Author Darren Rigg Head of Information Governance Corporate Lead Bryan Machin Executive Director of Finance and Resources Document Version 1 Date ratified by Quality Committee 24 th October 2014 Date issued 31 st October 2014 Review date October 2017 Policy Number PL317
Executive summary Information Governance ensures that information and in particular, confidential, sensitive or identifiable information is dealt with legally, securely, efficiently and effectively thus protecting the Trust its employees and most importantly its patients. The following document sets out the Trusts accountability and responsibility structure, the aims and purpose of Information Governance and outlines the importance of ensuring compliance. The document intends to provide and guidance for staff to follow and compliments existing Trust policies and procedures. Equality Analysis Leeds Community Healthcare NHS Trust's vision is to provide the best possible care to every community. In support of the vision, with due regard to the Equality Act 2010 General Duty aims, Equality Analysis has been undertaken on this policy and any outcomes have been considered in the development of this policy. Page 2 of 10
Contents Section Page 1 Introduction 4 2 Aims and Objectives 4 3 Definitions 4 4 Responsibilities 5 5 Principles 5 6 Risk Assessments 7 7 Training Needs 7 8 Monitoring Compliance and Effectiveness 7 9 Approval and Ratification process 7 10 Dissemination and implementation 7 11 Review arrangements 8 12 Associated documents 8 Policy Consultation Process 9 Page 3 of 10
1 Introduction This document focuses on the data handling elements of Information Governance (IG). It also incorporates policy statements and the Trusts strategic direction regarding information governance compliance. Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. IG is a framework that brings together all of the requirements, standards and best practice that apply to the handling of personal information. It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures, management accountability and structures are in place to provide a robust governance framework for information management. This policy gives assurance to Leeds Community Healthcare NHS Trust (LCH) and individuals that personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible care. Compliance with this policy will be managed through the IG Strategy to ensure the requirements of Connecting for Health s IG Toolkit are met. 2 Aims and Objectives This policy covers: all aspects of information within the organisation, including (not limited to): Patient information Personnel information Organisational information all aspects of handling information, including (but not limited to): Structured record systems - paper and electronic. Transmission of information fax, e-mail, post, telephone and by removable media. all information systems purchased, developed and managed by/or on behalf of, the organisation and any individual directly employed or otherwise by the organisation. 3 Definitions Confidentiality Sometimes referred to as the duty of confidence exists in English Common Law to protect information that has been given on the understanding that it will be kept confidential. If confidential information is disclosed unlawfully, to another person who does not have a right to know, it could constitute a breach of confidence which is actionable in law if it can been shown that some detriment has occurred. Record - A "record" is information created, received, and maintained as evidence by an organization or person in the transaction of business, or in the pursuance of legal obligations, "regardless of media". Movable media any information held in digital form outside of the network drives. Safe Haven - A Safe Haven is a term used to explain either a secure physical location or the agreed set of administration arrangements that are in place within the Trust to ensure confidential patient or staff information is communicated safely and securely. Page 4 of 10
Personal Information - Personal information is information which can identify a person in which the person is the focus of the information and which links that individual to details which would be regarded as private e.g. name and private address, name and home telephone number etc. Sensitive personal information -Sensitive personal information is where the personal information contains details of that person s: Health or physical condition Sexual life Ethnic origin Religious beliefs Political views Criminal convictions For this type of information even more stringent measures should be employed to ensure that the data remains secure. Movable Media- sometimes called removable media is defined as all electronic information that is not held on the Trust network drives. This includes information held on USB memory sticks, CDs, DVDs, desktops, local hard drives, floppy disks, diagnostic equipment. 4 Responsibilities The IG Group is responsible for overseeing day to day IG issues; developing and maintaining policies, standards, procedures and guidance, coordinating and raising awareness of IG in LCH. Managers within LCH are responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance. All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis. Some NHS records are public records under the terms of the Public Records Act 1958 and are legal documents. The Chief Executive and senior managers are personally accountable for the records in their care and the quality of records management within their organisation. 5 Principles LCH believes that accurate, timely and relevant information is essential to deliver the highest quality health care. LCH fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information. LCH also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest. There are 4 key interlinked strands to the information governance policy: Page 5 of 10
Openness and Transparency Legal compliance Information security Quality assurance Information Governance Policy Openness and Transparency The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. Information will be defined and where appropriate kept confidential, underpinning the principles of Caldicott and the regulations outlined in the Data Protection Act. Nonconfidential information on the Trust and its services will be available to the public through a variety of means, in line with the Freedom of Information Act 2000. LCH will undertake annual assessments and audits (through the IG Toolkit) of its policies and arrangements for openness. Patients will have ready access to information relating to their own health care under the Data Protection Act 1998 using the Trust s Subject Access Request procedure. LCH will have clear procedures and arrangements for handling queries from patients and the public. LCH will have clear procedures and arrangements for liaison with the press and broadcasting media. Legal Compliance LCH regards all identifiable personal information relating to patients as confidential. Compliance with legal and regulatory requirements will be achieved, monitored and maintained. LCH regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise. LCH will establish and maintain policies to ensure compliance with the Data Protection Act, Human Rights Act, Freedom of Information Act and the common law duty of confidentiality. IG training including awareness and understanding of Caldicott principles and confidentiality, information security and data protection will be mandatory training for all staff. Information Governance will be included in induction training for all new staff. The necessity and frequency of any further training will be appraisal based. LCH will undertake annual assessments and audits of its compliance with legal requirements. LCH has established and maintains a Pan Leeds Information Sharing Protocol to inform the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Data Protection Act, Crime and Disorder Act, Children Act). Information Security LCH will establish and maintain policies for the effective and secure management of its information assets and resources. This includes staff not leaving PC s unlocked when unattended and all PC s will have an automatic lock applied of a maximum period of five minutes. LCH will undertake annual assessments and audits of its information and IT security arrangements. Page 6 of 10
LCH will promote effective confidentiality and security practice to its staff through policies, procedures and training. LCH will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. LCH will appoint a Senior Information Risk Officer (SIRO) and assign responsibility to Information Asset Owners to manage information risk. A SIRO report will be issued to the Audit Committee as part of the IG Report. LCH will use pseudonymisation and anonymisation of personal data where appropriate to further restrict access to confidential information. Pseudonymisation will be the responsibility of the Senior Information Risk Officer. Information Quality Assurance LCH will establish and maintain policies and procedures for information quality assurance and the effective management of records. LCH will undertake annual assessments and audits of its information quality and records management arrangements. Managers are expected to take ownership of, and seek to improve, the quality of information within their services. Wherever possible, information quality should be assured at the point of collection. Data standards will be set through clear and consistent definition of data items, in accordance with national standards. LCH will promote information quality and effective records management through policies, procedures/user manuals and training. 6 Risk Assessments Risk assessments are completed as relevant and incidents reported via the Datix system. These documents are available on Elsie in the risk management section. 7 Training Needs IG is part of mandatory training for all staff - refer to the Statutory and Mandatory Training Policy (including Training Needs analysis). 8 Monitoring Compliance and Effectiveness An assessment of compliance with requirements, within the Information Governance Toolkit (IGT), will be undertaken each year. The Information Governance Group will ensure implementation of the Information Governance Action Plan and monitor performance. It is assumed that Internal Audit will review this and associated procedures. 9 Approval and Ratification process The policy has been approved by the Clinical and Corporate Policies Group and ratified by the Quality Committee on behalf of the Board. 10 Dissemination and Implementation Dissemination of this policy will be via the Clinical and Corporate Policy Group to services and made available to staff via the intranet. Page 7 of 10
Implementation will require: Operational Directors/ Heads of Service/General Managers to ensure staff have access to this policy and understand their responsibilities for implementing it into practice The IG Team will provide appropriate support and advice to staff on the implementation of this policy 11 Review arrangements LCH will monitor this policy every 3 years and the related strategies, policies and guidance through the IG Toolkit. This work will be co-ordinated by the IG Committee. 12 Associated documents Policies Internet Policy Disciplinary Policy Records Management Policy including Health Record Keeping Standards Network Security Policy Legislation and Codes of Practice The Data Protection Act 1998 NHS Confidentiality Code of Practice 2003 Human Rights Act 1998 Freedom of Information Act 2000 Caldicott Report 1997 Computer Misuse Act 1990 Public Records Act 1958 Records Management NHS Code of Practice 2006 Common Law Duty of Confidence NHS Information Security Management Code of Practice 2007 ISO/IEC 27001:2005 Specification for an Information Security Management system ISO/IEC27002:2005 Code of Practice for Information Security Management Care Quality Commission Standards Page 8 of 10
Policy Consultation Process Title of Document Author New / Revised Document Lists of persons involved in developing the policy List of persons involved in the consultation process Information Governance Policy Darren Rigg Revised Head of Information Governance Richard Slough Head of Informatics Susan Fielding Improvement and Development Manager Shelagh Davenport Clinical Effectiveness Facilitator Linda Dobrzanska Research and Responsible Officer Manager Janine Mellows Information Governance Officer Helen Rowland Patient Experience Lead Karen Haw Team Manager Healthy Living Campbell McNeill EPR Development Manager Ian Jones IT Helpdesk Manager David Lane Patient Services Manager Bryan Machin Interim Chief Executive Amanda Thomas Executive Medical Director Martin Harris IT Manager Sam Prince Executive Director of Operations Nick Wood Children s Services General Manager Andrea North Specialist Services General Manager Megan Rowlands Adult Services General Manager Gill Armstrong, Clinical Effectiveness Lead Page 9 of 10
Jo-anne Beresford, Wound Prevention & Management Service Nurse Specialist John Glynn Health & Safety Officer Catherine Scott Service Improvement Project Manager Kath Duggleby Administrator QPD Page 10 of 10