Information Governance and Data Security...

Post on 20-Aug-2020


Version 0.1 1 Date

Radford Medical Practice

INFORMATION GOVERNANCE AND DATA SECURITY POLICY 2019

Document History

Version Date: October 2018

Version Number: 1.0

Status: Final

Next Revision Due: January 2021

Developed by: Paul Couldrey (IG Consultant)

Policy Sponsor: Practice Manager

Approved by: Dr K Kaur / Karen Murch

Date approved: 19.2.19

Date ratified:

Revision History

Version   Revision date   Summary of Changes
1.0       08/02/18        First Draft
1.1       19.2.19         Final


Introduction

Radford Medical Practice recognises that information has its greatest value when it is accurate, up to date and accessible where and when it is needed. Inaccurate, outdated or inaccessible information that is the result of one or more information security weaknesses can quickly disrupt or devalue critical processes. Information underpins the delivery of high quality healthcare commissioning and many other key service deliverables. In addition, the public is increasingly concerned about how organisations are handling information; patients have a right to expect us to handle their data in a safe and secure manner and comply with legal and professional responsibilities. There is a legal requirement for the practice as a Public Authority to address compliance with the incoming General Data Protection Regulation (GDPR) by 25 May 2018, and the associated UK-specific Data Protection Act 2018, together with associated NHS guidance (to be published). An effective information security management regime must be in place to ensure that information is appropriately protected and reliably available. This document sets out a strategic direction for information governance management within the Practice. The policy is based on a number of legal and best practice standards including:

• ISO 27001, the international standard for information security management systems (ISMS)
• Information Security Management: NHS Code of Practice
• General Data Protection Regulation 2016, Data Protection Act 2018, Freedom of Information Act 2000, Computer Misuse Act and other related law and regulation
• Health and Social Care Act 2013
• NHS Act 2006 (s.251 and associated CAG Approvals)
• Office of Government Commerce (OGC) Policies & standards
  o Information Technology Infrastructure Library (ITIL)
  o Communications-Electronics Security Group (CESG) Guidance
  o Management of Risk

The Practice is committed to ensuring that there is adequate provision for the secure management of information resources it owns or controls. The Practice recognises that information security is not simply about implementing information technology solutions; it reflects overall management and the culture of the organisation.


Scope

This policy relates to:
• all information that is processed or held during the practice business or on its behalf by key providers;
• the handling of all information through all recognised means; and
• all information systems purchased, developed and managed by or on behalf of the Practice.

It also applies to all members of staff employed by, or working on behalf of, the Practice, including contracted, non-contracted, temporary, honorary, secondments, bank, agency, students, volunteers, locums or third parties.

The Information Governance Policy recognises that the practice is an organisation working within a new and rapidly changing commissioning and information governance landscape, especially with the introduction of the GDPR. As such the Practice’s policy is focused on setting up and embedding the required governance arrangements and doing this in such a way that the practice retains the maximum flexibility and resilience so that it can adapt to this environment. The key elements and resources to support the delivery of this policy are:

• The Data Security and Protection Toolkit (2018);
• Information Governance Management Framework and Policy;
• GDPR PID and Improvement Plans (High Level and Operational);
• Information Governance Policy;
• Information Governance Policies.

The Information Governance Improvement Plan, identifying lead practice officers, will be agreed each year to ensure compliance against each of the requirements. This Plan forms part of the overall practice endorsed Data Protection and Confidentiality Policy.


Purpose

The purpose of this policy is to describe the management arrangements that will deliver Information Governance assurance for the Practice. Information Governance is a framework that enables the organisation to establish good practice around the processing of information and use of information systems, ensure that information is handled to ethical and quality standards in a secure and confidential manner, promote a culture of awareness and improvement, deliver its corporate objectives and comply with legislation, statutory requirements and other mandatory standards.

The Information Governance Management Framework (IGMF) will underpin the Practice’s strategic goals and ensure that the information needed to support and deliver their implementation is readily available, accurate and understandable. Information Governance has four fundamental aims:

• To support the provision of high-quality care by promoting the effective and appropriate use of information;

• To encourage responsible staff to work closely together, preventing duplication of effort and enabling efficient use of resources;

• To develop support arrangements and provide staff with appropriate tools and support to enable them to carry out their responsibilities to consistently high standards;

• To enable the practice to understand its own performance and manage improvement in a systematic and effective manner.

The Practice has a statutory responsibility to patients and the public to ensure that the services it provides have effective policies, processes and people in place to deliver objectives in relation to holding and using confidential and personal information.

