INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK POLICY


Version: 1.4
Approved by: Information Governance, Records Management and Caldicott Committee
Date approved: 19 January 2017
Name of Originator/Author: Samantha Hann, Corporate Support Services Officer
Name of Responsible Committee/Individual: Information Governance, Records Management and Caldicott Committee
Date issued: 14 October 2014 (original date)
Review date: 31 December 2017
Target audience: All staff / members of the public


CONTENTS

VERSION CONTROL
1 INTRODUCTION
2 INFORMATION GOVERNANCE PRINCIPLES
3 INFORMATION MANAGEMENT FRAMEWORK
4 MANAGING INFORMATION RISK
5 TRAINING
6 REVIEW AND AUDIT
7 REFERENCES
8 ASSOCIATED SOMERSET CCG DOCUMENTS

Appendices
APPENDIX 1 Information Governance, Records Management & Caldicott Committee Terms of Reference


VERSION CONTROL

Number assigned to document: IG20
Document Status: Final
Version: 1.4

DOCUMENT CHANGE HISTORY

Version | Date | Comments
1.0 | July 2014 | Initial draft by Samantha Hann
1.0 | August 2014 | Policy disseminated to Information Governance Records Management and Caldicott Committee for amendments
 | Oct 2014 | Amendments received from Committee members. Policy amended to reflect changes.
1.2 | September 2015 | Director of Strategy and Patient Engagement amended to Quality, Safety and Governance, Head of Patient Safety and Risk Management amended to Head of Patient Safety and Governance, Document reference added.
1.3 | March 2016 | Interim annual check of policy and review by Leadership Team.
1.4 | February 2017 | Updated to reflect changes to directorate responsibilities and IGRMCC terms of reference (appendix 1). Approved by Governance Committee 8 February 2017

Equality Impact Assessment (EIA) Form OR EIA Screening Form completed. Date: Screening Form 14 October 2014
Sponsoring Director: Paul Goodwin, Director of Commissioning Reform and Governance
Author(s): Samantha Hann, Corporate Support Services Officer
Document Reference: Information Governance Policy v1.4

1 INTRODUCTION

1.1 Information Governance informs the processes required to ensure all information held by the Somerset CCG adheres to approved levels of confidentiality, security, accountability, standards, policies and procedures.

1.2 The NHS Information Governance Toolkit (IGT) requires all NHS CCGs to develop and maintain information governance standards. As the Toolkit evolves, the Somerset CCG must ensure that it adheres to increasingly stringent criteria.

1.3 The IGT is an online system which allows NHS organisations and partners to assess themselves against the Department of Health Information Governance policies and standards. It also allows members of the public to view participating organisations' IGT assessments.

1.4 The Information Commissioner's Office (ICO) is the UK's independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2 INFORMATION GOVERNANCE PRINCIPLES

2.1 The Somerset CCG recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The Somerset CCG fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to, safeguard both personal information about data subjects and commercially sensitive information. The Somerset CCG also recognises the need to share information with other organisations and other agencies in a controlled manner consistent with the interests of the data subjects and, in some circumstances, the public interest.

2.2 Accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all Somerset CCG employees to ensure and promote the quality of information and to actively use information in decision making processes.

2.3 There are four key interlinked principles to the Information Governance policy:
- openness
- information security
- quality assurance
- legal compliance including Data Protection compliance

Openness

2.4 The Somerset CCG recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.

2.5 Information will be defined and where appropriate kept confidential, underpinning the principles of Caldicott and the regulations outlined in the Data Protection Act (DPA). Non-confidential information about the Somerset CCG and services will be available to the public through a variety of means, in line with the Somerset CCG's code of openness and the Freedom of Information Act.

2.6 The Somerset CCG will:
- establish and maintain policies and ensure compliance with the Freedom of Information Act (FOIA). A publication scheme will be maintained in line with the Information Commissioner's Office (ICO) Model Publication Scheme and this is available for all service users on the Somerset CCG website. This will be maintained and updated frequently in line with guidance
- make sure there will be clear procedures and arrangements for handling queries from data subjects and the public
- will have clear procedures and arrangements for liaison with the press and broadcasting media
- ensure integrity of information will be developed, monitored and maintained to ensure that it is appropriate for the purposes intended
- ensure availability of information for operational purposes will be maintained within set parameters relating to its importance via appropriate procedures and computer system resilience
- regard all identifiable personal information relating to data subjects as confidential. Compliance with legal and regulatory frameworks will be achieved, monitored and maintained
- establish and maintain policies and procedures to ensure compliance with the DPA 1998, Human Rights Act, the common law duty of confidentiality and the FOIA
- ensure awareness and understanding of all staff, with regard to their responsibilities, will be routinely assessed and appropriate training and awareness provided
- carry out risk assessments, in conjunction with overall priority planning of organisational activity, will be undertaken to determine that appropriate, effective and affordable information governance controls are in place

Information Security

2.7 The Somerset CCG will:
- establish and maintain policies for the effective and secure management of its information assets and resources and will ensure appropriate business continuity plans and disaster recovery plans are in place
- undertake or commission audits to assess information and IT security arrangements
- report information governance related incidents scoring 2 or above as IG Serious Incidents (SIs) on the information governance incident reporting tool through the IG Toolkit
- use the Somerset CCG's incident reporting system (DATIX) to report, monitor and investigate all breaches of confidentiality and security. Serious Incidents Requiring Investigation (SIRIs) will be reported as outlined above by the Somerset CCG Senior Information Risk Officer (SIRO)
- promote effective confidentiality and security practice to its staff through policies, procedures, training and staff briefings

