IG01 Information Governance Management Framework


INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

Document History

Document Reference: IG01
Document Purpose: The document complements all other Information Governance policies and sets out the management arrangements for information governance in the CCG
Date Approved:
Approving Committee:
Version Number: 1.7
Status: Draft
Next Revision Due: June 2017
Developed by: Information Governance, NHS Arden & Greater East Midlands Commissioning Support Unit (Arden & GEM CSU)
Policy Sponsor: Head of Information Governance Services
Target Audience: All staff within the CCG whether operating directly or providing services to other organisations under a service level agreement or joint agreement, and to non-executive directors, contracted third parties (including agency staff), locums, students, volunteers, trainees, visiting professionals or researchers, secondees and other staff on temporary placements within the organisation.
Associated Documents: All Information Governance Policies and the Information Governance Toolkit

Page 2 of 26 Paper F - IG01_CCG_IGMF_July 2016_ Final V1_8

Revision History

Version | Revision date | Summary of Changes
1.0 | August 2013 | Revised in line with NHS England Policies and updated to reflect version 11 of the Information Governance Toolkit
1.1 | August 2014 | Revised in line to reflect Version 12 of the Information Governance Toolkit
FINAL 1.2 | August 2014 | Approved at IG Product Group
FINAL 1.3 | September 2014 | Amended not circulated
FINAL 1.4 | October 2014 | Appendix 3 training matrix amended - circulated
Draft 1.5 | June 2015 | Revised to reflect Version 13 of the Information Governance Toolkit. Reference to GEM CSU changed to Arden & GEM CSU, contact details and web links updated.
Draft 1.6 | July 2015 | Amended in line with comments from CCG IG Leads
Draft 1.7 | June 2016 | Annual review

Policy Dissemination information

Reference Number: IG01
Title: Information Governance Management Framework
Available from:

Contents

- Information Governance Management Framework for North Derbyshire CCG
- Introduction
- Purpose and scope
- Policy Statement
- Senior Information Governance Management Details
- Organisational Roles & Accountability
- The CCG Information Governance Lead in conjunction with services provided by Arden & GEMCSU will:
- The SIRO will:
- The Caldicott Guardian will:
- The Information Asset Owner will:
- The Information Asset Administrator will:
- Key Policies
- Governance Arrangements
- Resources
- Training Guidance
- Incident Management
- Equality & Diversity Impact Assessment
- Monitoring and Compliance
- Further Information or Guidance
- References
- Appendix Terms of Reference for Information Governance Committee
- Appendix 2 Information Governance Operational Structure
- Committee Reporting Structure
- Appendix 3 Training Needs Analysis
- Appendix 4 Information Governance Related Policies, Procedures & Guidance Dissemination Process
- Appendix 5 Clinical Commissioning Group Version 1 ( ) Requirements List

Information Governance Management Framework for North Derbyshire CCG

Introduction

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit (IGT) as the organisation's Information Governance Management Framework. This Framework must be documented, approved at the most appropriate senior management level in the organisation (e.g. a member of the Executive Team) and reviewed annually.

This document sets out the CCG's approach to embedding robust information governance throughout the CCG.

The IGT is available here: A user name and password is required to access the CCG IG Toolkit Return.

This policy is a standalone document and provides a summary/overview of how the CCG is addressing the IG agenda and reflects the capacity and capability of the CCG.

Purpose and scope

The purpose of this policy is to establish employee responsibility and the rules of conduct for all members of staff regarding the CCG's information governance framework.

This policy applies to all staff within the CCG whether operating directly or providing services to other organisations under a service level agreement or joint agreement, and to non-executive directors, contracted third parties (including agency staff), locums, students, volunteers, trainees, visiting professionals or researchers, secondees and other staff on temporary placements within the organisation.

Policy Statement

NHS Digital (formerly HSCIC) mandates that the Information Governance Toolkit (IGT) version 14 is completed by all organisations that commission or provide services within and to the NHS.

An Information Governance Management Framework (IGMF) is required to be in place to ensure that the Information Governance agenda is owned and implemented in a structured manner.

Senior Information Governance Management Details

4.1 Organisational Roles & Accountability

The CCG will appoint an IG Lead, Senior Information Risk Owner and Caldicott Guardian. These designated roles will be reported in the CCG IG Toolkit Return under Update Information Governance Senior Management Details once appointed.

The roles of the Senior Information Risk Owner and Caldicott Guardian will be undertaken by senior members of the organisation's management team and will be members of the Governing Body.

The Information Governance Lead is a senior representative in the organisation who leads and co-ordinates the information governance works programme and is line managed by a member of the senior management team.

The Accountable Officer has overall accountability and responsibility for Information Governance and is required to provide assurance through the Statements on Internal Control that all risks to the CCG, including those relating to information, are effectively managed and mitigated.

The Records Manager is an individual/s with clear responsibility for the management of the records of an organisation from the time they are created up to their eventual disposal. This may include naming, version control, storing, tracking, securing and destruction (or in some cases, archival preservation) of records.

An Information Asset Owner is a senior individual involved in running the relevant business. Their role is to understand and address risks to the information assets they own and to provide assurance to the SIRO on the security and use of those assets.

Information Asset Administrators are usually operational members of staff who understand and are familiar with information risks in their area or department. Information Asset Administrators ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management and ensure that information asset registers are accurate and up to date.

4.2 The CCG Information Governance Lead in conjunction with services provided by Arden & GEMCSU will:

- Develop and maintain comprehensive and appropriate documentation that demonstrates commitment to and ownership of IG responsibilities, e.g. an overarching high level strategy document supported by corporate and/or directorate policies and procedures
- Ensure that there is senior management awareness and support for IG resourcing and implementation of improvements
- Provide direction in formulating, establishing and promoting IG policies

- Establish working groups, if necessary, to co-ordinate the activities of staff given IG responsibilities and progress initiatives
- Ensure that assessment and improvement plans are prepared for approval by the senior level of management in a timely manner and in line with national reporting requirements
- Ensure that the approach to information handling is communicated to all staff and made available to the public
- Ensure that appropriate training is made available to staff and completed as necessary to support their duties and in line with IGT requirements and as detailed in the CCG's training needs analysis
- Liaise with other committees, working groups and programme boards in order to promote and integrate IG standards
- Monitor information handling activities to ensure compliance with law and guidance
- Provide a focal point for the resolution and/or discussion of IG issues
- Undertake annual training required by the role as identified in the CCG training needs analysis

4.3 The SIRO will:

- Take ownership of the organisation's information risk policy and information risk management strategy. All key information assets will be identified and their details included in an Information Asset Register
- Take ownership of the risk assessment process for information and cyber security risks, including review of an annual information risk assessment to support and inform the Annual Governance Statement.
- Ensure that Information Asset Owners will be identified for each key information asset.
- Ensure that all systems information assets have an assigned information asset owner.
- Ensure that all staff assigned responsibility for co-ordinating and implementing information risk management will be appropriately trained to carry out their role
- Ensure that Information Asset Owners carry out risk reviews of the assets for which they are accountable, the frequency of review depending upon the importance of the asset and the nature of the risk environment but at least annually
- Lead and implement the information governance risk assessment and advise the Governing Body on the effectiveness of risk management across the organisation

- Undertake annual training required by the role as identified in the CCG training needs analysis

4.4 The Caldicott Guardian will:

- Be added to and maintain registration of the National Register of Caldicott Guardians
- Identify the support necessary to ensure work related to confidentiality and data protection is appropriately carried out
- Provide a plan for the Caldicott Function of the CCG
- Ensure all staff assigned responsibility for co-ordinating and implementing the confidentiality and data protection work programme have been appropriately trained to carry out their role
- Identify the work necessary to provide Confidentiality and Data Protection Assurance
- Be a senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing
- Undertake annual training required by the role as identified in the CCG training needs analysis

4.5 The Information Asset Owner will:

- Identify and document the scope and importance of all Information Assets they own. This will include identifying all information necessary in order to respond to incidents or recover from a disaster affecting the Information Asset.
- Take ownership of their local asset control, risk assessment and management processes for the information assets they own. This includes the identification, review and prioritisation of perceived risks and oversight of actions agreed to mitigate those risks.
- Provide support to the organisation's SIRO and the appropriate risk management group to maintain their awareness of the risks to all Information Assets that are owned by the organisation and for the organisation's overall risk reporting requirements and procedures.
- Ensure that staff and relevant others are aware of and comply with expected IG working practices for the effective use of owned Information Assets. This includes records of the information disclosed from an asset where this is permitted.
- Provide a focal point for the resolution and/or discussion of risk issues affecting their Information Assets.
- Ensure that the organisation's requirements for information incident identification, reporting, management and response apply to the Information Assets they own. This includes the mechanisms to identify and minimise the severity of an incident and the points at which assistance or escalation may be required.

- Foster an effective IG culture for staff and others who access or use their Information Assets to ensure individual responsibilities are understood, and that good working practices are adopted in accordance with the organisation's policy.
- Ensure there is good understanding of the hardware and software composition of their assigned assets to ensure their continuing operational effectiveness. This includes establishing and maintaining asset records that will help predict when asset configuration changes may be necessary.
- Undertake annual training required by the role as identified in the CCG training needs analysis

4.6 The Information Asset Administrator will:

- Ensure that policies and procedures are followed when using an information asset.
- Recognise actual or potential security incidents.
- Consult their IAO on incident management.
- Assist the IAO to ensure that information asset registers are accurate and up to date, for example by reporting when an information asset they use is no longer required.
- Undertake annual training required by the role as identified in the CCG training needs analysis.