Broad Objectives


The Practice will ensure there is a systematic and planned approach to the management of information governance by establishing an Information Security Management System (ISMS) in line with ISO 27001 and Information Security Management: NHS Code of Practice.

• The effectiveness of the ISMS will be continually improved through the use of audit results, analysis of incidents, corrective and preventive actions and management reviews.

• All important information assets will be identified and appropriately managed and protected. Any protection applied will be based on formally documented risk assessments to ensure that it is commensurate with the value of the asset and the perceived threats.

• Actual and potential information governance related incidents will be recorded and responded to in a timely and appropriate manner; findings will be fed into the ISMS to ensure continued and ongoing improvements.


• Steps will be taken to ensure that internal and external transfers of patient confidential information are conducted in a secure and safe manner; this will include, for example, encryption of emails and removable media holding personal information (as mandated by the Cabinet Office Information Governance Assurance Programme in 2008).

• All staff, contractors and other relevant parties will be made aware of the organisation’s requirements for information security and undertake appropriate training.

• A culture of information security awareness will be promoted and established.

• Procedures will be established to ensure that information governance requirements are addressed during the implementation, development and maintenance of services and/or systems.

• Business continuity plans will be developed across all services to ensure the centre is able to continue with its core business functions in the event of a failure or loss of systems or services. Appropriate procedures will be developed to ensure the timely recovery or replacement of information systems and services. The plans will be regularly tested and revised.

• Systems and services will be regularly audited against information governance related policies and procedures. The results of such audits will be fed into the ISMS, the Information Governance work-plan and information risk registers to ensure continued and ongoing improvement.

Information Security Management System (ISMS)

The Practice recognises that effective information security involves more than simply installing security products such as anti-virus software and providing a security policy. The practice will establish an ISMS, which will provide a means to identify and co-ordinate the approach to the management of information security within the practice in order to protect it, and its business. The ISMS will be based on the NHS Information Security Management Framework.

The governing principle behind the ISMS is the design, implementation and maintenance of a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

Based on this risk approach, we will establish, implement, operate, monitor, review, maintain and improve information security for all organisations within the Practice.


The Core Elements of an effective Information Security Management System are summarised in the following Plan-Do-Check-Act model.

PLAN - Establish the ISMS

• Define the business needs for information security and set those out in a corporate Information Security Policy

• Identify and assess the risks to Information Security

• Identify and evaluate controls to be established to manage the information security risks identified, transfer the risks or accept them as appropriate.

DO - Implement and operate the ISMS

• Develop and implement action plans to manage the identified information security risks

• Implement training and awareness for all relevant staff

CHECK - Monitor and review the ISMS

• Establish processes to identify actual and potential information security incidents or system weaknesses

• Monitor and update information security risk assessments as required


• Monitor the effectiveness of the ISMS in managing information risks through internal reviews and independent audit.

• Report the results to management for review.

ACT - Maintain and improve the ISMS

• Take corrective and preventative actions, based on the results of audits and management reviews or other relevant information, to achieve continual improvement of the ISMS.

Following the principles of the above model, an Information Governance Work-plan for the practice will be created. This encompasses the requirements of the DS&P Toolkit, legal and NHS requirements and the results of audits and risk assessments. The work-plan will be carefully monitored and regularly reviewed and revised, to ensure it continues to meet the information governance requirements of the practice and ensure continuous improvement.

Governance Arrangements

Meetings will be held every 6 months with the Caldicott Guardian, SIRO, IG lead and Admin Lead. The group will perform the following functions:

• Develop and maintain the information governance policy and supporting policies, procedures and guidelines.

• Conduct regular audits to review the effectiveness of the implementation of the information governance policy.

• Provide clear direction and visible management support for security initiatives.

• Identify the resources needed for information governance.

• Approve assignment of specific roles and responsibilities for information governance across the Practice.

• Initiate plans and programmes to maintain information security awareness.


• Ensure that the implementation of information security controls is coordinated across the Practice.

• Take appropriate action and implement any necessary changes to policy or procedures in response to the results of audits or incidents.

• Continually monitor and assess risks, ensuring appropriate and timely responses to changing and emerging threats.

Information Governance Definition

Information Governance is “a framework for handling information in a confidential and secure manner to appropriate ethical and quality standards in modern health services”. It brings together, within a singular cohesive framework, the interdependent requirements and standards of practice. This policy forms part of the Practice’s overall Practice Assurance Framework.

