INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

Transcription

1 NHS South West Lincolnshire Clinical Commissioning Group (CCG) INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK Document History: Document Reference: Document Purpose: IG01 Date Ratified: January 2015 Ratified by: Version Number: 1.3 The document complements related Information Governance policies and sets out the management arrangements for information governance in the CCG NHS South West Lincolnshire Commissioning Group Governing Body Status: Final Next Revision Due: January 2018 Developed by: Information Governance Optum Commissioning Support Services Policy Sponsor: Pam Palmer, Executive Nurse and Quality Lead Target Audience: All Staff within the CCG whether operating directly or providing services to other organisations under a service level agreement or joint agreement and to non-executive directors, contracted third parties (including agency staff), locums, students, volunteers, trainees, visiting professionals or researchers, seconded and other staff on temporary placements within the organisation. Associated Documents: Distributed Via: All Information Governance Policies and the Information Governance Toolkit Intranet and Internet Page 1 of 15

2 Revision History Version Revision date Summary of Changes 1.0 August 2013 Revised in line with NHS England Policies and updated to reflect version 11 of the Information Governance Toolkit 1.1 November 2013 Addendum added to incorporate staffing structure and an overview of all IG policies and their approval date. Page 2 of 15

3 FINAL 1.2 Final 1.3 August 2014 September 2014 Approved at IG Product Group Amended version number - Added - Contents 4. Senior IG Management details, 15, 16, 17, 18, & Removed - Para 14 Working Group for CCGs - Removed - Introduction This policy allows the following IGT requirements to be evidenced 130,230,231,232,234,341, Added para 4.1, The IG Lead etc., The Records Manager etc., An Information Asset etc., Information Asset Administrator etc. - Removed para 4.1 Chief Operating Officer - Added para Added para 4.3 The SIRO will also etc. - Added para 4.4 Be a senior person etc. - Added para 4.5, Added para 6. and the Risk and Governance Committee - Updated para 8 web site link - Updated para 13 web site link - Updated Appendix 1 - Updated Appendix 2 - Updated Appendix 3 - Updated Appendix 4 - Updated Appendix 5 - Updated Appendix 6 Removal of AGEM logo/references and updated header/footer Minor wording updates Update IGT website link Updated references i.e. use of NHS Digital to replace Health and Social Care Information Centre, insertion of Optum Commissioning Support Services as appropriate Removal of inappropriate references Updated reference to training requirements Page 3 of 15

4 CONTENTS Section Page 1 Introduction 5 2 Purpose & Scope 5 3 Policy Statement 5 4 Senior IG Management Details - Organisation Roles & Accountabilities 6 5 Key Policies 9 6 Governance Arrangements 9 7 Resources 10 8 Training Guidance 10 9 Incident Management Equality & Diversity Impact Assessment Monitoring & Compliance Further Information or Guidance References Appendix 1- Terms of Reference of Information Governance Working Group for CCGs 15 Appendix 2 Clinical Commissioning Group Constitution 16 Appendix 3 Information Governance Operational Structure Page 4 of 15

5 Information Governance Management Framework for NHS South West Lincolnshire CCG 1. Introduction Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit (IGT) as the organisation s Information Governance Management Framework (IGMF). This framework is required to be documented, approved at the most appropriate senior management level in the organisation and reviewed annually. This document sets out NHS South West Lincolnshire CCG s approach to embedding robust information governance throughout the CCG. The IGT is available here: A user name and password is required to access the CCG IG Toolkit Return. This policy is a standalone document and provides a summary/overview of how the CCG is addressing the IG agenda and reflects the capacity and capability of the CCG. 2. Purpose and scope The purpose of this policy is to establish employee responsibility and the conduct required for all members of staff regarding the CCG s information governance framework. This policy applies to all staff within the CCG whether operating directly or providing services to other organisations under a service level agreement or joint agreement. and to nonexecutive directors, contracted third parties (including agency staff), locums, students, volunteers, trainees, visiting professionals or researchers,, seconded and other staff on temporary placements within the organisation. 3. Policy Statement NHS Digital mandates that the Information Governance Toolkit (IGT) is completed by all organisations that commission or provide services within and to the NHS. An IGMF is required to be in place to ensure that the Information Governance agenda is owned and implemented in a structured manner. Page 5 of 15

