Information Governance Management Framework

Transcription

1 Information Governance Management Framework November 2014 Author: Responsibility: Lynda Harris, Head of Information Governance All Staff Effective Date: November 2014 Review Date: November 2015 Reviewing/Endorsing committees Approved by Governance and Risk Sub Group Date Ratified by CCG Executive Team Risk Management Group 3 November November 2014 Version Number 3 Information Governance Management Framework Page 1

2 Introduction Robust information governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and resources. The way Bedfordshire Clinical Commissioning Group chooses to deliver against these requirements is referred to within the Information Governance toolkit as the organisation s Information Governance Management Framework. Senior roles: Chief Operating Officer who is the Senior Information Risk Owner (SIRO) John Rooke Is the organisation s lead for Information Risk Fosters a culture for protecting and using data Provides a focal point for managing information risks and incidents Is concerned with the management of all information assets Caldicott Guardian Dr Nick Curt This is an advisory role to the CCG. Acts as the conscience of the organisation and actively supports work to enable information sharing where it is appropriate to share and advises on options for lawful and ethical processing of information. The Caldicott Guardian also has a strategic role which involves representing and championing confidentiality and information sharing requirements and issues at senior management level and where appropriate, at a range of levels within the organisation s overall governance framework. Provide routine reports to the senior management on Confidentiality and Data Protection issues. Head of Information Governance Lynda Harris and IG team Developing and maintaining information governance policies To work closely with the Caldicott Guardian, Senior Information Risk Owner (SIRO) on any Confidentiality or Data Protection issues to support patient confidentiality and assure public confidence in the CCG s governance processes and safeguards. Manage the IG performance framework and provide clear statements of the CCG s compliance with sound IG standards and to ensure that the organisation meets both its statutory and legal obligations. Key Policies and Procedures in place Information Governance Policy Confidentiality Policy Confidentiality Code of Conduct Information Lifecycle Policy Information Governance Serious Incidents Requiring Investigation Policy Information Governance Management Framework Page 2

3 Committees with core information governance functions Governing Body Executive Team Risk Management Group The Risk Management Group is the CCG forum with delegated authority to oversee information governance issues in Bedfordshire CCG. The committee meets every four weeks, is chaired by the SIRO and reports to the Executive team and to the Governing Body. Membership of the Risk Management Group is diverse and across all departments. Information Governance Management Framework Page 3

4 Bedfordshire CCG Information Governance structure Chief Operating Officer Caldicott Guardian Executive Team Senior Information Risk Owner Information Asset Owners IG team Risk Management Group Information Asset Owners (IAOs) The IAO is expected to understand the overall business goals of the organisation and how the information assets they own contribute to and affect these goals. IAOs are identified through an annual information mapping exercise. The exercise ascertains who in the organisation receives and sends person identifiable data and it also captures who is responsible for databases within each Department. The IAOs would normally be at Director level, although they can delegate this role to a responsible deputy. Training and Guidance All staff are required to undertake annual mandatory IG training appropriate to their role within the organisation. Training can be via the portal, the H.R OLM training portal or by contacting the IG team on extn 6005 All staff need to demonstrate they are compliant in the handling and processing of person identifiable data. The CCG and or a member of staff could be subject to a fine if a serious data breach occurred and appropriate training had not taken place. Fines of up to 500,000 for organisations and up to 5000 personal fines are available for issue by the Information Commissioner s Office (ICO) in the event of a breach of the Data Protection Act. Information Governance Management Framework Page 4

5 Staff should read and adhere to the Information Security Policy and Serious Incidents which Require Investigation Policy (which can be found on the staff extranet or available from the Information Governance team) and report any breaches in the handling of person identifiable data. Incident Management Bedfordshire CCG needs to receive information in relation to Serious Incidents (SI s) in order to identify learning opportunities for improving patient safety and to ensure that NHS organisations have robust arrangements in place to investigate incidents and prevent reoccurences. An information Governance SI would be classified as: Any incident involving the actual or potential loss of personal information that could lead to identify fraud or have other significant impact on individuals should be considered a serious. IG incidents are recorded by the IG team onto the CCG IG toolkit incident reporting tool. Any incidents rated level 2 are flagged to the ICO and DH. The Serious Incident Requiring Investigation Guidance is available to all staff via the extranet, however, advice or queries can also be directed to the Head of Information Governance, who can be contacted at: LyndaHarris2@nhs.net or extn Information Governance Management Framework Page 5

6 POLICY DEVELOPMENT PROCESS Information Governance Management Framework Page 6