INFORMATION RISK MANAGEMENT POLICY




DOCUMENT CONTROL
Version: 1
Ratified by: Information Governance Steering Group / Risk Management Sub Group
Date ratified: 21 November 2012
Name of originator/author: Information Governance Manager
Name of responsible committee/individual: Executive Director of Business Assurance
Date issued: 20 December 2012
Review date: November 2015
Target audience: It is the responsibility of all staff to adhere to the principles set out in this document.

CONTENTS
1. INTRODUCTION
2. PURPOSE
3. SCOPE
4. RESPONSIBILITIES, ACCOUNTABILITIES AND DUTIES
5. PROCEDURE/IMPLEMENTATION
   5.1 Framework
   5.2 Communication
6. TRAINING IMPLICATIONS
7. MONITORING ARRANGEMENTS
8. EQUALITY IMPACT ASSESSMENT SCREENING
   8.1 Privacy, Dignity and Respect
   8.2 Mental Capacity Act
9. LINKS TO ANY ASSOCIATED DOCUMENTS
10. REFERENCES
11. APPENDIX 1 - EXAMPLES OF INFORMATION ASSETS

1. INTRODUCTION

1.1 This policy outlines how Rotherham Doncaster and South Humber NHS Foundation Trust will implement the NHS Information Risk Management Guidelines. These guidelines are based on NHS guidance materials and are compliant with the NHS-adopted ISO/IEC 27001 and ISO/IEC 27002 information security management standards.

1.2 The Trust Board fully endorses the proposals to introduce and embed information risk management into the key controls and approval processes of all major processes and functions of the Trust.

1.3 The Trust Board confirms that information risk is inherent in all administrative and business activities and that everyone working for or on behalf of the Trust continuously manages information risk. The Board also recognises that the aim of information risk management is not to eliminate risk, but to provide the structural means to identify, prioritise and manage the risks involved in all Trust activities to an acceptable level. It requires a balance between the cost of managing and treating information risks and the anticipated benefits that will be derived.

1.4 The Trust Board acknowledges that information risk management is an essential element of broader information governance and an integral part of good management practice. The intent is to embed information risk management in a very practical way into business processes and functions. This will be achieved through key approval and review processes/controls, not by imposing risk management as an extra requirement.

2. PURPOSE

2.1 The purpose of this policy is to protect patient, staff and corporate information and to ensure that it is held securely and used appropriately.

2.2 The following are examples of information risk:
- Loss of data held on portable data storage devices (e.g. laptops, memory sticks and Dictaphones, both electronic and tape)
- Incorrect use of passwords
- Incorrect use of smartcards
- Inappropriate access to personal information
- Insecure transfer of personal information

2.3 The above list is not exhaustive or comprehensive; if further advice is required, please contact the Information Governance Department.

3. SCOPE

3.1 This policy covers information held and processed by Rotherham Doncaster and South Humber NHS Foundation Trust.

3.2 The information and guidelines within this policy are important and apply to:
- All full-time and part-time employees of the organisation, and to non-executive directors, contracted third parties (including agency staff), locums, students and trainees, secondees and other staff on temporary placements with the organisation, and staff of partner organisations with approved access;
- Other individuals and agencies who may gain access to data, such as volunteers, visiting professionals or researchers, and companies providing IT services to the organisation;
- All records in any format or medium: current, non-active or archived; clinical or non-clinical; held by, or under the control of, Rotherham Doncaster and South Humber NHS Foundation Trust.

4. RESPONSIBILITIES, ACCOUNTABILITIES AND DUTIES

4.1 The Chief Executive
The Accounting Officer (Chief Executive) has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risks.

4.2 The Senior Information Risk Owner (SIRO)
The Trust's Senior Information Risk Owner (SIRO) is an executive who is responsible for coordinating the development and maintenance of information risk management policies, procedures and standards for the Trust. The SIRO is responsible for the ongoing development and day-to-day management of the Trust's Risk Management programme for information privacy and security. The SIRO chairs the Information Governance Steering Group and is supported by the Caldicott Guardian, the Information Governance Manager, the Information Governance Officer and the Informatics Security Specialist.

4.3 Executive Directors and Strategic Business Unit Directors
Executive Directors are responsible for the implementation of the standards of compliance specified in this policy within their areas of responsibility.

4.4 Information Governance Steering Group
The Information Governance Steering Group is responsible for collating all identifiable information risks and maintaining the organisation's Information Risk Log. The Steering Group is responsible for communicating identified risks, their assessed impacts and suggested mitigation to the SIRO, the Risk Management Sub Group and the Performance and Assurance Group.

4.5 Organisational Learning Forum
The Organisational Learning Forum is responsible for developing and managing a structured approach to active organisational learning, where lessons learned are embedded in the Trust's culture and practice. The Organisational Learning Forum includes membership from Information Governance and Records Management.

4.6 The Caldicott Guardian
The Trust's Medical Director is the Caldicott Guardian, who plays a key role in ensuring that NHS and partner organisations satisfy the highest practical standards for handling patient information. Acting as the conscience of the organisation, the Guardian should also actively support work to facilitate and enable information sharing, advising on options for lawful and ethical processing of information as required. However, this post is advisory in nature rather than accountable, as the SIRO is.

