Information Governance Training Plan

Page 1 of 10 Paper O2 - CCG_IG_Training_Plan_ _V3.0 Final

Derbyshire Clinical Commissioning Groups

Contents

Introduction
Training Provision
Staff Induction Awareness Training
Assessing Training Needs
Monitoring Compliance
Reporting
Appendix 1 Training Needs Analysis (TNA)
Appendix 2 HSCIC Training Tool Guidance

Introduction

To ensure organisational compliance with the law and central guidelines relating to Information Governance (IG), staff must receive appropriate training. Therefore, annual IG training is mandatory for all staff, including new starters, locums, temporary staff, lay members, student and contract staff members.

IG training needs should be routinely assessed, monitored and adequately provided for. IG knowledge and awareness should be at the core of the organisation's objectives, embedded amongst other governance initiatives and should offer a stable foundation for the workforce. Without this knowledge the ability of an organisation to meet legal and policy requirements will be severely impaired.

In order to fully meet the IG Toolkit standard the organisation should establish a clear plan for IG training appropriately tailored to specific staff groups or job roles. This plan should address how and when each work area and/or staff group will be trained, how training needs beyond the basic level will be assessed and should include induction processes for new staff.

This training plan has been created by NHS Arden and Greater East Midlands Commissioning Support Unit (Arden & GEM CSU) IG Service to support the Clinical Commissioning Group (CCG) in meeting the training requirement for the Information Governance Toolkit (IGT) Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained.

In order to be compliant with Department of Health requirements, organisations are expected to ensure that 95% of their staff have received annual mandatory IG training appropriate to their role. This will allow the CCG to reach a compliant level 2 achievement on the Information Governance Toolkit standard relating to staff training ( ).

Where identified in discussions with the CCG, Arden & GEM CSU IG Service will seek improvements in this requirement from Level 2 to Level 3. Where Level 3 has been achieved the CSU will support the CCG to maintain this level.

Training Provision

The HSCIC IG Training tool was decommissioned on 31st December 2016 and a new online training platform has been launched; however, not all of the modules previously available are currently available. NHS Digital has made available some of the training modules in the form of a workbook, with the mandatory training module now called Data Security Awareness Level 1.

The new module is available for staff to complete their annual mandatory training through the Electronic Staff Record (ESR). Alternatively, staff can choose to complete one of the NHS Digital workbooks or attend a face to face session. The CCG IG Lead will ensure staff are aware which training options are available in each CCG.

| Training Module | Options |
| --- | --- |
| Data security awareness level 1 | Online through ESR; NHS Digital Workbook; Face to face training |
| The Caldicott Guardian in the NHS & Social Care | NHS Digital Workbook |
| NHS Information Risk Management for SIROs & IAOs | Face to face training covering all 3 modules. Or NHS Digital Workbook |
| NHS Information Risk Management - Introductory (Year 1) | Face to face training covering all 3 modules. Or NHS Digital Workbook |
| NHS Information Risk Management Foundation (Year 2) | Face to face training covering all 3 modules. Or NHS Digital Workbook |
| Password Management | To be undertaken as soon as practicable when available. |
| Information Security Guidelines | To be undertaken as soon as practicable when available. |
| Patient Confidentiality | To be undertaken as soon as practicable when available. |
| Access to Health Records | NHS Digital Workbook |
| Records Management and the NHS Code of Practice | To be undertaken as soon as practicable when available. |
| Records Management in the NHS | To be undertaken as soon as practicable when available. |
| Secure Transfers of Personal Data | To be undertaken as soon as practicable when available. |
| Business Continuity Management | To be undertaken as soon as practicable when available. |
| Access to Information & Information Sharing in the NHS | To be undertaken as soon as practicable when available. |
| Secure Handling of Confidential Information | To be undertaken as soon as practicable when available. |
| Information Security Management | To be undertaken as soon as practicable when available. |

In previous years NHS Digital has provided a training resource for all of the modules highlighted in yellow; however, to date all bar one remain unavailable in any format. These training modules are only applicable to a small number of staff within the CCGs and therefore for 17/18 these training modules will require completion every 2 years. Any new staff will be required to undertake this training as soon as is practicable. Completed training workbooks should be submitted to the IG lead for marking and recording against the CCG training log.

All staff will need to undertake the Information Governance Data Security Awareness Level 1 training module. Staff should register on the ESR system in order to access this module. Instructions are available from the Arden & GEM CSU HR team.

The Arden & GEM CSU IG team has a training presentation which has been reviewed using the HSCIC IG Training materials review report template, and will support the CCG to deliver face to face training sessions where online training is not the preferred option. This will provide an alternative method of training, ensuring training opportunities are fully inclusive and reflecting the CCG's commitment to diversity. Additionally, the face to face training will support members of staff identified as not possessing the required IT skills to complete the training online or where staff don't have regular access to computers.

There may be occasions when ad hoc training will need to be delivered by Arden & GEM CSU IG Service to CCG staff based on an identified need, for example changes in working practices following an incident.

Staff Induction Awareness Training

Staff induction needs to address IG training needs, as new members of staff may otherwise fail to be picked up by an organisation's rolling training plan. It is vitally important that all new staff (including locums, temporary staff, students, etc.) are made aware of the relevant requirements and in particular given clear guidelines about their own individual responsibilities for compliance. Particular emphasis should be placed on how IG requirements affect their day to day work practices. It is recommended that this guidance is given to new starters on their first day of employment to avoid the risk of information security breaches.

CCGs should have a defined and documented induction policy or process that includes the requirement for staff to complete their IG training prior to use of any systems containing personal or sensitive information.

Staff should be made aware of the CCG's Staff Code of Conduct, either via a link or by being given their own copy, along with the links to the IG policies and the IG E-Learning tool as part of the induction process.

Assessing Training Needs

Staff inevitably have different levels of awareness of their responsibilities for safeguarding confidentiality, protecting data and preserving information security. In most cases the mandatory basic training through ESR will be sufficient to give staff the knowledge they require.

A training needs analysis (TNA) has been created (see appendix 1) that identifies those additional training modules that need to be completed by specific job roles. This information has been taken from the guidance within each requirement of the toolkit. The TNA identifies the training modules that are mandatory or optional for specific job roles to complete.

A staff member's line manager will undertake appraisals with the staff, at which point an assessment of current levels of skills and competencies can be undertaken and any further training needs identified.

Monitoring Compliance

Regular staff updates and s will be circulated to ensure staff are aware of the requirement to undertake the training. If this is not completed by the determined date, line managers will be contacted to cascade the training requirement. It is important that study time is protected so that all staff are able to access or attend training.

Reporting

In order to ensure correct reporting of uptake of the training, reports will be run through ESR, along with the attendance records of any face to face training delivered and records of staff completing the workbook. This will enable the CCG to regularly report on training uptake and target staff to complete the training where non-compliance is identified.

| Job Role | Data Security Awareness Level 1 | The Caldicott Guardian in the NHS & Social Care | NHS Information Risk Management for SIROs & IAOs | NHS Information Risk Management - Introductory (Year 1) | NHS Information Risk Management Foundation (Year 2) | Password Management | Information Security Guidelines | Patient Confidentiality |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Frequency | Annually | Annually | Annually | Annually | Annually | Every 2 years | Every 2 years | Every 2 years |
| IG Lead (CCG) | Mandatory | Optional | Mandatory | Mandatory | Mandatory | Optional | Optional | Mandatory |
| Caldicott Guardian | Mandatory | Mandatory | Mandatory | Mandatory | Mandatory | Optional | Optional | Mandatory |
| SIRO | Mandatory | Optional | Mandatory | Mandatory | Mandatory | Optional | Mandatory | Optional |
| IAO & IAA | Mandatory | Optional | Mandatory | Mandatory | Mandatory | Optional | Optional | Optional |
| Records Manager | Mandatory | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Admin/Clerical/ | Mandatory | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Admin/clerical with access to personal information | Mandatory | Optional | Optional | Optional | Optional | Optional | Optional | Mandatory |

| Job Role | Access to Health Records | Records Management and the NHS Code of Practice | Records Management in the NHS | Secure Transfers of Personal Data | Business Continuity Management | Access to Information & Information Sharing in the NHS | Secure Handling of Confidential Information | Information Security Management |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Frequency | Every 2 years | Every 2 years | Every 2 years | Every 2 years | Every 2 years | Every 2 years | Every 2 years | Every 2 years |
| IG Lead (CCG) | Mandatory | Optional | Optional | Mandatory | Optional | Mandatory | Mandatory | Mandatory |
| Caldicott Guardian | Mandatory | Optional | Optional | Mandatory | Optional | Mandatory | Mandatory | Mandatory |
| SIRO | Optional | Optional | Optional | Mandatory | Mandatory | Optional | Mandatory | Mandatory |
| IAO & IAA | Optional | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Records Manager | Mandatory | Mandatory | Mandatory | Optional | Optional | Optional | Optional | Optional |

