CCG_IGMF_V1.2 - Erewash CCG


Upload: vankhue

Post on 28-Mar-2018


NHS Erewash Clinical Commissioning Group

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

Document History

Document Reference: IG01

Document Purpose: The document complements all other Information Governance policies and sets out the management arrangements for information governance in the CCG

Date Approved: August 2014

Approving Committee: Governing Body – November 2014

Version Number: 1.2

Status: FINAL

Next Revision Due: August 2015

Developed by: Information Governance, Greater East Midlands Commissioning Support Unit (GEM CSU)

Policy Sponsor: Assistant Chief Officer and SIRO

Target Audience:

All Staff within the CCG whether operating directly or providing services to other organisations under a service level agreement or joint agreement and to non-executive directors, contracted third parties (including agency staff), locums, students, volunteers, trainees, visiting professionals or researchers, secondees and other staff on temporary placements within the organisation.

Associated Documents: All Information Governance Policies and the Information Governance Toolkit


Revision History

Version | Revision date | Summary of Changes
1.0 | August 2013 | Revised in line with NHS England Policies and updated to reflect version 11 of the Information Governance Toolkit
1.1 | August 2014 | Revised in line to reflect Version 12 of the Information Governance Toolkit
FINAL 1.2 | August 2014 | Approved at IG Product Group

Policy Dissemination information

Reference Number | Title | Available from

Information Governance Management Framework


CONTENTS

Section

1 Introduction
2 Purpose & Scope
3 Policy Statement
4 Senior IG Management Details - Organisation Roles & Accountabilities
5 Key Policies
6 Governance Arrangements
7 Resources
8 Training Guidance
9 Incident Management
10 Equality & Diversity Impact Assessment
11 Monitoring & Compliance
12 Further Information or Guidance
13 References
14 Appendix 1 Terms of Reference - Information Governance Working Group
15 Appendix 2 Terms of Reference – Information Governance Committee
14 Appendix 3 – Information Governance Operational Structure
15 Appendix 4 – CCG Toolkit Requirements Training Needs Analysis
16 Appendix 5 – Information Governance Related Policies, Procedures & Guidance
17 Appendix 6 – CCG Version 12 Requirements List


Information Governance Management Framework for Erewash CCG

1. Introduction

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources.

The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit (IGT) as the organisation’s Information Governance Management Framework.

This Framework must be documented, approved at the most appropriate senior management level in the organisation (e.g. a member of the Executive Team) and reviewed annually. This document sets out Erewash CCG’s approach to embedding robust information governance throughout the CCG.

The IGT is available here: https://nww.igt.hscic.gov.uk. A user name and password are required to access the CCG IG Toolkit Return.

This policy is a standalone document and provides a summary/overview of how the CCG is addressing the IG agenda and reflects the capacity and capability of the CCG.

2. Purpose and scope

The purpose of this policy is to establish employee responsibility and the rules of conduct for all members of staff regarding the CCG’s information governance framework. This policy applies to all staff within the CCG whether operating directly or providing services to other organisations under a service level agreement or joint agreement, and to non-executive directors, contracted third parties (including agency staff), locums, students, volunteers, trainees, visiting professionals or researchers, secondees and other staff on temporary placements within the organisation.

3. Policy Statement

The Health & Social Care Information Centre (HSCIC) mandates that the Information Governance Toolkit (IGT) version 12 is completed by all organisations that commission or provide services within and to the NHS.

An Information Governance Management Framework (IGMF) is required to be in place to ensure that the Information Governance agenda is owned and implemented in a structured manner.

