INFORMATION GOVERNANCE POLICY

Information Governance Policy
Reference: IGPOL/01
Information Systems, Corporate Services Division
March 2017

Revision History

Version  Date        Author(s)                                      Comments
0.1      12/12/2012  Helen Kerr (Records Manager)                   Draft by Records Manager
0.2      12/03/2012  Helen Kerr (Records Manager)                   Minor amendments following meeting of the Information Governance Group
0.3      10/04/2012  Helen Kerr (Records Manager)                   Minor amendments by Julia O'Sullivan
0.4      10/04/2012  Helen Kerr (Records Manager)                   Minor amendments by Louise Frayne
1.0      20/04/2012  Helen Kerr (Records Manager)                   Final - published
2.0      30/07/2014  Helen Dodd                                     Review of Policy
2.1      09/10/2014  IGG                                            Minor amendments made by the Information Governance Group
2.2      13/12/2016  Adele Picken (Information Governance Manager)  Review and structural amendments
2.3      15/12/2016  Alan McMahon (Head of IS)                      Minor amendments
2.4      15/12/2016  AP                                             Further amendments following AM comments
2.5      01/02/2017  AP                                             Minor amendments

Review date: Biennially
Approval: Information Governance Group and SMT

Approvals

Name                          Date        Version  Comments
Information Governance Group  10/02/2017  2.5      Approved by email
SMT                           14/03/2017  2.5      Approved by email

Relevant Policies, Templates & Forms

The following policies, procedures, and guidance should be used or referred to when necessary alongside this policy. All policies and templates will be made available on the intranet once finalised and approved.

Reference  Document Name                                         Status
IGPOL/01   Information Governance Policy                         Final - Published
IGPOL/02   Information Security Policy                           Final - Published
IGPOL/03   Data Protection Policy                                Final - Published
IGPOL/04   Information Sharing Policy                            Final - Published
IGPOL/06   Corporate Retention Schedule                          Final - Published
IGPOL/07   Corporate Classification Scheme                       Final - Published
IGPOL/09   Paper Records - Secure Handling and Transit Policy    Final - Published
IGPRO/01   Security Incident Procedure                           Final - Published
IGPRO/02   Subject Access Request Procedure                      Final - Published
IMNOTE/01  SAR guidance - what information to provide            Final - Published
IMNOTE/02  SAR guidance - what information to withhold           Final - Published
IMNOTE/03  Checklist when handling personal or sensitive data    Final - Published
IMNOTE/04  Checklist - How to process a Subject Access Request   Final - Published
IMNOTE/05  Naming Convention Guidance                            Final - Published
IMNOTE/06  Version Control Guidance                              Final - Published
IMNOTE/07  Email Management Guidance                             Final - Published
AUP        Acceptable Use Policy                                 Final - Published

CONTENTS

1 Introduction
2 Purpose of the Policy
3 Scope
4 Information Governance Principles
5 Legislative Framework
6 Responsibilities
6.3 Responsibilities of Managers
6.4 Responsibilities of Users
6.5 Responsibilities of the Information Governance Group
6.6 Responsibilities of the Information Governance Manager
6.7 Responsibilities of the Senior Information Risk Owner
6.8 Responsibilities of Information Asset Administrators
7 Information Governance Framework
8 Main Themes
8.4 Information Risk Management
8.5 Business Continuity and Vital Records Management
8.7 Access and Security
9 Escalation

1 Introduction

1.1 This policy establishes the RCPCH's Information Governance Framework Policy.

1.2 It provides a statement of the RCPCH's intentions and approach to fulfilling its statutory and organisational responsibilities with regard to Information Governance.

2 Purpose of the policy

2.1 The purpose of this document is to provide a clear statement of the RCPCH's policy relating to the management of its information assets and the information governance framework within which the RCPCH will operate.

2.2 Information Governance is defined as: "A holistic approach to managing information that seeks to minimise the risks to the organisation and maximise the opportunities in the use of information, whilst protecting the rights of the individual. It enables a strategic approach to managing information assets and resources throughout the information lifecycle by developing appropriate tools, standards and processes, whilst seeking to build organisational cultures that value information resources."

2.3 Information is a key asset which must be managed both strategically and operationally to leverage opportunity and manage risk.

2.4 At its heart it supports two outcomes critical to the success of any modern organisation: efficiency and accountability.
- Efficiency, so that those working in the organisation are able to easily locate the right information needed to deliver services and to make decisions.
- Accountability, so that the organisation can justify and successfully demonstrate to stakeholders that it is fulfilling its legal, democratic and community obligations.

