name of p lan : effective from: 11 /01/2016

Information Governance Staff Training Strategy (and Action Plan) v1 1

Policy No: IG14

Version: 1.0

Name of Plan: Information Governance Staff Training Strategy

(and Action Plan)

Effective From: 11/01/2016

Date Ratified 02/12/2015

Ratified Health Informatics Assurance Group (HIAG)

Review Date 01/12/2017

Sponsor Director of Finance and Informatics

Expiry Date 01/12/2018

Withdrawn Date

Unless this copy has been taken directly from the Trust intranet site (Pandora) there is no assurance that

this is the most up to date version

This strategy supersedes all previous issues


Version Control

Version Release Author /

Reviewer

Ratified by /

Authorised by

Date Changes

(Please identify

page no.)

1.0

11/01/2016 M. Galloway Health

Informatics

Assurance Group

(HIAG)

02/12/2015 New strategy –

review of IG training

requirements for the

IGTK.


Contents

Section Page

1. Introduction .................................................................................................................................. 4

2. Purpose ......................................................................................................................................... 4

3. Scope ............................................................................................................................................ 4

4. Duties and Responsibilities ........................................................................................................... 5

5. What is Information Governance ................................................................................................. 5

6. Annual Review of the IGTK Training and Comms Controls .......................................................... 6

7. Staff Training Needs Assessment (TNA) ....................................................................................... 6

8. The Information Governance Staff Training Programme ............................................................. 7

8.1 New Starters – Induction Process .................................................................................... 7

8.2 The Annual Mandatory Staff IG Training Programme .................................................... 7

8.3 Non Clerical Staff ............................................................................................................ 7

8.4 Specialised Roles .............................................................................................................. 7

8.5 Volunteers and Apprentices ............................................................................................ 8

8.6 One to One Sessions ........................................................................................................ 8

9. Governance .................................................................................................................................. 9

10. Session Evaluation Methodology.................................................................................................. 9

11. IG Reporting .................................................................................................................................. 9

12. Staff Training Assessment Methodology ...................................................................................... 9

13. Promotion of Procedural Documentation Guidance.................................................................... 10

14. Staff Communication .................................................................................................................... 10

15. Review ......................................................................................................................................... 10

16. Dissemination ............................................................................................................................... 11

17. Compliance and Monitoring ......................................................................................................... 11

18. Consultation and Approval ........................................................................................................... 11

APPENDICES

Appendix 1: An Annual Review of the IGTK Training and Comms Requirements 2015/2016 .................. 12-24

Appendix 2: DoH IG Staff Training Needs Assessment Matrix .................................................................. 25

Appendix 3: Gateshead Health NHS Foundation Trust IG Staff Training Needs Assessment Matrix ....... 26

Appendix 4: IG Staff Mandatory Training Programme for Specialised Roles Summary ............................ 27-28

Appendix 5: Staff Guidance for using the HSCIC IG Training Tool (IGTT) ................................................ 29

Appendix 6: Information Governance Letter and IG Spot Check Questionnaire ..................................... 30-32

Appendix 7: IG Staff Training and Comms Action Plan 2015-2017 ........................................................... 33


Information Governance Staff Training Strategy (and Action Plan)

1. Introduction

To ensure compliance with current legislation and central DoH guidelines, the Health and Social

Care Information Centre (HSCIC) Information Governance Toolkit (IGTK) requires all organisations in

the Health and Social Care Sector to have a documented training and communication strategy and

action plan in place to raise staff awareness of best practice and to inform staff of their legal

responsibilities and consequences of non-compliance with the Trust’s IGTK requirements.

IG knowledge and awareness is at the heart of every organisation’s core activities. Appropriate

governance standards and best practices must be effectively communicated and embedded into an

organisation’s governance structure in order to achieve a stable workforce and an environment

that is free from data breaches and blunders. Without appropriate knowledge communicated to

staff the Trust’s ability to meet and maintain it’s legal and policy requirements could be severely

impaired.

It is now a mandated requirement of the IGTK (Control 112) that organisations must routinely

assess and monitor staff training needs. The requirement states “that Information Governance

awareness and mandatory training procedures are in place and all staff are appropriately trained”.

It further states that “basic IG training must include an individual comprehension test so that staff

understand the content of what they have learnt”.

Organisations are therefore expected to identify who needs to be trained, how the training will be

delivered and whether the requirement is beyond basic level training i.e. is it a specialised role.

2. Purpose

The purpose of this strategy is therefore to ensure:-

• There is a comprehensive IG staff training programme in place for all staff that covers the

ethical standards and requirements for handling patient and corporate data;

• The training programme covers an agreed level of competency requirements as outlined in

the IGTK Standard 112 and systematically assesses the needs of staff;

• Staff training is identified in a training needs assessment (TNA);

• Specialised roles receive additional training and support to help them perform in their work

duties;

• Action is taken where key information governance requirements are identified and need to

be addressed.

3. Scope

This strategy applies to any individual in any capacity, including temporary/honorary employees,

students, volunteers, placement students and contractors etc. who work on behalf of the Trust.


4. Duties and Responsibilities

Job Role Type of Training

Chief Executive The Chief Executive will take full responsibility for the effective

implementation of this IG Staff Training Strategy.

Senior Information

Risk Officer (SIRO) (i.e.

the Director of

Finance and

Informatics)

The SIRO will ensure the Trust Board is adequately briefed on all

information risk issues associated with IG staff training. This will

ensure:-

• The Trust’s approach in terms of resource, commitment and

execution is effective and is communicated to all staff;

• Ensure all training requirements are kept up to date.

