Improvement Plan and Evidence Report

Sheffield University: Version 10 (2012-2013) Assessment
Prepared on 08/07/2013
Report Type: Improvement plan (including completed items) - showing items up to target level

Report Options: Include evidence, actions and general comments

Requirement 10-120

Responsibility for Information Governance has been assigned to an appropriate member, or members, of staff

Requirement Owner(s): Andy Irving

Current Level: 3
Target Level: 3

Attainment Criterion 1a

Responsibility has been assigned for Information Governance

Achieved: Yes

Comments: Study Chief Investigator is Professor Steve Goodacre. He is named as Information Governance lead and has signed the Information Governance Policy (v1, 12.04.13) and the Information Governance Improvement Plan (both attached).

Evidence Required: Named individual(s) job description, or signed note or email assigning responsibility.
Obtained: Yes
Location: Uploaded PAINTEDInfoGovernanceImprovePlanVer1.pdf
Details: This is the information governance improvement plan, which clearly indicates that responsibility for oversight of information governance matters is in the hands of the Chief Investigator.

Evidence Required: The study Information Governance Policy
Obtained: Yes
Location: Uploaded Painted Information Governance Policy v1 21.6.13.pdf

Attainment Criterion 1b

The named Information Governance staff have been provided with sufficient training to carry out their role.

Achieved: Yes

Comments: All members of the research team complete INFORMATION SECURITY TRAINING via an intranet-based module including "1. Information Security Awareness Training", followed by "2. Information Security for Research" & "3. Information Security Awareness Statement". E-MAIL evidence confirming all research team have completed Information Security training.

Evidence Required: IG Training tool reports, certificates of attendance and attainments, or evidence of self-directed study.
Obtained: Yes
Location: Uploaded 1b Info Security training email confirmation.pdf

Attainment Criterion 1c

There is an IG improvement plan that documents both the current level of compliance with the NHS IG requirements and the targets identified to progress to the next level of compliance.

Achieved: Yes

Comments: IG improvement plan uploaded.

Evidence Required: Documented IG Improvement plan.
Obtained: Yes
Location: Uploaded PAINTEDInfoGovernanceImprovePlanVer1.pdf

Attainment Criterion 2a

The IG improvement plan has been signed off by a senior staff member.

Achieved: Yes

Comments: The IG improvement plan was signed by Professor Steve Goodacre.

Evidence Required: Sign off should be documented on the IG improvement plan, for example the date that it was signed-off and by whom.
Obtained: Yes
Location: Uploaded PAINTEDInfoGovernanceImprovePlanVer1.pdf

Attainment Criterion 2b

The IG improvement plan has been implemented and gaps or weaknesses in current IG arrangements are being addressed.

Achieved: Yes

Comments: An IG improvement plan will be implemented contingent on approvals by the IG toolkit administrators.

All project staff will have access to, and must read, the IG improvement plan. Any new personnel will be directed to the IG improvement plan as part of their induction. For actions regarding the implementation of the plan please see sections headed "The Improvement Plan" and "Actions Pending for Improvement".

Evidence Required: New guidance for staff or new organisational procedures or new ways of working.
Obtained: Yes
Location: Uploaded PAINTEDInfoGovernanceImprovePlanVer1.pdf

Attainment Criterion 3a

Progress against the improvement plan is monitored in-year and reports are made to senior members of staff.

Achieved: Yes

Comments: Surveillance of information governance matters (while the study is in its hibernation phase) is the joint responsibility of the Chief Investigator (in his capacity as the Information Governance lead) and the study Steering Group, to whom the Chief Investigator will present the IG progress reports. Any issues arising from this monitoring will also be included in the annual progress reports that the Chief Investigator makes to the Dean's Office.

Evidence Required: Progress reports or briefing documents or meeting notes or emails.
Obtained: No
Location: [not specified]

Attainment Criterion 3b

The adequacy of the IG arrangements needs to be reviewed at least annually to ensure they remain fit for purpose.

Achieved: No

Evidence Required: Minutes/meeting notes including the decisions made and any changes required.
Obtained: No
Location: [not specified]

Requirement 10-121

There is an information governance policy that addresses the overall requirements of information governance

Requirement Owner(s): Andy Irving

Current Level: 3
Target Level: 3

Attainment Criterion 1a

The IG lead(s) has/have reviewed current policies to determine where they can be adapted to form the basis of an Information Governance Policy.

Achieved: Yes

Comments: A policy for the study has been developed (see PAINTED Information Governance Policy (v1 21.06.13)).

Evidence Required: An IG policy document tailored to the requirements of the team.
Obtained: Yes
Location: Uploaded PaintedInformationGovernancePolicy v1 21.6.13.pdf

Attainment Criterion 1b

The IG policy has been signed off by a senior manager.

Achieved: Yes

Comments: See PAINTED Information Governance Policy (v1 12.04.13) signed by Prof Steve Goodacre (Information Governance Lead) and Richard Wilson (Study Manager).

Evidence Required: Sign off documented on the policy document (for example - the date that it was signed-off and by whom).
Obtained: Yes
Location: Uploaded PaintedInformationGovernancePolicy v1 21.6.13.pdf

Attainment Criterion 2a

The IG policy has been made available to all staff.

Achieved: Yes

Comments: The IG policy is available on the PAINTED project folder, in sub-folder DATABASE, accessible by all the research team.

See Declaration Form detailing which staff have signed to say they have read and understood the Information Governance policy. In the post-hibernation phase all new staff coming onto the study will be required to read the current version of the Policy and complete the Declaration Form. This requirement is detailed in the study Continuity Management Plan.

Evidence Required: Inclusion in a staff handbook or by placing it on the intranet, or staff may be provided with their own copy of the policy. In the latter case there may be a list of staff signatures confirming staff have read and understood the policy.
Obtained: No
Location: Uploaded Painted IGdeclarationformSigned.pdf

Attainment Criterion 3a

Staff understanding of the policy and its relevance to the way they work is tested to ensure that there is full compliance with the IG policy. Therefore, compliance spot checks and routine monitoring are conducted.

Achieved: Yes

Comments: In this early stage in the life of the study there has not yet been time to develop or deploy monitoring and compliance checking instruments. These are in the process of development. With the study going into hibernation there seems little purpose in assessing any of the current staff as it is unlikely that these same persons will be involved if and when the pandemic occurs. That said, the Continuity Management Plan includes, as part of the pandemic activation, that records of IG training are scrutinised (see Continuity Management Plan, section 2.2 "Initial Action") and the then-existing systems of data are assessed by the Information Governance lead to ensure that they comply with the Policy. A record of this compliance check will be presented to the study Management Committee and study Steering Group.

Evidence Required: Completed monitoring form, or a report on the outcome of staff compliance checks.
Obtained: No
Location: [not specified]

Attainment Criterion 3b

The adequacy of the IG policy needs to be reviewed regularly to ensure it remains fit for purpose.

Achieved: No

Evidence Required: Minutes/meeting notes including the decisions made and any changes required.
Obtained: No
Location: [not specified]

Requirement 10-122

All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities.

Requirement Owner(s): Andy Irving

Current Level: 3
Target Level: 3

Attainment Criterion 1a

An audit of personnel records, and contractor and other third party contracts has been undertaken to determine how many have written contracts that contain clauses that identify IG responsibilities.

Achieved: Yes

Comments: No audit of staff contracts (research team) has taken place as these contracts do not contain clauses that directly identify IG responsibilities. Nevertheless, ALL university staff must abide by University of Sheffield Policies as noted in the Terms and Conditions of Service document (uploaded), which does cover the maintenance of confidentiality and other related matters.

Evidence Required: Documented evidence of the audit and its findings.
Obtained: No
Location: [not specified]

Evidence Required: Terms and Conditions of Service document
Obtained: Yes
Location: Uploaded terms_conditionsnonstatutesgrades19oct11.pdf

Attainment Criterion 1b

Appropriate contractual clauses covering compliance with IG linked to disciplinary procedures (where appropriate) have been drafted and signed off by senior management.

Achieved: Yes

Comments: It is not possible to amend the University's contracts of employment for research staff to explicitly address IG compliance. Nor is it possible to take account of changes to contracts of this kind that may occur during the study's hibernation phase. For the time being the approach adopted will be to issue (under the authority of the study Chief Investigator and Information Governance lead) a Memorandum of Information Governance Compliance to staff engaged on the study (i.e. at the time when hibernation ceases) containing the text given below if by such time the standard terms and conditions in researcher contracts do not contain a clause (or clauses) the effect of which is equal to (or greater than) the Memorandum.

The text for the Memorandum: "You may not during or after the termination of your employment disclose to anyone other than in the proper course of your employment or where required by law, any information of a confidential nature relating to the organisation or its business or customers. Breach of this clause may lead to dismissal without notice. Guidance on standards expected can be found in the University's Terms and Conditions of Service."

During the hibernation phase the Chief Investigator will remain responsible for assessing whether University contracts of employment offer sufficiently robust safeguards as to render superfluous the use of the Memorandum and to report this back to the Management Group and Steering Group as part of his/her annual reporting.

See University of Sheffield Disciplinary Procedure including reference to 'breach of confidentiality' as an example of gross misconduct and triggering disciplinary procedures as outlined.

Evidence Required: Examples of contract clauses.
Obtained: Yes
Location: Uploaded MemorandumOfInformationGovernanceVer0.2.pdf

Evidence Required: Meeting notes showing approval or personal endorsement in writing (eg by email) from an appropriate senior manager.
Obtained: No
Location: [not specified]

Evidence Required: University of Sheffield Disciplinary Procedure
Obtained: Yes
Location: Uploaded UoS Disciplinary Procedure.pdf

Attainment Criterion 1c

An action plan has been developed to update existing contracts, where necessary, and ensure all new contracts include compliance with IG requirements as part of employment/service engagement processes.

Achieved: Yes

Comments: As discussed in section (b) a Memorandum of Information Governance Compliance will be drawn up and held available, as amendments to existing contracts of employment are the responsibility of the University's Human Resources department and cannot be altered by the research team managers. This is the situation as it stands now, in 2013. Representations will be made to the higher levels of the University management to suggest that researcher contracts do, as a matter of routine, include a clause or clauses along the lines outlined in section (b). During the course of the hibernation phase it is possible that University policy may change and the contracts be amended accordingly. Actions here will be to review the situation (annually) with regard to contracts and this will form part of the Continuity Management Plan hibernation phase actions (section 1.14, "Memorandum of Information Governance Compliance" refers).

Evidence Required: Documented action plan.
Obtained: Yes
Location: Uploaded PaintedContinuityPlanVer1PointZeroNoAppendices.pdf
Details: The study Continuity Management Plan (minus all appendices, to reduce file size).

Attainment Criterion 2a

Building upon the existing contractual situation, all contracts for staff, contractors and other third party users who have access to confidential information or assets containing confidential information include compliance with information governance requirements, as part of employment or contracting processes.

Achieved: Yes

Comments: Continuing from sections 1(b) and 1(c), the situation regarding staff contracts will be handled via the medium of the Memorandum. For contracts with third parties (only likely to be research sites or other NHS organisations from whom data might be obtained) clauses will be inserted (as outlined in 1(b)). A similar Memorandum ("Memorandum of Information Governance Compliance, Contractors and Third Parties") will be instituted in the event that the standard terms and conditions of University contracts fail to adequately address this issue.

Evidence Required: Sample contract showing that appropriate IG clauses are included in contracts.
Obtained: Yes
Location: Uploaded MemorandumOfInformationGovernanceComplianceThirdPartiesVer1.pdf

Attainment Criterion 3a

All new staff, contractor and other third parties comply with IG responsibilities and this is tested through spot checks and routine monitoring.

Achieved: Yes

Comments: During the hibernation phase of the study, where no research activities are taking place, a 'light touch' monitoring process will be adopted whereby the Chief Investigator/Information Governance lead will review the state of new contract documents being routinely deployed and assess whether the information governance clauses contained therein are as robust as the obligations contained in the study's own Memoranda (see 1(b) in this section) and if not retain the Memoranda for use as and when the pandemic occurs (matters covered in the Continuity Management Plan as described in 1(c)). During the pandemic phase monitoring will be more robust and, as the exigencies of the pandemic permit, it will be the responsibility of the study Management Group (as then constituted) to make such arrangements as they see fit (and which satisfy the requirements at that time of the Information Governance Toolkit or whatever instrument or technology may have replaced it) for assessing and determining that compliance with the study's IG plan and policies is being maintained.

Evidence Required: Completed monitoring forms, or a report on the outcome of staff compliance checks.
Obtained: No
Location: [not specified]

Attainment Criterion 3b

As the law in this area is subject to change, an annual review is undertaken to assess whether the contractual clauses are still sufficient.

Achieved: No

Evidence Required: Meeting notes including the decisions made and any changes required.
Obtained: No
Location: [not specified]

Requirement 10-123

All staff members are provided with appropriate training on information governance requirements.

Requirement Owner(s): Andy Irving

Current Level: 2
Target Level: 3

Attainment Criterion 1a

Responsibility for arranging appropriate IG training for all staff has been assigned to a named individual.

Achieved: Yes

Comments: Training within the University of Sheffield is provided centrally by Corporate Information and Computing Services (CiCS). See email circulated by the Dean of ScHARR, Jon Nicholl (forwarded by Michelle Hassall) named "ACTION REQUIRED: Online Information Security Awareness", detailing the online training package and staff responsibility to complete it.

Evidence Required: A named individual's job description, or a signed note or e-mail assigning responsibility.
Obtained: Yes
Location: Uploaded OnlineInformationSecurityAwarenessemail.pdf

Attainment Criterion 1b

Appropriate basic IG training has been identified for all staff including new starters, and additional training has been identified for key staff groups.

Achieved: Yes

Comments: See Information Security Training events e-mail highlighting specific training needs for all staff and additional training identified for ScHARR department (to [email protected]).

See also New Staff Induction Checklist with Information Security highlighted.

Evidence Required: Written details of the training to be provided.
Obtained: Yes
Location: Uploaded InformationSecuritytrainingeventsemail.pdf

Evidence Required: New Staff Induction Checklist
Obtained: Yes
Location: Uploaded New Staff Induction Checklist.docx

Attainment Criterion 1c

Basic IG training is provided to all new starters as part of their induction.

Achieved: Yes

Comments: See New Staff Induction Checklist including signpost to the 'Information Security training' on MOLE2.

Evidence Required: Training records, for example, IG Training Tool reports.
Obtained: Yes
Location: Uploaded New Staff Induction Checklist.docx

Attainment Criterion 2a

All staff including locum, temporary, volunteer, student and contract staff members have completed or are in the process of completing basic IG training.

Achieved: Yes

Comments: See e-mail confirmation from Chris Willis (Information Coordinator, Corporate Information and Computing Services, The University of Sheffield) confirming research team completion of Info Security training. As this is relevant only to those staff currently in post and assigned to Painted, this issue will be dealt with (during the pandemic phase) as described in the Continuity Management Plan, section 2.2.

Evidence Required: Training reports or certificates of attendance.
Obtained: Yes
Location: Uploaded Info Security training email confirmation.pdf

Evidence Required: Future training
Obtained: Yes
Location: Uploaded PaintedContinuityPlanVer1PointZeroNoAppendices.pdf
Details: the Continuity Management Plan

Attainment Criterion 2b

The training needs of staff are assessed to ensure that the basic training provided is sufficient and staff in key roles are provided with additional training when required, which may be provided through the NHS IG Training Tool or by other means.

Achieved: Yes

Comments: The University provides Information Security Training online which meets the training needs of all relevant staff. See e-mail confirmation from Chris Willis (Information Coordinator, Corporate Information and Computing Services, The University of Sheffield) confirming research team completion of Info Security training.

Evidence Required: Training needs analysis document, certificates of attendance / attainment or IG Training Tool reports.
Obtained: Yes
Location: Uploaded Info Security training email confirmation.pdf

Attainment Criterion 3a

Providing staff with IG training does not provide sufficient assurance that they have understood their IG responsibilities. Therefore, compliance checks and routine monitoring are undertaken to test staff.

Achieved: No

Evidence Required: A completed audit sheet or monitoring form, or a report on the outcome of staff compliance checks and any actions taken.
Obtained: No
Location: [not specified]

Attainment Criterion 3b

Where necessary, any staff member requiring assistance should be supported to increase their understanding of and adherence to IG best practice.

Achieved: No

Evidence Required: Training attendance lists, diary slots for individual training, HR/personnel records, or staff signature lists showing that staff have received additional support and understand their duties and responsibilities.
Obtained: No
Location: [not specified]

Attainment Criterion 3c

Staff understanding and training materials are regularly reviewed, especially when new procedures are introduced and on induction of new staff.

Achieved: No

Evidence Required: Meeting notes where the training was reviewed during the year including the decisions made and any updates.
Obtained: No
Location: [not specified]

Requirement 10-220

Personal information is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected

Requirement Owner(s): Andy Irving

Current Level: 2
Target Level: 3

Attainment Criterion 1a

Responsibility has been assigned for documenting guidelines for staff about lawful and appropriate sharing of confidential personal information and respecting service user wishes.

Achieved: Yes

Comments: Dr Jennifer Burr is the designated principal ethics contact for ScHARR (Designated Principal Ethics Contacts list).

Evidence Required: A named individual's job description, a note or e-mail assigning responsibility or the terms of reference of a group.
Obtained: Yes
Location: Uploaded Principal-Ethics-Contacts.pdf

Evidence Required: SREGP Anonymity-Confidentiality-Data-Protection policy
Obtained: Yes
Location: Uploaded SREGP-Anonymity-Confidentiality-Data-Protection.pdf

Attainment Criterion 1b

The documented guidelines provide direction to staff to ensure they share confidential personal information lawfully and appropriately and that they respect service user choices regarding disclosure.

Achieved: Yes

Comments: See SREGP-Anonymity-Confidentiality-Data-Protection University policy (attached).

Evidence Required: A document, staff handbook, or leaflet covering consent issues around the use and disclosure of personal information.
Obtained: Yes
Location: Uploaded SREGP-Anonymity-Confidentiality-Data-Protection.pdf

Attainment Criterion 1c

The guidelines have been approved by senior management, an appropriate committee or other established local governance process.

Achieved: Yes

Comments: Please see the URL http://www.shef.ac.uk/ris/other/committees/ethicscommittee detailing the University's research ethics processes and committee accountable to the University Senate.

Evidence Required: Minutes of meetings, in a document or email or a personal endorsement in writing from an appropriately senior manager.
Obtained: Yes
Location: Internet http://www.shef.ac.uk/ris/other/committees/ethicscommittee

Attainment Criterion 2a

The guidelines for staff are accessible to them in an appropriate location.

Achieved: Yes

Comments: All guidelines are available on the internet and staff intranet at http://www.shef.ac.uk/ris/other/gov-ethics/ethicspolicy/policy-notes

Evidence Required: Inclusion in staff handbook, or published on the Intranet, or personal copies for staff (in the latter case there may be a list of staff signatures confirming receipt of the guidance) or the evidence may be a description of the dissemination process or minutes of the meeting where this was decided.
Obtained: Yes
Location: Internet http://www.shef.ac.uk/ris/other/gov-ethics/ethicspolicy/policy-notes

Attainment Criterion 2b

All staff members have been informed of the guidance and in particular of their own responsibilities for compliance.

Achieved: Yes

Comments: See email dated 13.12.12 from the Dean of ScHARR re: online information security training. See email dated 16.1.13 re: Information Security training events.

Evidence Required: Notes or minutes of team meetings/awareness sessions or staff briefing materials.
Obtained: No
Location: [not specified]

Evidence Required: Email. Information Security training event
Obtained: Yes
Location: Uploaded InfoSecuritytrainingemail.docx

Evidence Required: Information Security Training Requirement
Obtained: Yes
Location: Uploaded OnlineInformationSecurityAwarenessemail.pdf

Attainment Criterion 3a

Providing staff with guidance materials and briefings does not provide sufficient assurance that the guidance has been understood and is being followed, therefore compliance spot checks and routine monitoring are conducted.

Achieved: No

Evidence Required: A completed monitoring form, or a report on the outcome of staff compliance checks.
Obtained: No
Location: [not specified]

Evidence Required: Documentation from reviews of information sharing (eg where information has been shared for non-care services, where service users have declined to agree to disclosure or have changed their disclosure decision).
Obtained: No
Location: [not specified]

Attainment Criterion 3b

Policy and law change over time and it is important that the content of guidance is regularly reviewed and aligned with the latest central guidelines.

Achieved: No

Evidence Required: Minutes/meeting notes where the guidance has been reviewed during the year including the decisions made and any updates to the guidance.
Obtained: No
Location: [not specified]

Requirement 10-221

There are appropriate confidentiality audit procedures to monitor access to confidential personal information

Requirement Owner(s): Andy Irving

Current Level: 2
Target Level: 3

Attainment Criterion 1a

Responsibility for documenting confidentiality audit procedures that cover monitoring and auditing access to confidential personal information has been assigned to an individual or group.

Achieved: Yes

Comments: In the hibernation phase of Painted its care-taking management will be under the overall direction of the University's Clinical Trials Research Unit. This Unit will therefore be charged with responsibility for implementing these confidentiality audit procedures. CTRU's Quality Assurance team produce annual audit programmes setting out the studies, systems and procedures to be audited, the audit objectives, the time-scale for completion of the audits and the persons responsible. The Painted Continuity Management Plan makes explicit reference to the CTRU as principal agent in this matter. For its part the CTRU audit programme for 2013 includes the production of a standard operating procedure (SOP) which will describe the procedure for conducting CTRU audits within the context of the audit programme. Throughout the hibernation phase the Painted confidentiality audit processes will be subsumed under those of the wider CTRU, and as such will be subject to the same reviewing and updating processes. The Chief Investigator and the Director of the CTRU will jointly exercise the function of leading the confidentiality audit process as it applies to Painted.

When Painted moves into its active, pandemic, phase it will be the responsibility of the CTRU and the Chief Investigator to ensure that any auditing that their then-current SOP stipulates is carried out within whatever is at that time the designated time frame, but at the minimum on at least one occasion during the pandemic phase.

Evidence Required: A named individual's job description, a note or e-mail assigning responsibility or the terms of reference of a group.
Obtained: Yes
Location: Uploaded CTRU audit programme2013.pdf

Evidence Required: Quality auditing (future)
Obtained: Yes
Location: Uploaded PaintedContinuityPlanVer1PointZeroNoAppendices.pdf
Details: the Study Continuity Management Plan

Attainment Criterion 1b

There are documented confidentiality audit procedures that clearly set out responsibilities for monitoring and auditing access to confidential personal information.

Achieved: Yes

Comments: As alluded to in 1(a) it will be for the CTRU's Quality Assurance team to produce the required annual audit programmes. The audit programme, its operation and oversight, will be described in one or more CTRU SOPs, which are themselves subject to periodic review. As such the detail of this and the precise modus operandi will change with time, depending on how long the hibernation phase lasts.

Evidence Required: Documented confidentiality audit procedures which include the details of the named staff member, job role or responsible group.
Obtained: No
Location: [not specified]

Attainment Criterion 1c

The procedures have been approved by senior management, an appropriate committee or other established local governance process and have been made available throughout the organisation.

Achieved: Yes

Comments: As this confidentiality auditing matter is in the hands of the CTRU, and will be governed by the SOPs, approval at a senior level follows automatically. All SOPs used within the CTRU go through a process of detailed internal development and require sign-off by designated senior members of the CTRU management.

Evidence Required: Approval/sign off within the minutes of meetings, in a document or email or a personal endorsement in writing from an appropriately senior manager.
Obtained: Yes
Location: Uploaded SOP GEN002SOPManagementv3_SIGNED.pdf

Evidence Required: Inclusion in a staff handbook, or publishing the procedures on the Intranet or personal copies of the procedures provided to staff (in the latter case there may be a list of staff signatures confirming receipt of the procedures) or the evidence may be a description of the dissemination process or minutes of the meeting where the process was decided.
Obtained: No
Location: [not specified]

Attainment Criterion 2aAll staff members with the potential to access confidential personal information have been informed thatmonitoring and auditing of access is being carried out, of the need for compliance with confidentialityand security procedures and the sanctions for failure to comply. Staff might be informed through teammeetings, awareness sessions, staff briefing materials, or staff may be provided with their own copy ofthe procedures.

Achieved: Yes

Comments: It seems likely (although this can't be absolutely certain) that those members of staff who may potentially access confidential or personal information will be staff working within the CTRU. Certainly, during the hibernation phase the only staff having dealings with the study will be CTRU staff. As such these individuals will already have received training and awareness raising as part of their general CTRU induction and staff development. In the event of a pandemic again it seems likely that the research staff to be deployed will be existing CTRU members, and the same comments regarding training etc apply. Should it be the case, in the pandemic phase, that research staff from outside the CTRU are deployed then those members of staff will be required to sign the Declaration, attesting to their awareness of, and familiarity with, the required SOPs and other processes or procedures. Ensuring that outside staff are aware and familiar will be a matter for the Chief Investigator and CTRU Director to jointly manage.

Evidence Required Obtained Location Details

Minutes/notes of meetings, briefing and awareness session materials or a list of staff signatures that they have read, understood and will comply with the procedures.

Yes Uploaded OnlineInformationSecurityAwarenessemail.pdf

Attainment Criterion 2b The procedures have been effectively implemented and appropriate action is taken where confidentiality processes have been breached. Therefore staff compliance is monitored and there are case reviews if confidentiality processes have been breached.

Achieved: Yes

Comments: At this stage in the study (the hibernation phase) there is no possibility of confidentiality processes being breached as there is no ongoing research activity and no confidential information being handled. Nor is it possible to say at this time by exactly what means compliance will be monitored. It will only be in the pandemic phase that the issue of confidentiality becomes 'live'. What can be stated is that implementation, compliance monitoring and reviewing of breaches (should they occur) will be undertaken to the same quality standard as all other CTRU research activities even if it cannot be stated now exactly what the processes etc will be.

Evidence Required Obtained Location Details

Completed monitoring form, or a report on the outcome of staff compliance checks.

No [not specified]

Where a breach has occurred, copies of Serious Untoward Incident reports, lessons learned reports, staff feedback briefings, staff retraining files, or disciplinary documents. Evidence may also be found in public statements and communications to service users.

No [not specified]

Attainment Criterion 3a Access to confidential personal information is subject to regular review and, where necessary, measures are put in place to reduce or eliminate frequently encountered confidentiality events.

Achieved: No

Evidence Required Obtained Location Details

Minutes/ meeting notes where access has been reviewed during the year including the decisions made such as new guidance for staff, improved physical security measures, documented IT system changes (eg stronger password formation; port control to prevent download of personal information to USB sticks, etc) or other new processes.

No [not specified]

Attainment Criterion 3b Policy and law change over time as do technological developments and it is important that the content of procedures is regularly reviewed, is aligned with the latest central guidelines and takes into account any new systems or processes introduced into the organisation.

Achieved: No

Evidence Required Obtained Location Details

Minutes/meeting notes where the procedures have been reviewed during the year including the decisions made and any updates to the procedures.

No [not specified]

Requirement 10-222 All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines

Requirement Owner(s): Andy Irving

Current Level: Not Relevant

Target Level: Not Relevant

Requirement 10-223 All transfers of personal and sensitive information are conducted in a secure and confidential manner

Requirement Owner(s): Andy Irving

Current Level: 2

Target Level: 3

Attainment Criterion 1a All areas from which personal and sensitive information is sent or received have been identified.

Achieved: Yes

Comments: Any personal/ sensitive data collected by hospital sites will be uploaded onto the Prospect database (hosted by the Clinical Trials Research Unit - University of Sheffield). See Network Diagrams.

Evidence Required Obtained Location Details

List of the relevant areas. Yes Uploaded ProspectNetworkDiagrams(PAINTED).pptx

Attainment Criterion 1b There is a documented procedure for the secure transfer and receipt of personal and sensitive information.

Achieved: Yes

Comments: See the PaInTED System Level Security Policy for details.

Evidence Required Obtained Location Details

A document, staff handbook, or leaflet. Yes Uploaded System Level Security Policy(PAINTED)Version3.pdf

Attainment Criterion 1c The procedure has been approved by senior management.

Achieved: Yes

Comments: PaInTED System Level Security Policy - See page 8 signed by senior project management team.

Evidence Required Obtained Location Details

Minutes of meetings, in a document or email or a personal endorsement in writing from an appropriately senior manager.

No [not specified]

Attainment Criterion 2a The procedure has been made accessible to staff in an appropriate location.

Achieved: Yes

Comments: At present there are no staff actively engaged in research activities as the study is in the hibernation phase. In the event of a pandemic incoming staff will be directed to the appropriate documents on the study network folder. All IG policies and procedures are accessible on the project intranet folder (N:\projects\PaInTED (2012)\DATABASE\Information Governance Toolkit). Once familiarised, signatures will be required on the IG declaration form. The Continuity Management Plan obliges whoever is the study manager at the time of the pandemic to ensure that all project staff are familiar with all the policies applying to the study.

Evidence Required Obtained Location Details

Inclusion in a staff handbook or by publishing it on the Intranet, or staff may be provided with their own copy of the procedure. In the latter case there may be a list of staff signatures confirming receipt of the procedure or the evidence may be a description of the publication process or minutes of the meeting where this was decided.

Yes Uploaded PaintedContinuityPlanVer1PointZeroNoAppendices.pdf

the Continuity Management Plan

Attainment Criterion 2b All staff members have been informed of the procedure and in particular of their own responsibilities for compliance.

Achieved: Yes

Comments: At present, as mentioned in 2(a), there are no staff actively engaged in research activities.

Evidence Required Obtained Location Details

Minutes/notes of team meetings, or briefing materials from awareness sessions.

No [not specified]

Attainment Criterion 2c All new staff, temporary and contract staff members are made aware of the procedure and in particular of their own responsibilities for compliance.

Achieved: Yes

Comments: In the event of a pandemic incoming research staff will be made aware of the existence of the IG policy and of their responsibility for familiarising themselves with this. Signatures will be collected on the declaration form attesting to this familiarity. Staff new to the University will be similarly treated and also be subject to the University's general induction process for new staff (See also University of Sheffield New Staff Induction Checklist).

Evidence Required Obtained Location Details

Staff induction materials and in staff signature lists - that they have read and understand why they must comply with the guidance.

No [not specified]

New Staff Induction Checklist Yes Uploaded New StaffInductionChecklist.docx

Attainment Criterion 3a Providing staff with guidance materials and briefings does not provide sufficient assurance that the guidance has been understood and is being followed, therefore compliance spot checks and routine monitoring are conducted.

Achieved: No

Evidence Required Obtained Location Details

Completed monitoring forms, or a report on the outcome of staff compliance checks.

No [not specified]

Attainment Criterion 3b Policy and law change over time and it is important that the content of procedure is regularly reviewed to ensure it continues to provide secure and confidential methods for transferring and receiving patient information.

Achieved: No

Evidence Required Obtained Location Details

Minutes/meeting notes where the procedure has been reviewed during the year including the decisions made and any updates to the procedure.

No [not specified]

Requirement 10-330 Policy and procedures ensure that mobile computing and teleworking are secure

Requirement Owner(s): Andy Irving

Current Level: 2

Target Level: 3

Attainment Criterion 1a There are documented procedures for mobile working or teleworking that provide guidelines for staff on expected behaviours.

Achieved: Yes

Comments: The university has policies and procedures in place to support staff using remote devices securely for work.

See PAINTED SLSP section 14 (Details of the data processing), which states that the data will only be accessed via University based internet enabled devices. NO home, mobile or teleworking has been authorised for this study.

Evidence Required Obtained Location Details

Documented mobile or teleworking procedures.

Yes Intranet http://www.shef.ac.uk/cics/remote/information

PAINTED System Level Security Policy

Yes Uploaded System Level Security Policy(PAINTED)Version3.pdf

Attainment Criterion 1b There is a documented policy for approvals and authorisation for mobile working and teleworking arrangements

Achieved: Yes

Comments: Uploaded University policy on home working. Again, regarding the PAINTED study specifically, no home or remote working has been authorised.

Evidence Required Obtained Location Details

Documented policy for approvals and authorisation for mobile and teleworking.

Yes Uploaded WorkingAtHomeGuidance.pdf

The System Level Security Policy Yes Uploaded System Level Security Policy(PAINTED)Version3.pdf

Supports the assertion that no remote/home working has been authorised (see section 14).

Attainment Criterion 1c The documented approvals policy and procedures have been agreed by an appropriate senior manager or group.

Achieved: Yes

Comments: No home or remote working has been authorised. See section 14 of the System Level Security Policy.

Evidence Required Obtained Location Details

Minutes of meetings, in a document or email or a personal endorsement in writing of the approvals policy and procedures from an appropriately senior manager or group

Yes Uploaded System Level Security Policy(PAINTED)Version3.pdf

Attainment Criterion 2a All mobile or teleworkers are appropriately approved and authorised, and records are maintained of all authorisations.

Achieved: Yes

Comments: No home, mobile or teleworking has been authorised for this study. (See Painted SLSP attached) Logs are maintained of login attempts in order to monitor malicious attempts to gain access to the database.

Evidence Required Obtained Location Details

Records of approval, signatures/electronic evidence of authorisations, the removal of authorisation for unused accounts.

Yes Uploaded System Level Security Policy(PAINTED)Version3.pdf

Attainment Criterion 2b Mobile or teleworkers are provided with procedures/guidelines.

Achieved: Yes

Comments: (See 1a) The university has policies and procedures in place to support staff using remote devices securely for work.

See PAINTED SLSP section 14 (Details of the data processing), which states that the data will only be accessed via University based internet enabled devices. NO home, mobile or teleworking has been authorised for this study.

Evidence Required Obtained Location Details

In staff handbook, publication of procedures on the intranet, hard copy procedures provided to relevant staff, briefing materials, or awareness session materials.

Yes Uploaded System Level Security Policy(PAINTED)Version3.pdf

Attainment Criterion 2c Robust remote access solutions have been provided.

Achieved: Yes

Comments: A port-based firewall (iptables) is installed and maintained on all Prospect servers. This applies to all connections, whether from on-campus or off-campus, to ensure that only appropriate services are accessible remotely. The firewall permits secure web access via HTTPS (Hypertext Transfer Protocol Secure, port 443) and secure remote administration access via SSH (Secure Shell, port 22). For ease of use the firewall also permits standard web access via HTTP (Hypertext Transfer Protocol, port 80) which redirects all connections to use HTTPS – no services are directly accessible via HTTP. An additional firewall is operated and maintained by CiCS to protect the entire University of Sheffield campus network, to which all Prospect servers are connected, and restricts connections from off-campus except those using secure Virtual Private Network (VPN). This firewall permits only secure web access via HTTPS and standard web access via HTTP.

Data transmission from remote terminals to Prospect operates under Transport Layer Security (TLS) protocols utilising encryption of the transmitted data up to at least the level of 128 bits, or higher where this is possible. Logs are maintained of login attempts in order to monitor malicious attempts to gain access to the database.
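An added example, not from the PAINTED SLSP or the Prospect servers, of how a reviewer could check a host firewall against the allow-list described above: it parses iptables-save output and reports any INPUT rule that accepts a TCP port other than 22, 80 or 443, or an INPUT chain whose default policy is not DROP. The ruleset below is constructed for illustration (it includes a deliberately stray port 3306) and the function names are my own.

```python
"""Audit an iptables ruleset (iptables-save format) against a port allow-list.

Constructed example, not the PAINTED project's code. It checks that the INPUT
chain only ACCEPTs the TCP services the SLSP description names (SSH 22,
HTTP 80 for the redirect, HTTPS 443) and that everything else falls through
to a DROP policy.
"""
import re

# Services the page's description permits through the host firewall.
ALLOWED_TCP_PORTS = {22, 80, 443}

# Constructed iptables-save output for illustration only; the extra port 3306
# is deliberately present so the audit has something to flag.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:INPUT (?P<policy>\w+) ")
RULE_RE = re.compile(r"^-A INPUT\b(?P<body>.*)$")
DPORT_RE = re.compile(r"--dport (?P<port>\d+)")
TARGET_RE = re.compile(r"-j (?P<target>\S+)")


def parse_input_chain(ruleset: str):
    """Return (policy, rules) for the INPUT chain.

    rules is a list of (port_or_None, target) tuples; rules without a
    --dport (loopback, conntrack) carry None as the port.
    """
    policy = None
    rules = []
    for line in ruleset.splitlines():
        pm = POLICY_RE.match(line)
        if pm:
            policy = pm.group("policy")
            continue
        rm = RULE_RE.match(line)
        if not rm:
            continue
        body = rm.group("body")
        tm = TARGET_RE.search(body)
        dm = DPORT_RE.search(body)
        target = tm.group("target") if tm else None
        port = int(dm.group("port")) if dm else None
        rules.append((port, target))
    return policy, rules


def audit_input_chain(ruleset: str, allowed=ALLOWED_TCP_PORTS):
    """Return a list of findings; an empty list means the chain matches policy."""
    policy, rules = parse_input_chain(ruleset)
    findings = []
    if policy != "DROP":
        findings.append(f"INPUT policy is {policy!r}, expected DROP")
    accepted = {port for port, target in rules if target == "ACCEPT" and port is not None}
    for port in sorted(accepted - set(allowed)):
        findings.append(f"port {port} is accepted but not in the allow-list")
    for port in sorted(set(allowed) - accepted):
        findings.append(f"port {port} is in the allow-list but has no ACCEPT rule")
    return findings


if __name__ == "__main__":
    for finding in audit_input_chain(SAMPLE_RULESET) or ["no findings"]:
        print(finding)
```

On a live host the same function can be fed the output of `iptables-save` to confirm that only the documented services are reachable.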

Evidence Required Obtained Location Details

Technical specification documentation relating to the solution itself.

No [not specified]

System reports detailing number of users and the equipment allocated to them.

No [not specified]

Attainment Criterion 3a Providing staff with guidelines, procedures and briefings does not provide sufficient assurance that they have been understood and are being followed, therefore compliance spot checks and routine monitoring are conducted.

Achieved: No

Evidence Required Obtained Location Details

Completed monitoring forms, or a report on the outcome of staff compliance checks.

No [not specified]

Attainment Criterion 3b Documented reviews are carried out to obtain assurance that the mobile and/or teleworking arrangements are only available to authorised users, all mobile devices and removable media are accounted for; secure remote access is in place and that sensitive or confidential information (including service user information) is encrypted, securely transported or stored in secure locations.

Achieved: No

Evidence Required Obtained Location Details

Monitoring software, audit reports, reports to a SIRO or equivalent, and improvement plans.

No [not specified]

Attainment Criterion 3c The robustness of security and remote access controls may change over time. It is therefore important that the remote working procedures and guidelines are regularly reviewed to ensure they continue to be effective.

Achieved: No

Evidence Required Obtained Location Details

Minutes/meeting notes where the procedures or controls have been reviewed including the decisions made and any updates to the procedures or controls.

No [not specified]

Requirement 10-331

There is an information asset register that includes all key information, software, hardware and services

Requirement Owner(s): Andy Irving

Current Level: 3

Target Level: 3

Attainment Criterion 1a Responsibility has been assigned for compiling and maintaining an information asset register.

Achieved: Yes

Comments: As outlined in the Painted Information Governance Policy it is the IG Lead's responsibility for maintaining the register of information assets.

Evidence Required Obtained Location Details

A named individual's job description, or a signed note or e-mail assigning responsibility.

Yes Uploaded PaintedInformationGovernancePolicy v121.6.13.pdf

Attainment Criterion 2a All information assets have been documented in a register that includes relevant details about each asset (ie the location of each asset, what type of information, who uses it etc).

Achieved: Yes

Comments: Assets are at the moment limited to the CTRU's Prospect database and the policy and other documentation held on the network folder. Such assets as do presently exist are recorded in the asset register. Certain infrastructural items (e.g. desktop or laptop computers) are not recorded in the Register as, being in hibernation, there are no such items as these dedicated to Painted. In the event of the pandemic it will then be possible to identify the range of infrastructural items being used and appropriately record them.

Evidence Required Obtained Location Details

Documented Information Asset register. Yes Uploaded PAINTEDInformationAssetRegister.xlsx

Attainment Criterion 3a The asset register is maintained, updated and regularly reviewed, eg to ensure that each asset is still required and is still in use or to add new assets to the register.

Achieved: Yes

Comments: During the course of the hibernation the Register will be reviewed, in case of changes (for example) to fixed assets such as the Prospect database. An asset of this kind will remain an essential part of the study's armamentarium and thus can be recorded in the knowledge that it will eventually be required. Other assets may have to be entered only at the time the pandemic occurs. The study Continuity Management Plan will require the IG lead, on pandemic inception, to undertake an inventory of the assets and ensure that the Register is up to date (see section 2.5).

Evidence Required Obtained Location Details

Updates to the register or a date and signature indicating it has been reviewed.

Yes Uploaded PaintedContinuityPlanVer1PointZeroNoAppendices.pdf

the Continuity Management Plan

Attainment Criterion 3b It is important that the information asset owner carries out their responsibilities appropriately to ensure the currency of the register is maintained and that whenever new assets are introduced to the organisation the register is updated.

Achieved: No

Evidence Required Obtained Location Details

Minutes/meeting notes where the responsibilities were reviewed during the year including the decisions made and any updates to the register.

No [not specified]

Requirement 10-332 Unauthorised access to the premises, equipment, records and other assets is prevented

Requirement Owner(s): Andy Irving

Current Level: 2

Target Level: 3

Attainment Criterion 1a A risk assessment has been undertaken to identify areas of the premises that are at risk of unauthorised access. This covers the premises as a whole, and takes into account legitimate entry/exit points, areas where forced entry is possible and any unstaffed parts of the premises.

Achieved: Yes

Comments: No risk assessment has been undertaken of the current premises as it is not certain exactly what premises will be used at the time of the pandemic. The University operates a number of sites to which the CTRU and ScHARR may in the future be located. What can be said is that whatever building or location is in use at the time the University's Security department will have overall responsibility for safeguarding the premises and identifying the prime risk areas. In addition, given that the study will be managed (during the pandemic) by the CTRU, and that they are required as part of their status as a CTRU to maintain the security of their premises, it is anticipated that the site will have been subject to their own risk assessment and remedial action. (Also see the Continuity Management Plan, section 2.7)

Evidence Required Obtained Location Details

A documented risk assessment including details of any required improvements.

Yes Uploaded PaintedContinuityPlanVer1PointZeroNoAppendices.pdf

Continuity Management Plan

Attainment Criterion 1b There is a reporting process and safety measures in place for staff to follow in the event of unauthorised access.

Achieved: Yes

Comments: The University currently has a policy, periodically disseminated to all staff, that outlines the actions to be taken in the event of an unauthorised intrusion being suspected or taking place. More specifically, for the individual site where research work may be going on, there will be local implementations of the wider University policy. These are all subject to change with time. At pandemic time (along with the risk assessment mentioned in 1(a)) the Chief Investigator/IG lead will review the then-existing policies for handling unauthorised access and ensure staff are familiar with these.

Evidence Required Obtained Location Details

Documented staff guidance. Yes Uploaded incidentplanpv.pdf

University Incident Plan - this covers all 'incidents', and would include unauthorised access

Attainment Criterion 2a Improvements are being made to secure the premises, equipment, records and other assets.

Achieved: Yes

Comments: As mentioned in 1(a) this question is difficult to answer as it is not known what premises may be in use at the time of the pandemic. In like manner to 1(a) what can be said is that once the risk assessment has been conducted any required remedial work will be undertaken.

Evidence Required Obtained Location Details

An action plan or allocation of resources or new security equipment (alarms, door locks, etc) or new ways of working (clear desk, clear screen, etc).

No [not specified]

Attainment Criterion 2b Staff members, including new staff, have been informed about new security measures put in place and the process for reporting unauthorised access through team meetings or awareness sessions or staff briefing or induction materials.

Achieved: Yes

Comments: New starter induction check list includes "building security arrangements" and "end of day and out of hours procedures/ keys/ access". This induction check list also provides links to the University central induction web pages which include initial health and safety training and out of hours training. At no matter what point in the future the pandemic occurs policies and practices similar to this will still exist, whether at a University or local departmental level.

Evidence Required Obtained Location Details

Minutes/notes of team meetings, briefing and induction materials.

Yes Uploaded New StaffInductionChecklist.docx

Attainment Criterion 3a All improvements identified by the risk assessment have been fully implemented to prevent unauthorised access to the premises, equipment, records and other assets.

Achieved: No

Evidence Required Obtained Location Details

New security equipment (alarms, door locks, etc) or new ways of working (clear desk, clear screen, etc).

No [not specified]

Attainment Criterion 3b Providing staff with guidance and procedures for protecting the premises, equipment, records and other assets does not provide sufficient assurance that the guidance and procedures have been understood and are being followed, therefore compliance spot checks and routine monitoring are conducted.

Achieved: No

Evidence Required Obtained Location Details

Completed audit sheets or monitoring forms, or a report on the outcome of staff compliance checks (eg review of burglar alarm logs, clear desk procedure, whether windows and doors are locked).

No [not specified]

Attainment Criterion 3c It is important that physical security measures are subject to regular risk assessment and updated guidance or procedures are issued to reflect new risks due to new ways of working or the purchase of new equipment.

Achieved: No

Evidence Required Obtained Location Details

Risk assessments will include checks that security measures are working effectively and that staff are complying with procedures.

No [not specified]

Requirement 10-333 There are documented incident management and reporting procedures

Requirement Owner(s): Andy Irving

Current Level: 2

Target Level: 3

Attainment Criterion 1a Responsibility for leading on the management and reporting of information incidents has been assigned to an appropriate member of staff. Where necessary and available, support is obtained from the commissioning organisation.

Achieved: Yes

Comments: The study "Continuity Management Plan" clearly specifies that in the event of a pandemic (and thus the activation of the study) then the Chief Investigator, acting in his capacity as Information Governance lead, would take responsibility for this function. This responsibility is also reinforced in the document "Management of Information Incidents", version 0.1, June 2013, which details how any information incidents will be handled.

Evidence Required Obtained Location Details

A named individual's job description, or a signed note or e-mail assigning responsibility.

Yes Uploaded PaintedContinuityPlanVer1PointZeroNoAppendices.pdf

Continuity Management Plan

Evidence of commissioning organisation support if required may be in email communications, or in a formal SLA.

Yes Uploaded Painted Managing Information Incidents.pdf

Management of Information Incidents policy

Attainment Criterion 2a There are incident management and reporting procedures.

Achieved: Yes

Comments: Apart from any general policies put in place by the University regarding incident management the study has its own incident management policy contained in the document "Management of Information Incidents". This policy document clearly specifies the procedures that must be followed in the event of a suspected or actual information governance incident. As part of the management any such incidents are to be recorded in the PAINTED Incident reporting log.

Evidence Required Obtained Location Details

Documented procedures and a template incident reporting form for staff.

Yes Uploaded PaintedManagingInformationIncidents.pdf

Painted Incident Reporting Log Yes Uploaded PAINTEDIncidentReportingLog.xlsx

Attainment Criterion 2b Staff members have been informed of the incident reporting procedures and in particular of their own responsibilities for reporting incidents and near-misses.

Achieved: Yes

Comments: These, and other policies peculiar to the management and conduct of PAINTED, will only come into play at the time the pandemic occurs. It is therefore not possible to present evidence concerning knowledge of the research team as the team will only come into being at the point of the pandemic. What can be said is that the staff to be deployed will be employees of the Clinical Trials Research Unit (CTRU), and thus familiar with the SOPs the CTRU possesses that customarily apply to all their trials work. In addition, the Chief Investigator for the PAINTED study has particular responsibility for ensuring that those individuals tasked with PAINTED have familiarised themselves with this and all other necessary study specific policies and procedures (sections 2.5 and 2.6 of the Continuity Management Plan). Evidence that this has happened will take the form of the signed Information Governance Declaration forms which each team member will complete.

Evidence Required Obtained Location Details

Minutes/notes of team meetings, or briefing materials used in awareness sessions.

Yes Uploaded MemorandumOfInformationGovernanceVer0.2.pdf

This is the declaration of compliance which research team members will be asked to sign.

Incident reporting - additional evidence

Yes Uploaded PaintedContinuityPlanVer1PointZeroNoAppendices.pdf

Continuity Management Plan

Attainment Criterion 2c Any information incidents that arise are reported to the senior management team and where necessary to the commissioning organisation and external parties. Reports include details of investigations or action taken and detail any possible countermeasures.

Achieved: Yes

Comments: As referred to above the "Management of Information Incidents" policy requires that the Chief Investigator notifies the Steering Group chair of any suspected or actual incidents and also stipulates that the Information Commissioner's Office, and appropriate persons within the University, be informed should the incident appear to be 'high risk'.

Evidence Required Obtained Location Details

Completed incident reporting forms and reports made to senior management and where necessary to the commissioning organisation, the Information Commissioner, insurers, or the police.

Yes Uploaded PAINTEDIncidentReportingLog.xlsx

Relating to the reporting of information incidents Yes Uploaded PaintedManagingInformationIncidents.pdf

Management of Information Incidents policy

Attainment Criterion 3a Providing staff with procedures for reporting incidents does not provide sufficient assurance that the procedures have been understood and are being followed. Therefore compliance checks and routine monitoring are conducted.

Achieved: No

Evidence Required Obtained Location Details

A completed audit sheet or monitoring form, or a report on the outcome of staff compliance checks.

No [not specified]

Attainment Criterion 3b Information incidents and near-misses are appropriately discussed with staff and where necessary, retraining is carried out or new security measures are implemented.

Achieved: No

Evidence Required Obtained Location Details

Minutes/meeting notes or lessons learned documents. Where necessary, training materials or evidence of new measures put in place.

No [not specified]

Attainment Criterion 3c No matter how good existing procedures are, weaknesses will always become apparent. New threats and new systems or ways of working will expose these weaknesses and users on the ground are normally the first to identify them. Therefore, staff should be encouraged to report anything they feel threatens security, and this approach needs to be adopted during induction training.

Achieved: No

Evidence Required Obtained Location Details

Staff briefing materials, or incident report forms, or induction materials or new security measures.

No [not specified]

Requirement 10-334 The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate

Requirement Owner(s): Andy Irving

Current Level: Not Relevant

Target Level: Not Relevant

Requirement 10-335 There are adequate safeguards in place to ensure that all patient/client information is collected and used within a secure data processing environment (safe haven) distinct from other areas of organisational activity.

Requirement Owner(s): Andy Irving

Current Level: 2

Target Level: 3

Attainment Criterion 1a There are documented responsibilities and agreed processes for the development and approval of the IGP, SLSP or equivalent policy.

Achieved: Yes

Comments: As outlined in response to earlier questions the study has developed both an information governance policy and SLSP which have been accepted by the Chief Investigator.

Evidence Required Obtained Location Details

Documentation of the organisation's assigned responsibilities and processes for the scoping, development and approval of an IGP, SLSP or equivalent policy.

Yes Uploaded Painted Information Governance Policy v1 21.6.13.pdf

Relating to sign-off of policies Yes Uploaded System Level Security Policy(PAINTED)Version3.pdf

The SLSP

Attainment Criterion 2a The approved IGP, SLSP or equivalent policy has been effectively communicated to staff and third parties working on behalf of, under contract or formal agreement to the organisation, including the supporting procedures to ensure confidentiality and security of information processed or stored.

Achieved: Yes

Comments: As has been mentioned previously there are no research active staff associated with the study at present. When the pandemic occurs all researchers (and other staff connected with the study) will be required to familiarise themselves with the various documents and policies, all of which will be accessible through the study's network folder. Signed declarations to this effect will be required from all staff.

Evidence Required Obtained Location Details

A staff briefing and/or induction materials, IGP, SLSP or other equivalent policies and procedures available on desktop or local intranet, or hard copy materials handed to staff and/or placed prominently in communal areas

Yes Uploaded MemorandumOfInformationGovernanceVer0.2.pdf

Memorandum of Information Governance

IG policy communicating - evidence

Yes Uploaded PaintedContinuityPlanVer1PointZeroNoAppendices.pdf

Continuity Management Plan

Attainment Criterion 2b Contracts or other formal agreements with affected third parties or business partners have been reviewed to ensure these include references to the organisation's IGP, SLSP or equivalent policy along with clear and enforceable statement of obligations, expectations and references to the procedures for confidentiality and security.

Achieved: Yes

Comments: The standard University contract document ("Model Agreement for Non-commercial Research in the Health Service") contains general provisions requiring contracting parties to abide with legislative and regulatory body requirements relating to confidentiality and the handling of sensitive data (specifically Clause 2 "Study Governance", Clause 5 "Confidentiality, Data Protection and Freedom of Information", and Clause 4 of Schedule 2 "Study Conduct"). These clauses lay down basic standards but are not study specific. If, at some future point when the study may be activated, it has not proved possible to incorporate into the Model Agreement suitable clauses outlining the study specific requirements with respect to information governance then third parties and other external contractors will be asked to sign the "Memorandum of Information Governance Compliance - Contractors and Third Parties".

Evidence Required Obtained Location Details

A list of contracts and agreements, and the dates they were established, reviewed and their content approved/re-approved.

Yes Uploaded 130516 PAINTED pandemic site agreementFINAL.pdf

Memorandum of Information Governance Compliance - Contractors and Third Parties Yes Uploaded MemorandumOfInformationGovernanceComplianceThirdPartiesVer1.pdf

Attainment Criterion 3a Documented assurance reviews and improvement plans are available to the unit/team manager and host organisation for consideration, agreement and sign-off.

Achieved: No

Evidence Required Obtained Location Details

A copy of the IGP, SLSP or equivalent policy and its latest signed-off assurance review documentation, or a note of a meeting where these issues were appropriately considered and approved and confirmation that any required improvements have been documented within an action plan and implemented as necessary.

No [not specified]