Ref No: 130

INFORMATION GOVERNANCE POLICY

SECTION 1 PROCEDURAL INFORMATION

Version: 7
Ratified by: Trust Document Ratification Group
Date ratified: 31 July 2020
Title of originator / author: IG Assurance & Security Manager
Title of responsible committee / individual: Information Governance Committee (IGC) and Trust Management Committee (TMC)
Date issued: August 2020
Review date: 31 July 2023
Target audience: Trust Wide

Copyright © 2020 The Rotherham NHS Foundation Trust

INFORMATION GOVERNANCE POLICY Version 7 Please check the Intranet to ensure you have the latest version Page 1 of 60



Document Change Record

Version  Date        Author                              Status    Comment
1.0      18/01/05    S. Reid                             Approved  Initial approved policy
1.1      22/02/06    S. Reid                             Approved  Updates in line with review schedule
2.01     09/10/07    S. Reid                             Draft     Re-formatted in line with new Trust policy template
2.02     10/10/07    S. Reid                             Approved  Modified after discussion at IGSG meeting
3a       13/07/10    S. Reid                             Draft     Re-formatted in line with new Trust policy template
3b       16/08/10    S. Reid                             Draft     Revised to take account of comments from the IGSG
3c       05/10/10    S. Reid                             Draft     Revised to take account of comments from the CHISC
3d       21/12/10    S. Reid                             Approved  Revised to take account of comments from the PRG
4a       10/08/11    Head of Information & Performance   Draft     Revised to take account of the MEDITECH EPR IG review
4b       25/11/11    Head of Information & Performance   Draft     Revised to take account of comments from the IGSG
4c       14/05/12    Head of Information & Performance   Draft     Revised to take account of comments from the Information Governance Steering Group
4        24/05/12    Head of Information & Performance   Final     Approved by PRG
5A       24/01/2014  IG Assurance and Security Manager   Draft     Full Review
5        12/12/2014                                      Ratified  Document Ratification Group
6a       20/04/2017  IGA&SM                              Draft     Full review
6b       31/05/2017  IGA&SM                              Draft     Full review
6c       21/08/2017  IGA&SM                              Draft     Review after comments received
6        20/04/2018  IGA&SM                              Final     Ratified by Document Ratification Group
7a       03/03/2020  DPO                                 Draft     Update - removing DPA 1998 references whilst keeping references to GDPR
7b       18/06/2020  DPO                                 Draft     Final update
7        31/07/2020  DPO                                 Final     Document ratified by DRG


Section 1 Contents

Section  Title                                                                       Page
1        Introduction                                                                5
2        Purpose & Scope                                                             6
2.1      Purpose                                                                     6
2.2      Scope                                                                       8
3        Roles & Responsibilities                                                    8
4        Procedural Information                                                      11
4.1      Privacy Impact Assessment (PIA)                                             11
4.2      Information Governance Incidents                                            12
4.3      Information Governance Training (Data Security Awareness)                  12
5        Definitions & Abbreviations                                                 12
5.1      Definitions                                                                 12
5.2      Abbreviations                                                               13
6        References                                                                  13
7        Associated Documentation                                                    13

Section 1 Appendices

Appendix    Title                                                                    Page
Appendix 1  Privacy Impact Assessment (PIA) Guidance                                 15-24
Appendix 2  Privacy Impact Assessment (PIA) Form                                     25-35

Section 2 Contents

Section  Title                                                                       Page
8        Consultation and Communication with Stakeholders                            37
9        Document Approval                                                           37
10       Document Ratification                                                       37
11       Equality Impact Assessment                                                  37
12       Review and Revision Arrangements                                            37
13       Dissemination and Communication Plan                                        38
14       Implementation and Training Plan                                            38
15       Plan to monitor the Compliance with, and Effectiveness of, the Trust Document  39
15.1     Process for Monitoring Compliance and Effectiveness                         39
15.2     Standards/Key Performance Indicators                                        39

Section 2 Appendices

Appendix    Title                                                                    Page
Appendix 1  Completed Equality Impact Assessment                                     40


1. INTRODUCTION

Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.

It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability provide a robust governance framework for information management.

Information Governance is an overarching framework which currently includes the following initiatives or work areas:

Data Protection Act 2018
Freedom of Information Act 2000
UK Re-use of Public Sector Information Regulations 2005
Human Rights Act 1998
The Confidentiality Code of Practice
Information Security Management - BS7799-3
Records Management: NHS Code of Practice for Health and Social Care 2016
Information Quality Assurance Programme
Caldicott 3 (Review of data security, consent and opt-outs)
General Data Protection Regulation (GDPR 2016/679, introduced 25 May 2018)

Information Governance has four fundamental aims:

To support the provision of high quality care by promoting the effective and appropriate use of information.
To encourage responsible staff to work closely together, preventing duplication of effort and enabling more efficient use of resources.
To develop support arrangements and provide staff with appropriate tools and support to enable them to discharge their responsibilities to consistently high standards.
To enable organisations to understand their own performance and manage improvement in a systematic and effective way.

The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.

The Trust supports the principles of corporate governance and understands its public accountability. It places equal importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and/or staff and commercially sensitive information.

The Trust also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

The Trust believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to ensure and promote the quality of information and to actively use information in decision-making processes.

This policy covers all aspects of information within the organisation, including (but not limited to):

Patient/Client/Service User information

Staff related information

Organisational information

2. PURPOSE & SCOPE

2.1 Purpose

This policy covers all aspects of handling information, including (but not limited to):

Structured record systems (paper & electronic)

Transmission of information (electronic communication including video/written conferencing, email, post & telephone)

The policy covers all information systems purchased, developed and managed by the organisation and any individual (directly employed or otherwise by the organisation) accessing information ‘owned’ by the organisation.

There are four key interlinked strands to the information governance policy:

2.1.1 Openness

Non-confidential information on the Trust and its services shall be available to the public through a variety of media, in line with the Trust’s Freedom of Information (FOI) policy.

The Trust will establish and maintain policies to ensure compliance with the Freedom of Information Act.

Patients shall have ready access to information relating to their own health care, their options for treatment and their rights as patients.


The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media.

The Trust will have clear procedures and arrangements for handling queries from patients and the public.

2.1.2 Legal Compliance

The Trust regards all identifiable personal information relating to patients as confidential.

The Trust regards all identifiable personal information relating to staff as confidential, except where national policy on accountability and openness requires otherwise.

The Trust will establish and maintain policies to ensure compliance with the Data Protection Act/GDPR, Human Rights Act and the Common Law Duty of Confidentiality.

The Trust will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).

The Trust will undertake or commission a rolling programme of assessments and audits of its compliance with legal requirements.

2.1.3 Information Security

The Trust will establish and maintain policies for the effective and secure management of its information assets and resources.

The Trust will undertake or commission a rolling programme of assessments and audits of its information and IT security arrangements.

The Trust will promote effective confidentiality and security practice to its staff through policies, procedures and training.

The Trust has established and maintains incident reporting procedures in line with the Incident and Serious Incident Management policy and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

2.1.4 Information Quality Assurance

The Trust will establish and maintain policies and procedures for information quality assurance and the effective management of records.

The Trust will undertake or commission a rolling programme of assessments of its information quality and records management arrangements.

Managers are expected to take ownership of, and seek to improve, the quality of information within their services.


Wherever possible, information quality should be assured at the point of collection.

Data standards will be set through clear and consistent definition of data items, in accordance with national standards.

The Trust will promote information quality and effective records management through policies, procedures/user manuals and training and annual Caldicott audits.

2.2 Scope

The policy covers the management of Information Governance (IG) processes and activities across Acute and Community Services.

3. ROLES & RESPONSIBILITIES

Chief Executive
Has overall responsibility for the maintenance and implementation of the policy.

Caldicott Guardian (CG)
The Executive Medical Director is the appointed Caldicott Guardian and has lead responsibility for strategy and governance issues (relating to patient information), confidentiality and data protection expertise, internal information processing and information sharing with external bodies.

Information Governance Committee
Has delegated responsibility for the maintenance and implementation of this policy and the Information Governance agenda.

Senior Information Risk Owner (SIRO)
Has lead responsibility to ensure that organisational information risk is properly identified and managed and that appropriate assurance mechanisms exist. This entails:
Leading and fostering a culture that values, protects and uses information for the success of the organisation and the benefit of its customers.
Owning the organisation’s overall information risk policy and risk assessment processes (co-owned with the Chief Nurse) and ensuring they are implemented consistently by Information Asset Owners.
Advising the Chief Executive or relevant accounting officer on the information risk aspects of the statement on internal controls.
Owning the organisation’s information incident management framework.

Information Governance Manager (IGM)
Is the lead officer for the Trust on the development and maintenance of IG related policies and is the central IG resource for the Trust. Supports the DPO in all related IG matters.

Data Protection Officer (DPO)
The DPO monitors internal compliance, informing and advising on data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs) and acts as a contact point for data subjects and the supervisory authority.

Caldicott Co-ordinator
Supports the Caldicott Guardian, the DPO and the IG Manager in Caldicott related matters.

General Managers, Heads of Departments (HODs), the Directorate Triumvirates and Line Managers

Are responsible for the implementation of the policy within their business or clinical area, and for adherence to it by their staff. This includes performing a local induction including IG awareness, ensuring staff complete the IG Training Tool annually (as required by the Trust), and include in job descriptions any appropriate IG responsibilities (namely confidentiality and data quality). Local procedures will be developed which will document specific processes for managing IG activities (e.g. data quality, records management, and information security). These will detail procedures for staff at a local level to ensure all IG activities are clearly documented and monitored. HODs will also be responsible for providing appropriate information for the assessment/completion of the Data Security and Protection Toolkit (DSPT).

Information Asset Owner (IAO)

An IAO will be identified by the IGM in conjunction with the senior member of staff within the relevant area. They will take the lead on managing the asset, managing risk and controlling access. They will also be responsible for providing appropriate information to the IGM when new systems are proposed and assisting in the completion of a review of appropriate IG standards. Further details on the IAO role can be found at:

http://systems.hscic.gov.uk/infogov

Departments undertaking activity outside the main Trust sites must ensure processes are monitored to ensure compliance with the policy. This must include the movement and storage of paper records and the compliance of electronic systems.

The IAO will document, understand and monitor:
What information assets are held, and for what purposes
How information is created, amended or added to over time
Who has access to the information and why

Director of Health Informatics

Is principal advisor on all Health Informatics matters to the Chief Operating Officer and Trust Board, and accountable for the delivery of a high quality health informatics service. Provides assurance that all directly employed, agency and contracted staff working in the Health Informatics service adhere to this policy. Is responsible for a number of DSPT standards relating to system data access and security. Will ensure that a Privacy Impact Assessment is performed against all new data systems provided through the Health Informatics service, either as an IT system or through the provision of project management. Has a responsibility as IAO for the Health Informatics Service. Will provide IG assurance on information data flows.

Head of Governance
Has a responsibility as a member of the IG Committee, is a DSPT Assertion owner and is the IAO for the Corporate Affairs directorate. Will provide IG assurance on corporate data flows. Has a responsibility to maintain and update the Publication Scheme on the TRFT website.

Associate Director of Information Services

Is responsible for a number of DSPT Assertions relating to data quality, business intelligence and secondary use assurance.

Data Quality Lead/Clinical Coding Manager

Is responsible for data quality and for ensuring that the confidentiality of service user information is protected through the use of pseudonymisation and anonymisation techniques where appropriate. Will ensure clinical coding meets CCS standards through use of audit.

Patient Access Manager

Is responsible for a number of DSPT Assertions relating to clinical records, patient contact and clinical record access (SARs). Ensures that procedures are in place for monitoring the availability of paper health/care records and tracing missing records.

All Staff
Are responsible for adhering to this policy and related Trust policies (see paragraph 7). All staff will also complete IG Training annually as per requirements, which will be communicated via IG Communication.

4. PROCEDURAL INFORMATION

IG issues will be managed through the development and use of domain specific policies and procedures (see paragraph 7).

4.1 Privacy Impact Assessment (PIA)

A Privacy Impact Assessment (PIA) must be undertaken for all new systems or major system changes which impact on personal information, using the standards detailed in the current DSPT as a measure of requirements. PIAs must include a review date appropriate to the system being introduced; the PIA procedure and template are in Appendices 1 and 2. All PIAs must be approved by the IGC or, as a minimum, the SIRO, Caldicott Guardian or DPO.


4.2 Information Governance Incidents

All risks and incidents relating to Information Governance (i.e. loss of personal identifiable/confidential data, or the loss, theft or destruction of records held by the Trust in whatever form, paper or electronic) must be reported via Datix, in accordance with the Trust’s standard procedures for risk and incident reporting. Reporting of risks and incidents is important to ensure that appropriate action is taken so that risks/incidents do not recur, and to learn from them. No constructive action can be taken if the Trust is not notified when things go wrong or there is a near miss.

The Trust’s Incident and Serious Incident Management Policy is available on the HUB.

4.3 Information Governance Training (Data Security Awareness)

Information Governance (Data Security Awareness) training is a core MAST subject that all staff must complete on an annual basis. New staff who have not done IG training have to undertake the ‘Introduction module’ via e-learning; existing staff have to do the ‘Refresher module’, either via e-learning on the ESR system or the alternative paper based exercise/workbook. The Information Governance Team will work with the HR department to ensure departments are equipped to undertake this training and, where applicable, local assistance will be provided. Staff can also attend face-to-face training provided by the Information Governance team.

The Information Governance team will take responsibility for raising the level of IG awareness and training throughout the Trust.

All new staff must be IG training compliant before they start their job.

Information Governance training is compulsory for all staff including volunteers and contractors/temporary staff (who will be in post longer than 3 months), in all staff groups / roles, on an annual basis.

The IG Team and IGC will raise Trust wide awareness of IG issues, common themes in incident reporting, training opportunities and progress etc. via appropriate communications methods.

The IG Team will develop IG communications materials to inform and advise service users and staff on IG issues.

5. DEFINITIONS AND ABBREVIATIONS

5.1 Definitions

IGC - Information Governance Committee is the body responsible for ensuring the Trust complies with information governance requirements and legislation.


DSPT – Data Security and Protection Toolkit. The annual audit of IG capability for all Healthcare providers. https://www.dsptoolkit.nhs.uk/

5.2 Abbreviations

CG Caldicott Guardian
DPO Data Protection Officer
GDPR General Data Protection Regulation
HODs Heads of Departments
HR Human Resources
IAO Information Asset Owner
ICO Information Commissioner’s Office
IGA&SM Information Governance Assurance and Security Manager
IGC Information Governance Committee
IGM Information Governance Manager
ITIL Information Technology Infrastructure Library
MAST Mandatory and Statutory Training
PECR Privacy and Electronic Communications Regulations
PIA Privacy Impact Assessment
SAR Subject Access Request
SIRO Senior Information Risk Owner

6. REFERENCES

This Policy has been produced in accordance with the following documents:

Data Security and Protection Toolkit Guidance https://www.dsptoolkit.nhs.uk/

Data Protection Act 2018

General Data Protection Regulation

Freedom of Information Act 2000

UK Re-use of Public Sector Information Regulations 2005

Human Rights Act 1998

The Confidentiality Code of Practice

Records Management: Code of Practice for Health and Social Care 2016

Information Quality Assurance Programme

Caldicott 2/3

7. ASSOCIATED DOCUMENTATION

Documents available on Trust Intranet:

IT Acceptable Use Policy

Freedom of Information & Environmental Information Regulations Policy


Freedom of Information Code of Practice – Requests for Information SOP

Data Quality Policy

Registration Authority Policy

Fax Policy

Safe Haven Policy

Use and Protection of Patient Information Policy (Confidentiality Code of Conduct)

Data Protection Policy

Health Records Policy

Corporate Records Management Policy

Incident and Serious Incident Management Policy

TRFT Information Security Assurance Policy

TRFT Forensic Readiness Policy

Counter Fraud, Bribery and Corruption Policy

Section 1 Appendix 1

Privacy Impact Assessment Guidance

1. GUIDANCE

1.1 Introduction

Privacy Impact Assessments serve to ensure that the organisation remains compliant with legislation and NHS requirements, such as the Information Governance Toolkit, which determine the use of Personal Confidential Data (PCD). The Information Governance Checklist and Privacy Impact Assessments (PIA) have been developed to provide an assessment prior to new services or new information processing/sharing systems being introduced. They are less effective when key decisions have already been taken.

Privacy Impact Assessments (PIAs) identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. An effective PIA will allow problems to be identified and remedied at an early stage, reducing potential distress, subsequent complaints and the associated costs and damage to reputation which might otherwise occur.

A PIA aids an organisation in determining how a particular project, process or system will affect the privacy of the individual. It is important to consider whether a PIA is required once you know what it is you are hoping to achieve, what you will require to get there and how you plan to go about doing it.

Conducting a PIA does not have to be complex or time consuming.

1.2 Privacy Impact Assessments

PIAs help identify privacy risks, foresee problems and bring forward solutions. A successful PIA will:

identify and manage risks (see Appendix A for examples)
avoid inadequate solutions to privacy risks
avoid unnecessary costs
avoid loss of trust and reputation
inform the organisation’s communication strategy
meet or exceed legal requirements

The Information Commissioner’s Office (ICO) has produced guidance materials on which this procedure is based (see Appendix C).


Consideration as to whether a PIA should be completed is mandated through the Information Governance Toolkit. PIAs ensure that privacy concerns have been considered and serve to assure the organisation regarding the security and confidentiality of the personal identifiable information.

1.3 Purpose of a PIA

A PIA should serve to:

identify privacy risks to individuals
identify privacy and Data Protection compliance liabilities
protect the organisation’s reputation
instil public trust and confidence in your project/product
avoid expensive, inadequate “bolt-on” solutions
inform your communications strategy

Following review of the screening questions (Annex A) it may be decided that a PIA is required. Where it is thought that a PIA is required, Annex B should be completed and submitted to the Information Governance Team for a preliminary review. It is recommended that the IG Team review is sought prior to the final PIA being submitted to the IG Committee, SIRO or Caldicott Guardian.

1.4 Responsibilities

Responsibility for ensuring that a Privacy Impact Assessment is considered and, if appropriate, completed resides with managers leading the introduction of new systems, sharing or projects.

Line Managers are responsible for ensuring that their permanent and temporary staff and contractors are aware of the Privacy Impact Assessment procedure.

There is an expectation that partner organisations involved in supplying/providing services should provide technical information for the Privacy Impact Assessment, where this is otherwise unclear.

This guidance therefore applies to all staff and all types of information held by the organisation. Further details of responsibilities are to be found in the organisation’s policies and procedures.


1.5 Is a PIA required for every project?

The ICO envisages PIAs being used where a project includes the use of personal data, where there is otherwise a risk to the privacy of the individual, where new or intrusive technology is utilised, or where private or sensitive information which was originally collected for a limited purpose is going to be reused in a new and ‘unexpected’ way. The screening questions (see Annex A) help determine if a PIA is required.

1.6 When should I start a PIA?

PIAs are most effective when they are started at an early stage of a project, when:
the project is being designed
you know what you want to do
you know how you want to do it
you know who else is involved

It must be completed before:
decisions are set in stone
you have procured systems
you have signed contracts/Memorandum of Understanding/agreements
and while you can still change your mind

1.7 Publishing PIAs

All PIAs must be approved by the Information Governance Committee and are to be included within the organisation’s Publication Scheme; they must therefore be presented to the Information Governance Team once they have received approval, so that publication can be arranged.

It is acknowledged that PIAs may contain commercially sensitive information such as security measures or intended product development. It is acceptable for such items to be redacted, but as much of the document as possible should be published, given that all information held by a public organisation can be requested under the Freedom of Information Act and the PIA will be listed in the Publication Scheme.


1.8 Related TRFT Policies

Health Records Policy
Business Continuity Plan
Data Protection Policy
IT Acceptable Use Policy
Freedom of Information and EIR Policy
Information Governance Policy
Reporting, Investigation and Management of Incidents Policy
Information Security Assurance Policy
Interagency Information Sharing Protocol (contact IG)
Social Networking Policy
Network Security Policy
Privacy Impact Assessment procedure (this document)
Corporate (Non-Clinical) Records Management Policy
Mobile Working and Remote Access Policy
Risk Assessment and Risk Register Policy
Safe Haven Policy

2. EXAMPLE RISKS

2.1 Risks to individuals

i. Inadequate disclosure controls increase the likelihood of information being shared inappropriately.

ii. The context in which information is used or disclosed can change over time, leading to it being used for different purposes without people’s knowledge.

iii. New surveillance methods may be an unjustified intrusion on their privacy.

iv. Measures taken against individuals as a result of collecting information about them might be seen as intrusive.

v. The sharing and merging of datasets can allow organisations to collect a much wider set of information than individuals might expect.

vi. Identifiers might be collected and linked which prevent people from using a service anonymously.

vii. Vulnerable people may be particularly concerned about the risks of identification or the disclosure of information.

viii. Collecting information and linking identifiers might mean that an organisation is no longer using information which is safely anonymised.

ix. Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, presents a greater security risk.

x. If a retention period is not established information might be used for longer than necessary.


2.2 Corporate risks

i. Non-compliance with the DPA or other legislation can lead to sanctions, fines and reputational damage.

ii. Problems which are only identified after the project has launched are more likely to require expensive fixes.

iii. The use of biometric information or potentially intrusive tracking technologies may cause increased concern and cause people to avoid engaging with the organisation.

iv. Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, is less useful to the business.

v. Public distrust about how information is used can damage an organisation’s reputation and lead to loss of business.

vi. Data losses which damage individuals could lead to claims for compensation.

2.3 Compliance risks

i. Non-compliance with the DPA.

ii. Non-compliance with the Privacy and Electronic Communications Regulations (PECR).

iii. Non-compliance with sector specific legislation or standards.

iv. Non-compliance with human rights legislation.

3. Glossary

Item Definition

Anonymity Information may be used more freely if the subject of the information is not identifiable in any way; this is anonymised data. However, even where obvious identifiers such as name, address and date of birth are missing, rare diseases, unusual drug treatments or statistical analyses with very small numbers within a small population may still allow individuals to be identified, and a combination of such items increases the chance of identification. When anonymised data will serve the purpose, health professionals must anonymise the data; consent need not be sought, but general information about when anonymised data will be used should be made available to patients.
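The "small numbers" warning above is easy to test for before an extract is released. The following is an added example (not the Trust's or the ICO's code) of the check a data analyst would run: it groups rows by the remaining quasi-identifiers, reports any combination seen fewer than k times, and shows the two standard responses, generalising values (postcode district to postcode area) and suppressing the rows that remain rare. The column names, the constructed sample rows and the threshold k=5 are assumptions for illustration.

```python
from collections import Counter
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed sample extract (not real patient data). Direct identifiers have
# already been removed, but the remaining quasi-identifiers can still single
# out a person when a combination of them is rare.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"postcode_district": "S60", "age_band": "40-49", "sex": "F", "diagnosis": "asthma"},
    {"postcode_district": "S60", "age_band": "40-49", "sex": "F", "diagnosis": "asthma"},
    {"postcode_district": "S60", "age_band": "40-49", "sex": "F", "diagnosis": "asthma"},
    {"postcode_district": "S60", "age_band": "40-49", "sex": "F", "diagnosis": "asthma"},
    {"postcode_district": "S60", "age_band": "40-49", "sex": "F", "diagnosis": "asthma"},
    {"postcode_district": "S61", "age_band": "70-79", "sex": "M", "diagnosis": "rare_disease_x"},
    {"postcode_district": "S65", "age_band": "40-49", "sex": "F", "diagnosis": "asthma"},
    {"postcode_district": "S65", "age_band": "40-49", "sex": "F", "diagnosis": "asthma"},
]

# Assumed quasi-identifier columns: none identifies on its own, the combination can.
QUASI_IDS: Tuple[str, ...] = ("postcode_district", "age_band", "sex", "diagnosis")

Key = Tuple[str, ...]
Rows = Sequence[Dict[str, str]]


def equivalence_classes(rows: Rows, quasi_ids: Sequence[str]) -> Counter:
    """Count how many rows share each combination of quasi-identifier values.
    A class of size 1 is a person who is unique within the extract."""
    return Counter(tuple(row[q] for q in quasi_ids) for row in rows)


def small_cells(rows: Rows, quasi_ids: Sequence[str], k: int = 5) -> Dict[Key, int]:
    """Combinations seen fewer than k times: the small numbers the glossary warns about."""
    return {key: n for key, n in equivalence_classes(rows, quasi_ids).items() if n < k}


def min_class_size(rows: Rows, quasi_ids: Sequence[str]) -> int:
    classes = equivalence_classes(rows, quasi_ids)
    return min(classes.values()) if classes else 0


def is_safe_to_release(rows: Rows, quasi_ids: Sequence[str], k: int = 5) -> bool:
    """k-anonymity check: every quasi-identifier combination appears at least k times."""
    return len(rows) > 0 and min_class_size(rows, quasi_ids) >= k


def postcode_area(district: str) -> str:
    """Generalisation step: 'S60' -> 'S' (keep only the letter prefix)."""
    return district.rstrip("0123456789")


def generalise(rows: Rows, transforms: Dict[str, Callable[[str], str]]) -> List[Dict[str, str]]:
    """Coarsen quasi-identifier values so more rows fall into the same class.
    Returns new rows; the input is left untouched."""
    out = []
    for row in rows:
        new = dict(row)
        for column, fn in transforms.items():
            new[column] = fn(new[column])
        out.append(new)
    return out


def suppress_small_cells(rows: Rows, quasi_ids: Sequence[str], k: int = 5) -> Tuple[List[Dict[str, str]], int]:
    """Suppression step: drop the rows that are still in classes smaller than k.
    Returns (kept_rows, dropped_count) so the loss can be reported to the IAO."""
    small = small_cells(rows, quasi_ids, k)
    kept = [r for r in rows if tuple(r[q] for q in quasi_ids) not in small]
    return kept, len(rows) - len(kept)


if __name__ == "__main__":
    print("small cells before:", small_cells(SAMPLE_ROWS, QUASI_IDS))
    coarse = generalise(SAMPLE_ROWS, {"postcode_district": postcode_area})
    print("small cells after generalising postcode:", small_cells(coarse, QUASI_IDS))
    kept, dropped = suppress_small_cells(coarse, QUASI_IDS)
    print("rows released:", len(kept), "suppressed:", dropped, "safe:", is_safe_to_release(kept, QUASI_IDS))
```

Generalisation alone does not rescue the rare-diagnosis row: no amount of postcode coarsening makes a single patient with a rare disease look like five, so that row has to be suppressed or the diagnosis field itself coarsened. Run the check on the final extract, not the intermediate one, because each transformation changes the class sizes.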

Authentication Requirements An identifier enables organisations to collate data about an individual. There are increasingly onerous registration processes and document production requirements imposed to ensure that the correct person can have, for example, the correct access to a system or a smartcard. These are warning signs of potential privacy risks.

Caldicott The seven Caldicott Principles were established following the original Caldicott review in 1997 and its further development in 2013. The principles are:
1. justify the purpose(s)
2. don't use patient-identifiable information unless it is necessary
3. use the minimum necessary patient-identifiable information
4. access to patient-identifiable information should be on a strict need-to-know basis
5. everyone with access to patient-identifiable information should be aware of their responsibilities
6. understand and comply with the law
7. the duty to share information can be as important as the duty to protect patient confidentiality

Data Protection Act 2018

This Act defines the ways in which information about living people may be lawfully used and handled. Its main intent is to protect individuals against misuse or abuse of information about them. The six data protection principles specify that personal data must be:
1. used fairly, lawfully and transparently
2. used for specified, explicit purposes
3. used in a way that is adequate, relevant and limited to only what is necessary
4. accurate and, where necessary, kept up to date
5. kept for no longer than is necessary
6. handled in a way that ensures appropriate security, including protection against unauthorised processing, access, loss, destruction or damage

European Economic Area (EEA)

The European Economic Area comprises the EU member states plus Iceland, Liechtenstein and Norway.


Explicit consent Express or explicit consent is given by a patient actively agreeing, either orally (which must be documented in the patient's case notes) or in writing, to a particular use or disclosure of information.

IAA (Information Asset Administrator)

These are individuals who ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management, and ensure that information asset registers are accurate and up to date. These roles tend to be held by system managers.

IAO (Information Asset Owner)

These are senior individuals involved in running the relevant service/department. Their role is to understand and address risks to the information assets they ‘own’ and to provide assurance to the SIRO on the security and use of those assets. They are responsible for providing regular reports regarding information risks and incidents pertaining to the assets under their control/area.

Implied consent Implied consent is given when an individual takes some other action in the knowledge that in doing so he or she has incidentally agreed to a particular use or disclosure of information, for example, a patient who visits the hospital may be taken to imply consent to a consultant consulting his or her medical records in order to assist diagnosis. Patients must be informed about this and the purposes of disclosure and also have the right to object to the disclosure.

Information Assets

Information assets are records, information of any kind, data of any kind and any format which we use to support our roles and responsibilities. Examples of Information Assets are databases, systems, manual and electronic records, archived data, libraries, operations and support procedures, manual and training materials, contracts and agreements, business continuity plans, software and hardware.

Information Risk An identified risk to any information asset that the organisation holds. Please see the Risk Policy for further information.


Personal Data This means data which relates to a living individual who can be identified:
1. from those data, or
2. from those data and any other information which is in the possession of, or is likely to come into the possession of, the data controller.

It also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Privacy and Electronic Communications Regulations 2003

These regulations apply to the sending of unsolicited marketing messages electronically, for example by telephone, fax, email and text. Unsolicited marketing material should only be sent if the recipient has opted in to receive it.

Privacy Invasive Technologies

Examples of such technologies include, but are not limited to, smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining and logging of electronic traffic. Technologies that are inherently intrusive, new, or perceived as threatening cause concern and therefore represent a privacy risk.

Pseudonymisation

Where patient identifiers such as name, address and date of birth are replaced with a pseudonym, code or other unique reference, so that the data can only be re-identified by those who hold the key or reference table linking the pseudonym back to the individual.
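The definition above turns on who holds the "code or reference". An added example follows (this is illustrative code, not the Trust's pseudonymisation method or any NHS tool) showing why a plain hash of the NHS number is not a pseudonym in that sense: anyone can recompute it for every candidate number and reverse it, whereas an HMAC under a secret key held only by the re-identifying party is deterministic (so linkage still works) but not reversible without the key. The record layout, the key-handling split and the sample records are assumptions; the two NHS numbers are constructed values that pass the modulus-11 check digit.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records (not real patients); the NHS numbers are values
# that satisfy the check-digit rule, used here only so enumeration is realistic.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"nhs_number": "9434765919", "name": "A. Example", "dob": "1970-01-01", "diagnosis": "asthma"},
    {"nhs_number": "4010232137", "name": "B. Example", "dob": "1985-06-30", "diagnosis": "diabetes"},
]

# Assumed set of direct identifiers to strip from the analyst's copy.
DIRECT_IDENTIFIERS = ("nhs_number", "name", "dob")


def is_valid_nhs_number(value: str) -> bool:
    """Modulus-11 check digit: weights 10..2 on the first nine digits, check = 11 - (sum mod 11),
    where a result of 11 means 0 and a result of 10 means the number is invalid."""
    if len(value) != 10 or not value.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(value[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(value[9])


def unkeyed_pseudonym(nhs_number: str) -> str:
    """Plain SHA-256. Looks opaque, but anyone can recompute it for every candidate
    NHS number (the valid space is only about a billion values), so it is reversible."""
    return hashlib.sha256(nhs_number.encode()).hexdigest()


def generate_key() -> bytes:
    """Secret pseudonymisation key; held by the re-identifying party only, never with the data."""
    return secrets.token_bytes(32)


def keyed_pseudonym(nhs_number: str, key: bytes) -> str:
    """HMAC-SHA256 under the secret key: the same patient always maps to the same
    pseudonym, but the mapping cannot be computed without the key."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(pseudonym: str, candidates: Iterable[str], key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: try every candidate identifier and compare. Works against plain
    hashes; against keyed pseudonyms it only works for whoever holds the key."""
    for cand in candidates:
        guess = keyed_pseudonym(cand, key) if key is not None else unkeyed_pseudonym(cand)
        if hmac.compare_digest(guess, pseudonym):
            return cand
    return None


def pseudonymise_extract(records: Iterable[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Replace the NHS number with a keyed pseudonym and drop the other direct identifiers.
    Returns (rows for the analyst, re-identification map that stays with the key holder)."""
    rows: List[Dict[str, str]] = []
    reid: Dict[str, str] = {}
    for rec in records:
        pseud = keyed_pseudonym(rec["nhs_number"], key)
        reid[pseud] = rec["nhs_number"]
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pseud
        rows.append(row)
    return rows, reid


if __name__ == "__main__":
    key = generate_key()
    rows, reid = pseudonymise_extract(SAMPLE_RECORDS, key)
    candidates = [r["nhs_number"] for r in SAMPLE_RECORDS]
    print("analyst sees:", rows)
    print("plain hash reversed:", reverse_by_enumeration(unkeyed_pseudonym("9434765919"), candidates))
    print("keyed pseudonym reversed without key:", reverse_by_enumeration(rows[0]["pseudonym"], candidates))
    print("key holder re-identifies:", reid[rows[0]["pseudonym"]])
```

The security of the scheme rests entirely on keeping the key and the re-identification map away from the people who receive the pseudonymised rows; if both travel with the extract, the data is identifiable again and the DPIA should treat it as such.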

Records Management: NHS Code of Practice

Is a guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. It is based on current legal requirements and professional best practice. The code of practice contains an annex with a health records retention schedule and a Business and Corporate (non-health) records retention schedule.

Retention Periods Records are required to be kept for a certain period, either because of a statutory requirement or because they may be needed for administrative purposes during this time. If an organisation decides that it needs to keep records longer than the recommended minimum period, it can vary the period accordingly and must record the decision and the reasons behind it. The retention period should be calculated from the beginning of the year after the last date on the record. Any decision to keep records longer than 30 years must obtain approval from The National Archives.

Sensitive Data (Special Category)

This means personal data consisting of information as to the:
A. racial or ethnic group of the individual
B. political opinions of the individual
C. religious beliefs or other beliefs of a similar nature of the individual
D. whether the individual is a member of a trade union
E. physical or mental health of the individual
F. sexual life of the individual
G. sexual orientation of the individual
H. biometric data
I. genetic data

SIRO (Senior Information Risk Owner)

This person is an executive who takes ownership of the organisation’s information risk policy and acts as advocate for information risk on the Board

4. FURTHER INFORMATION

Relevant statutory legislation and law:

Common Law Duty of Confidentiality

Data Protection Act 2018

Freedom of Information Act 2000

General Data Protection Regulation (EU) 2016/679

Human Rights Act 1998

Privacy and Electronic Communications Regulations 2003 (as amended)

Counter Fraud, Bribery and Corruption Policy (Trust Counter Fraud Policy)

Further reading and guidance:

Caldicott 2 Review Report and Recommendations

Review of Data Security, Consent and Opt Outs

Confidentiality Code of Practice


HSCIC Code of practice on confidential information

Information Security Code of Practice

Records Management Code of Practice

The ICO’s Anonymisation: managing data protection risk code of practice may help identify privacy risks associated with the use of anonymised personal data.

The ICO’s Data sharing: code of practice may help to identify privacy risks associated with sharing personal data with other organisations.

The ICO’s Privacy Notices: Code of Practice.


Section 1 Appendix 2

Data Protection Impact Assessment (DPIA) Screening Questions

The screening questions below should be used to inform whether a DPIA is necessary. This is not an exhaustive list; in the event of uncertainty, completion of a DPIA is recommended.

Title:
Brief description:

Screening completed by:
Name, Title:
Department:
Email:
Date:

Marking any of these questions is an indication that a DPIA is required:

Screening Questions (tick those that apply)

1 Will the project involve the collection of new identifiable or potentially identifiable data about individuals? ☐

2 Will the project compel individuals to provide data about themselves or involve the processing of personal data not obtained directly from the individual?i.e. where they will have little awareness or choice or where it is impossible, or would involve disproportionate effort, to inform the individuals that the processing is taking place

3 Will identifiable data about individuals be shared with other organisations or people who have not previously had routine access to the data?

4 Are you using data about individuals for a purpose it is not currently used for or in a new way?i.e. using data collected to provide care for a service evaluation; data matching where data obtained from multiple sources is combined, compared or matched

5 Where data about individuals is being used, would this be likely to raise privacy concerns or expectations?i.e. will it include health records, genetic data, criminal records or other information that people may consider to be sensitive and private and may cause them concern or distress.

6 Will the project require you to contact individuals in ways which they may find intrusive?i.e. telephoning or emailing them without their prior consent.

7 Will the project result in you making decisions in ways which can have a significant impact on individuals?i.e. will it affect the care a person receives? Is it based on automated decision making (including profiling)?

8 Does the project involve you using new technology which might be perceived as being privacy intrusive?i.e. using biometrics, facial recognition, Artificial Intelligence or tracking (such as tracking an individual’s geolocation or behaviour)

9 Is a service/processing activity being transferred to a new supplier/organisation (or re-contracted) at the end of an existing contract?

10 Will the project involve systematic monitoring of a publicly accessible area on a large scale?i.e. use of CCTV

11 Will the project involve the targeting of children or other vulnerable individuals?i.e. for marketing purposes, profiling or other automated decision making

DPIA required? Yes ☐ No ☐


Please note that once completed the following sections (1 to 4) should be extracted from the rest of this document prior to being included within the Publication Scheme.

Data Protection Impact Assessment (DPIA)

Please complete all questions with as much detail as possible (liaising with partners/third parties) and then contact the IG Team prior to seeking approval.

Section 1: System/Project General Details

System/project/process (referred to hereafter as ‘project’) title:
Objective:
Detail: Why is the new system/change in system required? Is there an approved business case?
Stakeholders/Relationships/Partners: Please outline the nature of such relationships and the corresponding roles of other organisations.
Other related projects:
Project lead: Name: Title: Department: Telephone: Email:

Information Asset Owner: All information systems/assets must have an Information Asset Owner (IAO). IAOs should normally be a Head of Department/Service.

Name: Title:Department:Telephone:Email

Information Asset Administrator: Information systems/assets may have an Information Asset Administrator (IAA), who reports to the IAO. IAAs are normally System Managers/Project Leads.

Name: Title:Department:Telephone:Email


Section 2: Data Protection Impact Assessment Key Questions

Question / Response

Data Items

1. Will the project use identifiable or potentially identifiable data in any way? If answered ‘No’ then a DPIA is not normally suggested.

☐ Yes ☐ No

If yes, who will this data relate to:☐ Patient☐ Staff☐ Other: Click here to enter text.

2. Please state purpose for the processing of the data:For example, patient care, commissioning, research, audit, evaluation.

3. Please tick the data items that are held in the system

Personal

Special categories of personal data (sensitive data)

☐ Name ☐ Address ☐ Post Code ☐ Date of Birth ☐ GP Practice ☐ Date of Death ☐ NHS Number ☐ NI Number ☐ Passport Number ☐ Pseudonymised Data ☐ Online Identifiers (e.g. IP Number, Mobile Device ID)

☐ Health Data ☐ Trade Union membership☐ Political opinions ☐ Religion☐ Racial or Ethnic Origin ☐ Sex life and sexual orientation☐ Biometric Data ☐ Genetic Data ☐ Other:

4. What consultation/checks have been made regarding the adequacy, relevance and necessity for the processing of the data for this project?

5. How will the data be kept up to date and checked for accuracy and completeness?

Data processing

6. Will a third party be processing data for TRFT or one of its contractors?

☐ Yes ☐ NoIf no, please go to the Confidentiality section.


7. Is the third party contractor/supplier for the project registered with the Information Commissioner?

☐ Yes ☐ NoOrganisation: Data Protection Registration Number:

8. Has the third party supplier completed and published a satisfactory Data Security and Protection Toolkit submission?Please note that the Data Security and Protection Toolkit replaced the IG Toolkit from 1 April 2018.

☐ Yes ☐ NoIf yes, please give organisation code:

DSP Toolkit Score:☐ Satisfactory ☐ Not satisfactory☐ Satisfactory with Improvement PlanClick here to enter text.

9. Does the third party/supplier contract(s) include all the necessary Information Governance clauses regarding Data Protection and Freedom of Information?

☐ Yes ☐ No

Is the contract based on, or does it utilise, the NHS standard contract? ☐ Yes ☐ No

10. Will other third parties (not already identified) have access to the data? Include any external organisations.

☐ Yes ☐ No

If so, for what purpose?

Please list organisations and by what means of transfer:

Confidentiality

11. Please outline how individuals will be informed and kept informed about how their data will be processed. A copy of the privacy notice and/or leaflets must be provided.

12. Does the project involve the collection of data that may be unclear or intrusive?Are all data items clearly defined? Is the data collected limited to a specific set of predefined categories?

☐ Yes ☐ No


13. Are you relying on individuals (patients/staff) to explicitly consent to the processing of personal identifiable or sensitive data? Please provide copies of any consent documentation that will be used, including patient information leaflets.

☐ Yes ☐ No (Go to next question)How will consent be obtained and by whom?Click here to enter text.

Will the consent cover all proposed processing and sharing/disclosures?☐ Yes ☐ No

If no, please detail:Click here to enter text.

14. If explicit consent is not being sought, what legal basis enables this data processing?For more information about conditions for processing, please see the ICO’s GDPR website.

Personal data (identifiers and potentially identifiable data):☐ Relating to a contract: Click here to enter text.☐ Legal obligation: Click here to enter text.☐ Vital interests: Click here to enter text.☐ Public Interest task: ☐ Other: Click here to enter text.

Special categories of personal data (sensitive data), if applicable:☐ Medical related: Click here to enter text.☐ Public Health: Click here to enter text.☐ Employment related: Click here to enter text.☐ Vital interests: Click here to enter text.☐ Already public: Click here to enter text.☐ Legal claim related: Click here to enter text.☐ Substantial public interest: Click here to enter text.☐ Other: Click here to enter text.

15. Will identifiable data only be handled within the patients’ direct care team (in accordance with the Common Law Duty of Confidentiality)?

☐ Yes ☐ No

16. How will consent, non-consent, objections or opt-outs be recorded and respected?

17. What arrangements are in place to process Subject Access Requests?What would happen if such a request were made?


18. Will the processing of data be automated? Will the proposed processing of data involve automated means of processing to determine an outcome for the individual?

☐ Yes ☐ No☐ Not applicable

If yes, please outline what arrangements are available to enable the individual to access and extract their data (in a standard file format). Please also detail any profiling that may take place as part of the automated processing: Click here to enter text.

19. What process is in place for rectifying/blocking data?What would happen if such a request were made?

Engagement

20. Has stakeholder engagement taken place? Yes ☐ No ☐

If yes, how have any issues identified by stakeholders been considered?

Data Sharing

21. Does the project involve any new data sharing between stakeholder organisations?

☐ Yes ☐ No

If yes, please describe: (The IG department will need to draft a data sharing agreement which will then need approval)

Data Linkage

22. Does the project involve linkage of personal data with data in other collections, or a significant change in data linkages? The degree of concern is higher where data is transferred out of its original context (e.g. the sharing and merging of datasets can allow the collection of a much wider set of information than needed, and identifiers might be collected or linked which prevent personal data from being kept anonymous).

Yes ☐ No ☐

If yes, please provide a data flow diagram showing how identifiable information would flow and ensure this is added to the TRFT Information Asset and Data Flow Register (see Information Assets and Data Flows section).

Information Security


23. Who will have access to the data within the project? Please refer to roles/job titles/organisations.

24. Is there a useable audit trail in place for the project? For example, to identify who has accessed a record?

Yes ☐ No ☐

If yes, please outline the audit plan: Click here to enter text.

25. Where will the data be kept/stored/accessed?Where applicable, please refer to data flow diagram.

26. Please indicate all methods in which data will be transferred

☐ Fax ☐ Email (Unsecure/Personal)☐ Email (Secure/nhs.net) ☐ Internet (unsecure – e.g. http)☐ Telephone ☐ Internet (secure – e.g. https)☐ By hand ☐ Courier☐ Post – track/traceable ☐ Post – normal☐ Other:

27. Does the project involve privacy enhancing technologies? For example, new forms of encryption, two-factor authentication and/or pseudonymisation.

Yes ☐ No ☐

If yes, please give details:

28. Is there a documented System Specific Security Policy (SSSP) or process for this project?A SSSP is required for new systems – this is likely to need to be completed by the supplier.

If yes, please provide a copy. (Template available from IG).

Privacy and Electronic Communications Regulations

29. Will the project involve the sending of unsolicited marketing messages electronically, such as by telephone, fax, email or text? Please note that seeking to influence an individual is considered to be marketing.

☐ Yes ☐ No

If yes, what communications will be sent?Click here to enter text.

Will consent be sought prior to this?

If no, please explain why consent is not being sought first:

Records Management


30. What are the specific retention periods for this data? Please refer to the Records Management Code of Practice for Health and Social Care 2016 and list the retention period for identifiable project datasets.

31. Will the data be securely destroyed when it is no longer required?

☐Yes ☐ No

Please detail: Click here to enter text.

Information Assets and Data Flows

32. Has an Information Asset Owner been identified, and does the Information Asset and Data Flow Register require updating?

☐ Yes ☐ No

If yes, include the name of the completed Information Asset Register.

Does this project constitute a change to existing Information Asset(s) or is this a new Information Asset?☐ New ☐ Existing

Has the Information Asset Register been updated by the IAO?

☐ Yes ☐ No

Business Continuity

33. Have the business continuity requirements been considered?

☐ Yes ☐ No☐ Business Continuity is not applicable

Please explain and either reference how such plans link with the organisational plan or why there are no business continuity considerations that are applicable for this project: Click here to enter text.

Open Data

34. Will identifiable/potentially identifiable data from the project be released as Open Data (placed into the public domain)?

☐ Yes ☐ No

If yes, please describe: Click here to enter text.

Data Processing Outside of the UK and European Union (EU)


35. Will any personal and/or sensitive data be transferred to a country outside the UK?

☐ Yes ☐ No

If yes, which data and to which country?Click here to enter text.


Section 3: Data Protection Impact Assessment Information Governance Review

Information Governance Review (for completion by IG) | Response (for completion by project lead)

Issue | Potential Risk | Recommendation | Agreed Action | Completion (Date and Initials)
1 | | | |
2 | | | |

For completion by IG:

Residual Risk | Main Risk Sources | Main Threats | Main Potential Impacts | Main Controls Reducing the Severity and Likelihood | Severity | Likelihood
1 | | | | | |
2 | | | | | |
3 | | | | | |

IG review completed by:
Review date:
Date complete and risk assessed:
Consultation with ICO required? Yes / No (delete as appropriate)


Section 4: Review and Approval

Assessment completed by

Name:Title:Date:

Data Protection Officer Approval

Name:
Title:
DPO advice: (the DPO should advise on compliance, risks identified and whether processing can proceed; if accepting any residual high risk, consult the ICO before going ahead)
Approved:
Date:

The DPO should also review ongoing compliance with DPIA

SIRO/Caldicott Guardian Approval

Name:
Title:
DPO advice accepted or overruled: (if overruled, you must explain your reasons)
Approved: ☐
Date:

This DPIA will be kept under review by:


INFORMATION GOVERNANCE POLICY

SECTION 2 DOCUMENT DEVELOPMENT, COMMUNICATION, IMPLEMENTATION AND MONITORING


8. CONSULTATION AND COMMUNICATION WITH STAKEHOLDERS

This document was developed in consultation with:

Information Governance Committee members who have consulted within the areas they represent.

9. APPROVAL OF THE DOCUMENT

This document was approved by: Information Governance Committee and Executive Team Committee (ETC)

10. RATIFICATION OF THE DOCUMENT

This document was ratified by the Trust Document Ratification Group.

11. EQUALITY IMPACT ASSESSMENT STATEMENT

An Equality Impact Assessment has been carried out in relation to this document using the approved initial screening tool; the EIA statement is detailed at Appendix 1 to this section of the document.

The manner in which this policy impacts upon equality and diversity will be monitored throughout the life of the policy and re-assessed as appropriate when the policy is reviewed.

12. REVIEW AND REVISION ARRANGEMENTS

This document will be reviewed every three years by the IG Manager, unless changes occur that require an earlier review.


13. DISSEMINATION AND COMMUNICATION PLAN

To be disseminated to: DRG Admin Support via policies email
Disseminated by: Author
How: Email
When: Within 1 week of ratification
Comments: Remove watermark from ratified document and inform DRG Admin Support if a revision and which document it replaces and where it should be located on the intranet. Ensure all document templates are uploaded as Word documents.

To be disseminated to: Communication Team (documents ratified by the Document Ratification Group)
Disseminated by: DRG Admin Support Team
How: Email
When: Within 1 week of ratification
Comments: Communication team to inform all email users of the location of the document.

To be disseminated to: All email users
Disseminated by: Communication Team
How: Email
When: Within 1 week of ratification
Comments: Communication team will inform all email users of the policy and provide a link to the policy.

To be disseminated to: Key individuals (staff with a role / responsibility within the document); Heads of Departments / Matrons
Disseminated by: Author
How: Meeting / Email as appropriate
When: When final version completed
Comments: The author must inform staff of their duties in relation to the document.

To be disseminated to: All staff within area of management
Disseminated by: Heads of Departments / Matrons
How: Meeting / Email as appropriate
When: As soon as received from the author
Comments: Ensure evidence of dissemination to staff is maintained. Request removal of paper copies. Instruct them to inform all staff of the policy, including those without access to email.

14. IMPLEMENTATION AND TRAINING PLAN

The responsibility for implementing this policy lies with the Information Governance Department. The Information Governance Department is responsible for ensuring that all relevant areas within the Trust are made aware of any changes required in the policy.

The implementation process will commence upon approval of this policy by the Trust Policy Ratification Group. It is the responsibility of Matrons/Heads of Departments/Service to ensure that new staff receive information about this policy, and it should be part of any local induction. They must also ensure that any changes to this policy are effectively communicated within their areas of responsibility.


15. PLAN TO MONITOR THE COMPLIANCE WITH, AND EFFECTIVENESS OF, THE TRUST DOCUMENT

15.1 Process for Monitoring Compliance and Effectiveness

Audit / Monitoring Criteria: Reporting of any suspected IG Breaches based on IG knowledge gained from IG Training (MAST compliance)
Process for monitoring (e.g. audit, survey): Trust’s Incident Reporting System
Audit / Monitoring performed by: All Staff, who will report any suspected incidents/breaches to a senior member of staff.
Audit / Monitoring frequency: As and when incidents occur
Audit / Monitoring reports distributed to: IG Incidents report at IGC
Action plans approved and monitored by: As per Trust’s Incident and Serious Incident Management Policy. Where an issue has arisen that requires disciplinary action, Trust Disciplinary Procedures will be followed.

Audit / Monitoring Criteria: Information Technology Infrastructure Library (ITIL) compliance
Process for monitoring (e.g. audit, survey): All new IT systems being audited. Completion of PIA
Audit / Monitoring performed by: PMO Manager
Audit / Monitoring frequency: When new IT systems planned
Audit / Monitoring reports distributed to: IGC
Action plans approved and monitored by: IGC

Audit / Monitoring Criteria: IG Training Tool (IGTT)
Process for monitoring (e.g. audit, survey): All staff completing IGTT
Audit / Monitoring performed by: IG Department/P&OD
Audit / Monitoring frequency: Annual
Audit / Monitoring reports distributed to: Line Managers
Action plans approved and monitored by: IGC

Audit / Monitoring Criteria: IG Toolkit Annual Submission
Process for monitoring (e.g. audit, survey):
Audit / Monitoring performed by: Standard Owners & IG Department
Audit / Monitoring frequency: Annual
Audit / Monitoring reports distributed to: IGC
Action plans approved and monitored by: IGC

Audit / Monitoring Criteria: Rolling programme of assessments of its information quality and records management arrangements, including annual Caldicott audits.
Process for monitoring (e.g. audit, survey): Audit
Audit / Monitoring performed by: IG Department / Department Managers / Caldicott Members
Audit / Monitoring frequency: Annual
Audit / Monitoring reports distributed to: Caldicott Group
Action plans approved and monitored by: IGC / Caldicott Group

15.2 Standards/Key Performance Indicators (KPIs)

The standard is 100% compliance with standards as set out in the monitoring table.

Data Security and Protection Toolkit
Care Quality Commission Standards


SECTION 2, APPENDIX 1

EQUALITY IMPACT ASSESSMENT (EIA) INITIAL SCREENING TOOL

Document Name: Information Governance Policy
Date/Period of Document: June 2020 – June 2023
Lead Officer: Data Protection Officer (DPO)
Job title: Data Protection Officer (DPO)
Function: Policy / Procedure / Strategy / Other: (State) ________________

Describe the overall purpose / intended outcomes of the above: To provide a consistent approach to Information Governance across the Trust and to ensure compliance with law, national guidance and related Trust policy.

You must assess each of the 9 areas separately and consider how your policy may affect people of different groups within those areas.

1. Assessment of possible adverse (negative) impact against a protected characteristic

Does this have a significant negative impact on equality in relation to each area? (Response: Yes / No. If yes, please state why and the evidence used in your assessment.)

1 Age: X
2 Disability: X
3 Gender reassignment: X
4 Marriage and civil partnership: X
5 Pregnancy and maternity: X
6 Race: X
7 Religion and belief: X
8 Sex: X
9 Sexual Orientation: X

You need to ask yourself:
Will the policy create any problems or barriers to any community or group? Yes / No
Will any group be excluded because of the policy? Yes / No
Will the policy have a negative impact on community relations? Yes / No

If the answer to any of these questions is Yes, you must complete a full Equality Impact Assessment.

2. Positive impact

Could the policy have a significant positive impact on equality by reducing inequalities that already exist? Explain how it will meet our duty to: (Response: Yes / No. If yes, please state why and the evidence used in your assessment.)

1 Eliminate discrimination, harassment and / or victimisation: X
2 Advance the equality of opportunity of different groups: X
3 Foster good relationships between different groups: X

3. Summary

On the basis of the information/evidence/consideration so far, do you believe that the policy will have a positive or negative (adverse) impact on equality?

Positive: HIGH / MEDIUM / LOW | NEUTRAL | Negative: LOW / MEDIUM / HIGH

Date assessment completed: June 2020
Is a full equality impact assessment required? Yes / No

Date EIA approved by Equality and Diversity Steering Group:
