NHS Erewash Clinical Commissioning Group
INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK
Document History
Document Reference: IG01
Document Purpose: The document complements all other Information Governance policies and sets out the management arrangements for information governance in the CCG
Date Approved: August 2014
Approving Committee: Governing Body – November 2014
Version Number: 1.2
Status: FINAL
Next Revision Due: August 2015
Developed by: Information Governance, Greater East Midlands Commissioning Support Unit (GEM CSU)
Policy Sponsor: Assistant Chief Officer and SIRO
Target Audience:
All Staff within the CCG whether operating directly or providing services to other organisations under a service level agreement or joint agreement, and non-executive directors, contracted third parties (including agency staff), locums, students, volunteers, trainees, visiting professionals or researchers, secondees and other staff on temporary placements within the organisation.
Associated Documents: All Information Governance Policies and the Information Governance Toolkit
Revision History
Version Revision date Summary of Changes
1.0 August 2013 Revised in line with NHS England Policies and updated to reflect version 11 of the Information Governance Toolkit
1.1 August 2014 Revised to reflect Version 12 of the Information Governance Toolkit
FINAL 1.2 August 2014 Approved at IG Product Group
Policy Dissemination information
Reference Number
Title Available from
Information Governance Management Framework
Page 2 of 24
document.docx
CONTENTS
Section Page
1 Introduction 4
2 Purpose & Scope 4
3 Policy Statement 4
4 Senior IG Management Details - Organisation Roles & Accountabilities 4
5 Key Policies 8
6 Governance Arrangements 8
7 Resources 9
8 Training Guidance 9
9 Incident Management 9
10 Equality & Diversity Impact Assessment 9
11 Monitoring & Compliance 9
12 Further Information or Guidance 9
13 References 10
Appendix 1 Terms of Reference – Information Governance Working Group 11
Appendix 2 Terms of Reference – Information Governance Committee 14
Appendix 3 – Information Governance Operational Structure 18
Appendix 4 – CCG Toolkit Requirements Training Needs Analysis 19
Appendix 5 – Information Governance Related Policies, Procedures & Guidance 21
Appendix 6 – CCG Version 12 Requirements List 22
Information Governance Management Framework for Erewash CCG
1. Introduction
Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources.
The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit (IGT) as the organisation’s Information Governance Management Framework.
This Framework must be documented, approved at the most appropriate senior management level in the organisation (e.g. a member of the Executive Team) and reviewed annually. This document sets out Erewash CCG’s approach to embedding robust information governance throughout the CCG.
The IGT is available here: https://nww.igt.hscic.gov.uk. A user name and password are required to access the CCG IG Toolkit Return.
This policy is a standalone document and provides a summary/overview of how the CCG is addressing the IG agenda and reflects the capacity and capability of the CCG.
2. Purpose and scope
The purpose of this policy is to establish employee responsibility and the rules of conduct for all members of staff regarding the CCG’s information governance framework. This policy applies to all staff within the CCG whether operating directly or providing services to other organisations under a service level agreement or joint agreement, and to non-executive directors, contracted third parties (including agency staff), locums, students, volunteers, trainees, visiting professionals or researchers, secondees and other staff on temporary placements within the organisation.
3. Policy Statement
The Health & Social Care Information Centre (HSCIC) mandates that the Information Governance Toolkit (IGT) version 12 is completed by all organisations that commission or provide services within and to the NHS.
An Information Governance Management Framework (IGMF) is required to be in place to ensure that the Information Governance agenda is owned and implemented in a structured manner.
