CDDFT Anti Virus Procedure - cddft.nhs.uk · Information Risk Management Procedure PROC/IG/0028

Information Risk Management Procedure

PROC/IG/0028 Version 5.0 1

CDDFT Procedure Reference Number PROC/IG/0028

Title Information Risk Management Procedure

Version number 5.0

Original Policy Date August 2010

Date approved 28/03/2012

Effective date 28/03/2012

Approving Body Business and Operations Committee

Originating Directorate Commercial Services

Scope Trust Wide

Last review date 28/03/2012

Next review date 28/03/2015

Reviewing body Business and Operations Committee

Document Owner Head of Information Governance

Equality impact assessed Yes – August 2010

Date superseded Not Applicable

Status Approved

Confidentiality Staff in Confidence

Keywords Information Assessment Risk Procedure

Approval

Signature of Chairman of Approving Body

Name / job title of Chairman of Approving Body:

Tom Hunt – Commercial Director and Acting Director of Finance

Signed paper copy held at (location): Library Services DMH


Contents

1. Introduction .... 4
2. Duties and Responsibilities .... 5
2.1. Accounting Officer-Chief Executive Officer .... 5
2.2. Senior Information Risk Owner Responsibilities (SIRO) .... 5
2.3. Senior Information Asset Owners (SIAO) .... 6
2.4. Information Asset Owners (IAO) .... 6
2.5. Information Asset Administrators .... 7
2.6. All CDDFT Staff .... 8
3. Training and Management of Roles .... 9
3.1. Managing Nominated Staff .... 9
3.2. Training .... 9
4. Information Risk Management procedure .... 10
4.1. General Summary Sheet (Tab 1) .... 10
4.2. Asset Risk Assessment (Tab 2) .... 10
4.3. Data Flow (Tab 3) .... 10
4.4. Retention and Disposal Log (Tab 4) .... 10
4.5. Information Asset and Data flow Action Plan .... 10
4.6. Attendance at IRM Meetings .... 11
5. Legal Requirements .... 12
Referenced documents .... 12
Appendix 1 – Information Asset Register
Appendix 2 – Information Risk Management Areas .... 17
Appendix 3 – Risk Matrix Definitions .... 18
Appendix 4 – Archive label template .... 19
Appendix 5 – Action plan template .... 20
Appendix 6 – IRM meeting summary front sheet .... 21
Appendix 7 – Definitions .... 22
Appendix 8 – Equality Assessment Tool .... 23


DOCUMENT CONTROL INFORMATION

Version Control Table

Date             Version   State
April 2010       1.0       Draft
August 2010      2.0       Draft
September 2010   3.0       Approved
January 2011     4.0       Approved
March 2012       5.0       Approved

Table of Revision

Date             Section          Revision Author
April 2010       Whole Document   Head of Information Governance
February 2011    Whole Document   Head of Information Governance
February 2012    Whole Document   Information Governance and Risk Manager


1. INTRODUCTION

County Durham and Darlington NHS Foundation Trust (CDDFT) aspires to the highest standards of corporate behaviour and clinical competence, to ensure that safe, fair and equitable procedures are applied to all organisational transactions, including relationships with patients, public, staff and stakeholders and the use of public resources. This document sets out the Trust’s approach to assessing the information assets throughout the Trust. This document applies to all CDDFT staff and those working on behalf of CDDFT.


2. DUTIES AND RESPONSIBILITIES

2.1. Accounting Officer-Chief Executive Officer

- The Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. The Trust Accounting Officer is the Chief Executive Officer.

- Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risks.

2.2. Senior Information Risk Owner Responsibilities (SIRO)

The Trust Senior Information Risk Owner (SIRO) is the Executive Director of Finance and Chief Operating Officer. The following responsibilities are appropriate to all NHS Senior Information Risk Owners:

- To ensure routine meetings are established with the Trust’s Chief Executive as Accounting Officer to brief, discuss or report upon matters on information governance risk assurance and information risk culture affecting the Trust, including input to the annual NHS Information Governance reporting processes;

- To maintain sufficient knowledge and experience of the organisation’s business and goals with particular emphasis on the use of and dependency upon internal and external information assets;

- To develop and implement an Information Governance Information Risk Policy that is appropriate to all departments of the organisation and their uses of information;

