West Kent Clinical Commissioning Group

Transcription

1 West Kent Clinical Commissioning Group Information Governance Strategy Release: Final Approved Date: 27/10/2016 Author: Jamie Sheldrake Senior Associate - Information Governance Owner: SOUTH EAST CSU Client: West Kent Clinical Commissioning Group Version No: 08 NHS West Kent CCG Information Governance Strategy 2013/14 1

2 Document History Document Location This document is only valid on the day it was printed. The original document is held and maintained by the NHS Kent and Medway Information Governance Team in the Assistant Chief Executive Directorate. Revision History Date of this revision: 24/01/17 Date of Next revision: 24/01/18 Revision date Previous revision date Summary of Changes 14/10/15 Removal of archive repository as an overall strategy objective this is in line with NHS agenda for a paperless NHS by 2018 Changes marked Alteration of KMCS to following the merger of KMCS and South London CSU 27/10/15 14/10/16 Addition of information on the new General Data Protection Regulations which could be adopted in /01/17 24/01/18 Addition of paragraph on the General Data Protection Regulations and implications of Brexit vote Approvals This document requires the following approvals. Signed approval forms are filed in the Management section of the project files. Name Signature Title Date of Version Issue West Kent Clinical NA NA Sept 15 7 Commissioning Group Information Governance Steering Group West Kent CCG IGSG Jan 17 8 NHS West Kent CCG Information Governance Strategy 2015/16 2

3 Distribution This document has been distributed to: Name Title Date of Version Issue West Kent Clinical NA Sept 15 7 Commissioning Group Information Governance Steering Group West Kent CCG IGSG Dec 16 8 NHS West Kent CCG Information Governance Strategy 2015/16 3

4 Table of Contents Document History... 2 Table of Contents... 4 Introduction... 5 Scope... 7 External Audit... 7 Aim... 7 Ownership... 7 Compliance... 7 Implementation... 8 Appendix 1: Strategy Implementation... 9 IG Core Work-stream 1: Records Management... 9 Records Management... 9 Privacy Impact Assessments (PIA)... 9 Data Flow Mapping (DFM) Information Governance Toolkit Information Asset Management IG Core Work-stream 2: Statutory Assurance Freedom of Information Act Information Sharing Data Protection Act IG Core Work-stream 3: Information Security IG Serious Incident Management IG Training IG Communications IG Steering Group Primary Care Toolkit IG Risk NHS West Kent CCG Information Governance Strategy 2015/16 4

5 Introduction Information Governance is a core governance work stream for NHS organisations and an integral component of the Integrated Governance Framework. Providing patients and staff with the assurance that their personal and sensitive data is managed professionally and in accordance with legislation is fundamental to the efficient management of services and resources. Information Governance integrates with Clinical Governance with respect to the Caldicott Principles and information sharing and with Corporate Governance with respect to providing overarching assurance through the Information Governance Toolkit. The Information Governance (IG) Team within SOUTH EAST CSU authors, implements and manages this strategy for West Kent Clinical Commissioning Group. The Team structures IG services through three core work-streams, Statutory and Mandatory Assurance, Records Management and Information Security and provides expertise and experience to each. The SOUTH EAST CSU IG Team is committed to providing its customers with robust protocols, sound advice and high levels of compliance and helping to drive a culture of responsibility and accountability when processing personal data. Public and media awareness of data breaches and their consequences has never been higher. This is true for organisations of all types. Whether tackling text spammers, phone hacking or careless management the Information Commissioners Office (ICO) has proven itself relentless in exposing and fining organisations where data protection is not taken seriously. The NHS oversees management of one of the largest combined datasets of personal and sensitive data in the UK and this demands that organisations handling confidential staff and particularly patient data develop both practical and robust safeguards for that data. The awareness of what can be achieved by linking personal datasets from different services in terms of both efficiency and patient care has grown rapidly and Information Governance sits at the heart of these initiatives. Information Governance provides advice on sharing personal data appropriately, with patient awareness and consent and practical protocols and safeguards. Information Governance is an enabler to innovation and provides the tools and perspective for legitimate use of personal data. The new General Data Protection Regulations are due to be introduced next year which will take the place of the Data Protection Act The result of the 23 June 2016 referendum on membership of the EU now means that the Government needs to consider the impact on the GDPR. The SECSU IG team will monitoring the situation and following advice of the ICO. The year could see changes and some new ways of working. Through the use of tools such as Privacy Impact Assessment, Information Asset Control, Staff Training and Data Flow Mapping, Information Governance will work with West Kent CCG to provide clarity and reduction of risk. Risk cannot be eliminated entirely though and IG incidents occur in all organisations that manage personal data. The IG Team is experienced at incident investigation and resolution and provides professional relationship management with the ICO. NHS West Kent CCG Information Governance Strategy 2015/16 5