4.7 Informatics Security Specialist
The Informatics Security Specialist shall work with the Information Asset Owners (IAOs) and Information Asset Administrators (IAAs) in order to achieve compliance with this policy, and shall report to the Information Governance Steering Group and the SIRO as required.

4.8 Records Manager
The Records Manager is responsible for records management within the Trust and plays a key role in providing advice and guidance on handling information and the associated risks.

4.9 Information Asset Owners
Trust Information Asset Owners (IAOs) are senior individuals who shall ensure that all key information assets are identified and recorded on the Information Asset Register, and that information risk assessments are performed regularly on all information assets for which they have been assigned ownership, following guidance from the SIRO and the Information Governance Manager on assessment method, format, content and frequency. Risk assessments will include data flow analysis, i.e. studying the flow of data to identify risks. IAOs shall submit the risk assessment results and associated mitigation plans to the SIRO for review, along with details of any assumptions or external dependencies. Mitigation plans shall include specific actions with expected completion dates, as well as an account of residual risks. IAOs will ensure that System Specific Security Policies are written and maintained for critical systems. IAOs may delegate responsibility for one or more information assets to Information Asset Administrators (IAAs), who will support the IAO in the activities set out in this document.

4.10 Information Asset Administrators
Information Asset Administrators (IAAs) are operational staff with day-to-day responsibility for managing risks to their information asset, and shall work with the IAO and the Informatics Security Specialist to manage information risk to that asset.

4.11 Managers
The Trust will ensure that Managers are responsible for making sure that:
- Staff are aware of their roles and responsibilities in relation to managing information risk
- Staff carry out their roles in accordance with this policy
- They identify the level of training required for each member of staff
- Staff have time to carry out the appropriate level of training and have access to appropriate supervision and support

4.12 All Staff
It is the responsibility of all staff to abide by the conditions detailed within this policy. Any staff member found to have breached this policy could face disciplinary action that may lead to dismissal.

5. PROCEDURE/IMPLEMENTATION

5.1 Framework
The information risk management framework comprises the following groups and roles, from the Trust Board downwards:
- Rotherham Doncaster and South Humber NHS Foundation Trust Board (Chief Executive / Accounting Officer)
- Performance & Assurance Group (chaired by the Chief Executive; the SIRO is a member of the group)
- Risk Management Sub Group (chaired by the SIRO)
- Business Intelligence Group (BIG) (the SIRO is a member of BIG)
- Information Governance (IG) Steering Group (chaired by the SIRO), whose members include the Information Governance Manager, the Caldicott Guardian and the Informatics Security Specialist
- Information Asset Owners (senior staff responsible for the Information Asset Register)
- Information Asset Administrators (manage information risk on a daily basis)

5.2 Communication
This policy is to be made available to all personnel as listed above and will be made publicly available on the Trust's intranet.

5.3 Trust Information Asset Owners (IAOs) are senior individuals who shall ensure that all key information assets are identified and recorded on the Information Asset Register, and that information risk assessments are performed regularly on all information assets for which they have been assigned ownership, following guidance from the SIRO and the Information Governance Manager on assessment method, format, content and frequency. Risk assessments will include data flow analysis, i.e. studying the flow of data to identify risks. IAOs shall submit the risk assessment results and associated mitigation plans to the SIRO for review, along with details of any assumptions or external dependencies. Mitigation plans shall include specific actions with expected completion dates, as well as an account of residual risks. IAOs will ensure that System Specific Security Policies are written and maintained for critical systems. IAOs may delegate responsibility for one or more information assets to Information Asset Administrators (IAAs), who will support the IAO in the activities set out in this document.

5.4 The SIRO shall advise the Chief Executive and the Trust Board on information risk management strategies and provide periodic reports and briefings on programme progress, including an annual report for inclusion in the Statement on Internal Control (SIC).

5.5 All Serious Incidents relating to information will be reported through the Strategic Executive Information System (STEIS), and all information incidents are reported to the Information Governance Steering Group.

5.6 The output from risk assessments and lessons learned from Serious Incident (SI) reports will be used to create and maintain improvement plans. Incidents will be discussed at the Trust's Organisational Learning Forum.

6. TRAINING IMPLICATIONS

6.1 Training for this policy is part of the Trust's training needs analysis and is part of the mandatory risk management training policy.

6.2 All line managers are responsible for ensuring that all staff training with regard to information risk is up to date and relevant to their staff.