2.5 The key aspects of Information Governance are:
- data protection and confidentiality;
- information security;
- information quality;
- information and records management.

3 Scope

3.1 This Policy applies to all RCPCH staff, members and contractors who undertake any activity within the organisation in the course of the RCPCH's service and business operations.

3.2 The policy sits within a framework of information management policies, procedures and guidance which are listed at Appendix A.

3.3 The policy applies to all information irrespective of the technology used to create and store it. It therefore includes paper and electronic records, but also line-of-business and information systems, for example the corporate CRM (Care) and the content of the intranet and internet sites.

4 Information Governance Principles

4.1 The RCPCH will adopt the Department of Health model as its principles for managing information. Information should be:
- Held securely and confidentially
- Obtained fairly and efficiently
- Recorded accurately and reliably
- Used effectively and ethically
- Shared appropriately and lawfully

4.2 The College aims to maintain and expand its Information Governance framework, supported by a foundation level of IG literacy within the College. This will primarily focus on five things:
- Developing practical record keeping solutions to ensure that all records assist in helping the College meet its objectives
- Maintaining and continuing to develop a training and guidance framework to support staff and make them aware of their responsibilities, including the understanding that there may be disciplinary action in the event of non-compliance
- Developing processes and monitoring tools to ensure our information is secure and risks are managed proactively
- Maintaining and regularly reviewing the policy framework to ensure it is still relevant. This demonstrates the College's commitment to Information Management and establishes good practice
- Where appropriate, taking advantage of technological developments to support effective records management

4.3 This should ultimately help foster an organisational culture that promotes good record keeping and information governance, and create an efficient, forward-facing organisation that can manage risks proactively.

5 Legislative framework

5.1 Legislation will often either explicitly or implicitly establish requirements upon the RCPCH to manage information. At a minimum the College will be required to provide documentary evidence that legislative requirements are being adhered to. Other legislation is specifically concerned with how the organisation keeps its information and provides access to it:
- The Data Protection Act (DPA) 1998 (to be superseded by the General Data Protection Regulation from May 2018)
- Copyright, Designs and Patents Act 1988
- Human Rights Act 1998 and the European Convention on Human Rights
- Common law tort of breach of confidence
- Computer Misuse Act 1990
- Section 251 of the National Health Service Act 2006

5.2 The RCPCH will aim to comply with national standards relating to the management of information, including:
- The International Standards for Records Management, BS ISO 15489-1 and BS ISO 15489-2
- British Standard for Legal Admissibility and Evidential Weight of Information Stored Electronically, BIP0008 (previously known as PD0008)
- Caldicott principles
- ISO 27001 and ISO 27002
- The NHS Information Governance Toolkit
- Records Management Code of Practice for Health and Social Care (July 2016)
- The NHS Information Security Management Code of Practice 2007

6 Responsibilities

6.1 Information management is the responsibility of everyone at the RCPCH. All employees, regardless of the seniority of their role, make decisions that commit the organisation to some course of action or other.

6.2 In order to fulfil the organisation's priorities, it is critical that there is an organisational culture which ensures that employees understand the need to make records of their actions, and where the organisation itself manages those records in ways that recognise their importance as an asset to the RCPCH and the wider community.

6.3 Responsibilities of managers

6.3.1 Directors across the College must ensure that their area is compliant with RCPCH policies regarding the management of information and records.

6.3.2 Each Division will appoint Information Asset Owners to carry out the duties detailed in section 8 of this Policy, and nominate two representatives to attend the Information Governance Group.

6.3.3 Directors will ensure that managers and employees are fulfilling their information management accountabilities, and ensure that their staff are sufficiently aware of this policy and the associated guidance, protocols and agreements to carry out their role.

6.3.4 Each Division will ensure that it has sufficient resource to carry out its Information Management responsibilities and that its staff are made available for information management training.

6.4 Responsibilities of Users

6.4.1 All employees, including temporary staff, interns and contractors, are responsible for ensuring that they comply with the RCPCH's Information Governance policies.

6.4.2 Employees must undertake mandated training to ensure understanding of the information and records management responsibilities appropriate to their post.

6.4.3 Employees will appropriately create, classify, and retain authentic records appropriate to their post, and dispose of records only when authorised by the appropriate Information Asset Owner or the Information Governance Manager.

6.4.4 Employees will report any breach of the above policies, and any near misses, to the Information Governance Manager or the Head of Information Systems. Any adverse trends will be analysed and reported to the Information Governance Group.

