Information Governance Policy

Transcription

1 Information Governance Policy Date completed: February 2016 Responsible Director: Approved by/ date: Director of Compliance Review date: October 2017 Amended: Author: Ben Westmancott Information Governance Working Group (11 March 2016) The reading, understanding of and compliance with this policy is mandatory and a contractual obligation for all employees, interims and contractors. Failure to do so is a disciplinary offence and may lead to actions up to and including dismissal. Page 1 of 13

2 Information Governance Policy For more information on this document, please contact: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative 15 Marylebone Road, London NW1 5JD Version Control Version Date Issued Brief Summary of Changes Owners name 1.0 July 2013 Amended to reflect CWHHE procedures Ben Westmancott 2.0 August 2013 Circulated to local CCG IT Committee for Comment Ben Westmancott 3.0 October 2015 Review by Beryl Bevan Ben Westmancott 3.1 February 2016 CWHHE Governance amendments, pre-approval Ben Westmancott 3.2 March 2016 Chairs action Approved - Tony Willis Ben Westmancott Document Imprint Copyright Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups, 2016: All rights reserved Re-use of all or part of this document is governed by copyright and the Re-use of Public Sector Information Regulations SI2005 No 1515 Information on re-use can be obtained from: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative Page 2 of 13

3 Tel: , Page 3 of 13

4 Contents 1. Introduction Purpose Aim of the Policy Scope Clinical Commissioning Group s Information Governance Aims Legal and Regulatory Framework Responsibilities of the CCG Responsibilities of Users Information Governance Framework Key Elements of the Information Governance Framework Freedom of Information (FOI) Personal Information and Legal Compliance Information Security Information Quality Assurance Records Management Management of Information Governance Information Governance Arrangements... 9 Appendix A: Legal and Regulatory Framework Appendix B: Information Governance Work Areas Page 4 of 13

5 1. Introduction 1.1 This is a CWHHE Collaborative policy covering the Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups (the CCGs). 1.2 Information is a vital asset and resource, both in terms of the clinical management of individual patients and the efficient management of services and its support. It plays a key part in clinical governance, service planning and performance management. Moreover, we often deal with information of an extremely sensitive personal and commercial nature, which is placed in trust with us. Failure to live up to that trust has the potential to do real damage to individual s lives and damage fundamentally our reputation as a competent public body. 1.3 It is of paramount importance, therefore, that information is managed efficiently, effectively and appropriately and that proper appropriate accountabilities, standards, policies and procedures provide a robust governance framework for information management. 2. Purpose 2.1 To describe how we, the CWHHE Clinical Commissioning Groups, meet our responsibilities for the management of information assets and resources i.e. how we use, maintain and protect the information we employ to do our jobs. This high-level policy sets out our corporate information governance arrangements and their role in ensuring the best commissioning of healthcare for those we serve. 2.2 The CCG is committed to the legally-compliant management and use of information, taking account of the relevant Codes of Practice. As stated on the front page, it is a condition of employment that all CCG polices are adhered to; non-compliance may result in disciplinary action. 3. Aim of the Policy 3.1 The policy aims to provide a framework that ensures that the CCG complies with Information Governance requirements; adopts - as far as possible - best practice; and, overall, protects and maintains the public s trust and confidence to do so. To that end, this policy underpins the Information Governance Management Strategy. 4. Scope All information used by the CCG (includes staff/patient/service user; business and operational information; audit and reporting data); the information governance arrangements between the CCG and providers acting on the CCG s behalf; all information systems managed by the CCG, and providers acting on the CCG s behalf; any individual using information 'owned' by the CCG; and any individual requiring access to information 'owned' by the CCG. Page 5 of 13

6 4.1 This policy covers: all formats and modes of information processing and both paper and electronic information; and all information systems purchased, developed and managed by/or on behalf of the CCG and any individual directly employed or engaged by the organisation. 5. Clinical Commissioning Group s Information Governance Aims 5.1 The CCG s Information Governance Aims are to: hold information securely and confidentially; obtain information fairly and efficiently; record information accurately and reliably; use information effectively and ethically; and share information appropriately and lawfully. 6. Legal and Regulatory Framework 6.1 There are a number of legal obligations placed upon the CCG for the use and security of personally identifiable information. [Appendix A] 6.2 There are requirements to appropriately disclose information when required. There is an NHS regulatory and performance framework for the management of information. [Appendix A] 6.3 There are NHS Codes of Conduct for the use of information. There are operating procedures and codes of practice adopted by the NHS. [ 7. Responsibilities of the CCG 7.1 All information used in the NHS is subject to handling by individuals and it is necessary for these individuals to be clear about their responsibilities and for the CCG to ensure and support appropriate education and training. 7.2 The CCG must ensure legal requirements are met. 7.3 The CCG must make arrangements to meet the requirements of the Information Governance Toolkit (IGT). 7.4 To manage its obligations the CCG will issue and support standards, policies and procedures ensuring information is held, obtained, recorded, used and shared correctly. The CCG will promote and expect good information governance practice within member Practices. Each Practice has a responsibility to complete the Information Governance Toolkit for General Practice, as set out by the Health and Social Care Information Centre (formerly Connecting for Health): [ Page 6 of 13

7 8. Responsibilities of Users 8.1 Users of information must: be aware of their responsibilities; comply with policies and procedures issued by the CCG; and work within the principles outlined in the information governance framework for the CCG. 9. Information Governance Framework 9.1 The CCG recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The CCG fully supports the principles of corporate governance and recognises its public accountability duties. These have to be considered alongside the equal responsibilities of maintaining confidentiality (and the arrangements for ensuring such) and whether personal information about patients and staff, or commercially sensitive information, necessary for the operation of the CCG. 9.2 The CCG also recognises the need to share information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest. 9.3 The CCG will generally not collect or hold personal information in relation to patients or service users and will use pseudonymised or anonymised data as far as is practicable. 9.4 The CCG believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians, professionals and managers to ensure and promote the quality of information and to actively use information in decision-making processes. This is both within the CCG and the services that it commissions. 10. Key Elements of the Information Governance Framework 10.1 Freedom of Information (FOI) non-confidential information about the CCG and its services will be available to the public through a variety of media and the CCG will establish and maintain policies to ensure compliance with the Freedom of Information Act 2000; the CCG will undertake or commission regular assessments and audits of its Freedom of Information policies and arrangements; the CCG will have clear procedures and arrangements for handling queries from patients and the public; the CCG will have clear procedures and arrangements for liaison with the press and broadcasting media; and where aspects of the FOI arrangements are provided by a third party on behalf of the CCG, these will be set out clearly in the Freedom of Information Policy. Page 7 of 13

8 10.2 Personal Information and Legal Compliance The CCG: regards all identifiable personal information relating to individuals as confidential; will undertake or commission regular assessments and audits of its compliance with legal requirements; regards all identifiable personal information relating to individuals as confidential except where national policy on accountability and openness requires otherwise; will establish and maintain policies to ensure compliance with the Data Protection Act, Human Rights Act, the common law duty of confidentiality and NHS Code of Confidentiality ; will carry out Privacy Impact Assessment (PIA) for new projects, policies and systems; will establish and maintain policies for the controlled and appropriate sharing of personal information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act); and will ensure that there is a Caldicott Guardian appointed (for CWHHE CCGs, this is this is the Director of Quality and Patient Safety - a member of the Governing Body) Information Security The CCG will: establish and maintain standards and policies for the effective and secure management of its information assets and resources; undertake or commission regular assessments and audits of its information and IT security arrangements; undertake or commission risk assessments to determine appropriate security controls are in place for existing or potential information systems; promote effective confidentiality and security practice to its staff through policies, procedures and training; establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security; use ISO/IEC & as the basis of its Information Security management arrangements; acknowledge the requirements of Connecting for Health in Data and Process Mapping and ensure strong security and encryption for all Personal Identifiable Data (PID) transmitted by laptops and mobile storage devices; and ensure that there is a Senior Information Risk Owner (in CWHHE CCGs, this is the Chief Officer - a member of the Governing Body) Information Quality Assurance The CCG will establish and maintain policies and procedures for information quality assurance (the Data Quality Policy); the CCG will undertake or commission regular assessments and audits of its Page 8 of 13

9 information quality; managers will to take ownership of, and seek to improve, the quality of information within their services; wherever possible, information quality should be assured at the point of collection; data standards will be set through clear and consistent definition of data items, in accordance with national standards; and the CCG will promote information quality through policies, procedures, user manuals and training Records Management The CCG will establish and maintain policies and procedures for the effective management of all records; the CCG will undertake or commission regular assessments and audits of its records management; managers will ensure effective records management within their service areas; the CCG will promote records management through policies, procedures and training; and the CCG will use The Code of Practice for Records Management and the Code of Practice in Section 46 in the Freedom of Information Act 2000 as its standard for records management. 11. Management of Information Governance 11.1 The CCG Governing Body will be responsible for implementing the Information Governance Policy and Management Framework The Director of Compliance will monitor the policy function within the CCG and report regularly to the CCG Governing Body. Where some of the membership of the Committee, and some of the Information Governance functions, are provided by a third party arrangement, this will be clearly documented The Information Governance Working Group will implement the Information Governance Strategy and policy with other appropriate teams. 12. Information Governance Arrangements 12.1 The CCG will set out clearly the IG arrangements and responsibilities in relation to each organisation that is party to them and report regularly to the appropriate corporate forum The Senior Information Risk Owner will be responsible for ensuring that the Information Governance Toolkit is completed and submitted (the requirements are set out in the Information Governance Working Group Action Plan) The arrangements relating to the Information Governance Toolkit submissions will be subject to scrutiny by the Governing Body and/or its committees, as appropriate. The Page 9 of 13

10 results of the submission will be reported directly to the Governing Body at the earliest opportunity after each submission date. Page 10 of 13

11 Appendix A: Legal and Regulatory Framework a) Legal and Statutory Framework The CCG is bound by the provisions of a number of items of legislation affecting the stewardship and control of information. The main relevant legislation is: Data Protection Act 1998 (and subsequent Special Information Notices) Human Rights Act 1998 Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998) Criminal Justice and Immigration Act 2008 Computer Misuse Act 1990 Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992 Crime & Disorder Act 1998 Electronic Communications Act 2000 Environmental Information Regulations 2004 Freedom of Information Act 2000 Health and Social Care Act 2001 Regulation of Investigatory Powers Act 2000 (& Lawful Business Practice Regulations 2000) Public Interest Disclosure Act 1998 NHS Sexually transmitted disease regulations 2000 National Health Service Act 1977 Human Fertilisation & Embryology Act 1990 Abortion Regulations 1991 Prevention of Terrorism (Temporary Provisions) Act 1989 & Terrorism Act 2000 Regulations under Health & Safety at Work Act 1974 b) Regulatory Framework The regulatory elements are: The Information Governance Toolkit issued annually since 2003 which requires CCGs to assess their progress against set criteria. Caldicott - Report, audit & improvement on the use of Patient Identifiable Data 1997 and HSC 1999/012 ISO/IEC 27002:2005 ISO/IEC 27002: British Standard for Information Security Management, mandated for the NHS in 2001 Information Quality Assurance NHS Confidentiality Code of Practice NHS guidance on Consent to Treatment Information: To Share or Not to Share? The Information Governance Review Page 11 of 13

12 c) Wider NHS and national regulation elements Clinical Negligence Scheme for CCGs (CNST) - via NHS Litigation Authority Also related but not NHS specific - 'Clinical Professionals Regulatory Framework' In response to many of the above requirements the NHS has set out and mandated a number of elements of regulation that constitute the 'Information Governance Assurance Framework'. The detail of the Framework can be viewed in the briefing note: g.pdf Page 12 of 13

13 Appendix B: Information Governance Work Areas Information Governance is: "a framework for handling personal information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service" Information Governance currently encompasses the following initiatives or work areas: Caldicott and Confidentiality Data Protection Act 1998 Records Management Caldicott Function (Control 102, IGT) UK Caldicott Guardian Council developments 2005 Information Security (ISO/IEC27001, ISO/IEC27002, BS7799-3) Business Continuity (BS25999) Policies, procedures, standards, protocols and codes of practice Human Rights Act 1998 Freedom of Information Act Environmental Information Regulations Re-use of Public Sector Information The Health and Social Care Act 2001 (Section 60) ICT strategic developments (Connecting for Health programme) 2005 onwards Mental Capacity Act 2005 The Cayton Review of Information Governance 2006 The Caldicott Guardian Manual 2010 Equality Act 2006 Information Quality Assurance (Data Accreditation) Page 13 of 13