Information governance policy
Version history (fragment): 4b 25/11/11 Head of Information & Performance Draft Revised to take account of comments from the IGSG 4c 14/05/12 Head of Information & Performance
Ref No: 130
INFORMATION GOVERNANCE POLICY
SECTION 1 PROCEDURAL INFORMATION
Version: 7
Ratified by: Trust Document Ratification Group
Date ratified: 31 July 2020
Title of originator / author: IG Assurance & Security Manager
Title of responsible committee / individual: Information Governance Committee (IGC) and Trust Management Committee (TMC)
Date issued: August 2020
Review date: 31 July 2023
Target audience: Trust Wide
INFORMATION GOVERNANCE POLICY, Version 7. Please check the Intranet to ensure you have the latest version. Page 4 of 40
1. INTRODUCTION
Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.
It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability provide a robust governance framework for information management.
Information Governance is an overarching framework which currently includes the following initiatives or work areas.
Data Protection Act 2018
Freedom of Information Act 2000
UK Re-use of Public Sector Information Regulations 2005
Human Rights Act 1998
The Confidentiality Code of Practice
Information Security Management - BS7799-3
Records Management: NHS Code of Practice for Health and Social Care 2016
Information Quality Assurance Programme
Caldicott 3 (Review of data security, consent and opt-outs)
General Data Protection Regulation (GDPR 2016/679, introduced 25 May 2018)
Information Governance has four fundamental aims:
To support the provision of high quality care by promoting the effective and appropriate use of information.
To encourage responsible staff to work closely together, preventing duplication of effort and enabling more efficient use of resources.
To develop support arrangements and provide staff with appropriate tools and support to enable them to discharge their responsibilities to consistently high standards.
To enable organisations to understand their own performance and manage improvement in a systematic and effective way.
The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.
The Trust supports the principles of corporate governance and understands its public accountability. It places equal importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and/or staff and commercially sensitive information.
The Trust also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
The Trust believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to ensure and promote the quality of information and to actively use information in decision-making processes.
This policy covers all aspects of information within the organisation, including (but not limited to):
Patient/Client/Service User information
Staff related information
Organisational information
2. PURPOSE & SCOPE
2.1 Purpose
This policy covers all aspects of handling information, including (but not limited to):
Structured record systems (paper & electronic)
Transmission of information (electronic communication including video/written conferencing, email, post & telephone)
The policy covers all information systems purchased, developed and managed by the organisation and any individual (directly employed or otherwise by the organisation) accessing information ‘owned’ by the organisation.
There are four key interlinked strands to the information governance policy:
2.1.1 Openness
Non-confidential information on the Trust and its services shall be available to the public through a variety of media, in line with the Trust’s Freedom of Information (FOI) policy.
The Trust will establish and maintain policies to ensure compliance with the Freedom of Information Act.
Patients shall have ready access to information relating to their own health care, their options for treatment and their rights as patients.
The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media.
The Trust will have clear procedures and arrangements for handling queries from patients and the public.
2.1.2 Legal Compliance
The Trust regards all identifiable personal information relating to patients as confidential.
The Trust regards all identifiable personal information relating to staff as confidential, except where national policy on accountability and openness requires otherwise.
The Trust will establish and maintain policies to ensure compliance with the Data Protection Act/GDPR, Human Rights Act and the Common Law Duty of Confidentiality.
The Trust will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).
The Trust will undertake or commission a rolling programme of assessments and audits of its compliance with legal requirements.
2.1.3 Information Security
The Trust will establish and maintain policies for the effective and secure management of its information assets and resources.
The Trust will undertake or commission a rolling programme of assessments and audits of its information and IT security arrangements.
The Trust will promote effective confidentiality and security practice to its staff through policies, procedures and training.
The Trust has established and maintains incident reporting procedures in line with the Incident and Serious Incident Management policy and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.
2.1.4 Information Quality Assurance
The Trust will establish and maintain policies and procedures for information quality assurance and the effective management of records.
The Trust will undertake or commission a rolling programme of assessments of its information quality and records management arrangements.
Managers are expected to take ownership of, and seek to improve, the quality of information within their services.
Wherever possible, information quality should be assured at the point of collection.
Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
The Trust will promote information quality and effective records management through policies, procedures/user manuals and training and annual Caldicott audits.
2.2 Scope
The policy covers the management of Information Governance (IG) processes and activities across Acute and Community Services.
3. ROLES & RESPONSIBILITIES
Chief Executive
Has overall responsibility for the maintenance and implementation of the policy.
Caldicott Guardian (CG)
The Executive Medical Director is the appointed Caldicott Guardian and has lead responsibility for strategy and governance issues (relating to patient information), confidentiality and data protection expertise, internal information processing and information sharing with external bodies.
Information Governance Committee
Has delegated responsibility for the maintenance and implementation of this policy and the Information Governance agenda.
Senior Information Risk Owner (SIRO)
Has lead responsibility to ensure organisational information risk is properly identified and managed and that appropriate assurance mechanisms exist. This entails:
Leading and fostering a culture that values, protects and uses information for the success of the organisation and the benefit of its customers.
Owning the organisation’s overall information risk policy and risk assessment processes (co-owned with the Chief Nurse) and ensuring they are implemented consistently by Information Asset Owners.
Advising the Chief Executive or relevant accounting officer on the information risk aspects of the statement on internal controls.
Owning the organisation’s information incident management framework.
Is the lead officer for the Trust on the development and maintenance of IG related policies and is the central IG resource for the Trust. Supports the DPO in all related IG matters.