The Caldicott Guardian

i.e. the Medical

Director

The Caldicott Guardian will ensure all training requirements are kept up

to date in line with changes in legislation and national NHS guidance.

The Deputy Director of

IT and Informatics

The Deputy Director of IT and Informatics will take full ownership of this

strategy and ensure its sits within the current Information Governance

Framework.

Head of Information

and Data Quality

The Head of Information and Data Quality will ensure all the necessary

risk assessments and training needs assessments have been conducted

to ensure the effectiveness of the training programme is still fit for

purpose.

Information

Governance Lead

The Information Governance Lead will take full responsibility for the

development and co-ordination of the Trust’s IG staff training

programme with O&D. This will involve reviewing and agreeing actions

where information risks have been identified.

Line Managers Line Managers are responsible for ensuring that all IG communication

and training requirements are cascaded to junior members of staff and

all staff training sessions identified are attended to.

All Staff All staff are expected to complete / attend their IG training sessions

when requested.

5. What is Information Governance

Information governance brings together a cluster of best practice and standards relating to the use

and handling of data which staff are required to have an understanding of. These include, but are

not limited to:-

• Patient/client confidentiality;

• Data Protection and the Caldicott Principles/requirements;

• Subject access and disclosure requirements;

• Data quality;

• Records management;

• Information security;

• Freedom of Information.

Organisations like the Trust are required to ensure that information is used legally and ethically and

is managed in such a way that it receives the highest level of confidence and trust from its staff and

service users. This will not only protect the security and confidentiality of assets but enhance its

business activities and service delivery.


6. Annual Review of the IGTK Training and Comms Controls

To meet this commitment, an annual review of the training and communication controls in v13 of

the IGTK was undertaken by the IG Lead to establish a clear plan of action tailored for specific staff

groups and job roles. (Appendix 1). The review observed the DoH IG Staff Training Matrix standards

(Appendix 2) and recommended guidance on the HSCIC IG Training Tool (IGTT).

A staff training programme was developed and a summary review was incorporated as good

practice into the current IG Improvement Plan. Where information risks were identified the IG

Team made improvements to ensure a level 2 or more compliance scoring could be achieved in all

mandated training/comms requirements.

7. Staff Training Needs Assessment (TNA)

The Training Needs Assessment identified the following points:-

• IG training must be provided as part of the staff induction process when staff join the

organisation (112);

• IG training must be part of an annual mandatory training programme where staff can

update their current knowledge;

• Key staff or groups/divisions are given additional training beyond basic confidentiality and

security levels to perform in their role;

• IG training should form part of the annual staff appraisal or performance review of staff;

• Training must be provided whenever there is a change in role or responsibilities or where

staff need more support;

• Further staff training is identified following a Root Cause Analysis (i.e. RCA) relating to an

information governance incident.

The Training Needs Assessment identified that all staff must receive some form of basic IG training

in relation to their role regardless of whether they are permanent, temporary or contracting staff.

The review highlighted that those in specialised roles were required to undertake additional

training to support their role activities as per the training hierarchy requirements in Table 1.

Table 1: The Hierarchy of Staff Training Needs Based on the IGTT Tool Recommendations

(All Staff)

Basic Mandatory Information Governance Training

An Introduction to IG Training / Refresher Module

Key Specialised Roles Training

(The Senior Information Risk Officer (SIRO), the Caldicott Guardian, Information

Governance Lead, Information Security Manager, Data Quality Lead, Clinical

Coders, FOI Lead)

Patient Confidentiality, Records Management / Caldicott / Access to Health

Records / Information Risk Management / Information Security / Security Data

Transfers

Personal Development Training

(Optional courses recommended in the IGTK by staff)

Business Continuity/Password Management/Secure Handling of

Confidential Information modules


8. The Information Governance Staff Training Programme

The IG Staff Training programme to be imposed on staff is as follows:-

8.1 New Starters – Induction Process

All new starters will receive a training session in basic IG principles via the Trust’s staff

induction programme at the start their employment. This requirement will be expected to

be undertaken within 6 weeks of their start date of employment at the Trust. Managers

responsible for managing staff are required to comply with this requirement.

8.2 The Annual Mandatory Staff IG Training Programme

All staff (including clinical and non-clinical) will complete an annual mandatory IG training

session. This requirement will be co-ordinated by the Trust’s Organisation and

Development Team (O&D). Staff will be offered the option of attending a face to face

session or completing an online IG e-learning assessment module.

Those who do not have access to a PC will be required to attend a face to face training

session. Staff who are unable to make a face to face IG training session due to work rota

commitments will have to complete the e-learning module. If further support is required,

an O&D advisor may be available to provide further assistance on request.

The Trust’s e-learning portal can be accessed at: - http://e-learning

Staff completing the e-learning module are required to register online to the learning portal

to generate their password and login details, all of which are organised through O&D.

8.3 Non Clerical Staff

It is recognised that certain staff roles will not always routinely access personal data for

e.g.:-

• Cooks/catering staff;

• Helpers/assistants;

• Domestics, Housekeepers;

• Craftsmen;

• Porters;

• Support workers.

Even so, these roles still play an active part in the Trust’s business activities and therefore

will still need to have basic knowledge of current IG practices so that information risks and

trends can be identified, reported (via Datix) and acted upon. All these roles will therefore

still receive basic mandatory training each year.

8.4 Specialised Roles

All staff in designated roles (for e.g. the SIRO, Caldicott Guardian, specialised managers etc.)

will be required to undertake additional training via the Information Governance Training

Tool (IGTT) or by another means where professional development can be demonstrated.