IG is defined by the requirements that the organisation is required to demonstrate compliance with as part of the DS&P toolkit from 2018; these include the following domains:

• Information Governance Management
• Confidentiality and Data Protection Assurance
• Information Security Assurance
• Clinical Information Assurance
• Secondary Use Assurance

Within this definition and domains the practice will handle and protect many classes of information:

• Some information is confidential because it contains personal details; the practice must comply with regulation which regulates the holding and sharing of confidential personal information. Changes to the way in which patient confidential data can be processed came about as a result of the Health & Social Care Act 2012. It is important that relevant, timely and accurate information is available to those who are involved in the care of service users, but it is also important that personal information is not shared more widely than is necessary;

• Some information is non-confidential and is for the benefit of the practice and the general public, and its employees share responsibility for ensuring that this type of information is accurate, up to date and easily accessible to the public;

• The majority of information about the practice and its business should be open to public scrutiny although some, which is commercially sensitive, may need to be safeguarded.

Information can be in many forms, including (but not limited to):


• Structured record systems – paper and electronic;
• Transmission of information – fax, e-mail, post and telephone; and
• All information systems purchased, developed and managed by/or on behalf of the Practice.

Aims & Objectives

The IG Policy of the practice will be based upon a vision of a long-term delivery of clear, open aims and objectives to ensure that:

• The practice complies with all statutory requirements;
• The practice has an information governance policy that supports the achievement of corporate objectives;
• The practice can demonstrate an effective framework for managing information governance assurance;
• Staff are aware of their responsibilities and the importance of information governance;
• Information governance becomes a systematic, efficient and effective part of business as usual for the Practice;
• Information governance is integrated into the change control process;
• There are effective methods for seeking assurance across the organisation;
• The Practice can demonstrate that the information governance arrangements of organisations it commissions services from across healthcare and commissioning support are adequate;
• The policy is able to respond to any change required by external bodies and any challenges emerging from changes to the information governance landscape.

An outline of the high-level IG organisational objectives that the practice seeks to achieve is as follows:

• Comply with the relevant information privacy and confidentiality laws and regulations as well as contractual requirements and internal policies on information and systems security and protection, and provide transparency on the level of compliance via the DS&P Toolkit;

• Maintain information risk at acceptable levels and protect information against unauthorised disclosure, unauthorised or inadvertent modifications, and possible intrusions;

• Address the increasing potential for civil or legal liability impacting the organisation as a result of information breaches through efficient and effective risk management, process improvement and rapid incident management;

• Provide confidence in interactions with key external organisations – for example, Acute & Community Providers, customers, NHS England, NHS Digital, Monitors, Commissioners and the CQC;

• Create, maintain and continuously improve trust from customers and the public;


• Provide accountability for safeguarding patient and other critical information; and

• Protect the organisation’s reputation.

These aims and objectives will be achieved by ensuring the effective management of Information Governance by:

• Ensuring that the practice meets its obligations under the Data Protection legislation, the Human Rights Act 1998, the Freedom of Information Act 2000 and the Health and Social Care Act 2012;

• Establishing, implementing and maintaining policies for the effective management of information;

• Ensuring that information governance is a cohesive element of the internal control systems within the Practice;

• Recognising the need for an appropriate balance between openness and confidentiality in the management of information;

• Ensuring that information governance is an integral part of the practice culture and its operating systems;

• Ensuring maintenance of year on year improvement within the DS&P Toolkit submission;
• Reducing duplication and looking at new ways of working effectively and efficiently;
• Minimising the risk of breaches of personal data;
• Minimising inappropriate uses of personal data;
• Ensuring that Service Level Agreements between the practice and other organisations are managed and developed in accordance with Information Governance Principles;
• Ensuring that contracted bodies are monitored against Information Governance standards;
• Protecting the services, staff, reputation and finances of the practice through the process of early identification of information risks and, where these risks are identified, ensuring sufficient risk assessment, risk control and elimination are undertaken;

• Ensuring there is provision of sufficient training, instruction, supervision and information to enable all employees to operate within information governance requirements, including those undertaking specialist roles;

• Ensuring the information governance policy and related plans link to and support other corporate or strategic objectives, e.g. business continuity planning, and ensuring the practice is able to meet its commitments under the Civil Contingencies Act 2004 (specifically the Emergency Preparedness, Resilience & Response assurance process).

Roles and responsibilities

Information Governance Steering Group

The Information Governance Steering Group will be established to support and drive the broader information governance agenda and provide the partners with the assurance that effective information governance best practice mechanisms are in place within the Practice.

The IGSG will meet every 6 months and will be Chaired by the SIRO. The Group will:

• be accountable to the Senior partners;
• support the practice SIRO and the practice Caldicott Guardian in their roles;
• monitor information governance performance annually using the DS & P Toolkit hosted by NHS Digital (NHSD);
• provide audited toolkit Results to the partners for approval prior to final submission to the NHSD;
• be responsible for overseeing operational information governance issues;
• develop and maintain policies, standards, procedures and guidance;
• co-ordinate and monitor the implementation of the information governance policy, framework and policies across the Practice.

