Career Break Policy 1

Transcription

1 Career Break Policy 1

2 Career Break Policy HR Policy: HR05 Date Issued: 1/4/2013 Date to be reviewed: Periodically or if legislation changes 2

3 Policy Title: Supersedes: Description of Amendment(s): This policy will impact on: Financial Implications: Career Break Policy All previous Career Break Policies New Policy for NHS North Derbyshire CCG employees All staff. No change. Policy Area: HR Version No: 2 Issued By: Governance Team Author: HR Services GEM Document Reference: Effective Date: December 2014 Review Date: November 2015 APPROVAL RECORD Consultation: Approved by Committees: Committees / Groups / Individual Consultative Committee Specialist Advice (if required) Management / Staff Side Consultative Committee Governing Body Governing Body Assurance Committee Date N/A November 2013 November 2014 Revision History Version Revisions Date 3

4 ASSISTANCE WITH THE APPLICATION OF THIS POLICY AND UPDATES This policy has been prepared so as to reflect the law as at 1st November The policy will require periodic review to reflect subsequent changes to the law. Changes to employment law have generally been made on 1 February, 1 April and 1 October in any given year. For advice and assistance in relation to the application of this policy and to obtain updates please contact: Your line manager in the first instance or GEM Human Resources Business Partners. This policy has been prepared by North Derbyshire Clinical Commissioning Group in partnership with Beachcroft LLP and GEM Human Resources Business Partners. 4

5 Contents 1. POLICY STATEMENT EQUALITY STATEMENT PRINCIPLES DUE REGARD 8 5. MONITORING AND REVIEW 8 Part 2 1. Procedure 9 Appendix 1 Career Break Scheme - Application Form 10 Appendix 2 Career Break Financial Agreement 11 5

6 1. POLICY STATEMENT NHS North Derbyshire Clinical Commissioning Group (NDCCG) recognises that during an employee s working life there will be times when personal commitments take priority over work. The Career Break Policy has been designed to allow employees the opportunity to take an unpaid break from their employment, of up to 5 years. 2. EQUALITY STATEMENT NDCCG aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to socio-economic status, immigration status and the principles of the Human Rights Act. In carrying out its function, NDCCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all activities for which NDCCG is responsible, including policy development, review and implementation. 3. PRINCIPLES 3.1 For statutory purposes, the period of the break will count towards continuous employment, however all other terms and conditions of employment with NDCCG will be suspended. The period of the career break will therefore not count as reckonable service when calculating contractual entitlement to benefits such as annual leave, sick pay, contractual redundancy payments and any other benefits dependent upon length of service. There will be no entitlement to benefits, such as sick pay, during the period of the break. 3.2 To qualify for a Career Break, employees must:- have been employed by NDCCG, continuously, on a permanent basis for a period of twelve months or more; have demonstrated a commitment to continuing their career with NDCCG ; have the approval of an appropriate authorising manager. 3.3 Subject to business needs, applications will normally be approved for the purpose of; caring for a sick or dependent relative; caring for children; extended periods of travel, or voluntary services; personal reasons e.g. following ill health; undertaking further education. Any other reason will be considered on its merit. 3.4 The length of the career break will normally be for a minimum of 3 months up to a maximum of 5 years. More than one career break may be granted in the course of employment provided that the combined length of the breaks does not exceed the maximum of 5 years. 3.5 Managers, where appropriate, should make every opportunity to maintain contact with those staff taking career breaks. The amount and level of contact will vary depending on the length of the career break and the individual circumstances relating to the break. 6

7 3.67 Employees will be expected to maintain contact with their manager, and should inform NDCCG of any changes to personal circumstances, i.e. change of home address. 3.7 Employees should also demonstrate their commitment to NDCCG by; not undertaking any other paid employment with another employer during the career break except where, for example, work overseas or charitable work could broaden experience. In such circumstances written permission from NDCCG should be sought prior to the start of the career break. Employees who may need to obtain employment to support themselves financially, for example whilst travelling abroad, may do so, but on a casual basis; returning to NDCCG on the agreed return date. 3.8 Employees considering a career break should be aware of the following: Annual Leave - all accrued annual leave must be taken before commencement of the career break. No payment in lieu of outstanding leave will be made, neither will any carry over of leave be allowed. There is no entitlement to annual leave during the career break. On return to work, entitlement to annual leave would be the same as when the break started, and the period of the career break will not count as reckonable service for leave purposes Trade Union Membership should an individual wish to continue their trade union membership during the break, they must make their own arrangements for subscriptions to be paid Pay - on return to work, employees would resume, for pay purposes, at the same pay point which had been reached at the time the career break began, subject to restructuring or substantial organisational change. If applicable, incremental dates will be deferred accordingly, to ensure that the employee s terms remain unchanged Occupational Maternity Pay - employees commencing a career break immediately following a period of maternity leave will be liable to repay any Occupational Maternity Pay received should they fail to return to work for a period of 3 months after the break Pensions - an employee may choose to continue making contributions to the NHS Pension Scheme during a career break. The form at Appendix 2 must be completed prior to the break to determine the employee s option in respect of their pension. Arrangements for continuing payments must be made prior to commencement of the break. For the first 6 months contributions are payable, by both the employee and employer, as if the employee was at work. An individual, who has paid contributions regularly during the first 6 months of a break, may continue to contribute to the Scheme for a further period of up to 18 months (maximum of 2 years). During the extended period, the employee will be responsible for paying both their own and the employer s contributions. Contributions will be based on the employee s normal pensionable pay. They must continue to be paid monthly, by standing order or Direct Debit; arrears will not be allowed to accumulate. Further information is available from the Pensions Officer, HR Adviser or the NHS Pensions website Long Service Award the term of the career break will not count towards qualifying service for the Long Service Award Company Property - prior to an employee commencing a career break, where applicable, managers must ensure that appropriate arrangements have been made in respect of company property, i.e. Return (or otherwise) of a lease car; 7 Issue No 144 Page 2 of 444

8 Return of NDCCG property, such as mobile telephones, lap tops, keys, etc Applying for other Positions - when on a career break, an employee is free to apply for other positions within NDCCG. However, employees should note that, should they be successful, continuation of the career break cannot be guaranteed as it will depend upon the business needs and exigencies of the service in the area in which the new post sits. It is advised that a discussion is held with the recruiting manager prior to an application being submitted All records of applications and decisions will be kept on an employee s file and a record kept centrally in Human Resources as appropriate under Data Protection and retention of data information regulations. 4. DUE REGARD This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to: eliminate discrimination, harassment and victimisation; to advance equality of opportunity; and foster good relations. Evidence that due regard has been given is shown in section 3.3 of this policy. 5. MONITORING & REVIEW 5 This policy and procedure will be reviewed periodically by NDCCG with GEM/HR support in conjunction with Trade Union representatives. Where review is necessary due to legislative change, this will happen immediately. 8

9 Part 2 1. PROCEDURE 1.1 Employees wishing to apply for a career break should complete the application form at Appendix 1, in conjunction with the authorising manager. Both the proposed commencement date and return to work date should be included. 1.2 Applications must be submitted to the authorising manager, at least 3 months prior to commencement of the intended break. Requests made less than 3 months before, will be considered only in exceptional circumstances. In deciding whether to support an applicant, the authorising manager should satisfy themselves that the individual has a clear commitment to continuing a career with NDCCG, and that the reasons for requesting the break are valid. 1.3 Applicants will be notified in writing of the decision within 21 days of the date of submission of their application. 1.4 The individual must also complete the form at Appendix 2 to confirm their option in respect of their pension membership during the break (see 2.9.5). 1.5 Employees may follow the Grievance Policy if a request for a break is refused. 1.6 Employees will be required to give written notification of their return to work. Where the career break is for less than a year, two months notice of return is required. For breaks of longer than a year, six months notice of return is required. Employees wishing to return earlier than originally anticipated must give two months notice in writing. Employees wishing to extend the length of their career break must apply in writing, at least two months before the agreed end, so that appropriate consideration can be given to an extension. 1.7 Where an employee returns to work within a year, they will return to the same post they held when the career break started, as far as is reasonably practicable. If this is not possible, due to restructuring etc., or if the break has been for longer than a year, then every effort will be made to find the employee a post with similar duties and responsibilities to those of the previous post held. Should it not be possible to find a suitable similar position then redundancy may be considered. For further information refer to the Organisational Change and Redundancy Policy 1.8 Employees may be required to undertake a period of training on their return to work. The content and duration will depend on the length of the break, the post, and any changes in working practices, legislation or policy. 9 Issue No 1 Page 3 of 4

10 Appendix 1 CAREER BREAK SCHEME APPLICATION FORM FULL NAME ORGANISATION SERVICE AREA PERSONAL NUMBER START DATE WITH THE ORGANISATION THIS FORM SHOULD BE SUBMITTED AT LEAST 3 MONTHS BEFORE THE CAREER BREAK IS TO START I would like my career break to start on I would like to return to work on Reason for career break My contact details (including phone number) during the break will be I wish to apply for an extended period of unpaid leave under the Career Break Scheme. I confirm that: I have read and fully understood the conditions detailed within the Career Break Policy; I will complete and submit a Career Break Financial Agreement prior to my break. SIGNATURE OF EMPLOYEE DATE To be completed by the Authorising Manager I support / do not support this application for a career break from the Organisation. I have attached a written statement outlining the reasons why this application has been accepted / rejected (delete as applicable). SIGNATURE OF MANAGER DATE MANAGER S NAME (Block letters) 10

11 Appendix 2 CAREER BREAK FINANCIAL AGREEMENT FULL NAME ORGANISATION SERVICE AREA PERSONAL NUMBER START DATE WITH THE ORGANISATION START DATE OF CAREER BREAK DATE OF RETURN TO WORK I confirm that: I understand that I have the option to decide whether my career break should be pensionable for a period of up to two years; I understand that, should I decide that I would like my career break to be pensionable, I remain liable for monthly pension contributions for the period and that, for the first six months of the career break, I will pay my own contributions and that the Organisation will continue to pay employer s contributions; I understand that, if I pay my contributions continuously for the first six months of the career break, I may continue to pension the break for a further period of up to 18 months. During this additional period, I will be liable to pay both my own, and the Organisation s contributions; I understand that contributions will be based on my normal earnings; I agree to make monthly payments to Organisation via standing order/direct Debit. I understand that, if I fail to make my contributions as agreed, my pension record will be closed down at the date of the last contribution made. Please select ONE of the following four options Option 1 Option 2 Option 3 Option 4 I do not wish my career break to be treated as pensionable service and understand that my pension record will be closed down at the start of my break with no contributions payable OR I wish to treat up to the initial six months of my career break as pensionable and undertake to pay monthly employee contributions via standing order/direct Debit OR I wish to treat my career break as pensionable for a period of months. I undertake to pay monthly employee contributions for the first six months and both employee s and employer s contributions for the remainder of the period. All contributions will be made via standing order/direct Debit OR I wish to treat my career break as pensionable for the maximum period of two years. I undertake to pay monthly employee contributions for the first six months and both employee s and employer s contributions for the remaining 18 months of the period. All contributions will be made via standing order/direct Debit. SIGNATURE OF EMPLOYEE DATE 11

12 Close Personal Relationships 1

13 Close Personal Relationships Policy HR Policy: Date Issued: Date to be reviewed: Old PCT Policy Periodically or if statutory changes are required

14 Policy Title: Supersedes: Description of Amendment(s): This policy will impact on: Financial Implications: Policy Area: Close Personal Relationships Policy All previous Close Personal Relationships Policies New Policy for NHS North Derbyshire CCG employees All staff No change HR Version No: 2 Issued By: Author: Governance Team HR Services Document Reference: Effective Date: December 2014 Review Date: November 2015 APPROVAL RECORD Committees / Groups / Individual Date Consultation: Consultative Committee Specialist Advice (if required) Approved by Committees: Management / Staff Side Consultative Committee Governing Body Governing Body Assurance Committee November 2013 November 2014 Revision Changes Version Revisions Date

15 ASSISTANCE WITH THE APPLICATION OF THIS POLICY AND UPDATES This policy has been prepared so as to reflect the law as at 1st November The policy will require periodic review to reflect subsequent changes to the law. Changes to employment law have generally been made on 1 February, 1 April and 1 October in any given year. For advice and assistance in relation to the application of this policy and to obtain updates please contact: Your line manager in the first instance or GEM Human Resources Business Partners. This policy has been prepared by North Derbyshire Clinical Commissioning Group in partnership with Beachcroft LLP and GEM Human Resources Business Partners.

16 CONTENTS 1. Background Aim/Purpose Equality Statement 7 4. Definitions and an Explanation of Terms Used Intended Users FULL DETAIL OF POLICY Principles Recruitment Where a Line Management Relationship Exists Where there is no Line Management Relationship Forming of Relationships at Work Job Evaluation/Promotion/Pay Disciplinary/Grievance Issues Managing Situations when a Personal Relationship Adversely Affects the Workplace Relationships with Clients/Patients Relationships with Contractors Confidentiality Raising Concerns Breaches of Policy Appeals Process Support and Additional Contacts References and Associated Documentation References Associated Documentation CCG Accountability /Responsibilities Chief Officer

17 9.2 Policy Sponsor Managers Role Employees Role HR Business Partners Role Staff Partnership / Trade Union / Professional Organisation Representatives Role Monitoring and Performance Management of the policy Equality Impact Statement Ensuring The Policy Is Accessible To All Staff Due Regard..14 6

18 1. BACKGROUND 1.1 It is recognised that close personal relationships can and are sometimes formed at work and, that as an employer; situations will arise within NHS North Derbyshire Clinical Commissioning Group (NDCCG) where related persons or individuals with a close personal relationship are employed within the same team, establishment or work area. 1.2 Whilst respecting the right of employees to privacy and family life and will not interfere unduly in an employee s private life, NDCCG has a legitimate right to protect the interest of NDCCG, patients / service users and other employees and to take action when close personal relationships either have the potential to or do impact upon the services. 2. AIM/PURPOSE 2.1 To minimise the risk of problems arising through those with a close personal relationship working together in the same working environment. To provide employees and managers with clear guidance as to their responsibilities and ensure that issues arising from or involving close personal relationships are dealt with promptly, sensitively and effectively: To protect employees against potential claims of favoritism where one has a supervisory or managerial responsibility for the other; To avoid situations where there is potential for conflict of interest; To ensure that situations do not develop where other employees feel unable to speak openly and honestly, or feel that a relationship is having an adverse impact on their own employment; To avoid the potential for abuse of patients; To avoid the potential for fraudulent activity; To facilitate and encourage the development of an organisational culture where employees feel confident to voluntarily declare personal relationships. 2.2 To ensure that all employees feel confident of fair and consistent treatment without the concern that a close personal relationship, including if they are part of such a relationship, will adversely influence their or other employees treatment at work or wider working relationships. 2.3 To ensure that all employees are clear as to the standards of behavior that are expected of them in their dealings with patients and service users and the professional boundaries that must be respected in that relationship. 3 EQUALITY STATEMENT NDCCG aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no-one receives less favorable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to socio-economic status, immigration status and the principles of the Human Rights Act. In carrying out its function, NDCCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all activities for which NDCCG is responsible, including policy development, review and implementation. 7

19 4. DEFINITIONS AND AN EXPLANATION OF TERMS USED Close Personal Relationships For the purposes of this policy a close personal relationship can be defined as a family, sexual or romantic relationship and includes: Spouses or partners Parents, including in-laws and step-parents Children, including in-laws and step-children Siblings Grandparents and grandchildren Aunts, uncles, nephews, nieces and cousins Separated or divorced people Other personal and stable relationships, both same sex or heterosexual Any personal relationship whether long or short-term The relationship may be between existing employees or between an employee and an applicant, a contractor, a secondee into NDCCG, volunteer or student on placement within NDCCG. 5. INTENDED USERS This policy applies to all employees of NDCCG. The policy also applies to applicants, volunteers, trainees, placement students or seconded staff from other organisations working in NDCCG premises when a situation arises where a line manager / supervisor relationship is established between them and an employee of NDCCG or they are placed in the same work area of NDCCG as someone with whom they have a close personal relationship. This policy applies to all business areas of NDCCG. 6. FULL DETAIL OF POLICY 6.1 Principles Although the existence of a close personal relationship does not constitute a bar to employment or promotion, employees are required to declare to their line manager any relationship that may give rise to a real or perceived conflict of interest, or breaches of confidentiality Employees may normally continue to work together in the same team or department either as colleagues or in a line management relationship for so long as they both maintain the highest standards of behavior and conduct in not allowing that relationship to adversely affect the functioning of the team, the treatment of other employees or the provision of services. In summary, it is expected that employees will behave responsibly and not put themselves in a position where their close personal relationships may adversely impact on their employment or NDCCG and the services it provides. 6.2 Recruitment As required by NDCCG Declaration of Interest Policy all applicants for positions within NDCCG must declare any personal relationships with NDCCG employees on their application. It is worth re-iterating that no employee may participate in the recruitment process for any post where an applicant has declared a relationship with them Once appointed, if an employee is found to have failed to declare a relationship on their application form with an employee who was involved in the recruitment process or with whom they now have a line management or subordinate working relationship, this will be investigated under NDCCG Disciplinary Policy and may lead to disciplinary action which could include dismissal. 8