5. Key Policies

The CCG via NHS Arden & Greater East Midlands Clinical Commissioning Unit (Arden & GEM CSU) will provide the following policies (or equivalent) to set out scope and intent in terms of embedding Information Governance processes throughout the Organisation:

- An Overarching Information Governance Policy
- A Confidentiality and Data Protection Policy
- An Information Security Policy
- A Corporate Governance Policy (which covers FOI)
- An Information Lifecycle Management Policy (Records Management and Information Quality)

In particular the CCG will implement policies as required to support confidentiality, security and records management processes in addition to this Information Governance Management Framework.

6. Governance Arrangements

The following governance arrangements have been agreed:

- The CCG Governing Body will receive periodic assurance that management and accountability arrangements are adequate and are informed in a timely manner of future changes in the IG agenda by IG updates within the corporate report.
- The CCG will be represented at the Derbyshire Clinical Commissioning Group Information Governance Committee (CCG IGC) and the Derbyshire Information Governance Working Group.
- The Risk and Governance Committee (or equivalent) of the CCG will have responsibility for the Information Governance Agenda supported by identified senior roles i.e. Caldicott Guardian, SIRO, and IG Lead.
- Under a service level agreement, the CCG will obtain Information Governance Support through the Arden & GEM CSU.
- Responsibility and accountability for Information Governance will be cascaded through the organisation via staff contracts, contracts with third parties, Information Asset Owner arrangements and departmental leads.
- Key information governance messages will be developed by Arden & GEM CSU through a Service Level Agreement and made available to the CCG for onward dissemination.

7. Resources

Key staff involved in the Information Governance Agenda, below those at Executive Team level, will be provided to the CCG through a Service Level Agreement between the CCG and Arden & GEM CSU.

8. Training Guidance

Staff need clear guidelines on expected working practices and on the consequences of failing to follow policies and procedures. The approach to ensuring that all staff receive training appropriate to their roles will be detailed and provided by Arden & GEM CSU through a Service Level Agreement with the CCG.

Information Governance Services will assist the CCG in achieving 95% take up of mandatory information governance training and advise/manage staff to undertake further specialist information governance training as required.

Mandatory annual Information Governance Training should be completed by all third party contractors.

Training will also be made available via the NHS Digital (formerly HSCIC) e-learning

9. Incident Management

Clear guidance on incident management procedures will be documented and staff will be made aware of their existence, where to find them and how to implement them through a Service Level Agreement between the CCG and Arden & GEM CSU.

All incidents will be discussed at the CCG Information Governance Committee (or equivalent) on a bi-monthly basis.

10. Equality & Diversity Impact Assessment

None required.

11. Monitoring and Compliance

The IGMF will be reviewed at least annually in line with IG Toolkit requirements or amended as required to reflect changes in organisational ownership.

12. Further Information or Guidance

Contact Information Governance (IG) Services/Arden & GEMCSU
AGCSU.IGDerbyshire@nhs.net

13. References

- NHS Code of Confidentiality:
- The IG Toolkit. bfb6-4f8f-9dc2-27aea4159c93&lnv=2&clnav=yes
- Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation dance.pdf
- NHS Information Risk Management
- The Caldicott Review: Information Governance in the Health and Social Care System

Appendix 1 Information Governance Committee Terms of Reference

1. Introduction

The Information Governance Committee (IGC) is established on behalf of NHS Southern Derbyshire, NHS North Derbyshire, NHS Hardwick and NHS Erewash CCGs in accordance with the joint arrangements detailed in their respective Constitutions and referred to in these terms of reference as "the CCG".

Information governance is a key component of the clinical and corporate assurance framework and can be defined as: providing a framework for handling personal and sensitive information in a confidential and secure manner appropriate to ethical and quality standards in a modern health service. (Connecting for Health)

The purpose of the IGC is to support and drive the broader Information Governance (IG) and Information Management and Technology agendas:

- Ensuring that key risks relating to Information Governance and health informatics which impact on our organisations are identified and managed
- Leading the development of Derbyshire-wide IG strategy as supported by policy and procedures
- Monitor the organisational management accountability, compliance arrangements and availability of specialist staff/resources for Information Governance, taking into account national programmes and compliance requirements e.g. Operating Framework, Information Governance Toolkit and reporting to the relevant CCG committee as appropriate.

2. Accountability

Overall accountability for Information Governance lies with the Chief Officers and the CCG Governing Bodies, delegated through the role of the Senior Information Risk Officers (SIRO).

The IGC has delegated authority from the CCGs' Governing Bodies to manage risk, make recommendations and approve policies which need to be ratified by the individual CCG governance process.

Accountability for operational delivery lies with the CCG Information Governance Lead reporting to the CCG Information Governance Committee, and SIRO who is responsible for day to day management and delivery of the function.

3. Membership

The membership of the IGC includes:

- One representative from each CCG, either the CCG's SIRO or Caldicott Guardian
- CCG Governance Lead

Members of staff from the Arden & GEM CSU will attend the meeting in an advisory capacity, namely the:

- Arden & GEM Information Governance Consultant
- Arden & GEM CSU Information Governance Manager
- Arden & GEM CSU IT Services Senior IT Manager

Other members will be invited to the IGC as required e.g. HR representative, Communications representative, representatives from Public Health, Commissioning or any other representative as appropriate.

Deputising Arrangements

All members can nominate a representative to attend in their absence but the representative must have sign off authority for policies and committee decisions. In the absence of the relevant CCG Caldicott Guardian the SIRO will sign off and obtain retrospective Caldicott Guardian approval.

Quorum Arrangements

One of the following, plus two other members of the IGC need to be present in order for the meeting to be quorate:

- Caldicott Guardian
- SIRO

3 out of the 4 CCGs are to be represented.

Chair of Group: Southern Derbyshire CCG SIRO
Deputy Chair: Hardwick CCG SIRO

In the event of neither of these members being available, a temporary Chair will be elected from those members present.

4. Functions & Responsibilities

Information Governance

i. Ensure that an appropriate comprehensive Information Governance framework and systems are in place throughout the constituent organisations in line with national standards
ii. Receive regular action plans and updates with regard to the organisation's progress on the annual Information Governance Toolkit submission
iii. Ensure that information is effectively managed and that appropriate policies, procedures and management accountability are provided in relation to confidentiality, security and records management

iv. To develop and approve policies to meet information governance requirements affecting the Clinical Commissioning Groups so that they can be ratified by the CCG's governing body
v. Ensure that information risks are identified, assessed and managed in line with the Information Governance Assurance Framework and recommend actions to the Senior Information Risk Owner (SIRO) to ensure risks are mitigated.
vi. To authorise programmes of risk assessments and audits relating to information governance, security and confidentiality; review results and make recommendations to the relevant authorising committee.
vii. To provide expertise and advice and to make recommendations relating to information access requests received by the CCGs. Specifically, to make recommendations to the Chief Operating Officers on the disclosure of information (under the terms of the Data Protection, Freedom of Information Acts or Environmental Information Regulations and associated legislation e.g. Human Rights or Access to Health Records Acts) where the issues are complex and possibly contentious.
viii. To develop and approve suitable information sharing protocols for all organisations involved in routinely and regularly sharing information with the CCGs.
ix. To provide advice and recommendations relating to records management requirements, procedures and practices.
x. To oversee the formulation, ratification, approval and implementation and monitoring of policies and procedures to ensure that the organisations have the capability of meeting NHS and statutory Information Governance requirements
xi. To develop, implement and monitor the annual Information Governance Improvement plan and approve the Information Governance Toolkit submissions.
xii. To liaise with Information Governance related groups at local and national levels as appropriate e.g. EM SIGN etc. to enable the sharing of best practice between such groups and reporting back to the IGC
xiii. To develop solutions and implementation programmes (including training and awareness raising) to ensure that the CCGs comply with developing information governance requirements.
xiv. To ensure that tailored staff awareness and training programmes are in place and delivered for information governance meeting national requirements.
xv. To assist in providing assurance to CCGs on new initiatives where a shared view would be beneficial. This would not be to approve but to act as a sounding board.
xvi. To provide support and advice to the organisation information governance leads as requested or required.
xvii. To communicate to staff and the population served by the CCGs, the organisations' approaches to information handling

xviii. Support the Caldicott function, working with the Caldicott Guardian to ensure work related to confidentiality and data protection is appropriately carried out and any risks reported appropriately.

Information Management and Technology

- Provide assurance to the CCG's governing bodies that sufficient attention is being placed on data quality and security and provide CCGs with assurances around the information security standards of the IG Toolkit
- Ensure appropriate business continuity arrangements are in place relating to information technology
- Receive assurances from Arden & GEM IT Services around the Department of Health Cyber Security compliance levels, via the IG Toolkit and by providing evidence on the related Cyber Security IG Toolkit requirements and cyber alerts.
- Facilitate development and local implementation of health informatics policies ensuring they are consistent with national and local strategy
- Provide a forum for the CCGs and Arden & GEM CSU IT Services to determine IM&T priorities and discuss implementation of new technologies.
- Monitor and review data and hardware security arrangements.

