Initiative: Information Governance Management

Transcription

1 Royal Devon & Exeter Information Governance Information Governance (IG) Toolkit Action Plan Key Requirements Reporting Date 18/03/2011 Programme Manager Sharon Collingwood Project Start Date 30/07/2010 Project Manager Sharon Rowland Project End Date (baseline) 31/10/2010 Overal Status This Period RED Project End Date (current) 31/03/2011 RAG Status Last Period RED Key to review of evidence Sufficient appropriate and relevant evidence available to meet criteria No evidence provided to meet the criteria Evidence provided insufficient to meet the assurance required Level not attempted Text in Blue denotes actions underway/completed since Internal Audit review Initiative: Information Governance Management Information Governance Management Framework (101) Formal Contractual Arrangements (110) 2 1 2a: examples of signed contract clauses and list of organisations needing additional Personal Identifiable Data (PID) contracts. Action plan in place to deliver by 31 st March. Actions completed since audit Employment Contracts (111) 0 IG Training ( 112) 1 1a: HR senior management statement is pending receipt of confirmation of IG undertakings from staff. 2a: Action plan in place to deliver by 31 st March. Waiting for statement from HR confirming figures in response to reply facility for staff confirmation of IG responsibilities 2a: Requires statement from senior management confirming that an action plan is in place to deliver training to 95% staff by the end of June Currently being prepared for SIRO to approve. SR/Y/IGT WORK1011/IGT Action Plan Key Requirements/Mar 11 v1 1

2 Initiative: Data Protection and Confidentiality IG is supported by adequate confidentiality and data protection knowledge, skills and experience (200) Staff Understanding of the security of personal information and confidentiality of service users (201) Seeking consent to use patient information for reasons other than treatment (202) Information provided on proposed uses of PID information (203) All transfers of personal information to countries outside the UK have been documented, reviewed and tested to determine compliance with the Data Protection Act 1998 and Department of Health guidelines (209) All new processes, services, information systems and other relevant information assets are developed and implemented in a secure and structured manner (210) 2 2 N/a 2 SR/Y/IGT WORK1011/IGT Action Plan Key Requirements/Mar 11 v1 2

3 Initiative: Information Security The IG agenda is supported by adequate information security skills, knowledge and experience (300) A formal information security risk assessment and management programme for key information assets (301) Documented information security incident event reporting, management and procedures (302) Established business processes and procedures that satisfy the organisation s obligations as a Registration Authority (303) Plan for ensuring compliance with the terms and conditions of Smartcard usage, which includes procedures for monitoring and enforcing compliance (304) Documented requirements for access controls for all key information assets and appropriate user access management procedures, technical functionality and management controls for all key information assets (305) b: Report of risk assessments to be made available. Action plan in place to deliver by 31 st March. Report will be presented by SIRO to Information Governance Steering Group on 29/3/11 2b: Evidence of incident reporting in PID contracts not provided. Addendum to contract sent out, pending return of signed addendums. Action plan in place to deliver by 31 st March. Actions completed since audit 2c: List of Smartcard users and audit of use. Action plan in place to deliver by 31 st March. Actions completed since audit 2a/b: System Level Security Policies (SLSPs) for critical systems to be completed. Action plan in place to deliver by 31 st March. Awaiting receipt of outstanding SLSPs for priority one critical systems SR/Y/IGT WORK1011/IGT Action Plan Key Requirements/Mar 11 v1 3

4 An effectively supported Senior Information risk Owner with ownership of the organisation s information risk policy and information risk management strategy (307) Data mapping transfer of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed (308) Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely (313) Policy and procedures ensure that mobile computing and teleworking are secure (314) All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures (323) c: Upload list of assigned Information Asset Owners (IAOs). 2b: Evidence of outcomes of risk assessments for critical systems. Action plan in place to deliver by 31 st March. 1c: Action completed 2b: Report currently being prepared for Information Governance Steering Group on 29/3/11 2a: Completed validation of information flows. Action plan in place to deliver by 31 st March. Data mapping in progress due to complete 24 March 1b: Documented network risk assessment pending. 1c: Confirmation of review of controls to be uploaded. Action plan in place to deliver by 31 st March. 2a: Network procedures should be fully documented and uploaded. 1b: Action completed 1c: Statement from Senior Information Risk Owner ( SIRO) to review/approve risk assessment 2a: Awaiting receipt of Network procedures 2a: List of remote access users. Action plan in place to deliver by 31 st March. Action completed Initiative: Clinical Information There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements (401) 0 1d: Upload systems compatibility risk assessment. 2a/b NHS Number project progress documentation. Action plan in place to deliver by 31 st March. All actions completed SR/Y/IGT WORK1011/IGT Action Plan Key Requirements/Mar 11 v1 4

5 SR/Y/IGT WORK1011/IGT Action Plan Key Requirements/Mar 11 v1 5