Document No: IG10f
Version: 1.0
Name of Procedure: Information Governance Contracts Guidance
Author: Lauren Hamill, Information Governance Officer
Release Date:
Review Date:

Version Control
Version | Release Date | Author/Reviewer | Changes (please identify page no.)
1.0 | 2012 | L. Hamill | New document

This document supersedes all previous issues.
Contents
1. Introduction
2. Scope
3. Purpose
4. Definitions
5. Guidance
Appendix 1 Third Party Confidentiality Agreement
1. Introduction

Information is an important asset for the Trust in order to provide high quality services to patients and service users. In addition, the requirement to ensure the confidentiality and security of both staff and patient information under the Data Protection Act 1998 necessitates that Gateshead Health NHS Foundation Trust (GHNFT) secures personal data to a high level. Since April 2010 the Information Commissioner has had the power to fine organisations and/or individual members of staff up to £500,000 for serious data protection breaches that are deliberate, or are negligent because reasonable preventative steps were not taken. As the data controller, GHNFT would potentially be held responsible for loss of, damage to or inappropriate disclosure of personal information due to contractor error, and this must be taken into account when drawing up contracts.

The 2008 Data Handling Procedures in Government report outlined a number of new mandatory standards for data handling, in order to provide the minimum baseline for protection and handling of data. GHNFT must therefore make sure that it is meeting these standards by ensuring that information governance, and particularly the confidentiality of personal information, is adequately addressed in third party contracts.

There will be a number of third party contractors who will undoubtedly have access to personal information (patient and staff) or commercially sensitive information (e.g. finance information) held by GHNFT. For example, contractors:
- with access to systems, such as software maintenance providers;
- undertaking data processing; or
- providing records storage or similar services.

In addition to these more obvious types of third party contracts, some contractors will have occasional or inadvertent access to such information because they access GHNFT premises, e.g. where files are left on desks overnight.
Although the third party contractors in such circumstances have no direct connection to information management, all such contracts should also contain the necessary requirements dealing with confidentiality and information governance. Any contract where the third party contractor will or may have access to personal or commercially sensitive information must contain appropriate clauses to ensure that the contractor:
- is aware of their information governance obligations;
- understands that failure to deliver these obligations (e.g. data loss or inappropriate disclosure) will be at their risk; and
- is required to fully indemnify GHNFT for any such failures.
2. Scope

This guidance should be used by the Supplies Department in conjunction with the Projects Department, as well as the relevant Divisional or Service Managers and IAOs. All third party contracts for services are covered by this guidance, whether or not the contractor's staff work on GHNFT premises and regardless of the period of the contract. This guidance should be used for all applicable new third party contracts immediately, and consideration should be given to whether existing contracts meet the criteria set out herein, with a view to reviewing (and where possible renegotiating) those that do not.

3. Purpose

The purpose of this guidance is to:
- ensure that GHNFT consistently meets its Information Governance requirements in relation to third party contracts (both clinical and non-clinical);
- provide guidance to staff in the Supplies and Projects departments (as well as Managers and IAOs) who are involved in procuring and/or monitoring third party contracts; and
- ensure that third party contractors are aware of and fully understand their obligations in relation to Information Governance.

4. Definitions

Personal Information: Any factual information or expressions of opinion relating to an individual who can be identified directly from that information or in conjunction with any other information coming into the possession of the data holder.

Confidential Information: Any information or combination of information that contains details about an organisation or an individual person that was provided in confidence. This includes non-personal corporate or technical information that is commercially sensitive, drafts of documents that are not ready for publication, restricted information & documents, etc.

Contract: Any agreement between one or more of the PCOs for the provision of services by an external non-PCO organisation, company or individual, including Service Level Agreements (SLAs).
Third Party Contractor: Any external non-PCO organisation, company or individual providing services under contract to one or more of the three PCOs. This includes (but is not limited to):
- ICT support services, etc.
- Auditors, accountants, management consultants, etc.
- Health or social welfare providers.
- Painters & decorators, cleaning and security companies, etc.
- Confidential waste collection.
- Removal firms, secondary storage and scanning companies.
- Agencies supplying temporary staff.