- To identify and implement an appropriately joined-up and resourced information governance risk management structure throughout the organisation with clear lines of responsibility and accountability;

- To initiate and oversee an information risk awareness and training programme of work to communicate importance and maintain impetus, to enable the sharing of good information governance assurance practice within the organisation and to learn from good practice developed and practised within other NHS organisations locally and nationally;

- To initiate and oversee a comprehensive programme of work that identifies, considers, prioritises and addresses NHS Information Governance risk and systems’ accreditation for all parts of the business and with particular regard to information systems that process personal data. The Senior Information Risk Owner should routinely review all key information risks of the organisation and their mitigation plans in order to record progress or status updates a minimum of every six months;

- To ensure that NHS Information Governance Policy, formal risk management method and standards are applied and maintained consistently throughout the organisation’s information governance risk assessment and management framework;

- To act as the focal point for information risk management for the organisation, including resolution of any pan-organisation or other escalated risk issues raised by Information Asset Owners, Information Security Officers, Auditors etc.


In addition to Information Governance risk management responsibility, the NHS Senior Information Risk Owner will normally be the organisation’s focal point for incident response management and follow-up, and root cause analysis. In this capacity, the Senior Information Risk Owner shall:

- Ensure there are effective mechanisms established and publicised for the reporting of ‘perceived’ or ‘actual’ Serious Untoward Incidents (SUI) affecting the Trust and systems and services that the Trust may share with others, in accordance with published NHS Information Governance requirements; IR1’s;

- Ensure that there is a considered and agreed ‘draft’ incident response and communications plan available, that may be re-used or quickly adapted should the need arise. In addition to the immediate incident and its circumstances this draft response plan should also consider and take account of focal contacts within departments, escalation points and management reporting relationships, potential patient or other communications requirements, and of media and public interest and enquiries arising as a consequence of a Serious Untoward Incident.

2.3. Senior Information Asset Owners (SIAO)

The responsibilities of the Senior Information Asset Owners include the three main categories of Information Asset Owner responsibilities stated below (section 2.4); in addition the Senior IAO must:

- Facilitate the Care Group / department / area they are responsible for, ensuring that all information asset registers and associated action plans are completed and regularly reviewed for each area under their remit.

- Ensure that all information assets are logged in accordance with archive, retention, storage and destruction requirements.

- Ensure all IAO and IAA job description clauses are signed and filed in personal files for all IAOs and IAAs within their care group / department / area.

- Ensure all nominated IAOs and IAAs complete their IRM training on an annual basis.

- Attend quarterly meetings with other Senior IAOs to share best practice and discuss issues, also developing their quarterly report for IRM.

- Attend any data loss / breach SUI incident root cause analysis meetings within their area of responsibility.

- Report to the care group / departmental meetings on monthly incidents in their areas.

- Implement actions from any incidents in their areas.

- Support the managers of their areas investigating incidents.

- Ensure any staff changes within the positions of IAOs and IAAs are communicated to the IG Risk Manager.

2.4. Information Asset Owners (IAO)

The responsibilities of the Information Asset Owners fall into three main categories.

a) Leading and fostering a culture that values, protects and uses information for the success of the Trust and benefit of its customers

To do this the Information Asset Owners must:

- Understand the Senior Information Risk Owner’s plans to achieve and monitor the right NHS Information Governance culture, across the Trust and with its business partners, through the Information Governance Steering Group.

- Take visible steps to support and participate in that plan (including completing own training).

- Ensure that staff understand the importance of effective Information Governance and receive appropriate education and training.

- Consider whether better use of any information held is possible, within applicable Information Governance rules, or where information is no longer required.

b) Knowing what information comprises or is associated with the asset, and understanding the nature and justification of information flows to and from the asset

This requires the Information Asset Owner to:

- Maintain an understanding of ‘owned’ assets and how they are used.

- Approve and minimise information transfers while achieving business purposes.

- Approve arrangements where it is necessary for information to be put onto portable or removable media such as (but not limited to) encrypted USB memory sticks, laptops and CD-ROM, and ensure information is effectively protected to NHS Information Governance standards.

