PHWIGC framework that addresses the issues raised by the Francis Report. Author: John Morley & Jane Evans Information Governance Managers

Transcription

1 PHWIGC Information Governance Audits Purpose of Document: To describe the process that Public Health Wales Information Governance Managers will follow when undertaking announced and unannounced Information Governance Audits Information Governance Committee: To decide- Paper will outline recommendations or issues to be approved by the Board or Committee. To discuss- Board or Committee will be asked to discuss and scrutinise the paper and provide feedback and comments. To inform- Board or Committee will be asked to note the paper for information only Other relevant information The Committee is invited to give approval for the commencement of site-based announced and unannounced Information Governance Audits, as described in the paper. Next Steps Audits will be undertaken by the Information Governance Managers, as described in the paper. These will be evaluated and discussed by the Information Governance Working Group (IGWG). This will result in the audits continuing or for recommendations for further development. The results of the audits will also be summarised and reported to IGWG and to the Committee. Link to Public Health Wales commitment and priorities for action: (please tick which commitment(s) is/are relevant) X X Priorities for action Put in place a comprehensive governance framework that addresses the issues raised by the Francis Report Author: John Morley & Jane Evans Information Governance Managers Date: 19 October 2014 Version:0d Sponsoring Executive Director: Mark Dickinson Who will present: (If appropriate) John Morley Documents attached: Audit, News Item Date of meeting: 27 October 2014 Committee/Groups that have Information Governance Working Group received or considered this paper: Date: 19/10/14 Version: 0d Page: 1 of 8

2 Link to standards for health services Link to risk register Equality impact assessment Financial implications Service user engagement Standard 9: Patient Information and Consent Standard 19: Information Management and Technology Risk of harm to staff or service users, reputational damage and / or financial penalties caused by a failure to meet statutory duties. (DATIX 310 Corporate risk register) Failure to ensure appropriate governance of information. This includes: loss or inappropriate release of PII; inappropriate withholding of data/information that should be released/shared; inaccurate and/or incomplete data leading to inappropriate action; inappropriate web use (DATIX 88) N/A Primarily opportunity costs only (Information Governance Managers time). There may be some additional travel required. N/A Date: 19/10/14 Version: 0d Page: 2 of 8

3 Information Governance Compliance Audits Author: John Morley, Jane Evans Information Governance Managers Date: 19 October 2014 Publication/ Distribution: Public (Internet) NHS Wales (Intranet) Public Health Wales (Intranet) Review Date: July 2015 Purpose and Summary of Document: Version: 0d To describe the process that Public Health Wales Information Governance Managers will follow when undertaking announced and unannounced Information Governance Audits. Date: 19/10/14 Version: 0d Page: 3 of 8

4 1 Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. Public Health Wales Information Governance Managers have been tasked by the Information Governance Committee to produce proposals for a series of announced and unannounced Information Governance (IG) audits. This document describes the audits proposed. 2 Scope of the audits The IG Managers will focus on the following areas: a. Data protection governance The extent to which data protection responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor DPA compliance are in place and in operation throughout the organisation. b. Training and awareness The provision and monitoring of staff Information governance training and the awareness of data protection requirements relating to their roles and responsibilities. c. Records management (manual and electronic) The processes in place for managing both manual and electronic records containing personal data. This will include controls in place to monitor the creation, maintenance, storage, movement, retention and destruction of personal data records. d. Security of personal data The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form. e. Subject access requests - The procedures in operation for recognising and responding to individuals requests for access to their personal data. f. Freedom of information governance - The extent to which responsibilities, policies and procedures, performance measurement controls, and reporting mechanisms to monitor compliance with the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR) are in place and in operation throughout the organisation. g. Data sharing - The design and operation of controls to ensure the sharing of personal data complies with the principles of the Data Protection Act 1998 and the good practice recommendations. Date: 19/10/14 Version: 0d Page: 4 of 8

