Information Governance Strategic Management Framework


Information Governance Strategic Management Framework 2016-2018
Susan Meakin, Information Governance Manager
June 2016

DOCUMENT CONTROL
Version: 2
Ratified by: Health Informatics Sub Group
Date ratified: 11 July 2016
Name of originator/author: Information Governance Manager
Name of responsible committee/individual: Information Governance and Records Management Group
Date issued: 2 September 2016
Review date: July 2018
Target audience: All Trust staff

Contents
1.0 Introduction
2.0 Strategic Aims
3.0 Scope
4.0 Duties and Key Responsibilities
  4.1 Board of Directors
  4.2 The Chief Executive
  4.3 Senior Information Risk Owner
  4.4 Caldicott Guardian
  4.5 Information Governance Manager
  4.6 Information Asset Owners
  4.7 Information Governance Team
  4.8 All Staff
  4.9 Committee Structures
5.0 Key Project Areas
  5.1 GDPR (General Data Protection Regulation)
    5.1.1 Data Protection/Privacy by Design
    5.1.2 Privacy Impact Assessments
  5.2 Information Governance Training
  5.3 Cyber Security
  5.4 Data Flow Mapping
  5.5 Information Asset Management
  5.6 Unity
6.0 Procedure/Implementation
7.0 Monitoring Arrangements
8.0 Privacy, Dignity and Respect
9.0 Links to Associated Documents
10.0 References

1.0 Introduction

Information plays a key part in the clinical and corporate governance of Rotherham Doncaster and South Humber NHS Foundation Trust (referred to hereinafter as "the Trust"), and the quality of the provision of patient services, planning, performance measurement, assurance and financial management relies upon accurate and available information.

The aim of the Information Governance (IG) Team is to provide a high quality IG specialist advice and support service which broadly consists of IT/IG security, access to information, Caldicott, records management, the Freedom of Information Act and the Data Protection Act 1998 (to be superseded by the General Data Protection Regulation (GDPR), which applies from 25 May 2018).

The Information Governance Assurance Framework (IGAF) is the national framework of standards that brings together all statutory, mandatory and best practice requirements concerning information management. The standards are set out in the Information Governance Toolkit as a road map enabling organisations to plan and implement standards of best practice and to measure and report compliance on an annual basis. Performance against these standards is mandated by and reported to the Department of Health (DoH) and the Care Quality Commission (CQC), and forms part of the assurance processes associated with Risk Management Standards. Compliance is also required for Monitor's Quality Framework.

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit as the organisation's Information Governance Management Framework (IGMF). The IGMF brings together all the requirements, standards and best practice that apply to the processing of personal information to ensure:

- compliance with the law;
- implementation of DoH guidelines;
- planned year on year improvement;
- IG Toolkit requirements are met.

This document also provides a summary/overview and sets out an overarching framework for the strategic Information Governance agenda within the Trust.

National Context

The NHS Information Governance Assurance Programme (IGAP) was established in February 2008 in response to the Cabinet Office Data Handling Review, which the Prime Minister commissioned following the high-profile data losses in 2007. IGAP developed a number of principles to support and strengthen the existing Information Governance agenda. The principles are:

- All NHS organisations should be part of the same Information Governance Assurance Framework.
- Information Governance should be integrated as far as possible into the broader governance of an organisation, and regarded as being as important as financial and clinical governance in organisational culture.
- The Framework will provide assurance to the several audiences interested in the safe custody and use of sensitive personal information in healthcare. This involves greater transparency in organisational business processes around Information Governance.
- IGAF is to be built on the strong foundations of the existing Information Governance agenda and is the mechanism by which:
  o IG policies and standards are set;
  o regulators can check an organisation's compliance;
  o an organisation can be performance managed.

2.0 Strategic Aims

This strategic framework sets out the approach taken by the Trust to provide clear and effective management and accountability structures, governance processes, documented policies and procedures, a comprehensive IG training programme and adequate resources to manage and embed Information Governance throughout the Trust. The Trust will satisfy IG by:

- Establishing robust IG processes that conform to NHS England and Health and Social Care Information Centre (HSCIC) standards (HSCIC is to be known as NHS Digital from July 2016) and comply with relevant legislation.
- Establishing, implementing and maintaining policies for the effective management of information.
- Providing clear advice and guidance to staff to ensure that they understand and apply the principles of IG in their working practice.
- Sustaining an IG culture through increasing awareness and promoting IG, thus minimising the risk of breaches of confidentiality.
- Assessing the Trust's performance using the IG Toolkit and internal audits, and developing and implementing action plans to ensure continued compliance.
- Completing the annual Information Governance assessment and gaining sign-off within the set timescale.
- Developing an effective team dedicated to the promotion and implementation of the Information Governance agenda.