6.5 Responsibilities of the Information Governance Group

6.5.1 The Information Governance Group will support the integration and embedding of Information Governance across the organisation and enable decisions to be made (and supported) from a corporate perspective.

6.5.2 The group will be responsible for overseeing overall information governance at the College, consideration of existing legislation and compliance, and consideration of Document and Records Management procedures.

6.5.3 The group is authorised to make recommendations to SMT in the first instance, who may then further refer to the Finance and Risk Committee.

6.6 Responsibilities of the Information Governance Manager

6.6.1 Develop and maintain Information Management policies, procedures and guidance as necessary.

6.6.2 Develop the Information Security Policy and develop processes to mitigate risk.

6.6.3 Maintain and further develop the RCPCH information management architecture, including the Information Asset Register.

6.6.4 Ensure that systems developed by the RCPCH are compliant with information rights legislation and with the organisation's Information Management policies.

6.6.5 Develop record keeping systems and processes to ensure that information is proactively exploited.

6.6.6 Develop the Corporate Retention Schedule, access models and vital records markings.

6.6.7 Co-ordinate all requests for information under the Data Protection Act and, where applicable, the Freedom of Information Act.

6.6.8 Develop, and ensure the delivery of, information and records management training to all employees.

6.6.9 Manage and provide access to the historical records of the College.

6.7 Responsibilities of the Senior Information Risk Owner

6.7.1 To lead and foster a culture that values, protects and uses information proactively for the benefit of the organisation and its members.

6.7.2 To own the overall risk policy and risk assessment process, test its outcome, and ensure that it is used.

6.7.3 To cover information risk explicitly in the statement of internal control.

6.8 Responsibilities of Information Asset Administrators

6.8.1 Know what information the asset holds, what enters it and why.

6.8.2 Know who has access and why, and ensure that their use is monitored.

7 Information Governance Framework

The RCPCH has developed a framework for its Information Governance Policy. This is supported by a set of Information Governance policies and related procedures and guidelines to cover all aspects of Information Governance (Appendix A).

8 Main Themes

- Management of Information and Records
- Partnerships and Contracts
- Information Quality Assurance
- Information Risk Management
- Business Continuity and Vital Records Management
- Legal Compliance
- Access and Security
- Training and Awareness

8.1 Management of information and records

8.1.1 Records Management is the process by which an organisation manages all aspects of its records, whether internally or externally generated and in any format or media type, from their creation, all the way through their lifecycle, to their eventual disposal.

8.1.2 The RCPCH's records are its corporate memory, providing evidence of actions and decisions and representing a vital asset to support daily functions and operations. Records support policy formation and managerial decision-making, and protect the interests of the organisation and its members. They support consistency, continuity, efficiency and productivity, and help deliver services in consistent and equitable ways.

8.1.3 The RCPCH will develop systems and processes for the effective management of both electronic and paper records.

8.1.4 Classification

8.1.4.1 The classification scheme includes details of records series kept in paper and electronic formats.

8.1.4.2 The Information Governance Manager, alongside teams, will further develop and regularly review the Retention and Disposal Schedule, and will apply retention periods to all information assets and systems.

8.1.4.3 The Information Governance Manager will appraise records for their historical worth, and maintain the RCPCH's Archive in perpetuity.

8.1.5 Information Assets

8.1.5.1 An Information Asset is a set of records, data or information maintained in relation to a business process. This could be a set of paper case files or an electronic business system.

8.1.5.2 A complete list of Information Assets held across all business functions, including those outsourced to third parties, is maintained by the Information Governance Manager. This identifies a member of staff (an Information Asset Administrator) with responsibility for each asset.

8.1.5.3 A process of annual information audit will be established and the asset register updated accordingly.

8.1.5.4 The Information Asset Register will be a corporate resource, used to support information, system and service development, and business continuity and disaster recovery arrangements.

8.1.5.5 A procedure will be developed to ensure the secure disposal of all information assets once they are no longer required by the organisation.

8.2 Partnerships and contracts

8.2.1 Where the RCPCH enters into partnership, ranging from ongoing supplier relationships through to the contracting out of major functions, appropriate information governance arrangements must be in place.

8.2.2 In all cases consideration must be given to the attendant information management and record keeping issues at the time the contract is agreed. This includes identifying who owns the data, minimum security arrangements, and escalation procedures in case of an information management security breach.

8.2.3 The organisation's accountabilities in respect of information continue even when activity is carried out on its behalf by a third party. Therefore, all contractors must be made aware that they are data processors on behalf of the organisation.