Quality Assurance

2.8 The Somerset CCG will:
- establish and maintain policies for information quality assurance and the effective management of records
- undertake or commission audits of the Somerset CCG's quality of data and records management arrangements
- expect Managers to take ownership of, and seek to improve, the quality of data within their services
- promote data quality through policies, procedures/user manual and training
- establish and maintain policies and procedures for information quality assurance and the effective management of records and will promote information quality and effective records management through policies, procedures, user manuals and training
- expect managers to take ownership of, and seek to improve, the quality of information within their services

Legal Compliance

2.9 The key principles of legal compliance are that:
- all identifiable personal information relating to data subjects is confidential
- annual assessments and audits of the Somerset CCG compliance with legal requirements will be undertaken
- all identifiable personal information relating to staff is confidential except where national policy on accountability and openness requires otherwise
- policies to ensure compliance with the DPA 1998, Human Rights Act and the common law on confidentiality are referred to in section 8
- policies as referred to in section 8 for the controlled and appropriate sharing of patient information with other agencies, will be maintained, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act)

Data Protection Compliance

2.10 The Somerset CCG needs to collect and use certain types of information about a variety of people including, but not limited to:
- current, past and prospective employees
- providers and external agencies
- pseudo-anonymised and anonymised patient data sets through arrangements with SCWCS to support commissioning and service development

2.11 In addition, the Somerset CCG may occasionally be required by law to collect and use certain types of information to comply with the requirements of Government departments. However this personal information is collected, recorded and used, whether electronic or manual, it must be dealt with properly.
There are safeguards to ensure this in the DPA.

To ensure that the Somerset CCG treats personal information lawfully and correctly, the Somerset CCG fully endorse and adhere to the Principles of Data Protection, as set out in the DPA.

Data Protection Principles

2.13 Specifically, the Principles require that personal information:
1) Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
   a) at least one of the conditions in Schedule 2 is met, and
   b) in the case of sensitive personal data at least one of the conditions in Schedule 3 is also met
2) Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
3) Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
4) Shall be accurate and, where necessary, kept up to date
5) Shall not be kept for longer than is necessary for the purpose or those purposes
6) Shall be processed in accordance with the rights of data subjects under the Act
7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
8) Shall not be transferred to a country or territory outside the European Economic Area unless the country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

2.14 Therefore, the Somerset CCG will, through appropriate management, and strict application of criteria and controls:
- fully observe conditions regarding the fair collection and use of information
- meet its legal obligations to specify the purposes for which information is used
- collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- ensure the quality of information used
- apply strict checks to determine the length of time information is held. Further guidance on retention periods can be found in the Records Management Strategy and Policy
- ensure that the rights of people about whom information is held can be fully exercised under the Act. This includes the right:
  o to be informed that processing is being undertaken
  o of access to one's personal information
  o to prevent processing in certain circumstances
  o to rectify, block or erase information which is regarded as factually inaccurate information
- take appropriate technical and organisational security measures to safeguard personal information
- ensure that personal information is not transferred abroad without suitable safeguards

3 INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

3.1 The responsibilities of specific information governance roles within the Somerset CCG are as follows:

Managing Director

3.2 The Managing Director has ultimate responsibility for ensuring that the Somerset CCG has suitable arrangements in place for the management of Information Governance.

Governing Body

3.3 The Governing Body has ultimate responsibility for ensuring that the Somerset CCG meets the requirements of the Information Governance agenda and monitors the Somerset CCG compliance.

Directorates

3.4 Directorates are required to have comprehensive and robust Information Governance arrangements in place, complying with the Somerset CCG policies and procedures and providing evidence for the IGT.

Director of Commissioning and Governance

3.5 The Director of Commissioning and Governance is accountable to the Governing Body and has overall responsibility for ensuring that the Information Governance standards set by NHS Digital and the IGT are met.

Senior Information Risk Officer (SIRO)

3.6 The SIRO is accountable to the Governing body reporting any information risk issues, addressing any SIRIs and informing the Information Commissioner's Office.

3.7 The SIRO ensures that there is a framework to identify information assets, assess rights to those assets and ensure that these are managed appropriately.

3.8 The SIRO for Somerset CCG is the Director of Clinical Collaborative Commissioning.

Caldicott Guardian

3.9 The Caldicott Guardian is responsible for upholding the Caldicott Principles and ensuring all requirements of the DPA 1998 are met; this includes being responsible for ensuring access to and the use/sharing of identifiable data, held in any form is managed appropriately.

The Caldicott Guardian for Somerset CCG is the Director of Quality and Safety.

Data Protection Officer

3.10 The Data Protection Officer is responsible for monitoring staff and procedural compliance with the DPA.

The Data Protection Officer for Somerset CCG is the Corporate Governance Manager.

Corporate Governance Manager

3.12 The Corporate Governance Manager is accountable to the Director of Commissioning Reform and Governance and is responsible for the Information Governance Officer, monitoring the progress of Information Governance compliance and the IGT.