In addition to the SIRO, the membership of the IGSG will include the following:

• Senior Information Risk Owner (SIRO)
• Caldicott Guardian
• General Manager

(Terms of Reference in Appendix 1)

Individual roles

Senior Information Risk Owner (SIRO) – Paul Couldrey

The SIRO for The Practice holds responsibility for ensuring that information is processed and held securely throughout the Practice. The role covers all the aspects of information risk, the confidentiality of patient and service user information and information sharing. The Data Protection and Security Toolkit sets out clear responsibilities of the SIRO in relation to risks surrounding information and information systems, which also extend to business continuity and the role of Information Asset Owners.

In particular, the SIRO is responsible for:

• leading and fostering a culture that values, protects and uses information for the success of the practice and benefit of its service users;


• owning the Practice’s overall information risk policy and risk assessment processes and ensuring they are implemented consistently by Information Asset Owners (IAOs);

• taking ownership of information risk assessment processes, including the review of the annual information risk assessment, and agreeing actions in respect of any risks identified;

• ensuring that The Practice’s approach to information risk is effective in terms of resources, commitment and execution and that this is communicated to all staff;

• ensuring Information Asset Owners (IAOs) undertake risk assessments of their assets;

• being responsible for the Incident Management process, ensuring identified information security risks are addressed and any lessons learnt are implemented;

• providing a focal point for the management, resolution and/or discussion of information risk issues;

• ensuring that the Practice’s approach to information risk is effective in its deployment in terms of resource, commitment and execution and that this is communicated to all staff;

• ensuring the organisation is adequately briefed on information risk issues.

Data Protection Officer – Paul Couldrey

Paul Couldrey of PCIG Consulting Limited will act as the DPO for the Practice. This role is key in ensuring that the Practice complies, and can demonstrate that it complies, with GDPR.


Caldicott Guardian – Dr K Kaur

The Caldicott Guardian is responsible for acting as a champion for data confidentiality. They should ensure that confidentiality issues are appropriately reflected in practice policies and working procedures for staff and oversee all arrangements, protocols and procedures where confidential information may be shared with external bodies, including disclosures to other public sector agencies and other outside interests.

The Caldicott Guardian is responsible for:

• ensuring that the practice satisfies the highest practical standards for handling patient information;

• ensuring confidentiality is reflected appropriately in the Practice’s policies and procedures to support the lawful and ethical processing of information;

• acting as the ‘conscience’ of the Practice;
• ensuring that staff comply with Caldicott Principles and the guidance contained in the NHS Confidentiality Code of Practice;
• facilitating, enabling and overseeing information sharing agreements and arrangements put in place to share personal confidential data with external bodies.

IG Lead – Karen Murch

The nominated IG lead is the Practice Manager. The IG Lead has responsibility for project managing the overall co-ordination, publicising and monitoring of the Practice IG framework. The IG Lead has specific responsibility for the development of this policy, producing reports and DS&PT toolkit returns.

Information Asset Owners

The Information Asset Owners (IAO) will be senior members of the practice staff responsible for information assets within their remit. They will provide assurance to the SIRO that information risk is managed effectively for their information assets. This will be achieved by:

• Ensuring all Information Assets and flows of data within their remit are identified and logged, ensuring each has a legal basis to be processed.

• Identifying, managing and escalating all information security (for example, dependencies and access control) and information risks as appropriate.

• Supporting Information Asset Administrators who will ensure the above takes place. The detailed roles and responsibilities are defined in Appendix A of the NHS Information Risk Management Guidance.

• Ensuring that information risk assessments are performed on all information assets where they have been assigned ‘ownership’ and providing assurance to the SIRO on the security and use of these assets;


• Knowing what information is held and for what purpose;
• Ensuring that information governance policies and system level procedures are followed.


All staff (and Third Parties)

All those working for the practice have legal obligations, under the Data Protection legislation, common law duty of confidentiality, and professional obligations, for example the Confidentiality NHS Code of Practice and professional codes of conduct. These are in addition to their contractual obligations which include adherence to policy, and confidentiality clauses in their contract.

The same responsibilities apply to those working on behalf of the organisation whether they are volunteers, students, work placements, contractors or temporary employees. Those working on behalf of the organisation are required to sign a third-party agreement outlining their duties and obligations.

Breaches of any law, contract, code of practice or confidentiality agreement will be reported using appropriate channels and action taken where necessary.

Data Security and Protection Toolkit

Completion of the Data Security and Protection Toolkit is mandatory for all organisations using NHSMail and providing NHS services. The Toolkit covers most statutory, common law and professional requirements, as well as training, assurance processes and change control processes. Annual improvement plans will be developed each year to ensure the practice achieves a satisfactory level in all requirements. As the DS&P is publicly available, assessment scores of partner organisations will be used to assess their suitability to share information and to conduct business with.

The Practice’s progress will be reported to the Partners at regular intervals by the SIRO. Compliance with the Toolkit will provide assurance to the Partners that the majority of strategic information governance objectives are being met.

The practice will comply with the NHSD deadlines for submission of updates and final assessment.


IG Policies

The practice is committed to ensuring that its policies follow the HORUS model as proposed by the Department of Health to ensure compliance with legislation, including the GDPR 2016 and Data Protection Act 2018. The principles of this model are that information is:

• Held safely and confidentially;
• Obtained fairly and lawfully;
• Recorded accurately and reliably;
• Used effectively and ethically;
• Shared and disclosed appropriately and lawfully.

To deliver this model, the practice will ensure that:

• policies and procedures are in place to facilitate compliance with all relevant legislation, regulations and duties;

• compliance with the Data Protection Act 2018 is maintained when handling Personal Confidential Data, except where there is a legal requirement to override the Act;

• information is appropriate for the purpose intended and that at all times the integrity of information is developed, monitored and maintained;

• information made available for operational purposes is maintained within set parameters relating to its importance via appropriate procedures and computer resilience systems;

• all identifiable information relating to patients is regarded as confidential;
• all identifiable information relating to staff is regarded as confidential, except where national policy on accountability and openness requires otherwise;
• when person identifiable data is shared, the sharing complies with the law;
• guidance and best practice and both service user rights and public interest are respected;
• non-confidential information relating to the Practice and its services is made available to the public through a variety of media, in line with the Freedom of Information Act and Environmental Information Regulations;

• it will have clear procedures and arrangements for liaison with the press and broadcasting media;

• patients and service users will have access to information relating to their own health care, options and treatment and their rights as patients;

• it will undertake or commission annual audits of compliance with legal requirements;
• information and IT security, information quality and record management requirements are met in accordance with the DS&P Toolkit;
• the roles and responsibilities identified within the IG Framework are integrated and embedded within the organisation;
• procedures for the effective and secure management of its information assets and resources are established and maintained;
• information is managed throughout its lifecycle of creation, retention, maintenance, use and disposal;


• procedures for information quality assurance and the effective management of records are established and maintained;

• information is effectively managed so that it is accurate, up-to-date, secure, retrievable and available when required;

• incident reporting procedures, which include the investigation of all reported instances of actual or potential breaches of confidentiality and security, are established and maintained;

• Risk Management and reporting procedures are established and maintained, and it will have in place risk controls and monitoring processes for all reported information risks;

• relevant instruction and training is provided to all staff through induction and thereafter annually in relation to this policy.

IG Resources

The Information Governance Policy and Framework is enacted through the Information Governance Improvement Plan. This covers major elements of information governance implementation, including:

• Completion of the DS&P Toolkit;
• Implementation of relevant policies and procedures;
• Information flow mapping;
• Information asset register and asset risk assessments;
• Incident reporting and management;
• Mandatory and specialist training;
• Annual assurance statements from IAOs to the SIRO, and onwards to the partners.

The IGSG will identify any policy associated resource implications incurred by the implementation of the Information Governance improvement plan. Business cases will be developed to deliver specific initiatives or projects (if necessary).

Incident Reporting & Management

Incidents must be reported and managed through established processes. Significant issues will be subject to full investigation and reporting action. Incidents relating to personal information will be reported to the Caldicott Guardian whilst those of a more corporate nature will be reported to the SIRO.

The Practice will put in place suitable mechanisms to ensure staff identify and manage information risks in line with existing risk management policy and processes. All information governance incidents must be reported as soon as they are detected in accordance with The Practice’s Incident Reporting and Management procedure.

Information Security


With the increasing use of electronic data and ways of working which rely on the use of electronic information and communication systems to deliver services, there is a need for professional advice and guidance on their use as well as the need to ensure that they are maintained and operated to the required standards in a safe and secure environment.

Risk Management

The ability to apply good risk management principles to IG is fundamental and the Practice will apply them through organisational policies. Risk assessment will also be included as part of the Information Asset Owners role. Any information flows from or into identified information assets will be risk assessed and the results reported to the Practice SIRO for risk mitigation, acceptance or transfer.

Legal Compliance

The Data Protection legislation (GDPR and DPA 1998/2018) is the most fundamental piece of legislation that underpins Information Governance. The practice is registered with the Information Commissioner’s Office and will fully comply with all legal requirements of the law. A process will be adopted to ensure that a review of all new systems is carried out and, where requirements such as the need for Privacy Impact Assessments (PIA) are highlighted, these will be completed. This will be included in the IG service specification.

Training and Staff Support

Fundamental to the success of delivering the Information Governance Policy is developing an Information Governance culture within the Practice. Awareness and training will be provided to all staff that utilise information in their day-to-day work to promote this culture. In order to achieve this, the IGSG will ensure:

• all staff complete an Induction session when they first start employment which will include Information Governance. In subsequent years all staff are required to complete further Information Governance training as set out on e-learning for health. This is an annual exercise and is required to meet a satisfactory level within the DS&P toolkit;

• specific modules available for the Caldicott Guardian, SIRO, IAOs and IG staff themselves are completed;

• all staff undertake an annual training needs analysis and any recommendations identified will be complied with by staff;

• keep all staff informed of compliance and standards set to support this policy via staff bulletins and where necessary Information Governance specific messages;

• implement staff surveys to assess levels of understanding and ensure staff are fully aware of their responsibilities;


• provide staffwith theopportunity todevelopmoredetailedknowledgeandappreciationoftheroleofinformationgovernancethrough:

• IGPoliciesandthispolicy;• Induction,mandatoryandrefreshertraining;• Linemanagersupport;• Specifictrainingcoursesforspecialistroles.

Implementation&Dissemination

ThispolicyonceapprovedbythePartnerswillbesharedwithallmembersofstaff.Ateambriefingwillalsobeprovidedtosupportthisdissemination.TheimplementationofthisIGpolicyandIGToolkitimprovementplanwillensurethatinformationismoreeffectivelymanagedinthePractice.Tosupportthispolicy,thePracticewill implementkeyIGpoliciesandwillensurethatstaffabidebythese.Each year the IG policy will be reviewed, and a revised DS&P Toolkit improvement plan will bedevelopedagainsttheDS&PToolkitattainmentlevelsandscores,thusidentifyingthekeyareasforaprogrammeofcontinuousimprovement.

Policy,ProtocolandProcedureDistribution

Allemployee-basedpolicies,protocolsandprocedureswillbemadeavailableonthepracticeshareddrive and will be highlighted in staff briefings. Knowledge of the key details of InformationGovernance related policies will be tested through the use of the online Information Governancetrainingtool,andtheuseofstaffsurveysand/orconfidentialityauditstotestknowledgeinparticularareas.

Monitoring and Review

This policy will be reviewed on the first anniversary following its adoption and subsequently every two years until rescinded or superseded. An earlier review of this document may be undertaken in the event of:

• Legislative or case law changes;
• Changes or release of good practice or statutory guidance;
• Identified deficiencies, risks or following significant incidents reported;
• Changes to organisational infrastructure.


• New vulnerabilities;
• Practice change or change in system/technology;
• Changing methodology.

Performance Indicators

The DS&P Toolkit submission is a mandatory annual return; the criteria for compliance are set out within the relevant Toolkit. The successful implementation of Information Governance across the organisation will be reflected in the achievement level produced from the annual Toolkit submission.

Performance against this policy will be monitored against the DS&P Toolkit requirements by the IGSG, and escalated to the Partners. The level of assurance will be submitted officially via the Information Governance Toolkit on an annual basis.

Internal Reporting

Formal reporting will be managed through the IGSG group. The Practice Manager will establish effective reporting arrangements with the partners to ensure the practice is receiving ongoing assurance of their IG performance and use these reports as an opportunity to quickly identify and escalate any issues or risks at an early stage.

Key Legislation & Guidance

This policy should be read in conjunction with the following:

• Confidentiality and Data Protection
• Code of Conduct (in respect of confidentiality)
• IG Training
• Information Sharing
• Privacy Impact Assessments
• Information Security / Safe Haven procedures
• Information Risk Assessment and Management Programme
• Records Management
• Subject Access Requests
• IG Incident Management
• Mobile Media / Social Networking
• Freedom of Information

Key legislation includes:


• Access to Health Records Act 1990
• Computer Misuse Act 1990
• Data Protection Act 1998/2018
• General Data Protection Regulation 2016
• Freedom of Information Act 2000
• Civil Contingencies Act 2004
• Health and Social Care Act 2012
• Fraud Act 2006
• NHS Act 2006

Further References (if not included above)

The following references can be accessed via the links provided:

• Data Protection Act 1998, available from www.opsi.go.uk
• Access to Health Records Act 1990, available from www.opsi.go.uk
• Human Rights Act 1998, available from www.opsi.go.uk
• Freedom of Information, available from www.opsi.go.uk
• Environmental Information Regulations: http://www.ico.org.uk/for_organisations/environmental_information/guide
• Record Management, available from http://www.nationalarchives.gov.uk/information-management/projects-andwork/information-records-management.htm
• Common Law of Confidentiality
• NHS Confidentiality: Code of Practice, available from https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice
• Caldicott Report, available from https://www.gov.uk/government/publications/the-information-governance-review
• The Health and Social Care Act: http://www.legislation.gov.uk/ukdsi/2013/9780111533055
• Crime and Disorder Act 1998: http://www.legislation.gov.uk/ukpga/1998/37/contents
• Protection of Children Act 1999: http://www.legislation.gov.uk/ukpga/1999/14/contents

Equality and Diversity Statement

The organisation aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others.


All policies and procedures are developed in line with the Practice's Equality and Diversity policies and need to take into account the diverse needs of the community that is served. The Equality Impact Assessment tool is designed to help consider the needs and assess the impact of the policy being developed.

The practice is committed to ensuring that it treats its employees fairly, equitably and reasonably and that it does not discriminate against individuals or groups on the basis of their ethnic origin, physical or mental abilities, gender, age, religious beliefs or sexual orientation.


APPENDIX 1

Radford Medical Practice

INFORMATION GOVERNANCE STEERING GROUP

TERMS OF REFERENCE

1.0 TITLE & FORMATION

Information Governance Steering Group (IGSG)

Formed:

2.0 STATUS & DELEGATED AUTHORITY

2.1 The Information Governance Steering Group is a formal committee of the Practice. The Group is authorised to make decisions which are:

(i) Within these Terms of Reference
(ii) Specifically referred by the partners

2.2 All procedural matters in respect of conduct of meetings shall follow the practice policy.

2.3 The Information Governance Steering Group is authorised by the partners to carry out any activity within its terms of reference. It is authorised to seek clarification and further investigation of any Information Governance (IG) related matter, and to request any relevant information from any employee.

2.4 The Information Governance Steering Group is authorised by the partners to obtain outside or other independent professional advice with relevant experience and expertise if required.

2.5 The Group may recommend actions which require financial expenditure but the Group itself does not have any delegated powers of expenditure, as this rests with the relevant budget holder.

2.6 The Group may establish such working groups or project teams as it considers appropriate to support its objectives and duties. Any group or project team so established shall have terms of reference, including reporting arrangements, approved by the Information Governance Steering Group.

3.0 OBJECTIVES

3.1 The overall objective of the Group is to:


Ensure that there are effective strategies, structures, policies and systems in place to meet the Information Governance Requirements and Agenda.

Information Governance is defined as a framework for handling personal and corporate information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service.

3.2 In fulfilling the objective under 3.1 above, the Group shall:

(i) be mindful of the principles of integrated governance and where necessary identify, consider and communicate risks and impacts that may extend to the wider organisation and which arise through the exercise of its delegated functions.

(ii) link its programme of work to the strategic objectives of the practice.

4.0 ACCOUNTABILITY

4.1 The Information Governance Steering Group is accountable to the Partners.

4.2 The nominated Senior Information Risk Owner (SIRO) will act as an advocate for information risk in internal discussions. The SIRO is responsible for providing written advice to the Senior Partners on the content of the Annual Governance Statement (AGS) in regard to information risk.

4.3 The Information Asset Owners' role is to understand and address risks to the information assets they 'own', and to provide assurance to the SIRO on the security and use of these assets.


5.0 MEMBERSHIP & ATTENDANCE

5.1 Full members (with voting rights):

• Senior Information Risk Owner (SIRO)
• Caldicott Guardian
• General Manager

5.2 The Group will be chaired by the Senior Information Risk Owner (SIRO). The Vice Chair will be the Caldicott Guardian.

5.3 Additional members with specific expertise may be co-opted to the Group as required.

5.4 Members shall be assumed to be attending a meeting of the Group unless apologies are sent in advance to the secretary. If a full member cannot attend and if reasonably possible, they should appoint a suitably briefed deputy to attend on their behalf. Deputies shall contribute to the quorum and shall have voting rights as per full members.

5.5 The Practice Manager shall ensure that arrangements are in place for the provision of administrative support to the Group.

6.1 DUTIES

The duties of the Group are to:

• Work on behalf of the Partners to ensure the practice complies with the Information Governance and record-keeping elements of national standards and criteria including:

    o Information Governance Toolkit Standards
    o NHS Litigation Authority Risk Management Standards
    o Care Quality Commission Standards
    o NHS Operating Framework
    o Develop action plans to ensure compliance with these standards.
    o Seek assurance around compliance and completed recommendations.

• Establish an Information Governance improvement plan to secure the necessary implementation of resources and monitor the implementation of that action plan.


• To review and approve Practice Information Governance policies on behalf of the Partners.

• Consider serious breaches of confidentiality and information security and where appropriate undertake or recommend remedial action.

• To review the analysis and management of Information Governance incidents and prevented incidents to ensure that any quality issues have been identified and remedial actions taken to protect patients and the organisation and that any lessons learnt:

    o Are communicated throughout the organisation
    o Are used to review local processes and structures to enhance information governance

• To review and promote Information Risk awareness and control.

• Consider and monitor the implementation of recommendations made in relevant internal audit reports or other sources of assurance.

• Promote and monitor service user feedback with regard to Information Governance issues.

• Identifying training needs, agreeing on delivery method and monitoring progress.

• Set the strategic guidelines for sharing information with external organisations.

• Consider any relevant issues arising from practice policy and national guidance and to also consider the impact (including risks and resource requirements) of stated forthcoming government policy and legislation.

• Monitor and review the policy, policy and guidance for the management of records in the practice.

• Ensure that the practice, through its service areas, implements the Records Management policy (and other related policies) and provides guidance on the development and review of local systems.

• Approve standards for the format and quality of all records including writing and content.


7.0 MEETINGS

7.1 The Group will meet every 6 months unless otherwise agreed by the Chair.

7.2 The Chair of the Group may also convene special meetings.

7.3 Venues will be agreed and notified to members and, as relevant, to co-opted members and observers.

7.4 The Group shall devise an annual "business cycle" which identifies the dates of meetings and the matters which are to be considered at each meeting.

8.0 QUORUM

8.1 The quorum will be two members which must include the Chair or Vice Chair.

9.0 DECISION MAKING

9.1 The Group has joint and collective responsibility for agreeing decisions. Decisions shall be reached by consensus where possible, and where there is not unanimous agreement, a vote shall be taken and the result recorded. The Chair shall have casting vote where applicable.

9.2 Para 9.1 above notwithstanding, in the event agreement cannot be reached on a particular issue, the Chair may opt to refer a matter to the Partners for decision.

9.3 Co-opted members and observers do not have voting rights.

9.4 In the event of an urgent decision being required between meetings on any matter within the Terms of Reference of the Group, the Chair may take 'Chair's Action'. The action will be reported to the next meeting for ratification and recorded in the minutes/notes.

10.0 PAPERS

10.1 The agenda for each meeting will be devised by the Practice Manager and agreed with the Chair.

10.2 The deadline for agenda items will be communicated prior to each meeting, with any urgent business beyond the deadline to be agreed with the Chair in advance of the meeting.

10.3 The agenda and associated papers/documents for each meeting will be distributed in advance of the meeting to all members and co-opted members.


10.4 Members have responsibility to manage the papers/documents in accordance with the Practice's Records Management policy.

10.5 Draft minutes/notes of each meeting will be agreed by the Chair before distribution to the members.

10.6 At the discretion of the Chair, matters of a confidential or sensitive nature concerning information which may be exempt from disclosure under the Freedom of Information Act may be covered under a "Part 2" meeting of the Group. If a "Part 2" meeting is held, the following shall apply:

(i) The Chair shall have the power to exclude any full members of the group from the meeting provided that there are at least two members other than the Chair present.

(ii) Unless determined otherwise by the Chair, papers & minutes of a Part 2 meeting shall be circulated to those attending only.

(iii) In the event of a request made under the Freedom of Information Act which is pertinent to Part 2 Group papers, a decision on exemption from disclosure shall be made by the Chair in consultation with the Data Protection Officer. Formal legal advice shall be obtained if considered appropriate.

11.0 REPORTING

11.1 The minutes of Group meetings shall be formally recorded and submitted to the Partners.

11.2 Copies of the approved agenda and minutes submitted for the Group will be published on the practice shared drive (unless they contain personal or other sensitive information exempt from disclosure under the Freedom of Information Act).


12.0 TERMS OF REFERENCE – RATIFICATION AND REVIEW

12.1 The Terms of Reference will be agreed by the Group and ratified by the Partners.

12.2 The Terms of Reference will be reviewed annually or earlier at the Chair's discretion.

13.0 DISSOLUTION

13.1 The Group may only be dissolved with the agreement of the Partners or by default in the event of the Practice ceasing to exist as an independent, statutory body.

Date: October 2018