6 4. Senior Information Governance Management Details Organisational Roles & Accountability 4.1 The CCG will: Appoint an Information Governance (IG) Lead, Senior Information Risk Owner (SIRO) and Caldicott Guardian. These designated roles will be reported in the CCG IG Toolkit Return under Update Information Governance Senior Management Details once appointed. The Senior Information Risk Owner and Caldicott Guardian will be members of the CCG Governing Body. The IG Lead is a senior representative in the organisation who leads and co-ordinates the information governance works programme. The Accountable Officer has overall accountability and responsibility for Information Governance and is required to provide assurance through the Statements on Internal Control that all risks to the CCG, including those relating to information, are effectively managed and mitigated. The Records Manager is an individual/s with clear responsibility for the management of the records of the organisation from the time they are created up to their eventual disposal. This may include naming, version control, storing, tracking, securing and destruction (or in some cases, archival preservation) of records. An Information Asset Owner is a senior individual involved in running the relevant business. Their role is to understand and address risks to the information assets they own and to provide assurance to the SIRO on the security and use of those assets. Information Asset Administrators are members of staff who understand and are familiar with information risks in their area or department. Information Asset Administrators ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management and ensure that information asset registers are accurate and up to date. 4.2 The CCG Information Governance Lead in conjunction with services provided by Optum Commissioning Support Services will: Develop and maintaining comprehensive and appropriate documentation that demonstrates commitment to and ownership of IG responsibilities, e.g. an overarching high level strategy document supported by appropriate policies and procedures Ensure that there is senior management awareness and support for IG resourcing and implementation of improvements Provide direction in formulating, establishing and promoting IG policies Page 6 of 15

7 Establish working groups, if necessary, to co-ordinate the activities of staff given IG responsibilities and progress initiatives Ensure that assessment and improvement plans are prepared for approval by the senior level of management in a timely manner and in line with national reporting requirements Ensure that the approach to information handling is communicated to all staff and made available to the public Ensure that appropriate training is made available to staff and completed as necessary to support their duties and in line with IGT requirements Liaise with other committees, working groups and programme boards to promote and integrate IG standards Monitor information handling activities to ensure compliance with law and guidance Provide a focal point for the resolution and/or discussion of IG issues 4.3 The SIRO will: Take ownership of the organisation s information risk policy and information risk management strategy. All key information assets will be identified and their details included in an Information Asset Register Ensure that Information Asset owners are identified for each key information asset Ensure that all staff assigned responsibility for co-ordinating and implementing information risk management are appropriately trained to carry out their role Ensure that Information Asset Owners carry out risk reviews of the assets for which they are accountable, the frequency of review depending upon the importance of the asset and the nature of the risk environment Lead and implement information governance risk assessments and advise the Governing Body on the effectiveness of risk management across the organisation 4.4 The Caldicott Guardian will: Be added to the National Register of Caldicott Guardians Identify the support necessary to ensure work related to confidentiality and data protection is appropriately carried out Provide a plan for the Caldicott Function of the CCG Ensure all staff assigned responsibility for co-ordinating and implementing the confidentiality and data protection work programme are appropriately trained to carry out their role Page 7 of 15

8 Identify the work necessary to provide Confidentiality and Data Protection Assurance Be a senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. 4.5 Information Asset Owner s will: Identify and document the scope and importance to the business of all Information Assets they own. This will include identifying all information necessary in order to respond to incidents or recover from a disaster affecting the Information Asset. Take ownership of their local asset control, risk assessment and management processes for the information assets they own. This includes the identification, review and prioritisation of perceived risks and oversight of actions agreed to mitigate those risks. Provide support to the organisation s SIRO and Risk and Governance Committee to maintain their awareness of the risks to all Information Assets that are owned by the organisation and for the organisation s overall risk reporting requirements and procedures. Ensure that staff and relevant others are aware of and comply with expected IG working practices for the effective use of owned Information Assets. This includes records of the information disclosed from an asset where this is permitted. Provide a focal point for the resolution and/or discussion of risk issues affecting their Information Assets. Ensure that the organisation s requirements for information incident identification, reporting, management and response apply to the Information Assets they own. This includes the mechanisms to identify and minimise the severity of an incident and the points at which assistance or escalation may be required. Foster an effective IG culture for staff and others who access or use Information Assets to ensure individual responsibilities are understood, and that good working practices are adopted in accordance with organisational policy. 4.6 Information Asset Owner s will: Ensure that policies and procedures are followed when using an information asset Recognise actual or potential security incidents Consult their IAO on incident management Assist the IAO to ensure that information asset registers are accurate and up to date, for example by reporting when an information asset they use is no longer required. Page 8 of 15