5. Reporting arrangements

The IGC will report to each CCG's Governing Body and/or relevant individual committee via a highlight report (including an Annual Report) along with minutes that have been ratified at the following IGC meeting.

Representatives from CCGs attending the IGC will draw to the attention of their Governing Bodies and/or relevant individual committees any issues or risks that require disclosure, or require action.

Specific issues of concern or matters requiring escalation to the Governing Bodies will be the subject of reports by the CCGs' representative.

6. Frequency of meetings

The IGC will meet on a bi-monthly basis with additional meetings as required to meet its responsibilities.

7. Review of Terms of Reference

The Information Governance Committee Terms of Reference will be reviewed on an annual basis from the date that they were approved by the CCGs, unless it is deemed necessary for them to be reviewed earlier.

Any resulting changes to these terms of reference or membership of the Information Governance Committee must be approved by the CCGs before they shall be deemed to take effect.

8. Secretary

Secretarial support is provided by Arden and GEM CSU who will be responsible for:

- Providing support to the Chair
- Arranging meetings
- Agreeing the agenda with the Chair
- Collating and circulating all necessary papers for the Committee

Any resulting changes to these terms of reference or membership of the Information Governance Committee must be approved by the CCGs before they shall be deemed to take effect.

Version: V2.0
Approved: May 2016
Reviewed by: Information Governance Committee
Review Date: May 2017

Appendix 2 Information Governance Operational Structure

[Organisation chart: Accountable Officer; Caldicott Guardian; SIRO; IG Lead; Records Management Lead; Information Asset Owners; Information Asset Administrators; Arden & GEMCSU IG Lead]

Committee Reporting Structure

CCG Information Governance Working Group Terms of Reference

5. Remit and purpose of the group

Information governance is a key component of the clinical and corporate assurance framework and can be defined as: providing a framework for handling personal and sensitive information in a confidential and secure manner appropriate to ethical and quality standards in a modern health service. (Connecting for Health).

NHS Arden & Greater East Midlands Commissioning Support Unit (Arden & GEM CSU) provides Information Governance support, advice and expertise to the Derbyshire CCGs through the IG Services team. The team link into each Clinical Commissioning Group through an operational IG lead.

The purpose of the IG Working Group is to:

5.1. be the operational focal point for CCG IG leads and Arden & GEM CSU IG leads to discuss information governance issues (and their resolution), including discussion of queries and incident monitoring, providing advice and recommendations to the CCG Information Governance Committee as required
- monitor the operational accountability and availability of CCG staff/resources for Information Governance, taking into account national programmes and compliance requirements e.g. Operating Framework, Information Governance Toolkit and making recommendations to the CCG Information Governance Committee as appropriate
- ensuring compliance with the CCG Information Governance Toolkit and evidence gathering, including exception reporting to the CCG Information Governance Committee as appropriate
- act as the forum for dissemination of information from the Arden & GEM CSU IG team to the CCGs.
1.5 To provide the main point of reference and escalation for the management of issues and risks related to Derbyshire-wide information governance strategy to the Information Governance Committee.

6. Accountability

Arden & GEM CSU hosts the Information Governance Working Group meetings on behalf of the Derbyshire CCGs.

Overall accountability for Information Governance lies with the CCG Chief Officer, delegated through the role of the Senior Information Risk Officer (SIRO).

Accountability for operational delivery lies with the CCG Information Governance lead reporting to the CCG SIRO, who is responsible for day to day management and delivery of the function.

IG advice and expertise is provided to the CCG through the Arden & GEM CSU IG Services team who will liaise with the SIRO, Caldicott Guardian and IG lead/link as appropriate.

7. Membership

- Arden & GEM CSU Information Governance Manager or deputy
- CCG Information Governance Leads
- CCG Governance Officers

Any other manager or lead may be invited to attend the Working Group, particularly when discussing specific areas of Information Governance which relate to the Toolkit that are the responsibility of that manager or lead.

Deputising Arrangements

All members may nominate a representative to attend in their absence.

Quorum Arrangements

Two CCG Information Governance leads, plus one member of the Arden & GEM CSU Information Governance team need to be present in order for the Group to be quorate:

Chair of Group: Arden & GEM CSU Information Governance Manager
Deputy Chair: CCG IG Lead

In the event of neither of these members being available a temporary Chair will be elected from those members present.

8. Functions & Responsibilities

i. To support the formulation, implementation and monitoring of compliance of the Information Governance Strategy and Framework for the CCG.
ii. To work proactively to ensure that the CCG meets all NHS and legal requirements relating to information governance. This includes compliance with the NHS Information Governance Toolkit standards and submission of organisational assessments.
iii. To support the development, implementation and monitoring of the annual CCG Information Governance Improvement plan.
iv. Arden & GEM IG Team to liaise with Information Governance related groups at local and national levels as appropriate.
v. To support solutions and implementation programmes (including training and awareness raising) to ensure that the CCG complies with developing information governance requirements.
vi. To support the implementation of tailored staff awareness and training programmes for information governance meeting national requirements.
vii. To monitor and review the CCG Risk Registers, ensuring risks are appropriately forwarded to the CCG Corporate Risk Register.
viii. Monitor and review the business continuity arrangements in place relating to information technology
ix. Monitor and review Arden & GEM IT Service compliance around the Department of Health Cyber Security compliance, via the IG Toolkit/

9. Reporting arrangements

The group is accountable to the CCG Information Governance Committee. The minutes of the meeting and regular reports are submitted to the CCG Information Governance Committee meetings.

10. Frequency of meetings

The CCG Information Governance Working Group will meet at least quarterly with additional meetings as required to meet its responsibilities.

Appendix 3 Training Needs Analysis

| Job Role | Introduction to IG (Year 1) | IG-Refresher Module (Years 2 & 3) (Complete either Introduction to IG or Refresher as required) | The Caldicott Guardian in the NHS & Social Care | NHS Information Risk Management for SIROs & IAOs | NHS Information Risk Management - Introductory (Year 1) | NHS Information Risk Management Foundation (Year 2) | Password Management | Information Security Guidelines | Patient Confidentiality |
|---|---|---|---|---|---|---|---|---|---|
| IG Lead (CCG) | Mandatory | Mandatory | Recommended | Recommended | Recommended | Recommended | Optional | Recommended | Optional |
| Caldicott Guardian | Mandatory | Mandatory | Mandatory | Recommended | Optional | Optional | Optional | Optional | Recommended |
| SIRO | Mandatory | Mandatory | Recommended | Mandatory | Mandatory | Mandatory | Optional | Recommended | Optional |
| IAO & IAA | Mandatory | Mandatory | Optional | Mandatory | Mandatory | Mandatory | Optional | Optional | Optional |
| Records Manager | Mandatory | Mandatory | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Admin/Clerical/Other | Mandatory | Mandatory | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Admin/clerical/Other with access to personal information | Mandatory | Mandatory | Optional | Optional | Optional | Optional | Optional | Optional | Recommended |

| Job Role | Access to Health Records | Records Management and the NHS Code of Practice | Records Management in the NHS | Secure Transfers of Personal Data | Business Continuity Management | Access to Information & Information Sharing in the NHS | Secure Handling of Confidential Information | Information Security Management |
|---|---|---|---|---|---|---|---|---|
| IG Lead (CCG) | Optional | Optional | Optional | Recommended | Recommended | Recommended | Optional | Optional |
| Caldicott Guardian | Optional | Optional | Optional | Recommended | Optional | Recommended | Recommended | Optional |
| SIRO | Optional | Optional | Optional | Recommended | Optional | Optional | Optional | Mandatory |
| IAO & IAA | Optional | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Records Manager | Mandatory | Recommended | Optional | Optional | Optional | Optional | Optional | Optional |
| Admin/clerical/other | Optional | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Admin/clerical/Other with access to personal information | Optional | Optional | Optional | Recommended | Optional | Optional | Optional | Optional |

Appendix 4 Information Governance Related Policies, Procedures & Guidance

| Name of Policy | Policy Approval Date | Approving Body/Individual |
|---|---|---|
| Corporate Information Security Policy | | |
| Confidentiality & Data Protection Policy | | |
| Data Protection Policy | | |
| Data Quality Policy | | |
| Policy | | |
| Freedom of Information (FOI) Policy | | |
| Incident Reporting Policy | | |
| Information Governance Management Framework (IGMF) | | |
| Information Governance Policy | | |
| Information Lifecycle Policy (including information quality) | | |
| Information Risk Policy | | |
| Information Security Policy | | |
| IT Acceptable Use Policy | | |
| Network Security Policy | | |
| Records Management Policy | | |

| Name of Procedure | Procedure Approval Date | Approving Body/Individual |
|---|---|---|
| Confidentiality Audit Process | | |
| Electronic Remote Working Guidance (see IG Briefing Pack/Handbook | | |
| Incident Reporting Procedure | | |
| Mobile Working Procedure | | |
| Privacy Impact Assessment (PIA) Procedure | | |
| Safe Haven Procedure | | |
| Subject Access Request (SAR) Procedure | | |

| Local Guidance | Approval Date | Approving Body/Individual |
|---|---|---|
| Fair Processing Notice | | |
| Privacy Notice | | |
| Staff Code of Conduct | | |

Dissemination Process

All the above policies and procedural documentation will be disseminated to staff by the CCG via the staff intranet.