- Approve the disposal mechanisms for information from the asset.

c) Knowing who has access to the asset, whether system or information, and why, and ensuring access is monitored and compliant with policy

The Information Asset Owner needs to ensure that:

- They understand the Trust’s policies on the use of information and the management of information risk.

- Decisions on access to information assets are taken in accordance with NHS Information Governance good practice and the policies of the Trust.

- Compliance with data sharing agreements within the local area is ensured.

- Information handling procedures are fit for purpose and are properly applied.

- Access provided to an asset is the minimum necessary to satisfy business objectives.

- The use of the asset is checked regularly and that use remains in line with policy.

- They complete the CfH Information Risk Management Introduction and Foundation modules on an annual basis.

2.5. Information Asset Administrators

Information Asset Administrators will provide support to their Information Asset Owner to:

- ensure that policies and procedures are followed;

- recognise potential or actual security incidents;

- consult their Information Asset Owner on incident management;

- ensure that information asset registers are accurate and maintained up to date.

Their tasks will be:

- Maintenance of Information Asset Registers;

- Under the direction of their Information Asset Owner, ensuring that personal information is not unlawfully exploited;

- Recognising new information handling requirements (e.g. a new type of information arises) and ensuring that the relevant Information Asset Owner is consulted over appropriate procedures;

- Recognising potential or actual security incidents and consulting the Information Asset Owner;

- Reporting to the relevant Information Asset Owner on the current state of local information handling;

- Ensuring that local information handling constraints (e.g. limits on who can have access to the assets) are applied, referring any difficulties to the relevant Information Asset Owner;

- Acting as first port of call for local managers and staff seeking advice on the handling of information;

- Under the direction of their Information Asset Owner, ensuring that information is securely destroyed when there is no further requirement for it;

- Completing the CfH Information Risk Management Introduction Module on an annual basis.

2.6. All CDDFT Staff

All staff including temporary and agency staff are responsible for:

- Compliance with this procedure. Failure to comply may result in disciplinary action being taken.

- Co-operating with the development and implementation of this procedure as part of their normal duties and responsibilities.

- Identifying the need for change in this procedure as a result of becoming aware of changes in practice, changes to statutory requirements, revised professional or clinical standards and local / national directives, and advising their line manager accordingly.

- Identifying training needs in respect of this procedure and bringing them to the attention of their line manager.

- Attending training / awareness sessions when mandated.


3. TRAINING AND MANAGEMENT OF ROLES

3.1. Managing Nominated Staff

Senior IAOs should nominate staff to the roles of IAO and IAA and forward their names to the Information Risk and Governance Manager. The Information Risk and Governance Manager will then register the staff on the Connecting for Health Training Tool. The Senior IAO must ensure that all nominations are current and that any additions or changes (including leavers) are notified to the Information Risk and Governance Manager immediately.

3.2. Training

The nominated Senior Information Asset Owners, Information Asset Owners (IAO) and Information Asset Administrators (IAA) must complete the following Connecting for Health e-learning modules, which are specific to their IAO or IAA role. This training must be completed annually, a pass must be obtained, and a copy of the certificate should be printed and retained for audit evidence.

All Information Asset Administrators:

- Information Risk Management – Introduction

All Senior Information Asset Owners and Information Asset Owners:

- Information Risk Management – Introduction

- Information Risk Management – Foundation

The link to the web site is found below:

http://www.igte-learning.connectingforhealth.nhs.uk/igte/index.cfm

Your email address is your user name.

PLEASE NOTE: this training is IN ADDITION to the standard Trust Information Governance training which must be completed by ALL staff.

All staff:

- Information Governance Introduction. Completion is mandated annually: after completing the Introduction to Information Governance once, staff must then complete refresher Information Governance training each year.


4. INFORMATION RISK MANAGEMENT PROCEDURE

The processes below refer to the document located in Appendix 1.

4.1. General Summary Sheet (Tab 1)

Complete all details as shown on this first tab. This tab also contains the risk matrix referred to in the next 2 sections.

4.2. Asset Risk Assessment (Tab 2)

In order to complete this tab each department / area must:

- agree an asset numbering regime, e.g. comm/IG/001

- identify ALL information assets including (but not restricted to):
  o manual / paper based assets
  o electronic assets including ALL databases
  o mobile media stores, including memory sticks, mobile phones etc
  o those on site
  o any stored off site

Refer to Appendix 2 Information Risk Management Areas.

