Privacy Impact Assessment Policy and Procedure

Transcription

1 Privacy Impact Assessment Policy and Procedure This document outlines the Trust s approach and methodology for conducting Privacy Impact Assessments in line with the Information Risk Policy Key Words: Privacy, Risk, Impact Assessment, Information, Asset, change, system Version: 1.2 Adopted by: Quality Assurance Committee Date Adopted 17 January 2017 Name of Author: Head of Information Governance Name of responsible Committee: Date issued for publication: Records and Information Governance Group January 2017 Review date: July 2018 Expiry date: January 2019 Target audience: All staff Type of Policy Clinical Which Relevant CQC Fundamental Standards? Non Clinical Good Governance

2 Contents Equality Statement 4 Due Regard 4 Definitions Purpose Summary Introduction Information Asset Management and PIA Process Duties of the organisation Trust Board Chief Executive Senior Information Risk Owner (SIRO) Information Governance Lead Information Asset Owners (IAO) Information Asset Administrators Information Security Manager All Trust Employees Management Process The Information Asset Management Process and PIA Privacy Impact Assessment Training Monitoring Compliance with this Procedure Links to Performance Indicators References and associated documentation 13 Page 2 of 21

3 APPENDICES Appendix Privacy Impact Assessment Procedure 15 1 Appendix Training Requirements 17 2 Appendix NHS Constitution 18 3 Appendix Stakeholder Consultation 19 4 Appendix 5 Due Regard Screening 20 Page 3 of 21

4 Version Control and Summary of Changes Version number Date March 2014 May June September 2016 November 2016 Comments (description change and amendments) First draft for consultation Final draft following consultation, for approval Final to Policy Group Draft for review consultation Draft for sign off by Policy Support Team For further information contact: Head of Information Governance Equality Statement Leicestershire Partnership NHS Trust (LPT) aims to design and implement policy documents that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account the provisions of the Equality Act 2010 and promotes equal opportunities for all. This document has been assessed to ensure that no one receives less favourable treatment on the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. In carrying out its functions, LPT must have due regard to the different needs of different protected equality groups in their area. This applies to all the activities for which LPT is responsible, including policy development and review. Due Regard LPT must have due regard to the aims of eliminating discrimination and promoting equality when policies are being developed. Information about due regard can be found on the Equality page on e-source and/or by contacting the LPT Equalities Team. Page 4 of 21

5 Definitions that apply to this Policy Due Regard Privacy Impact Assessment Projects / plans to develop Sensitive Data Having due regard for advancing equality involves: Removing or minimising disadvantages suffered by people due to their protected characteristics. Taking steps to meet the needs of people from protected groups where these are different from the needs of other people. Encouraging people from protected groups to participate in public life or in other activities where their participation is disproportionately low. A risk technique advocated by the Information Commission to enable organisations to address privacy concerns and ensure appropriate safeguards are addressed and built in as projects or plans to develop existing information assets. Privacy impact assessments are required when new projects occur (for example introduction of a new electronic patient record) or where plans are proposed to develop an existing information asset. These can be both paper and electronic. Under the Data Protection Act 1998 is data for example such as patient diagnosis, medical history, ethnicity, sex, religion Personal data Is data for example such as name, postcode, GP, next of kin, address, date of birth etc. Page 5 of 21

6 1.0 Purpose The aim of a Privacy impact Assessment is to ensure that systems and processes within the Trust are fit for purpose. Assurance as to confidentiality and data protection must be assessed and there must also be a comprehensive consideration of potential impacts on information quality and security at the design phase of any new process or procurement of a new information asset. There is a legal requirement under the European Union General Data Protection Regulation (due to come into force in May 2018) for Data Privacy Impact Assessments to be conducted where there is the possibility that the privacy rights of individuals may be impacted by the way that the organisation intends to process personal data. Some of the considerations that must be taken into account are whether a new (or modified) project /process or information asset will: Ensure the necessary consents have been obtained from those whose personal data is being used; Affect the quality of personal information already collected; Allow personal information to be checked for relevancy, accuracy and validity; Incorporate a procedure to ensure that personal information is disposed of through archiving or destruction when it is no longer required in line with Department of Health retention and destruction guidelines; Have an adequate level of security to ensure that personal information is protected from unlawful or unauthorised access and from accidental loss, destruction, breaches of confidentiality or damage; Enable data retrieval to support business continuity in the event of emergencies or disasters; Enable the timely location and retrieval of personal information to meet subject access requests; Alter the way in which the organisation records in or monitors and reports information from a key organisational system. 2.0 Summary Privacy Impact Assessment (PIA) is a process developed by the Information Commissioner s Office (ICO) that will assist the Trust to ensure that privacy concerns and safeguards are addressed and built in as a project or plan develops. Privacy Impact Assessments are covered by the Privacy By Design guidance and is covered by a Code of Practice published by the ICO in June The scope of this document is to outline the Trust s approach and methodology for Privacy Impact Assessments This Policy covers all staff employed by the Trust, private contractors, volunteers and temporary staff. The term Trust includes all Cumbria Partnership NHS Foundation Trust services. Page 6 of 21

