information security policy · policies and procedures which cover all aspects data protection,...
Camden CCG Information Governance and Framework Policy v2 0F (3) Page 0 of 18
Camden CCG
Information Governance Policy and Framework
1 SUMMARY: Policy has been developed to support the adoption and implementation of appropriate information governance across the CCG.
2 RESPONSIBLE PERSON: IG Manager
3 ACCOUNTABLE DIRECTOR: Director of Sustainable Insights
4 APPLIES TO: All staff in Camden CCG.
5 GROUPS/ INDIVIDUALS WHO HAVE OVERSEEN THE DEVELOPMENT OF THIS POLICY:
Nicholas Murphy-O’Kane, IG Manager
6 GROUPS WHICH WERE CONSULTED AND HAVE GIVEN APPROVAL:
Executive Management and Senior Management teams
Camden CCG Information Governance Group
7 EQUALITY IMPACT ANALYSIS COMPLETED:
Policy Screened: 15.01.15
Template completed: 15.01.15
8 RATIFYING COMMITTEE(S) & DATE OF FINAL APPROVAL:
Audit Committee, 27th September 2015
9 External Standards
ISO 9001 – Quality Management
ISO 27001 – Information Security
ISO 31000 – Risk Management
NHS Code of Practice – Information Security
10 VERSION: 2.0F
11 AVAILABLE ON: Intranet: Yes; Website: No
12 RELATED DOCUMENTS:
Information Governance Policy
Information Security Policy
Information Management
Confidentiality and Data Protection Act
Internet & Email
NHS Information Risk Management Guidance
13 DISSEMINATED TO: ALL Staff
14 DATE OF IMPLEMENTATION: 01st October 2015
15 DATE OF NEXT FORMAL REVIEW: 01st March 2017
DOCUMENT CONTROL
Date | Version | Action | Amendments
04/09/2013 | 0.1 | New Policy | Sent out for consultation
20/01/2015 | 0.2 | Consultation within the CCG | Updated following feedback from consultation.
01/04/15 | 1.0 | Final Approved | Approved by Audit Committee
01/08/15 | 1.1 | Update to reflect changes in IG Assurance. | Consultation with Exec and SMT
27/09/15 | 2.0 | Final Approved | Approved by Audit Committee
TABLE OF CONTENTS
1. SUMMARY
2. SCOPE
3. PURPOSE
4. DEFINITIONS
5. ROLES AND RESPONSIBILITIES
6. POLICY PRINCIPLES
6.1. OBJECTIVES
6.2. REPORTING
6.3. THE IG ASSURANCE FRAMEWORK
6.3.1 Information Governance Toolkit
6.3.2 Information Governance Education, Training and Development
6.3.3 Induction
6.3.4 On-Going
6.3.5 Additional Roles
6.3.6 Other Training
6.3.7 Risk Assessment and Management Process
6.3.8 Information Asset Register
6.4. IMPLEMENTATION
6.5. INFORMATION GOVERNANCE PLAN
6.6. NHS CODE OF OPENNESS
6.7. IG INCIDENTS
6.7.1 Escalation of IG Incidents and Events
6.7.2 IT Security Incidents and Events
7. EQUALITY AND DIVERSITY
8. DISSEMINATION AND IMPLEMENTATION
9. NON-CONFORMANCE WITH THIS POLICY
10. MONITORING AND REVIEW
10.1. MONITORING OF INDIVIDUALS
APPENDICES
APPENDIX A. EVALUATION PROTOCOL
APPENDIX B. EQUALITY ANALYSIS
1. Summary
This policy and framework is a medium term vision for Information Governance Assurance within
Camden CCG. The NHS, having gone through a period of radical change in the last 2 years, is still
in some respects settling into its new roles and functions. As a result, this policy will be supported by
an annual IG Toolkit improvement plan focussing on changing compliance framework requirements,
new legislation and guidance, and areas specifically identified for improvement by the NHS Camden
Clinical Commissioning Group (referred to hereafter as ‘the CCG’).
The policy and framework is also supported by the Information Governance Policy and other related
policies and procedures which cover all aspects of Data Protection, Confidentiality and Information
Security (including areas of holding, obtaining, recording, using, sharing and disclosing of
data/information or records, held in a manual/paper or electronic format, by or on behalf of the CCG)
as well as records management.