9 5. Key Policies The CCG via Optum Commissioning Support Services will provide the following policies to set out scope and intent in terms of embedding Information Governance processes throughout the Organisation: Information Governance Policy Confidentiality and Data Protection Policy Information Security Policy Corporate Governance Policy (which covers FOI) Information Lifecycle Management Policy (Records Management and Information Quality) The CCG will implement policies as required to support confidentiality, security and records management processes in addition to this Information Governance Management Framework 6. Governance Arrangements The following governance arrangements have been agreed: The CCG Governing Body will receive periodic assurance that management and accountability arrangements are adequate and are informed in a timely manner of future changes in the IG agenda by IG updates. The Governing Body of the CCG has responsibility for the Information Governance agenda supported by identified senior roles i.e. Caldicott Guardian, SIRO, and IG Lead. Through the Lead Provider Framework (LPF) the CCG will obtain Information Governance Support from Optum Commissioning Support Services. Responsibility and accountability for Information Governance will be cascaded through the organisation via staff contracts, contracts with third parties, Information Asset Owner arrangements and departmental leads. Key information governance messages will be developed by Optum Commissioning Support Services and made available to the CCG for onward dissemination. Page 9 of 15

10 7. Resources Key staff involved in the Information Governance agenda, below those at Governing Body/Senior Team level, will be provided to the CCG through the LPF contract between the CCG and Optum Commissioning Support Services. 8. Training Guidance Staff need clear guidelines on expected working practices and on the consequences of failing to follow policies and procedures. The approach to ensuring that all staff receives training appropriate to their roles will be detailed and provided by Optum Commissioning Support Services. Information Governance Services will assist the CCG in achieving NHS Digital s requirements for information governance training and advise/manage staff to undertake further specialist information governance training as required. Training will also be made available via the HSCIC e-learning site (at August 2014 still hosted at): 9. Incident Management Clear guidance on incident management procedures will be documented and staff will be made aware of their existence, location and responsibility for implementation. All IG incidents will be reported via the CCG Information Governance Working Group on a bi-monthly basis. 10. Equality & Diversity Impact Assessment None required. 11. Monitoring and Compliance The IGMF will be reviewed at least annually in line with IG Toolkit requirements or amended as required to reflect changes in organisational ownership. Page 10 of 15

11 12. For further Information or Guidance Contact the Information Governance Team at Optum Commissioning Support Services Lynne Wray Information Governance Manager: June Emptage Information Governance Officer: 13. References Confidentiality: NHS Code of Practice The IG Toolkit. Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents (Gateway reference 13177). %20Guidance.pdf The Caldicott Review: Information Governance in the Health and Social Care System Page 11 of 15

12 Appendix 1 Information Governance Working Group for NHS Lincolnshire East CCG; NHS Lincolnshire West CCG; NHS South Lincolnshire CCG and NHS South West Lincolnshire CCG Note Information Governance Manager, Optum Commissioning Support Services Head of Performance and Delivery, NHS Lincolnshire West CCG SIRO and IG Lead Information Governance Consultant NHS Arden and Greater East Midlands Commissioning Support Unit Chief Finance Officer, South Lincolnshire CCG and SIRO Information Governance Officer, Optum Commissioning Support Services Executive Lead Nurse and Midwife Quality and Governance, NHS Lincolnshire West CCG. Caldicott Guardian Executive Nurse and Quality Lead, NHS South Lincolnshire CCG and Caldicott Guardian Deputy Chief Finance Officer, NHS Lincolnshire East CCG. Deputy SIRO and Deputy IG Lead Executive Nurse and Quality Lead, NHS South West Lincolnshire CCG. Caldicott Guardian Corporate Assistant and Office Manager, South West Lincolnshire Clinical Commissioning Group Deputy Head of Quality, Governance and Engagement, NHS Lincolnshire East CCG. Delegated Caldicott Guardian representative Chief Finance Officer, NHS South West Lincolnshire CCG. SIRO and IG Lead Other members of staff in Optum Commissioning Support Services, NHS Arden & GEM CSU and the CCGs may be called upon to attend as appropriate. Frequency of Meetings/Meeting Administration Meetings will be held on a monthly basis at a venue to be agreed between the representatives. Administrative support will be provided by Optum Commissioning Support Services. Meeting papers will be distributed electronically at least 5 working days prior to each meeting. Deadline for papers is 10 working days prior to each meeting. Optum Commissioning Support Services will be the prime record holder for meeting papers. In addition to the members of the group, meeting papers will be copied to the following individuals for information. Chief Nurse, NHS Lincolnshire East CCG Board Secretary NHS Lincolnshire East CCG Board Secretary, Officer Manager NHS South Lincolnshire CCG Board Secretary - NHS South West Lincolnshire CCG Board Secretary - NHS Lincolnshire West CCG. Page 12 of 15