4. Senior Information Governance Management Details
Organisational Roles & Accountability
4.1 The CCG will:
Appoint an IG Lead, Senior Information Risk Owner and Caldicott Guardian. These designated roles will be reported in the CCG IG Toolkit Return under ‘Update Information Governance Senior Management Details’ once appointed
The roles of the Senior Information Risk Owner and Caldicott Guardian will be held at Executive Board level
The Information Governance Lead is a senior representative in the organisation who leads and co-ordinates the information governance works programme
The Accountable Officer has overall accountability and responsibility for Information Governance and is required to provide assurance through the Statements on Internal Control that all risks to the CCG, including those relating to information, are effectively managed and mitigated
The Records Manager is an individual/s with clear responsibility for the management of the records of an organisation from the time they are created up to their eventual disposal. This may include naming, version control, storing, tracking, securing and destruction (or in some cases, archival preservation) of records
An Information Asset Owner is a senior individual involved in running the relevant business. Their role is to understand and address risks to the information assets they ‘own’ and to provide assurance to the SIRO on the security and use of those assets
Information Asset Administrators are usually operational members of staff who understand and are familiar with information risks in their area or department. Information Asset Administrators ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management and ensure that information asset registers are accurate and up to date
4.2 The CCG Information Governance Lead, in conjunction with services provided by GEMCSU, will:
Develop and maintain comprehensive and appropriate documentation that demonstrates commitment to and ownership of IG responsibilities, e.g. an overarching high level strategy document supported by corporate and/or directorate policies and procedures
Ensure that there is senior management awareness and support for IG resourcing and implementation of improvements
Provide direction in formulating, establishing and promoting IG policies
Establish working groups, if necessary, to co-ordinate the activities of staff given IG responsibilities and progress initiatives
Ensure that assessment and improvement plans are prepared for approval by the senior level of management in a timely manner and in line with national reporting requirements
Ensure that the approach to information handling is communicated to all staff and made available to the public
Ensure that appropriate training is made available to staff and completed as necessary to support their duties and in line with IGT requirements
Liaise with other committees, working groups and programme boards in order to promote and integrate IG standards
Monitor information handling activities to ensure compliance with law and guidance
Provide a focal point for the resolution and/or discussion of IG issues
4.3 The SIRO will:
Take ownership of the organisation’s information risk policy and information risk management strategy. All key information assets will be identified and their details included in an Information Asset Register
Ensure that Information Asset owners will be identified for each key information asset
Ensure that all staff assigned responsibility for co-ordinating and implementing information risk management will be appropriately trained to carry out their role
Ensure that Information Asset Owners carry out risk reviews of the assets for which they are accountable, the frequency of review depending upon the importance of the asset and the nature of the risk environment
The SIRO will also lead and implement the information governance risk assessment and advise the Board on the effectiveness of risk management across the organisation
4.4 The Caldicott Guardian will:
Be added to the National Register of Caldicott Guardians
Identify the support necessary to ensure work related to confidentiality and data protection is appropriately carried out
Provide a plan for the Caldicott Function of the CCG
Ensure all staff assigned responsibility for co-ordinating and implementing the confidentiality and data protection work programme have been appropriately trained to carry out their role
Identify the work necessary to provide Confidentiality and Data Protection Assurance
Be a senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.
4.5 The Information Asset Owner will:
Identify and document the scope and importance of all Information Assets they own. This will include identifying all information necessary in order to respond to incidents or recover from a disaster affecting the Information Asset.
Take ownership of their local asset control, risk assessment and management processes for the information assets they own. This includes the identification, review and prioritisation of perceived risks and oversight of actions agreed to mitigate those risks.
Provide support to the organisation’s SIRO and Risk Management Board to maintain their awareness of the risks to all Information Assets that are owned by the organisation and for the organisation’s overall risk reporting requirements and procedures.
Ensure that staff and relevant others are aware of and comply with expected IG working practices for the effective use of owned Information Assets. This includes records of the information disclosed from an asset where this is permitted.
Provide a focal point for the resolution and/or discussion of risk issues affecting their Information Assets.
Ensure that the organisation’s requirements for information incident identification, reporting, management and response apply to the Information Assets they own. This includes the mechanisms to identify and minimise the severity of an incident and the points at which assistance or escalation may be required.