This document continues to ensure that core aspects of the IG framework are embedded effectively
within the current and evolving organisation, and also supports implementation and application of IG
across the organisation.
In the NHS, information is a vital yet potentially vulnerable asset, both in terms of the clinical
management of individual patients and the efficient commissioning and management of services
and resources. It plays a key part in clinical governance, service planning and performance
management.
It is therefore of paramount importance to ensure that information is efficiently managed and that
appropriate policies, processes and procedures, with management accountability and structures,
provide a robust information governance framework for information management.
This document outlines how the CCG will address its Information Governance (IG) agenda since its
last IGT Assessment in 2015.
2. Scope
3. Purpose
The purpose of this policy is to define how the CCG manages its information risk within the
organisation and how the effectiveness of risk management is assessed and measured.
The objective of this policy is to embed Information Risk Management into all Directorate processes
and functions through a key approval and control process.
The objectives of this Policy are as follows:
• To protect the CCG, its key stakeholders, patients and staff from information risks where the
likelihood of occurrence and the consequences are significant;
• In line with the Risk Strategy, to support and provide a consistent risk management framework
in which information risks will be identified, considered and addressed in key approval, review
and control processes;
• To encourage a pro-active rather than re-active approach to risk management;
• To provide assistance to and improve the quality of decision making throughout the
organisation;
• To meet legal or statutory requirements while assisting in safeguarding the organisation’s
information assets.
4. Definitions
Throughout this policy the following terms will have the agreed definitions:
Term | Description of Term
IGA | Information Governance Alliance – established under the Health and Social Care Act 2016 as a central body of authority in regards to IG.
IG | Information Governance – a framework of standards and levels of compliance for the use of Personal confidential Data, process and procedures
IGT | IG Toolkit – a central reporting tool provided by the HSC IC to support organisations in measuring compliance
HSC IC | Health and Social Care Information Centre
5. Roles and Responsibilities
Security is everybody's business and therefore it is everybody’s responsibility to ensure information
is secure. This section describes the expected responsibilities in relation to Information Security of
persons processing information. It is noted that some individuals will hold more than one role.
Role Responsibilities
Senior Information Risk Owner (SIRO)
Has overall responsibility for ensuring that effective systems and processes are in
place to address the Information Governance agenda.
• Foster a culture for protecting and using data.
• Ensure information risk requirements are included in the Corporate Risk Management Policy.
• To take ownership of the annual review of information flows and information asset registers and any advised recommendations.
• Ensure Information Asset Owners (IAOs) undertake risk assessments of their assets.
• Be responsible for the Incident Management process ensuring identified information security risks are followed up, incidents managed and lessons learnt.
• Provide a focal point for the management, resolution and/or discussion of information risk issues.
• Ensure that the CCG’s approach to information risk is effective in its deployment in terms of resource, commitment and execution and that this is communicated to all staff.
• Ensure the organisation is adequately briefed on information risk issues.
• Be accountable for information risk.
Caldicott
Guardian
The role of the Caldicott Guardian is an advisory role acting as the “conscience” of the
organisation for management of patient information and a focal point for patient
confidentiality & information sharing issues.
The Caldicott Guardian is supported in this role by the IG Manager.
Information Asset Owners (IAOs)
All senior staff at Director level and some senior managers are required to act as
Information Asset Owners (IAO) for the information assets within their remit. They will
provide assurance to the SIRO that information risk is managed effectively for the
information assets identified as within their remit.
• Ensure all Information Assets and flows of data within their remit are
identified and logged ensuring each has a legal basis to be processed.
• Identify, manage and escalate all information security (for example,
dependencies and access control) and information risks as appropriate.
The IAOs will be supported by Information Asset Administrators (IAAs) who will ensure
the above takes place and the IG Manager.
Information Asset Administrators (IAA)
Information Asset Administrators (IAAs) are the most senior individual user or direct
users of systems and information and have an understanding as to how it works and
how it is used.
They will ensure there are procedures for using them, control access to them and
understand their limitations.
Information Governance Management at the CCG
Overall accountability for the delivery of sound Information Governance and
assurance within the CCG, supporting all elements of the business to comply with
relevant aspects of the IG assurance framework and this policy.
