Information Governance Strategic Management Framework


Document Summary

Information Governance Strategic Management Framework

This framework sets out the Cumbria Partnership NHS Foundation Trust (the organisation) Strategic Management Framework and is therefore a working document. The purpose of this framework is to provide clear and effective management and accountability structures, governance processes, documented policies and procedures, a comprehensive IG training programme and adequate resources to manage and embed Information Governance throughout the organisation. It pulls together all the requirements for information governance to ensure that personal information is processed legally, securely, efficiently and effectively in order to deliver the best possible care to patients.

Policy number: POL/002/007
Date ratified: May 2017
Date implemented: May 2017
Next review date: May 2019
Accountable Director: Director of Finance, Strategy and Support Services (Michael Smillie)
Policy author: Head of Information Governance (Yvonne Salkeld)

Important Note: The Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and, as such, may not necessarily contain the latest updates and amendments.

Contents

Introduction to this document
1. Scope
2. Statement of Intent
3. Definitions
4. Duties / Key Responsibilities
4.1 Trust Board
4.2 Chief Executive
4.3 Caldicott Guardian
4.4 Senior Information Risk Owner
4.5 Information Asset Owners (IAO) / Senior Heads / Senior Managers
4.6 Information Asset Administrators (IAA)
4.7 Information Governance Lead
4.8 Information Security
4.9 All Trust Employees
Information Governance Team Resources
5. Information Governance Key Project Areas
5.1 Head of Information Governance
5.1.1 IG Compliance Framework
5.1.2 Data Protection Officer (DPO)
5.1.3 IG Toolkit
5.1.4 Policies
5.1.5 Strategic Lead for Teams under the umbrella of IG
5.2 IG Performance Management
Performance
5.3 IG Compliance Team
5.3.1 Asset Management
5.3.2 Data Mapping
5.3.3 Audit and Spot Check Compliance
5.3.4 Contracts
5.3.5 Risk Assessment and Incident Management Process
Projects
Human Resources
Information Security Management
Registration Authority Team
Registration Authority Service
Information Rights Team
Information Rights
Training and Development
Communication
Fairwarning
Information Sharing Gateway
Data Quality Team
Data Quality Strategy
Health Records Team
Health Records
Corporate Records
Information Governance Governance Arrangements
National Requirements (i.e. Operating Framework, Monitor, NHS Digital, ICO)
IG Toolkit
IG Arrangements
Monitoring compliance with this Framework
References / Bibliography
Related Trust Policy / Procedures
Appendix A: IG Board Terms of Reference
Appendix B: IG Performance Group Terms of Reference
Appendix C: GDPR Task and Finish Group
Appendix D: Service Catalogue / Service Portfolio

Introduction to this document

Information plays a key part in the clinical and corporate governance of Cumbria Partnership NHS Foundation Trust (referred to hereafter as "the organisation"), and the quality of patient services, planning, performance measurement, assurance and financial management relies upon accurate and available information. The aim is to provide high quality IG support services, which broadly consist of IG services, IT security and access-to-information specialist advice and support. Should the organisation provide an Information Governance service to other organisations, this will be via a Service Level Agreement (SLA) in line with the service catalogue / portfolio of services (see Appendix D).

The Information Governance Assurance Framework (IGAF) is the national framework of standards that brings together all statutory, mandatory and best practice requirements concerning information management. The standards are set out in the Information Governance Toolkit as a road map enabling organisations to plan and implement standards of best practice and to measure and report compliance on an annual basis. This is due to be significantly reviewed in 2017 because of a number of national initiatives, i.e. the National Data Guardian report, the Records Management Code of Practice and, most notably, preparation for the General Data Protection Regulation (GDPR), due to be enforced from May 2018. GDPR is the latest step in the recognition of the value and importance of personal information, and this IG framework has been reviewed as a step towards protecting the rights and freedoms of our data subjects.

Performance against these standards is mandated by and reported to the Department of Health (DoH) via the CQC (Care Quality Commission) and forms part of the assurance processes associated with Risk Management Standards. Compliance is also required for the Quality Framework for Monitor.

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit as the organisation's Information Governance Management Framework (IGMF). The Information Governance Management Framework brings together all the requirements, standards and best practice that apply to the processing of personal information to ensure:
- Compliance with the law;
- Implementation of DoH guidelines;
- Planned year on year improvement;
- IG Toolkit requirements are met.

This framework sets out the approach the organisation is taking to deliver robust IG standards.

1. Scope

This framework applies to:
- All staff of the organisation, including temporary staff, contractors and sub-contractors;
- All information used by the organisation;
- All information systems managed by or used by the organisation;
- Any individual using information owned by the organisation;
- Any individual requiring access to information owned by the organisation;
- Any organisation that purchases IG advice and support through a Service Level Agreement;
- Increased partnership working with other local health care organisations.

2. Statement of Intent

The vision of the IG department is to enable high quality care by facilitating the ethical, legal, effective and appropriate use of accurate and reliable information that maintains confidentiality, integrity and availability. The statement of intent for the IG Management Framework is to ensure the primary objectives of IG below are achieved:
1. Provide specialist IG support through the CCG, the Success Regime and the Digital Roadmap work.
2. Implement a robust data quality monitoring service providing the tools to enable staff to correct their own errors at source.
3. The Information Rights Service will ensure that the Trust meets its legal duties and NHS requirements concerning subject access and freedom of information requests, and satisfies the organisation's obligations in the areas of information sharing, privacy monitoring and IG training.
4. Ensure the RA service continues to provide the existing quality level of service.
5. Deliver a sustainable and robust records management service (corporate and health records).
6. Be aware of, and react accordingly to, changes to the IG Toolkit.
7. Work with IAOs to complete accreditation documents providing assurance for use, or decommissioning documents providing assurance that assets have been securely decommissioned.
8. Ensure alignment with the changes introduced by the GDPR (General Data Protection Regulation).
9. All team members are knowledgeable in their roles to deliver an excellent IG service with positivity, motivation and a good work-life balance based on the Trust's values and behaviour framework.

3. Definitions

Information Governance is an umbrella term that covers the elements of law and policy from which applicable information governance standards are derived. It encompasses legal requirements, ethical considerations, national guidance and best practice in information handling, including:
- The common law duty of confidentiality
- The General Data Protection Regulation (replacement for the Data Protection Act 1998)
- Information Security
- Information Quality
- Records Management
- The Freedom of Information Act 2000

Whilst a key focus of information governance is the use of information about service users, it applies to information recording and information processing in its broadest sense and underpins both clinical and corporate governance. Accordingly, it should be afforded appropriate priority, and it is increasingly having a higher profile following national incidents where information about members of the public has been mislaid.

General Data Protection Regulation

Directive 95/46/EC (to give it its full title: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) has been in force in the European Union (EU) since 1995. In the UK, the Data Protection Act 1998 (DPA) was enacted to fulfil the obligation to introduce Directive 95/46/EC into domestic legislation. The EU determined that the divergent implementation approaches around Europe had led to inconsistent personal data processing, legal uncertainty and compliance issues. This, together with advances in technology and changes in the way in which individuals and organisations communicate and share data, led to an EU review. Following the EU review, and after several years of negotiation with all Member States, a single set of rules has been agreed to harmonise the approach to be taken when processing personal data.

This set of rules is in the form of a Regulation, as this requires EU Member States to implement it in its agreed format and removes the scope for individual Member States' own interpretation at the implementation stage. The aim is to enable easier movement or processing of data across borders within Europe, to enhance business. The full title of the new Regulation is: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The Regulation comprises Recitals (descriptive text) and Articles (the rules and/or obligations). The short working title is General Data Protection Regulation, or GDPR. It should be noted that there are also two additional Directives relating to personal data that will be implemented at the same time:

- Directive 2016/680, which relates to the processing of personal data for the prevention, detection, investigation etc. of criminal offences and penalties; and
- Directive 2016/681, which relates to the use of Passenger Name Records for the prevention and detection of terrorist offences and serious crime.

A further determination on the impact of these additional Directives is to be undertaken.

Asset management: the types of attributes that we record to ensure we manage assets appropriately are:
- Ownership: the organisation owning the asset, asset owners, asset administrators etc.
- Documentation: information governance accreditation documentation details and status
- Technical: hosting information, servers, access methods etc.
- Suppliers: supplier (including supply chain), contracts, licences etc.
- Relationships: relationships with other organisations (sharing agreements etc.).

4. Duties / Key Responsibilities

Senior roles within the organisation supporting the Information Governance agenda are held by the organisation's Senior Information Risk Owner (SIRO), the Caldicott Guardian and the Head of Information Governance, supported by the IG Team.

4.1 Trust Board

In his communications with NHS Trust Chief Executives, the NHS Chief Executive has made it clear that ultimate responsibility for IG in the NHS rests with the Board of each organisation, who should note that:
- The major NHS organisations must update the Toolkit assessment at three intervals during the year (end of July, October and March) to enable performance and actions to be tracked by commissioners and other monitoring bodies.
- The NHS Operating Framework requires organisations to achieve level 2 performance against all key requirements identified in the Information Governance Toolkit. Organisations must provide assurance that they are meeting these key requirements and must have robust improvement plans to address any shortfalls against other requirements.
- Details of serious incidents involving actual or potential loss of personal data or breach of confidentiality must be published in annual reports and reported via HSCIC and to the Information Commissioner.

4.2 Chief Executive

The Trust's Accountable Officer is the Chief Executive, who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risk is handled in a similar manner to other risks such as financial, legal and reputational risks. Reference to the management of information risks and associated information governance practice is now required in the Statement of Internal Control, which the Accounting Officer is required to sign annually.

4.3 Caldicott Guardian

The Caldicott Guardian also holds the position of Medical Director (Dr Andrew Brittlebank). The Caldicott Guardian role:
- Is advisory
- Is the conscience of the organisation
- Provides a focal point for patient confidentiality and information sharing issues
- Is concerned with the management of patient information.

The Caldicott Guardian is the person with overall responsibility for protecting the confidentiality of person identifiable data (PID). The Caldicott Guardian plays a key role in ensuring that the organisation and partner organisations abide by the highest standards for handling PID and adhere to the Caldicott Principles. It is the responsibility of the Caldicott Guardian to feed back any IG issues to the Senior Management Team. The Caldicott Guardian (or a designated individual) is a member of the Information Governance Board. For North Cumbria Clinical Commissioning Group the Caldicott Guardian is David Rodgers.

4.4 Senior Information Risk Owner

The SIRO is the Director of Strategy and Support Services (Michael Smillie). The role:
- Is accountable;
- Fosters a culture for protecting and using data;
- Provides a focal point for managing information risk and incidents;
- Is concerned with the management of all information assets.

The SIRO is an Executive Board member with allocated lead responsibility for the Trust's information risks and provides a focus for the management of information risk at Board level. The SIRO chairs the Information Governance Board. For North Cumbria Clinical Commissioning Group the SIRO is Charles Welbourn.

4.5 Information Asset Owners (IAO) / Senior Heads / Senior Managers

IAOs are senior, responsible individuals working in a relevant business area. Their role is to understand what information is held, what is added and what is removed, how information is moved, who has access and why.
As a result they are able to understand and address risks to the information, ensure that information is fully used within the law for the public good, and provide written input to the SIRO annually on the security and use of their assets. When identifying an IAO, the Trust will consider the risks of the information asset rather than its size. The IAO need not be the creator or even the primary user of the asset, but they must have a good understanding of what the business needs from the asset and how it is used. For assets that have significant risks associated with them, consideration should be given to assigning a senior IAO. For example, for RIO the senior IAO will be the Director of Nursing, the IAO (following the management structure in place) will be the General Manager, and the IAA (Information Asset Administrator) will be the management lead. See the example hierarchy below:
- Senior IAO, RIO: Director of Nursing
- IAO, RIO (Children's Services): Lyn Moore
- IAO, RIO (Mental Health): Pam Travers
- IAA: Business Manager (Chair of Children's Systems Board)

For other specific information assets (e.g. the SOEL dental system) the Clinical Director responsible for the service will be the IAO. An IAO will be responsible for an information asset in terms of:
- Identifying risks associated with the information asset;
- Managing and operating the asset in compliance with policies and standards; and
- Ensuring controls manage all risks appropriately.

The role is flexible and will undoubtedly be performed in addition to existing duties, and for some assets responsibilities may be shared between several individuals.

4.6 Information Asset Administrators (IAA)

IAAs work on a day to day basis with the information contained in an information asset (see definition above). They have day to day responsibility, ensure that policies and procedures are followed by staff, recognise actual or potential security incidents, and consult their IAO on incident management. IAAs are senior individuals and are usually the head of department or the person with ultimate responsibility for the information asset.

4.7 Information Governance Lead

The Information Governance (IG) Lead is the Head of Information Governance (Yvonne Salkeld). The Head of Information Governance is responsible for ensuring the organisation meets its statutory and corporate responsibilities and for engendering public trust in the management of personal information. The Head of IG is accountable for ensuring effective management, accountability, compliance and assurance for all aspects of IG.
The key tasks include:
- Responsibility for delivering a high quality specialist Information Governance service to the Trust and its customers (i.e. North Cumbria Clinical Commissioning Group);
- Providing strategic direction, planning and guidance to ensure compliance with information governance legislation and the national agenda;
- Ensuring work practices are evaluated and supported through the development of appropriate policy and procedures across the organisation;
- Acting as Data Protection Officer for the Trust. This is an independent and protected role, as documented in Article 37 of the General Data Protection Regulation.

4.8 Information Security

The Head of IT, with delegated responsibility to the Information Security Manager, is responsible for the provision and management of a high quality, customer focused Information Technology Security Advisory Service, using expertise to manage security issues, identify best practice and make recommendations for local implementation. These individuals must work closely with the Information Governance team.

4.9 All Trust Employees

All Trust employees and anyone else working for the organisation (e.g. agency staff, honorary contracts, management consultants etc.) who use and have access to Trust information must understand their personal responsibilities for information governance and comply with UK law. All staff must comply with Trust policies, procedures and guidance and attend relevant education and training events in relation to IG.

Information Governance Team Resources

Staff roles which support the Information Governance agenda are identified in the organisation chart below. The eHealth Department (under the Strategy and Support Services Directorate) holds the dedicated budget for delivering Information Governance. Other lead roles supporting the IG agenda are as follows:
- Risk management
- IT, for technical security advice
- Business Continuity Manager
- Senior Information Risk Owner
- Caldicott Guardian

IG team organisation chart (roles reporting to the Head of IG):
- Head of IG
- IG Performance Management Officer; IG Performance Management Assistant
- IG Compliance Manager; IG Compliance Officer; IG Data Officer; IG Asset Management Officer
- RA Manager; RA Agent x3
- Information Sharing / Privacy Officer; Information Rights Coordinator; Information Rights Officer; Information Rights Assistants
- Data Quality Manager; Data Quality Facilitators x3; Data Quality Assistants x3
- Health Records Manager; Health Records Facilitators x2; Health Records Supervisor; Health Records Assistants

5. Information Governance Key Project Areas

Information Governance is based on a series of best practice guidance and adherence to a legal and regulatory framework. Detailed below are the main areas that Information Governance covers, linked to the relevant teams, which form our portfolio of services as part of the CPFT IG team's offering in line with our Service Catalogue / Service Portfolio.

5.1 Head of Information Governance

The Head of Information Governance provides strategic leadership in IG, is the prime source of expert advice and policy development, creates and maintains high level awareness, profile and understanding of the strategic and practical importance of IG, and assures the Trust Board that it is meeting its statutory and mandatory obligations. The Head of Information Governance takes a lead in the following areas.

5.1.1 IG Compliance Framework

The General Data Protection Regulation has a specific requirement that data controllers should, "taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons (...) implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary" (GDPR Article 24(1)). This clause is, in effect, saying that the organisation should put in place a compliance framework which ensures it is implementing appropriate technical and organisational measures so that data processing is performed in compliance with the GDPR.

The Head of IG is responsible for pulling this compliance framework together. A compliance framework is defined as a structured set of guidelines and practices that bring together the regulatory compliance requirements that apply to an organisation and the business processes that meet those requirements. This includes supporting other national initiatives, i.e. sustainability and transformation plans, the National Data Guardian report etc. The technical and organisational measures include specific procedures as well as staff training, audits and all the technical and physical security controls that form part of an effective security management system. These processes, policies and controls will generally outline how the organisation manages communication, risk and governance relevant to the compliance frameworks. Because there will often be some overlap between the different compliance requirements, the framework should identify this in order to eliminate redundancies and uncertainties. All compliance frameworks have to include three categories of activity, namely:

- People (staff training and awareness, professional skills and qualifications, competent resources)
- Processes (management systems, governance framework, best practice, IT audit)
- Technology (you cannot deploy technology without competent people, support processes or an overall plan)

The IG framework uses the principles of a continual improvement process, namely:
- Plan: establish the objectives and processes necessary to deliver results in accordance with expected outputs (i.e. targets, goals, KPIs);
- Do: implement the plan and execute the process;
- Check: study the actual results of the Do phase and compare them to the expected results (the targets and goals from the Plan stage) to check for differences;
- Act: request corrective action to eliminate significant differences between the planned results and those achieved.

5.1.2 Data Protection Officer (DPO)

The Data Protection Officer is a protected and independent role. The DPO is responsible for ensuring that the controller, processor and employees who process personal data understand their obligations, and for providing advice on meeting those obligations. The DPO should have oversight of the compliance framework and should produce evidence of effective use of the DPO, including records, reports and schedules. This is needed to confirm the efficacy of the organisation's compliance programme. A key function of the role is to provide advice, where requested, on data protection impact assessments and to monitor their performance. The DPO is essentially the organisation's immediate liaison point with the supervisory authority (the ICO). As a public body processing large volumes of personal data, the Trust is subject to increased attention from the supervisory authority under the GDPR. The DPO's contact details are published as a point of contact for data subjects.

5.1.3 IG Toolkit

Ensure satisfactory assurance against the IG Toolkit.

5.1.4 Policies

Ensure all information governance policies are approved by the IG Board. This mechanism is in accordance with the organisation's policy and resource pack. All policies are made available to staff via the Intranet / Internet site and are communicated via the communication plan (see Communication). Existing policies are updated and new policies introduced in line with the current information governance agenda. These policies provide the organisation's Staff Code of Conduct and must be read in conjunction with the organisation's Staff Handbook and staff employment contracts. Policies outline scope and intent and provide staff with a robust IG framework whilst setting out their responsibilities as employees of the Trust. The Trust is committed to ensuring that all staff and those working with the Trust are familiar with the organisation's objectives and what is expected of staff in order to achieve these objectives. Policies and procedures are one of the key means the Trust uses to communicate these expectations to staff. The policy structure framework is embedded in the source document as a spreadsheet (policy structure.xlsx).

5.1.5 Strategic Lead for Teams under the umbrella of IG

Ensuring the teams deliver the IG work plan and that operational service requirements are met in line with a clear strategic plan.

5.2 IG Performance Management

Team: IG Performance Management Officer; IG Performance Assistant.

The IG Performance Team provides first line support and advice to the various IG teams through the delivery of a performance improvement culture and the development of an Information Governance performance management framework in line with strategic priorities and regulatory requirements. They offer independence and quality assurance to the various initiatives.

Performance

We are committed to the principle that performance management is not solely concerned with the monitoring of key performance indicators (KPIs) but is a tool to drive improvement in performance across the organisation. It is a process which contributes to the effective management of individuals and teams in order to achieve high levels of performance. As such, it establishes a shared understanding about what is to be achieved and an approach to leading and developing people which will ensure success. The Information Governance performance model has been developed to provide a consistent approach to the way IG performance and quality is managed, monitored, reviewed and reported. This model is based on five key stages:

1. Strategic planning: development of a plan/strategy with clear objectives. These have been designed to follow the "golden thread" principle, that is, they should link from the highest level (Chief Executive objectives) right down to the team member objectives set at appraisal. Nine Information Governance objectives have been developed and a series of tasks identified that will ensure these objectives are achieved. These tasks have been allocated to individuals, ensuring that everyone understands what is required of them and how they contribute to the overall performance of the team, department and organisation.

2. Performance measurement and monitoring: design of key performance indicators (KPIs) and tasks to measure and monitor how well we are delivering on the strategic objectives set out in stage 1. Most important is to ensure the metrics are relevant, meaningful and SMART (Specific, Measurable, Achievable, Realistic and Timely). A full work plan has been developed containing tasks and KPIs, each of which has been allotted milestones and/or targets so that progress can be measured and monitored on a monthly basis.

3. Business Intelligence (BI), analytics and modelling: use the performance data and metrics to analyse performance. This step is all about creating a solid evidence base to inform decision making. Performance updates will be collated on a monthly basis and tools developed with which to analyse the data.

4. Reporting and reviewing performance: translating the insights gained from performance information into management reports and dashboards, and putting the review processes in place to act on the data. Once the data has been analysed, the results will be presented to senior managers and stakeholders using a suite of reports and dashboards currently under development.

5. Aligning people and culture: ensuring the people, culture and leadership approaches are focused on performance improvement. This means closing the knowing/doing gap and acting on the insights gained and decisions made in order to generate real performance improvements.

Why is performance management important?
- If you don't measure results, you can't tell success from failure.
- If you can't see success, you can't learn from it.
- If you can't recognise failure, you can't correct it.
- What gets measured gets done.

5.3 IG Compliance Team

Team: IG Compliance Manager; IG Compliance Officer; IG Data Officer; IG Asset Management Officer.

The IG Compliance Team's aim is to ensure that patient information is processed legally, securely, efficiently and effectively in order to support the delivery of care, through the project areas identified below.

5.3.1 Asset Management

In order to appropriately scope and prioritise risk management efforts, it is necessary to ensure that a complete and accurate information asset register exists. As part of the identification process, it is imperative that all instances of information assets are located. In addition, information assets need to be classified in terms of sensitivity and criticality to the Trust. This information is recorded on the Information Asset Register (Alloy system), which is linked to a SharePoint library where all supporting documentation is stored. It is also essential to ensure that all information assets have an identified owner. Information Asset Owners are senior individuals involved in running the relevant business. Their role is to understand and address risks to the information assets they own and to provide assurance to the SIRO on the security and use of those assets. Identified key risks (those rated medium or high), once assessed by the SIRO and supported by the IG Board, will be considered for inclusion on the Corporate Risk Register. In addition, any policies related to information asset ownership should reflect the need for succession planning consistent with any Business Continuity Plans (BCPs) drawn up. This will help promote accountability for policy compliance, risk management and PIA / data protection impact assessment requirements throughout the organisation. System level security policies requiring information asset ownership should be in place, as well as processes to assign ownership as information assets are acquired, transferred or created.

A designated post has been in the structure since 2015 to facilitate this framework for information asset management, which is a key task for improvement due to the introduction of new systems and processes (i.e. EPR) and to ensure legacy systems are archived appropriately. The data protection impact assessment (DPIA) is one of the specific processes mandated by the GDPR. DPIAs are used to identify specific risks to personal data as a result of processing activities and focus on data protection and privacy.

The three primary conditions identified in the GDPR for when a DPIA is required can be paraphrased as follows (derived from GDPR Article 35(3) and Recital 91):

a) when evaluating a natural person using automated processing (including profiling) in order to make decisions about, or that have legal impacts on, the subject;
b) when processing large quantities of special categories of data, or personal data relating to criminal convictions and offences;
c) when systematically monitoring publicly accessible areas on a large scale.

Examples include a new algorithm used to sort large quantities of personal data, processing that poses a high risk to data subjects' rights and freedoms, collecting information on someone's medical history, and monitoring publicly accessible areas (i.e. CCTV).

The minimum to be recorded is:
- a description of the processing and its purposes;
- the legitimate interests pursued by the Data Controller;
- an assessment of the necessity and proportionality of the processing;
- an assessment of the risks to the rights and freedoms of the data subjects;
- the measures envisaged to address the risks;
- all safeguards and security measures to demonstrate compliance;
- an indication of timeframes if processing relates to erasure;
- an indication of any data protection by design and default measures;
- a list of recipients of personal data;
- confirmation of compliance with approved codes of practice;
- details of whether data subjects have been consulted.

5.3.2 Data Mapping

The IG Team are responsible for ensuring that all transfers of hard copy and digital person identifiable and sensitive information have been identified, data mapped and risk assessed. It is the legal responsibility of an organisation, as Data Controller, to ensure that transfers of personal information for which it is responsible are secure at all stages; as an outcome of this process, technical and organisational measures can be put in place to secure these transfers.
This is completed by engaging with operational services through a workshop, mapping the flows and risk assessing them through the Information Sharing Gateway. The Head of IG, with escalation to the SIRO / Caldicott Guardian where relevant, will authorise these flows within the Trust. The aim is that in the coming two years these flows form part of the care stream IG dashboard, so that the IAO (Information Asset Owner) for the relevant clinical / corporate system has visibility of the flows of information from their information asset, and the IAO will assist the IG team in putting in place appropriate technical and organisational measures against unauthorised or unlawful processing of, and accidental loss or destruction of or damage to, personal data.

Data mapping is generally considered best practice for any data protection or privacy compliance programme, because you can't protect your information if you don't know a) that it exists, b) where it is and c) the conditions under which it is kept. Regular data mapping exercises are essential to protect personal data in line with the GDPR under the four elements of data items (what data fields are being used), formats (how data are stored: digital or paper), transfer methods (how data move from one location to another) and location (the sites where data are stored and where processing happens).

5.3.3 Audit and Spot Check Compliance

Using the ICO Guide to Data Protection Audits as a guide, the IG Team have developed an audit and spot check compliance document. This pulls together the tools required to complete audits in various areas (i.e. 360 degree audits on subject access requests, health records audits, spot check visit checklists). The aim of this approach is to:
- help raise awareness of Data Protection and the legal framework on which Information Governance is based;
- show the organisation's (i.e. care groups', corporate services') commitment to and recognition of the importance of data protection in day to day working practices;
- provide some self-assessment of our compliance to support the trajectory towards level 3 compliance;
- identify data protection risks to enable practical, pragmatic and operationally specific recommendations;
- provide another vehicle through which to share knowledge with trained IG staff;
- detail in a central place the audit methodology for the spot checks undertaken by the department.

The focus of the audit approach will be to determine whether the organisation's policies and procedures are being followed operationally by staff, in order to reinforce and educate, to regulate the processing of personal data, and to ensure that processing is carried out in accordance with those policies and procedures. When an organisation complies with its requirements, it is effectively identifying and controlling risks to prevent breaching the DPA.
An audit will typically assess the organisation's procedures, systems, records and activities in order to:
- ensure the appropriate policies and procedures are in place;
- verify that those policies and procedures are being followed;
- test the adequacy of the controls in place;
- detect breaches or potential breaches of compliance; and
- recommend any indicated changes in control, policy and procedure.

5.3.4 Contracts

The Information Governance Team has a work stream plan to ensure that contractors meet the required IG standards in order to meet the IG Toolkit requirements. Initially this will focus upon a systematic process of identifying all contracts in place throughout the Trust (this includes new contracts and those already in place) and evaluating each supplier's level of compliance with IG standards as detailed in the Information Governance Standards for Contractors Policy. The aim for the IG Compliance Team for the updated year is to ensure that progress is made in the compliance standards for CPFT contractors, and that a robust escalation procedure is in place for those who do not meet the required standard and pose a risk to the Trust's information.

The roles of Data Controller and Data Processor are central to the GDPR and it is crucial to differentiate these roles as early as possible. Organisations must retain records to prove their compliance should the supervisory authority (ICO) request evidence. Organisations involved in processing data typically produce a large number of records from processing, and establish compliance with the regulation by way of fair processing notices, retention policies, evidence of consent, DPIA reports and so on, all of which can be used as evidence of compliance.

[Add in about data processing agreements in contracts and transfer agreements]

5.3.5 Risk Assessment and Incident Management Process

Potential losses arising from breaches of IT and information security include physical destruction of or damage to the organisation's computer systems, loss of system availability, and the theft, disclosure or modification of information due to intentional or accidental unauthorised actions. In addition, healthcare organisations process person identifiable data of particular sensitivity, which needs to be protected from loss or inappropriate disclosure. Clear guidance has been documented and issued to staff, and all staff should be made aware of the organisation's incident reporting and management procedures (currently via Ulysses). This process is supported by the Trust's IG policies and procedures regarding information risk management. The process for the investigation of Serious Untoward Incidents is in line with the HSCIC Information Governance SUI Checklist published in February. The Head of IG is responsible for ensuring that adequate arrangements are in place for:
- reporting IG events or incidents;
- managing IG risks;
- analysing, investigating and upward reporting of events / incidents and recommendations, in collaboration with STEIS and Information Commissioner's Office reporting;
- progressing recommendations through the IG work plans and learning the lessons (identified as a separate IG objective);
- communicating IG developments and standards to staff;
- ensuring completion of improvement plans as a result of a SUI investigation.

In addition, when business cases are developed the IG team have a checklist to follow to ensure that all privacy risks are identified at the start of the project and considered for inclusion, effectively building privacy by design into the system.

In the GDPR a personal data breach means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (ref. GDPR Article 4(12)). Information can be compromised in a number of ways (i.e. theft, ransomware etc.). These are violations of the information's confidentiality, integrity or availability, also called the CIA of information security. The GDPR has specific rules regarding when and how an incident must be reported to the supervisory authority (ICO, via the IG Toolkit) and to the affected data subjects. The data controller is required to notify as soon as the controller becomes aware that a personal data breach has occurred "(...) without undue delay and, where feasible, not later than 72 hours after having become aware of it" (GDPR Recital 85).

5.3.6 Projects

The Information Governance Team is part of the E-Health Department, which holds the Programme Management Office. When projects are justified and a business case developed, the IG team receive a work package (in line with the agreed template) and complete the relevant checks from cradle to grave (i.e. pre-procurement, contractor compliance checks (DPA / IG Toolkit compliant), and ensuring accreditation documentation is in place for services to use in terms of standard operating procedures, training etc.). The templates used will be the same as those referenced in the asset section above.

5.3.7 Human Resources

The IG Compliance Team works effectively with the HR department to ensure all the required evidence is available to provide assurance that information governance arrangements relating to our staff are in place and in line with the ICO Employment Practices Code. In addition, through active engagement with HR and the Information Commissioner's Office becoming more involved in organisational audits, it has been agreed that IG will monitor HR's performance against defined objectives detailed within the ICO's Employment Practices Code. The detail of this will be confirmed with HR, but it seeks to provide evidence that the Trust is ensuring compliance with legislative and regulatory requirements across the board. In terms of the GDPR there is a need to work with the HR department on their processing activities to ensure that data are processed on a lawful basis.
There is a need to liaise with the supplier of the HR and payroll systems to ensure they are compliant with the GDPR (including the recording of withdrawal of any consent), and to ensure all policies and procedures for recruitment, the course of employment and the termination of contracts are compliant with the GDPR; an example is the rewriting of the IG section in contracts of employment.

5.3.8 Information Security Management

Information security and its management deals with all aspects of security whether spoken, written, printed, electronic or recorded in any other medium, regardless of whether the information is being created, viewed, transported, stored or destroyed. This is in contrast with IT security (managed under the Head of IT), which is concerned with the security of information within the boundaries of the technology domain, usually in a custodial capacity. Following good practice, there are six basic outcomes of effective information security governance:
- Strategic alignment: aligning information security management to the Trust's strategy and in support of its organisational objectives.
- Risk management: executing appropriate measures to mitigate risk and reduce potential impacts on information resources to an acceptable level.
- Value delivery: optimising security investments in support of the Trust's business objectives.
- Resource optimisation: using information security knowledge and infrastructure efficiently and effectively.
- Performance measurement: monitoring and reporting on information security processes to ensure that objectives are achieved.
- Integration: integrating all relevant assurance factors to ensure that processes operate as intended from end to end.

There is a designated IT security arm managed under the Head of IT, which works closely with the IG department to ensure standards are met. The Security Manager feeds into the IG Toolkit requirements by ensuring relevant assurance is in place.

5.4 Registration Authority Team

[Team structure chart: RA Manager; RA Agents x 3]

The team are responsible for the registration process by which users of Smartcard-enabled IT applications are authenticated (proven to be who they say they are beyond reasonable doubt) and authorised (enabled to have particular levels of access to particular patient data).

5.4.1 Registration Authority Service

The Registration Authority Service Team currently provide the RA service within CPFT and aim to deliver a quality and efficient service to Trust employees. The Team also provide RA services to primary care and the CCG. The Registration Authority is the governance framework within which the Trust can register individuals as users to access the NHS Smartcard-enabled system(s), maintaining the confidentiality and security of patient information at all times. Having a common and rigorous approach to how users are registered and given access to the national services, and other services, is an integral part of protecting the confidentiality and security of every patient's personal and health care details. In light of the work to introduce a new EPR, an access control strategy will be compiled, with the identified positions for staff within the Trust detailed for Caldicott ratification.

5.5 Information Rights Team

[Team structure chart: Information Rights Co-ordinator; Information Rights Officer; Information Sharing and Privacy Officer; Information Rights Assistants x 3]

The Information Rights Team are responsible for overseeing the Trust's management of all requests for information made under the Data Protection Act (to be replaced by the General Data Protection Regulation in May 2018), the Freedom of Information Act, the Access to Health Records Act and the Environmental Information Regulations, and for ensuring all processes are fully compliant. They ensure that data subjects and staff are provided with information and training on their rights, taking a lead in communication and IG training monitoring. The Information Sharing and Privacy Officer, supported by the team, is responsible for ensuring relevant information sharing agreements are in place and that privacy monitoring activities are undertaken.

5.5.1 Information Rights

The Information Governance Team has a designated Information Rights arm that deals purely with the copious number of Freedom of Information Act requests and Subject Access Requests (under the Data Protection Act or, in future, the General Data Protection Regulation). They respond to all requests received by acknowledging them, finding the relevant information within the Trust, co-ordinating it into a suitable response and ensuring that necessary exemptions are applied, whilst meeting the various legislative requirements in terms of timescales etc. This team are also responsible for providing advice and support to services in terms of disclosure decisions and, where necessary, applying other laws (i.e. Access to Health Records for deceased patients, Section 29(3) requests from the Police).
Under the GDPR the team will be responsible for ensuring that the organisation provides transparency on its data processing methods and restores individuals' sense of control over their personal data, under the following main headings:

The right to information: the team provides information to data subjects to demonstrate that their personal data is fairly collected and processed. This is provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Responses to requests under both the Freedom of Information Act and Subject Access Requests will be free of charge (SARs from April 2018), because there is a need to respond to a SAR without undue delay and in any event within one month of receipt of the request (GDPR Article 12(3)).

The right to access: this is confirmation that their data is fairly processed by the Trust or a third party processor, the right to access a copy of that data, to find out the purpose of processing their data including how long it will be stored by the controller, and to be provided with supplementary information about the processing. The GDPR extends this right to give data subjects access to additional information, including the period of time for which the data will be stored and, if this is not possible, the criteria used to determine the retention period.

The right to rectification: supporting the Head of Information Governance in dealing with queries from data subjects who require rectification of any inaccuracies in the personal data held about them. The Team are liaising with the Patient Experience Team in this regard so that there is a consistent process irrespective of how these requests are received.

The right to be forgotten: supporting the Head of Information Governance in dealing with queries from data subjects who request that information be erased if they withdraw consent or there is an issue with the underlying legality of the processing. It is anticipated that an appropriate derogation from the GDPR articles will be received for health / sensitive information. The implications of this process need to be developed in preparation for the GDPR.

The right to restriction of processing: this right effectively allows data subjects, under certain specific circumstances, to prevent controllers from processing their data for specific purposes. It means that although an organisation can store the personal data, it cannot process the data unless the individual gives their consent to lift the restriction, or the processing is necessary for the establishment of legal claims, to protect the rights of another person, or in the wider public interest. This team provides the administrative support, under the direction of the Head of Information Governance, for these queries.
The right to notification: if a controller alters, restricts or removes personal data, it must inform the data subject unless this proves impossible or involves disproportionate effort; the use of information notices acts in support of the principle of transparency (GDPR Article 19).

The right to data portability: under the right of data portability, data subjects can request copies of their personal data in a useful electronic format. This right aims to improve the accessibility of information and is stated in the GDPR as "the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided" (ref. GDPR Article 20(1)). This right only applies where the processing is based on the data subject's consent or the fulfilment of a contract to which they are party. With the transfer of contractual responsibilities in the NHS from one provider to another, this will become more of an issue.

The right to object: under the GDPR, once a data subject raises an objection the onus is on the data controller to demonstrate legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. Until the justification is provided, processing of that personal data must be suspended.

The right to appropriate decision making: data subjects have "the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning [them] or similarly significantly affects [them]" (GDPR Article 22(1)).

5.5.2 Training and Development

Information Governance is a mandatory training requirement set by the Department of Health and contained within the NHS Operating Framework Informatics Planning, which states that all staff should receive annual basic IG training appropriate to their role. This is delivered as indicated above. Key individuals within the IG team and wider (SIRO, Caldicott Guardian, Information Asset Owners) need more in-depth IG training dependent on their role, and this forms part of a separate training needs analysis held by the Information Governance department (for IG staff) following appraisal and identification of development needs. The training for the SIRO, Caldicott Guardian and Information Asset Owners is in line with HSCIC IG Toolkit standards. The IG department monitor compliance in terms of ensuring that staff have attended, via the Trust's agreed process. IG training must extend beyond basic confidentiality and security awareness in order to develop and follow best practice. Staff must understand the value of information and their responsibility for it, which includes data quality, information security, records management, confidentiality, legal duty, information law and rights of access, and patients' rights in terms of a right to privacy and choice.
To ensure that different learning styles are catered for, each year a different focus in terms of delivering training is found. Previously the Trust has had a series of face to face training sessions ( ), e-learning and an IG Code of Conduct Workbook ( ), and e-learning tools (with video podcasts) ( ) with an updated IG Code of Conduct. This training will be translated onto a video for use in induction sessions and, to ensure that it is open to all staff, will be transferred onto a podcast based on the Trust's website that can be used in team meetings to cater for staff (i.e. domestics, porters etc.) who don't necessarily have open access to PCs. Information Governance training is a mandatory requirement for all staff and is included on induction and as an annual refresher. The Trust has been successful for five years running in achieving over 95% compliance with mandatory training, and to support this KPI on an on-going basis a methodology has been developed to monitor this closely.

5.5.3 Communication

The E-Health Department has a separate communication strategy. The Head of IG has developed a communication plan that feeds into this strategy, indicating the tasks that they are responsible for, namely:
- Publication Scheme (FOI)
- Updating of Intranet and Internet sites relating to IG
- Targeted communication in terms of specific projects (i.e. clear desk policy)
- Production of leaflets
- Fair Processing Notices (or Privacy Notices)
- Development of the IG Code of Conduct

This list is not exhaustive but represents a sample of the communication materials that are available. See the detailed plan. In line with the GDPR, the principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used (GDPR Recital 58); hence the Trust will have a published privacy notice.

5.5.4 Fairwarning

The Trust has implemented a patient privacy monitoring system to further ensure that patient information is protected and secure. The new patient privacy system, called Fair Warning, will identify any patterns of inappropriate and illegitimate access to a patient's health record and will alert managers. It gives patients the confidence that, subject to their consent, only people involved in their care can access their records. The system will identify any patterns of inappropriate and illegitimate access to a patient's health record, for example employees accessing:
- records of patients who may be neighbours;
- records of family members;
- their own records (self-examination);
- celebrity patient records.

The Head of IG is the information asset owner of the Fairwarning system, with the Privacy Officer / Information Sharing Officer working with operational services in terms of verifying information in order that appropriate action can be taken (i.e. education and awareness, disciplinary etc.).

5.5.5 Information Sharing Gateway

The Head of IG has been instrumental in the development of an Information Sharing Gateway via a sub-group of the Lancashire and Cumbria IG Leads meeting. Funding has been provided via the LPRES initiative and the North West Coast Academic Health Science Network.

The solution, known as the Information Sharing Gateway, provides a tool for IG professionals to work electronically, with the ability to register recipient organisations, and provides a level of assurance against their compliance (i.e. IG Toolkit, PSN etc.). It also signs these organisations up to a common information sharing agreement framework (Tier 1). The solution allows data mapping to take place, capturing the frequency of data transfer and how, when and why data are being transferred. This enables a risk assessment rating so that, as Data Controller, we can confirm that flows are lawfully and fairly processed. The Information Sharing Gateway provides details on where flows of data are coming from (i.e. which information asset) and complements the work being done on information asset management.
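The pattern-based access monitoring described under Fairwarning above, worked as an added example that is not the Trust's or the Fairwarning product's own code: a small detector run over constructed EHR audit records, with the staff register, patient demographics, VIP flag, care-team register and log format all assumed for the example. It also flags access with no recorded care relationship, which the section's "only people involved in their care" statement implies.

```python
# Added example: Fairwarning-style privacy monitor over EHR access audit records.
# Illustrative code for this page; the record format, registers and log lines are
# constructed assumptions, not exports from any real system.
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit trail: which staff member opened which patient record, and when.
AUDIT_LOG = """\
timestamp,staff_id,patient_id,action
2017-05-02T09:01:00,S100,P5001,view
2017-05-02T09:07:00,S100,P5002,view
2017-05-02T09:15:00,S101,P9001,view
2017-05-02T10:30:00,S102,P5003,view
2017-05-02T10:31:00,S102,P5004,view
2017-05-02T10:32:00,S102,P5005,view
2017-05-02T11:00:00,S103,P7001,view
"""

# Constructed staff register: own patient id (if also a patient of the Trust), postcode, surname.
STAFF = {
    "S100": {"own_patient_id": "P9000", "postcode": "CA1 1AA", "surname": "Ashby"},
    "S101": {"own_patient_id": "P9001", "postcode": "CA2 2BB", "surname": "Birch"},
    "S102": {"own_patient_id": None, "postcode": "CA3 3CC", "surname": "Cole"},
    "S103": {"own_patient_id": None, "postcode": "CA4 4DD", "surname": "Dunn"},
}

# Constructed patient demographics, including a VIP / celebrity flag.
PATIENTS = {
    "P5001": {"postcode": "CA9 9ZZ", "surname": "Evans", "vip": False},
    "P5002": {"postcode": "CA9 9ZZ", "surname": "Ford", "vip": False},
    "P5003": {"postcode": "CA3 3CC", "surname": "Grant", "vip": False},  # S102's neighbour
    "P5004": {"postcode": "CA8 8YY", "surname": "Cole", "vip": False},  # shares S102's surname
    "P5005": {"postcode": "CA8 8YY", "surname": "Hale", "vip": False},
    "P7001": {"postcode": "CA7 7XX", "surname": "Irwin", "vip": True},
    "P9001": {"postcode": "CA2 2BB", "surname": "Birch", "vip": False},  # S101 as a patient
}

# Constructed care relationships: staff member -> patients on their caseload.
CARE_TEAM = {
    "S100": {"P5001", "P5002"},
    "S101": set(),
    "S102": {"P5003", "P5004"},
    "S103": set(),
}


@dataclass(frozen=True)
class Alert:
    staff_id: str
    patient_id: str
    timestamp: str
    reason: str


def check_access(staff_id: str, patient_id: str, timestamp: str) -> list[Alert]:
    """Apply the access patterns listed on the page to a single audit record."""
    staff = STAFF.get(staff_id)
    patient = PATIENTS.get(patient_id)
    if staff is None or patient is None:
        # An id missing from the registers is itself something to verify.
        return [Alert(staff_id, patient_id, timestamp, "unknown staff or patient id")]
    if staff["own_patient_id"] == patient_id:
        # Self-examination is unambiguous, so the other patterns are not reported.
        return [Alert(staff_id, patient_id, timestamp, "self-examination")]

    # The remaining patterns are independent: one access can raise several alerts.
    alerts = []
    if staff["surname"] == patient["surname"]:
        alerts.append(Alert(staff_id, patient_id, timestamp, "possible family member"))
    if staff["postcode"] == patient["postcode"]:
        alerts.append(Alert(staff_id, patient_id, timestamp, "possible neighbour"))
    if patient["vip"]:
        alerts.append(Alert(staff_id, patient_id, timestamp, "VIP / celebrity record"))
    if patient_id not in CARE_TEAM.get(staff_id, set()):
        alerts.append(Alert(staff_id, patient_id, timestamp, "no recorded care relationship"))
    return alerts


def scan_audit_log(log_text: str) -> list[Alert]:
    """Run check_access over every row of a CSV audit export."""
    alerts: list[Alert] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        alerts.extend(check_access(row["staff_id"], row["patient_id"], row["timestamp"]))
    return alerts


def summarise_by_staff(alerts: list[Alert]) -> dict[str, list[str]]:
    """Group alert reasons per staff member: the pattern view a manager is shown."""
    summary: dict[str, list[str]] = defaultdict(list)
    for a in alerts:
        summary[a.staff_id].append(f"{a.patient_id}: {a.reason}")
    return dict(summary)


if __name__ == "__main__":
    for staff_id, reasons in summarise_by_staff(scan_audit_log(AUDIT_LOG)).items():
        print(staff_id, *reasons, sep="\n  ")
```

Every alert is a prompt for the Privacy Officer to verify with the service, as the section describes, not a finding in itself: a shared surname or postcode is a legitimate coincidence more often than not.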

5.6 Data Quality Team

[Team structure chart: Data Quality Manager; Data Quality Facilitators x 3; Data Quality Assistants x 3]

Any activity using data will be affected by data quality. The team provide root cause analysis and problem solving, provide training on problem areas and facilitate the remediation process for services. The team ensure clinical coding is assigned and support the configuration of systems to minimise data quality errors.

5.6.1 Data Quality Strategy

There is an approved Data Quality Strategy in place with a published data quality toolkit indicating the analysis and evaluation of data and data quality, upon which specific work is undertaken in intervention training, assisting care groups with amending SOPs, and passing corrected data sets to care group staff to amend. The team are responsible for:
- root cause analysis and problem solving with the care groups;
- assisting with data protection impact assessments where there is a data quality element;
- reconciliation of board report figures through audit;
- training on problem areas (i.e. RTT) and ensuring that this training is having a positive impact on future data quality;
- facilitation of the remediation process for services;
- ensuring that all patient clinical coding is assigned;
- ensuring all relevant notifications are placed in electronic patient records by the relevant clinicians / care group;
- working with eHealth colleagues to build mechanisms to monitor data quality;
- working with colleagues (internal to eHealth and Trust wide) to ensure systems are configured to minimise data quality errors;
- raising the profile of the importance of data quality within the Trust.

This is monitored via the Data Quality Strategy Implementation Group.

5.7 Health Records Team

[Team structure chart: Health Records Manager; Health Records Facilitators x 2; Health Records Supervisor and Health Records Assistants]

The Health Records Team are a dedicated team supporting the management of health records (paper or electronic) from cradle to grave (i.e. from records creation through to records destruction).

5.7.1 Health Records

The Health Records function is managed via the Head of Information Governance. The team are responsible for:
- supporting the replacement of the current reliance on paper records with the integrated Electronic Patient Record, to provide a single record of the care provided across the Trust;
- managing the legacy paper records to ensure they are accessible and available when required, and retained for the appropriate length of time in safe and secure storage facilities both within and outside the Trust;
- implementing the health records policy and standard operating procedures for the management of health records in all care group services;
- establishing a single system of cataloguing, archiving, appraising and disposing of paper health records. This will ensure that all paper records are identified, located, catalogued and dispatched to long term storage. This is through a separate mini strategy for archive;
- having in place a system for identifying when retention periods for health records have expired, and then appraising and disposing of them permanently, either by destruction or by permanent archiving;
- establishing within care groups responsibility for local health record management in accordance with policies and procedures;
- complying with the performance management system to demonstrate that records are being managed effectively and efficiently across all care groups, and in line with national policy and regulatory standards, through the regular health records audits.

5.7.2 Corporate Records

The Trust has made a decision not to invest in resource for managing corporate records and therefore, under the responsibility of the Information Asset Owner (Daniel Scheffer), the Health Records team will, on a best endeavours basis, support him in providing advice for any queries that may arise. This is a light touch arrangement only, as no designated resource is available.

6. Information Governance Governance Arrangements

6.1 National Requirements (i.e. Operating Framework, Monitor, NHS Digital, ICO)

The NHS Operating Framework for the NHS in England sets out the key priority areas for systematically improving quality across the NHS. The IG element details the legal framework governing the use of personal confidential data in health care, which is complex. It includes the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act 1998, the Human Rights Act 1998 and the General Data Protection Regulation. The law allows personal data to be shared between those offering care directly to patients, but it protects patients' confidentiality when data about them are used for other purposes. These secondary uses of data are essential if organisations are to run a safe, efficient and equitable health service. It also includes the requirement for all NHS organisations to achieve a minimum of level 2 performance against all key requirements in the IG Toolkit, as set out by the Department of Health (DoH). The Trust is ambitious and wishes to be high performing in this regard, with the ambition to reach Level 3 compliance.

6.2 IG Toolkit

The annual information governance assessment is measured via a self-assessment process of compliance against the standards set out in the IG Toolkit, verified by Internal Audit review (Audit One). The standards are ordered into the following initiatives:
- Information Governance Management
- Information Security Assurance
- Confidentiality and Data Protection Assurance
- Clinical Information Assurance
- Secondary Use Assurance
- Corporate Information Assurance

NHS organisations are required to submit online IG performance reports to the Department of Health, which can be tracked by monitoring bodies (i.e. CQC, Monitor). There are three submissions:
- 30 July: baseline assessment for organisations;
- 31 October: self-assessment or improvement report;
- 31 March: final annual self-assessment report.

The final performance assessment is submitted by 31 March each year and shared with the Care Quality Commission and the Audit Commission. The results are reported on the DoH website and made available to the general public. The Trust also provides its own internal End of Year Report. In it is proposed nationally that there is a major overhaul of the IG Toolkit, which the Trust will need to be prepared for.

6.3 IG Arrangements

The ultimate responsibility for Information Governance in the organisation lies with the Trust Board. The Board discharges its function through the Clinical Governance Group. The IG Board is a sub-committee of the Trust's Clinical Governance Group. The IG Board will, through the development and routine reporting of agreed key performance indicators, identify risks, measure progress, oversee that any necessary remedial action is taken and is effective, and provide a report to the Trust's Clinical Governance Committee on a regular basis through the Head of Information Governance, who is a member of the group.
The IG Board has overall responsibility for overseeing the development and implementation of this framework, the IG policy and IG work plan / performance framework. This will be subject to periodic review and progress reports and any identified risks highlighted. The e-health department also has a monthly heads of service meeting with the Director of Finance, Strategy and Support Services and any items affecting the e-health department only will be raised through this Forum. Key representatives meet on an monthly basis as the IG Performance Group to act as focal point for the monitoring and performance management of business plan objectives. 31

A GDPR task and finish group has been established to support the Trust's compliance ahead of its introduction in May 2018. The terms of reference and key responsibilities of each group are detailed at Appendix A. In line with the changes in CCG structure there will be a need to split compliance per the relevant organisations.

7. Monitoring compliance with this Framework

The audit and spot check document outlines the Trust's monitoring arrangements for the IG framework within the Trust. The Trust reserves the right to commission additional work or change the monitoring arrangements to meet organisational needs. In addition, the Information Governance Toolkit requirements are reviewed each year by Audit One (approved Trust auditors), and the IG Performance Model in place also supports independent compliance against this framework. The monitoring arrangements for the various areas of IG are detailed in the separate document, using the ICO Guide to Data Protection Audits.

Monitoring arrangement 1
- Aspect of compliance or effectiveness being monitored: Monitored via the arrangements in the document Audit and Spot Check Compliance
- Monitoring method: Various (see document)
- Individual responsible for the monitoring: Head of Information Governance
- Frequency of the monitoring activity: Various (see separate document)
- Group / committee which will receive the findings / monitoring report: See governance arrangements (i.e. IG Board, Clinical Governance Group etc.)
- Group / committee / individual responsible for ensuring that the actions are completed: Director of Finance, Strategy and Support Services

Monitoring arrangement 2
- Aspect of compliance or effectiveness being monitored: Monitored on a monthly basis via Inphase
- Monitoring method: Monthly review against KPIs and tasks with associated evidence in place
- Individual responsible for the monitoring: Head of Information Governance
- Frequency of the monitoring activity: Various
- Group / committee which will receive the findings / monitoring report: See Inphase / Performance section of framework
- Group / committee / individual responsible for ensuring that the actions are completed: Director of Finance, Strategy and Support Services

8. References / Bibliography

- Information Commissioner (2015) ICO Guide to Data Protection Audits
- HSCIC (February 2015) Information Governance Serious Untoward Incident Checklist
- Data Protection Act 1998
- Freedom of Information Act 2000
- Human Rights Act 1998

9. Related Trust Policy / Procedures

See IG section on policy page.

Appendix A: IG Board Terms of Reference

Name of Committee: IG Board

Connectivity
- Reports to: Clinical Governance Group
- Committees reporting to this group:
  o Lancashire and Cumbria IG Leads
  o IG Performance Group
  o GDPR Task and Finish Group
  o Minutes from ad hoc project groups where relevant issues arise (i.e. Technical Design Authority, Data Quality Implementation Group)

Chair: Director of Strategy and Support Services (SIRO)

Deputy Chair: Executive Director of Quality and Nursing

Membership
- Director of Strategy and Support Services (SIRO)
- Medical Director (Caldicott Guardian or deputy)
- Head of Information Governance
- Associate Director of ehealth
- Head of IT / Security Manager
- IG Compliance Manager
- Rotating attendance by IG team managers (Registration Authority, IG Performance, Data Quality, Health Records Manager, Information Rights Co-ordinator or Information Sharing / Privacy Officer) depending on issues being escalated to the group for attention
- Designated Care Group representatives to take back relevant issues through clinical governance routes:
  o Specialist Services: Lesley Dodd
  o Children Services: Lyn Moore
  o Mental Health Services: Kath Watts / Katherine McGleenan
  o Community Services: Sarah Sproat
- Ad hoc representation from other organisations on an invitation basis by the Chair:
  o Audit North
  o Cumbria Clinical Commissioning Group
  o Representative from NCUH as increased partnership working takes place

In attendance: Designated Admin support

File Reference Number:

Functions of Committee (Information Governance Board)
- Oversight Committee for General Data Protection Regulations (to be implemented May 2018).
- Sign off the IG Framework and associated compliance programme.
- Ensure the assurance processes are in place via the IG Performance Group to review the IG Toolkit assessment and ratify its submission.
- Sign off the Information Governance work programme.
- Ensure the Trust's approach to information handling is reflective of national standards and is communicated to all staff and made available to the public.
- Approve and sign off, on behalf of the Board of Directors, the standards for each element of the Information Governance Toolkit prior to submission to HSCIC.
- Ensure that there is robust evidence (assurance) in place to support compliance against information governance standards.
- Provide to the Clinical Governance Group an assessment of risk against information governance standards and the action being taken to manage and mitigate the risks.
- Ensure the national policy, strategy and guidance relating to information governance is implemented and evaluated appropriately.
- Provide linkages to the relevant registration requirements with the Care Quality Commission and other regulatory bodies, i.e. Monitor.
- Assist the SIRO (Senior Information Risk Owner) in his responsibilities, develop information risk policies and advise of information risk issues as appropriate. Similarly for the Caldicott Guardian in terms of protecting personal identifiable information.
- Review all information security and confidentiality incidents that are reported in line with HSCIC guidance.
- Provide a focal point for the resolution and / or discussion of information governance issues.
- Approval of IG strategies and policies.

Outputs from the Group
- Formal minutes
- Achievement of Service Catalogue (see separate appendix)
- Achievement of 9 IG objectives:
  o Provide provision of specialist IG support through the relevant CCG, the Success Regime and Digital Roadmap work;
  o Implement a robust data quality monitoring service providing the tools to enable staff to correct their own errors at source;
  o The Information Rights Service will ensure that the Trust meets its legal duties and requirements concerning subject access and freedom of information requests and satisfies the organisation's obligations in the areas of information sharing, privacy monitoring and IG training;
  o Ensure the RA service continues to provide the existing quality level of service;
  o Delivery of a sustainable and robust records management service (corporate and health records);
  o Be aware of and react accordingly to changes to the IG Toolkit;
  o Work with IAOs to complete accreditation documents, providing assurance for use, or decommissioning documents to provide assurance that assets have been securely decommissioned;
  o Ensure alignment with changes to GDPR (General Data Protection Regulations);
  o All team members are knowledgeable in their roles to deliver an excellent IG service with positivity, motivation and a good work life balance based on the Trust's values and behaviour framework.

Quorum: One third of membership

Review date: Yearly - May 2018

Frequency of meetings: Quarterly

Appendix B: IG Performance Group Terms of Reference

Name of Committee: IG Performance Group

Connectivity
- Reports to: IG Board
- Committees reporting to this group: Relevant issues that need discussion prior to escalation to the IG Board; ehealth issues.

Chair: Head of Information Governance

Deputy Chair: Data Quality Manager

Membership
- Head of Information Governance: Yvonne Salkeld
- Data Quality Manager: Gill Coward
- RA Manager: Pauline Tyler
- Health Records Manager: Helen Charnley
- IG Compliance Manager: Paul Corrie
- Information Rights Co-ordinator: Justine Gatehouse
- Information Sharing / Privacy Officer: Tony Atkinson
- IG Performance Officer (or deputy): Ruth Bunn / Eileen Osborne
- Head of Performance: Natalie Karam, or Team Leader for the Business Intelligence Analysts
- Apps Manager Lead: Emma Watson
- Infrastructure Lead: Steve Dobie
- Information Security Representative: Dave Patterson
- Designated deputies are allowed to attend in the absence of the relevant manager.
- Ad hoc representation from other organisations on an invitation basis by the Chair:
  o Representative from NCUH as increased partnership working takes place

In attendance: Designated Admin support

File Reference Number:

Functions of Committee (Information Governance Performance Group)
- Draft and comment on the IG framework and IG compliance programme (work plans) prior to sign off by the IG Board.
- Co-ordinate the activities of staff given data protection, confidentiality, information security, data quality, records management, RA, FoI and SAR responsibilities to support achievement of objectives, which may need to be across teams.
- Act as a focal point for the monitoring and performance management of the improvement plan for information governance standards, and provide assurance to the IG Board / Clinical Governance Groups (as appropriate) on progress against the standards.
- Ensure that the Trust has the key evidence to demonstrate that it is maintaining all standards used to measure IG assurance at a minimum of level 2, with a stretch target to achieve level 3 compliance in line with agreed trajectories.
- Operationally implement national policy, strategy and guidance relating to information governance, escalating any issues to the IG Board for decision making.
- Monitor and performance manage the development and maintenance of information sharing agreements with partners and other third parties to ensure the safe and secure sharing of personal identifiable information for both primary and secondary care purposes.
- Monitor the development and implementation of registration authority procedures to ensure that access to systems through smartcards is undertaken in a way that is safe and secure.
- Monitor the IG training that is available to staff and its completion in line with requirements detailed in the Informatics Planning component of the NHS operating framework.
- Monitor compliance with the information governance service level agreement with North Cumbria Clinical Commissioning Group.
- Provide an ehealth focal point for the resolution and / or discussion of information governance issues.
- Comment on and draft IG strategies and policies prior to IG Board ratification.
- Assist the GDPR task group in work associated with GDPR.
- Although dealings with future projects take place via the relevant Project Group, this group will deal with any business as usual items coming from these projects to ensure swift transfer into business as usual.
- Ensure relevant changes to ISDN letters and data quality issues are picked up.
- Monitor risks prior to presentation to ehealth heads of service, support in ensuring they are recorded in a consistent manner in line with the SOP, and review risks for improvement.
- Ensure completion of all project areas as detailed in this framework, which form part of the Service Catalogue:
  o Asset management
  o Audit and spot check compliance
  o Communication
  o Contracts
  o Corporate records
  o Fairwarning
  o Health records audit
  o Human resources
  o Information rights
  o Information security management
  o Information sharing
  o Performance
  o Policies
  o Projects
  o Registration authority services
  o Risk management and incident management process
  o Training and Development

Outputs from the Group
- Formal minutes
- Achievement of Service Catalogue (see separate appendix)
- Supporting achievement of 9 IG objectives:
  o Provide provision of specialist IG support through the relevant CCG, the Success Regime and Digital Roadmap work;
  o Implement a robust data quality monitoring service providing the tools to enable staff to correct their own errors at source;
  o The Information Rights Service will ensure that the Trust meets its legal duties and requirements concerning subject access and freedom of information requests and satisfies the organisation's obligations in the areas of information sharing, privacy monitoring and IG training;
  o Ensure the RA service continues to provide the existing quality level of service;
  o Delivery of a sustainable and robust records management service (corporate and health records);
  o Be aware of and react accordingly to changes to the IG Toolkit;
  o Work with IAOs to complete accreditation documents, providing assurance for use, or decommissioning documents to provide assurance that assets have been securely decommissioned;
  o Ensure alignment with changes to GDPR (General Data Protection Regulations);
  o All team members are knowledgeable in their roles to deliver an excellent IG service with positivity, motivation and a good work life balance based on the Trust's values and behaviour framework.

Quorum: One third of membership

Review date: Yearly - May 2018

Frequency of meetings: Monthly

Appendix C: GDPR Task and Finish Group

Name of Committee: GDPR Task and Finish Group

Connectivity
- Reports to:
  o IG Performance Group (operational group)
  o IG Board (oversight committee)
  o Lancashire and Cumbria IG Leads (use of multiagency forums)
- Committees reporting to this group: None

Chair: Head of Information Governance

Deputy Chair: IG Compliance Manager

Membership
- Head of Information Governance (Yvonne Salkeld)
- IG Compliance Manager (Paul Corrie)
- Information Rights Co-ordinator (Justine Gatehouse)
- Information Governance Manager NCUH (Anne Gadsden), to support partnership working
- To be added to once the initial meeting has taken place.

File Reference Number:

Functions of Committee (General Data Protection Regulation Task and Finish Group)

Overall Objective: Project Group / Board for the implementation of the General Data Protection Regulations using the ICO 12 step approach. Reporting to the IG Board as the oversight committee and to the IG Performance Group, where additional work may be commissioned to be undertaken.

Risk Register
- Production of a Project (GDPR) Risk Register, and monitoring and escalating areas of concern via the relevant governance route.
- Ensure regular (monthly) review.

Step 1 - Awareness
- Ensure a GDPR communication plan is in place with relevant stakeholder analysis.
- Implement the GDPR Communication Plan.
- Constant raising of awareness to ensure all understand the impact / any compliance problems.

Step 2 - Information You Hold
- Ensure a full inventory of record processing activities across the Trust (where it comes from and who you share it with).
- Review data mapping processes to ensure they are compliant with GDPR accountability principles and new principles (i.e. noting changes in consent).

Step 3 - Communicating Privacy Information
- Review the current privacy notice.
- Review again following completion of the GDPR preparation work at the end of the process.

Step 4 - Individual Rights
- Check and refine procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Pay particular attention to new rights (i.e. the right to data portability, and how we would respond if a patient asks to delete personal data).

Step 5 - Subject Access Requests
- Update SAR procedures and plan how to implement requests within the new timescales and provide the additional information (retention periods and the right to have information corrected).
- Progress the option (cost benefit analysis) of providing online access.

Step 6 - Legal basis for processing personal data
- Put in place assurance mechanisms to confirm the legal basis for processing personal data.

Step 7 - Consent
- Review how you are seeking, obtaining and recording consent and whether any changes are required to policy or to the configuration of information assets.

Step 8 - Children
- Put systems in place to verify individuals' ages and to gather parental or guardian consent for data processing activities, remembering that consent has to be verifiable.

Step 9 - Data Breaches
- Ensure the right procedures are in place to detect, report and investigate a personal data breach.

Step 10 - Data Protection by Design and Data Protection Impact Assessments
- Ensure a privacy by design approach, with the outcome of a data protection impact assessment, is mandated throughout the organisation.

Step 11 - Data Protection Officer
- Designate a data protection officer and put in place relevant assurances if this is considered appropriate to be across organisations.

Step 12 - International
- Review any flows outside of the UK, noting any patients whose habitual base is outside the UK where there may be implications with another supervisory authority.

Outputs from the Group: Compliance with the General Data Protection Regulations in advance of the implementation date (May 2018)

Quorum: One third of membership

Review date: Yearly - May 2018, with a view to ceasing the group

Frequency of meetings: Monthly

Appendix D: Service Catalogue / Service Portfolio

Document Summary

This service catalogue is intended to establish an agreement between the Service Delivery Organisation (Cumbria Partnership NHS Foundation Trust) and the customers of this Service (i.e. North Cumbria Clinical Commissioning Group). The service may be a package of processes, people, tools, technologies and measurements, and clearly defines what the customer will receive, when they will receive it and therefore what the customer can provide in turn to their own organisation. It is the vehicle used to understand the following:

- How do I, as CPFT IG, offer services to external businesses?
- How do I, as a consumer (i.e. North Cumbria Clinical Commissioning Group), know what IG has to offer?

General

Information Governance is an increasingly high profile area within the NHS, and the service places particular emphasis on compliance and the Information Governance Toolkit requirements of Trusts, independent practitioners and third party contractors. In particular, the service provides strategic advice and expertise and manages the development and coordination of effective information governance standards and compliance for organisations.

The Information Governance (IG) Service:
- Embeds an information governance culture and strategy throughout Trusts, General Practices and third party contractors, promoting the value and importance of effective IG throughout organisations.
- Manages an organisation-wide information governance framework which ensures that organisations meet their statutory, regulatory and performance obligations in relation to data protection, confidentiality, records management, information security and information governance management.
- Provides expert advice on national strategies and complex legal / ethical matters, ensuring compliance with associated legislation and standards.
- Advises and supports organisations and their staff at all levels with expert advice and practical support to enable them to develop and implement appropriate policies, procedures and standards to meet legal, best practice and organisational requirements.
- Develops strategies and plans and establishes organisational policies to improve and develop good IG practices within organisations.

- Ensures that data sharing initiatives (data flows), both internal and external, are in accordance with legislative requirements and that data is allowed to flow freely.

Overall Scope

IG Service delivery impacts upon all areas of Trust business to varying degrees and fully supports the following broad information governance areas:
- Information Governance Management
- Confidentiality and Data Protection Management
- Information Security Management
- Information Governance Risk and Incident Management
- Clinical Information Management
- Secondary Use Assurance
- Corporate Information Management
- Data Quality Improvements
- Records Management

IG Service Key Deliverables

Data Protection Officer

The GDPR, effective 25 May 2018, will provide a modernised, accountability based compliance framework for data protection in Europe. Data Protection Officers (DPOs) will be at the heart of this new legal framework for many organisations, facilitating compliance with GDPR. It is mandatory for a public authority or body to have a designated DPO where its core activities will require the regular and systematic monitoring of data subjects on a large scale. The Trust will consider, through an SLA based on customers' requirements, whether it can provide Data Protection Officer provisions in line with Article 38 (Position of the DPO) and Article 39 (Tasks of the DPO).

Information Governance Toolkit
- Strategically lead, manage, support, implement and advise on the requirements necessary to deliver the information governance agenda for organisations.
- Provide strategic support, leadership and management to deliver and support the requirements necessary to underpin the IG Toolkit requirements, to ensure organisations achieve the necessary IG standards of compliance.
- Prepare and submit annual Information Governance Toolkit returns and submissions in conjunction with customer organisations and third party providers where necessary.
- Support Trust staff, General Practice and third party agencies / contractors to put forward their Information Governance Statement of Compliance assessments and submissions.
- Co-ordinate third party contractors' IG Toolkit submissions.
- Establish Information Governance (IG) networks, both internal and external, to ensure that work stream leads in all areas of IG are adequately represented and that Caldicott Guardians, SIROs and IAOs / IAAs are fully supported.

- Provide guidance and recommendations on service development and improvement to ensure that standards are achieved and maintained.
- Manage associated risk assessments and registers, ensuring that organisations are fully informed of IG related risks and that these are appropriately managed.

NB: CPFT will not submit Information Governance submissions for general practice but will support general practice staff in the process (if required).

Information Asset Register
- The service is responsible for maintaining the Trust's information asset register, ensuring that assets are appropriately risk assessed and maintained.
- Provide support to SIROs, IAOs and IAAs in the management of their information assets.
- Identify, log and maintain a comprehensive database of the Trust's information assets.

NB: Primary care organisations need to hold their own information asset registers.

Privacy Officer Role / Alerts
- Assess, analyse and investigate legitimate relationship alerts, ensuring that these are appropriately managed and escalated where necessary.
- Establish and support staff with Privacy Impact Assessment requirements and their associated consequences.

Audit, Investigations, Risks and Reports
- Ensure organisations successfully manage the risks associated with IG through compliance with organisational standards.
- Review and analyse IG related risks and incidents, reporting these through organisations' reporting mechanisms as necessary.
- Prepare, implement and undertake internal audits and risk assessments against information governance standards and requirements.
- Provide detailed reports, recommendations and implementation / action plans as necessary.
- Audit and assess organisations and third party contractors against the Information Governance Toolkit requirements, general IG and records management standards and compliance, and submitted assessments.
- Conduct audits and inspections as required against local, national or regulatory requirements, including systems audits, to ensure compliance standards are upheld.
- Investigate security breaches, incidents, weaknesses and vulnerabilities which involve personal data and records management, undertaking assessment, risk management strategies and audits.
- Undertake incident investigations and risk management assessments / strategies with IG implications and prepare the necessary reports.

Expert advice and support
- Provide subject matter expert knowledge, practical advice and support to all staff on relevant legislation and best practice guidance in relation to:
  o Data protection legislation
  o Confidentiality
  o Information security
  o Information governance standards
  o Environmental regulations
  o Freedom of information legislation
  o Caldicott principles
  o Records management
- Provide strategic direction, advice and policy formulation to ensure that organisations have the IG policies and procedures necessary to underpin the IG agenda.
- Staff updates promoting information governance services and alerts via appropriate communication methods, i.e. intranet and workshop training.
- Provide a centralised information governance support service to all staff via the service's generic mailbox information.governance@cumbria.nhs.uk and telephone support.

Research Proposals
- Responsible for vetting, approving or making recommendations on national, international and local research proposals on behalf of Trusts in respect of organisational statutory obligations under the Data Protection Act, Human Rights Act and other associated legislation.

Policy Creation
- Formulation and establishment of information governance related policies, procedures and documented guidance for staff.

Project Management
- Lead and support IG related projects or initiatives to facilitate NHS, DoH, CfH or local requirements.

Information Governance Training
- Promote and maintain staff awareness of information governance by developing and delivering formal and informal training and awareness programmes to support all aspects of Information Governance.
  o Information Governance Training: induction training; mandatory training (e-learning); bespoke training courses / workshops (tailored to individual requirements).
  o e-learning Information Governance Training: organisational administrator responsible for the management of Connecting for Health's Information Governance e-learning training tool, its deployment and reporting.

Access to Electronic Systems
- Information Governance Toolkit: set up user accounts.

Privacy Impact / Data Protection Impact Assessments
- Conduct and report on privacy impact assessments in accordance with DoH and organisational policy requirements.

Data Protection Notification
- Maintain the organisation's appropriate notification with the Information Commissioner and deal with Commissioner directives, complaints and enquiries as appropriate.
- Prepare organisations for changes with GDPR if notification is abolished.

NB: Primary care organisations need to maintain their own registrations.

Caldicott Guardian and SIRO
- Provide expert support and advice to the respective Directors in fulfilment of the responsibilities of these specialised roles.

Information Sharing
- Provide expert support and advice and ensure valid information sharing agreements are in place via the Information Sharing Gateway.

IM&T Security Key Deliverables

Description

The provision and management of a high quality, customer focused Information Technology Security Advisory Service, utilising subject matter experts to manage security issues, identify best practice and make recommendations for local implementation for customer organisations. The service is critical to the Trusts in providing high level technical expertise on both IT Security and Information Governance, to ensure all data assets and systems are safe from unauthorised access, theft, loss and corruption. This service also plays a significant role in helping customer organisations achieve their IG Statement of Compliance to the Department of Health and fulfil statutory and NHS policy directives.

Scope
- Subject matter expert providing solutions for safe ways of working regarding IT security.
- Responsible for identifying and managing IT security risks and vulnerabilities.
- IT Security and Information Governance advisory service for:
  o Organisational IG SoC compliance
  o New and existing projects
  o Changes to existing systems
  o Day to day operational support to all staff
  o Creation and maintenance of security policy documents
  o Representation on regional security committees
  o Security incident investigation and reporting
  o IT Security and Information Governance training
  o Advice and support of the NHS IG Toolkit
  o Conducting audits
  o Information asset management
  o Implementation of ISO in accordance with NHS directives and targets
  o Encryption technologies
  o Work with information asset owners to ensure business continuity and disaster recovery plans are in place

Access to Information Key Deliverables

Description and Scope

Liaison and Advice
- Provision of highly specialised advice to members of the public, service users, Trust staff, agents, police, PALs, solicitors etc. in relation to:
  o Access to Health Records Act 1990 (AHRA)
  o Data Protection Act 1998 (DPA)
  o Freedom of Information Act 2000 (FOI)
  o Health Records Management
  o Corporate Records Management
- Supporting GP Practices with advice on matters of confidentiality and access to information.
- Supporting service users by giving guidance, advice and access to information.

The following are outside the scope of this agreement, as the CCG has indicated that this will be provided via NECS:

Subject Access Requests (DPA and AHRA)
- Manage and process all subject access requests in accordance with organisational and statutory obligations.
- Ensure that all subject access requests are processed within the defined statutory period.
- Receipt and analysis of information requests.
- Ascertaining what information / records are required, sourcing and gathering all relevant information pertaining to the access request.
- Analysing information received and checking its fitness for purpose and intended disclosure, thus allowing an appropriate and compliant level of exposure.
- Redacting information as appropriate.

53 Reproducing, collating and distribution of hard copy records following requests for subject access, returning original notes by way of the most secure form of transportation available in each individual case. Assessing costs involved and collecting appropriate fees. Providing advice and services in relation to Section 29 (3) requests and guiding the police and staff in order to bring to fruition appropriate and not excessive information disclosure Reporting to customer organisations. Freedom of Information Act Requests and Management of FOI Publication Scheme Manage and process all Freedom of Information Act requests in accordance with organisational and statutory obligations. Ensure that all FOI requests are complied with within the defined statutory period. Advise and claim relevant exemptions under the Act where appropriate. Receipt and analysis of information requests. Ascertaining what information / records are required, sourcing and gathering all relevant information pertaining to the access request. Analyse information received checking its fitness for purpose and intended disclosure, thus allowing an appropriate and compliant level of exposure. Redacting information as appropriate. Reproducing, collating and distribution of hard copy records following request for access. Assessing costs involved and collecting appropriate fee if appropriate or exemption on cost production basis. Reporting to customer organisations. Establish and maintain FOI publication schemes in accordance with statutory obligations. Information Governance Training Promotion of information governance strategies which underpin the transfer and use of information required to support high quality care, in order to maintain standards of confidentiality, security and public trust. Corporate Records Provide expert support and advice in fulfilment of these responsibilities within these specialised roles. 
Customer Responsibilities - Immediate notification of security incidents or near misses in accordance with Trust policies via the appropriate incident reporting process and where appropriate to the IT Service Desk. - Adherence to organisational policy requirements. - Information IG Services of any changes that may have security implications - Nominate points of contact for IG communications. 52

Service Hours

| Service | Mon - Fri | Saturday | Sunday and Bank Holidays |
| General Service | | No Service | No Service |

Service Levels

| Service | Reporting Period | Minimum | Notes |
| Information Governance Toolkit and IG SoC Submission | Quarterly | Requests will be responded to within 7 days | |
| Information Asset Register | Quarterly | Requests will be responded to within 7 days | |
| Respond to Privacy Breaches | As required | Requests will be responded to within 7 days, with investigation reports completed within 1 month | |
| Audit, Investigation, Risks and Reports | Quarterly | Requests will be responded to within 7 days | |
| Expert advice and support | As required | Requests will be responded to within 5 days | |
| Process Research Proposals | As required | Requests will be responded to within 14 days | |
| Induction Training | Quarterly | Requests will be responded to within 7 days | |
| Responding to requests | As required | Requests will be responded to within 5 days | |

Service Hours

| Service | Mon - Fri | Saturday | Sunday and Bank Holidays |
| General Advisory Service | | No Service | No Service |

FINANCIAL MODEL

An annual price will be provided where there is a contract for ongoing services (i.e. North Cumbria Clinical Commissioning Group). For one-off work, the attached costing model will be used, based on the specific scope of the piece of work to be undertaken.

IG Simple Costing Model for NT&W work - see page 57.

IG Framework (drafted, due for review June 2017)

Registration Authority
- POL/002/077/077 - Access Control Policy (due Dec 2017) - needs to be written in conjunction with the Information Security dept.
- POL/002/066 - Registration Authority Smartcard Policy
- Registration Authority Procedures (need updating in line with RiO etc.): How to input data; How to navigate; Reports

IG Performance Team
- IG Performance Management Framework
- IG Performance Management Monitoring Guide

IG Compliance Team
- IG Compliance Monitoring (work plan)
- Third Party Contracts and Contractors Policy (due for review Sept _) - needs changed due to GDPR
- POL/002/ Asset Management Policy (compliant for _, but will need reviewed due to GDPR)
- Audit and Spot Check Compliance (not a policy) - using the ICO Guide to Data Protection Audits as a guide, with localised IG procedures
- Data Mapping (no policy - do we need one?) - Data Mapping Procedures
- Risk Assessment: POL/002/067 - IG Assessment (due for review Sept 2017) - needs changed for GDPR, and title amended to Data Protection Impact Assessments
- Incident Management: Incident Management Process (needs changed for GDPR to reflect 72 hours)
- Processes: need changed for GDPR to reflect localised procedures for coding / reporting processing activities
- Projects: ehealth Risk Management Procedures (drafted)
- Human Resources: Reference ICO Employment Practices Code (needs to be reviewed for GDPR); POL/002/061 CCTV Policy (due for review June 2017)
- POL/002/094 Internal Viewing of Summary Care Records Policy (compliant for _)

Health Records
- Health Records Strategy (complete, but requires mini strategies to feed the revision of SOPs, i.e. archiving)
- POL/002/008 Health Records Management Policy (compliant, except where revisions may be required due to a change in strategy)
- POL/002/008/011 SOP Creation of Health Record
- POL/002/008/001 SOP Use of Health Records
- POL/002/008/002 SOP Health Record Keeping Standards
- SOP Managing Missing and Unavailable Health Records
- POL/002/008/022 SOP Appraisal, Disposal and Destruction of Health Records
- POL/002/008/012 SOP Multi-disciplinary Record Keeping
- SOP Requesting Health Records (for audit)
- POL/002/008/003 SOP Alerts
- POL/002/008/019 SOP Scanning of Health Records
- SOP Retrieval and Tracking of Health Records
- SOP Transportation of Health Records when moving
- SOP Retention and Archiving of Health Records
- SOP Paper Health Records Audits

Information Rights
- POL/002/ Confidentiality Policy (due June 2017) - needs reviewed in line with GDPR
- POL/002/018 Information Sharing Policy (check in date)
- POL/001/ Data Protection Policy (due for review by June 2017) - waiting for new guidance due to GDPR
- POL/002/003 FOI Policy (compliant for _)
- Consent Policy - needs reviewed in line with GDPR
- POL/002/018/001 Subject Access Request Procedures (due by June 2017) - needs reviewed in line with GDPR
- POL/002/003/001 FOI Standard Operating Procedures (compliant for _)
- POL/002/081 Anonymisation and New Safe Haven Policy (due June 2017)
- POL/001/019 Photography and Video Recording Policy and Procedures (needs finalised; out of date Feb 2017)

Data Quality
- Data Quality Strategy
- Clinical Coding Strategy (on ehealth strategy) - to be progressed
- POL/002/064 - Data Quality Policy (compliant for _)
- POL/002/093 Clinical Coding Policy (due Jul 2017) - but requires the strategy first
- SOPs will be required as a result of implementing the data quality strategy within the data quality team, but with operational services (to do)

IG Framework (drafted, due for review June 2017) - continued

Information Security
- POL/002/ policy (due Dec 2017)
- POL/002/077 Information Security Policy (due for review Dec 2017)
- POL/002/075 Encryption Policy (due for review Dec 2017)
- POL/002/77/004 Mobile Computing and Remote Access Procedure (due Dec 2017)
- POL/002/037 Acceptable Use (due for review Dec 2017)
- POL/002/101 End User Devices (due for review Dec 2017)
- POL/002/077/003 Forensic Readiness
- Monitoring System, Access and Use
- POL/002/102 Network Security Policy (due Dec 2017)
- POL/002/077/006 Clear Desk
- POL/002/103 Change Management (due Dec 2017)
- POL/002/104 Anti Malware Policy
- POL/002/104 Management of Servers and Services
- POL/002/105 Data Centre and Comms Access Policy
- New, in progress: Guest Internet Access (Wifi Spark) (due Dec 2017)
- POL/002/106 User Data Archive Policy (due Dec 2017)
- POL/002/077/007 IT Secure Disposal Policy (due Dec 2017)

Corporate Records (IAO Daniel Scheffer)
- POL/002/038 Corporate Records Policy (due for review April 2017)
- POL/002/017 Corporate Records Procedures (due for review April 2017)


More information

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3 Norwich Central Baptist Church DATA PROTECTION POLICY Adopted: May.2018 Norwich Central Baptist Church (NCBC) is committed to protecting all information that we handle about people we support and work

More information

NHS DIGITAL Records and Document Management Policy

NHS DIGITAL Records and Document Management Policy Status Document Record ID Key Version Director Responsible for this policy Final v2.0 Version Date 10/04/2018 Catherine O Keeffe, Director of Information Governance, Burden and Audit Person to contact

More information

FPSS GDPR Data Protection Policy

FPSS GDPR Data Protection Policy GDPR Data Protection Policy Policy reviewed by: Resources Committee Date: 12 th March 2018 Approved by: Resources Committee Date: 12 th March 2018 Minute No: Next review date: Signed on behalf of The Governing

More information

Data Protection Policy

Data Protection Policy Policy Current Status Operational Last Review: May 2018 Responsibility for Review: Director of Administration, Contracts and Health Next Review: September 2019 Internal Approval: & Safety SLT Originated:

More information

Sample Data Management Policy Structure

Sample Data Management Policy Structure Sample Data Management Policy Structure This document has been produced by The Audience Agency. You are free to edit and use this document in your business. You may not use this document for commercial

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy DOCUMENT CONTROL: Version: 1 Ratified by: Risk Management Sub Group Date ratified: 19 December 2012 Name of originator/author: Information Governance Manager Name of responsible

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Owner Author Information Team Information Governance Manager Reviewed by Approved by and date Council/Committee/EMT Board - Date approved Effective from 24 April 2017 Review

More information

Data Protection. Policy

Data Protection. Policy Data Protection Policy Why do we need this policy? What does the policy apply to? Which parts of SQA are affected? SQA is committed to adopting best practice in protecting the personal information of all

More information

Overarching Information Governance Policy

Overarching Information Governance Policy Document Information Board Library Reference Document Type Document Subject Original Document Author Reviewed By Review Cycle IM&T_01 Policy Information Information IGMG 3 Years Note: This document is

More information

GDPR: What Every MSP Needs to Know

GDPR: What Every MSP Needs to Know Robert J. Scott GDPR: What Every MSP Needs to Know Speaker Robert J. Scott Agenda Purpose GDPR Intent & Obligations Applicability Subject-matter and objectives Material scope Territorial scope New Rights

More information

Risk Management and Assurance Strategy

Risk Management and Assurance Strategy Risk Management and Assurance Strategy Version 5.0 Policy number ULHT-MD-GOV-RM-STRAT Document author(s) Head of 2021 Programme Contributor(s) Approved by Policy Approval Group Date approved Date Published

More information

Recruitment, Selection and Appointment

Recruitment, Selection and Appointment Recruitment, Selection and Appointment Who Should Read This Policy Target Audience Managers Version 2.0 November 2016 Ref. Contents Page 1.0 Introduction 4 2.0 Purpose 4 3.0 Objectives 4 4.0 Process 5

More information

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you: Ignata Group Data Protection / Privacy Notice What is the purpose of this document? Ignata is committed to protecting the privacy and security of your personal information. This privacy notice describes

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework November 2014 Author: Responsibility: Lynda Harris, Head of Information Governance All Staff Effective Date: November 2014 Review Date: November 2015 Reviewing/Endorsing

More information

The Information Commissioner s Office, the Information Governance Alliance and several other organisations are issuing guidance on an on-going basis.

The Information Commissioner s Office, the Information Governance Alliance and several other organisations are issuing guidance on an on-going basis. MARCH 2017 GENERAL DATA PROTECTION REGULATION ROTHERHAM CCG ACTION PLAN Themes of the GDPR: Refining/tightening up of existing concepts Standardised law across the EU New concepts in regulation; accountability,

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Mission Statement WeST holds a deep seated belief in education and lifelong learning. Effective collaboration, mutual support and professional challenge will underpin our quest to

More information

Data Protection in schools and colleges: Questions from the Governing Board/Trustees/Directors

Data Protection in schools and colleges: Questions from the Governing Board/Trustees/Directors Data Protection in schools and colleges: Questions from the Governing Board/Trustees/Directors This document, produced by SWGfL is designed to support governors/trustees/directors of schools / colleges

More information

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021 NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY Adopted: 20 June 2018 To be reviewed: June 2021 NEW LIFE BAPTIST CHURCH, NORTHALLERTON (referred to in this policy as NLBC) is committed to

More information

Information Asset Management Policy

Information Asset Management Policy Information Asset Management Policy 1.0 Purpose 1.1 The purpose of this policy is to outline the management of the Fund s information asset register and the actions that will be taken to provide sufficient

More information