Information Asset Owners (IAOs): A mandated role; the individual appointed is responsible for ensuring that specific information assets are handled and managed appropriately. This means making sure that information assets are properly protected and that their value to the organisation is fully exploited. IAOs are normally the Assistant Divisional Managers and report to the SIRO.

Information Asset Administrators (IAAs): Ensure that policies and procedures are followed, recognise actual or potential security incidents/threats, consult their IAO on incident management, and ensure that information asset registers are accurate and up to date. IAAs are normally System or Department/Ward Managers.

5. Guidance

5.1. Tenders/Pre-Contracting Stage

The likelihood of, and extent to which, a third party contractor has access to personal and/or confidential information will determine the Information Governance requirements to be set out in the contract. It therefore follows that this should be considered at the outset during any pre-contract tendering process. In particular, consideration should be given to:
- any potential threats to GHNFT's information, such as its networks, IT systems and physical records;
- whether access to personal and/or confidential information is part of the contracted services, or whether any such access would be incidental or accidental due to the third party's employees working on GHNFT sites; and
- whether the third party contractor is likely to sub-contract all or part of the service.

Information Governance requirements should be detailed in pre-contract tender documents where possible.
Information Governance is covered in the Pre-Qualification Questions at a high level, but further detail should be supplied in any detailed tender documentation. If it is not possible to include detailed requirements at the tender stage, full details must be provided to the third party contractor as early as possible at the contracting stage.

5.2. Types of Contracts & Contract Requirements

The vast majority of third party contracts for services will require basic Information Governance clauses detailing the secure handling and use of personal and/or confidential information. The only exception to this would be third party contracts for services where there is no access to such information and which do not require the third party contractor's staff to enter GHNFT premises. Examples of such services would be gardeners and external window cleaners.

Incidental Access Only

Where the third party contractor's staff will be working inside GHNFT premises there is the possibility for them to have incidental or accidental access to personal and/or confidential information, and the following must be included:
- Basic Information Governance clauses (such as those used in the standard NHS Terms and Conditions).
- Third Party Confidentiality Agreement (copy available at Appendix 1):
  o Temporary or contract staff (including self-employed individuals) with regular access to GHNFT premises should each individually sign the agreement.
  o Depending on the nature of the service, it may not be necessary for a contractor's staff to each individually sign the agreement, in which case the third party contractor may sign it on behalf of all their staff (e.g. cleaners, painters and decorators, etc.).
  o Signed copies should be held with the final contract.

Specific Access

Where the third party contractor is specifically required to access or use personal and/or confidential information in order to perform the service, more detailed Information Governance requirements may need to be included. Consideration should be given as to whether a Data Processing Agreement is required in addition to the standard contract. This will depend on a number of factors:
- the amount of personal and/or confidential information being disclosed to the third party contractor;
- the type of access that the third party contractor will have; and
- the length of time that the contract is due to run.

In addition, Caldicott Guardian sign-off should be considered where large amounts of personal data are being transferred to the third party contractor and/or remote access into GHNFT's systems is required by them.
Any transfers of personal data outside the UK must also have the prior approval of the Senior Information Risk Owner.

5.3. Incidents & Monitoring

Any breaches by the third party contractor, or near miss situations, should be reported to the Supplies department or the relevant IAO. The incident should then be logged using DATIX.
5.4. Due Diligence

In order to ensure that only appropriate Third Party Contractors are used and that the Trust's information is secure, their suitability should be assessed using the various assessments (as appropriate) contained within IG10 Information Governance Policy for New and Changed Systems, Processes & Services:
- General Information Governance Checklist (IG10a)
- IT Systems Information Governance Checklist (IG10b)
- Privacy Impact Assessment (IG10c)
- Third Party Due Diligence Assessment (IG10d)
- Remote Access Risk Assessment (IG10e)
Appendix 1 Third Party Confidentiality Agreement

(Embedded file: Third_Party_Confidentiality_agreement_v)