INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

Document History

Document Reference: IG33
Document Purpose: The document complements all other Information Governance policies and sets out the management arrangements for information governance for NHS Nottingham North and East CCG, NHS Nottingham West CCG and NHS Rushcliffe CCG (collectively the South Nottinghamshire CCGs).
Date Approved: 25th
Approving Committee: Information Governance Management and Technology Committee
Version Number: Version 4.0
Status: APPROVED
Next Revision Due: September 2016
Developed by: Information Governance, Greater East Midlands Commissioning Support Unit (GEM CSU). Reviewed and refreshed by Head of Information Governance and the Information Governance Officer for NHS Nottingham City CCG on behalf of the South Nottinghamshire CCGs.
Policy Sponsor: Director of Outcomes and Information, Nottinghamshire CCGs
Target Audience: All Staff
Associated Documents: All Information Governance Policies and the Information Governance Toolkit standards

Revision History

Version | Revision date | Summary of Changes
1.0 | July 2012 | Approved by the Information Governance and Management Technology Committee
2.0 | August 2013 | Revised in line with NHS England Policies and updated to reflect version 11 of the Information Governance Toolkit
2.1 | July 2014 | Review for comment
3.0 | September 2014 | Approved by Information Governance Management and Technology Committee
4.0 | | Revised Section 8: Training Guidance. Inserted an updated version of the IGM&T terms of reference and membership. Amended framework to reflect service level agreement with CCG for IG support.

Policy Dissemination Information

Reference Number | Title | Available from
 | Information Governance Management Framework | CCG Intranet

Section

1. Introduction
2. Purpose & Scope
3. Policy Statement
4. Organisation Roles & Accountabilities
5. Key Policies
6. Governance Arrangements
7. Resources
8. Training Guidance
9. Incident Management
10. Equality & Diversity
11. Monitoring & Compliance
12. Further Information or Guidance
13. References
14. Appendix 1 - Information Governance Reporting Framework
    Appendix 2 - Information Governance Operational Structure

1. Introduction

This framework applies to the three South Nottinghamshire Clinical Commissioning Groups (CCGs), subsequently referred to in this document as the CCGs. They include:

- NHS Nottingham North and East CCG
- NHS Nottingham West CCG
- NHS Rushcliffe CCG

Robust information governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. Delivery against these requirements will be carried out in line with the standards documented within the Information Governance Toolkit (IGT). The IGT can be accessed via https://nww.igt.hscic.gov.uk using the designated organisational code, user name and password.

This Framework must be documented, approved at the most appropriate senior management level in the organisation (e.g. a member of the Executive Team) and reviewed annually.

This document sets out the CCGs' approach to embedding robust information governance throughout each organisation. This framework is a standalone document and provides a summary/overview of how the CCG is addressing the IG agenda and reflects the capacity and capability of the CCG.

2. Purpose and Scope

The purpose of this framework is to establish employee responsibility and the rules of conduct for all members of staff regarding the CCG's information governance framework and assurance process.

This policy applies to all staff within the CCG, whether operating directly or providing services to other organisations under a service level agreement or joint agreement, and to non-executive directors, contracted third parties (including agency staff), Governing Body members, locums, students, volunteers, trainees, visiting professionals or researchers, seconded and other staff on temporary placements within the organisation.

3. Policy Statement

The Health & Social Care Information Centre (HSCIC) mandates that the Information Governance Toolkit (IGT) version 13 is completed by all organisations that commission or provide services within and to the NHS. An Information Governance Management Framework (IGMF) is required to be in place to ensure that the information governance agenda is owned and implemented in a structured manner.

4. Organisational Roles & Accountability

The CCG will:

- Appoint a Head of Information Governance, an internal IG Lead, Senior Information Risk Owner (SIRO) and Caldicott Guardian. These designated roles will be reported in the CCG IG Toolkit return under Update Information Governance Senior Management Details once appointed. The roles of Caldicott Guardian and Senior Information Risk Owner (SIRO) will be at Executive level. The Accountable Officer has overall accountability and responsibility for information governance and is required to provide assurance through the Statements on Internal Control that all risks to the CCG, including those relating to information, are effectively managed and mitigated.
- Maintain policies and procedures to ensure compliance with requirements contained in the NHS Information Governance Toolkit.

