Information Governance Management Framework


Document Status: Approved
Version: v1.6

DOCUMENT CHANGE HISTORY

Version, Date: Comments (i.e. viewed, or reviewed, amended, approved by person or committee)
v1.0, 8 June 2012: Draft, Phil Stimpson
v, July 2012: Additions made to draft by Phil Stimpson
v, August 2012: Include IG Toolkit Workplan as Appendix F. Approved by CCG Quality Committee 09/01/2013
v, April 2013: Include Information Security Work plan as Appendix G. Revised list of IG policies
v, June 2013: Approved by SDT CCG Quality Committee
v1.4, 4 July 2014: Updated in compliance with Version 12 of the IG Toolkit
v, July 2014: Approved by the IG Forum
v, August 2014: Include Information Risk Assessments and Management Programme as Appendix G in compliance with Version 12 of the IG Toolkit, with additional notes to Section 11.
v, November 2014: Approved by Quality Committee on the basis that the following information is included: when and how the document will be audited.
v1.5, 5 December 2014: Amended as per comments made by Quality Committee to Section
v1.6, 1 October 2015: Updated to reflect current organisational structure, Cyber Security, IS Toolkit, Cyber Security and Data Sharing Agreements.
V, November 2015: Approved by the IG Forum
V, January 2016: Approved by the Quality Committee

Authors (names and roles of contributors, committee members etc.): Corporate Services Support Officer
Document Reference: IG Toolkit requirements 130, 131, 134, 230, 231, 232, 233, 341, 345, 349
Directorate: Corporate Services
Approval: IG Forum and Quality Committee
Review Date of approved document: November 2015

South Devon and Torbay Clinical Commissioning Group promotes equality, diversity and human rights and is committed to ensuring that all people and communities it serves have access to the services we provide.

In exercising the duty to address health inequalities, the CCG has made every effort to ensure this policy does not discriminate, directly or indirectly, against patients, employees, contractors or visitors sharing protected characteristics of: age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion and belief; sex (gender); sexual orientation or those protected under Human Rights legislation.

All CCG policies can be provided in large print or Braille formats; translations on request; language line interpreter services are available; and website users can use contrast, text sizing and audio tools if required. For any other assistance, please contact the CCG at or

Information Governance Management Framework v1.4 Draft Page 1 of 25

CONTENTS

Section, Page
1. Introduction, 3
2. Definitions & Key Roles, 5
3. Key Policies, 6
4. Key Governance Bodies, 6
5. Resources, 6
6. Governance Framework, 7
7. Information Governance Toolkit, 7
8. Information Governance Training and Guidance, 8
9. Incident Management, 9
10. Information Sharing
11. Information Security
Appendix A Glossary, 10
Appendix B SDT CCG staff in key IG roles, 11
Appendix C SDT CCG support arrangements for SIRO, 12
Appendix D SDT CCG support arrangements for Caldicott Guardian, 13
Appendix E SDT CCG Information Governance Policies, 14
Appendix F SDT CCG Information Risk Assessments and Management Programme, 15

Linked strategies, policies and other documents:
Information Governance Strategy
Confidentiality Data Protection Policy
Information Lifecycle Management Policy
Information Sharing Strategy

Dissemination requirements:
The policy will be disseminated via managers to cascade to staff within their remit. This framework will be made available on the CCG's intranet and internet sites.

1 Introduction

1.1 Introduction

The Information Governance Toolkit (IGT) requires NHS South Devon and Torbay Clinical Commissioning Group (CCG) to have an Information Governance Management Framework (IGMF) to bring together all threads of the CCG's Information Governance (IG) activities in an approved document.

References are made throughout this Framework to the IGT in a version-requirement format where, for example, 13 refers to version 13 for 2015/16 and 130 refers to the requirement number.

Much of the content of this Framework is taken directly from the Health & Social Care Information Centre (HSCIC), to ensure that the CCG produces the precise documentation required for IGT auditing and evidence purposes.

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the IGT as the organisation's Information Governance Management Framework. This Framework must be documented, approved at the most appropriate senior management level in the organisation (e.g. the Governing Body, a Committee of the Governing Body or a named Executive Director) and reviewed annually.

The Information Governance Management Framework adopted by a CCG may be described in a standalone document or may be incorporated within an over-arching Information Governance Policy or an Information Governance Strategy. Whilst many elements of Information Governance Management Frameworks will be similar for different organisations and must cover the headings described in the table below, there is no requirement for frameworks to be identical. The Information Governance Management Framework should provide a summary/overview of how an organisation is addressing the Information Governance agenda, adapted appropriately to the capacity and capability of the organisation concerned.

The Information Governance Management Framework will be reviewed annually to reflect the requirements proposed by the IG Toolkit.

The elements of an Information Governance Management Framework, as defined by the HSCIC, are shown in the table below:

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

Senior Roles
  Requirement: Senior Information Risk Owner (SIRO) (345); Caldicott Guardian (230); IG Lead.
  Notes: These roles should be at Governing Body or the most senior leadership team level. The IG Lead and the SIRO may be the same individual, but the Caldicott Guardian should be distinct from both of the others and advisory rather than accountable.

Key Policies
  Requirement: Over-arching IG Policy (131); Data Protection Act 1998/Confidentiality Policy; Information Lifecycle Management Policy; Corporate Governance Policy; Information Security Policy (TBC).
  Notes: Policies set out scope and intent. The over-arching IG policy should reference the three supporting Confidentiality, Security and Records Management policies and might be where the organisation's intended IG Management Framework is documented.

Key Governance Bodies
  Requirement: IG Board / Forum / Steering Group.
  Notes: A group, or groups, with appropriate authority should have responsibility for the IG agenda. This might be one or more standalone groups or be part of an Integrated Governance Board or Risk Management group.

Resources
  Requirement: Details of key staff roles and dedicated budgets.
  Notes: The key staff involved in the IG agenda below those at Governing Body or most senior levels should be identified with a description of their roles and responsibilities. This may include an IG Officer, Data Protection Officer, Information Security Officer, Freedom of Information Manager, Corporate and Clinical Governance Leads or Data Quality Leads. Any dedicated budgets and high level plans for expenditure in-year should also be identified, including outsourcing to external resources or contractors.

