Information Governance Strategy v4 1
Policy No: IG01
Version: 4.0
Name of Policy: Information Governance Strategy
Effective From: 30/06/2016
Date Ratified: 09/02/2016
Ratified by: Health Informatics Assurance Group (HIAG)
Review Date: 01/02/2018
Sponsor: Director of Finance and Information
Expiry date: 08/08/2019
Withdrawn Date:
Unless this copy has been taken directly from the Trust intranet site (Pandora) there is no assurance that
this is the most up to date version.
This strategy supersedes all previous issues.
Version Control
Version | Release | Author / Reviewer | Ratified by / Authorised by | Date | Changes (please identify page no.)
1.0 | Jan 2012 | Kevin Craddock – IG Lead | Health Informatics Assurance Committee (HIAC) | Jan 2012 |
2.0 | Jan 2013 | Lauren Hamill – IG Lead | Health Informatics Assurance Committee (HIAC) | Jan 2013 | Document re-formatted to comply with Trust standards
3.0 | March 2015 | Marie Galloway – Information Governance Lead | Health Informatics Assurance Group (HIAG) | March 2015 | Document re-formatted to comply with the Trust’s IGTK standards
4.0 | 30/06/2016 | Marie Galloway – Information Governance Lead | Health Informatics Assurance Group (HIAG) | 09/02/2016 | Amendments made to account for the reconvened Records Management Group in Oct 2015 and changes to the structure diagrams in appendices 1 and 2
Contents (Page No.)
1. Introduction ... 4
2. Strategy scope ... 4
3. Aim of strategy ... 4
4. Duties - roles and responsibilities ... 4
5. not used ... 6
6. Information Governance strategy ... 7
6.1 NHS framework ... 7
6.2 Objectives of the strategy ... 7
6.3 Principles of the strategy ... 9
6.4 Staff and resources ... 10
6.5 Management board structure ... 10
6.6 Working groups ... 10
6.7 The Information Governance Toolkit ... 11
6.8 The Information Governance programme deliverables ... 11
6.8.1 The IG policy framework ... 12
6.8.2 The annual work plan ... 12
6.8.3 Contracts ... 13
6.8.4 Information risk management programme ... 13
6.8.5 Projects – procurement of systems / change management processes ... 16
6.8.5.1 Privacy impact assessments ... 16
6.8.5.2 IT/IG risk assessment ... 16
6.8.6 Integrated working ... 16
6.8.7 Research ... 17
6.8.8 Information requests ... 17
6.8.9 Management of records ... 17
6.8.10 The management and reporting of security incidents ... 17
6.8.11 Staff training ... 18
6.8.11.1 E-learning training ... 19
6.8.11.2 Specialist training ... 19
6.8.11.3 Bespoke or departmental training ... 19
6.8.11.4 The training needs analysis (TNA) matrix ... 20
6.9 Staff disciplinary ... 20
7. Training ... 20
8. Equality and diversity ... 20
9. Monitoring the compliance / effectiveness of this strategy ... 20
10. Consultation and review of this strategy ... 21
11. Implementation of this policy ... 21
12. References ... 21
13. Associated documentation ... 21
Appendix 1 Roles and accountability structure ... 23
Appendix 2 Committee / group structure ... 24
Appendix 3 Terms of reference for the HIAG ... 25
Appendix 3a Membership of the HIAG ... 28
Appendix 4 Information Governance Toolkit controls summary ... 29
Appendix 5 The policy and procedure IG framework ... 31
Appendix 6 The Information Governance work plan ... 33
Appendix 7 The Trust’s IG specialist training programme ... 35
1. Introduction
Information is a vital asset for any organisation. Our information assets at Gateshead Health NHS
Trust support both the day to day clinical operations and the effective management of our services
and resources. As a provider of healthcare, the Trust is responsible for ensuring that any information
collated is handled and protected securely, whilst always being available at any one time when
needed to ensure the safety and effective care of our patients.
Information Governance provides a secure mechanism for the handling of all types of information
in relation to patients, employees and clients who conduct business with the Trust. It is therefore
critical that the information we hold across the Trust’s business activities is accurate, free from
unauthorised disclosures and is available in a timely manner to aid effective decision making when
needed. Effective information plays a key part in corporate and clinical governance, strategic risk,
service planning and performance management.
2. Strategy scope
This Strategy applies to:-
• Any individual employed, in any capacity, by the Trust including employees, students,
volunteers and third party contractors;
• All paper and electronic information;
• All information systems and information assets managed by or used by the organisation.
For the purpose of this Strategy the term “information asset” will refer to any useful or valuable
store of information in any format, which is processed, held or potentially requires a facility of
transfer.
3. Aim of strategy
This Strategy sets out the Trust’s information governance assurance framework for the handling of
information. It brings together a set of statutory, mandatory and best practice standards as road
mapped in the information governance toolkit. It provides a robust information governance
framework of clear and effective management and accountability structures, governance
processes, documented policies and procedures, trained staff and adequate resources which are
required to ensure any information sourced by the Trust is held appropriately, securely and legally.
By adhering to these requirements, standards and best practice for the processing of personal data
it will help the Trust to:-
• Provide excellent care to our patients;
• Comply with the law;
• Implement the DoH guidelines and standards;
• Plan year on year improvements in the information governance agenda;
• Fulfill the IG Toolkit requirements;
• Provide assurance against international standards such as the ISO 15489 Records
Management Standard and the ISO 27001/27002 Information Security Standard.
4. Duties – roles and responsibilities
Trust Board
The Trust Board will define the requirements of the Information Governance Strategy, taking into
account the legal principles and NHS framework standards. The Board will ensure sufficient
resources are provided to support the requirements of this Strategy.
Chief Executive Officer (CEO)
The Chief Executive has overall accountability and responsibility for the Trust’s information governance
agenda and will provide assurance through the Statement of Internal Control that all risks, including
those relating to information risks are effectively managed and mitigated, where appropriate. The
CEO will ensure all statutory obligations and any Department of Health Directives are complied
with.
Senior Information Risk Owner (SIRO)
The Director of Finance and Informatics, who is an appointed Executive Director on the Board, is
the Trust’s appointed Senior Information Risk Owner (SIRO) responsible for all aspects of IG and
Information Security. This task has been delegated to the Deputy Director of Informatics.
Caldicott Guardian (Medical Director)
The Medical Director who is the Trust’s appointed Caldicott Guardian will act in a strategic, advisory
and facilitative capacity to provide assurance on all clinical, confidentiality and data sharing
matters. The Caldicott Guardian will approve, monitor and review processes where access to
clinical information is required by other Trust departments and third party organisations, both NHS
and non-NHS. The Caldicott function will be managed through an action plan/ gap analysis for the
IG toolkit.
Information Governance Lead
The Information Governance Lead will provide operational management of the Trust’s Information
Governance framework. The IG Lead will:-
• Provide strategic direction, planning and guidance to ensure compliance with information
governance legislation and the national agenda;
• Ensure work practices are evaluated and supported through the development of
appropriate policy and procedures across the organisation;
• Develop an appropriate IG induction and mandatory programme for all staff;
• Monitor all actual and near miss security incidents within the organisation;
• Complete the Department of Health’s annual IGTK self-assessment and submission in a
timely manner;
• Assist the IT Directory and Security Manager with all IG/IT related matters as and when
necessary.
IT Directory and Security Manager
The Trust’s IT Directory and Security Manager will:-
• Provide IT technical advice on all matters relating to IT security for compliance with the
Information Governance Framework;
• Assist with all reported IG and IT security incidents as and when necessary.
Head of Informatics, Programmes & Projects
The Head of Informatics, Programmes and Projects will work with the IG Team to ensure all new IT
systems and processes are identified and all relevant privacy impact assessments are conducted to
ensure the implementation of any new technology does not give rise to any privacy concerns.
Health Records Manager
The Trust’s Health Records Manager will take full responsibility for:-
• The management of all health records; and
• The undertaking of the Trust’s annual corporate/health record audit programme.
Information Asset Owners (IAOs)
The Trust’s appointed Information Asset Owners (IAOs) will support the Information Governance
Lead to ensure all information assets are assigned appropriate ownership. The IAOs are
accountable to the SIRO and will report any information risks to the IG Lead/SIRO to ensure all
information risks are managed effectively for those information assets which they are assigned
ownership. Each IAO will be required to:-
• Foster a culture that values the protection and use of information assets;
• Know who has access to their information assets (whether paper or electronic) and be
able to demonstrate that access is routinely monitored and reviewed;
• Document and justify the nature of their information flows to and from the Trust’s
information assets;
• Provide assurance to the SIRO that all risks are monitored through the application of annual
risk assessments.
Information Asset Administrators (IAAs)
The Trust’s appointed Information Asset Administrators (IAAs) will assist the IAOs in their day to
day duties and consult with the IAOs on incident management. This will generally be the nominated
team managers, supervisors or system administrators who manage the information assets and
system processes at a local level. All IAAs will need to ensure:-
• Systems and assets are configured with appropriate controls and are reviewed regularly for
compliance with the Trust’s security policy requirements;
• Appropriate authority is provided before user access is granted;
• User accounts on systems are deleted as and when necessary.
Managers
All service managers will ensure:-
• They take responsibility for the implementation of appropriate IG standards in local
processes for compliance purposes;
• Job descriptions contain appropriate confidentiality and information security clauses;
• Staff undertake mandatory IG training on an annual basis, including any ongoing training
needs that may affect the Trust’s practices;
• They take day-to-day responsibility for the physical environment where information is stored
and processed.
Communication Team
The Communication Team will liaise with all stakeholders to ensure appropriate messages relating
to information governance are communicated.
All Staff
All staff will have adequate IG training in their dedicated area to enable them to carry out their
roles and responsibilities.
Third Parties/Contractors
Appropriate contracts containing confidentiality and information security clauses will be issued and
honoured by all contractors and third parties who have been given rights of access to our
information assets.
(For further information please refer to the Roles and Accountability Structure in Appendix 1).
5. not used
6. Information Governance strategy
6.1 NHS framework
The NHS Operating Framework sets out the Trust’s approach to Information Governance.
The main legal framework governing the use of personal data includes:-
• The Data Protection Act 1998;