Appendix 5

Clinical Commissioning Group Version 1 ( ) Requirements List

Req No / Description

Information Governance Management

- There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda
- There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans
- Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations
- Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation
- Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained

Confidentiality and Data Protection Assurance

- The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation's assessed needs
- Staff are provided with clear guidance on keeping personal information secure, on respecting the confidentiality of service users, and on the duty to share information for care purposes
- Confidential personal information is only shared and used in a lawful manner and objections to the disclosure or use of this information are appropriately respected
- There are appropriate procedures for recognising and responding to individuals' requests for access to their personal data
- Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request
- All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
- All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements
- Individuals are informed about the proposed uses of their personal information

Information Security Assurance

- The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation's assessed needs
- A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed
- There are established business processes and procedures that satisfy the organisation's obligations as a Registration Authority
- Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use
- Operating and application information systems (under the organisation's control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems
- An effectively supported Senior Information Risk Owner takes ownership of the organisation's information risk policy and information risk management strategy
- Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place
- Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
- Policy and procedures ensure that mobile computing and teleworking are secure
- There are documented incident management and reporting procedures
- All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
- All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures
- The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate

Clinical Information Assurance

- The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience
- There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements

IG02 Information Governance Policy
Information Governance Policy version 2.1


NHS North Derbyshire Clinical Commissioning Group

Document History

Information Governance Policy

Document Reference: IG02
Document Purpose: An Information Governance Policy is a statement of the organisation's approach and intentions to fulfilling statutory and organisational responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and the organisation's aims and objectives
Date Approved:
Approving Committee: Information Governance Product Group
Version Number: 2.1
Status: Draft
Next Revision Due: July 2016
Developed by: Information Governance, Arden & GEM Greater East Midlands Commissioning Support Unit (AGEM CSU)
Policy Sponsor: Head of Information Governance Services
Target Audience: The procedure applies to all permanent, temporary staff and secondees of the CCG.
Associated Documents: All Information Governance Policies and the Information Governance Toolkit

Revision History

Version / Revision date / Summary of Changes
1 July 2013 Amended in line with Caldicott Review and CCG Information Governance Toolkit version
July 2014 Review for CCG comments and in line with version 12 of the IG Toolkit
1.2 August Review at IG Product Group and approval as FINAL
Sept 2014 Reviewed at IGC
2.1 July 2016 Draft for review

Policy Distribution and Implementation

Reference Number: IG02
Title: Information Governance Policy
Available from: NDCCG Intranet

Contents

1. Introduction
2. Policy Statement
3. Scope
4. Organisational Responsibility under the Policy
5. Governance
6. Information Governance Strategy
7. Roles and Responsibility
8. Use of Information
9. Openness
10. Legal Compliance
11. Information Security
12. Information Quality Assurance
13. Equality and Diversity
14. Due Regard
15. Monitoring Compliance and Effectiveness, Auditing and Reviewing
16. Review and revision of the Policy
17. Training
18. References

1 Introduction

1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.

1.2 It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability provide a robust governance framework for information management.

1.3 The Information Governance (IG) framework for health and social care is formed by those elements of law and policy from which applicable information governance standards are derived, and the activities and roles which individually and collectively ensure that the set standards are clearly defined and met.

2 Policy Statement

2.1 An Information Governance Policy is a statement of an organisation's approach and intentions to fulfilling its statutory and organisational responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and the organisation's aims and objectives.

2.2 This document sets out the high level principles across North Derbyshire Clinical Commissioning Group (CCG) for confidentiality, integrity and availability of information (information governance) to promote and build a level of consistency across the community on these principles. Information Governance is defined as: the structures, policies and practice of the DH, the NHS and its suppliers to ensure the confidentiality and security of all records, and especially patient records and to enable the ethical use of them for the benefit of individual patients and the public good. (Information Governance in the Department of Health and the NHS, 2006)

2.3 Failure by any employee of the CCG to adhere to corporate policy and its associated procedures and guidelines will be viewed as a serious matter and may result in disciplinary action in line with the CCG HR disciplinary policy.

3 Scope

3.1 It is the responsibility of the CCG Executives, Heads of Service and Senior Managers to ensure that the Information Governance Policy is brought to the attention of all staff and that staff have appropriate training on information security and confidentiality on induction and annually thereafter.

3.2 The Information Governance Policy is supported by a range of corporate policies covering the key areas of Information Governance:

- Confidentiality and Data Protection
- Information security and risk
- Information lifecycle management including records management and information quality

- Corporate governance including requirements under the Freedom of Information Act

The Information Governance Management Framework details the arrangements for compliance with the legal and national regulatory framework.

3.3 This policy covers all aspects of processing activities that relate to (but are not limited to):

- Patient/client/service user information
- Staff and personnel information
- Organisational, business and operational information
- Research, audit and reporting information

3.4 This policy covers all aspects of handling the way the organisation holds, obtains, records, uses and shares information.

3.5 This policy covers all information systems, purchased, developed or managed by or on behalf of the CCG and any individual directly employed or otherwise by the CCG.

4 Organisational responsibility under the Policy

4.1 The CCG fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal confidential information about patients and staff and business sensitive information.

4.2 The CCG also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

4.3 The CCG will sustain a robust Information Governance Framework by:

- Demonstrating compliance with the key IG standards through achievement of at least level 2 performance in the requirement within the NHS IG Toolkit and ensuring plans are in place to progress beyond this minimum where it has been achieved;
- Mandating all staff to complete basic IG training annually appropriate to their role through the online NHS IG Training Tool or other method approved by the Department of Health;
- Continuing to report on the management of the information risks in statements of internal controls and to include details of data loss and confidentiality breach incidents in annual reports.

4.4 The CCG aims to ensure organisations contracted to deliver services also achieve a compliant information governance standard (IG Toolkit compliance). This includes commissioned services delivering both clinical and non-clinical services.

5 Governance

5.1 Whilst the CCG recognises its accountability for information governance, the CCG's strategy is to use the services of the Arden & Greater East Midlands Commissioning Support Unit (AGEM CSU) to deliver specialised information governance advice and expertise.

5.2 Service providers (AGEM CSU) will be responsible for delivering a robust IG support service which provides a full range of expert advice, guidance, training and support in data protection and confidentiality, information risk management, security, data quality, information management.

5.3 Provider performance will be monitored through contracts and service level agreements as outlined in the agreed management arrangements.

5.4 Reporting from AGEM CSU will be in accordance with Service Specification.

6 Information Governance Strategy/Improvement Plan

6.1 The CCG has an associated Information Governance Management Framework (IGMF) which details the way that the CCG will deliver against the national and legal information governance requirements. This document provides a summary/overview and sets out an overarching framework for the strategic Information Governance agenda at the CCG and is supported by an Information Governance improvement plan, which is monitored by the Information Governance Working Group or equivalent.

7 Roles and Responsibilities

Overall accountability across the organisation lies with the Accountable Officer who has overall responsibility for establishing and maintaining an effective information governance assurance framework for meeting all statutory requirements and adhering to guidance issued in respect of procedural documents.

All staff must adhere to CCG policies and procedures relating to the processing of personal information.

All staff members are responsible for maintaining compliance with the Data Protection Principles and for reporting non-compliance through the CCG incident reporting process.

7.1 Senior Information Risk Owner (SIRO)

The SIRO will:

- take overall ownership of the organisation's information risk policy;
- act as champion for information risk on the Board and provide written advice to the Accounting Officer on the content of the organisation's statement of internal control in regard to information risk;
- understand how the strategic business goals of the CCG may be impacted by information risks, and how those risks may be managed;
- implement and lead the NHS information governance risk assessment and management processes within the CCG;
- advise the Board on the effectiveness of information risk management across the CCG;
- receive training as necessary to ensure they remain effective in their role as SIRO.

The SIRO will be supported in this role by the IG team in AGEM CSU.

7.2 Caldicott Guardian

The Caldicott Guardian acts as the conscience of an organisation, actively supporting work to facilitate and enable information sharing, advising on options for lawful and ethical processing of information as required. The Guardian will:

- ensure that the CCG satisfies the highest practical standards for handling patient identifiable information;
- facilitate and enable information sharing and advise on options for lawful and ethical processing of information;
- represent and champion information governance requirements and issues at Board level;
- ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff; and
- oversee all arrangements, protocols and procedures where confidential patient information may be shared with external bodies both within, and outside the CCG.
- undertake necessary training as set out in the CCG's Training needs analysis.

The Caldicott Guardian will be supported in this role by the IG Team in AGEM CSU.

7.3 Information Asset Owners

Information Asset Owners (IAOs) will:

- lead and foster a culture that values, protects and uses information for the benefit of patients;
- know what information comprises or is associated with the asset, and understand the nature and justification of information flows to and from the asset;
- know who has access to the asset, whether system or information, and why, and ensure access is monitored and compliant with policy; and
- understand and address risks to the asset, and provide assurance to the SIRO.
- undertake necessary training as set out in the CCG's Training needs analysis.

Information Asset Administrators, or equivalents, will be appointed. These are operational staff with a day to day responsibility for managing risks to their information asset.

7.4 Line Managers

Line managers will take responsibility for ensuring that the information governance policy is implemented within their group or directorate.