Then, using the matrix (tab 1), complete a risk assessment for each asset. Identify a likelihood score and a consequence score; the sheet will multiply them to give an overall risk score. Refer to Appendix 3 for matrix definitions.

4.3. Data Flow (Tab 3)

In order to complete this tab each department / area must:

- Identify each data flow linked to the identified assets.

- Complete one line for each method of transfer, so if an asset is transferred by fax, but also by email, then complete 2 lines.

- Include data flows into the department or area.

- Follow the same procedure as above to complete risk assessments for each data flow.

4.4. Retention and Disposal Log (Tab 4)

This tab must record all information assets in respect of:

- How long each needs to be kept in the live environment.

- Once archived, how long it should be kept; please refer to the Records Management Code of Practice Annex D1 and D2, linked here: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747

- Where the archived documents are stored, on and off site.

- Disposal – how and when, to be recorded. All disposals should be carried out in accordance with the CDDFT Confidential Waste Policy.

Please note all documents need to be stored in the correct format, and all boxes are to be correctly labelled with their contents; see Appendix 4.

4.5. Information Asset and Data flow Action Plan

Once the above document has been completed it is then necessary to review the risk scores for both the information assets and the data flows. For any risk recording a score equating to medium or above, an action should be formulated and added to the action plan for review by the department. An action plan template can be found in Appendix 5.

4.6. Attendance at IRM Meetings

All Senior IAOs are required to attend quarterly meetings and submit a summary report for these meetings (see Appendix 6). This report should record current status, any issues or concerns and any best practice, and should be agreed and copied to the area Divisional Manager or Associate Chief Operating Officer. It is the responsibility of the Information Risk and Governance Manager to escalate any issues and present an overall IRM summary at the Information Governance Steering Group meetings. The Divisional Managers will be updated at AOP monthly regarding the progress within their divisions, as the Senior Information Risk Owner chairs the meeting.


5. LEGAL REQUIREMENTS

- The Data Protection Act 1998

- The Freedom of Information Act 2000

- The Computer Misuse Act 1990

- The Copyright, Designs and Patents Act 1988

- The Electronic Communications Act 2000

Referenced documents

- Personal Transfer of Information Policy

- Information Risk Management Policy

- Confidential Waste Policy

- Department of Health Risk Management Code of Practice – Records Management: Annex D1 and D2

- IG Toolkit

Appendix 1 (a) – Information Retention and Disposal Record

Columns: Department | Owner | Document Reference | Document Description | Info - Details | PII/Sensitive | Retention Date | Date of Archive | Archive Location | Disposal Date | Disposal Location | Disposal Confirmation and Signature

Example entry (as given on the sheet):

Department: Information Governance
Owner: Lisa Wilson, Head of Information Governance
Document Reference: HI/IG/001
Document Description: Staff personal Files
Info - Details: (blank)
PII/Sensitive: PII & Sensitive
Retention Date: 6 years after leaves; keep summary file until 70th Birthday
Date of Archive: 01/10/2011
Archive Location: IT Basement, DMH DL3 6HX
Disposal Date: (blank)
Disposal Location: Confidential waste bin
Disposal Confirmation and Signature: (blank)

Appendix 1 (b) – Asset Risk Assessment

Columns:

- How is access to the information asset controlled and monitored (incl leavers etc)
- Describe the Physical Security you have in place for this Asset
- Describe the controls in place to secure this asset from visitors / patients
- How are these assets assessed for retention and subsequent disposal
- Does the dept have a business continuity plan / service continuation plan in event of the information asset being unavailable
- Please detail any physical risks you have identified to this Asset (theft, unauthorised access etc)
- What Controls are in place to mitigate these risks
- Please detail any Environmental risks you have identified to this Asset (fire, flood, air conditioning breakdown etc)
- What Controls are in place to mitigate these risks
- Please detail any electronic risks you have identified to this Asset (unauthorised access, sharing passwords, not logging off etc)
- What Controls are in place to mitigate these risks
- Please detail any Legal and Regulatory risks you have identified to this Asset (failure to comply with Data Protection Act, staff not aware of trust policy etc)
- What Controls are in place to mitigate these risks
- Impact Score
- Likelihood Score
- Overall Risk Score (Lowest risk score 1, highest risk score 25)
- Has an Action Plan been developed to address the issues recorded in this assessment

Example entry (as given on the sheet):

Access control and monitoring: dept process in place
Physical security: locked in sisters office
Controls against visitors / patients: in non patient areas
Retention and disposal assessment: trust policy dept review
Business continuity plan: No
Physical risks: misplaced
Controls: kept in locked office dept process
Environmental risks: flood
Controls: business continuity to relocate
Electronic risks: password sharing
Controls: staff training and system monitoring
Legal and Regulatory risks: staff not aware of legislation
Controls: none
Impact Score: 3
Likelihood Score: 3
Overall Risk Score: 9
Action Plan developed: No

Appendix 1 (c) – Information Data Flow Record

Columns (all but the first are completed from drop down lists): Type of Data (Brief general Description) | Inbound / Outbound | Internal / External | Manual/Electronic | Method of Transfer | Destination

Example entry (as given on the sheet):

Type of Data: paper discharge summary
Inbound / Outbound: Outbound
Internal / External: External
Manual/Electronic: Electronic
Method of Transfer: Fax
Destination: PCT

Please complete Columns A to K for each information data flow either sent or received by your department. Please use the drop down lists to identify each way in which data is transferred.

Appendix 1 (d) – Information Retention and Disposal Record

Columns: Department | Owner | Document Reference | Document Description | Info - Details | PII/Sensitive | Retention Date | Date of Archive | Archive Location | Disposal Date | Disposal Location

Example entry (as given on the sheet):

Department: Information Governance
Owner: Lisa Wilson, Head of Information Governance
Document Reference: HI/IG/001
Document Description: Staff personal Files
Info - Details: (blank)
PII/Sensitive: PII & Sensitive
Retention Date: 6 years after leaves; keep summary file until 70th Birthday
Date of Archive: 01/10/2011
Archive Location: IT Basement, DMH DL3 6HX
Disposal Date: (blank)
Disposal Location: Confidential waste bin

Appendix 2 – Information Risk Management Areas

A) Information Governance and Security

- IG Policy, Procedure & Guidelines
- Security Organisation
- Personnel Security
- Physical & Environmental Security
- Media Security
- Incident Management
- Business Continuity Management
- Compliance with Best Practice Requirement

B) Records Management

- Records Management Strategy, Policy & Procedures (Paper & Electronic)
- Records Inventory / Audit
- Records Storage & Locations
- Records Naming Conventions
- Electronic Records Storage & Security
- Email Records Management
- Retention & Disposal
- Archiving of Records (Paper & Electronic)

B1) Patient Records

- Paper Health Records
- Patient Clinical Systems
- Patient Administration Systems
- Pharmacy & Drug Records
- Waiting and Clinical Lists
- Admissions, Ward Books, Diaries

B2) Corporate Records

- Finance Records
- Human Resources
- Purchase & Supplies
- Health Informatics
- Estates and Facilities
- Corporate Affairs

C) Systems & Network Support

- Identification and Authentication
- Access Control
- Audit & Logging
- System & Communications Protection
- Security Appliances (Firewalls, VPN Gateways, Content filtering, Wi-Fi etc)
- System & Information Integrity Protection
- Configuration Management

Page 18: CDDFT Anti Virus Procedure - cddft.nhs.uk · Information Risk Management Procedure PROC/IG/0028 Version 5.0 6 In addition to Information Governance risk management responsibility,

Information Risk Management Procedure

PROC/IG/0028 Version 5.0 18

Table 1 – Consequence Score (C)

Score: 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic

Objectives / Projects
1 Insignificant: Insignificant cost increase / schedule slippage. Barely noticeable reduction in scope or quality
2 Minor: <5% over budget / schedule slippage. Minor reduction in quality / scope
3 Moderate: 5 – 10% over budget / schedule slippage. Reduction in scope or quality
4 Major: 10 – 25% over budget / schedule slippage. Doesn’t meet secondary objectives
5 Catastrophic: >25% over budget / schedule slippage. Doesn’t meet primary objectives

Injury
1 Insignificant: Minor injury not requiring first aid
2 Minor: Minor injury or illness, first aid treatment needed
3 Moderate: RIDDOR / Agency reportable
4 Major: Major injuries, or long term incapacity / disability (loss of limb)
5 Catastrophic: Death or major permanent incapacity

Patient Experience
1 Insignificant: Unsatisfactory patient experience not directly related to patient care
2 Minor: Unsatisfactory patient experience – readily resolvable
3 Moderate: Mismanagement of patient care
4 Major: Serious mismanagement of patient care
5 Catastrophic: Totally unsatisfactory patient outcome or experience

Complaints / Claims
1 Insignificant: Locally resolved complaint
2 Minor: Justified complaint peripheral to clinical care
3 Moderate: Below excess claim. Justified complaint involving lack of appropriate care
4 Major: Claim above excess level. Multiple justified complaints
5 Catastrophic: Multiple claims or single major claim

Service / Business Interruption
1 Insignificant: Loss / interruption > 1 hour
2 Minor: Loss / interruption > 8 hours
3 Moderate: Loss / interruption > 1 day
4 Major: Loss / interruption > 1 week
5 Catastrophic: Permanent loss of service or facility

Staffing and Competence
1 Insignificant: Short term staffing level temporarily reduces service quality (<1 day)
2 Minor: Ongoing low staffing level reduces service quality
3 Moderate: Late delivery of key objective / service due to lack of staff. Minor error due to poor training. Ongoing unsafe staffing level
4 Major: Uncertain delivery of key objective / service due to lack of staff. Serious error due to poor training
5 Catastrophic: Non delivery of key objective / service due to lack of staff. Loss of key staff. Critical error due to insufficient training

Financial
1 Insignificant: Small loss
2 Minor: Loss >0.1% of budget
3 Moderate: Loss >0.25% of budget
4 Major: Loss >0.5% of budget
5 Catastrophic: Loss >1% of budget

Inspection / Audit
1 Insignificant: Minor recommendations. Minor non-compliance with standards
2 Minor: Recommendations given. Non-compliance with standards
3 Moderate: Reduced rating. Challenging recommendations. Non-compliance with core standards
4 Major: Enforcement action. Low rating. Critical report. Major non-compliance with core standards
5 Catastrophic: Prosecution. Zero rating. Severely critical report

Adverse Publicity / Reputation
1 Insignificant: Rumours
2 Minor: Local media – short term. Minor effect on staff morale
3 Moderate: Local media – long term. Significant effect on staff morale
4 Major: National media <3 days
5 Catastrophic: National media >3 days. MP concern (questions in House)

Table 2 – Likelihood Score (L)

Score: 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost Certain

Frequency
1 Rare: Not expected to occur for years
2 Unlikely: Expected to occur at least annually
3 Possible: Expected to occur at least monthly
4 Likely: Expected to occur at least weekly
5 Almost Certain: Expected to occur at least daily

Probability
1 Rare: <1% – will only occur in exceptional circumstances
2 Unlikely: 1 – 5% – unlikely to occur
3 Possible: 6 – 20% – reasonable chance of occurring
4 Likely: 21 – 50% – likely to occur
5 Almost Certain: >50% – more likely to occur than not

Risk Matrix R (risk) = C (Consequence) x L (Likelihood)

Consequence

Likelihood 1 Insignificant 2 Minor 3 Moderate 4 Major 5 Catastrophic

5 Almost Certain 5 10 15 20 25

4 Likely 4 8 12 16 20

3 Possible 3 6 9 12 15

2 Unlikely 2 4 6 8 10

1 Rare 1 2 3 4 5

Appendix 3


Information Risk Action Plan Template

Information Risk Management – Action Plan – Date 2010

Department / Division …………………………….

Columns: No. | Main Action | Detailed action | Responsible owner | Delivery date | Comments

Rows 1 to 16 (left blank for completion)

Appendix 5


Agenda Item X

COUNTY DURHAM & DARLINGTON FOUNDATION TRUST

Information Governance Assurance

Information Governance Information Risk Management Update Report for XXX Division

1. Purpose of Report

This report is for information and to update the group on the status of the Information Risk Management programme within the XXX Division.

2. Background

3. Key Action / Issues

4. Recommendations

Name:   Title:   Date:

Appendix 6


APPENDIX 7 – DEFINITIONS

What is a record?
For the purpose of this process, a record is anything which contains information that has been created or gathered as a result of any aspect of the work of NHS employees, including:

- paper based / client based information
- sensitive administrative records, e.g. personnel, estates, financial and accounting records, notes associated with complaints handling etc.
- x-ray and imaging reports, photographs and other images
- microfilm, i.e. fiche or film
- audio and videotapes, cassettes, CD-ROM etc.
- material intended for short term or transitory use, including notes and spare copies of documents

Internal Mail
Mail that is addressed to Trust premises and bases where staff work and is collected and delivered by CDDFT or other NHS Trusts’ courier transport staff and by external agencies with which the Trust has service level agreements.

External Mail
Mail that is addressed and delivered by Royal Mail or an authorised courier company, e.g. TNT UK.

Sensitivity of Information
When transferring information from one location to another, consideration needs to be given to the sensitivity of the information. What would be the impact if the information were to be received by the wrong person? For the purposes of moving confidential information around, information can be considered as:

NHS Confidential or NHS Restricted
Suitable for documents and confidential information containing personal identifiable information, e.g. health records and personnel records, referral letters. This category may also include NHS restricted information such as:

- Trust corporate information
- financial data
- information which could adversely affect the reputation of the Trust
- make it more difficult to maintain the operational effectiveness of the Trust
- cause financial loss or loss of earning potential
- prejudice the investigation of crime or facilitate the commission of crime or other illegal activity
- breach proper undertakings to maintain the confidence of information provided by third parties
- impede the effective development of the operations of policies
- breach statutory restrictions on disclosure of information
- disadvantage the Trust in commercial or policy negotiations with others
- undermine the proper management of the organisation

NHS Unrestricted
All other information.


APPENDIX 8 - EQUALITY ASSESSMENT TOOL

Equality Impact Assessment

Preliminary Assessment Form v1/2009

The preliminary impact assessment is a quick and easy screening process.

It should:

- identify those policies, procedures, services, functions and strategies which require a full EIA by looking at:
  - negative, positive or no impact on any of the equality groups
  - opportunity to promote equality for the equality groups
  - data / feedback
- prioritise if and when a full EIA should be completed
- justify reasons for why a full EIA is not going to be completed

Division/Department: Health Informatics

Title of policy, procedure, function or service: CDDFT Information Risk Management procedure

Type of policy, procedure, function or service: Existing / New/proposed / Changed

Q1 - What is the aim of your policy, procedure, project or service?

To assist IAOs and IAAs in completing their role.

Q2 - Who is the policy, procedure, project or service going to benefit?

Full Trust

Q3 - Thinking about each group below, does, or could the policy, procedure, project or service have a negative impact on members of the equality groups below?

Group (Yes / No / Unclear)

Age X


Disability X

Race X

Gender X

Transgender X

Sexual Orientation X

Religion or belief X

Relationships between groups X

Other socially excluded groups X

If the answer is “Yes” or “Unclear” you MUST complete a full EIA

Q4 – Does, or could, the policy, procedure, project or service help to promote equality for members of the equality groups?

Group (Yes / No / Unclear)

Age X

Disability X

Race X

Gender X

Transgender X

Sexual Orientation X

Religion or belief X

Relationships between groups X

Other socially excluded groups X

Q5 – Do you have any feedback data from equality groups that indicate how this policy, procedure, project or service may impact upon these groups?

Group (Yes – No Impact / Yes – Impact / No / Unclear)

Age X

Disability X

Race X

Gender X

Transgender X

Sexual Orientation X

Religion or belief X

Relationships between groups X

Other socially excluded groups X

Q6 – Using the assessments in questions 3, 4 and 5 should a full assessment be carried out on this policy, procedure, project or service?

Yes No x


If you have answered “Yes” now follow the EIA toolkit and complete a full EIA form

Q7 – How have you come to this decision?

The procedure must be in place and risk assessments completed for all information types as per national guidance and IG toolkit requirements.

Q8 – What is your priority for doing the full EIA?

High Medium Low

x

Q9 – Who was involved in the EIA, and how?

Author

This EIA has been approved by: Head of IG

Date: 30/8/10 Contact number: x3085

Please ensure that this assessment is attached to the policy document to which it relates.