Information Governance Strategy and Management Framework

Summary: This strategy sets out the framework, structure, system and accountabilities for Information Governance Management within NHS Eastbourne, Hailsham and Seaford Clinical Commissioning Group (CCG) and NHS Hastings and Rother CCG.

APPROVED BY: Ratified by the Governing Bodies January 2017
EFFECTIVE FROM: 1st February 2017
REVIEW DATE: 1st November 2017
1. INTRODUCTION.

1.1. Eastbourne Hailsham and Seaford (EHS) Clinical Commissioning Group (CCG) and Hastings and Rother (HR) CCG have a joint staff structure. This policy covers both organisations and they are referred to jointly as the CCG.

1.2. This document sets out the approach to be taken within the CCG to provide a robust Information Governance (IG) framework for managing personal and organisational information.

1.3. The purpose of this document is to detail how the CCG will ensure that clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and resources are in place to ensure that all legal obligations are met and information is managed efficiently and effectively.

1.4. All statutory NHS organisations are required to ensure that information is managed in such a way that it supports and enables the organisation to hold, obtain, record, use and share information across the organisation to support its business objectives, in line with legal requirements.

2. KEY ACTIONS.

2.1. IG will be considered regularly at the CCG Quality and Governance Committees.

2.2. Information Governance Policies will be refreshed in line with best practice guidance from the Commissioning Support Unit as part of the annual policy review process.

2.3. A full submission of the IG toolkit for the CCG will be made by 31st March each year. As activity moves from creation of a sound IG infrastructure towards effective audit and monitoring of its effectiveness, it is planned to increase the number of requirements against which level three is reached. The Risk and Business Planning Manager will monitor progress against these plans and report any exceptions to the Quality and Governance Committee.

2.4. All staff will be required to complete IG training annually, either by attendance at face to face training or by completing equivalent online training. If a specific need is identified, specialist face to face training will be provided.

2.5. The production and annual review of a comprehensive set of IG policies and procedures. The management and accountability structures reflect the legal and operational IG requirements.

2.6. All staff within the CCG will receive information regularly concerning IG. This will promote information being held, obtained, recorded, used, shared and destroyed in line with all relevant legal and ethical requirements. It will include learning from the CCGs and other organisations.

2017 IG Strategy and Management Framework Page 2 of 5
Information Governance Framework

Information Governance Roles
Senior Information Risk Owner (SIRO); Overall responsibility for IG management; IG Lead (Day to Day); Caldicott Guardians; IG support; Registration Authority Manager(s)
Chief Operating Officer; Head of Governance and Business Planning; Risk and Business Planning Manager; Chair (EHS) and a GP Governing Body Member (HR); Commissioned function from South Central and West Commissioning Support Unit (SCW CSU); Head of Information Management and Technology

Key Information Governance Policies
Information Governance Policy
Information Security Policy
Records Management and Information Lifecycle Policy
Data Protection Policy
Confidentiality Policy
Freedom of Information Policy

Key Information Governance Group
Quality and Governance Committees (supported by the Information Governance Steering Group).

Resources
Senior Information Risk Owner accountable for ensuring that all information risks are identified and managed in line with legal and organisational requirements.
Caldicott Guardian provides specialist advice on patient records including confidentiality and information sharing.
Head of Governance and Business Planning has day to day responsibility for providing IG advice and support (utilising expertise from the CSU).
Head of Strategic IM&T has lead responsibility for Information Security.
Training resources: E-learning IG training tool will be available to all staff early 2017. IG element of mandatory induction training. Direct training available to meet specialist, identified need.
Governance Framework

Freedom of Information and Subject Access Request activities are supported by SCW CSU. This service is overseen by the Head of Governance and Business Planning.

Overall accountability for ensuring safe practice and adherence to the Data Protection Act 1998 and the Caldicott Principles lies with the Chief Officer and is delegated to the Chief Operating Officer.

Every member of staff and all contracted staff are responsible for ensuring that information governance standards including confidentiality and records management are met. This is a contractual requirement.

Information Risk
All information assets within the CCG are documented and an information asset owner has been identified. The role of the information asset owner is to ensure that all information assets are held in line with legal and organisational requirements. Information Risk is managed within the overall risk strategy. A data flows exercise is undertaken annually and when a new information flow is set up. A risk assessment of each of these flows is undertaken.

Annual Governance Statements
Contain annual statements of the organisational approach to the management of IG and its position with regard to its IG Toolkit submission and IG Statements of Compliance (IGSOC).

Assurance Frameworks (AF) and Risk Registers
Contain any high level IG risks that may affect the delivery of the CCG strategic objectives.

Annual reports
Contain statements of Serious Incidents involving Data Loss or Breach of Confidentiality.

Records Management and Audit
A records management plan is being developed to ensure consistency of approach across the CCG in line with the Records Management Information Lifecycle Policy.

Subject Access monitoring
A robust system is in place to ensure all subject access requests are documented and responded to in line with the Data Protection Act 1998. Subject Access Requests and Access to Health Records processes are supported by a CSU and monitoring information is reported to the CCG. This data will be included within the annual Information Governance report produced every April.

Privacy Impact Assessment (PIA) monitoring
Ensure that a PIA is completed for projects, new initiatives or substantially revised working practices, policies and processes. PIAs will be considered and approved by the Information Governance Steering Group [IGSG]. The CSU will provide recommendations for changes to proposed processes to ensure they are in line with statute.

Information Security
The CCG is responsible for ensuring the highest standards of Information Security. The tasks within this service will be supported by a CSU.
Asset Register
A register of all information assets held by the CCG is maintained.

Training and Guidance
Information Governance training is available quarterly for all staff to complete face to face. Alternative training is available to all staff via e-learning. A minimum target of 95% of all staff having completed IG training is required and a higher level of compliance is aimed for and monitored by the Organisational Development team. A CSU will provide targeted training for individual staff members or groups of staff who have a specialist requirement, e.g. specific sessions will be arranged for Governing Body members and for Continuing Healthcare Staff. A Confidentiality Code of Practice is included in every contract of employment to ensure that all personal and organisational information is kept safe and secure and only shared if legally permissible and there is an organisational reason to do so.

Incident Management
Information incidents are managed in line with the overall Incident Reporting Policy and specialist support received from a Commissioning Support Unit.

3. IG Training

Training requirements, by staff role, are set out within the Information Governance policy.

4. Review and Monitoring

This framework will be reviewed annually by the Risk and Business Planning Manager and the outcome of the review reported to the Quality and Governance Committees.