The expected training format will be:-


Table 2: Training Format for Specialised Roles

Job Role Type of Training

Senior Information Risk Officer (SIRO) IGTT Modules

The Caldicott Guardian – the Medical

Director

IGTT Modules

Information Governance Lead IGTT Modules / specialised training

The IT and Information Security Manager IGTT Modules / specialised training

Health Records Manager IGTT Modules

Subject Access Handlers IGTT Modules

FOI Lead and FOI Co-ordinators Specialised training

Data Quality Lead Specialised training

Clinical Coders Specialised training

Information Asset Owners and Information

Asset Administrators

IGTT Modules

Appendix 3 illustrates the Trust’s proposed training programme (covering recommended

and mandatory IGTT modules) for designated roles. (Based on recommended guidance)

Appendix 4 highlights the mandatory staff training programme for designated roles.

All modules required for completion can be accessed online at:

https://www.igtt.hscic.gov.uk/igte/index.cfm

Each designated role will be required to refresh their IG training modules every three years

with the exception of the SIRO who will complete the training annually.

A step by step guide on how to register and access the IGTT modules is illustrated in

Appendix 5.

All those in specialised roles will be informed by the IG lead of the IGTK requirement to

undertake additional IG training. Where modules are not completed within a specific time

frame line managers will be contacted to cascade the training requirement.

8.5 Volunteers and Apprentices

Group sessions will be provided to all volunteers and apprentices / cadets by the IG Lead

throughout the year prior to their commencement start date at the Trust.

8.6 One to One Sessions

Specialised training workshops will be available to staff who require more departmental

training, support and guidance. This will allow for more informal discussions to take place

about how IG policies and procedures apply to their own department/service areas.

Specialised training is likely to result from:-

• Departmental information security incidents;

• External/internal audit inspections and recommendations;

• New training standards and changes to legislation that apply to the service area.

Such sessions will be provided on an ad-hoc basis, on request.


9. Governance

The IG Team will work closely with O&D to ensure:-

• Staff receive comprehensive awareness training;

• Are provided with appropriate induction materials (for e.g. Codes of Conduct summarising

staff legal obligations and requirements), staff handbooks and staff contracts which outline

appropriate Data Protection and Confidentiality Clauses;

• Service line managers are provided with appropriate induction checklists.

10. Session Evaluation Methodology

The IG Staff Training Programme will be evaluated using O&D’s standard staff training evaluation

form to help continuously improve the content and quality of the training delivered. This will

enable the IG Lead to identify any gaps that may need to be addressed.

Any changes to further develop the IG staff training programme will be through the HIAG in

collaboration with O&D to ensure all expected requirements are identified and realised.

11. IG Reporting

It is a requirement of the IGTK Control 112 (2a) that “at least 95% of all staff, including new

starters, locums, temporary, students and staff contracted to work in the organisation have

completed their annual IG training in the period 1 April to 31 March”.

Quarterly training reports on the IG Training Tool (IGTT) will be run off by the IG Lead (for targeted

staff groups) whilst mandatory attendance reports (Induction and Mandatory) provided by O&D

will be reviewed to identify non-compliance.

Compliance will be shown as follows:-

In Date

Nearly Out of Date

Out of Date

The IG Lead will administer the HSCIC Training Tool for the Trust and will deal with any staff

enquiries on training uptake and system access, where applicable.

The Trust’s Mandatory Training Dashboard will also be used as additional evidence for the IGTK

submission.

12. Staff Training Assessment Methodology

A criterion of the IGTK Requirement for 112 is that “action must be taken to test and follow up staff

understanding of IG…….providing staff with IG guidance does not provide assurance that they have

understood their IG responsibilities”. The Trust will collect evidence to demonstrate that the IG

training programme is effective in improving current working IG practices in the workplace.

Evidence as required by the IGTK will take the form of:-

• A comprehension test;

• Staff monitoring;

• Random IG spot checks and questionnaires;


The comprehension test will be sent out to training attendees via a staff email link no later than

three days after the training session via the IG Team. The online questions will be reset annually at

the start of every financial year and the results of the comprehension test will be feedback to the

HIAG quarterly.

The IG Lead will conduct IG spot checks and confidentiality audits to ensure there is compliance

with the IGTK training requirements. The audit results will be fed back into the annual review of the

IG staff training presentation and training materials / handouts.

Appendix 6 highlights the IG spot check request letter and pre-spot check questionnaire to be

circulated to staff.

13. Promotion of Procedural Documentation Guidance

A number of IGTK controls require documented procedural guidance to be communicated to staff.

Specifically, guidance about:-

• Network security;

• Incident management;

• Information sharing i.e. subject access requests and information disclosures;

• Confidentiality audits / IG spot checks;

• Change management;

• Registration Authority and Smartcards;

• Business continuity planning;

• Mobile working/teleworking;

To ensure compliance, the IG Lead will advise all service contributors of the IGTK to ensure

appropriate guidance is communicated to staff, as and when necessary.9

14. Staff Communication

The IG Lead will maintain a Training and Comms Plan 2015-2017 (Appendix 7) to ensure staff are

informed about the requirements of the Trust’s Information Governance Framework.

In conjunction with the Trusts Communication Team, the Information Governance Team will

maintain a calendar to identify when IG messages should be cascaded to staff. This will be via the

Trust’s QE weekly to all corporate and clinical staff. The Information Governance Lead will collate

and comment on current issues around new legislation/NHS guidance updates and

confidentiality/security incidents (potential, near misses or actual incidents) so that staff are

informed about best practice. The suggested quarters for all staff briefings and newsletters will be:

January, April, July and October.

