Ref: PL001

    Information Governance and Information Security Policy and Framework

    Version 1.1

    Designation of Policy Author(s)

    Head of Confidentiality and Data Protection

    Policy Development Contributor(s)

    None

    Designation of Sponsor Executive Director of Finance (Senior Information Risk Owner)

    Responsible Committee Information Governance Committee

    Date ratified 31/10/2018

    Date issued 05/11/2018

    Review date 31/03/2019

    Coverage Trust Wide

    The Trust is committed to a duty of candour by ensuring that all interactions with patients, relatives, carers, the general public, commissioners, governors, staff and regulators are honest, open, transparent and appropriate and conducted in a timely manner. These interactions, be they verbal, written or electronic, will be conducted in line with the NPSA ‘Being Open’ alert (NPSA/2009/PSA003, available at www.nrls.npsa.nhs.uk/beingopen), other relevant regulatory standards, prevailing legislation and the NHS Constitution.

    It is essential that, when mistakes are made and/or patients have a poor experience, this is explained to the patient in plain language, with a clear apology for any harm or distress caused.

    The Trust will monitor compliance with the principles of both the duty of candour and the NPSA ‘Being Open’ alert through analysis of claims, complaints and serious untoward incidents recorded within the Ulysses Risk Management System.

    Liverpool Women’s NHS Foundation Trust Document: Information Governance and Information Security Policy and Framework Version No: 1.1

    Page 2 of 12 Issued: Nov 2018

    Review date: 31/03/2019

    CONTENTS Page

    1 Executive Summary 3
    1.1 Applicability and Scope 3
    2 Introduction 3
    3 Policy Objectives 3
    4 Definitions 4
    5 Duties and Responsibilities 4
    5.1 Committees 4
    5.2 Individuals 4
    6 Main Provisions 6
    6.1 General Provisions 6
    6.2 Access to Information and Information Sharing 6
    6.3 Policies that the Trust will Implement 6
    6.4 Information Governance Spot-check Programme 7
    6.5 Information Governance and Information Security Incident Management 7
    6.6 Staff Training and Training Standards 8
    6.7 Privacy by Design and Privacy Impact Assessments 8
    6.8 Privacy Notices 10
    6.9 Information Governance Committee Terms of Reference 10
    6.10 Authority to Act 11
    6.11 Reporting 12
    7 Key references
    8 Associated Documents
    9 Training
    10 Policy Administration
    10.1 Consultation, Communication and Implementation
    10.2 Version History
    10.3 Monitoring Compliance with this Policy
    11 Appendices
    11.1 Initial Equality Impact Assessment Screening Tool


    1 Executive Summary

    1.1 Applicability and Scope

    i. This policy covers all aspects of information within the organisation, including (but not limited to) patient/client/service user information, personnel information and organisational information.

    ii. This Policy covers all aspects of handling information within the organisation, including (but not limited to) structured record systems (paper and electronic) and transmission of information.

    iii. This Policy covers all Information systems purchased, developed and managed by/on behalf of the organisation, and any individual directly employed or any individual undertaking activity under the control or direction of the organisation.

    2 Introduction

    i. The Trust regards all person identifiable information that it holds or processes as confidential and will implement and maintain policies to ensure compliance with all necessary mandatory obligations.

    ii. The Trust recognises the importance of reliable information, both in terms of the clinical management of individual patients and the efficient management of services and resources. Effective information governance plays a key part in supporting clinical governance, service planning and performance management.

    iii. Effective Information Governance gives assurance to the Trust and to individuals that personal information is dealt with legally, securely, efficiently and effectively in order to deliver the best possible care.

    iv. The Trust will ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.

    3 Policy Objectives

    i. To provide a framework for the overall management of information processed within the Trust.

    ii. To define the actions that are required to ensure all those that are covered by the policy comply with any necessary obligations.


    4 Definitions

    None have been defined.

    5 Duties and Responsibilities

    5.1 Committees

    i. The following Committees shall be incorporated as part of the overall management of Information Governance and Information Security:

    - Information Governance Committee will provide general oversight and management of Information Governance and Information Security for the Trust.

    - Patient Records Committee will provide general oversight and management of records management policies across and within the Trust.

    - IM&T Manager Meeting will provide technical and managerial expertise for the Information Governance Committee.

    - Data Quality Committee shall consider issues relating to Data Quality.

    - The Finance, Performance and Business Development Committee is the Committee to which the Information Governance Committee reports.

    5.2 Individuals

    i. The Senior Information Risk Owner

    - Takes overall responsibility for Information Governance and Information Security at a Trust level, which includes the risk assessment process for information risk, including review of annual information risk assessments that support and inform the Statement of Internal Control. The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.

    - Reviews and approves actions in respect of identified information risks.

    - Ensures that the organisation’s approach to information risk is effective in terms of resource, commitment and execution, and that this is communicated to all staff.

    ii. The Caldicott Guardian

    - Acts as the ‘conscience’ of the organisation and advises the Trust Board on matters relating to confidentiality.

    - Reviews and approves protocols governing the disclosure of patient information across organisational boundaries.

    - Approves the release of information where consent from the data subject is not considered necessary or appropriate.

    iii. Director of Human Resources

    - Assumes overall responsibility for Registration Authority and Smart Card usage within the Trust.


    iv. Chief Information Officer

    - Takes overall responsibility for Data Protection for the Trust.

    - Ensures that the organisation complies with the General Data Protection Regulation.

    v. Head of Confidentiality and Data Protection

    - Maintains and develops the Trust Information Governance and Information Security Policy and Framework.

    - Is responsible for the management of Confidentiality and Data Protection across the Trust.

    - Is responsible for the Trust Information Governance submission.

    - Is responsible for Subject Access and Freedom of Information.

    vi. Head of IT Services

    - To be responsible for the management of Information Security across the Trust.

    - To monitor local responses to Information Security incidents and provide support in developing proportionate and effective responses to manage risk.

    - To be responsible, as operational Lead, for IT services and the associated security risks.

    vii. Local Information Governance Leads

    - To act as the primary departmental point of contact for Information Governance and Information Security related matters.

    - To attend the Trust Information Governance Committee meetings.

    - To co-ordinate the annual data mapping exercise for the area they represent.

    - To co-ordinate departmental compliance with Information Governance and Information Security training and deal with any areas of non-compliance.

    - To undertake local Information Governance and Information Security assessments where necessary.

    - To ensure the Information Governance Committee decisions are implemented within the area represented.

    viii. Data Protection Officer

    - To inform and advise the Trust about obligations to comply with GDPR and other data protection laws

    - To monitor compliance with GDPR and other data protection laws and with relevant policies

    - To advise on, and to monitor, data protection impact assessments

    - To act as a point of contact for the Information Commissioner


    6 Main Provisions

    6.1 General Provisions

    i. The Trust places importance on the confidentiality of, and the security arrangements for safeguarding, personal information about anyone on whom the Trust processes information.

    ii. The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.

    iii. The Trust recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the appropriate legislation and other mandatory obligations.

    iv. The Trust believes that accurate, timely and relevant information is essential to deliver the highest quality health care.

    v. The Trust expects all individuals that have access to information that falls within the scope of this policy to comply with and promote the provisions of this policy and any associated policy or procedure.

    vi. The Information Governance Committee is the committee that has responsibility for overall operational approval, control and management of the policies shown within this policy.

    6.2 Access to Information and Information Sharing

    i. The Trust will implement and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking into account relevant legislation.

    ii. The Trust will implement and maintain policies to control the release of non-confidential information through the Freedom of Information Act and through the Trust Publication Scheme.

    6.3 Policies the Trust will implement

    i. The Trust will implement policies covering the following:

    - The controlled and appropriate sharing of patient information with other agencies, taking into account relevant legislation

    - The sharing of non-confidential information through the Freedom of Information Act and through the Trust Publication Scheme

    - The release of information to individuals through Subject Access Provisions of the Data Protection Act

    - The effective and secure management of its information assets

    - The overall standards that are applied to confidentiality and data protection


    - Data Quality

    - Standards to be applied with respect to confidentiality, data protection and compliance monitoring

    ii. The Information Governance and Information Security Policy and Framework shall encompass the following:

    - Policies that relate to Confidentiality and Access to Information

    o Confidentiality Policy

    o Data Protection Policy

    o Freedom of Information Policy

    o Information Sharing Policy

    - Policies that relate to Systems Access and Use

    o Access to and the use of Clinical Systems Policy

    o Access to and the use of the Trust Network Policy

    o Acceptable Use of Email, Internet and Trust Data Policy

    - Policies that relate to the Protection of Trust Systems

    o Anti-virus, Firewall and Network Security Policy

    o Physical Protection and Access Control Policy

    - Policies that relate to ensuring Service Continuity

    o Business Continuity and Disaster Recovery Policy

    - Policies that relate to the management of standards and quality

    o Data Quality Policy

    o Audit, Compliance and Maintenance of Standards Policy

    iii. This policy shall be reviewed annually.

    iv. All policies covered by this policy shall be reviewed every two years, or when an incident occurs where a systematic failure has been identified as the cause of the failure.

    6.4 Information Governance Spot-check Programme

    i. The Trust will undertake an Information Governance Spot-check programme to assess the compliance of various departments and areas to a number of different requirements that are primarily described in the Information Governance Toolkit.

    ii. Information Governance spot check audits will enable the Trust to identify areas of weakness and to take appropriate action to reduce the risk of information Governance breaches.

    6.5 Information Governance and Information Security Incident Management


    i. The Trust will assess and manage incidents in line with “Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation”.

    ii. The Trust’s Incident Reporting system will be used to report, monitor and investigate information governance and information security related incidents and risks.

    6.6 Staff Training and Training Standards

    i. The Information Governance Department will provide face to face, classroom based training where required, which will, if required, be modified to the specific requirements of the target audience.

    ii. Where it is considered necessary due to the nature of their work or in response to an incident, an individual or group of staff may be compelled to undertake training that is over and above the requirements specified within this policy.

    iii. Information Governance and Information Security training within the Trust will be considered on the basis of 2 levels, as follows:

    Basic: Any individual who falls within the scope of this Policy as defined by Paragraph 1.1

    Higher Level: Staff who have a specific responsibility for any aspect of Information Governance, Confidentiality or Data Protection

    iv. The specific requirement at each level shall be decided by the Information Governance Committee on an annual basis.

    6.7 Privacy by Design and Privacy Impact Assessments

    i. The Trust recognises that confidentiality and data protection are fundamental to ensuring compliance with the Trust’s overall objectives and will incorporate “Privacy by Design” into day to day operational activities. This means that:

    - Confidentiality and Data Protection will be a key consideration of all projects and initiatives where confidentiality will potentially be impacted upon

    - Privacy Impact Assessments will be carried out wherever necessary

    - The Information Governance Committee must consider any proposed initiative or project changes that would generally be considered major or critical

    ii. Privacy Impacts shall be managed according to the following definitions:

    Level 4: without this change

    - There would be a risk or detriment to the health and wellbeing of patients, staff, visitors or any other service users, or

    - The Trust, or any department within it, would be unable to carry out one of its statutory or other mandatory duties, or

    - The Trust, or any department within it, would be operationally halted

    Level 3: without this change

    - Operational activities are widely impacted upon but there is no risk to the health and wellbeing of patients, staff, visitors or any other service users, or

    - The Trust, or any department within it, would be widely operationally affected but would still be able to carry out its statutory or mandatory duties, or

    - The Trust, or any department within it, would be widely impacted upon but would remain operational

    Level 2: without this change

    - Operational activities are not impacted upon and there is no risk to patients, staff, visitors or any other service users, but the Trust, or any department within it, would be unable to function as it did before

    Level 1: all other changes not categorised above

    iii. Privacy Impact Assessments shall be approved and managed according to the assessed extent of the impact on the Trust, as follows:

    Level 4: Privacy Impact Assessments shall be approved and monitored directly by the Information Governance Committee until completion.

    Level 3: Privacy Impact Assessments shall be approved by the Information Governance Committee and then monitored at initiation and completion.

    Level 2: Privacy Impact Assessments shall be approved by the Information Governance Committee and then monitored to completion by the Information Assurance Manager. The Information Assurance Manager shall provide a periodic progress report to the Information Governance Committee.

    Level 1: Privacy Impact Assessments shall be approved by any Officer who is an Approving Officer and then monitored to completion by the Information Assurance Manager. The Information Assurance Manager will provide a periodic progress report to the Information Governance Committee.

    iv. The Trust Data Protection Officer shall be consulted on all Privacy Impact Assessments.

    v. All Privacy Impact Assessments will be registered with the Information Governance Department. The Information Assurance Manager will provide general oversight of all Privacy Impact Assessments.


    vi. Privacy Impact Assessments shall be submitted on the Trust approved template, which is available via Section 8.

    6.8 Privacy Notices

    i. The Trust will make available “Privacy Notices”, which will specify how the Trust processes the personal information it holds.

    6.9 Information Governance Committee Terms of Reference

    i. The Information Governance Committee shall ensure that Information Governance and Information Security are implemented to the required national standards.

    ii. The Duties of the Information Governance Committee are to:

    - Promote the principles of Confidentiality and Data Protection throughout the Trust

    - Provide organisational support to individuals with responsibility for managing Information Governance and Information Security

    - Ensure the implementation of monitoring and management systems that will provide overall assurance on compliance with national standards for Information Governance and Information Security

    - Monitor and manage the Trust mandatory Information Governance and Information Security requirements and standards

    - Report and escalate, where required or necessary, to the Finance, Performance & Business Development Committee

    - Approve relevant policies and procedures that are within the remit of the Committee

    - Authorise variations or exceptions to the requirements of Trust policies that fall within the remit of the Committee

    - Monitor and manage relevant remedial action plans

    iii. The Core Membership of the Committee is:

    - Chief Information Officer (Chair)

    - Head of Confidentiality and Data Protection (Deputy Chair)

    - Head of IT Services

    - Information Assurance Manager

    - Local Information Governance Leads for Corporate Services

    o Finance

    o Information

    o Human Resources

    - Local Information Governance Leads for Clinical/Technical Services

    o Neonatal

    o Maternity

    o Fertility Unit

    o Genetics

    o Pharmacy


    o Governance

    iv. A quorum is defined as:

    - 7 members present

    - At least 3 representatives from clinical areas

    - At least 2 representatives from corporate areas

    - Chief Information Officer or Head of Confidentiality and Data Protection

    - Head of IT Services

    i. The Director of Finance, who is the Senior Information Risk Owner, is accountable at board level for Information Governance.

    ii. The committee reports to the Finance, Performance & Business Development Committee.

    iii. Core members are expected to attend 75% of meetings.

    iv. The Senior Information Risk Owner and/or the Caldicott Guardian should be in attendance when matters that require their input or intervention are being considered by the Committee.

    v. Members must send a named deputy in the event that they are unable to attend. Those attending will be acting as management representatives and will, therefore, be authorised to act in that capacity for the areas they represent.

    vi. The Information Assurance Manager will be responsible for agenda production, which will normally be circulated to committee members one week ahead of the consideration meeting.

    vii. The Information Governance Department will provide the necessary administrative support to the group.

    6.10 Authority to Act

    i. Approving Officers are, for the purposes of this Policy:

    - The Chief Information Officer

    - Deputy Chief Information Officer

    - Head of IT Services

    - Head of Confidentiality and Data Protection

    ii. Authority to vary from this policy for a specific reason and a time limited period can be given by an Approving Officer.

    iii. An Approving Officer shall not be allowed to give authority where giving such authority would give rise to a conflict of interest.

    iv. Authority to vary from this Policy which is not time-limited may initially be given by an Approving Officer, but this must then be approved by the Information Governance Committee at the first opportunity.


    6.11 Reporting

    i. The Information Governance Committee shall be informed of any incidents where the cause is a systematic failure of any of its systems of control.

    ii. All Managers will provide reasonable access to any system, area or individual that will allow the Information Governance Department to assess compliance with this policy through the Spot-check Programme.

