
Camden CCG Information Governance and Framework Policy v2 0F (3) Page 0 of 18

Camden CCG Information Governance Policy and Framework

1 SUMMARY: Policy has been developed to support the adoption and implementation of appropriate information governance across the CCG.

2 RESPONSIBLE PERSON: IG Manager

3 ACCOUNTABLE DIRECTOR: Director of Sustainable Insights

4 APPLIES TO: All staff in Camden CCG.

5 GROUPS/INDIVIDUALS WHO HAVE OVERSEEN THE DEVELOPMENT OF THIS POLICY: Nicholas Murphy-O’Kane, IG Manager

6 GROUPS WHICH WERE CONSULTED AND HAVE GIVEN APPROVAL: Executive Management and Senior Management teams; Camden CCG Information Governance Group

7 EQUALITY IMPACT ANALYSIS COMPLETED: Policy screened 15.01.15; template completed 15.01.15

8 RATIFYING COMMITTEE(S) & DATE OF FINAL APPROVAL: Audit Committee, 27th September 2015

9 EXTERNAL STANDARDS: ISO 9001 – Quality Management; ISO 27001 – Information Security; ISO 31000 – Risk Management; NHS Code of Practice – Information Security

10 VERSION: 2.0F

11 AVAILABLE ON: Intranet: Yes; Website: No

12 RELATED DOCUMENTS: Information Governance Policy; Information Security Policy; Information Management; Confidentiality and Data Protection Act; Internet & Email; NHS Information Risk Management Guidance

13 DISSEMINATED TO: All Staff

14 DATE OF IMPLEMENTATION: 01st October 2015

15 DATE OF NEXT FORMAL REVIEW: 01st March 2017


DOCUMENT CONTROL

Date | Version | Action | Amendments
04/09/2013 | 0.1 | New Policy | Sent out for consultation
20/01/2015 | 0.2 | Consultation within the CCG | Updated following feedback from consultation.
01/04/15 | 1.0 | Final Approved | Approved by Audit Committee
01/08/15 | 1.1 | Update to reflect changes in IG Assurance. | Consultation with Exec and SMT
27/09/15 | 2.0 | Final Approved | Approved by Audit Committee


TABLE OF CONTENTS

1. SUMMARY ... 4
2. SCOPE ... 4
3. PURPOSE ... 5
4. DEFINITIONS ... 5
5. ROLES AND RESPONSIBILITIES ... 6
6. POLICY PRINCIPLES ... 7
6.1. OBJECTIVES ... 7
6.2. REPORTING ... 8
6.3. THE IG ASSURANCE FRAMEWORK ... 9
6.3.1 Information Governance Toolkit ... 9
6.3.2 Information Governance Education, Training and Development ... 9
6.3.3 Induction ... 10
6.3.4 On-Going ... 10
6.3.5 Additional Roles ... 10
6.3.6 Other Training ... 10
6.3.7 Risk Assessment and Management Process ... 11
6.3.8 Information Asset Register ... 11
6.4. IMPLEMENTATION ... 11
6.5. INFORMATION GOVERNANCE PLAN ... 11
6.6. NHS CODE OF OPENNESS ... 12
6.7. IG INCIDENTS ... 12
6.7.1 Escalation of IG Incidents and Events ... 12
6.7.2 IT Security Incidents and Events ... 13
7. EQUALITY AND DIVERSITY ... 13
8. DISSEMINATION AND IMPLEMENTATION ... 13
9. NON-CONFORMANCE WITH THIS POLICY ... 13
10. MONITORING AND REVIEW ... 14
10.1. MONITORING OF INDIVIDUALS ... 14
APPENDICES ... 15
APPENDIX A. EVALUATION PROTOCOL ... 15
APPENDIX B. EQUALITY ANALYSIS ... 16


1. Summary

This policy and framework is a medium-term vision for Information Governance Assurance within Camden CCG. The NHS, having gone through a period of radical change in the last 2 years, is still in some aspects settling into its new roles and functions. As a result, this policy will be supported by an annual IG Toolkit improvement plan focussing on changing compliance framework requirements, new legislation and guidance, and areas specifically identified for improvement by the NHS Camden Clinical Commissioning Group (referred to hereafter as ‘the CCG’).

The policy and framework is also supported by the Information Governance Policy and other related policies and procedures which cover all aspects of Data Protection, Confidentiality and Information Security (including the holding, obtaining, recording, using, sharing and disclosing of data/information or records, held in a manual/paper or electronic format, by or on behalf of the CCG), as well as records management.

This document continues to ensure that core aspects of the IG framework are embedded effectively within the current and evolving organisation, and also supports the implementation and application of IG across the organisation.

In the NHS, information is a vital yet potentially vulnerable asset, both in terms of the clinical management of individual patients and the efficient commissioning and management of services and resources. It plays a key part in clinical governance, service planning and performance management.

It is therefore of paramount importance to ensure that information is efficiently managed and that appropriate policies, processes and procedures, with management accountability and structures, provide a robust information governance framework for information management.

This document outlines how the CCG will address its Information Governance (IG) agenda since its last IGT Assessment in 2015.

2. Scope


3. Purpose

The purpose of this policy is to define how the CCG manages its information risk within the organisation and how the effectiveness of risk management is assessed and measured.

The objective of this policy is to embed Information Risk Management into all Directorate processes and functions through a key approval and control process.

The objectives of this Policy are as follows:

• To protect the CCG, its key stakeholders, patients and staff from information risks where the likelihood of occurrence and the consequences are significant;

• In line with the Risk Strategy, to support and provide a consistent risk management framework in which information risks will be identified, considered and addressed in key approval, review and control processes;

• To encourage a pro-active rather than re-active approach to risk management;

• To provide assistance to and improve the quality of decision making throughout the organisation;

• To meet legal or statutory requirements while assisting in safeguarding the organisation’s information assets.

4. Definitions

Throughout this policy the following terms will have the agreed definitions:

Term | Description of Term
IGA | Information Governance Alliance – established under the Health and Social Care Act 2016 as a central body of authority in regards to IG.
IG | Information Governance – a framework of standards and levels of compliance for the use of Personal Confidential Data, processes and procedures
IGT | IG Toolkit – a central reporting tool provided by the HSC IC to support organisations in measuring compliance
HSC IC | Health and Social Care Information Centre


5. Roles and Responsibilities

Security is everybody's business and therefore it is everybody’s responsibility to ensure information is secure. This section describes the expected responsibilities in relation to Information Security of persons processing information. It is noted that some individuals will hold more than one role.

Role: Senior Information Risk Owner (SIRO)

Has overall responsibility for ensuring that effective systems and processes are in place to address the Information Governance agenda.

• Foster a culture for protecting and using data.

• Ensure information risk requirements are included in the Corporate Risk Management Policy.

• Take ownership of the annual review of information flows and information asset registers and any advised recommendations.

• Ensure Information Asset Owners (IAOs) undertake risk assessments of their assets.

• Be responsible for the Incident Management process, ensuring identified information security risks are followed up, incidents managed and lessons learnt.

• Provide a focal point for the management, resolution and/or discussion of information risk issues.

• Ensure that the CCG’s approach to information risk is effective in its deployment in terms of resource, commitment and execution, and that this is communicated to all staff.

• Ensure the organisation is adequately briefed on information risk issues.

• Be accountable for information risk.

Role: Caldicott Guardian

The role of the Caldicott Guardian is an advisory role, acting as the “conscience” of the organisation for management of patient information and a focal point for patient confidentiality and information sharing issues.

The Caldicott Guardian is supported in this role by the IG Manager.

Role: Information Asset Owners (IAOs)

All senior staff at Director level and some senior managers are required to act as Information Asset Owners (IAO) for the information assets within their remit. They will provide assurance to the SIRO that information risk is managed effectively for the information assets identified as within their remit.

• Ensure all Information Assets and flows of data within their remit are identified and logged, ensuring each has a legal basis to be processed.

• Identify, manage and escalate all information security (for example, dependencies and access control) and information risks as appropriate.

The IAOs will be supported by Information Asset Administrators (IAAs), who will ensure the above takes place, and by the IG Manager.

Role: Information Asset Administrators (IAA)

Information Asset Administrators (IAAs) are the most senior individual users or direct users of systems and information, and have an understanding as to how they work and how they are used. They will ensure there are procedures for using them, control access to them and understand their limitations.

Role: Information Governance Management at the CCG

Overall accountability for the delivery of sound Information Governance and assurance within the CCG, supporting all elements of the business to comply with relevant aspects of the IG assurance framework and this policy.

The IG Manager will develop close working partnerships with other employees that have direct responsibility for aspects of the IG Framework (e.g. Corporate Governance and IT) to ensure compliance with relevant IG Standards.

In addition the role will work with the NEL CSU IG support and other elements within the services, and with other external organisations such as NHS England, IG Alliance and HSC IC, to ensure compliance across all areas accountable to the CCG.

Role: All Staff

All those working for the CCG have clear levels of responsibility outlined within their terms and conditions covering information governance standards. These will cover the legal responsibilities under the Data Protection Act, the common law of confidentiality, and professional obligations, for example the Confidentiality NHS Code of Practice and professional codes of conduct.

Role: Third parties

The same responsibilities as identified for “all staff” apply to those working on behalf of the organisation, whether they are volunteers, students, work placements, contractors or temporary employees. Those working on behalf of the organisation are required to sign a third party agreement outlining their duties and obligations.

Role: CSU Support

The NEL CSU has been commissioned to provide administrative support for IG to the CCG. Working closely with the IG Manager, the CSU will provide a level of support, advice and guidance based on approved Service Level Agreements.

6. Policy Principles

6.1. Objectives

This framework seeks to provide a high level of support to the CCG and its corporate objectives. This will be achieved by the following:

• Ensure that the CCG complies with the relevant UK and European information privacy and confidentiality laws and regulations, as well as contractual requirements and internal policies on information and systems security and protection, and provide transparency on the level of compliance (via the IG Toolkit);

• Maintain a detailed information risk register, ensuring risks are managed within the CCG’s acceptable risk appetite, and protect information against unauthorised disclosure, unauthorised or inadvertent modification, and possible intrusions;

• Minimise the risks to the CCG arising from information handling processes and the subsequent damage or stress to the organisation or an individual, using approved and appropriate information assurance techniques and measurements;

• Ensure that appropriate reporting of incidents relating to information and Information Security is completed in a timely manner, including investigation and root cause analysis and the sharing of any lessons learnt across the CCG and its wider community;

• Provide confidence of robust and appropriate information governance assurance to our patients and stakeholders and NHS Camden Commissioning Partnership Partners, namely:

  • Camden Clinical Commissioning Group (CCCG)

  • Royal Free Hospital (RFH)

  • University College London Hospital (UCLH)

  • Camden and Islington Mental Health Foundation CCG (C&I FT)

  • NHS England (including its Regional and Local teams)

  • London Borough of Camden (LBC)

  • Camden GP Practices

• Ensure that all staff (including contractors, temps and agency staff) achieve a minimum level of IG skills and knowledge, so that they understand their personal and organisational responsibilities for managing the confidentiality, integrity, availability and security of information and systems belonging to or used by the CCG, in line with current UK and European legislation.

6.2. Reporting

The following profile describes how the CCG incorporates Information Governance assurance into the organisation.

The Camden IG Group, which has representation from both internal resources and key stakeholders including patient engagement, will provide a regular report to the Executive Management Team and Audit Committee (and subsequently the Governing Body) following each meeting.

In addition the CCG will take support from and interact with a number of external sources in regards to delivering both its own and the wider IG compliance, including but not limited to:

• HSC IC - IG Alliance (IGA)

• Local / Regional and National IG Forums / Focus Groups

• London Borough of Camden

• Camden Health Partnerships

• LMC

• NHS England (including its Area Teams)

• Health and Social Care Information Centre

• North East London Commissioning Support Unit

6.3. The IG Assurance Framework

This policy and framework is based on the principles of the Information Governance Assurance Framework for health and social care, which is defined by those elements of law and policy from which applicable information governance standards are derived, and by the activities and roles which individually and collectively ensure that these standards are clearly defined and met.

The principles of the NHS Information Governance Assurance Framework are based on the response to the original NHS IG Assurance Programme in 2001 as well as the Cabinet Office Information Assurance standards. This document establishes the overall direction of IG and the baseline principles and objectives for a robust IG organisational culture within the CCG.

