INFORMATION GOVERNANCE POLICY INCLUDING THE MANAGEMENT OF INFORMATION RISKS

Version No 10.0

Document Author / Authorised

Written By: Information Governance Lead Officer Date: September 2016

Authorised By: Chief Executive Date: 12th March 2019

Lead Director: Director of Finance Estates and IM&T and Deputy Chief Executive

Effective Date: 12th March 2019

Review Date: 11th March 2022

Approval at: Policy Management Sub Committee

Date Approved: 12th March 2019



DOCUMENT HISTORY (Procedural document version numbering convention will follow the following format. Whole numbers for approved versions, e.g. 1.0, 2.0, 3.0 etc. With decimals being used to represent the current working draft version, e.g. 1.1, 1.2, 1.3, 1.4 etc. For example, when writing a procedural document for the first time – the initial draft will be version 0.1)

| Date of Issue | Version No. | Date Approved | Director Responsible | Nature of Change; Ratification / Approval |
|---|---|---|---|---|
| 31 Mar 12 | | 29 Mar 12 | Director of Finance | Logo & wording to meet new organisation |
| Nov 12 | 3.1 | | Director of Finance | Updating for NHSLA requirements |
| Oct 13 | 4.1 | | FT Programme Director / Company Secretary | Annual review to comply with IG Toolkit requirements |
| Oct 14 | 5.1 | | FT Programme Director / Company Secretary | Annual review to comply with IG Toolkit requirements |
| 29 Oct 14 | 5.1 | | FT Programme Director / Company Secretary | Ratified at IG Steering Group |
| 17 Nov 14 | 5.1 | | FT Programme Director / Company Secretary | Ratified via voting buttons at Risk Management Committee |
| 16 Dec 14 | 5.1 | | FT Programme Director / Company Secretary | Ratified at Policy Management Group |
| 15 Dec 14 | 6 | 15 Dec 14 | FT Programme Director / Company Secretary | Approved at Trust Executive Committee |
| 5 Oct 15 | 6.1 | | FT Programme Director / Company Secretary | Putting policy into new format. |
| 16 Dec 15 | 6.1 | | FT Programme Director / Company Secretary | For ratification Risk Management Group |
| 19 Jan 16 | 6.1 | | FT Programme Director / Company Secretary | For ratification Policy Management Group |
| 28 Jan 16 | 7.0 | 28 Jan 16 | FT Programme Director / Company Secretary | For Approval Trust Executive Committee |
| 4 Aug 16 | 7.1 | | Company Secretary | For ratification IG Steering group |
| 13 Sep 16 | 8 | 13 Sep 16 | Company Secretary | For Approval Corporate Governance and Risk Sub Committee |
| 6 Oct 16 | 9 | | Company Secretary | For interim ratification Information Governance Steering Group |
| 11 Oct 16 | 9 | 11 Oct 16 | Company Secretary | Final approval Corporate Governance and Risk Sub committee |
| Mar 2019 | 9.1 | | Director of Finance Estates and IM&T / Deputy CEO | Policy Review and updated with current changes |
| 12 Mar 19 | 10 | 12/03/2019 | Director of Finance Estates and IM&T / Deputy CEO | Approved subject to endorsement at IGSC below; Policy Management Sub-Committee |
| 14 Mar 19 | 10 | | Director of Finance Estates and IM&T / Deputy CEO | Endorsed at Information Governance Sub-Committee |

NB This policy relates to the Isle of Wight NHS Trust hereafter referred to as the Trust.


Contents

1 Executive Summary

2 Introduction

3 Definitions

4 Scope

5 Purpose

6 Roles and Responsibilities

7 Policy detail/Course of Action

7.1 Information Risk Management (please see Trust Risk Management Strategy and Policy)

7.2 Subject Access Provisions

7.3 Freedom of Information Act 2000 requests, including Environmental Information Regulations 2004 (please see Freedom of Information Standard Operating Procedure)

7.4 Principles

8 Openness and Transparency

8.1 NHS Constitution (revised October 15)

8.2 NHS Care Records Guarantee

9 Legal Compliance

9.1 Information Security

9.2 Information Quality Assurance (please see Data Quality Policy)

9.3 Records Management (Please see Records Management Policy, Health and Care Records Policy and Records Management Code of Practice for Health and Social Care 2016)

9.4 Safe Transfer and Receipt of Personal information (Please see Partnership Information Sharing Framework, service specific Operational Information Sharing Agreements and Safe Havens Procedure)

10 Consultation

11 Training

12 Monitoring Compliance and Effectiveness

13 Links to other Trust Documents

14 References

15 Appendices


1 Executive Summary

The Trust is required to achieve, on an annual basis, ‘standards met’ compliance with the Data Security Protection Toolkit (DSPT) by demonstrating that its information governance systems and processes are robust and embedded across the organisation. Incorporated within this is the requirement to have an Information Governance Policy in place at the Trust.

The Trust fully acknowledges its responsibilities in relation to information governance and this policy sets out the framework the Trust uses in order to ensure good information governance. The Trust defines its Information Governance Framework as the management and accountability structures, governance processes, documented policies and procedures, training requirement and other resources in place to safely, securely and effectively manage information in line with requirements. Therefore this policy sets out the following for the Trust:-

1. Information Governance Management and Accountability Structures

2. Information Governance Processes

3. Linked or Associated Policies and Procedures

4. Training requirements for all staff

5. Additional Resources

The Trust recognises that inherent in delivering healthcare services are risks associated with effective Information Governance, therefore this policy sets out the activities and processes that must be undertaken at all levels across the Trust, to seek to manage these risks, from early identification to mitigation.