8.2.4 The Information Governance Manager must be consulted prior to the undertaking of any contract where personal or sensitive information is held by a third party on behalf of the RCPCH.

8.2.5 All contracts where personal and sensitive information is processed must comply with the requirements of the GDPR, including the provision of security guarantees.

8.3 Information Quality Assurance

8.3.1 The RCPCH will establish and maintain standards and policies to help assure the quality of the information that the organisation creates and maintains.

8.3.2 In order to ensure data quality, managers are expected to take ownership of, and seek to improve, the quality of information within their services.

8.3.3 Wherever possible, information quality should be assured at the point of collection.

8.3.4 The RCPCH is committed to holding one version of any record, document or information set and to reducing duplication across its information systems.

8.4 Information Risk Management

8.4.1 The RCPCH will ensure stronger accountability through the Senior Information Risk Owner (currently the Director of Corporate Services). Information Management risks will be monitored by the Information Governance Manager and will inform the service planning process.

8.4.2 The Information Security Policy defines the RCPCH's policy with regard to information, systems and communications security.

8.4.3 The RCPCH will undertake a review of the Information Asset Register and, as a result of this, assess where penetration testing is needed and the frequency required, in compliance with the NHS IG Toolkit.

8.5 Business Continuity and Vital Records Management

8.5.1 The RCPCH will develop systematic, monitored and tested business continuity planning in relation to its records and core business information, which identifies and manages risks prior to any given disruption to business continuity and which assists the fastest possible recovery afterwards.

8.5.2 Business continuity plans need to address risks associated with both digital and paper-based records. There are obvious differences in risks which must be treated differently.

8.5.3 Identifiers of vital and important records will be developed in conjunction with classification schemes.

8.5.4 The business continuity plan should identify vital and/or important records that should be retrieved if necessity and opportunity allow. The plan should include lists and indexes that indicate where these records are (including their physical location within an electronic environment).

8.6 Legal Compliance

8.6.1 Data Protection and Confidentiality

8.6.1.1 The RCPCH complies with the Data Protection Act 1998. As part of this, the Information Commissioner has been notified of all personal data held by the RCPCH.

8.6.1.2 Any member of staff breaching the RCPCH's Information Governance Policy will be subject to the established disciplinary procedure and, in cases of deliberate or reckless negligence, may be subject to criminal sanctions.

8.6.1.3 The organisation will ensure that procedures are in place so that it can provide personal information to data subjects under section 7 of the Data Protection Act in a timely and thorough manner.

8.6.2 Freedom of Information

8.6.2.1 The Freedom of Information Act 2000 does not apply to the Royal College of Paediatrics and Child Health, as it is not a public authority. However, there are some College projects where the funding body requires compliance because the project's functions are of a public nature and the funding body wishes to be as transparent as possible.

8.6.3 Where the Freedom of Information Act applies through externally funded projects, standard operating procedures will be developed per project (and in accordance with contractual terms) in order to ensure that the organisation can provide information when requested under the Freedom of Information Act in a timely and thorough manner.

8.7 Access and Security

8.7.1 The RCPCH will establish and maintain standards and policies for the effective and secure management (including access) of its information assets and resources.

8.7.2 The RCPCH's records and information will be properly controlled through access rights provided to members, partners and staff.

8.7.3 Access rights and models will be developed with service areas and will be based on the security requirements of each information series. The College will provide external access to its non-confidential historical records through the Archives on request.

8.8 Training and awareness

8.8.1 Staff will be made aware of this policy upon publication, and on a regular basis afterwards via the intranet.

8.8.2 New staff will be informed of this policy and undergo training as part of the induction process. Staff will also be required to undertake refresher training every 2 years.

9 Escalation

Failure to comply with this Policy may lead to staff disciplinary action being considered in accordance with the College's Conduct and Disciplinary Policy.

Appendix A: Information Governance policy framework

Corporate Plan
Corporate Services Plan
Information Governance Policy

Policies
- Information Security Policy
- Data Protection Policy
- Records Management Policy
- Information Sharing Policy
- Acceptable Use Policy
- Paper Records Transfer Policy
- Small Numbers Policy
- Corporate Retention Schedule
- Corporate Classification Scheme

Procedures
- Security Incident Procedure
- SAR Procedure
- Procedures for off-site storage
- Procedures for Record Disposal

Guidance
- SAR Guidance (Withholding information; Providing information)
- Handling information checklist
- Naming Conventions
- Version Control
- Email guidance

Key: Published / In draft