Data Protection Officer (DPO)
The DPO monitors internal compliance, informs and advises on data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs) and acts as a contact point for data subjects and the supervisory authority.
Caldicott Co-ordinator
Supports the Caldicott Guardian, the DPO and the IG Manager in Caldicott related matters.
General Managers, Heads of Departments (HODs), the Directorate Triumvirates and Line Managers
Are responsible for the implementation of the policy within their business or clinical area, and for adherence to it by their staff. This includes performing a local induction including IG awareness, ensuring staff complete the IG Training Tool annually (as required by the Trust), and including in job descriptions any appropriate IG responsibilities (namely confidentiality and data quality). Local procedures will be developed which will document specific processes for managing IG activities (e.g. data quality, records management and information security). These will detail procedures for staff at a local level to ensure all IG activities are clearly documented and monitored. HODs will also be responsible for providing appropriate information for the assessment/completion of the Data Security and Protection Toolkit (DSPT).
Information Asset Owner (IAO)
An IAO will be identified by the IGM in conjunction with the senior member of staff within the relevant area. They will take the lead on managing the asset, managing risk and controlling access. They will also be responsible for providing appropriate information to the IGM when new systems are proposed and for assisting in the completion of a review of appropriate IG standards. Further details on the IAO role can be found at:
http://systems.hscic.gov.uk/infogov
Departments undertaking activity outside the main Trust sites must ensure processes are monitored to ensure compliance with the policy. This must include the movement and storage of paper records and the compliance of electronic systems.
The IAO will document, understand and monitor:
What information assets are held, and for what purposes
How information is created, amended or added to over time
Who has access to the information and why
Director of Health Informatics
Is principal advisor on all Health Informatics matters to the Chief Operating Officer and Trust Board, and accountable for the delivery of a high quality health informatics service. Provides assurance that all directly employed, agency and contracted staff working in the Health Informatics service adhere to this policy. Is responsible for a number of DSPT standards relating to system data access and security. Will ensure that a Privacy Impact Assessment is performed against all new data systems provided through the Health Informatics service, either as an IT system or through the provision of project management. Has a responsibility as IAO for the Health Informatics Service. Will provide IG assurance on information data flows.
Head of Governance
Has a responsibility as a member of the IG Committee, is a DSPT Assertion owner and is the IAO for the Corporate Affairs directorate. Will provide IG assurance on corporate data flows. Has a responsibility to maintain and update the Publication Scheme on the TRFT website.
Associate Director of Information Services
Is responsible for a number of DSPT Assertions relating to data quality, business intelligence and secondary use assurance.
Data Quality Lead/Clinical Coding Manager
Is responsible for data quality and for ensuring that the confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate. Will ensure clinical coding meets CCS standards through use of audit.
Patient Access Manager
Is responsible for a number of DSPT Assertions relating to clinical records, patient contact and clinical record access (SARs). Ensures that procedures are in place for monitoring the availability of paper health/care records and tracing missing records.
All Staff
Are responsible for adhering to this policy and related Trust policies (see Paragraph 7). All staff will also complete IG Training annually as per requirements, which will be communicated via IG Communication.
4. PROCEDURAL INFORMATION
IG issues will be managed through the development and use of domain specific policies and procedures (see Paragraph 7).
4.1 Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) must be undertaken for all new systems or major system changes which impact on personal information, using the standards detailed in the current DSPT as a measure of requirements. PIAs must include a review date appropriate to the system being introduced; the PIA procedure and template are in Appendices 1 and 2. All PIAs must be approved by the IGC or, as a minimum, by the SIRO, Caldicott Guardian or DPO.
4.2 Information Governance Incidents
All risks and incidents relating to Information Governance (for example loss of personal identifiable/confidential data, or the loss, theft or destruction of records held by the Trust in whatever form, paper or electronic) must be reported via Datix, in accordance with the Trust’s standard procedures for risk and incident reporting. Reporting of risks and incidents is important to ensure that appropriate action is taken so that risks/incidents do not recur and to learn from them. No constructive action can be taken if the Trust is not notified when things go wrong or there is a near miss.
The Trust’s Incident and Serious Incident Management Policy is available on the HUB.
4.3 Information Governance Training (Data Security Awareness)
Information Governance (Data Security Awareness) training is a core MAST subject that all staff must complete on an annual basis. New staff who have not done IG training have to undertake the ‘Introduction module’ via e-learning; existing staff have to do the ‘Refresher module’ either via e-learning on the ESR system or via the alternative paper-based exercise/workbook. The Information Governance Team will work with the HR department to ensure departments are equipped to undertake this training and, where applicable, local assistance will be provided. Staff can also attend face-to-face training provided by the Information Governance team.
The Information Governance team will take responsibility for raising the level of IG awareness and training throughout the Trust.
All new staff must be IG training compliant before they start their job.
Information Governance training is compulsory for all staff including volunteers and contractors/temporary staff (who will be in post longer than 3 months), in all staff groups / roles, on an annual basis.
The IG Team and IGC will raise Trust wide awareness of IG issues, common themes in incident reporting, training opportunities and progress etc. via appropriate communications methods.
The IG Team will develop IG communications materials to inform and advise service users and staff on IG issues.
5. DEFINITIONS AND ABBREVIATIONS
5.1 Definitions
IGC - Information Governance Committee is the body responsible for ensuring the Trust complies with information governance requirements and legislation.
DSPT – Data Security and Protection Toolkit. The annual audit of IG capability for all Healthcare providers. https://www.dsptoolkit.nhs.uk/
5.2 Abbreviations
CG - Caldicott Guardian
DPO - Data Protection Officer
GDPR - General Data Protection Regulation
HODs - Heads of Departments
HR - Human Resources
IAO - Information Asset Owner
ICO - Information Commissioner’s Office
IGA&SM - Information Governance Assurance and Security Manager
IGC - Information Governance Committee
IGM - Information Governance Manager
ITIL - Information Technology Infrastructure Library
MAST - Mandatory and Statutory Training
PECR - Privacy and Electronic Communications Regulations
PIA - Privacy Impact Assessment
SAR - Subject Access Request
SIRO - Senior Information Risk Owner
6. REFERENCES
This Policy has been produced in accordance with the following documents:
Data Security and Protection Toolkit Guidance https://www.dsptoolkit.nhs.uk/
Data Protection Act 2018
General Data Protection Regulation
Freedom of Information Act 2000
UK Re-use of Public Sector Information Regulations 2005
Human Rights Act 1998
The Confidentiality Code of Practice
Records Management: Code of Practice for Health and Social Care 2016
Information Quality Assurance Programme
Caldicott 2/3
7. ASSOCIATED DOCUMENTATION
Documents available on Trust Intranet
IT Acceptable Use Policy
Freedom of Information & Environmental Information Regulations Policy
Freedom of Information Code of Practice – Requests for Information SOP
Data Quality Policy
Registration Authority Policy
Fax Policy
Safe Haven Policy
Use and Protection of Patient Information Policy (Confidentiality Code of Conduct)
Data Protection Policy
Health Records Policy
Corporate Records Management Policy
Incident and Serious Incident Management Policy
TRFT Information Security Assurance Policy
TRFT Forensic Readiness Policy
Counter Fraud, Bribery and Corruption Policy
Section 1 Appendix 1
Privacy Impact Assessment Guidance
1. GUIDANCE
1.1 Introduction
Privacy Impact Assessments serve to ensure that the organisation remains compliant with legislation and NHS requirements such as the Information Governance Toolkit, which determine the use of Personal Confidential Data (PCD). The Information Governance Checklist and Privacy Impact Assessments (PIA) have been developed to provide an assessment prior to new services or new information processing/sharing systems being introduced. They are less effective when key decisions have already been taken.
Privacy Impact Assessments (PIAs) identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. An effective PIA will allow problems to be identified and remedied at an early stage, reducing potential distress, subsequent complaints and the associated costs and damage to reputation which might otherwise occur.
A PIA aids an organisation in determining how a particular project, process or system will affect the privacy of the individual. It is important to consider whether a PIA is required once you know what it is you are hoping to achieve, what you will require to get there and how you plan to go about doing it.
Conducting a PIA does not have to be complex or time consuming.
1.2 Privacy Impact Assessments
PIAs help identify privacy risks, foresee problems and bring forward solutions. A successful PIA will:
identify and manage risks (see Appendix A for examples)
avoid inadequate solutions to privacy risks
avoid unnecessary costs
avoid loss of trust and reputation
inform the organisation’s communication strategy
meet or exceed legal requirements
The Information Commissioners Office (ICO) has produced guidance materials on which this procedure is based (see Appendix C).
Consideration as to whether a PIA should be completed is mandated through the Information Governance Toolkit. PIAs ensure that privacy concerns have been considered and serve to assure the organisation regarding the security and confidentiality of the personal identifiable information.
1.3 Purpose of a PIA
A PIA should serve to:
identify privacy risks to individuals
identify privacy and Data Protection compliance liabilities
protect the organisation’s reputation
instil public trust and confidence in your project/product
avoid expensive, inadequate “bolt-on” solutions
inform your communications strategy
Following review of the screening questions (Annex A) it may be decided that a PIA is required. Where it is thought that a PIA is required, Annex B should be completed and submitted to the Information Governance Team for a preliminary review. It is recommended that the IG Team review is sought prior to the final PIA being submitted to the IG Committee, SIRO or Caldicott Guardian.
1.4 Responsibilities
Responsibility for ensuring that a Privacy Impact Assessment is considered and, if appropriate, completed resides with managers leading the introduction of new systems, sharing or projects.
Line Managers are responsible for ensuring that their permanent and temporary staff and contractors are aware of the Privacy Impact Assessment procedure.
There is an expectation that partner organisations involved in supplying/providing services should provide technical information for the Privacy Impact Assessment, where this is otherwise unclear.
This guidance therefore applies to all staff and all types of information held by the organisation. Further details of responsibilities are to be found in the organisation’s policies and procedures.
1.5 Is a PIA required for every project?
The ICO envisages PIAs being used where a project includes the use of personal data, where there is otherwise a risk to the privacy of the individual, where new or intrusive technology is used, or where private or sensitive information which was originally collected for a limited purpose is going to be reused in a new and ‘unexpected’ way. The screening questions (see Annex A) help determine if a PIA is required.
1.6 When should I start a PIA?
PIAs are most effective when they are started at an early stage of a project, when:
the project is being designed
you know what you want to do
you know how you want to do it
you know who else is involved
It must be completed before:
decisions are set in stone
you have procured systems
you have signed contracts/Memorandum of Understanding/agreements
and while you can still change your mind
1.7 Publishing PIAs
All PIAs must be approved by the Information Governance Committee and are to be included within the organisation’s Publication Scheme; they must therefore be presented to the Information Governance Team once they have received approval, so that publication can be arranged.
It is acknowledged that PIAs may contain commercially sensitive information such as security measures or intended product development. It is acceptable for such items to be redacted, but as much of the document as possible should be published, given that any information held by a public organisation can be requested under the Freedom of Information Act and the PIA will be listed in the Publication Scheme.
