Information Governance Toolkit Assessment 2009/10




Document Profile Box

Document Reference:
Version: Final
Ratified by: Trust Board
Date ratified:
Name of originator/author: Rahima Hoque, Information Governance Manager
Name of responsible committee/individual: Information Governance Working Group
Document owner: Colin Cessford, Director of Strategy and Business Development

TABLE OF CONTENTS

1. Executive Summary
2. Actions Requested
3. Information Governance Assessment Scores
4. Current Position
5. Action Plan
6. Information Governance Toolkit V8
Appendix A: Final Submission for Information Governance Toolkit Version 7

1. Executive Summary

1.1. The Information Governance Toolkit (IGT) report is based on the scores achieved in the fiscal year 2009/10, which have been submitted to Connecting for Health for validation. The attainment levels are shown alongside the 2008/09 scores for comparison.

1.2. In the fiscal year 2009/10 the IGT results scored an overall 68%, whilst in 2008/09 the overall score was 65%. The Trust has an amber status of achievement.

1.3. The final assessment has been approved via the IGWG and each of the initiative leads, with a recommendation for sign-off by the Trust Board.

1.4. Sunderland Internal Audit Services have concluded that there is significant assurance that there is a generally sound system of internal control designed to meet the organisation's objectives and that controls are generally being applied consistently. 5 IGT requirements were audited.

2. Actions Requested

2.1. The NEAS Board is asked to approve the IGT assessment scores and the action plan for 2010/11.

3. Information Governance Assessment Scores

3.1. The table below shows the comparative scores over the last 4 years. The IGT scores are based on RAG principles: RED, AMBER, GREEN.

Initiative | 2006/07 (Version 4) | 2007/08 (Version 5) | 2008/09 (Version 6) | 2009/10 (Version 7)
Clinical Information Assurance | 33% | 41% | 50% | 58%
Confidentiality and Data Protection Assurance | 62% | 79% | 87% | 75%
Corporate Information Assurance | 41% | 75% | 50% | 75%
Information Governance Management | 74% | 69% | 71% | 71%
Information Security Assurance | 40% | 50% | 57% | 62%
Overall | 54% | 62% | 65% | 68%

RAG thresholds: Red 0-39%; Amber 40-69%; Green 70-100%.

3.2. The individual initiative score for Confidentiality and Data Protection has gone down from 87% to 75%. Clinical Information Assurance and Information Security Assurance have risen slightly, from 50% to 58% and from 57% to 62% respectively. There has been a significant increase in Corporate Information Assurance, from 50% to 75%. Information Governance Management has maintained the same score as last year.

3.3. The IGT is also linked to the various assessments which the Trust is required to submit, including:
Care Quality Commission Core Standards
Auditor's Local Evaluation
NHSLA assessments

4. Current Position

4.1. The table below shows the number of requirements at each level against each of the 5 initiative areas. (The Confidentiality and Data Protection Assurance row is realigned so that each row and column sums to the totals given in the source.)

Initiative / Level | 0 | 1 | 2 | 3 | Total
Information Governance Management | - | 3 | 7 | 5 | 15
Confidentiality and Data Protection Assurance | - | 1 | 4 | 3 | 8
Information Security Assurance | 2 | 1 | 9 | 3 | 15
Clinical Information Assurance | - | 2 | 1 | 1 | 4
Corporate Information Assurance | - | - | 3 | 1 | 4
Total | 2 | 7 | 24 | 13 | 46

The Informatics Planning Guidance 2010/11 states that level 2 performance must be achieved against all requirements by 31 March 2011.

5. Action Plan

The key areas of work for the IGWG for the forthcoming year are:

5.1. Information Governance Management

5.1.1. Requirement 104: How would you assess your AMT's ability to access expertise across the Information Quality and Records Management agenda? Information Quality and Records Management arrangements need to be coordinated by the lead managers/officers but incorporated within broader IG arrangements. The IGWG needs to receive routine reports from the Information Quality and Records Management functions and sign off the appropriate components of the IG assessment before its submission to the Board.

5.1.2. Requirement 106: Does the AMT have up to date and tested business continuity plans for all critical infrastructure components and core information systems? The SIRO (Senior Information Risk Owner) and IAOs (Information Asset Owners) should ensure ongoing review and testing of Trust business continuity plans for relevance and effectiveness. Training should be provided to all affected staff so that awareness of these plans, and competency in the event of their execution, can be assured.

5.1.3. Requirement 108: Has the AMT implemented its Information Governance management arrangements to ensure the NHS CFH Statement of Compliance (SoC) is satisfied? The Trust should implement an independent audit and assurance programme to ensure that it continues to be able to comply with the requirements of its current Statement of Compliance.

5.2. Confidentiality and Data Protection Assurance

5.2.1. Requirement 210: Does the AMT ensure that all new processes, software and hardware comply with confidentiality and data protection requirements? The AMT should monitor compliance with the guidance by reviewing any new processes that have been introduced. The approval process must be regularly reviewed to ensure that it continues to be followed.

