Date: INFORMATION GOVERNANCE POLICY

Transcription

1 Date: INFORMATION GOVERNANCE POLICY Information Governance Policy IGPOL/01 Information Systems Corporate Services Division March

2 Revision History Version Date Author(s) Comments /12/2012 Helen Kerr (Records Manager) /03/2012 Helen Kerr (Records Manager) /04/2012 Helen Kerr (Records Manager) /04/2012 Helen Kerr (Records Manager) /04/2012 Helen Kerr (Records Manager) Review date: Biennially Approval: Information Governance Group and SMT Draft by Records Manager Minor amendments following meeting of the Information Governance Group Minor amendments by Julia O Sullivan Minor amendments by Louise Frayne Final- published /07/2014 Helen Dodd Review of Policy /10/2014 IGG Minor amendments made by the Information Governance Group /12/2016 Adele Picken (Information Governance Manager) Review and structural amendments /12/2016 Alan McMahon Minor amendments (Head of IS) /12/2016 AP Further amendments following AM comments /02/2017 AP Minor Amendments Name Date Version Comments Information 10/02/ Approved by Governance Group SMT 14/03/ Approved by Information Governance Group 2

3 Relevant Policies, Templates & Forms The following policies, procedures, and guidance should be used or referred to when necessary alongside this policy. All policies and templates will be made available on the intranet once finalised and approved. Reference Document Name Status IGPOL/01 Information Governance Final- Published Policy IGPOL/02 Information Security Policy Final-Published IGPOL/03 Data Protection Policy Final- Published IGPOL/04 Information Sharing Policy Final- Published IGPOL/06 IGPOL/07 IGPOL/09 IGPRO/01 IGPRO/02 IMNOTE/01 IMNOTE/02 IMNOTE/03 Corporate Retention Schedule Corporate Classification Scheme Paper Records- Secure Handling and Transit Policy Security Incident Procedure Subject Access Request Procedure SAR guidance- what information to provide SAR guidance- what information to withhold Checklist when handling personal or sensitive data Final- Published Final- Published Final- Published Final- Published Final- Published Final- Published Final- Published Final- Published IMNOTE/04 Checklist- How to process a Subject Access Request Final- Published IMNOTE/05 Naming Convention Final- Published Guidance IMNOTE/06 Version Control Guidance Final- Published IMNOTE/07 Management Guidance Final-Published 3

4 AUP Acceptable Use Policy Final- Published 4

5 CONTENTS 1 INTRODUCTION PURPOSE OF THE POLICY SCOPE INFORMATION GOVERNANCE PRINCIPLES LEGISLATIVE FRAMEWORK RESPONSIBILITIES RESPONSIBILITIES OF MANAGERS RESPONSIBILITIES OF USERS RESPONSIBILITIES OF THE INFORMATION GOVERNANCE GROUP RESPONSIBILITIES OF THE INFORMATION GOVERNANCE MANAGER RESPONSIBILITIES OF THE SENIOR INFORMATION RISK OWNER RESPONSIBILITIES OF INFORMATION ASSET ADMINISTRATORS INFORMATION GOVERNANCE FRAMEWORK MAIN THEMES INFORMATION RISK MANAGEMENT BUSINESS CONTINUITY AND VITAL RECORDS MANAGEMENT ACCESS AND SECURITY ESCALATION

6 1 Introduction 1.1 This policy establishes RCPCH s Information Governance Framework Policy. 1.2 It provides a statement of RCPCH s intentions and approach to fulfilling its statutory and organisational responsibilities with regards to Information Governance. 2 Purpose of the policy 2.1 The purpose of this document is to provide a clear statement of the RCPCH s policy relating to the management of its information assets and the information governance framework within which the RCPCH will operate 2.2 Information Governance is defined as A holistic approach to managing information that seeks to minimise the risks to the organisation and maximise the opportunities in the use of information, whilst protecting the rights of the individual. It enables a strategic approach to managing information assets and resources throughout the information lifecycle by developing appropriate tools, standards and processes, whilst seeking to build organisational cultures that value information resources. 2.3 Information is a key asset which must be managed both strategically and operationally to leverage opportunity and manage risk. 2.4 At its heart it supports two outcomes critical to the success of any modern organisation: Efficiency and accountability: Efficiency so that those working in the organisation are able to easily locate the right information needed to deliver services and to make decisions. Accountability so that the organisation can justify and successfully demonstrate to stakeholders that it is fulfilling its legal, democratic and community obligations 2.5 The key aspects of Information Governance are data protection and confidentiality; information security; 6

7 information quality; information and records management 3 Scope 3.1 This Policy applies to all RCPCH staff, members and contractors who undertake any activity within the organisation in the course of RCPCH s service and business operations. 3.2 The policy sits within a framework of information management policies, procedures and guidance which are listed at Appendix A. 3.3 The policy applies to all information irrespective of the technology used to create and store it. It includes, therefore, paper and electronic records, but also line of business and information systems, for example the corporate CRM (Care) and the content of the intranet and internet sites. 4 Information Governance Principles 4.1 The RCPCH will adopt the Department of Health model as its principles for managing information. Information should be: Held securely and confidentially Obtained fairly and efficiently Recorded accurately and reliably Used effectively and ethically Shared appropriately and lawfully 7

8 4.2 The College aims to maintain and expand its Information Governance framework, supported by a foundation level of IG literacy within the College. This will primarily focus on five things: Developing practical record keeping solutions to ensure that all records assist in helping the College meet its objectives Maintain and continue to develop a training and guidance framework to support staff and make them aware of their responsibilities, as well as an understanding that there may be disciplinary action in the event of non-compliance Develop processes and monitoring tools to ensure our information is secure and risks are managed proactively Maintain and regularly review the policy framework to ensure it is still relevant. Thisdemonstrates the College s commitment to Information Management and establishes good practice Where appropriate, take advantage of technological developments to support effective records management 4.3 This should ultimately help foster an organisational culture that promotes good record keeping and information governance, and create an efficient, forward facing organisation that can manage risks proactively. 5 Legislative framework 5.1 Often legislation will either explicitly or implicitly establish requirements upon the RCPCH to manage information. At a minimum the College will be required to provide documentary evidence that legislative requirements are being adhered to. Other legislation is specifically concerned with how the organisation keeps its information and provides access to it: The Data Protection Act (DPA) 1998 (this will be the General Data Protection Regulation from May 2018) Copyright Designs and Patents Act 1988 Human Rights Act 1998 and the European Convention on human Rights Common law tort of breach of confidence Computer Misuse Act

9 Section 251 of the Health and Social Care Act The RCPCH will aim to comply with national standards relating to the management of information, including: The International Standards for Records Management BS ISO and BS ISO British Standard for Legal Admissibility and Evidential Weight of Information Stored Electronically BIP0008 (previously known as PD0008) Caldicott principles ISO and ISO The NHS Information Governance Toolkit Records Management Code of Practice for Health and Social Care (July 2016) The NHS Information Security Management Code of Practice Responsibilities 6.1 Information management is the responsibility of everyone at the RCPCH. All employees regardless of the seniority of their role make decisions that commit the organisation to some course of action or other. 6.2 In order to fulfil the organisations priorities, it is critical that there is an organisational culture which ensures that employees understand the need to make records of their actions and where the organisation itself manages those records in ways that recognise their importance as an asset to the RCPCH and the wider community. 6.3 Responsibilities of managers Directors across the college must ensure that their area is compliant with RCPCH Policies regarding the management of information and records Each Division will appoint Information Asset Owners to carry out the duties detailed in section 8 of this Policy, and nominate two representatives to attend the Information Governance Group Directors will ensure that managers and employees are fulfilling 9

10 their information management accountabilities and ensure that their staff are sufficiently aware of this policy and the associated guidance, protocols and agreements to carry out their role Each Division will ensure that they have sufficient resource to carry out their Information Management responsibilities and that their staff are made available for information management training 6.4 Responsibilities of Users All employees, including temporary staff, interns and contractors are responsible for ensuring that they comply with the RCPCH s Information Governance policies Employees must undertake mandated training to ensure understanding of information and records management responsibilities appropriate to their post Employees will appropriately create, classify, and retain authentic records appropriate to their post and dispose of records only when authorised by the appropriate Information Asset Owner or Information Governance Manager Employees will report any breach of the above policies, and any near misses to the Information Governance Manager or the Head of Information Systems. Any adverse trends will be analysed and reported to the Information Governance Group. 6.5 Responsibilities of the Information Governance Group The Information Governance Group will support the integration and embedding of Information Governance across the organisation and enable decisions to be made (and supported) from a corporate perspective The group will be responsible for overseeing overall information governance at the college; consideration of existing legislation and compliance, and consideration of Document and Records Management procedures The group is authorised to make recommendations to SMT in the first instance, who may then further refer to the Finance and Risk Committee. 6.6 Responsibilities of the Information Governance Manager 10

11 6.6.1 Develop and maintain Information Management policies, procedure and guidance as necessary Develop Information security policy and develop processes to mitigate risk Maintain and further develop the RCPCH information management architecture, including the Information Asset Register Ensuring systems developed by the RCPCH are compliant with information rights legislation and with the organisation s Information Management Policies Develop Record Keeping systems and processes to ensure that information is proactively exploited Develop the Corporate retention schedule, access models and vital records markings Co-ordinate all requests for information under the Data Protection Act, and where applicable the Freedom of Information Act Develop and ensure that information and records management training is delivered to all employees Manage and provide access to the historical records of the College 6.7 Responsibilities of the Senior Information Risk Owner To lead and foster a culture that values, protects and uses information proactively for the benefit of the organisation and its members To own the overall risk policy and risk assessment process, test its outcome, and ensure that it is used To cover information risk explicitly in the statement of internal control. 11

12 6.8 Responsibilities of Information Asset Administrators Know what information the asset holds, and what enters and why Know who has access and why, and ensures that their use is monitored 7 Information Governance Framework RCPCH has developed a framework for its Information Governance Policy. This is supported by a set of Infomration Governance Policies and related procedures and guidelines to cover all aspects of Information Governance (appendix A). 8 Main Themes Management of Information and Records Partnerships and Contracts Information Quality Assurance Information Risk Management Business Continuity and Vital Records Management Legal Compliance Access and Security Training and Awareness 12

13 8.1 Management of information and records Records Management is the process by which an organisation manages all the aspects of records whether internally or externally generated and in any format or media type, from their creation, all the way through their lifecycle to their eventual disposal The RCPCH records are its corporate memory, providing evidence of actions and decisions and representing a vital asset to support daily functions and operations. Records support policy formation and managerial decision-making, protect the interests of the organisation and its members. They support consistency, continuity, efficiency and productivity and help deliver services in consistent and equitable ways The RCPCH will develop systems and processes for the effective management of both electronic and paper records Classification The classification scheme includes details of records series kept in paper and electronic formats The Information Governance Manager alongside teams will further develop and regularly review the Retention and Disposal Schedule, and will apply retention periods to all information assets and systems The Information Governance Manager will appraise records for their historical worth, and maintain the RCPCH s Archive in perpetuity Information Assets An Information Asset is a set of records, data or information maintained in relation to a business process. This could be a set of paper case files or an electronic business system A complete list of Information Assets held across all business functions, including those outsourced by third parties, is maintained by the Information Governance Manager. This identifies a member of staff (an Information asset administrator) with responsibility for each asset A process of annual information audit will be established and the asset register updated accordingly. 13

14 The Information Asset Register will be a corporate resource and used to support information, system and service development; business continuity and disaster recovery arrangements A procedure will be developed to ensure the secure disposal of all information assets once they are no longer required by the organisation. 8.2 Partnerships and contracts Where the RCPCH enters into partnership, ranging from ongoing supplier relationships through to contracting out of major functions appropriate information governance arrangements must be in place In all cases consideration must be given to the attendant information management and record keeping issues at the time the contract is agreed. This includes identifying who owns the data, minimum security arrangements and escalation procedures in case of an information management security breach The organisations accountabilities in respect of information continue even when activity is carried out on its behalf by a third party. Therefore, all contractors must be made aware that they are data processors on behalf of the organisation The Information Governance Manager must be consulted prior to the undertaking of any contract where personal or sensitive information is held by a third party on behalf of the RCPCH All contracts where personal and sensitive information is processed, must comply with the requirements of the GDPR, including the provision of security guarantees. 8.3 Information Quality Assurance The RCPCH will establish and maintain standards and policies to help assure the quality of information that the organisation creates and maintains In order to ensure data quality, Managers are expected to take ownership of, and seek to improve, the quality of information within their services Wherever possible, information quality should be assured at 14

15 the point of collection The RCPCH is committed to holding one version of any record, document or information set and reducing duplication across its information systems. 8.4 Information Risk Management The RCPCH will ensure stronger accountability with the Senior Information Risk Owner (currently the Director of Corporate Services). Information Management Risks will be monitored by the Information Governance Manager and inform the service planning process. 15

16 8.4.2 The Information Security Policy defines the RCPCH s policy with regard to information, systems and communications security RCPCH will undertake a review of the information asset register and, as a result of this, assess where penetration testing is needed and the frequency required, incompliance with NHS IG toolkit 8.5 Business Continuity and Vital Records Management The RCPCH will develop systematic, monitored and tested business continuity planning in relation to its records and core business information which identifies and manages risks prior to any given disruption to business continuity and which assists the fastest possible recovery afterwards Business continuity plans need to address risks associated with both digital and paper based records. There are obvious differences in risks which must be treated differently Identifiers of vital and important records, will be developed in conjunction with classification schemes The business continuity plan should identify vital and or important records that should be retrieved if necessity and opportunity allow. The plan should include lists and indexes that indicate where these records are (including their physical location within an electronic environment). 8.6 Legal Compliance Data Protection and Confidentiality The RCPCH complies with the Data Protection Act As part of this the Information Commissioner has been notified of all personal data held by RCPCH Any member of staff breaching the RCPCH's Information Governance Policy will be subject to the established disciplinary procedure, and in cases of deliberate or reckless negligence may be subject to criminal sanctions The organisation will ensure that procedures are in place to ensure that the organisation can provide personal information to data subjects under section 7 of the Data Protection Act in 16

17 a timely and thorough manner Freedom of Information The Freedom of Information Act 2000 does not apply to the Royal College of Paediatrics and Child Health as we are not a public authority. However, there are some College projects where the funding body requires compliance because the project s functions are of a public nature and the funding body wishes to be as transparent as possible Where the Freedom of Information Act applies through externally funded projects, standard operating procedures will be developed per project (and in accordance with contractual terms) in order to ensure that the organisation can provide information when requested under the Freedom of Information Act in a timely and thorough manner 8.7 Access and Security The RCPCH will establish and maintain standards and policies for the effective and secure management (including access) of its information assets and resources The RCPCH records and information will be properly controlled through access rights provided to Members, Partners and staff Access rights and models will be developed with service areas and will be based on the security requirements of each information series. The College will provide external access to its non-confidential historical records through the Archives as requested. 8.8 Training and awareness Staff will be made aware of this policy upon publication and on a regular basis afterwards via the intranet New staff will be informed of this policy and undergo training as part of the induction process. Staff will also be required to undertake refresher training every 2 years. 9 Escalation Failure to comply with this Policy may lead to staff disciplinary action being considered in accordance with the College s Conduct and Disciplinary Policy. 17

18 Appendix A Corporate Plan Corporate Services Plan Information Governance Policy Information Security Policy Data Protection Policy Records Management Policy Information Sharing Policy Acceptable Use Policy Security Incident Procedure Paper Records Transfer Policy SAR Procedure Corporate Retention Schedule Corporate Classificatio n Scheme Procedures Guidance Small Numbers Policy SAR Guidance Procedures for off site storage Naming Conventions Key: Published Withholding information Providing Information Handling information checklist Procedures for Record Disposal Version Control guidance In draft 1