Admin/clerical/ Admin/ clerical /with Optional Optional Optional Optional Optional Optional Optional Mandatory Optional Optional Optional Optional Optional Optional Optional Optional access to personal information



INFORMATION RISK POLICY

Document History

Document Reference: IG19 Incorporating IG 24
Document Purpose: This policy contains details about the organisational responsibilities to manage risks and the processes that are used.
Date Approved: September 2017
Approving Committee: Information Governance Committee
Version Number: V3.0
Status: Final
Next Revision Due: September 2019
Developed by: Information Governance, Greater East Midlands Commissioning Support Unit (GEM CSU)
Policy Sponsor: Caldicott Guardian SIRO
Target Audience: All Staff
Associated Documents: All Information Governance Policies and the Information Governance Toolkit

Revision History

| Version | Revision date | Summary of Changes |
| --- | --- | --- |
| 1.0 | August September 2014 | Amended to reflect Caldicott Review and version 11 of the IG Toolkit. |
| 1.2 | October 2014 | Updated formatting and Equality and Diversity statement. |
| 1.3 | November | yearly review and to incorporate IG 24 Information Security Risk Plan |
| 1.4 | November 2016 | Updated following comments at IGWG |
| 2.0 | November 2016 | Approved by IGC |
| 2.1 | August 2017 | Information Risk Assurance flow chart added. |
| 3.0 | September 2017 | Approved by Information Governance Committee |

Policy Dissemination information

| Reference Number | Title | Available from |
| --- | --- | --- |
| IG19 | Information Risk Policy | CCG Staff Intranet |

Page 2 of 14 Information Risk Policy V2.1 Draft

Contents

1. Introduction
Purpose & Scope
Information Risk
Policy Objectives
Key Responsibilities
Information Asset Registers
System Level Security Policy
Data Flow Mapping
Privacy Impact Assessments
Confidentiality Audits
Communication
Training
Equality & Diversity Impact Assessment
Due Regard
Policy Review
Contacts
Appendix A - Definitions
Appendix B Information Asset Owner (IAO) Annual Assurance Statement to SIRO
Appendix C - Information Risk Assurance Process

1. Introduction

The CCG needs to collect and use certain types of information about its staff and patients in order to carry out its functions, but in doing so needs to ensure that it does this in accordance with the requirements of the Data Protection Act 1998 and, in particular, to note that Section 7 of the Data Protection Act 1998 states that appropriate measures must be undertaken to ensure the security of personal data.

The CCG therefore needs to have a framework to ensure that, when new processes, services, systems and other information assets are introduced, the implementation does not result in an adverse impact on information quality or a breach of information security, confidentiality or data protection requirements. Additionally, it needs to ensure that existing processes and procedures remain compliant with relevant security and confidentiality legislation and codes of practice.

Risks must be effectively managed, and previous lessons that have been learnt from risk associated mistakes must be adequately cascaded to ensure that the CCG does not repeat them.

All staff should be mindful that risk management responsibilities are not the sole responsibility of I.T. or Information Governance staff. All employees have an important role to play in order to ensure that risks are minimised and, when encountered, appropriately managed.

It is important to remember that risk management is not about apportioning blame, but about promoting a fair and responsible culture, which contributes to learning and improvements when mistakes may occur, but that the consequences of failure to manage information risks adequately can be both corporate and individual.

This policy contains details about the organisational responsibilities to manage risks and the processes that are used.

2. Purpose & Scope

In order to ensure that information held by CCGs is at a minimum risk of being compromised, the CCG will ensure it has effective, overarching Information Governance and Risk Management frameworks in place.

The Information Risk Policy has been created to:

- Protect the CCG, its staff (and board members) and its patients from information risks where the likelihood of occurrence and the consequences are significant
- Provide a consistent risk management framework in which information risks will be fully considered and addressed during key approval, review and control processes
- Encourage a pro-active approach to managing risks, rather than a re-active risk management method
- Provide structure, transparency and assistance to improve the quality of decision making throughout the organisation

- Meet all legal or statutory requirements
- Assist in adequately safeguarding the CCG's information assets

This policy is applicable to all areas of the CCG and its staff, inclusive of contractors and staff that may be provided through external agencies. The necessity of full adherence will be detailed and included within all contracts, and for outsourced or shared services. There are no exclusions.

3. Information Risk

The CCG Governing Body has approved the introduction and embedding of information risk management into the key controls and approval processes of all major business processes and functions of the CCG. This decision reflects the high level of importance placed upon minimising information risk and safeguarding the interests of patients, staff and the CCG itself.

Information risk is inherent in all administrative and business activities, and everyone working for, or on behalf of, the CCG must effectively manage information risks for which they are responsible. The Governing Body recognises that the aim of information risk management is not to eliminate risk, but rather to provide a structured approach to accurately identify, prioritise and manage the risks involved in all CCG related activities. It requires a balance between the cost of managing and treating information risks and the anticipated benefits that will be derived.

The CCG acknowledges that information risk management is an essential element of broader Information Governance (IG) and is an integral part of good management practice. The intent is to embed information risk management in a practical and achievable way into business processes and functions, so that there is a clear, structured process that staff can easily follow. This is achieved through key approval and the frequent review of processes and controls.

Risk management should not be considered as a burdensome extra requirement for the organisation to undertake, but effectively integrated as a matter of routine in working towards achieving best practice management standards.

4. Policy Objectives

The principal objectives of the Risk Management function are:

- To assist with the identification of all reasonably foreseeable risks, particularly those which may have potentially adverse effects on the quality of care, confidentiality of patient information, safety of patients, staff and visitors (Risk Identification)
- To assist and support in the assessment of risks in terms of likelihood and severity (Risk Assessment)
- To ensure risk ratings are applied to identified risks (Risk Quantification)
- To identify the appropriate level of management to be responsible for the risk (Risk Owner)
- To take positive action to eliminate or reduce risks to as low as is reasonably practicable and continually review these actions (Risk Treatment)

- To keep the IG Working Group, Governing Body and Senior Management apprised of the significant risks present across the CCG (principally via the Risk Register and Risk reports)
- To create an escalation and accountability framework to help ensure satisfactory risk mitigation processes and that Risk Owners are encouraged and supported in their task.

5. Key Responsibilities

The Accountable Officer of the organisation has overall accountability and responsibility for Information Governance within the organisation and will provide assurance, through the Annual Governance Statement, that all risks to the organisation, including those relating to information, are effectively managed and mitigated.

The CCG Senior Information Risk Owner (SIRO) is responsible for coordinating the development and maintenance of all information risk management policies, procedures and standards for the CCG. The SIRO will act as an advocate for information risk on the CCG Board and during internal discussions, and will provide written advice to the Accountable Officer on the content of the annual Governance Statement (SIC) in regard to information risk.

The SIRO is responsible for the on-going development and day-to-day management of the CCG's Risk Management Programme for information privacy and security.

The SIRO's key responsibilities, in summary, are to:

- Oversee the development of an Information Risk Policy, and a Strategy for implementing the policy within the existing information governance framework
- Take ownership of the risk assessment process for information risk, including review of an annual information risk assessment to support and inform the Annual Governance Statement
- Review and agree action in respect of identified information risks
- Ensure that the organisation's approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff, including the board
- Provide a focal point for the resolution and/or discussion of information risk issues
- Ensure the Board is adequately briefed on information risk issues

CCG Information Asset Owners (IAOs)

The Information Asset Owner (IAO) is a senior member of staff who is the nominated owner for one or more identified information assets of the organisation. IAOs have been appointed and trained; Information Asset Owners are required to ensure the confidentiality, integrity, and availability of all information that their system processes and protect against any anticipated threats or hazards to the security or integrity of such information.

IAOs must submit an Annual Assurance Statement to the SIRO (Appendix B).

6. Information Asset Registers

Information Assets (IA) are identifiable and definable assets owned or contracted by an organisation which are valuable to the business of that organisation. Information assets are likely to include the computer systems and network hardware, software and supporting utilities and staff that are required to achieve processing of this data. Non-computerised records systems should also have an asset register containing relevant file identifications and storage locations. Business processes and activities, applications and data should all be considered as Information Assets.

The CCG will establish a programme to ensure that its Information Assets (IAs) are identified and assigned to an IAO. The SIRO will oversee a review of the organisation's asset register to ensure it is kept up to date, complete and robust.

All critical IAs will be identified and included within the Information Asset Register (IAR), together with details of business criticality, the IAO, the Information Asset Administrator (IAA) and risk reviews to be carried out. In order to improve usability and maintainability, the Information Asset Register may be organised by service, rather than by location.

Information Assets will be identified and managed in accordance with the CCG's Information Asset Register Procedure (IG06).

6. System Level Security Policy

The development, implementation and management of a System Level Security Policy (SLSP) will help to demonstrate understanding of information governance risks and commitment to address the security and confidentiality needs of a particular system. A System Level Security Policy will be completed as directed in the CCG's Information Asset Register Procedure (IG06).

7. Data Flow Mapping

To adequately protect transfers/flows of information, the CCG will identify the transfers, risk assess the transfer methods and consider the sensitivity of the information being transferred.

Transfers of all information (including personal information) must comply with the CCG's Safe Haven Procedures and relevant legislation (e.g. Principle 7 of the Data Protection Act 1998 which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of, and accidental loss or destruction of, or damage to, personal data) [1].

Where significant risks are highlighted by the mapping exercise, immediate action will be taken to either suspend the transfer of information until remedial action can be taken, or to transfer the information by another, more secure method. This is a Cabinet Office requirement for all public sector information.

In some circumstances the appropriate provision of essential care services may justify a degree of risk, but this will be reported to and agreed by the Executive team. The risk will be managed in accordance with the CCG's Risk Management Strategy.

The outcomes of the information mapping and identified risks will be used to develop guidance for staff on appropriate and secure methods of transferring personal and sensitive information in any format (hardcopy and electronic).

This exercise will be carried out on an annual basis per the Information Governance Toolkit requirements and remedial action taken where risks to information are identified. A data flow mapping report will be agreed and signed by the SIRO.

Where a new Information Asset is acquired by the organisation, the IAO will ensure, as part of the PIA process, that the Data Flows are mapped and the CCG's Data Flow Mapping Register is updated.

[1] From 25th May 2018 the General Data Protection Regulation (GDPR) will come into force. Principle 6 will apply: Integrity & Confidentiality, which requires that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

8. Privacy Impact Assessments

A Privacy Impact Assessment (PIA) is a practical tool to help identify and address the data protection and privacy concerns at the design and development stage of a project, building data protection compliance in from the outset rather than bolting it on as an afterthought.

A PIA should be carried out whenever there is a change that is likely to involve a new use or significantly change the way in which personal data is handled, for example a redesign of an existing process or service, or a new process or information asset is being introduced. Privacy Impact Assessments will enable the CCG to comply with the requirements of the Data Protection Act 1998 and in particular Principle 7 of the Act.

The CCG aims to embed the PIA process into the organisation's project management process; this will be supported by raising staff awareness of PIAs through the organisation's Staff Briefing pack and making PIA training available to key staff.

Any information risks and mitigations highlighted during the PIA process will be reviewed and agreed by the SIRO.

9. Confidentiality Audits

The CCG has control mechanisms in place to manage and safeguard confidentiality, including mechanisms for highlighting problems such as incidents, complaints and alerts. The IG Toolkit requires that CCGs ensure access to confidential personal information is monitored and audited locally.

The CCG will ensure that confidentiality audits are undertaken in line with the organisation's Confidentiality Audit Procedure (IG25). The SIRO and Caldicott Guardian (CG) will be updated with the findings of any confidentiality audits and will ensure that appropriate action is taken.

10. Communication

This policy will be made available to all employees of the CCG and observed by all members of staff, clinical and administrative, both temporary and permanent.

11. Training

All users will be trained in the use of systems and procedures to ensure the quality and appropriate handling of information, in order to minimise risks to the organisation from poor information governance.

All key roles (SIRO, Caldicott Guardian) and IAOs will undertake information risk management training at least annually.

12. Related Documents

- IG06 - Information Asset Register Procedure
- IG08 - Privacy Impact Assessment (PIA) suite of documents
  o Stage 1 Privacy Impact Assessment Screening Questions
  o Stage 2 - Privacy Impact Assessment
  o Stage 3 Assessment of Compliance
  o PIA Guidance Document for staff
  o PIA IG Lead Supporting Information
- IG 25 - Confidentiality Audit Procedure
- IG22 Safe Haven Procedures
- Data Flow Mapping Template and Guidance Document
- CCG Risk Management Strategy

13. Equality & Diversity Impact Assessment

The CCG aims to design and implement policy documents that meet the diverse needs of the services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all.

This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act.

In carrying out its functions, the CCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all the activities for which the organisation is responsible, including policy development, review and implementation.

14. Due Regard

This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations.

15. Policy Review

This policy will be reviewed by the Information Governance Committee annually. This may be subject to change and the policy may be reviewed in the event of serious untoward incidents or a change in national guidance.

16. Contacts

Caldicott Guardian: Jayne Stringfellow, Chief Nurse & Quality Officer (NHS North Derbyshire CCG), Interim Chief Nurse & Director of Quality (NHS Southern Derbyshire CCG), Interim Chief Nurse (NHS Erewash CCG), Interim Chief Nurse (NHS Hardwick CCG)
Jayne.stringfellow@nhs.net
Telephone:

Senior Information Risk Owner: Michael Cawley, Interim Chief Finance Officer
mickcawley@nhs.net
Telephone:

CCG IG Lead: Suzanne Pickering, Head of Governance
suzanne.pickering1@nhs.net
Telephone:

Appendix A - Definitions

Key definitions are:

- Risk: The chance of something happening, which will have an impact upon objectives. It is measured in terms of consequence and likelihood.
- Consequence: The outcome of an event or situation, expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.
- Likelihood: A qualitative description or synonym for probability or frequency.
- Risk Assessment: The overall process of risk analysis and risk evaluation.
- Risk Management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
- Risk Treatment: Selection and implementation of appropriate options for dealing with risk. Conceptually, treatment options will involve one or a combination of the following five strategies:
  o Avoid the risk
  o Reduce the likelihood of occurrence
  o Reduce the consequences of occurrence
  o Transfer the risk
  o Retain/accept the risk
- Risk Management Process: The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
- Annual Governance Statement (AGS): High quality and proportionate internal control systems will help organisations achieve their aims. The Annual Governance Statement (AGS) is a public accountability document that describes the effectiveness of internal controls in an organisation and is personally signed by the Accounting Officer.

23 Appendix B - Information Asset Owner (IAO) Annual Assurance Statement to SIRO
This report covers the period From to

I can confirm that the following activities relating to my role as an IAO and to the use of my information asset(s), have been conducted/are in place during the period indicated above:

1. I am up to date with my information risk management training (e-learning or equivalent) requirements.
2. I ensure those who have access to my information asset(s) are up to date with their information risk awareness training (e-learning or equivalent) requirements.
3. I ensure all Directorate information asset(s) for which I am owner are recorded on the CCG's Information Asset Register and the entries are up to date.
4. I keep records of the access controls (which adhere to the need to know principle) to my information assets. For my information assets that contain personal data I keep a record of individuals that have access to or handle that personal data. System and user access is granted to individuals or groups / teams on a role specific basis and is regularly reviewed to ensure only those with a specific need are granted access rights.
5. I approve and keep a record of instances where my information assets have been saved on a removable media device.
6. I only allow Personal Data contained in my asset(s) to be transferred to personally owned ICT in exceptional circumstances and only when it has been agreed in advance by me or my SIRO.
7. I only allow Personal Data contained in my asset(s) to be transferred to non-encrypted removable media devices in exceptional circumstances and only when it has been agreed in advance by me or my SIRO.
8. Any disposal of information assets is in accordance with the organisation's Information Lifecycle Management Policy.
9. I consider the risks to my information assets; any significant information risks are escalated as set out in the Information Risk Policy. The CCG Risk Register is updated as necessary.
10. I report any misuse, theft or loss of my information asset(s) to the appropriate team.
11. I ensure that any personal data in my information assets is handled in accordance with the Data Protection Act and data sharing agreements are in place where required.
12. I ensure that Privacy Impact Assessments are undertaken where there is a proposal to change how information is shared and used.

Signed
Date
Position

24 Appendix C - Information Risk Assurance Process
[Flowchart. The arrows and the Yes/No branch connections between boxes were lost in extraction; the box text, in extraction order, reads:]
- Project involves collation, sharing or use of information, e.g. purchase of new software/hardware, development of new services
- IG08 Stage 1 Privacy Impact Assessment (PIA)
- Update organisation Data Flow Mapping Register. Flows to be submitted to IG Lead for update
- IG08 Stage 3 PIA Compliance Assessment
- IG08 Stage 2 Complete under direction of IAO
- Decision: IG08 Stage 2 PIA Required? (Yes / No)
- IG Lead to add to PIA Register
- Update Project Risk Register and organisation risk registers in accordance with the CCG's Risk Management Policy. Ensure risks are actioned
- IG06 IAR Procedure. Asset identified, risk assessed and added to Information Asset Register
- Decision: Risk score of 9 or above? (Yes / No)
- Decision: Asset hosted on shared network (Yes / No)
- IG06 IAR Procedure. Complete Full SLSP
- IG06 IAR Procedure. Complete the Short SLSP

25 Standards of Business Conduct and Conflicts of Interest Policy (v2.1) Page 1 of 55

26 Date Issued: Awaiting approval in DRAFT form
Date to be reviewed: September 2018 or if statutory changes are required
Policy Title: Standards of Business Conduct and Conflicts of Interest Policy
Supersedes: Managing Conflicts of Interest Guidance and Policy v2
Description of Amendment(s):
- Amendments in accordance with new guidance published in December 2014 to incorporate Delegated Commissioning Arrangements
- Amendments in accordance with new guidance published in June 2016
- Amendments in accordance with new guidance published in June 2017
This policy will impact on: All NDCCG Employees, Governing Body and NDCCG Members
Financial Implications: No change.
Policy Area: Corporate
Version No: Final Approved November 2016 V2 with amended appendices Feb 17 Draft V2.1
Issued By: Rosalie Whitehead, Governance Officer
Author: Rosalie Whitehead, Governance Officer
Document Reference: MCOI/02
Effective Date: November 2017
Review Date: September 2018

27 CONTENTS
1. Background
Scope
Definition of an Interest
Principles
Declaring Conflicts of Interest
Register(s) of Conflicts of Interests
Register of Interests
Register of Gifts and Hospitality
Roles and Responsibilities
Appointing Governing Body or committee members and senior employees
CCG Lay Members
Conflicts of Interest Guardian
Other Key Roles
Governance Arrangements and Decision Making
Secondary Employment
Management of meetings and decision making
Managing Conflicts of Interest through the Commissioning Cycle
Principles
General Provisions
Designing Service Requirements
Transparency in Procurement and awarding grants
Raising Concerns and Breaches
Constitution, Standing Orders, Scheme of Reservation and Delegation and Prime Financial Policies
Appendix 1 Template Declaration of Interests Form
Appendix 2 Template Declarations of Gifts and Hospitality Form
Appendix 3 Declarations of Interest Checklist
Appendix 4 Summary Register for recording any interests during meetings
Appendix 5 Interests recorded during meetings
Appendix 6 Procurement Decisions and Contracts Awarded Form
Appendix 7 Template Procurement Checklist
Appendix 8 Breach Declarations Register
Appendix 9 Breach Declaration Form

28 1. BACKGROUND

1.1 This policy underpins the NHS North Derbyshire Clinical Commissioning Group (the "CCG") constitution and sets out further details of the expected conduct of all those who work within it.

1.2 The CCG is responsible for the stewardship of significant public resources when making decisions about the commissioning of health and social care services. In order to ensure and be able to evidence that these decisions secure the best possible services for the population it serves, the CCG must demonstrate accountability to relevant stakeholders (particularly the public), probity and transparency in the decision-making process.

1.3 A key element of this assurance involves management of conflicts of interest with respect to any decisions made. Although such conflicts of interest are inevitable, having processes to appropriately identify and manage them is essential to maintain the integrity of the NHS commissioning system and to protect the CCG, its Governing Body, its employees and associated GP practices from allegations and perceptions of wrong-doing.

1.4 The policy should be read in conjunction with the following documents:
- Managing Conflicts of Interest: Revised Statutory Guidance for CCGs 2017 (NHS England June 2017);
- British Medical Association Guidance on Conflicts of Interest for GPs in their role as commissioners and providers;
- Royal College of General Practitioners Managing Conflicts of Interest in CCGs;
- General Medical Council Good Medical Practice (2013);
- Pharmaceutical Sponsorship Policy for Working with Non-NHS Organisations (NHS Hardwick CCG, 2014);
- The Public Contract Regulations 2015;
- The NHS (Procurement, Patient Choice and Competition) (No.2) Regulations 2013;
- The Bribery Act 2010;
- National Health Service Act 2006 (as amended by the Health and Social Care Act 2012);
- Next steps towards primary care co-commissioning (NHS England November 2014);

29
- Standards for members of NHS Boards and CCGs (Professional Standards Authority, November 2013);
- Towards Establishment: Creating Responsive and Accountable CCGs Technical Appendix 1 (NHS Commissioning Board, October 2012);
- Appointments Commission's Code of Conduct and Code of Accountability, Code of Conduct for NHS Managers 2002;
- The Healthy NHS Board: Principles for Good Governance (NHS Leadership Academy, 2013).

In addition, it should be noted that this policy updates and expands upon the provisions contained in the CCG's constitution.

2. SCOPE

2.1 This policy will apply to:

CCG employees
All employees, including:
(a) full and part-time staff;
(b) any staff on sessional or short term contracts;
(c) any students and trainees (including apprentices);
(d) agency staff;
(e) seconded staff;
(f) any self-employed consultants or other individuals working for the CCG under a contract for services.

Members of the Governing Body, Committees and Sub-Committees
(a) Co-opted members.
(b) Appointed deputies.
(c) Any members of the committees from other organisations.
Where the CCG is participating in a Joint Committee alongside other CCGs, any interests which are declared by the committee members should be recorded on the register(s) of interest of each participating CCG.

All member practices of the CCG
(a) GP Partners (or where the practice is a company, each director).

30
(b) Practice Managers.
(c) GP Leads.
(d) Any individual directly involved with the business or decision-making of the CCG.

All those mentioned in paragraph 2.1 will hereafter be referred to as "Individuals".

2.2 The CCG will ensure that Individuals are aware of the existence of this policy by:
- an introduction to the policy being given during the induction process for new starters to the CCG;
- at a minimum, an annual reminder of the existence and importance of the policy delivered via internal communication methods; and
- at a minimum, a six-monthly reminder to update, if applicable, Declaration of Interests Forms, Gifts and Hospitality Forms, Procurement Decisions and Contracts Awarded Forms, and Breach Declaration Forms, will be sent to all Individuals.

2.3 Individuals to whom this policy applies will be personally responsible for ensuring that they:
- are familiar with its provisions;
- comply with the requirements of the CCG's constitution, the standards of conduct outlined in this policy and be aware of the responsibilities outlined within it;
- do not knowingly place themselves in a position which creates a potential conflict between their individual and personal interests and their CCG duties;
- comply with the procedures set out in the policy including making declarations of potential or actual conflicts of interest where necessary;
- attend any conflicts of interest training made available to them including training offered by NHS England; and
- if applicable, also refer to their respective professional codes of conduct relating to conflicts of interest.

2.4 References in this policy to committee and sub-committee shall include reference to joint committees where relevant.

2.5 The CCG will view instances where this policy is not followed as serious and may take disciplinary action against Individuals, which may result in removal from office in accordance with the provisions of the CCG's constitution and/or dismissal. The following CCG policies (as amended) will apply to breaches of this policy where appropriate:
Raising Concerns at Work (Whistleblowing) Policy;

31 2.5.2 Disciplinary Policy.

2.6 Where appropriate the CCG will support its lay members in participating in any governance training programmes offered by NHS England.

2.7 The CCG's Audit Committee and Governing Body are committed to review this policy on an annual basis.

3. DEFINITION OF AN INTEREST

3.1 A conflict of interest is defined as a set of circumstances by which a reasonable person would consider that an Individual's ability to apply judgement or act, in the context of delivering, commissioning, or assuring taxpayer funded health and care services is, or could be, impaired or influenced by another interest they hold (NHS England, 2017).

3.2 Conflicts of interest can arise in many situations, environments and forms of commissioning, with an increased risk in primary care commissioning, out-of-hours commissioning and involvement with integrated care organisations and new care models, as Individuals may here find themselves in a position of being both commissioner and provider of services. Conflicts of interest can arise throughout the whole commissioning cycle from needs assessment, to procurement exercises, to contract monitoring.

3.3 Interests can be captured in four different categories:
- financial interests;
- non-financial professional interests;
- non-financial personal interests;
- indirect interests.
More details can be found on these categories in section 5 below.

4. PRINCIPLES

4.1 This policy reflects principles of good governance and follows the:
- Good Governance Standards of Public Services (2004), Office for Public Management (OPM) and Chartered Institute of Public Finance and Accountancy (CIPFA);
- Seven Key Principles of the NHS Constitution;
- The UK Corporate Governance Code;

32 4.1.4 Seven Principles of Public Life promulgated by the Nolan Committee, which include:
- Selflessness: Individuals should act solely in terms of the public interest. They should not do so in order to gain financial or other benefits for themselves, their family or their friends;
- Integrity: Individuals should not place themselves under any financial or other obligation to outside individuals or organisations that might seek to influence them in the performance of their official duties;
- Objectivity: in carrying out public business, including making public appointments, awarding contracts, or recommending Individuals for rewards and benefits, Individuals should make choices on merit;
- Accountability: Individuals are accountable for their decisions and actions to the public and must submit themselves to whatever scrutiny is appropriate to their office;
- Openness: Individuals should be as open as possible about all the decisions and actions they take. They should give reasons for their decisions and restrict information only when the wider public interest clearly demands;
- Honesty: Individuals have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts arising in a way that protects the public interest; and
- Leadership: Individuals should promote and support these principles by leadership and example;

Equality Act 2010 where:
- the CCG aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act;
- in carrying out its function, the CCG must have due regard to the Public Sector Equality Duty. This applies to all activities for which the CCG is responsible, including policy development, review and implementation.

33 4.2 In addition to the above, the CCG will:
- do business appropriately: conflicts of interest become much easier to identify, avoid and/or manage when the processes for needs assessments, consultation mechanisms, commissioning strategies and procurement procedures are right from the outset, because the rationale for all decision-making will be clear and transparent and should withstand scrutiny;
- be proactive, not reactive: seek to identify and minimise the risk of conflicts of interest at the earliest possible opportunity;
- be balanced and proportionate: rules should be clear and robust but not overly prescriptive or restrictive. They should ensure that decision-making is transparent and fair whilst not being overly constraining, complex or cumbersome;
- be transparent: document clearly the approach and decisions taken at every stage in the commissioning cycle so that a clear audit trail is evident;
- create an environment and culture where Individuals feel supported and confident in declaring relevant information and raising any concerns.

5. DECLARING CONFLICTS OF INTEREST

5.1 The CCG must make arrangements to ensure Individuals declare any conflict or potential conflict in relation to a decision to be made by the CCG as soon as they become aware of it, and in any event within 28 days. The Declaration of Interests Form is available at Appendix

Individuals are given other opportunities to make declarations, which include:
- on appointment;
- six-monthly;
- at meetings;
- on changing role, responsibility or circumstances.

See below for a flowchart detailing the process of declaring conflicts of interest in various settings:

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK Document History Document Reference: IG33 Document Purpose: The document complements all other Information Governance policies and sets out the management arrangements

More information

IG01 Information Governance Management Framework

IG01 Information Governance Management Framework IG01 Information Governance Management Framework 1 INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK Document History Document Reference: IG01 Document Purpose: The document compliments all other Information

More information

Information Security Risk Management Programme and Strategy

Information Security Risk Management Programme and Strategy Information Security Risk Management Programme and Strategy Table of Contents 1. Introduction... 3 2. Purpose... 3 3. Definitions... 3 4. Roles and Responsibilities... 4 4.1. Accountable Officer... 4 4.2.

More information

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK NHS South West Lincolnshire Clinical Commissioning Group (CCG) INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK Document History: Document Reference: Document Purpose: IG01 Date Ratified: January 2015 Ratified

More information

INFORMATION GOVERNANCE STRATEGY AND STRATEGIC VISION

INFORMATION GOVERNANCE STRATEGY AND STRATEGIC VISION INFORMATION GOVERNANCE STRATEGY AND STRATEGIC VISION Policy approved by: Joint Audit and Governance Committee Date: December 2016 Next Review Date: October 2018 Version: 2.0 Information Governance Strategy

More information

This Policy supersedes the following Policy, which must now be destroyed:

This Policy supersedes the following Policy, which must now be destroyed: Document Title Reference Number Lead Officer Author(s) (name and designation) Ratified by Forensic Readiness Policy NTW(O)56 Lisa Quinn Executive Director of Performance and Assurance Sue Proud Information

More information

This Policy supersedes the following Policy, which must now be destroyed:

This Policy supersedes the following Policy, which must now be destroyed: Document Title Reference Number Lead Officer Author(s) (name and designation) Ratified by Forensic Readiness Policy NTW(O)56 Lisa Quinn, Executive Director of Commissioning and Quality Assurance Angela

More information

Privacy Impact Assessment Policy and Procedure

Privacy Impact Assessment Policy and Procedure Privacy Impact Assessment Policy and Procedure This document outlines the Trust s approach and methodology for conducting Privacy Impact Assessments in line with the Information Risk Policy Key Words:

More information

SECONDARY EMPLOYMENT POLICY

SECONDARY EMPLOYMENT POLICY SECONDARY EMPLOYMENT POLICY Document History Date Issued December 2016 Version Number: 1 Status: Developed by: Policy Sponsor: Policy Area This Policy will impact on: Consultation: Approved by Committees:

More information

Information Governance Assurance Framework

Information Governance Assurance Framework Document Reference POL008 Document Status Approved Version: V4.0 DOCUMENT CHANGE HISTORY Initiated by Date Author IG Toolkit Requirements November 2010 IG Manager Version Date Comments (i.e. viewed, or

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4.0 Ratified by: NHS Bury Clinical Commissioning Group Information Governance Operational Group Date ratified: 19 th September 2017 Name of originator /author (s):

More information

Information Governance Strategic Management Framework

Information Governance Strategic Management Framework Information Governance Strategic Management Framework 2016-2018 Susan Meakin Information Governance Manager June 2016 Information Governance DOCUMENT CONTROL: Version: 2 Ratified by: Health Informatics

More information

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2017/18

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2017/18 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2017/18 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Quality, Safety & Risk

More information

Information Governance Policy and Management Framework

Information Governance Policy and Management Framework Putting Barnsley People First Information Governance Policy and Management Framework Version: 2.0 Approved By: Governing Body Date Approved: February 2014 Name of originator / author: Richard Walker Name

More information

IGPr002 - Information Governance Management Framework

IGPr002 - Information Governance Management Framework IGPr002 - Information Governance Management Framework Page 1 of 10 Table of Contents Information Governance Management Framework... 1 Why we need this Framework... 3 What the Framework is trying to do...