5 3 Announced audits In the case of an announced audit, the IG managers will focus their activities on the team /division/ directorate s compliance with all points (a-g) above. 4 Unannounced Audits In the case of unannounced audits, the IG managers will focus on general IT security, building security and what information (especially patient/client/staff identifiable information (PII)) is visible on desks. These audits will normally take place towards the end of the normal working day. 5 Audit follow up Working on a colour score card system, each audit will be categorised as follows: Green Audits rated green - no follow up Yellow Audits rated yellow IG Managers will conduct a follow up check at three months Red Audits rated red IG Managers will report findings to the Information Governance Committee and to the Executive Lead for IG and Chief Executive for immediate action. 6 Information Governance Audit checklist During announced audits, IG Managers will check staff s knowledge and compliance with the following: 6.1 Keeping patient, staff and other personal information secure Number Test Score 1 to keep passwords secure to change regularly, no sharing? 2 to lock (ctrl,alt,del) or log off computers when away from desks? Passwords not visible, written down anywhere except under lock and key Check system settings and user practice Date: 19/10/14 Version: 0d Page: 5 of 8

6 3 to ensure computer screens are sited away from the view of others to prevent unlawful disclosure of sensitive information? 4 to secure of confidential paper waste securely in the confidential bins provided? 5 to prevent virus attacks by taking care when opening and attachment or visiting new websites? 6 about working to a clear desk basis by securely storing hard copy personal information when it is not being used? 7 to maintain an awareness of who should be allowed in areas normally restricted to staff and to keep those areas secure? 8 that if personal or sensitive data is held on any portable storage device eg laptop, USB pen, it must be encrypted? Check how rooms and desks are arranged especially in any reception areas Check any contracts in place for confidential waste disposal and that staff actually dispose of waste appropriately Check systems have appropriate virus software installed correctly Check current office practices Are visitors challenged Check all memory devices found in the office 6.2 Meeting the reasonable expectation of patients and staff whose data we handle Number Test Score 1 to collect only the personal information you need for a particular business purpose? 2 records should be updated promptly to ensure accuracy 3 that you should only be viewing patient or staff data for a legitimate business purpose principles principles principles Date: 19/10/14 Version: 0d Page: 6 of 8

7 4 that you may be committing an offence if you are disclosing patient or staff information without consent this includes verbal disclosure and which may lead to disciplinary action? 5 that you should inform the Information Governance Managers of any potential information sharing agreements? 6 when transporting personal data, we ensure that it is kept secure at all times? 7 that records in all formats should be stored, handled and retained in accordance with the Public Health Wales Records Management Policy? principles Check staff awareness of DATIX Check awareness of the transport of PI Iprocedure Check staff awareness of the policy and where to find it 6.3 Disclosing personal information over the telephone or via Number Test Best Practice Score 1 to be aware that there are people who will try and trick you to give out personal information? 2 that to prevent these disclosures, we should carry out identity checks before giving out personal information to someone making an incoming call? 3 to ensure that sensitive conversations are not overheard by others? 4 that when leaving answer phone messages, you should not disclose sensitive information? just leave your name and contact details Check staff awareness of blaggers Safe Haven techniques employed Check office situation, i.e. quiet areas, meeting rooms available etc Safe Haven techniques employed Date: 19/10/14 Version: 0d Page: 7 of 8

8 6.4 Handling requests from patients and staff for their personal information (subject access requests) Number Test Score 1 that patients, staff and other individuals have a right to a copy of the personal information held by the trust under the Data Protection Act, subject to certain conditions 2 Requests should be sent to the Information Governance Department 3 Public Health Wales must meet a statutory time limit of 40 days to complete the requests but in many cases must respond within 21 days? principles especially what a Subject Access Request (SAR) is and what to do if one is received. principles especially what a SAR is and what to do if one is received. principles especially what a SAR is and what to do if one is received. 6.5 Caldicott guardian Public Health Wales has an appointed Caldicott Guardian (Dr Quentin Sandifer) who plays a key role in ensuring that NHS and partner organisations satisfy the highest practical standards for handling patient information. Acting as the conscience of an organisation, the Guardian actively supports work to facilitate and enable information sharing, and is available to advise on options for lawful and ethical processing of information as required. 6.6 Information Governance breach reporting All breaches or near misses relating to the above and other Information Governance issues will also be reported on a DATIX incident report. Date: 19/10/14 Version: 0d Page: 8 of 8