• The Freedom of Information Act 2000;
• The Environmental Information Regulations 2004;
• The NHS Act 2006;
• The Health and Social Care Act 2012;
• The Human Rights Act 1998;
• Re-Use of Public Sector Information Regulations 2005;
• The Computer Misuse Act 1990;
• Copyright, Designs and Patents Act 1988 (as amended by the Copyright Regulations 1992);
• Privacy and Electronic Communications Regulations 2003;
• Protection of Freedoms Act 2012.
Codes of Practice:
• The NHS Confidentiality Code of Practice;
• The Caldicott Principles;
• NHS Records Management Code of Practice;
• Lord Chancellor’s Code of Practice on Records Management under section 46 of the
Freedom of Information Act 2000;
• Information Security Management: NHS Code of Practice.
The framework pursued by this Strategy will implement the six themes of the IG Toolkit:-
• Information Governance (management, accountability, training);
• Confidentiality and Data Protection (use of personal data);
• Information Security;
• Clinical Information Assurance;
• Secondary Use Assurance of Information (data quality, non-direct use of clinical
information);
• Corporate Information Assurance (records management, freedom of information
etc.).
6.2. Objectives of the strategy
The key objective of this Strategy is to achieve a standard of excellence in
information governance. Through the implementation of this Strategy, the Trust aims to:-
• Establish and maintain policies and procedures in Data Protection and
Confidentiality, Freedom of Information, Information Security and Data Quality
that define appropriate standards for the handling of personal and corporate data.
This will lead to improvements in:-
o Information handling activities;
o Record duplication and improved records management;
o Patient confidence in the Trust and the NHS;
o Better trained staff.
• Undertake or commission annual assessments and audits of its policies and
arrangements to improve current working practices. This will minimise corporate
risks arising from poor handling activities such as:-
o Increased information security incidents;
o Corporate/patient complaints;
o Patient harm caused by inadequate access to patient information;
o Corporate and clinical negligence claims;
o Audit investigations and monetary fines from the ICO and other public
bodies;
o Negative press and publicity;
o Damage and stress to individuals involved in data breaches;
• Complete the annual information governance toolkit to a level 3 compliance target,
wherever possible, for the next three years.
• Develop an annual IG Improvement Plan and Action Plan arising from the baseline
assessment completed against the IG standards set out in the HSCIC Information
Governance Toolkit. This will be the vehicle used for improving information
governance at the Trust.
• Instil a culture of information governance so that all staff understand their IG
responsibilities and apply best practice and principles when managing data. This
will involve the promotion of effective information governance communication and
training to raise awareness of key security issues in the Trust.
• Develop an information risk management reporting structure to ensure all
associated information risks in the environment are appropriately managed to
support the overall risk management function of the Trust.
• Ensure there is a clear structure and framework for reporting security incidents and
management action in response to all IG requirements. The Trust will foster a
culture of change from documented lessons learnt in response to data breaches.
This will be in accordance with the Trust’s Information Risk Policy, Incident
Management Policy and The Reporting of Serious IG/Cyber Incidents Policy.
• Provide innovative solutions and streamline business processes and systems for the
handling of personal data. It is anticipated this will reduce the number of systems
that hold personal data.
• Encourage multi-disciplinary teams to work closely together to reduce repetitive
working practices by sharing information and standardising procedures and
practices.
• Encourage a culture of openness and transparency by making non-confidential
information readily and easily available through a variety of media, in line with the
Trust’s Publication Scheme. This will build positive relations with our internal and
external clients by providing an efficient and reliable service in all IG matters.
o Clear advice and guidance will be made available via the Trust’s internet site to
explain how service users can exercise their legal rights of access to
information and how they can raise concerns if they are dissatisfied with
any processing requirements;
o Information will be made available in various formats, subject to a range of
exemptions and restrictions, in response to Subject Access Requests under
the Data Protection Act 1998, FOI requests under the Freedom of
Information Act 2000 and EIR requests under the Environmental
Information Regulations;
o The Trust will publish a fair processing notice via its website to explain how
information is recorded, held and shared;
o Patients will be made aware of the importance of providing accurate and
up to date information about themselves to the Trust so that appropriate
care can be given to them as and when necessary. This will allow the
Trust’s resources to be utilised adequately.
• Ensure all key service data is accurately recorded and maintained, with regular
cross-checking against source data undertaken. Data standards/definitions used
will be clear and consistent per data item in accordance with national standards.
• Regard all personal identifiable data (PID) relating to service users as confidential
except where national policy on accountability and openness requires otherwise.
Any appropriate sharing of information will take account of relevant legislation
such as the Human Rights Act, the Health and Social Care Act, The Crime and
Disorder Act, The Protection of Children Act, the revised Caldicott Principles etc.
and the Common Duty of Confidentiality and its associated guidance.
6.3 Principles of the strategy
The Trust will adopt the Department of Health standards (called the “HORUS Model”),
which require information to be:-
• Held securely and confidentially;
• Obtained fairly and efficiently;
• Recorded accurately and reliably;
• Used effectively and ethically;
• Shared appropriately and lawfully.
The IG Strategy will take account of the Trust’s Vision and Compact Values when managing
personal data.
The implementation of this Strategy will:-
• Help staff to manage personal information for the benefit of our clients’ and
patients’ care;
• Ensure that all practices and procedures relating to the handling and holding of
personal and Trust corporate data is legal and conforms to best and/or
recommended practice. This means the Trust will ensure that its principles of
corporate governance and public accountability do not override any security
arrangements or any duty of confidentiality owed in safeguarding personal
information about service users, families, carers and staff or commercially sensitive
information from our clients. Where appropriate a balance will be struck
between openness and confidentiality in the management and use of information;
• Where information needs to be shared with our partner organisations (particularly
health organisations), this will be done in a controlled manner that is
consistent with the interests of the service users or clients, unless the public
interest test affects our decision making processes and disclosure requirements;
• Ensure procedures are reviewed to monitor their effectiveness so that
improvements or deterioration in information handling standards are recognised
and addressed immediately;
• Ensure that when service developments or modifications are undertaken, a review
is undertaken of all aspects of information governance arrangements to ensure
they are robust, do not infringe on privacy rights and support effective patient care.
6.4 Staff and resources
See paragraph 4 above.
Other staff roles that will support the Trust’s IG Strategy include:-
• Risk Management – Risk Manager
• Legal Services – Legal Services Manager
• Human Resources – HR Manager (staff training/employment contracts)
• Registration Authority – RA Officer (i.e. Smartcard provisions/access controls)
• Head of Safecare (for the roll out of the Clinical Audit programme)
• Clinical Coding Manager (for the roll out of the Clinical Coding Audit Programme)
• Information Manager
QEF staff will provide the following roles:-
• Business Continuity – Business Continuity Manager
• Procurement – Procurement Manager
6.5 Management board structure
The Health Informatics Assurance Group (HIAG) is the delegated steering group appointed
to oversee the implementation of this Strategy. The group will:-
• Monitor the effectiveness of this Strategy at its monthly meetings to identify
potential gaps and weaknesses in the Trust’s IG accountability arrangements to
ensure the organisation is aligned to best practice and national guidelines;
• Agree an annual IG improvement work plan for review and sign off;
• Identify resource implications for each IG work stream;
• Monitor all quarterly and progress reports and action plans;
• Report on serious security incidents and issues to the HIAG and Trust Board. (All
serious incidents will be published and reported via the HSCIC and the ICO);
• Ensure the accurate completion, review and sign off of the DoH Information
Governance Toolkit.
All reports are reported to other committees on an ad hoc basis, as and when required. A
summary of the Trust’s committees that support the IG agenda is stipulated in Appendix 2.
Annual membership of the HIAG is stipulated in the Terms of Reference in Appendix 3.
6.6 Working groups
Three working groups will report into the HIAG focusing on the current IG and CQC
arrangements in their respective areas:-
• Records Management Group;
• Data Quality and Secondary Use Group;
• Systems Management and Development Group.
The above groups convene on a bi-monthly basis and will present highlighted reports and
action plans to the HIAG, as and when necessary.
The Gateshead Information Network (GIN) will ensure the smooth operation of our
integrated services with other NHS bodies and agencies.
6.7 The Information Governance Toolkit
The Department of Health’s IGTK requires all NHS organisations in England and Wales to
achieve a minimum level 2 compliance performance rating against all 45 IG standards. This
mandatory online assessment is used as a key source of information by other organisations
such as the Healthcare Commission and CQC for compliance auditing purposes.
The Trust is very ambitious and will aim to achieve a level 3 compliance rating and a grading
score of over 80%, wherever possible over the next three year period. A framework of
assurance will be allocated to appropriate information asset holders so that the
co-ordination of evidence is in place.
The Trust will submit its online IG performance reports on three separate core submission
dates:-
• 30 July – baseline assessment;
• 31 October – self-assessment or improvement plan;
• 31 March – final annual self-assessment report.
All IGTK scores will be verified by the annual Internal Audit review and reported in the End
of Year IGTK Assurance Report and the Annual IG Report to the HIAG and the Trust Board,
along with any action plans necessary to remedy any IG failures.
Note: New versions of the IG Toolkit are released annually and set requirements may
change to reflect current and new standards. This means that the Trust will have to
provide additional evidence to support the changes in order to maintain the score
achieved from the previous year. (Please refer to Appendix 4 for a summary of the IG
Toolkit controls)
6.8 The Information Governance programme deliverables
The Trust will establish a robust information governance programme of deliverables which
conforms to the Department of Health’s IG Toolkit standards and objectives.
Table 1: The Information Governance Deliverables
6.8.1 The IG policy framework
Existing policies will be developed and updated every two years and will be
approved in principle by the Director of Finance and Informatics before ratification
by the HIAG. All policies will be made available via the staff intranet and
through staff communication emails and newsletters. (Please refer to Appendix 5
for a summary of the Trust’s policies and procedures that support the Trust’s IG
agenda).
Employees will be expected to read the policies in conjunction with their
employment contracts and the IG Staff Handbook (available via the staff intranet).
The policies outline the scope of the IG framework and set out the responsibilities
of all staff in the Trust. The Trust will ensure staff familiarise themselves with these
policies through its IG Staff Training Strategy and the Training and Communication
Plan to ensure they understand what is expected of them.
6.8.2 The annual work plan
An annual IG Improvement Plan arising from the baseline assessment of the IGTK
standards will be developed each year. The work plan will be updated quarterly
following any progress reports and IGTK submissions. (Please refer to Appendix 6).
6.8.3 Contracts
All employment contracts entered into by the Trust will ensure they contain
appropriate IG confidentiality clauses that reference the organisation’s legal
obligations in terms of confidentiality, data protection, freedom of information and
data security. For casual staff the confidentiality agreement for third party
suppliers/individuals will be signed.
All third party contractors of goods and services or consultancy will have an
appropriate contract detailing the information governance requirements. The
contract will contain confidentiality clauses and an undertaking that any
information exchanged or obtained during the performance of a contract is kept
confidential and shall only be used for the sole execution of a contract. All parties
involved will take necessary precaution to ensure that information is kept secure.
This process will be managed by the Head of Procurement. Where a third party
requests access to, or the sharing of, patient identifiable information, an information
risk assessment will be undertaken before access is granted.
6.8.4 Information risk management programme
To appropriately scope and prioritise the information risks of the Trust the IG Team
will develop an annual information risk management programme to determine
how its information is used and protected through:-
• A series of audits e.g. the corporate/clinical record audit, the RA Audit etc.;
• The compilation of data mapping flows and information asset registers;
• Service ad-hoc IG spot checks on data compliance and best practice;
• Data quality checks;
• Reviews of security incidents;
• Risk assessments and privacy impact assessments.
This will protect the Trust, its staff and its patients from information risks where
the likelihood of occurrence and the consequences are significant. It will ensure the
Trust has a proactive approach to risk rather than a reactive attitude. The focus of
the risk management programme will be to determine whether the Trust’s
implemented policies and procedures are effective in:-
• Regulating the processing and sharing of personal data;
• Identifying and controlling risks to prevent potential security incidents and
data breaches from occurring;
• Testing the adequacy of the IG controls in place;
• Recommending any changes in control, where necessary;
• Acting as a vehicle for sharing knowledge with trained IG staff.
The IG Strategy will ensure all information assets are:-
• Identified by purpose and service area;
• Classified as sensitive and/or critical assets, depending on the format
and type of information held;
• Assigned to an information asset owner (IAO), who will provide
assurance on the security and use of that asset to the Trust’s SIRO (ownership will be
determined by where the asset is located);
• Given a risk score, i.e. identified as low, medium or high, which is supported by
the Trust’s Board and, where appropriate, considered for inclusion on
the Trust’s Risk Register. The score will be determined by how the asset is
managed and by its dependencies, in terms of other systems and of
beneficiaries (either internal or external). Risks that cannot be managed by
the IAO, e.g. where the asset is not managed locally, will be escalated to senior
management. Proposals for risk mitigation measures
will be considered by senior management, who will consider whether the
risks are real and the proposals affordable and justified. Where mitigating
actions are necessary, priorities and timescales will be clarified and
monitored.
Table 2: The Information Asset Framework (key responsibilities):
• Ultimate authority over, and responsibility for, overall direction;
• Oversees the information and data governance programme and makes all strategic decisions;
• Responsible for establishing and shaping enterprise information standards and policies;
• Executes the information and data governance policy;
• Supports on-going technical tasks.
The Risk Level Matrix to be used will be (risk score = consequence score x likelihood score):
                    Likelihood:  1 Rare   2 Unlikely   3 Possible   4 Likely   5 Almost certain
Consequence:
5 Catastrophic                     5          10           15           20            25
4 Major                            4           8           12           16            20
3 Moderate                         3           6            9           12            15
2 Minor                            2           4            6            8            10
1 Negligible                       1           2            3            4             5
Table 3: The Trust’s Risk Matrix
The allocation of information asset ownership will assist the Trust with its Business
Continuity Planning requirements.
The Information Asset Management task is a significant piece of work which will be
undertaken between 2016 and 2018. All information asset owners will be required to
update their Information Asset Register each time an information asset is created,
amended or replaced.
6.8.5 Projects - procurement of systems / change management processes
Any changes proposed to the way in which information is processed (collected,
stored, used or disposed of) in the Trust will be considered in the context of the
IGTK requirements. All reviews and assessments will be conducted in the early
stages of any given project. The IG Strategy will ensure that there are reporting
mechanisms in place to the HIAG and to the Health Informatics Strategy Group
(HISG) where new computer systems or upgrades, computerised or manual, are
proposed that hold personal identifiable data (PID), including PID relating to
service users, carers or staff.
The HIAG will consider:-
• The access controls, audit trails and the monitoring of user activity;
• The arrangements for backing up data, its resilience and the archiving,
retention and deletion of data;
• Confidentiality clauses in respect of third party contractual arrangements,
i.e. the development, installation and maintenance of the system;
• The secure transfer of data;
• System security accreditation during the procurement process;
• The system’s forensic readiness procedure.
6.8.5.1 Privacy impact assessments
Privacy Impact Assessments (PIAs) will be undertaken by IAOs where new
systems and processes are proposed, to determine whether the new technology
gives rise to any privacy concerns. This is in accordance with the ICO’s
Privacy Impact Assessment Code of Practice, available at www.ico.gov.uk,
and the Trust’s Information Governance Policy for New and Changed
Systems, Processes and Services (IG10), which is published via the staff
intranet.
6.8.5.2 IT/IG risk assessments
All IAOs procuring new systems will be required to complete an IT/IG
General Checklist Assessment to ensure the system complies with current IT/IG
practices. This risk assessment is available via the staff intranet.
6.8.6 Integrated working
The IG Strategy will take into account the need for integrated working practices
between third party organisations and departmental services. Information sharing
agreements (ISAs) will be used where personal identifiable data (PID) is
routinely shared between organisations and third parties, and will be signed off by
the Trust’s Caldicott Guardian (i.e. the Medical Director) or an equivalent senior
member of staff. All ISAs will state the legal principles and purpose of the
agreement, the consent process, the approved method of transmission, any other
standards associated with secondary use (e.g. re-use of information, retention and
destruction requirements) and general housekeeping practices (e.g. the
administration of information requests, complaints, the media and withdrawal of
agreement terms etc.).
ISAs will not be used for ad hoc or one-off large transfers of personal data, e.g.
where clinical data has been shared for a one-off requirement.
6.8.7 Research
Day-to-day access to clinical information for research purposes will be via
the Caldicott Guardian approval procedure, with appropriate sign-off by the
Trust’s Caldicott Guardian (i.e. the Medical Director) and the support of the Trust’s
Research and Development Team, where necessary.
6.8.8 Information requests
The IG Strategy will ensure there are designated roles to process all information
requests under the Freedom of Information Act 2000, the Data Protection Act 1998,
the Access to Health Records Act 1990 and the Environmental
Information Regulations 2004, and those submitted by third parties, e.g. the Police.
Responses will be co-ordinated within statutory timescales, ensuring that the necessary
exemptions are applied where appropriate.
6.8.9 Management of records
Trust-wide audits on samples of corporate and clinical records will be undertaken
to establish whether good record keeping and data quality standards are being achieved,
as set out in the Records Management Code of Practice issued under s46 of the
Freedom of Information Act 2000. This will demonstrate that our patient
information is being recorded and handled in a manner that complies with the
Trust’s legislative and regulatory requirements.
The audits will run over a series of months, with a final report produced to show the
findings. These will be fed back to the Trust’s departments to facilitate
improvement and better targeted training.
6.8.10 The management and reporting of security incidents
The Trust is very conscious of the repercussions of not managing personal data properly:-
• A £1,000 fine for not reporting serious security offences to the Information
Commissioner’s Office (ICO) within 24 hours of an event occurring;
• A monetary penalty of up to £500,000 by the ICO per data security offence
with respect to any data breach involving the loss, theft,
inappropriate disclosure or modification of personal data;
• A monetary penalty of up to £500,000 by the ICO for misuse of personal data
in the use of email, fax and telephone;
• A compulsory inspection and enforcement notice by the ICO.
The IG Strategy will ensure that there are adequate security arrangements in place
for:-
• Reporting IG events or incidents across the Trust and managing risks where
appropriate via the Trust’s Datix Incident Reporting System (as per the protocol
under the Incident/Near-Miss Reporting and Investigation Policy and The
Reporting of Serious IG/Cyber Incidents Policy);
• Analysing, investigating and upward reporting of events/incidents and
recommendations to senior management;
• Dealing with the Information Commissioner’s security reporting requirements;
• Ensuring all IG work plans are updated with recommendations and lessons
learned;
• Communicating IG developments and standards to staff.
All incidents categorised at level 1 will be monitored in quarterly reports to the
HIAG, whilst level 2 and above incidents will be escalated to key staff and, once
approved, reported to the ICO and DoH via the Trust’s IGTK Incident Reporting
System. For all data breaches the IG Lead will grade the severity of the incident for
sign-off by the Trust’s SIRO and Caldicott Guardian.
6.8.11 Staff training
Staff training is fundamental to the success of this Information Governance
Strategy. The Trust will develop an effective induction and mandatory IG training
programme that extends beyond the basic principles of confidentiality and security so
as to improve staff awareness and best practice. Staff will be informed of the
Trust’s legal obligations in terms of data processing and of their own responsibilities
and rights in terms of privacy, choice and client/patient confidentiality. To ensure
the Trust achieves the 95% compliance rate stipulated by the IGTK standards, all
training sessions will be recorded on the Electronic Staff Record (ESR) and a system
employed to ensure that non-attendance is followed up by O&D.
Training | Staff | Type of training | Frequency
Corporate Induction IG Training | New starters | Face to face training | Monthly
Core Mandatory Annual IG Training | Existing employees | Face to face training or via the new e-learning IG training portal (whichever is appropriate) | Fortnightly
Specialised IG/Risk Management Training | SIRO, IAOs and IAAs | Courses stipulated on the HSCIC IG e-learning training tool (IGTT) will be completed | Every 3 years
Specialist Training | Specialist teams | Face to face presentations/talks to key staff involved in IG matters | As and when necessary
All new starters will attend a face to face session as part of the induction process.
The IG module will cover:-
• The importance of Information Governance;
• Data Protection, Confidentiality and the Caldicott Principles;
• Information risk reporting;
• Records management;
• Data quality;
• Information security.
IG refresher training will form part of the annual mandatory training programme
for all current staff.
6.8.11.1 E-learning training
All staff may now complete their annual IG mandatory training via
the Trust’s new e-learning portal at: http://e-learning/my/. The
portal caters for different learning styles and individual needs and
allows staff to complete their training at a time that is convenient
to them. Users are given appropriate site passwords and logins
once registered.
6.8.11.2 Specialist training
Staff in specialist roles across the Trust will be expected to
undertake further training as stipulated in Appendix 7 within 3
months of taking up post.
The Trust will use the national e-learning Information Governance
Training Tool (IGTT) to deliver this specialist training programme.
The tool is accessed via
https://www.igtt.hscic.gov.uk/igte/index.cfm.
Each module will be expected to be refreshed every three years.
The IG Lead will regularly check that the training has been
undertaken.
It is noted that the Health and Social Care Information Centre
(HSCIC) is the copyright owner responsible for the content and
design of the Information Governance Training Tool (IGTT). It is
not a product of the Trust and therefore any concerns or queries
with any modules will need to be raised with HSCIC via the
Information Governance Team.
The methodology and effectiveness of this training programme will
be monitored closely from evaluations collated and analysed by
O&D and the Information Governance Team.
6.8.11.3 Bespoke or departmental training
Subject to discussions with the Information Governance Team,
additional bespoke training sessions are available to teams that
require more in-depth training in their own area of specialism. This
will enable:-
• A greater understanding of the application of the Trust’s IG
policies and procedures;
• Provision of specific departmental advice and guidance;
• Facilitation of a more informal Q&A session.
Training will be delivered in response to demand and to serious
information security incidents.
6.8.11.4 The training needs analysis (TNA) matrix
Staff training requirements will be outlined in the Training Needs
Analysis (TNA) which will form part of the Trust’s Information
Governance Staff Training Strategy.
All staff training reports from O&D will form the basis of evidence
for compliance with the IGTK and external auditors.
6.9 Staff disciplinary
Staff are forewarned that any breach of confidentiality, e.g. disclosing data to
unauthorised parties, the theft, loss or tampering of information, viewing records without
authority, transferring personal information electronically without appropriate encryption
or secure procedures, sharing passwords, logins or smart cards, uploading inappropriate
content to social media, not following security protocols etc., will invoke staff disciplinary
procedures and potentially dismissal and, where necessary, criminal charges. Staff will be
advised of their legal responsibilities via the Trust’s IG staff training programme.
All security breaches considered serious will be reported immediately to the Information
Governance Lead, SIRO and the Caldicott Guardian.
7. Training
See paragraph 6.8.11 above.
8. Equality and diversity
The Trust is committed to ensuring that, as far as is reasonably practicable, the way we deliver
services to the public and the way we treat our staff reflects their individual needs and does not
discriminate against individuals or groups on the grounds of any protected characteristic (Equality
Act 2010). An equality assessment was undertaken. No equality and diversity issues were
identified.
9. Monitoring the compliance / effectiveness of this strategy
Monitoring of compliance with this Strategy will be the responsibility of the Information
Governance Lead.
Standard/Process/Issue | Monitoring and audit method | By | Group | Frequency
Compliance with the Strategy | Is the Strategy published | IG Lead | HIAG | 2 yearly
Completion of IG training | No. of staff attending training sessions | O&D and IG Lead | HIAG | Quarterly
Completion of the IGTK | Annual reports and final IGTK scores | IG Lead | HIAG | Quarterly
Compliance with information requests | No. of requests not responded to within statutory timescales | IG Lead / Health Records Mgr. | HIAG | Quarterly
Number of IG/IT incidents | Numbers, location, severity and type of incidents | IG Lead / Security Mgr. | HIAG | Quarterly / Ongoing
10. Consultation and review of this strategy
This Strategy will comply with all relevant UK and European Union legislation.
The HIAG will formally review this Strategy every two years, although the content may be reviewed
at any time if significant changes to mandatory requirements or national guidance, or any significant
IG breaches or incidents, result in changes to current processes or policies.
11. Implementation of strategy (including raising awareness)
The Trust has developed a communication plan to roll out the deliverables of this
IG Strategy. The key communication tools to be used include:-
External tools:
• Publication Scheme
• Gateshead Trust website
• Patient leaflets
• Fair processing notice (privacy notice)
• Patient surveys
Internal tools:
• IG articles in staff newsletters/bulletins
• IG annual staff training programme
• Policy/procedure framework
• Staff surveys
• Staff screensavers
• Staff IG alerts
This list is not exhaustive but represents a sample of communication materials.
The Trust will engage with patients and staff in the development of its information practices. This
will be through the completion of anonymised patient/staff surveys, where users can provide
feedback on how well they think the Trust manages their data, to help improve our services.
12. References
Useful Guides/Reviews
• Privacy Impact Assessment Handbook Version 2.0 (Information Commissioner);
• The Caldicott 2 Review, Department of Health, September 2013;
• Data Handling Procedures in Government: Final Report, June 2008.
Monitoring Bodies
• Information Commissioner’s Office – www.ico.gov.uk
• Ministry of Justice – http://www.justice.gov.uk/
• General Medical Council – http://www.gmc-uk.org/
• Department of Health – https://www.gov.uk/government/organisations/department-of-health
13. Associated Documents
Information Risk Policy (IG03);
Freedom of Information Policy (IG04);
Freedom of Information Procedure (IG04a)
Records Management Policy (IG05);
Confidentiality and Data Protection Policy (IG06);
Staff Confidentiality Code of Conduct (IG06a);
Caldicott & Safe Haven Procedure (IG07);
Pseudonymisation Policy (IG08);
Clinical Photography and Audio Visual Recording of Patients – Confidentiality & Consent Policy
(IG09);
Information Governance Policy for New and Changed Systems, Processes and Services (IG10);
• General IG Checklist (IG10a);
• IT Systems Information Governance Checklist (IG10b);
• Privacy Impact Assessment Procedure (IG10c);
• Third Party Due Diligence Assessment (IG10d);
• Remote Access Risk Assessment (IG10e);
• Information Governance Contracts Guidance (IG10f);
The Reporting of a Serious IG/Cyber Incident Policy (IG11);
The Re-Use of Public Information Policy (IG12);
Information Governance Staff Training Strategy (IG14);
Data Quality Strategy (IG15);
Records Life Cycle Strategy (IG16);
Confidentiality Audit Procedure (IG17);
The Caldicott Guardian Procedure (for use of PID for secondary purposes) (IG18);
IT and Information Security Policy (OP6B);
Internet, Intranet and Email Acceptable Use Policy (OP17);
Anti-Virus Policy (OP58).
Appendix 1: Roles and Accountability Structure
Appendix 2: Committee/Group Structure
Appendix 3: Terms of Reference for the HIAG
Health Informatics Assurance Group (HIAG)
Terms of Reference (TOR)
Feb 2016 (for review on 9 Feb 2018)
Name of Steering Group: Health Informatics Assurance Group (HIAG)
Purpose of the HIAG:
The Health Informatics Assurance Group (HIAG) has been established to ensure that the Trust has a consistent
and robust approach to the co-ordination of its informatics agenda and the requirements of its IG work streams.
In adherence to the conditions of the Data Protection Act 1998 and the revised Caldicott principles, the Trust
recognises that access to patient information is an essential part of providing excellent patient care. Where
conflicting priorities arise between the need to share information and the need to protect patient
confidentiality, an appropriate balance will be struck between openness and the Trust’s legal obligations of
accountability and safeguarding data. The Health Informatics Assurance Group will be the accountable body for
such decisions.
The HIAG will report to the Audit Committee, which in turn reports to the Trust Board. The Steering Group is
responsible for ensuring that there are effective policies and management arrangements covering all aspects of
Information Governance, in line with the Trust’s Information Governance Strategy and Procedures, to ensure the
Trust complies with:-
- Openness
- Legal Compliance
- Information Security
- Information Quality Assurance
Objectives and Key Tasks
• To provide the responsible Director with expert advice on Data Protection and Confidentiality, Records
Management (Corporate and Clinical), IT Security and Data Quality.
• To ensure there is top level awareness and support for IG resourcing and the implementation of
improvements.
• To support the Trust’s Caldicott Guardian in his advisory and facilitative capacity to provide assurance
on all clinical, confidentiality and data sharing matters involving third parties.
• To liaise with the other Trust Steering Groups, Committees and Boards in order to promote and
integrate IG and CQC standards and to provide a focal point for the discussion of information
governance issues.
• To provide direction and support to the development of Trust-wide Information Governance standards,
policies, and staff training programmes in order to promote effective information governance.
• To receive reports from the following dedicated working groups, in order to co-ordinate the activities
of staff allocated IG responsibilities and progress initiatives:-
o Data Quality and Secondary Use Strategy Group
o Systems Management & Development Group
o Records Management Group
• To ensure annual assessments, audits and improvement plans are documented and undertaken by the
dedicated teams for sign-off by the Trust Board or an appropriate senior member of staff.
• To provide support to the SIRO in managing the strategic risks associated with the Trust’s Information
Asset Registers and to ensure action plans are monitored where gaps have been identified. All actions
will be agreed to mitigate the risk and, where appropriate, will be added to the Trust Risk Register.
• To ensure that the Informatics Risk Register is maintained and regularly reviewed, with any high risk
exceptions reported to the HIAG members as and when necessary.
• To ensure all existing or proposed databases and data flows regarding corporate and patient
identifiable information comply with the Data Protection Act and the Caldicott Principles. The group
will always, in the first instance, promote the use of pseudonymised data flows wherever possible to
restrict access to patient identifiable data.
• To receive, consider and assess reports on all security incidents, complaints and claims relating to
breaches in data confidentiality and IT security and to recommend appropriate action, where possible.
The Group will determine when incidents of a serious nature are to be reported to the ICO and the
HSCIC via the IGTK.
• To monitor the Trust’s performance in terms of openness and compliance with Subject Access Requests,
Freedom of Information requests and Environmental Information Regulations requests, including the
Publication Scheme.
• To monitor clinical recording and the associated risk of poor data quality across all corporate and
clinical records to ensure the Trust is compliant with the Records Management Code of Practice issued under
section 46 of the Freedom of Information Act 2000.
• To ensure the approach to information handling is communicated to all staff and made available to the
public.
• To ensure appropriate IG training is made available and completed by all staff, including those in
specialised roles, as and when necessary to support their duties whilst at the Trust.
• To oversee the development and review of protocols governing the sharing and disclosure of patient
information across organisational boundaries.
• To review how personal identifiable data will be managed when new systems or
system processes are reviewed and approved. The Group will promote the use of privacy impact
assessments to ensure the principles of the Data Protection Act are not compromised by any change of
service or access by a third party.
• To complete the submission of the IG Toolkit baseline assessments in July and October, with final
assessments published by 31st March of each year.
Membership of the HIAG
Membership of the HIAG is stipulated in Appendix 3a.
Meetings
• The HIAG will meet on a bi-monthly basis, with the Director of Finance and Informatics to chair the
Group.
• Expected attendance is 80% of meetings by members or a nominee.
• The group will be deemed quorate when the SIRO, Clinical Safety Officer or Caldicott Guardian is
available, with either the Deputy Director of Informatics or the Head of Information and Data Quality;
in addition to 2 other members or their nominated representatives. The minimum attendance to be
quorate will be 4.
Administration
• The HIAG will have a standing agenda with specific topics added, as authorised by the Chair of the
Group. The standing items to cover will be:-
o Information Governance issues
o Information Requests - to cover all FOI, DP and EIR requests
o Risk reporting
o Incident reporting
o ICT
o Records Management
o Data Quality
o Systems Management
• The agenda and any paper attachments will be circulated at least 3 working days prior to the meeting.
• Papers tabled on the day will be accepted for discussion only, unless otherwise agreed by the Chair.
• The minutes and agreed actions will be documented and circulated to all attendees within 5 working
days.
• Attendees will be given 5 working days to query details and submit any comments, after which the
minutes will be considered complete until ratified at the next meeting.
Reporting Structure
• All HIAG reports will feed into the Audit Committee.
Version | Date | Review Date | Summary of Changes | Author
V1 | | | None applicable | Lauren Hamill – IG Officer
V2 | 03/03/2015 | 03/03/2017 | Changes in the group structures | Marie Galloway – IG Lead
V3 | 01/06/2015 | 01/06/2017 | Minor changes | Marie Galloway – IG Lead
V4 | 09/02/2016 | 9/02/2016 | Added the Records Management Group to ToR | Marie Galloway – IG Lead
Appendix 3a: Membership of the HIAG
Membership of the HIAG includes the following job roles:-
Role Nominated Person
Director of Finance and Informatics John Maddison
Information Governance Lead /Deputy Caldicott Guardian Marie Galloway (Interim)
Caldicott Guardian Keith Godfrey
Clinical Lead for Informatics/ Clinical Safety Officer Rob Allcock
Deputy Director of Informatics Nick Black
Head of Information and Data Quality Michelle Conroy
Head of Risk Management Sue Winn
Health Records Manager Mark Smith
Head of IT Mhairi Rooney
IT Directory and Security Manager Derek Prudhoe
Appendix 4: Information Governance Toolkit Controls Summary
No. Description
Information Governance Requirements
101 There is an adequate Information Governance Management Framework to support the current and
evolving Information Governance agenda.
105 There are approved and comprehensive Information Governance policies with associated strategies
and/or improvement plans.
110 Formal contractual arrangements that include compliance with information governance requirements
are in place with all contractors and support organisations.
111 Employment contracts which include compliance with information governance standards are in place for
all individuals carrying out work on behalf of the organisation.
112 Information Governance awareness and mandatory training procedures are in place and all staff are
appropriately trained.
Confidentiality and Data Protection Assurance
200 The Information Governance agenda is supported by adequate confidentiality and data protection skills,
knowledge and experience which meet the organisation’s assessed needs
201 The organisation ensures that arrangements are in place to support and promote information sharing for
coordinated and integrated care, and staff are provided with clear guidance on sharing information for
care in an effective, secure and safe manner
202 Confidential personal information is only shared and used in a lawful manner and objections to the
disclosure or use of this information are appropriately respected
203 Patients, service users and the public understand how personal information is used and shared for both
direct and non-direct care, and are fully informed of their rights in relation to such use.
205 There are appropriate procedures for recognising and responding to individuals’ requests for access to
their personal data.
206 Staff access to confidential personal information is monitored and audited. Where care records are held
electronically, audit trail details about access to a record can be made available to the individual
concerned on request.
207 Where required, protocols governing the routine sharing of personal information have been agreed with
other organisations.
209 All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and
Department of Health guidelines.
210 All new processes, services, information systems, and other relevant information assets are developed
and implemented in a secure and structured manner, and comply with IG security accreditation,
information quality and confidentiality and data protection requirements.
Information Security Assurance
300 The Information Governance agenda is supported by adequate information security skills, knowledge and
experience which meets the organisation’s assessed needs.
301 A formal information security risk assessment and management programme for key information assets
has been documented, implemented and reviewed.
302 There are documented information security incident / event reporting and management procedures that
are accessible to all staff.
303 There are established business processes and procedures that satisfy the organisation’s obligations as a
Registration Authority.
304 Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users
comply with the terms and conditions of use.
305 Operating and application information systems (under the organisation’s control) support appropriate
access control functionality and documented and managed access rights are in place for all users of these
systems.
307 An effectively supported Senior Information Risk Owner takes ownership of the organisation’s
information risk policy and information risk management strategy.
308 All transfers of hardcopy and digital person identifiable and sensitive information have been identified,
mapped and risk assessed; technical and organisational measures adequately secure these transfers.
309 Business continuity plans are up to date and tested for all critical information assets (data processing
facilities, communications services and data) and service specific measures are in place.
310 Procedures are in place to prevent information processing being interrupted or disrupted through
equipment failure, environmental hazard or human error.
311 Information Assets with computer components are capable of the rapid detection, isolation and removal
of malicious code and unauthorised mobile code.
313 Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks
operate securely.
314 Policy and procedures are in place to ensure that mobile computing and teleworking are secure.
323 All information assets that hold, or are, personal data are protected by appropriate organisational and
technical measures.
324 The confidentiality of service user information is protected through use of pseudonymisation and
anonymisation techniques where appropriate.
Clinical Information Assurance
400 The Information Governance agenda is supported by adequate information quality and records
management skills, knowledge and experience.
401 There is consistent and comprehensive use of the NHS Number in line with National Patient Safety
Agency requirements.
402 Procedures are in place to ensure the accuracy of service user information on all systems and /or records
that support the provision of care.
404 A multi-professional audit of clinical records across all specialties has been undertaken.
406 Procedures are in place for monitoring the availability of paper health/care records and tracing missing
records.
Secondary Use Assurance
501 National data definitions, standards, values and validation programmes are incorporated within key
systems and local documentation is updated as standards develop.
502 External data quality reports are used for monitoring and improving data quality.
504 Documented procedures are in place for using both local and national benchmarking to identify data
quality issues and analyse trends in information over time, ensuring that large changes are investigated
and explained.
505 An audit of clinical coding, based on national standards, has been undertaken by an NHS Classifications
Service approved clinical coding auditor within the last 12 months.
506 A documented procedure and a regular audit cycle for accuracy checks on service user data is in place.
507 The completeness and validity check for data has been completed and passed.
508 Clinical/care staff are involved in validating information derived from the recording of clinical/care
activity.
510 Training programmes for clinical coding staff entering coded clinical data are comprehensive and
conform to national standards.
Corporate Assurance
601 Documented and implemented procedures are in place for the effective management of corporate
records.
603 Documented and publicly available procedures are in place to ensure compliance with the Freedom of
Information Act 2000.
604 As part of the information lifecycle management strategy, an audit of corporate records has been
undertaken.
Appendix 5: The Policy and Procedure IG Framework

The framework maps the Trust's strategies, policies and procedures, related documents, and committees, working groups and roles to the six series of the IG Toolkit.

100 Series: IG Management
Strategies / Policies and Procedures:
• Information Governance Strategy
• Information Governance Staff Training Strategy
Related Documents:
• IG Improvement Plan
• IG Training and Communication Plan
• IG Staff Training Log
• IG contract clauses
• IG staff intranet webpages
• IG Staff Handbook
• IG Patient Survey
• Annual IG Audits/Spot checks
Committees / Working Groups / Roles:
• Health Informatics Assurance Group (HIAG)
• Health Informatics Strategy Group (HISG)
• Gateshead Information Network (GIN)
• Audit Committee

200 Series: Confidentiality/Data Protection Assurance
Strategies / Policies and Procedures:
• Confidentiality and Data Protection Policy
• Privacy Impact Assessment Policy and Procedures
• Information Governance Policy for New and Changed Systems, Processes and Services
• Staff Confidentiality Code of Conduct
• The Caldicott and Safe Haven Procedure
• Incident Reporting Policy and Procedures
• Reporting of a Serious Breach/Cyber Incident Policy
• Subject Access Request (SAR) Policy/Procedures
• Protocol for Dealing with Police Requests for Information and Evidence
Related Documents:
• ICO DPA Registration
• Fair Processing Notice
• Information Sharing Protocol and Agreement Template
• Information Sharing Agreement Log
• Caldicott Approval Log
• SAR Log
Committees / Working Groups / Roles:
• Health Informatics Assurance Group (HIAG)
• An appointed Caldicott Guardian
• The Systems Management and Development Group