More information

Data Protection Impact Assessment Policy

Data Protection Impact Assessment Policy Data Protection Impact Assessment Policy Version 0.1 1 VERSION CONTROL Version Date Author Reason for Change 0.1 16.07.18 Debby Jones New policy 2 EQUALITY IMPACT ASSESSMENT Section 4 of the Equality Act

More information

Workforce Equality and Diversity Policy

Workforce Equality and Diversity Policy Type of Document Code: Policy Sponsor Lead Executive Recommended by: Workforce Equality and Diversity Policy Policy STHK0088 Deputy Human Resources Director Human Resources Director Policy Sub-Group Date

More information

INFORMATION GOVERNANCE STRATEGY IMPLEMENTATION PLAN

INFORMATION GOVERNANCE STRATEGY IMPLEMENTATION PLAN INFORMATION GOVERNANCE STRATEGY & IMPLEMENTATION PLAN 2015-2018 Disclaimer The latest version of this document is located on PTHB intranet. Please check the review date and if there are any doubts contact

More information

CCG CO12 Policy and Framework for Partnership Governance

CCG CO12 Policy and Framework for Partnership Governance Corporate CCG CO12 Policy and Framework for Partnership Governance Version Number Date Issued Review Date V2: 21/02/2015 29/04/2015 21/02/2018 Prepared By: Consultation Process: Formally Approved: 25/02/2015

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY CONSULTATION AND RATIFICATION SCHEDULE Document Name: Governance Policy Policy Number/Version: 2.0 Name of originator/author: Midlands & Lancashire CSU Governance Team Ratified

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Number IG001 Target Audience CCG/ GMSS Staff Approving Committee CCG Chief Officer Date Approved February 2018 Last Review Date February 2018 Next Review Date February

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date June 2017 Approving Body Audit Committee Date of

More information

Information governance strategy

Information governance strategy Information governance strategy January 2018 Version 1.0 NHS fraud. Spot it. Report it. Together we stop it. Version control Version Name Date Comment V 1.0 Trevor Duplessis 22/01/18 Due for review Dec

More information

Lead Employer Flexible Working Policy. Trust Policy

Lead Employer Flexible Working Policy. Trust Policy Lead Employer Flexible Working Policy Type of Document Code: Policy Sponsor Lead Executive Recommended by: Trust Policy Deputy Director of Human Resources Director of Human Resources Date Recommended:

More information

Equality and Diversity Policy

Equality and Diversity Policy Equality and Diversity Policy 1 Reader Information Reference Title Equality and Diversity Policy Document purpose To set out and confirm our commitment to promoting equal opportunities and to recognise

More information

Performance Development Review (Appraisal) Policy

Performance Development Review (Appraisal) Policy Performance Development Review (Appraisal) Policy Executive Director lead Author / Lead Feedback on implementation to Dean Wilson, Director of Human Resources Jennie Wilson / Dean Wilson Jennie Wilson,

More information

NHS Sunderland Clinical Commissioning Group. Information Governance Strategy 2016/17

NHS Sunderland Clinical Commissioning Group. Information Governance Strategy 2016/17 NHS Sunderland Clinical Commissioning Group Information Governance Strategy 2016/17 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Executive Committee Governing

More information

This Policy supersedes the following Policy which must now be destroyed:

This Policy supersedes the following Policy which must now be destroyed: Document Title Reference Number Lead Officer Author(s) (name and designation) Ratified by Environmental Sustainability Policy NTW(O)02 Paul McCabe, Head of Estates and Facilities (NTW Solutions Ltd) Sarah

More information

Equality and Diversity Policy

Equality and Diversity Policy RCCG/GB/14/176i Equality and Diversity Policy Version No Author Date Comments Approved by V1.0 Becky Jones 2-10-14 APPROVED Quality and Risk Committee 1 Reader Information Reference Title ED001 Equality

More information

NHS SOUTH DEVON AND TORBAY CLINICAL COMMISSIONING GROUP INFORMATION LIFECYCLE MANAGEMENT POLICY

NHS SOUTH DEVON AND TORBAY CLINICAL COMMISSIONING GROUP INFORMATION LIFECYCLE MANAGEMENT POLICY NHS SOUTH DEVON AND TORBAY CLINICAL COMMISSIONING GROUP INFORMATION LIFECYCLE MANAGEMENT POLICY Version Control Version: 2.0 dated 17 July 2015 DATE VERSION CONTROL 04/06/2013 1.0 First draft of new policy

More information

Equality and Diversity Policy

Equality and Diversity Policy Equality and Diversity Policy Version No Author Date Comments Approved by V1.0 Becky Jones 2-10-14 APPROVED Quality and Risk Committee V2.0 Craig Sharples 20-07-16 Draft updated to reflect current structures

More information

Information Asset Management Policy

Information Asset Management Policy Information Asset Management Policy 1.0 Purpose 1.1 The purpose of this policy is to outline the management of the Fund s information asset register and the actions that will be taken to provide sufficient

More information

Executive Director of Nursing and Chief Operating Officer. Lead Officer. Tony Gray Head of Safety, Security and Resilience

Executive Director of Nursing and Chief Operating Officer. Lead Officer. Tony Gray Head of Safety, Security and Resilience Document Title Security Management Policy Reference Number Lead Officer Executive Director of Nursing and Chief Operating Officer Author(s) (name and designation) Ratified By: Tony Gray Head of Safety,

More information

Identifies the risk management structure, roles, responsibilities and authority of staff, committees and groups with responsibility for risk

Identifies the risk management structure, roles, responsibilities and authority of staff, committees and groups with responsibility for risk Title Description of document The sets out the process by which the Trust identifies, manages, reduces and mitigates risks to achieving the organisational objectives. It sets out the framework required

More information

Equality and Diversity Policy

Equality and Diversity Policy Equality and Diversity Policy Hertfordshire, Bedfordshire and Luton Clinical Commissioning Groups Page 1 of 15 DOCUMENT CONTROL SHEET Document Owner: Director of Workforce Document Author(s): Louise Thomas,

More information

Minor adjustments from IG Steering Group 0.3 Neil Taylor September 2013

Minor adjustments from IG Steering Group 0.3 Neil Taylor September 2013 Author(s) Andrew Thomas Version 0.3 Version Date 21 August 2013 Implementation/approval Date Review Date August 2014 Review Body Governing Body Policy Reference Number 014 Version Author Date Reason for

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY 1. CONSULTATION AND RATIFICATION SCHEDULE 1.2. Document Name: Governance Policy 1.4. Policy Number/Version: V4.0 1.6. Name of originator/author: Midlands & Lancashire CSU

More information

Executive Director of Workforce and Organisational Development. Workforce Projects Manager. Date ratified January Implementation Date

Executive Director of Workforce and Organisational Development. Workforce Projects Manager. Date ratified January Implementation Date Document Title Reference Number Lead Officer Author(s) Ratified by Induction Policy NTW(HR)01 Lisa Crichton-Jones Executive Director of Workforce and Organisational Development Jacqueline Tate Workforce

More information

Controlled Document Number: Version Number: 002. On: October Review Date: October 2020 Distribution: Essential Reading for: Page 1 of 12

Controlled Document Number: Version Number: 002. On: October Review Date: October 2020 Distribution: Essential Reading for: Page 1 of 12 Equality and Diversity in Employment Policy CONTROLLED DOCUMENT CATEGORY: CLASSIFICATION: PURPOSE Controlled Document Number: Policy Version Number: 002 Controlled Document Sponsor: Controlled Document

More information

Data Quality Policy

Data Quality Policy Cambridgeshire and Peterborough Clinical Commissioning Group (CCG) Data Quality Policy 2017-2019 Ratification Process Lead Author(s): Reviewed / Developed by: Approved by: Ratified by: Associate Director

More information

Risk Management and Assurance Strategy

Risk Management and Assurance Strategy Risk Management and Assurance Strategy Version 5.0 Policy number ULHT-MD-GOV-RM-STRAT Document author(s) Head of 2021 Programme Contributor(s) Approved by Policy Approval Group Date approved Date Published

More information

Date ratified June, Implementation Date August, Date of full Implementation August, Review Date Feb, Version number V02.

Date ratified June, Implementation Date August, Date of full Implementation August, Review Date Feb, Version number V02. Document Title Reference Number Lead Officer Author(s) Ratified by Disputes Policy NTW(HR)07 Lisa Crichton-Jones Acting Executive Director of Workforce and Organisational Development Jacqueline Tate-Workforce

More information

Data protection (GDPR) policy

Data protection (GDPR) policy Data protection (GDPR) policy January 2018 Version: 1.0 NHS fraud. Spot it. Report it. Together we stop it. Version control Version Name Date Comment 1.0 Trevor Duplessis 22/01/18 Review due Dec 2018 OFFICIAL

More information

INFORMATION GOVERNANCE POLICY AND FRAMEWORK

INFORMATION GOVERNANCE POLICY AND FRAMEWORK INFORMATION GOVERNANCE POLICY AND FRAMEWORK Policy approved by: Audit and Governance Committees Date: 9 th October 2017 Next Review Date: September 2018 Version: 4.0 Information Governance Policy & Framework

More information

DATA QUALITY POLICY. Version: 1.2. Management and Caldicott Committee. Date approved: 02 February Governance Lead

DATA QUALITY POLICY. Version: 1.2. Management and Caldicott Committee. Date approved: 02 February Governance Lead DATA QUALITY POLICY Version: 1.2 Approved by: Date approved: 02 February 2016 Name of Originator/Author: Name of Responsible Committee/Individual: Information Governance, Records Management and Caldicott

An Everyone Guide to Diversity Impact Assessments

An Everyone Guide to Diversity Impact Assessments Diversity Impact Assessments - part of the Everyone series An Everyone Guide to Diversity Impact Assessments Version 1.1 Owner: Frances McAndrew Approved by: Loraine Martins Date issued 01-04-15 A Guide

Data Protection Policy

Data Protection Policy Data Protection Policy StCH Data Protection Policy - POL 53 vs1 - July 2016 1 Document Control Table Document Title: Data Protection Policy Document Ref: POL 53 Author (name and job title): Karen Anderson,

Equality and Diversity in Employment Policy

Equality and Diversity in Employment Policy RCCG/GB/16/163 v. Equality and Diversity in Employment Policy Version No Author Date Comments Approved by V1.0 Lynne Sharp 8-9-16 First draft for comments AGEM HR BP November HR Comments 2016 17-11-16

Date: INFORMATION GOVERNANCE POLICY

Date: INFORMATION GOVERNANCE POLICY Date: INFORMATION GOVERNANCE POLICY Information Governance Policy IGPOL/01 Information Systems Corporate Services Division March 2017 1 Revision History Version Date Author(s) Comments 0.1 12/12/2012 Helen

Information Risk Policy

Information Risk Policy Information Risk Policy Version 1_0 Responsible Person Information Governance Manager Lead Director Director of Performance and Corporate Services Consultation Route Information Governance Steering Group

Business Continuity Management Policy

Business Continuity Management Policy Continuity Management Policy Policy ID CG04 Version: 1.1 Date ratified by Committee 13/01/15 Author Governing Body Secretary Last review date: November 2014 Next review date: 21/08/16 Version History V1.0

Suspension, Exclusion or Transfer Policy

Suspension, Exclusion or Transfer Policy Suspension, Exclusion or Transfer Policy Solent NHS Trust Policies can only be considered to be valid and up-to-date if viewed on the intranet. Please visit the intranet for the latest version. Purpose

The Essential Guide to the Public Sector Equality Duty

The Essential Guide to the Public Sector Equality Duty GUIDANCE The Essential Guide to the Public Sector Equality Duty England (and Non-Devolved Public Authorities in Scotland and Wales) Equality and Human Rights Commission www.equalityhumanrights.com Contents

Performance and Development Review (PDR) Policy

Performance and Development Review (PDR) Policy Performance and Development Review (PDR) Policy This Policy describes the process for undertaking a mandatory annual Performance and Development Review. Key Words: Performance, Development, Review Appraisal,

Type of Change. V01 New Mar 16 New Documentation. This Policy supersedes the following Policy which must now be destroyed:

Type of Change. V01 New Mar 16 New Documentation. This Policy supersedes the following Policy which must now be destroyed: Document Title Reference Number Lead Officer Author(s) (name and designation) Ratified by Study Leave Policy for Medical Staff (Consultants and Specialty Doctors) NTW(HR)22 Rajesh Nadkarni Executive Medical

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Unique Reference / Version Primary Intranet Location Information Management & Governance Secondary Intranet Location Policy Name Information Governance Policy Version Number

TRUST-WIDE NON-CLINICAL POLICY DOCUMENT. Date Ratified: February 2015 Next Review Date (by): Interim Review August 2017 Version Number: 2015 Version 1

TRUST-WIDE NON-CLINICAL POLICY DOCUMENT. Date Ratified: February 2015 Next Review Date (by): Interim Review August 2017 Version Number: 2015 Version 1 TRUST-WIDE NON-CLINICAL POLICY DOCUMENT Policy Number: Scope of this Document: Recommending Committee: Approving Committee: SA01 All Staff Policy Group Executive Committee Date Ratified: February 2015

EQUALITY AND DIVERSITY. MED-CG Equality and Diversity If printed this document is uncontrolled

EQUALITY AND DIVERSITY. MED-CG Equality and Diversity If printed this document is uncontrolled EQUALITY AND DIVERSITY MED-CG-005-2 Equality and Diversity If printed this document is uncontrolled Scope To cover all business aspects of MCL Medics that may be affected by our adherence or failure to

Equality and Diversity Policy

Equality and Diversity Policy Equality and Diversity Policy Approved by the Board: 26 July 2018 Review Date: July 2020 Version: 6 1 CONTENTS 1. Policy statement 2. Scope 3. Principles 4. YMCA Derbyshire s Commitment 5. Application

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK POLICY

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK POLICY INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK POLICY Version: 1.4 Approved by: Date approved: 19 January 2017 Name of Originator/Author: Name of Responsible Committee/Individual: Date issued: Information

East & North Hertfordshire Clinical Commissioning Group. Clinical Procurement Strategy for Commissioning Services (Including Policy)

East & North Hertfordshire Clinical Commissioning Group. Clinical Procurement Strategy for Commissioning Services (Including Policy) East & North Hertfordshire Clinical Commissioning Group Clinical Procurement Strategy for Commissioning Services (Including Policy) Page 1 of 89 DOCUMENT CONTROL SHEET Document Owner: Programme Director

Workforce & Organisational Development Committee

Workforce & Organisational Development Committee Betsi Cadwaladr University Health Board Committee Paper : WOD12/98 Name of Committee: Subject: Workforce & Organisational Development Committee WP8 Equality & Diversity Policy Summary or Issues of Significance

Role Title: Chief Officer Responsible to: CCG chairs - one employing CCG Job purpose/ Main Responsibilities

Role Title: Chief Officer Responsible to: CCG chairs - one employing CCG Job purpose/ Main Responsibilities Role Title: Chief Officer Responsible to: CCG chairs - one employing CCG Job purpose/ Main Responsibilities Accountable to: All employed staff working within the 3 CCGs Within the 3 CCGs the Chief Officer

Recruitment & Selection Policy

Recruitment & Selection Policy Beyond Limits provides policies and procedures to promote safe and consistent practice across the Organisation. The framework laid down within our policies and procedures lets everyone know how we work

Equality and Diversity Policy

Equality and Diversity Policy Equality and Diversity Policy Author(s) (name and post): Version No.: Version 2 Lisa Kelly, HR Business Partner, MLCSU Approval Date: 21 st November 2017 Review Date: July 2021 Author/s: NHS Staffordshire

Equality and Diversity Policy

Equality and Diversity Policy Responsible Manager Director of Finance Date of Issue June 2018 Issue Number V4.0 Date for Review June 2021 Summary of Key Points CXK is committed to valuing diversity and eliminating discrimination, harassment

The Royal Borough of Windsor & Maidenhead. Equality Policy

The Royal Borough of Windsor & Maidenhead. Equality Policy The Royal Borough of Windsor & Maidenhead Equality Policy April 2018 Building a borough for everyone where residents and businesses grow, with opportunities for all Our vision is underpinned by six priorities:

Equality & Diversity Policy

Equality & Diversity Policy Equality & Diversity Policy 2016-2019 Outlining our commitment to eliminating discrimination, encouraging diversity and inclusion throughout the partnership Leadership, Innovation & Promotion Safeguarding

The Newcastle Upon Tyne Hospitals NHS Foundation Trust. Aggregating Data and Learning from Incidents, Complaints and Claims Policy

The Newcastle Upon Tyne Hospitals NHS Foundation Trust. Aggregating Data and Learning from Incidents, Complaints and Claims Policy The Newcastle Upon Tyne Hospitals NHS Foundation Trust Aggregating Data and Learning from Incidents, Complaints and Claims Policy Version no. 2.1 Effective from: 2 nd October 2012 Expiry date: 31 st October

NHS BARNSLEY CCG DATA QUALITY POLICY SEPTEMBER 2016

NHS BARNSLEY CCG DATA QUALITY POLICY SEPTEMBER 2016 Putting Barnsley People First NHS BARNSLEY CCG DATA QUALITY POLICY SEPTEMBER 2016 Version: 1.0 Approved By: Governing Body Date Approved: 8 September 2016 Name of originator / author: Name of responsible

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Document Number 2009/49/V2 Document Title Information Governance Strategy Author Phil Cottis Author s Job Title Information Governance & RA Manager Department IM&T Ratifying

Equality & Diversity Policy and Procedure

Equality & Diversity Policy and Procedure Equality & Diversity Policy and Procedure Contents 1. Policy Statement 2. Purpose and Scope 3. The Definition of Equality and Diversity 4. Forms of Discrimination 5. Legislative and Regulatory Context

Records Management Policy and Strategy

Records Management Policy and Strategy Records Management Policy and Strategy Ratified Status Approved Final Issued November 2017 Approved By Governance and Risk Committee Consultation Governance and Risk Committee Equality Impact Assessment

Code of Corporate Governance

Code of Corporate Governance Code of Corporate Governance 1 FOREWORD From the Chairman of the General Purposes Committee I am pleased to endorse this Code of Corporate Governance, which sets out the commitment of Cambridgeshire County

Information Governance Policy

Information Governance Policy Information Governance Policy Date completed: February 2016 Responsible Director: Approved by/ date: Director of Compliance Review date: October 2017 Amended: Author: Ben Westmancott Information Governance

MANUAL HANDLING POLICY

MANUAL HANDLING POLICY MANUAL HANDLING POLICY Version 2.0 Important: This document can only be considered valid when viewed on the CCG website. If this document has been printed or saved to another location, you must check that

Information Governance Management Framework 2016/17

Information Governance Management Framework 2016/17 Information Governance Management Framework 2016/17 Reference: IG12 Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy

Lisa Quinn Executive Director of Performance and Assurance. Lead Officer

Lisa Quinn Executive Director of Performance and Assurance. Lead Officer Document Title Reference Number Lead Officer Author(s) (name and designation) Ratified by Data Quality Policy NTW(O)26 Lisa Quinn Executive Director of Performance and Assurance Jennifer Illingworth Deputy

Gifts and Hospitality Policy

Gifts and Hospitality Policy Gifts and Hospitality Policy Author: Jennifer McLaren, Vice Principal, Finance & Curriculum Services Impact Assessment Date: July 2018 Date: July 2018 (Revised) Contents 1 Introduction... 1 2 Legal Obligations...

Equal Opportunities (Staff) Policy

Equal Opportunities (Staff) Policy Equal Opportunities (Staff) Policy Academy Transformation Trust Further Education (ATT FE) Policy reviewed by Academy Transformation Trust on 25/07/13 Policy consulted on with Unions on 25/07/13 Policy

Single equalities & diversity policy

Single equalities & diversity policy Single equalities & diversity policy Policy Index Paragraph number.0. Introduction... 3 (describes the reason for the policy, who it covers and what we hope to achieve) 2.0. Responsibility... 4 (Explains

Public Sector Equality Duty. Annual Workforce Equality Monitoring Report. Heart of England NHS Foundation Trust

Public Sector Equality Duty. Annual Workforce Equality Monitoring Report. Heart of England NHS Foundation Trust Public Sector Equality Duty Annual Workforce Equality Monitoring Report Heart of England NHS Foundation Trust 2017 1 Contents Page Number: Executive Summary 3 Aims of the Report 3 1. Equality Duty and

Information Security Policy

Information Security Policy Information Security Policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 NHS Business Services Authority Information Security policy Head of Security

Agenda Item 17 CORPORATE GOVERNANCE FRAMEWORK

Agenda Item 17 CORPORATE GOVERNANCE FRAMEWORK CORPORATE GOVERNANCE FRAMEWORK Draft September 2016 1 Introduction The purpose of this framework is to set out how the Police and Crime Commissioner (the PCC) as a corporation sole will govern ensuring

NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST. Documentation Control BUILDING ENVIRONMENT DISABILITY ACCESS POLICY

NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST. Documentation Control BUILDING ENVIRONMENT DISABILITY ACCESS POLICY NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST Documentation Control BUILDING ENVIRONMENT DISABILITY ACCESS POLICY Reference HS/EI/014 Approving Body Senior Management Team Date Approved 23 Implementation Date

EQUALITY AND DIVERSITY POLICY

EQUALITY AND DIVERSITY POLICY WHC reserves the right to amend this policy at its discretion. The most up-to-date version can be downloaded from our website. EQUALITY AND DIVERSITY POLICY ELT manager Responsible officer Principal &

Equality, Diversity & Inclusion Policy

Equality, Diversity & Inclusion Policy Equality, Diversity & Inclusion Policy Author s name Sponsor Date agreed Ian Shepherd Diversity Action Team Approved at July 2015 DAT meeting (Originally approved by Board 29 May 2012) Date of last review

Equal Opportunities Policy

Equal Opportunities Policy Equal Opportunities Policy June 2013 Equal Opportunities Policy Issue date June 2013, Revision date June 2014 1 Contents 1. Policy statement... 3 2. Aim and purpose of the policy... 3 3. Scope of policy...

Information Sharing Policy

Information Sharing Policy Information Sharing Policy DOCUMENT CONTROL: Version: 1 Ratified by: Risk Management Sub Group Date ratified: 19 December 2012 Name of originator/author: Information Governance Manager Name of responsible

Information Assets: Security and Risk Management Policy. Choice, Responsiveness, Integration & Shared Care

Information Assets: Security and Risk Management Policy. Choice, Responsiveness, Integration & Shared Care s: Security and Risk Management Policy Choice, Responsiveness, Integration & Shared Care Worcestershire Mental Health Partnership NHS Trust Reader Box Document Type: Document Purpose: Unique identifier:

BARNSLEY CLINICAL COMMISSIONING GROUP LONG SERVICE AWARD POLICY

BARNSLEY CLINICAL COMMISSIONING GROUP LONG SERVICE AWARD POLICY BARNSLEY CLINICAL COMMISSIONING GROUP LONG SERVICE AWARD POLICY Version: 1.4 Approved By: Governing Body Date Approved: 08 May 2014 (Governing Body); Feb 2016 (ESG review), Feb 2018 (E&E review) Name of

Information Governance Strategy and Management Framework

Information Governance Strategy and Management Framework Information Governance Strategy and Management Framework Summary: This strategy sets out the framework, structure, system and accountabilities for Information Governance Management within NHS Eastbourne,

Equality and Diversity Policy

Equality and Diversity Policy Equality and Diversity Policy ADOPTED BY TRUSTEES: 14 TH JULY, 2016 Page 1 of 8 Contents 1. Introduction... 3 2. Scope and purpose... 3 3. Roles and responsibilities... 4 4. Forms of discrimination...

Equality Analysis: a design tool for services, functions, strategies and policies

Equality Analysis: a design tool for services, functions, strategies and policies Equality Analysis: a design tool for services, functions, strategies and policies 1 Inclusive Design Design is a crucial factor in developing effective policies, strategies and inclusive services. Every

CCG CO 22 Project Management Policy

CCG CO 22 Project Management Policy Corporate CCG CO 22 Project Management Policy Version Number Date Issued Review Date V1.1 25/02/2016 25/02/2018 Prepared By: Head of Programme Management Office (PMO), NTCCG Consultation Process: Transformation

Moving and Handling Policy

Moving and Handling Policy Moving and Handling Policy Ratified Governance and Risk Committee Status Approved Issued August 2014 Approved By Governance and Risk Committee Consultation Governance and Risk Committee Equality

INFORMATION GOVERNANCE TRAINING NEEDS ASSESSMENT

INFORMATION GOVERNANCE TRAINING NEEDS ASSESSMENT INFORMATION GOVERNANCE TRAINING NEEDS DOCUMENT CONTROL Reference Number IG11 Version 1.1 Status Final Sponsor(s) Head of Corporate Services Amendments April 2013 First version created February 2016 Routine

Information Governance Management Framework

Information Governance Management Framework Management Framework Summary: This document sets out the framework, structure, system and accountabilities for Management within West Kent CCG Clinical Commissioning Group. APPROVED BY: Chief Finance Officer

Equality and Diversity Policy

Equality and Diversity Policy Equality and Diversity Policy September 2017 Approving authority: Professional Services Board Consultation via: EDAG Approval date: 6 September 2017 Effective date: 6 September 2017 Review period: 3 years

Overarching Information Governance Policy

Overarching Information Governance Policy Document Information Board Library Reference Document Type Document Subject Original Document Author Reviewed By Review Cycle IM&T_01 Policy Information Information IGMG 3 Years Note: This document is
