optional Optional Optional Optional Recommended Optional Job Role Access to Health Records Records Management and the NHS Code of Practice Records Management in the NHS Secure Transfers of Personal Data Business Continuity Management NEW-Access to Information & Information Sharing in the NHS - NEW-Secure Handling of Confidential Information NEW- Information Security Management IG Lead (CCG) Optional Optional Optional Optional Recommended Recommended Optional Optional Caldicott Guardian Optional Optional Optional Optional Optional Mandatory Recommended Optional SIRO Optional Optional Optional Optional Recommended Recommended Recommended Mandatory IAO & IAA Optional Optional Optional Optional Optional Recommended Recommended Mandatory Records Manager Mandatory Mandatory Mandatory Optional Optional Optional Optional Optional Admin/Clerical/ Other Optional Optional Optional Optional Optional Optional Optional Optional Page 8 of 17

9 Appendix 2 How can I access the HSCIC Training Tool? 1.0 To access the Training Tool follow this link: To register as a new user: Select Register Now When the Organisation Search box appears type in your organisation code 03T From this point onwards, please follow the instructions on screen 3.0 To access training modules Log in using your username & password Select Learning Tools from the top menu Select the module you wish to complete, and then select Launch You can print your certificate when you have passed the module 4.0 I have already registered onto the site and forgotten my password. What should I do? Select reset my password from the homepage Page 9 of 17

10 DOCUMENTED ACTION PLAN FOR RAISING STAFF AWARENESS 1) The Health and Social Care Information Centre Information Governance Toolkit (IGT) requires organisations providing health and social care services to have a documented action to promote staff awareness of information governance standards, inform staff of their responsibilities and the consequences of misconduct and advise staff their compliance with IG requirements will be checked and monitored 2) Requirement states Clinical Commissioning Groups (CCGs) are required to have a documented action plan for raising awareness of and compliance with information governance standards and to inform staff of their responsibilities and the consequences of misconduct. Staff may be informed through team meetings, awareness sessions or staff briefing materials. In all cases, staff refers all staff (new and existing), including new starters, locum, temporary, student and contract staff members). 3) The IGT Requirements listed below, will be incorporated into the CCG s Information Governance Work plan for completing IG Toolkit Governance Return V12 and forms part of the CCG s IG Training Plan. 4) The relevant IG Toolkit Requirements which require the CCG to promote staff awareness are as follows:- IGT Req Level Key messages to be communicated to staff and made available throughout the organisations Examples of suitable evidence Delivery Method a IG Policies have been communicated to appropriate staff and made available throughout the organisation Selection of Policies Overarching Information Governance Policy; Confidentiality and Data Protection Policy; Information Security Policy; Corporate Governance Policy (incl. FOI); Information Lifecycle Management Policy (incl. Records management and Information Quality) Intranet/Internet Copies given to staff on induction Page 10 of 17

11 c/2a Guidelines and training materials for staff setting out the CCG's expectations for working practices and behaviours related to information governance (for new and existing staff) Staff Code of Conduct; Training materials; IG Handbook; Induction Programme for New Starters Intranet/Internet a/1b/1c/2c Information Governance Awareness and Mandatory Training for everyone! And additional training for staff in key roles TNA to cover mandatory IG Training/ additional training for key staff groups/ Induction Programme for New Starters/ Training materials/ documented training programme/training Records /Test of Comprehension /Reports evidencing numbers of staff trained ESR/ HSCIC e-learning Tool/ Face to Face b All staff assigned responsibility for co-ordinating and implementing the confidentiality and data protection work programme (Caldicott Function) have been appropriately trained to carry out their role TRAINING EVIDENCE as above b/2a There is staff guidance on keeping personal information secure, on respecting the confidentiality of service users and on the duty to share information for care purposes. Documented/ IG Handbook/ Leaflet /Staff Induction Materials/ Review of TNA Intranet/Internet Page 11 of 17

12 b/2a/2b There are guidelines for staff on when it is both lawful and appropriate to share confidential personal information and on respecting service user wishes and all staff members have been informed of the guidance and in particular of their own responsibility for compliance. as above as above a/2b All staff members are aware of their responsibility to support subject access requests and where in the organisation such requests are ultimately handled. Front-line staff to be provided with more detailed guidance about the procedure to follow. Documented procedure for processing SAR requests/ TNA/ training attendance lists/ staff briefing materials/ presentations Intranet/ Internet/ agendas/ notes/ minutes/ briefing materials a All staff members with the potential to access confidentiality personal information have been informed that monitoring and auditing of access is being carried out, of the need for compliance with confidentiality and security procedures and the sanctions for failure to comply. Documented confidentiality audit procedure Intranet/ Internet /team meetings, awareness sessions, staff briefing materials or staff may be provided with their own copy of the procedures a All staff members that are likely to introduce new information processes or information assets are effectively informed about the requirement to obtain approval from the IG forum (or equivalent) at the proposal stage of the new process or information asst. Privacy Impact Assessment procedure Intranet/ Internet /team meetings, awareness sessions, staff briefing materials Page 12 of 17

13 a/2a Employees are informed of the nature and source of any information stored about them, how it will be used, who it will be disclosed to; and their data protection rights regarding access and sharing of the personal information Documented Policy; Copy of Information Provided; The CCG's Website to provide information on how personal information about patients or other service users is stored, used and shared and informs individuals about their rights in relation to that information A copy of the relevant web pages b All staff assigned responsibility Information Security have been appropriately trained to carry out their role Information Governance Management Framework Policy Training attendance lists/ training materials/ existing qualifications/ training evaluation records Page 13 of 17

14 a The training needs of RA staff have been analysed and a training programme has been implemented to ensure that all staff assigned responsibility for managing and implementing the RA function have access to the latest software and RA Process Guidance and are appropriately trained to carry out their role RA Policy TNA/ training attendance certificates/ training materials/ existing qualifications/ training evaluation records a/2b Procedure advising Smartcard users of the Terms and Conditions they sign up to upon acceptance of a Smartcard. All NHS Smartcard users, including new, temporary and contract staff members are aware that compliance with the T&Cs of NHS Smartcard usage is monitored and of the procedures for breach and disciplinary measures RA Plan/Procedure setting out Terms and Conditions of Smartcard usage & documented audits showing processes for monitoring NHS Smartcard usage and compliance with T&Cs; audit report on the outcome of checking that all NHS Smartcard users have electronically signed their T&Cs; Intranet/ Internet/ Staff Handbook/ Staff briefing materials and induction materials Page 14 of 17

15 a The SIRO and all other staff assigned responsibility for coordinating and implementing information risk management have been appropriately trained to carry out their role TNA/ training attendance lists/ training materials/ existing qualifications or training evaluation records c All relevant staff are made aware of business continuity plans and any implications for their role - all staff are aware of their roles and responsibilities Business Continuity Plans for individual Information Assets Minutes/ team meeting notes, staff briefing materials or materials of awareness sessions b Approved procedure and controls are made available at appropriate points in the organisation and all relevant staff have been informed of their responsibilities to maintain network security. Network Security Policy Intranet/ Internet/ Staff Handbook/ Staff briefing materials and 'IT User' induction materials a/2b There are documented procedures for mobile working or teleworking that provide guidelines for staff on expected behaviours AUP for and internet use, data handling procedures, safe haven procedures, training materials or other staff guidance Intranet/ Internet Page 15 of 17

16 b Staff members have been informed of the incident reporting procedures and in particular of their own responsibilities for reporting incidents and nearmisses Documented incident management and report procedures and a template incident reporting form for staff Minutes/Notes of team meetings/ briefing materials used in awareness sessions c Relevant staff members have been effectively informed of the secure transfer and receipt requirement for personal and sensitive information AUP for and internet use, data handling procedures, safe haven procedures, training materials or other staff guidance (AUP - Documented Policy for approvals and authorisation for mobile and teleworking) Intranet/ Internet b All staff assigned responsibility for Information Quality and Records Management Assurance have been appropriately trained to carry out their role Information Governance Management Framework Training attendance lists, training materials, qualification certificates, or training evaluation records Page 16 of 17

17 c The project plan to support the consistent and comprehensive use of NHS number has been publicised and staff are aware that changes will be introduced to ensure the NHS Number is used as the key identifier in-line with the Safe Practice Notice Comms Plan/ Data Quality Policy advocating the NHS Number Programme Intranet/ Internet Page 17 of 17