- Evidencing lessons learnt through internal and external sources and new initiatives, by proactively ensuring policies and procedures reflect the latest requirements and by directing Trust-wide cultural change.
- Supporting the provision of high quality care by promoting the ethical, legal, effective and appropriate use of information and the development of wider sharing agreements.
- Supporting the Trust in completing its Local Digital Roadmap.

3.0 Scope

This Information Governance Strategic Framework is to be adhered to by anyone processing information for or on behalf of the Trust, including: all staff employed by the Trust or on an honorary contract; Non-Executive Directors; Governors; contracted third parties (including agency staff); students and trainees; secondees; locum staff and other staff on temporary placements within the Trust; staff of partner organisations with approved access; individuals or agencies who may gain access to data, such as volunteers, visiting professionals or researchers; and companies providing IT services to the Trust.

4.0 Duties and Key Responsibilities

4.1 The Board of Directors

In his communications with NHS Trust Chief Executives, the NHS Chief Executive has made it clear that ultimate responsibility for IG in the NHS rests with the Board of each organisation, which should note that:

- The major NHS organisations must update the Toolkit assessment at three intervals during the year (end of July, October and March) to enable performance and actions to be tracked by commissioners and other monitoring bodies.
- The NHS Operating Framework requires organisations to achieve level 2 performance against all key requirements identified in the Information Governance Toolkit. Organisations must provide assurance that they are meeting these key requirements and must have robust improvement plans to address any shortfalls against other requirements.
- Details of serious incidents involving actual or potential loss of personal data or breach of confidentiality must be published in annual reports and reported via HSCIC to the Information Commissioner's Office.

4.2 The Chief Executive

The Trust's Accounting Officer is the Chief Executive, who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risk is handled in a similar manner to other risks such as financial, legal and reputational risks. Reference to the management of information risks and associated IG practice is now required in the Annual Governance Statement (formerly the Statement on Internal Control), which the Accounting Officer is required to sign annually.

4.3 Senior Information Risk Owner (SIRO)

The SIRO for the Trust is the Executive Director of Health Informatics. The role is accountable for the overall development and maintenance of Information Governance throughout the Trust, which includes:

- promoting a culture for protecting and using data;
- providing a focal point for managing information risk and incidents;
- the management of all information assets;
- reporting the management of information risk directly to the Board.

The SIRO chairs the Information Governance and Records Management Group.

4.4 Caldicott Guardian

The Caldicott Guardian also holds the position of the Trust's Medical Director. The Caldicott Guardian role:

- is advisory;
- is the conscience of the organisation;
- provides a focal point for patient confidentiality and information sharing;
- is concerned with the management of patient information.

The Caldicott Guardian is the person with overall responsibility for protecting the confidentiality of person identifiable data (PID). The Caldicott Guardian plays a key role in ensuring that the Trust abides by the highest standards for handling PID, and ensures that PID is shared in an appropriate and secure manner and in accordance with relevant legislation. The Caldicott Guardian is a member of the Information Governance and Records Management Group.

4.5 Information Governance Manager

The IG Manager is responsible for ensuring the Trust complies with all aspects of IG and the Data Protection Act. The IG Manager will ensure all tasks are undertaken in order to meet the required standards. Key tasks will include:

- Developing and maintaining the currency of comprehensive and appropriate documentation that demonstrates commitment to and ownership of IG responsibilities, for example the production of an overarching high level framework document supported by relevant policies and procedures;
- Ensuring that there is top level awareness and support for IG resourcing and implementation of improvements within the Trust;
- Establishing working groups to co-ordinate the activities of staff given IG responsibilities and to progress initiatives;
- Ensuring annual assessments and audits of IG and other related policies are carried out, documented and reported;
- Ensuring that the annual assessment and improvement plans are prepared for approval by the Health Informatics Sub Committee in a timely manner;
- Ensuring that the approach to information handling is communicated to all staff and made available to the public;
- Ensuring that appropriate training is made available to staff and completed as necessary to support their duties;
- Liaising with other committees, working groups and programme boards in order to promote and integrate IG standards;
- Monitoring information handling activities to ensure compliance with law and guidance;
- Providing a focal point for the resolution and/or discussion of IG issues.