6.3.1 Information Governance Toolkit

The IG Toolkit is an online tool, developed from the original Government response to the Information Assurance Maturity Models, which allows NHS organisations, organisations working within the wider Health and Social Care setting, and private organisations to assess themselves against current UK legislation and relevant Department of Health Information Governance policies and standards.

Our self-assessment each year will be independently reviewed by our Internal Auditors to confirm our assessment and supporting evidence, based on effectiveness and completeness. The toolkit and its overall scoring will then be available via the internet, allowing assurance to members of the public, who can view any published assessments.

The standards for the CCG are grouped into the following 4 initiatives:

• Information Governance Management

• Confidentiality and Data Protection Assurance

• Information Security Assurance

• Clinical Information Assurance

6.3.2 Information Governance Education, Training and Development

Information Governance Education, Training and Development is essential for the continual development and improvement of our staff’s knowledge and skills relating to the wider IG agenda. Since April 2013 training has been included as part of the CCG’s Mandatory Training policy, where CCG staff are reminded of the need to understand the value of information and their responsibility for it by undertaking mandatory IG training.

As part of the assurance, the CCG commits that over 95% of employees working for or on behalf of the CCG have received a satisfactory level of IG training within the last financial calendar year.

This training will be provided via the NHS IG Training tool (e-learning) to support the variable work patterns and demands of our services. The training is broken down into the following approach.


6.3.3 Induction

All staff working within or on behalf of the CCG are expected to have completed the following courses as part of their induction, and must be signed off by their line manager prior to completion of probationary periods.

• Introduction to IG

• Secure Handling of Confidential Information

• NHS Information Risk Management – Introduction

• Information Security Guidelines

All training MUST be completed prior to sign off from probationary periods. Reports of these will be provided by the IG Training administrator (CCG IG Manager) upon request from line management.

6.3.4 On-Going

Following on from the mandatory induction training, all staff working on behalf of or within the CCG will be required to complete a minimum of two additional modules in year as part of their continuous professional development. The courses will include the IG Refresher module and a further module approved via the Executive Management team. This will be published and circulated to all employees by June of each year.

Measurement of compliance will be managed via the IG Training Tool administrator (currently the IG Manager) and circulated to Directors (IAOs) for cascade.

Although this is based on e-learning training, ad-hoc bespoke training can be provided by the IG Manager or nominated support upon request by relevant Information Asset Administrators.

6.3.5 Additional Roles

Certain other roles within the organisation will need to complete additional training suitable to their role; these are the SIRO, Caldicott Guardian, Information Asset Owners (Directors) and named Information Asset Administrators.

Other local roles responsible for Registration Authority (RA) and Records Management will also be required to attend / complete relevant subject matter training.

6.3.6 Other Training

This policy recognises that NOT all training relevant to the operations of the CCG and compliance with the standards outlined within the NHS IG Assurance Framework is provided. In these cases the nominated Information Asset Owner must ensure that relevant training is provided and report against this on an annual basis.

The list below gives those critical systems (not exhaustive) managed by the CCG that must be included:

• Registration Authority (Smartcards)

• Camden Integrated Digital Record

• Accredited Safe Haven (ASH)


6.3.7 Risk Assessment and Management Process

The CCG utilises Datix to record and manage all risks within the business. Risks associated with Information Governance or its related services, such as Data Protection, Confidentiality and Security, will be reported against the relevant directorates, but mitigation and action plans will be supported by the IG Lead.

Clear guidance will be documented and issued to all CCG employees, and staff are also made aware of the CCG’s risk management reporting procedures at induction or as part of local updates.

Where risks relating to NEL CSU or any other 3rd party organisation and the services provided are identified, these will be recorded within the CCG’s agreed policy and procedures and will have a nominated lead within the CCG to coordinate and agree management actions.

6.3.8 Information Asset Register

All information assets of the CCG have been identified and have a nominated Information Asset Owner (IAO) and Information Asset Administrator (IAA). Accountability for assets ensures that appropriate protection is maintained and any risks of data loss are minimised.

The role of the Information Asset Owner is to understand what information is held, what is added and what is removed, how information is moved, who has access and why. As a result they are able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The Information Asset Owner will also be responsible for providing regular reports to the SIRO, at a minimum annually, on the assurance and usage of their information assets. Identified key risks (those rated as medium or high), once assessed by the SIRO, supported by the Information Governance Group, will be considered for inclusion on the Divisional Risk Register.

The Information Asset Register is kept under review and updated as necessary by the appropriate IAA. The Information Asset Register is updated each time there is a change, or additional information assets are created or amended.

6.4. Implementation

The implementation of this IG policy and framework, along with the IG policy and IG Toolkit plan, will ensure that information is more effectively managed in the CCG. Each year the IG policy and framework will be reviewed and a revised IG Toolkit plan will be developed against the IG Toolkit attainment levels and scores, thus identifying the key areas for a working programme of continuous improvement.

6.5. Information Governance Plan

An overarching annual IG work plan will be overseen by the Information Governance Group. It will require active engagement with all areas of the organisation.

The plan will ensure compliance with the Information Governance Toolkit assessment to level 2 (satisfactory), as part of best practice. A summary of the activities required to be undertaken is contained within the work plan in Appendix B - CCG IG Overview Plan.

The IG Toolkit report will be submitted to the Information Governance Group (Fiona please amend to your local IG committee if this has changed) on a quarterly basis, and the Executive Management Leadership Team (please amend to your local committee if this has changed) will receive a 6 monthly IG update report. Detailed planning will be included in the Information Governance Toolkit working documents and plans.

6.6. NHS Code of Openness

As a method of demonstrating the Camden CCG approach to the NHS Code of Openness, Camden CCG promotes transparency about its information risks and incidents internally and externally with its clients and members of the public.

The CCG publishes an Information Charter setting out how it handles information, as well as setting out in its annual report a Statement of Internal Control summary which lists material on Information Risk, e.g. the number of incidents and serious untoward incidents, including the number of people potentially affected and the actions taken to contain the breach and prevent recurrence.

As part of this policy, Camden CCG will ensure that all processes and procedures that are developed within its services will include a Privacy Impact Assessment, considering the impact that any proposed new system / change will have on personal data. Where an impact assessment identifies a negative impact, this will be used to redevelop the planned process.

6.7. IG Incidents

As part of the Camden CCG Incident Management Policy, all information incidents must be reported

as soon as the issue is detected using Camden CCG’s DATIX system

The template is based on the grading system used in the recently released HSCIC IG incident

reporting guidance – see Appendix A. HSCIC – IG SIRI Checklist Guidance

These IG incidents cover:

• Near misses of information incidents

• Suspected information incidents (such as losses of data or breaches of confidentiality)

• Information Incidents (data losses and breaches of confidentiality)

• Patient Identifiable Data sent to the wrong individual

If the incident is assessed at level two or higher, it must be reported via the IG Incident Reporting tool by the IG Manager.

The incident should be investigated in accordance with Camden CCG’s Incident Policy.

6.7.1 Escalation of IG Incidents and Events

There is a requirement that certain incidents, once assessed using the IG Incident assessment template, be escalated within NHS England, the Information Commissioner’s Office and the Department of Health.

Other areas could potentially include customers, NEL CSU and other NHS organisations. This should be considered and continually reviewed in line with contractual requirements and the investigation process. Where this decision is to be taken, it should be taken by the SIRO or, where the SIRO is not available, a director in conjunction with the IG Manager.


6.7.2 IT Security Incidents and Events

It is helpful to acknowledge that some of the above incidents involve IT as a component; in such cases IT should be involved and the Information Security Manager should also be informed. It is only where there is actual or suspected harm that the Information Incident should be reported as such; individuals should ensure they also continue to report any IT support requirements to the IT helpdesk where required.

The IT helpdesk will advise of any additional steps that are required, including initiating policy and procedure as outlined in the relevant Incident and Serious Incident and Investigation procedure.

Please see Information Security Policy for further details on which IT security incidents to report.

7. Equality and Diversity

As part of its development, this policy and its impact on staff, patients and the public have been reviewed in line with expected Legal Equality Duties. The purpose of the assessment is to improve service delivery by minimising and, if possible, removing any disproportionate adverse impact on employees, patients and the public on the grounds of protected characteristics such as race, social exclusion, gender, disability, age, sexual orientation or religion/belief.

The equality impact assessment has been completed and has identified the impact or potential impact as “minimal impact”.