300 Series: Information Security Assurance
Strategies / Policies and Procedures:
• IT Strategy
• IT and Information Security Policy
• Internet, Intranet and Email Policy
• IM&T Disaster Recovery Policy/Plan
• Information Risk Policy
• Public Wi-Fi Policy
• Pseudonymisation Policy
• RA Policy and Procedures
• BC Policy / BC Strategy
• Change Control Policy
• Anti-Virus Policy
• Routine Monitoring of Internet Procedure
• Deletion of NT/Email Accounts Procedure
• Data Protector Configuration Procedure
Related Documents:
• ICT Assurance Plan
• Remote Working Technical Spec
• Pseudonymisation Plan
• RA Plan
• Information Asset Registers
• Data Mapping Registers
• Security Incident Log
• Smart Card Register
• BC Plans
• SSSPs
• Risk Assessments
• New IT Request Procedure
Committees / Working Groups / Roles:
• Risk Management Committee
• Emergency Planning Response and Recovery Committee (EPPR)
• An appointed SIRO
• Appointed IAOs and IAAs

400 Series: Clinical Information Assurance
Strategies / Policies and Procedures:
• Clinical Recording and AV Recording of Patients
• Clinical Recording Policy
• Clinical Audit Policy
• Clinical Coding Policy
Related Documents:
• Annual Clinical Audit
Committees / Working Groups / Roles:
• SafeCare Board
• Clinical Audit Committee
• Mortality and Morbidity Steering Group (MMSG)
• Serious Incident Panel

500 Series: Secondary Use Assurance
Strategies / Policies and Procedures:
• Data Quality Strategy/Policy
Related Documents:
• Data Quality Implementation Plan
• Data Quality Audit Procedures
Committees / Working Groups / Roles:
• Data Quality and Secondary User Group
• Medway User Group

600 Series: Corporate Information Assurance
Strategies / Policies and Procedures:
• Freedom of Information Policy
• Freedom of Information Procedures
• Re-Use of Information Policy
• Records Management Policy
• Record Lifecycle Strategy
Related Documents:
• FOI Log
• Record Management (Annual Clinical Record Audit; Annual Corporate Record Audit)
Committees / Working Groups / Roles:
• Health Informatics Assurance Group (HIAG)
• Records Management Terms of Reference Group
Appendix 6: The Information Governance Work Plan

Each entry gives the IG deliverable, the IG requirement it meets and the planned activity (frequency).

IG Deliverable: An Information Governance Framework
IG Requirement: A framework of policies and procedures will be maintained in respect of data security, patient confidentiality, data protection, freedom of information, data quality and records management. Most existing policies are due for revision in March 2017.
Planned Activity: Annually

IG Deliverable: Publication Scheme
IG Requirement: As per s19 of the Freedom of Information Act 2000, a Publication Scheme will be maintained and reviewed annually to ensure the content and standards of publication are still appropriate and not out of date. This will establish our publication standards and support the reputation of the Trust as an open and accessible organisation.
Planned Activity: Annually

IG Deliverable: Completion of the National IG Toolkit Assessment
IG Requirement: A continual review and refresh of existing evidence, policies, procedures and plans will be required to achieve a level 3 target for the IGTK.
Planned Activity: Ongoing; March, July and October of each year

IG Deliverable: An Information Governance Training Programme
IG Requirement: A review of all training programmes and materials will be undertaken frequently to evaluate whether course content is still relevant and applicable. The roll out of the Trust's staff information governance training programme will cover:
• Induction – new starters to the Trust;
• Refresher mandatory training for current staff;
• Volunteers/Cadet training;
• Tailored face to face training for specific service requirements;
• Role specific training, e.g. for the SIRO, the Caldicott Guardian etc.
An e-learning training tool will be rolled out to assist with the mandatory training programme.
Planned Activity: Quarterly

IG Deliverable: Management of Security Incidents
IG Requirement: A review of security incidents will be undertaken to determine where plans of action are required. Quarterly reports will review the location and types of incidents for trend analysis.
Planned Activity: Ongoing

IG Deliverable: Data Mapping and Information Asset Registers
IG Requirement: All current data mapping and information asset registers that map the information assets and risks of each service area will be refreshed or completed, where applicable. Security incident reports produced by Datix will feed into this programme. This is a large piece of work expected to be undertaken between 2015 and 2016.
Planned Activity: Ongoing

IG Deliverable: An Information Governance Communication Programme
IG Requirement: The Trust will develop a communication programme to raise the profile of information governance in the Trust. This will be done through the dissemination of staff emails, divisional/corporate newsletters, articles via the QE Weekly, team meetings, the staff intranet etc.
Planned Activity: Periodically

IG Deliverable: An Information Governance Hub – Website Presence
IG Requirement: An Information Governance hub will be maintained to disseminate clear advice and guidance through the Trust's website, in terms of policies, procedures, staff leaflets, staff training programmes, awareness posters etc. All stakeholders will be made aware of the importance of holding accurate data and how this should be managed so that the appropriate care or service can be continually improved.
Planned Activity: Periodically

IG Deliverable: Third Party Contracts
IG Requirement: A contract supplier list will be reviewed annually by the Procurement Team and the IG Lead/Officer to ensure all confidentiality clauses are inclusive, and that those who have access to the Trust's data are risk assessed before any request is granted. All auditing arrangements will be suitably identified and carried out.
Planned Activity: Annually

IG Deliverable: IG Employment Contract Clauses
IG Requirement: Staff recruitment requirements will be addressed at the recruitment stage, with employment contracts containing a DP/confidentiality clause. All casual staff will sign a confidentiality statement. The information security expectations of staff will be included in their job descriptions and appropriate job definitions.
Planned Activity: Annually

IG Deliverable: Information Governance Staff Survey
IG Requirement: The Trust will publish a staff information governance survey each November to gather feedback that helps identify staff training needs.
Planned Activity: Annually

IG Deliverable: The Implementation of a Data Quality Programme
IG Requirement: A data quality programme will be explored to ensure the Trust's data is complete and accurate within our information systems, to support our operational and clinical decision-making. Where possible, validation of data entry and data analysis at the input stage will be incorporated and maintained. The Trust's approach to the collection and use of data will be consistent.
Planned Activity: Annually

IG Deliverable: An Audit Compliance Monitoring Programme
IG Requirement: The Trust will undertake appropriate information governance spot checks, compliance reports, audits and risk assessments to identify where gaps exist in the framework. A work plan has been devised for this.
Planned Activity: Annually

IG Deliverable: Fair Processing Notice
IG Requirement: A Fair Processing Notice will be published on the Trust's external website to inform service users of how their data will be held, processed and shared. This will be reviewed annually.
Planned Activity: Annually

IG Deliverable: Procurement/Development of New IT Systems
IG Requirement: Any new proposed information system, computerised or manual, that holds personal identification data (PID), including PID relating to service users, carers or staff, will be risk assessed by the Information Governance Team before being procured and implemented by the Trust.
Planned Activity: Ongoing

IG Deliverable: Collaboration and Information Sharing
IG Requirement: A review of all Information Sharing Agreements will be undertaken annually to ensure that the governance arrangements for the management of collaborative environments and networks have not expired or been terminated. All agreements will clearly set out roles and responsibilities, auditing and security arrangements.
Planned Activity: Annually
Appendix 7: The Trust's IG Specialist Training Programme

All staff in specialist roles are expected to undertake further training within 3 months of taking up their post. The modules to be completed are stipulated below and can be accessed via the HSCIC IG Training Tool at https://www.igtt.hscic.gov.uk/igte/index.cfm

Each entry gives the role, the Information Governance Toolkit training modules required and the frequency with which they must be repeated.

Role: All Staff Regardless of Role
Training: Mandatory Training – Introduction to Information Governance
Frequency: Every year

Role: SIRO
Training: Introduction to Information Governance; NHS Information Risk Management: Foundation; NHS Information Risk Management for SIROs and IAOs; Secure Transfers of Personal Data; Information Security Guidelines
Frequency: 3 years

Role: Caldicott Guardian
Training: Introduction to Information Governance; The Caldicott Guardian in the NHS and Social Care; Patient Confidentiality
Frequency: 3 years

Role: Trust Secretary (who currently covers corporate records)
Training: Introduction to Information Governance; Information Security Guidelines; Secure Transfers of Personal Data; NHS Information Risk Management for SIROs and IAOs; Records Management and the NHS Code of Practice; Patient Confidentiality
Frequency: 3 years

Role: Information Governance Officer / Information Governance Assistant
Training: Introduction to Information Governance; Information Security Guidelines; Information Security Management; Secure Transfers of Personal Data; NHS Information Risk Management for SIROs and IAOs; Access to Health Records; Patient Confidentiality; Business Continuity Management
Frequency: 3 years

Role: Information Security Manager
Training: Introduction to Information Governance; Information Security Guidelines; Password Management; Secure Transfers of Personal Data; NHS Information Risk Management: Foundation; NHS Information Risk Management for SIROs and IAOs; Business Continuity Management; Patient Confidentiality
Frequency: 3 years

Role: Head of Information and Data Quality
Training: Introduction to Information Governance; NHS Information Risk Management: Foundation; NHS Information Risk Management for SIROs and IAOs; Business Continuity Management
Frequency: 3 years

Role: Health Records Manager and SAR Handlers
Training: Introduction to Information Governance; Records Management and the NHS Code of Practice; Records Management in the NHS; Access to Health Records; Patient Confidentiality; The Importance of Good Clinical Record Keeping
Frequency: 3 years

Role: RA Manager
Training: Introduction to Information Governance
Frequency: 3 years

Role: Clinical Manager
Training: Introduction to Information Governance; The Importance of Good Clinical Record Keeping
Frequency: 3 years

Role: IAO
Training: Introduction to Information Governance; NHS Information Risk Management for SIROs and IAOs; NHS Information Risk Management: Foundation
Frequency: 3 years

Role: IAA
Training: Introduction to Information Governance; NHS Information Risk Management for SIROs and IAOs; NHS Information Risk Management: Foundation
Frequency: 3 years