Information Governance Officer

3.13 The Information Governance Officer is accountable to the Corporate Governance Manager and is responsible for:
- providing support and delivering the appropriate education to all individuals to ensure they are clear about their responsibilities when handling information
- ensuring legal requirements are met including under DPA 1998, FOIA 2000 and Environmental Information Regulations 2004
- meeting the performance assessment requirements of the IGT
- managing its obligations, issue and support standards, policies and procedures
- ensuring information is held, obtained, recorded, used and shared correctly
- co-ordinating the Information Risk Management Framework activities including support for IAO in mapping information flows and maintaining IAR

Information Governance Records Management & Caldicott Committee (IGRMCC)

3.14 Information Governance across the organisation is co-ordinated by the IGRMCC. The role of this committee is to:
- support and drive the broader Information Governance agenda
- provide the Governing body with the assurance that effective Information Governance best practice mechanisms are in place across the organisation
- regularly review compliance with Information Governance related policies and any management issues that arise from them
- oversee the implementation of areas of work that sit within the Information Governance Framework. These are:
  o Freedom of Information
  o Information Security
  o Data Protection
  o Confidentiality
  o Records Management
  o Subject Access
- annual formal verification and sign off of compliance with the IGT

3.15 The committee is accountable to the Director of Commissioning and Governance who is responsible for any changes to Terms of Reference.

The committee are required to meet quarterly and have additional meetings as and when required.

All Staff

3.17 Users of information must:
- be aware of their responsibilities, both legal and other, and that failure to comply may result in disciplinary action
- comply with policies and procedures issued by the Somerset CCG, and be aware that failure to comply may result in disciplinary action
- work within the principles outlined in the Information Governance Framework
- undertake annual mandatory Information Governance training
- report any breach of the Information Governance processes

Information Governance Responsibilities in Other Roles

3.18 Some Information Governance responsibilities may be delegated to the South, Central and West Commissioning Support Unit (SCWCS). The Somerset CCG must ensure that where such delegation takes place any processing of personal data must be covered by appropriate contract/agreement.

Information System management

Each information system (any multiuser computer based application, potentially including spreadsheets etc) should have an identified manager. The governance role of the manager is to implement the system related processes that govern:
- management of access to the system
- audit of user activity
- system data validation processes (input, internal & output)
- system administration & supplier support (where applicable)

3.20 The manager is also likely to be an Information Asset Owner/Administrator.

Physical security responsibilities

Physical security of information and IT assets is shared across a number of areas/roles. Perimeter security of sites/buildings is the remit of NHS Property Services.
The operation of general physical security such as door locks, entry controls will be the responsibility of all staff as it relates to all assets, not just information assets. Assessment and promotion of physical security is the responsibility of the Corporate Governance team. The SCWCS Information Governance team will aid and advise on the threats and impacts of loss of information and IT assets.

Line managers will be responsible for:
- managing requests for access to systems, by authenticating the roles and access requirements of staff
- ensuring staff are educated and aware of their responsibilities
- monitoring staff compliance with policies
- liaison with the SWCSU Information Governance team when developing or amending processes for handling information

3.23 HR department have responsibility for:
- management of staff personal data
- identity checks for new staff
- advising SCWCS Information Technology team of the change of conditions regarding changes in access requirements for staff
- advising SCWCS Information Technology team the leaver's process, so that access privileges can be revoked as soon as possible after a member of staff leaves and equipment recalled
- ensuring staff are aware of and attend the induction and mandatory education programme that includes core information governance training

3.24 Risk Management

The Head of Patient Safety and Risk Management is responsible for ensuring that any incident and risk related to information is not considered in isolation and is an integral part of the organisation's approach to risk management and that where required expert support of Information Governance staff is engaged to advise on incidents.

4 MANAGING INFORMATION RISK

4.1 The organisation places high importance on minimising information risk and safeguarding the interest of patients, staff and the organisation.

4.2 Information risk is inherent in all organisational activities and everyone working for, or on behalf of the organisation, has a responsibility to continuously manage information risk.
The aim of information risk management is to provide the means to identify, prioritise and manage the risks involved in all of the organisation's activities.

4.3 It requires a balance between the cost of managing and treating information risks with the anticipated benefits that will be derived.

4.4 The Somerset CCG acknowledges that information risk management is an essential element of broader Information Governance and is an integral part of good management practice. The intent is to embed information risk management in a practical and achievable way into business processes and functions, so that there is a clear, structured process that staff can easily follow. This is achieved through key approval and the frequent review of processes and controls. Risk management should not be considered as a burdensome extra requirement for the organisation to undertake, but effectively integrated as a matter of routine in working towards achieving best practice management standards.

