
FOR DISCUSSION

INFORMATION GOVERNANCE COMMITTEE
28 APRIL 2015
AGENDA ITEM 2.6

INFORMATION COMMISSIONER'S OFFICE FOLLOW UP DATA PROTECTION AUDIT REPORT

Report of: Director of Therapies & Health Science, Quality & Safety
Paper prepared by: Information Governance Manager
Purpose of Paper: To inform the Information Governance Committee of the final report received from the Information Commissioner's Office following their audit of data protection.
Action/Decision required: To RECEIVE the follow up report.
Link to Doing Well, Doing Better: Standards for Health Services in Wales: This paper supports:
  Standard 1: Governance and accountability framework
  Standard 6: Participating in Quality Improvement Activities
  Standard 7: Safe and Clinically Effective Care
  Standard 19: Information Management and Communications Technology
  Standard 20: Records Management
Link to Health Board's Annual Plan: Striving for excellence (delivery)
Acronyms and abbreviations:
  DPA  Data Protection Act 1998
  FOI  Freedom of Information
  ICO  Information Commissioner's Office
  IGC  Information Governance Committee

Information Commissioner's Office Follow-up data protection audit report, 28 April 2015. Page 1 of 9. Information Governance Committee, 28 April 2015, Agenda Item 2.6

FOR DISCUSSION

INFORMATION COMMISSIONER'S OFFICE FOLLOW UP DATA PROTECTION AUDIT REPORT

PURPOSE
To inform the Information Governance Committee of the final follow-up report received from the Information Commissioner's Office following their audit of data protection (Appendix 1).

POINTS OF NOTE
The report provides a summary of the follow-up audit findings. The six areas of work that are reported as outstanding are included within the IG Integrated Work Programme, which is overseen by the Information Governance Management Group, and work is progressing in all areas. They are currently being RAG rated and any residual risk will be reported on the IG Risk Register.

RECOMMENDATION
The Committee is requested to NOTE the content of the report.

Report prepared by: Carol Phillips, Information Governance Manager
Presented by: Amanda Smith, Director of Therapies & Health Science, Quality & Safety
Financial Consequences: CCTV likely but to be determined following review. Storage likely but depends on preferred option.
Other Resource Implications: To be determined
Consultees: IGC

APPENDIX 1

Powys Teaching Local Health Board
Follow-up data protection audit report

Auditors: Carol Knights, Lead Auditor
Data controller contacts: Carol Philips, Information Governance Manager
Distribution: Carol Philips, Information Governance Manager
Date issued: 27 November 2014

The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rests with the management of Powys Teaching Local Health Board.

We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Contents
1. Background (follow-up assessment)
2. Follow-up audit conclusion
3. Summary of follow-up audit findings  page 06

1. Background

1.1 The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51(7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation's processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit.

1.2 The Information Commissioner's Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach.

1.3 The original audit took place at Powys Teaching Local Health Board (PHB) premises in October 2013 and covered data governance, security of data and data sharing. The ICO's overall opinion was that there was limited assurance that processes and procedures were in place and being adhered to. The ICO identified considerable scope for improvement in existing arrangements in order to achieve the objective of compliance with the DPA.

1.4 Recommendations were made in the original audit report. PHB responded to these recommendations positively, agreeing to formally document procedures and implement further compliance measures.

1.5 A desk based follow-up took place in November 2014 to provide the ICO and PHB with a measure of the extent to which PHB had implemented the agreed recommendations. This was based on management updates from PHB provided in August and September 2014.

2. Follow-up audit conclusion

Scope area        Recommendations in original audit report   Complete   Partially complete   Not implemented/incomplete
Data Governance   13                                         4          3                    6
Security of data  10                                         4          4                    2 (includes 1 not accepted originally)
Data Sharing      18                                         4          10                   4

Section 3 below summarises the main findings of this review and highlights any residual high risk areas.

3. Summary of follow-up audit findings

3.1 The PHB have submitted a detailed update to the Action Plan that formed part of the PHB audit. Improvements from the original audit and high risk areas still outstanding are set out below:

Improvements:
- PHB have a new IG Manager, and details of IG roles and structure have been communicated to staff via newsletter.
- The Information Sharing Policy has been finalised and approved, and it clearly mandates who within PHB has authority to enter into and sign off data sharing agreements. It also clearly covers all personal data, not just patient identifiable data as previously.
- A Home Enabled Working Policy has now been put in place.
- The PHB website now contains an updated and detailed fair processing notice, and work is underway to distribute fair processing leaflets to reinforce this message.
- A single log has been developed to enable PHB to have central oversight of data sharing; some agreements however remain unfinalised as at the date of follow-up.

Outstanding:
- Take up of mandatory IG training is monitored by the key IG groups; however, monitoring statistics show uptake is still low (26-29% as at September 2014). The risk therefore remains that if staff do not receive appropriate data protection training in accordance with their role, personal data will not be processed in accordance with the DPA.
- PHB has not yet completed a data flow mapping exercise or put in place an Information Asset Register, which would allow PHB to better understand how they are processing personal data, where the risks of non-compliance are, and to apply appropriate mitigation in a structured way. PHB continues to discuss this exercise with Powys County Council and other Health Boards to agree a common approach, with a revised implementation date of June. PHB may wish to implement interim target dates to ensure that this project does not incur any further delay.

- The IG Team have not implemented a regular programme of data protection audits as required by the PHB Data Protection Policy. Implementation of this requirement has been delayed until April. Without robust processes for evaluating the effectiveness of data protection policies and procedures there is a risk that personal data may not be processed in compliance with the DPA. PHB should look at ways of implementing interim project dates to ensure that the programme is not further delayed.
- PHB has not yet completed the introduction of Privacy Impact Assessments within projects. The date for completion of this has been extended to June 2015 whilst discussions take place with Powys County Council and other Health Boards to determine a common approach. The failure to design and operate appropriate data sharing controls may result in a risk of contravention of the principles of the DPA, which could result in regulatory action, reputational damage to PHB, and damage or distress for those individuals who are the subject of the data.
- Work remains ongoing to identify areas where third party contracts exist and what needs to be done to support compliance. PHB needs to ensure that adequate controls are in place so that personal data is held and processed securely by third party contractors, to reduce any risk that it may be lost or used inappropriately.
- Datix training no longer forms part of either the induction programme or the Statutory and Mandatory training programme. This increases the risk seen at the date of the original audit and may impact on the ability of staff to promptly and adequately notify information governance incidents. The PHB Datix Manager is liaising with Workforce and Organisational Development to address this issue.

3.2 Any queries regarding this report should be directed to Carol Knights, Lead Auditor.

3.3 Thanks are given to Carol Philips, Information Governance Manager, who was instrumental in providing the information to complete the follow-up audit.