5.3. Information Security Assurance

5.3.1. Requirement 311: Does the AMT ensure that its information systems are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code? The AMT SIRO and IAOs should routinely review all existing Information Assets to ensure that appropriate controls are in place, are up to date and are operating according to the agreed specification. Alerts should be proactively monitored and investigated, and IAOs should continually review implemented controls and procedures in order to provide effective protection of their information assets. Any instance of implemented anti-virus software being tampered with, switched off or bypassed must be treated as a serious security incident and investigated accordingly, with appropriate actions taken.

5.3.2. Requirement 312: Does the AMT have in place appropriate procedures for ensuring that the development and introduction of any new Information Systems, or other relevant Information Assets of the AMT, are conducted in a secure and structured manner? This requirement includes the development and maintenance of appropriate IG accreditation documentation. The SIRO and IAOs should ensure that all Trust Information Asset implementations follow the agreed project management process. This should ensure that security requirements are well defined and selected, and that information security risks and issues are identified early and addressed routinely within the Trust's Information Asset lifecycle process. Robust change control processes should be applied.

5.3.3. Requirement 314: Does the AMT have appropriate procedures for ensuring that mobile computing and teleworking are conducted in a secure manner? The AMT should ensure all relevant staff are effectively informed of the procedures and guidelines and have received appropriate instruction in the use of remote access solutions. The AMT must also ensure that mobile devices and removable media have adequate information security capability, including reliable data encryption where patient, personal or otherwise confidential information is to be processed.

5.4. Clinical Information Assurance

5.4.1. Requirement 401: Does the AMT have a strategy to ensure the correct NHS Number is recorded for each active patient and that it is used routinely in clinical communications? The AMT must be able to demonstrate commitment to improving NHS Number retrieval to achieve the IQAP standard of 100% coverage for active patient records in the MPI. The AMT must ensure that the NHS Number is routinely used in all clinical communications.

5.4.2. Requirement 408: Does the AMT have procedures in place to ensure that when new services are provided, or where changes within the system are made, these do not adversely impact on information quality? Compliance with the procedures should be monitored and enforced, and any evidence that the procedures have not been followed should be followed up.

6. Information Governance Toolkit V8

6.1. The 2009/10 submission is based on V7 of the toolkit. Version 8 is due to be released in June 2010 and will require evidence to be uploaded to the site, as opposed to a tick-box exercise. It is anticipated that there will be a reduction in the IGT scores for the 2010/11 submission, because much of the level 3 criteria has been mapped to level 2.