4. Senior Information Governance Management Details

Organisational Roles & Accountability

4.1 The CCG will:


Appoint an IG Lead, Senior Information Risk Owner and Caldicott Guardian. These designated roles will be reported in the CCG IG Toolkit Return under ‘Update Information Governance Senior Management Details’ once appointed

The roles of the Senior Information Risk Owner and Caldicott Guardian will be at Executive Board

The Information Governance Lead is a senior representative in the organisation who leads and co-ordinates the information governance works programme

The Accountable Officer has overall accountability and responsibility for Information Governance and is required to provide assurance through the Statements on Internal Control that all risks to the CCG, including those relating to information, are effectively managed and mitigated

The Records Manager is an individual/s with clear responsibility for the management of the records of an organisation from the time they are created up to their eventual disposal. This may include naming, version control, storing, tracking, securing and destruction (or in some cases, archival preservation) of records

An Information Asset Owner is a senior individual involved in running the relevant business. Their role is to understand and address risks to the information assets they ‘own’ and to provide assurance to the SIRO on the security and use of those assets

Information Asset Administrators are usually operational members of staff who understand and are familiar with information risks in their area or department. Information Asset Administrators ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management and ensure that information asset registers are accurate and up to date

4.2 The CCG Information Governance Lead in conjunction with services provided by GEMCSU will:

Develop and maintain comprehensive and appropriate documentation that demonstrates commitment to and ownership of IG responsibilities, e.g. an overarching high level strategy document supported by corporate and/or directorate policies and procedures

Ensure that there is senior management awareness and support for IG resourcing and implementation of improvements

Provide direction in formulating, establishing and promoting IG policies

Establish working groups, if necessary, to co-ordinate the activities of staff given IG responsibilities and progress initiatives

Ensure that assessment and improvement plans are prepared for approval by the senior level of management in a timely manner and in line with national reporting requirements


Ensure that the approach to information handling is communicated to all staff and made available to the public

Ensure that appropriate training is made available to staff and completed as necessary to support their duties and in line with IGT requirements

Liaise with other committees, working groups and programme boards in order to promote and integrate IG standards

Monitor information handling activities to ensure compliance with law and guidance

Provide a focal point for the resolution and/or discussion of IG issues

4.3 The SIRO will:

Take ownership of the organisation’s information risk policy and information risk management strategy. All key information assets will be identified and their details included in an Information Asset Register

Ensure that Information Asset owners will be identified for each key information asset

Ensure that all staff assigned responsibility for co-ordinating and implementing information risk management will be appropriately trained to carry out their role

Ensure that Information Asset Owners carry out risk reviews of the assets for which they are accountable, the frequency of review depending upon the importance of the asset and the nature of the risk environment

The SIRO will also lead and implement the information governance risk assessment and advise the Board on the effectiveness of risk management across the organisation

4.4 The Caldicott Guardian will:

Be added to the National Register of Caldicott Guardians

Identify the support necessary to ensure work related to confidentiality and data protection is appropriately carried out

Provide a plan for the Caldicott Function of the CCG

Ensure all staff assigned responsibility for co-ordinating and implementing the confidentiality and data protection work programme have been appropriately trained to carry out their role

Identify the work necessary to provide Confidentiality and Data Protection Assurance

Be a senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.


4.5 The Information Asset Owner will:

Identify and document the scope and importance of all Information Assets they own. This will include identifying all information necessary in order to respond to incidents or recover from a disaster affecting the Information Asset.

Take ownership of their local asset control, risk assessment and management processes for the information assets they own. This includes the identification, review and prioritisation of perceived risks and oversight of actions agreed to mitigate those risks.

Provide support to the organisation’s SIRO and Risk Management Board to maintain their awareness of the risks to all Information Assets that are owned by the organisation and for the organisation’s overall risk reporting requirements and procedures.

Ensure that staff and relevant others are aware of and comply with expected IG working practices for the effective use of owned Information Assets. This includes records of the information disclosed from an asset where this is permitted.

Provide a focal point for the resolution and/or discussion of risk issues affecting their Information Assets.

Ensure that the organisation’s requirements for information incident identification, reporting, management and response apply to the Information Assets they own. This includes the mechanisms to identify and minimise the severity of an incident and the points at which assistance or escalation may be required.

Foster an effective IG culture for staff and others who access or use their Information Assets to ensure individual responsibilities are understood, and that good working practices are adopted in accordance with the organisation’s policy.