1.8 Related TRFT Policies
Health Records Policy
Business Continuity Plan
Data Protection Policy
IT Acceptable Use Policy
Freedom of Information and EIR Policy
Information Governance Policy
Reporting, Investigation and Management of Incidents Policy
Information Security Assurance Policy
Interagency Information Sharing Protocol (contact IG)
Social Networking Policy
Network Security Policy
Privacy Impact Assessment procedure (this document)
Corporate (Non-Clinical) Records Management Policy
Mobile Working and Remote Access Policy
Risk Assessment and Risk Register Policy
Safe Haven Policy
2. EXAMPLE RISKS
2.1 Risks to individuals
i. Inadequate disclosure controls increase the likelihood of information being shared inappropriately.
ii. The context in which information is used or disclosed can change over time, leading to it being used for different purposes without people’s knowledge.
iii. New surveillance methods may be an unjustified intrusion on their privacy.
iv. Measures taken against individuals as a result of collecting information about them might be seen as intrusive.
v. The sharing and merging of datasets can allow organisations to collect a much wider set of information than individuals might expect.
vi. Identifiers might be collected and linked which prevent people from using a service anonymously.
vii. Vulnerable people may be particularly concerned about the risks of identification or the disclosure of information.
viii. Collecting information and linking identifiers might mean that an organisation is no longer using information which is safely anonymised.
ix. Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, presents a greater security risk.
x. If a retention period is not established information might be used for longer than necessary.
2.2 Corporate risks
i. Non-compliance with the DPA or other legislation can lead to sanctions, fines and reputational damage.
ii. Problems which are only identified after the project has launched are more likely to require expensive fixes.
iii. The use of biometric information or potentially intrusive tracking technologies may cause increased concern and cause people to avoid engaging with the organisation.
iv. Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, is less useful to the business.
v. Public distrust about how information is used can damage an organisation’s reputation and lead to loss of business.
vi. Data losses which damage individuals could lead to claims for compensation.
2.3 Compliance risks
i. Non-compliance with the DPA.
ii. Non-compliance with the Privacy and Electronic Communications Regulations (PECR).
iii. Non-compliance with sector specific legislation or standards.
iv. Non-compliance with human rights legislation.
3. Glossary
Item Definition
Anonymity
Information may be used more freely if the subject of the information is not identifiable in any way; this is anonymised data. However, even where such obvious identifiers are missing, rare diseases, drug treatments or statistical analyses which may have very small numbers within a small population may allow individuals to be identified. A combination of items increases the chances of patient identification. When anonymised data will serve the purpose, health professionals must anonymise data and, whilst it is not necessary to seek consent, general information about when anonymised data will be used should be made available to patients.
Authentication Requirements
An identifier enables organisations to collate data about an individual. There are increasingly onerous registration processes and document production requirements imposed to ensure the correct person can have, for example, the correct access to a system or have a smartcard. These are warning signs of potential privacy risks.
Caldicott
Seven Caldicott Principles were established following the original review in 1997 and further development in 2013. The principles are:
1. justify the purpose(s)
2. don't use patient identifiable information unless it is necessary
3. use the minimum necessary patient-identifiable information
4. access to patient identifiable information should be on a strict need-to-know basis
5. everyone with access to patient identifiable information should be aware of their responsibilities
6. understand and comply with the law
7. the duty to share information can be as important as the duty to protect patient confidentiality
Data Protection Act 2018
This Act defines the ways in which information about living people may be legally used and handled. The main intent is to protect individuals against misuse or abuse of information about them. The six data protection principles of the Act specify that personal data must be:
1. Used fairly, lawfully and transparently.
2. Used for specified, explicit purposes.
3. Used in a way that is adequate, relevant and limited to only what is necessary.
4. Accurate and, where necessary, kept up to date.
5. Kept for no longer than is necessary.
6. Handled in a way that ensures appropriate security, including protection against unauthorised processing, access, loss, destruction or damage.
European Economic Area (EEA)
The European Economic Area comprises the EU member states plus Iceland, Liechtenstein and Norway.
Explicit consent
Express or explicit consent is given by a patient agreeing actively, usually orally (which must be documented in the patient’s case notes) or in writing, to a particular use or disclosure of information.
IAA (Information Asset Administrator)
These are individuals who ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management and ensure that information asset registers are accurate and up to date. These roles tend to be system managers.
IAO (Information Asset Owner)
These are senior individuals involved in running the relevant service/department. Their role is to understand and address risks to the information assets they ‘own’ and to provide assurance to the SIRO on the security and use of those assets. They are responsible for providing regular reports regarding information risks and incidents pertaining to the assets under their control/area.
Implied consent
Implied consent is given when an individual takes some other action in the knowledge that in doing so he or she has incidentally agreed to a particular use or disclosure of information; for example, a patient who visits the hospital may be taken to imply consent to a consultant consulting his or her medical records in order to assist diagnosis. Patients must be informed about this and the purposes of disclosure, and also have the right to object to the disclosure.
Information Assets
Information assets are records, information of any kind, data of any kind and any format which we use to support our roles and responsibilities. Examples of Information Assets are databases, systems, manual and electronic records, archived data, libraries, operations and support procedures, manual and training materials, contracts and agreements, business continuity plans, software and hardware.
Information Risk
An identified risk to any information asset that the organisation holds. Please see the Risk Policy for further information.
Personal Data
This means data which relates to a living individual who can be identified:
1. from those data, or
2. from those data and any other information which is in the possession of, or is likely to come into the possession of, the data controller.
It also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Privacy and Electronic Communications Regulations 2003
These regulations apply to sending unsolicited marketing messages electronically, such as by telephone, fax, email and text. Unsolicited marketing material should only be sent if the recipient has opted in to receive this information.
Privacy Invasive Technologies
Examples of such technologies include, but are not limited to, smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining and logging of electronic traffic. Technologies that are inherently intrusive, new, or that sound threatening are a concern and hence represent a risk.
Pseudonymisation
Where patient identifiers such as name, address and date of birth are substituted with a pseudonym, code or other unique reference, so that the data is only identifiable to those who hold the code or reference.
Records Management: NHS Code of Practice
A guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. It is based on current legal requirements and professional best practice. The code of practice contains an annex with a health records retention schedule and a Business and Corporate (non-health) records retention schedule.
Retention Periods
Records are required to be kept for a certain period either because of a statutory requirement or because they may be needed for administrative purposes during this time. If an organisation decides that it needs to keep records longer than the recommended minimum period, it can vary the period accordingly and record the decision and the reasons behind it. The retention period should be calculated from the beginning of the year after the last date on the record. Any decision to keep records longer than 30 years must obtain approval from The National Archives.
Sensitive Data (Special Category)
This means personal data consisting of information as to the:
A. racial or ethnic group of the individual
B. political opinions of the individual
C. religious beliefs or other beliefs of a similar nature of the individual
D. whether the individual is a member of a trade union
E. physical or mental health of the individual
F. sexual life of the individual
G. sexual orientation of the individual
H. biometric data
I. genetic data
SIRO (Senior Information Risk Owner)
This person is an executive who takes ownership of the organisation's information risk policy and acts as advocate for information risk on the Board.
4. FURTHER INFORMATION
Relevant statutory legislation and law:
Common Law Duty of Confidentiality
Data Protection Act 2018
Freedom of Information Act 2000
General Data Protection Regulation (2016/679)
Human Rights Act 1998
Privacy and Electronic Communications Regulations 2015
Counter Fraud Bribery and Corruption Policy (Trust Counter Fraud Policy)
Further reading and guidance:
Caldicott 2 Review Report and Recommendations
Review of Data Security, Consent and Opt Outs
Confidentiality Code of Practice
HSCIC Code of practice on confidential information
Information Security Code of Practice
Records Management Code of Practice
The ICO’s Anonymisation: managing data protection risk code of practice may help identify privacy risks associated with the use of anonymised personal data.
The ICO’s Data sharing: code of practice may help to identify privacy risks associated with sharing personal data with other organisations.
The ICO’s Privacy Notices: Code of Practice.
Data Protection Impact Assessment (DPIA) Screening Questions
The screening questions below should be used to inform whether a DPIA is necessary. This is not an exhaustive list; therefore, in the event of uncertainty, completion of a DPIA is recommended.
Ticking any of these questions is an indication that a DPIA is required:
Screening Questions (tick all that apply)
1. Will the project involve the collection of new identifiable or potentially identifiable data about individuals? ☐
2. Will the project compel individuals to provide data about themselves or involve the processing of personal data not obtained directly from the individual? (i.e. where they will have little awareness or choice, or where it is impossible, or would involve disproportionate effort, to inform the individuals that the processing is taking place) ☐
3. Will identifiable data about individuals be shared with other organisations or people who have not previously had routine access to the data? ☐
4. Are you using data about individuals for a purpose it is not currently used for, or in a new way? (i.e. using data collected to provide care for a service evaluation; data matching, where data obtained from multiple sources is combined, compared or matched) ☐
5. Where data about individuals is being used, would this be likely to raise privacy concerns or expectations? (i.e. will it include health records, genetic data, criminal records or other information that people may consider to be sensitive and private and that may cause them concern or distress) ☐
6. Will the project require you to contact individuals in ways which they may find intrusive? (i.e. telephoning or emailing them without their prior consent) ☐
7. Will the project result in you making decisions in ways which can have a significant impact on individuals? (i.e. will it affect the care a person receives? Is it based on automated decision making, including profiling?) ☐
8. Does the project involve you using new technology which might be perceived as being privacy intrusive? (i.e. using biometrics, facial recognition, Artificial Intelligence or tracking, such as tracking an individual's geolocation or behaviour) ☐
9. Is a service/processing activity being transferred to a new supplier/organisation (or re-contracted) at the end of an existing contract? ☐
10. Will the project involve systematic monitoring of a publicly accessible area on a large scale? (i.e. use of CCTV) ☐
11. Will the project involve the targeting of children or other vulnerable individuals? (i.e. for marketing purposes, profiling or other automated decision making) ☐
DPIA required? Yes ☐ No ☐
Please note that once completed the following sections (1 to 4) should be extracted from the rest of this document prior to being included within the Publication Scheme.
Data Protection Impact Assessment (DPIA)
Please complete all questions with as much detail as possible (liaising with partners/third parties) and then contact the IG Team prior to seeking approval.
Section 1: System/Project General Details
System/project/process (referred to hereafter as 'project') title:
Objective:
Detail: Why is the new system/change in system required? Is there an approved business case?
Stakeholders/Relationships/Partners: Please outline the nature of such relationships and the corresponding roles of other organisations.
Other related projects:
Project lead:
Name: Title: Department: Telephone: Email:
Information Asset Owner: All information systems/assets must have an Information Asset Owner (IAO). IAOs should normally be a Head of Department/Service.
Name: Title: Department: Telephone: Email:
Information Asset Administrator: Information systems/assets may have an Information Asset Administrator (IAA) who reports to the IAO. IAAs are normally System Managers/Project Leads.
Name: Title: Department: Telephone: Email:
Section 2: Data Protection Impact Assessment Key Questions
Data Items
1. Will the project use identifiable or potentially identifiable data in any way? If answered 'No' then a DPIA is not normally suggested.
☐ Yes ☐ No
If yes, who will this data relate to: ☐ Patient ☐ Staff ☐ Other: Click here to enter text.
2. Please state purpose for the processing of the data:For example, patient care, commissioning, research, audit, evaluation.
3. Please tick the data items that are held in the system
Personal:
☐ Name ☐ Address ☐ Post Code ☐ Date of Birth ☐ GP Practice ☐ Date of Death ☐ NHS Number ☐ NI Number ☐ Passport Number ☐ Pseudonymised Data ☐ Online Identifiers (e.g. IP Number, Mobile Device ID)
Special categories of personal data (sensitive data):
☐ Health Data ☐ Trade Union membership ☐ Political opinions ☐ Religion ☐ Racial or Ethnic Origin ☐ Sex life and sexual orientation ☐ Biometric Data ☐ Genetic Data ☐ Other:
4. What consultation/checks have been made regarding the adequacy, relevance and necessity for the processing of the data for this project?
5. How will the data be kept up to date and checked for accuracy and completeness?
Data processing
6. Will a third party be processing data for TRFT or one of its contractors?
☐ Yes ☐ No
If no, please go to the Confidentiality section.
7. Is the third party contract/supplier of the project registered with the Information Commissioner?
☐ Yes ☐ No
Organisation: Data Protection Registration Number:
8. Has the third party supplier completed and published a satisfactory Data Security and Protection Toolkit submission?Please note that the Data Security and Protection Toolkit replaced the IG Toolkit from 1 April 2018.
☐ Yes ☐ No
If yes, please give organisation code:
DSP Toolkit Score: ☐ Satisfactory ☐ Not satisfactory ☐ Satisfactory with Improvement Plan
Click here to enter text.
9. Does the third party/supplier contract(s) include all the necessary Information Governance clauses regarding Data Protection and Freedom of Information?
☐ Yes ☐ No
Is the contract based on, or does it utilise, the NHS standard contract? ☐ Yes ☐ No
10. Will other third parties (not already identified) have access to the data? Include any external organisations.
☐ Yes ☐ No
If so, for what purpose?
Please list organisations and by what means of transfer:
Confidentiality
11. Please outline how individuals will be informed and kept informed about how their data will be processed. A copy of the privacy notice and/or leaflets must be provided.
12. Does the project involve the collection of data that may be unclear or intrusive?Are all data items clearly defined? Is the data collected limited to a specific set of predefined categories?
☐ Yes ☐ No
13. Are you relying on individuals (patients/staff) to explicitly consent to the processing of personal identifiable or sensitive data? Please provide copies of any consent documentation that will be used, including patient information leaflets.
☐ Yes ☐ No (Go to next question)
How will consent be obtained and by whom? Click here to enter text.
Will the consent cover all proposed processing and sharing/disclosures? ☐ Yes ☐ No
If no, please detail: Click here to enter text.
14. If explicit consent is not being sought, what legal basis enables this data processing?For more information about conditions for processing, please see the ICO’s GDPR website.
Personal data (identifiers and potentially identifiable data):
☐ Relating to a contract: Click here to enter text.
☐ Legal obligation: Click here to enter text.
☐ Vital interests: Click here to enter text.
☐ Public Interest task:
☐ Other: Click here to enter text.
Special categories of personal data (sensitive data), if applicable:
☐ Medical related: Click here to enter text.
☐ Public Health: Click here to enter text.
☐ Employment related: Click here to enter text.
☐ Vital interests: Click here to enter text.
☐ Already public: Click here to enter text.
☐ Legal claim related: Click here to enter text.
☐ Substantial public interest: Click here to enter text.
☐ Other: Click here to enter text.
15. Will identifiable data only be handled within the patients’ direct care team (in accordance with the Common Law Duty of Confidentiality)?
☐ Yes ☐ No
16. How will consent, non-consent, objections or opt-outs be recorded and respected?
17. What arrangements are in place to process Subject Access Requests?What would happen if such a request were made?
18. Will the processing of data be automated? Will the proposed processing of data involve automated means of processing to determine an outcome for the individual?
☐ Yes ☐ No ☐ Not applicable
If yes, please outline what arrangements are available to enable the individual to access and extract their data (in a standard file format). Please also detail any profiling that may take place as part of the automated processing: Click here to enter text.
19. What process is in place for rectifying/blocking data?What would happen if such a request were made?
Engagement
20. Has stakeholder engagement taken place?
Yes ☐ No ☐
If yes, how have any issues identified by stakeholders been considered?
Data Sharing
21. Does the project involve any new data sharing between stakeholder organisations?
☐ Yes ☐ No
If yes, please describe: (The IG department will need to draft a data sharing agreement which will then need approval)
Data Linkage
22. Does the project involve linkage of personal data with data in other collections, or a significant change in data linkages? The degree of concern is higher where data is transferred out of its original context (e.g. the sharing and merging of datasets can allow for the collection of a much wider set of information than needed, and identifiers might be collected/linked, which prevents personal data being kept anonymously).
Yes ☐ No ☐
If yes, please provide a data flow diagram showing how identifiable information would flow and ensure this is added to the TRFT Information Asset and Data Flow Register (see Information Assets and Data Flows section).
Information Security
23. Who will have access to the data within the project? Please refer to roles/job titles/organisations.
24. Is there a useable audit trail in place for the project? For example, to identify who has accessed a record?
Yes ☐ No ☐
If yes, please outline the audit plan: Click here to enter text.
25. Where will the data be kept/stored/accessed?Where applicable, please refer to data flow diagram.
26. Please indicate all methods in which data will be transferred
☐ Fax
☐ Email (Unsecure/Personal)
☐ Email (Secure/nhs.net)
☐ Internet (unsecure, e.g. http)
☐ Internet (secure, e.g. https)
☐ Telephone
☐ By hand
☐ Courier
☐ Post (tracked/traceable)
☐ Post (normal)
☐ Other:
27. Does the project involve privacy enhancing technologies? (e.g. new forms of encryption, two-factor authentication and/or pseudonymisation)
Yes ☐ No ☐
If yes, please give details:
28. Is there a documented System Specific Security Policy (SSSP) or process for this project? An SSSP is required for new systems; this is likely to need to be completed by the supplier.
If yes, please provide a copy. (Template available from IG).
Privacy and Electronic Communications Regulations
29. Will the project involve the sending of unsolicited marketing messages electronically, such as by telephone, fax, email and text? Please note that seeking to influence an individual is considered to be marketing.
☐ Yes ☐ No
If yes, what communications will be sent? Click here to enter text.
Will consent be sought prior to this?
If no, please explain why consent is not being sought first:
Records Management
30. What are the specific retention periods for this data? Please refer to the Records Management Code of Practice for Health and Social Care 2016 and list the retention period for identifiable project datasets.
31. Will the data be securely destroyed when it is no longer required?
☐ Yes ☐ No
Please detail: Click here to enter text.
Information Assets and Data Flows
32. Has an Information Asset Owner been identified, and does the Information Asset and Data Flow Register require updating?
☐ Yes ☐ No
If yes, include the name of the completed Information Asset Register.
Does this project constitute a change to existing Information Asset(s) or is this a new Information Asset?☐ New ☐ Existing
Has the Information Asset Register been updated by the IAO?
☐ Yes ☐ No
Business Continuity
33. Have the business continuity requirements been considered?
☐ Yes ☐ No ☐ Business Continuity is not applicable
Please explain and either reference how such plans link with the organisational plan or why there are no business continuity considerations that are applicable for this project: Click here to enter text.
Open Data
34. Will identifiable/potentially identifiable data from the project be released as Open Data (placed into the public domain)?
☐ Yes ☐ No
If yes, please describe: Click here to enter text.
Data Processing Outside of the UK and European Union (EU)
35. Will any personal and/or sensitive data be transferred to a country outside the UK?
☐ Yes ☐ No
If yes, which data and to which country? Click here to enter text.
Section 3: Data Protection Impact Assessment Information Governance Review
Information Governance Review (for completion by IG): Issue, Potential Risk, Recommendation
Response (for completion by project lead): Agreed Action, Completion (Date and Initials)
1
2
For completion by IG: Residual Risk (Severity / Likelihood), Main Risk Sources, Main Threats, Main Potential Impacts, Main Controls Reducing the Severity and Likelihood
1
2
3
IG review completed by: Review date:
Date complete and risk assessed: Consultation with ICO required? Yes / No (delete as appropriate)
Section 4: Review and Approval
Assessment completed by
Name: Title: Date:
Data Protection Officer Approval
Name: Title:
DPO advice: The DPO should advise on compliance, risks identified and whether processing can proceed. If accepting any residual high risk, consult the ICO before going ahead.
Approved: Date:
The DPO should also review ongoing compliance with the DPIA.
SIRO/Caldicott Guardian Approval
Name: Title:
DPO advice accepted or overruled: If overruled, you must explain your reasons.
Approved: ☐ Date:
This DPIA will be kept under review by:
INFORMATION GOVERNANCE POLICY
SECTION 2 DOCUMENT DEVELOPMENT, COMMUNICATION, IMPLEMENTATION AND MONITORING
8. CONSULTATION AND COMMUNICATION WITH STAKEHOLDERS
This document was developed in consultation with:
Information Governance Committee members who have consulted within the areas they represent.
9. APPROVAL OF THE DOCUMENT
This document was approved by: Information Governance Committee and Executive Team Committee (ETC)
10. RATIFICATION OF THE DOCUMENT
This document was ratified by the Trust Document Ratification Group.
11. EQUALITY IMPACT ASSESSMENT STATEMENT
An Equality Impact Assessment has been carried out in relation to this document using the approved initial screening tool; the EIA statement is detailed at Appendix 1 to this section of the document.
The manner in which this policy impacts upon equality and diversity will be monitored throughout the life of the policy and re-assessed as appropriate when the policy is reviewed.
12. REVIEW AND REVISION ARRANGEMENTS
This document will be reviewed every three years by the IG Manager unless such changes occur as to require an earlier review.
13. DISSEMINATION AND COMMUNICATION PLAN
To be disseminated to: DRG Admin Support via policies email
Disseminated by: Author
How: Email
When: Within 1 week of ratification
Comments: Remove watermark from ratified document and inform DRG Admin Support if a revision, which document it replaces and where it should be located on the intranet. Ensure all document templates are uploaded as Word documents.

To be disseminated to: Communication Team (documents ratified by the Document Ratification Group)
Disseminated by: DRG Admin Support Team
How: Email
When: Within 1 week of ratification
Comments: Communication team to inform all email users of the location of the document.

To be disseminated to: All email users
Disseminated by: Communication Team
How: Email
When: Within 1 week of ratification
Comments: Communication team will inform all email users of the policy and provide a link to the policy.

To be disseminated to: Key individuals; staff with a role / responsibility within the document; Heads of Departments / Matrons
Disseminated by: Author
How: Meeting / Email as appropriate
When: When final version completed
Comments: The author must inform staff of their duties in relation to the document.

To be disseminated to: All staff within area of management
Disseminated by: Heads of Departments / Matrons
How: Meeting / Email as appropriate
When: As soon as received from the author
Comments: Ensure evidence of dissemination to staff is maintained. Request removal of paper copies. Instruct them to inform all staff of the policy, including those without access to email.
14. IMPLEMENTATION AND TRAINING PLAN
The responsibility for implementing this policy lies with the Information Governance Department. The Information Governance Department is responsible for ensuring that all relevant areas within the Trust are made aware of any changes required in the policy.
The implementation process will commence upon approval of this policy by the Trust Policy Ratification Group. It is the responsibility of Matrons/Heads of Departments/Service to ensure that new staff receive information about this policy, and that it forms part of any local induction. They must also ensure that any changes to this policy are effectively communicated within their areas of responsibility.
15. PLAN TO MONITOR THE COMPLIANCE WITH, AND EFFECTIVENESS OF THE TRUST DOCUMENT
15.1 Process for Monitoring Compliance and Effectiveness
Audit / Monitoring Criteria: Reporting of any suspected IG breaches based on IG knowledge gained from IG Training (MAST compliance)
Process for monitoring (e.g. audit, survey): Trust's Incident Reporting System
Audit / Monitoring performed by: All staff, who will report any suspected incidents/breaches to a senior member of staff
Audit / Monitoring frequency: As and when incidents occur
Audit / Monitoring reports distributed to: IG Incidents report at IGC
Action plans approved and monitored by: As per Trust's Incident and Serious Incident Management Policy. Where an issue has arisen that requires disciplinary action, Trust Disciplinary Procedures will be followed.

Audit / Monitoring Criteria: Information Technology Infrastructure Library (ITIL) compliance
Process for monitoring: All new IT systems being audited. Completion of PIA
Audit / Monitoring performed by: PMO Manager
Audit / Monitoring frequency: When new IT systems planned
Audit / Monitoring reports distributed to: IGC
Action plans approved and monitored by: IGC

Audit / Monitoring Criteria: IG Training Tool (IGTT)
Process for monitoring: All staff completing IGTT
Audit / Monitoring performed by: IG Department / P&OD
Audit / Monitoring frequency: Annual
Audit / Monitoring reports distributed to: Line Managers
Action plans approved and monitored by: IGC

Audit / Monitoring Criteria: IG Toolkit Annual Submission
Audit / Monitoring performed by: Standard Owners & IG Department
Audit / Monitoring frequency: Annual
Audit / Monitoring reports distributed to: IGC
Action plans approved and monitored by: IGC

Audit / Monitoring Criteria: Rolling programme of assessments of its information quality and records management arrangements, including annual Caldicott audits
Process for monitoring: Audit
Audit / Monitoring performed by: IG Department / Department Managers / Caldicott Members
Audit / Monitoring frequency: Annual
Audit / Monitoring reports distributed to: Caldicott Group
Action plans approved and monitored by: IGC / Caldicott Group
15.2 Standards/Key Performance Indicators (KPIs)
The standard is 100% compliance with the standards as set out in the monitoring table.
Data Security and Protection Toolkit
Care Quality Commission Standards
Document Name: Information Governance Policy
Date/Period of Document: June 2020 – June 2023
Lead Officer: Data Protection Officer (DPO)
Job title: Data Protection Officer (DPO)
Function: Policy / Procedure / Strategy / Other: (State) ________________
Describe the overall purpose / intended outcomes of the above: To provide a consistent approach across the Trust to Information Governance and to ensure compliance with law, national guidance and related Trust policy.
You must assess each of the 9 areas separately and consider how your policy may affect people of different groups within those areas.
1. Assessment of possible adverse (negative) impact against a protected characteristic
Does this have a significant negative impact on equality in relation to each area? (Response: Yes / No. If yes, please state why and the evidence used in your assessment.)
1 Age X
2 Disability X
3 Gender reassignment X
4 Marriage and civil partnership X
5 Pregnancy and maternity X
6 Race X
7 Religion and belief X
8 Sex X
9 Sexual Orientation X
You need to ask yourself:
Will the policy create any problems or barriers to any community or group? Yes / No
Will any group be excluded because of the policy? Yes / No
Will the policy have a negative impact on community relations? Yes / No
If the answer to any of these questions is Yes, you must complete a full Equality Impact Assessment.
2. Positive impact
Could the policy have a significant positive impact on equality by reducing inequalities that already exist? Explain how it will meet our duty to: (Response: Yes / No. If yes, please state why and the evidence used in your assessment.)
1 Eliminate discrimination, harassment and / or victimisation X
2 Advance the equality of opportunity of different groups X
3 Foster good relationships between different groups X
3. Summary
On the basis of the information/evidence/consideration so far, do you believe that the policy will have a positive or negative (adverse) impact on equality?
Positive: HIGH / MEDIUM / LOW; NEUTRAL; Negative: LOW / MEDIUM / HIGH
Date assessment completed: June 2020
Is a full equality impact assessment required? Yes / No
Date EIA approved by Equality and Diversity Steering Group: