INFORMATION GOVERNANCE STRATEGY IMPLEMENTATION PLAN


INFORMATION GOVERNANCE STRATEGY & IMPLEMENTATION PLAN 2015-2018

Disclaimer
The latest version of this document is located on PTHB intranet. Please check the review date and if there are any doubts contact the author.

Proprietary Information
This document contains proprietary information belonging to Powys Teaching Health Board. All or any part of this document should not be reproduced without the permission of the Document Owner.

Document Reference No: PTHB / IGP 012
Version No: 1
Issue Date: June 2015
Review Date: June 2018
Author: Information Governance Manager
Document Owner: Information Governance Manager
Accountable Executive: Director of Therapies & Health Sciences
Approved By: PTHB Board
Approval Date: 24 June 2015
Document Type: Strategy Non-clinical
Scope: PTHB wide

Version Control
Version: 1
Issue Date: Jun 2015
Summary of Changes/Amendments: Initial Issue. Previously the Information Governance Strategy was a combination document with the Information Governance Policy - PTHB/IGP 001 Information Governance Strategy & Policy. The following changes were made:
- Strategy separated from Policy document
- Removal of Definitions section as integrated within other sections
- Consolidation of Strategic Objectives
- Inclusion of Implementation Plan Appendix 4 3 year strategy plan

Issue Date: June 2015 Page 2 of 21 Review Date: June 2018

Contents

Engagement and Consultation
1 Introduction
2 Purpose
3 Responsibilities
4 Information Governance Assurance
5 Strategic Objectives
6 Information Governance Strategy Implementation
7 Information Governance Training
8 Conclusion

Appendices
1 Information Governance Roles and Accountability Chain
2 Information Governance Assurance Framework
3 Information Governance Implementation Plan 2015-18

ENGAGEMENT & CONSULTATION

Key Individuals/Groups Involved in Developing this Document
Role / Designation

Circulated to the following for Consultation (Date: Role / Designation)
March 2015: Information Governance Management Group
Mar/Apr 2015: PTHB wide via Powys Announcement Email
April 2015: Information Governance Committee

Evidence Base
Please list any National Guidelines, Legislation or Health and Care Standards relating to this subject area? See Appendices 2 & 3.

1. INTRODUCTION

Information Governance is a series of best practice guidelines and principles of law to be followed by NHS organisations and their employees in relation to the handling of information; it applies to sensitive and personal information of both employees and patients and corporate information. It is the approach within which accountability, standards, policies and procedures are developed and implemented, to ensure all information created, obtained or received by the Health Board is held and used appropriately.

Information is a vital asset for the Health Board, supporting day to day clinical and business operations and the effective management of services and resources. The Health Board requires accurate, timely and relevant information to enable it to deliver the highest quality health care and to operate effectively as an organisation. It is the responsibility of all staff to ensure that information is complete and up to date and that it is used proactively to support the business of the organisation.

Having accurate relevant information available at the time and place where it is needed is critical in all areas of the Health Board's activities and plays a key part in corporate and clinical governance, strategic risk, service planning and performance management.

2. PURPOSE

This strategy covers the period 2015-2018 and includes the continuing development, implementation and embedding of a robust information governance framework needed for the effective management and protection of the Health Board's information. It builds on the previous 2013-15 strategy and outlines the organisation's vision over the next 3 years and acknowledges the ongoing closer working relationship with the Local Authority.

The Information Governance arrangements will underpin the Health Board's strategic goals and ensure that the information needed to support and deliver their implementation is available, accurate and understandable.

3 RESPONSIBILITIES

The summary below sets out the roles and responsibilities and accountabilities relating to the management of information governance; see also Appendix 1.

3.1 The Chief Executive

The Chief Executive is the Accountable Officer of the Health Board and has overall accountability and responsibility for Information Governance. He/she is required to provide assurance, through the Annual Governance Statement, that all risks to the organisation, including those relating to information, are effectively managed and mitigated.

3.2 The Senior Information Risk Owner (SIRO)

The Director of Therapies and Health Science, Quality & Safety is the SIRO and has a key understanding of how the strategic goals of the Health Board may be impacted by information risk. They are the Board member leading on information governance. The SIRO provides an essential role in ensuring that identified information security risks are followed up and incidents managed.

3.3 The Caldicott Guardian

The Caldicott Guardian plays a key role in ensuring that the Health Board satisfies the highest practical standards for handling patient identifiable information. Within the Health Board the Medical Director is the nominated Caldicott Guardian. Acting as the conscience of the Health Board, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information. The Caldicott Guardian also has a strategic role which involves representing and championing confidentiality and information sharing requirements and issues at senior management level. The Medical Director has responsibility for completing the annual Caldicott-Principles into Practice (C-PiP) self assessment.

3.4 Information Governance Lead

The Information Governance Manager is the Information Governance Lead and co-ordinates the information governance work programme. The key responsibilities include developing and maintaining the Health Board's Information Governance Strategy & Policy, ensuring top level awareness and support for IG resourcing and implementation of improvements.

3.5 Information Governance Team

The Information Governance Manager is responsible for overseeing the information governance systems and processes within the Health Board and carrying out operational duties for the Information Governance Lead. The Information Governance Manager is the Data Protection Officer and designated contact with the Information Commissioner's Office and will ensure that the Health Board's annual Data Protection Registration is maintained and kept up to date. The Team will provide expert advice and guidance on information governance issues and maintain the Integrated IG Work Programme.

3.6 Executive Directors and Locality General Managers

Executive Directors, Locality General Managers and Service Managers have responsibility for the protection of personal identifiable data and for identifying and managing any associated risk. They are responsible for enforcing measures to protect information, including personal data as part of normal/everyday activity, setting and driving forward a culture that properly values, protects and uses data both in planning and delivery of Health Board services. They are responsible for ensuring that breaches and near misses relating to information governance are reported using the Health Board's incident reporting procedure.

3.7 All employees

All employees, contractors, volunteers and students working for or supplying services to the Health Board who have access to personal identifiable information are responsible for ensuring that any personal data which they hold are kept securely and are not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party. This is supported by an appropriate confidentiality clause within their contract of employment. Any information governance incidents should be reported on the organisation's Datix incident reporting system.

Staff must be familiar with the Health Board's associated information governance policies and procedures (http://howis.wales.nhs.uk/sitesplus/867/searchresultssql/?q=igp) and comply with these. Staff must actively participate in the Health Board's IG induction training and complete further mandatory refresher/update training relating to information governance.

3.8 NHS Wales Informatics Service (NWIS)

NHS Wales Informatics Service has a dedicated team to deal with strategic and operational Information Governance issues that affect the NHS in Wales. Their work includes coordinating national IG meeting groups and providing advice and support on a number of IG issues, including information sharing protocols in accordance with the Wales Accord for Sharing Personal Information (WASPI) framework, although currently no national IG strategy exists.

3.9 Third Party Contractors

Appropriate contracts and confidentiality agreements shall be in place with third parties where potential or actual access to the Health Board's confidential information assets is identified.

3.10 Information Commissioner's Office (ICO)

The ICO is the UK's independent body set up to uphold information rights in the public interest. Their role includes regulating key pieces of legislation including the Data Protection Act 1998 and Freedom of Information Act 2000. Part of their role is to improve the information rights practices of organisations by gathering and dealing with concerns raised by members of the public. In cases where a clear and serious breach of the legislation has taken place, they may take enforcement action and in the most serious cases, can serve a monetary penalty of up to £500,000.

3.11 Information Asset Owner (IAO)

This role is yet to be formally implemented within the Health Board but is the person who has operational ownership of an information asset. This will primarily be due to them being responsible for purchasing the asset or requiring it for their service. Applications may be provided to users across Powys teaching Health Board but be owned by a designated manager.

3.12 Information Asset Administrator (IAA)

The Information Asset Owners will determine a person or persons who will be responsible for the day to day management of an application. Information Asset Administrators will be responsible for the data integrity of applications, user access including auditing of access, and ensuring that there are appropriate operational procedures that include backup and business continuity planning. The Information Asset Administrator will liaise with system suppliers to ensure that the asset is maintained so as to be fit for purpose. They may delegate certain tasks to third parties (e.g. to the IT Operations Department) but will have responsibility for ensuring delegated responsibilities are carried out.

4. INFORMATION GOVERNANCE ASSURANCE

The Information Governance Assurance Framework (Appendix 2) is the mechanism by which:
- information governance policies and standards are set;
- regulators can check an organisation's compliance; and
- the organisation can be performance managed.

The organisation's information governance structure can be illustrated as follows:

[Figure: information governance structure showing the Board, Executive Team, Information Governance Committee and Information Governance Management Group. Key: Reports/accountable to; Provides information to]

4.1 Information Governance Committee

The purpose of the Information Governance Committee is to provide the Board with evidence based and timely advice to assist it in discharging its functions and meeting its responsibilities with regard to the:
- quality and integrity;
- safety and security; and
- appropriate access and use of information (including patient and personal information) to support its provision of high quality healthcare;

as well as providing assurance to the Board in relation to the Health Board's arrangements for creating, collecting, storing, safeguarding, disseminating, sharing, using and disposing of information in accordance with its:
- stated objectives;
- legislative responsibilities, e.g. the Data Protection Act and Freedom of Information Act; and
- any relevant requirements and standards determined for the NHS in Wales.

4.2 Information Governance Management Group

The Information Governance Management Group (IGMG) supports the work of the Information Governance Committee and reports to the Executive Team. It aims to provide them with assurance that the organisation is making appropriate progress in developing systems and processes to ensure that the Health Board is compliant in discharging its responsibilities relating to Information Governance.

4.3 Legal compliance and other key drivers

The work of the IGMG is managed via the Integrated IG Work Programme. This programme highlights areas requiring improvement identified through a number of means including:
- Internal and external audits
- Incident and risk management
- Compliance with key legislation e.g. Data Protection Act 1998 and Freedom of Information Act 2000
- Compliance with national standards e.g. NHS Codes of Practice, C-PiP assessment, Standards for Health Services

4.4 Caldicott: Principles into Practice (C-PiP) Assessment

The C-PiP self assessment has been developed by the NHS Wales Informatics Service (NWIS) for practitioners to use as their primary mechanism for benchmarking compliance with the seven Caldicott principles. The assessment should be undertaken on an annual basis and is mandatory in Wales.

4.5 Integrated IG Work Programme

This report was developed in response to recommendations highlighted during a 2012 internal audit of Data Protection, Caldicott, Freedom of Information and Records Management. However, it has evolved over time to include any areas of information governance requiring improvement which have been identified. It provides the focus for the IGC and IGMG who can review priorities based on the associated risks.

5 STRATEGIC OBJECTIVES

Through implementing this strategy and policy the Health Board will:

5.1 Audit and monitoring

Undertake regular reviews, assessments and audits of how information is recorded, held and used; these will be used to identify good practice and opportunities for improvement.

5.2 Policies

Ensure that all practice, policies and procedures relating to the handling and holding of personal and Health Board corporate information are legal and conform to best and/or recommended practice and that a review process is in place to monitor their effectiveness so improvements or deterioration in information handling standards can be recognised and addressed.

5.3 Training and awareness

Work to instil a culture that improves Information Governance in the Health Board through increasing awareness and providing training on all key Information Governance issues.

5.4 Information for service users/the public

Ensure that clear advice is given to service users about how their personal information is recorded, handled, stored and shared by the Health Board and its partners. They should be fully informed of their rights in respect of how their personal information is processed and managed and any impact on privacy be assessed where new innovations involve processing personal information.

Ensure that non confidential information about the Health Board and its services is readily and easily available through a variety of media, in line with the Health Board's Publication Scheme.

5.5 Data Quality

Managers will take ownership of, and seek to improve the quality of information within their services and that information quality is assured at the point of collection. Quality will be maintained through accurate recording and through clear and consistent definition of data items in accordance with national standards.

5.6 Incidents, Risks and Learning

Continue to develop and maintain incident and risk reporting procedures. Investigate all reported instances of actual or potential breaches of information security and confidentiality. Learning will be reported and shared to improve compliance and to identify areas of risk in line with the Health Board's Risk Management policy and procedures.

5.7 Information sharing

Ensure that, where appropriate and subject to confidentiality constraints, information is shared with other NHS, social care, partner organisations and contractors in order to support patient care. This should be managed in accordance with the Wales Accord for Sharing Personal Information (WASPI) framework in the form of information sharing agreements and/or data processor contracts.

5.8 Information Security

Implement effective information security and confidentiality secure practice to all permanent/temporary, contracted staff and third party associates of the Health Board through policies, procedures and training and information awareness documentation.

5.9 Joint/collaborative working

Continue to develop a closer working relationship with Powys County Council in respect of information governance. Collaborate over key areas of information governance and adopt a joint approach to tackling areas identified within the Integrated IG Work Programme where possible. Continue to support the NWIS ICT programme and other national/local initiatives as appropriate, e.g. Community Care Information System. Explore links with Primary Care to ensure the appropriate governance and assurance is developed.

5.10 Governance

Maintain a clear reporting structure and ensure through management action and training that all staff understand IG requirements. Develop information systems and reporting processes which support effective performance management and monitoring.

5.11 Records and information management

Ensure effective processes are in place to manage records and information. Effective management of records will ensure that we know what information is available and where it is stored. This will support the delivery of patient care, enable us to respond promptly to access to information requests and increase openness and transparency about what we do.

6 INFORMATION GOVERNANCE STRATEGY IMPLEMENTATION

The Information Governance Committee (IGC) will monitor implementation of this strategy during the next 3 years. This will be achieved through the continual review and development of the Integrated IG Work Programme overseen by the Information Governance Management Group (IGMG).

The IGC will review this strategy and policy in 2018 or earlier in response to any significant changes to mandatory requirements or guidance or as a result of significant information governance breaches or incidents.

7 INFORMATION GOVERNANCE TRAINING

Information Governance training is mandatory and all staff must receive basic IG training. Ongoing awareness and training will be provided to all staff, in all sections of the Health Board in line with the Information Governance training needs analysis.

7.1 Methods of Training

Corporate Induction - Introduction to Workforce Systems day for all new employees
All new employees are required to attend a Corporate Induction event within 8 weeks of commencing duties. The Introduction to Workforce Systems day includes an Information Governance e-learning module that covers Confidentiality & the Caldicott Principles, Data Protection, Freedom of Information, Record Keeping and Information Security.

Statutory and Mandatory training
All employees are required to attend a Statutory & Mandatory training course every 2 years. The course includes an e-learning module that covers Confidentiality & the Caldicott Principles, Data Protection, Freedom of Information, Record Management & Quality and Information Security.

Specific Additional Information Governance Training
Where specific training is required in relation to an area of information governance, this will be delivered either by members of the Information Governance Team, the appropriate e-learning module or external providers as appropriate. Where necessary and possible this training will be cascaded by managers to their teams.

7.2 Monitoring Compliance

The Workforce and Organisational Development department will provide regular reports on compliance with the required attendance at both Induction and Statutory & Mandatory training days. These will be reviewed by Directorates, Localities and Departments, which, where uptake is low, will ensure that employees attend at the earliest opportunity. Managers must also ensure that attendance is monitored through the Personal Development Review process.

8. CONCLUSION

Implementation of this strategy and policy will ensure that the Health Board and its staff handle and manage information in a consistent way.

This is anticipated to lead to:
- Improvements in information handling activities
- Reduction in number of IG incidents and complaints
- Increased service user confidence in the NHS, the Health Board and its staff.
- Compliance with the law and professional standards.
- Implementation of Welsh Government advice and guidance.
- Year on year improvement.

Appendix 1

INFORMATION GOVERNANCE ROLES & ACCOUNTABILITY CHAIN

Accountable Officer / Data Controller
Chief Executive
(Overall responsibility for ensuring that organisation risks are assessed and mitigated to an acceptable level)

Caldicott Guardian
Medical Director
(Provides a focal point for patient confidentiality and information sharing issues. Is concerned with management of patient information and is the advisory and conscience of the organisation)

Senior Information Risk Owner (SIRO)
Director of Therapies & Health Science
(Board level position with lead responsibility for the organisation's information risk)

Data Protection Officer / Information security lead
Information Governance Manager
(Management of IG across the whole organisation, ensuring it complies with statutory requirements in relation to Information security, confidentiality, data protection, Caldicott)

Information Asset Owner (IAO)
To be confirmed
(Assigned owners responsible for a particular information asset/s and responsible for providing assurances to the SIRO on information risks)

Information Asset Administrator (IAA)
To be confirmed
(Board level position with lead responsibility for the organisation's information risk)

Appendix 2

Information Governance Assurance Framework

Theme: Governance; Statutory Obligations; National Standards; Organisational Performance

Assurance Requirement: Strategy & Policy; Quality of data and information; Complaints & Learning; Incidents & Learning; Risks; Internal Audits; Freedom of Information Act 2000; Data Protection Act 2000; Access to Health Records Act 1990; Caldicott Principles into Practice; Welsh code of confidentiality; Records management standards; Information security standards; Workforce training; Performance Indicators

Assurance Source: IG Strategy Implementation Plan Position report against status of IG Policies WAO Clinical Coding Audit Transformation Programme Data and Information Complaints summary and associated learning Incidents summary and associated learning Integrated Risk Register, including audit recommendations Overview of Audits planned and outstanding recommendations FOI Annual Report Key Performance Indicators FOI Policy and Procedures DPA Annual Report Key Performance Indicators DPA Policy and Procedures DPA Annual Report Self-assessment and out-turn report Policy Training uptake Policy Training uptake Incident Reporting Policy Training uptake Incident Reporting DPA Annual Report Training and Development Plan Training uptake IG Performance Report

Appendix 3

Key Drivers include (but not limited to):
- Data Protection Act 1998 and Freedom of Information Act 2000
- National standards on: Records Management, Information and ICT Security
- Caldicott Principles into Practice self assessment
- Standards for Healthcare Services assessment - 1 (Governance and Accountability), 19 (Information Management and Communications Technology), 20 (Records Management)
- Internal & External audits (WAO, ICO etc)
- Wales Accord for Sharing Personal Information (WASPI)

5.1 Audit and monitoring

Strategic Objective: Undertake regular reviews, assessments and audits of how information is recorded, held and used; these will be used to identify good practice and opportunities for improvement.

Implementation Plan:
- Complete the annual Caldicott Principles into Practice self Assessment and produce an Out-turn report and Improvement Plan
- Complete the annual Standards for Health Services assessment and identify areas for improvement
- Participate in ICO surveys to help identify areas requiring improvement / to provide a level of assurance
- Analyse Datix incident and risk management reports to inform opportunities for improvement
- Follow up any assessments and internal and external audits with relevance to Information Governance and monitor progress via the Information Governance Management Group.
- Routinely report assurance to the Information Governance Committee.

5.2 Policies

Strategic Objective: Ensure that all practice, policies and procedures relating to the handling and holding of personal and Health Board corporate information are legal and conform to best and/or recommended practice. Ensure that a review process is in place to monitor their effectiveness so improvements or deterioration in information handling standards can be recognised and addressed.

Implementation Plan:
- Develop policies and procedures to support the processing of information which conform to best practice, legal requirements and national standards, and which respond to requirements identified through audits and other means
- Maintain, monitor and routinely report a schedule of related policies to the IGMG/IGC to ensure they are reviewed and developed as appropriate

5.3 Training and awareness

Strategic Objective: Work to instil a culture that improves Information Governance in the Health Board through increasing awareness and providing training on all key Information Governance issues.

Implementation Plan:
- Support the development and implementation of the mandatory all Wales IG e-learning module to all staff to ensure 100% uptake is achieved
- Promote and implement the recommended NHS England IG Toolkit e-learning modules identified within the Training Needs Analysis
- Promote, monitor and report the uptake of information governance training to enable staff to have the necessary skills and confidence to handle information effectively and safely providing assurance to the Board
- Promote information governance awareness through the work of the IGMG, team/locality meetings, newsletters, site visits and workshops

5.4 Information for service users/the public

Strategic Objective: Ensure that clear advice is given to service users about how their personal information is recorded, handled, stored and shared by the Health Board and its partners. They should be fully informed of their rights in respect of how their personal information is processed and managed and any impact on privacy be assessed where new innovations involve processing personal information. Ensure that non confidential information about the Health Board and its services is readily and easily available through a variety of media, in line with the Health Board's Publication Scheme.

Implementation Plan:
- Develop, maintain, promote and monitor the organisation's website to ensure as much information as appropriate is available to the public/service user.
- Support the ongoing development of the Publication Scheme and Disclosure Log which should reduce the number of information requests made under the Freedom of Information Act 2000
- Make information leaflets and posters more readily available on an ongoing basis around the service/waiting areas to ensure that service users are fully informed
- Engage with service users when IG developments impact upon them
- Develop and publish Privacy Impact Assessments

5.5 Data Quality

Strategic Objective: Managers should take ownership of, and seek to improve the quality of information within their services and that information quality is assured at the point of collection. Quality should be maintained through accurate recording and through clear and consistent definition of data items in accordance with national standards.

Implementation Plan:
- Implement the Information Asset Owner/Administrator roles to support the IG agenda
- Develop and implement the Data Quality Policy
- Promote information quality and effective records management through policies, procedures/user manuals and training
- Ensure information systems hold the information required to support clinical practice and operational management.
- Develop information systems and reporting processes which support effective performance management and monitoring

5.6 Incidents, Risks and Learning

Strategic Objective: Continue to develop and maintain incident and risk reporting procedures. Investigate all reported instances of actual or potential breaches of information security and confidentiality. Learning should be reported and shared to improve compliance and to identify areas of risk in line with the Health Board's Risk Management policy and procedures.

Implementation Plan:
- Ensure the Datix Incident Reporting System meets the reporting requirements and that users are trained and supported appropriately
- Maintain an IG Risk Register
- Routinely report trends and lessons learned to IGMG/IGC to provide assurance
- Raise awareness and share learning with Health Board colleagues and others as appropriate
- Identify follow up actions and manage via the Integrated IG Work Programme

5.7 Information Sharing

Strategic Objective: Ensure that, where appropriate and subject to confidentiality constraints, information is shared with other NHS, social care, partner organisations and contractors in order to support patient care. This should be managed in accordance with the Wales Accord for Sharing Personal Information (WASPI) framework in the form of information sharing agreements and/or data processor contracts.

Implementation Plan:
- Develop and maintain an Information Asset Register, identify Information Asset Owners and Administrators
- Develop and implement an Information Flow Mapping policy to ensure all information flows are comprehensively mapped to identify areas of risk.
- Information sharing agreements will be developed in accordance with the WASPI framework where possible to support the routine sharing of personal information within and outside of the NHS
- Maintain, monitor and routinely report a schedule of agreements to the IGMG/IGC to ensure they are reviewed and developed as appropriate
- Create and maintain a register of 3rd party contracts and ensure appropriate Data Processor Agreements are developed in support

5.8 Information Security

Strategic Objective: Promote effective information security and confidentiality secure practice to all permanent/temporary, contracted staff and third party associates of the Health Board through policies, procedures, training and information awareness documentation.

Implementation Plan:
- Support the development and implementation of the all Wales Information Security policy
- Review the Information Security standards and identify any actions required in support

5.9 Joint/collaborative working

Strategic Objective: Continue to develop a closer working relationship with Powys County Council in respect of information governance. Collaborate over key areas of information governance and adopt a joint approach to tackling areas identified within the Integrated IG Work Programme where possible. Continue to support the NWIS ICT programme and other national/local initiatives as appropriate eg Community Care Information System. Explore links with Primary Care to ensure the appropriate governance and assurance arrangements exist.

Implementation Plan:
- Attend national groups and utilise virtual networks to discuss issues affecting IG and feedback to the IGMG as appropriate
- Provide IG support to new national and local initiatives led by NWIS, the Programme Management Office and ICT Projects eg supporting the implementation of the Community Care Information System, Digital Records Service, Mastermind, Casenote Tracking etc.
- Meet with PCC colleagues to consider a joint approach to key areas of work eg implementing Privacy Impact Assessments, Information Flow Mapping and ownership, the Community Care Information System and a central records storage solution etc as identified within the Integrated IG Work Programme
- Explore links with Primary Care to ensure the appropriate governance and assurance arrangements exist.
- Link with the ICT, Information and other teams as necessary and keep abreast of new issues affecting IG

5.10 Governance

Strategic Objective: Maintain a clear reporting structure and ensure through management action and training that all staff understand IG requirements. Develop information systems and reporting processes which support effective performance management and monitoring.

Implementation Plan:
- Routinely report assurance that information governance arrangements are operating efficiently and effectively to relevant committees and in accordance with their Terms of Reference
- Ensure the Terms of Reference of relevant committees are reviewed annually
- Provide comprehensive performance reports to the IGMG / IGC on key areas of IG to include; incidents, concerns, risks and lessons learned, training uptake, status of policies and information sharing agreements etc
- Explore the IG support requirements and responsibilities for new and existing services eg hosting NISCHR, managing the property of other Health Authorities by attending meetings, reviewing contracts and statutory instruments etc

5.11 Records and information management

Strategic Objective: Ensure effective processes are in place to manage records and information. Effective management of records will ensure that we know what information is available and where it is stored. This will support the delivery of patient care, enable us to respond promptly to access to information requests and increase openness and transparency about what we do.

Implementation Plan: This will be achieved by implementing 5.1-5.10 above