Governance Framework
  Requirement: Details of how responsibility and accountability for IG is cascaded through the organisation (230 & 345).
  Notes: This should include staff contracts, contracts with third parties, Information Asset Owner arrangements, Departmental Leads on aspects of IG etc.

Training & Guidance
  Requirement: Staff Code of Conduct (231, 232 & 233); Training for all staff (134); Organisation Security Policy (TBC); Training for specialist IG roles.
  Notes: Staff need clear guidelines on expected working practices and on the consequences of failing to follow policies and procedures. The approach to ensuring that all staff receive training appropriate to their roles should be detailed.

Incident Management
  Requirement: Documented procedures and staff awareness (341, 342 & 345).
  Notes: Clear guidance on incident management procedures should be documented and staff should be made aware of their existence, where to find them and how to implement them.

2 Definitions & Key Roles

Information Governance Management Framework: the documented approach to the organisation and delivery of clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources.

The following roles should be at Governing Body or the most senior leadership team level:

Senior Information Risk Owner (SIRO): A member of the Senior Leadership Team (SLT) with overall responsibility for the organisation's information risk policy. The SIRO will also lead and implement the Information Governance risk assessment and advise the SLT on the effectiveness of risk management across the organisation. The SIRO's responsibility is formally added to the job description of this individual, using the standard HSCIC wording. Details of the staff roles directly supporting the SIRO are shown in Appendix C.

Information Asset Owner (IAO): A senior member of staff who is the nominated owner for one or more of the identified information assets of the CCG. The IAO responsibility is formally added to the job description of this individual, using the standard HSCIC wording.

Information Governance (IG) Lead: A senior representative in the organisation who leads and co-ordinates the Information Governance work programme. This may be the same individual as the SIRO.

Information Security Lead: A senior representative supporting the organisation who leads and co-ordinates the Information Technology / Cyber Security work programme. This individual may report directly to the CCG SIRO.

Caldicott Guardian: A member of the Senior Leadership Team (SLT) responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. Caldicott Guardians were mandated for NHS organisations by Health Service Circular HSC 1999/012, and later for social care by Local Authority Circular LAC 2002/2. General Practices are required by regulations to have a confidentiality lead. This position may not be the same individual as the SIRO or the IG Lead because the Caldicott Guardian's role should be advisory rather than accountable. Details of the staff roles directly supporting the Caldicott Guardian are shown in Appendix D.

Details of senior leadership roles for Information Governance are shown in Appendix B.

3 Key Policies

This is of particular relevance to

Policies set out scope and intent. The over-arching IG policy should reference the three supporting Confidentiality, Security and Records Management policies.

The CCG's Information Governance policies will be reviewed and agreed by the IG Forum, followed by approval by the Quality Committee. Policies will be valid for 3 years from the date of approval. The CCG will plan to review and revise all policies on an annual basis.

IT Security policies follow the same basic principles as other Information Governance policies, and the writing, review and approval techniques described here apply equally to IT Security policies.

The responsibility for writing a particular policy is normally assigned by a senior manager (Manager or Head of Department) or to a named individual having expertise in that area. For Information Governance policies, the Information Governance Lead is typically tasked with writing appropriate policies. As policies require an update, either because they are near the agreed review date or because legislation, national guidance or working practices have changed, the original author will typically make the necessary changes.

The CCG's Information Governance policies are listed in Appendix E.

4 Key Governance Bodies

The Quality Committee (having delegated authority from the CCG Governing Body) will be the prime mechanism for directing and approving Information Governance work programmes, receiving reports and approving policies.

The IG experts from across the CCG's departments (corporate, quality, medicines, business intelligence) meet on a monthly basis at the IG Forum to share learning and best practice and to ensure that IG work programmes are on track, particularly the IG Toolkit plans and submissions for each organisation.

5 Resources

The key staff involved in the IG agenda are identified with a description of their roles and responsibilities. These staff may either be directly employed by the CCG or their professional services are provided to the CCG via a contract with other NHS organisations, and include the Information Governance Lead, Data Protection Officer, Freedom of Information Lead, and Corporate and Clinical Governance Leads. Details of key staff roles are described in Appendix B.

6 Governance Framework

This is of particular relevance to 230 and 345.

The CCG's Caldicott Guardian is a member of the Senior Leadership Team and Governing Body and is supported in this function as described in Appendix D.

The contracts of all CCG staff contain specific Confidentiality and Data Protection clauses that describe staff's responsibilities towards any personal data they process [these clauses will also be included in any new CCG positions created]:

    CONFIDENTIALITY / DATA PROTECTION

    You must adhere to the CCG's policy, national legislation and common law in relation to confidential and personal information. You must not disclose any information of a confidential or personal nature relating to the employer, or in which the employer has a duty of confidence, to any third party other than where you are obliged to disclose such information in the proper course of your employment or required by law.

    A failure to follow any policy in relation to the collection, keeping, processing or destruction of personal data and / or confidential information, whether deliberate or accidental, and whether regarding a patient, another staff member or other third party, will be regarded as potential misconduct, and may result in disciplinary proceedings being brought. Deliberate or negligent misuse of data, whether by unlawful disclosure or otherwise, may be considered gross misconduct, and may result in summary dismissal in the most serious cases.

    This clause does not interfere with your rights to make a disclosure under the Public Interest Disclosure Act 1998 ("whistle blowing"), which gives legal protection to employees against being dismissed or penalised by their employers as a result of disclosing information which is considered to be in the public interest and which you believe shows malpractice/wrongdoing within the CCG. If you are making a disclosure under the Public Interest Disclosure Act you must ensure that you follow the procedure laid down in the CCG Whistle blowing Policy.

7 Information Governance Toolkit

The CCG aims to achieve level 2 for all Information Governance Toolkit requirements on an annual basis. Wherever possible, this Satisfactory level will be reached as soon as possible after the publication of each year's new requirements.

The Information Governance Statement of Compliance (IGSoC) has been signed by the Chief Clinical Officer (the CCG's Accountable Officer); this commits the CCG to achieving compliance with the terms and conditions of the statement, including meeting a minimum of level 2 for all IG Toolkit requirements, or having an agreed improvement / action plan in place to achieve that level.

Documentary evidence to meet the IG Toolkit requirements is compiled, stored and self-audited by the Information Governance team, and uploaded onto the IG Toolkit website as appropriate. The CCG will arrange for Audit South West (Internal Audit) to conduct an in-depth audit (8-10 working days duration) of the CCG's IG Toolkit evidence prior to publication.

8 Information Governance Training and Guidance

This is of particular relevance to 134, 231, 232 and 233.

All staff receive Information Governance training during their first year of employment with the CCG (ideally within the first few weeks of employment) and annual Mandatory refresher training through the self-completion of online IG Training Tool module(s) relevant to each role. The Information Governance team ensure that all staff are undertaking the prescribed online training modules recommended by the HSCIC. Further specific staff training on particular aspects of Information Governance can also be delivered during Departmental development days, Team meetings and other staff events.

Details of policies will be cascaded to staff through line management and via the CCG's intranet. Copies of approved policies will be published on the CCG's website. The CCG recognises that dissemination via electronic methods is not always the best approach to ensure that all staff understand the policies relevant to their work, and that other cascade and awareness routes are also available as appropriate, including:

a. Inclusion in local induction process/paperwork.
b. Corporate induction.
c. Email reminders.
d. Staff Newsletters.
e. Information on policies and procedures provided with letter of appointment.
f. Focus increased within Mandatory Training (refresher).
g. Further inclusion of responsibilities of staff included within individual contracts.

9 Incident Management

This is of particular relevance to 341, 342 and 345.

Guidance has been issued to staff on recording both Clinical and non-clinical Incidents, the latter to include Information Governance incidents such as data loss and breach of confidentiality, and IT/Cyber Security incidents such as theft of a laptop computer and Spam, Spoof or Phishing emails that are acted upon.

The CCG's Incident Management Policy describes the process for staff to follow, which includes prompt reporting to the Information Governance team followed by recording on the Incidents module held on the CCG's staff intranet site, iknow.

The CCG will report any level 2 IG incidents to both the Information Governance Incident Reporting Tool and StEIS. The Information Governance Incident Reporting Tool is an online product hosted on the secure Information Governance Toolkit website and is the Department of Health's and Information Commissioner's Office's (ICO) agreed solution for reporting personal data security breaches within the NHS.

For minor incidents, the CCG hosts its own local incident reporting tool on the CCG's intranet page, iknow. The CCG will also use the local reporting tool to record incidents reported in primary care that are located within the CCG's geographical area. These are only recorded for the CCG's reference; GP Practices must record their own incidents following their own policies.

Incidents will be reported via KPIs to the Information Governance Forum and the Quality Committee, with a summary included in the CCG's Annual Report.

10 Information Sharing

The CCG will actively engage with other organisations to protect and share patient information where there is a clear need and where this is in line with legislation. Each identified information sharing activity must have an identified legal basis.

The CCG is a signatory to a number of Data Sharing Agreements. The Corporate Services team retains a list of all the current agreements the CCG holds, along with any other relevant agreements held by the CCG's providers and stakeholders. This list is held electronically on iknow and access is restricted to a small number of CCG staff that require it.

The Information Sharing Toolkit (IST) was created and approved by the Governing Body in March. The IST contains documents and templates which have been designed to provide guidance to staff and to help support the sharing of information between organisations. The IST and all relevant documents are available on both the CCG's intranet and internet. The Centre of Excellence for Information Sharing, the Local Medical Committee and the Information Commissioner's Office have also provided their support and approval of this project.

The Caldicott Guardian is the nominated CCG signatory to all Information Sharing Protocols with other organisations.

11 Information Security and Cyber Security

The CCG operates an Information Security Operational Plan, which forms a part of the CCG's overall Information Governance Plan. Approval and progress-chasing of this plan form standard agenda items on the CCG's IG Forum. The plan is presented to the CCG's Quality Committee at least annually.

The CCG uses Information Risk Assessments to help provide a means for assessing the potential risks to data confidentiality, availability and integrity through the use of self-assessment questionnaires. These risk assessment questionnaires are designed to assess the risk to Person Identifiable Data (PID), Person Sensitive (sensitive) data and other Confidential information (confidential), e.g. business confidential, in the IT environment. Risk Assessments are completed by, or approved by, the person accountable for the information asset being assessed. The resulting risk assessments may be subject to review by Internal Audit as part of the verification of IG Toolkit evidence. The above are described in the Risk Assessment and Management Programme which is at Appendix G.

Cyber Security refers to the technologies and processes designed to protect computers, networks and data from unauthorised access, vulnerabilities and attacks. Cyber-attacks could lead to the compromise of sensitive information, denial of access to computing services or loss of control of systems. The CCG's Head of IT and South Devon Health Informatics Board manage the CCG's defences against cyber-attacks by reporting and cleansing infected equipment, and providing education and training for staff. A local record of cyber-attacks / incidents is retained and managed by the CCG's Head of IT. Cyber Security is reported to the IG Forum and the Quality Committee via the CCG's KPIs.

Appendix A Glossary

CCG: Clinical Commissioning Group
CISM: Certified Information Security Manager
DPA: Data Protection Act 1998
EIR: Environmental Information Regulations 2005
FOI: Freedom of Information Act 2000
HSCIC: Health & Social Care Information Centre
IAO: Information Asset Owner
IG: Information Governance
IGMF: Information Governance Management Framework
ISP: Information Sharing Protocol
IGSoC: Information Governance Statement of Compliance
IGT: Information Governance Toolkit
IGTT: Information Governance Training Tool
IS: Information Security
IT: Information Technology
NEW: Northern, Eastern and Western Devon Clinical Commissioning Group
SDHIS: South Devon Health Informatics Service
SIRO: Senior Information Risk Owner
SLT: Senior Leadership Team
SDT: South Devon and Torbay Clinical Commissioning Group
STEIS: Strategic Executive Information System
IST: Information Sharing Toolkit

Appendix B CCG staff in key IG roles

The following CCG staff are in key Information Governance roles (staff working directly for, or contracted to, South Devon & Torbay CCG):

Caldicott Guardian: Gill Gant, Director of Quality Assurance and Improvement
Senior Information Risk Owner (SIRO): Mark Procter, Director of Primary Care and Corporate Services
Information Governance Leads: Jenna Ray, Corporate Services Support Officer
IG Toolkit Administrator: Jenna Ray, Corporate Services Support Officer
Data Protection Officer: Jenna Ray, Corporate Services Support Officer
Freedom of Information Lead: Jenna Ray, Corporate Services Support Officer
Corporate Governance Lead: Vanessa Dunn, Deputy Head of Corporate Services
Clinical Governance Lead: Gill Gant, Director of Quality Governance
Information & Cyber Security Lead: Gary Kennington, Head of IT

Appendix C CCG support arrangements for SIRO

The following staff are in key roles in support of the Senior Information Risk Owner (SIRO).

Senior Information Risk Owner (SIRO): Mark Procter, Director of Primary Care and Corporate Services; Member of Senior Leadership Team; formally appointed into role June 2012.

Support roles:
  Information Governance Lead: Jenna Ray
  Head of IT: Gary Kennington

Information Asset Owners (for key information assets only):
  N Drive: Gary Kennington
  Risk Register: Theresa Farris

Appendix D CCG support arrangements for Caldicott Guardian

The following staff hold key roles in support of the Caldicott Guardian.

Caldicott Guardian: Gill Gant, Director of Quality Governance; Member of Senior Leadership Team; formally appointed into role June 2012.

Support roles:
  Information Governance Lead: Jenna Ray
  Head of IT: Gary Kennington

The Information Governance team react to all reported information / cyber security and confidentiality issues, which are recorded as appropriate. All urgent and serious incidents are discussed where necessary in detail with the Caldicott Guardian and SIRO immediately, and all agreed actions are followed through to closure. A summary report is presented regularly to the Caldicott Guardian and SIRO, and then to the Quality Committee.

Appendix E CCG Information Governance policies

The CCG will write strategies, policies and guidance to cover all aspects of Information Governance and Information Security as required by the IG Toolkit and any other relevant legislation and national guidance. These will be supplemented as a result of new developments in legal or NHS requirements, or in response to identified risks or incidents within the CCG.

Policies will typically be written by the Information Governance team, circulated to the IG Forum for comment and agreement, and then formally approved by the Quality Committee. Approved policies will be published on the CCG's Intranet and Internet sites.

Policies will be re-assessed, amended and approved at least every 3 years; policies will be re-written and re-approved sooner where there have been significant changes in organisational arrangements, or the underlying legislation or NHS guidance has changed. The exception to this will be the IT policies, where the CCG will adopt the policies currently used by the South Devon Health Informatics Service (SDHIS); these will be published on the intranet site only.

South Devon and Torbay CCG Policies (Name, Version, Approved):
Information Governance Management Framework, 1.4, November 2014
Information Governance Strategy, 1.0, June 2013
Information Lifecycle Management Policy (including Information Quality Strategy and Records Management Strategy), 2, September 2015
Confidentiality and Data Protection Policy, 2, September 2015
Corporate Governance Policy (including Freedom of Information), 1.1, June 2013
Information Security Policy, 1.1, September 2013
Incident Management Policy, 1.2, September 2013
Information Risk Policy, 1.0, June 2013

Appendix F Information Risk Assessment and Management Programme

Introduction

The CCG has a moral, ethical and legal responsibility to protect the information it collects and uses. In addition, it is a requirement of the IG Toolkit that information security assets are identified and subject to a formal risk assessment process.

This paper provides a means for assessing the potential risks to data confidentiality, availability and integrity through the use of self-assessment questionnaires. These risk assessment questionnaires are designed to assess the risk to Person Identifiable Data (PID), Person Sensitive (sensitive) data and other Confidential information (confidential), e.g. business confidential, in the IT environment. They are intended to be applied to all aspects of the delivery of IT to the user community, whether the IT is provided in house or through contracts, SLAs or other means.

There are other risk considerations, such as value for money, ease of use and operational effectiveness; however, these are not directly included in the scope of these risk assessment questionnaires but may be included, as additional items, if they are deemed to present a significant risk by the risk assessor.

Development of the Self Assessment Questionnaires

The areas of risk have been identified as:
- Data confidentiality
- Data availability
- Data integrity

For each of these areas the specific controls for:
- Equipment
- Applications
- Network
- Personnel
- Data
- Accountability

have been determined and listed; these are shown in Annex 1. This list was then used to create the risk assessment questionnaires, as the absence of a control may indicate an active risk factor.

A review of the resulting lists of controls indicated that those for Equipment and Network were almost identical and that it was possible to create a single risk assessment to cover both aspects. The resulting two risk assessment questionnaires (IT Equipment and Network, and IT Applications) are detailed in Annexes 3 and 4.

The Risk Assessment Process

Risk Assessments should be completed by, or approved by, the person accountable for the information asset being assessed. The process is designed to be electronic and the completed Risk Assessment forms should be emailed, as attachments, by the person completing them to Phil Stimpson, who will maintain the Risk Assessment register. For authentication purposes the email must be sent by the person accountable for the risk assessment.

Each of the individual Risk Assessment forms will be available without the text of the process on the CCG intranet.

Where the same asset, e.g. a PC or laptop, is acquired a number of times, then a single Risk Assessment for each model can be applied to cover all instances of that make and model.

It should be borne in mind that although this is a self-assessment process, the resulting risk assessments may be subject to review by Internal Audit as part of the verification of IG Toolkit evidence.

The first question is: Does the Equipment/Application process, store, use/manipulate, allow the passage of or report PID, sensitive or confidential data/information?

If the answer to this question is NO then a formal risk assessment does not need to be completed. However, to assist in the maintenance of the risk assessment register, please complete the form in Annex 4 and email it to Phil Stimpson (jenna.ray@nhs.net).

If the answer is "it may" or "yes" to any part of the question then one of the following risk assessment forms should be completed:

IT Application Risk Assessment (Annex 2)
This risk assessment form is intended to assess new computer applications (sometimes referred to as systems) or new versions of existing applications. The term Applications is used to include software bought or developed in house, and system software, for example operating systems and utility software. It is not specifically designed to assess spreadsheets or Access databases that are developed for personal use. However, it may be appropriate when these are used by more than one person; please contact Phil Stimpson (Corporate Affairs Manager) for additional details on risk assessing spreadsheets and Access databases.

IT Equipment and Network Risk Assessment (Annex 3)
This risk assessment form is used to assess the information risk posed by computer equipment or other equipment that may store information electronically, e.g. photocopiers, including components of the data network. Although network equipment may not store data, it is a vital element in the transmission of data, and the process of designing the risk assessments demonstrated that equipment and network risk factors were almost identical; hence a single risk assessment form has been used for both.

Completing a Risk Assessment

The first part of each of these risk assessments collects basic information about the information asset. This is followed by a series of questions which require a response in terms of whether the assessor believes the control is:

- Substantially not implemented, i.e. Red (R): Unsatisfactory
- Partially implemented, i.e. Amber (A): May/May not be satisfactory
- Fully implemented, i.e. Green (G): Satisfactory
- or N/A if the control is not relevant to the asset being assessed.

Overall Risk Assessment
When the questions have all been responded to, the Assessor needs to make an overall judgement with regard to the overall Risk status of the asset and enter this in the first part of the form. When making this judgement the assessor should take into account:

- Some controls are essential, and a failure to implement these may make the overall assessment RED irrespective of the implementation of other controls. Examples are if a mobile device is not encrypted, if an application's data is not backed up, or if an application does not implement user access controls (RBAC would be expected).
- The presence of a RED assessment on some controls does not necessarily make the overall assessment RED, but see above.
- A large number of AMBER control assessments may make the overall assessment RED.
- Overall RED assessments will lead to an appropriate entry being included in the IT Risk Register.
- If RED control assessments occur, serious consideration should be given to implementing or improving these controls.
- It is quite likely that some control assessments will be AMBER or RED and that these may not be improved. The implication of this is that the risks are understood and that the assessor and the Information Asset Owner (IAO) accept the associated risks.

Information Security Risk Assessment Annex 1
Development of the Self Assessment Questionnaires

Confidentiality
How is it ensured that only authorised staff can access PID, sensitive and confidential information?

Equipment:
- Physical access controls to IT equipment (e.g. servers)
- Restricted access to buildings
- Locked computer facilities, i.e. rooms within buildings
- Role Based Access Controls (RBAC), sometimes referred to as Position Based Access Controls (PBAC), to operating systems, system software and utilities
- Mobile devices (e.g. laptops and memory sticks) are encrypted
- Secure disposal of equipment with memory capability

Application:
- Most applications can only be accessed via the network, and access to the network requires the user to have a current user ID and password
- Only authorised staff have access to computer applications. Access, and the level of access, is controlled by RBAC
- NPfIT applications require two factor authentication, i.e. use of a smartcard
- The CCG uses NHS Mail as its email system, which ensures integrity (including attachments up to 20Mb) during transmission. NB some attachments, such as MS Access files, are not permitted by NHS Mail.

Network:
- Network access controls (RBAC)
- Equipment and Application controls
- Use of encryption
- Firewalls
- Antivirus/malware protection
- Intelligent switches and routers
- Network management and monitoring system

Personnel:
- All staff have signed confidentiality agreements
- All contractors' and 3rd parties' contracts include confidentiality clauses
- Appropriate policies and procedures are in place
- Appropriate staff IG/IS training through Induction and annual mandatory training courses
- Incident management processes in place

Availability
How is it ensured that the data processing is not interrupted (other than by planned down time), nor delayed beyond specification requirements?

Equipment:
- Support arrangements are defined and in place
- UPS
- Generator capability
- Redundant equipment
- Mirrored servers
- Alternate site (own or contracted)
- Disaster recovery plan (tested)
- Change management processes

Application/system software:
- Support arrangements are defined
- Backup of data
- Off site backup storage
- Backup of system utilities
- Application updates applied
- Anti Virus up to date
- Encryption applied
- Change management processes
- System Level Security Policy in place
- A defined system/data owner is established
- BCM plan in place
- Patch management applied
- Application updates/releases applied
- Dependencies identified
- Data sharing agreements, if needed

Network:
- Support arrangements are defined and in place
- UPS
- Generator
- Redundant network routing
- Redundant equipment
- Mirroring
- Backup
- Disaster Recovery plan
- BCM plan in place
- Policies and Procedures

Personnel:
- Appropriate staff
- Resource (Staff) management
- Computer User training
- Information Governance training
- Recruitment processes
- Incident management processes in place
- 3rd party contracts include defined incident management processes

Integrity
How is data integrity ensured?

Equipment:
- Only authorised staff are allowed physical access to IT equipment. Controls include restricted access to buildings and locked computer facilities
- Support arrangements are defined and in place
- UPS
- Generator capability
- Redundant equipment
- Mirrored servers
- Alternate site (own or contracted)
- Disaster recovery plan (tested)
- Change management processes

Application/system software:
- RBAC applied
- Support arrangements are defined
- Backup of data
- Off site backup storage
- Backup of system utilities
- Application updates applied
- Anti Virus up to date
- Encryption applied
- Change management processes
- System Level Security Policy in place
- A defined system/data owner is established
- BCM plan in place
- Audit trails (event logs)
- Reports including checksums (computerised or manual)

Network:
- Network access controls (RBAC)
- Network monitoring & management system
- Audit trails (event logs)
- Use of encryption, Firewalls, Intelligent switches and routers
- Policies and Procedures

Personnel:
- Appropriately qualified staff
- Resource (Staff) management
- Computer User training
- Information Governance training
- Recruitment processes
- Segregation of duties
- Incident management processes in place
- 3rd party contracts include defined incident management processes

Accountability:
- The Information Asset Owner (IAO) has been identified
- The asset appears on the appropriate Asset Register.