The Trust recognises that Information is a vital asset, particularly in relation to the delivery of effective clinical services for our patients and service users. It is therefore imperative that the Trust has in place robust systems and processes to ensure the safety, security and where appropriate accessibility of this information in order to enhance effective patient care, whilst promoting confidence across the full range of stakeholders in relation to our ability to manage information safely, securely and effectively. Information Governance extends beyond simply safeguarding patient health records and employment records relating to staff; indeed, Information Governance encompasses numerous other components, and these are explained in more detail later in this document.

2 Introduction

As indicated above, robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the DSPT as the organisation’s Information Governance Management Framework.

The policy sets out the Trust’s Information Governance Framework, and what staff are required to do in order to comply.


Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. Information Governance (IG) plays a key role in clinical governance, service planning, performance and business management.

It is therefore of paramount importance to ensure that information is efficiently managed and that the Trust has in place appropriate policies, procedures and management accountabilities to ensure that all information risks are identified and addressed at the earliest opportunity. The Trust IG framework sets out what staff are required to do in order to process Person Identifiable Data (PID) / Personal Confidential Data (PCD) and business/commercially sensitive information in a confidential and secure manner that complies with the appropriate ethical and quality standards. IG covers an extensive range of information types through what is known as the information lifecycle. This lifecycle essentially relates to how information is used across the Trust from its initial capturing, through how the information is used, shared, stored and accessed, through to archiving and eventual destruction in accordance with the Department of Health Records Retention schedules. Please see Records Management Policy and the Records Management Code of Practice for Health and Social Care 2016 which the Trust has adopted in full.

3 Definitions

The following definitions have been adopted by the Trust:-

3.1 Health Record: A Health Record may be defined as any information (including emails between colleagues), created or gathered about an individual in relation to the delivery of healthcare by health professionals within the NHS. Such information can be held in either paper or electronic format and can include written documents, images, auditory and visual recordings. This variety of media is managed in multiple areas within the Trust depending on the type of care delivered e.g. Acute Health Records and Mental Health records for the same individual may be held in separate locations.

3.2 Data Security Protection Toolkit (DSPT)

The DSPT is the newly introduced replacement for the Information Governance Toolkit (IGT). As previously with the IGT, the DSPT is an annual self-assessment to be undertaken by health care providers in line with the Department of Health requirement. Its purpose is to evidence the level of compliance an organisation can demonstrate against very specific IG criteria. The Trust must achieve ‘standards met’ compliance as a minimum on an annual basis.

3.3 Senior Information Risk Officer (SIRO)

The Trust SIRO must be an Executive Director or member of the Senior Management Board. The SIRO has overall responsibility for the Trust’s Information Governance Policy. The SIRO is responsible for ensuring that information risks are managed effectively, and advises the Board on the effectiveness of risk management across the Trust.


The SIRO will act as champion for information risk on the Board and provide written advice on the content of the Trust’s Statement of Internal Control in regard to information risk. The SIRO must understand the strategic business goals of the Trust and how other organisations’ business goals may be impacted by information risks, and how those risks may be managed.

3.4 Information Assets

Consist of operating systems; infrastructure; business applications; off-the-shelf products; services; user-developed applications; records and information.

3.5 Information Risks/Issues/Incidents

The Trust distinguishes between risks, issues, and incidents in order to support effective decision making.

1. Risk = a chance or possibility that an event might happen.

2. Issue = a problem that has arisen, that may cause negative consequences now or into the future.

3. Incident = any event (one off) which has given rise to potential or actual harm or injury, to patient dissatisfaction, or to damage/loss to property.

The Trust defines information risks/issues as those that relate to the safety and security, accessibility, usability, validity, and reliability of information.

3.6 Senior Information Asset Owners (SIAO)

Are accountable directly to the SIRO for all IG related work initiatives and assurance/compliance reporting and are responsible for ensuring that they delegate department or business area functions to their nominated Information Asset Owners.

3.7 Information Asset Owners (IAOs)/Information Risk Lead

The Information Risk Lead is the person assigned lead responsibility for the identification, assessment and control of risk to business information and information systems across their areas of responsibility. Information Asset Owners have been identified as the information risk leads for their portfolios. IAOs are directly accountable to the Senior Information Risk Owner and must provide assurance that information risk is being managed effectively in respect of the information assets that they ‘own’ and across their areas of responsibility. IAOs may be assigned ownership of several assets within the organisation, and this will be captured on the Trust Information Asset Register. The register of IAOs is held and maintained by the Information Governance department, and is available to staff on request. IAOs operate as Data Custodians across their areas of responsibility.

3.8 Information Asset Administrators (IAAs)

IAAs assist the IAOs in delivering the information risk assurance and have day to day responsibilities for management of information risks affecting specific information assets. IAAs are operational members of staff who understand and are familiar with information risks in their area or department, e.g. Security Managers, Records Managers, Data Protection Officers, and Internal Audit. IAAs will implement the Trust’s Information Governance Policy, and risk assessment process for those information assets they support. They will provide assurance reports to the relevant IAO as required. The register of IAAs is held and maintained by the Information Governance department, and is available to staff on request.

