Information Assets: Security and Risk Management Policy. Choice, Responsiveness, Integration & Shared Care

Worcestershire Mental Health Partnership NHS Trust

Reader Box
Document Type: Corporate Policy
Document Purpose: Best Practice Guidance
Unique identifier: TC0120
Title: Information Assets: Security and Risk Management Policy
Target Audience: All Staff
Description: Information risk management is a register and an assessment of the Trust's information systems. These systems are known as Information Assets (IA) because they are valuable to the clinical and business functions of the organisation.
Superseded Documents: None
Ratified by: Quality Committee
Ratification date: 7th February 2011
Implementation date: February 2011
Review period: 1 year
Version update date:
Review date: February 2012
Owner: Director of Resources
Responsible group: Information Governance
Contact Details: Director of Resources, Isaac Maddox House, Shrub Hill Road, Worcester WR4 9RW

The electronic copy of this document is the only version that is maintained. Printed copies may not be relied upon to contain the latest updates and amendments.

Diagram 1 Information Risk Management Structure: Trust Board; Quality Committee; Senior Information Risk Owner, through the Information Governance Strategy Group; upholding the Data Protection Act and the NHS Code of Confidentiality through information risk management.

1.0 Introduction

1.1 This policy sets out Worcestershire Mental Health Partnership NHS Trust's (WMHPT) Information Risk Management Policy. Information risk management is a register and an assessment of the Trust's information systems. These systems are known as Information Assets (IA) because they are valuable to the clinical and business functions of the organisation.

1.2 Objectives

The objectives of this policy are to:
- Protect patients and staff from information risk.
- Protect the Trust's corporate records.
- Protect the systems and environments where information is stored.
- Protect the processes by which information is accessed.
- Provide a consistent information risk management framework.
- Encourage proactive rather than reactive information risk management.
- Ensure compliance with legislation and the Information Governance Assurance Framework.

1.3 What are Information Assets (IA)?

There are various categories of Information Assets, including:
- Databases: current and archived.
- Paper records: current and archived.
- Software: applications, programs, systems development tools and utilities.
- Physical: infrastructure, equipment, furniture and accommodation used for data processing.
- Services: computing and communications, heating, lighting, power and air-conditioning used for data processing.
- People: qualifications, skills and experience.
- Policies: procedures, guidance and training.
- Intangibles: public confidence in the organisation's compliance with the Data Protection Act and the NHS Code of Confidentiality.

1.4 What is the Information Asset Register?

An Information Asset Register is a single document listing all the Trust's valuable information systems and recording all assessed risks. Appendix 2 illustrates the format of the Information Asset Register.

The SIRO will oversee the Trust's Information Asset Register to ensure it is complete and robust.

2.0 Roles and Responsibilities

2.1 The Role of the Senior Information Risk Owner

The Senior Information Risk Owner (SIRO) is responsible for coordinating the information risk standards within the Trust through the membership and activities of the Information Governance Group.

2.2 Information Asset Owners (IAO)

It is important that ownership of each Information Asset is linked to a post rather than a named individual. This ensures responsibility for each asset is passed on when an IAO leaves or changes role. Information Asset Owners (IAOs) shall ensure information risk assessments are performed at least annually.

It is important that each IAO should know:
- What information is held, and the nature of and justification for information flows to and from each asset.
- Who has access, and the purpose of that access.

As a result they should be able to understand and address any risks and to ensure assets comply with the Data Protection Act. IAOs will provide reports to the SIRO, at least annually, on the assurance and usage of their asset.

2.3 Information Asset Administrators

Large information systems may nominate key functions to Information Asset Administrators (IAAs) to assist the IAO in the operational management of an asset.

2.4 All staff

All staff have a contractual obligation to ensure that confidential and Person Identifiable Data is secure at all times. The framework for this obligation is defined in:
- The Code of Conduct for Employees in Respect of Confidentiality
- The NHS Code of Practice on Confidentiality 2003
- The Data Protection Act 1998
- The Caldicott Guardian principles
- Trust Information Governance Policies

3.0 Training

Training and awareness is the primary influence in ensuring that information is appropriately managed and information breaches do not happen. Training should follow a tiered approach, appropriate to the organisational needs and to each individual's roles and responsibilities. Appendix 1 illustrates the Trust's Information Governance training needs assessment and states the minimum requirement.

4.0 Incident Reporting

All incidents of confidential and/or Person Identifiable Data breaches must be recorded on the Trust's reporting system as per the Trust's Risk Management Policy.

Security Breach Impact on Reputation
Security Breach Impact on Individual

5.0 Monitoring

This policy will be monitored against the Information Governance Toolkit requirements and by the Information Governance Strategy Group through:
- Receiving reports from IAOs
- Reviewing Information Governance related incident reports
- Reviewing the Information Asset Register

6.0 Further Guidance

Further guidance on the arrangements for Information Risk Management can be accessed via Connecting for Health's Information Governance web page: https://nww.igt.connectingforhealth.nhs.uk/requirementslist.aspx?tk=405206128220035&lnv=4&cb=14%3a42%3a39&sViewOrgType=5&sDesc=Mental%20Health%20Trust

Appendix 1 Information Risk Management Training Needs Assessment

Tier 1
Description: All staff must receive basic Information Governance training at Trust induction and at workplace induction.
Process: Mandatory attendance at Trust Induction; workplace induction.
Monitoring: Monitored by Practice Development / Service Improvement.

Tier 2*
Description: In line with the NHS Operating Framework 2010/2011, 95% of the Trust's workforce (including all permanent staff and staff on temporary contracts of more than 3 months) must have completed the Introduction to Information Governance and The Beginner's Guide to Information Governance training using the NHS Information Governance Training Tool (NHS IGTT) by 31st March 2010. This mandatory requirement has been embedded in the Trust's training matrix. These modules are accessible via the e-learning application in ESR. This applies to employed staff, contracted staff, volunteers, temporary staff, students etc.
Process: Completion of Introduction to Information Governance and The Beginner's Guide to Information Governance via the e-learning modules in ESR.
Monitoring: Monitored by Practice Development / Service Improvement.

Tier 3*
Description: Recommended modules defined by role in the Connecting for Health IG Training Tool, for: Senior Information Risk Owner (SIRO); Caldicott Guardian; Information Governance Manager; Information Asset Administrators; Records Manager; MHA Administrator; Head of Information & Contracting Manager; Directors; Non-executive directors; Admin staff with access to PID/confidential information; Admin staff without access to PID/confidential information; Clinical staff; Students; Volunteers.
Process: These modules are currently only accessible by logging directly onto the Connecting for Health Information Governance Training Tool and registering as a user.
Monitoring: Connecting for Health IGTT generated report.

*Guidance on accessing tier 2 and 3 training is available on the Trust's Information Governance

Appendix 2 Format of Information Asset Register

The Information Asset Register risk assessment records the following columns for each asset:
- Information Systems
- System Management (Local / National or Independent)
- WMHPT's Information Asset Owner (IAO)
- Trust Departmental Management
- Information Asset Administrators (IAA), where appropriate
- Access controls (Ref IGT 305)
- Key Dependencies
- Maintenance History (or who has contractual responsibility to maintain the system)
- Type of data
- Is data processed outside of the UK? Ref IGT 209 (Yes / No)
- Description of Risk
- Consequence (0-5)
- Likelihood (0-5)
- Risk Rating

EQUALITY IMPACT ASSESSMENT FORM (EIAF)

SECTION ONE: SCREENING / PRIORITISING FOR FULL IMPACT ASSESSMENT

Name of the Function/Policy/Procedure: Information Risk Management Policy

If any of these are relevant, tick the box below (for the equality area) and continue with screening. If it does not apply, add x and cease the process.

Which of the 3 parts does it apply to (if any)? 1. Eliminating discrimination; 2. Promoting equal opportunities; 3. Promoting good community relations.

Screening questions:
1 Is there evidence or reason to believe that some groups could be differently affected? Which groups are affected?
2 How much evidence do you have? (0-2 None or little; 3-4 Some; 5-6 Substantial)
3 Is there any public concern that the function or policy is being carried out in a discriminatory way? (0-2 None or little; 3-4 Some; 5-6 Substantial)
4 Priority (add columns 3 & 4)

Equality area | Parts applicable | Q1 Differently affected? | Q2 Evidence | Q3 Public concern | Q4 Priority
RACE | 1, 2 & 3 | No | 0 | 0 | 0
RELIGION/BELIEF | 1, 2 & 3 | No | 0 | 0 | 0
DISABILITY | 1, 2 & 3 | No | 0 | 0 | 0
GENDER | 1, 2 & 3 | No | 0 | 0 | 0
AGE | 1, 2 & 3 | No | 0 | 0 | 0
SEXUAL ORIENTATION | 1, 2 & 3 | No | 0 | 0 | 0
HEALTH INEQUALITIES | 1, 2 & 3 | No | 0 | 0 | 0
HUMAN RIGHTS | 1, 2 & 3 | No | 0 | 0 | 0

5 Section 2: ACTION PLAN
None required