INFORMATION GOVERNANCE STRATEGY Page 1 of 10
Strategy Owner: Valerie Penn, Head of Governance
Strategy Author: Caroline Law, Information Governance Project Manager
Directorate: Corporate Governance
Ratifying Committee: Information Governance Forum
Date of Approval: 19 September 2013
Date of Review: 19 September 2014

Document History

Version   | Date       | Name                        | Revision Description
1.0 Final | 11/2007    |                             | First issue 2007-2008
2.0 Final | 01/2009    | Gillian Pearce              | Annual strategy review for 2008-9. Issued in January
3.0 Final | 02/2011    | Sandre Jones / Valerie Penn | Annual strategy review for 2011-2012
3.1 Draft | 08/08/2013 | Caroline Law                | Annual Strategy Review for 2013/2014
3.2 Draft | 13/09/2013 | Caroline Law                | Updated following comments from Information Governance Forum members
3.3 Draft | 16/09/2013 | Julie Andrews               | Quality Assurance
4.0 Final | 16/09/2013 | Caroline Law                | Final version following minor amendments
Contents

Section No. | Section Name                                                              | Page No.
1.          | Purpose of Strategy                                                       | 4
2.          | Context and Approach                                                      | 4
3.          | Responsibility for Information Governance                                 | 5
4.          | Key Priorities for 2013-2014                                              | 5
4.1         | Policy Development                                                        | 5
4.2         | Organisational Processes                                                  | 6
4.3         | Openness                                                                  | 6
4.4         | Legal Compliance                                                          | 6
4.5         | Awareness, Education and Training                                         | 6
4.6         | Communication and Update                                                  | 7
5           | Strategy Implementation                                                   | 7
6           | Monitoring and Review                                                     | 7
7           | Related Policies, Procedures and Standards                                | 8
Appendix 1  | Information Governance Management Framework Management and Accountability | 9
Appendix 2  | Equality Impact Assessment Stage 1 Screening                              | 10
Appendix 3  | Privacy Impact Assessment Stage 1 Screening                               | 11
1. Purpose of Strategy

The Information Governance (IG) Management Framework is the structure that integrates the standards and best practice that apply to the safe and effective processing and protection of information. This Information Governance Strategy sets out in broad terms the approach and mechanisms the East and North Hertfordshire Clinical Commissioning Group (ENH CCG, or the CCG) will use to assure the delivery of a robust Information Governance Framework.

The CCG is committed to achieving a standard of excellence in Information Governance by ensuring that information is dealt with legally, securely, efficiently and effectively in the course of CCG business.

Information Governance covers Data Protection and IT Security (including smart cards), the Human Rights Act, the Caldicott Principles, the Common Law Duty of Confidentiality, Freedom of Information Regulations and Information Quality Assurance.

2. Context and Approach

2.1 The current position is that some policies, procedures, guidance and strategies relating to IG are inherited from the predecessor organisation. The CCG will systematically review, update and integrate all policies relating to Information Governance from the predecessor organisation, to develop the new overarching documents required to underpin the key elements of the Information Governance Management Framework: Confidentiality and Data Protection, Information Security and Clinical Information Assurance. Existing gaps in procedural documents will also be addressed.

2.2 The IG Strategy cannot be seen in isolation, as information plays a key part in corporate and clinical governance, risk management, performance and business management. This strategy is, therefore, closely linked with other CCG strategies to ensure integration with all aspects of the CCG's business activities.

2.3 There are three key components underpinning this strategy. These are:-
- The annual action plan arising from the baseline assessment against the standards and controls set out in the NHS Information Governance Toolkit (IGT)
- The Information Governance Management Framework, which outlines how the CCG is addressing the Information Governance agenda
- The IG Policy, which outlines the objectives for information governance

2.4 The over-riding critical success factor for effective IG will be to develop and maintain good information governance awareness and practice, achieved by an effective programme of IG awareness, training and monitoring.

2.5 This strategy is applicable to everyone working for the CCG, including permanent, temporary and contract staff.
3. Responsibility for Information Governance

3.1 Ultimate responsibility for IG lies with the CCG Governing Body. The Governing Body is responsible for ensuring that the CCG is able to sign off the statement of compliance with the National Information Governance Toolkit.

3.2 The Accountable Officer has overall accountability and responsibility for Information Governance.

3.3 The Senior Information Risk Owner (SIRO), who is also the IG Lead at Governing Body level, has responsibility for overseeing all aspects of Information Governance. Currently the SIRO is the Chief Finance Officer.

3.4 The Caldicott Guardian (the Guardian) is the senior person responsible for protecting the confidentiality of patient and service user information. The Caldicott Guardian, who is an Executive Governing Body member, is the Director of Nursing and Quality.

3.5 The Head of Governance is the named data controller on behalf of the CCG and, as specified in the relevant policies, has responsibility for monitoring, advising on, or processing the lawful and procedural requirements relating to applications for personal data under the Data Protection Act, applications for disclosure under the Freedom of Information Act, and Records Management.

3.6 Managers within the CCG are responsible for ensuring that the IG Strategy, policy and supporting processes are built into local procedures and that there is on-going compliance.

3.7 Managers must ensure that all staff, whether permanent, temporary or contracted, and all contractors are made aware of the IG requirements incumbent upon them and of their responsibility for complying with these on a day-to-day basis.

3.8 The CCG has established the IG Forum (the Forum), which is accountable to the Governing Body. The Forum has specific terms of reference, and its membership includes the SIRO (also the Chair), the Caldicott Guardian, the Head of Governance and representatives from across the Departments. The diagram in Appendix 1 depicts the Information Governance Management Framework management and accountability.

4. Key Priorities for 2013-2014

4.1 Policy Development

A clear policy framework is essential to the implementation of the Information Governance Strategy. The IG Framework includes the Information Governance Policy, Information Security Policies, Data Protection Policy, Information Lifecycle Policy and other relevant policies. The CCG will systematically review, update and integrate all policies relating to IG from predecessor organisations, to develop new overarching policies that will underpin the key strands of IG Management: Confidentiality and Data Protection, Information Security and Clinical Information Assurance.
4.2 Organisational Processes

It is vital that clear processes and procedures are designed to meet information governance requirements. The CCG will:-
- Review the processes and procedures in place to ensure they meet information governance requirements and, where applicable, produce additional assurance documentation
- Undertake or commission assessment and audit of its information and IT security arrangements in line with its assessment of risk
- Maintain incident reporting procedures, and monitor and investigate all reported instances of actual or potential breaches of confidentiality and security

4.3 Openness

Non-confidential information on the CCG and its services is made available to the public through a variety of media, in line with the openness and transparency programme. The CCG will review and develop policies and processes to ensure compliance with the Freedom of Information Act and the Environmental Regulation Act. These will be made available on the CCG's website Scheme of Publication, as required under the Acts. The CCG will provide clear procedures and processes for handling queries from the press and broadcasting media and from service users and the public.

4.4 Legal Compliance

The CCG will comply with relevant legislation, codes of practice and guidance, including the Data Protection Act 1998, the Freedom of Information Act 2000, the Computer Misuse Act 1990, the NHS Confidentiality Code of Practice, the NHS Records Management Code of Practice, subsequent guidance from the NHS and the Information Commissioner's Office, and any other relevant legislation, standards and guidelines. The CCG will systematically review and develop policies, procedures and processes to ensure compliance with relevant legislation.

4.5 Awareness, Education and Training

Training on Information Governance will form part of the annual training plan and be included in the induction programme for new staff. All staff are required to carry out the mandatory IG Training through the on-line NHS Information Governance Training Tool. Further training and development will be in accordance with the Education, Learning and Development Policy.

4.6 Communication and Updates

This strategy will be published on the intranet. Any changes or updates to, or introduction of, new Information Governance policies, processes or procedures will be communicated to ensure awareness of and compliance with those changes and understanding of individual responsibilities.

5. Strategy Implementation

5.1 Implementation of this strategy and its associated work programmes will be monitored by the Information Governance Forum.
5.2 The CCG will complete the IG Toolkit and ensure it attains the required level of assurance.

5.3 Information Governance policies, processes and procedures will be reviewed, approved where applicable, and communicated.

5.4 The Head of Governance will:-
- Agree an annual work programme to ensure year-on-year improvement in performance
- Ensure the development of the strategies, policies and procedures required for Information Governance
- Identify the resources required for implementation
- Monitor and report on progress made, incidents and issues to the IG Forum
- Complete the annual self-assessment toolkit

6. Monitoring and Review

6.1 The Information Governance Strategy shall be monitored by the Information Governance Forum, with progress reported to the Governing Body.

6.2 Audits will be undertaken or commissioned to ensure adequacy.

6.3 Incident reports and the results of risk assessments will be used for monitoring.

6.4 The Information Governance Strategy will be reviewed annually, or in response to any significant changes to mandatory requirements or guidance, or as a result of significant information governance breaches or incidents.

6.5 Each year a revised work programme will be developed against the IG Toolkit attainment levels and scores, thus identifying the key areas for a programme of continuous improvement.

7. Related Policies and Documents

Related policies include, but are not limited to:-
- Business Continuity Policy
- Confidentiality Code of Conduct
- Data Quality Policy
- E-mail and Internet Policy
- Emergency Planning Policy
- Freedom of Information Act Policy
- Incident Management Policy
- Information Governance Policy
- Information Lifecycle Policy
- Information Security Policy
- Research Governance Policy
- Risk Management Framework
- Serious Incidents Requiring Investigation (SIRI) Policy

Related documents:
- Caldicott Guardian Manual
- FOI Appeals and Complaints Procedure
- Information Governance Forum Terms of Reference
- Information Governance Management Framework
- Subject Access Request Procedure
Appendix 1 - Information Governance Management Framework Management and Accountability

(The original is a diagram; its roles and responsibilities are listed below in the order they appear.)

Chief Executive (Accountable Officer)
- Overall accountability and responsibility for Information Governance

Director of Nursing and Quality - Caldicott Guardian (Governance Board)
- Confidentiality & Data Protection Assurance Initiative
- Caldicott Function: 6 Caldicott Principles
- Information sharing protocols
- NHS Care Record Guarantee
- Confidentiality: NHS Code of Practice

Chief Finance Officer - Senior Information Risk Owner (Governance Board) and Information Governance Lead (Governance Board)
- Information Risk Management
- Annual Report: Statement of Control
- Management of Information Risk
- Registration Authority
- Requests for Information (FOI, SAR, EIR)
- Information Governance Management Framework

Information Asset Owners (IAOs)

ICT - IT Security
- Information Security Assurance Initiative
- Information Risk Management
- Information Security Management: NHS Code of Practice
- Registration Authority: (Integrated HR/ICT Process)

Head of Governance - Data Protection Lead
- Information Governance
- Information Governance Toolkit
- Confidentiality & Data Protection Assurance Initiative
- Information Governance Mandated Training
- Information Governance Awareness Raising
- Internal Communications
- Requests for Information (FOI, SAR, EIR)
- Annual report: Statement of Control
- Personal Data Related Incidents (loss & breaches)
- Records Management: NHS Codes of Practice
- NHS Information Governance: legal & professional obligations

Human Resource & Learning & Development
- Employment Practice Code
- Mandatory & Statutory Training
- Registration Authority: (Integrated HR/ICT Process)
Appendix 2 - Equality Impact Assessment Stage 1 Screening

1. Policy EIA Completion Details
Title: Information Governance Strategy
Proposed / Existing
Date of Completion: August 2013
Names & Titles of staff involved in completing the EIA: Valerie Penn - Head of Governance; Caroline Law - IG Project Manager
Review Date: March 2014

2. Details of the Policy
Who is likely to be affected by this policy? Staff / Patients / Public

3. Impact on Groups
(Probable impact on group? Positive / Adverse / None; High, Medium or Low; please explain your answers)
- Race, ethnicity, nationality, language etc.
- Gender (inc. transgender)
- Disability, inc. learning difficulties, physical disability, sensory impairment etc.
- Sexual Orientation
- Religion or belief
- Human Rights
- Age
- Other
No impact on any of the groups above. (Please explain and provide evidence)

4. Which equality legislative Act applies to the policy?
- Human Rights Act 1998
- Sex Discrimination Act
- Race Relations Act
- Disability Discrimination Act
- Gender Recognition Act 2004
- Mental Health Act 1983
- Equality Act 2006
- Mental Capacity Act 2005
- Age Equality Regulations 2006
- Equal Pay Act
- Sexual Orientation Regulations 2003
- Religion or Belief Regulations 2003
- Health & Safety Regulations
- Part time Employees Regulations
- Civil Partnership Act 2004

5. How could the identified adverse effects be minimised or eradicated? N/A

6. How is the effect of the policy on different Impact Groups going to be monitored? N/A
Appendix 3 - Privacy Impact Assessment Stage 1 Screening

1. Policy PIA Completion Details
Title: Information Governance Strategy
Proposed / Existing
Date of Completion: 15/08/2013
Names & Titles of staff involved in completing the PIA: Valerie Penn - Head of Governance; Caroline Law - IG Project Manager
Review Date: March 2014

2. Details of the Policy
Who is likely to be affected by this policy? Staff / Patients / Public

(Yes / No; please explain your answers)

Technology
- Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards)

Identity
- By adhering to the policy content, does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.)
- By adhering to the policy content, is there a risk of denying anonymity and de-identification, or of converting previously anonymous or de-identified data into identifiable formats?

Multiple Organisations
- Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)

Data
- By adhering to the policy, is there a likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)

If Yes to any of the above, have the risks been assessed, can they be evidenced, and has the policy content and its implications been understood and approved by the department?
Service Level Agreements with outside agencies are under strict controls. Risks are assessed prior to Service Level Agreements with outside or third party organisations.