8. Dissemination and Implementation

This policy will be made available to all staff via the CCG internet site. Additionally, staff will be made aware of it via email, and this policy will be included for reference where necessary.

The policy will be supported by additional related policies and resources to support implementation. This will include the availability of, and access to, written and verbal advice, guidance and procedures where necessary.

9. Non-Conformance with this Policy

Should it not be possible to meet the requirements within this policy and associated guidelines, this must be brought to the attention of the department’s Information Asset Owner. Any issues will need to be documented as a risk and either:

• Accepted and reviewed in line with this policy

• Accepted with a view to implementing an action plan to reduce the risk

• Not accepted, in which case the practice will stop until such time as the risk can be reduced

Failure to comply with the standards and appropriate governance of information as detailed in this policy and its supporting protocols and procedures can result in disciplinary action. All staff are reminded that this policy covers several aspects of legal compliance for which they are responsible as individuals.


10. Monitoring and Review

Performance against the policy will be monitored against:

• Availability and dissemination of the policy, including in alternative formats where requested or a need is identified

• Acceptance and understanding of the audience (training, spot checks, surveys)

• Reports of non-conformance, i.e. incidents or risks

• Compliance against the Information Governance Toolkit

This policy will be reviewed on an annual basis, and on an as-and-when-required basis in accordance with the following:

• Legislative or case law changes;

• Changes to or release of good practice or statutory guidance;

• Identified deficiencies, risks or significant incidents reported;

• Changes to organisational infrastructure.

10.1. Monitoring of individuals

In order to ensure compliance with the law and organisational policies (including this one), the CCG reserves the right to monitor usage and content where it suspects that there has been a breach of policy. The Regulation of Investigatory Powers Act (2000) permits monitoring and recording of employees’ electronic communications (including telephone communications) for the following reasons:

• Establishing the existence of facts

• Investigating or detecting unauthorised use of the system

• Preventing or detecting crime

• Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training)

• In the interests of national security

• Ascertaining compliance with regulatory or self-regulatory practices or procedures

• Ensuring the effective operation of the system.

In addition, communications may be monitored (but not recorded) for the purpose of checking whether those communications are relevant to the purpose of the CCG’s business and the employee’s position with the CCG. Any monitoring will be undertaken in accordance with the above Act and the Human Rights Act.

This will include the use of or access to any network, or where the property of the Organisation is used in the communication or is accessed remotely from outside the Organisation. This includes the use of portable computers and mobile devices, including mobile phones issued to the employee by the Organisation.


Appendices

Appendix A. Evaluation protocol


Appendix B. Equality Analysis

This is a checklist to ensure relevant equality and equity aspects of proposals have been addressed, either in the main body of the document or in a separate equality & equity impact assessment (EEIA) / equality analysis. It is not a substitute for an EEIA, which is required unless it can be shown that a proposal has no capacity to influence equality. The checklist is to enable the policy lead and the relevant committee to see whether an EEIA is required and to give assurance that the proposals will be legal, fair and equitable.

The word ‘proposal’ is a generic term for any policy, procedure or strategy that requires assessment.

Challenge questions | Yes/No | What positive or negative impact do you assess there may be?

1. Does the proposal affect one group more or less favourably than another on the basis of: | No |
   Race | No |
   Ethnic origin (including gypsies and travellers, refugees & asylum seekers) | No |
   Nationality | No |
   Gender | No |
   Culture | No |
   Religion or belief | No |
   Sexual orientation (including lesbian, gay, bisexual and transgender people) | No |
   Age | No |
   Disability (including learning disabilities, physical disability, sensory impairment and mental health problems) | No |

2. Will the proposal have an impact on lifestyle? (e.g. diet and nutrition, exercise, physical activity, substance use, risk taking behaviour, education and learning) | No |

3. Will the proposal have an impact on social environment? (e.g. social status, employment (whether paid or not), social/family support, stress, income) | No |

4. Will the proposal have an impact on physical environment? (e.g. living conditions, working conditions, pollution or climate change, accidental injury, public safety, transmission of infectious disease) | No |

An answer of ‘Yes’ to any of the above questions will require the Policy lead to undertake a full Equality & Equity Impact Assessment (EEIA) and to submit the assessment for review when the policy is being approved.