3.9 Caldicott Guardian / Medical Director

The Caldicott Guardian has responsibility for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. Caldicott Guardians were mandated for NHS organisations by Health Service Circular HSC 1999/012 and later for social care by Local Authority Circular LAC 2002/2. General practices are required by regulations to have a confidentiality lead.

3.11 Person Identifiable Data (PID)

PID is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

3.12 Personal Confidential Data (PCD)

PCD is personal information about identified or identifiable individuals, which must be kept private or secret and includes both living and deceased individuals. Confidential includes both information 'given in confidence' and 'that which is owed a duty of confidence' and is expanded further to include 'special category data' as defined in the Data Protection Act 2018.

3.13 General Data Protection Regulations and Data Protection Act 2018

The General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA 2018) set out the provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, using or disclosing of such information. Under this legislation the Trust is required to register with the Information Commissioner as a Data Controller.

Article 5 of the GDPR and DPA 2018 establishes the principles relating to processing of personal data and these replace the previous eight principles under DPA 1998.

Article 5 EU GDPR "Principles relating to processing of personal data"

Personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

4 Scope

This Policy applies to all staff and volunteers including agency, locum or seconded staff. It also applies to all sub-contractors and those providing a service to the Trust. This policy extends to cover all areas where the Trust owes a statutory duty of care and responsibility to employees, patients and visitors and the public in general. It outlines the process for managing IG and defines the information risk management arrangements in place at the Trust. IG comprises multiple elements of law and policy from which applicable IG standards are derived. It encompasses legal requirements, statutory guidance, best practice in information processing and information sharing including:

The Common Law Duty of Confidentiality

General Data Protection Regulations (GDPR)

Data Protection Act 2018

Freedom of Information Act 2000

Access to Health Records Act 1990

Human Rights Act 1998

Caldicott Principles

Information Security

Information Quality

Records Management Code of Practice for Health and Social Care 2016.

5 Purpose

The purpose of this policy is to set out the management and accountability structures, governance processes, linked policies and procedures, training requirement and other resources in place to safely, securely and effectively manage information in line with requirements. It also sets out the Trust’s approach to the management of information risks, from identification through to mitigation.


6 Roles and Responsibilities

In order to ensure the Trust has in place a robust IG Management Framework, specific roles or groups have specific responsibilities as set out below:-

6.1 Trust Board

The Trust Board are ultimately accountable for ensuring the Trust operates effective IG arrangements, and that information risks are being effectively addressed; however, they have delegated responsibilities to certain individuals and Committees as outlined below.

6.2 Chief Executive (CEO)

The CEO has overall responsibility for the standards of IG in the Trust. As the Accountable Officer they are responsible for the management of information, and information risks across the organisation and for ensuring that appropriate mechanisms are in place to support service delivery and continuity. The CEO has delegated operational responsibility for IG to the Director of Finance in the role of SIRO.

6.3 Senior Information Risk Owner (SIRO)

The SIRO is responsible for managing information risk in the Trust and will implement and lead the NHS IG risk assessment and management of information risk via the Information Risk Management Structure. They will also advise the Trust Board and other relevant committees on the effectiveness of IG and information risk mitigation and provide written advice to the Accountable Officer regarding the information risk elements of their Annual Governance Statement. The SIRO will advise the Trust on matters relating to IG Risk. The SIRO has delegated responsibility for the production, implementation and on-going monitoring of the Trust IG Policy to the IG Lead Officer.

[Figure: organisational chart showing Trust Board (Strategy); Trust Leadership Committee (oversight of strategy); Assurance Risk & Compliance Committee (Decision making); Information Governance Sub-Committee (Operational); Information Asset Owner Forum; Performance Committee (Board Assurance)]


The SIRO has delegated responsibility for the oversight and management of compliance with the Trust annual DSPT submission to the Deputy Director of Information.

6.4 Trust Leadership Committee

The Trust Leadership Committee (TLC) has responsibility for overseeing delivery of the Trust overarching strategy and any underpinning strategies, including the Information Governance Strategy. As such they will receive exception based reports from the ARCC in relation to the Trust’s Information Governance Framework. Their role will be to remove barriers to the successful delivery of the Information Governance Strategy.

6.5 Assurance Risk and Compliance Committee (ARCC)

The Assurance Risk and Compliance Committee are responsible for ensuring that sufficient resources are provided to support the requirements of this policy and the wider IG agenda. They will be updated on IG issues via reports from the IGSC or individual IG officers. They will review all corporate risks, including information risks.

6.6 Information Governance Sub Committee (IGSC)

The IGSC have a number of responsibilities across the Trust including:-

Monitoring compliance with IG requirements across the Trust, reporting to the Executive Led Governance and Assurance Committee.

o Compliance with statutory timescales for requests for records as permitted under the Data Protection Act 2018.

o Freedom of Information Act request compliance

o Environmental Information Regulations compliance

o DSPT (including the annual work plan)

o IG related audits

o IG incidents.

o Information risks

Reviewing IG related policies, and procedures and ensuring they are fit for purpose prior to submission for final ratification and approval.

6.7 Information Asset Owner Forum

The Information Asset Owner Forums are designed to support IAOs to discharge their duties effectively; therefore they operate as an action learning set for IAOs to share best practice in a mutually supportive environment. In addition the Information Asset Owner Forums are designed to support the cascade of relevant Information Governance information or developments across the breadth of the organization, with IAOs taking a lead role in disseminating messages across their areas of responsibility. New policies or procedures relating to IG will be discussed within this forum in order that IAOs can cascade them across their teams. The IAO Forums will be used to proactively discuss and identify information risks.