13 Meeting Quoracy Meetings will be quorate with the attendance of a CCG representative from each organisation, or their nominated deputy and one representative from the Optum Commissioning Support Services (CSS) Team and one representative from the NHS Arden & GEM CSU Information Governance Team. Meetings will proceed where a quorum representation is not available but decisions will not be taken on behalf of any CCG not represented. The relevant CSS/CSU IG representatives will undertake best endeavours to follow up relevant issues with members not present at meetings so that the decision making process can be facilitated. Group Purpose 1. To promote a holistic approach to Information Governance across the Lincolnshire Clinical Commissioning Groups. To facilitate the development of best practices which are acceptable, practicable, owned and therefore better supported across the CCGs to work together to influence the integration and inclusion of Information Governance standards with other governance strategies, work programmes and projects. 2. To provide assurances to the CCG s Executive Teams, via its CCG representatives, that Information Governance management and accountability arrangements are appropriate and adequate, and inform those teams in a timely manner of key changes in the IG Agenda or risks that require escalation. 3. To provide a CCG focussed group to discuss responsibility for IG Toolkit standards, develop and monitor the Information Governance Toolkit work plan and discuss key information governance operational issues 4. To share approaches and learning which relate to the Information Governance Standards incorporated into the IG Toolkit. 5. To discuss and reach agreement on the way forward on information sharing issues which are impacting upon the business of member organisations, for example, related to Lincolnshire Health and Social Care Integration (LHAC), data sharing, Contract Data issues, Risk Stratification and GEMIMA. 6. To achieve a common understanding and interpretation of the law, guidelines and principles applying to information governance and information processing. 7. To collaborate to promote good information governance practice through, for example, joint events, training, advice and support. The IGWG will also give due regards to promoting and monitoring IG related issues externally within its commissioning system. 8. Policies presented to this Group will be agreed in principle as working drafts by CCG group members but will require formal approval for adoption by each CCG Governing Body or equivalent as appropriate. 9. Group Members can approve in principle advice and guidance offered by OPTUM CSS and NHS Arden & GEM CSU, but the ultimate decisions will be made by each CCG s Governing Body or equivalent as appropriate 10. The Group will be chaired by a CCG representative determined at the commencement of each meeting. These arrangements will be reviewed on a regular basis to reflect the agreement for services detailed in the Information Governance Service Specification between OPTUM CSS, NHS Arden & GEM CSU and the CCG s. Page 13 of 15

14 11. Representatives on the Group will submit CCG IG Working Group Minutes to their respective Committees for noting and action where appropriate. Appendix 2 Clinical Commissioning Group Constitution The NHS South West Lincolnshire CCG ensures that policies will be reviewed at least annually. The Clinical Commissioning Group will promote good governance and proper stewardship of public resources in pursuance of its goals. The Governing Body has responsibility for ensuring that the Clinical Commissioning Group has appropriate arrangements in place to exercise its functions effectively, efficiently and economically and in accordance with the Groups principles of good governance, overseeing governance and particularly ensuring that the Governing Body and the wider group behaves with the utmost transparency and responsiveness at all times. Page 14 of 15

15 Appendix 3 Information Governance Operational Structure Accountable Officer Caldicott Guardian SIRO IG Lead Records Manager Information Asset Owner s Information Asset Administrator s Optum CSS IG Lead Page 15 of 15