The IG Manager will develop close working partnerships with other employees that
have direct responsibility for aspects of the IG Framework (e.g. Corporate Governance
and IT) to ensure compliance with relevant IG Standards.
In addition the role will work with the NEL CSU IG support and other elements within
the services and other external organisations such as NHS England, IG Alliance and
HSC IC to ensure compliance across all areas accountable to the CCG.
All Staff
All those working for the CCG have clear levels of responsibility outlined with their
terms and conditions covering information governance standards. These will cover
the legal responsibilities under the Data Protection Act, common law of confidentiality,
and professional obligations, for example the Confidentiality NHS Code of Practice
and professional codes of conduct.
Third parties
The same responsibilities as identified for “all staff” apply to those working on behalf
of the organisations whether they are volunteers, students, work placements,
contractors or temporary employees. Those working on behalf of the organisation are
required to sign a third party agreement outlining their duties and obligations.
CSU Support
The NEL CSU have been commissioned to provide administrative support for IG to
the CCG. Working closely with the IG Manager, the CSU will provide a level of
support, advice and guidance based on approved Service Level agreements.
6. Policy Principles
6.1. Objectives
This framework seeks to provide a high level of support to the CCG and its corporate objectives.
This will be achieved by the following:
• Ensure that the CCG complies with the relevant UK and European information privacy and
confidentiality laws, and regulations as well as contractual requirements and internal policies on
information and systems security and protection, and provide transparency on the level of
compliance (via the IG Toolkit);
• Maintain a detailed information risk register ensuring risks are managed within the CCG’s acceptable
risk appetite and protect information against unauthorised disclosure, unauthorised or inadvertent
modifications, and possible intrusions;
• To minimise the risks to the CCG arising from information handling processes and the subsequent
damage or stress to the organisation or an individual using approved and appropriate information
assurance techniques and measurements;
• Ensure that appropriate reporting of incidents relating to information and Information Security is
completed in a timely manner, including investigation and root cause analysis and sharing of any
lessons learnt across the CCG and its wider community.
• Provide confidence of robust and appropriate information governance assurance to our patients
and stakeholders and NHS Camden Commissioning Partnership Partners, namely:
• Camden Clinical Commissioning Group (CCCG)
• Royal Free Hospital (RFH)
• University College London Hospital (UCLH)
• Camden and Islington Mental Health Foundation CCG (C&I FT)
• NHS England (including its Regional and Local teams)
• London Borough of Camden (LBC)
• Camden GP Practices
• To ensure that all staff (including Contractors and temps and agency staff) achieve a minimum
level of IG skills and knowledge to ensure they understand their personal and organisational
responsibilities for managing the confidentiality, integrity, availability and security of information and
systems belonging to or used by the CCG in line with current UK and European appropriate
legislation.
6.2. Reporting
The following profile describes how the CCG incorporates Information Governance assurance into
the organisation.
The Camden IG Group which has representation from both internal resources and key stakeholders
including patient engagement, will provide a regular report to the Executive Management Team and
Audit Committee (and subsequently the Governing Body) following each meeting.
In addition, the CCG will take support from and interact with a number of external sources in regards
to delivering both its own and the wider IG compliance, including but not limited to:
• HSC IC - IG Alliance (IGA)
• Local / Regional and National IG Forums / Focus Groups
• London Borough of Camden
• Camden Health Partnerships
• LMC
• NHS England (Including its Area Teams)
• Health and Social Care Information Centre
• North East London Commissioning Support Unit
6.3. The IG Assurance Framework
This policy and framework is based on the principles of the Information Governance Assurance
Framework for health and social care which is designed by those elements of law and policy from
which applicable information governance standards are derived, and the activities and roles which
individually and collectively ensure that these standards are clearly defined and met.
The principles of the NHS Information Governance Assurance Framework are based on the
response to the original NHS IG Assurance Programme in 2001 as well as the Cabinet Office
Information Assurance standards. This document establishes the overall direction of IG and the
baseline principles and objectives for a robust IG organisational culture within the CCG.
6.3.1 Information Governance Toolkit
The IG Toolkit is an online tool developed from the original Government response to the Information
Assurance Maturity Models which allows NHS organisations working with the wider Health and
Social Care setting and private organisations to assess themselves against current UK Legislation
and relevant Department of Health Information Governance policies and standards.
Our self-assessment each year will be independently reviewed by our Internal Auditors to confirm
our assessment and supporting evidence based on effectiveness and completeness. The toolkit
and its overall scoring will then be available via the internet, allowing assurance to members of the
public who can view any published assessments.
The standards for the CCG are grouped into the following 4 initiatives:
• Information Governance Management
• Confidentiality and Data Protection Assurance
• Information Security Assurance
• Clinical Information Assurance
6.3.2 Information Governance Education, Training and Development
Information Governance Education, Training and Development is essential for the continual
development and improvement of our staff knowledge and skills relating to the wider IG agenda.
Since April 2013 training has been included as part of the CCG’s Mandatory Training policy where
CCG staff are reminded of the need to understand the value of information and their responsibility
for it by undertaking mandatory IG training.
As part of the assurance, the CCG commit that over 95% of employees working for or on behalf of
the CCG have received a satisfactory level of IG training within the last financial calendar year.
This training will be provided via the NHS IG Training tool (e-learning) to support variable work
patterns and demands of our services. The training will be broken into the following approach.
6.3.3 Induction
All staff working within or on behalf of the CCG are expected to have completed the following courses
as part of their induction and must be signed off by their line manager prior to completion of
probationary periods.
• Introduction to IG
• Secure Handling of Confidentiality Information
• NHS Information Risk Management – Introduction
• Information Security Guidelines
All training MUST be completed prior to sign off from probationary periods. Reports of these will be
provided by the IG Training administrator (CCG IG Manager) upon request from line management.
6.3.4 On-Going
Following on from the mandatory induction training, all staff working on behalf or within the CCG will
be required to complete a minimum of two additional modules in year as part of their continuous
professional development. The course will include the IG Refresher module, and a further module
approved via the Executive Management team. This will be published and circulated to all employees
by June of each year.
Measurement of compliance will be managed via the IG Training Tool administrator (currently IG
manager) and circulated to Directors (IAOs) for cascade.
Although this is based on e-learning training, ad-hoc bespoke training can be provided by the IG
manager or nominated support upon request by relevant Information Asset Administrators.
6.3.5 Additional Roles
Certain other roles within the organisation will need to complete additional training suitable to their
role; these are the SIRO, Caldicott Guardian, Information Asset Owners (Directors) and named
Information Asset Administrators.
Other local roles responsible for Registration Authority (RA) and Records management will also be
required to attend / complete relevant subject matter training.
6.3.6 Other Training
This policy recognises that NOT all training relevant to the operations of the CCG and compliance
with the standards outlined within the NHS IG Assurance Framework is provided. In these cases
the nominated Information Asset Owner must ensure that relevant training is provided and report
against these on an annual basis.
The list below (not exhaustive) sets out those critical systems that are managed by the
CCG that must be included:
• Registration Authority (Smartcards)
• Camden Integrated Digital Record
• Accredited Safe Haven (ASH)
6.3.7 Risk Assessment and Management Process
The CCG utilises Datix to record and manage all risks within the business. For risks associated with
Information Governance or its related services such as Data protection, Confidentiality and Security,
all these will be reported against relevant directorates, but mitigation and action plans will be
supported by the IG Lead.
Clear guidance will be documented and issued to all CCG employees and staff are also made aware
of the CCG’s risk management reporting procedures at induction or as part of local updates.
Where risks relating to NEL CSU or any other 3rd party organisation and the services provided are
identified, these will be recorded within the CCG agreed policy and procedures and will have a
nominated lead within the CCG to coordinate and agree management actions.
6.3.8 Information Asset Register
All information assets of the CCG have been identified and have a nominated Information Asset
Owner (IAO) and Information Asset Administrator (IAA). Accountability for assets ensures that
appropriate protection is maintained and any risks to data loss are minimised.
The role of the Information Asset Owner is to understand what information is held, what is added
and what is removed, how information is moved, who has access and why. As a result they are able
to understand and address risks to the information and to ensure that information is fully used within
the law for the public good. The Information Asset Owner will also be responsible for providing
regular reports to the SIRO, a minimum of annually, on the assurance and usage of their information
assets. Identified key risks (those rated as medium or high), once assessed by the SIRO, supported
by the Information Governance Group, will be considered for inclusion on the Divisional Risk
Register.