Information Risk Management Assurance Framework

4.5 Information Risk Management Assurance Framework aims to:
- protect service users, staff and the organisation from information risks where the likelihood of occurrence and the consequences are significant
- support the strategic approach to the risk management framework in which information risks will be identified, considered and addressed in the approval, review and control processes
- use the risk assessment methodology (risk matrix) to assess information risks e.g. threats to information
- encourage pro-active rather than re-active information risk management
- contribute to the quality of decision making throughout the organisation by supporting robust information
- meet legal or statutory requirements
- assist in safeguarding the organisation's information assets

Assessment of Information Risk

4.6 The organisation will assess information risk in a number of ways, which will include the following:
- routine review of flows of personal information to ensure any risks identified with these flows are mitigated, including ensuring appropriate controls are in place for data transferred outside the EEA
- the organisation's risk management procedures provide clear guidance as to the way in which information risks and incidents are identified, assessed and managed across the organisation, and how the Information Governance risk register supports this process. Investigating and learning from incidents will support the organisation in understanding the real level of risk being experienced and in adjusting the controls in place
- undertaking privacy impact assessments and system security level risk assessments as methods through which information assets can be risk assessed and assuring compliance with the required standards

Information Assets & Information Risk Management Framework

4.7 An information asset is information in a number of forms that the organisation is reliant on to undertake its business. Value of the assets will vary, between useful and critical. Typical assets include: information systems, policy sets, data sets, reference documents, project documents and committee papers. Information assets will be listed in a number of registers, including a hardware register and departmental information asset register (linked to continuity plans).

4.8 Ownership of information assets

Each identified asset will have an appointed owner who is responsible for the governance of the information asset. Where there is no obvious owner the role will default to the SIRO. Ownership of a system that is used across teams may be vested in a management forum where the strategic development of that system or organisational facility is decided.

Reporting Incidents and Near Misses

4.9 Any incident, near miss or potential weakness in processes, relating to the use of information, such as a breach of confidentiality or mistake due to inaccurate or unavailable information, will be reported via the organisation's overall incident reporting process. The Head of Patient Safety and Governance is responsible for reporting to the IGRMCC any Information Governance incidents or near misses.

Reporting Technical/Software Failures

4.10 If a user is unable to access information due to a system related issue this should be reported to the appropriate IT helpdesk for resolution. In addition, if a system related issue puts either patient care or organisational safety at notable risk then it should also be reported via the incident reporting process.

Learning from Incidents

4.11 Changes determined as a result of an incident, near miss or weakness will be cascaded across relevant staff as part of the process to manage the incident. This will include team briefings, newsletters, and bulletins. Relevant actions will be fed through to education programmes.

Investigating Misuse of Systems

4.12 If misuse of systems is suspected, the SCWCS Information Technology department will be contacted at the earliest opportunity and will, in conjunction with the appropriate line managers and Information Governance staff, determine the need to engage specialist IT support to preserve electronic evidence. Specialist investigation will be considered in the following situations:
- allegation of illegal activity, such as web browsing, to illegal materials or allegations of financial fraud
- allegation of alteration of clinical information that could have significant impact on safe provision of care

Disciplinary Process and Removal of Access Rights

4.13 All staff have a duty to report any breaches to their Line Manager, Data Protection Officer or Information Governance Team. The breach will also be reported through the Somerset CCG Incident Reporting System and logged on the Risk Register.

Minor or suspected breaches will be addressed by the relevant line manager, the Data Protection Officer, and the Caldicott Guardian. Where the breach has occurred, disciplinary action may be taken and working practices and procedure will be reviewed.

Serious Breaches, or serious untoward incidents, will be addressed by the Somerset CCG Senior Information Risk Officer (SIRO), by assessing against the IG SI guidance and reporting appropriately through the IG Toolkit. Where a serious breach has occurred, disciplinary action may be taken and working practices and procedure will be reviewed.

Any investigation, which determines that organisational policy has not been followed, will be subject to formal disciplinary policy. Access to systems for staff under investigation or disciplinary process will be suspended on the request of any senior manager involved.
Separate legal proceedings may be necessary, including seeking prosecution under the Computer Misuse Act 1990 (unlawful/unauthorised access) or section 55 of the Data Protection Act (unlawful obtaining and/or disclosure of personal data).

Where evidence is required for internal or external support of action against an individual, the processes for collection will incorporate the following minimum standards:
- retrieval of paper information will note who withdrew it, when it was withdrawn and incorporate procedure to ensure it is not tampered with
- electronic audit trails will be examined where possible to provide evidence. Depending on the severity of the issue specialist computer forensic support will be engaged via NHS Protect (the Counter Fraud and Security Management Service)

Information Classification and Freedom of Information Act

Information will be classified in one of three categories:

Personally identifiable - Where the information relates to one or more identifiable individuals to a greater or lesser extent, and is subject to the terms of the Data Protection Act 1998, common law and Human Rights legislation. Some personally identifiable data may be disclosable under Freedom of Information (FOI) legislation, however no such information will be published or provided without first checking relevant exemptions. FOI does not generally make confidential information about an individual available to others.

Public information - Information that is not personally identifiable is generally accessible via the Freedom of Information Act and either actively published or provided on request. By default all non personal records will be classed as public. However if senior staff responsible for any information have reasonable concerns about the publication or provision of information, then a considered view will be taken as to whether the information should be classed as organisationally sensitive.

Organisationally sensitive - This classification will only be used for information that can justifiably be exempt from provision under Freedom of Information legislation. Any information determined as sensitive will not be routinely published but, if requested, the validity of the classification should be checked. This may include financial information, procurement documents (particularly those where disclosure could affect the process or commercial interests of parties) and draft public policy. The sensitivity is likely to be time limited.

Information Labelling

4.19 Patient records and staff personnel information on any media will be routinely labelled as confidential. Corporate records will be deemed public unless labelled. In line with NHS records management guidance the correct label is NHS Protect, indicating the information warrants protection, but does not prejudge decisions on disclosure in the way labels such as confidential/sensitive may do. It is noted that the use of a label does not mean that the document is exempt under Freedom of Information. It is guidance for consideration.

5 TRAINING

5.1 Information Governance forms part of the Staff Somerset CCG Induction and Mandatory Training Programme. All staff are required to undertake mandatory annual Information Governance training.

5.2 Staff with additional Information Governance responsibilities will be identified at local induction and annual appraisal. The appropriate training will, if required, then be provided.

5.3 Users will be trained in the use of systems and procedures to ensure the quality and appropriate handling of confidential information, in order to minimise risks to the organisation from poor information governance.

5.4 All staff will receive mandatory induction training covering all aspects of Information Governance and annual refreshers. Awareness raising of the key information governance principles will be implemented through regular team briefings, team meetings and awareness raising sessions.

5.5 A staff Code of Conduct will be updated annually and be available to all staff via the Intranet and in hard copy where applicable. This gives staff the key points regarding confidentiality and information security and best practice guidance.

5.6 Staff with key roles (e.g. SIRO/Caldicott Guardian/Information Asset Owner) will undertake annual training relevant to their role.

6 REVIEW AND AUDIT

6.1 The IGRMCC will facilitate scheduled review and update of this policy. A full review will be conducted every two years, with an interim check on an annual basis.

6.2 Review may also take place due to the following occurrences:
- major policy breach
- identification of new threats or vulnerabilities
- significant organisational restructuring
- significant change in technical infrastructure
- significant change in legal/regulatory framework

6.3 The Somerset CCG will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. As part of the training and awareness programme, employees and third party contractors will also be made aware of definitions of incidents/weaknesses and the process for dealing with them.

Audit and Compliance of Information Governance Requirements

6.4 Audit and compliance will be carried out via a number of means:
- IGT audit - The organisation will endeavour to achieve the requirements laid out in the IGT to an appropriate standard as determined by the HSCIC. Audits will be undertaken in line with HSCIC timetables, or in line with contractual requirements as stipulated by standard national commissioning contracts. Formal reports will be provided to the Governing Body for sign off prior to submission
- Internal/External audit programmes within the organisation
- Information Governance policy compliance programme featuring ongoing audits of records management, confidentiality in personal data systems, acceptable use of systems and ad-hoc activity determined by the organisation

7 REFERENCES

- Data Protection Act 1998
- Human Rights Act 1998
- Freedom of Information Act 2000
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act 1988 (as amended by the Copyright Computer Programs Regulations 1992)
- Crime and Disorder Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Review of the Uses of Patient-Identifiable Information 1997 (Caldicott)
- Information: to share or not to share? The Information Governance Review 2013 (Caldicott 2)

8 ASSOCIATED SOMERSET CCG DOCUMENTS

- Caldicott Policy
- Confidentiality Policy
- Data Protection Act 1998 Policy
- Data Protection Act 1998 Employee and Service User Leaflets
- Data Quality Policy
- Information Governance Systems Security Policy
- Freedom of Information Act 2000 Policy
- Freedom of Information Internal Procedures Policy
- Privacy Notice
- Records Management Strategy & Policy
- Staff Code of Conduct
- Staff FOIA Leaflet
- Staff Personal Files Policy
- Subject Access Requests Policy


NHS SOMERSET CLINICAL COMMISSIONING GROUP (CCG)

APPENDIX 1

TERMS OF REFERENCE FOR THE INFORMATION GOVERNANCE, RECORDS MANAGEMENT AND CALDICOTT COMMITTEE

1 PURPOSE, SCOPE AND FUNCTION

1.1 The purpose of the Information Governance, Records Management and Caldicott Committee is to ensure that the CCG has:

- Effective policies and management arrangements covering all aspects of Information Governance in line with the CCG's overarching Information Governance Policy including:
  - Information Governance Management
  - Confidentiality and Data Protection Assurance
  - Information Security Assurance
  - Clinical Information Security Assurance
- A process to consider breaches of confidentiality and agree the necessary actions to be taken to resolve conflicts and questions around disclosure of information
- Oversee the management of records across the organisation ensuring there is a comprehensive system in place in line with the CCG's Record Management Strategy

2 MEMBERSHIP

2.1 The standing membership of the Committee will consist of the following:

- Director of Commissioning and Governance
- Director of Quality and Safety (Caldicott Guardian), CCG
- Director of Clinical and Collaborative Commissioning (Senior Information Risk Owner (SIRO))
- Deputy Director of Commissioning, CCG
- Senior Performance Manager, Finance and Acute Commissioning, CCG
- Corporate Governance Manager, CCG
- Information Governance Officer, CCG
- Head of IM&T, CCG
- Head of Patient Safety and Risk Management, CCG
- SIDeR Programme Manager, Directorate of System Transformation
- GP IT Clinical Advisor, CCG
- South Central and West Commissioning Support Unit (SCWCS) Information Governance Support Representative(s)
- SCWCS IT and IT Security Service Representative
- Caldicott Guardian, Somerset County Council
- Information Governance Manager, Somerset County Council

In Attendance: Other individuals will be invited to attend the group at the discretion of the Chair, or their nominated deputies.

EXPECTATIONS OF MEMBERS

2.2 Members are expected to attend all meetings or send an appropriate deputy, unless previously agreed with the Chair.

2.3 When the Director of Commissioning and Governance is unavailable to Chair, the Caldicott Guardian or SIRO may deputise. No other deputisation is required.

AUTHORITY

2.4 The committee is authorised by the Governance Committee to act within its Terms of Reference. It is authorised to seek any information it requires to carry out its business from any employee within the CCG.

2.5 The Information Governance, Records Management and Caldicott Committee shall be supported by representatives of South West Commissioning Support, as required and relevant to its remit.

2.6 The Information Governance, Records Management and Caldicott Committee is authorised to obtain outside legal, or other independent professional advice and to secure the attendance of outsiders with relevant experience and expertise, if it considers this necessary.

3 REPORTING ARRANGEMENTS

3.1 The Information Governance, Records Management and Caldicott Committee reports to the Governance Committee.

3.2 Quarterly progress reports including summary of the key issues and risks identified during each period will be reported to the Governance Committee.

4 REMIT AND FUNCTIONS OF THE GROUP

4.1 Part A of The Information Governance, Records Management and Caldicott Committee will:

Information Governance

- ensure that the CCG has effective policies and management arrangements covering all aspects of Information Governance in line with the Trust's overarching Information Governance Policy, i.e.
  - Openness
  - Legal Compliance
  - Information Security
  - Information Quality Assurance
- ensure that the CCG undertakes an annual assessment (through completion of the Information Governance toolkit) and review of its Information Governance policies and arrangements
- establish an annual Information Governance Improvement Plan, secure the necessary implementation resources, and monitor the implementation of that plan
- co-ordinate the activities of staff given data protection, confidentiality, information security, information quality, records management and Freedom of Information responsibilities
- receive and consider reports of adverse events concerning breaches of confidentiality and information security and where appropriate undertake or recommend remedial action
- liaise with other committees, working groups and programme boards in order to promote Information Governance issues
- co-opt other CCG and Commissioning Support staff to assist with completion of the Information Governance toolkit as required
- receive and consider reports relevant to performance management information and data quality issues or other issues reported to the Committee by other directorates or organisations as they arise

- oversee audit arrangements are in place and monitored for access to confidential information and to receive reports by exception
- have oversight of delivery of arrangements for IM&T services for assurance policy and processes covering information security is appropriately implemented
- responsibility for delivery of information security sits with Information Governance Committee. The Committee will receive minutes from the IM&T Strategy Group and SCWCS, to provide assurance of these arrangements in new developments and core service delivery
- responsibility for management of information security concerns, assurance of comprehensive risk management, protection and resilience of data processing systems and the digital networks that connect them
- responsibility for operational delivery of information quality assurance sits with the Clinical Communication and Documentation Group which is overseen by Patient Safety Quality Assurance Committee
- Information Quality refers to the procedures and processes in place to ensure that information is accurate, up-to-date, free from duplication and free from confusion

Records Management

- oversee implementation of the CCG's Records Management Strategy
- ensure that a comprehensive system is in place for the completion, use, storage and retrieval of records
- make decisions on records issues
- set performance indicators for records and to review compliance
- review any audits relating to records management
- review and agree protocols for the sharing and transmission of patient and personal identifiable information
- review progress in the implementation of the Freedom of Information Policy
- review breaches of patient confidentiality

- review the corporate training programme for records management and information governance
- ensure that appropriate policies and procedures are drawn up to support the CCG records management process
- ensure there are systems in place to meet the requirements of the Freedom of Information Act 2000
- ensure that the CCG's records systems are designed so that records will remain accessible, authentic, reliable and usable throughout their retention period
- ensure that the environment in all record storage areas complies with all current, relevant health and safety legislation and fire regulations
- ensure the CCG has an appropriate system and procedure for responding to any requests for access to records

Caldicott

The Information Governance, Records Management and Caldicott Committee will oversee the CCG's implementation of the Caldicott Principles including the seventh principle developed by Caldicott 2: the duty to share information can be as important as the duty to protect patient confidentiality

- supporting the organisation in development of new projects which result in new information sharing by its commissioned providers for the purposes of planning and evaluation
- supporting service providers by providing a co-ordinating function for information sharing agreements
- resolve conflicts/questions around disclosure or modification of information
- prepare an annual report for the Governing Body

Part B of IGRMCC will consider breaches of confidentiality and any reports of adverse events and agree the necessary actions to be taken

5 FREQUENCY OF MEETINGS

5.1 Meetings will be held on a quarterly basis.

6 QUORUM

6.1 The Committee shall be quorate if at least 50% of the standing members are present, including either the Chair or Deputy Chair and at least one CSU member.

7 CONDUCT OF MEETINGS

7.1 An agenda will be issued five days prior to the meeting. Requests for items to be included on the Agenda should be sent to the Director of Commissioning and Governance at least twenty one days before the meeting.

7.2 If an item needs to be raised on the day, this will be covered under Any Other Business, subject to there being available time.

7.3 If separate papers require circulation, these should, wherever possible, be issued with the Agenda. This is intended to enable members to have the opportunity to read information in advance.

7.4 At the start of each meeting, members will be asked to confirm the accuracy of the Declaration of Interests.

7.5 All questions arising will be decided by a simple majority of those present. In the case of equality of votes, the Chair will have a casting vote.

7.6 Minutes shall be kept and the Secretary will record the discussions. The approved Minutes will be issued by the Chair, normally within ten working days of the meeting, and will list the topics discussed, actions agreed and any individual responsible for undertaking the action.

8 REVIEW

8.1 These Terms of Reference shall be reviewed annually or as necessary by the Chair of the committee.

Version 1.4 January


More information

Policy:E7. Escalation Policy N/A. Appended below at Appendix B. Version: E7/01

Policy:E7. Escalation Policy N/A. Appended below at Appendix B. Version: E7/01 Policy:E7 Escalation Policy Version: E7/01 Ratified by: Trust Management Team Date ratified: 11 th September 2013 Title of Author: Board Secretary & Head of Governance Title of responsible Director Medical

More information

SPIRE HEALTHCARE GROUP PLC (THE COMPANY) AUDIT AND RISK COMMITTEE - TERMS OF REFERENCE

SPIRE HEALTHCARE GROUP PLC (THE COMPANY) AUDIT AND RISK COMMITTEE - TERMS OF REFERENCE SPIRE HEALTHCARE GROUP PLC (THE COMPANY) AUDIT AND RISK COMMITTEE - TERMS OF REFERENCE adopted by the Board on 3 July 2014 and amended on 15 December 2016 1. BACKGROUND 1.1 The board of directors of the

More information

Terms of Reference for the Audit and Risk Committee (the Committee )

Terms of Reference for the Audit and Risk Committee (the Committee ) Terms of Reference for the Audit and Risk Committee (the Committee ) Amended and approved by the Board on 12 April 2016 Table of Contents 1. Background... 1 2. The Committee s Duties... 1 3. Composition...

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Document Number 2009/49/V2 Document Title Information Governance Strategy Author Phil Cottis Author s Job Title Information Governance & RA Manager Department IM&T Ratifying

More information

Audit, Risk and Compliance Committee Terms of Reference. Atlas Mara Limited. (The "COMPANY") Amendments approved by the Board on 22 March 2016

Audit, Risk and Compliance Committee Terms of Reference. Atlas Mara Limited. (The COMPANY) Amendments approved by the Board on 22 March 2016 Audit, Risk and Compliance Committee Terms of Reference Atlas Mara Limited (The "COMPANY") Amendments approved by the Board on 22 March 2016 1. OVERVIEW 1.1 The primary objective of the committee is to

More information

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST STRENGTHENING GOVERNANCE ARRANGEMENTS. Report to the Trust Board 24 May 2016

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST STRENGTHENING GOVERNANCE ARRANGEMENTS. Report to the Trust Board 24 May 2016 R SOMERSET PARTNERSHIP NHS FOUNDATION TRUST STRENGTHENING GOVERNANCE ARRANGEMENTS Report to the Trust Board 24 May 2016 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations:

More information

ADES International Holding Ltd (the Company )

ADES International Holding Ltd (the Company ) ADES International Holding Ltd (the Company ) Terms of Reference of the Audit Committee (The Committee ) (approved at a meeting of the board of directors (the Board ) held on 9 May 2017) 1. Introduction

More information

Information Governance Management Framework Version 6 December 2017

Information Governance Management Framework Version 6 December 2017 Information Governance Management Framework Version 6 December 2017 Page 1 of 8 Introduction Robust information governance requires clear and effective management and accountability structures, governance

More information

Sir William Perkins s School Data Protection Policy

Sir William Perkins s School Data Protection Policy Sir William Perkins s School Data Protection Policy Introduction Sir William Perkins s School is a Charitable Company Limited by guarantee providing educational services for students of 11 to 18 years

More information

The Gym Group plc. (the Company ) Audit and Risk Committee - Terms of Reference. Adopted by the board on 14 October 2015 (conditional on Admission)

The Gym Group plc. (the Company ) Audit and Risk Committee - Terms of Reference. Adopted by the board on 14 October 2015 (conditional on Admission) The Gym Group plc (the Company ) Audit and Risk Committee - Terms of Reference Adopted by the board on 14 October 2015 (conditional on Admission) 1. BACKGROUND The board of directors of the Company (the

More information

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER Contents 1 Introduction 2 2 Key messages 3 3 The requirement to appoint a Data Protection Officer 4 3.1 Public

More information

NHS DIGITAL Records and Document Management Policy

NHS DIGITAL Records and Document Management Policy Status Document Record ID Key Version Director Responsible for this policy Final v2.0 Version Date 10/04/2018 Catherine O Keeffe, Director of Information Governance, Burden and Audit Person to contact

More information

This personal information must be dealt with properly, with appropriate safeguards in place to ensure the rights and freedoms of data subjects.

This personal information must be dealt with properly, with appropriate safeguards in place to ensure the rights and freedoms of data subjects. BELFAST ROYAL ACADEMY Data Protection Policy Introduction Belfast Royal Academy recognises and accepts its responsibilities as set out in the Data Protection Act 1998. The School will take all reasonable

More information

Audit Committee Charter

Audit Committee Charter Audit Committee Charter 1. Background The Audit Committee is a Committee of the Board of Directors ( Board ) of Syrah Resources Limited (ACN 125 242 284) ( Syrah or the Company ) that was established under

More information

ROYAL DUTCH SHELL PLC AUDIT COMMITTEE TERMS OF REFERENCE

ROYAL DUTCH SHELL PLC AUDIT COMMITTEE TERMS OF REFERENCE ROYAL DUTCH SHELL PLC AUDIT COMMITTEE TERMS OF REFERENCE Purpose The Royal Dutch Shell plc (the Company ) Audit Committee (the Committee ) assists the Board of the Company (the Board ) in fulfilling its

More information

This Policy supersedes the following Policy which must now be destroyed:

This Policy supersedes the following Policy which must now be destroyed: Document Title Reference Number Lead Officer Author(s) (name and designation) Ratified by Environmental Sustainability Policy NTW(O)02 Paul McCabe, Head of Estates and Facilities (NTW Solutions Ltd) Sarah

More information

Data Protection Policy

Data Protection Policy Data Protection Policy This policy will be reviewed by the Trust Board three yearly or amended if there are any changes in legislation before that time. Date of last review: Autumn 2018 Date of next review:

More information

H.E.S.T. Australia Limited. (as Trustee for the Health Employees Superannuation Trust Australia) Governance Disclosures

H.E.S.T. Australia Limited. (as Trustee for the Health Employees Superannuation Trust Australia) Governance Disclosures H.E.S.T. Australia Limited (as Trustee for the Health Employees Superannuation Trust Australia) Governance Disclosures April 2016 Page 2 of 20 Contents 1. Overview... 4 2. Board Charter... 4 2.1 Introduction...

More information

GOVERNANCE HANDBOOK COMMUNITY REHABILITATION COMPANIES PUBLIC SECTOR OWNERSHIP MAY May

GOVERNANCE HANDBOOK COMMUNITY REHABILITATION COMPANIES PUBLIC SECTOR OWNERSHIP MAY May GOVERNANCE HANDBOOK COMMUNITY REHABILITATION COMPANIES PUBLIC SECTOR OWNERSHIP MAY 2014 May 2014 1 CONTENTS 1. Introduction 3 2. Community Rehabilitation Companies Background and Legal Basis 3 3. NOMS

More information

TRUST-WIDE NON-CLINICAL POLICY DOCUMENT. Date Ratified: February 2015 Next Review Date (by): Interim Review August 2017 Version Number: 2015 Version 1

TRUST-WIDE NON-CLINICAL POLICY DOCUMENT. Date Ratified: February 2015 Next Review Date (by): Interim Review August 2017 Version Number: 2015 Version 1 TRUST-WIDE NON-CLINICAL POLICY DOCUMENT Policy Number: Scope of this Document: Recommending Committee: Appproving Committee: SA01 All Staff Policy Group Executive Committee Date Ratified: February 2015

More information

AIB Group plc (Holding Company)

AIB Group plc (Holding Company) AIB Group plc (Holding Company) Board Risk Committee Terms of Reference Approved by the AIB Group plc Board on 22 February 2018 Office of the Group Company Secretary 1 (A) (B) (C) References in this document

More information

CAMBRIDGESHIRE COUNTY COUNCIL SAFETY OF SPORTS GROUNDS FUNCTION POLICY DOCUMENT

CAMBRIDGESHIRE COUNTY COUNCIL SAFETY OF SPORTS GROUNDS FUNCTION POLICY DOCUMENT CAMBRIDGESHIRE COUNTY COUNCIL SAFETY OF SPORTS GROUNDS FUNCTION POLICY DOCUMENT 1. INTRODUCTION 1.1 This policy document has been produced by Cambridgeshire County Council after consultation with Cambridgeshire

More information

Data Protection. Policy

Data Protection. Policy Data Protection Policy Why do we need this policy? What does the policy apply to? Which parts of SQA are affected? SQA is committed to adopting best practice in protecting the personal information of all

More information

Code of Corporate Governance

Code of Corporate Governance Code of Corporate Governance 1 FOREWORD From the Chairman of the General Purposes Committee I am pleased to endorse this Code of Corporate Governance, which sets out the commitment of Cambridgeshire County

More information

Information Governance Training Plan

Information Governance Training Plan Information Governance Training Plan Page 1 of 10 Paper O2 - CCG_IG_Training_Plan_2017-18_V3.0 Final Paper O2 - CCG_IG_Training_Plan_2017-18_V3.0 Final Information Governance Training Plan Derbyshire Clinical

More information

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General Data Protection Document Detail Type of Document (Stat Policy/Policy/Procedure) Policy Category of Document (Trust HR-Fin-FM-Gen/Academy) General Index reference number Approved 26/04/18 Approved by Trust

More information

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2017/18

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2017/18 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2017/18 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Quality, Safety & Risk

More information

PROJECT BOARD TERMS OF REFERENCE. Roles and Responsibilities

PROJECT BOARD TERMS OF REFERENCE. Roles and Responsibilities PROJECT BOARD TERMS OF REFERENCE Roles and Responsibilities 1 DOCUMENT CONTROL Change Control Table Version Amendment Description Release Date Updated by 0.1 First draft Alignment with new governance framework

More information

DATA PROTECTION POLICY 2018

DATA PROTECTION POLICY 2018 DATA PROTECTION POLICY 2018 Amesbury Baptist Church is committed to protecting all information that we handle about people we support and work with, and to respecting people s rights around how their information

More information