6.3 Specific training requirements are outlined below.

Information Risk Policy training
Staff groups requiring training: (a) Caldicott Guardian and supporting staff; (b) Senior Information Asset Owner and Information Asset Owners
How often should this be undertaken: Annually (both groups)
Length of training: About 1 hour, with a short assessment at the end (both groups)
Delivery method: Via the Connecting for Health training site (both groups)
Training delivered by whom: Self-directed, for staff who are IT competent and happy to work unassisted (both groups)
Where are the records of attendance held: Electronic Staff Record system (ESR) (both groups)

As a Trust policy, all staff need to be aware of the key points that the policy covers. Staff can be made aware through:
- Team Brief
- Weekly Newsletter
- Team meetings
- Local Induction

The Training Needs Analysis (TNA) for this policy is required to be monitored for the NHS Litigation Authority. The TNA can be found in the Training Needs Analysis documentation, which is part of the Mandatory Risk Management Training Policy in the Trust Extranet publications section.

7. MONITORING ARRANGEMENTS

7.1 The Information Governance Steering Group will monitor the following:

Area for monitoring: Information Risk Policy
How: Reviewed following publication of the Information Governance Toolkit, or to implement any changes in legislation
Who by: Information Governance Manager
Reported to: Information Governance Steering Group
Frequency: Annually

Area for monitoring: Incidents
How: Review incidents for trends or patterns and for impacts on the controls in place
Who by: Information Governance Manager
Reported to: Information Governance Steering Group
Frequency: Quarterly

8. EQUALITY IMPACT ASSESSMENT SCREENING

The completed Equality Impact Assessment for this policy has been published on the Equality and Diversity webpage of the RDaSH website.

8.1 Privacy, Dignity and Respect
The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi's review of the NHS, identifies the need to organise care around the individual, not just clinically but in terms of dignity and respect.
How this will be met: As a consequence, the Trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect (when appropriate this should also include how same-sex accommodation is provided).

8.2 Mental Capacity Act
Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individual's capacity to participate in the decision-making process. Consequently, no intervention should be carried out without either the individual's informed consent, or the powers included in a legal framework, or by order of the Court.
How this will be achieved: All individuals involved in the implementation of this policy should do so in accordance with the Guiding Principles of the Mental Capacity Act 2005 (Section 1). Therefore, the Trust is required to make sure that all staff working with individuals who use our service are familiar with the provisions of the Mental Capacity Act. For this reason all procedural documents will be considered, if relevant, to reflect the provisions of the Mental Capacity Act 2005, to ensure that an individual whose capacity is in question can continue to make as many decisions for themselves as possible.

9. LINKS TO ANY ASSOCIATED DOCUMENTS
- Information Governance Strategy
- Information Governance Policy
- Data Protection Policy
- Information Lifecycle and Records Management Policy
- Informatics Security Policy
- Policy for the Secure Storage and Transfer of Person Identifiable Data
- Laptop and Mobile Working Policy
- Policy for the Investigation of Untoward and Serious Untoward Incidents
- Trust Risk Management Framework

10. REFERENCES
- The Data Protection Act (1998)
- The Freedom of Information Act (2000)
- Environmental Information Regulations (2004)
- European Directive 2003/4/EC
- Access to Health Records Act (1990)
- Human Rights Act (1998)
- European Directive 95/46/EC (Data Protection Directive)
- Crime and Disorder Act (1998)
- Criminal Procedure and Investigations Act (1996)
- Regulation of Investigatory Powers Act (2000)
- ICO Framework Code of Practice for Sharing Personal Information (2007)
- Children Act (2004)
- Working Together to Safeguard Children (2006)
- NHS Act (2006)
- Multi-Agency Public Protection Arrangements (MAPPA)
- Mental Capacity Act 2005 and Code of Practice (2007)
- Information Sharing: Guidance for Practitioners and Managers (2008)
- Confidentiality: NHS Code of Practice (2003)
- Confidentiality: Guidance for Doctors (GMC 2009)
- Confidentiality and Disclosure of Health Information Toolkit (BMA 2008)
- The NMC Code of Professional Conduct: Standards for Conduct, Performance and Ethics (NMC 2004)
- No Secrets: Guidance on Developing and Implementing Multi-agency Policies and Procedures to Protect Vulnerable Adults from Abuse
- Data Protection and Sharing: Guidance for Emergency Planners and Responders (HMG 2007)
- Data Sharing Review Report (Thomas and Walport 2008)
- Health and Social Care Act (2001)
- Caldicott Guidance (2010)
- Computer Misuse Act 1990
- Department of Health, Records Management: NHS Code of Practice (2006)
- NHS Connecting for Health, NHS Information Governance: Guidance on Legal and Professional Obligations (Department of Health, 2007)

11. APPENDIX 1 - EXAMPLES OF INFORMATION ASSETS

Personal Information Content
- Databases and data files
- Back-up and archive data
- Audit data
- Paper records (patient case notes/staff records)
- Paper reports

Software
- Applications and system software
- Data encryption utilities
- Development and maintenance tools

Other Information Content
- Databases and data files
- Back-up and archive data
- Audit data
- Paper records and reports

Hardware
- Computing hardware including PCs, laptops, communications devices (e.g. BlackBerry) and removable media

System/Process Documentation
- System information and documentation
- Operations and support procedures
- Manuals and training materials
- Contracts and agreements
- Business continuity plans

Miscellaneous
- Environmental services, e.g. power and air-conditioning
- People skills and experience
- Shared services including networks and printers
- Computer rooms and equipment