All comms messages will be signed off by the Deputy Director of Informatics for approval.

The Information Governance lead will maintain a catalogue of alerts, topics, briefings and

communications released to staff.

The Comms Team will circulate all approved newsletters/briefings to all staff in the Trust, as and

when necessary.

15. Review

This Strategy will be reviewed annually to keep up to date with national guidance and legislation or

when sudden changes in statutory law dictates otherwise.


16. Dissemination

The Strategy will be disseminated via the staff intranet.

17. Compliance and Monitoring

The success of this Strategy will be monitored against the following performance objectives:-

Measureable Objective Audit Monitoring Frequency of

Monitoring

Assigned

Responsibility

Group/

Committee

Assigned

Responsibility

To achieve an annual

95% target rate for

attendance to IG training

sessions

Quarterly reports

from the mandatory

training dashboard,

e-learning

programme and

IGTT System

Quarterly Information

Governance Lead

Health Informatics

Assurance Group

(HIAG)

IG Incidents Training issues

flagged from RCA

reports and

investigations

Ongoing Information

Governance Lead

Health Informatics

Assurance Group

(HIAG)

Training Session

Evaluation Feedback

Forms

Review of staff

comments about the

current IG staff

training programme


Governance Lead

Health Informatics

Assurance Group

(HIAG)

Results of the IG

Comprehension Test

Review of whether

staff understand

current IG best

practices across the

Trust.


Governance Lead

Health Informatics

Assurance Group

(HIAG)

IG Spot Check

Questionnaire Results

Issues flagged up

from the IG spot

checks /

questionnaires


Governance Lead

Health Informatics

Assurance Group

(HIAG)

18. Consultation and Approval

This Strategy will be reviewed and approved by the Health Informatics Assurance Group (HIAG).


Appendix 1: An Annual Review of the IGTK Training and Comms Requirements 2015/2016

IGTK

Req.

IGTK Req. Level Key Message Examples of Evidence Required Delivery Method

105 The IG policies have been

communicated to staff and there are

strategies and/or improvement plans in

place to deliver information

governance improvements, including

but not necessarily limited to the IG

Toolkit requirements, which have been

signed off at a senior level.

2a IG policies have been

communicated to appropriate staff

and made available throughout the

organisation.

A selection of policies that cover best IG

practice:-

• Overarching Information Governance

Strategy and Policy

• Confidentiality and Data Protection

Policy

• Information Security Policy

• FOI Policy

• Records Management Policy

• Data Quality Strategy and Policy

All policies are published on the

staff intranet.

Policies are referred to in the

Induction and Mandatory Training

sessions.

111 All current and new employment

contracts contain appropriate IG

compliance requirements. An action

plan has been documented to ensure

that individuals working on behalf of

the organisation understand their

responsibilities.

1b There is a documented action plan

for raising awareness and

compliance with information

governance standards

• IG Staff Training and Communication

Plan

All published on the staff intranet.

1c The action plan has been

implemented and all existing staff

are aware of their obligations for IG.

All new staff are appropriately

vetted, trained and provided with

guidelines to ensure they are aware

of their obligations for IG before

they start handling person

identifiable information.

• IG Staff Training Strategy, Training

and Communication Plan and TNA

• Staff Code of Conduct

• IG Staff Handbook

The action plan has been implemented

and all existing staff are aware of their

obligations for IG. All new staff are

appropriately vetted, trained and

provided with guidelines to ensure

they are aware of their obligations for

IG before they start handling person

identifiable information.

2a The action plan has been

implemented and all staff have

been informed of their

responsibilities and the

consequences of misconduct. Staff

may be informed through team

meetings, awareness sessions or

staff briefing materials

Consequences of misconduct are

highlighted in the:-


Policy

• Staff Code of Conduct IG Induction

and Mandatory Training Programme

/ Presentation


• IG Staff Training Strategy and Training

and Communication Plan

Guidance is published on the staff

intranet.

The IG staff training presentation

is available on request.


112 An IG training programme has been

developed that includes staff training

needs analysis, induction for new

starters and the completion of basic IG

training with an individual test of

comprehension for all staff.

1b An IG training programme has been

developed and documented, to

provide basic IG training for

everyone including new starters,

training needs analysis and

additional training for key staff

groups or roles.

• A documented Training Plan /

Programme.

• A Staff Training Needs Assessment

The TNA and action plan is

documented in the IG Staff

Training Strategy

1c Basic IG training, including an

individual comprehension test, is

provided to all new starters as part

of their induction.

• Completion of an IG comprehension

test

Staff are requested to complete a

comprehension test at the end of

their IG mandatory training

session.

IGTK

Req.


112 All staff, including new starters,

locums, temporary students and staff

contracted to work in the organisation

have completed their annual training.

Training materials and plans are

checked for equivalent materials in the

NHS IG Training Tool by auditors or

through another documented local

governance process. Training needs are

regularly reviewed and re-evaluated

when necessary.

2a At least 95% of all staff, including

new starters, locums, temporary

students and staff contracted to

work in the organisation have

completed their annual IG training

in the period 1st

April to 31 March.

• Induction and mandatory training

attendance reports

• IGTT generated training reports to

evidence roles and number of staff

who have undertaken specialised IG

training.

• For NHS organisations only –

approval of training presentation

materials by an auditor

IGTT reports are down loaded by

the IG Lead quarterly

Updates on the Trust training

dashboard is monitored and

reported on quarterly to the HIAG.

200 There is a Caldicott function with

adequate confidentiality and data

protection skills, knowledge and

experience to successfully co-ordinate

and implement the confidentiality and

data protection work programme.

