
HSCB Information Governance Policy Page 1

Information Governance Policy

Version 1.1

Responsible Person: Information Governance Manager

Lead Director: Head of Corporate Services

Consultation Route: Information Governance Steering Group

Approval Route: HSCB Senior Management Team

Applies To: All HSCB Staff, Contractors and Relevant Third Parties

Approval Date: Senior Management Team – 27 May 2014

Review Date: June 2017

Amendment / Change Control

Date Version Action Amendment

15/05/14 1.0

27/05/14 1.1 Comments from HSCB SMT received and amended accordingly

Additional Principle added in relation to Appropriate data Sharing

Equality, Good Relations and Human Rights SCREENING

This policy has been screened for equality implications as required by Section 75 of Schedule 9 of the Northern Ireland Act 1998. It has been concluded that the policy does not in any way have an impact on the nine equality groupings or the three good relations duties. This policy will therefore not be subject to an Equality Impact Assessment.

Human Rights

This policy has been considered under the terms of the Human Rights Act 1998, and was deemed compatible with the European Convention Rights contained in the Act.

This policy will be included in the Health and Social Care Board’s Register of Screening documentation and maintained for inspection whilst it remains in force.

CONTENTS

1.0 Introduction
2.0 Policy Statement
3.0 Scope
4.0 HSCB Principles
4.1 Openness
4.2 Legal Compliance
4.3 Information Security
4.4 Information Quality Assurance
4.5 Appropriate Information Sharing
5.0 Information Governance Framework
6.0 Roles and Responsibilities
6.1 Chief Executive
6.2 Senior Information Risk Owner (SIRO)
6.3 The Personal Data Guardian (PDG)
6.4 Information Asset Owners (IAO)
6.5 Information Asset Assistants (IAA)
6.6 Information Governance Team
6.7 All Staff
7.0 Monitoring and Compliance
8.0 Review and revision arrangements
9.0 Training Requirements
10.0 Policy Distribution
Appendix One – Information Governance Framework

1.0 Introduction

Information is a vital asset, both in terms of the clinical management of patients and the efficient management of services and resources. It plays a key part in corporate governance, service planning and performance management.

It is therefore of paramount importance to ensure that information is efficiently managed and that appropriate policies, procedures and management accountability provide a robust governance framework for information management.

The Information Governance (IG) framework for the Health and Social Care Board (HSCB) is formed by those elements of law and policy from which applicable information governance standards are derived and the activities and roles which individually and collectively ensure that these standards are clearly defined and met.

2.0 Policy Statement

Information Governance is an overarching term used to describe all aspects of information management. This Information Governance Policy is therefore a statement of the HSCB approach and intentions to fulfilling its statutory and organisational responsibilities in relation to the management of information. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and the organisation's aims and objectives.

This document sets out the high level principles across the HSCB for confidentiality, integrity and availability of information to promote and build a level of consistency across the HSCB on these principles.

Failure by any employee of the HSCB to adhere to this policy and its associated procedures and guidelines will be viewed as a serious matter and may result in disciplinary action.

3.0 Scope

This Information Governance Policy should be considered alongside the supporting suite of policies and guidance covering the key aspects of Information Governance. The main policy documents are as follows:

Data Protection and Confidentiality Policy
Records Management Policy
Retention and Disposal Schedule
ICT Security and Associated Policies
Freedom of Information Procedures
Information Risk Procedures

The policy applies to all HSCB staff, Agency staff, third party contractors/service providers and any other individual or organisation processing information for or on behalf of the HSCB. It is applicable to all processing activities on information held in any format and type such as (but is not limited to):

Patient/client/service user information
Staff and personnel information
Organisational, business and operational information
Research, audit and reporting information

It is the responsibility of the HSCB Directors, Assistant Directors and Senior Managers to ensure that this Information Governance Policy is brought to the attention of all staff and that staff have appropriate training on information governance and related policies on induction and annually thereafter.

4.0 HSCB Principles

The HSCB recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The HSCB fully supports the principles of corporate governance and recognises its public accountability but equally places importance on the confidentiality of, and the security arrangements to safeguard both personal information about service users and staff and commercially sensitive information. Whilst meeting legislative and statutory requirements the HSCB also recognises the need to share (disclose) patient information with other health organisations and other agencies in a controlled manner to support better care, consistent with the consent of the patient and, in rare circumstances, the public interest.

4.1 Openness

Information on the HSCB and its services should be available to the public through a variety of media, in line with the HSCB Freedom of Information procedures (subject to it not being exempt from disclosure). What constitutes ‘exempt’ information is defined by law and decisions by the Information Commissioner and/or the Information Tribunal.

The HSCB will undertake or commission annual assessments and audits of its information governance processes and arrangements for openness.

Patients, clients and members of the public should have access to personal information including their own health care, their options for treatment and their rights as patients. Staff will have access to personal information including their rights as employees.

4.2 Legal Compliance

The HSCB regards all identifiable personal information as confidential. Personal information relating to staff will be treated as confidential except where national policy on accountability and openness requires otherwise and in the public interest. The HSCB will establish and maintain policies to ensure compliance with the Data Protection Act, Freedom of Information Act, the DHSSPS Code of Practice on Protecting the Confidentiality of Service User Information and the common law duty of confidentiality.

The HSCB will undertake or commission annual assessments and audits of its compliance with legal requirements in relation to information governance, primarily the Information Management Controls Assurance Standard.

The HSCB will investigate all breaches of confidentiality and security, and failure to comply with key information governance policies in line with HSCB incident reporting processes.

4.3 Information Security

The HSCB, in partnership with the Business Services Organisation (BSO), will establish and maintain policies for the effective and secure management of its information assets and resources. The HSCB will promote effective confidentiality and security practices to its staff through the dissemination of its policies, the establishment of local procedures, and staff training and awareness.

The HSCB, in partnership with the Business Services Organisation (BSO), will undertake or commission annual assessments and audits of its information and IT security arrangements.

The HSCB will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

4.4 Information Quality Assurance

The HSCB will establish and maintain policies and procedures for information quality assurance and the effective management of records.

In compliance with the DHSSPS Information Management Controls Assurance Standard, the HSCB will undertake annual assessments and audits of its information quality and records management arrangements.

Managers are expected to take ownership of, and seek to improve, the quality of information within their services. Wherever possible, information quality should be assured at the point of collection.

The HSCB will promote information quality and effective records management through policies, local procedures/user manuals and staff training and awareness.

4.5 Appropriate Information Sharing

Appropriate sharing of some personal Health & Care information for direct care purposes is essential for achieving faster, safer decisions for better care outcomes. The HSCB will take account of ‘The Data Protection considerations associated with the electronic processing of personal data for direct care purposes’, DHSSPS, February 2012 and ICO Data Sharing Code of Practice, May 2011 and establish and maintain Data Sharing Agreements when appropriate to allow the secure and safe sharing of patient identifiable information with due consideration given to patient consent, arrangements for controlled access and governance arrangements for the shared data.

5.0 Information Governance Framework

Appendix One provides the Information Governance Framework for the HSCB. The framework provides a high level summary of the key Information Governance roles, policies, reporting and oversight arrangements, training and incident management processes in place for the HSCB.

6.0 Roles and Responsibilities

The main roles are identified as follows:

6.1 Chief Executive

The Chief Executive, as Accountable Officer, has responsibility for ensuring that sound systems of Corporate Governance are in place within the HSCB and to ensure compliance with legal and statutory obligations.

6.2 Senior Information Risk Owner (SIRO)

The SIRO (Director of PMSI and Corporate Services) is the focus for the management of information risk at Board level. The SIRO will advise the Accounting Officer on the Information Risk aspect of the Statement of Internal Control and will own the overall information risk and risk assessment process.

6.3 The Personal Data Guardian (PDG)

The PDG (Director of Integrated Care) has responsibility for ensuring that HSCB processes satisfy the highest practical standards for handling personal data. The PDG is the ‘conscience’ of the organization in respect of patient information, and will also promote a culture that respects and protects personal data. The PDG works closely with the SIRO and Information Asset Owners where appropriate, especially where information risk reviews are conducted for assets which comprise or contain patient/service user information.

6.4 Information Asset Owners (IAO)

The IAO's primary role is to manage and address risks associated with the information assets within their function and to provide assurance to the SIRO on the management of those assets. Each IAO for their function sits on the Information Governance Steering Group.

6.5 Information Asset Assistants (IAA)

IAAs may be identified in each function to support the IAO.

6.6 Information Governance Team

The Information Governance Team will support the above roles and provide expert advice, guidance and support to all staff on all elements of Information Governance.

