Minor adjustments from IG Steering Group 0.3 Neil Taylor September 2013

Author(s): Andrew Thomas
Version: 0.3
Version Date: 21 August 2013
Implementation/approval Date:
Review Date: August 2014
Review Body: Governing Body
Policy Reference Number: 014

Version history:
Version | Author | Date | Reason for review
0.0 | Andrew Thomas | July 2013 |
0.1 | Neil Taylor | August 2013 | Formatting adjustments to match CCG Policy on Policies
0.2 | Neil Taylor | August 2013 | Minor adjustments from IG Steering Group
0.3 | Neil Taylor | September 2013 | Minor adjustments from Policy Review Group

Page 1 of 29

Contents

1.0 Summary ... 3
2.0 Introduction ... 3
3.0 Principles and Primary Objectives of Information Governance ... 4
4.0 NHS IG Guidance ... 5
4.01 Everyone Counts ... 5
4.02 Caldicott Review ... 5
4.03 Information Governance Toolkit ... 7
4.04 The NHS Care Record Guarantee ... 8
4.05 Information Governance Education, Training and Development ... 8
4.06 Risk Assessment and Management Process ... 8
4.07 Information Asset Register ... 9
5.0 Key Responsibilities and Governance ... 9
5.01 The Governing Body ... 9
5.02 Chief Officer (Accountable Officer) ... 10
5.03 Caldicott Guardian ... 10
5.04 Senior Information Risk Owner (SIRO) Chief Finance Officer ... 11
5.05 Information Asset Owners (IAO) ... 11
5.06 Information Asset Administrators (IAA) ... 11
5.07 Information Governance Management ... 11
5.08 All CCG Employees ... 12
5.09 Information Governance Steering Group ... 12
6.0 Information Governance Policies and Procedures ... 13
7.0 Information Governance Objectives ... 14
8.0 Implementation and dissemination of document ... 14
9.0 Training Requirements ... 14
10.0 Latest Version ... 14
11.0 Associated Documents ... 14
12.0 Appendices ... 15
Appendix 1 Equality & Equity Impact Assessment Checklist ... 16
Appendix 2 Consultation History ... 17
Appendix 3 Guidance for IAO and Information Asset Administrator ... 18
Appendix 4 Caldicott Guardian Job Description ... 26
Appendix 5 Information Governance Structure ... 29

1.0 Summary

Information plays a key part in the governance of NHS Greenwich Clinical Commissioning Group (CCG): the quality of commissioning, planning, performance measurement, assurance and financial management relies upon accurate and available information. The approach of the CCG is to use the standards set out in the Information Governance Toolkit (IGT) and other guidance issued by the Health and Social Care Information Centre (HSCIC) as a road map, enabling the organisation to plan and implement best practice and to measure and report compliance on an annual basis. The Information Governance Assurance Framework (IGAF) is the framework for achieving this. The CCG's performance against these standards is mandated by and reported to the HSCIC and forms part of our broader assurance and risk management standards.

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit as the organisation's Information Governance Management Framework (IGMF).

This document provides a summary/overview and sets out an overarching framework for the strategic Information Governance agenda within the CCG. GP and dental practices within the NHS Greenwich CCG catchment area are encouraged to implement their own framework and are free to model it on this one if they wish; in that case NHS Greenwich CCG will waive its copyright on this framework.

2.0 Introduction

Information Governance (IG) provides a framework by which the CCG can be assured that its information processes are appropriately secure and lawful. The CCG relies on good quality information being available in order to support commissioning. Staff need to have confidence in the quality of the data they use to make commissioning decisions and in the way we use resources and run our business.

The importance of good information governance was highlighted during 2008, when public concern about high-profile data losses and the protection of privacy led the Cabinet Office to commission a Data Handling Review. A range of standards for managing information risk was subsequently recommended and is now incorporated into the NHS Connecting for Health IG Toolkit. The associated NHS review led to the existing IG agenda being strengthened to become the NHS Information Governance Assurance Framework (IGAF). IGAF is formed by elements of law and policy from which IG standards are derived, and the activities and roles which individually and collectively ensure that those standards are clearly defined and met.

In addition to improving operational standards of security, the IGAF covers information sharing within the NHS and across organisational boundaries with other public, private and third sector organisations working in partnership to provide healthcare services. It establishes clear accountability arrangements and increases the inspection and assurance measures; these standards are now reflected in the NHS IG Toolkit.

A particular feature of IGAF was to introduce a framework of accountability for information risk, with the mandated appointment of a board-level Senior Information Risk Owner (SIRO) to take responsibility for managing information risk within the organisation and for providing assurance to the Accountable Officer (Chief Officer) on the IG content of the annual Statement of Internal Control.

Where they have a legal basis to access patient confidential data, all staff should understand their individual responsibilities for recording information to a consistently high standard and for keeping patient information secure and confidential. Public confidence in our ability to handle data responsibly and efficiently is based on a good reputation for keeping confidential data secure.

At a local level the IGMF enables the organisation to set annual objectives to achieve the required standards and to report organisational performance measures and assurance of compliance to national accreditation bodies, the CCG's governing body and the general public.

3.0 Principles and Primary Objectives of Information Governance

The IG Management Framework ensures the primary objectives of IG are achieved:

- Information will be organised and managed in accordance with mandated and statutory standards and kept confidential where required.
- The integrity of information is assured, monitored and maintained, so that it is of good quality and reliable for the purposes for which it is collected and used.
- Information required for operational purposes is kept secure and available to those who need it as part of their role.
- Compliance with legal and regulatory frameworks is achieved, monitored and maintained.
- All staff will have access to mandatory annual IG training to ensure they understand their personal and organisational responsibilities for managing information and how to follow the relevant legislation.
- An information risk management strategy is implemented to ensure ownership of and accountability for the CCG's information assets and the mitigation of associated risks.

The principles of the NHS Information Governance Assurance Framework are based on the response to the IG Assurance Programme. This document (the IGMF) establishes the overall direction of IG and the baseline principles and objectives for a robust IG organisational culture within the CCG.

4.0 NHS IG Guidance

4.01 Everyone Counts

Everyone Counts: Planning for Patients 2013/14 set out the new approach to planning clinically led commissioning from April 2013, and set out three key principles:

- Empowered local clinicians delivering better outcomes
- Increased information for patients to make choices; and
- Greater accountability to the communities the NHS serves.

The information element of the guidance focuses on improving data quality through use of an NHS Standard Contract requiring all providers to submit data sets that comply with published information standards. It also sets out a vision for the care.data programme, a knowledge service to provide commissioners with timely and accurate data to support decision making. Commissioners are also expected to ensure that providers publish detailed information on the quality of services, including data at consultant level for key specialties in acute hospitals. CCGs themselves are expected to publish information allowing the public to judge the quality of services commissioned on their behalf. CCGs are expected to commission appropriate GP information services to provide clinical assurance and safety.

In support of this agenda, commissioners are expected to ensure that all providers use the NHS number as the primary identifier. CCGs are expected to have a strategy in place to achieve this by 30 September 2013.

4.02 Caldicott Review

The independent Caldicott Review report, Information: To share or not to share?, published in April 2013, addresses the balance between sharing people's health and care information to improve services and develop new treatments and respecting the privacy and wishes of the patient. The report set out new parameters for the use of patient data for commissioning purposes.

The review panel rejected the concept of a "consent deal" between the NHS and its service users, whereby in return for receiving treatment the patient would be agreeing to allow data to be used for a variety of purposes, including commissioning. In effect, this was the basis upon which Primary Care Trusts, as commissioners until April 2013, had accessed patient data for commissioning purposes. The panel determined that if identifiable data is to be used, a clear justification and a legal basis for doing so must be established and made known to patients. Therefore, systems based on the use of patient confidential data which may have been in place to support commissioning within Primary Care Trusts prior to April 2013 cannot be used by CCGs without addressing this point.

The Review Panel also rejected the concept that it was appropriate for members of CCGs to access personal confidential data because they were providing a form of direct care. The panel's view was that this is not the function of clinical commissioning groups, as set out in the Health and Social Care Act 2012. The panel determined that commissioners would need to establish a legitimate relationship with the patients concerned and would not be able to use section 251 of the NHS Act 2006 to utilise personal confidential data on the basis of exceptional disclosure. Section 251(6) of the NHS Act 2006 prohibits the Health Service (Control of Patient Information) Regulations from being used to require processing of confidential patient information solely or principally for the purpose of determining the care and treatment to be given to particular individuals.

The Review Panel acknowledged that there are a number of situations when commissioners may need personal confidential data to help people deal with specific problems. For example, patients may want to ask the NHS to provide continuing care so they do not have to pay themselves for care in their own homes after leaving hospital. They may make individual funding requests for drugs that are not generally available on the NHS in that area. They may have specialist commissioning needs or other reasons why the CCG needs to look in detail at their individual circumstances. In each case the individual is asking for specific assistance, and it is therefore reasonable for the NHS to ask for the patient's consent for the NHS staff handling the case to look at the patient's personal confidential data, without which help cannot be forthcoming.

The panel also made a set of recommendations for how commissioners can ensure access to the data necessary to support commissioning. The recommendations were that this issue could be handled:

- by asking for the consent of individual patients;
- by ensuring that commissioners, when assessing performance across whole care pathways, require the analysis to be provided by the providers as part of the contract (see figure 2 in section 12.10 of the Review report);
- by improving data quality; and
- by anonymising data so that commissioners can get the information they need without being able to identify individuals.

The Review Panel urged NHS England and other commissioning bodies to adopt the following principles when the commissioning architecture set out in the Health and Social Care Act was implemented from April 2013:

- All personal confidential data used for commissioning purposes must be processed legally and kept to a minimum, and anonymised data must be used whenever possible.
- Robust safeguards must be created to ensure that commissioning bodies are processing personal confidential data legally. Such safeguards include that staff from DSCs who are working in the Information Centre's Data Service for Commissioners must be accountable to and overseen by the Information Centre. They must work according to the rules set out for the Information Centre in the Health and Social Care Act 2012. Any necessary disciplinary action should be solely determined by the Information Centre.

- The Information Centre's Data Service for Commissioners will process personal confidential data for DSCs and CSUs. Any other processing of personal confidential data by a DSC or CSU must be justified according to its own definitive legal basis and is not covered by the general legal powers available to the Information Centre.
- There needs to be clarity about data controllership and clear lines of accountability, both between data controllers and between data controllers and the bodies they contract as data processors. Should individual data controllers, such as GP practices, wish to use a commissioning support unit or data management integration centre as a data processor, then a robust legal framework and contractual arrangement must be in place.
- The risk of unlawfulness must be reduced, if necessary by use of section 251 exceptions, but these must be kept to the absolute minimum and subject to explicit fixed time limits.

4.03 Information Governance Toolkit

The planning guidance for CCGs does not stipulate that CCGs must undertake the IG Toolkit. However, the Health and Social Care Information Centre has updated the IG Toolkit for 2013/14, and this includes a CCG-specific IG Toolkit. The IG Toolkit is an online tool which allows NHS organisations and partners to assess themselves against Health and Social Care Information Centre Information Governance policies and standards. It also allows members of the public to view IG Toolkit assessments. The annual information governance assessment is a self-assessment of compliance, verified by internal audit.

The standards for CCGs are grouped into the following initiatives:

- Information Governance Management
- Confidentiality and Data Protection Assurance
- Information Security Assurance
- Clinical Information Assurance

This IGMF has adopted the principle that the IG Toolkit remains the most appropriate and comprehensive tool available to CCGs to assess and assure themselves of adherence to information governance standards. Additionally, completion of the IG Toolkit is a prerequisite for approval as an Accredited Safe Haven (ASH), which the CCG has decided to pursue.

Within the IG Toolkit all standards are now viewed as equally important, and the CCG's aim is therefore to achieve Level 2 on all requirements. Level 2 is regarded as the minimum level that can give assurance to the governing body of the CCG that robust information governance is in place. Wherever Level 2 is not achieved, an action plan will be put in place to remedy this. The CCG's Information Governance Steering Group will, through the development and routine reporting of agreed key performance indicators, identify risks, measure progress, oversee the remedial action required and provide effective and regular reporting to the CCG's governing body on completion of the IG Toolkit.

4.04 The NHS Care Record Guarantee

The NHS Care Record Guarantee sets out the rules that govern patient information held within the NHS Care Record Service; as these are derived from statute and common law, the Guarantee also applies to patient data held on legacy systems. It is owned by the National Information Governance Board for Health and Social Care. The Guarantee covers:

- People's right of access to their own records
- How access will be monitored and policed
- Options people have to limit access
- Access in an emergency
- The procedure regarding control and use of information when someone is unable to make decisions for themselves.

The 2010 version of the Guarantee emphasises and strengthens the NHS's clear commitment to the confidentiality and security of patient information, which the CCG shall adhere to by complying with the Confidentiality and Data Protection Assurance standards set out in the Information Governance Toolkit.

4.05 Information Governance Education, Training and Development

Information Governance education, training and development is essential for developing and improving staff knowledge and skills relating to IG. One of the key findings of the Cabinet Office Data Handling Review was an overall lack of awareness and training on the subject of IG, which increased the risk of error and of data breach incidents.

Annual IG training has been included as part of the CCG's mandatory training. Staff are informed of the need to understand the value of information and their responsibility for it by undertaking either face-to-face training delivered by an IG representative or the mandatory IG module of the national online training. This training covers the importance of data quality, information security, corporate and medical records management, confidentiality, staff's legal duty, information laws, rights of access, and patients' rights to privacy and choice.

The SIRO is responsible for ensuring the development and delivery of IG training, and is supported in its implementation by the CCG's IG Steering Group. IG training is also included as part of induction. Tailored training can also be delivered on an ad hoc basis depending on staff roles.

4.06 Risk Assessment and Management Process

Potential losses arising from breaches of data include the physical destruction of or damage to the organisation's computer systems, loss of system availability and/or the theft, disclosure or modification of data through intentional or accidental unauthorised actions. In addition, healthcare organisations may control and process person-identifiable data of particular sensitivity, which needs to be protected from loss or inappropriate disclosure.

Clear guidance is documented and issued to all employees, and staff are also made aware of the CCG's incident reporting procedures at induction or as part of their annual update. Information risk management is supported by the CCG's IG policy, protocols and procedures, which can be found on the CCG's intranet.

4.07 Information Asset Register

All information assets of the CCG have been identified and have a nominated Information Asset Owner (IAO) and, where appropriate, a separate Information Asset Administrator (IAA). Accountability for assets ensures that appropriate protection is maintained and that the risk of data loss is minimised.

The role of the Information Asset Owner is to understand what information is held, what is added and what is removed, how information is moved, who has access and why. As a result they are able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The Information Asset Owner will also be responsible for providing regular reports to the SIRO, at least annually, on the assurance and usage of their information assets. Identified key risks (those rated as medium or high) will, once assessed by the SIRO, be considered for inclusion on the Risk Register.

The Information Asset Register is kept under review and updated as necessary by the appropriate IAA, each time an information asset is created, changed or amended. Detailed guidance for IAOs and IAAs is given at Appendix 3, including job descriptions for the key roles, including that of SIRO.

In addition, any new system and its associated processes will be assigned an IAO and IAA within the CCG. This will ensure that any new impacts on the security, confidentiality or integrity of data are identified prior to the implementation or initiation of any new system or change, and that these are appropriately risk assessed and mitigated. Privacy Impact Assessments will also be included as part of project rollouts and signed off by the SIRO. All new key systems and changes to current systems will also be reviewed by the CCG's Information Governance Steering Group.

5.0 Key Responsibilities and Governance

5.01 The Governing Body

Ultimate responsibility for IG rests with the Governing Body, who should note that:

- The CCG must update the IG Toolkit to enable performance and actions to be tracked by the Health and Social Care Information Centre.
- The CCG must achieve Level 2 compliance against all requirements identified in the Information Governance Toolkit.
- The CCG must provide assurance that it is meeting the requirements and must have robust improvement plans to address any shortfalls against identified requirements.
- Details of serious incidents involving actual or potential losses of personal data, or breaches of confidentiality, should be published in the CCG's Annual Report and through NHS incident reporting mechanisms, and where necessary reported to the Information Commissioner.

5.02 Chief Officer (Accountable Officer)

The Chief Officer is responsible for:

- Defining the CCG's policy in respect of Information Governance and records management, taking into account legal and NHS requirements
- Ensuring that information risks are assessed and mitigated to an acceptable level; information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risks
- Ensuring that sufficient resources are provided to support Information Governance.

5.03 Caldicott Guardian

The Caldicott Guardian (the governing body member with Caldicott responsibilities, as appointed by the Governing Body) is responsible for:

- The protection and confidentiality of patient confidential information, both within the CCG and when sharing with other organisations
- Agreeing levels of access to the CCG's patient information systems.

The Caldicott Guardian is supported by the Information Governance Manager (the Caldicott Function). The key responsibilities of the Caldicott Function are to:

- ensure the confidentiality and data protection work programme is successfully co-ordinated and implemented;
- ensure compliance with the principles contained within Confidentiality: NHS Code of Practice, and that staff are made aware of their individual responsibilities through policy, procedure and training;
- complete the Confidentiality and Data Protection Assurance component of the Information Governance Toolkit, contributing to the annual assessment;
- provide routine reports to senior management on confidentiality and data protection issues.

A job description for the Caldicott Guardian role is given in Appendix 4.

5.04 Senior Information Risk Owner (SIRO) Chief Finance Officer The Senior Information Risk Owner (SIRO) will: Understand how strategic business goals of the CCG may be impacted by information risks and act as advocate for information risk on the Governing Body Take ownership of information risk assessment processes, including the review of the annual information risk assessment and agree actions in respect of any risks identified Ensure that the CCG s approach to information risk is effective in terms of resources, commitment and execution and that this is communicated to all staff. A job description for the SIRO role is detailed in Appendix 3 5.05 Information Asset Owners (IAO) Information Asset Owners will: Understand and address risks to the information assets they own and to provide assurance to the SIRO on the security and use of these assets Ensure that changes to the information asset are documented with a formal sign off following the undertaking of a Privacy Impact Assessment (if necessary) Knows what information is held and who has access to it for what purpose Takes visible steps to ensure compliance with the CCG s Information Governance Management Framework and associated policies. 5.06 Information Asset Administrators (IAA) Information Asset Administrators will: Ensure that policies and procedures are followed, recognise actual or potential security incidents; consult their IAO on incident management, and ensure that information asset registers are accurate and up to date. 5.07 Information Governance Management Under the approved arrangements the IG Manager (The Associate Director for Strategy, Performance & QIPP) is accountable for ensuring effective management, accountability, compliance and assurance for all aspects of IG. The key tasks of an IG Manager include: To take responsibility for delivering a high quality specialist Information Governance Service to the CCG. 
To provide strategic direction, planning and guidance to ensure compliance with Information Governance legislation and the national agenda Page 11 of 29

To ensure that all existing projects and new developments are compliant with all relevant Information Governance legislation To lead, develop and provide specialist IG training sessions for all levels of staff in response to Health Community requirements and the changing Information Governance Agenda To undertake Information Risk Assessments, monitor Information Security incidents, investigate and resolve complex breaches of security and confidentiality identifying areas for improvement and development of appropriate reports. Close liaison with the Caldicott Guardian is also required in order to ensure continued support of the Caldicott function To assist and advise all customer organisations in connection with and implementation of local and national legislation, policies and procedures including the completion of the Information Governance Toolkit Ensure work practices are evaluated and supported through the development of appropriate policy and procedures. In delivering against these tasks, the IG Manager will be supported by: The Head of Analytical Support technical support and advice on information security, pseudonymisation, information asset management, data flow mapping. The Compliance Manager completion and upload of IG Toolkit, records management and FOI. The Senior Strategy Manager strategy and policy development, project management of IG work programme. 5.08 All CCG Employees All CCG employees and anyone else working on behalf of the CCG (e.g. agency staff, honorary contracts, management consultants etc.) who process and have access to CCG information must understand their personal responsibilities for information governance requirements and comply with UK law. All staff must comply with CCG policies, protocols, procedures and guidance and undertake mandatory annual IG training.the CCG s IG Steering Group and the Greenwich Executive Committee review and approve IG work plans throughout the year. 
The committee reporting structure is attached at Appendix 5.

5.09 Information Governance Steering Group

The ultimate responsibility for Information Governance in the CCG lies with the Governing Body. The Governing Body discharges its functions in this area through the Greenwich Executive Committee and the Information Governance Steering Group, which is a sub-committee of the Finance, Performance & QIPP Committee for assurance and of the Greenwich Executive Group. The Information Governance Steering Group has overall responsibility for overseeing the development and implementation of this framework, the Information Governance Policy and the Information Governance Work Plan. These will be subject to periodic review and progress reports, and any identified risks will be highlighted to the Greenwich Executive Committee.

The Terms of Reference and associated roles and responsibilities are reviewed annually to ensure that there are no gaps or weaknesses in the CCG's IG accountability arrangements and that roles and responsibilities are current and in line with national guidelines and requirements.

A key function of the Information Governance Steering Group is to monitor and review untoward occurrences and incidents relating to IG and to ensure that effective remedial and preventative action is taken. The Group is responsible for scoping and developing education on IG for all CCG staff and for communicating IG developments and standards to appropriate forums and groups.

The Group is responsible for monitoring full compliance with the Freedom of Information (FOI) Act 2000 and Records Management 2006 legislation within NHS Greenwich Clinical Commissioning Group, to include:
- Facilitating and ensuring implementation of Records Management (RM) audits to ensure that the CCG meets all national requirements, including those set out in the Information Governance Toolkit
- Identifying areas within the CCG to receive awareness training regarding FOI and RM, i.e. to highlight staff responsibilities
- Providing feedback to the Group on changes to processes and issues surrounding FOI and RM

6.0 Information Governance Policies and Procedures

Policies outline scope and intent and provide staff with a robust IG framework whilst setting out their responsibilities as employees of the CCG. The CCG is committed to ensuring that all staff and those working with the CCG are familiar with the organisation's objectives and what is expected of staff in order to achieve these objectives. Policies and procedures are one of the key means the CCG uses to communicate these expectations to staff.

The Policy for the Development, Authorisation, Dissemination and Control of Policies and Procedures defines the standard approach for communicating these requirements across the CCG. IG policies are reviewed by the Information Governance Steering Group for content and relevance to current national policy and are then formally ratified by the Policy Review Group or Governing Body. Staff are informed and the policies and procedures made available in line with the same policy.

7.0 Information Governance Objectives

The Information Governance Manager is responsible for the creation and implementation of an approved IG work plan, in line with the organisational gap analysis and following approval by the Risk Management Committee. The Information Governance Steering Group approves all areas of the IG work plan, including changes to priorities when these occur. Performance against the IG work plan is monitored through the IG Steering Group and reported by exception upwards to the Greenwich Executive Group and, where necessary, the Governing Body. The IG work plan for 2013/14 is focused on delivery of the requirements of the Information Governance Toolkit version 11 and on the achievement of Accredited Safe Haven status.

8.0 Implementation and Dissemination of Document

The Framework, once approved by the CCG's Governing Body or delegated group, will be shared with all staff through the all-staff email, updated on the intranet, and shared with the CCG's Management Board. A team briefing will be provided to support this dissemination.

9.0 Training Requirements

Training will be carried out for this framework under the CCG Information Governance Training Needs Assessment.

10.0 Latest Version

The audience of this document should be aware that a physical copy may not be the latest version. The latest version, which supersedes all previous versions, is available on the CCG Internet and Intranet.

11.0 Associated Documents

As a new organisation, the CCG is still developing a broad range of policies, protocols and procedures, which will be subject to further updates and additions. Related CCG policies, protocols and procedures currently include:
- Consent to use PCD Policy
- E-mail Policy
- Information Governance Policy
- Internet Policy
- Records Management Policy
- Acceptable Use Protocol
- Confidentiality Code of Conduct Protocol
- Freedom of Information Protocol
- Information Lifecycle Protocol

- Information Sharing Protocol
- Pseudonymisation Protocol
- Safe Haven Protocol
- Subject Access to Health Records Procedure

Supporting documentation also includes:
- Information Governance Strategy
- Information Governance Acronyms Document
- Information Governance Policy, Protocol and Procedure Summary Document
- Information Governance Roles & Responsibilities Document
- Information Governance Steering Group Terms of Reference

12.0 Appendices

The following documents are included within the Appendix:
- Appendix 1 Equality Impact Assessment Checklist
- Appendix 2 Consultation History
- Appendix 3 Guidance for IAO and Information Asset Administrators
- Appendix 4 Caldicott Guardian Job Description
- Appendix 5 Information Governance Structure

Appendix 1 Equality & Equity Impact Assessment Checklist

This is a checklist to ensure relevant equality and equity aspects of proposals have been addressed either in the main body of the document or in a separate equality & equity impact assessment (EEIA)/equality analysis. It is not a substitute for an EEIA, which is required unless it can be shown that a proposal has no capacity to influence equality. The checklist is to enable the policy lead and the relevant committee to see whether an EEIA is required and to give assurance that the proposals will be legal, fair and equitable. The word "proposal" is a generic term for any policy, procedure or strategy that requires assessment.

Challenge questions (Yes/No) and the positive or negative impact assessed:

1. Does the proposal affect one group more or less favourably than another on the basis of:
- Race: No
- Pregnancy and Maternity: No
- Sex: No
- Gender and Gender Re-Assignment: No
- Marriage or Civil Partnership: No
- Religion or belief: No
- Sexual orientation (including lesbian, gay, bisexual and transgender people): No
- Age: No
- Disability (including learning disabilities, physical disability, sensory impairment and mental health problems): No
2. Will the proposal have an impact on lifestyle? (e.g. diet and nutrition, exercise, physical activity, substance use, risk taking behaviour, education and learning): No
3. Will the proposal have an impact on social environment? (e.g. social status, employment (whether paid or not), social/family support, stress, income): No
4. Will the proposal have an impact on physical environment? (e.g. living conditions, working conditions, pollution or climate change, accidental injury, public safety, transmission of infectious disease): No
5. Will the proposal affect access to or experience of services? (e.g. Health Care, Transport, Social Services, Housing Services, Education): No

Document Author: 28.8.13 Signature:
Equalities Lead (Carol Berry): 28.8.13 Signature:

Appendix 2 Consultation History

Stakeholders: Name | Area of expertise | Date sent | Date received | Comments | Changes made

Appendix 3 Guidance for IAO and Information Asset Administrator

Contents
1 Introduction
2 Background
3 Scope
4 Information Assets
5 Information Asset Register
6 Key Roles and Ownership
7 Accountability
8 Information Governance Toolkit Requirements
9 Disposal of an Information Asset
10 Audit of Information Asset Register
11 Privacy Impact Assessments
12 SIRO Job Description
13 IAO Job Description
14 IAA Job Description

1. Introduction

This document provides guidance to achieve and maintain appropriate protection of the CCG's information assets (IAs). All major IAs must be identified and have a responsible owner, with maintenance responsibilities assigned to that owner. Accountability for IAs helps to ensure that appropriate information security measures are devised, implemented and monitored. Owners must be identified for all IAs, and responsibility for maintaining the appropriate controls should also be assigned. Responsibility for implementing and managing controls may be delegated, although accountability must remain with the nominated owner of the IA.

2. Background

The Information Governance (IG) Toolkit has been produced to assist organisations to achieve the four fundamental aims of Information Governance. The IG Toolkit for CCGs asks whether the CCG has established a register of all its information assets, assigned responsibility or ownership for each, and whether the Information Asset Owners (IAOs) and Information Asset Administrators (IAAs) are actively risk assessing in order to provide regular reports and assurance to the Senior Information Risk Owner (SIRO). In order to achieve compliance with the IG Toolkit, ownership and accountability for IAs need to be assigned appropriately within the CCG, and structured reporting arrangements should be documented and approved at Governing Body level.

3. Scope

The purpose of this document is to define the need for identifying information assets within the CCG, assigning ownership, and formalising the reporting structure for information risk management.

4. Information Assets

Information assets come in all shapes and forms, but some of the component categories include:
- information / documents / processes
- software
- hardware / removable media
- services / knowledge

Key IAs are those that are central to the efficient running of departments within the CCG, e.g. financial information, employee information, medicines management etc. IAs will also include the computer systems, network hardware and software which are used to process this data. Non-computerised systems holding information must also be documented with relevant file identifications and storage locations.

There are four main categories of assets in the CCG:

Information Assets:
- Standard Operating Procedures
- Policies / procedures
- Training materials
- Contracts and agreements
- Business continuity plans
- Databases
- Archived information

Software Assets:
- Systems software (e.g. Microsoft Windows)
- Non-clinical systems (e.g. Electronic Staff Record)
- Clinical systems (e.g. Continuing Care database)
- Data encryption (e.g. SafeBoot, EndPoint)
- Development and maintenance tools

South London CSU are responsible for installation and management of software. No software is to be purchased or installed without the involvement of South London CSU.

Hardware / removable assets:
- Hardware assets: South London CSU will be responsible for issuing hardware IAs and keeping a record of the equipment issued.

No physical assets that have any capability for holding information can be purchased without the involvement of South London CSU. South London CSU should be advised of new assets acquired through other routes and/or changes to existing assets.
- Removable assets: e.g. data CDs / DVDs, laptops, desktop personal computers (PCs), portable hard drives, mobile phones / smart phones, memory sticks, scanners, fax machines, iPads.

Services assets:
- Access controls
- People skills and knowledge
- The service itself

Please note: these lists are illustrative and not exhaustive.

5. Information Asset Register

IAs must be documented as part of the CCG's Information Asset Register (IAR), without which it would be impossible to implement the required controls across the CCG. The IAR will be held by the CCG Head of Analytical Support and populated by the CCG's nominated Information Asset Owners (IAOs) and Administrators (IAAs). The IAR will need to be updated regularly and submitted annually in line with the requirements of the IG Toolkit.

6. Key Roles and Ownership

There are four key roles required to ensure structured management arrangements for information risk:
- Accountable Officer
- Senior Information Risk Owner (SIRO)
- Information Asset Owner (IAO)
- Information Asset Administrator (IAA)

The Accountable Officer (Chief Officer) has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks must be handled in a similar manner to other major risks such as financial, legal and reputational risks.

The SIRO is an executive who is familiar with information risks and their mitigations, including risk assessment methodology. The SIRO also provides the focus for the assessment and management of information risk at Governing Body level, providing briefings and reports on matters of performance, assurance and cultural impact.

IAOs must be members of staff who are senior enough to make decisions concerning the asset at the highest level. The owner can assign day-to-day responsibility for each information asset to an administrator or manager, which should be formalised in job descriptions. Their role is also to understand and address risks to the IAs they own and to provide assurance to the SIRO on the security and use of these assets.

IAAs provide support to their IAO by ensuring that policies and procedures are followed, recognising actual or potential security incidents / threats, consulting their IAO on incident management and ensuring that Information Asset Registers are accurate and kept up to date.

Structural Model (role within the CCG):
- Accountable Officer: Chief Officer
- SIRO (Governing Body level): Chief Finance Officer
- IAOs: All Directors
- IAAs (at least one needed for each IAO): Managers / staff responsible for one or more IAs

7. Accountability

The role of the IAO is to understand what information is held, what is added and what is removed, how information is moved, who has access and why. As a result they should be able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The IAO will also be responsible for providing, or informing, regular written reports to the SIRO (or equivalent), at a minimum annually, on the assurance and usage of their asset.

Each owner is accountable for the implementation and maintenance of IAs relating to their system or work area. This role can be delegated to system management staff (IAAs). Each owner is responsible for ensuring that the relevant IAA is advised of any new assets or changes to existing assets, in order for the Information Asset Register to be updated accordingly.

Each key information asset should have IG accreditation documentation that includes the rules regarding its access control. The system-level documentation should be approved by the Information Asset Owner (or individual with equivalent responsibilities) and the Information Governance Steering Group, be available to all users who are granted access to the system, and be reviewed on a regular basis. The integrity and availability of information should be considered by the Information Asset Owner (e.g. system owner or individual with equivalent responsibilities).

The need-to-know principle of access should be supplemented with additional controls for altering or deleting information. File storage systems should be constructed with these criteria in mind as, in many cases, access to a folder allows the user to view, alter, copy or delete files in the folder (and sub-folders) unless they are protected. The documentation should also identify the need for and existence of a formal registration / deregistration procedure, with restricted authorisation for registering / deregistering users. The IAO should ensure that effective procedures are in place for deregistering users who no longer need access to the system, e.g. because they no longer work for the CCG or have changed jobs. For deregistration to work effectively, the IAO, supported by the IAA, should establish a formal agreement with the Human Resources department to ensure that HR provides timely details of leavers and movers to the IAO.

IAOs should review user access to ensure users remain active and their access rights are allocated correctly. Six months is the recommended maximum period between such reviews, although access reviews are best undertaken on a frequent basis and may be aligned with staff recruitment or movement cycles.

8. Information Governance Toolkit Requirements

Responsibilities and procedures for the management and operation of all information assets should be defined and agreed by a senior person that leads on information risk (e.g. in the NHS, the Senior Information Risk Owner (SIRO) and Information Asset Owners (IAOs)). To ensure that there is effective implementation of information risk processes, there should be a comprehensively scoped and formally documented plan and programme that considers the security risks to Information Assets, including the systems and media used in processing or storing that information. Consideration of the potential impacts on the continued delivery of services (e.g. care), the protection of personal data and corporate data are all essential elements of the plan and programme.

Access to information assets, information processing facilities and business processes should be controlled on the basis of business need and security policy requirements. Access control rules should take account of both local and national policies, where these exist, for information dissemination and authorisation.

IAOs must ensure that business data and software applications of their information assets are regularly backed up and tested using the system supplier's recommended technology and configuration. IAOs must develop a risk-based back-up strategy that documents the procedures to be followed for each relevant Information Asset. Organisations that use the services of third parties for data backup should ensure arrangements conform to the organisation's information governance standards, information risk policy and the system supplier's recommended practices.

9. Disposal of an Information Asset

There must be a system in place to ensure that all acquisitions, disposals and transfers of IAs are identified and that the Information Asset Register is amended accordingly. There should be:
- An IAA responsible for updating the relevant Information Asset Register
- A mechanism in place to ensure that the IAA is informed of all relevant acquisitions, transfers and disposals (i.e. the completion of a standard form)
- A process in place for recording and monitoring work-in-progress and IAs in development
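Worked example (added here; it is not part of the CCG's framework and not code from any CCG system): a small Python script that carries out the two checks sections 7 and 8 place on the IAO and IAA, reconciling an asset's registered users against the HR leavers and movers feed and flagging assets whose last access review is older than the six-month maximum. The asset ids, user ids, the "active/leaver/mover" status vocabulary, the dates and the shape of the HR feed are all constructed assumptions.

```python
"""Access review helper: added example, not part of the CCG framework.

Assumptions (all constructed): the IAA keeps a per-asset list of access
grants, HR supplies a leavers/movers feed keyed by user id, and each asset
records the date of its last IAO access review.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AccessGrant:
    asset_id: str   # entry in the Information Asset Register
    user_id: str
    role: str       # e.g. "read", "read-write", "admin"


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str     # "active", "leaver" or "mover" (constructed vocabulary)
    department: str


@dataclass(frozen=True)
class AssetReview:
    asset_id: str
    iao: str
    last_review: date


def deregistration_candidates(grants, hr_feed):
    """Compare registered users with the HR feed.

    Returns (grant, action) pairs:
      "remove"    - user is a leaver or unknown to HR (e.g. expired agency contract)
      "reconfirm" - user has moved role, so the IAO must re-confirm need to know
    """
    by_user = {r.user_id: r for r in hr_feed}
    findings = []
    for g in grants:
        rec = by_user.get(g.user_id)
        if rec is None or rec.status == "leaver":
            findings.append((g, "remove"))
        elif rec.status == "mover":
            findings.append((g, "reconfirm"))
    return findings


def overdue_access_reviews(reviews, today, max_interval=timedelta(days=183)):
    """Asset ids whose last IAO access review exceeds the six-month maximum."""
    return sorted(r.asset_id for r in reviews if today - r.last_review > max_interval)


# Constructed sample data
SAMPLE_GRANTS = [
    AccessGrant("IA-001", "u.alpha", "read"),
    AccessGrant("IA-001", "u.bravo", "read-write"),
    AccessGrant("IA-002", "u.charlie", "admin"),
    AccessGrant("IA-002", "u.delta", "read"),
]
SAMPLE_HR = [
    HrRecord("u.alpha", "active", "Finance"),
    HrRecord("u.bravo", "leaver", "Finance"),
    HrRecord("u.charlie", "mover", "Commissioning"),
    # u.delta has no HR record at all (e.g. an agency contract that has ended)
]
SAMPLE_REVIEWS = [
    AssetReview("IA-001", "Director of Finance", date(2013, 8, 1)),
    AssetReview("IA-002", "Director of Commissioning", date(2013, 1, 15)),
]


def sample_report(today=date(2013, 9, 1)):
    """Run both checks over the constructed sample data."""
    dereg = [(g.asset_id, g.user_id, action)
             for g, action in deregistration_candidates(SAMPLE_GRANTS, SAMPLE_HR)]
    return {"deregister": dereg,
            "overdue_reviews": overdue_access_reviews(SAMPLE_REVIEWS, today)}


if __name__ == "__main__":
    report = sample_report()
    for asset_id, user_id, action in report["deregister"]:
        print(f"{asset_id}: {user_id} -> {action}")
    print("overdue access reviews:", report["overdue_reviews"])
```

A mover is reported as "reconfirm" rather than "remove" because the need-to-know basis for the original grant may no longer hold in the new role, and that judgement belongs to the IAO. The 183-day threshold is one reading of "six months"; a user absent from the HR feed altogether is treated the same as a leaver, since the IAO has no basis on which to keep the grant.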
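As a second added example (again not the CCG's own register or code), the register amendment and audit steps of sections 5, 9 and 10 in Python: each acquisition, transfer or disposal is recorded as a completed standard form and applied to the register, and an audit pass reports assets that lack an IAO or IAA, fall outside the four asset categories of section 4, or are non-computerised holdings without a recorded storage location. The asset ids, names, owners and the category labels are constructed.

```python
"""Information Asset Register maintenance and audit: added example, not the
CCG's own register or code. Asset ids, owners and events are constructed
sample data; the four categories follow section 4 of the guidance.
"""
from dataclasses import dataclass, field

CATEGORIES = {"information", "software", "hardware/removable", "services"}


@dataclass
class Asset:
    asset_id: str
    name: str
    category: str
    iao: str = ""            # Information Asset Owner (a director-level post)
    iaa: str = ""            # Information Asset Administrator
    computerised: bool = True
    location: str = ""       # file identification / storage location for paper holdings
    status: str = "active"   # "active", "in-development" or "disposed"


@dataclass
class Register:
    assets: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # completed acquisition/transfer/disposal forms

    def apply_event(self, kind, asset_id, **details):
        """Record a standard form and amend the register accordingly (section 9)."""
        self.log.append((kind, asset_id, dict(details)))
        if kind == "acquisition":
            self.assets[asset_id] = Asset(asset_id=asset_id, **details)
        elif kind == "transfer":
            a = self.assets[asset_id]
            a.iao = details.get("iao", a.iao)
            a.iaa = details.get("iaa", a.iaa)
        elif kind == "disposal":
            self.assets[asset_id].status = "disposed"
        else:
            raise ValueError(f"unknown event kind: {kind}")


def audit_register(reg):
    """Spot checks for the regular audit in section 10; returns (asset_id, issue) pairs."""
    findings = []
    for a in reg.assets.values():
        if a.category not in CATEGORIES:
            findings.append((a.asset_id, f"unknown category '{a.category}'"))
        if a.status == "disposed":
            continue                       # nothing left to own once disposed
        if not a.iao:
            findings.append((a.asset_id, "no IAO assigned"))
        if not a.iaa:
            findings.append((a.asset_id, "no IAA assigned"))
        if not a.computerised and not a.location:
            findings.append((a.asset_id, "non-computerised asset without a recorded storage location"))
    return sorted(findings)


def build_sample_register():
    """Constructed sequence of forms: four acquisitions, one transfer, one disposal."""
    reg = Register()
    reg.apply_event("acquisition", "IA-010", name="Continuing Care database",
                    category="software", iao="Director of Commissioning", iaa="CC system admin")
    reg.apply_event("acquisition", "IA-011", name="Archived contracts (paper)",
                    category="information", iao="Chief Finance Officer", computerised=False)
    reg.apply_event("acquisition", "IA-012", name="Encrypted laptops",
                    category="hardware/removable", iaa="CSU service desk")
    reg.apply_event("acquisition", "IA-013", name="Legacy PCT share",
                    category="network share", iao="Chief Officer", iaa="Ops manager")
    reg.apply_event("transfer", "IA-010", iao="Chief Nurse")   # ownership moves to a new director
    reg.apply_event("disposal", "IA-013")
    return reg


if __name__ == "__main__":
    for asset_id, issue in audit_register(build_sample_register()):
        print(f"{asset_id}: {issue}")
```

The event log is kept alongside the register so that an audit can trace every change back to a completed form, which is what section 9 asks the IAA to hold; a disposed asset is still reported if its category was never valid, because the audit of section 10 is about the register's accuracy, not only about live assets.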

10. Audit of Information Asset Register

To ensure the Information Asset Register remains current, accurate and complete, it will be subject to regular audits and spot checks. IAOs should undertake regular reviews to manage the IG risks associated with their respective IAs.

11. Privacy Impact Assessments

Projects that involve collecting personal information inevitably give rise to privacy concerns. A Privacy Impact Assessment (PIA) is a self-assessment process that has been developed by the Information Commissioner's Office (ICO) to help organisations to foresee the likely privacy impacts on individuals and to weigh these risks against the benefits to the public in the collection, use and secure disclosure of the information. A PIA helps to identify privacy risks, foresee problems and bring forward solutions. It is a process for evaluating a proposal to identify its potential effects upon individual privacy and data protection compliance, to examine how any detrimental effects might be overcome, and to ensure that new projects comply with the data protection principles. The Information Commissioner has also identified the above in his detailed guidance for undertaking PIAs (http://www.ico.gov.uk/upload/documents/pia_handbook_html_v2/index.html). This provides organisations with a baseline for undertaking reviews and a procedure that meets legislative compliance.

12. Job Description: Senior Information Risk Owner (SIRO)

Purpose of the Job: The SIRO will implement and lead the NHS Information Governance (IG) risk assessment and management processes within the CCG and advise the Governing Body on the effectiveness of information risk management across the CCG.

Specific Responsibilities: The key roles of the SIRO are to:
- Understand how the strategic business goals of the CCG may be impacted by information risks
- Act as an advocate for information risk on the Governing Body
- Take ownership of risk assessment processes for information risk, including the review of the annual information risk assessment
- Review and agree actions in respect of identified information risks
- Ensure that the CCG's approach to information risk is effective in terms of resource, commitment and execution, and that this is communicated to all staff
- Ensure the Governing Body is adequately briefed on information risk issues

The SIRO will be required to undertake strategic information risk management training at least annually.

13. Job Description: Information Asset Owner (IAO)

Purpose of the Job: Information Asset Owners are senior individuals involved in running the relevant business. The IAO's role is to:
- Understand and address risks to the information they own
- Provide assurance to the SIRO on the security and use of these assets

Specific Responsibilities:
- Maintains understanding of owned assets and how they are used
- Approves information transfers and assures the SIRO that these transfers are secure
- Approves and oversees the disposal mechanisms for the information asset when no longer needed
- Knows what information is held and who has access to it, and for what purpose
- Takes visible steps to ensure compliance with the CCG's Information Governance strategy and policies
- Undertakes quarterly reviews to document any IG risks associated with the information asset
- Understands and addresses risks to the information asset and provides assurance to the SIRO
- Receives, logs and controls requests from other staff for access to the information asset
- Ensures that changes to the information asset are documented with a formal sign-off from the IG Steering Group following the undertaking of a Privacy Impact Assessment (if necessary)

14. Job Description: Information Asset Administrator (IAA)

Purpose of the Job: Information Asset Administrators will provide support to their IAO to:
- Ensure that IG policies and procedures are followed
- Recognise potential or actual security incidents and escalate them
- Consult their IAO on incident management
- Ensure their information asset registers are accurate and up to date

Specific Responsibilities:
- Maintenance of Information Asset Registers
- Ensure compliance with data sharing agreements within the local area
- Ensure information handling procedures are fit for purpose and properly applied
- Under the direction of the IAO, ensure that personal information is not unlawfully exploited
- Recognise new information handling requirements and ensure the relevant IAO is consulted over appropriate procedures