Information Assets: Security and Risk Management Policy
Choice, Responsiveness, Integration & Shared Care
Worcestershire Mental Health Partnership NHS Trust

Reader Box
Document Type: Corporate Policy
Document Purpose: Best Practice Guidance
Unique identifier: TC0120
Title: Information Assets: Security and Risk Management Policy
Target Audience: All Staff
Description: Information asset risk management is a register and an assessment of the Trust's information systems. These systems are known as Information Assets (IA) because they are valuable to the clinical and business functions of the organisation.
Superseded Documents: None
Ratified by: Quality Committee
Ratification date: 7th February 2011
Implementation date: February 2011
Review period: 1 year
Version update date:
Review date: February 2012
Owner: Director of Resources
Responsible group: Information Governance
Contact Details: Director of Resources, Isaac Maddox House, Shrub Hill Road, Worcester WR4 9RW

The electronic copy of this document is the only version that is maintained. Printed copies may not be relied upon to contain the latest updates and amendments.
Diagram 1: Information Risk Management Structure (diagram not reproduced; elements shown: Trust Board; Quality Committee; Senior Information Risk Owner, reporting through the Information Governance Strategy Group; upholding the Data Protection Act and the NHS Code of Confidentiality through information risk management).

1.0 Introduction
1.1 This policy sets out Worcestershire Mental Health Partnership NHS Trust's (WMHPT) Information Asset Risk Management Policy. Information asset risk management is a register and an assessment of the Trust's information systems. These systems are known as Information Assets (IA) because they are valuable to the clinical and business functions of the organisation.
Page 1 of 7
1.2 Objectives
The objectives of this policy are to:
- Protect patients and staff from information.
- Protect the Trust's corporate records.
- Protect the systems and environments where information is stored.
- Protect the processes by which information is accessed.
- Provide a consistent risk management framework.
- Encourage pro-active rather than re-active information risk management.
- Comply with legislation and the Information Governance Assurance Framework.

1.3 What are Information Assets (IA)?
There are various categories of Information Assets, including:
- Databases: current and archived.
- Paper records: current and archived.
- Software: applications, programs, systems development tools and utilities.
- Physical: infrastructure, equipment, furniture and accommodation used for data processing.
- Services: computing and communications, heating, lighting, power and air-conditioning used for data processing.
- People: qualifications, skills and experience.
- Policies: procedures, guidance and training.
- Intangibles: public confidence in the organisation's compliance with the Data Protection Act and the NHS Code of Confidentiality.

1.4 What is the Information Asset Register?
An Information Asset Register is a single document listing all the Trust's valuable information systems and recording all assessed risks. Appendix 2 illustrates the format of the Information Asset Register.
The SIRO will oversee the Trust's Information Asset Register to ensure it is complete and robust.

2.0 Roles and Responsibilities
2.1 The Role of the Senior Information Risk Owner
The Senior Information Risk Owner (SIRO) is responsible for coordinating the information standards within the Trust through the membership and activities of the Information Governance Group.

2.2 Information Asset Owners (IAO)
It is important that ownership of each Information Asset is linked to a post rather than a named individual. This ensures responsibility for each asset is passed on when IAOs leave or change roles. Information Asset Owners (IAOs) shall ensure information risk assessments are performed at least annually. It is important that each IAO should know:
- what information is held, and the nature of and justification for information flows to and from each asset;
- who has access, and the purpose of that access.
As a result they should be able to understand and address any risks and to ensure assets comply with the Data Protection Act. IAOs will provide reports to the SIRO, at least annually, on the assurance and usage of their asset.
2.3 Information Asset Administrators
Large information systems may nominate key functions to Information Asset Administrators (IAAs) to assist the IAO in the operational management of an asset.

2.4 All staff
All staff have a contractual obligation to ensure confidential and Person Identifiable Data is secure at all times. The framework for this obligation is defined in:
- The Code of Conduct for Employees in Respect of Confidentiality
- The NHS Code of Practice on Confidentiality 2003
- The Data Protection Act 1998
- The Caldicott Guardian principles
- Trust Information Governance Policies

3.0 Training
Training and awareness are the primary influence in ensuring information is appropriately managed and information breaches do not happen. Training should take a tiered approach, appropriate to organisational needs and to individuals' roles and responsibilities. Appendix 1 illustrates the Trust's Information Governance training needs assessment and states the minimum requirement.

4.0 Incident Reporting
All incidents of confidential and/or Person Identifiable Data breaches must be recorded on the Trust's reporting system as per the Trust's Risk Management Policy.
(Incident assessment headings shown on the original page: Security Breach Impact on Reputation; Security Breach Impact on Individual.)
5.0 Monitoring
This policy will be monitored by the Information Governance Strategy Group against the Information Governance Toolkit requirements and by:
- receiving reports from IAOs;
- reviewing Information Governance related incident reports;
- reviewing the Information Asset Register.

6.0 Further Guidance
Further guidance on the arrangements for Information Asset Risk Management can be accessed via Connecting for Health's Information Governance web page:
https://nww.igt.connectingforhealth.nhs.uk/requirementslist.aspx?tk=405206128220035&lnv=4&cb=14%3a42%3a39&sViewOrgType=5&sDesc=Mental%20Health%20Trust
Appendix 1: Information Risk Management Training Needs Assessment
(Columns in the original table: Description; Process; Monitoring.)

Tier 1
Description: All staff must receive basic Information Governance training at Trust induction and workplace induction.
Process: Mandatory attendance at Trust Induction; workplace induction.
Monitoring: Monitored by Practice Development / Service Improvement.

Tier 2*
Description: In line with the NHS Operating Framework 2010/2011, 95% of the Trust's workforce (including all permanent staff and staff on temporary contracts of more than 3 months) must have completed the Introduction to Information Governance and The Beginners' Guide to Information Governance training using the NHS Information Governance Training Tool (NHS IGTT) by 31st March 2010. This mandatory requirement has been embedded in the Trust's training matrix. These modules are accessible via the e-learning application in ESR. This applies to employed staff, contracted staff, volunteers, temporary staff, students etc.
Process: Completion of Introduction to Information Governance and The Beginners' Guide to Information Governance via the e-learning modules in ESR.
Monitoring: Monitored by Practice Development / Service Improvement.

Tier 3*
Description: Recommended modules defined by role in the Connecting for Health IG Training Tool. Roles covered:
- Senior Information Risk Owner (SIRO)
- Caldicott Guardian
- Information Governance Manager
- Information Asset Administrators
- Records Manager
- MHA Administrator
- Head of Information & Contracting Manager
- Directors
- Non-executive directors
- Admin staff with access to PID/confidential information
- Admin staff without access to PID/confidential information
- Clinical staff
- Students
- Volunteers
Process: These modules are currently only accessible by logging directly onto the Connecting for Health Information Governance Training Tool and registering as a user.
Monitoring: Connecting for Health IGTT generated report.
*Guidance on accessing Tier 2 and 3 training is available on the Trust's Information Governance

Appendix 2: Format of Information Asset Register
(Columns of the Information Asset Register risk assessment, as laid out in the original table.)
- Information Systems
- System Management (Local / National or Independent)
- WMHPT's Information Asset Owner
- Trust Departmental Management
- Information Asset Administrators (IAA), where appropriate
- Access controls (Ref IGT 305)
- Key Dependencies
- Maintenance History (or who has contractual responsibility to maintain the system)
- Type of data
- Is data processed outside of the UK? Ref IGT 209 (Yes / No)
- Description of Risk
- Consequence (0-5)
- Likelihood (0-5)
- Risk Rating
EQUALITY IMPACT ASSESSMENT FORM (EIAF)
SECTION ONE: SCREENING / PRIORITISING FOR FULL IMPACT ASSESSMENT
Name of the Function/Policy/Procedure: Information Asset Risk Management Policy

If any of these are relevant, tick the box below (for the equality area) and continue with screening. If it does not apply, add x and cease the process.
Which of the 3 parts does it apply to (if any): 1. Eliminating discrimination; 2. Promoting equal opportunities; 3. Promoting good community relations.

Screening columns:
1. Is there evidence or reason to believe that some groups could be differently affected? Which groups are affected?
2. How much evidence do you have? (0-2 None or little; 3-4 Some; 5-6 Substantial)
3. Is there any public concern that the function or policy is being carried out in a discriminatory way? (0-2 None or little; 3-4 Some; 5-6 Substantial)
4. Priority (add columns 3 & 4)
5. Section 2: Action Plan

Results (equality area: parts applied; column 1; column 2; column 3; column 4):
- Race: 1, 2 & 3; No; 0; 0; 0
- Religion/Belief: 1, 2 & 3; No; 0; 0; 0
- Disability: 1, 2 & 3; No; 0; 0; 0
- Gender: 1, 2 & 3; No; 0; 0; 0
- Age: 1, 2 & 3; No; 0; 0; 0
- Sexual Orientation: 1, 2 & 3; No; 0; 0; 0
- Health Inequalities: 1, 2 & 3; No; 0; 0; 0
- Human Rights: 1, 2 & 3; No; 0; 0; 0

Section 2: ACTION PLAN: None required.