Appendix A: Final submission for Information Governance Toolkit Version 7

No. | Standard | 08/09 | 09/10
101 | Does the AMT have adequate governance in place to support the current and evolving Information Governance agenda? | 3 | 3
102 | How would you assess your AMT's ability to access expertise across the Confidentiality & Data Protection Assurance agenda? | 3 | 3
103 | How would you assess your AMT's ability to access expertise across the Information Security agenda? | | 
104 | How would you assess your AMT's ability to access expertise across the Information Quality and Records Management agenda? | 2 | 1
105 | Does the AMT have in place comprehensive IG Policy and associated Strategy and Improvement Plans all signed off by the Board? | 3 | 3
106 | Does the AMT have up to date and tested business continuity plans for all critical infrastructure components and core information systems? | 1 | 1
107 | Does the AMT have a comprehensive Board endorsed Information Lifecycle Management Policy and Strategy / implementation plan? | 3 | 3
108 | Has the AMT implemented its Information Governance management arrangements to ensure the NHS CFH Statement of Compliance (SoC) is satisfied? | see note (a) | see note (a)
109 | Does the AMT ensure that staff and those working on behalf of the AMT comply with the terms and conditions set out on the RA01 form? | see note (a) | see note (a)
110 | Does the AMT ensure that it has formal contractual arrangements that include compliance with information governance requirements, with all contractors and support organisations? | see note (a) | see note (a)
111 | Does the AMT ensure that all individuals carrying out work on behalf of the AMT have employment contracts which require compliance with information governance standards? | see note (a) | see note (a)
112 | Do the AMT's staff induction procedures effectively raise the awareness of Information Governance? | 3 | 2
113 | Does the AMT assess staff training needs and ensure job/role specific information governance training is provided to all staff? | 3 | 2
120 | Does the AMT ensure that its registration authority (RA) managers, agents and sponsors have sufficient knowledge and skills (including latest software, operational process guidance and its integration into AMT policies and procedures) to discharge its RA responsibilities? | see note (b) | see note (b)
121 | Does the AMT have a Board level Senior Information Risk Owner (SIRO) who takes ownership of the AMT's information risk policy, acts as advocate for information risk on the board and provides written advice to the accounting officer on the content of their Statement of Internal Control in regard to information risk? | see note (b) | see note (b)
201 | Does the AMT have a confidentiality code of conduct that provides staff with clear guidance on the disclosure of patient personal information? | see note (b) | see note (b)
202 | Does the AMT ensure that patients are generally asked before their personal information is used in ways that do not directly contribute to, or support the delivery of, their care and that patients' decisions to restrict the disclosure of their personal information are appropriately respected? | see note (b) | see note (b)
203 | Does the AMT ensure that patients are informed about the proposed uses of their personal information and the importance of providing accurate information to NHS staff? | see note (b) | see note (b)
204 | Does the AMT have effective procedures for ensuring that detailed questions, raised by patients about how their information may be used, can be answered? | see note (b) | see note (b)
205 | Does the AMT have appropriate procedures for recognising and responding to patient requests for access to their health records? | 3 | 3
206 | Has the AMT established appropriate confidentiality audit procedures to monitor access to confidential patient information? | | 
208 | Has the AMT mapped all flows of person identifiable information, assessed risks in line with Department of Health guidelines and put in place safe haven procedures for all routine flows of person identifiable information to the organisation? | 3 | 3
210 | Does the AMT ensure that all new processes, software and hardware, comply with confidentiality and data protection requirements? | 2 | 1
301 | Does the AMT have a formal information security risk assessment and management programme that is adequately documented, implemented and regularly reviewed? | see note (c) | see note (c)
302 | Does the AMT have documented and accessible information security event reporting and management procedures in place that are explained to all staff? | see note (c) | see note (c)
303 | Has the AMT established business processes that ensure all staff smartcards and access profiles issued are appropriate and satisfy their obligations as Registration Authorities? | see note (c) | see note (c)
305 | Does the AMT ensure that operating and application information systems under its control support appropriate access control functionality? | | 
306 | Are there defined, documented and agreed access rights for all users of AMT based information systems and services? | | 
307 | Has the AMT established a register of all its major information assets and assigned responsibility or ownership for each? | | 
308 | Does the AMT ensure that digital information shared with other organisations is secured in transit? | 3 | 2
309 | Does the AMT have adequate procedures in place to ensure the availability of information assets, data processing facilities, communications services and data? | see note (d) | see note (d)
310 | Does the AMT have procedures in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error? | see note (d) | see note (d)
311 | Does the AMT ensure that its information systems are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code? | see note (d) | see note (d)
312 | Does the AMT have in place appropriate procedures for ensuring that the development and introduction of any new Information Systems, or other relevant Information Assets of the AMT are conducted in a secure and structured manner? This requirement includes the development and maintenance of appropriate IG accreditation documentation. | see note (d) | see note (d)
313 | Does the AMT have appropriate procedures in place to ensure that communication networks under the AMT's control operate in a secure manner? | see note (d) | see note (d)
314 | Does the AMT have appropriate procedures for ensuring that mobile computing and teleworking are conducted in a secure manner? | 0 | 0
315 | Does the AMT satisfy its security management requirements to protect the Airwave communications service? | 3 | 3
322 | Does the AMT ensure that Registration Authority equipment (hardware and software) and consumables meet current specifications, is adequately maintained and securely stored? | 1 | 2
401 | Does the AMT have a strategy to ensure the correct NHS Number is recorded for each active patient and ensure that it is used routinely in clinical communications? | 1 | 1
403 | Does the AMT have an organisation-wide, multi-professional audit of clinical record keeping standards, including accuracy, for all professional groups in all specialities? | 3 | 3
405 | Does the AMT have robust procedures and processes for monitoring all data collection activities across the AMT? | 1 | 2
408 | Does the AMT have procedures in place to ensure that when new services are provided, or where changes within the system are made, that these do not adversely impact on information quality? | 1 | 1
601 | Does the AMT have documented and implemented procedures for the creation and filing of electronic corporate records to enable efficient retrieval and effective records management? | 1 | 2
602 | Does the AMT have documented and implemented procedures for the creation, filing and tracking/tracing of paper corporate records to enable efficient retrieval and effective records management? | 1 | 2
603 | Does the AMT have publicly available, documented and implemented procedures to ensure compliance with the Freedom of Information Act 2000? | 3 | 3
604 | Has the AMT carried out an inventory of its corporate records and information as part of the information lifecycle management strategy? | 1 | 2

Notes on the scores:
Empty cells: no score appears against that requirement in the source.
The scores for 322, 401, 403 and 408 to 603 are assigned in the order in which they appear in the source (08/09 then 09/10, row by row); this assignment agrees with the level counts in section 4 and the initiative percentages in section 3.
(a) The source gives the values "1 1 1 3" against requirements 108 to 111 without column alignment, so they cannot be assigned to individual requirements.
(b) The source gives the values "1 2 3 3 3 2 3 2" against requirements 120, 121 and 201 to 204 without column alignment.
(c) The source gives the values "3 3 1 3" against requirements 301 to 303 without column alignment.
(d) The source gives the values "1 1 0 0" against requirements 309 to 313 without column alignment.