INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

Document History

Document Reference:

Document Purpose: The document complements all other Information Governance policies and sets out the management arrangements for information governance for NHS Mansfield and Ashfield Clinical Commissioning Group and NHS Newark and Sherwood Clinical Commissioning Group

Date Approved: 22nd September 2017

Approving Committee: Information Governance Management and Technology Committee

Version Number: Version 6

Status: Approved

Next Revision Due: Annual

Developed by: Reviewed and refreshed by Corporate Governance Officer, NHS Mansfield and Ashfield Clinical Commissioning Group and NHS Newark and Sherwood Clinical Commissioning Group.

Policy Sponsor: Director of Outcomes and Information, Nottinghamshire Clinical Commissioning Groups

Target Audience: All Staff

Associated Documents: All Information Governance Policies and the Information Governance Toolkit standards




Revision History

Version Revision date Summary of Changes

1.0 July 2012 Approved by the Information Governance and Management Technology Committee

2.0 August 2013 Revised in line with NHS England Policies and updated to reflect version 11 of the Information Governance Toolkit

2.1 July 2014 Review for comment

3.0 September 2014 Approved by Information Governance Management and Technology Committee

4.0 September 2015 Revised Section 8: Training Guidance; inserted an updated version of the Information Governance Management and Technology terms of reference and membership; amended framework to reflect service level agreement

4.1 September 2016 Annual review

5.1 September 2017 Annual review

Policy Dissemination information

Reference Number:

Title: Information Governance Management Framework

Available from: Clinical Commissioning Group website


Contents

Document History
1. Introduction
2. Purpose and scope
3. Policy Statement
4. Organisational Roles & Accountability
5. Key Policies
6. Governance Arrangements
7. Training Guidance
8. Incident Management
9. Equality & Diversity
10. Monitoring and compliance
11. Further Information or guidance
12. References
Appendix 1
Appendix 2
Appendix 3

This information can be made available in alternative formats, such as easy read or large print, and may be available in alternative languages, upon request. Please contact 01623 673168 or email [email protected].


1. Introduction

This framework applies to NHS Mansfield and Ashfield and NHS Newark and Sherwood Clinical Commissioning Groups.

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources.

Delivery against these requirements will be carried out in line with the standards documented within the Information Governance Toolkit. The Information Governance Toolkit can be accessed via https://nww.igt.hscic.gov.uk using the designated organisational code, user name and password. This Framework must be documented, approved at the most appropriate senior management level in the organisation (e.g. a member of the Executive Team) and reviewed annually. This document sets out the Clinical Commissioning Group’s approach to embedding robust information governance throughout each organisation.

This policy is a standalone document and provides a summary/overview of how the Clinical Commissioning Group is addressing the Information Governance agenda and reflects the capacity and capability of the Clinical Commissioning Group.

2. Purpose and scope

The purpose of this framework is to establish employee responsibility and the rules of conduct for all members of staff regarding the Clinical Commissioning Group’s information governance framework.

This policy applies to all staff within the Clinical Commissioning Group, whether operating directly or providing services to other organisations under a service level agreement or joint agreement, and to non-executive directors, contracted third parties (including agency staff), Governing Body members, locums, students, volunteers, trainees, visiting professionals or researchers, seconded and other staff on temporary placements within the organisation.

3. Policy Statement

NHS Digital (formerly The Health & Social Care Information Centre) mandates that the Information Governance Toolkit version 14 is completed by all organisations that commission or provide services within and to the NHS.

An Information Governance Management Framework is required to be in place to ensure that the Information Governance agenda is owned and implemented in a structured manner.

4. Organisational Roles & Accountability

The Clinical Commissioning Group will:

• Appoint a Head of Information Governance, an internal Information Governance Lead, Senior Information Risk Owner and Caldicott Guardian. The roles will be included in the Clinical Commissioning Group Information Governance Toolkit return under ‘Update Information Governance Senior Management Details’ once appointed;

• The roles of Caldicott Guardian and Senior Information Risk Owner (SIRO) will be at Executive level. The Accountable Officer has overall accountability and responsibility for Information Governance and is required to provide assurance through the Statements on Internal Control that all risks to the Clinical Commissioning Group, including those relating to information, are effectively managed and mitigated; and

• Maintain policies and procedures to ensure compliance with requirements contained in the NHS Information Governance Toolkit.

The Senior Information Risk Owner will:

• Take ownership of the organisation’s information risk policy and information risk management strategy. All key information assets will be identified and their details included in an Information Asset Register;

• Ensure that Information Asset owners will be identified for each key information asset;

• Ensure that all staff assigned responsibility for coordinating and implementing information risk management will be appropriately trained to carry out their role;

• Ensure that Information Asset Owners carry out risk reviews of the assets for which they are accountable, the frequency of review depending upon the importance of the asset and the nature of the risk environment; and

• Undertake annual training required by the role as identified in the Clinical Commissioning Group training needs analysis.

The Caldicott Guardian will:

• Be added to the National Register of Caldicott Guardians;

• Identify the support necessary to ensure work related to confidentiality and data protection is appropriately carried out;

• Ensure all staff assigned responsibility for coordinating and implementing the confidentiality and data protection work programme have been appropriately trained to carry out their role;

• Advise and support Clinical Commissioning Group staff on enabling appropriate information sharing in line with the Caldicott Review recommendations; and

• Undertake annual training required by the role as identified in the Clinical Commissioning Group Training Policy [1].

The Clinical Commissioning Group Head of Information Governance will:

• Develop and maintain comprehensive and appropriate documentation that demonstrates commitment to and ownership of Information Governance responsibilities, e.g. an overarching high level strategy document supported by corporate and/or directorate policies and procedures;

• Ensure that there is senior management awareness and support for Information Governance resourcing and implementation of improvements;

• Provide direction in formulating, establishing and promoting Information Governance policies;

• Establish working groups, if necessary, to co-ordinate the activities of staff given Information Governance responsibilities and progress initiatives;

• Ensure that assessment and improvement plans are prepared for approval by the senior level of management in a timely manner and in line with national reporting requirements;

• Ensure that the approach to information handling is communicated to all staff and made available to the public;

• Ensure that appropriate training is made available to staff and completed as necessary to support their duties and in line with Information Governance Toolkit requirements and as detailed in the Clinical Commissioning Groups training policy;

• Liaise with other committees, working groups and programme boards in order to promote and integrate Information Governance standards;

• Monitor information handling activities to ensure compliance with law and guidance;

• Provide a focal point for the resolution and/or discussion of Information Governance issues; and

• Undertake annual training required by the role as identified in the Clinical Commissioning Group training policy.

The Information Asset Owner will:

• Identify and document the scope and importance of all Information Assets they own. This will include identifying all information necessary in order to respond to incidents or recover from a disaster affecting the Information Asset;

• Take ownership of their local asset control, risk assessment and management processes for the information assets they own. This includes the identification, review and prioritisation of perceived risks and oversight of actions agreed to mitigate those risks;

• Provide support to the organisation’s Senior Information Risk Owner and the appropriate risk management group to maintain their awareness of the risks to all Information Assets that are owned by the organisation and for the organisation’s overall risk reporting requirements and procedures;

• Ensure that staff and relevant others are aware of and comply with expected Information Governance working practices for the effective use of owned Information Assets. This includes records of the information disclosed from an asset where this is permitted;

• Provide a focal point for the resolution and/or discussion of risk issues affecting their Information Assets;

• Ensure that the organisation’s requirements for information incident identification, reporting, management and response apply to the Information Assets they own. This includes the mechanisms to identify and minimise the severity of an incident and the points at which assistance or escalation may be required;

• Foster an effective Information Governance culture for staff and others who access or use their Information Assets to ensure individual responsibilities are understood, and that good working practices are adopted in accordance with the organisation’s policy;

• Ensure there is good understanding of the hardware and software composition of their assigned assets to ensure their continuing operational effectiveness. This includes establishing and maintaining asset records that will help predict when asset configuration changes may be necessary; and

• Undertake annual training required by the role as identified in the Clinical Commissioning Group training policy.

[1] http://www.mansfieldandashfieldccg.nhs.uk/about-us/policies-and-procedures/non-clinical/

The Information Asset Administrator will:

• Ensure that policies and procedures are followed when using an information asset;

• Recognise actual or potential security incidents;

• Consult their Information Asset Owner on incident management;

• Assist the Information Asset Owner to ensure that information asset registers are accurate and up to date, for example by reporting when an information asset they use is no longer required; and

• Undertake annual training required by the role as identified in the Clinical Commissioning Group training policy.


The Information Governance Management and Technology committee will:

• Ensure that an appropriate comprehensive information governance framework and systems are in place throughout the constituent organisations in line with national standards. The specific responsibilities of this Committee are outlined in its terms of reference.

5. Key Policies

The Clinical Commissioning Group will provide the following policies (or equivalent) to set out scope and intent in terms of embedding Information Governance processes throughout the Organisation:

• Confidentiality and Data Protection Policy;

• Information Security Policy;

• Corporate Governance Policy (which covers The Freedom of Information Act 2000);

• Information Lifecycle Management Policy (which covers Records Management and Information Quality).

• In particular the Clinical Commissioning Group will implement policies as required to support confidentiality, security and records management processes in addition to this Information Governance Management Framework.

The Clinical Commissioning Groups will:

• Develop and maintain comprehensive and appropriate documentation that demonstrates commitment to and ownership of Information Governance responsibilities, e.g. an overarching high level strategy document supported by corporate and/or directorate policies and procedures;

• Ensure that there is senior management awareness and support for Information Governance resourcing and implementation of improvements;

• Provide direction in formulating, establishing and promoting Information Governance policies;

• Establish working groups, if necessary, to co-ordinate the activities of staff given Information Governance responsibilities and progress initiatives;

• Ensure that assessment and improvement plans are prepared for approval by the senior level of management in a timely manner and in line with national reporting requirements;

• Ensure that the approach to information handling is communicated to all staff and made available to the public;

• Ensure that appropriate training is made available to staff and completed as necessary to support their duties and in line with Information Governance Toolkit requirements;

• Liaise with other committees, working groups and programme boards in order to promote and integrate Information Governance standards;

• Monitor information handling activities to ensure compliance with law and guidance; and

• Provide a focal point for the resolution and/or discussion of Information Governance issues.

6. Governance Arrangements

The following governance arrangements have been agreed:

• The Clinical Commissioning Group Governing Body will receive annual assurance that management and accountability arrangements are adequate and will be informed in a timely manner of future changes in the Information Governance agenda by Information Governance updates from Quality and Risk Committee;

• The Clinical Commissioning Group will be represented at the Information Governance Management and Technology Committee, which has delegated authority from each of the Clinical Commissioning Group Governing Bodies for Information Governance compliance;

• The shared Clinical Commissioning Group Information Governance Management and Technology Committee (or equivalent) will have responsibility for the Information Governance Agenda supported by identified senior roles i.e. Caldicott Guardian, Senior Information Risk Owner, and Information Governance Lead;

• Responsibility and accountability for Information Governance will be cascaded through the organisation via staff contracts, contracts with third parties, Information Asset Owner arrangements and departmental leads;

• Key information governance messages will be developed by the Head of Information Governance.

7. Training Guidance

It is recognised that Information Governance education, training and awareness are essential for developing and improving staff members’ Information Governance knowledge and skills. Staff need to understand the value of information and their responsibility for it, including data quality, information security, records management, confidentiality, legal duty, information law, rights of access and patients’ rights in terms of a right of privacy and choice.

The completion of annual Information Governance training is mandatory for all staff, whether permanent, temporary or contracted. Initially, all new starters will complete their Information Governance training via the NHS Digital Information Governance online training tool [2] as part of their induction programme.

Refresher Information Governance training can be completed via the NHS Digital Information Governance training tool, Electronic Staff Record or via face-to-face sessions delivered by the appropriate Information Governance Lead.

Mandatory annual Information Governance Training should be completed by all third party contractors.

8. Incident Management

Clear guidance on reporting of information incidents and their management will be documented and staff will be made aware of their existence, where to find them and how to implement them.

9. Equality & Diversity

The Clinical Commissioning Group aims to design and implement policy documents that meet the diverse needs of the services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all.

This document has been designed to ensure that no-one receives less favorable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act

10. Monitoring and compliance

The Information Governance Management Framework will be reviewed annually in line with Information Governance Toolkit requirements or amended as required to reflect changes in organisational ownership.

The Clinical Commissioning Groups will monitor staff compliance with the policy internally.

11. Further Information or guidance

Clinical Commissioning Group Corporate Governance Officer.

12. References

Confidentiality: NHS Code of Practice
https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice

Information Governance Toolkit
https://www.igtt.hscic.gov.uk/igte/index.cfm

Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents
http://www.mansfieldandashfieldccg.nhs.uk/index.php/governance-and-policy

Information Risk Management
http://systems.digital.nhs.uk/infogov/security/risk

Information: To Share or Not To Share? The Information Governance Review
https://www.gov.uk/government/publications/the-information-governance-review

NHS Digital Information Governance
http://systems.digital.nhs.uk/infogov

[2] https://www.igtt.hscic.gov.uk/igte/index.cfm


Appendix 1

NOTTINGHAMSHIRE CLINICAL COMMISSIONING GROUP (CCG) INFORMATION GOVERNANCE REPORTING FRAMEWORK

CCG GOVERNING BODY

Receives minutes and highlight report

Corporate Governance Manager, NHIS

INFORMATION GOVERNANCE, MANAGEMENT AND TECHNOLOGY COMMITTEE

East Midlands Strategic Information Governance Committee

RECORDS AND INFORMATION GROUP (RIG) (Local Health Community IG Leads)

IG LEADS MEETING

Nottinghamshire CCG Operational IG Leads/GEM IG Lead

SIRO and CALDICOTT Advice