6 Through this strategy, compliance with statutory requirements and satisfactory achievement of the IG Toolkit, Information Governance provides assurance to the Governing Body that the organisation is effectively and securely managing personal information under its control. NHS West Kent CCG Information Governance Strategy 2015/16 6

7 Scope The scope of this strategy covers governance of Personal Confidential Data (PCD) and Corporate Records Management (CRM) including governance of records under the Freedom of Information Act. The Data Protection Act draws a distinction between Personal Data and Sensitive Data. Sensitive Data forms data about a person rather than just identifying them. The safeguards for both are the same with the key procedural distinction being that the processing of Sensitive Data requires more explicit consent. As Sensitive Data must by default also be accompanied by Personal Data, for ease of use, this document will refer to the management of both categories as Personal Data. External Audit All evidence supplied as part of the IG Toolkit (IGT) is available to selected external organisations who may wish to inspect CCG documentation as part of audit. These organisations include internal and external auditors, the Information Commissioner s Office (ICO), and may include other organisations such as the National Commissioning Board. Aim The aim of this strategy is to clarify and structure the operational Information Governance service offering to West Kent Clinical Commissioning Group along with realistic outcomes and timeframes where applicable. The strategy serves to evidence a planned work programme for the IG Toolkit, an assurance model to the West Kent Clinical Commissioning Group Governing Body and an ongoing assessment model for service delivery. Ownership This strategy is authored, maintained and implemented by the SOUTH EAST CSU Information Governance Team on behalf of its client West Kent Clinical Commissioning Group. The IG team will work closely with West Kent Clinical Commissioning Group as needed to drive attainment of the goals and in particular to evidence the IG Toolkit. IG is an organisation wide imperative and engagement with the aims and objectives of this strategy are required by the West Kent Clinical Commissioning Group Governing Body to ensure successful achievement and effective assurance. Compliance Compliance with IG standards will be monitored and audited on a routine basis and as necessary in response to incidents and concerns. Compliance is the means by NHS West Kent CCG Information Governance Strategy 2015/16 7

8 which the CCG can gain assurance that policies and procedures are fully implemented and working well. Audit and compliance are routine features of achieving a satisfactory score in the IG Toolkit. Compliance with IG progress and standards will be reported to the West Kent CCG Information Governance Lead, the Chief Finance Officer. Where implementation or progress does not meet the high standards required then this will be considered for escalation and inclusion on the statement of internal control. Information Governance Serious Incidents will be notified to the West Kent Clinical Commissioning Group SIRO and Caldicott Guardian and SOUTH EAST CSU Caldicott Guardian and SIRO. Implementation Appendix 1 identifies the goals for each of the key IG themes outlined in the introduction through to March 2014, the end of the financial year and the deadline for submitting the annual IG Toolkit assessment. NHS West Kent CCG Information Governance Strategy 2015/16 8

9 Appendix 1: Strategy Implementation IG Core Work-stream 1: Records Management Records Management Secure processing of records with third parties. Appropriate handling of confidential records. Promote culture of best practice Records Management. Clear understanding of Data Controller / Data Processor relationships and responsibilities. Privacy Impact Assessments (PIA) Contracts with all third party organisations that involve processing of personal data are in place and contain appropriate clauses around Data Controller / Data Processor relationships and responsibilities. Out of hours premises audits for confidential data left on desks, on printers / faxes / unlocked computers / in waste bins and unlocked cupboards. Establish and support Records Champions. Provide training and communications support. Lead training / workshops and issue guidance. Examples of contract clauses provided as evidence to IG Toolkit. Audit reports to customer and used as evidence for IG Toolkit. Training records. Comms and training material provide IG Toolkit evidence. Training attendance records. Training material, records and guidance evidence IG Toolkit. West Kent CCG and High level of awareness of PIAs are completed on a routine basis by customer Report of PIAs received West Kent CCG and value of PIAs and significant staff when proposing new or changes to processes provided to customer. uptake. and systems which process personal data. PIAs form IG Toolkit evidence. PIAs are accurately and SOUTH EAST CSU IG Team work with users to PIAs form a valuable and West Kent CCG and NHS West Kent CCG Information Governance Strategy 2015/16 9

10 comprehensively completed providing maximum benefit. Assurance and confidence in advice and feedback. New initiatives proceed on a legitimate (lawful) basis. review PIAs for accuracy and appropriate detail and challenge incomplete or vague responses. SOUTH EAST CSU IG Steering Group comprising senior and expert IG resources review completed PIAs for recommendation. PIA accurately identifies Data Controller / Data Processor relationships and checks third party Processors ICO registration for validity. enabling service for customers. Customer projects / initiatives proceed with good controls and confidence. Clear customer understanding of data handling relationships. West Kent CCG and Data Flow Mapping (DFM) A clear, effective and supported SOUTH EAST CSU IG Team work closely with DFMs evidence IG Toolkit. West Kent CCG and Data Flow Mapping process customer to map flows of personal data. Updated IG Risk Register High risk data flows are recorded on IG Risk Register. IG Risk Register. Evidences IG Toolkit. Drive implementation of Report data flows graded as high risk to customer Mitigation of IG Risks on IG increased security controls. with recommendations for change. Risk Register. Information Governance Toolkit A prioritised plan of work for achieving IG Toolkit (IGT) compliance. Compliant level two scores for all criteria by March 2013 against all customer organisations. Detailed evidence review ensuring requirements are met. Generic CCG/CSO templates and documentation where appropriate avoiding duplication or extensive rework. Customer IG Toolkit submitted on time, i.e. before the end of March 2017 Clear direction and support. SOUTH EAST CSU IG Team work closely with IG Toolkit evidence and NHS West Kent CCG Information Governance Strategy 2015/16 10

11 Assurance of IG Toolkit from Any Qualified Providers (AQP) and other third parties. Regular IG Toolkit customer performance reporting. Liaise with internal/external auditors to provide evidence for review. Validation of uses of personal data for Secondary Uses, e.g. not for primary care under DH Secondary Uses guidelines. customer to provide customer with policies, templates, direction and support in completing and implementing IG Toolkit standards. IG Team work closely with APQs and other parties commissioned by the customer to develop / validate IG Toolkit completion. Note: Work undertaken with parties other than the customer is on a commercial basis. Clear and accurate reporting on Toolkit progress to Governance and Assurance work streams. Review all uses of personal data for non-primary care processing. Make recommendations for validity. Establish New Safe Haven operational environments where agreed. compliance. Evidence of AQP IG Toolkit compliance. Assurance on legitimacy of processing. IG Performance Report Secondary Uses Caldicott register. As required Independent assurance. Information Asset Management Information Asset Management. Maintain Information Asset Registers across all appropriate organisations with Information Asset Owners identified. Information Asset Register. New Safe Haven operational environments. New initiatives, system changes and security of processing. Interface with Secondary Uses, Data Flow Mapping, IG Risk and Information Sharing to identify where personal data is shared. Implement New Safe Haven operational environments to ensure personal data is processed and stored securely. Maintain a presence; oversight and input into projects to ensure that development of systems and infrastructure maintain appropriate security. New Safe Haven register. - NHS West Kent CCG Information Governance Strategy 2015/16 11

12 Systems access. Work with Information Asset Owners and relevant third parties to ensure that systems access controls are in place and effective. West Kent CCG and IG Core Work-stream 2: Statutory Assurance Freedom of Information Act Provide high level accurate Senior Associate consideration of complex - technical expertise on complex requests and exemptions. requests and exemptions Detailed redaction of data in line with FOI and DPA legislation. Expert Internal Review service. Relationship with the Liaise with the ICO on FOI complaints & co-operate - Information Commissioner s with investigation & resolution. Office (ICO) Requests for Internal Review To carry out internal reviews when requested - Information Sharing Accurate technical Information Sharing expertise for individual requests for advice. Written advice notices issued for individual DPA type requests. Information Sharing and advice logs maintained for reference. Responses within 2 working days for individual DPA type requests. Project level Information Sharing expertise. Risk mitigation. Ongoing advice and expertise for project / larger initiatives via membership of project teams, exploration of complex issues and liaison with third party organisations. Interface with Data Flow Mapping and IG Risk to identify and mitigate poor information sharing practice. - Updated risk register and data flow maps. NHS West Kent CCG Information Governance Strategy 2015/16 12

13 Data Protection Act Responsibility and training Ensure CCG has leads responsible for providing data for DPA requests. - West Kent CCG and Provide training / knowledge for person responsible. Tight control over deadlines, service level agreements and escalation of Subject Access Requests. Provide high level accurate technical expertise on Subject Access requests and exemptions. Caldicott Principles. New requests acknowledged within 2 working days. Statutory compliance within 40 calendar days. Information obtained within 20 working days to allow time for redaction. All issues escalated to Senior Associate Senior Associate consideration of complex requests and exemptions. Detailed redaction of data in line with DPA legislation. Work closely with Caldicott Guardians to assist in understanding and implementation of Caldicott Principles. IG Performance Report. - - Current of annual ICO notification. ICO notification reviewed annually for accuracy. ICO registration compliance Efficient DPA structure and process for IG Performance Report. processing Subject Access Requests. Maintain high levels of knowledge and practice in a fast moving field. DPA policy current with rapidly evolving field. DPA administration maintained with 100% accuracy and updated daily. Senior Associate process overview. Accurate performance data. Regular review of ICO decisions and progress of EU changes to legislation. Liaise with legal and other expert professionals as appropriate. Six monthly policy / process reviews (or as required). - Current policy circulated. NHS West Kent CCG Information Governance Strategy 2015/16 13

14 IG Core Work-stream 3: Information Security IG Serious Incident Management IG Serious Incidents (SI) Accurate and up to date Incident log. IG Performance Report. management. Clear and efficient processes All SI investigations completed within mandated IG Performance Report. for reporting and timeframes (45 or 60 days). investigation of IG SIs and incidents. Investigate using the NPSA SI report template and appropriate tools, ensuring the quality, depth and breadth of the investigation. Trend analysis. Inform IG Risk Register of growing trends to drive mitigation. Re-work processes to drive mitigation. Staff Communications to drive mitigation. IG Risk Register. Relationship with the Information Commissioner s Office (ICO) IG Training Liaise with the on ICO on IG SI notifications and cooperate with investigation and resolution. SI resolution. IG Training Strategy. Minimum 95% staff trained on IG annually. Training online and face to face as required. Maintain accurate and current staff registers for all organisations with training compliance for all staff. IG Performance Report. West Kent CCG and NHS West Kent CCG Information Governance Strategy 2015/16 14

15 IG Communications IG Communications Annual IG Communications Strategy for clear and Strategy. timely IG Communications to effectively brief staff on IG operational issues. Respond to emerging issues, events, SI trends with rapid communication. Evidence for IG Toolkits and audit reviews. IG Steering Group Maintain IG Steering Group to provide cross functional advice and consideration. Primary Care Toolkit Quarterly meetings to review progress against strategy, tackle issues, review Privacy Impact Assessments and provide assurance to all customer of an active process for maintaining statutory compliance and best practice. Consideration Privacy Impact Assessments (PIA). Oversight of IG functionality and statutory compliance. Steering Group minutes. IG Performance Report. PIA review outcomes. Primary Care IG Toolkit Work closely with Primary Care to drive engagement compliance. with and monitor completion of the IG Toolkit throughout Primary Care services Create and enforce IGT action plans for Primary Care organisations resisting engagement with the IGT through the contracting route NHS West Kent CCG Information Governance Strategy 2015/16 15

16 IG Risk Detailed and accurate IG Maintain an accurate register and use as a tool for proactive IG Performance Report. Risk Register. risk mitigation. Evidence for IG Toolkit. Risk identification. Interface with Secondary Uses, Data Flow Mapping and Information Sharing to identify, quantify and accurately record IG risks. Updated Risk Registers Evidence for IG Toolkits NHS West Kent CCG Information Governance Strategy 2015/16 16