4.6 Information Asset Owners

Information Asset Owners are responsible for:

- providing assurance that information risk is managed effectively in relation to the information assets they are responsible for;
- identifying and documenting all information assets they own;
- identifying and documenting all information flows within their teams;
- taking ownership of the local asset control, risk assessment and management process for the information assets they own;
- providing support to the Senior Information Risk Owner to maintain awareness of risk to information assets;
- ensuring that staff are aware of and comply with Information Governance and records management standards for the effective use of information assets.

4.7 Information Governance Team

Staff roles which support the Information Governance agenda are identified in the organisation chart:

- Information Governance Manager
- IG Security Specialist
- IG Officer (x2)
- Records Manager

The Team provides a valuable service to both Trust staff and external agencies, providing support and advice on current legislation. The Team processes, as a central point, all Freedom of Information requests and all requests made under the Data Protection Act (and, from May 2018, the GDPR) on behalf of the Trust. All information sharing agreements with external providers are monitored through the Team. The IG Security Specialist role creates a bridge between IG and the Information Technology team. The Records Manager provides a single point of access for all records management queries, for both in-Trust held records and off-site held records.

Other lead roles supporting the IG agenda are as follows:

- Senior Information Risk Owner
- Caldicott Guardian
- RA Team: smartcard, access controls and ID card services
- Human Resources: Head of Workforce
- Emergency Planning Officer
- Head of Procurement and Purchase Ledger
- Clinical Systems and Business Change Manager
- Senior Information Analyst
- Network and Service Manager
- IT Support Manager
- Information Systems Development Manager

4.8 All Staff

It is the responsibility of all staff to adhere to the principles set out in this document and any relevant policy/procedure, to help maintain the availability, effectiveness, security and confidentiality of information.

4.9 Committee Structures

- Finance and Performance Committee
- Health Informatics Sub Committee: the SIRO, IG Manager and IG Security Specialist are all members.
- Information Governance and Records Management Group: the SIRO chairs the meeting, with key IG Team members attending.
- Organisational Learning Forum: attended by both the IG Manager and the Records Manager; the forum for discussing lessons learnt.
- Records Management Co-ordinators Group: chaired by the Records Manager.

5.0 Key Project Areas/Workstreams

5.1 GDPR (General Data Protection Regulation)

The GDPR applies from 25 May 2018 and supersedes the Data Protection Act 1998. The Trust has started to identify key areas of work which will need to be carried out to ensure that it is able to adopt the new regulation in 2018; these currently are:

- Provide awareness training across the Trust.
- Review the data processing undertaken by the Trust and identify a legal basis for each processing activity.
- Review all processing and sharing which relies on consent, to establish whether it will meet the requirements of the GDPR.
- Consider the implications under the GDPR for the children's data which the Trust holds.

- Review the data breach notification process.
- Create a culture of Data Protection/Privacy by Design and undertake Privacy Impact Assessments (PIAs).

5.1.1 Data Protection/Privacy by Design

Taking a Data Protection/Privacy by Design approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:

- Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
- The Trust is more likely to meet its legal obligations and less likely to breach the Data Protection Act/GDPR.
- Actions are less likely to be privacy intrusive and to have a negative impact on individuals.

5.1.2 Privacy Impact Assessments

Privacy Impact Assessments (PIAs; termed Data Protection Impact Assessments under Article 35 of the GDPR) are an integral part of taking a Data Protection/Privacy by Design approach. PIAs are a tool that the Trust will use to identify and reduce the privacy risks of its projects. A PIA can reduce the risk of harm to individuals through the misuse of their personal information. It can also help to design more efficient and effective processes for handling personal data.

5.2 Information Governance Training

Information Governance training and development is essential for the development and improvement of staff knowledge and skills relating to IG, not only within the IG Team but across the Trust. Information Governance training is a mandatory requirement for all staff and is included at induction and as an annual refresher. Staff requiring access to clinical systems will not be given access rights until an IG training certificate can be produced.

5.3 Cyber Security

The Information Governance Team is actively working alongside the Information Technology Department to ensure that the organisation's resilience is sufficient in the ever changing world of cyber-attacks.