6.8 Health Records Group

The Health Records Group ratifies and approves clinical forms and templates, including clinical pathways, but may also be consulted in relation to other clinical documents. Therefore they have a fundamental role to play in lifecycle management and robust records management.


6.9 Caldicott Guardian (CG) / Executive Medical Director

The CG has a particular responsibility under the Caldicott Recommendations 1997 and Caldicott2 (2013) for reflecting patients’ interest regarding the use of PID and for ensuring PID is only shared appropriately and securely throughout the Trust. The CG acts as the conscience of the Trust in matters regarding data confidentiality and sharing. They work as part of a broader IG function across the Trust and support effective decision making regarding appropriate data sharing.

6.10 Corporate Governance Team Manager

The Corporate Governance Team Manager is responsible for the oversight and management of the IG department across the Trust under the leadership and direction of the Head of Corporate Governance.

6.11 Information Governance Lead and Data Protection Officer (IGLO/DPO)

The IG Lead Officer provides advice to all staff and on occasion external stakeholders on legal requirements and best practice in information governance. The IGLO will review all identified information risks and provide advice and guidance to risk owners on appropriate mitigation activities. They will actively support the identification of information risks.

6.12 Information Officer

The Information Officer is responsible for supporting the Corporate Governance Team Manager to ensure compliance with the IG Toolkit through the effective collation of all supporting evidence.

6.13 Information Asset Owners (IAOs)

The IAOs are senior individuals responsible for maintaining good IG arrangements and standards within the relevant business / service areas of the Trust. The roles of the IAOs are set out within the IAO Job Description addendum, which is available via the IAO page on the Trust intranet. Their role includes but is not limited to the following:-

Ensure compliance with relevant policies and procedures across their areas of responsibility.

Ensure that staff are clear on what is required of them, through the effective use of policies, standard operating procedures, information sharing agreements etc.

Identify, analyse, record and address the information risks across their areas of responsibility.

Provide assurance to the SIRO, in relation to the security and use of any information assets and that any information risks are being appropriately mitigated.

Ensure that all aspects relating to the information lifecycle of its record holdings (clinical and non-clinical) are appropriately managed.

Maintain their own levels of competence, through attendance at relevant training etc.

6.14 Information Asset Administrators (IAAs)


The IAAs will provide support to their IAOs. To do this they will:

Ensure that policies and procedures are in place and being followed;

Recognise potential or actual security/information incidents;

Consult their IAO on incident management;

Ensure that information asset registers, flow maps and information sharing agreements are accurate, and kept up-to-date;

Assist with DSPT related work plans individual to specific areas.

Support the identification and, where appropriate, mitigation of information risks.

6.15 Managers

Managers are responsible for the following:-

Managers are expected to take ownership of, and seek to improve the quality of information within their services, which may include undertaking or coordinating audits.

Proactive records management, including archiving and destruction in line with the NHS Records Management Code of Practice for Health and Social Care 2016.

Review and sign off of IG incidents relating to their areas of responsibility, seeking support from key specialists as required.

Ensuring their staff complete annual mandatory Data Security Awareness training.

Identifying information risks through the annual business planning cycle, or as they arise.

Supporting the IG functions of the Trust namely the Information Risk Management structure and processes.

Engage with and support developments in systems and processes across the Trust.

6.16 Information Communication and Technology (ICT)

Support the IG agenda through active participation and ensuring compliance with the DSPT requirements, and communicating requirements effectively across the Trust. Ensure that all systems supported by ICT used across the breadth of the Trust comply with the information security requirements of the DSPT.

6.17 All staff

All staff (permanent, temporary or contracted), or volunteers, are responsible for ensuring that they are aware of the requirements of this policy and adhere to them, including:-

Ensuring compliance with the Confidentiality Code of Practice, including paying due regard to all forms of communication including verbal, email and other forms of records.

Ensuring compliance with Trust processes relating to requests for records and Freedom of Information requests including coordination of provision of records to the IG department.

Exemplary records management in line with the Trust’s Records Management Policy.

Report all IG Incidents in line with the Trust’s Incident Management Policy.

In order to comply with the DSPT all staff are required to undertake Data Security Awareness training on an annual basis in order to support them in understanding their responsibilities and processing information securely.

It is recognised that the majority of Trust staff handle information in one form or another on a daily basis to:-

Provide healthcare services to the general public

Pay healthcare professionals for the care provided

Carry out clinical audit

Teach and train healthcare professionals

Audit NHS accounts and services

Investigate complaints, legal claims or incidents

Ensure services can meet patients’ future needs

Prepare statistics on NHS performance

Conduct health research and development

Manage staff at any point in their tenure with the Trust for example, recruitment, sickness absence, supervision and appraisal, monitoring of mandatory training etc.

Staff who, in the course of their work, create, use or otherwise process information have a duty to keep up to date and adhere to relevant legislation, case law and national guidance.

“All NHS records are public records under the terms of the Public Records Act 1958 sections 3 (1)–(2). The Secretary of State for Health and all NHS organisations have a duty under the Public Records Act to make arrangements for the safekeeping and eventual disposal of all types of their records. This is carried out under the overall guidance and supervision of the Keeper of Public Records, who is answerable to Parliament”.

It is imperative that Trust staff keep consistent, contemporaneous, accurate, factual records, in order to enable the delivery of excellent patient care.

6.18 Volunteer Coordinator

The Volunteer Coordinator will ensure that all volunteers sign a Volunteers Agreement, and understand what is required of them in relation to IG through participating in the appropriate training.

6.19 Volunteers

All volunteers will be required to sign a volunteer agreement which will include a statement explaining their responsibilities relating to IG. However, in principle volunteers are required to adhere to all requirements as per other staff listed above.

6.20 Contract and Procurement, including South of England Procurement Service

The Contracts and Procurement teams will ensure that all sub-contractors have signed any relevant documentation in relation to how they will comply with IG requirements prior to commencing work for the Trust or on Trust premises. They will also ensure that sub-contractors are aware of how to report incidents, issues or risks.

6.21 Sub-Contractors

All sub-contractors are required to show due regard to the requirements of the DPA 2018 and the Common Law Duty of Confidentiality, and will be required to sign either an NHS Contract, a Memorandum of Understanding or a Confidentiality Agreement depending on the nature and degree of their involvement with the Trust.

7 Policy detail/Course of Action

The following section of this document sets out the processes to be followed in order to ensure good IG is implemented.

7.1 Information Risk Management (please see Trust Risk Management Strategy and Policy)

The aim of Information Risk Management is to:

Protect the Trust, its staff and its patients from information risks.

Provide a consistent risk management framework in which information risks will be identified, considered and addressed in key approval, review and control processes;

Encourage proactive rather than reactive risk management;

Provide assistance to, and improve the quality of, decision making throughout the Trust;

Meet legal and/or statutory requirements; and

Assist in safeguarding the Trust’s information assets.

The Trust has in place a Risk Management Strategy and Policy which sets out in detail the various stages in effective risk management, which include:-

Recognition or identification of risks.

Evaluation of risks.

Recording of risks.

Responding to risks (tolerate, treat, transfer, terminate).

Reviewing risks.

Reporting and monitoring of risk management activities and performance.

Reviewing the risk management framework

The stages outlined above are also applicable to the management of information risks, and as such IAOs must ensure they are familiar with the Risk Management Strategy and Policy and able to demonstrate compliance.

The Trust Risk Management Strategy and Policy acknowledges that risk identification should be a dynamic activity, i.e. risks should be identified as they arise, not through an annualised risk assessment process. Therefore IAOs must remain vigilant to the identification of risks at all times; regular discussion during IAO Forums will support IAOs to keep information risk management at the forefront of their minds.

However, it is acknowledged that certain activities will actively support the proactive identification of information risks, and as such risk and issue identification must be undertaken by the IAOs or their representatives as part of the following activities:-

Annual Business Planning, and creation of the Business Plan

Annual Business Continuity Planning and creation of the Business Continuity Plan

6 monthly review of the Information Asset Register

6 monthly review of the Information Flow Map

Annual Budget setting process

Quarterly IAO Forum reviews of IG incidents, complaints, and claims

Internal, and external audit findings and action plans

Stakeholder feedback i.e. CQC, commissioners, other providers.

Annual reviews of contractual arrangements.

The Trust recognises that information risk is inherent in all administrative and business activities and individuals working for or on behalf of the Trust must continuously seek to mitigate such risks where possible. Further to this, the Trust recognises that the aim of information risk management is not to eliminate all information risk, but rather to provide the structural means to identify, prioritise and manage the information risks associated with the Trust’s activities. Successful information risk management requires a balance between the cost of managing and treating information risks and the anticipated benefits that will be derived.

Information risk management is an essential element of IG and is an integral part of good management practice. The intention is to embed information risk management in a very practical way into business processes and functions.

In line with the Trust Risk Management Strategy and Plan, information risks will be divided into 3 tiers, Principal, Corporate and Operational risks, and will be reported through the Trust Executive meeting structure as below:-

Principal information risks will be reviewed by the Trust Board.

Corporate information risks will be reviewed by the Corporate Governance and Risk Sub Committee, and the Finance, Investment, Information and Workforce Committee.

Operational information risks will be reviewed at the Corporate Governance and Risk Sub Committee, and the Information Governance Steering Group.

7.1.1 Information Risk Management (IRM)

The Trust is required to have in place an Information Risk Management structure and associated processes as part of the annual Department of Health (DoH) DSPT requirements. The purpose of this structure is to identify information assets utilised across the Trust and assign ownership of individual assets to senior accountable staff. These accountable staff are in turn required to ensure that all information risks and issues are recorded on the Trust risk management system DATIX, and this must include detail of any associated action plans.

Executive Directors will own all Principal information risks. Information Asset Owners will own all Corporate information risks and Information Asset Administrators will own all Operational information risks.

This structure ensures that responsibility for all aspects of IG and risk is assigned to the appropriate IAO, who will be supported by identified IAAs. The latest Information Risk Management structure is available from the Information Governance department on request.

7.2 Subject Access Provisions

Subject Access Requests (please see Subject Access Request Standard Operating Procedure)

Under DPA 2018, data subjects have a right to request any data or information held by the Trust. Within the Trust, all requests are centrally managed and on receipt of any such request it must be directed to the IG Department. Under DPA 2018 the Trust is required to process and complete all valid Subject Access Requests within one calendar month.

Access to Health Records Act 1990 (AHRA)

Certain individuals have a right to request data or information held by the Trust relating to deceased data subjects. Within the Trust, all such requests are centrally managed and on receipt of any such request it must be directed to the IG Department. Under the Access to Health Records Act the Trust is required to process and complete all valid requests within 40 days.

The IG Department follows robust Standard Operating Procedures relating to both of these Acts, and these are available on the Trust intranet within the IG pages. Staff are required to assist in the provision of any identified records/information and supply them in a timely manner to the IG department in order to ensure compliance with the timescales associated with both of these Acts.

[Diagram, top to bottom: Accountable Officer (Chief Executive); SIRO (Director of Finance); IAO (Senior Managers); IAA]

7.3 Freedom of Information Act 2000 requests, including Environmental Information Regulations 2004 (please see Freedom of Information Standard Operating Procedure)

The Freedom of Information Act 2000 (FOIA) provides access to information held by public authorities subject to a number of exemptions. For the purposes of this Act the Trust is regarded as a public authority. The Trust is obliged to publish certain information about its activities and any individual is entitled to request specific information from the Trust. Within the Trust, FOIA requests are centrally managed and on receipt of any such request it must be directed to the IG Department. All valid requests must be processed and completed within 20 days and as such it is imperative that the IG Department is notified of requests at the earliest opportunity.

The Trust has in place a structure of Freedom of Information Leads (FOILs) who as part of their responsibilities are required to provide any identified data/information relating to their areas of responsibility and supply this in a timely manner to the IG department, in order to ensure compliance with the timescales associated with the Act. In addition, the Trust has in place a structure of FOI approvers who will approve the data or information provided by the FOILs in order to respond to a request relating to their areas of responsibility prior to disclosure of the information to the applicant.

The Environmental Information Regulations 2004 (EIR) make provision, subject to a number of exceptions, for the dissemination of environmental information by public authorities and for public authorities to make available environmental information in response to a request for information. Within the Trust, all such requests are centrally managed and on receipt of any such request it must be directed to the IG Department. All valid requests must be processed and completed within 20 days and as such it is imperative that the IG Department is notified of requests at the earliest opportunity.

FOILs and Approvers are required to assist in the provision of any identified data/information and supply this in a timely manner to the IG department in order to ensure compliance with the timescales associated with this Act.

7.4 Principles

The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information in order to provide patient care and service management, taking into consideration its legal, statutory and best practice obligations.

The Trust fully supports the principles of Corporate Governance, and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements required to safeguard, both personal information about patients and staff as well as commercially sensitive information. Therefore the Trust adopts the Department of Health Confidentiality Code of Practice, which can be located on the Trust intranet.

Whilst recognising the need for confidentiality the Trust recognises the need to share patient information with other health organisations and agencies in a controlled manner, on a relevant and proportionate basis. This is consistent with the interests of the patient and, in some circumstances, the public interest in line with relevant legislation, including legislation relating to safeguarding children, adults and the public. To support staff in decision making in relation to when it is appropriate to share information the Trust has in place a number of policies and procedures as per the linked document section below, which can be found on the Trust intranet.

The Trust recognises that accurate, timely and relevant information is essential in order that:-

The Trust can deliver high quality healthcare.

The Trust can demonstrate achievement of key performance indicators.

The Trust can meet its financial obligations, including those relating to the reporting of accurate financial information.

As such, it is the responsibility of all staff to ensure the quality of information and to actively use appropriate information in decision-making processes.

There are five key interlinked strands to this Information Governance and Risk Policy:

Openness & Transparency

Legal Compliance

Information Security

Quality Assurance

Records Management.

8 Openness and Transparency

The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. Information will be defined and where appropriate kept confidential, in line with the principles of Caldicott (as subsumed within the DoH Confidentiality Code of Practice) and the legal responsibilities outlined in the DPA 2018 and the Freedom of Information Act 2000.

8.1 NHS Constitution (revised October 15)

The NHS Constitution sets out a number of principles with which all NHS Trusts are expected to comply. Of particular relevance for IG is the principle relating to Respect, Consent and Confidentiality, which sets out what patients can expect, as below.

Respect, Consent and Confidentiality

1. You have the right to be treated with dignity and respect, in accordance with your human rights.

2. You have the right to be protected from abuse and neglect, and care and treatment that is degrading.

3. You have the right to accept or refuse treatment that is offered to you, and not to be given any physical examination or treatment unless you have given valid consent. If you do not have the capacity to do so, consent must be obtained from a person legally permitted to act on your behalf, or the treatment must be in your best interests.

4. You have the right to be provided with information about the test and treatment options available to you, what they involve and their risks and benefits.

5. You have the right of access to your own health records and to have any factual inaccuracies corrected.

6. You have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure.

7. You have the right to be informed about how your information is used.

8. You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

The NHS Constitution states that the NHS pledges to do the following:-

NHS pledges

1. To ensure those involved in your care and treatment have access to your health information so they can care for you safely and effectively;

2. That if you are admitted to hospital, you will not have to share sleeping accommodation with patients of the opposite sex, except where appropriate, in line with details set out in the Handbook to the NHS Constitution;

3. To anonymise the information collected during the course of your treatment and use it to support research and improve care for others;

4. Where identifiable information has to be used, to give you the chance to object wherever possible;

5. To inform you of research studies in which you may be eligible to participate;

6. To share with you any correspondence sent between clinicians about your care;

7. Offer you easily accessible, reliable and relevant information in a form you can understand, and support to use it. This will enable you to participate fully in your own healthcare decisions and to support you in making choices. This will include information on the range and quality of clinical services where there is robust and accurate information available.

8.2 NHS Care Records Guarantee

The NHS Care Records Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers individuals’ access to their own records; controls on others’ access; how access will be monitored and policed; options individuals have to further limit access; access in an emergency; and what happens when an individual cannot make decisions for themselves. Everyone who works for the NHS, or for organisations delivering services under contract to the NHS, must comply with this guarantee. This is available to staff via the Trust intranet.

The Trust follows established procedures to deal with queries from patients and the public ensuring compliance with IG requirements.

9 Legal Compliance

The Trust will:

Regard all PID / PCD relating to patients as confidential;

Regard all PID relating to staff as confidential except where national policy on accountability and openness requires otherwise;

Undertake or commission annual assessments and audits of its compliance with legal requirements;

Establish and maintain policies to ensure compliance with the DPA 2018, Human Rights Act 1998 and the Common Law Duty of Confidentiality;

Establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).

9.1 Information Security

The key statutory requirement for NHS compliance with the Information Security Management principles is the DPA 2018 and in particular:

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

In order to ensure compliance with this principle the Trust will:

Ensure all systems used across the breadth of the Trust comply with the requirements of the DSPT;

Establish and maintain policies for the effective and secure management of its information assets and resources;

Commission an internal audit programme which includes an annual audit of compliance with the DSPT.

These responsibilities rest with the Information Security Manager.

9.2 Information Quality Assurance (please see Data Quality Policy)

Managers are expected to take ownership of, and seek to improve, the quality of information within their services in line with the Data Quality Policy. Wherever possible the validity and reliability of information should be confirmed at the point of collection or creation. In order to ensure that the Trust is able to utilise data effectively, and communicate with others in a meaningful way, it complies with the NHS Data Model and Dictionary. The Trust recognises the importance of high quality data and as such data quality and clinical coding form part of the annual internal audit programme with reporting through the Trust Performance Committee.

9.3 Records Management (Please see Records Management Policy, Health and Care Records Policy and Records Management Code of Practice for Health and Social Care 2016)

All NHS records and most other information held by the Trust are regarded as Public Records under the Public Records Acts. The Trust will take action as necessary to comply with its legal and professional obligations in relation to records management as set out within the Trust Records Management Policy and Records Management Code of Practice for Health and Social Care 2016, available to staff via the Trust intranet. The Trust will ensure that all aspects relating to the information lifecycle of its record holdings (clinical and non-clinical) are appropriately managed. This is a responsibility of the IAOs as part of their ongoing duties associated with the record management expectations under the Information Risk Management Structure.

9.4 Safe Transfer and Receipt of Personal information (Please see Partnership Information Sharing Framework, service specific Operational Information Sharing Agreements and Safe Havens Procedure)

The Trust recognises that in order to provide safe and effective care it will be necessary on occasion to transfer or receive PID from other organisations. The principles associated with this are set out in the Partnership Information Sharing Framework which is available via the Trust intranet. This framework sets out the correct process to follow when considering the sharing of PID, from the original decision making process where a Data Protection Impact Assessment (DPIA) will be required, through to the creation of an Operational Information Sharing Agreement, which sets out the legal basis on which the information can be shared and how this can be achieved safely. Once agreement has been reached regarding the sharing of information, this must then be included in the relevant flow map, owned by the department IAO.

The Trust also has in place a safe haven procedure, which sets out how the Trust can receive PID safely; this includes detail on how PID can be received including the transcribing of phone messages, fax in-trays, electronic mailboxes, pigeon holes and in-trays for paper information.

10 Consultation

This policy has been reviewed in consultation with the SIRO and IAOs who are responsible for supporting the SIRO in delivery of the Information Risk Management agenda.

11 Training

The Trust has in place a mandatory training schedule that relates to IG and Data Security Awareness which is role specific. This is reflected in the annual IG Training Needs Analysis document, which is available on request from the IG Department. Required training is also reflected in staff individual training profiles.

12 Monitoring Compliance and Effectiveness

The IGSC are tasked with monitoring compliance with this policy, and will exception report to the Corporate Governance and Risk Sub Committee and the Finance, Investment, Information and Workforce Committee as appropriate.

13 Links to other Trust Documents

Health and Care Records Policy

Misplaced Clinical Records Procedure

Records Management Policy

Records Management Code of Practice for Health and Social Care 2016

Confidentiality - Code of Practice

Incident Reporting and Management Policy (to be read in conjunction with SIRI Policy and Procedures)

Being Open Policy and Process

Information Security Management Code of Practice

Partnership Information Sharing Framework (Multi agency)

Operational Information Sharing Agreements (service specific)

Privacy Impact Assessments

Best Practice in Clinical Record Keeping

Safeguarding Adults – Multi Agency Policy, Guidance and Toolkit

Safeguarding Children and Young People Policy

Information Governance Third Party Policy

Safe Havens Procedure.

