INFORMATION GOVERNANCE STRATEGY. Documentation control


Reference: GG/INF/01
Date Approved:
Approving Body: TRUST BOARD
Version:
Supersedes:
Consultation Undertaken: Information Governance Committee; Risk Management Committee; Directors Group
Target Audience: Directors, Clinical Directors, senior managers, IG leads, Governance leads
Supporting procedures: Information Governance policies; Information Governance action plans
Review Date: November 2008
Lead Executive: Director of Health Informatics
Author/Lead Manager: Specialist Adviser (Caldicott & Data Protection)
Further Guidance/Information: Specialist Adviser (Caldicott & Data Protection)

CONTENTS

1 Introduction
2 Scope of Information Governance
3 Standards for Better Health
4 National Programme for IT Care Records Service
5 Aims of the strategy
6 Strategy
7 Management & Accountability
8 Awareness & Training
9 Implementation
10 Review arrangements
11 References

Appendices
Appendix A: 2006/2007 Information Governance Results for Nottingham University Hospitals NHS Trust
Appendix B: Information Governance Committee terms of reference
Appendix C: Information Governance Initiative leads
Appendix D: Information Governance Toolkit requirements V5 Baseline Assessment
Appendix E: Employee Record of Having Read the Strategy

"I define Information Governance as the structures, policies and practice of the DH, the NHS and its suppliers to ensure the confidentiality and security of all records, especially patient records, and to enable the ethical use of them for the benefit of individual patients and public good" (Harry Cayton, National Director of Patients and the Public, Chair, Care Record Development Board. Information Governance in the Department of Health and the NHS 2006)

1. INTRODUCTION

Information Governance is a component of the integrated governance framework. [1] Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of the Trust's services and resources. It plays a key part in Clinical Governance, Corporate Governance, service planning, and risk and performance management. Effective information governance is a necessity to ensure the opportunities and benefits that the National Programme for IT promises will be effectively and safely realised and that the public have confidence in the systems.

Trust information is shared with a diverse and growing number of external bodies to deliver care and services or to assure quality, for example:
- NHS Commissioning organisations
- GPs and primary care
- Other Trusts (NHS and Foundation)
- Independent sector providers
- Social Care organisations
- Children's services
- Voluntary services
- Regulators and inspectors, for example the Healthcare Commission
- Audit and fraud investigators
- Research bodies and researchers
- The Health and Social Care Information Centre
- Public sector led government initiatives, e.g. police and other public services working together to reduce incidents of drug related crime or domestic violence.

Trust information is also shared with the public, either by voluntary and proactive publication through a code of openness, or in response to requests under information rights and access legislation. [2]

[1] These discussions have confirmed that moving from governing in silos (eg, clinical governance, information governance) to an integrated agenda is both an essential and practical way for Boards to meet their responsibilities. Integrated Governance Handbook 2006
[2] Freedom of Information Act 2000, Data Protection Act 1998 and Environmental Information Regulations 2004

Information Governance is a framework of standards designed to ensure that the Trust handles personal and corporate information ethically, legally, securely, efficiently and effectively to deliver the best possible care, to meet its public accountability responsibilities and to maintain public confidence. [3]

This strategy sets out the approach to be taken within the Trust to provide a robust Information Governance Framework for the future management of information.

[3] Information Governance Leaflet http://information.connectingforhealth.nhs.uk/prod_images/pdfs/945.pdf

2. SCOPE OF INFORMATION GOVERNANCE

In the context of the National Information Governance Board, 'information governance' is considered to be the following: 'The structures, policies and practice used to ensure the confidentiality and security of health and social care services records, especially clinical records, and to enable the ethical use of them for the benefit of the individual to whom they relate and for the public good.'

The National Information Governance Board will ensure that ethical, legal and policy issues are consistently applied by all bodies using or holding NHS or Social Care information. They will do this through the analysis of annual information governance returns, analysing trends and setting standards for improvement to ensure the conditions promised to patients in the Care Record Guarantee are being met.

The NHS Care Record Guarantee sets out the rules that will govern information held in the NHS Care Records Service. This will form an important part of the public information campaign about NHS Care Records.

The Trust's performance will be measured through compliance with the Information Governance Toolkit. The IG Toolkit is a framework that brings together all statutory, mandatory and best practice requirements for information management, ordered into the following initiatives:
- Information Governance Management
- Information Security Assurance
- Confidentiality and Data Protection Assurance
- Clinical Information Assurance (including Health Records Management)
- Secondary Use Assurance (including Information Quality)
- Corporate Records management (including Freedom of Information)

3. STANDARDS FOR BETTER HEALTH

The Information Governance Toolkit informs the Healthcare Commission's assessment on Standards for Better Health core standards in data protection, confidentiality and records management. The Healthcare Commission have direct access to the Trust's self-assessment audit held on the Information Governance Toolkit to compare the results with the Standards for Better Health declaration to assure compliance. The key areas are:

- Standard C9: The Trust has systems in place to ensure that records are managed in accordance with the NHS Information Authority's Information Governance Toolkit and the IG Clinical Information Assurance initiative, and
- Standard 1c: Healthcare organisations have systems in place to ensure that staff treat patient information confidentially, except where authorised by legislation to the contrary and the IG Confidentiality and the Data Protection Assurance initiative

4. NATIONAL PROGRAMME FOR IT - THE CARE RECORD SERVICE

Information Governance is a national priority in the delivery and success of the NPfIT programme. Sound information governance standards will demonstrate that the Trust is capable of delivering the NPfIT agenda.

In August 2006, Sir Ian Carruthers asked NHS Chief Executives to review their information governance arrangements by March 2007 to ensure best possible compliance to the Care Record Guarantee. [4]

The Trust's information governance structures, policies and processes and information sharing policies will be of particular relevance to ensure an organisational culture of awareness and responsibility for handling patient information held in the IT systems ethically, legally and securely.

The Information Governance Toolkit provides the framework that will enable the Trust to review practice and ensure best possible compliance with the Care Record Guarantee. This strategy therefore should be read in conjunction with the Trust's ICT strategy, the NHS Operating Framework 2007/2008 [5] and local ownership plans.

[4] Gateway Ref 704. 1st August 2006 Sir Ian Carruthers National Programme for IT responsibilities and information governance
[5] The NHS in England Operating Framework 2007/2008

5. AIMS OF THE STRATEGY

5.1 The aim of the strategy is to ensure that the Trust meets statutory, mandatory and best practice requirements that apply to the handling of its patients' and business information.

5.2 The strategy is the tool that will help the Trust to achieve the required best standards of practice in the way in which patient and corporate information is handled, leading to improvements in:
- Information management
- Patient confidence in the care providers
- Staff confidence in managing information and sharing it appropriately
- Reduction and management of risks arising from information management processes
- Achieving high standards in performance measures and accreditation processes

5.3 The Trust's strategy on records management will address certain Information Governance standards in the Clinical Information Assurance initiative and Corporate Records Management Assurance initiative.

6. STRATEGY

Key elements

6.1 There are two key components underpinning this strategy:
- The Information Governance Policy, which outlines the Trust's information governance principles and objectives,
- The annual IG Improvement Plan, arising from a baseline assessment against the standards set out in the NHS Connecting for Health Information Governance Toolkit. (Appendix A)

6.2 The Information Governance Committee has responsibility for overseeing the implementation of this strategy, the Information Governance Policy and the IG improvement plan. All will be subject to periodic review and any changes will be reported in accordance with Trust protocol.

6.3 The Information Governance Committee is required to report the result of self-assessment audit to the Trust Board for approval prior to its submission to the Department of Health.

6.4 The Director of Health Informatics is the named Director with responsibility for Information Governance. The Trust's Caldicott Guardian is the chairman of the Information Governance Committee.

6.5 Information Governance is a corporate agenda that cannot be seen in isolation as information plays a key part in Clinical and Corporate Governance, service planning and performance management. The strategy therefore links into all of those aspects of the organisation and therefore should be reflected in the Governance Strategy.

Strategic objectives

6.6 The Trust will ensure that adequate governance arrangements are in place to support the current and evolving Information Governance Agenda. This will be achieved through compliance with the Information Governance Management Assurance standards. Appropriate organisational and management structures should be in place to support the Information Governance work programme that sustains continuous improvement.

6.7 Fundamental to the success of delivering the IG Strategy is developing an IG culture within the Trust. Awareness and training need to be provided to all Trust staff who use information in their day-to-day work to promote this culture. In order to achieve this, a training plan will be developed by the IG Committee.

6.8 The Information Governance Committee will identify any associated resource implications incurred by the implementation of the IG policy and action plan. Business cases will then be developed and submitted to the appropriate committee for approval.

6.9 The Trust's performance will be monitored by the IG Committee and submitted to the Department of Health via the NHS Connecting for Health Information Governance Toolkit on an annual basis.

6.10 The implementation of the IG strategy, policy and action plan will ensure that information is more effectively managed at Nottingham University Hospitals NHS Trust. Each year the policy will be reviewed and an action plan developed against the IG Toolkit to identify risks and key areas for continuous improvement.

6.11 The Trust will develop and maintain a communications strategy to ensure that patients and the public are adequately informed about confidentiality and the way their information is used and shared and their rights as data subjects (in particular how they may access their personal data). Effective procedures will be introduced to ensure that detailed questions raised by patients can be answered.

6.12 The Trust will ensure that patient confidentiality is maintained in accordance with the Department of Health Confidentiality: NHS Code of Practice and legal requirements under the Data Protection Act 1998, European Convention of Human Rights (Article 8) (Human Rights Act 1998) and common law.

6.13 The Trust will protect its information systems through compliance with the Department of Health Information Security Code of Practice and associated standards ISO 17799/007

6.14 The Trust will ensure that Health Records are managed in accordance with the Department of Health Records Management: NHS Code of Practice

6.15 The Trust will ensure compliance with the Freedom of Information Act 2000 and associated Lord Chancellor's Codes of Practice under sections 45 and 46.

7. MANAGEMENT AND ACCOUNTABILITY

7.1 The Trust is required to have an Information Governance Policy, an associated strategy and improvement plans endorsed by the Trust Board. The Board should be kept up to date on progress against the improvement plans, which will be achieved via the Trust's assurance framework. The Trust Board is required to sign off the annual self-assessment audit report prior to its submission.

7.2 The Information Governance Committee will ensure the development, management and review of the information governance agenda across the organisation. The terms of reference are included in Appendix B

7.3 The Director of Health Informatics is the Executive Director with responsibility for Information Governance

7.4 The chairman of the Information Governance Committee, in conjunction with the Director of Health Informatics, will be responsible for the implementation and improvement of the standards in the Information Governance Management Assurance initiative to ensure adequate arrangements are in place to support the programme trust-wide.

7.5 The Information Governance Lead will support the Chairman of the Committee and Director of Informatics to ensure their responsibilities are achieved by:
- Ensuring a co-ordinated approach to Information Governance across the Trust
- Advising the Initiative Leads and ensuring the development of improvement plans, risk management assessments, completion and reporting of the self-assessment audits
- Assessing and communicating changes, updates and interpretation of the IG standards
- Promoting Information Governance awareness

7.6 An Initiative Lead will be identified for each initiative. The initiative lead will be the Trust's expert in the particular subject. See Appendix C

7.7 Patient and Public Involvement and PALS will play a key role in the development and delivery of the communications plan identified in 5.9

7.8 All Directorates will ensure they are adequately represented on the Information Governance Committee and arrangements are in place to communicate, action, measure and report the implementation and progress of the relevant standards within their sphere of responsibility.

7.9 The existing governance arrangements within the Directorates should support the Information Governance programme of work.

7.10 Managers are responsible for ensuring that the policy, supporting standards and guidelines are incorporated into work processes and there is on-going compliance.

7.11 All staff, whether permanent, temporary or contracted, should be aware of their own individual responsibilities for the maintenance of confidentiality, data protection, information security management and information quality.

8. AWARENESS AND TRAINING

8.1 All staff should receive Information Governance awareness training as part of their induction.

8.2 All staff will receive Information Governance guidance as a conditional part of the training process for access to the Trust's ICT systems

8.3 Directorate or departmental arrangements should be in place to ensure that staff have received adequate training and understand their responsibilities

8.4 Advice and guidance material will be developed and published on the Trust's intranet

8.5 The Trust will ensure that there is an adequate level of awareness of Information Governance within the organisation.

8.6 The Trust will ensure that there is an adequate level of awareness of Information Governance within the organisation and arrange awareness campaigns to promote compliance

9. IMPLEMENTATION

9.1 The Information Governance Committee will oversee the development, implementation and progress of this strategy following its approval by the Trust Board.

9.2 Each Directorate is required to nominate an Information Governance representative who will be responsible for attending the Information Governance Committee meetings, for two-way communication and ensuring improvement plans are actioned.

9.3 The Trust's assurance framework will be used to manage risks, report progress and ensure compliance.

9.4 The Information Governance Committee will ensure the completion of a self-assessment audit using the NHS Connecting for Health Information Governance Toolkit. The results will be reported to the Trust Board for sign-off prior to the submission of the results to the Department of Health and Healthcare Commission. The due date is the 1st March of the reporting year.

9.5 The Clinical Effectiveness Committee will be kept informed by the chairman of the Information Governance Committee.

10. REVIEW

The Information Governance Committee will ensure this strategy is reviewed on an annual basis. Connecting for Health issue a new toolkit every year between June and September. The Information Governance Committee will review the relevant version and update the improvement plans and risk management reports accordingly. The revised plans will be approved and issued by the Information Governance Committee.

11. REFERENCES

- Connecting for Health Information Governance (IG) http://www.connectingforhealth.nhs.uk/systemsandservices/infogov
- National Information Governance Board for Health and Social Care http://www.connectingforhealth.nhs.uk/nigb
- NHS Care Record Guarantee http://www.connectingforhealth.nhs.uk/nigb/crsguarantee
- NHS CFH Information Governance Programme Board http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/board
- Information Governance in the Department of Health and the NHS (Information Governance review). Harry Cayton, then the National Director for Patients and the Public and Chair of the Care Record Development Board, now the Chief Executive of the Council for Healthcare Regulatory Excellence
- National Programme for IT responsibilities and information governance (Gateway Ref: 704), letter to all CEOs from the Acting NHS Chief Executive
- The NHS in England: the operating framework for 2007/08. Department of Health
- Guidance on preparation of local IM&T plans. Gateway Ref 7657
- Integrated Governance Handbook 2006

Appendix A

INFORMATION GOVERNANCE IMPROVEMENT ACTION PLANS 2007/2008

Initial results for 2007/2008 reporting year (end of year 1/0/08)
Overall result 6% (amber)

Initiative | Results (based on requirements version 5)
Information Security Assurance | 76% (GREEN)
Secondary Use Assurance | 75% (GREEN)
Confidentiality and Data Protection Assurance | 66% (AMBER)
Information Governance Management | 5% (AMBER)
Clinical Information Assurance | 47% (AMBER)
Corporate Information Assurance | 5% (RED)

Results for Nottingham University Hospitals NHS Trust 2006/2007
Overall result 68% (amber)

Initiative | Results (based on requirements version 4)
Information Security Assurance | 8% (GREEN)
Confidentiality and Data Protection Assurance | 80% (GREEN)
Secondary Use Assurance | 75% (GREEN)
Information Governance Management | 61% (AMBER)
Corporate Information Assurance | 50% (AMBER)
Clinical Information Assurance | 45% (AMBER)

OUTLINE IMPROVEMENT PLAN FOR 2007/2008
(In order of scoring, highest scoring initiative first)

Initiative: INFORMATION SECURITY ASSURANCE
Lead: Information Security Officer (ICT)
Overall compliance: 2006/07: 8%; 2007/08: 76%; +/-: -6%
Comments: Decrease in compliance due to release of version 5 and changes to the requirements to align with the Department of Health Information Security Management: NHS Code of Practice issued in April 2007.
Improvement plan: Awaiting details of improvement plans (November 2007)
Corresponding standards: Corresponding Standards for Better Health standard C9 reported in the 2007/08 Assurance Framework report Q ref.8 (line 71). Awaiting outcome of CPPC discussions for funding to complete gap in assurance. Standard 0 Statement of Compliance requires the Trust to have a documented strategy for RA business processes. Strategy needs to be completed by 1/0/08

Initiative: SECONDARY USE ASSURANCE
Lead: Deputy Head of Information (ICT)
Overall compliance: 2006/07: 75%; 2007/08: 75%; +/-: Same
Comments: Improvement on this is dependent upon the implementation of new PAS system
Improvement plan: Priority - completion of standard 401. Routine procedural documentation needs to be updated
Corresponding standards: Standard 401 Statement of compliance (SoC) requires the Trust to have a strategy to ensure the correct NHS number is recorded for each active patient and ensure that it is used routinely in all clinical correspondence. Strategy needs to be completed by 1//08

Initiative: CONFIDENTIALITY AND DATA PROTECTION
Lead: Specialist Adviser (Caldicott & Data Protection) (ICT)
Overall compliance: 2006/07: 81%; 2007/08: 66%; +/-: -15%
Comments: 15% decrease in compliance due to increase in requirements for attainment levels concerning the NHS Care Record Guarantee.
Improvement plan: Requires communication plan to inform patients of the use of their personal data and a system in place to answer their questions and respond to their concerns about confidentiality and access to health records. Access to health records procedures (data protection subject access rights) have been revised and are ready for publishing. Training plan for PALS, patient facilitators under development to support the communications plan, which should be completed by the end of the reporting year. Funding required for leaflets. Confidentiality Policy due for completion December 2007
Corresponding standards: Corresponding Standards for Better Health standard C9 reported in the 2007/08 Assurance Framework report Q ref.49 requirements for assurance as listed above

Initiative: INFORMATION GOVERNANCE MANAGEMENT
Lead: Specialist Adviser (Caldicott & Data Protection) (ICT)
Overall compliance: 2006/07: 61%; 2007/08: 5%; +/-: -8%
Comments: Decrease due to loss of IG Committee members and delays in completion of policies
Improvement plan: Improvement requires:
- Approval of this strategy
- Completion of the business continuity plans for all critical infrastructure components and core information business systems.
- Completion and ratification of the Information Lifecycle policy/strategy and implementation plan
- Completion of a documented system to monitor compliance with Registration Authority terms
- Implementation of that RA process
Corresponding standards: Standard 108 requires compliance at level to guarantee the Trust's Statement of Compliance (SoC). Standard 0 Registration Authorities and 410 NHS Number currently do not meet this standard, see above

Initiative: CLINICAL INFORMATION ASSURANCE
Lead: Records Manager (ICT)
Overall compliance: 2006/07: 50%; 2007/08: 47%; +/-: -%
Comments: Policies and processes awaiting various approvals
Improvement plan: The Information Governance Toolkit Compliance requires work in the following areas:
- Policy and Strategy on the Management of Non Clinical Records required, including electronic records, naming conventions and e-mails (To be completed and ratified December 2007/Jan 2008).
- Policy for the Merging or De-merging of Patient Records (Ratified by IG Committee, currently awaiting ratification by the Board),
- a Standard Design for the health record across campuses requires ratification and implementation by HRMG and this should be completed by Jan 2008,
- A Health Record Availability Monitoring Procedure has been agreed and implemented (Oct 2007),
- A Corporate Records Audit of Corporate Depts is required and is scheduled to take place between February and April 2008.
Corresponding standards: Corresponding Standards for Better Health standard C9 reported in the 2007/08 Assurance Framework report Q ref.8 as above

Initiative: CORPORATE INFORMATION ASSURANCE
Lead: Records Manager (ICT) and Corporate Directors for key corporate services
Overall compliance: 2006/07: 45%; 2007/08: 5%; +/-: 0%
Comments: Key areas identified in IG Framework:
- Chief Executive's Office & Trust Secretary
- Finance
- Human Resources
- Estates
- Supplies & Procurement
Local records managers established
Improvement plan:
- Policy and Strategy on the Management of Non Clinical Records required, including electronic records, naming conventions and e-mails (To be completed and ratified December 2007/Jan 2008 to achieve improvement in scoring).
- Documented and accessible records management procedures
- Information audit to be completed in one key area by 1//08 with action plans to resolve problems and improve practice
- Freedom of Information documented processes and publication scheme require updating
Corresponding standards: Corresponding Standards for Better Health standard C9 reported in the 2007/08 Assurance Framework report Q ref.8 as above

Appendix B

Information Governance Committee

The main purpose of the Information Governance Committee is to ensure that the Trust's existing and future information systems (organisational and technical) operate in accordance with the best practice standards set by the Information Governance agenda, and that the organisation can demonstrate year on year improvement through the appropriate accreditation processes.

The Committee will focus on the following areas of activity:
1. Development and implementation of an Information Governance Strategy and policy
2. Ensure Information Governance is promoted and supported throughout the organisation
3. Ensure the divisions/directorates undertake responsibility for implementing the agreed standards of practice to achieve trustwide compliance with the Information Governance standards
4. Provision of appropriate direction on Information Governance matters to the Director of Health Informatics
5. Overseeing the annual Information Governance audit and assurance process

The terms of reference are available from the IG Management lead

Membership as of 15th November 2007

Chairman Caldicott Guardian HRMG Chair, HRMG HRMG Chair, HRMG

INFORMATION GOVERNANCE LEADS
Director responsible for IG: Director of Health Informatics
Initiative lead for IG Management, Caldicott & Data Protection Assurance: Specialist Adviser (Caldicott & Data Protection)
Initiative lead for Clinical Information Assurance: Records Manager
Initiative lead for Information Security Assurance: Information Security Officer
Initiative lead for Secondary Use Assurance: Deputy Information Manager

CORPORATE DIRECTORATE LEADS
Human Resources: Divisional HR Manager
Corporate Governance: Executive Business Manager
Finance: VACANT
Research Governance: VACANT
Clinical Governance: VACANT

CLINICAL DIRECTORATES
Diabetic, Renal & Cardiovascular Senior Clinical Nurse Specialist Directorate Family Health representatives Diagnostics and Clinical Support Occupational Therapy
Acute Medicine: VACANT
Musculoskeletal & Neurosciences: VACANT
Head & Neck: VACANT
Cancer & Associated specialties: VACANT
Specialist Support: VACANT
Digestive Diseases & Thoracic: VACANT

Appendix C
Initiative leads

IG Initiative: Information Governance Management Assurance; Lead: Specialist Adviser (Caldicott & Data Protection); Directorate: ICT
IG Initiative: Confidentiality and Data Protection Assurance; Lead: Specialist Adviser (Caldicott & Data Protection); Directorate: ICT
IG Initiative: Information Security Assurance; Lead: Information Security Officer; Directorate: ICT
IG Initiative: Clinical Information Assurance; Lead: Records Manager; Directorate: ICT
IG Initiative: Secondary Use Assurance; Lead: Deputy Information Manager; Directorate: ICT
IG Initiative: Corporate Records Management Assurance; Lead: Records Manager and the Trust Secretary; Directorate: ICT & Trust HQ

Appendix D
INFORMATION GOVERNANCE TOOLKIT REQUIREMENTS V5 BASELINE ASSESSMENT

Information Governance Management Assurance
Lead: Specialist Adviser (Caldicott & Data Protection)

Ref  Description
101  Does the organisation have adequate governance in place to support the current and evolving Information Governance agenda?
102  How would you assess your organisation's ability to access expertise across the Confidentiality & Data Protection Assurance agenda?
103  How would you assess your organisation's ability to access expertise across the Information Security agenda?
104  How would you assess your organisation's ability to access expertise across the Information Quality and Records Management Agenda?
105  Does the organisation have in place comprehensive IG Policy and associated Strategy and Improvement Plans all signed off by the Board?
106  Does the Trust have up to date and tested business continuity plans for all critical infrastructure components and core information systems?

Initial for 2007/08: 1 1
Final Score:

Ref  Description
107  Does the organisation have a comprehensive Board endorsed Information Lifecycle Management Policy/Strategy and implementation plan?
108  Has the Trust implemented its Information Governance management arrangements to ensure the NHS CFH Statement of Compliance (SOC) is satisfied?
109  Does the Trust ensure that staff and those working on behalf of the organisation comply with the terms and conditions set out on the RA01 form?
110  Does the Trust ensure that it has formal contractual arrangements that include compliance with information governance requirements, with all contractors and support organisations?
111  Does the Trust ensure that all individuals carrying out work on behalf of the Trust have employment contracts, which require compliance with information governance standards?
112  Do the organisation's staff induction procedures effectively raise the awareness of information governance?
113  Does the Trust assess staff training needs and ensure job/role specific information governance training is provided to all staff?

Initial for 2007/08: 1 1 0 1
Final Score:

Confidentiality and Data Protection Assurance
Lead: Specialist Adviser (Caldicott & Data Protection)

Ref  Description
201  Does the Trust have a Confidentiality Code of Conduct that provides staff with clear guidance on the disclosure of patient personal information?
202  Does the Trust ensure that patients are generally asked before their personal information is used in ways that do not directly contribute to, or support the delivery of, their care and that patients' decisions to restrict the disclosure of their personal information are appropriately respected?
203  Does the Trust ensure that patients are informed about the proposed uses of their personal information and the importance of providing accurate information to NHS staff?
204  Does the Trust have effective procedures for ensuring that detailed questions, raised by patients about how their information may be used, can be answered?
205  Does the Trust have appropriate procedures for recognising and responding to patient requests for access to their health records?
206  Has the Trust established appropriate confidentiality audit procedures in line with the requirements of the National Programme for IT?

Initial Score for 2007/08: 1 1
Final:

Ref  Description
207  Has the Trust agreed protocols governing the sharing of patient-identifiable information with other organisations?
208  Has the Trust put in place safehaven procedures for all routine flows of patient personal information to the organisation?
209  Does the Trust comply with data protection requirements in respect of transfers of personal data about patients or staff to countries outside of the EEA?
210  Does the Trust ensure that all new processes, software and hardware comply with confidentiality and data protection requirements?

Initial Score for 2007/08: 1
Final:

Information Security Assurance
Lead: Information Security Officer

Ref  Description
301  Does the Trust have a formal information security risk assessment and management programme that is implemented and regularly reviewed?
302  Does the Trust have documented and accessible information security event reporting, investigation and resolution procedures in place that are explained to staff?
303  Has the Trust put in place appropriate registration/authentication processes for staff in line with the requirements of the National Programme?
304  Has the Trust implemented effective Legitimate Relationship access controls?
305  Does the Trust ensure that the Operating and Application and information systems under its control support appropriate access control functionality?
306  Are there defined, documented and agreed access rights for all users of Trust information systems and services?
307  Has the Trust established a register of all its major information assets and assigned responsibility or ownership for each?

Initial for 2007/08: 0
Final:

Ref  Description
308  Is the digital information shared with other organisations secured in transit?
309  Are there adequate procedures in place to ensure the availability of information processing facilities, communications services and data?
310  Does the Trust have procedures in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error?
311  Does the Trust ensure that its Information systems are capable of the rapid detection, isolation and removal of malicious code and unauthorized mobile code?
312  Does the Trust have in place appropriate procedures for ensuring that the development and introduction of any new local information systems, software, IT projects and, more generally, IT support activities are conducted in a secure and structured manner?
313  Does the Trust have appropriate procedures in place to ensure that communication networks under the organisation's control operate in a secure manner?
314  Does the Trust have appropriate procedures for ensuring that mobile computing and teleworking are conducted in a secure manner?

Initial for 2007/08:
Final:

Clinical Information Assurance
Lead: Records Manager

Ref  Description
401  Does the Trust have a strategy to ensure the correct NHS Number is recorded for each active patient and ensure that it is used routinely in clinical communications?
402  Does the Trust have documented and implemented procedures for the identification and resolution of duplicate or confused patient records (i.e. where two or more patients share a record)?
403  Does the Trust have trust-wide, multi-professional audit of clinical record keeping standards, including accuracy, for all professional groups in all specialties?
404  Does the Trust have paper health records of a standard design within the Trust, combined with a locally agreed standard format for filing within the health record?
405  Does the Trust have robust procedures and processes for all data collection activities across the Trust?
406  Does the Trust have processes and procedures in place to enable it to regularly monitor, measure and trace paper health records?

Initial for 2007/08: 0? 0
Final:

Ref  Description
407  Does the Trust ensure that Accident and Emergency records are contained within the main record for patients who are subsequently admitted and is there a system to ensure that the GP is sent a copy of the A&E record?
408  Does the Trust have procedures in place to ensure that when new services are provided or where changes within the system are made, that these do not adversely impact on information quality?

Initial for 2007/08: 1
Final:

Secondary Use Assurance
Lead: Deputy Information Manager

Ref  Description
501  Does the Trust ensure that NHS standard definitions, values and validation programmes are incorporated within key systems and that local documentation is updated as standards develop?
502  Does the Trust use external data quality reports for monitoring and improving quality?
503  Does the Trust have procedures to ensure that staff routinely check information about patients with the source so that corrections are made as necessary to appropriate records and does the Trust routinely undertake activity reconciliations between the patient record and data on PAS?
504  Does the Trust have documented procedures for using both local and national benchmarking to identify possible data quality issues and to analyse trends in information over time to ensure that large changes are investigated and explained?
505  Does the Trust have in place a robust programme of internal and external data quality/clinical coding audit in line with the requirements of the Audit Commission and NHS Connecting for Health?

Initial for 2007/08: 1
Final:

Ref  Description
506  Does the Trust have a documented procedure and a regular audit cycle for accuracy checks on patient data?
507  Has the Trust completed and passed the Completeness and Validity check for data as detailed in the guidance documents?
508  Is the Trust involving clinical staff in validating information derived from the recording of clinical activity?
509  Does the Trust have (or access) a formal, targeted training programme for all staff involved in the collection and management of patient-related data covering the operation of key systems?
510  Does the Trust use training programmes for clinical coding staff entering coded clinical data that are comprehensive and conform to National Standards?
511  Does the Trust have sufficient governance and process in place to ensure adherence to the principles enshrined in the Code of Conduct for Payment by Results?

Initial for 2007/08:
Final:

Corporate Information Assurance
Leads: Records Manager & Trust Secretary

Ref  Description
601  Does the Trust have documented and implemented procedures for the creation and filing of electronic corporate records to enable efficient retrieval and effective records management?
602  Does the Trust have documented and implemented procedures for the creation, filing and tracking/tracing of paper corporate records to enable efficient retrieval and effective records management?
603  Does the Trust have publicly available documented and implemented procedures to ensure compliance with the FOI Act 2000?
604  Has the Trust carried out an audit of its corporate records and information as part of the records lifecycle management strategy?

Initial for 2007/08: 0 1 0
Final:

EMPLOYEE RECORD OF HAVING READ THE POLICY

Title of Policy/Procedure: INFORMATION GOVERNANCE STRATEGY

I have read and understand the principles contained in the named document.

PRINT FULL NAME
SIGNATURE
DATE