5.4 Data Flow Mapping

The IG Team is responsible for ensuring that all transfers of hard copy and digital person identifiable and sensitive information have been identified, mapped and risk assessed. It is the responsibility of the organisation to ensure that transfers of personal information for which it is responsible are secure at all stages; the outcome of this process is that technical and organisational measures can be put in place to secure these transfers. Mapping is completed by engaging with operational services throughout the organisation via an audit tool which they are required to complete; the request is escalated to the operational services via the Information Asset Owners. The mapping also enables the Information Governance Team to identify data flows which require an Information Sharing Agreement (ISA).

5.5 Information Asset Management

In order to appropriately scope and prioritise risk management efforts, it is necessary to ensure that a complete and accurate information asset register exists. As part of the identification process all information assets should be located and identified. In addition, information assets need to be classified in terms of their sensitivity and criticality to the organisation.

5.6 Unity

The Trust states that "Unity is more than just a new IT system; it is a clinical IT system which will deliver real change and transform the way we care for our patients and how we work together." The Information Governance Team will work with and provide guidance to the Unity Project Team, to ensure that any decisions which may impact on IG are identified at an early stage.

6.0 Procedure/Implementation

The Trust will ensure that this Information Governance Strategic Framework is implemented through the detailed policies and procedures that are produced to support the Information Governance agenda.

7.0 Monitoring Arrangements

Area for monitoring: Submission reports: continual progress against the annual publication of the Information Governance Toolkit, with a minimum score of level 2 against all standards.
How: Monitoring reports to assess compliance with the IG Toolkit in preparation for the annual assessments.
Who by: Information Governance Manager.
Reported to: Information Governance and Records Management Group; Health Informatics Sub Committee.
Frequency: To coincide with the submissions in July, October and March.

Area for monitoring: Internal Audit report: compliance with the annual publication of the Information Governance Toolkit.
How: Internal Audit will carry out a yearly audit against the annual publication of the IG Toolkit, and other audits as and when required.
Who by: Internal Audit and Information Governance Manager.
Reported to: Information Governance and Records Management Group; Health Informatics Sub Committee.
Frequency: Annually.

Area for monitoring: Current work objectives, IG incidents, and the number of requests made under the Data Protection Act and the Freedom of Information Act.
How: Quarterly reports.
Who by: Information Governance Manager.
Reported to: Information Governance and Records Management Group; Health Informatics Sub Committee.
Frequency: Quarterly.

8.0 Privacy, Dignity and Respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi's review of the NHS, identifies the need to organise care around the individual, not just clinically but in terms of dignity and respect. As a consequence the Trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore all procedural documents will be considered, where relevant, to reflect the requirement to treat everyone with privacy, dignity and respect (when appropriate this should also include how same-sex accommodation is provided).

Indicate how this will be met: No issues have been identified in relation to this policy.

9.0 Links to Associated Documents

9.1 There are various key policies underpinning this strategic framework; these are listed below and are available on the Trust intranet site.

- Information Governance Policy
- Freedom of Information Policy
- Environmental Information Regulations Policy
- Data Protection Policy
- Access to Health Records Policy
- Records Management Policy
- Information Risk Management Policy
- Information Sharing Policy
- Informatics Security Policy
- Confidentiality Audit Procedures Policy
- Management of Information Governance Serious Incidents Requiring Investigation Policy
- Reporting of Errors and Anomalies with Patient Records
- Privacy Impact Assessment Policy

10.0 References

10.1 The national and legal framework for Information Governance includes:

- ISO/IEC 27001 Information Security Management Standard, with its accompanying Code of Practice for Information Security Management (ISO/IEC 27002)
- Data Protection Act 1998
- General Data Protection Regulation (EU) 2016/679, applying from 25 May 2018
- Data Protection Audit Manual, Information Commissioner
- Freedom of Information Act 2000
- The Caldicott Guardian Manual
- Common law duty of confidentiality and DH: Confidentiality: NHS Code of Practice (2003)
- DH: Records Management: NHS Code of Practice (2006) and Records Management Roadmap
- Access to Health Records Act 1990
- DH: Information Security Management: NHS Code of Practice (2007)
- NHS Operating Framework for England 2010/11
- Connecting for Health (CfH) Information Governance Toolkit
- CfH IG web pages
- Human Rights Act 1998
- CQC Regulations, December 2009
- NHS Care Record Guarantee