7.5 Staff

It is the responsibility of each employee to:

- adhere to the policy.
- complete annual information governance training.
- report any information incidents through the incident recording mechanism.

All staff must make sure that the organisation's information systems are used and operated appropriately and as set out in the standard operating procedures of the organisation.

8 Use of Information

The CCG recognises that as a Clinical Commissioning Group it does not have legal rights to personal confidential data for commissioning purposes and will use anonymised, pseudonymised and aggregated data for that purpose.

8.1 The CCGs will:

- proactively use information within the organisation and with partner agencies, both for the care of service users and for service management as determined by law, statute and best practice;
- put in place effective arrangements to ensure the confidentiality, security and quality of personal confidential information and other sensitive information;
- ensure information within the organisation is of the highest quality in terms of completeness, accuracy, relevance, accessibility and timeliness.

9 Openness

9.1 Non-confidential information on the CCG and its services should be available to the public through a variety of media, in line with the CCG's code of openness.

9.2 All members of staff working within the CCG are bound by the Common Law Duty of Confidentiality, in addition to their contract of employment, code of professional practice or other applicable ethical standards and as such, can be held personally liable for any breaches of confidentiality. If service user confidentiality is breached, this may lead to disciplinary action, a personal fine, and/or employees can be held personally responsible for a civil action.

9.3 The CCG will establish and maintain policies to ensure compliance with the Freedom of Information Act (2000). A Publication Scheme will be maintained in line with the Information Commissioner's Office (ICO) model Publication Scheme and this is available for all service users on each CCG Internet site. This will be maintained and updated frequently in line with the guidance.

9.4 Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients. This information will inform patients of the use of their information, which agencies their information will be shared with and the circumstances where explicit consent will be sought.

9.5 The CCG will, where there is a defined purpose (or set of purposes) that is beneficial and justifiable, sign up to information sharing protocols with partner organisations, provided these protocols are set out within the boundaries of applicable legislation and regulation and do not compromise the organisation or the confidentiality of the personal/sensitive data that it holds.

10 Legal Compliance

10.1 The CCGs regard all personal confidential information relating to staff and service users as confidential except where national policy on accountability and openness requires otherwise.

The CCGs will establish and maintain policies to ensure compliance with the Data Protection Act 1998, Human Rights Act and the Common Law Duty of Confidentiality.

The CCGs will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).

11 Information Security

11.1 The CCG will promote effective confidentiality and security practice to its staff through policies, procedures and training. Contractual arrangements with third parties and suppliers will include agreement on the classification of confidentiality, and how this will be applied. This will ensure the CCGs maintain the security of organisational information processing facilities and information assets.

11.2 CCG staff will be trained in the use of systems and procedures, to ensure the quality and appropriate handling of information, in order to minimise risks to the organisation from poor information governance.

Guidance from the Department of Health (DH) states specifically that no patient/person information should be held on any mobile devices unless the device is encrypted to the approved standard. This includes data held on USB memory sticks, CD-ROM, DVD, and mobile phones.

Safe Haven Procedures will be implemented for the secure transfer of any person identifiable information.

12 Information Quality Assurance

12.1 The CCG will establish and maintain policies and procedures for information quality assurance and the effective management of records and will promote information quality and effective records management through policies, procedures, user manuals and training.

Managers are expected to take ownership of, and seek to improve, the quality of information within their services.

13 Equality and Diversity

13.1 The CCG aims to design and implement policy documents that meet the diverse needs of the services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all.

This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act.

In carrying out its functions, the CCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all the activities for which the organisation is responsible, including policy development, review and implementation.

14 Due Regard

14.1 This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations.

15 Monitoring compliance and effectiveness, auditing arrangements

15.1 Compliance with the Information Governance Assurance Framework will be assessed by the annual completion of the Information Governance Toolkit. Formal reports will be provided to the Governance Committee (or delegated authority) throughout the year. The toolkit will be signed off by the CCG SIRO prior to submission.

The CCG will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. As part of the training and awareness programme, employees and third party contractors will also be made aware of definitions of incidents/weaknesses and the process for dealing with them.

16 Review and revision arrangements

16.1 This policy will be reviewed as per the review date on the policy front sheet; however it will be reviewed particularly where it is affected by major internal or external changes such as:

- Legislation
- Practice change or change in system/technology
- Changing methodology

17 Training Requirements

17.1 Users will be trained in the use of systems and procedures to ensure the quality and appropriate handling of confidential information, in order to minimise risks to the organisation from poor information governance.

All staff will receive mandatory induction training covering all aspects of Information Governance and annual refresher updates using the NHS Health and Social Care Information Centre e-learning tool where applicable. Awareness raising of the key information governance principles will be implemented through regular team briefings, team meetings and awareness raising sessions.

A staff Code of Conduct for Information Security and Confidentiality will be updated annually and be available to all staff via the Intranet and in hard copy where applicable. This gives staff the key points regarding confidentiality and information security and best practice guidance.

Staff with key roles (e.g. SIRO/Caldicott Guardian/Information Asset Owner) will undertake annual training relevant to their role.

18 References

- Handbook to the NHS Constitution.
- NHS Information Governance: Guidance on Legal and Professional Obligations
- Confidentiality: NHS Code of Practice
- The Information Governance Toolkit.
- NHS Care Record Guarantee
- Information Security Management: NHS Code of Practice
- Records Management Code of Practice (produced under S46 of the Freedom of Information Act 2000)
- Caldicott Guardian Manual
- Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents (Gateway reference 13177)
- NHS Information Risk Management
- The Caldicott Review: Information Governance in the Health and Social Care System

LEGISLATION & GUIDELINES

Data Protection Act 1998

Data must be:

1 Fairly and lawfully processed
2 Used only for specified and lawful purposes
3 Adequate, relevant and not excessive
4 Kept accurately and up to date
5 Not kept for longer than necessary
6 Processed in accordance with the rights of the data subject, including rights of access
7 Kept securely and protected against accidental disclosure, loss or damage
8 Not transferred to countries without adequate data protection legislation

Common Law Duty of Confidence

Information given or received in confidence, obtained for one purpose, must not be disclosed or used for another purpose without the consent of the provider of the information

Article 8 HUMAN RIGHTS ACT 1998

Everyone has the right to respect for his private and family life, home and correspondence. It is unlawful for a public authority to act in a way that is incompatible with a Convention right.

FOR FURTHER ADVICE OR INFORMATION CONTACT:

Information Governance Lead: Suzanne Pickering
Caldicott Guardian: Jayne Stringfellow
Senior Information Risk Owner (SIRO): Mark Smith

USEFUL WEBSITES

department-of-health

Staff IG Code of Conduct

The NHS Care Record Guarantee
The NHS Care Record Guarantee sets out the rules that govern how patient information is used in the NHS and the control the patient can have over this. It looks at an individual's rights of access to their own information, how information will be shared and how decisions on sharing information will be made. Everyone who works for the NHS must comply with this guidance.

NHS Constitution for England
Gives citizens rights in how their information is used.

A Guide to Confidentiality in Health & Social Care
Includes 5 rules on confidentiality that staff must adhere to.

North Derbyshire CCG, Nightingale Close, Off Newbold Road, Chesterfield S40 7PF

Acknowledgement: Adapted with kind permission from Lisa Welbourne, Derbyshire Healthcare NHS Foundation Trust

Version 2.4 Draft July 2016 Review July 2017

Information Security and Confidentiality of Personal Confidential Information

INTRODUCTION

All employees of the CCG are responsible for maintaining confidentiality of staff and patients, and this duty of confidentiality is written into employment contracts.

Under normal circumstances staff do not have access to personal confidential data; however, where that is required as part of their role, and where there is a legal basis for handling the data, staff should ensure the basic principles of Data Protection and Caldicott are upheld.

Accessing data that is not needed to carry out work, or passing data to someone who is not authorised to receive it, is a breach of confidentiality which could result in disciplinary action. Serious breaches of the Data Protection Act 1998 may result in monetary penalties from the Information Commissioner's Office (ICO).

The Caldicott Principles

The Information Governance Review March 2013 built on the previous Caldicott Report to look at the balance between safeguarding patients' sensitive information and encouraging responsible information sharing. It resulted in a few amendments to the principles and the addition of a further principle:

1. Justify the purpose for using personal confidential data
2. Do not use personal confidential data unless it is absolutely necessary
3. Use the minimum necessary personal confidential data
4. Access to personal confidential data should be on a strict need-to-know basis
5. Everyone with access to personal confidential data must be aware of their responsibilities
6. Every use of personal confidential data must be lawful
7. The duty to share information can be as important as the duty to protect patient confidentiality.

The term personal confidential data refers to any information held about an individual who can be identified from that information. For example, name, address, postcode, NHS number, etc. Any personal confidential data, non-clinical or clinical, must be treated as confidential.

BASIC PRINCIPLES

Any personal confidential data given for one purpose must not be used for another purpose without the consent of the individual concerned.

An individual's right to confidentiality is protected by ethics and law.

Individuals using CCG services or employed by the CCG have a legal right to know what data is being collected and why, as well as the purposes for sharing that data.

An individual has the right to choose whether or not to disclose their personal data and can change their decision at any point. In some circumstances they have a right to choose how their personal data may be used or who is allowed to see it.

Every member of staff has an obligation to protect confidentiality and a duty to verify the authorisation of another individual requesting data. This ensures data is only passed on to those who have a legal right to see it.

All staff should understand their responsibility to protect the confidential data they collect and follow the rules and guidance available to them. The rules are there to protect both the service user and staff from breaches of confidentiality. However, rules should not be applied so rigidly that they are impractical to follow or detrimental to the health and social care of the individual concerned.

CONSENT

To be valid, consent must be given voluntarily and freely. A patient must be fully informed and know what the proposed use or disclosures of their personal data will be.

Explicit consent must always be sought from a patient in order to use their personal data in ways that do not directly contribute to their healthcare.

It may be lawful in certain circumstances to share personal data without consent (such as investigating serious crime, safeguarding children, or justified in the public interest). For further advice see the CCG policies and procedures.

All reasonable care should be taken to protect the physical security of confidential data from accidental loss, damage or destruction and from unauthorised or accidental disclosure.

INFORMATION SECURITY

Do not use someone else's password to gain access to information held on computers.

No person identifiable data should be held on any mobile devices (e.g. laptops, PDAs, memory sticks) unless it is encrypted to the approved standard. (Contact IT for encryption to be installed on devices containing person identifiable information.)

Faxing is not secure. Confidential data should be faxed only when there is no alternative and immediate receipt is necessary for clinical purposes. Safe Haven * procedures should be followed.

Envelopes containing confidential data must be securely sealed, labelled confidential and clearly addressed to a known contact.

Telephone validation procedures must be followed to confirm the identity of callers before information is given to them.

Staff must always ensure that CCG policy is followed when sending person identifiable data by both inside and outside of the network.

Follow the CCG's policies and procedures relating to Data Protection, confidentiality, information security and seek advice when in doubt.

If you are unsure whether to disclose information, consult your line manager and/or if necessary obtain advice from your organisation's Caldicott Guardian, SIRO or Information Governance Lead.

* A Safe Haven is an agreed set of administrative and physical security procedures for minimising the risk of breach of confidentiality when sending information via fax.

IG05 Records Management Policy

Paper F - IG05 -CCG Records Management Policy

Clinical Commissioning Groups (CCG) Records Management Policy

Document History

Document Reference: IG05
Document Purpose: This policy sets out the practice that NHS Clinical Commissioning Group expect from all staff, including those working on behalf of the CCG, when creating, holding, using, retaining and disposing of records in all forms.
Date Approved:
Approving Committee: Information Governance Committee
Version Number: 2.2
Status: Draft
Next Revision Due: August 2018
Developed by: Information Governance Services, Arden & Greater East Midlands Commissioning Support Unit (AGEM CSU)
Policy Sponsor: Head of Information Governance Services
Target Audience: This policy applies to any person directly employed, contracted, working on behalf of the CCG or volunteering with the CCG
Associated Documents: All Information Governance Policies and the Information Governance Toolkit

Revision History

Version | Revision date | Summary of Changes
1.1 | July 2013 | Amended references to patient/client information to personal confidential information throughout. Added section on access to information through the DPA (section 8.5). Added Equality and Diversity Statement (13). Added References (15). Updated appendices with organisational changes.
1.2 | May 2014 | Reviewed in line with IG Toolkit requirements and NHS England Policy. Procedural text removed and referred to the Information Lifecycle Policy.
2.0 | August 2014 | Reviewed at IG Product Group and approved as a template for CCGs.
2.1 | June 2016 | Annual review

Policy Dissemination information

Reference Number: IG05
Title: Records Management Policy
Available from: CCG Intranet/ Copies disseminated to staff

Contents

1. Introduction
2. Scope
3. Responsibility for NHS Records
4. Legal Obligations and Standards
5. Requests for Information
6. Incident Reporting
7. Training
8. Equality and Diversity
9. Due Regard
10. Review and Monitoring
References
Appendix list of retention periods (to be added)

1 Introduction

1.1 This policy applies to North Derbyshire Clinical Commissioning Group (CCG).

1.2 Effective records management requires that an organisation is able to identify and retrieve information when and where it is needed. The CCG must have records management procedures in place that cover the creation, filing, location, retrieval, appraisal, archive and destruction of records in accordance with the Records Management: NHS Code of Practice, and other relevant guidance and legislation.

1.3 The CCG's records are their corporate memory, providing evidence of actions and decisions and representing a vital asset to support its daily functions and operations. They support policy formation and managerial decision-making, protect the interests of the CCG and the rights of patients, staff and members of the public who have dealings with the CCG. They support consistency, continuity, efficiency and productivity and help to deliver services in consistent and equitable ways.

1.5 Effective records management ensures that information is properly managed and is available whenever and wherever there is a justified need for information, and in whatever media:
To support the rights of service users, staff and members of the public
To support policy making and managerial decision making, as part of the knowledge base for NHS services
To meet legal requirements and assist in audit
To ensure any decisions made can be justified or reconsidered at a later date
To help commission services in consistent and equitable ways

1.6 All NHS records are public records under the terms of the Public Records Act 1958 sections 3 (1) (2). The Secretary of State for Health and all NHS organisations have a duty under the Public Records Act to make arrangements for the safe keeping and eventual disposal of all types of their records. This is carried out under the overall guidance and supervision of the Keeper of Public Records, who is answerable to Parliament.

2 Scope

2.1 This policy sets out the practice that the CCG expects from all staff that are directly employed by the CCG and for whom the CCG has legal responsibility. This policy is also applicable to staff on work experience, working under an honorary contract and those authorised to undertake work on behalf of the CCG.

2.2 This policy applies to all records of the CCG held in any format (for example paper, electronic, audio visual). These include, but are not limited to, records relating to the administration of the CCG, personnel, finance, estates, complaints, legal, commissioning, continuing healthcare funding. Health records of patients/service users used for the direct delivery of care are outside the scope of this policy.

2.3 The policy should be read in conjunction with the following CCG documents:
Confidentiality and Data Protection Policy
Information Security Policy
Safe Haven Procedures
Information Lifecycle Policy
Freedom of Information and Environmental Information Regulations Policy
Subject Access Procedure

3 Responsibility for NHS Records

3.1 It needs to be clearly understood by all employees and those authorised to work on behalf of the CCG that, under the Public Records Act 1958, they have a degree of responsibility for any record they create or use and may be subject to both legal and professional obligations.

3.2 The Chief Officers and senior managers of all NHS organisations are personally accountable for records management within their organisation.

The Caldicott Guardian is responsible for approving and ensuring that national and local guidelines and protocols on the handling and management of personal confidential information are in place.

3.4 The Information Governance Lead at Arden & Greater East Midlands Commissioning Support Unit (AGEM CSU) is responsible for advising the CCG on compliance with the Data Protection Act and acts as a resource for staff and Governing Body Members.

3.5 Freedom of Information requests and requests for information are processed by AGEM CSU staff in accordance with the current Service Level Agreement, and in line with the requirements of the Freedom of Information Act.

All Heads of Service and line managers are responsible for ensuring that the records management policy is implemented in their individual departments and that members of staff comply with the guidance in the policy.

3.7 All CCG staff and Governing Body Members are responsible for ensuring that they keep appropriate records of their work for the CCG and manage those records in accordance with this and other related CCG policies, maintaining the security of the records they create or use.

3.8 It is vital that everyone understands their record management responsibilities as set out in this policy. Managers will ensure that staff responsible for managing records are appropriately trained or experienced and that all members of staff understand the need for appropriate records management. New starters will be offered records management and confidentiality and security training as part of their mandatory induction programme.

1 NHS Code of Practice: Records Management Parts 1 & 2, 2009

4 Legal Obligations and Standards

4.1 The key legislation and guidance supporting the Records Management policy are:
DH: Records Management NHS Code of Practice 2009
Data Protection Act 1998
The Access to Health Records Act 1990
Freedom of Information Act 2000
Public Records Acts 1958
The Caldicott Review 2012
The Common Law Duty of Confidentiality

5 Requests for information

5.1 Records may be requested under the Freedom of Information Act (2000). If such a request is received, the enquiry should be forwarded to the CCG Freedom of Information team at Arden & GEM CSU who will deal with it appropriately. There are strict legal timeframes for processing these requests in order to be compliant with the Freedom of Information Act.

5.2 Under the Data Protection Act, an individual can ask to see information held about them, either computerised or manual records; this applies to staff and patient information. If a request is received for copies of information, this should be forwarded to the CCG Information Governance Lead for processing in accordance with the organisation's Subject Access Procedure.

6 Incident Reporting

6.1 All staff have an obligation to report an incident when personal confidential information for which they are responsible is missing or stolen. They must complete an incident reporting form and inform their line manager so that an initial investigation can be started.

6.2 Stolen records must be reported following the Incident Reporting Policy and Procedure and the Policy on reporting Untoward Incidents.

7 Training

7.1 The CCG must ensure that all staff undertake appropriate records management training on information governance issues soon after joining the CCG and that existing staff receive periodic update training.

7.2 Staff who have responsibility for records management should undertake records management training on an annual basis. Modules are provided by the NHS Digital (formerly HSCIC) e-learning tool.

8 Equality and Diversity

8.1 The CCG aims to design and implement policy documents that meet the diverse needs of the services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all.

8.2 This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act.

8.3 In carrying out its functions, the CCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all the activities for which the organisation is responsible, including policy development, review and implementation.

