Information Governance Management Framework

Summary: This document sets out the framework, structure, system and accountabilities for Information Governance Management within West Kent Clinical Commissioning Group (CCG).

APPROVED BY: Chief Finance Officer / SIRO
EFFECTIVE FROM: February 2017
REVIEW DATE: February 2018

Framework Roles Key
- Senior Information Risk Owner (SIRO), overall responsibility for IG management: Chief Finance Officer, Reg Middleton
- IG Lead (day to day): Chief Finance Officer, Reg Middleton; South East CSU CO, Gillian Wood
- Caldicott Guardian: CCG Chair, Dr Bob Bowes
- IG support: South East CSU Team
- Registration Authority Manager(s): South East CSU Registration Authority Team
Policies

Information Governance Policy
The IG policy is a statement of intention and approach to fulfilling the CCG's statutory and organisational responsibilities. It enables management and staff to make informed decisions, work effectively and comply with relevant legislation.

Information Security Policy
The CCG's Corporate Information Security Policy is a high-level document that uses a number of controls to protect the organisation's information. The controls are delivered through policies, standards, processes and procedures, supported by tools and user training.

Records Management Policy
The CCG's records are its corporate memory, providing evidence of actions and decisions and representing a vital asset that supports daily functions and operations. Records support policy formation and managerial decision-making, and protect the interests of the CCG and the rights of patients, staff and members of the public. They support consistency, continuity, efficiency and productivity, and help deliver services in consistent and equitable ways.

Data Protection and Confidentiality Policy
This policy provides a framework for the CCG to ensure compliance with the Data Protection Act 1998. The CCG, as a Data Controller, has a legal obligation to comply with all appropriate legislation with regard to the processing of personal data. It should also comply with guidance issued by the Department of Health, NHS England and other advisory groups to the NHS, and with guidance issued by professional bodies.

Subject Access Request Process
The Data Protection Act 1998 came into force on 1st March 2000. The Act entitles an individual, with certain exceptions, to a copy of both manual data recorded in a relevant filing system and computer data relating to them that is held by the CCG. A request for such information is known as a Subject Access Request. This process sets out the steps the CCG must take to comply with Subject Access Requests.
The Action Plan (arising from the annual assessment of the Toolkit)
South East CSU, on behalf of the CCG, produces an Action Plan each year for completing the IG Toolkit to Level 3 in all requirements, listing all the evidence required for compliance.
Freedom of Information Policy
This policy provides a framework for the CCG to ensure compliance with the FOIA, the Re-use of Public Sector Information Regulations 2005 and the Environmental Information Regulations 2004.

Key Group
The Chiefs Meeting is a high-level group within the CCG which vets and approves all policies, procedures, systems and documentation before they are forwarded to the CCG Governing Body for final approval, where appropriate.

Resources
- A Senior Information Risk Owner (SIRO) has been appointed and is accountable for ensuring that all information risks are identified and managed in line with legal and organisational requirements.
- A Caldicott Guardian has been appointed and provides specialist advice on patient records, including confidentiality and information sharing.
- The Chief Finance Officer, as SIRO, has overall responsibility for information governance.
- The Chief Finance Officer and South East CSU have day-to-day responsibility for providing IG advice and support.
- Information security lead responsibility lies with the supporting South East Commissioning Support Unit.
- Training resources: an e-learning IG training tool and face-to-face training are available to all staff. Direct training is available to meet specialist, identified needs.
- Freedom of Information is administered within the Commissioning Support Unit.
- Overall accountability for ensuring safe practice and adherence to the Data Protection Act 1998 and the Caldicott Principles lies with the Chief Finance Officer and is delegated to the Caldicott Guardian.
- Every member of staff and all contracted staff are responsible for ensuring that information governance standards, including confidentiality and records management, are met. This is a contractual requirement.
- All information assets within West Kent CCG are documented and an information asset owner is identified. The role of the information asset owner is to ensure that all information assets are held in line with legal and organisational requirements.

Information Risk
Information risk is managed within the overall risk strategy. A data flows exercise is undertaken annually and whenever a new information flow is set up. A risk assessment of each of these flows is undertaken.

Annual Assurance Statement
As of 16th September 2009, all organisations submitting an IG Toolkit assessment are required to accept the IG Assurance Statement. The IG Assurance Statement is binding on the CCG, and its acceptance should be authorised by an appropriate senior individual in the same way as the IG Toolkit assessment itself.

Board Assurance Framework (BAF) and Risk Register, or CCG equivalent
Contains any high-level IG risks that may affect the delivery of the organisation's strategic objectives.

Annual Report
Contains a statement of Serious Incidents involving data loss or breach of confidentiality.

Records Management and Audit
A records management plan is in place to ensure consistency of approach across the CCG, in line with the Records Lifecycle Policy.

Subject Access Monitoring
A robust system is in place to ensure that all Subject Access Requests are documented and responded to in line with the Data Protection Act 1998. As Subject Access Requests will be handled by the Commissioning Support Service, this monitoring will be undertaken by them and an annual report provided to the CCG.

Information Security
The CCG is responsible for ensuring the highest standards of information security. The tasks within this service will be bought in from the CSU.

Information Asset Register
A register of all information assets held by the CCG is continually being developed.
Training and Guidance
Information governance training is provided to all staff via e-learning or delivered face to face. A target of 95% of all staff is aimed for and is monitored by the South East CSU Hub. The Commissioning Support Service will provide targeted training for individual staff members or groups of staff who have a specialist requirement. Face-to-face training is given on request. A Confidentiality Code of Practice is included in every member of staff's contract of employment to ensure that all personal and organisational information is kept safe and secure, and is only shared where this is legally permissible and there is an organisational reason to do so.

Incident Management
Information governance incidents are managed in line with the overall Risk and Incident Management Policy.

Review and Monitoring
This framework will be reviewed annually by the Senior Associate and then sent to the Chief Finance Officer / SIRO for approval.