2b All staff assigned responsibility for

co-ordinating and implementing the

confidentiality and data protection

work programme, including the

Caldicott Guardian, have been

appropriately trained to carry out

their role.

• Caldicott training – completion of

IGTT modules

The Caldicott Guardian undertook

his training in Jan 2015.

201 There is documented guidance for staff

on keeping personal information

secure and on respecting the

confidentiality of service users that also

includes guidance on the duty to share

information for care purposes. The

documented guidance has been

1b There is staff guidance (e.g.

document, or handbook, or leaflet)

on keeping personal information

secure, on respecting the

confidentiality of service users, and

on the duty to share information for

care purposes.

• Documented IG Staff Handbook

• Staff induction/mandatory materials

The IG staff handbook is circulated

to staff prior to the induction

process.


approved by senior management or

committee.

1d The guidance for staff is made

accessible to them in an appropriate

location.

• Published staff guidance

202 All purposes that require confidential

personal data to be used or shared

have been identified and have a clear

and documented lawful basis. All staff

engaged in supporting these purposes

understand what is lawful and what is

not.

2a There are guidelines for staff that

are accessible to them in an

appropriate location.



Policy (IG06)

The policy is published on the staff

intranet.

The IG Staff Handbook is under

review.

203 Communication materials clearly set

out how personal information and de-

identified data are used and shared,

both for direct care and for other

purposes, including who it is shared

with and for what purposes.

1a There are documented fair

processing materials.

• Fair processing notice The Trust’s fair processing notice is

published on the staff intranet.

1c All relevant staff members have

been effectively informed about the

existence of the materials. They

might be informed through team

meetings, awareness sessions, or

staff briefing materials.

• Fair processing notice – fair

processing is discussed in the

mandatory training programme and

the Confidentiality and Data

Protection Policy

The Fair Processing is published via

the GHNT internet website.

Guidance on fair processing is

discussed in the IG induction and

mandatory staff training

programme.

205 There is a documented procedure for

handling subject access requests that

has been approved by senior

management or committee.

1a There is a documented procedure

for processing subject access

requests efficiently and in

accordance with the law

• Documented subject access

procedures

A Trust SAR Policy is currently in

development.

SAR procedures are held by

individual teams that process

SARs.

Subject access requests are actioned by

fully trained and resourced staff and all

staff members are aware of the need

to support subject access requests, and

where in the organisation such

requests should be directed. The

procedure has been implemented

effectively to meet the statutory

deadlines.

2a All staff assigned responsibility for

processing subject access requests

have been appropriately resourced

and trained to do so.

• Subject access handler training All subject access handlers in the

Trust are required to complete the

following recommended modules

on the IGTT:-

• Access to Health Records

• Patient Confidentiality


206 All staff members with the potential to

access confidential personal

information have been made aware of

the procedures. The procedures have

been implemented and appropriate

action is taken where confidentiality

processes have been breached.

2a All staff members with the potential

to access confidential personal

information have been informed

that monitoring and auditing of

access is being carried out, of the

need for compliance with

confidentiality and security

procedures and the sanctions for

failure to comply. Staff might be

informed through team meetings,

awareness sessions, staff briefing

materials, or staff may be provided

with their own copy of the

procedures.

• Confidentiality audit procedures

• SSSP Policies

A Confidentiality Audit Procedure

has been drafted and requires

approval by the HIAG.

Staff access controls are outlined

in the Trust’s SSSP Policies held by

the system administrators.

210 All staff members who may be

responsible for introducing changes to

processes or information assets have

been effectively informed about the

requirement to seek approval from the

appropriate group. All new

implementations follow the

documented procedure. Where the

proposed new process or information

asset is likely to involve a new use or

significantly change the way in which

personal data is handled, an

appropriate privacy impact assessment

is always carried.

2a All staff members that are likely to

introduce new information

processes or information assets are

effectively informed about the

requirement to obtain approval

from the IG forum (or equivalent) at

the proposal stage of the new

process or information asset. Staff


meetings, awareness sessions, or

staff briefings.

• Privacy impact procedure / policy –

IG10

The Privacy Impact Assessment

Procedure & Checklist and the

Information Governance Policy for

New and Changed Systems,

Processes and Services (IG10) are

both published on the staff

intranet.

These are both under review.

300 There is an appropriate Information

Security framework in place with

adequate skills, knowledge and

experience to successfully co-ordinate

and implement the Information

Security agenda.


Information Security have been


their role.

• Information security accreditation

certificate – recently updated

• Training attendance lists

• Training evaluation records

The Trust’s Information Security

Manager needs to refresh their

training security certificate. Last

training took place in 2006.


302 The information security event

reporting and management procedures

have been communicated to

staff/relevant third parties.

2a The procedures have been

effectively communicated to staff

and third parties working on behalf

of or under contract to the

organisation, including the

importance of reporting

information security events and

near misses.

• Datix training sessions

• Datix training materials

• The Reporting of Serious IG Incidents

Policy (IG11)

• Incident/Near Miss Reporting and

Investigation Policy (Including Serious

Incidents. (RM04)

The Datix User Guides and

guidance on Datix training is

published via the staff intranet

web pages.

Both policies are published on the

staff intranet.

303 The RA policy, RA implementation plan

and business processes and procedures

have been implemented and operate

effectively.

2a The organisation has moved fully to

PBAC; the training needs of RA staff

have been analysed and a training

programme has been implemented

to ensure that all staff assigned

responsibility for managing and

implementing the RA function have

access to the latest software and RA

Process Guidance and are


their role.

• RA Policy - Training needs analysis

documents, training attendance

certificates, training materials,

existing qualifications, e-learning

completion certificates or training

evaluation records.

Due the implementation of a new

national RA System the RA Policy is

yet to be refreshed.

Smart Card usage is referred to in

the Information Governance Staff

Handbook.

IGTK

Req.


304 The plan/procedure has been

implemented and all NHS Smartcard

users have been effectively informed

that NHS Smartcard usage will be

monitored, the need for compliance

and the sanctions for non-compliance.

2b The plan/procedure has been

implemented and all NHS Smartcard

users including new, temporary and

contract staff members are aware

that compliance with the terms and

conditions of NHS smartcard usage

is monitored and the procedures for

breach and disciplinary measures.

• RA Terms and conditions for usage

and compliance


307 The SIRO and supporting Information

Risk Management leads (IAOs and

supporting staff) are appropriately

trained and conduct regular risk

reviews for all key assets.

2a The SIRO and all other staff assigned

responsibility for co-ordinating and

implementing information risk

management have been


their role.

• IAO and IAA training certificates

• SIRO training certificates

All IAOS and IAAs are asked to

complete a range of

recommended modules every

three years on the IGTT. These

modules include:-

IAOs

• Introduction to

Information Governance

• NHS Information Risk

Management for SIROs

and IAOs


Management: Foundation

IAAs

• Introduction to



Management:

Introductory



Guidance about Information Asset

Training needs to be published on

the staff intranet so that staff

understand their role

responsibilities.


3b The SIRO successfully completes

strategic information risk

management training at least

annually, which may be through the

modules in the NHS IG Training Tool

or through external training.

• IG Training Tool reports,

attendance certificates, formal

qualifications, or booking and

invoicing documentation for

external training.

The SIRO completes a range of

recommended modules annually

on the IGTT. These include:-

• Introduction to



Management for SIROs

and IAOs



• Secure Transfer of Data

• Security Guidelines

IGTK

Req.


308 Routine transfers of person identifiable

and sensitive information in all areas

have been identified, mapped and risk

assessed. All risks are appropriately

recorded in the risk register along with

the actions taken to secure the

information. IAOs (or equivalent) have

developed information agreements

and procedures to ensure transfers are

adequately protected, comply with

NHS Codes of Practice and NHS IG

standards and ensure their staff who

transfer or receive this information are

effectively informed of the procedure

which applies to the transfer method

they use.

2d Relevant staff (including post room

and reception staff) have been

effectively informed of the secure

transfer and receipt requirements

for person identifiable and sensitive

information.

• All post and reception staff

attendance training lists

All post room staff attend the IG

Staff Mandatory Training

Programme.

Signed signatures will need to be

collected for future training

requirements.


309 Approved Business Continuity Plans are

in place for all critical Information

Assets and all staff are aware of their

roles and responsibilities. Information

Asset Owners (or equivalent) have

implemented approved procedures

and controls for their information

assets and have effectively informed all

relevant staff.

2c All relevant staff are made aware of

business continuity plans and any

implications for their role.

• Staff need to be informed of the

need to manage business

continuity plans for their

information assets.

The IG Lead, in conjunction with

the Business Continuity Manager,

will send out staff email

communication regarding BC

Planning.

The IG Lead will ask the BC

Manager to publish all BC

documentation on the staff

intranet.

311 The approved procedures and controls

for network security in respect of all

information networks controlled by the

organisation have been implemented.

2b The documented and approved

procedures and controls have been

made available at appropriate

points in the organisation and all

relevant staff have been informed

of their responsibilities to maintain

network security by complying with

them. Informing staff might be done

through team meetings, staff

briefings, awareness sessions and

by IT user induction training.

• Network security advice must be

provided to staff.

Staff guidance on network security

is highlighted in the IT and

Information Security Policy (OP06)

which is published on the staff

intranet.

314 All mobile or teleworkers are

appropriately approved, authorised

and made aware of

procedures/guidelines. Robust remote

access solutions and adequate

information security functionality for

mobile devices and removable media

has been provided.

2b Mobile or teleworkers are provided

with procedures / guidelines.

• Remote working procedures and

IT spec must be provided to staff.

The Trust’s remote working

procedures are highlighted in the

IT and Information Security Policy

(OP06) which is published on the

staff intranet.


400 There is an appropriate Information

Quality and Records Management

framework in place with adequate

skills, knowledge and experience to

successfully co-ordinate and

implement the information quality and

records management agenda.


Information Quality and Records

Management Assurance have been


their role.

• Training attendance courses and

lists for the records manager and

data quality leads.

The Health Records Manager is

required to complete a set of

modules on the IGTT. These

include:-

• Introduction to IG

• Records Management

and the NHS Code of

Practice

• Records Management in

the NHS

• The Importance of Good

Clinical Record Keeping

IGTK

Req.


400 • Patient Confidentiality

• Access to Health Records

The Data Quality Lead may need to

update the current DQ training

certificate as this dates back to

June 2008.

402 Data collection and validation activities

are regularly monitored. All staff

collecting and recording data are

effectively trained to do so and

dedicated staff take appropriate action

where errors and omissions are

identified.

2b Procedures have been made

accessible to all staff involved in

data collection activities.

• User Guide RTT Data Quality

Guide

The Medway and RTT Data Quality

Guides are published on the staff

intranet.

The Data Quality Strategy and

Action Plan published on the staff

intranet also outlines the Trusts

DQ requirements.

2c All staff entering data are effectively

trained to accurately collect and

record service user information,

check the information with an

appropriate source and report

errors or omissions.

• Training materials

• Attendance lists

• Staff briefings

Information is briefed to staff at

the Data Quality group meetings.


404 The approach to auditing clinical

records has been implemented and all

staff are informed of their

responsibilities with regards to clinical

record keeping

2b Staff have been informed of their

responsibilities for clinical record

keeping (including clinical record

keeping standards, the standard

design and filing to be followed and

the importance of participating in

regular audit). Staff may be

informed through awareness

sessions, briefing materials or

training.

• Induction training sessions

• Staff briefing sessions

• Team news letters

• Staff guidance

Clinical recording is referred to in

the induction and mandatory

training programmes.

Safe Care have a staff webpage

but it is out of date now.

Safe Care newsletters used to be

communicated but these are

rarely done now.

406 There are documented and approved

procedures to monitor the availability

of paper health/care records, including

tracking records and tracing missing

records.

1a There are documented procedures

in place for monitoring paper

health/care record availability,

which includes measures to track

records removed from the records

storage area, to take appropriate

action when records are unavailable

and to trace missing records

• Tracking and tracing record

procedures

The Records Management Policy

(IG05) is currently under review to

take account of these

requirements.

The procedures for monitoring the

availability of paper health/care

records have been implemented and

action taken where availability of

records is considered poor

2a All relevant staff members have

been informed about the

procedures, and in particular of

their own responsibilities to comply

with the record tracking process,

and to appropriately report

unavailable or missing records.

Informing staff may be through

team meetings, awareness sessions,

staff briefings or training (e.g. on

induction or in specific training

programmes).

• Team meetings

• Training sessions

Records management training is

provided to all staff via the

induction process.

The Records Management Policy

(IG05) is available on the staff

intranet.


IGTK

Req.


504 Documented procedures have been

developed for using local and national

benchmarking to identify possible data

quality issues.

1b There are documented procedures

for using local and national

benchmarking to identify possible

data quality issues including

analysing trends in information over

time and making comparisons

between periods.

• Data quality procedure for local

and national bench marking

These procedures are held by the

Information System Teams.

The procedures have been

implemented by appropriately trained

staff, and local and national

benchmarking is used to identify and

investigate data quality issues.

2a Appropriate staff members are

effectively trained to analyse and

investigate data quality issues.

• Data quality training sessions Clinical coders are trained to

identify incorrect data entries.

Data quality training requirements

are delivered via the data quality

and clinical team meetings.

506 Data quality is addressed as part of the

Information Lifecycle Management

Policy and reflected in the terms of

reference of a Data Quality

monitoring/review group. Service user

data accuracy audits are incorporated

into the organisation's audit plan.

1c Staff guidance on accuracy checking

has been publicised and distributed

to easily accessible locations

targeting all relevant staff.

• Data quality staff briefings

• Guidance published on the staff

intranet

• Procedures in a communal area

of a network for staff to access

DQ procedures are located on the

staff intranet and on the

communal network drive for the

systems team.

DQ issues are discussed at the DQ

and system meetings.

508 A strategy for involving clinical/care

staff in validating information derived

from the recording of clinical/care

activity has been developed.

1c Information has been publicised

and distributed to easily accessible

locations targeting all relevant staff.

• Staff guidance in the staff

internet

• Procedures in communal

networks

The Safe Care Risk Strategy is

publicised on the staff intranet.

Staff guidelines are also

highlighted in the Clinical Policy.

510 There is a programme of clinical coding

standards training conforming to

national standards for all clinical coding

staff entering coded clinical

information.

1a All clinical coding staff who assign

ICD-10 and OPCS-4 codes must

complete the e-learning packages ‘A

Basic Introduction to Clinical

Coding’ and ‘Anatomy and

physiology’ prior to attendance on

formal clinical coding standards

training, of no less than 21 days

duration, within 6 months of

commencing employment.

• Clinical coder training All clinical coders complete a

training programme every three

years.


A programme of clinical coding

standards refresher training every

three years for all clinical coding staff

entering coded clinical information is in

place that conforms to national

standards. All clinical coders are

supported in gaining Accredited Clinical

Coder (ACC) status by passing the

National Clinical Coding Qualification

(UK).

2a All clinical coding staff who assign

ICD-10 and OPCS-4 codes must

attend a clinical coding standards

refresher course of no less than four

days duration every 3 years.

• Clinical coding certificates

• Staff attendee lists

• Evaluation reports

The Clinical Coders certificates

were refreshed in 2014.

2c The organisation supports all clinical

coders in gaining Accredited Clinical

Coder (ACC) status. National Clinical

Coding Qualification training is

based on national standards for ICD-

10 and OPCS-4 and is delivered by a

Clinical Classifications Service

approved clinical coding trainer.

• Clinical trainer training The Clinical Coder trainer

refreshed her certificate in Sept

2014.

IGTK

Req.


Clinical coders have attended clinical

coding specialty and update training

workshops when classification

revisions require

3a Clinical coding staff who assign ICD-

10 and OPCS-4 codes within the

organisation have attended all

specialty workshops relevant to

their work, and update training

workshops when classification

revisions require.

• Clinical coding staff training All clinical coding training was

refreshed in 2014. Refresh training

is every three years so the next

refresh is 2017.

601 The record management procedures

have been implemented. All staff

members have access to and have

been effectively informed of the

procedures.

1b Staff have been effectively informed

of the procedures and their

responsibilities. Staff might be

informed through team meetings,

awareness sessions, staff briefings,

or staff may be provided with their

own copy of the procedures.