7 NB: This policy will equally apply to any organisations where under a Service Level agreement the Trust provides Information Governance support and services. 3.0 Introduction The Government s Data Handling Review report contains a number of recommendations that are mandatory to the wider public sector. Part of the solution to reducing risk lies in on-going culture change to ensure that Information Risk Management is high on the agenda and the process of Privacy Impact Assessment (PIA) is advocated as a means of achieving this. This PIA guidance is effectively applicable to any members of staff who are responsible for project managing a new project or plan to modify any existing system (information asset). Projects that involve personal information or intrusive technologies give rise to privacy issues and concerns. Privacy embraces confidentiality and patient consent and as an overarching principle this policy advocates that respect for patient privacy and dignity should be considered at the outset of any project, which embraces confidentiality and patient consent. To enable an organisation to address the privacy concerns and risks a technique referred to a Privacy Impact Assessment (PIA), as advocated by the Information Commissioner, must be used. The ICO in their Privacy Impact Assessment Handbook version 2.0 outlines two (2) types of PIA: Full-scale PIA Conducts a more in-depth internal assessment of privacy risks and liabilities. Analyses privacy risks, consults widely with stakeholders on privacy concerns and brings forward solutions to accept, mitigate or avoid them. Small-scale PIA Similar to a full-scale PIA, but is less formalised. Requires less exhaustive information gathering and analysis. More likely to be used when focusing on specific aspects of a project Within this Policy you will see that the PIA process is ultimately the same for both PIA types, the level of detail and consideration required is different based on the initial assessments made and can be discussed with the project team and stakeholders. Privacy Impact Assessment guidance is provided for staff members by the Information Governance department, as part of the Information Asset Management Training. The IG team is responsible for ensuring support and guidance is given when staff members are required to fill out the Privacy Impact Assessment. Page 7 of 21

8 4.0 Information Asset Management Process and PIA Inform appropriate leads (Head of Department/Information Governance/IM&T Lead) or complete New Information System Proforma BEFORE PROCUREMENT BEGINS Communication is essential to ensure compliance with the Checklist and process IG Lead will commence the Information Assessment Management Approval process Completion of the New Information System form as the initial IG Security checks PIA Screening will be required once research into the new system/proposed change is underway. Risk Assessments will be undertaken as part of the process and any risks highlighted to the SIRO Procurement process begins informed by the PIA/IG process An action plan ensuring that PIAs are embedded with the lifecycle of the information asset will be produced by the Information Governance Team IG Lead will progress the Information Asset Management Approval documents in line with the Project/Development IG will ensure all the Approval documentation is signed off through the 'Virtual PIA Review Group', and a process of audit and review is put in place In following this process and ensuring that IG are notified and involved at the beginning of the process, we can provide assurance that the Trusts' information is being handled in a secure and responsible way Page 8 of 21

9 Consideration (1): New system/process to use personal and/or sensitive personal information? Consideration (2): Will the proposed change to system/process, significantly change the way in which personal/sensitive personal information is handled? Action (1): If the answer to consideration (1) or (2) is Yes, a PIA is required Action (2): The Head of IG will then ensure that the PIA is approved via the Virtual PIA Review Group and embedded within the lifecycle of the Information Asset 5.0 Duties within the Organisation The adherence to the PIA Policy and Procedures is essential for assuring aspects of the Information Governance agenda, this is maintained and supported by 5.1 Trust Board In his communications with NHS Trusts Chief Executives, the NHS Chief Executive has made it clear that ultimate responsibility for IG in the NHS rests with the Board of each organisation. 5.2 Chief Executive The Trust s Accountable Officer is the Chief Executive who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risk is handled in a similar manner to other risks such as financial, legal and reputational risks. Reference to the management of information risks and associated information governance practice is now required in the Statement of Internal Control which the Accounting Officer is required to sign annually. 5.3 SIRO (Senior Information Risk Owner) The SIRO is the Chief Nurse/Deputy Chief Executive. The role: Is accountable; Fosters a culture for protecting and using data; Provides a focal point for managing information risk and incidents Is concerned with the management of all information assets. Page 9 of 21