The Information Asset Register is kept under review and updated as necessary by the appropriate
IAA. The Information Asset Register is updated each time there is a change or additional information
assets created or amended.
6.4. Implementation
The implementation of this IG policy and framework, along with the IG policy and IG Toolkit plan will
ensure that information is more effectively managed in the CCG. Each year the IG policy and
framework will be reviewed and a revised IG Toolkit plan will be developed against the IG Toolkit
attainment levels and scores, thus identifying the key areas for a working programme of continuous
improvement.
6.5. Information Governance Plan
An overarching annual IG work plan will be overseen by the Information Governance Group. It will
require active engagement with all areas of the organisation.
The plan will ensure compliance with the Information Governance Toolkit assessment to level 2
(satisfactory), as part of best practice. A summary of the activities required to be undertaken is
contained within the work plan in Appendix B - CCG IG Overview Plan.
The IG Toolkit report will be submitted to the Information Governance Group (Fiona please amend
to your local IG committee if this has changed) on a quarterly basis and the Executive Management
Leadership Team (please amend to your local committee if this has changed) will receive a 6 monthly
IG update report. Detailed planning will be included in the Information Governance Toolkit working
documents and plans.
6.6. NHS Code of Openness
As a method of demonstrating the Camden CCG approach to the NHS Code of Openness, Camden
CCG promotes transparency about its information risks and incidents internally and externally with
its clients and members of the public.
The CCG publishes an Information Charter setting out how it handles information as well as setting
out in its annual report a Statement of Internal Control summary which lists material on Information
Risk e.g. the number of incidents and serious untoward incidents including the number of people
potentially affected and actions taken to contain the breach and prevent recurrence.
As part of this policy, Camden CCG will ensure that all processes and procedures that are developed
within its services will include a Privacy Impact Assessment, considering the impact any proposed
new system / change will have on personal data. Where the impact assessments have a negative
impact, these will be used to redevelop the planned process.
6.7. IG Incidents
As part of the Camden CCG Incident Management Policy, all information incidents must be reported
as soon as the issue is detected using Camden CCG’s DATIX system.
The template is based on the grading system used in the recently released HSCIC IG incident
reporting guidance – see Appendix A. HSCIC – IG SIRI Checklist Guidance.
These IG incidents cover:
• Near misses of information incidents
• Suspected information incidents (such as losses of data or breaches of confidentiality)
• Information Incidents (data losses and breaches of confidentiality)
• Patient Identifiable Data sent to the wrong individual
If the incident is assessed at level two or higher, it must be reported via the IG Incident Reporting
tool by the IG manager.
The incident should be investigated in accordance with Camden CCG’s Incident Policy.
6.7.1 Escalation of IG Incidents and Events
There is a requirement that certain incidents, once assessed using the IG Incident assessment
template, be escalated within NHS England, the Information Commissioner’s Office and the Department of
Health.
Other areas could potentially include customers, NEL CSU and other NHS organisations. This
should be considered and continually reviewed in line with contractual requirements and the
investigation process. Where this decision is to be taken it should be taken by the SIRO or where
not available a director in conjunction with the IG Manager.
6.7.2 IT Security Incidents and Events
It is helpful to acknowledge that some of the above incidents involve IT as a component and in such
cases IT should be involved and the Information Security Manager should also be informed. It is only
where there is actual or suspected harm that the Information Incident should be reported as such.
Individuals should ensure they continue to also report any IT support requirements where required
to the IT helpdesk.
The IT helpdesk will advise of any additional steps that are required, including initiating policy and
procedure as outlined in the relevant Incident and Serious Incident and Investigation procedure.
Please see Information Security Policy for further details on which IT security incidents to report.
7. Equality and Diversity
As part of its development, this policy and its impact on staff, patients and the public have been reviewed in
line with expected Legal Equality Duties. The purpose of the assessment is to improve service delivery by
minimising and if possible removing any disproportionate adverse impact on employees, patients and the
public on the grounds of protected characteristics such as race, social exclusion, gender, disability, age,
sexual orientation or religion/belief.
The equality impact assessment has been completed and has identified impact or potential impact as
“minimal impact”.
8. Dissemination and Implementation
This policy will be made available to all staff via the CCG internet site. Additionally they will be made
aware via email and this policy will be included for reference where necessary.
The policy will be supported by additional related policies and resources to support implementation.
This will include the availability of, and access to, written and verbal advice, guidance and
procedures where necessary.
9. Non-Conformance with this Policy
Should it not be possible to meet the requirements within this policy and associated guidelines, this
must be brought to the attention of the department’s Information Asset Owner. Any issues will need
to be documented as a risk and either:
• Accepted and reviewed in line with this policy
• Accepted with a view to implementing an action plan to reduce the risk
• Not accepted and the practice will stop until such time as the risk can be reduced
Failure to comply with the standards and appropriate governance of information as detailed in this
policy, supporting protocols and procedures can result in disciplinary action. All staff are reminded
that this policy covers several aspects of legal compliance that as individuals they are responsible
for.
10. Monitoring and Review
Performance against the policy will be monitored against:
• Availability and dissemination of policy and in alternative formats where requested or need identified
• Acceptance and understanding of audience (training, spot checks, surveys)
• Reports of non-conformance i.e. incidents or risks
• Compliance against the Information Governance Toolkit
This policy will be reviewed on an annual basis, and in accordance with the following on an as and when required basis:
• Legislative or case law changes;
• Changes or release of good practice or statutory guidance;
• Identified deficiencies, risks or following significant incidents reported;
• Changes to organisational infrastructure.
10.1. Monitoring of individuals
In order to ensure compliance with the law and organisational policies (including this one), the CCG
reserves the right to monitor usage and content where it suspects that there has been a breach of
policy. The Regulation of Investigatory Powers Act (2000) permits monitoring and recording of
employees’ electronic communications (including telephone communications) for the following
reasons:
• Establishing the existence of facts
• Investigating or detecting unauthorised use of the system
• Preventing or detecting crime
• Ascertaining or demonstrating standards which are achieved or ought to be achieved by
persons using the system (quality control and training)
• In the interests of national security
• Ascertaining compliance with regulatory or self-regulatory practices or procedures
• Ensuring the effective operation of the system.
In addition, communications may be monitored (but not recorded) for the purpose of checking
whether those communications are relevant to the purpose of the CCG’s business, and the
employee’s position with the CCG. Any monitoring will be undertaken in accordance with the above
act and the Human Rights Act.
This will include the use of or access to any Network, or where the property of the Organisation is used
in the communication or is accessed remotely from outside the Organisation. This includes the use
of portable computers and mobile devices, including mobile phones issued to the employee by the
Organisation.
Appendices
Appendix A. Evaluation protocol
Appendix B. Equality Analysis
This is a checklist to ensure relevant equality and equity aspects of proposals have been addressed either in the main body of the document or in a separate equality & equity impact assessment (EEIA)/ equality analysis. It is not a substitute for an EEIA which is required unless it can be shown that a proposal has no capacity to influence equality. The checklist is to enable the policy lead and the relevant committee to see whether an EEIA is required and to give assurance that the proposals will be legal, fair and equitable.
The word ‘proposal’ is a generic term for any policy, procedure or strategy that requires assessment.
Challenge questions | Yes/No | What positive or negative impact do you assess there may be?
1. Does the proposal affect one group more or less favourably than another on the basis of: | No |
Race | No |
Ethnic origin (including gypsies and travellers, refugees & asylum seekers) | No |
Nationality | No |
Gender | No |
Culture | No |
Religion or belief | No |
Sexual orientation (including lesbian, gay bisexual and transgender people) | No |
Age | No |
Disability (including learning disabilities, physical disability, sensory impairment and mental health problems) | No |
2. Will the proposal have an impact on lifestyle? (e.g. diet and nutrition, exercise, physical activity, substance use, risk taking behaviour, education and learning) | No |
3. Will the proposal have an impact on social environment? (e.g. social status, employment (whether paid or not), social/family support, stress, income) | No |
4. Will the proposal have an impact on physical environment? (e.g. living conditions, working conditions, pollution or climate change, accidental injury, public safety, transmission of infectious disease) | No |
An answer of ‘Yes’ to any of the above questions will require the Policy lead to undertake a full Equality &
Equity Impact Assessment (EEIA) and to submit the assessment for review when the policy is being
approved.