The SIRO will:

- Take ownership of the organisation's information risk policy and information risk management strategy.
- All key information assets will be identified and their details included in an Information Asset Register.
- Ensure that Information Asset Owners will be identified for each key information asset.
- Ensure that all staff assigned responsibility for co-ordinating and implementing information risk management will be appropriately trained to carry out their role.
- Ensure that Information Asset Owners carry out risk reviews of the assets for which they are accountable, the frequency of review depending upon the importance of the asset and the nature of the risk environment.

The Caldicott Guardian will:

- Be added to the National Register of Caldicott Guardians.
- Identify the support necessary to ensure work related to confidentiality and data protection is appropriately carried out.
- Ensure all staff assigned responsibility for co-ordinating and implementing the confidentiality and data protection work programme have been appropriately trained to carry out their role.
- Advise and support CCG staff on enabling appropriate information sharing in line with the Caldicott Review recommendations.

The Head of Information Governance will:

- Provide expert support, advice and guidance to the strategic and technical information governance arrangements within each of the CCGs. This will include:
- Supporting the achievement of satisfactory compliance (level 2 or above) in all Information Governance Toolkit requirements. This will include the provision of specific advice and guidance regarding consent issues, information sharing across partner organisations, and the legal basis for processing information. As part of this, standardised templates will be provided for contracts and agreements in support of information sharing agreements.
- Produce appropriate information governance training materials and deliver face-to-face training sessions as and when required.
- Have a monthly meeting with the CCGs' IG Leads to discuss and review progress against information governance improvement plans.
- Prepare and present quarterly information governance update reports to the CCGs' IGM&T committee regarding compliance with IG Toolkit requirements. This will include the provision of updates and briefings on all relevant legislative and national developments/guidance.
- Work collaboratively with the IG Leads to map information governance risks for inclusion on the organisational risk register. To include chairing the bi-monthly Information Governance Operational Leads meeting.

The Information Governance, Management and Technology Committee will:

- Ensure that an appropriate comprehensive information governance framework and systems are in place throughout the constituent organisations in line with national standards. The specific responsibilities of this Committee are outlined in its terms of reference.

5. Key Policies

The CCG will provide the following policies (or equivalent) to set out scope and intent in terms of embedding Information Governance processes throughout the Organisation:

- A Confidentiality and Data Protection Policy
- An Information Security Policy
- A Corporate Governance Policy (which covers FOI)
- An Information Lifecycle Management Policy (Records Management and Information Quality)

In particular, the CCG will implement policies as required to support confidentiality, security and records management processes in addition to this.

The CCG IG Lead Link roles will:

- Develop and maintain comprehensive and appropriate documentation that demonstrates commitment to and ownership of IG responsibilities, e.g. an overarching high level strategy document supported by corporate and/or directorate policies and procedures.
- Ensure that there is senior management awareness and support for IG resourcing and implementation of improvements.
- Provide direction in formulating, establishing and promoting IG policies.
- Establish working groups, if necessary, to co-ordinate the activities of staff given IG responsibilities and progress initiatives.
- Ensure that assessment and improvement plans are prepared for approval by the senior level of management in a timely manner and in line with national reporting requirements.
- Ensure that the approach to information handling is communicated to all staff and made available to the public.
- Ensure that appropriate training is made available to staff and completed as necessary to support their duties and in line with IGT requirements.
- Liaise with other committees, working groups and programme boards in order to promote and integrate IG standards.
- Monitor information handling activities to ensure compliance with law and guidance.
- Provide a focal point for the resolution and/or discussion of IG issues, escalating issues to the Head of Information Governance where necessary.

6. Governance Arrangements

The following governance arrangements have been agreed:

The CCG Governing Body will receive periodic assurance that management and accountability arrangements are adequate and will be informed in a timely manner of future changes in the IG agenda by IG updates within the corporate report.

