Document Information

Board Library Reference: IM&T_01
Document Type: Policy
Document Subject: Information
Original Document Author: Information
Reviewed By: IGMG
Review Cycle: 3 Years

Note: This document is electronically controlled. The master copy is maintained by the author department within the document library on OurSpace. Once printed, this document becomes uncontrolled.

Version Tracking

Version | Date | Revision Description | Editor | Approval Status
1.00 | 21/12/2004 | Version 1 | Information | Approved
1.01 | 12/06/2009 | Administrative review | Information | Approved
1.02 | 10/08/2009 | Legal Framework updated | Information | Draft
1.03 | 03/11/2009 | Standardisation of Archiving of Master Documents | Information | Draft
2.00 | 01/12/2009 | Approved by Quality and Healthcare Committee | Company Secretary | Approved
2.01 | 30/09/2010 | Review for compliance with Information Management Framework | Information | Draft
2.02 | 22/12/2010 | Incorporate comments from Executive Management Team | Information | Draft
3.00 | 22/12/2010 | Approved by Executive Management Team | Information | Approved

Table of Contents

1. Introduction
2. Purpose
3. Scope
4. Roles and Responsibilities
4.1. The Chief Executive
4.2. The Senior Information Risk Owner
4.3. The Caldicott Guardian
4.4. The Information
4.5. The Data Protection Officer
4.6. The Freedom of Information Lead
4.7. The Information Security Specialist
4.8. Line Managers
4.9. All staff
4.10. Management Arrangements
4.11. Information Governance Management Group (IGMG)
5. Policy Statement
6. Implementation
7. Standards
8. Monitoring and Audit
9. Archiving of Master Documents
10. References

http://ourspace/trust/policies/ 3.00 Approved 22/12/2010 2 of 11

1. Introduction

1.1. Avon and Wiltshire Mental Health Partnership NHS Trust (AWP) is bound by the provisions of a considerable number of items of legislation and regulation affecting the stewardship of data and information.
1.2. Information Governance (IG) ensures the Trust's compliance with applicable legislation, the regulatory framework, Common Law, and mandated Best Practice. In short, IG exists to ensure the Integrity, Availability and Confidentiality of the Trust's operational, patient, staff and management information.
1.3. The AWP Overarching Information Policy defines the Trust's mandated base-line strategy for compliance and effective management in each of the following six areas of Information.
1.3.1. Confidentiality & Data Protection Assurance
1.3.2. Information Management Assurance
1.3.3. Clinical Information Assurance
1.3.4. Information Security Assurance
1.3.5. Secondary Use Assurance
1.3.6. Corporate Information Assurance
1.4. The overarching and other information governance policies constitute the top level documentation of the Trust's Information Governance Management System (IGMS).
1.5. Compliance with all Policies, Procedures and Guidelines contained in the IGMS is mandatory for all persons and organisations operating under the auspices of, or delivering a service to, the Trust, whether they are staff, students, volunteers, contractors or partner organisations.
1.6. Staff should be aware that IGMS Policies are intended to protect the Trust and staff from adverse outcomes in terms of compliance with the law. Where IGMS policies are breached by staff it may be necessary for managers to consider retraining staff, or following the Trust's Disciplinary Procedures. Staff should also note that legal penalties could be imposed upon the Trust or its employees for non-compliance with relevant legislation and NHS guidance, and in serious cases individuals may not be immune from prosecution or civil legal action by virtue of their employment within the Trust.

2. Purpose

2.1. To set out the Trust's policy for compliance with specified and applicable national standards of Information, and,
2.2. To formally document the key principles which shall be enacted through associated detailed procedures.

3. Scope

3.1. This is a Trust-wide Policy and applies to all Information and Communication Technology (ICT) systems and the data held, processed or transmitted by them, including staff, service user, management, audit and all other types of information used by the Trust.
3.2. This is a Trust-wide Policy and applies to all staff and personnel operating under the auspices of the Trust, including employees, locums, contractors, temporary staff, students, service user representatives, volunteers and partner agency staff.
3.3. Where a third party has an organisational policy that differs from this Policy, a formal agreement as to which policy statement applies shall be outlined and agreed in an appropriate protocol if necessary. In the absence of such an agreement, this Policy shall be deemed to have precedence.

4. Roles and Responsibilities

4.1. The Chief Executive
4.1.1. The Chief Executive is responsible for the Trust's compliance with applicable legislation and regulation.

4.2. The Senior Information Risk Owner
4.2.1. The Executive Director of Finance and Commerce and Deputy Chief Executive shall be the Trust SIRO and shall represent any relevant information risk issues to the Board.
4.2.2. The SIRO shall receive specialist information governance advice from the Company Secretary and the Information Manager.
4.2.3. The Board shall receive an annual Information report sponsored by the SIRO.
4.2.4. Fosters a culture for protecting and using data.
4.2.5. Provides a focal point for managing information risks and incidents.
4.2.6. The SIRO works closely with the Caldicott Guardian to jointly deliver their respective roles.
4.2.7. Is concerned with the management of all information assets.

4.3. The Caldicott Guardian
4.3.1. The Caldicott Guardian has the key role in ensuring that the Trust can satisfy the highest practical standards for handling patient-identifiable information and acts as the conscience of the organisation.
4.3.2. The Caldicott Guardian has the strategic role in representing and championing Information requirements and issues in the Board and Executive Management Team.
4.3.3. The Caldicott Guardian role is advisory and accountable for that advice.
4.3.4. The Caldicott Guardian role provides a focal point for patient confidentiality and information sharing issues.
4.3.5. The Caldicott Guardian role is concerned with the management of patient/service user information.
4.3.6. The Board will receive an annual report from the Caldicott Guardian in relation to the delivery of the role.
4.3.7. The Caldicott Guardian works closely with the SIRO to jointly deliver their respective roles.

4.4. The Deputy Caldicott Guardian
4.4.1. Through delegation, supports the Caldicott Guardian in the delivery of their roles, including reporting and assurance of delivery in practice.
4.4.2. Leads the delivery of the Caldicott Guardian advisory role.
4.4.3. Acts as lead senior manager in relation to the Caldicott Guardian functions, ensuring that they are planned, delivered and reported through the Mental Health Legislation and Safeguarding Management Group.

4.5. The Information
4.5.1. Is responsible for the management of the Information Governance Toolkit Action Plan and shall provide specialist advice to the organisation and staff regarding information governance incidents.

4.6. The Data Protection Officer
4.6.1. Shall ensure that the Trust's Data Protection Notification is accurate and up to date on an annual basis and provide specialist data protection advice to the organisation and staff where necessary.

4.7. The Freedom of Information Lead
4.7.1. Shall ensure that the Trust's Freedom of Information Publication Scheme is accurate and up to date.
4.7.2. Shall ensure that all requests for information are processed in accordance with the Freedom of Information Act and Trust policy and procedures.

4.8. The Information Security Specialist
4.8.1. Shall manage the Trust's technical safeguards against the risks of loss, corruption, misuse or unauthorised disclosure of data and protect the systems and infrastructure used to store, process and transmit this information whilst monitoring and improving their usage and effectiveness. re and processes.

4.9. Line Managers
4.9.1. Line Managers are responsible for ensuring compliance with this policy through appropriate managerial arrangements including supervision, training, performance management and the use of disciplinary procedures where necessary.
4.9.2. It is the responsibility of Line Managers to enable their staff to attend suitable information governance training.

4.10. All staff
4.10.1. All users of AWP ICT systems are responsible for ensuring that their use of these systems is conducted in compliance with this policy and have a duty to report any instances of non-compliance they witness to their managers.

4.11. Management Arrangements
4.11.1. The Head of Information Systems and Technology shall be the Trust lead for the provision of Information advice and is supported by the Information who is the Data Protection Officer in the provision of expert advice and guidance on standards and compliance for Information.
4.11.2. The Medical Director and Executive Director of Strategy and Business Development is the nominated Trust Data Quality Lead, and is supported in this role by the Deputy Director of Strategy, Performance and Business Development.
4.11.3. Executive Directors and Strategic Business Unit Directors are responsible for the implementation of the standards of Information specified in the IGMS.

4.12. Information Governance Management Group
4.12.1. The Trust shall establish an Information Governance Management Group (IGMG) which shall:
4.12.1.1. provide the Senior Information Risk Owner (SIRO) with advice and guidance on information policy and risk management,
4.12.1.2. ensure the Trust's Information Governance Management System, including its processes, procedures, protocols, training and awareness programmes, is in compliance with applicable Standards, Legislation, Department of Health NHS Directives, and Connecting for Health Guidelines and Policies,
4.12.1.3. monitor the implementation of the Trust's Information Governance Management System (IGMS) and associated Information Action Plans,
4.12.1.4. monitor the Trust's achievement of compliance with the Information Governance Toolkit and associated Key Lines of Enquiry for Care Quality Commission.
4.12.1.5. The IGMG reports to Performance EMT and to the Quality & Healthcare Committee for the purposes of reporting and approving Trust documents and policies.

4.13. Mental Health Legislation & Safeguarding Management Group
4.13.1. The Trust shall establish a Mental Health Legislation and Safeguarding Management Group which shall:
4.13.1.1. provide the Caldicott Guardian with advice and guidance on policy and management of patient/service user information,
4.13.1.2. ensure the Trust's Caldicott Guardian and information systems, including processes, procedures, protocols, training and awareness programmes, are in compliance with applicable Standards, Legislation, Department of Health NHS Directives in the management of patient/service user information,
4.13.1.3. monitor the delivery of the Caldicott Guardian advisory function and Caldicott Guardian Action Plans,
4.13.1.4. monitor the Trust's achievement of compliance with the relevant sections of the Information Governance Toolkit and the relevant Care Quality Commission Quality Essential Standards of Quality and Safety,
4.13.1.5. reports to Performance EMT and to the Quality & Healthcare Committee for the purposes of reporting and approving relevant Trust documents and policies.

5. Policy Statement

5.1. The Trust shall implement Information systems, measures and provisions to ensure the integrity of information and systems in compliance with the national standards defined in the Connecting for Health Information Governance Toolkit.
5.2. The Trust shall aim to demonstrate compliance with key Information standards through achievement of at least level 2 performance and shall provide an action plan to progress beyond this minimum where this has been achieved.
5.3. This shall include a suite of policies, procedures, protocols and management responsibilities which constitute the Trust's Information Governance Management System (IGMS).
5.4. The key Information Policies forming the procedural element of the IGMS are:
5.4.1. Data Protection Policy
5.4.2. Freedom of Information Policy
5.4.3. Information Security Policy
5.4.4. Records Management Policy
5.4.5. Health and Social Care Records Policy
5.4.6. Information Sharing Agreements
5.4.7. Acceptable Use Policy

6. Implementation

6.1. A policy alert will be issued using the Trust's standard policy alert system.
6.2. Implementation of the policy in practice will be conducted by managers with responsibility for ensuring compliance.
6.3. Compliance with this policy will be monitored and assessed as described in section 7.
6.4. The Policy will be made available on the Trust Intranet.

7. Standards

7.1. This policy will be assessed against the Information Governance Toolkit standards.

8. Monitoring and Audit

8.1. The Information Security Specialist is responsible for monitoring that the requirements of this policy have been met.
8.2. Compliance with this policy will be monitored and measured by:
8.3. An annual assurance report to the Information Governance Management Group.
8.4. The Trust's arrangements for auditing records will be evaluated annually against various external standards to include the annual Information Governance Toolkit, Care Quality Commission and National Health Service Litigation Authority (NHSLA) Risk Management Standards.
8.5. The annual assurance report will specifically provide information, critique and evaluate:
8.5.1. compliance with the IGMS
8.6. Any issues arising from auditing this policy will be added to the directorate risk register and lead to the creation of an action plan, the implementation of which will be monitored by the Information Governance Management Group.
8.7. Any issues arising from the audit and monitoring that will aid and inform wider learning will be communicated via the Trust's programme of thematic reviews and Head of Professions.

9. Archiving of Master Documents

9.1. This policy document forms part of a formal Trust record, and is to be managed in accordance with the Trust's records management policies and retention and disposal schedules. Users must familiarise themselves with the national standards defined by the Department of Health in the Records Management: NHS Code of Practice. The Code can be read online by clicking on this link which opens the Department of Health website in a web browser window (use ctrl + left-click).
9.2. The Board Policy Document Library on OurSpace is the only recognised repository for master versions of policy documents. Copies of this document must therefore not be stored elsewhere on the system, e.g. in workgroups.
9.3. The OurSpace document library system shall provide records management functionality to allow for the retrieval of previous versions of policy documents for audit purposes.

10. References

10.1. Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998)
10.2. Computer Misuse Act 1990
10.3. Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992)
10.4. Crime & Disorder Act 1998
10.5. Criminal Justice & Court Services Act 2000 (where Multi Agency Public Protection Panels & Information exchange is set out)
10.6. Data Protection Act 1998
10.7. Electronic Communications Act 2000
10.8. Freedom of Information Act 2000
10.9. Lawful Business Practice Regulations 2000
10.10. Regulation of Investigatory Powers Act 2000
The Directive on Privacy and Electronic Communications (2002/58/EC)
10.11. A full list of legislation can be reviewed within the NHS Information Guidance on Legal and Professional Obligations at the following link: http://www.dh.gov.uk/en/publicationsandstatistics/publications/publicationsPolicyAndGuidance/DH_079616
10.12. Additionally, the NHS has mandated a number of relevant regulations including:
10.13. BS10012:2009 Data Protection: Specification for a Personal Information Management System
10.14. Confidentiality: NHS Code of Practice
10.15. Connecting for Health's Information Governance Toolkit
10.16. Data Quality Assurance to include NHS Data Dictionary, Hospital Episode Statistics (HES) and Mental Health Minimum Data Set (MHMDS)
10.17. Information Security Management: NHS Code of Practice
10.18. NHS Records Management: Code of Practice
10.19. The Caldicott Report 1998
10.20. The Caldicott Guardian Manual 2010
10.21. The Care Record Guarantee
10.22. The International Standards Organisation Standard for Information Security Management,