Risk Management Strategy and Policy

14 References

Public Records Act 1958 and 1967

Access to Health Records Act 1990

General Data Protection Regulations

Data Protection Act 2018

Freedom of Information Act 2000

Environmental Regulations 2004

The Records Management Code of Practice for Health and Social Care 2016

Caldicott Reviews of Patient Identifiable Information 1997, 2012 and 2016

Department of Health: Confidentiality Code of Practice 2003

Department of Health: Confidentiality Code of Practice Supplementary Guidance – Public Interest Disclosures 2010

NHS Connecting for Health Information Governance Toolkit

Environmental Information Regulations 2004

Human Rights Act 1998

Re-Use of Public Sector Information

The NHS Constitution updated October 2015

15 Appendices

Appendix A Financial and Resourcing Impact Assessment

Appendix B Equality Impact Assessment

Appendix A

Financial and Resourcing Impact Assessment on Policy Implementation

NB this form must be completed where the introduction of this policy will have either a positive or negative impact on resources. Therefore this form should not be completed where the resources are already deployed and the introduction of this policy will have no further resourcing impact.

Document title

Information Governance and Risk Policy

Totals WTE Recurring £ Non-Recurring £

Manpower Costs (no change) N/A N/A N/A

Training Staff (no change) N/A N/A N/A

Equipment & Provision of resources (no change) N/A N/A N/A

Summary of Impact:

Risk Management Issues:

Benefits / Savings to the organisation:

Equality Impact Assessment

Has this been appropriately carried out? YES

Are there any reported equality issues? NO

If “YES” please specify:

Use additional sheets if necessary

Please include all associated costs where an impact on implementing this policy has been considered. A checklist is included for guidance but is not comprehensive so please ensure you have thought through the impact on staffing, training and equipment carefully and that ALL aspects are covered.

Manpower WTE Recurring £ Non-Recurring £

Operational running costs N/A N/A N/A

Totals:

Staff Training Impact Recurring £ Non-Recurring £

Totals: N/A N/A


Equipment and Provision of Resources Recurring £ * Non-Recurring £ *

Accommodation / facilities needed N/A N/A

Building alterations (extensions/new) N/A N/A

IT Hardware / software / licences N/A N/A

Medical equipment N/A N/A

Stationery / publicity N/A N/A

Travel costs N/A N/A

Utilities e.g. telephones N/A N/A

Process change N/A N/A

Rolling replacement of equipment N/A N/A

Equipment maintenance N/A N/A

Marketing – booklets/posters/handouts, etc. N/A N/A

Totals: N/A N/A

Capital implications £5,000 with life expectancy of more than one year.

Funding / costs checked & agreed by finance: N/A

Signature & date of financial accountant: N/A

Funding / costs have been agreed and are in place: N/A

Signature of appropriate Executive or Associate Director: N/A


Appendix B

Equality Impact Assessment (EIA) Screening Tool

1. To be completed and attached to all procedural/policy documents created within individual services.

2. Does the document have, or have the potential to deliver differential outcomes or affect in an adverse way any of the groups listed below? If no, confirm underneath in the relevant section the data and/or research which provides evidence, e.g. JSNA, Workforce Profile, Quality Improvement Framework, Commissioning Intentions, etc. If yes, please detail underneath in the relevant section, provide a priority rating and determine if a full EIA is required.

Gender

Positive Impact Negative Impact Reasons

Men NA NA Sets out how the Trust complies with the law

Women NA NA Sets out how the Trust complies with the law

Race

Asian or Asian British People NA NA Sets out how the Trust complies with the law

Black or Black British People NA NA Sets out how the Trust complies with the law

Chinese people NA NA Sets out how the Trust complies with the law

People of Mixed Race NA NA Sets out how the Trust complies with the law

Document Title: Information Governance Risk Policy

Purpose of document: Set out how the Trust seeks to mitigate IG Risks

Target Audience: All staff

Person or Committee undertaking the Equality Impact Assessment: Lucie Johnson


White people (including Irish people) NA NA Sets out how the Trust complies with the law

People with Physical Disabilities, Learning Disabilities or Mental Health Issues NA NA Sets out how the Trust complies with the law

Sexual Orientation

Transgender NA NA Sets out how the Trust complies with the law

Lesbian, Gay men and bisexual NA NA Sets out how the Trust complies with the law

Age

Children NA NA Sets out how the Trust complies with the law

Older People (60+) NA NA Sets out how the Trust complies with the law

Younger People (17 to 25 yrs.) NA NA Sets out how the Trust complies with the law

Faith Group NA NA Sets out how the Trust complies with the law

Pregnancy & Maternity NA NA Sets out how the Trust complies with the law

Equal Opportunities and/or improved relations NA NA Sets out how the Trust complies with the law

Notes: Faith groups cover a wide range of groupings, the most common of which are Buddhists, Christians, Hindus, Jews, Muslims and Sikhs. Consider faith categories individually and collectively when considering positive and negative impacts. The categories used in the race section refer to those used in the 2001 Census. Consideration should be given to the specific communities within the broad categories, such as Bangladeshi people, and to the needs of other communities that do not appear as separate categories in the Census, for example, Polish.

3. Level of Impact

If you have indicated that there is a negative impact, is that impact:

YES NO

Legal (it is not discriminatory under anti-discriminatory law) N/A N/A

Intended N/A N/A

If the negative impact is possibly discriminatory and not intended and/or of high impact then please complete a thorough assessment after completing the rest of this form.

3.1 Could you minimise or remove any negative impact that is of low significance? Explain how below:

N/A

3.2 Could you improve the positive impact of the strategy, function or policy? Explain how below:

N/A

3.3 If there is no evidence that this strategy, function or policy promotes equality of opportunity or improves relations – could it be adapted so it does? How? If not why not?

Scheduled for Full Impact Assessment Date: N/A

Name of persons/group completing the full assessment.

N/A

Date Initial Screening completed 23/11/15