Page 1 of 19 [PROTECT: DRAFT]
Confidentiality Audit Procedure
Document references
Version 1.0
Date April 2014
Author Anna Zollino-Biscotti, Information Governance Officer
Change History
Version Date Description
1.0 Draft
With Thanks to:
Wolverhampton City Council acknowledges the work undertaken by Greenwich Clinical Commissioning Group, on which this document is based.
Contents Page
2.0 Monitoring Confidential Information ........ 3
3.0 Auditing Access to Confidential Information ........ 4
4.0 Audit Method ........ 4
5.0 Frequency ........ 4
1.0 Introduction
With advances in the electronic management of health and social care information, such as the electronic social care record and similar information management systems, the requirement to monitor access to such confidential information has become increasingly important.
With the large number of staff using these systems, it is imperative that access is strictly monitored and controlled. Furthermore, with the increased use of electronic communications, the movement of confidential information via these methods poses the threat of information falling into the hands of individuals who do not have a legitimate right of access to it.
Failure to implement adequate controls to manage and safeguard confidentiality may result in a breach of that confidentiality, therefore contravening the requirements of the following:
Caldicott Principles
Data Protection Act 1998
Human Rights Act 1998
Common Law Duty of Confidentiality
These procedures provide an assurance mechanism by which the effectiveness of the controls implemented within the local authority is audited; areas for improvement and concern are highlighted and recommendations are made for improved control and management of confidentiality within the Community Directorate of Wolverhampton City Council.
2.0 Monitoring Confidential Information
In order to provide assurance that access to confidential information is gained only by those individuals that have a legitimate right of access, it is necessary to ensure appropriate monitoring is undertaken on a regular basis. Monitoring will be carried out by the Information Governance Team in order that irregularities regarding access to confidential information can be identified and reported to the Caldicott Guardian and Information Governance Board and action taken to address the situation, either through the implementation of additional controls, disciplinary action, or other remedial action as necessary. Any breach or suspected breach involving confidentiality, integrity or availability of information (hardcopy or digital) must be reported using the corporate information incident contact point. Please refer to the corporate Information Incident Policy.
3.0 Auditing Access to Confidential Information
The Caldicott Guardian will ensure that audits of security and access arrangements within each area are conducted on a regular basis; as a minimum these should be carried out once a year. Areas to be audited are to include:
Security applied to manual files e.g. storage in locked cabinets / locked rooms
Arrangements for recording access to manual files e.g. access requests by solicitors, police, data subjects etc.
Evidence that checks have been carried out to ensure that the person requesting access has a legitimate right to do so
Retention and disposal arrangements
The location of fax machines and answer phones which receive confidential information – are they designated safe haven faxes?
Confidential information sent or received via email, security applied and email system used
Information removed from the workplace – has authorisation from the appropriate person been gained either for long term or short term removal?
Security arrangements applied i.e. transportation in secure containers
The understanding of staff within the department of their responsibilities with regard to confidentiality and restrictions on access to confidential information
Security applied to laptops, compliance with the local authority’s IT Security Policy.
Verbal conversations in which personal data is exchanged
Passwords being used within the area being audited
4.0 Audit Method
The audit should be carried out through a series of interviews with Heads of Service/Team Managers and staff and can be conducted on a one to one basis or as a focus group. Questionnaires and observations can also be used to assist and supplement the audit. It is important to note that some audits may be undertaken out of normal office hours and may be unannounced; therefore the use of questionnaires may not always be required.
5.0 Frequency
Prior to commencing the audit process it will be necessary to decide how frequently this audit will be carried out. It is recommended that each area is audited at least once a year.
6.0 Pre-Audit Questionnaires
It will assist the audit process for the area being audited to complete a pre-audit questionnaire (Appendix 1), which will enable the auditor to gain an understanding of the function of the department and the processes carried out relating to confidential information. This will allow the auditor to ask informed questions when conducting the audit, and the responses can be referenced in the Audit Checklist (Appendix 2).
The pre-audit questionnaire should include the name of the department or area and a contact name and number, and should be returned to the auditor in advance of the scheduled audit date. The questions asked in the pre-audit questionnaire should assist the auditor in setting the context of the audit and should include:
Roles and responsibilities within the team
The types of information that the team deal with
The data flows in and out of the team
Awareness of general confidentiality issues within the team
Understanding of Data Protection Principles directly relating to jobs/roles within the team
Understanding of the requirements of policies, protocols and procedures relating to confidentiality
Training received within the team.
7.0 Pre-Audit Meeting
The auditor should arrange a brief pre-audit meeting with the Head of Service/Team Manager with the aim of discussing who will be involved in the audit, how long the audit is likely to take, what documentation will be required, what facilities will be required and what feedback will be provided to them. The required documentation should be forwarded to the auditor prior to the audit commencing, along with any relevant local procedures which are in place.
8.0 Audit Checklist
An audit checklist (see appendix 2 for template) should be comprised of specific questions relating to the department/team being audited and will enable the auditor to ensure that all aspects of the audit are covered, to track progress of the audit, and to record and evidence the responses to the questions. The audit checklist should be linked to the pre-audit questionnaire.
9.0 Conducting the Audit
9.1 Completion of Audit Checklist
The audit checklist (Appendix 2) should be completed as part of the interview:
Column A - question/check
This should list the sub-questions relevant to the pre-audit questionnaire and as a minimum should cover the examples outlined in section 3.0.
Column B - documentary evidence
This should be used to record evidence put forward to support the responses to questions asked. Where documents form the evidence provided, the unique reference number of the document(s) should be included for ease of reference.
Column C - findings and observations
This should be used to record the auditor's assessment as to how the evidence demonstrates compliance with the requirement/question and the link with the Data Protection Act 1998, the Caldicott Principles, the Common Law Duty of Confidentiality and similar legislation.
Column D - result
This should be used to record the auditor's grading of the response to each question.
The following RAG rating codes should be used when grading responses:
RED - evidence demonstrates major non-compliance
AMBER - evidence demonstrates minor non-compliance
GREEN - evidence demonstrates full compliance
OBS - no evidence of non-compliance was found, but an observation was made that there was the potential for problems to occur and for improvements to be made.
9.2 Staff Awareness Interviews
Staff awareness interviews give the auditor an opportunity to assess the level of awareness of confidentiality issues. Interviews can be conducted either on a one to one basis or as a focus group, and should last between 15 and 30 minutes.
The interview will be conducted using directed questioning techniques: the auditor opens with a broad question relating to a specific topic, then follows up with further questions which gradually narrow the scope until the member or members of staff give a specific answer to the question posed.
The auditor’s questions and the interviewee(s) responses should be recorded separately and should be linked to the audit checklist.
10.0 Reporting
A formal report should be provided to the area being audited, detailing the outcome of the audit. This can be valuable to the department or area being audited, as it provides information as to their compliance with confidentiality requirements, and should include:
details about functions or processes which comply,
details about functions or processes which do not comply and an improvement programme to ensure that the department or area fulfills all requirements.
10.1 Non-Compliance
Where non-compliance is observed this should be recorded and referenced in the confidentiality audit action plan (see Appendix 3 for template). The action plan should detail the following:
ID/ref - linked to the audit checklist
Description of non-compliance and area of risk
Recommendation/action required (long term and short term as necessary)
Responsible owner
Proposed deadline
Completion date.
Each area of non-compliance observed should have an associated recommendation which should be discussed and agreed with the Head of Service or Team manager. Each recommendation should also include a target date for completion and a named individual who will be responsible for ensuring that the recommendation is implemented. A follow up meeting or completion date should be agreed between the auditor and Head of Service/Manager to ensure that the action is completed and full compliance has been achieved. Recommendations will be tracked and managed by the IG Board. Non-compliance can fall into one of two categories:
RED: this would indicate that the non-compliance has occurred on a regular basis, or is an area where no measures or controls are in place, which could potentially expose the business area to serious risk/consequence
AMBER: these could include one-off occurrences of non-compliance, where there is little risk of the non-compliance causing more than a minor irritation
Where a number of minor instances of non-compliance (AMBER) are observed in the same functional area or department, this may indicate a more serious problem within that area. If this is the case, these instances of non-compliance should be combined into a major non-compliance (RED).
11.0 Audit Report
This should be produced once the audit has been completed, regardless of whether any non-compliance or concerns have been observed. It will include a summary of the findings of the audit, together with observations of non-compliance. Recommendations which have been made should also be included, and the action plan should be provided as supporting documentation. Any follow up required, and the date of follow up, should also be included in the report. The audit report should include an indication of its scope. Please see Appendix 4 for the report template.
12.0 Closing Meeting
This meeting will allow the auditor to present the findings from the audit. The audit summary will be presented along with detailed findings, recommendations for improvement and the timescales within which those improvements should be made. Finally, the Head of Service concerned should be asked to agree with the non-compliance observations made. Any comments expressing disagreement should also be noted on the audit documentation. Where there is disagreement with a recommendation, this should be escalated to the Caldicott or IG Board (as applicable) for a solution.
13.0 Audit Follow Up
Once the audit process is complete, arrangements should be made for follow-up where non-compliance has been observed, as per the action plan which will allow the auditor to confirm that the recommended corrective action has been implemented.
14.0 Audit Closure
Once corrective action has been checked and agreed as compliant by the auditor, the audit can be formally closed.
15.0 Review
A review of this procedure will be undertaken 12 months following implementation and subsequently every 2 years until withdrawn or superseded.
16.0 Non-compliance
Non-compliance with this procedure by staff will be brought to the attention of the Caldicott Guardians and Information Governance Board.
17.0 Implementation and dissemination of document
The Procedure, once approved by the Information Governance Board, will be shared with all staff via email or via the intranet. A team briefing will be provided to support this dissemination.
18.0 Associated documents and related policies
Please refer to Wolverhampton City Council’s Information Governance policies and procedures:
Information Governance Policies and Procedures: http://www.wolverhampton.gov.uk/igov