The CCG will be represented at the Information Governance Management and Technology Committee, which has delegated authority from each of the CCG Governing Bodies for IG compliance.

The shared CCG Information Governance Management and Technology Committee (or equivalent) will have responsibility for the information governance agenda, supported by identified senior roles, i.e. Caldicott Guardian, SIRO, and IG Lead.

Under a service level agreement, the CCG will obtain information governance support from NHS Nottingham City CCG, including the Head of Information Governance function.

Responsibility and accountability for information governance will be cascaded through the organisation via staff contracts, contracts with third parties, Information Asset Owner arrangements and departmental leads.

Key information governance messages will be developed by NHS Nottingham City CCG through a Service Level Agreement and made available to the CCGs for onward dissemination.

7. Resources

Key staff involved in the information governance agenda, below those at Executive Team level, will be provided to the CCG through a Service Level Agreement between the CCGs and NHS Nottingham City CCG.

8. Training Guidance

It is recognised that information governance education, training and awareness are essential for developing and improving staff members' information governance knowledge and skills. Staff need to understand the value of information and their responsibility for it, including data quality, information security, records management, confidentiality, legal duty, information law, rights of access and patients' rights in terms of a right of privacy and choice.

The completion of annual information governance training is mandatory for all staff, whether permanent, temporary or contracted. Initially, all new starters will complete their information governance training via the HSCIC Information Governance online training tool as part of their induction programme.

Refresher information governance training can be completed via the HSCIC information governance training tool, Electronic Staff Record or via face-to-face sessions delivered by the appropriate IG Lead, NHS Nottingham City CCG.

Information governance services will assist the CCG in achieving 95% take up of mandatory information governance training and advise/manage staff to undertake further specialist information governance training as required.

Mandatory annual information governance training should be completed by all third party contractors.

9. Incident Management

Clear guidance on reporting of information incidents and their management will be documented and staff will be made aware of its existence, where to find it and how to implement it.

10. Equality & Diversity

The CCG aims to design and implement policy documents that meet the diverse needs of the services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act.

11. Monitoring and Compliance

The IGMF will be reviewed at least annually in line with IG Toolkit requirements or amended as required to reflect changes in organisational ownership. The CCGs will monitor staff compliance with the policy internally.

12. Further Information or Guidance

Paul Gardner, Head of Information Governance, NHS Nottingham City CCG, paul.gardner@nottinghamcity.nhs.uk

13. References

NHS Code of Confidentiality
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200146/confidentiality_-_NHS_Code_of_Practice.pdf

The IG Toolkit
https://www.igtt.hscic.gov.uk/igte/index.cfm

Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents (Gateway reference 13177)
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/links/suichecklist.pdf

NHS Information Risk Management
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/risk/inforiskmgtgpg.pdf

The Caldicott Review: Information Governance in the Health and Social Care System
https://www.gov.uk/government/publications/the-information-governance-review

Appendix 1

NOTTINGHAMSHIRE CLINICAL COMMISSIONING GROUP (CCG) INFORMATION GOVERNANCE REPORTING FRAMEWORK

[Reporting framework diagram; the bodies shown are:]

CCG GOVERNING BODY: Receives minutes and highlight report
Risk and Information Security Advisory Group (RISAG)
INFORMATION GOVERNANCE, MANAGEMENT AND TECHNOLOGY COMMITTEE
NHIS Group
East Midlands Strategic Information Governance Committee
RECORDS AND INFORMATION GROUP (RIG) (Local Health Community IG Leads)
IG LEADS MEETING: Nottinghamshire CCG Operational IG Leads/GEM IG Lead
SIRO and CALDICOTT Advice

The Information Governance, Management & Technology Committee is managed by Rushcliffe Clinical Commissioning Group on behalf of Nottingham West CCG, Nottingham North and East CCG, Mansfield and Ashfield CCG and Newark and Sherwood CCG.

Appendix 2

Information Governance Operational Structure

[Operational structure diagram; the roles shown are:]

Accountable Officer
Caldicott Guardian
SIRO
IG Lead Link role (internal)
Information Asset Owners
Information Asset Support Staff
Head of IG, NHS Notts City CCG