4.6 The Information Asset Owner will:

Ensure that policies and procedures are followed when using an information asset

Recognise actual or potential security incidents

Consult their IAO on incident management

Assist the IAO to ensure that information asset registers are accurate and up to date, for example by reporting when an information asset they use is no longer required.


5. Key Policies

The CCG via Greater East Midlands Clinical Commissioning Unit (GEMCSU) will provide the following policies (or equivalent) to set out scope and intent in terms of embedding Information Governance processes throughout the Organisation:

An Overarching Information Governance Policy

A Confidentiality and Data Protection Policy

An Information Security Policy

A Corporate Governance Policy (which covers FOI)

An Information Lifecycle Management Policy (Records Management and Information Quality)

In particular the CCG will implement policies as required to support confidentiality, security and records management processes in addition to this Information Governance Management Framework

6. Governance Arrangements

The following governance arrangements have been agreed:

The CCG Governing Body will receive periodic assurance that management and accountability arrangements are adequate and will be informed in a timely manner of future changes in the IG agenda by IG updates within the corporate report.

The CCG will be represented at Countywide Information Governance Group.

The Governing Body of the CCG will have responsibility for the Information Governance Agenda supported by identified senior roles i.e. Caldicott Guardian, SIRO, and IG Lead.

Under a service level agreement, the CCG will obtain Information Governance Support through the GEMCSU.

Responsibility and accountability for Information Governance will be cascaded through the organisation via staff contracts, contracts with third parties, Information Asset Owner arrangements and departmental leads.

Key information governance messages will be developed by GEMCSU through a Service Level Agreement and made available to the CCG for onward dissemination.


7. Resources

Key staff involved in the Information Governance Agenda, below those at Executive Team level, will be provided to the CCG through a Service Level Agreement between the CCG and GEMCSU.

8. Training Guidance

Staff need clear guidelines on expected working practices and on the consequences of failing to follow policies and procedures.

The approach to ensuring that all staff receive training appropriate to their roles will be detailed and provided by GEMCSU through a Service Level Agreement with the CCG.

Information Governance Services will assist the CCG in achieving 95% take up of mandatory information governance training and advise/manage staff to undertake further specialist information governance training as required.

Mandatory annual Information Governance Training should be completed by all third party contractors.

Training will also be made available via the HSCIC e-learning site (at August 2014 still hosted at): https://www.igtt.hscic.gov.uk/igte/index.cfm?action=logout

9. Incident Management

Clear guidance on incident management procedures will be documented and staff will be made aware of their existence, where to find them and how to implement them through a Service Level Agreement between the CCG and GEMCSU.

All incidents will be reported via the CCG Information Governance Group (or equivalent) on a bi-monthly basis.

10. Equality & Diversity Impact Assessment

None required.

11. Monitoring and Compliance

The IGMF will be reviewed at least annually in line with IG Toolkit requirements or amended as required to reflect changes in organisational ownership.

12. Further Information or Guidance

Contact Information Governance (IG) Services/GEMCSU on [email protected] 01332 868721

Key Roles within IG Services/GEMCSU

Information Governance Consultant (North)

Information Governance Project Officer


13. References

NHS Code of Confidentiality: https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice

The IG Toolkit: https://nww.igt.hscic.gov.uk/requirementsorganisation.aspx?tk=414264250435607&cb=b890a2c3-bfb6-4f8f-9dc2-27aea4159c93&lnv=2&clnav=YES

Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents (Gateway reference 13177): http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/links/suichecklist.pdf

NHS Information Risk Management: http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/risk/inforiskmgtgpg.pdf

The Caldicott Review: Information Governance in the Health and Social Care System: https://www.gov.uk/government/publications/the-information-governance-review


Appendix 1

Terms of Reference for CCG Information Governance Working Group

Terms of Reference

1. Remit and purpose of the group

Information governance is a key component of the clinical and corporate assurance framework and can be defined as: “providing a framework for handling personal and sensitive information in a confidential and secure manner appropriate to ethical and quality standards in a modern health service.” (Connecting for Health).

