Information Governance and Data Security Policy (radfordmedicalpractice.gpsurgery.net/wp-content/...)

Version 0.1 1 Date

Radford Medical Practice

INFORMATION GOVERNANCE AND DATA SECURITY POLICY 2019

Document History

Version Date: October 2018
Version Number: 1.0
Status: Final
Next Revision Due: January 2021
Developed by: Paul Couldrey (IG Consultant)
Policy Sponsor: Practice Manager
Approved by: Dr K Kaur/Karen Murch
Date approved: 19.2.19
Date ratified:

Revision History

Version 1.0, revision date 08/02/18: First Draft
Version 1.1, revision date 19.2.19: Final


Introduction

Radford Medical Practice recognises that information has its greatest value when it is accurate, up to date and accessible where and when it is needed. Inaccurate, outdated or inaccessible information that is the result of one or more information security weaknesses can quickly disrupt or devalue critical processes. Information underpins the delivery of high quality healthcare commissioning and many other key service deliverables. In addition, the public is increasingly concerned about how organisations are handling information; patients have a right to expect us to handle their data in a safe and secure manner and comply with legal and professional responsibilities. There is a legal requirement for the practice as a Public Authority to address compliance with the incoming General Data Protection Regulation (GDPR) by 25 May 2018, and the associated UK-specific Data Protection Act 2018, together with associated NHS guidance (to be published). An effective information security management regime must be in place to ensure that information is appropriately protected and reliably available. This document sets out a strategic direction for information governance management within the Practice. The policy is based on a number of legal and best practice standards including:

• ISO 27001, the international standard for information security management systems (ISMS)
• Information Security Management: NHS Code of Practice
• General Data Protection Regulation 2016, Data Protection Act 2018, Freedom of Information Act 2000, Computer Misuse Act and other related law and regulation
• Health and Social Care Act 2013
• NHS Act 2006 (s.251 and associated CAG Approvals)
• Office of Government Commerce (OGC) Policies & standards
  o Information Technology Infrastructure Library (ITIL)
  o Communications-Electronics Security Group (CESG) Guidance
  o Management of Risk

The Practice is committed to ensuring that there is adequate provision for the secure management of information resources it owns or controls. The Practice recognises that information security is not simply about implementing information technology solutions; it reflects overall management and the culture of the organisation.


Scope

This policy relates to:

• all information that is processed or held during the practice business or on its behalf by key providers;
• the handling of all information through all recognised means; and
• all information systems purchased, developed and managed by or on behalf of the Practice.

It also applies to all members of staff employed by, or working on behalf of the Practice, including contracted, non-contracted, temporary, honorary, secondments, bank, agency, students, volunteers, locums or third parties.

The Information Governance Policy recognises that the practice is an organisation working within a new and rapidly changing commissioning and information governance landscape, especially with the introduction of the GDPR. As such the Practice's policy is focused on setting up and embedding the required governance arrangements and doing this in such a way that the practice retains the maximum flexibility and resilience so that it can adapt to this environment. The key elements and resources to support the delivery of this policy are:

• The Data Security and Protection Toolkit (2018);
• Information Governance Management Framework and Policy;
• GDPR PID and Improvement Plans (High Level and Operational);
• Information Governance Policy;
• Information Governance Policies.

The Information Governance Improvement Plan, identifying lead practice officers, will be agreed each year to ensure compliance against each of the requirements. This Plan forms part of the overall practice endorsed Data Protection and Confidentiality Policy.


Purpose

The purpose of this policy is to describe the management arrangements that will deliver Information Governance assurance for the Practice. Information Governance is a framework that enables the organisation to establish good practice around the processing of information and use of information systems, ensure that information is handled to ethical and quality standards in a secure and confidential manner, promote a culture of awareness and improvement, deliver its corporate objectives and comply with legislation, statutory requirements and other mandatory standards.

The Information Governance Management Framework (IGMF) will underpin the Practice's strategic goals and ensure that the information needed to support and deliver their implementation is readily available, accurate and understandable. Information Governance has four fundamental aims:

• To support the provision of high-quality care by promoting the effective and appropriate use of information;
• To encourage responsible staff to work closely together, preventing duplication of effort and enabling efficient use of resources;
• To develop support arrangements and provide staff with appropriate tools and support to enable them to carry out their responsibilities to consistently high standards;
• To enable the practice to understand its own performance and manage improvement in a systematic and effective manner.

The Practice has a statutory responsibility to patients and the public to ensure that the services it provides have effective policies, processes and people in place to deliver objectives in relation to holding and using confidential and personal information.

Broad Objectives


The Practice will ensure there is a systematic and planned approach to the management of information governance by establishing an Information Security Management System (ISMS) in line with ISO 27001 and Information Security Management: NHS Code of Practice.

• The effectiveness of the ISMS will be continually improved through the use of audit results, analysis of incidents, corrective and preventive actions and management reviews.
• All important information assets will be identified and appropriately managed and protected. Any protection applied will be based on formally documented risk assessments to ensure that it is commensurate with the value of the asset and the perceived threats.
• Actual and potential information governance related incidents will be recorded and responded to in a timely and appropriate manner; findings will be fed into the ISMS to ensure continued and ongoing improvements.


• Steps will be taken to ensure that internal and external transfers of patient confidential information are conducted in a secure and safe manner; this will include, for example, encryption of emails and removable media holding personal information (as mandated by the Cabinet Office Information Governance Assurance Programme in 2008).
• All staff, contractors and other relevant parties will be made aware of the organisation's requirements for information security and undertake appropriate training.
• A culture of information security awareness will be promoted and established.
• Procedures will be established to ensure that information governance requirements are addressed during the implementation, development and maintenance of services and/or systems.
• Business continuity plans will be developed across all services to ensure the centre is able to continue with its core business functions in the event of a failure or loss of systems or services. Appropriate procedures will be developed to ensure the timely recovery or replacement of information systems and services. The plans will be regularly tested and revised.
• Systems and services will be regularly audited against information governance related policies and procedures. The results of such audits will be fed into the ISMS, the Information Governance work-plan and information risk registers to ensure continued and ongoing improvement.

Information Security Management System (ISMS)

The Practice recognises that effective information security involves more than simply installing security products such as anti-virus software and providing a security policy. The practice will establish an ISMS, which will provide a means to identify and co-ordinate the approach to the management of information security within the practice in order to protect it, and its business. The ISMS will be based on the NHS Information Security Management Framework. The governing principle behind the ISMS is the design, implementation and maintenance of a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk. Based on this risk approach, we will establish, implement, operate, monitor, review, maintain and improve information security for all organisations within the Practice.


The Core Elements of an effective Information Security Management System are summarised in the following Plan-Do-Check-Act model.

PLAN - Establish the ISMS

• Define the business needs for information security and set those out in a corporate Information Security Policy
• Identify and assess the risks to Information Security
• Identify and evaluate controls to be established to manage the information security risks identified, transfer the risks or accept them as appropriate.

DO - Implement and operate the ISMS

• Develop and implement action plans to manage the identified information security risks
• Implement training and awareness for all relevant staff

CHECK - Monitor and review the ISMS

• Establish processes to identify actual and potential information security incidents or system weaknesses
• Monitor and update information security risk assessments as required


• Monitor the effectiveness of the ISMS in managing information risks through internal reviews and independent audit.
• Report the results to management for review.

ACT - Maintain and improve the ISMS

• Take corrective and preventative actions, based on the results of audits and management reviews or other relevant information, to achieve continual improvement of the ISMS.

Following the principles of the above model, an Information Governance Work-plan for the practice will be created. This encompasses the requirements of the DS&P Toolkit, legal and NHS requirements and the results of audits and risk assessments. The work-plan will be carefully monitored and regularly reviewed and revised, to ensure it continues to meet the information governance requirements of the practice and ensure continuous improvement.

Governance Arrangements

Meetings will be held every 6 months with the Caldicott Guardian, SIRO, IG lead and Admin Lead. The group will perform the following functions:

• Develop and maintain the information governance policy and supporting policies, procedures and guidelines.
• Conduct regular audits to review the effectiveness of the implementation of the information governance policy.
• Provide clear direction and visible management support for security initiatives.
• Identify the resources needed for information governance.
• Approve assignment of specific roles and responsibilities for information governance across the Practice.
• Initiate plans and programmes to maintain information security awareness.


• Ensure that the implementation of information security controls is coordinated across the Practice.
• Take appropriate action and implement any necessary changes to policy or procedures in response to the results of audits or incidents.
• Continually monitor and assess risks, ensuring appropriate and timely responses to changing and emerging threats.

Information Governance Definition

Information Governance is "a framework for handling information in a confidential and secure manner to appropriate ethical and quality standards in modern health services". It brings together within a singular cohesive framework the interdependent requirements and standards of practice. This policy forms part of the Practice's overall Practice Assurance Framework.

IG is defined by the requirements that the organisation is required to demonstrate compliance with as part of the DS&P toolkit from 2018; these include the following domains:

• Information Governance Management
• Confidentiality and Data Protection Assurance
• Information Security Assurance
• Clinical Information Assurance
• Secondary Use Assurance

Within this definition and domains the practice will handle and protect many classes of information:

• Some information is confidential because it contains personal details; the practice must comply with regulation which regulates the holding and sharing of confidential personal information. Changes to the way in which patient confidential data can be processed came about as a result of the Health & Social Care Act 2012. It is important that relevant, timely and accurate information is available to those who are involved in the care of service users, but it is also important that personal information is not shared more widely than is necessary;
• Some information is non-confidential and is for the benefit of the practice and the general public, and its employees share responsibility for ensuring that this type of information is accurate, up to date and easily accessible to the public;
• The majority of information about the practice and its business should be open to public scrutiny although some, which is commercially sensitive, may need to be safeguarded.

Information can be in many forms, including (but not limited to):


• Structured record systems – paper and electronic;
• Transmission of information – fax, e-mail, post and telephone; and
• All information systems purchased, developed and managed by/or on behalf of the Practice.

Aims & Objectives

The IG Policy of the practice will be based upon a vision of a long-term delivery of clear, open aims and objectives to ensure that:

• The practice complies with all statutory requirements;
• The practice has an information governance policy that supports the achievement of corporate objectives;
• The practice can demonstrate an effective framework for managing information governance assurance;
• Staff are aware of their responsibilities and the importance of information governance;
• Information governance becomes a systematic, efficient and effective part of business as usual for the Practice;
• Information governance is integrated into the change control process;
• There are effective methods for seeking assurance across the organisation;
• The Practice can demonstrate that the information governance arrangements of organisations it commissions services from across healthcare and commissioning support are adequate;
• The policy is able to respond to any change required by external bodies and any challenges emerging from changes to the information governance landscape.

An outline of the high-level IG organisational objectives that the practice seeks to achieve is as follows:

• Comply with the relevant information privacy and confidentiality laws and regulations as well as contractual requirements and internal policies on information and systems security and protection, and provide transparency on the level of compliance via the DS&P Toolkit;
• Maintain information risk at acceptable levels and protect information against unauthorised disclosure, unauthorised or inadvertent modifications, and possible intrusions;
• Address the increasing potential for civil or legal liability impacting the organisation as a result of information breaches through efficient and effective risk management, process improvement and rapid incident management;
• Provide confidence in interactions with key external organisations – for example, Acute & Community Providers, customers, NHS England, NHS Digital, Monitors, Commissioners and the CQC;
• Create, maintain and continuously improve trust from customers and the public;


• Provide accountability for safeguarding patient and other critical information; and
• Protect the organisation's reputation.

These aims and objectives will be achieved by ensuring the effective management of Information Governance by:

• Ensuring that the practice meets its obligations under the Data Protection legislation, the Human Rights Act 1998, the Freedom of Information Act 2000 and the Health and Social Care Act 2012;
• Establishing, implementing and maintaining policies for the effective management of information;
• Ensuring that information governance is a cohesive element of the internal control systems within the Practice;
• Recognising the need for an appropriate balance between openness and confidentiality in the management of information;
• Ensuring that information governance is an integral part of the practice culture and its operating systems;
• Ensuring maintenance of year on year improvement within the DS&P Toolkit submission;
• Reducing duplication and looking at new ways of working effectively and efficiently;
• Minimising the risk of breaches of personal data;
• Minimising inappropriate uses of personal data;
• Ensuring that Service Level Agreements between the practice and other organisations are managed and developed in accordance with Information Governance Principles;
• Ensuring that contracted bodies are monitored against Information Governance standards;
• Protecting the services, staff, reputation and finances of the practice through the process of early identification of information risks and, where these risks are identified, ensuring sufficient risk assessment, risk control and elimination are undertaken;
• Ensuring there is provision of sufficient training, instruction, supervision and information to enable all employees to operate within information governance requirements, including those undertaking specialist roles;
• Ensuring the information governance policy and related plans link to and support other corporate or strategic objectives, e.g. business continuity planning, and ensuring the practice is able to meet its commitments under the Civil Contingencies Act 2004 (specifically the Emergency Preparedness, Resilience & Response assurance process).


Roles and responsibilities

Information Governance Steering Group

The Information Governance Steering Group will be established to support and drive the broader information governance agenda and provide the partners with the assurance that effective information governance best practice mechanisms are in place within THE PRACTICE.

The IGSG will meet every 6 months and will be Chaired by the SIRO. The Group will:

• be accountable to the Senior partners;
• support the practice SIRO and the practice Caldicott Guardian in their roles;
• monitor information governance performance annually using the DS&P Toolkit hosted by NHS Digital (NHSD);
• provide audited toolkit results to the partners for approval prior to final submission to the NHSD;
• be responsible for overseeing operational information governance issues;
• develop and maintain policies, standards, procedures and guidance;
• co-ordinate and monitor the implementation of the information governance policy, framework and policies across the Practice.

In addition to the SIRO, the membership of the IGSG will include the following:

• Senior Information Risk Owner (SIRO)
• Caldicott Guardian
• General Manager

(Terms of Reference in Appendix 1)

Individual roles

Senior Information Risk Owner (SIRO) – Paul Couldrey

The SIRO for The Practice holds responsibility for ensuring that information is processed and held securely throughout the Practice. The role covers all the aspects of information risk, the confidentiality of patient and service user information and information sharing. The Data Protection and Security Toolkit sets out clear responsibilities of the SIRO in relation to risks surrounding information and information systems, which also extend to business continuity and the role of Information Asset Owners.

In particular, the SIRO is responsible for:

• leading and fostering a culture that values, protects and uses information for the success of the practice and benefit of its service users;


• owning the Practice's overall information risk policy and risk assessment processes and ensuring they are implemented consistently by Information Asset Owners (IAOs);
• taking ownership of information risk assessment processes, including the review of the annual information risk assessment, and agreeing actions in respect of any risks identified;
• ensuring that The Practice's approach to information risk is effective in terms of resources, commitment and execution and that this is communicated to all staff;
• ensuring Information Asset Owners (IAOs) undertake risk assessments of their assets;
• being responsible for the Incident Management process, ensuring identified information security risks are addressed and any lessons learnt are implemented;
• providing a focal point for the management, resolution and/or discussion of information risk issues;
• ensuring that the Practice's approach to information risk is effective in its deployment in terms of resource, commitment and execution and that this is communicated to all staff;
• ensuring the organisation is adequately briefed on information risk issues.

Data Protection Officer – Paul Couldrey

Paul Couldrey of PCIG Consulting Limited will act as the DPO for the Practice. This role is key in ensuring that the Practice complies, and can demonstrate that it complies, with GDPR.


Caldicott Guardian – Dr K Kaur

The Caldicott Guardian is responsible for acting as a champion for data confidentiality. They should ensure that confidentiality issues are appropriately reflected in practice policies and working procedures for staff and oversee all arrangements, protocols and procedures where confidential information may be shared with external bodies, including disclosures to other public sector agencies and other outside interests.

The Caldicott Guardian is responsible for:

• ensuring that the practice satisfies the highest practical standards for handling patient information;
• ensuring confidentiality is reflected appropriately in THE PRACTICE's policies and procedures to support the lawful and ethical processing of information;
• acting as the 'conscience' of THE PRACTICE;
• ensuring that staff comply with Caldicott Principles and the guidance contained in the NHS Confidentiality Code of Practice;
• facilitating, enabling and overseeing information sharing agreements and arrangements put in place to share personal confidential data with external bodies.

IG Lead – Karen Murch

The nominated IG lead is the Practice Manager. The IG Lead has responsibility for project managing the overall co-ordination, publicising and monitoring of the Practice IG framework. The IG Lead has specific responsibility for the development of this policy, producing reports and DS&PT toolkit returns.

Information Asset Owners

The Information Asset Owners (IAO) will be senior members of the practice staff responsible for information assets within their remit. They will provide assurance to the SIRO that information risk is managed effectively for their information assets. This will be achieved by:

• Ensuring all Information Assets and flows of data within their remit are identified and logged, ensuring each has a legal basis to be processed.
• Identifying, managing and escalating all information security (for example, dependencies and access control) and information risks as appropriate.
• Supporting Information Asset Administrators who will ensure the above takes place. The detailed roles and responsibilities are defined in Appendix A of the NHS Information Risk Management Guidance.
• Ensuring that information risk assessments are performed on all information assets where they have been assigned 'ownership' and providing assurance to the SIRO on the security and use of these assets;


• Knowing what information is held and for what purpose;
• Ensuring that information governance policies and system level procedures are followed.


All staff (and Third Parties)

All those working for the practice have legal obligations, under the Data Protection legislation, common law duty of confidentiality, and professional obligations, for example the Confidentiality NHS Code of Practice and professional codes of conduct. These are in addition to their contractual obligations which include adherence to policy, and confidentiality clauses in their contract.

The same responsibilities apply to those working on behalf of the organisation, whether they are volunteers, students, work placements, contractors or temporary employees. Those working on behalf of the organisation are required to sign a third-party agreement outlining their duties and obligations.

Breaches of any law, contract, code of practice or confidentiality agreement will be reported using appropriate channels and action taken where necessary.

Data Security and Protection Toolkit

Completion of the Data Security and Protection Toolkit is mandatory for all organisations using NHSMail and providing NHS services. The Toolkit covers most statutory, common law and professional requirements, as well as training, assurance processes and change control processes. Annual improvement plans will be developed each year to ensure the practice achieves a satisfactory level in all requirements. As the DS&P is publicly available, assessment scores of partner organisations will be used to assess their suitability to share information and to conduct business with.

The Practice's progress will be reported to the Partners at regular intervals by the SIRO. Compliance with the Toolkit will provide assurance to the Partners that the majority of strategic information governance objectives are being met.

The practice will comply with the NHSD deadlines for submission of updates and final assessment.


IG Policies

The practice is committed to ensuring that its policies follow the HORUS model as proposed by the Department of Health to ensure compliance with legislation, including the GDPR 2016 and Data Protection Act 2018. The principles of this model are that information is:

• Held safely and confidentially;
• Obtained fairly and lawfully;
• Recorded accurately and reliably;
• Used effectively and ethically;
• Shared and disclosed appropriately and lawfully.

To deliver this model, the practice will ensure that:

• policies and procedures are in place to facilitate compliance with all relevant legislation, regulations and duties;
• compliance with the Data Protection Act 2018 is maintained when handling Personal Confidential Data, except where there is a legal requirement to override the Act;
• information is appropriate for the purpose intended and that at all times the integrity of information is developed, monitored and maintained;
• information made available for operational purposes is maintained within set parameters relating to its importance via appropriate procedures and computer resilience systems;
• all identifiable information relating to patients is regarded as confidential;
• all identifiable information relating to staff is regarded as confidential, except where national policy on accountability and openness requires otherwise;
• when person identifiable data is shared, the sharing complies with the law;
• guidance and best practice and both service user rights and public interest are respected;
• non-confidential information relating to the Practice and its services is made available to the public through a variety of media, in line with the Freedom of Information Act and Environmental Information Regulations;
• it will have clear procedures and arrangements for liaison with the press and broadcasting media;
• patients and service users will have access to information relating to their own health care, options and treatment and their rights as patients;
• it will undertake or commission annual audits of compliance with legal requirements;
• information and IT security, information quality and record management requirements are met in accordance with the DS&P Toolkit;
• the roles and responsibilities identified within the IG Framework are integrated and embedded within the organisation;
• procedures for the effective and secure management of its information assets and resources are established and maintained;
• information is managed throughout its lifecycle of creation, retention, maintenance, use and disposal;


• procedures for information quality assurance and the effective management of records are established and maintained;
• information is effectively managed so that it is accurate, up-to-date, secure, retrievable and available when required;
• incident reporting procedures, which include the investigation of all reported instances of actual or potential breaches of confidentiality and security, are established and maintained;
• Risk Management and reporting procedures are established and maintained, and risk controls and monitoring processes will be in place for all reported information risks;
• relevant instruction and training is provided to all staff through induction and thereafter annually in relation to this policy.

IG Resources

The Information Governance Policy and Framework is enacted through the Information Governance Improvement Plan. This covers major elements of information governance implementation, including:

• Completion of the DS&P Toolkit;
• Implementation of relevant policies and procedures;
• Information flow mapping;
• Information asset register and asset risk assessments;
• Incident reporting and management;
• Mandatory and specialist training;
• Annual assurance statements from IAOs to the SIRO, and onwards to the partners.

The IGSG will identify any policy associated resource implications incurred by the implementation of the Information Governance improvement plan. Business cases will be developed to deliver specific initiatives or projects (if necessary).

Incident Reporting & Management

Incidents must be reported and managed through established processes. Significant issues will be subject to full investigation and reporting action. Incidents relating to personal information will be reported to the Caldicott Guardian whilst those of a more corporate nature will be reported to the SIRO.

The Practice will put in place suitable mechanisms to ensure staff identify and manage information risks in line with existing risk management policy and processes. All information governance incidents must be reported as soon as they are detected in accordance with The Practice's Incident Reporting and Management procedure.

Information Security


With the increasing use of electronic data and ways of working which rely on the use of electronic information and communication systems to deliver services, there is a need for professional advice and guidance on their use, as well as the need to ensure that they are maintained and operated to the required standards in a safe and secure environment.

Risk Management

The ability to apply good risk management principles to IG is fundamental, and the Practice will apply them through organisational policies. Risk assessment will also be included as part of the Information Asset Owner's role. Any information flows from or into identified information assets will be risk assessed and the results reported to the Practice SIRO for risk mitigation, acceptance or transfer.

Legal Compliance

The Data Protection legislation (GDPR and DPA 1998/2018) is the most fundamental piece of legislation that underpins Information Governance. The practice is registered with the Information Commissioner's Office and will fully comply with all legal requirements of the law. A process will be adopted to ensure that a review of all new systems is carried out and, where requirements such as the need for Privacy Impact Assessments (PIA) are highlighted, these will be completed. This will be included in the IG service specification.

Training and Staff Support

Fundamental to the success of delivering the Information Governance Policy is developing an Information Governance culture within the Practice. Awareness and training will be provided to all staff that utilise information in their day-to-day work to promote this culture. In order to achieve this, the IGSG will ensure:

• all staff complete an Induction session when they first start employment, which will include Information Governance. In subsequent years all staff are required to complete further Information Governance training as set out on e-Learning for Health. This is an annual exercise and is required to meet a satisfactory level within the DS&P Toolkit;

• specific modules available for the Caldicott Guardian, SIRO, IAOs and IG staff themselves are completed;

• all staff undertake an annual training needs analysis, and any recommendations identified will be complied with by staff;

• all staff are kept informed of compliance and standards set to support this policy via staff bulletins and, where necessary, Information Governance specific messages;

• staff surveys are implemented to assess levels of understanding and ensure staff are fully aware of their responsibilities;


• staff are provided with the opportunity to develop more detailed knowledge and appreciation of the role of information governance through:

  • IG Policies and this policy;
  • Induction, mandatory and refresher training;
  • Line manager support;
  • Specific training courses for specialist roles.

Implementation & Dissemination

This policy, once approved by the Partners, will be shared with all members of staff. A team briefing will also be provided to support this dissemination. The implementation of this IG policy and IG Toolkit improvement plan will ensure that information is more effectively managed in the Practice. To support this policy, the Practice will implement key IG policies and will ensure that staff abide by these. Each year the IG policy will be reviewed, and a revised DS&P Toolkit improvement plan will be developed against the DS&P Toolkit attainment levels and scores, thus identifying the key areas for a programme of continuous improvement.

Policy, Protocol and Procedure Distribution

All employee-based policies, protocols and procedures will be made available on the practice shared drive and will be highlighted in staff briefings. Knowledge of the key details of Information Governance related policies will be tested through the use of the online Information Governance training tool, and the use of staff surveys and/or confidentiality audits to test knowledge in particular areas.

Monitoring and Review

This policy will be reviewed on the first anniversary following its adoption and subsequently every two years until rescinded or superseded. An earlier review of this document may be undertaken in the event of:

• Legislative or case law changes;
• Changes or release of good practice or statutory guidance;
• Identified deficiencies, risks or following significant incidents reported;
• Changes to organisational infrastructure;


• New vulnerabilities;
• Practice change or change in system/technology;
• Changing methodology.

Performance Indicators

The DS&P Toolkit submission is a mandatory annual return; the criteria for compliance are set out within the relevant Toolkit. The successful implementation of Information Governance across the organisation will be reflected in the achievement level produced from the annual Toolkit submission.

Performance against this policy will be monitored against the DS&P Toolkit requirements by the IGSG, and escalated to the Partners. The level of assurance will be submitted officially via the Information Governance Toolkit on an annual basis.

Internal Reporting

Formal reporting will be managed through the IGSG. The Practice Manager will establish effective reporting arrangements with the partners to ensure the practice is receiving ongoing assurance of its IG performance, and will use these reports as an opportunity to quickly identify and escalate any issues or risks at an early stage.

Key Legislation & Guidance

This policy should be read in conjunction with the following:

• Confidentiality and Data Protection
• Code of Conduct (in respect of confidentiality)
• IG Training
• Information Sharing
• Privacy Impact Assessments
• Information Security / Safe Haven procedures
• Information Risk Assessment and Management Programme
• Records Management
• Subject Access Requests
• IG Incident Management
• Mobile Media / Social Networking
• Freedom of Information

Key legislation includes:


• Access to Health Records Act 1990
• Computer Misuse Act 1990
• Data Protection Act 1998/2018
• General Data Protection Regulation 2016
• Freedom of Information Act 2000
• Civil Contingencies Act 2004
• Health and Social Care Act 2012
• Fraud Act 2006
• NHS Act 2006

Further References (if not included above)

The following references can be accessed via the links provided:

• Data Protection Act 1998, available from www.opsi.go.uk
• Access to Health Records Act 1990, available from www.opsi.go.uk
• Human Rights Act 1998, available from www.opsi.go.uk
• Freedom of Information, available from www.opsi.go.uk
• Environmental Information Regulations: http://www.ico.org.uk/for_organisations/environmental_information/guide
• Record Management, available from http://www.nationalarchives.gov.uk/information-management/projects-andwork/information-records-management.htm
• Common Law of Confidentiality
• NHS Confidentiality Code of Practice, available from https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice
• Caldicott Report, available from https://www.gov.uk/government/publications/the-information-governance-review
• The Health and Social Care Act: http://www.legislation.gov.uk/ukdsi/2013/9780111533055
• Crime and Disorder Act 1998: http://www.legislation.gov.uk/ukpga/1998/37/contents
• Protection of Children Act 1999: http://www.legislation.gov.uk/ukpga/1999/14/contents

Equality and Diversity Statement

The organisation aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others.


All policies and procedures are developed in line with the Practice's Equality and Diversity policies and need to take into account the diverse needs of the community that is served. The Equality Impact Assessment tool is designed to help consider the needs and assess the impact of the policy being developed. The practice is committed to ensuring that it treats its employees fairly, equitably and reasonably and that it does not discriminate against individuals or groups on the basis of their ethnic origin, physical or mental abilities, gender, age, religious beliefs or sexual orientation.


APPENDIX 1

Radford Medical Practice
INFORMATION GOVERNANCE STEERING GROUP

TERMS OF REFERENCE

1.0 TITLE & FORMATION

Information Governance Steering Group (IGSG)
Formed:

2.0 STATUS & DELEGATED AUTHORITY

2.1 The Information Governance Steering Group is a formal committee of the Practice. The Group is authorised to make decisions which are:

(i) Within these Terms of Reference
(ii) Specifically referred by the partners

2.2 All procedural matters in respect of conduct of meetings shall follow the practice policy.

2.3 The Information Governance Steering Group is authorised by the partners to carry out any activity within its terms of reference. It is authorised to seek clarification and further investigation of any Information Governance (IG) related matter, and to request any relevant information from any employee.

2.4 The Information Governance Steering Group is authorised by the partners to obtain outside or other independent professional advice with relevant experience and expertise if required.

2.5 The Group may recommend actions which require financial expenditure, but the Group itself does not have any delegated powers of expenditure, as this rests with the relevant budget holder.

2.6 The Group may establish such working groups or project teams as it considers appropriate to support its objectives and duties. Any group or project team so established shall have terms of reference, including reporting arrangements, approved by the Information Governance Steering Group.

3.0 OBJECTIVES

3.1 The overall objective of the Group is to:


Ensure that there are effective strategies, structures, policies and systems in place to meet the Information Governance Requirements and Agenda.

Information Governance is defined as a framework for handling personal and corporate information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service.

3.2 In fulfilling the objective under 3.1 above, the Group shall:

(i) be mindful of the principles of integrated governance and, where necessary, identify, consider and communicate risks and impacts that may extend to the wider organisation and which arise through the exercise of its delegated functions.

(ii) link its programme of work to the strategic objectives of the practice.

4.0 ACCOUNTABILITY

4.1 The Information Governance Steering Group is accountable to the Partners.

4.2 The nominated Senior Information Risk Owner (SIRO) will act as an advocate for information risk in internal discussions. The SIRO is responsible for providing written advice to the Senior Partners on the content of the Annual Governance Statement (AGS) in regard to information risk.

4.3 The Information Asset Owners' role is to understand and address risks to the information assets they 'own', and to provide assurance to the SIRO on the security and use of these assets.


5.0 MEMBERSHIP & ATTENDANCE

5.1 Full members (with voting rights):

• Senior Information Risk Owner (SIRO)
• Caldicott Guardian
• General Manager

5.2 The Group will be chaired by the Senior Information Risk Owner (SIRO). The Vice Chair will be the Caldicott Guardian.

5.3 Additional members with specific expertise may be co-opted to the Group as required.

5.4 Members shall be assumed to be attending a meeting of the Group unless apologies are sent in advance to the secretary. If a full member cannot attend and if reasonably possible, they should appoint a suitably briefed deputy to attend on their behalf. Deputies shall contribute to the quorum and shall have voting rights as per full members.

5.5 The Practice Manager shall ensure that arrangements are in place for the provision of administrative support to the Group.

6.1 DUTIES

The duties of the Group are to:

• Work on behalf of the Partners to ensure the practice complies with the Information Governance and record-keeping elements of national standards and criteria, including:

  o Information Governance Toolkit Standards
  o NHS Litigation Authority Risk Management Standards
  o Care Quality Commission Standards
  o NHS Operating Framework
  o Develop action plans to ensure compliance with these standards.
  o Seek assurance around compliance and completed recommendations.

• Establish an Information Governance improvement plan to secure the necessary implementation of resources and monitor the implementation of that action plan.


• Review and approve Practice Information Governance policies on behalf of the Partners.

• Consider serious breaches of confidentiality and information security and, where appropriate, undertake or recommend remedial action.

• Review the analysis and management of Information Governance incidents and prevented incidents to ensure that any quality issues have been identified and remedial actions taken to protect patients and the organisation, and that any lessons learnt:

  o Are communicated throughout the organisation;
  o Are used to review local processes and structures to enhance information governance.

• Review and promote Information Risk awareness and control.

• Consider and monitor the implementation of recommendations made in relevant internal audit reports or other sources of assurance.

• Promote and monitor service user feedback with regard to Information Governance issues.

• Identify training needs, agree on delivery method and monitor progress.

• Set the strategic guidelines for sharing information with external organisations.

• Consider any relevant issues arising from practice policy and national guidance, and also consider the impact (including risks and resource requirements) of stated forthcoming government policy and legislation.

• Monitor and review the policy and guidance for the management of records in the practice.

• Ensure that the practice, through its service areas, implements the Records Management policy (and other related policies) and provides guidance on the development and review of local systems.

• Approve standards for the format and quality of all records, including writing and content.


7.0 MEETINGS

7.1 The Group will meet every 6 months unless otherwise agreed by the Chair.

7.2 The Chair of the Group may also convene special meetings.

7.3 Venues will be agreed and notified to members and, as relevant, to co-opted members and observers.

7.4 The Group shall devise an annual "business cycle" which identifies the dates of meetings and the matters which are to be considered at each meeting.

8.0 QUORUM

8.1 The quorum will be two members, which must include the Chair or Vice Chair.

9.0 DECISION MAKING

9.1 The Group has joint and collective responsibility for agreeing decisions. Decisions shall be reached by consensus where possible, and where there is not unanimous agreement, a vote shall be taken and the result recorded. The Chair shall have the casting vote where applicable.

9.2 Para 9.1 above notwithstanding, in the event agreement cannot be reached on a particular issue, the Chair may opt to refer a matter to the Partners for decision.

9.3 Co-opted members and observers do not have voting rights.

9.4 In the event of an urgent decision being required between meetings on any matter within the Terms of Reference of the Group, the Chair may take 'Chair's Action'. The action will be reported to the next meeting for ratification and recorded in the minutes/notes.

10.0 PAPERS

10.1 The agenda for each meeting will be devised by the Practice Manager and agreed with the Chair.

10.2 The deadline for agenda items will be communicated prior to each meeting, with any urgent business beyond the deadline to be agreed with the Chair in advance of the meeting.

10.3 The agenda and associated papers/documents for each meeting will be distributed in advance of the meeting to all members and co-opted members.


10.4 Members have responsibility to manage the papers/documents in accordance with the Practice's Records Management policy.

10.5 Draft minutes/notes of each meeting will be agreed by the Chair before distribution to the members.

10.6 At the discretion of the Chair, matters of a confidential or sensitive nature concerning information which may be exempt from disclosure under the Freedom of Information Act may be covered under a "Part 2" meeting of the Group. If a "Part 2" meeting is held, the following shall apply:

(i) The Chair shall have the power to exclude any full members of the group from the meeting, provided that there are at least two members other than the Chair present.

(ii) Unless determined otherwise by the Chair, papers and minutes of a Part 2 meeting shall be circulated to those attending only.

(iii) In the event of a request made under the Freedom of Information Act which is pertinent to Part 2 Group papers, a decision on exemption from disclosure shall be made by the Chair in consultation with the Data Protection Officer. Formal legal advice shall be obtained if considered appropriate.

11.0 REPORTING

11.1 The minutes of Group meetings shall be formally recorded and submitted to the Partners.

11.2 Copies of the approved agenda and minutes submitted for the Group will be published on the practice shared drive (unless they contain personal or other sensitive information exempt from disclosure under the Freedom of Information Act).

12.0 TERMS OF REFERENCE – RATIFICATION AND REVIEW

12.1 The Terms of Reference will be agreed by the Group and ratified by the Partners.

12.2 The Terms of Reference will be reviewed annually or earlier at the Chair's discretion.

13.0 DISSOLUTION

13.1 The Group may only be dissolved with the agreement of the Partners, or by default in the event of the Practice ceasing to exist as an independent, statutory body.

Date: October 2018