6.7 All Staff

It is the responsibility of all staff to make themselves familiar with and comply with policies and procedures issued by the HSCB, and to be aware that failure to comply may result in disciplinary action. All staff will work within the principles outlined in the Information Governance framework and undertake annual Information Governance training.

7.0 Monitoring and Compliance

Actions to ensure compliance with this policy are detailed in the corresponding Information Governance Strategy. The strategy includes an action plan identifying key areas of work necessary to ensure compliance with this policy. Formal reporting arrangements are also outlined with expected timescales. Ultimately performance will be monitored on a six monthly basis by the HSCB Governance Committee. Compliance with the Information Governance Assurance Framework will also be assessed by the annual completion of the Information Management CAS. Formal reports will be provided to the SIRO for sign off prior to submission.

The HSCB has in place an established incident reporting procedure and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. As part of the training and awareness programme, employees and third party contractors will also be made aware of definitions of incidents and the process for dealing with them.

8.0 Review and revision arrangements

This policy will be reviewed as per the review date on the policy front sheet. However, it will be reviewed when affected by major internal or external changes such as:

Legislation
Practice change or change in system/technology
Changing methodology

9.0 Training Requirements

Staff will be trained in the use of systems and procedures to ensure the quality and appropriate handling of information in order to minimize risks to the organisation from poor information governance.

All staff will receive mandatory induction/awareness training covering all aspects of Information Governance. Various methods of delivery will be used including E-Learning where applicable. Annual refresher updates will also be provided to all staff. Awareness raising of the key information governance principles will be undertaken as necessary.

A staff Code of Conduct for Information Security and Confidentiality will be developed and available to all staff via the Intranet and in hard copy where applicable. This will give staff the key points regarding confidentiality and information security and best practice guidance.

Staff with key roles (e.g. SIRO/Personal Data Guardian/Information Asset Owner) will undertake regular training for their specific role.

10.0 Policy Distribution

The Policy will be made available to all HSCB Staff via the HSCB Intranet site. A global notice will be sent to all staff notifying them of the release of this document.

Appendix One – Information Governance Framework

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

Heading Requirement Notes

Senior Roles IG Lead

Senior Information Risk Owner (SIRO)

Personal Data Guardian (PDG)

The Chief Executive as Accountable Officer has overall accountability for IG and is required to provide assurance, that all risks to the HSCB are effectively managed.

SIRO for the HSCB is Director of PMSI and Corporate Services.

PDG for the HSCB is Director of Integrated Care

IAOs for the HSCB are Assistant Directors within each Directorate

Key Policies Over-arching IG Policy

Data Protection Act 1998/Confidentiality Policy

Organisation Security Policy

Information Lifecycle Management (Records Management) Policy

Corporate Governance Policy

Information Governance Policy (to be developed)

Data Protection/Confidentiality Policy (March 2010)

ICT Security Policy

Secure Mobile ICT Equip (Sept 2012)

Use of the Internet Policy (Sept 2012)

Use of Electronic Mail Policy (Sept 2012)

Use of ICT Equipment Policy (Sept 2012)

Records Management Policy (June 2012)

Freedom of Information Policy (to be developed)

Key Governance Bodies

IG Board/Forum/Steering Group HSCB Governance Committee (meet bi annual)

HSCB Information Governance Steering Group (meet bi monthly)

HSCB Records Management Working Group (meeting bi monthly)

Resources Details of key staff roles and dedicated budgets

IG Manager x 1

Assistant IG Manager x 1

IG Project Manager x 1

IG Officer x 1

IG Support Officers x 2

Governance Framework

Details of how responsibility and accountability for IG is cascaded through the organisation.

All staff contracts include IG clauses

Contractors Confidentiality Agreement

Information Asset Register

Examples of 3rd party contractors

Training & Guidance Staff Code of Conduct (see criteria 5, 13 and 12)

Training for all staff

Organisation Security Policy

Training for specialist IG roles

Code of Conduct for Employees in Respect of Confidentiality (to be developed)

IG E-Learning Training is mandatory for all staff

HSCB ICT Security Policy

SIRO, PDG and IAO training completed

Incident Management

Documented procedures and staff awareness

Information Risk Policy (to be developed)

Information Sharing Protocol

Guidance for reporting IG related incidents

IG Leaflet