GUIDANCE 1 TITLE: INFORMATION GOVERNANCE FRAMEWORK 2 POLICY AREA: INFORMATION GOVERNANCE 3 ACCOUNTABLE DIRECTOR FOR POLICY AREA: DIRECTOR OF QUALITY AND GOVERNANCE 4 GUIDANCE DRAFTED BY: INTEGRATED GOVERNANCE MANAGER 5 SIGNED OFF BY EXECUTIVE MANAGEMENT TEAM 6 RELATED DOCUMENTS: INFORMATION GOVERNANCE AND SECURITY POLICY DOCUMENT CONTROL Date Version Action Amendments INFORMATION GOVERNANCE FRAMEWORK Page 1 of 5
1. Introduction Islington CCG operates within an information governance architecture that is made up of: General overriding statute (for example the Data Protection Act) Healthcare specific legislation (NHS Act 2006 or public health regulations) National Guidance (e.g. the Caldicott Review) CCG policy and guidance The CCG works within this architecture to use data for the delivery of its key objectives and to promote the best possible outcomes for Islington residents and patients. This guidance is designed to act as an introduction for CCG staff to some key information governance concepts and the CCG s vision for good information governance. 2. The CCG s vision Islington CCG will: use wherever possible anonymous or pseudonymised data or; obtain consent from the patient or data subject for the use of their data Always abide by Data Protection Principles. Comply with the Caldicott principles. Ensure good information governance is owned by all staff and member practices. Embody good practice for information governance including confidentiality and data protection, and developing skills and knowledge across the organisation. Recognise the patient or data subject is the owner of their data and has a right to direct the use of their data and how and when it may be shared. Involve patients in the design of systems and projects that may involve using patient data. Work with partners across the Islington health economy, including public health, to achieve the best possible outcomes using data and information. Use data to target healthcare resources at the individuals identified as having the highest clinical risk. 3. Information Governance Framework The CCG has an overarching governance framework that sets out how the CCG approaches and manages the use of information. To deliver this the CCG has put in place assurance arrangements whereby the Audit Committee provides overall assurance of the CCG s information governance systems, with oversight of CCG activities being provided by the Executive Management Team. There are a Senior Information Risk Officer, Caldicott Guardian and Governance Lead to: INFORMATION GOVERNANCE FRAMEWORK Page 2 of 5
Ensure compliance with the Data Protection Act. Identify and manage data protection issues. Inform and deliver the CCG s information governance agenda. Identify and deliver a work programme to improve information governance systems Supporting a culture at the CCG that has ownership of and works to deliver good information governance Ensure all staff are adequately and appropriately trained to manager information governance in their role at the CCG All CCG staff, contractors and commissioned services are expected to comply with information governance requirements. 4. Framework Summary Heading Resources Notes Senior Roles Martin Machray, Senior Information Risk Officer (SIRO) Karen Sennett, Caldicott Guardian Michael Wüstefeld-Gray, Information Governance Lead The SIRO is a member of the Executive Team and the Caldicott Guardian is a general practitioner. Both are members of the CCG s Governing Body. The SIRO is accountable for the CCG s IG systems and policies and the Caldicott Guardian provides advice and support for the CCG. The Information Governance Lead is a direct report to the SIRO and is responsible for the day to day management of IG within the CCG. Key Policies Over-arching Information Governance and Security Policy. Supporting guidance includes: Information Governance Framework Data Protection Information Security Freedom of Information Information Lifecycle Email management Compliance Monitoring The Caldicott Guardian is registered on the national register of Caldicott guardians The CCG s Information Governance and Security Policy was adopted by the CCG s Audit Committee The supporting guidance was approved by the CCG s Executive Management Team and led by the SIRO. INFORMATION GOVERNANCE FRAMEWORK Page 3 of 5
Risk assessment and management guidance Caldicott Work Plan Key Governance Bodies Audit Committee and the Executive Management Team The Audit Committee and Executive Management Team have integrated governance (which includes information governance) in their terms of reference. Resources Training & Guidance A range of resources are available to staff to support information governance: National guidance CCG Policy and guidance Training Privacy Impact Assessment Key Staff (listed above) Risk register and guidance Retention Schedules Business Continuity Plan Information Asset Registers As set out in the CCGs induction pack, all staff will be required to complete at minimum the annual information governance training appropriate for their role. Alongside this the CCG provides in house information governance workshops and risk management training. In addition the CCG provides access to resources such as policy and guidance, and colleagues who can support staff should they have any IG queries or needs. As part of completing and reviewing Privacy Impact Assessments assurances are sought that staff have The key staff involved in the IG agenda below those at Executive Team level should be identified with a description of their roles and responsibilities. For a CCG this is likely to be one or more persons with an operational responsibility for IG, Data Protection, Information Security, Freedom of Information, Corporate and Clinical Governance and data quality. Any dedicated budgets and high level plans for expenditure in-year should also be identified, including outsourcing to external resources or contractors. The CCG s policies and guidance set clear guidelines about how staff are expected to conduct themselves and set out the consequences for breaches of policy. This includes not completing mandatory training. Breaches of the CCG s policies are handled under the CCG s conduct and capability policies. Staff who identify an issue around information governance should follow the process set out in the CCG s whistleblowing policy In addition the CCG runs IG workshops where staff may discuss issues relating to their individual roles, or particular projects, in order to get specific support for their particular IG issues. INFORMATION GOVERNANCE FRAMEWORK Page 4 of 5
completed appropriate training, and identified training needs should be discussed. Incident Management The CCG has guidance on information security and management as well as a business continuity plan that discusses information governance. In addition the CCG has a responsibility to report information governance incidents on the IG toolkit. In the event of an incident it will be investigated in line with Risk assessment and management guidance Action Card 5 of the CCG s business continuity plan sets out the specific roles of the SIRO, IG lead and information asset owners in response to any incident that requires the activation of the CCGs business continuity plan The CCG follows national guidance on the reporting of IG incidents and considers this part of its policy and guidance framework. It is the role of the IG lead to ensure IG incidents are identified, reported and investigated INFORMATION GOVERNANCE FRAMEWORK Page 5 of 5