10 The SIRO is an executive Board member with allocated lead responsibility for the Trust s information risks and provides a focus for the management of information risk at Board level. 5.4 Information Governance Lead The Information Governance (IG) Lead is the Head of Information Governance. They are responsible for ensuring the organisation meets is statutory and corporate responsibilities. The Information Governance Lead is accountable for ensuring effective management, accountability, compliance and assurance for all aspects of IG. 5.5 Information Asset Owners (IAO) Divisional Directors The SIRO is supported by IAO s who are involved in running the relevant business. Their role is to understand what information is held, what is added, and what is removed, how information is moved, who has access and why. As a result they are able to understand and address risks to information assets they own and to provide assurance to the SIRO on the security and use of the assets. 5.6 Information Asset Administrators (IAA) LHIS Application Support Team and identified Divisional Leads IAA s work with an information asset on a day to day basis. They have day to day responsibility, ensure that policies and procedures are followed by staff and recognise actual or potential security incidents, and consult the IAO on incident management. 5.7 Information Security The LHIS Information Security Manager is responsible for the provision and management of a high quality, customer focussed, Information Technology Security Advisory Service using expertise to manage security issues, identifying best practice and making recommendations for local implementation. 5.8 All Trust Employees All Trust employees and anyone else working for the organisation (eg. Agency staff, honorary contracts, management consultants etc) who use and has access to Trust information and/or IT Systems must understand their personal responsibilities for information governance and compliance with UK Law. All staff must comply with Trust policies and are responsible for Information Security and the correct use of Information Asset. Page 10 of 21

11 6.0 MANAGEMENT PROCESS 6.1 The Information Asset Management Process and the PIA Privacy Impact Assessments need to be completed at an early stage of the project BEFORE the new proposed system is procured or BEFORE the planned change has taken place as part of the Information Asset Management Process. The diagram at section 4.0 aims to illustrate important stages and/or information for consideration when looking at procuring new systems or changing those already used by the Trust and how the PIA falls into the Asset Management Approval Process and fits in with the Checklist that is used within IG. The aim is to ensure that all elements of a project that may impact upon the ability of the Trust to protect its data are being considered. See diagram at section 4.0 above. As detailed in the diagram, communication between departments and individuals is crucial. The Head of Information Governance must be notified when a new /or a change to an existing process/system/project in order to ensure the correct procedure is followed and can provide the necessary level of support. The Head of Information Governance will ensure that the correct procedures are followed and the process is fully compliant with legislative and IGT requirements for Information Asset Management. 6.2 Privacy Impact Assessment NB: The PIA is only applicable where the proposed new project/system/process or proposed change to a system/process/project is to use personal / sensitive data or significantly change the way in which personal data is handled (See below). The PIA is trying to ensure that all aspects of Privacy are considered in order to give assurance that the security of Trust data can either be improved or maintained. The appointed Information Asset Owner is responsible for ensuring the PIA is completed and that the PIA is carried out with support and guidance from other individuals as relevant, i.e. Information Governance, Information Security, super users of the system. As a result of a completed Privacy Impact Assessment an action plan must be devised and written up for approval and subsequent auditing and monitoring by the relevant Project Team or Information Governance. A summary of the PIAs completed and approved will be incorporated into the Caldicott Report presented to the Clinical Effectiveness Group chaired by the Caldicott Guardian. This ensures that information risks are recorded, mitigation put in place with an annual review to ensure on-going compliance with confidentiality, data protection and security. Page 11 of 21

12 7.0 TRAINING There is a need for training identified within this policy. In accordance with the classification of training outlined in the Trust Human Resources & Organisational Development Strategy this training has been identified as role development training. Guidance on the nature of the PIA, Information Asset Owner and Administrator roles will be covered during Asset management Training provided by the Information Governance Team on request. Training sessions are held on an ad-hoc basis and will be communicated via the Trust enewsletter. 8.0 MONITORING COMPLIANCE WITH THIS DOCUMENT The table below outlines the Trusts monitoring arrangements for this policy/document. The Trust reserves the right to commission additional work or change the monitoring arrangements to meet organisational needs. Aspect of compliance or effectiveness being monitored Monitoring method Individual responsible for the monitoring Frequency of the monitoring activity Group / committee which will receive the findings / monitoring report Group / committee / individual responsible for ensuring that the actions are completed Annual risk assessment of information assets and introduction of PIAs following the introduction of new systems. Risk Assessment Head of Information Governance Annual IM&T Operations Group Chief Nurse/Deputy Chief Executive (SIRO) 9.0 Links to Standards/Performance Indicators 9.1 Standards/Key Performance Indicators need to include standards/kpts in order to match the effectiveness of policy. Page 12 of 21

13 TARGET/STANDARDS PIAs are completed at the commencement of a new system/service change Compliance for standard 201 and 307 within the Information Governance Toolkit KEY PERFORMANCE INDICATOR 90% completion rate demonstrated through a review of Approvals through the year Level 2 compliance met 10.0 References and Associated Documentation This policy was drafted with reference to the following: Key Guidance Title DH: Confidentiality NHS Code of Practice 2003 NHS CFH: Good Practice Guidelines - Application Security DH: Information Security NHS Code of Practice 2007 Data Handling Review Information Commissioner: Privacy Impact Assessment Handbook Details The Code is a guide to required practice for those who work within or under contract to NHS organisations concerning confidentiality and patients' consent to use their information. (NHS Network users only): This guide covers various general user applications and their security The Code is a guide to the methods and required standards of practice in the management of information security for those who work within or under contract to, or in business partnership with NHS organisations in England. It is based on current legal requirements, relevant standards and professional best practice and replaces HSG 1996/15 NHS Information Management and Technology Security Manual. The ICO commissioned a team of experts led by the University of Loughborough to undertake a study of the use of privacy impact assessments (PIA) around the world and then developed a PIA framework that could be used in the UK. This handbook is the centre piece of that work and is intended to be of practical use Page 13 of 21

14 for those wishing to conduct a PIA. DH: Records Management NHS Code of Practice 2006 DH: NHS IG - Information Risk Management - Good Practice Guide 2009 (PDF, 132 KB BS ISO/IEC :2005 Information Technology Service Management Code of Practice Data Protection Act 1998 NHS CFH: Good Practice Guidelines in Information Governance - Information Security Dilys Jones PIA templates The Code is a guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. It is based on current legal requirements and professional best practice. The guidance applies to all NHS records and contains details of the recommended minimum retention period for each record type. This guidance is aimed at those responsible for managing information risk within NHS organisations. It reflects Government guidelines and is consistent with the Cabinet Office report on Data Handling Procedures in Government. The Code offers assistance to service providers planning service improvements or to be audited against BS ISO/IEC :2005 and can be purchased from the BSI website. The Act that makes provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. (NHS Network users only): The Good Practice Guidelines (GPG) are a series of informational documents which provide best practice advice in technology specific areas of Information Security. Dilys Jones provide PIA templates that encompass all recommendations by the ICO these have been used and adapted for use by CPFT. Page 14 of 21

15 Appendix 1 PRIVACY IMPACT PROCEDURE NB: Only complete the PIA where the Project/System/Process is to use PERSONAL/SENSITIVE DATA or change the way in which PERSONAL and/or SENSITIVE data is handled. STEP 1: INITIAL ASSESSMENT Initial Assessment of the Project and possible scope of the PIA STEP 2: SCREENING QUESTIONS Give consideration to the screening questions amnd on completion, analysis need to be completed to make a decision whether it is the best u=interest of the project to carry out a Full Scale PIA or Small Scale PIA The more Privacy Implications that arise within STEP 2, imply the need for a Full Sclae PIA. If more specific issues arise it may be appropriate to conduct a Small Scale PIA focusinfg on a particular area STEP 3: CONSULTATION Full Scale PIA * Consideration needs to be given to all the issues/possible issues highlighted by STEPS 1&2 * All issues need to be consulted with appropriate parties/documented/evaluated Small Scale PIA * Consideration needs to be given to the main issues highlighted by STEPS 1 &2 if appropriate * Consultation where appropriate on specific issues with individuals/groups; this should be documented and evaluated STEP 4: PIA ACTION PLANS Full Scale PIA * Outcome of Consultations need to be included within an Action Plan to ensure it is documented how the PIA has informed the project and detail changes/amendments made based on the PIA Small Scale PIA * Outcome of Consultations need to be included within an Action Plan to ensure that it is documented how the PIA has informed the project and detail changes/amendments based upon the PIA EVALUATION AND REVIEW Full Scale PIA * Analyse the PIA and complete the Evaluation form * Audit of Action Plans in line with the Asset Management Approval process Small Scale PIA * Analyse the PIA and complete the Evaluation form * Audit of Action Plans in line with the Asset Management Approval process PIA Process and Considerations: Page 15 of 21

16 PIA Templatev3.xlsx PIA Template for use please contact the Head of Information Governance for a version of this template to complete Page 16 of 21

17 Training Requirements Appendix 2 Training Needs Analysis Training Required YES NO Training topic: Type of training: (see study leave policy) Division(s) to which the training is applicable: Staff groups who require the training: Regularity of Update requirement: Who is responsible for delivery of this training? Have resources been identified? Has a training plan been agreed? Privacy Impact Assessment Mandatory (must be on mandatory training register) Role specific Personal development Adult Mental Health & Learning Disability Services Community Health Services Enabling Services Families Young People Children Hosted Services Please specify Project Leads Business Managers On one occasion unless legislation changes Information Governance Team Ad-hoc dependent on numbers Will be discussed at the point of request Where will completion of this training be recorded? ULearn Other (please specify) How is this training going to be monitored? Quality of PIAs completed and signed off Page 17 of 21

18 The NHS Constitution Appendix 3 The NHS will provide a universal service for all based on clinical need, not ability to pay. The NHS will provide a comprehensive range of services Shape its services around the needs and preferences of individual patients, their families and their carers Respond to different needs of different sectors of the population Work continuously to improve quality services and to minimise errors Support and value its staff Work together with others to ensure a seamless service for patients Help keep people healthy and work to reduce health inequalities Respect the confidentiality of individual patients and provide open access to information about services, treatment and performance Page 18 of 21

19 Stakeholders and Consultation Appendix 4 Key individuals involved in developing the document Name Designation Vicky Hill LHIS Security Manager Mary Stait Information Governance Compliance Manager Circulated to the following individuals for comment Name Designation Records & Information Governance Group IM&T Operations Group Page 19 of 21

20 Due Regard Screening Appendix 5 Section 1 Name of activity/proposal Privacy Impact Assessment Date Screening commenced November 2016 Directorate / Service carrying out the Enabling/Information Governance assessment Name and role of person undertaking Sam Kirkland, Head of Information Governance this Due Regard (Equality Analysis) Give an overview of the aims, objectives and purpose of the proposal: AIMS: To ensure that any procurement of new or changes to systems, process, information handling, and exploitation of information technology protects the privacy rights of all individuals who will have contact with the Trust OBJECTIVES: To ensure that information processing remains safe, secure and information integrity maintained Section 2 Protected Characteristic Age Disability Gender reassignment Marriage & Civil Partnership Pregnancy & Maternity Race Religion and Belief Sex Sexual Orientation If the proposal/s have a positive or negative impact please give brief details Positive the principle of conducting a PIA is based on protecting the information rights of individuals Positive the principle of conducting a PIA is based on protecting the information rights of individuals Positive the principle of conducting a PIA is based on protecting the information rights of individuals Positive the principle of conducting a PIA is based on protecting the information rights of individuals Positive the principle of conducting a PIA is based on protecting the information rights of individuals Positive the principle of conducting a PIA is based on protecting the information rights of individuals Positive the principle of conducting a PIA is based on protecting the information rights of individuals Positive the principle of conducting a PIA is based on protecting the information rights of individuals Positive the principle of conducting a PIA is based on protecting the information rights of individuals Other equality groups? Section 3 Does this activity propose major changes in terms of scale or significance for LPT? For example, is there a clear indication that, although the proposal is minor it is likely to have a major affect for people from an equality group/s? Please tick appropriate box below. Yes High risk: Complete a full EIA starting click here to proceed to Part B Section 4 No Low risk: Go to Section 4. Page 20 of 21

21 If this proposal is low risk please give evidence or justification for how you reached this decision: The principle of conducting a PIA is based on protecting the information rights of all individuals Signed by reviewer/assessor Date 16/12/2016 Sign off that this proposal is low risk and does not require a full Equality Analysis Head of Service Signed Date 16/12/2016 Page 21 of 21