Foster an effective IG culture for staff and others who access or use their Information Assets to ensure individual responsibilities are understood, and that good working practices are adopted in accordance with the organisation’s policy.
4.6 The Information Asset Administrator will:
Ensure that policies and procedures are followed when using an information asset
Recognise actual or potential security incidents
Consult their IAO on incident management
Assist the IAO to ensure that information asset registers are accurate and up to date, for example by reporting when an information asset they use is no longer required.
5. Key Policies
The CCG, via Greater East Midlands Commissioning Support Unit (GEMCSU), will provide the following policies (or equivalent) to set out scope and intent in terms of embedding Information Governance processes throughout the Organisation:
An Overarching Information Governance Policy
A Confidentiality and Data Protection Policy
An Information Security Policy
A Corporate Governance Policy (which covers FOI)
An Information Lifecycle Management Policy (Records Management and Information Quality)
In particular the CCG will implement policies as required to support confidentiality, security and records management processes in addition to this Information Governance Management Framework
6. Governance Arrangements
The following governance arrangements have been agreed:
The CCG Governing Body will receive periodic assurance that management and accountability arrangements are adequate and will be informed in a timely manner of future changes in the IG agenda through IG updates within the corporate report.
The CCG will be represented at the Countywide Information Governance Group. The Governing Body of the CCG will have responsibility for the Information Governance Agenda, supported by identified senior roles, i.e. Caldicott Guardian, SIRO and IG Lead.
Under a service level agreement, the CCG will obtain Information Governance Support through the GEMCSU.
Responsibility and accountability for Information Governance will be cascaded through the organisation via staff contracts, contracts with third parties, Information Asset Owner arrangements and departmental leads.
Key information governance messages will be developed by GEMCSU through a Service Level Agreement and made available to the CCG for onward dissemination.
7. Resources
Key staff involved in the Information Governance Agenda, below those at Executive Team level, will be provided to the CCG through a Service Level Agreement between the CCG and GEMCSU.
8. Training Guidance
Staff need clear guidelines on expected working practices and on the consequences of failing to follow policies and procedures.
The approach to ensuring that all staff receive training appropriate to their roles will be detailed and provided by GEMCSU through a Service Level Agreement with the CCG.
Information Governance Services will assist the CCG in achieving 95% take up of mandatory information governance training and advise/manage staff to undertake further specialist information governance training as required.
Mandatory annual Information Governance Training should be completed by all third party contractors.
Training will also be made available via the HSCIC e-learning site (at August 2014 still hosted at): https://www.igtt.hscic.gov.uk/igte/index.cfm?action=logout
9. Incident Management
Clear guidance on incident management procedures will be documented and staff will be made aware of their existence, where to find them and how to implement them through a Service Level Agreement between the CCG and GEMCSU.
All incidents will be reported via the CCG Information Governance Group (or equivalent) on a bi-monthly basis.
10. Equality & Diversity Impact Assessment
None required.
11. Monitoring and Compliance
The IGMF will be reviewed at least annually in line with IG Toolkit requirements or amended as required to reflect changes in organisational ownership.
12. Further Information or Guidance
Contact Information Governance (IG) Services/GEMCSU on [email protected] 01332 868721
Key Roles within IG Services/GEMCSU
Information Governance Consultant (North)
Information Governance Project Officer
13. References
NHS Code of Confidentiality: https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice
The IG Toolkit.
https://nww.igt.hscic.gov.uk/requirementsorganisation.aspx?tk=414264250435607&cb=b890a2c3-bfb6-4f8f-9dc2-27aea4159c93&lnv=2&clnav=YES
Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents (Gateway reference 13177)
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/links/suichecklist.pdf
NHS Information Risk Management http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/risk/inforiskmgtgpg.pdf
The Caldicott Review: Information Governance in the Health and Social Care System
https://www.gov.uk/government/publications/the-information-governance-review
Appendix 1
Terms of Reference for CCG Information Governance Working Group
Terms of Reference
1. Remit and purpose of the group
Information governance is a key component of the clinical and corporate assurance framework and can be defined as: “providing a framework for handling personal and sensitive information in a confidential and secure manner appropriate to ethical and quality standards in a modern health service.” (Connecting for Health).
Greater East Midlands Commissioning Support Unit (GEM CSU) provides Information Governance support, advice and expertise to the Derbyshire CCGs through the IG Services team. The team link into each Clinical Commissioning Group through an operational IG lead.
The purpose of the IG Working Group is to:
1.1. be the operational focal point for CCG IG leads and GEM CSU IG leads to discuss information governance issues (and their resolution), including discussion of queries and incident monitoring, providing advice and recommendations to the CCG Information Governance Committee as required.
1.2. monitor the operational accountability and availability of CCG staff/resources for Information Governance, taking into account national programmes and compliance requirements e.g. Operating Framework, Information Governance Toolkit and making recommendations to the CCG Information Governance Committee as appropriate.
1.3. ensure compliance with the CCG Information Governance Toolkit and evidence gathering, including exception reporting to the CCG Information Governance Committee as appropriate.
1.4. act as the forum for dissemination of information from the GEM CSU IG team to the CCGs.
2. Accountability
GEM CSU hosts the Information Governance Working Group meetings on behalf of the Derbyshire CCGs.
Overall accountability for Information Governance lies with the CCG Chief Officer, delegated through the role of the Senior Information Risk Owner (SIRO).
Accountability for operational delivery lies with the CCG Information Governance lead reporting to the CCG SIRO, who is responsible for day to day management and delivery of the function.
IG advice and expertise is provided to the CCG through the GEM CSU IG Services team who will liaise with the SIRO, Caldicott Guardian and IG lead/link as appropriate.
3. Membership
- GEM CSU North Information Governance Consultant
- GEM CSU Information Governance Officers
- Members of the GEM CSU Information Governance Team when required
- CCG Information Governance Leads
- CCG Governance Officers
Other members will be co-opted to the Committee as required.
Deputising Arrangements
All members may nominate a representative to attend in their absence.
Quorum Arrangements
Two CCG Information Governance leads, plus two other members of the GEM CSU Information Governance team, need to be present in order for the Group to be quorate.
Chair of Group: GEM CSU North IG Consultant
Deputy Chair: GEM CSU IG Team member
In the event of neither of these members being available a temporary Chair will be elected from those members present.
4. Functions & Responsibilities
i. To support the formulation, implementation and monitoring of compliance of the Information Governance Strategy and Framework for the CCG.
ii. To work proactively to ensure that the CCG meets all NHS and legal requirements relating to information governance. This includes compliance with the NHS Information Governance Toolkit standards and submission of organisational assessments.
iii. To support the development, implementation and monitoring of the annual CCG Information Governance Improvement plan.
iv. To liaise with Information Governance related groups at local and national levels as appropriate.
v. To support solutions and implementation programmes (including training and awareness raising) to ensure that the CCG complies with developing information governance requirements.
vi. To support the implementation of tailored staff awareness and training programmes for information governance meeting national requirements.
vii. To monitor and review the CCG Risk Registers, ensuring risks are appropriately forwarded to the CCG Corporate Risk Register.
5. Reporting arrangements
The group reports to the CCG Information Governance Committee.
The minutes of the meeting and regular reports are submitted to the CCG Information Governance Committee meetings.
6. Frequency of meetings
The CCG Information Governance Working Group will meet on a monthly basis with additional meetings as required to meet its responsibilities.
Appendix 2
Terms of Reference for CCG Information Governance Committee
1. Remit and purpose of the Committee
Information governance is a key component of the clinical and corporate assurance framework and can be defined as:
“providing a framework for handling personal and sensitive information in a confidential and secure manner appropriate to ethical and quality standards in a modern health service.” (Connecting for Health)
The purpose of the CCG Information Governance Committee (CCG IGC) (using delegated authority from the relevant authorising committee – See addendum) is to:
1.1. be the organisational focal point for information governance issues (and their resolution), providing advice, reports and recommendations to the relevant CCG authorising committee, Accountable Officer or Clinical Commissioning Group Governing Body as required.
1.2. monitor the organisational management accountability, compliance arrangements and availability of specialist staff/resources for Information Governance, taking into account national programmes and compliance requirements e.g. Operating Framework, Information Governance Toolkit and making recommendations to the relevant CCG committee as appropriate.
2. Accountability
Overall accountability for Information Governance lies with the Accountable Officer and the CCG Governing Bodies, delegated through the role of the Senior Information Risk Owners (SIRO). The CCG Information Governance Committee makes recommendations which need to be approved by the individual CCG governance process.
Accountability for operational delivery lies with the CCG Information Governance Lead reporting to the CCG Information Governance Committee, and SIRO who is responsible for day to day management and delivery of the function.
3. Membership
- Representation from Erewash CCG, Hardwick CCG, North Derbyshire CCG and Southern Derbyshire CCG, including:
  o CCG Caldicott Guardian (x4)
  o CCG Senior Information Risk Owner (x4)
  o CCG Information Governance Lead (x4)
- Representation from Greater East Midlands Commissioning Support Unit (GEM CSU):
  o GEM CSU Information Governance Consultant
  o GEM CSU Information Governance Officers
  o Members of the GEM CSU Information Governance Team when required
Other members may be invited to attend the Committee as required e.g. HR representative, Communications representative, representatives from Public Health, Commissioning etc.
Deputising Arrangements
All members can nominate a representative to attend in their absence but the representative must have sign off authority for policies and committee decisions.
In the absence of the relevant CCG Caldicott Guardian the SIRO will sign off and obtain retrospective Caldicott Guardian approval.
Quorum Arrangements
One of the following, plus two other members of the Committee, need to be present in order for the CCG IGC to be quorate:
- Caldicott Guardian
- SIRO
- GEM CSU Information Governance representative
Chair of Committee: Southern Derbyshire CCG SIRO
Deputy Chair: Hardwick CCG SIRO
In the event of neither of these members being available a temporary Chair will be elected from those members present.
4. Functions & Responsibilities
i. To ensure that a consistent approach is applied to adoption of information governance, information security and records management standards and legislation across the CCGs, independent practitioners and commissioned service providers.
ii. To oversee the formulation, implementation and monitoring of compliance of the Information Governance Strategy and Framework for the CCGs.
iii. To work proactively to ensure that the CCGs meet all NHS and legal requirements relating to information governance. This includes compliance with the NHS Information Governance Toolkit standards and submission of organisational assessments.
iv. To be the body which assures that all new processes, services and information systems are developed and implemented in a secure and structured manner, comply with Information Governance security accreditation, information quality, confidentiality and data protection requirements.
v. To develop and recommend policies (and monitor user compliance) to meet information governance requirements affecting the Clinical Commissioning Groups for ratification though the relevant CCG authorising body. Policies approved by Committee will be reported to the relevant authorising committee for ratification.
vi. To review incidents, near misses and complaints relating to information governance to enable lessons to be learnt, share outcomes, and make recommendations where compliance with requirements has been breached or jeopardised. Such investigations will comply with national NHS Guidelines, the CCG Incident Reporting policy and ISO 27001.
vii. To authorise programmes of risk assessments and audits relating to information governance, security and confidentiality; review results and make recommendations to the relevant authorising committee.
viii. To provide expertise and advice and to make recommendations relating to information access requests received by the CCGs. Specifically, to make recommendations to the Accountable Officer on the disclosure of information (under the terms of the Data Protection, Freedom of Information Acts or Environmental Information Regulations and associated legislation e.g. Human Rights or Access to Health Records Acts) where the issues are complex and possibly contentious.
ix. To develop and approve suitable information sharing protocols for all organisations involved in routinely and regularly sharing information with the CCGs.
x. To provide advice and recommendations relating to records management requirements, procedures and practices.
xi. To oversee the formulation, ratification, implementation and monitoring of policies and procedures to ensure that the organisations have the capability of meeting NHS and statutory Information Governance requirements.
xii. To develop, implement and monitor the annual Information Governance Improvement plan and approve the Information Governance Toolkit submissions.
xiii. To liaise with Information Governance related groups at local and national levels as appropriate e.g. EM SIGN etc.
xiv. To develop solutions and implementation programmes (including training and awareness raising) to ensure that the CCGs comply with developing information governance requirements.
xv. To liaise with independent monitors e.g. Internal/External Audit, NHS Litigation Authority and to oversee the implementation of recommendations and action plans as required.
xvi. To ensure that tailored staff awareness and training programmes are in place and delivered for information governance meeting national requirements.
xvii. To provide support and advice to the organisation information governance specialists as requested or required.
xviii. To communicate to staff and the population served by the CCGs, the organisations’ approaches to information handling.
5. Reporting arrangements
The CCG IGC is accountable to the relevant individual CCG authorising committees.
The CCG IGC will provide minutes of meetings and regular reports (including an Annual Report) to the relevant authorising committee in accordance with the agreed reporting schedule.
It is the responsibility of the individual CCG IGC Committee members to forward any relevant reports and meeting minutes to the appropriate CCG Governing Bodies.
6. Frequency of meetings
The Information Governance Committee will meet on a bi-monthly basis with additional meetings as required to meet its responsibilities.
7. Review
These Terms of Reference will be reviewed at least annually by the Information Governance Committee or sooner if required to ensure that the Committee is carrying out its functions effectively.
Appendix 3
Information Governance Operational Structure
(Organisation chart; only the box labels are recoverable from the diagram)
Accountable Officer
  Records Manager | IG Lead | SIRO | Caldicott Guardian
    Information Asset Owners
      Information Asset Administrators
  GEMCSU IG Lead
Appendix 4
CCG Training Needs Analysis

| Job Role | Introduction to IG (Year 1) | IG Refresher Module (Years 2 & 3) | The Caldicott Guardian in the NHS & Social Care | NHS Information Risk Management for SIROs & IAOs | NHS Information Risk Management - Introductory | NHS Information Risk Management - Foundation | Password Management | Information Security Guidelines | Patient Confidentiality |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| IG Lead | Mandatory | Mandatory | Recommended | Recommended | Recommended | Recommended | Optional | Recommended | Optional |
| Caldicott Guardian | Mandatory | Mandatory | Mandatory | Recommended | Optional | Optional | Optional | Optional | Recommended |
| SIRO | Mandatory | Mandatory | Recommended | Mandatory | Recommended | Mandatory | Optional | Recommended | Optional |
| IAO & IAA | Mandatory | Mandatory | Optional | Mandatory | Recommended | Mandatory | Optional | Optional | Optional |
| Records Manager | Mandatory | Mandatory | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Admin/Clerical | Mandatory | Mandatory | Optional | Optional | Optional | Optional | Optional | Optional | Optional |

| Job Role | Access to Health Records | Records Management and the NHS Code of Practice | Records Management in the NHS | Secure Transfers of Personal Data | Business Continuity Management | NEW - Access to Information & Information Sharing in the NHS | NEW - Secure Handling of Confidential Information | NEW - Information Security Management |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| IG Lead | Optional | Optional | Optional | Optional | Recommended | Recommended | Optional | Optional |
| Caldicott Guardian | Optional | Optional | Optional | Optional | Optional | Recommended | Recommended | Optional |
| SIRO | Optional | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| IAO & IAA | Optional | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
| Records Manager | Recommended | Recommended | Optional | Optional | Optional | Optional | Optional | Optional |
| Admin/Clerical | Optional | Optional | Optional | Optional | Optional | Optional | Optional | Optional |
Appendix 5
Information Governance Related Policies, Procedures & Guidance
Name of PolicyPolicy Approval
Date(A)
Approving Body/Individual
(B)
Date approved at IGC(C)
Corporate Information Security Policy 4th December 2014
Governing Body Nov 2014
Confidentiality & Data Protection Policy 4th December 2014
Governing Body Oct 2014
Data Protection Policy 4th December 2014
Governing Body Included in above
Data Quality Policy 4th December 2014
Governing Body Oct 2014
Email Policy 4th December 2014
Governing Body Oct 2014
Freedom of Information (FOI) Policy 6th November 2014
Governing Body Sept 2014
Incident Reporting Policy See reporting icon and email
Sent to staff 16th October 2014
Local policy
Information Governance Management Framework (IGMF)
6th November 2014
Governing Body Sept 2014
Information Governance Policy 6th November 2014
Governing Body Sept 2014
Information Lifecycle Policy (including information quality)
6th November 2014
Governing Body Sept 2014
Information Risk Policy 4th December 2014
Governing Body Oct 2014
IT Acceptable Use Policy 4th December 2014
Governing Body Oct 2014
Network Security Policy TBA Jan 2015 Jan 2015Records Management Policy 6th November
2014Governing Body Sept 2014
| Name of Procedure | Procedure Approval Date | Approving Body/Individual | Date approved at IGC |
| --- | --- | --- | --- |
| Confidentiality Audit Process | October 2014 | Information Governance Committee | Oct 2014 |
| Electronic Remote Working Guidance (see IG Briefing Pack/Handbook) | TBA Jan 2015 | In IT AUP | Jan 2015 |
| Incident Reporting Procedure | See reporting icon and email | Sent to staff 16th October 2014 | Local |
| Mobile Working Procedure | TBA Jan 2015 | In IT AUP | Jan 2015 |
| Privacy Impact Assessment (PIA) Procedure | September 2014 | Information Governance Committee | Sept 2014 |
| Safe Haven Procedure | November 2014 | N/A | Information Governance Committee, Nov 2014 |
| Subject Access Request (SAR) Procedure | TBA Jan 2015 | | Jan 2015 |
| Local Guidance | Approval Date | Approving Body/Individual | Date approved at IGC |
| --- | --- | --- | --- |
| Fair Processing Notice | Uploaded to Internet 21st January 2015 | N/A | Local |
| Privacy Notice | Sent to all staff 21st January 2015 | N/A | Local |
| Staff Code of Conduct | 6th November 2014 | Governing Body | Sept 2014 |
| Staff Briefing Pack | Sent to staff 5th November 2014 | N/A | October 2014 |
Dissemination Process
All the above policies and procedural documentation will be disseminated to staff by the CCG via the intranet or placed on the “shared drive”, with instructions issued to staff on how to access the documents.
Appendix 6
Information Governance Toolkit Version 12 (2014-2015): Clinical Commissioning Group Requirements List
Req No Description
Information Governance Management
12-130 There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda
12-131 There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans
12-132 Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations
12-133 Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation
12-134 Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained
Confidentiality and Data Protection Assurance
12-230 The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs
12-231 Staff are provided with clear guidance on keeping personal information secure, on respecting the confidentiality of service users, and on the duty to share information for care purposes
12-232 Personal information is only used in ways that do not directly contribute to the delivery of care where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected
12-234 There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data
12-235 There are appropriate confidentiality audit procedures to monitor access to confidential personal information
12-236 All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
12-237 All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements
12-250 Individuals are informed about the proposed uses of their personal information
Information Security Assurance
12-340 The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs
12-341 A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed
12-342 There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority
12-343 Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use
12-344 Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems
12-345 An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy
12-346 Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service - specific measures are in place
12-347 Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
12-348 Policy and procedures ensure that mobile computing and teleworking are secure
12-349 There are documented incident management and reporting procedures
12-350 All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
12-351 All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures
12-352 The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate
Clinical Information Assurance
12-420 The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience
12-421 There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements