Standard Operating Procedure for the Management of Information Governance Serious Incidents Requiring Investigation (IG SIRI)




DOCUMENT CONTROL:
Version: V1
Ratified by: Risk Management Sub Group
Date ratified: 25 September 2013
Name of originator/author: Sue Meakin, Information Governance Manager
Name of responsible committee/individual: Information Governance Steering Group
Date issued: 01 November 2013
Review date: September 2016
Target Audience: All Trust Staff

1. Aim

1.1 The purpose of this Standard Operating Procedure (SOP) is to set out a clear process within the Trust for management of the new requirement within the IG Toolkit for reporting Information Governance Serious Incidents Requiring Investigation (IG SIRI).
https://www.igt.hscic.gov.uk/whatsnewdocuments/ig%20toolkit%20v11%20change%20release%20note%20(20.08.13)QC.pdf

1.2 See Appendix 1 for IG Toolkit requirements.

2. Scope

2.1 This SOP applies to:-
o The Information Governance Team, who will be responsible for ensuring that all IG SIRIs are logged onto the Information Governance Toolkit Incident Reporting Tool.
o All staff that report incidents, who are required to contribute to the investigation, analysis and learning and improvement of IG SIRIs. This includes staff working directly in clinical services as well as those working in a range of corporate services.

3. Link to overarching policy and/or procedure

o Policy for the Management of Serious Incidents (SIs)
o Information Governance Strategy
o Information Governance Policy

4. Procedure

What is the IG Incident Reporting Tool?

The Information Governance Incident Reporting Tool is an online product hosted on the secure Information Governance Toolkit website. It is the Department of Health (DH) and Information Commissioner's Office agreed solution for reporting personal data security breaches. Organisations can only see incidents recorded against their organisation code. They cannot view other incidents until information is published on the Information Governance Toolkit website.

4.1 What is a SIRI?

The Health and Social Care Information Centre state that there is no simple definition of a serious incident. What may at first appear to be of minor importance may, on further investigation, be found to be serious and vice versa. As a guide:-
o Any incident which involves actual or potential failure to meet the requirements of the Data Protection Act 1998 and/or the Common Law of Confidentiality.
o This includes unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data, information security breaches and inappropriate invasion of people's privacy.
o Such personal data breaches which could lead to identity fraud or have other significant impact on individuals.
o Applies irrespective of the media involved and includes both electronic media and paper records.

4.2 How to access IG Incident Reporting Tool

The Information Governance Team will have access to the Information Governance Incident Reporting Tool via the secure website.

4.3 How to log an IG SIRI

The Information Governance Team will be notified of all incidents via the Ulysses Safeguard System and through reporting of Serious Incidents which are related to Information Governance. The Information Governance Team will undertake an assessment by using the Health and Social Care Information Centre checklist guidance. Incidents scored as a Level 2 or above will be treated as a Serious Incident and will follow the Trust's Policy for the Management of Serious Incidents. The Information Governance Team will contact the relevant service manager to undertake a root cause analysis report using the template within the Trust's Policy for the Management of Serious Incidents.

4.4 Monitoring Action Plans

Action plans will be monitored via the Serious Incident Reporting Policy. The Information Governance Steering Group will be provided with quarterly reports of all IG SIRIs.

4.5 Closed SIRIs

All information recorded under a Closed IG SIRI on the Information Governance Toolkit Incident Reporting Tool will be published quarterly by the Health and Social Care Information Centre. Other IG SIRIs marked as Open, Withdrawn or Duplicate will not be published by the HSCIC.

4.6 Lessons Learnt

All lessons learnt from SIRI will be discussed at the Trust's Organisational Learning Forum.

4.7 Flow Chart

Please refer to Appendix 2 for the flow chart which details the process to be followed within the Trust.

Appendix 1

INFORMATION GOVERNANCE TOOLKIT VERSION 11
302 - Information Security Assurance and Incident Management

Requirement Details: 11-302 Information Security Assurance

There are documented information security incident / event reporting and management procedures that are accessible to all staff.

Attainment Levels:

Level 0: Insufficient evidence to attain Level 1.

Level 1: There are documented and approved processes for reporting, investigating and managing information security incidents / events.
a) There are documented procedures for reporting, investigating and managing information security events, including confidentiality/data loss Serious Untoward Incidents (SUIs).
b) The procedures have been approved by the SIRO, and Board or delegated sub-group involving IAOs or equivalent personnel.

Level 2: The information security event reporting and management procedures have been communicated to staff/relevant third parties.
a) The procedures have been effectively communicated to staff and third parties working on behalf of or under contract to the organisation, including the importance of reporting information security events and near misses.
b) Contracts or agreements with service providers and business partner organisations have been reviewed to ensure these include clear reporting requirements, enforceable obligations, expectations and references to procedures for the reporting of and response to incidents.

Level 3: The SIRO and IAOs or equivalent monitor compliance with the procedures, taking corrective action if evidence of non-compliance is discovered. Incidents are analysed and, where necessary, systems and processes are refined to minimise the risk of recurrence.
a) The SIRO and IAOs (or equivalent) monitor compliance with the security event reporting procedures and instigate remedial action where procedures have not been followed.
b) Reported information security events are analysed and measures implemented to tackle common problems and root causes.
c) [Only required if Attainment Level 3 was achieved in the previous assessment] It is important that information security event reporting, control and investigation guidance / procedures, training and awareness measures are subject to regular review to ensure they remain effective.

Appendix 2

Flow chart for the management of Information Governance Serious Incidents Requiring Investigation:-

o Ulysses Safeguard System to include tick box to highlight if incident relates to Information Governance
o Staff report incident on to Ulysses Safeguard System
o Incident sent to Information Governance Team
o Serious Incident reported on STEIS which may contain Information Governance elements is sent to the Information Governance Team
o The Information Governance Team will make an assessment using the IG SIRI checklist
o Result of assessment re: potential IG SIRI: Level 0 or 1
o Result of assessment re: potential IG SIRI: Level 2 or above
o Manage in accordance with Trust policy for the investigation of incidents, complaints and claims, including analysis and improvement
o SIRO to inform Chief Executive and Board of Directors
o Information Governance Manager will e-mail SIRO, Head of Patient Safety & Experience / Deputy AHP Lead & Head of Corporate Governance to inform of suspected IG SIRI Level 2
o Incident to be logged onto STEIS
o Initial findings results in a downgrade of IG SIRI
o Information Governance Team updates the IG SIRI incident reporting tool
o Incident closed on IG Toolkit Website
o IG Manager will log incident on IG Toolkit website using the STEIS number
o Information Governance Team initiate incident response plan
o Root Cause Analysis Investigation undertaken in line with Trust's Policy for the Management of Serious Incidents (SIs)
o Quarterly reports provided to Information Governance Steering Group
o On completion of report, the incident is closed on IG Toolkit Website
o Lessons learnt discussed at the Organisational Learning Forum