Greater East Midlands Commissioning Support Unit (GEM CSU) provides Information Governance support, advice and expertise to the Derbyshire CCGs through the IG Services team. The team link into each Clinical Commissioning Group through an operational IG lead.

The purpose of the IG Working Group is to:

1.1. be the operational focal point for CCG IG leads and GEM CSU IG leads to discuss information governance issues (and their resolution), including discussion of queries and incident monitoring, providing advice and recommendations to the CCG Information Governance Committee as required.

1.2. monitor the operational accountability and availability of CCG staff/resources for Information Governance, taking into account national programmes and compliance requirements e.g. Operating Framework, Information Governance Toolkit and making recommendations to the CCG Information Governance Committee as appropriate.

1.3. ensure compliance with the CCG Information Governance Toolkit and evidence gathering, including exception reporting to the CCG Information Governance Committee as appropriate.

1.4. act as the forum for dissemination of information from the GEM CSU IG team to the CCGs.

2. Accountability

GEM CSU hosts the Information Governance Working Group meetings on behalf of the Derbyshire CCGs.

Overall accountability for Information Governance lies with the CCG Chief Officer, delegated through the role of the Senior Information Risk Officer (SIRO).

Accountability for operational delivery lies with the CCG Information Governance lead reporting to the CCG SIRO, who is responsible for day to day management and delivery of the function.

IG advice and expertise is provided to the CCG through the GEM CSU IG Services team who will liaise with the SIRO, Caldicott Guardian and IG lead/link as appropriate.

3. Membership


- GEM CSU North Information Governance Consultant
- GEM CSU Information Governance Officers
- Members of the GEM CSU Information Governance Team when required.
- CCG Information Governance Leads
- CCG Governance Officers

Other members will be co-opted to the Committee as required.

Deputising Arrangements

All members may nominate a representative to attend in their absence.

Quorum Arrangements

Two CCG Information Governance leads, plus two other members of the GEM CSU Information Governance team need to be present in order for the Group to be quorate.

Chair of Group: GEM CSU North IG Consultant

Deputy Chair: GEM CSU IG Team member

In the event of neither of these members being available a temporary Chair will be elected from those members present.

4. Functions & Responsibilities

i. To support the formulation, implementation and monitoring of compliance of the Information Governance Strategy and Framework for the CCG.

ii. To work proactively to ensure that the CCG meets all NHS and legal requirements relating to information governance. This includes compliance with the NHS Information Governance Toolkit standards and submission of organisational assessments.

iii. To support the development, implementation and monitoring of the annual CCG Information Governance Improvement plan.

iv. To liaise with Information Governance related groups at local and national levels as appropriate.

v. To support solutions and implementation programmes (including training and awareness raising) to ensure that the CCG complies with developing information governance requirements.

vi. To support the implementation of tailored staff awareness and training programmes for information governance meeting national requirements.

vii. To monitor and review the CCG Risk Registers, ensuring risks are appropriately forwarded to the CCG Corporate Risk Register.

5. Reporting arrangements

The group reports to the CCG Information Governance Committee.


The minutes of the meeting and regular reports are submitted to the CCG Information Governance Committee meetings.

6. Frequency of meetings

The CCG Information Governance Working Group will meet on a monthly basis with additional meetings as required to meet its responsibilities.


Appendix 2

Terms of Reference for CCG Information Governance Committee

1. Remit and purpose of the Committee

Information governance is a key component of the clinical and corporate assurance framework and can be defined as:

“providing a framework for handling personal and sensitive information in a confidential and secure manner appropriate to ethical and quality standards in a modern health service.” (Connecting for Health)

The purpose of the CCG Information Governance Committee (CCG IGC) (using delegated authority from the relevant authorising committee – See addendum) is to:

1.1. be the organisational focal point for information governance issues (and their resolution), providing advice, reports and recommendations to the relevant CCG authorising committee, Accountable Officer, Clinical Commissioning Group Governing Body as required.

1.2. monitor the organisational management accountability, compliance arrangements and availability of specialist staff/resources for Information Governance, taking into account national programmes and compliance requirements e.g. Operating Framework, Information Governance Toolkit and making recommendations to the relevant CCG committee as appropriate.

2. Accountability

Overall accountability for Information Governance lies with the Accountable Officer and the CCG Governing Bodies, delegated through the role of the Senior Information Risk Officers (SIRO). The CCG Information Governance Committee makes recommendations which need to be approved by the individual CCG governance process.

Accountability for operational delivery lies with the CCG Information Governance Lead reporting to the CCG Information Governance Committee, and SIRO who is responsible for day to day management and delivery of the function.

3. Membership

- Representation from Erewash CCG, Hardwick CCG, North Derbyshire CCG and Southern Derbyshire CCG, including:
  o CCG Caldicott Guardian (x4)
  o CCG Senior Information Risk Officer (x4)
  o CCG Information Governance Lead (x4)
- Representation from Greater East Midlands Commissioning Support Unit (GEM CSU)
  o GEM CSU Information Governance Consultant
  o GEM CSU Information Governance Officers
  o Members of the GEM CSU Information Governance Team when required.

Other members may be invited to attend the Committee as required e.g. HR representative, Communications representative, representatives from Public Health, Commissioning etc.


Deputising Arrangements

All members can nominate a representative to attend in their absence but the representative must have sign off authority for policies and committee decisions.

In the absence of the relevant CCG Caldicott Guardian the SIRO will sign off and obtain retrospective Caldicott Guardian approval.

Quorum Arrangements

One of the following, plus two other members of the Committee need to be present in order for the CCG IGC to be quorate:

- Caldicott Guardian
- SIRO
- GEM CSU Information Governance representative

Chair of Committee: Southern Derbyshire CCG SIRO

Deputy Chair: Hardwick CCG SIRO

In the event of neither of these members being available a temporary Chair will be elected from those members present.

4. Functions & Responsibilities

i. To ensure that a consistent approach is applied to adoption of information governance, information security and records management standards and legislation across the CCGs, independent practitioners and commissioned service providers.

ii. To oversee the formulation, implementation and monitoring of compliance of the Information Governance Strategy and Framework for the CCGs.

iii. To work proactively to ensure that the CCGs meet all NHS and legal requirements relating to information governance. This includes compliance with the NHS Information Governance Toolkit standards and submission of organisational assessments.

iv. To be the body which assures that all new processes, services and information systems are developed and implemented in a secure and structured manner, comply with Information Governance security accreditation, information quality, confidentiality and data protection requirements.

v. To develop and recommend policies (and monitor user compliance) to meet information governance requirements affecting the Clinical Commissioning Groups for ratification through the relevant CCG authorising body. Policies approved by Committee will be reported to the relevant authorising committee for ratification.

vi. To review incidents, near misses and complaints relating to information governance to enable lessons learnt, share outcomes, and make recommendations where compliance with requirements has been breached or jeopardised. Such investigations will comply with national NHS Guidelines, the CCG Incident Reporting policy and ISO 27001.


vii. To authorise programmes of risk assessments and audits relating to information governance, security and confidentiality; review results and make recommendations to the relevant authorising committee.

viii. To provide expertise and advice and to make recommendations relating to information access requests received by the CCGs. Specifically, to make recommendations to the Accountable Officer on the disclosure of information (under the terms of the Data Protection, Freedom of Information Acts or Environmental Information Regulations and associated legislation e.g. Human Rights or Access to Health Records Acts) where the issues are complex and possibly contentious.

ix. To develop and approve suitable information sharing protocols for all organisations involved in routinely and regularly sharing information with the CCGs.

x. To provide advice and recommendations relating to records management requirements, procedures and practices.

xi. To oversee the formulation, ratification, implementation and monitoring of policies and procedures to ensure that the organisations have the capability of meeting NHS and statutory Information Governance requirements.

xii. To develop, implement and monitor the annual Information Governance Improvement plan and approve the Information Governance Toolkit submissions.

xiii. To liaise with Information Governance related groups at local and national levels as appropriate e.g. EM SIGN etc.

xiv. To develop solutions and implementation programmes (including training and awareness raising) to ensure that the CCGs comply with developing information governance requirements.

xv. To liaise with independent monitors e.g. Internal/External Audit, NHS Litigation Authority and to oversee the implementation of recommendations and action plans as required.

xvi. To ensure that tailored staff awareness and training programmes are in place and delivered for information governance meeting national requirements.

xvii. To provide support and advice to the organisation information governance specialists as requested or required.

xviii. To communicate to staff and the population served by the CCGs, the organisations’ approaches to information handling.

5. Reporting arrangements

The CCG IGC is accountable to the relevant individual CCG authorising committees.

The CCG IGC will provide minutes of meetings and regular reports (including an Annual Report) to the relevant authorising committee in accordance with the agreed reporting schedule.


It is the responsibility of the individual CCG IGC Committee members to forward any relevant reports and meeting minutes to the appropriate CCG Governing Bodies.

6. Frequency of meetings

The Information Governance Committee will meet on a bi-monthly basis with additional meetings as required to meet its responsibilities.

7. Review

These Terms of Reference will be reviewed at least annually by the Information Governance Committee or sooner if required to ensure that the Committee is carrying out its functions effectively.


Appendix 3

Information Governance Operational Structure


Accountable Officer

Records Manager | IG Lead | SIRO | Caldicott Guardian

Information Asset Owners

Information Asset Administrators

GEM CSU IG Lead


Appendix 4

CCG Training Needs Analysis

| Job Role | Introduction to IG (Year 1) | IG-Refresher Module (Years 2 & 3) | The Caldicott Guardian in the NHS & Social Care | NHS Information Risk Management for SIROs & IAOs | NHS Information Risk Management - Introductory | NHS Information Risk Management - Foundation | Password Management | Information Security Guidelines | Patient Confidentiality |
|---|---|---|---|---|---|---|---|---|---|
| IG Lead | Mandatory | Mandatory | Recommended | Recommended | Recommended | Recommended | Optional | Recommended | Optional |
| Caldicott Guardian | Mandatory | Mandatory | Mandatory | Recommended | Optional | Optional | Optional | Optional | Recommended |
| SIRO | Mandatory | Mandatory | Recommended | Mandatory | Recommended | Mandatory | Optional | Recommended | Optional |
| IAO & IAA | Mandatory | Mandatory | Optional | Mandatory | Recommended | Mandatory | Optional | Optional | Optional |
| Records Manager | Mandatory | Mandatory | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Admin/Clerical | Mandatory | Mandatory | Optional | Optional | Optional | Optional | Optional | Optional | Optional |


| Job Role | Access to Health Records | Records Management and the NHS Code of Practice | Records Management in the NHS | Secure Transfers of Personal Data | Business Continuity Management | NEW-Access to Information & Information Sharing in the NHS - | NEW-Secure Handling of Confidential Information | NEW-Information Security Management |
|---|---|---|---|---|---|---|---|---|
| IG Lead | Optional | Optional | Optional | Optional | Recommended | Recommended | Optional | Optional |
| Caldicott Guardian | Optional | Optional | Optional | Optional | Optional | Recommended | Recommended | Optional |
| SIRO | Optional | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| IAO & IAA | Optional | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Records Manager | Recommended | Recommended | Optional | Optional | Optional | Optional | Optional | Optional |
| Admin/Clerical | Optional | Optional | Optional | Optional | Optional | Optional | Optional | Optional |


Appendix 5

Information Governance Related Policies, Procedures & Guidance

| Name of Policy | Policy Approval Date (A) | Approving Body/Individual (B) | Date approved at IGC (C) |
|---|---|---|---|
| Corporate Information Security Policy | 4th December 2014 | Governing Body | Nov 2014 |
| Confidentiality & Data Protection Policy | 4th December 2014 | Governing Body | Oct 2014 |
| Data Protection Policy | 4th December 2014 | Governing Body | Included in above |
| Data Quality Policy | 4th December 2014 | Governing Body | Oct 2014 |
| Email Policy | 4th December 2014 | Governing Body | Oct 2014 |
| Freedom of Information (FOI) Policy | 6th November 2014 | Governing Body | Sept 2014 |
| Incident Reporting Policy | See reporting icon and email | Sent to staff 16th October 2014 | Local policy |
| Information Governance Management Framework (IGMF) | 6th November 2014 | Governing Body | Sept 2014 |
| Information Governance Policy | 6th November 2014 | Governing Body | Sept 2014 |
| Information Lifecycle Policy (including information quality) | 6th November 2014 | Governing Body | Sept 2014 |
| Information Risk Policy | 4th December 2014 | Governing Body | Oct 2014 |
| IT Acceptable Use Policy | 4th December 2014 | Governing Body | Oct 2014 |
| Network Security Policy | TBA Jan 2015 | | Jan 2015 |
| Records Management Policy | 6th November 2014 | Governing Body | Sept 2014 |

| Name of Procedure | Procedure Approval Date | Approving Body/Individual | Date approved at IGC |
|---|---|---|---|
| Confidentiality Audit Process | October 2014 | Information Governance Committee | Oct 2014 |
| Electronic Remote Working Guidance (see IG Briefing Pack/Handbook) | TBA Jan 2015 | In IT AUP | Jan 2015 |
| Incident Reporting Procedure | See reporting icon and email | Sent to staff 16th October 2014 | Local |
| Mobile Working Procedure | TBA Jan 2015 | In IT AUP | Jan 2015 |
| Privacy Impact Assessment (PIA) Procedure | September 2014 | Information Governance Committee | Sept 2014 |
| Safe Haven Procedure | November 2014 | N/A Information Governance Committee | Nov 2014 |
| Subject Access Request (SAR) Procedure | TBA Jan 2015 | | Jan 2015 |

| Local Guidance | Approval Date | Approving Body/Individual | Date approved at IGC |
|---|---|---|---|
| Fair Processing Notice | Uploaded to Internet 21st January 2015 | N/A | Local |
| Privacy Notice | Sent to all staff 21st January 2015 | N/A | Local |
| Staff Code of Conduct | 6th November 2014 | Governing Body | Sept 2014 |
| Staff Briefing Pack | Sent to staff 5th November 2014 | N/A | October 2014 |

Dissemination Process

All the above policies and procedural documentation will be disseminated to staff by the CCG via the intranet or placed on the “shared drive”, with instructions issued to staff on how to access the documents.


Appendix 6

Clinical Commissioning Group Version 12 (2014-2015) Requirements List

Req No Description

Information Governance Management

12-130 There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda

12-131 There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans

12-132 Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations

12-133 Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation

12-134 Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained

Confidentiality and Data Protection Assurance

12-230 The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs

12-231 Staff are provided with clear guidance on keeping personal information secure, on respecting the confidentiality of service users, and on the duty to share information for care purposes

12-232 Personal information is only used in ways that do not directly contribute to the delivery of care where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected

12-234 There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data

12-235 There are appropriate confidentiality audit procedures to monitor access to confidential personal information

12-236 All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines

12-237 All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements

12-250 Individuals are informed about the proposed uses of their personal information

Information Security Assurance

12-340 The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs

12-341 A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed

12-342 There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority

12-343 Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use

12-344 Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems

12-345 An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy

12-346 Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place

12-347 Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely

12-348 Policy and procedures ensure that mobile computing and teleworking are secure

12-349 There are documented incident management and reporting procedures

12-350 All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers

12-351 All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures

12-352 The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate

Clinical Information Assurance

12-420 The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience

12-421 There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements
