IGPr002 - Information Governance Management Framework

Table of Contents

- Information Governance Management Framework
- Why we need this Framework
- What the Framework is trying to do
- Which stakeholders have been involved in the creation of this Framework
- Any required definitions/explanations
- Key duties
- Framework detail
- Training requirements associated with this Framework
- How this Framework will be monitored for compliance and effectiveness
- For further information
- Equality considerations
- Document control details

Why we need this Framework

This document is needed to provide individuals assurance that personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible patient care. The Trust will establish and maintain policies and procedures to ensure compliance with requirements contained in the Northamptonshire Healthcare Foundation Trust, Information Governance Toolkit.

What the Framework is trying to do

This framework document sets out the approach that The Trust will take to improve and assure its Information Governance related activities and to deliver year on year assurance through the Information Governance Toolkit scores.

The strategy within this framework has been developed taking into consideration:

- The implications of the Trust's performance against national Information Governance requirements as identified in the Information Governance Toolkit (2).
- The relevant legislative framework.
- Guidelines for Caldicott Guardians.
- The requirements and potential requirements of the latest version of the Information Governance Toolkit year on year.
- Health and Social Care Information Centre priority areas for Information Governance including compliance with the NHS Care Record Guarantee.
- National and local initiatives around reducing the risk of data, confidentiality and security breaches.

Which stakeholders have been involved in the creation of this Framework

- Information Governance Planning Group
- IM&T Programme Board

Any required definitions/explanations

Trust
The Trust relates to Northamptonshire NHS Foundation Trust

IG Framework
The IG framework describes the approach to handling information in a confidential and secure manner to appropriate legislative and best practice standards.

Principles
The high level principles set out in this procedure are relevant to a wide range of legislation and NHS Policy Guidance relating to the processing of information.

Processing
Within the context of this procedure, means any activity performed on information (collecting, storing, handling, disclosing etc).

Laws and codes of Practice
The relevant information governance laws include, but are not limited to, the following:

- Common law duty of Confidence
- Data Protection Act 1998
- Human Rights Act 1998
- Mental Health Act 1983
- Mental Capacity Act 2005
- Freedom of Information Act 2000 and Environmental Information Regulations 2004
- Access to Health Records Act 1990 (where not superseded by the Data Protection Act)
- Computer Misuse Act 1990 (amended in 2005)
- Copyright, Designs and Patents Act 1988
- Children Act 2004 and the Children and Young Person Act 2008
- NHS Trusts and PCT's (Sexually Transmitted Diseases Regulations) 2000
- Crime and Disorder Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Re-Use of Public Sector Information Regulations
- Records Management NHS Code of Practice 2006
- Confidentiality NHS Code of Practice 2003
- Information Security Management NHS Code of Practice

Information Governance Assurance
The Information Governance Toolkit is a performance tool produced by NHS Digital. It draws together the legal rules and central guidance set out above and presents them in one place as a set of information governance requirements. The Trust is required to carry out self-assessments of its compliance against the 45 requirements for mental health trusts (2).

Key duties

Northamptonshire Healthcare Foundation Trust Board

It is the role of the Trust Board to define the Trust's policy in respect of Information Governance, taking into account legal and NHS requirements. The Board is also responsible for ensuring that sufficient resources are provided to support the requirements of the policy and to support any Service Level Agreements between the Trust and other organisations.

Information Governance within the Trust is an organisation wide responsibility providing a focus for the safe, secure and appropriate processing of information across all formats and at all levels within the organisation. The Trust will ensure that the following roles are in place across the organisation.

Senior Information Risk Owner (SIRO)

The SIRO is responsible for:

- Overseeing the development of an Information Risk Policy, and a Strategy for implementing the policy within the existing Information Governance Framework.
- Taking ownership of the risk assessment process for information risk, including review of the annual information risk assessment to support and inform the Statement of Internal Control.
- Reviewing and agreeing action in respect of identified information risks.
- Ensuring that the Trust's approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff.
- Providing a focal point for the resolution and/or discussion of information risk issues.
- As Chair of the IM&T Programme Board, ensuring the Trust Board is adequately briefed on information risk issues.
- Ensuring the Board is adequately briefed on information risk issues.

Deputy SIRO

To provide support to the SIRO function.

Caldicott Guardian

The Caldicott Guardian is responsible for:

- Acting as the conscience of an organisation, actively supporting work to facilitate and enable information sharing, advising on options for lawful and ethical processing of information as required.
- Providing a strategic role representing and championing confidentiality requirements and issues at Board level and, where appropriate, at a range of levels within the organisation's overall governance framework.
- Ensuring that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff, and overseeing all arrangements, protocols and procedures where confidential patient information may be shared.

Deputy Caldicott Guardian

The Deputy Caldicott Guardian provides support to the Caldicott Function and deputises where necessary.

Information Security Officer (ISO)

The Information Security Officer (ISO) is responsible for:

- Developing, implementing, and enforcing policies and procedures to protect information assets.
- Managing risk management and business continuity.
- Reporting to the Forum for Information Governance & Assurance on the information security status of the organisation by means of regular reports and presentation.

Information Asset Owners (IAO)

Information Asset Owners (IAO) are responsible for:

- Addressing risks to the information assets they own and providing assurance to the SIRO on the security and use of these assets.
- Ensuring that changes to the information asset are documented with a formal sign off from the IG department following the undertaking of a Privacy Impact Assessment.
- Being aware of what information is held and who has access to it for what purpose.
- Taking steps to ensure compliance with the Trust's Information Governance Management Framework and associated policies.

Clinical Safety Officer

The Clinical Safety Officer is responsible for ensuring that the Trust has an IT Clinical Safety Management system and that it is audited and reviewed throughout the year.

Information Governance Planning Group

The Information Governance group is responsible for reporting to the IMT board on the implementation, development, and monitoring of the strategic framework.

Data Protection Officer

The Data Protection Officer is responsible for managing the organisation's Information Governance function, including setting and implementing appropriate policy, procedures and codes of conduct; end user training awareness and campaigns; ensuring appropriate audits and monitoring mechanisms and supporting year on year improvements across the Trust. These activities will be reported through the IG Group internally and, externally, through the IG Toolkit and IM&T Programme board.

All Staff

All staff, whether permanent, temporary or contracted, are responsible for ensuring that they are aware of and comply with information governance requirements at all times. This is a legal and professional obligation, which is also set out in Trust employment contracts.

Framework detail

Information Sharing

- Information will be used proactively within the Trust, both for patient care and service management as determined by law, statute and best practice.
- Information will be used proactively between the Trust, other NHS and partner organisations to support patient care as determined by law, statute and best practice.
- Information sharing protocols setting out formalised mechanisms for the sharing of information with Trust partners will be agreed in line with requirements of the Information
  Governance Toolkit. Agreed protocols will be placed on the intranet site for staff to access.
- Robust mechanisms will be used to support the ongoing capture and mapping of data flows into, across and out of the Trust.

Openness and Confidentiality

- Non-confidential information on the Trust and its services should be available to the public through a variety of media, in line with the Trust's policy for the Freedom of Information Act (FOI).
- The Trust will establish and maintain policies to ensure compliance with the FOI.
- Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients.
- The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media.
- The Trust will have clear procedures and arrangements for handling queries from patients and the public.
- The Trust will include details of any serious untoward incidents associated with information governance within its public Annual Report.
- The Trust will pseudonymise information where necessary or use the safe haven approach where not practicable.

Information Quality Assurance

- The Trust will establish and maintain policies and procedures for the effective management of records and Information Quality Assurance, clinical and non-clinical, in line with legislation and codes of practice.
- Information within the Trust should be of the highest quality in terms of accuracy, timeliness and relevance.
- Managers are expected to take ownership of and seek to improve the quality of information within their services.
- The Trust will undertake or commission annual assessments and audits of the Trust's quality of data and records management.
- Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
- The Trust will promote information quality and effective records management through policies, procedures/user manuals and training.
- The Trust uses the Records Management Code of Practice for Health and Social Care 2016 (3) as its standard for records management.

Legal Compliance

- The Trust regards all identifiable personal information relating to patients as confidential.
- The Trust regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.
- The Trust will establish and maintain policies to ensure compliance with the DPA, Human Rights Act, the Common Law Duty of Confidentiality and the Caldicott Principles.
- The Trust will establish and maintain policies for the controlled and appropriate sharing of personally identifiable information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Mental Health Act, Mental Capacity Act, Crime and Disorder Act, Protection of Children Act).
- Policies will be available on the staff intranet.

Information Security

- The Trust will establish and maintain policies for the effective and secure management of its information assets and resources.
- The Trust will undertake or commission annual assessments and audits of its information and IT security arrangements.
- The Trust will promote effective confidentiality and security practice to its staff through policies, procedures and training.
- The Trust will establish and maintain incident reporting procedures and will monitor and investigate.
- Information assets and information flows will be mapped and recorded to assess and prevent the unlawful and unnecessary use of person identifiable information.

Contractors and Support Organisations

- The Trust will work to strengthen current arrangements with contractors and support organisations to maintain the security of Trust information.
- The Trust will undertake a privacy impact risk assessment prior to entering into an agreement with an external party to process Trust information.
- Utilise the Information Governance Toolkit for third parties where practicable to provide assurance that the third party has appropriate controls, policies and training in place.

Training requirements associated with this Framework

Information Governance training has been integrated into NHFT's induction programme for all new staff. For existing staff, an ongoing programme of training will be delivered as part of NHFT's Information Governance training programme. Additional campaigns and awareness raising will be undertaken as appropriate.

It is the responsibility of all managers to ensure attendance at induction and training programmes and to obtain feedback from staff regarding the knowledge and understanding they have obtained. Individuals have an obligation to seek training, advice and support where uncertain in order to improve information governance practices appropriately. Ad hoc training sessions will be made available based on an individual's training needs as defined within their annual appraisal or job description.

How this Framework will be monitored for compliance and effectiveness

This framework will be made available to the Public through the Trust Internet site in supporting documentation and upon application. New employees will be made aware of this procedure through the Induction process. Information Governance activity will be reported monthly in Information Governance Highlight Reports to the Information Governance Group and the IMT Programme Board.

For further information

Please contact the Information Governance Team by emailing information.governance@nhft.nhs.uk

Equality considerations

The Trust has a duty under the Equality Act and the Public Sector Equality Duty to assess the impact of Framework changes for different groups within the community. In particular, the Trust is required to assess the impact (both positive and negative) for a number of protected characteristics including:

- Age;
- Disability;
- Gender reassignment;
- Marriage and civil partnership;
- Race;
- Religion or belief;
- Sexual orientation;
- Pregnancy and maternity; and
- Other excluded groups and/or those with multiple and social deprivation (for example carers, transient communities, ex-offenders, asylum seekers, sex-workers and homeless people).

The author has considered the impact on these groups of the adoption of this Framework and identified that the advice and guidance service offered to patients and staff and reported IG
incidents will be monitored.

Reference Guide

1. Data Protection Act 1998, http://www.legislation.gov.uk/ukpga/1998/29/contents
2. Information Governance Toolkit, https://www.igt.hscic.gov.uk/
3. Records Management Code of Practice for Health and Social Care 2016, http://systems.digital.nhs.uk/infogov/iga/rmcop16718.pdf
4. NHS Care Record Guarantee, National Information Governance Board, 2011
5. Guidance for NHS Boards: Information Governance, August 2011
6. Freedom of Information Act 2000, http://www.legislation.gov.uk/ukpga/2000/36/contents
7. http://www.ico.gov.uk/what_we_cover/freedom_of_information/publication_schemes.aspx
8. Caldicott Review 2013, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf

Document control details

Author: Information Governance Team
Approved by and date: The Information Governance Planning Group
Responsible committee: IM&T Programme Board
Any other linked Policies: IGIS001 Use of Information & Communications Technology Policy; IGP107 Health Records Management Policy
Framework number:
Version control: V.2

Version history

Version No.: V.1
Date Ratified/Amended: 04.11.2014
Date of Implementation: 04.11.2014
Next Review Date: 04.11.2016
Reason for Change (e.g. full rewrite, amendment to reflect new legislation, updated flowchart, minor amendments, etc.): IGP101 has been reclassified as a procedure and has been reformatted in the new structure.