Page 19 of 25 July 2014

Information Security Risk Assessment Annex 2
IT Application Risk Assessment

Risk Assessor:
Date:
Asset descriptor (e.g. Application, system software, utility etc.):
Supplier:
Application etc. name:
Asset Register: Recorded (Y/N)
Asset location:
Information Asset Owner (IAO):
Type of information (i.e. confidential/non confidential):
Overall information risk assessed as: Red, Amber, Green (RAG) or N/A:

Confidentiality controls (each control rated RAG or N/A):
- The application can only be accessed via the network, and access to the network requires the user to have a unique, current user ID and password
- The application can be accessed through an internet connection from any location and requires the user to log onto the application using a current User ID and password
- The application requires an N3 connection
- Only authorised staff have access to the application
- If the application uses email, it uses NHS Mail

Availability controls (each control rated RAG or N/A):
- Support arrangements are defined and documented
- Backup of application data takes place
- Backup of the application takes place
- Off site backup storage is used
- Application updates/patches are applied
- Anti Virus software kept up to date
- Encryption applied if mobile devices used
- Change management processes are used
- System Level Security Policy in place
- A system administrator is in place
- BCM plan in place
- User Guides are available to staff
- Administrator Guides are available for system administrators
- System dependencies have been identified: what this system depends on and what depends on this system
- Reporting arrangements have been defined
- Data sharing agreements are in place if data is shared outside of the CCG

Integrity controls (each control rated RAG or N/A):
- Audit trails (event logs) are defined and implemented
- Reports including checksums (computerised or manual) that specifically report on the integrity of the application and/or data

Accountability (each control rated RAG or N/A):
- IAO identified and aware of responsibility for this application
- The asset is appropriately recorded in an Asset Register

Personnel controls (each control rated RAG or N/A):
Managers should ensure that all staff, whether permanent employees of the CCG, temporary, contract or Bank staff, are considered when completing this section of the Risk Assessment.
- Only appropriately qualified staff should use the application; this could be through experience, qualification or training
- Appropriate line management should be in place
- Application User and System Administration training should be given to the appropriate staff
- All staff should have completed annual Information Governance training
- All staff should have completed the CCG's normal recruitment process, including signing confidentiality clauses
- Incident management processes should be in place; this may be through the use of iknow and the IGT Reporting Tool
- 3rd party contracts should include the requirement for 3rd party staff to have signed confidentiality clauses and include defined incident management processes

Additional controls not included above:

Approved by IAO
Name:
Date:

Please email this completed form to Phil Stimpson (jenna.ray@nhs.net)

IT Equipment Risk Assessment

This template combines Equipment and Network risk assessments, as the majority of risk factors/controls are the same. However, there are some that are specific to one or the other, and N/A should be entered if the specified control does not apply.

Risk Assessor:
Date:
Asset descriptor (e.g. PC, Server etc.):
Make:
Reference or model no.:
Asset Register: Recorded (Y/N)
Asset location:
Information Asset Owner (IAO):
Overall information risk assessed as: Red, Amber, Green (RAG) or N/A:

Confidentiality controls (each control rated RAG or N/A):
- Is there restricted access to buildings housing the equipment?
- Is there restricted access to the IT area within buildings?
- Is the computer equipment (e.g. servers) kept in a restricted access room, e.g. a locked computer room?
- Does the computer room have appropriate environmental alarms, e.g. fire, smoke, flood?
- Does the computer room have automatic fire suppression in place?
- Are mobile devices (e.g. laptops and memory sticks) encrypted?
- Are there secure disposal arrangements for equipment with memory capability, e.g. PCs/laptops etc.?

Availability controls (each control rated RAG or N/A):
- Support arrangements are defined and in place. This is CCG policy.
- Adequate UPS arrangements are in place
- There is an electricity generator capability that cuts in if there is a power failure
- There is a redundant equipment/spares capability
- Data servers are mirrored
- Application servers are mirrored
- Appropriate backup arrangements are in place, e.g. images, firewall rules, configuration details etc.
- Backups are stored off site
- Backup arrangements have been tested
- An alternate site is available as part of the DR plan (own or contracted)
- The equipment has been included in the location's Disaster Recovery Plan
- The Disaster Recovery Plan has been tested within the last 12 months
- Change management processes are used for configuration management

Integrity controls (each control rated RAG or N/A):
- Only authorised IT staff are allowed physical access to IT equipment, in particular equipment in restricted access sites or rooms
- Network management and monitoring system(s) are in place and used to monitor the effective operation and utilisation of network resources; additional or new network items are included in these monitoring arrangements
- The network has benefited from penetration testing within the last 12 months

Accountability (each control rated RAG or N/A):
- IAO identified and aware of responsibility for this equipment
- The asset is appropriately recorded in an Asset Register

Personnel (each control rated RAG or N/A):
Managers should ensure that all staff, whether permanent employees of the CCG, temporary, contract or Bank staff, are considered when completing this section of the Risk Assessment.
- Only appropriately qualified staff should use the application; this could be through experience, qualification or training
- Appropriate line management should be in place
- System Software and System Administration training should be given to the appropriate staff
- All staff should have completed annual Information Governance training
- All staff should have completed the CCG's normal recruitment process, including signing confidentiality clauses
- Incident management processes should be in place; this may be through the use of iknow and the IGT Reporting Tool
- 3rd party contracts should include the requirement for 3rd party staff to have signed confidentiality clauses and include defined incident management processes

Additional controls not included above:

Approved by IAO
Name:
Date:

Please email this completed form to Jenna Ray (jenna.ray@nhs.net)

Page 24 of 25 15/04/2013


More information

Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000

Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000 Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000 Guidance Compliance with the Freedom of Information Act 2000 Introduction 1. The

More information

Records Management Policy and Strategy

Records Management Policy and Strategy Records Management Policy and Strategy Ratified Status Approved Final Issued November 2017 Approved By Governance and Risk Committee Consultation Governance and Risk Committee Equality Impact Assessment

More information

Information Governance Management Framework 2017/18 Reference: IG12

Information Governance Management Framework 2017/18 Reference: IG12 Information Governance Management Framework 2017/18 Reference: IG12 Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Page 1 of 13 INFORMATION GOVERNANCE POLICY EXECUTIVE SUMMARY Key Messages Principles of Information Governance Openness Confidentiality and Legal Compliance Information Security

More information

Humber Information Sharing Charter

Humber Information Sharing Charter External Ref: HIG 01 Insert here the logo of the signatory organisation Review date November 2016 Version No. V07 Internal Ref: ERYC CFS ILS 02 Humber Information Sharing Charter This Charter may be an

More information

Information Governance Strategic Management Framework (Including Policy and Strategy)

Information Governance Strategic Management Framework (Including Policy and Strategy) Information Governance Strategic Management Framework (Including Policy and Strategy) This document sets out the framework that brings together all the requirements, standards and best practice that apply

More information

FIXED TERM CONTRACT POLICY. Recruitment and Selection Policy Secondment Policy. Employment Policy. Officer / CSP

FIXED TERM CONTRACT POLICY. Recruitment and Selection Policy Secondment Policy. Employment Policy. Officer / CSP FIXED TERM CONTRACT POLICY Reference No: UHB 173 Version No: 2 Previous Trust / LHB Ref No: T 297 Documents to read alongside this Policy Recruitment and Selection Policy Secondment Policy Redeployment

More information

Information Security Risk Management Programme and Strategy

Information Security Risk Management Programme and Strategy Information Security Risk Management Programme and Strategy Table of Contents 1. Introduction... 3 2. Purpose... 3 3. Definitions... 3 4. Roles and Responsibilities... 4 4.1. Accountable Officer... 4 4.2.

More information

INFORMATION GOVERNANCE STRATEGY. Documentation control

INFORMATION GOVERNANCE STRATEGY. Documentation control INFORMATION GOVERNANCE STRATEGY Documentation control Reference Date Approved Approving Body Version Supersedes Consultation Undertaken Target Audience Supporting procedures GG/INF/01 TRUST BOARD Information

More information

Tourettes Action Data Protection Policy

Tourettes Action Data Protection Policy Tourettes Action Data Protection Policy Effective date: 01/01/2018 Review date: 01/01/2020 Approved: Suzanne Dobson, CEO Tourettes Action Author: Pippa McClounan, Office Manager Tourettes Action Version

More information

Information Governance Policy

Information Governance Policy Author Darren Rigg Head of Information Governance Corporate Lead Bryan Machin Executive Director of Finance and Resources Document Version 1 Date ratified by Quality Committee 24 th October 2014 Date issued

More information

JOB DESCRIPTION. E-Commerce and Merchandise Manager

JOB DESCRIPTION. E-Commerce and Merchandise Manager JOB DESCRIPTION POST: E-Commerce Team Leader GRADE: Band 3 ACCOUNTABLE TO: RESPONSIBLE TO: BASE: DBS CHECK: Director of Retail & New Business E-Commerce and Merchandise Manager Aylesbury Broadfields Site

More information

Health and Safety Policy

Health and Safety Policy Paragon Asra Housing Limited Health and Safety Policy November 2017 Owning manager Chris Whelan, Executive Director Development & Sales Department Business Development Approved by Board - 24 November 2017

More information

EQUALITY OF OPPORTUNITY POLICY

EQUALITY OF OPPORTUNITY POLICY EQUALITY OF OPPORTUNITY POLICY Updated: June 2013 Version History Date Version Author/Editor Comments 17 Sept 2012 1.1 Draft Anthony Vage 25 Sept 2012 1.2 Draft Anthony Vage 20 March 2013 Initial first

More information

Volunteers within the shop Location: Wordsley Green, Lower Gornal, Shifnal and Wombourne

Volunteers within the shop Location: Wordsley Green, Lower Gornal, Shifnal and Wombourne Job Title: Assistant Shop Manager Department: Retail Reports to: Shop Manager Salary: 7.83 per hour Accountable to: The Area Manager/ Business Operations Manager Hours: Shifnal 15 hours Wombourne: 15 hrs

More information

Information Asset Management Policy

Information Asset Management Policy Information Asset Management Policy 1.0 Purpose 1.1 The purpose of this policy is to outline the management of the Fund s information asset register and the actions that will be taken to provide sufficient

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY 1. CONSULTATION AND RATIFICATION SCHEDULE 1.2. Document Name: Governance Policy 1.4. Policy Number/Version: V4.0 1.6. Name of originator/author: Midlands & Lancashire CSU

More information

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK POLICY

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK POLICY INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK POLICY Version: 1.4 Approved by: Date approved: 19 January 2017 Name of Originator/Author: Name of Responsible Committee/Individual: Date issued: Information

More information

Overarching Information Governance Policy

Overarching Information Governance Policy Document Information Board Library Reference Document Type Document Subject Original Document Author Reviewed By Review Cycle IM&T_01 Policy Information Information IGMG 3 Years Note: This document is

More information

Information Assets: Security and Risk Management Policy. Choice, Responsiveness, Integration & Shared Care

Information Assets: Security and Risk Management Policy. Choice, Responsiveness, Integration & Shared Care s: Security and Risk Management Policy Choice, Responsiveness, Integration & Shared Care Worcestershire Mental Health Partnership NHS Trust Reader Box Document Type: Document Purpose: Unique identifier:

More information

PRIVACY IMPACT ASSESSMENT (PIA) TEMPLATE

PRIVACY IMPACT ASSESSMENT (PIA) TEMPLATE PRIVACY IMPACT ASSESSMENT (PIA) TEMPLATE Reference No: IG40 Version: 1.2 Purpose of Document: Ratified by: Date ratified: 27 th September 2013 Review Date September 2014 Name of originator/author: Contact

More information

EQUALITY & DIVERSITY POLICY

EQUALITY & DIVERSITY POLICY EQUALITY & DIVERSITY POLICY Responsible Senior Manager: Vice Principal Business Services & People Equality Impact Assessed: August 2016 Corporation Approved: December 2016 Related Policies: Teaching and

More information

Human Resources. Data Protection Policy IMS HRD 012. Version: 1.00

Human Resources. Data Protection Policy IMS HRD 012. Version: 1.00 Human Resources Data Protection Policy IMS HRD 012 Version: 1.00 Disclaimer While we do our best to ensure that the information contained in this document is accurate and up to date when it was printed

More information

Fixed Term Staffing Policy

Fixed Term Staffing Policy Fixed Term Staffing Policy Who Should Read This Policy Target Audience All Trust Staff Version 1.0 October 2015 Ref. Contents Page 1.0 Introduction 4 2.0 Purpose 4 3.0 Objectives 4 4.0 Process 4 4.1 Recruitment

More information

Incremental Pay Progression Policy and Procedure

Incremental Pay Progression Policy and Procedure Incremental Pay Progression Policy and Procedure Date Impact Assessed: Version No: 1 No of pages: 14 Date of Issue: March 2015 Date of next review: March 2016 Distribution: All employees Published: Contents

More information

Lead Employer Flexible Working Policy. Trust Policy

Lead Employer Flexible Working Policy. Trust Policy Lead Employer Flexible Working Policy Type of Document Code: Policy Sponsor Lead Executive Recommended by: Trust Policy Deputy Director of Human Resources Director of Human Resources Date Recommended:

More information

This Policy supersedes the following Policy which must now be destroyed:

This Policy supersedes the following Policy which must now be destroyed: Document Title Reference Number Lead Officer Author(s) (name and designation) Ratified by Environmental Sustainability Policy NTW(O)02 Paul McCabe, Head of Estates and Facilities (NTW Solutions Ltd) Sarah

More information

Environmental Strategy & Sustainability POLICY REFERENCE NUMBER

Environmental Strategy & Sustainability POLICY REFERENCE NUMBER POLICY Security Classification Disclosable under Freedom of Information Act 2000 Yes POLICY TITLE Environmental Strategy & Sustainability POLICY REFERENCE NUMBER A034 VERSION 1.1 POLICY OWNERSHIP DIRECTORATE

More information

TRUST GOVERNANCE POLICY (formerly referenced as the CMFT Governance Strategy) - UPDATED NOVEMBER

TRUST GOVERNANCE POLICY (formerly referenced as the CMFT Governance Strategy) - UPDATED NOVEMBER Review Circulation Application Ratification Originator or modifier Supersedes Title CENTRAL MANCHESTER UNIVERSITY HOSPITALS NHS FOUNDATION TRUST TRUST GOVERNANCE POLICY (formerly referenced as the CMFT

More information

Equality and Diversity Policy

Equality and Diversity Policy Responsible Manager Director of Finance Date of Issue June 2018 Issue Number V4.0 Date for Review June 2021 Summary of Key Points CXK is committed to valuing diversity and eliminating discrimination, harassment

More information

PROCEDURE Data Quality. Number: W 2020 Date Published: 19 March 2015

PROCEDURE Data Quality. Number: W 2020 Date Published: 19 March 2015 1.0 Summary of Changes This is a new procedure, which should be read by all staff, especially those that: Develop, review or amend Force policy and procedures; Enter data into Essex Police IT applications;

More information

PHWIGC framework that addresses the issues raised by the Francis Report. Author: John Morley & Jane Evans Information Governance Managers

PHWIGC framework that addresses the issues raised by the Francis Report. Author: John Morley & Jane Evans Information Governance Managers PHWIGC 17 03 Information Governance Audits Purpose of Document: To describe the process that Public Health Wales Information Governance Managers will follow when undertaking announced and unannounced Information

More information

CAPABILITY AND PERFORMANCE POLICY

CAPABILITY AND PERFORMANCE POLICY CAPABILITY AND PERFORMANCE POLICY UNIQUE REFERENCE NUMBER: RC/XX/029/V2 DOCUMENT STATUS: Approved by Committee 3 August 2016 DATE ISSUED: August 2016 DATE TO BE REVIEWED: August 2019 AMENDMENT HISTORY

More information

Information Governance Training Plan

Information Governance Training Plan Information Governance Training Plan Page 1 of 10 Paper O2 - CCG_IG_Training_Plan_2017-18_V3.0 Final Paper O2 - CCG_IG_Training_Plan_2017-18_V3.0 Final Information Governance Training Plan Derbyshire Clinical

More information

Lisa Quinn Executive Director of Performance and Assurance. Lead Officer

Lisa Quinn Executive Director of Performance and Assurance. Lead Officer Document Title Reference Number Lead Officer Author(s) (name and designation) Ratified by Data Quality Policy NTW(O)26 Lisa Quinn Executive Director of Performance and Assurance Jennifer Illingworth Deputy

More information

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients TECHNICAL RELEASE TECH 05/14BL Data Protection Handling information provided by clients ABOUT ICAEW ICAEW is a world leading professional membership organisation that promotes, develops and supports over

More information

POLICY DEVELOPMENT FRAMEWORK

POLICY DEVELOPMENT FRAMEWORK POLICY DEVELOPMENT FRAMEWORK Lead Manager: Head of Policy Responsible Director: Director of Corporate Planning and Policy Approved by: Policy Planning and Performance Group Date approved: 17 January 2008

More information

MOBILE AND REMOTE WORKING POLICY

MOBILE AND REMOTE WORKING POLICY Policy reference number : IG/21 MOBILE AND REMOTE WORKING POLICY Purpose of document The purpose of this policy is to provide NHS Birmingham Cross City CCG (BCCCG) staff with a framework for mobile and

More information