20 6.2.3 If an individual is appointed to a position where they will either generate or authorise the ordering of goods or services, including the payment of invoices of another employee with who they have a close personal relationship, this must be brought to the attention of their line manager immediately to enable alternative authorising arrangements to be made Agency workers should be asked by their respective supervisor or line manager to declare if they have a close personal relationship with any employee of NDCCG in the department/service in which it is intended to place them before they commence duties Where a current employee applies for a position, including secondments and acting up arrangements which will result in them being immediately subordinate to another employee with whom they have a close personal relationship, the position must have been properly advertised. The interview panel must include an impartial manager from another service area or a representative from Human Resources Where an applicant, if appointed, would work in the same team with another employee with whom they have a close personal relationship, the implications of this should be considered and discussed as part of the selection process. This is to ensure that, assuming they are otherwise the most suitable candidate for the post, their appointment would also be appropriate, taking into account operational issues such as shift/working patterns and requirements for annual leave. There is no guarantee of matching annual leave or working patterns. Any decision not to appoint must be on the basis of service needs and documented accordingly Managers may not provide official organisational references for any other employee with whom they have a close personal relationship. Any such reference requests received should be referred upwards to their own line manager. 6.3 Where a Line Management Relationship Exists Where an existing/new employee is knowingly appointed to a position in which they will be line managed by another employee with whom they have a close personal relationship then arrangements must be made for them to report to another manager for supervision. This may include removing management activities such as appraisal, recruitment and selection, promotion or awards. Any timesheets, expenses claims and annual leave requests must be verified and authorised by another manager. They should not countersign any official documentation for each other, e.g. travel claims Where a relationship develops between two employees who are also in a line management relationship it is the responsibility of the manager to disclose this to their line manager, who will then discuss with both employees alternative arrangements for supervision and authorisation of leave and expenses claims and also what, if any, information should be communicated to other colleagues Where a relationship develops between two employees who are also in a line management relationship, NDCCG may consider moving either party to a different team or department, which may be possible depending on whether a suitable post is available and on the employee s skills, knowledge and experience. The employees may also decide not to continue working in the same service and in this situation they will be supported in looking for an alternative role. 6.4 Where there is no Line Management Relationship Employees are expected to behave in a professional manner respecting all NDCCG policies and confidentiality requirements regarding information one employee may have access to but not the other. Any adverse impact on their own work, the team s work or the functioning of the team is not acceptable, such as: Neglecting work. Communicating confidential information to each other. 9

21 Behaving in a way that may cause difficulty or embarrassment to others, for example arguing in the workplace or open displays of affection. Not communicating with each other as a result of disagreement or the breakdown of the relationship. Inflexibility in working arrangements, this may be of particular importance within small teams where cover is already difficult. It is the negative impact of the relationship and not the relationship itself which is not acceptable, which is why all employees are expected to behave in a professional manner at all times Where employees have identified to their line manager the existence of a relationship, discussion should take place as to the possible risks to themselves and the team. Consideration should be given to working patterns and practices that would protect those employees from unfounded accusations of impropriety by colleagues Employees in a close personal relationship may feel uncomfortable remaining working together in the same team and in this situation they will be supported in looking for an alternative role. The resolution may include consideration of redeployment to a position which requires similar skills, experience and competencies and is, wherever possible, on similar terms and conditions. The two members of staff affected by the personal/work relationship will be consulted about who should transfer but NDCCG reserves the right to make the final decision in the event that agreement cannot be reached or if service needs are put at risk.6.5 Forming of Relationships at Work Friendships quite naturally are formed in the work place. Employees are expected to exercise judgment in determining whether or not a friendship has developed to such an extent that it can be described as a close personal relationship. Where two employees within a team form a stable personal relationship it is their responsibility to consider whether this places them at risk of being compromised and they are encouraged inform their immediate line manager in confidence of the existence of the relationship. Factors they should consider include: Whether they are at risk of having or being perceived as having conflict of interest. Whether they could be perceived as having or be accused of bias, favoritism or prejudice. Whether they are at risk of accusations of fraud or financial irregularities They may not, under any circumstances, countersign any official documentation for each other. If the situation will arise where countersigning will be necessary the relationship must be declared. 6.6 Job Evaluation/Promotion/Pay Employees must not be involved in the authorisation or evaluation of any job description for another employee with whom they have a close personal relationship and are expected to declare any such interest immediately if they are approached to participate in the job evaluation process. They should not be involved in any decisions relating to the promotion or pay of another employee with whom they have a close personal relationship. Failure to declare an interest may result in action under NDCCG Disciplinary Policy. 6.7 Disciplinary/Grievance Issues Employees must not be involved in any investigation, hearing or other decisions involving another employee with whom they have a close personal relationship. This conflict of interest should be declared as soon as the employee is approached to participate in proceedings. Failure to do so may result in action under NDCCG Disciplinary Policy In situations when one employee in a relationship is subject to investigation under NDCCG procedures such as disciplinary or grievance, consideration should be given to the temporary redeployment of the other employee in the relationship whilst the investigation takes place. This is 10

22 both to ensure that a thorough and fair investigation is possible and also to protect that employee from false accusations that they might be impeding the investigation Where issues arise that involve one employee in a relationship, any discussions will remain confidential to that employee. The other employee in the relationship may attend any meetings to provide support but may not intervene, speak on behalf of or represent the other party. 6.8 Managing Situations when a Personal Relationship Adversely Affects the Workplace In most cases where a personal relationship causes issues in the workplace these should initially be capable of being addressed and resolved informally. Issues arising should be dealt with promptly and sensitively by the relevant manager and not allowed to continue unchecked. Where action is necessary, consideration should be given to re-arrangement of the work or working patterns if this is a viable first option Where a close personal relationship has been identified as adversely affecting the workplace, normally as the result of complaint, specific documented incidents or formal investigation such as under the Disciplinary or Grievance Policy then options for resolution may include the re-deployment of one or both employees depending on the extent to which the functioning of the team has been affected. In these circumstances excess mileage will not be paid on redeployment Both employees will be consulted to identify who should be re-deployed if only one party is to be moved. In the majority of cases their wishes will be honored but consideration will be given to the knowledge, skills and experience of both employees, also the impact upon their careers and therefore the relative ease with which each might be redeployed If agreement cannot be reached between both employees as to which should be redeployed, for example where a relationship has broken down then NDCCG will make that decision based on the best interests of the service, patient care and relative impact upon each employee Where investigation has clearly identified a particular loss of trust from the team in one employee then NDCCG will act in accordance with that finding and redeploy that employee in the interests of the team Consideration should also be given to the use of mediation if appropriate to the circumstances advice can be sought from NDCCG s Occupational Health / Counselling Service Provider as to the appropriateness of mediation. 6.9 Relationships with Clients/Patients Employees must not use their position to cultivate a personal relationship with a patient, client or service user The highest standards of personal conduct and integrity are expected in order to maintain the confidence of patients, clients and service users in the professionalism of NDCCG employees Relationships with Contractors No special favour should be shown in the tendering process to any business run by or employing, friends, partners or relatives. If an employee is asked to participate in the tendering process, for example by providing expert advice, they should declare any such relationships beforehand Confidentiality Where ever possible confidentiality regarding the existence of a close personal relationship will not be disclosed, however should this prove necessary then no disclosure will be made without consultation with the line manager, employees concerned and Human Resources. If alternate working practices or 11

23 patterns are necessary then it may be necessary to inform other members of the team regarding these arrangements and the reasons for them Raising Concerns Any employee who feels that a close personal relationship is adversely affecting their employment, the functioning of the team or the provision of services is encouraged to share their concerns at the earliest opportunity with their line manager or more senior manager if they prefer. Where an employee is not comfortable with either of these options they may consider raising their concerns under the Raising Concerns at Work (Whistleblowing) Policy. This also applies to employees in a close personal relationship who feel they are being disadvantaged because of the relationship Breaches of Policy Alleged breaches of this policy will be investigated under the relevant NDCCG policy Appeals Process Employees have the right to appeal against any action taken under this policy using NDCCG Grievance Policy. 7. SUPPORT AND ADDITIONAL CONTACTS Contact details for GEM CSU HR, Occupational Health and the Employee Assistance Provider can be found on the GEM Contact Details document. 8. REFERENCES AND ASSOCIATED DOCUMENTATION 8.1 References Code of Conduct for NHS Managers 2002 The NHS Constitution Equality Act 2010 Human Rights Act 8.2 Associated Documentation Standards of Business Conduct and Declaration of Interest Policy Bullying and Harassment (NHS) Policy Policy on Fraud Standing Financial Instructions (SFI s) General Code of Conduct Raising Concerns at Work (Whistle Blowing) Policy Protocol for Local Counter Fraud Specialist (LCFS) and Human Resources Co-operation Disciplinary Policy Grievance Policy 9. NDCCG ACCOUNTABILITY /RESPONSIBILITIES 9.1 Chief Officer The Chief Officer has responsibility from the NDCCG Governing Body for ensuring that there are safe and effective systems in place to deliver high quality services. 12

24 9.2 Policy Sponsor The Policy Sponsor is responsible for the ongoing maintenance and compliance with current and new legislation. 9.3 Managers Role It is the role of line managers: To ensure they are familiar with this and other NDCCG policies relating to the conduct of business within their service area of NDCCG. To abide by the principles contained within the Code of Conduct for NHS Managers 2002 and the NHS Constitution. To provide advice and support to employees regarding the standards of behaviour expected of them. To deal promptly and sensitively with issues arising from or involving close personal relationships at work maintaining confidentiality where possible. To declare any relationships formed with a direct report employee. Not to provide official organisational references for any employee with whom they have a close personal relationship. 9.4 Employees Responsibilities Employees responsibilities are: To make themselves familiar with the provisions of this policy. They should speak to their line manager if they are unsure of any aspect of their responsibilities. To ensure that any close personal relationships do not interfere with their duties and responsibilities at work. To declare the existence of close personal relationships or when they develop as required under this policy to the relevant manager. To take all steps that are reasonable and practical to ensure that any close personal relationship at work does not interfere with or prejudice their employment. 9.5 HR Business Partners Role It is the role of HR Business Partners to: Advise managers and employees on the application and interpretation of this policy. Assist in any investigations into alleged breaches of this policy. 9.6 Staff Partnership / Trade Union / Professional Organisation Representatives Role It is the role of Staff Partnership/Trade Union/Professional Organisation Representatives to: Advise, support and represent where required by employees. Assist support/co-operate with any investigations into alleged breaches of this policy. Ensure equity of application and compliance with statutory requirements and local frameworks. 10. MONITORING AND PERFORMANCE MANAGEMENT OF THE POLICY GEM CSU HR Team may also monitor on an anonymised basis, by equality profile employees who are subject to formal processes upon request. 13

25 11. EQUALITY IMPACT STATEMENT Feedback on this policy and the way it operates is welcomed. NDCCG are interested to know of any possible or actual adverse impact that this policy may have on any groups in respect of gender or marital status, race, disability, sexual orientation, religion or belief, age, deprivation or other characteristics. 12. ENSURING THE POLICY IS ACCESSIBLE TO ALL STAFF NDCCG is committed to ensuring that the guidance in this policy is accessible to all staff. This means that as required (for example, when staff have a disability or find communication more difficult) additional support will be provided to help ensure that the information in this policy can be understood and its guidance followed. This support includes (but is not limited to): Making reasonable adjustments, in discussion with the member of staff or their representative, to procedures where these are necessary to ensure their accessibility (for example, where a member of staff has a hearing impairment, facilities such as a hearing induction loop and a suitably quiet environment would be provided for meetings which form part of the policy s procedures) 13. DUE REGARD This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to: eliminate discrimination, harassment and victimisation; to advance equality of opportunity; and foster good relations. Evidence that due regard has been given is shown in Sections 3, 4 and 12 of this policy. 14

26 Professional Registration Policy 1

27 Professional Registration Policy HR Policy: HR24 Date Issued: 1/4/2013 Date to be reviewed: Periodically or if statutory changes are required 2

28 Policy Title: Supersedes: Description of Amendment(s): This policy will impact on: Financial Implications: Policy Area: Professional Registration Policy All previous Professional Registration Policies New Policy for NHS North Derbyshire CCG employees All staff No change HR Version No: 2 Issued By: Author: Governance Team HR Services GEM Document Reference: Effective Date: December 2014 Review Date: November 2015 APPROVAL RECORD Committees / Groups / Individual Date Consultation: Consultative Committee Specialist Advice (if required) N/A Approved by Committees: Management / Staff Side Consultative Committee Governing Body Governing Body Assurance Committee November 2013 November 2014 Revision History Version Revisions Date 3

29 This policy has been prepared so as to reflect the law as at 1st November The policy will require periodic review to reflect subsequent changes to the law. Changes to employment law have generally been made on 1 February, 1 April and 1 October in any given year. For advice and assistance in relation to the application of this policy and to obtain updates please contact: Your line manager in the first instance or GEM Human Resources Business Partners. This policy has been prepared by North Derbyshire Clinical Commissioning Group in partnership with Beachcroft LLP and GEM Human Resources Business Partners. 4

30 Contents 1 POLICY STATEMENT 6 2 PRINCIPLES 6 3 EQUALITY STATEMENT MONITORING AND REVIEW DUE REGARD 7 7 Part 2 PROCEDURE

31 1. POLICY STATEMENT 1.1 NHS North Derbyshire Clinical Commissioning Group (NDCCG) has a responsibility to ensure that professional standards are met. Recognising the importance of conducting both pre and post-employment checks for all persons working in or for the NHS in order to meet its legal obligations, complement good employment practices, and to ensure as appropriate, existing employees are registered with a relevant regulatory/licensing body in order to continue to practice. 1.2 For the purposes of this policy, the term professional registration refers to all posts which require the employee to be qualified in their field as a requirement of their post and to periodically renew their registration with their respective professional bodies. 1.3 The policy aims to ensure that all staff required to be registered with a statutory regulatory organisation/body to practice their speciality/field, are fully aware of their contractual obligation to be registered. The document sets out the role and responsibilities, the monitoring arrangements and the procedure for and implications for lapsed registration. 1.4 In accordance with NHS Employment Check Standards, NDCCG will undertake document checks on every prospective employee and member of staff in ongoing NHS employment. This includes permanent staff, staff on fixed term contracts, volunteers, students, trainees, contractors and members of staff supplied by agencies. 2. PRINCIPLES 2.1 In order to protect the public and ensure high standards of clinical practice, it is a legal requirement that NDCCG may only employ registered practitioners in qualified clinical positions. This includes the following posts that have been accepted onto the register of the statutory regulatory bodies outlined in the NHS Employment Check Standards. Medical and Dental Nurses and Midwives Allied Health Professionals Healthcare Scientists Hearing Aid Dispensers Practitioner Psychologists Pharmacy Technicians 2.2 Employees are responsible for maintaining their registration with their relevant professional body. 2.3 Individuals who are not directly employed by the organisation (e.g. NHS Professionals, Agency and Locum workers) but who nevertheless are engaged in work that requires professional registration must also hold current registration. The organisation will ensure that there are processes in place to check the ongoing registration of such workers. 2.4 Training and support will be provided as requested to all Line Managers in the implementation and application of this policy 6

32 3. EQUALITY NDCCG aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no-one receives less favorable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to socio-economic status, immigration status and the principles of the Human Rights Act. In carrying out its function, NDCCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all activities for which NDCCG is responsible, including policy development, review and implementation. 4. MONITORING & REVIEW The policy and procedure will be reviewed periodically by NDCCG with GEM/HR support in conjunction with Trade Union representatives. Where review is necessary due to legislative change, this will happen immediately. 5. DUE REGARD This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to: eliminate discrimination, harassment and victimisation; to advance equality of opportunity; and foster good relations. 7

33 Part 2 1. PROCEDURE 1.1 Employees Responsibility It is ultimately the responsibility of all employees who require professional registration to practice to ensure that registration with their professional body remains current at all times and that they abide by their professional code of conduct Employees/contractors must disclose to the organisation any conditions attached to their registration at the earliest available opportunity During the course of their employment employees must, on request by management, provide evidence that their registration has been renewed in accordance with procedures laid down To provide proof of renewal to their Manager Failure to maintain professional registration and comply with the requirements of the registration may result in disciplinary action All personal data, particularly name changes, must be communicated to both the line manager and professional body to ensure accuracy of data Lapsed registrations amount to a breach of terms and conditions of employment and may result in dismissal The registration lapse will be recorded in the employee s personnel file Repeated lapses in registration may lead to disciplinary action under the Disciplinary Policy. 1.2 Registration of Temporary Staff from External Agencies It is essential that all Contractors / Agencies the NDCCG engages with fully meet all legal and regulatory requirements. These include, but are not limited to, the Data Protection Act (1998), the NHS Confidentiality Code of Practice (Approved DoH Guidance 2003), all Criminal Records Bureau / Disclosure and Barring Service requirements, Registration with the appropriate Professional Bodies where appropriate, confirmation of Fitness to Work, Home Office status if applicable and working within the EWTD regulations (Working Time Directive 1993 and Working Time Regulations 1998) In this respect the onus must be placed on the supplier (Contractor / Agency) to ensure all relevant workers fulfil all legal and regulatory requirements. NDCCG will ensure it is protected contractually in the event of a supplier not fulfilling these obligations In order to facilitate this, all Managers must use the services of Agency suppliers awarded Preferred Supplier status by NDCCG unless there are exceptional circumstances. All suppliers on the approved supplier list meet legal and regulatory requirements, through the national sourcing process undertaken by Buying Solutions (formerly PASA) Where agency staff are being used that are not on the approved supplier list, the line manager will be responsible for ensuring written assurance is sought from the supplier that they are abiding by NHS Employers Employment Check Standards NDCCG will conduct audits periodically to ensure compliance. 1.3 Procedure for Checking Registration Pre Employment 8

34 1.3.1 All successful candidates who have a professional registration with a licensing or regulatory body in the UK or another country relevant to their role, are required to provide documentary evidence of up to date registration prior to appointment. GEM CSU HR will check with the relevant regulatory body (e.g. GMC, NMC, HCPC, GPhC) to determine that the registration is valid Where professional registration is a requirement of the post, ongoing registration as outlined above will be monitored by NDCCG in line with this Policy Alert Database checks will be undertaken in line with local NDCCG recruitment procedures Alert letters are sent to all NHS bodies to make them aware of a doctor or other registered health professional whose performance or conduct could place patients or staff at serious risk. Alert letters are communicated to NHS bodies for those health professionals who are regulated by one or more of the following regulatory bodies: General Medical Council Nursing and Midwifery Council Health and Care Professionals Council General Dental Council General Optical Council The General Pharmaceutical Council (GPhC) General Chiropractic Council General Osteopathic Council NDCCG is responsible for managing Alert Letters according to Healthcare Professionals Alert Notice Directions 2006, transferring alert letter details to a secure database and retaining paper copies within a secure location which is locked and accessible to a limited number of appropriate staff. NDCCG is also responsible for cross-referencing job offers to registered health professionals with the relevant professional body. 1.4 Procedure for Monitoring Ongoing Registration NDCCG will monitor all professionally registered staff to highlight staff due to renew their professional registration and any staff whose registration has lapsed. 1.5 Procedure for Dealing with Lapsed Registrations Line Managers Managers who identify a lapsed registration must take immediate action in accordance with NDCCG procedure. Immediate actions will include: Contacting the member of staff immediately. Ensuring the person is withdrawn from undertaking the duties of a qualified clinician or professional with immediate effect. Discussing the options with GEM CSU HR and the employee. Checking re-registration with the relevant regulatory body, receiving proof of renewal and to evidence this in the personnel file When considering action to be taken, managers will take account of the following factors: Length of time since registration has lapsed. Reason(s) put forward for non-renewal. 9

35 Whether the individual has knowingly continued to practice without registration and has failed to notify management. Any previous occasions when the individual has allowed their registration to lapse. Whether the individual has attempted to conceal the fact that their registration has lapsed The manager in consultation with a GEM HR representative should consider the following options: Employees Allow the individual to take annual leave or time owing until their registration is renewed within an agreed time frame. Allow the individual to take unpaid leave where no annual leave is available. Suspend the individual from duty without pay, invoke disciplinary process. Where feasible, consider transferring the individual staff member to another area within the organisation that offers a non-patient contact role that is of equal value. Temporarily downgrade into a non-qualified post specific to service need. Employees who recognise that their registration has lapsed must take immediate action in accordance with this Policy. Immediate actions will include: Informing their line manager immediately. Re-registering with the professional body (in most cases this will be achievable within 1 or 2 working days). Withdrawing from clinical/professional practice with immediate effect in discussion with their manager. Providing proof of renewal to the Manager. Providing proof and clarification of pin number if there is a discrepancy in data. Failure to comply with maintaining professional registration may result in disciplinary action against the employee. 10

36 Secondment Policy 1

37 Secondment Policy HR Policy: HR30 Date Issued: 1/4/2013 Date to be reviewed: Periodically or if statutory changes are required 2

38 Policy Title: Supersedes: Description of Amendment(s): This policy will impact on: Financial Implications: Policy Area: Secondment Policy All previous Secondment Policies New Policy for NHS North Derbyshire CCG employees All staff No change HR Version No: 2 Issued By: Author: Governance Team HR Services GEM Document Reference: Effective Date: December 2014 Review Date: November 2015 APPROVAL RECORD Committees / Groups / Individual Date Consultation: Consultative Committee Specialist Advice (if required) Governing Body Governing Body Assurance Committee N/A November 2013 November 2014 Revision Changes Version Revisions Date 3

39 This policy has been prepared so as to reflect the law as at 1st November The policy will require periodic review to reflect subsequent changes to the law. Changes to employment law have generally been made on 1 February, 1 April and 1 October in any given year. For advice and assistance in relation to the application of this policy and to obtain updates please contact: Your line manager in the first instance or GEM Human Resources Business Partners. This policy has been prepared by North Derbyshire Clinical Commissioning Group in partnership with Beachcroft LLP and GEM Human Resources Business Partners. 4

40 Contents 1 POLICY STATEMENT 6 2 PRINCIPLES 6 3 EQUALITY STATEMENT MONITORING AND REVIEW DUE REGARD 7 7 Part 2 1 PROCEDURE 8-9 5

41 1. POLICY STATEMENT 1.1 This policy facilitates the secondment of NHS North Derbyshire Clinical Commissioning Group (NDCCG) staff both internally within NDCCG and externally within the wider NHS and exceptionally with other non NHS Bodies. It is also designed to encourage staff from external organisations to take up a secondment where available within NDCCG. 1.2 A secondment may be arranged to assist with individual development needs as a result of an appraisal or KSF review or be specifically requested for project work where specific skills or specialist knowledge are required. 1.3 This Policy will apply to all employees within NDCCG. 2. PRINCIPLES 2.1 Secondment requests will be considered in line with business needs and may be refused on that basis. 2.2 Staff who enter into secondment agreements will be asked to sign a secondment agreement outlining the terms and parameters of the secondment. 2.3 Any individual who agrees to undertake a secondment will be expected to keep any information, which may be made available to them as a direct result of the secondment, (e.g. personnel, salary, business sensitive information) confidential. 2.4 Employees on secondment with an external organisation will retain all of their continuity of service rights with NDCCG. 2.5 Staff who undertake a secondment will be entitled to return to their substantive post on completion of the secondment. Should the substantive post be subject to organisational change this will be dealt with in line with the normal NDCCG procedure. 2.6 The duration of a secondment will vary depending on the circumstances. However the minimum is 3 months and a maximum 24 months with exceptions to be arranged with the relevant line manager and support from GEM CSU HR. 2.7 Training and support will be provided as requested to all Line Managers in the implementation and application of this policy. 3. EQUALITY NDCCG aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to socio-economic status, immigration status and the principles of the Human Rights Act. In carrying out its function, NDCCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all activities for which NDCCG is responsible, including policy development, review and implementation. 6

42 4. MONITORING & REVIEW The policy and procedure will be reviewed periodically by NDCCG with GEM/HR support in conjunction with Trade Union representatives. Where review is necessary due to legislative change, this will happen immediately. 5. DUE REGARD This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to: eliminate discrimination, harassment and victimisation; to advance equality of opportunity; and foster good relations. Evidence that due regard has been given is shown in sections: Part 2: of this policy. 1. PROCEDURE 1.1 Requesting and organisation of Internal Secondments within NDCCG Where a Department within NDCCG identifies that a secondment opportunity exists, consideration should be given to the length of vacancy, any training required and the skills set or specialist knowledge required of staff undertaking the secondment Depending on the nature of secondment, the vacancy will either be advertised in line with the relevant Recruitment and Selection Policy or a request will be made directly to the relevant department/ organisation if the secondment requires specialist skills or knowledge There is no explicit obligation on the manager to release an individual but proper consideration should be given to such a request. Any refusal to allow an individual to uptake a secondment opportunity should be carefully considered and the potential long term benefits to NDCCG should not be overlooked. An explanation should be given to the employee if a request is turned down Once agreed, GEM CSU HR will liaise with the departments to facilitate an agreement and agree what parameters will be applied to it If the secondee is from an external organisation, GEM CSU HR will liaise with NDCCG to facilitate an agreement and agree what parameters will be applied to it, detailing very clearly what funding arrangements have been agreed. 1.2 Organisation for secondments of NDCCG Staff to external organisations Where an individual manager is approached by an external organisation regarding a secondment opportunity for an employee, contact should be made with GEM/HR. The opportunity may be advertised depending on the nature of the request. If the secondment is feasible, GEM/HR will facilitate the agreement between all parties involved Where an employee wishes to pursue a secondment opportunity with an external organisation they should approach their manager indicating that they have applied or wish to apply for an external secondment Agreement must be reached on how the secondee/placement individual's salary will be paid and which body will be responsible for meeting any additional expenses such as travel and subsistence allowances During the period of the secondment the individual s Terms and Conditions will remain the same and continue to be subject to NDCCG policies and procedures. Exceptions to this will be agreed in advance between NDCCG and the secondee/organisation. 7

43 1.2.5 Secondees are responsible for reporting any reasons for absence directly to both the external organisation and NDCCG in accordance with their own absence management policies Whilst on any secondment, employees will continue to accrue annual leave entitlements and be permitted to take annual leave to their entitlement limit with the agreement of the host organisation. Where an employee takes a period of Maternity or Adoption Leave during the course of the secondment, accrual of their annual leave entitlements will continue to apply. 1.3 Funding Arrangements Prior to the secondment taking place, the appropriate manager(s) must liaise with the Chief Finance Officer to agree who will be funding the secondment and how the payment arrangements are to be facilitated. Depending on the individual agreements it may be appropriate to submit a NDCCG change form or arrange for a debtors invoice to be raised Where the grade of the secondment post is higher than the grade of the employee s substantive post, the full salary cost will be paid by NDCCG and recovered from the host organisation. On return to NDCCG the employee will revert to their substantive grade and salary. 1.4 Working Arrangements For the duration of the secondment or work placement the individual will be required to comply with the working/cover arrangements of the department or host employer. Any agreement to exceed/reduce their contractual working hours will be subject to agreement at the initiation of the secondment and the conditions of Working Time Regulations. 1.5 Communication When a secondment is confirmed it must be agreed by all parties, that three way communication between the secondee, host organisation and the employer is maintained Any secondee from NDCCG should be kept informed of and consulted about any organisational change that takes place during their period of secondment. 1.6 Managers responsibilities For managers who are accountable for managing the secondee, it will be their responsibility to outline at the start what their objectives are for the duration of the secondment. Managers must also conduct performance reviews/appraisals in line with NDCCG policies. 1.7 Termination or Extension of Secondment A request for an extension of an existing secondment should be considered in accordance with the needs of the service, and be mutually agreed by all parties and confirmed in writing. If an extension is refused, an explanation should be given to the employee The secondment may be terminated by either party in writing within the appropriate or previously agreed notice period. 1.8 Secondment resulting in Permanent Appointment Where a full recruitment process was carried out for the secondment, the individual may be offered 8

44 the post should it become permanent If a full recruitment process was not followed then a recruitment and selection process will need to be carried out in line with the NDCCG Recruitment and Selection Policy. 2. APPEAL An employee may use the Grievance Procedure if they feel that they have been treated unfairly in relation to application of this policy. 9

45 Substance Misuse Policy 1

46 Substance Misuse Policy HR Policy: HR31 Date Issued: 1/4/2013 Date to be reviewed: Periodically or if statutory changes are require 2

47 Policy Title: Supersedes: Description of Amendment(s): This policy will impact on: Financial Implications: Policy Area: Substance Misuse Policy All previous Substance Misuse Policies New Policy for NHS North Derbyshire CCG employees All staff No change HR Version No: 2 Issued By: Author: Governance Team HR Services GEM Document Reference: Effective Date: December 2014 Review Date: November 2015 APPROVAL RECORD Committees / Groups / Individual Date Consultation: Consultative Committee Specialist Advice (if required) Governing Body Governing Body Review N/A November 2013 November 2014 Revision History Version Revisions Date 3

48 This policy has been prepared so as to reflect the law as at 1st November The policy will require periodic review to reflect subsequent changes to the law. Changes to employment law have generally been made on 1 February, 1 April and 1 October in any given year. For advice and assistance in relation to the application of this policy and to obtain updates please contact: Your line manager in the first instance or GEM Human Resources Business Partners. This policy has been prepared by North Derbyshire Clinical Commissioning Group in partnership with Beachcroft LLP and GEM Human Resources Business Partners. 4

49 Contents 1.0 POLICY STATEMENT PRINCIPLES EQUALITY STATEMENT MONITORING AND REVIEW DUE REGARD 7 7 Part 2 PROCEDURE AND INVESTIGATION 8-9 APPENDIX 1 USEFUL CONTACTS 10 5

50 1. POLICY STATEMENT 1.1 NHS North Derbyshire Clinical Commissioning Group (NDCCG) is committed to promoting the well-being of all its employees, and recognises that substance misuse cannot only affect their health but also attendance, work performance and relationships with colleagues. 1.2 The purpose of this policy is to provide managers with guidance for managing the effects of substance misuse by employees. All such matters must be handled by managers with sensitivity and in confidence, with any information being released to other parties on a "need to know" basis only. 1.3 Occupational Health will be involved at all times and other relevant parties (for example GP s, Social Services, Alcoholics Anonymous etc) where appropriate. 1.4 Useful contacts for can be found in Appendix PRINCIPLES 2.1 This policy applies to all employees and any agency or contract staff whilst they are working for NDCCG. 2.2 The misuse of any substance in the context of this policy is defined as: Behaviours resulting from the misuse of alcohol, drugs and other substances which harm or have the potential to harm the individual (both physically or mentally) and, through the individual s actions, other people and the environment. 2.3 The misuse of any substance may result in the following effects:- lateness and absenteeism; loss of productivity and poor performance; health and safety concerns; unacceptable behaviour or poor conduct; adverse effects on team morale and morale of colleagues; adverse effects on NDCCG image and customer relations. This list is not exhaustive. 2.4 No alcohol, drugs or other substances which harm or have the potential to harm should be brought into or consumed on NDCCG premises. 2.5 The consumption of alcohol or use of any substance, that may impede an employee s working capability, is prohibited. Drinking alcohol during lunch breaks is therefore not permitted. 2.6 All employees are individually responsible for taking all reasonable precautions to ensure their fitness for work. Managers may, however, periodically wish to remind employees of their individual responsibility for this. 2.7 Training and support will be provided to all Line Managers in the implementation and application of this policy. 6

51 3. EQUALITY STATEMENT NDCCG aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to socio-economic status, immigration status and the principles of the Human Rights Act. In carrying out its function, NDCCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all activities for which NDCCG is responsible, including policy development, review and implementation. 4. MONITORING & REVIEW The policy and procedure will be reviewed periodically by NDCCG with GEM CSU HR support in conjunction with Trade Union representatives. Where review is necessary due to legislative change, this will happen immediately. 5. DUE REGARD This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to: eliminate discrimination, harassment and victimisation; to advance equality of opportunity; and foster good relations. 7

52 PART 2 1. PROCEDURE AND INVESTIGATION 1.1 Substance misuse can affect the performance of staff in several ways and it may not be appropriate to deal with every situation in the same way. There may be an immediate situation requiring resolution or an ongoing performance issue to be managed. For example: an incident may occur as a result of a member of staff being under the influence of alcohol, drugs or other substances; a pattern of regular absences may emerge or a complaint may be received about a member of staff which indicates there may be a substance misuse problem; performance may gradually deteriorate over a period of time. 1.2 All employees must be fit to commence their duties and must remain so throughout their working day. If an employee is unfit or becomes unfit, in the manager s opinion, because of substance misuse, they will not be allowed to commence work or will be sent home to recover. On return to work they will be subject to a return to work interview which may, according to the circumstances, result in disciplinary action being instigated. (Please refer to the NDCCG Disciplinary Policy). 1.3 Some acts of misconduct while under the influence of any substance may be so serious that they must be considered as acts of gross misconduct rendering the employee liable to dismissal. (Please refer to NDCCG Disciplinary Policy). This will include endangering the health and safety of themselves, colleagues or other persons. 1.4 Misconduct will also include being found to be illegally in possession of, the supply of, or taking of a controlled or uncontrolled drug at work or outside of work if that has a bearing on their suitability to continue in post. 1.5 Employees who have a substance misuse problem, or who suspect they may have a problem, are encouraged to seek help either by discussing the matter confidentially with their immediate manager, or an external agency (see appendix 1), Occupational Health, GEM CSU HR or their General Practitioner. 1.6 Staff can also make a confidential self-referral to Occupational Health for help and support. Clinical details and advice to staff are kept in the strictest confidence and Occupational Health only divulge details with written agreement from the member of staff, except in cases where there may be a serious risk to that person, patients, other staff or the public. Requests for assistance will be treated in strict confidence and will no way affect the employee s job security, benefits etc. Information will only be released to third parties on a "need to know" basis. 1.7 Managers or colleagues who suspect an employee of having a substance misuse problem should discuss their suspicions with GEM CSU HR before approaching the individual. 1.8 As with any problem affecting ability to work, initial action must be taken by the line manager. It is important to identify any ongoing problem at an early stage when help can be made available. It would not normally be necessary to suspend an employee pending investigation, unless there could be a risk to themselves, a patient or another member of staff. Suspension (if necessary) must be carried out in accordance with NDCCG Disciplinary Policy. 1.9 Managers, following discussion with the employee, should refer cases of suspected or admitted substance misuse to Occupational Health. The written consent of the member of staff should normally be obtained, but if there is a serious concern and they refuse to give their consent, then a management referral should proceed Dealing in or possession of illegal substances will be reported immediately to the Police and will be managed under the NDCCG Disciplinary Policy. 8

53 1.11 Managers are encouraged to recognise that staff may be adversely affected by the drinking, drug taking or substance misuse of others. Information about internal and external sources of advice and support is available from the Occupational Health, Staff Representatives or from GEM CSU HR If an alcohol or substance misuse problem is admitted, managers should advise the member of staff what support can be provided. Consideration may need to be given to re-allocation to other duties during and after rehabilitation, depending on the circumstances. If, after help and support, the situation does not improve, the member of staff should be advised of the implications of continuing problems with their performance or behaviour or absence and should be given an indication of how the situation will be monitored and over what time scale Staff may deny having a drink or substance misuse problem. If this happens, the situation should be dealt with by making clear what improvement is required in their performance, behaviour or absence, within a stated timescale and how the situation will be monitored. The member of staff should also be advised who they can approach confidentially for help and advice. Please refer to NDCCG Attendance Matters and Disciplinary policies Following an investigation interview, if there is no improvement within the timescales given, the relevant line manager must contact Human Resources(?), who will provide further advice and support on how to proceed in accordance with NDCCG Attendance Matters and Disciplinary policies Should any individual refuse help or discontinue a programme of treatment, this should not in itself be grounds for disciplinary action. However, unacceptable behaviour and standards of work, or actions endangering patients, members of the public or other staff will be dealt with through normal disciplinary procedures. Every case will be individually considered If a programme of rehabilitation is introduced then the employee can take sick leave whilst being helped and will therefore be entitled to the benefits that accrue If an employee is required to complete a rehabilitation period in line with the Attendance Matters Policy, then normal arrangements (as outlined in that Policy) will apply. Where a rehabilitation period is attached as a sanction to a formal warning (for example reduced hours) the employee will be responsible for complying with this condition NDCCG will endeavour to offer help and assistance with any employee who has a substance misuse issue, however, it is also the responsibility of the employee to accept this help and assistance to improve their condition. If they choose not to accept this help and assistance and their condition continues to be cause for concern, disciplinary action may be considered Every effort will be made to ensure the employee returns to their job on completion of the rehabilitation programme. In cases where the employee is not considered fit to return to the same job or where doing so, may undermine recovery, efforts will be made to find suitable alternative employment. This may include, if necessary, a period of retraining If, after returning to employment during or following the rehabilitation programme there is a recurrence of the substance misuse issue, each individual case will be considered on its merits at that time. A further opportunity may be given to commence an additional rehabilitation programme if appropriate, however, disciplinary action may be considered if all avenues have been exhausted and no improvement has been made. This could include dismissal If, whilst under the influence of alcohol, drugs or other substances at work, a member of staff were to behave in a way which could be regarded as gross misconduct, for example carries out an assault, behaves indecently, causes malicious damage to property or threatens in any way the health or safety of a patient, a member of the public or another member of staff then, irrespective of whether support may also be appropriate for an underlying problem, disciplinary action will be taken which could result in dismissal. 9

54 Appendix 1- Useful Contacts: 10

55 Information Governance Management Framework 1

56 INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK Document History Document Reference: IG01 Document Purpose: The document compliments all other Information Governance policies and sets out the management arrangements for information governance in the CCG Date Approved: August 2014 Approving Committee: Information Governance Product Group Version Number: 1.4 Status: FINAL Next Revision Due: August 2015 Developed by: Information Governance, Greater East Midlands Commissioning Support Unit (GEM CSU) Policy Sponsor: Head of Information Governance Services Target Audience: All Staff within the CCG whether operating directly or providing services to other organisations under a service level agreement or joint agreement and to none executive directors, contracted third parties (including agency staff), locums, students, volunteers, trainees, visiting professionals or researchers, secondees and other staff on temporary placements within the organisation. Associated Documents: All Information Governance Policies and the Information Governance Toolkit Page 2 of 27 IG Final CCG IGMF Template October 2014 V1 4

57 Revision History Version Revision date Summary of Changes 1.0 August 2013 Revised in line with NHS England Policies and updated to reflect version 11 of the Information Governance Toolkit 1.1 August 2014 Revised in line to reflect Version 12 of the Information Governance Toolkit FINAL 1.2 August 2014 Approved at IG Product Group FINAL 1.3 September 2014 Amended not circulated FINAL 1.4 October 2014 Appendix 3 training matrix amended - circulated Policy Dissemination information Reference Title Number Information Governance Management IG01 Framework Available from Page 3 of 27 IG Final CCG IGMF Template October 2014 V1 4

58 Contents Information Governance Management Framework for North Derbyshire CCG Introduction Purpose and scope Policy Statement Senior Information Governance Management Details The CCG will: The CCG Information Governance Lead in conjunction with services provided by GEM CSU will: The SIRO will: The Caldicott Guardian will: The Information Asset Owner will: The Information Asset Owner will: Key Policies Governance Arrangements Resources Training Guidance Incident Management Equality & Diversity Impact Assessment Monitoring and Compliance Further Information or Guidance References Appendix Terms of Reference for Information Governance Committee and Information Governance Working Group CCG Information Governance Committee Appendix 2 Information Governance Operational Structure Committee Reporting Structure Appendix 3 CCG Training Needs Analysis Appendix 4 Information Governance Related Policies, Procedures & Guidance Dissemination Process Page 4 of 27 IG Final CCG IGMF Template October 2014 V1 4

59 20. Appendix 5 Clinical Commissioning Group Version 12 ( ) Requirements List Page 5 of 27 IG Final CCG IGMF Template October 2014 V1 4

60 Information Governance Management Framework for North Derbyshire CCG 1. Introduction Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit (IGT) as the organisation s Information Governance Management Framework. This Framework must be documented, approved at the most appropriate senior management level in the organisation (e.g. a member of the Executive Team) and reviewed annually. This document sets out North Derbyshire CCG s approach to embedding robust information governance throughout the CCG. The IGT is available here: A user name and password is required to access the CCG IG Toolkit Return. This policy is a standalone document and provides a summary/overview of how the CCG is addressing the IG agenda and reflects the capacity and capability of the CCG. 2. Purpose and scope The purpose of this policy is to establish employee responsibility and the rules of conduct for all members of staff regarding the CCG s information governance framework. This policy applies to all staff within the CCG whether operating directly or providing services to other organisations under a service level agreement or joint agreement. and to nonexecutive directors, contracted third parties (including agency staff), locums, students, volunteers, trainees, visiting professionals or researchers,, secondees and other staff on temporary placements within the organisation. 3. Policy Statement The Health & Social Care Information Centre (HSCIC) mandates that the Information Governance Toolkit (IGT) version 12 is completed by all organisations that commission or provide services within and to the NHS. An Information Governance Management Framework (IGMF) is required to be in place to ensure that the Information Governance agenda is owned and implemented in a structured manner. Page 6 of 27 IG Final CCG IGMF Template October 2014 V1 4

61 4. Senior Information Governance Management Details Organisational Roles & Accountability 4.1 The CCG will: Appoint an IG Lead, Senior Information Risk Owner and Caldicott Guardian. These designated roles will be reported in the CCG IG Toolkit Return under Update Information Governance Senior Management Details once appointed The roles of the Senior Information Risk Owner and Caldicott Guardian will be at Executive Board The Information Governance Lead is a senior representative in the organisation who leads and co-ordinates the information governance works programme The Accountable Officer has overall accountability and responsibility for Information Governance and is required to provide assurance through the Statements on Internal Control that all risks to the CCG, including those relating to information, are effectively managed and mitigated The Records Manager is an individual/s with clear responsibility for the management of the records of an organisation from the time they are created up to their eventual disposal. This may include naming, version control, storing, tracking, securing and destruction (or in some cases, archival preservation) of records An Information Asset Owner is a senior individual involved in running the relevant business. Their role is to understand and address risks to the information assets they own and to provide assurance to the SIRO on the security and use of those assets Information Asset Administrators are usually operational members of staff who understand and are familiar with information risks in their area or department. Information Asset Administrators ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management and ensure that information asset registers are accurate and up to date 4.2 The CCG Information Governance Lead in conjunction with services provided by GEM CSU will: Develop and maintaining comprehensive and appropriate documentation that demonstrates commitment to and ownership of IG responsibilities, e.g. an overarching high level strategy document supported by corporate and/or directorate policies and procedures Ensure that there is senior management awareness and support for IG resourcing and implementation of improvements Provide direction in formulating, establishing and promoting IG policies Establish working groups, if necessary, to co-ordinate the activities of staff given IG responsibilities and progress initiatives Page 7 of 27 IG Final CCG IGMF Template October 2014 V1 4

62 Ensure that assessment and improvement plans are prepared for approval by the senior level of management in a timely manner and in line with national reporting requirements Ensure that the approach to information handling is communicated to all staff and made available to the public Ensuring that appropriate training is made available to staff and completed as necessary to support their duties and in line with IGT requirements Liaise with other committees, working groups and programme boards in order to promote and integrate IG standards Monitor information handling activities to ensure compliance with law and guidance Provide a focal point for the resolution and/or discussion of IG issues 4.3 The SIRO will: Take ownership of the organisation s information risk policy and information risk management strategy. All key information assets will be identified and their details included in an Information Asset Register Ensure that Information Asset owners will be identified for each key information asset Ensure that all staff assigned responsibility for co-ordinating and implementing information risk management will be appropriately trained to carry out their role Ensure that Information Asset Owners carry out risk reviews of the assets for which they are accountable, the frequency of review depending upon the importance of the asset and the nature of the risk environment The SIRO will also lead and implement the information governance risk assessment and advise the Board on the effectiveness of risk management across the organisation 4.4 The Caldicott Guardian will: Be added to the National Register of Caldicott Guardians Identify the support necessary to ensure work related to confidentiality and data protection is appropriately carried out Provide a plan for the Caldicott Function of the CCG Ensure all staff assigned responsibility for co-ordinating and implementing the confidentiality and data protection work programme have been appropriately trained to carry out their role Identify the work necessary to provide Confidentiality and Data Protection Assurance Be a senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. Page 8 of 27 IG Final CCG IGMF Template October 2014 V1 4

63 4.5 The Information Asset Owner will: Identify and document the scope and importance of all Information Assets they own. This will include identifying all information necessary in order to respond to incidents or recover from a disaster affecting the Information Asset. Take ownership of their local asset control, risk assessment and management processes for the information assets they own. This includes the identification, review and prioritisation of perceived risks and oversight of actions agreed to mitigate those risks. Provide support to the organisation s SIRO and Risk Management Board to maintain their awareness of the risks to all Information Assets that are owned by the organisation and for the organisation s overall risk reporting requirements and procedures. Ensure that staff and relevant others are aware of and comply with expected IG working practices for the effective use of owned Information Assets. This includes records of the information disclosed from an asset where this is permitted. Provide a focal point for the resolution and/or discussion of risk issues affecting their Information Assets. Ensure that the organisation s requirements for information incident identification, reporting, management and response apply to the Information Assets they own. This includes the mechanisms to identify and minimise the severity of an incident and the points at which assistance or escalation may be required. Foster an effective IG culture for staff and others who access or use their Information Assets to ensure individual responsibilities are understood, and that good working practices are adopted in accordance with the organisation s policy. 4.6 The Information Asset Owner will: Ensure that policies and procedures are followed when using an information asset Recognise actual or potential security incidents Consult their IAO on incident management Assist the IAO to ensure that information asset registers are accurate and up to date, for example by reporting when an information asset they use is no longer required. 5. Key Policies The CCG via Greater East Midlands Clinical Commissioning Unit (GEMCSU) will provide the following policies (or equivalent) to set out scope and intent in terms of embedding Information Governance processes throughout the Organisation: Page 9 of 27 IG Final CCG IGMF Template October 2014 V1 4

64 An Overarching Information Governance Policy A Confidentiality and Data Protection Policy An Information Security Policy A Corporate Governance Policy (which covers FOI) An Information Lifecycle Management Policy (Records Management and Information Quality) In particular the CCG will implement policies as required to support confidentiality, Security and records management process in addition to this Information Governance Management Framework 6. Governance Arrangements The following governance arrangements have been agreed: The CCG Governing Body will receive periodic assurance that management and accountability arrangements are adequate and are informed in a timely manner of future changes in the IG agenda by IG updates within the corporate report. The CCG will be represented at the Derbyshire Clinical Commissioning Group Information Governance Committee (CCG IGC) and the Derbyshire Information Governance Working Group. The Risk and Governance Committee (or equivalent) of the CCG will have responsibility for the Information Governance Agenda supported by identified senior roles i.e. Caldicott Guardian, SIRO, and IG Lead. Under a service level agreement, the CCG will obtain Information Governance Support through the GEMCSU. Responsibility and accountability for Information Governance will be cascaded through the organisation via staff contracts, contracts with third parties, Information Asset Owner arrangements and departmental leads. Key information governance messages will be developed by GEMCSU through a Service Level Agreement and made available to the CCG for onward dissemination. 7. Resources Key staff involved in the Information Governance Agenda, below those at Executive Team level, will be provided to the CCG through a Service Level Agreement between the CCG and GEMCSU. 8. Training Guidance Staff need clear guidelines on expected working practices and on the consequences of failing to follow policies and procedures. Page 10 of 27 IG Final CCG IGMF Template October 2014 V1 4

65 The approach to ensuring that all staff receive training appropriate to their roles will be detailed and provided by GEMCSU through a Service Level Agreement with the CCG. Information Governance Services will assist the CCG in achieving 95% take up of mandatory information governance training and advise/manage staff to undertake further specialist information governance training as required. Mandatory annual Information Governance Training should be completed by all third party contractors. Training will also be made available via the HSCIC e-learning site (at August 2014 still hosted at): 9. Incident Management Clear guidance on incident management procedures will be documented and staff will be made aware of their existence, where to find them and how to implement them through a Service Level Agreement between the CCG and GEMCSU. All incidents will be reported via the CCG Information Governance Group (or equivalent) on a bi-monthly basis. 10. Equality & Diversity Impact Assessment None required. 11. Monitoring and Compliance The IGMF will be reviewed at least annually in line with IG Toolkit requirements or amended as required to reflect changes in organisational ownership. 12. Further Information or Guidance Contact Information Governance (IG) Services/GEMCSU on or or or Debbie.Pallant@gemcsu.nhs.uk, Brownyn.Jackson@gemcsu.nhs.uk, Karen.McBride@gemcsu.nhs.uk Debbie Pallant GEM CSU IG North Consultant Bronwyn Jackson GEM CSU IG Officer Karen McBride GEM CSU IG Project Officer 13. References NHS Code of Confidentiality: The IG Toolkit. bfb6-4f8f-9dc2-27aea4159c93&lnv=2&clnav=yes Page 11 of 27 IG Final CCG IGMF Template October 2014 V1 4

66 Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents (Gateway reference 13177): NHS Information Risk Management The Caldicott Review: Information Governance in the Health and Social Care System Page 12 of 27 IG Final CCG IGMF Template October 2014 V1 4

67 14. Appendix 1 Terms of Reference for Information Governance Committee and Information Governance Working Group 1. Remit and purpose of the Committee CCG Information Governance Committee Terms of Reference 15. Information governance is a key component of the clinical and corporate assurance framework and can be defined as: providing a framework for handling personal and sensitive information in a confidential and secure manner appropriate to ethical and quality standards in a modern health service. (Connecting for Health) The purpose of the CCG Information Governance Committee (CCG IGC) (using delegated authority from the relevant authorising committee See addendum) is to: 1.1. be the organisational focal point for information governance issues (and their resolution), providing advice, reports and recommendations to the relevant CCG authorising committee Accountable Officer, Clinical Commissioning Group Governing Body as required monitor the organisational management accountability, compliance arrangements and availability of specialist staff/resources for Information Governance, taking into account national programmes and compliance requirements e.g. Operating Framework, Information Governance Toolkit and making recommendations to the relevant CCG committee as appropriate. 2. Accountability Overall accountability for Information Governance lies with the Accountable Officer and the CCG Governing Bodies, delegated through the role of the Senior Information Risk Officers (SIRO). The CCG Information Governance Committee makes recommendations which need to be approved by the individual CCG governance process. Accountability for operational delivery lies with the CCG Information Governance Lead reporting to the CCG Information Governance Committee, and SIRO who is responsible for day to day management and delivery of the function. 3. Membership Representation from Erewash CCG, Hardwick CCG, North Derbyshire CCG and Southern Derbyshire CCG, including: CCG Caldicott Guardian (x4) CCG Senior Information Risk Officer (x4) Page 13 of 27 IG Final CCG IGMF Template October 2014 V1 4

68 CCG Information Governance Lead (x4) Representation from Greater East Midlands Commissioning Support Unit (GEM CSU) GEM CSU Information Governance Consultant GEM CSU Information Governance Officers Members of the GEM CSU Information Governance Team when required. Other members may be invited to attend the Committee as required e.g. HR representative, Communications representative, representatives from Public Health, Commissioning etc. Deputising Arrangements All members can nominate a representative to attend in their absence but the representative must have sign off authority for policies and committee decisions. In the absence of the relevant CCG Caldicott Guardian the SIRO will sign off and obtain retrospective Caldicott Guardian approval. Quorum Arrangements One of the following, plus two other members of the Committee need to be present in order for the CCG IGC to be quorate: Caldicott Guardian SIRO GEM CSU Information Governance representative Chair of Committee: Southern Derbyshire CCG SIRO Deputy Chair: Hardwick CCG SIRO In the event of neither of these members being available a temporary Chair will be elected from those members present. 4. Functions & Responsibilities i. To ensure that a consistent approach is applied to adoption of information governance, information security and records management standards and legislation across the CCGs, independent practitioners and commissioned service providers. ii. iii. iv. To oversee the formulation, implementation and monitoring of compliance of the Information Governance Strategy and Framework for the CCGs. To work proactively to ensure that that the CCGs meet all NHS and legal requirements relating to information governance. This includes compliance with the NHS Information Governance Toolkit standards and submission of organisational assessments. To be the body which assures that all new processes, services and information systems are developed and implemented in a secure and structured manner, comply with Information Governance security accreditation, information quality, confidentiality and data protection requirements. v. To develop and recommend policies (and monitor user compliance) to meet information governance requirements affecting the Clinical Commissioning Groups for ratification though the relevant CCG authorising body. Policies approved by Committee will be reported to the relevant authorising committee for ratification. Page 14 of 27 IG Final CCG IGMF Template October 2014 V1 4

69 vi. vii. viii. ix. To review incidents, near misses and complaints relating to information governance to enable lessons learnt, share outcomes, and make recommendations where compliance with requirements have been breached or jeopardised. Such investigations will comply with national NHS Guidelines, the CCG Incident Reporting policy and ISO To authorise programmes of risk assessments and audits relating to information governance, security and confidentiality; review results and make recommendations to the relevant authorising committee. To provide expertise and advice and to make recommendations relating to information access requests received by the CCGs. Specifically, to make recommendations to the Accountable Officer on the disclosure of information (under the terms of the Data Protection, Freedom of Information Acts or Environmental Information Regulations and associated legislation e.g. Human Rights or Access to Health Records Acts) where the issues are complex and possibly contentious. To develop and approve suitable information sharing protocols for all organisations involved in routinely and regularly sharing information with the CCGs. x. To provide advice and recommendations relating to records management requirements, procedures and practices. xi. xii. xiii. xiv. xv. xvi. xvii. xviii. To oversee the formulation, ratification, implementation and monitoring of policies and procedures to ensure that the organisations have the capability of meeting NHS and statutory Information Governance requirements. To develop, implement and monitor the annual Information Governance Improvement plan and approve the Information Governance Toolkit submissions. To liaise with Information Governance related groups at local and national levels as appropriate e.g. EM SIGN etc. To develop solutions and implementation programmes (including training and awareness raising) to ensure that the CCGs comply with developing information governance requirements. To liaise with independent monitors e.g. Internal/External Audit, NHS Litigation Authority and to oversee the implementation of recommendations and action plans as required. To ensure that tailored staff awareness and training programmes are in place and delivered for information governance meeting national requirements. To provide support and advice to the organisation information governance specialists as requested or required. To communicate to staff and the population served by the CCGs, the organisations approaches to information handling. 5. Reporting arrangements The CCG IGC is accountable to the relevant individual CCG authorising committees. The CCG IGC will provide minutes of meetings and regular reports (including an Annual Report) to the relevant authorising committee in accordance with the agreed reporting schedule. Page 15 of 27 IG Final CCG IGMF Template October 2014 V1 4

70 It is the responsibility of the individual CCG IGC Committee members to forward any relevant reports and meeting minutes to the appropriate CCG Governing Bodies. 6. Frequency of meetings The Information Governance Committee will meet on a bi-monthly basis with additional meetings as required to meet its responsibilities. 7. Review These Terms of Reference will be reviewed at least annually by the Information Governance Committee or sooner if required to ensure that the Committee is carrying out its functions effectively. Page 16 of 27 IG Final CCG IGMF Template October 2014 V1 4

71 Addendum List of Relevant Authorising Committees. Erewash CCG Hardwick CCG North Derbyshire CCG Southern Derbyshire CCG Governance, Finance and Performance Committee Hardwick CCG Governing Body North Derbyshire CCG Governing Body Assurance Committee Southern Derbyshire CCG Governing Body Page 17 of 27 IG Final CCG IGMF Template October 2014 V1 4

72 CCG Information Governance Working Group 1. Remit and purpose of the group Terms of Reference 16. Information governance is a key component of the clinical and corporate assurance framework and can be defined as: providing a framework for handling personal and sensitive information in a confidential and secure manner appropriate to ethical and quality standards in a modern health service. (Connecting for Health). Greater East Midlands Commissioning Support Unit (GEM CSU) provides Information Governance support, advice and expertise to the Derbyshire CCGs through the IG Services team. The team link into each Clinical Commissioning Group through an operational IG lead. The purpose of the IG Working Group is to: 3.1. be the operational focal point for CCG IG leads and GEM CSU IG leads to discuss information governance issues (and their resolution), including discussion of queries and incident monitoring, providing advice and recommendations to the CCG Information Governance Committee as required monitor the operational accountability and availability of CCG staff/resources for Information Governance, taking into account national programmes and compliance requirements e.g. Operating Framework, Information Governance Toolkit and making recommendations to the CCG Information Governance Committee as appropriate ensuring compliance with the CCG Information Governance Toolkit and evidence gathering, including exception reporting to the CCG Information Governance Committee as appropriate act as the forum for dissemination of information from the GEM CSU IG team to the CCGs. 2. Accountability GEM CSU hosts the Information Governance Working Group meetings on behalf of the Derbyshire CCGs. Overall accountability for Information Governance lies with the CCG Chief Officer, delegated through the role of the Senior Information Risk Officer (SIRO). Page 18 of 27 IG Final CCG IGMF Template October 2014 V1 4

73 Accountability for operational delivery lies with the CCG Information Governance lead reporting to the CCG SIRO, who is responsible for day to day management and delivery of the function. IG advice and expertise is provided to the CCG through the GEM CSU IG Services team who will liaise with the SIRO, Caldicott Guardian and IG lead/link as appropriate. 3. Membership GEM CSU North Information Governance Consultant GEM CSU Information Governance Officers Members of the GEM CSU Information Governance Team when required. CCG Information Governance Leads CCG Governance Officers Other members will be co-opted to the Committee as required. Deputising Arrangements All members may nominate a representative to attend in their absence. Quorum Arrangements Two CCG Information Governance leads, plus two other members of the GEM CSU Information Governance team need to be present in order for the Group to be quorate: Chair of Group: GEM CSU North IG Consultant Deputy Chair: GEM CSU IG Team member In the event of neither of these members being available a temporary Chair will be elected from those members present. 4. Functions & Responsibilities xix. xx. xxi. xxii. To support the formulation, implementation and monitoring of compliance of the Information Governance Strategy and Framework for the CCG. To work proactively to ensure that that the CCG meets all NHS and legal requirements relating to information governance. This includes compliance with the NHS Information Governance Toolkit standards and submission of organisational assessments. To support the development, implementation and monitoring of the annual CCG Information Governance Improvement plan. To liaise with Information Governance related groups at local and national levels as appropriate. Page 19 of 27 IG Final CCG IGMF Template October 2014 V1 4

74 xxiii. xxiv. xxv. To support solutions and implementation programmes (including training and awareness raising) to ensure that the CCG complies with developing information governance requirements. To support the implementation of tailored staff awareness and training programmes for information governance meeting national requirements. To monitor and review the CCG Risk Registers, ensuring risks are appropriately forwarded to the CCG Corporate Risk Register. 5. Reporting arrangements The group reports to the CCG Information Governance Committee. The minutes of the meeting and regular reports are submitted to the CCG Information Governance Committee meetings. 6. Frequency of meetings The CCG Information Governance Working Group will meet on a monthly basis with additional meetings as required to meet its responsibilities. Page 20 of 27 IG Final CCG IGMF Template October 2014 V1 4

75 15. Appendix 2 Information Governance Operational Structure Accountable Officer Caldicott Guardian SIRO IG Lead Records Manager Information Asset Owner s Information Asset Administrator s GEMCSU IG Lead Page 21 of 27 IG Final CCG IGMF Template October 2014 V1 4

76 16. Committee Reporting Structure Addendum List of Relevant Authorising Committees. Erewash CCG Hardwick CCG North Derbyshire CCG Southern Derbyshire CCG Governance, Finance and Performance Committee Hardwick CCG Governing Body North Derbyshire CCG Governing Body Assurance Committee Southern Derbyshire CCG Governing Body Page 22 of 27 IG Final CCG IGMF Template October 2014 V1 4

77 17. Appendix 3 CCG Training Needs Analysis Job Role Introduction to IG (Year 1) IG-Refresher Module (Years 2 & 3) The Caldicott Guardian in the NHS & Social Care NHS Information Risk Management for SIROs & IAOs NHS Information Risk Management - Introductory NHS Information Risk Management - Foundation Password Management Information Security Guidelines Patient Confidentiality IG Lead Mandatory Mandatory Recommended Recommended Recommended Recommended Optional Recommended Optional Caldicott Guardian Mandatory Mandatory Mandatory Recommended Optional Optional Optional Optional Recommended SIRO Mandatory Mandatory Recommended Mandatory Recommended Mandatory Optional Recommended Optional IAO & IAA Mandatory Mandatory Optional Mandatory Recommended Mandatory Optional Optional Optional Records Manager Mandatory Mandatory Optional Optional Optional Optional Optional Optional Optional Admin/Clerical Mandatory Mandatory Optional Optional Optional Optional Optional Optional Optional 23

78 Job Role Access to Health Records Records Management and the NHS Code of Practice Records Management in the NHS Secure Transfers of Personal Data Business Continuity Management NEW-Access to Information & Information Sharing in the NHS - NEW-Secure Handling Confidential Information of NEW- Information Security Management IG Lead Optional Optional Optional Optional Recommended Recommended Optional Optional Caldicott Guardian Optional Optional Optional Optional Optional Recommended Recommended Optional SIRO Optional Optional Optional Optional Optional Optional Optional Optional IAO & IAA Optional Optional Optional Optional Optional Optional Optional Optional Records Manager Recommended Recommended Optional Optional Optional Optional Optional Optional Admin/Clerical Optional Optional Optional Optional Optional Optional Optional Optional Page 24 of 27 IG Final CCG IGMF Template October 2014 V1 4

79 18. Appendix 4 Information Governance Related Policies, Procedures & Guidance Name of Policy Corporate Information Security Policy Confidentiality & Data Protection Policy Data Protection Policy Data Quality Policy Policy Freedom of Information (FOI) Policy Incident Reporting Policy Information Governance Management Framework (IGMF) Information Governance Policy Information Lifecycle Policy (including information quality) Information Risk Policy Information Security Policy IT Acceptable Use Policy Network Security Policy Records Management Policy Policy Approval Date Approving Body/Individual Name of Procedure Confidentiality Audit Process Electronic Remote Working Guidance (see IG Briefing Pack/Handbook Incident Reporting Procedure Mobile Working Procedure Privacy Impact Assessment (PIA) Procedure Safe Haven Procedure Subject Access Request (SAR) Procedure Local Guidance Fair Processing Notice Privacy Notice Staff Code of Conduct Procedure Approval Date Approval Date Approving Body/Individual Approving Body/Individual 25

80 19. Dissemination Process All the above policies and procedural documentation will be disseminated to staff by the North Derbyshire CCG Intranet. 20. Appendix 5 Clinical Commissioning Group Version 12 ( ) Requirements List Req No Description Information Governance Management There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained Confidentiality and Data Protection Assurance The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation s assessed needs Staff are provided with clear guidance on keeping personal information secure, on respecting the confidentiality of service users, and on the duty to share information for care purposes Personal information is only used in ways that do not directly contribute to the delivery of care where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected There are appropriate procedures for recognising and responding to individuals requests for access to their personal data There are appropriate confidentiality audit procedures to monitor access to confidential personal information All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements Individuals are informed about the proposed uses of their personal information Information Security Assurance The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation s assessed needs A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed There are established business processes and procedures that satisfy the organisation s obligations as a Registration Authority IG Final CCG IGMF Template October 2014 V1 4 Page 26 of 27

81 Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use Operating and application information systems (under the organisation s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems An effectively supported Senior Information Risk Owner takes ownership of the organisation s information risk policy and information risk management strategy Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service - specific measures are in place Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely Policy and procedures ensure that mobile computing and teleworking are secure There are documented incident management and reporting procedures All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate Clinical Information Assurance The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements IG Final CCG IGMF Template October 2014 V1 4 Page 27 of 27

82 Information Governance Policy Page 1 of 11 Information Governance Policy version 2.0 August 2014

83 Document History Document Reference: Document Purpose: Information Governance Policy IG02 Date Approved: August 2014 An Information Governance Policy is a statement of the organisations approach and intentions to fulfilling statutory and organisational responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and the organisations aims and objectives Approving Committee: Information Governance Product Group Version Number: 2.0 Status: FINAL Next Revision Due: July 2016 Developed by: Policy Sponsor: Target Audience: Associated Documents: Revision History Information Governance, Greater East Midlands Commissioning Support Unit (GEM CSU) Head of Information Governance Services The procedure applies to all permanent, temporary staff and secondees of the CCG. All Information Governance Policies and the Information Governance Toolkit Version Revision Summary of Changes date 1 July 2013 Amended in line with Caldicott Review and CCG Information Governance Toolkit version July 2014 Review for CCG comments and in line with version 12 of the IG Toolkit 1.2 August 2014 Review at IG Product Group and approval as FINAL. Policy Distribution and Implementation Reference Title Available from Number IG02 Information Governance Policy North Derbyshire CCG Intranet Information Governance Policy version 2.0 August 2014 Page 2 of 11

84 Contents Number Page 1. Introduction 4 2. Policy Statement 4 3. Scope 4 4. Organisational Responsibility under the Policy 5 5. Governance 5 6. Information Governance Strategy 6 7. Roles and Responsibility 6 8. Use of Information 7 9. Openness Legal Compliance Information Security Information Quality Assurance Equality and Diversity 9 14 Due Regard 9 15 Monitoring Compliance and Effectiveness, Auditing and Reviewing 9 16 Review and revision of the Policy Training References 10 Information Governance Policy version 2.0 August 2014 Page 3 of 11

85 1 Introduction 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management. 1.2 It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability provide a robust governance framework for information management. 1.3 The Information Governance (IG) framework for health and social care is formed by those elements of law and policy from which applicable information governance standards are derived, and the activities and roles which individually and collectively ensure that the set standards are clearly defined and met. 2 Policy Statement 2.1 An Information Governance Policy is a statement of an organisation s approach and intentions to fulfilling its statutory and organisational responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and the organisation s aims and objectives. 2.2 This document sets out the high level principles across NHS North Derbyshire Clinical Commissioning Group (CCG) for confidentiality, integrity and availability of information (information governance) to promote and build a level of consistency across the community on these principles. Information Governance is defined as: the structures, policies and practice of the DH, the NHS and its suppliers to ensure the confidentiality and security of all records, and especially patient records and to enable the ethical use of them for the benefit of individual patients and the public good. ( Information Governance in the Department of Health and the NHS, 2006) 2.3 Failure by any employee of North Derbyshire CCG to adhere to corporate policy and its associated procedures and guidelines will be viewed as a serious matter and may result in disciplinary action. 3 Scope 3.1 It is the responsibility of North Derbyshire CCG Directors, Assistant Directors, Heads of Service and Senior Managers to ensure that the Information Governance Policy is brought to the attention of all staff and that staff have appropriate training on information security and confidentiality on induction and annually thereafter. 3.2 The Information Governance Policy is supported by a range of corporate policies covering the key areas of Information Governance: Confidentiality and Data Protection Information security and risk Information lifecycle management including records management and information quality Corporate governance including requirements under the Freedom of Information Act Page 4 of 11 Information Governance Policy version 2.0 August 2014

86 The Information Governance Management Framework details the arrangements for compliance with the legal and national regulatory framework. 3.3 This policy covers all aspects of processing activities that relate to (but is not limited to): Patient/client/service user information Staff and personnel information Organisational, business and operational information Research, audit and reporting information 4 Organisational responsibility under the Policy 4.1 North Derbyshire CCG fully supports the principles of Corporate Governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal confidential information about patients and staff and business sensitive information. 4.2 The CCG also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest. 4.3 The CCG believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to ensure and promote the quality of information and to actively use information in decision-making processes. 4.4 The CCG will sustain a robust Information Governance Framework by: Demonstrating compliance with the key IG standards through achievement of at least level 2 performance in the requirement within the NHS IG Toolkit and ensuring plans are in place to progress beyond this minimum where it has been achieved; Mandating all staff to complete basic IG training annually appropriate to their role through the online NHS IG Training Tool or other method approved by the Department of Health; Continuing to report on the management of the information risks in statements of internal controls and to include details of data loss and confidentiality breach incidents in annual reports; 4.5 North Derbyshire CCG aims to ensure organisations contracted to deliver services also achieve a compliant information governance standard (IG Toolkit compliance). This includes commissioned services delivering both clinical and non-clinical services. 5 Governance 5.1 Whilst North Derbyshire CCG recognises its accountability for Information Governance, the CCG s strategy is to use the services of the Greater East Midlands Commissioning Support Unit (GEM CSU) to deliver specialised information governance advice and expertise. 5.2 Service providers (GEM CSU) will be responsible for delivering a robust IG support service which provides a full range of expert advice, guidance, training and support in data protection and confidentiality, information risk management, security, data quality, information management. Information Governance Policy version 2.0 August 2014 Page 5 of 11

87 5.3 Provider performance will be monitored through contracts and service level agreements as outlined in the agreed management arrangements. 5.4 Reporting from GEM CSU will be in accordance with Service Specification. 6 Information Governance Strategy/Improvement Plan 6.1 North Derbyshire CCG has an associated Information Governance Management Framework (IGMF) which details the way that the CCG will deliver against the national and legal information governance requirements. This document provides a summary/overview and sets out an overarching framework for the strategic Information Governance agenda at the CCG and is supported by an Information Governance improvement plan, which is monitored by the Information Governance Working Group or equivalent. 7 Roles and Responsibilities Overall accountability across the organisation lies with the Accountable Officer who has overall responsibility for establishing and maintaining an effective information governance assurance framework for meeting all statutory requirements and adhering to guidance issued in respect of procedural documents. All staff must adhere to CCG policies and procedures relating to the processing of personal information. All staff members are responsible for maintaining compliance with the Data Protection Principles and for reporting non-compliance through the CCG incident reporting process. 7.1 Senior Information Risk Owner (SIRO) The SIRO will take overall ownership of the organisation s information risk policy; act as champion for information risk on the Board and provide written advice to the Accounting Officer on the content of the organisation s statement of internal control in regard to information risk; understand how the strategic business goals of North Derbyshire CCG may be impacted by information risks, and how those risks may be managed; implement and lead the NHS information governance risk assessment and management processes within North Derbyshire CCG; advise the Board on the effectiveness of information risk management across North Derbyshire CCG; and receive training as necessary to ensure they remain effective in their role as SIRO. The SIRO will be supported in this role by the IG team in GEM. 7.2 Caldicott Guardian 1 The Caldicott Guardian acts as the conscience of an organisation, actively supporting work to facilitate and enable information sharing, advising on options for lawful and ethical processing of information as required. The Guardian will: ensure that North Derbyshire CCG satisfies the highest practical standards for handling patient identifiable information; Information Governance Policy version 2.0 August 2014 Page 6 of 11

88 facilitate and enable information sharing and advise on options for lawful and ethical processing of information; represent and champion information governance requirements and issues at Board level; ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff; and oversee all arrangements, protocols and procedures where confidential patient information may be shared with external bodies both within, and outside North Derbyshire CCG. The Caldicott Guardian will be supported in this role by the IG Team in GEM. 7.3 Information Assets Information Asset Owners (IAO) will: lead and foster a culture that values, protects and uses information for the benefit of patients; know what information comprises or is associated with the asset, and understands the nature and justification of information flows to and from the asset; know who has access to the asset, whether system or information, and why, and ensures access is monitored and compliant with policy; and understand and address risks to the asset, and providing assurance to the SIRO. Information Asset Administrators, or equivalents, will be appointed. These are operational staff with a day to day responsibility for managing risks to their information asset. 7.4 Line Managers 7.5 Staff Line managers will take responsibility for ensuring that the information governance policy is implemented within their group or directorate. It is the responsibility of each employee to: o adhere to the policy. o complete annual information governance training. o report any information incidents through the incident recording mechanism. All staff must make sure that the organisation s information systems are used and operated appropriately and as set out in the standard operating procedures of the organisation. 8 Use of Information North Derbyshire CCG recognises that as a Clinical Commissioning Group it does not have legal rights to personal confidential data for commissioning purposes and will use anonymised, pseudonymised and aggregated data for that purpose. 8.1 The CCGs will: proactively use information within the organisation and with partner Information Governance Policy version 2.0 August 2014 Page 7 of 11

89 9 Openness agencies, both for the care of service users and for service management as determined by law, statute and best practice; put in place effective arrangements to ensure the confidentiality, security and quality of personal confidential information and other sensitive information; ensure information within the organisation is of the highest quality in terms of completeness, accuracy, relevance, accessibility and timeliness. 9.1 Non-confidential information on the CCG and its services should be available to the public through a variety of media, in line with the CCGs code of openness. 9.2 All members of staff working within the CCGs are bound by the Common Law Duty of Confidentiality, in addition to their contract of employment, code of professional practice or other applicable ethical standards and as such, can be held personally liable for any breaches of confidentiality. If service user confidentiality is breached, this may lead to disciplinary action, a personal fine, and/or employees can be held personally responsible for a civil action. 9.3 North Derbyshire CCG will establish and maintain policies to ensure compliance with the Freedom of Information Act (2000). A Publication Scheme will be maintained in line with the Information Commissioner s Office (ICO) model Publication Scheme and this is available for all service users on each CCG Internet site. This will be maintained and updated frequently in line with the guidance. 9.4 Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients. This information will inform patients of the use of their information, which agencies their information will be shared with and the circumstances where explicit consent will be sought. 9.5 The CCG will, where there is a defined purpose (or set of) that are beneficial and justifiable, sign up to information sharing protocols with partner organisations, provided these protocols are set out within the boundaries of applicable legislation and regulation and do not compromise the organisation or the confidentiality of the personal/sensitive data that it holds. 10 Legal Compliance 10.1 The CCGs regard all personal confidential information relating to staff and service users as confidential except where national policy on accountability and openness requires otherwise The CCGs will establish and maintain policies to ensure compliance with the Data Protection Act 1998, Human Rights Act and the Common Law Duty of Confidentiality The CCGs will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act. 11 Information Security 11.1 The CCGs will promote effective confidentiality and security practice to its staff through policies, procedures and training. Contractual arrangements with third Information Governance Policy version 2.0 August 2014 Page 8 of 11

90 parties and suppliers will include agreement on the classification of confidentiality, and how this will be applied. This will ensure the CCGs maintain the security of organisational information processing facilities and information assets, 11.2 CCG staff will be trained in the use of systems and procedures, to ensure the quality and appropriate handling of information, in order to minimise risks to the organisation from poor information governance Guidance from the Department of Health (DH) states specifically that no patient/person information should be held on any mobile devices unless the device is encrypted to the approved standard. This includes data held on USB memory sticks, CD-ROM, DVD, and mobile phones. Safe Haven Procedures will be implemented for the secure transfer of any person identifiable information. 12 Information Quality Assurance 12.1 The CCGs will establish and maintain policies and procedures for information quality assurance and the effective management of records and will promote information quality and effective records management through policies, procedures, user manuals and training Managers are expected to take ownership of, and seek to improve, the quality of information within their services 13 Equality and Diversity The CCG aims to design and implement policy documents that meet the diverse needs of the services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act In carrying out its functions, the CCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all the activities for which the organisation is responsible, including policy development, review and implementation. 14 Due Regard 14.1 This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations. 15 Monitoring compliance and effectiveness, auditing arrangements 14.1 Compliance with the Information Governance Assurance Framework will be assessed by the annual completion of the Information Governance Toolkit. Formal reports will be provided to the Governing Bodies (or delegated authority) for sign off prior to submission. Information Governance Policy version 2.0 August 2014 Page 9 of 11

91 14.2 The CCG will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. As part of the training and awareness programme, employees and third party contractors will also be made aware of definitions of incidents/weaknesses and the process for dealing with them. 16 Review and revision arrangements 16.1 This policy will be reviewed as per the review data on the policy front sheet; however it will be reviewed particularly where it is affected by major internal or external changes such as: Legislation Practice change or change in system/technology Changing methodology 17 Training Requirements 17.1 Users will be trained in the use of systems and procedures to ensure the quality and appropriate handling of confidential information, in order to minimise risks to the organisation from poor information governance All staff will receive mandatory induction training covering all aspects of Information Governance and annual refresher updates using the NHS Health and Social Care Information Centre e-learning tool where applicable. Awareness raising of the key information governance principles will be implemented through regular team briefings, team meetings and awareness raising sessions A staff Code of Conduct for Information Security and Confidentiality will be updated annually and be available to all staff via the Intranet and in hard copy where applicable. This gives staff the key points regarding confidentiality and information security and best practice guidance Staff with key roles (eg SIRO/Caldicott Guardian/Information Asset Owner) will undertake annual training relevant to their role. 18 References NHS Information Governance: Guidance on Legal and Professional Obligations Handbook to the NHS Constitution /handbook-to-the-nhs-constitution.pdf Confidentiality: NHS Code of Practice The Information Governance Toolkit. NHS Care Record Guarantee Information Governance Policy version 2.0 August 2014 Page 10 of 11

92 Information Security Management: NHS Code of Practice Records Management Code of Practice (produced under S46 of the Freedom of Information Act 2000) Caldicott Guardian Manual Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents (Gateway reference 13177) NHS Information Risk Management The Caldicott Review: Information Governance in the Health and Social Care System Information Governance Policy version 2.0 August 2014 Page 11 of 11

93 LEGISLATION There are 8 Data Protection Principles (Data Protection Act 1998) which the CCG must adhere to. Data must be: 1 Fairly and lawfully processed 2 Used only for specified and lawful purposes 3 Adequate, relevant and not excessive 4 Kept accurately and up to date 5 Not kept for longer than necessary 6 Processed in accordance with the rights of the data subject, including rights of access 7 Kept securely and protected against accidental disclosure, loss or damage 8 Not transferred to countries without adequate data protection legislation Common Law Duty of Confidence Information given or received in confidence, obtained for one purpose, must not be disclosed or used for another purpose without the consent of the provider of the information Article 8 HUMAN RIGHTS ACT 1998 Everyone has the right to respect for his private and family life, home and correspondence. It is unlawful for a public authority to act in a way that is incompatible with a Convention right. The NHS Care Record Guarantee The NHS Care Record Guarantee sets out the rules that govern how patient information is used in the NHS and the control the patient can have over this. It looks at an individual s rights of access to their own information, how information will be shared and how decisions on sharing information will be made. Everyone who works for the NHS must comply with this guidance. FOR FURTHER ADVICE OR INFORMATION CONTACT: Information Governance Lead Suzanne Pickering Caldicott Guardian Jayne Stringfellow Senior Information Risk Owner (SIRO) Mark Smith USEFUL WEBSITES department-of-health North Derbyshire CCG Nightingale Close Off Newbold Road Chesterfield S407PF * Acknowledgement : Adapted with kind permission from Lisa Welbourne, Derbyshire Mental Health Trust Version 1.2 August 2014 Review August 2015 Staff Code of Conduct Information Security and Confidentiality of Personal Confidential Information

94 INTRODUCTION All employees of the CCG are responsible for maintaining confidentiality of staff and patients, and this duty of confidentiality is written into employment contracts. Under normal circumstances staff do not have access to personal confidential data however where that is required as part of their role, and where there is a legal basis for handling the data, staff should ensure the basic principles of Data Protection and Caldicott are upheld. Accessing data that is not needed to carry out work or passing data to someone who is not authorised to receive it is a breach of confidentiality which could result in disciplinary action. Serious breaches of the Data Protection Act 1998 may result in monetary penalties from the Information Commissioners Office (ICO). The Caldicott Principles The Information Governance Review March 2013 built on the previous Caldicott Report to look at the balance between safeguarding patients sensitive information and encouraging responsible information sharing. It resulted in a few amendments to the principles and the addition of a further principle : 1. Justify the purpose for using personal confidential data 2. Do not use personal confidential data unless it is absolutely necessary 3. Use the minimum necessary personal confidential data 4. Access to personal confidential data should be on a strict need-to-know basis 5. Everyone with access to personal confidential data must be aware of their responsibilities 6. Every use of personal confidential data must be lawful 7. The duty to share information can be as important as the duty to protect patient confidentiality. The term personal confidential data refers to any information held about an individual who can be identified from that information. For example, name, address, postcode, NHS number, etc. Any personal confidential data, non-clinical or clinical, must be treated as confidential. BASIC PRINCIPLES Any personal confidential data given for one purpose must not be used for another purpose without the consent of the individual concerned. An individual s right to confidentiality is protected by ethics and law. Individuals using CCG services or employed by the CCG have a legal right to know what data is being collected and why, as well as the purposes for sharing that data. An individual has the right to choose whether or not to disclose their personal data and can change their decision at any point. In some circumstances they have a right to choose how their personal data may be used or who is allowed to see it. Every member of staff has an obligation to protect confidentiality and a duty to verify the authorisation of another individual requesting data. This ensures data is only passed on to those who have a legal right to see it. All staff should understand their responsibility to protect the confidential data they collect and follow the rules and guidance available to them. The rules are there to protect both the service user and staff from breaches of confidentiality. However, rules should not be applied so rigidly that they are impractical to follow or detrimental to the health and social care of the individual concerned. CONSENT To be valid, consent must be given voluntarily and freely. A patient must be fully informed and know what the proposed use or disclosures of their personal data will be. Explicit consent must always be sought from a patient in order to use their personal data in ways that do not directly contribute to their healthcare. It may be lawful in certain circumstances to share personal data without consent (such as investigating serious crime, safeguarding children, or justified in the public interest). For further advice see the CCG policies and procedures. All reasonable care should be taken to protect the physical security of confidential data from accidental loss, damage or destruction and from unauthorised or accidental disclosure. INFORMATION SECURITY Do not use someone else s password to gain access to information held on computers No person identifiable data should be held on any mobile devices (e.g. laptops, PDA s, memory sticks) unless it is encrypted to the approved standard. (Contact IT for encryption to be installed on devices containing person identifiable information.) Faxing is not secure. Confidential data should be faxed only when there is no alternative and immediate receipt is necessary for clinical purposes. Safe Haven * procedures should be followed. Envelopes containing confidential data must be securely sealed, labelled confidential and clearly addressed to a known contact. Telephone validation procedures must be followed to confirm the identity of callers before information is given to them. Staff must always ensure that CCG policy is followed when sending person identifiable data by both inside and outside of the network. Follow the CCG s policies and procedures relating to Data Protection, confidentiality, information security and seek advice when in doubt. If you are unsure whether to disclose information, consult your line manager and/or if necessary obtain advice from your organisation s Caldicott Guardian or Information Governance Lead. * A Safe Haven is an agreed set of administrative and physical security procedures for minimising the risk of breach of confidentiality when sending information via fax.

95 Information Lifecycle Management Policy Page 1 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

96 Information Lifecycle Management Policy (Information Lifecycle Strategy) Document History Document Reference: Document Purpose: IG04 This document sets out the organisational policy regarding all types of clinical and corporate records. The CCG will develop (through its Corporate Governance mechanisms), appropriate processes and procedures for the management of its records, including the secure destruction of records. Date Approved: August 2014 Approving Committee: Information Governance Committee Version Number: 2.0 Status: FINAL Next Revision Due: August 2016 Developed by: Policy Sponsor: Target Audience: Associated Documents: Information Governance, Greater East Midlands Commissioning Support Unit (GEM CSU) Head of Information Governance Services This policy applies to any person directly employed, contracted or volunteering to the CCG, including those working under an honorary contract and those authorised to undertake work on behalf of the CCG. All Information Governance Policies and the Information Governance Toolkit Page 2 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

97 Revision History Version Revision date Draft August 2013 New Policy Developed in line with NHS England guidance, Caldicott Review and version 11 of the IG Toolkit 0.1 May 2014 Reviewed for CCGs 0.2 June 2014 Revised in line with CCGs comments V2.0 FINAL August 2014 Approved at IG Product Group Policy Dissemination information Reference Title Number Available from IG04 Information Lifecycle Management Policy ND CCG Intranet Page 3 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

98 CONTENTS Section Page 1 Scope 5 2 Objectives 5 3 Accountability and Responsibilities 5 4 The Six Phases of the Information Lifecycle 6 5 Equality and Diversity 10 6 Due Regard 10 7 Policy Review and Monitoring References Summary of Corporate Retention Periods Page 4 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

99 1. Scope 1.1 This policy applies to NHS North Derbyshire Clinical Commissioning Group (CCG). 1.2 This document covers all information types; clinical, non-clinical, person identifiable or confidential and corporate information irrespective of the media on which they are held. 1.3 This policy applies to all employees (permanent, seconded, contractors, management and clinical trainees, apprentices, temporary staff and volunteers) of the CCG. Third Parties with whom the CCG may agree information sharing protocols will be governed by the associated information sharing agreements and will be made aware of this policy. 2. Objectives 2.1 This combined policy and strategy for North Derbyshire Clinical Commissioning Group (the CCG) ensures that the organisation s information is safely managed through every phase of its existence. 2.2 It will be supported by separate procedures that can be used by staff to ensure that this is effectively implemented in practice. 2.3 The Information Lifecycle Management principles apply to any information that may be held whether on paper or any other format e.g. electronic, audio, video etc. 2.4 The objective of this policy and strategy is to provide an explanation of these phases to ensure that the CCG can meet legal and regulatory requirements. 3. Accountability and Responsibilities 3.1 It is the responsibility of all CCG employees to adhere to the requirements of this document when handling all types of CCG information. 3.2 Training will be provided as part of the staff induction process. 3.3 Adherence to this policy and strategy forms part of the employee s employment contract. 3.4 Records created by the CCG are in effect public records and are therefore subject to both legal and professional obligations e.g. Public Records Act, Freedom of Information Act, Data Protection Act etc. 3.5 The CCG Senior Information Risk Owner (SIRO) will lead on Records Management (supported by the CCG Information Governance (IG) Lead and the GEMCSU IG Team as appropriate). Page 5 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

100 4. The Six Phases of the Information Lifecycle The Information Lifecycle covers 6 different phases: Creation Naming Filing Structure Filing/organisation Tracking and tracing Retention/disposal 4.1 Creation Record creation is one of the most important processes in records management and all staff within the organisation should aim to create good records that can be used in an effective manner It is important that records are kept in context and the best way to achieve this is to file or classify them. Records cannot be tracked or used efficiently if they are not classified or have been classified inappropriately Records captured or filed in a corporate filing system must be regarded as authentic or reliable A common format for the creation of records will ensure that those responsible for record retrieval are able to locate records more easily When staff create corporate records a common format should always be used that as a minimum includes: The difference between a document and a record The referencing to be applied to any new records The version control standards to be followed The agreed naming conventions in use within the CCG Where an original record should be filed To ensure quality and continuity of operational services, all records should be kept accurate and up to date. All CCG staff who are responsible for recording information in both paper and electronic format must ensure they fully understand their responsibilities as set out in this policy and remember that records may be used in a court of law. 4.2 Naming All staff must ensure that naming conventions: Give a unique name to each record Give a meaningful name which closely reflects the records content Locate the most specific information at the beginning of the name and the most general at the end Page 6 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

101 Provide a similarly structured and worded name to all records which are linked e.g. an earlier and a later version 4.3 Filing Structure A clear and logical filing structure that aids the retrieval of records must be used The filing structure for electronic records should reflect the way in which paper records are filed to ensure consistency If this is not possible the names allocated to files and folders should allow intuitive filing Filing of the primary corporate record to local drives on PC s is not allowed and should be filed on the network within a shared folder that is appropriately access controlled Final versions of appropriate documents will be circulated or placed onto the local Intranet or Internet to ensure that all staff can have access to the approved versions of policies and procedures. Documents must be given a review date when appropriate. The relevant responsible person or committee for any updates and reviews must also be identified when relevant. 4.4 Filing/Organisation A referencing system that meets the needs of the CCG must be used Several types of systems may be used e.g. alphanumeric, alphabetical, numeric, keyword etc. In some circumstances it may be more feasible to give a unique reference to the file or folder in which the record is kept and identify the record by reference to date and format Under no circumstances should personal confidential information be left out in the open e.g. on a desk or on a computer screen when not at a desk or any place visible to the public e.g. when in the car. Where rooms containing records are left unattended, they must be locked (see Information Security Policy) 4.5 Tracking and Tracing The movement of records is the point at which information is at the greatest risk of being lost or inappropriately accessed In this circumstance, staff may have a requirement to hold personal confidential information outside of NHS premises. This should only be done if the service has been given Caldicott approval for this process and there is no alternative way of working. This should be discussed with the responsible line manager. Page 7 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

102 The Department of Health has directed that there should be no transfers of unencrypted personal confidential data held in electronic format across the NHS. This is the default position to ensure that patient and staff personal data are protected. Any data stored on a PC or other removable device in a non-secure area or on a portable device such as a laptop, PDA or mobile phone should also be encrypted to the recommended NHS standard (See Information Security Policy). Tracking and tracing procedures that are implemented must enable the movement and location of records to be controlled. This provides an auditable trail of record transactions Tracking mechanisms to be used include: The item reference number of identifier A description of the item e.g. title The person, position or operational area/team who may have possession of the item The date and time of movement that took place Systems that may be used in order to monitor the physical movement of records include electronic document management systems and tracking or tracer cards. Regular records audits should take place. 4.6 Retention/Disposal Records must be secure from unauthorised or inadvertent alteration or erasure. Access and disclosure must be properly controlled and audit trails should track all use and changes. Records must be held in a robust format, which remains readable for as long as records are required; The CCG is adopting the retention/disposal procedure and the retention schedules detailed within the Department of Health Records Management: NHS Code of Practice, which is available here : Records selected for archival preservation that are no longer in use by the CCG are to be transferred as soon as possible to an archival institution e.g. a Place of Deposit Non-active records should be transferred no later than 30 years from creation of the record as required by the Public Records Act 1958 A record of the destruction of the records, showing their reference, description and date of destruction will be maintained and preserved so that the CCG can accurately identify which of those records have been destroyed and are no longer available Page 8 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

103 Disposal schedules will constitute the basis of such a record 5. Equality and Diversity 5.1 The CCG aims to design and implement policy documents that meet the diverse needs of the services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. 5.2 This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act. 5.3 In carrying out its functions, the CCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all the activities for which the organisation is responsible, including policy development, review and implementation. 6. Due Regard 6.1 This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations. 7. Review and Monitoring 7.1 All managers are responsible for regular monitoring of the quality of records and documentation and managers should periodically undertake quality control checks to ensure that the standards as detailed in this policy are maintained. 7.2 This policy will be reviewed every two years unless new legislation, codes of practice or national standards are introduced. 8. References Data Protection Act 1998 available from Freedom of Information available from Record Management available from NHS For the Record available from Page 9 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

104 uk/en/publicationsandstatistics/publications/publicationspolicyandguidance/ DH_ Summary of Corporate Retention Periods TYPE/SUBTYPE OF RECORD Accident register (Reporting of Injuries, Diseases and Dangerous Occurrences register) - see also Incident forms Accounts (minor records such as paying in slips, receipts, minor vouchers) Adoption records (i.e. administrative records relating the adoption process) Advance letters (e.g. DH Guidance) Agendas (others) Agendas of Board meetings, committees, sub-committees (master copies including associated papers) Annual/corporate reports Appointment Records (GP) Assembly/Parliamentary questions, MP enquiries Audit Records (e.g. Organisational Audits, Records Audits, Systems Audits) - Internal & External in any format (paper, electronic etc.) Audit records (internal and external audit) - original documents Audit reports - internal and external (including management letters, value for money reports and system/final accounts memoranda) Business Plan, including local delivery plans Commissioning decisions -appeal decisions -decision documentation Complaints (See also litigation dossiers)correspondence, investigation and outcomes Returns made to DH MINIMUM RETENTION PERIOD 10 years Page 10 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_ years 75th anniversary of the date of birth of the child to whom it relates or, if the child dies before attaining the age of 18,15 years beginning with the date of the 18th birthday 6 years 2 years 30 years 3 years 2 years (Provided that any patient-relevant information has been transferred to the patient record)at the end of the 2 year retention period GP practices should consider if there is an on-going administrative need to keep the records/books for longer. If there IS an on-going need to retain these records/books, then a further review date should be set (either 1 or 2 more years) 10 years 2 years from the date of completion of the audit 2 years from completion of audit 2 years after formal completion by statutory auditor 20 years 6 years from date of appeal 6 years from date of decision 8 years from completion of action Files closed annually and kept for 6 years following closure NB: Current policy on the handling of complaints is under

105 TYPE/SUBTYPE OF RECORD MINIMUM RETENTION PERIOD review and further guidance will be issued in due course Contractor Records (e.g. Ophthalmic Opticians, Ophthalmic Medical Practitioners, Pharmacists, Pharmacy Premises, General Optical Council amendments to the register, Previous Pharmacy rotas and supporting information (prior to new regulations), Copies of previous Pharmacy and Ophthalmic local lists, Correspondence relating to pharmacies supplying oxygen and visiting Residential/Nursing homes (prior to new regulations) Contracts - financial Copyright declaration forms (Library Service) Data Input Forms (where the data/information has been input to a computer system) Diaries (office) Doctors Postgraduate Educational Allowance/ Personal Development Plan files and supporting general correspondence - Records kept by PCT's Equipment - records of non-fixed equipment, including specification, test records, maintenance records and logs Flexi working hours GP retirements/moved away Incident forms Inventories of furniture, medical and surgical equipment not held on store charge and with a minimum life of 5 years Leavers' dossiers 7 years Approval files - 15 years Approved suppliers lists - 11 years 6 years 2 years 1 year after the end of the calendar year to which they refer GP Seniority (prior to new regulations) 11 years If the records relate to vehicles (ambulances, responder cars, fleet vehicles etc.) and where the vehicle no longer exists, providing there is a record that it was scrapped, the records can be destroyed 6 months 6 years after individual leaves service, at which time a summary of the file must be kept until the individual's 70th birthday 10 years Keep until next inventory 6 years after individual has left Summary to be retained until individual's 70th birthday or until 6 years after cessation of employment if aged over 70 years at the time. The summary should contain everything except attendance books, annual leave records, duty rosters, clock cards, timesheets, study leave applications, training plans Page 11 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

106 TYPE/SUBTYPE OF RECORD Manuals - policy and procedure (administrative and clinical, strategy documents Meetings and minutes of papers (other including reference copies) Meetings and minutes of papers of major committees and subcommittees Non-exchequer funds records (i.e. funding received by the organisation that does not directly relate to patient care e.g. charitable funds) Paper of minor importance not referenced elsewhere Patient Advice & Liaison Service (PALS) records Patient information leaflets Patient Surveys (re access to services etc.) Pension Forms (all) Personnel/human resources records - minor (e.g. attendance books, annual leave records, duty rosters (i.e. duty rosters held on the individual's record not the organisation or departmental rosters), clock cards, timesheets (relating to individual staff members)) NB Includes locum doctors Personnel/human resources records - major (e.g. personal files, letters of appointment, contracts, references and related correspondence, registration authority forms, training records, equal opportunity monitoring forms (if retained)) NB Includes locum doctors Phone Message Books Press Releases Project files (over 100,00) on termination, including abandoned and deferred projects Public Consultations e.g. about future provision of services Quality and Outcomes Framework (QOF) documents (GP Practice records) Quality assurance records (e.g. audit commission) reports (major) MINIMUM RETENTION PERIOD 10 years after the life of the system (or superseded) 2 years 30 years 30 years 2 years 10 years after closure of the case 6 years after the leaflet has been superseded 2 years 7 years 2 years after the year to which they relate 6 years after individual leaves service, at which time a summary of the file must be kept until the individual's 70th birthday Summary to be retained until individual's 70th birthday or until 6 years after cessation of employment if aged over 70 years at the time. The summary should contain everything except attendance books, annual leave records, duty rosters, clock cards, timesheets, study leave applications, training plans 2 years NB Any clinical information should be transferred to the patient health record 7 years 6 years 5 years 2 years 12 years 30 years Page 12 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

107 TYPE/SUBTYPE OF RECORD Research and development (organisation) i.e. the entire organisation's records associated with research and development and not individual trial records or information on patients. Research ethics committee records Serious incident files Structure plans (organisational charts) i.e. the structure of the building plans Timesheets (for individual members of staff) MINIMUM RETENTION PERIOD 30 years 3 years from date of decision 30 years Lifetime of building 2 years after the year to which they relate NB Timesheets (for all individuals including locum doctors) held on the personnel record are minor records - retain for 2 years. Timesheets held elsewhere - i.e. on the ward retain for 6 months (as the master timesheet is held on the personnel file) Page 13 of 13 IG04_Information_Lifecycle_Management_Policy_V2_August_2014

108 Records Management Policy Page 1 of 8 IG05_CCG_Records_Management_Policy_V2.0. Nov

109 Records Management Policy Document History Document Reference: Document Purpose: IG05 Date Approved: August 2014 This policy sets out the practice that NHS Clinical Commissioning Group expect from all staff, including those working on behalf of the CCG, when creating, holding, using, retaining and disposing of records in all forms. Approving Committee: Information Governance Product Group Version Number: 2.0 Status: FINAL Next Revision Due: August 2016 Developed by: Policy Sponsor: Target Audience: Associated Documents: Information Governance Services, Greater East Midlands Commissioning Support Unit (GEM CSU) Head of Information Governance Services This policy applies to any person directly employed, contracted, working on behalf of the CCG or volunteering with the CCG All Information Governance Policies and the Information Governance Toolkit Page 2 of 8 IG05_CCG_Records_Management_Policy_V2.0. Nov

110 Revision History Version Revision date Summary of Changes 1.1 July 2013 Amended references to patient/client information to personal confidential information throughout. Added section on access to information through the DPA (section 8.5) Added Equality and Diversity Statement (13) Added References (15) Updated appendices with organisational changes. 1.2 May 2014 Reviewed in line with IG Toolkit requirements and NHS England Policy. Procedural text removed and referred to the Information Lifecycle Policy. 2.0 August 2014 Reviewed at IG Product Group and approved as a template for CCGs. Policy Dissemination information Reference Number Title Available from IG05 Records Management Policy CCG Intranet Page 3 of 8 IG05_CCG_Records_Management_Policy_V2.0. Nov

111 Contents Page 1. Introduction 5 2. Scope 5 3. Responsibility for NHS Records 6 4. Legal Obligations and Standards 7 5. Requests for Information 7 6. Incident Reporting 7 7. Training 7 8. Equality and Diversity Due Regard Review and Monitoring Appendix list of retention periods (to be added) Page 4 of 8 IG05_CCG_Records_Management_Policy_V2.0. Nov

112 1. Introduction 1.1 This policy applies to North Derbyshire Clinical Commissioning Group (CCG). 1.2 Effective records management requires that an organisation is able to identify and retrieve information when and where it is needed. The CCGs must have records management procedures in place that cover the creation, filing, location, retrieval, appraisal, archive and destruction of records in accordance with the Records Management: NHS Code of Practice, and other relevant guidance and legislation. 1.3 The CCG s records are their corporate memory, providing evidence of actions and decisions and representing a vital asset to support its daily functions and operations. They support policy formation and managerial decision-making, protect the interests of the CCG and the rights of patients, staff and members of the public who have dealings with the CCG. They support consistency, continuity, efficiency and productivity and help to deliver services in consistent and equitable ways. 1.4 This policy relates to all records, including health records - The term health record applies to a record relating to the physical or mental health of a given patient/client who can be identified from that information and has been recorded by or on behalf of a health professional in connection with the care of that patient/client. 1.5 Effective records management ensures that information is properly managed and is available whenever and wherever there is a justified need for information, and in whatever media: To support patient care and continuity of care To support day to day business which underpins delivery of care To support sound administrative and managerial decision making, as part of the knowledge base for NHS services To meet legal requirements and assist in audit Any decisions made can be justified or reconsidered at a later date. 1.6 All NHS records are public records under the terms of the Public Records Act 1958 sections 3 (1) (2). The Secretary of State for Health and all NHS organisations have a duty under the Public Records Act to make arrangements for the safe keeping and eventual disposal of all types of their records. This is carried out under the overall guidance and supervision of the Keeper of Public Records, who is answerable to Parliament. 2. Scope 2.1 A record is defined as anything which contains information (in any media) which has been created or gathered as a result of any aspect of the work of NHS employees This policy sets out the practice that the CCG expects, from all staff that are directly employed by the CCG and for whom the CCG has legal responsibility. This policy is also applicable to staff on work experience, working under an honorary contract and those authorised to undertake work on behalf of the CCG. 1 NHS Code of Practice: Records Management Part 1, 2009 Page 5 of 8 IG05_CCG_Records_Management_Policy_V2.0. Nov

113 2.3 This policy relates to all clinical and non-clinical operational records held in any format, by the CCG. They include (the list is not exhaustive): Administrative records (including personnel, estates, financial and accounting records, contract records, litigation and records associated with complainthandling) Patient health records, including those concerning all specialities, multi-agency services and private patients seen on NHS premises, but excluding records of other NHS organisations and of independent sector providers. Photographs, X-Rays and other images Memory cards for digital devices Records in all electronic formats, including s, databases Faxes 2.4 Records not included are: health or other records held by independent contractors and copies of documents created by other organisations such as the Department of Health, which are kept for reference and information only. 2.5 The policy should be read in conjunction with the following CCG documents: Confidentiality and Data Protection Policy Information Security Policy Safe Haven Procedures Information Lifecycle Policy Freedom of Information and Environmental Information Regulations Policy 3. Responsibility for NHS Records 3.1 It needs to be clearly understood by all employees and those authorised to work on behalf of the CCG, that under the Public Records Act 1958, they have a degree of responsibility for any record they create or use and may be subject to both legal and professional obligations. 3.2 The Chief Officers and senior managers of all NHS organisations are personally accountable for records management within their organisation The Caldicott Guardian is responsible for approving and ensuring that national and local guidelines and protocols on the handling and management of personal confidential information are in place. 3.4 The Information Governance Lead at Greater East Midlands Commissioning Support Unit (GEM CSU) is responsible for advising the CCG on compliance with the Data Protection Act and acts as a resource for staff and Governing Body Members. 3.5 Freedom of Information requests and requests for information are processed by GEM CSU appropriate staff in accordance with the current Service Level Agreement, and in line with the requirements of the Freedom of Information Act All Heads of Service and line managers are responsible for ensuring that the records management policy is implemented in their individual departments and those members of staff comply with the guidance in the policy. 2 NHS Code of Practice: Records Management Parts 1 & 2, 2009 Page 6 of 8 IG05_CCG_Records_Management_Policy_V2.0. Nov

114 3.7 All CCG staff and Governing Body Members are responsible for ensuring that they keep appropriate records of their work for the CCG and manage those records in accordance with this and other related CCG policies, maintaining the security of the records they create or use. 3.8 It is vital that everyone understands their record management responsibilities as set out in this policy. Managers will ensure that staff responsible for managing records are appropriately trained or experienced and that all members of staff understand the need for appropriate records management. New starters will be offered records management and confidentiality and security training as part of their mandatory induction programme. 4. Legal Obligations and Standards 4.1 The key legislation and guidance supporting the Records Management policy are: DOH: Records Management NHS Code of Practice 2009 Data Protection Act 1998 The Access to Health Records Act 1990 Freedom of Information Act 2000 Public Records Acts 1958 The Caldicott Review 2012 The Common Law Duty of Confidentiality 5. Requests for information 5.1 Records may be requested either under the Freedom of Information Act (2000). If such a request is received, the enquiry should be forwarded to the CCG Information Governance lead who will deal with it appropriately. There are strict legal timeframes for processing these requests in order to be compliant with the Freedom of Information Act 5.2 Under the Data Protection Act, an individual can ask to see information held about them, either computerised or manual records, this applies to staff and patient information. If a request is received for copies of information, this should be forwarded to the CCG Information Governance Lead for processing. 6. Incident Reporting 6.1 All staff have an obligation to report an incident when personal confidential information for which they are responsible for is missing or stolen. They must complete an incident reporting form and inform their line manager so that an initial investigation can be started. 6.2 Stolen records must be reported following the Incident Reporting Policy and Procedure and the Policy on reporting Untoward Incidents. If the record is subsequently found, the record of the incident should be updated and temporary files merged with the permanent record. 7. Training 7.1 The CCGs must ensure that all staff undertake appropriate records management training on information governance issues soon after joining the CCG and that existing staff receive periodic update training. Page 7 of 8 IG05_CCG_Records_Management_Policy_V2.0. Nov

115 7.2 Staff who have responsibility for records management should undertake Records Management Training on Information Governance issues on an annual basis. Modules are provided by the Health and Social Care Information Centre e-learning tool Equality and Diversity 8.1 The CCG aims to design and implement policy documents that meet the diverse needs of the services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. 8.2 This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act. 8.3 In carrying out its functions, the CCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all the activities for which the organisation is responsible, including policy development, review and implementation. 9. Due Regard 9.1 This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations. 10. Review and Monitoring 10.1 All managers are responsible for regular monitoring of the quality of records and documentation and managers should periodically undertake quality control checks to ensure that the standards as detailed in this policy are maintained This policy will be reviewed every two years unless new legislation, codes of practice or national standards are introduced. 11. References Data Protection Act 1998 available from Freedom of Information available from Record Management available from NHS For the Record available from en/publicationsandstatistics/publications/publicationspolicyandguidance/dh_ Page 8 of 8 IG05_CCG_Records_Management_Policy_V2.0. Nov

116 Information Asset Register Procedure Page 1 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

117 Information Asset Register Procedure Document Reference: Document Purpose: IG06 Date Approved: August 2014 This document sets out the procedure to ensure that all information assets are identified and regularly assessed to ensure the confidentiality and security of the organisations information is maintained.. Approving Committee: Information Governance Product Group Version Number: 1.3 Status: FINAL Next Revision Due: August 2016 Developed by: Policy Sponsor: Target Audience: Associated Documents: Information Governance Services, Greater East Midlands Commissioning Support Unit (GEM CSU) Head of Information Governance Services This policy applies to any person directly employed, contracted, working on behalf of the CCG or volunteering with the CCG All Information Governance Policies and the Information Governance Toolkit Page 2 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

118 Revision History Version Revision date Comments Draft 1.1 May 2014 Developed in line with NHS England guidance, Caldicott Review and the Information Governance Toolkit Sent for consultation Draft 1.2 June 2014 Revised in line with CCG comments FINAL 1.3 August 2014 Approved at IG Product Group Policy Dissemination information Reference Number Title Available from IG06 Information Asset Register Procedure CCG Intranet Page 3 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

119 Contents Page Number 1 Introduction 5 2 Objectives 5 3 Scope 6 4 Information Asset Owners 6 5 Information Assets 5 6 Information Asset Register 7 7 Identification of new assets 7 8 Risk 7 9 Equality Impact Assessment 8 10 Due Regard 8 11 Procedure Review 8 Appendices Appendix 1 Information Asset Register Tool 9 Appendix 2 Key Information Assets 10 Appendix 3 Information Asset Risk Assessment Process 12 Appendix 4 Risk Assessment Reporting Form 13 Appendix 5 Risk Assessment Matrix 16 Page 4 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

120 1 Introduction This policy applies to North Derbyshire Clinical Commissioning Group (CCG), subsequently referred to in this document as the CCG. 1.2 Information and information systems are important corporate assets and it is essential to take all the necessary steps to ensure they are protected at all times and are available and accurate to support the operation of the organisation. The CCG must ensure that all information assets that hold or process personal data are protected by technical and organisational measures appropriate to the nature of the asset and the sensitivity of the data. There should be formal information security risk assessment and management programme and operating systems under the organisations control must support appropriate access control functionality 1.3 All information assets of the CCG should be identified and the CCG must have a nominated Senior Information Risk Owner (SIRO). The SIRO is required to ensure owners are identified for all Information Assets, Information Asset Owners (IAOs), with responsibility for managing the risks to those assets. Whilst responsibility for implementing and managing Information Asset controls may be delegated to Information Asset Administrators (IAAs) or equivalent, accountability should remain with the nominated owner of the asset. 1.4 The Department of Health has issued guidance to all NHS organisations on the process to be followed in identifying information assets, and allocating local ownership and responsibility for assessing any risk of data loss or information security for these assets. It is part of the guidance that risk assessments are performed regularly to ensure that the organisation complies with the Information Governance Assurance Programme and regular risk assessments are a requirement in the Information Governance Toolkit (IGT), which is mandated for all NHS organisations. 1.5 Potential losses arising from breaches of IT and information security include physical destruction or damage to the organisations computer systems, loss of systems availability and the theft, disclosure or modification of information due to intentional or accidental unauthorised actions. In addition, healthcare organisations process personal confidential data (PCD) of particular sensitivity, which needs to be protected from loss or inappropriate disclosure. 2 Objectives 2.1 All information assets should be accounted for, understood, have a designated owner and be appropriately protected. This will ensure compliance with: The Data Protection Act 1998 The Caldicott Report and subsequent review on personal confidential data The Information Security standard ISO 27001/2 Page 5 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

121 2.2 e Department of Health has issued a standard template which can be used for capturing a list of assets, their owners and risk assessments. This is found at Appendix 1 and is available in Excel format. 3 Scope 3.1 The Information Asset Register Procedure applies to all business functions across the CCG, and covers information, information systems, networks, physical environment and relevant people who support those functions. It relates to both manual and electronic information, whether transmitted across networks or telephone lines, sent by fax, spoken in conversations or printed as hard copy (see Appendix 2 for examples of information assets). 4 Information Asset Owners (IAOs) 4.1 Information Asset Owners are directly accountable to the SIRO and must provide assurance that information risk is being managed effectively in respect of the information assets that they own. The SIRO/IAO hierarchy identifies accountability and authority to effect change where required to mitigate identified risk (see risk assessment process at appendix 3). 4.2 The role of the Information Asset Owner is to understand what information is held, what is added and what is removed, how information is moved, who has access and why. As a result they should be able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The Information Asset Owner will also be responsible for providing or informing regular written reports to the SIRO, a minimum of annually on the assurance and usage of their asset (see appendix 4). 4.3 The information asset owner will: ensure access to the asset is appropriately controlled in accordance with its classification and the CCG s policies on information security, confidentiality, access and information sharing. ensure that the backup and business continuity arrangements are appropriate in accordance with its classification ensure that the asset is managed in accordance with the Data Protection Act data protection principles and Caldicott Principles if the information asset processes PCD. 5 Information Assets 5.1 Information Assets (IA) are identifiable and definable assets owned or contracted by an organisation which are valuable to the business of that organisation. Information assets are likely to include the computer systems and network hardware, software and supporting utilities and staff that are required to achieve processing of this data. Non-computerised records systems should also have an asset register containing relevant file identifications and storage locations. Page 6 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

122 5.2 Business processes and activities, applications and data should all be considered as Information Assets; however, their importance to the CCG may vary (appendix 2). 6 Information Asset Register 6.1 Information Assets should be documented in a CCG asset register (IG Toolkit requirement, template at Appendix 1). In practice, a number of CCG asset registers may exist (e.g. departmental, HR Register, hardware register), and many will be ad hoc. As a priority, it is essential that all critical Information Assets are identified and included in this asset register, together with details of the Information Asset Owner and risk reviews undertaken. The corporate Business Continuity Plan will also list these as critical information assets. 6.2 Each Information Asset Owner should be aware of what information is held and the nature and justification of information flows to and from the assets they are responsible for. 7 Identification of New Assets 7.1 The Information Governance Toolkit has a requirement for a documented plan to be developed to investigate and identify all remaining information assets that comprise or hold personal data and to assign responsibility for any identified, including details in the information asset register. 7.2 The Plan will be implemented by: Ensuring that Privacy Impact Assessments (PIAs) are included in any procurement process where new systems are implemented. This has a data mapping form within the template to ensure new assets are captured. The asset register will be reviewed by the CCG on a regular basis (at least annually) and circulated to all staff for them to review and refresh the asset register. The Asset Register will be reviewed at the Information Governance Committee or equivalent. 8 Risk 8.1 Appropriate security measures must be viewed as necessary for protection against a risk of an event occurring or to reduce the impact of such an event. Some of these events may be deliberate acts of damage and others may be accidental. Nevertheless, a range of security measures can be deployed to address: The Threat The Impact The Chance Of something damaging the confidentiality, integrity or availability of information held on systems or manual records. That such a threat would have if it occurred. Of such a threat occurring. Page 7 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

123 8.2 All new projects and procurements of IT systems will have a risk assessment as part of the project, and any existing systems should have periodic risk assessments, including those carried out by local management and internal/external audit services. Any risks identified as high must be reported to the Information Governance, Management and Technology Committee (or equivalent) and if appropriate recorded on the IG risk register and/or escalated to the CCG s corporate risk registers and Governing Bodies. 8.3 Controls can then be implemented to reduce the assessed risks in one of the following ways: Avoid the Risk Transfer the Risk Reduce the Threats Reduce the Vulnerabilities Reduce the Possible Impact Detect Unwanted events, react and recover from them. There will always be residual risks and these should be reviewed on a regular basis to ensure that additional controls are having an effect on the likelihood rating. Risk Assessment Process is Appendix 3. 9 Equality Impact Assessment 9.1 The CCG aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act. In carrying out its functions, the CCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all the activities for which the organisation is responsible, including policy development, review and implementation. 10 Due Regard 10.1 This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations. 11 Procedure Review 11.1 This procedure will be reviewed in line with Information Governance Toolkit requirements or where changes occur in national policy or legislation. Page 8 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

124 Appendix 1 Guidance for use of Information Asset Register Tool The IAR spreadsheet is compatible with Microsoft Excel 2002 or later versions. It contains both free text cells and other cells that will be automatically populated from dropdown menus. These dropdown menus will be identifiable when a cell is clicked and an icon appears to the right hand side of that cell. Clicking on the icon will open the dropdown list for that cell and the appropriate cell entry can be selected by moving the cursor over it. The IAR tool will allow IAOs to build up a comprehensive view of information assets they own along with details of the local risk management needs. Page 9 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

125 Appendix 1 Information Asset Register Template Information Asset Register North Derbyshire CCG Information Asset name or unique descriptor Location of the Asset or its components Informatio n Asset Type Information Asset Components Information Asset classification System Owner /Administrator Information Asset Owner (IAO) Included on BCP? y/n Date of review Processing Overseas Confidentiality Rating (Likelihood) Confidentiality Rating (Impact) Confidentiality Grading Integrity Rating (Likeliho od) Integrity Rating (Impact) Integrity Grading Availability Rating (Likelihood) Availability Rating (Impact) Availability Grading 3rd Party Confidentiality Agreement /Contract Signed Remote Access Access Controls Risk assessment frequency Additional comments (may include details of safeguards/networked resources / servers / drives etc.) Page 10 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

126 Appendix 2 EXAMPLE CCG ASSETS Information Asset name or unique descriptor Assurance, Strategy and Planning Risk Register Location of the Asset or its components Networked resource (Shared Drive) Information Asset Type Functional Management Information System Business Continuity Planning Networked resource (Shared Drive) Governing Body, Clinical Networked resource Cabinet, People's Council, (Shared Drive) Audit Committee, Finance and Information Group Minutes and Papers Patient Experience Functional Management Information System Functional Management Information System PALS Database and related documents Complaints Database and related documents Quality and Patient Safety Serious Incidents Database Health & Safety Database (RIDDOR) Safeguarding Databases Contract Documents Data Warehouse - CCGs shared information resource Internet/Intranet and systems Networked resource (Shared Drive) Networked resource (Shared Drive) Networked resource (Shared Drive) Networked resource (Shared Drive) Networked resource (Shared Drive) Networked resource (Shared Drive) Hosted System Hosted System Patient Information System Patient Information System Other Information System Functional Management Information System Other Information System Functional Management Information System Other Information System Other information System Page 11 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

127 Other Asset Types People/staff Computer Hardware Other Hardware (furniture) Software Human Resources IT Provider Estates IT Provider Personnel, health and Pension records Company Financial Records Integra SBS Human Resources Finance Page 12 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

128 Appendix 3 INFORMATION ASSET RISK ASSESSMENT PROCESS Process The information asset is risk assessed using the form below on a regular basis (determined by the type of asset involved and whether there have been any major organisational changes). The risk report is reviewed by the Senior Information Risk Owner and any moderate or high risks assessed for reporting on the CCG corporate risk register. The risk assessment forms are sent out to the IAOs for refresh and update on a regular basis and also for addition of any newly identified information assets. Overview of Risk Assessment Process IAOs identified and trained Use Asset Register Tool to identify key information assets Assets are risk assessed Risk assessed by SIRO/appropriate committee and added to corporate risk register if risk is medium or high rated. Assets continue to be monitored and risk assessed. Security requirements; Controls are identified to reduce Risk Residual Risk Identified Any new processes, systems or information assets that are introduced will be identified by the IAO in order to ensure that any impacts to information security, confidentiality or integrity are identified prior to implementation and initiation of any new system. Privacy Impact Assessments screening is performed if appropriate using the Information Governance Risk Assessment forms and these are reviewed and approved by the appropriate committee or senior manager. Page 13 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

129 Appendix 4 Information Asset Risk Reporting Template Date Asset Reference Information Asset Name Information Asset Owner Initial Risk Rating Impact Likelihood Total Confidentiality Integrity Availability Actions taken to eliminate/mitigate risk Current Risk Rating Impact Likelihood Total Confidentiality Integrity Availability Further actions required to eliminate/mitigate risk Page 14 of 17 IG06_CCG_Information_Asset_Register_Procedure_V1.3

130 Appendix 4 Further risk assessment questions Reference Action Target/ Deadline 1 Are procedures in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error etc.? 2 Have all flows of PCD been mapped, assessed risks in line with DoH guidelines and put in place safe haven procedures for all routine flows of PCD in the organisation? 3 Does access to the system(s) have documented user access procedures and controls (is access granted only to authorised individuals and is this access reviewed regularly?) Risk Assessment and Comments Date Completed 4 Are there standard operating procedures for the system and/or system level security policies? 5 Do all staff understand incident reporting arrangements relating to information governance incidents / loss of equipment or data? 6 Is a backup log maintained and assignment of responsibility for system upgrades and applications? 7 Have all new users to the system had adequate training? (In system use and confidentiality) IG06_CCG_Information_Asset_Register_Procedure_V1.3 Page 15 of 17

131 RISK ASSESSMENT MATRIX Risk Priority Key: Red High Risk Amber Medium Risk Green Low Risk RISK MATRIX 5 - Very High A A/R R R R 4 - High A A A/R R R 3 - Medium A/G A A A/R A/R 2 - Low G A/G A/G A A 1 - Very low G G G G G Impact 1 - Rare 2 - Unlikely 3 - Possible 4 - Likely 5 - Almost Certain Likelihood Risk Matrix Likelihood Likelihood rating Description 5 Almost Certain this type of event will happen frequently 4 Likely this type of event will happen, but its not a persistent concern 3 Possible this type of event may well happen (e.g. 50/50 chance) 2 Unlikely unlikely that this type of event will happen 1 Rare cannot believe that an event of this type will occur in the foreseeable future Page 16 of 17

132 DESCRIPTOR INSIGNIFICANT MINOR MODERATE MAJOR CATASTROPHIC Injury Minor injury not requiring first aid Minor injury or illness, first aid treatment needed Over three days off sick Major injuries, or long = RIDDOR reportable. 10 term incapacity / days to report to the HSE. disability (loss of limb) Death or major permanent incapacity Patient Experience Complaint/ Claim Potential Unsatisfactory patient experience not directly related to patient care Locally resolved complaint Unsatisfactory patient experience - readily resolvable Justified complaint Justified complaint peripheral to clinical care involving lack of appropriate care Mismanagement of patient Mismanagement of care short term effects patient care long term effects Multiple justified complaints Totally unsatisfactory patient outcome or experience Multiple claims or single major claim Objectives/ Projects Insignificant cost increase/schedule slippage. Barely noticeable reduction in scope or quality < 5% over budget/schedule slippage. Minor reduction in quality/scope 5-10% over budget/schedule slippage. Reduction in scope or quality requiring client approval 10-25% over budget/schedule slippage. Doesn't meet secondary objectives > 25% over budget/schedule slippage. Doesn't meet primary objectives Service/ Business Interruption Human Resources/ Organisational Development Loss/interruption > 1 hour Loss/interruption > 8 hours Short term low staffing Ongoing low staffing level temporarily reduces level reduces service service quality (< 1 day) quality Loss/interruption > 1 day Loss/interruption > 1 week Late delivery of key objective/service due to lack of staff (recruitment, retention or sickness). Minor error due to insufficient training. Ongoing unsafe staffing level Uncertain delivery of key objective/ service due to lack of staff. Serious error due to insufficient training Permanent loss of service or facility Non-delivery of key objective/ service due to lack of staff. Loss of key staff. Very high turnover. Critical error due to insufficient training Financial Small loss (> 100) Loss > 1,000 Loss > 10,000 Loss > 100,000 Loss > 1,000,000 Inspection/ Audit Minor recommendations. Minor non-compliance with standards Recommendations given. Non-compliance with standards Reduced rating. Challenging recommendations. Noncompliance with core standards Enforcement Action. Prosecution. Zero Low rating. Critical Rating. Severely report. Multiple critical report challenging recommendations. Major non-compliance with core standards Adverse Publicity/ Reputation Rumours Local Media - short term Local Media - long term National Media < 3 Days National Media > 3 Days. MP Concern (Questions in House) Risk Matrix Descriptor of Impact Page 17 of 17

133 Freedom of Information and EIR Protection Policy Page 1 of 19 IG07_CCG_FOI_Policy_template_July_2014_V2.0