9 Due Regard

9.1 This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations.

10 Review and Monitoring

10.1 All managers are responsible for regular monitoring of the quality of records and documentation and managers should periodically undertake quality control checks to ensure that the standards as detailed in this policy are maintained.

This policy will be reviewed every two years unless new legislation, codes of practice or national standards are introduced.

11 References

Data Protection Act 1998 available from
Freedom of Information available from
Record Management available from
NHS For the Record available from en/publicationsandstatistics/publications/publicationspolicyandguidance/dh_

END OF DOCUMENT

IG06 Information Asset Register Procedure


More information

Privacy Impact Assessment Policy and Procedure

Privacy Impact Assessment Policy and Procedure Privacy Impact Assessment Policy and Procedure This document outlines the Trust s approach and methodology for conducting Privacy Impact Assessments in line with the Information Risk Policy Key Words:

More information

This Policy supersedes the following Policy, which must now be destroyed:

This Policy supersedes the following Policy, which must now be destroyed: Document Title Reference Number Lead Officer Author(s) (name and designation) Ratified by Forensic Readiness Policy NTW(O)56 Lisa Quinn, Executive Director of Commissioning and Quality Assurance Angela

More information

RISK MANAGEMENT STRATEGY

RISK MANAGEMENT STRATEGY Agenda Item No: 15 RISK MANAGEMENT STRATEGY PURPOSE: The Risk Management Strategy has been updated to reflect the revised approach to the Corporate Risk Register and Board Assurance Framework and to reflect

More information

NHS SOUTH DEVON AND TORBAY CLINICAL COMMISSIONING GROUP INFORMATION LIFECYCLE MANAGEMENT POLICY

NHS SOUTH DEVON AND TORBAY CLINICAL COMMISSIONING GROUP INFORMATION LIFECYCLE MANAGEMENT POLICY NHS SOUTH DEVON AND TORBAY CLINICAL COMMISSIONING GROUP INFORMATION LIFECYCLE MANAGEMENT POLICY Version Control Version: 2.0 dated 17 July 2015 DATE VERSION CONTROL 04/06/2013 1.0 First draft of new policy

More information

Information Governance Policy

Information Governance Policy Author Darren Rigg Head of Information Governance Corporate Lead Bryan Machin Executive Director of Finance and Resources Document Version 1 Date ratified by Quality Committee 24 th October 2014 Date issued

More information

NHS BARNSLEY CCG DATA QUALITY POLICY SEPTEMBER 2016

NHS BARNSLEY CCG DATA QUALITY POLICY SEPTEMBER 2016 Putting Barnsley People First NHS BARNSLEY CCG DATA QUALITY POLICY SEPTEMBER 2016 Version: 1.0 Approved By: Governing Body Date Approved: 8 September 2016 Name of originator / author: Name of responsible

More information

Records Management Plan

Records Management Plan Records Management Plan October 2014 1 2 Document control Title The Scottish Funding Council Records Management Plan Prepared by Information Management and Security Officer Approved internally by Martin

More information

RISK MANAGEMENT COMMITTEE TERMS OF REFERENCE

RISK MANAGEMENT COMMITTEE TERMS OF REFERENCE RISK MANAGEMENT COMMITTEE TERMS OF REFERENCE Terms of Reference Agreed by the Committee Signed by the Chair on Behalf of the Committee Print Signature Date 16 th December 2011 Review Date December 2012

More information

Corporate Governance Guidelines

Corporate Governance Guidelines Corporate Governance Guidelines The Board of Directors (the Board ) of (the Corporation ) has adopted these governance guidelines. The guidelines, in conjunction with the Corporation s articles of incorporation,

More information

Terms of Reference for the Audit and Risk Committee (the Committee )

Terms of Reference for the Audit and Risk Committee (the Committee ) Terms of Reference for the Audit and Risk Committee (the Committee ) Amended and approved by the Board on 12 April 2016 Table of Contents 1. Background... 1 2. The Committee s Duties... 1 3. Composition...

More information

Policy:E7. Escalation Policy N/A. Appended below at Appendix B. Version: E7/01

Policy:E7. Escalation Policy N/A. Appended below at Appendix B. Version: E7/01 Policy:E7 Escalation Policy Version: E7/01 Ratified by: Trust Management Team Date ratified: 11 th September 2013 Title of Author: Board Secretary & Head of Governance Title of responsible Director Medical

More information

GOVERNANCE STRATEGY October 2013

GOVERNANCE STRATEGY October 2013 GOVERNANCE STRATEGY October 2013 1. Introduction 1.1. The Central Manchester University Hospitals NHS Foundation Trust believes that the role of the governing body is pivotal to the success of the Trust.

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy DOCUMENT CONTROL: Version: 1 Ratified by: Risk Management Sub Group Date ratified: 19 December 2012 Name of originator/author: Information Governance Manager Name of responsible

More information

Executive Board Terms of Reference. 1. Purpose 1.1

Executive Board Terms of Reference. 1. Purpose 1.1 Executive Board Terms of Reference 1. Purpose 1.1 1.2 Executive Board assists the Chief Executive and Accounting Officer in the performance of his duties. It is responsible for developing and implementing

More information

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2017/18

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2017/18 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2017/18 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Quality, Safety & Risk

More information

Ibstock plc. (the Company) Audit Committee - Terms of Reference

Ibstock plc. (the Company) Audit Committee - Terms of Reference Ibstock plc (the Company) Audit Committee - Terms of Reference 1. PURPOSE 1.1 The role of the Audit Committee (the Committee) is to: monitor the integrity of the financial statements and related announcements

More information

Information Assets: Security and Risk Management Policy. Choice, Responsiveness, Integration & Shared Care

Information Assets: Security and Risk Management Policy. Choice, Responsiveness, Integration & Shared Care s: Security and Risk Management Policy Choice, Responsiveness, Integration & Shared Care Worcestershire Mental Health Partnership NHS Trust Reader Box Document Type: Document Purpose: Unique identifier:

More information

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST STRENGTHENING GOVERNANCE ARRANGEMENTS. Report to the Trust Board 24 May 2016

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST STRENGTHENING GOVERNANCE ARRANGEMENTS. Report to the Trust Board 24 May 2016 R SOMERSET PARTNERSHIP NHS FOUNDATION TRUST STRENGTHENING GOVERNANCE ARRANGEMENTS Report to the Trust Board 24 May 2016 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations:

More information

Information Governance Strategic Management Framework (Including Policy and Strategy)

Information Governance Strategic Management Framework (Including Policy and Strategy) Information Governance Strategic Management Framework (Including Policy and Strategy) This document sets out the framework that brings together all the requirements, standards and best practice that apply

More information

THE IPSWICH HOSPITAL NHS TRUST. Divisional Board. TERMS OF REFERENCE Version 1.0

THE IPSWICH HOSPITAL NHS TRUST. Divisional Board. TERMS OF REFERENCE Version 1.0 THE IPSWICH HOSPITAL NHS TRUST Divisional Board TERMS OF REFERENCE Version 1.0 Purpose: For use by: This document is compliant with /supports compliance with: This document supersedes: Approved by: To

More information

WESDOME GOLD MINES LTD. MANDATE OF THE BOARD OF DIRECTORS

WESDOME GOLD MINES LTD. MANDATE OF THE BOARD OF DIRECTORS PURPOSE WESDOME GOLD MINES LTD. MANDATE OF THE BOARD OF DIRECTORS The fundamental responsibility of the Board of Directors (the Board ) of (the Company ) is to provide stewardship and governance over the

More information

Audit, Risk and Compliance Committee Terms of Reference. Atlas Mara Limited. (The "COMPANY") Amendments approved by the Board on 22 March 2016

Audit, Risk and Compliance Committee Terms of Reference. Atlas Mara Limited. (The COMPANY) Amendments approved by the Board on 22 March 2016 Audit, Risk and Compliance Committee Terms of Reference Atlas Mara Limited (The "COMPANY") Amendments approved by the Board on 22 March 2016 1. OVERVIEW 1.1 The primary objective of the committee is to

More information

Data Protection Policy

Data Protection Policy Data Protection Policy StCH Data Protection Policy - POL 53 vs1 - July 2016 1 Document Control Table Document Title: Data Protection Policy Document Ref: POL 53 Author (name and job title): Karen Anderson,

More information

SPIRE HEALTHCARE GROUP PLC (THE COMPANY) AUDIT AND RISK COMMITTEE - TERMS OF REFERENCE

SPIRE HEALTHCARE GROUP PLC (THE COMPANY) AUDIT AND RISK COMMITTEE - TERMS OF REFERENCE SPIRE HEALTHCARE GROUP PLC (THE COMPANY) AUDIT AND RISK COMMITTEE - TERMS OF REFERENCE adopted by the Board on 3 July 2014 and amended on 15 December 2016 1. BACKGROUND 1.1 The board of directors of the

More information

THE BIDVest GROUP LIMITED

THE BIDVest GROUP LIMITED THE BIDVest GROUP LIMITED BIDVest Board Charter INTRODUCTION The board of Directors of The Bidvest Group Limited (Reg no: 1946/021180/06) ( the Company ) acknowledges the need for a board charter as recommended

More information

FAMILY ASSURANCE FRIENDLY SOCIETY LIMITED THE AUDIT SUB-COMMITTEE TERMS OF REFERENCE. (as adopted by the Society s Board of Directors on 15/11/2018)

FAMILY ASSURANCE FRIENDLY SOCIETY LIMITED THE AUDIT SUB-COMMITTEE TERMS OF REFERENCE. (as adopted by the Society s Board of Directors on 15/11/2018) FAMILY ASSURANCE FRIENDLY SOCIETY LIMITED THE AUDIT SUB-COMMITTEE TERMS OF REFERENCE (as adopted by the Society s Board of Directors on 15/11/2018) 1 Membership 1.1 Membership of the Audit Sub-Committee

More information

CYBG PLC. Board Governance & Nomination Committee. Charter

CYBG PLC. Board Governance & Nomination Committee. Charter Charter Committee Role The CYBG Board (Board) Governance & Nomination Committee (Committee) is the Board level Governance & Nomination Committee (CYBG) and its subsidiaries including for the avoidance

More information

ELDORADO GOLD CORPORATION BOARD OF DIRECTORS TERMS OF REFERENCE

ELDORADO GOLD CORPORATION BOARD OF DIRECTORS TERMS OF REFERENCE ELDORADO GOLD CORPORATION BOARD OF DIRECTORS TERMS OF REFERENCE I. ROLES AND RESPONSIBILITIES The principal role of the Board of Directors ( Board ) is stewardship of Eldorado Gold Corporation (the Company

More information

Risk Management and Assurance Strategy

Risk Management and Assurance Strategy Risk Management and Assurance Strategy Version 5.0 Policy number ULHT-MD-GOV-RM-STRAT Document author(s) Head of 2021 Programme Contributor(s) Approved by Policy Approval Group Date approved Date Published

More information

ANGLIAN WATER SERVICES LIMITED (the Company ) 2014 CORPORATE GOVERNANCE CODE

ANGLIAN WATER SERVICES LIMITED (the Company ) 2014 CORPORATE GOVERNANCE CODE PART A: THE MAIN PRINCIPLES OF THE CODE A B C Transparency i. Reporting will meet the standards set out in the Disclosure and Transparency Rules insofar as those rules can sensibly be applied to an unlisted

More information

Audit Committee Charter

Audit Committee Charter Audit Committee Charter 1. Background The Audit Committee is a Committee of the Board of Directors ( Board ) of Syrah Resources Limited (ACN 125 242 284) ( Syrah or the Company ) that was established under

More information

CLINICAL & PROFESSIONAL SUPERVISION POLICY (replacing 033/Workforce)

CLINICAL & PROFESSIONAL SUPERVISION POLICY (replacing 033/Workforce) CLINICAL & PROFESSIONAL SUPERVISION POLICY (replacing 033/Workforce) POLICY NUMBER 051/Workforce POLICY VERSION 1 RATIFYING COMMITTEE HR Policy Review Group DATE RATIFIED December 2010 NEXT REVIEW DATE

More information

COATS GROUP PLC (the "Company") TERMS OF REFERENCE FOR THE AUDIT & RISK COMMITTEE Adopted by the Board on 28 July 2017

COATS GROUP PLC (the Company) TERMS OF REFERENCE FOR THE AUDIT & RISK COMMITTEE Adopted by the Board on 28 July 2017 1. CONSTITUTION COATS GROUP PLC (the "Company") TERMS OF REFERENCE FOR THE AUDIT & RISK COMMITTEE Adopted by the Board on 28 July 2017 1.1 The Committee has been established by resolution of the Board

More information

Metropolitan Police Service (MPS) Health and Safety Policy Version 4.1 Summary

Metropolitan Police Service (MPS) Health and Safety Policy Version 4.1 Summary Freedom of Information Act Publication Scheme Protective Marking Official Publication Scheme Y/N Yes Title Metropolitan Police Service (MPS) Health and Safety Policy Version 4.1 Summary MPS Health & Safety

More information

CORPORATE GOVERNANCE. as at 12 September Lycopodium Limited ABN: Level 5, 1 Adelaide Terrace, East Perth Western Australia 6004

CORPORATE GOVERNANCE. as at 12 September Lycopodium Limited ABN: Level 5, 1 Adelaide Terrace, East Perth Western Australia 6004 CORPORATE GOVERNANCE as at 12 September 2016 This document is the property of. It must not be copied or reproduced in any way or transmitted on to any third party without written authority from. ABN: 83

More information

Data Protection Act Policy Statement Status/Version: 0.1 Review Information Classification: Unclassified Effective:

Data Protection Act Policy Statement Status/Version: 0.1 Review Information Classification: Unclassified Effective: Data Protection Act Policy Statement Status/Version: 0.1 Review Information Classification: Unclassified Effective: 1 Policy Statement Objective 1.1 It is the policy of Penderels Trust to demonstrate compliance

More information

Business Continuity Management Policy

Business Continuity Management Policy Business Continuity Management Policy Version FINAL 1.0 Ratified by Dudley CCG Audit Committee Date ratified 17/03/16 Name of originator(s) / author(s) David Morris, Midlands and Lancashire CSU/ Sue Johnson,

More information

All the members shall be financially literate and at least one (1) member of the ARC:

All the members shall be financially literate and at least one (1) member of the ARC: JOBSTREET CORPORATION BERHAD 1. COMPOSITION The Audit and Risk Committee ( ARC ) shall be appointed by the Directors from among their number (pursuant to a resolution of the Board of Directors) and shall

More information

King III Chapter 2 Board Charter. September 2009

King III Chapter 2 Board Charter. September 2009 Chapter 2 Board Charter September 2009 The information contained in this Practice Note is of a general nature and is not intended to address the circumstances of any particular individual or entity. The

More information

RHI MAGNESITA N.V. (the Company )

RHI MAGNESITA N.V. (the Company ) RHI MAGNESITA N.V. (the Company ) Terms of Reference: Audit and Compliance Committee as adopted by the Board of the Company on 12 October 2017 References to the Committee shall mean the Audit and Compliance

More information

Aurora Energy Corporate Governance Disclosures

Aurora Energy Corporate Governance Disclosures Aurora Energy Corporate Governance Disclosures 2016-17 Aurora Energy is a proprietary limited company enabled under the Electricity Companies Act 1997 (Tas) and incorporated under the Corporations Act

More information

Board and Committee Charters. The Gruden Group Limited

Board and Committee Charters. The Gruden Group Limited Board and Committee Charters The Gruden Group Limited The Gruden Group Limited (Gruden) ABN 56 125 943 240 Approved by the Board on 26 May 2016 Board Charter In carrying out the responsibilities and powers

More information

INFORMATION GOVERNANCE TRAINING NEEDS ASSESSMENT

INFORMATION GOVERNANCE TRAINING NEEDS ASSESSMENT INFORMATION GOVERNANCE TRAINING NEEDS DOCUMENT CONTROL Reference Number IG11 Version 1.1 Status Final Sponsor(s) Head of Corporate Services Amendments April 2013 First version created February 2016 Routine

More information

Rolls-Royce s Board Governance

Rolls-Royce s Board Governance Rolls-Royce s Board Governance ADOPTED BY RESOLUTION OF THE BOARD OF ROLLS-ROYCE HOLDINGS PLC ON 16 JANUARY 2015 AND AMENDED BY RESOLUTIONS OF THE BOARD ON 10 DECEMBER 2015 AND 8 FEBRUARY 2017 Contents

More information

Records management policy. Document author Assured by Review cycle. Audit and Risk Committee. 1. Introduction Purpose or aim Scope...

Records management policy. Document author Assured by Review cycle. Audit and Risk Committee. 1. Introduction Purpose or aim Scope... Records management policy Board library reference Document author Assured by Review cycle P017 Head of Compliance Audit and Risk Committee 3 Years This document is version controlled. The master copy is

More information

Terms of Reference for Mind Committees

Terms of Reference for Mind Committees Terms of Reference for Mind Committees General notes relating to all committees 1. Committee Structure 1.1. The trustees at a Council of Management meeting in accordance with its Memorandum and Articles

More information

BOARD OF DIRECTORS TERMS OF REFERENCE OF SUB-COMMITTEES

BOARD OF DIRECTORS TERMS OF REFERENCE OF SUB-COMMITTEES BOARD OF DIRECTORS TERMS OF REFERENCE OF SUB-COMMITTEES January 2011 Page 1 of 19 AUDIT, RISK AND ASSURANCE COMMITTEE TERMS OF REFERENCE STRUCTURE AND RELATIONSHIPS 1. CONSTITUTION The Audit, Risk & Assurance

More information

Board of Directors Audit Committee

Board of Directors Audit Committee Board of Directors Audit Committee Terms of Reference (version 4) (as adopted 22 February 2007 and amended 18 September 2014, 19 November 2015 and January 2017) Reference to the Committee shall mean the

More information

ANGLOGOLD ASHANTI LIMITED Reg No: 1944/017354/06 BOARD CHARTER

ANGLOGOLD ASHANTI LIMITED Reg No: 1944/017354/06 BOARD CHARTER ANGLOGOLD ASHANTI LIMITED Reg No: 1944/017354/06 BOARD CHARTER APPROVED BY THE BOARD OF DIRECTORS ON 16 FEBRUARY 2018 1. INTRODUCTION The board of directors of AngloGold Ashanti Limited ( the Company )

More information