• Procedures involved in the

naming, creation, filing and

referencing tracking and tracing

of corporate records.

Certain sections of the Records

Management Policy are currently

under review so it is aligned to the

requirements of this IGTK control.


603 There are documented procedures for

FOIA 2000 compliance, which set out

clear responsibilities for responding to

information requests efficiently and in

accordance with the law. The ICO

model publication scheme has been

adopted and a guide to information has

been communicated to, and is

accessible by members of the public.

1b Formal FOI procedures have been

publicised and distributed to easily

accessible locations targeting all

relevant staff.

• Staff FOI Policy/Procedures Staff guidance about FOI is

published on the staff intranet.

All staff members are aware of their

responsibility to support requests for

information, and are aware of where in

the organisation such requests should

be directed. Front-line staff members

are provided with more detailed

guidance about the procedure to

follow. Staff in areas where requests

are ultimately managed are provided

with comprehensive training.

2a Staff members are effectively

informed of the need to support

requests for information. Staff


meetings, awareness sessions or

staff briefings, or staff may be

provided with their own copy of the

procedure.

• Staff FOI training details

• Training certificates

• Attendees lists

In March 2015 all the FOI Co-

ordinators attended a one off FOI

training session that was delivered

by Dyllis Jones Ltd.

In June 2014, a 2 hour in-house

FOI training session was delivered

to the Directors and Associate

Directors of the Trust.

2c Comprehensive staff training has

been provided for staff working in

areas where FOI requests are

managed.

• Staff FOI training details

• Training certificates

All staff affected by the Trust’s

legal obligations to deliver FOI

training have been trained in 2015.


Appendix 2: DoH IG Staff Training Needs Assessment Matrix

Depending on the designated role, staff inevitably have different levels of IG responsibilities in respect of patient confidentiality, protecting and securing data and

preserving the information security of data. Staff may have established working routines and practices that may need to be challenged or improved. The NHS

Mandatory Information Governance Training Tool provides a range of IG training modules at a basic, intermediate and advanced level for staff who are required to

have sufficient knowledge in order to perform well in their role. The below matrix outlines the Department of Health expected IG training requirements per

designated staff role.

IGTT Course SIRO Caldicott

Guardian

IG Lead Informatio

n Security /

Risk

Manager

Informatio

n Asset

Owners

(IAOs)

Information

Asset

Administrat

ors (IAAs)

Health

Records

Manage

r

Clinical

Staff

Admin

Staff

Governing

Body

Access to Information and Information Sharing in the

NHS

Access to Health Records R

Business Continuity Management R R R R

Information Governance for Medical Secretaries

Information Governance for Pharmacy Staff

Information Governance – The Beginner’s Guide

Information Governance – The Refresher Module R R

Information Security Guidelines R R R R

Information Security Management R R R R

Introduction to Information Governance M M M M M M M M M M

NHS Information Risk Management for SIROs and IAOs R R R R R R

NHS Information Risk Management: Foundation R R

NHS Information Risk Management: Introductory R R R R R R

Password Management R

Patient Confidentiality R R

Records Management and the NHS Code of Practice R R R R

Records Management in the NHS R R

Secure Handling of Confidential Information R

Secure Transfers of Personal Data R R R R R R R R R

The Caldicott Guardian in the NHS and Social Care R R R R

The Importance of Good Record Clinical Keeping R R


Appendix 3: Gateshead Health NHS Foundation Trust IG Staff Training Needs Assessment Matrix

The Trust has conducted a training needs assessment of all designated roles across the Trust. Taken into consideration guidance provided by the DoH and the

HSCIC the TNA recommended the following IGTT modules be completed as additional training per specific role.

IGTT Course SIRO Caldicott

Guardian

IG Lead Informatio

n Security

Manager

Informatio

n Asset

Owners

(IAOs)

Informatio

n Asset

Administra

tors (IAAs)

Health

Records

Manage

r

Clinical

Staff

Admin

Staff

Governing

Body

Access to Information and Information Sharing in the

NHS

R R

Access to Health Records R

Business Continuity Management R R R R R R

Information Security Guidelines M M M R R R

Information Security Management R M R R R R

Introduction to Information Governance M M M M M M M M M M

IG – Refresher Module

NHS Information Risk Management for SIROs and IAOs M R M M M R R

NHS Information Risk Management: Foundation M R R M M

NHS Information Risk Management: Introductory R R R R M R

Password Management R R R R R R R

Patient Confidentiality R M R R R R R R R R

Records Management and the NHS Code of Practice R R R R R R

Records Management in the NHS R R

Secure Handling of Confidential Information R R R R R R R R R R

Secure Transfers of Personal Data M M M M M M M M M M

The Caldicott Guardian in the NHS and Social Care M R R R

The Importance of Good Record Clinical Keeping R R


Appendix 4: IG Staff Mandatory Training Programme for Specialised Roles Summary

The Mandatory Information Governance training programme requires staff in specialist roles to undertake the

following training within 3 months of taking up their post. Access to the modules is via the HSCIC e-learning IG

Training Tool at:- https://www.igtt.hscic.gov.uk/igte/index.cfm

Role Information Governance Toolkit Training Approx. to

Complete

Frequency

SIRO Introduction to Information Governance

NHS Information Risk Management: Foundation

NHS Information Risk Management for SIROs and IAOs

Secure Transfer of Data

Information Security Guidelines

1 hour

1 hour

1 hour

1.5 hours

1 hour

Annually

Caldicott

Guardian

Introduction to Information Governance

The Caldicott Guardian in the NHS and Social Care

Patient Confidentiality

1 hour

1 hour

1 hour

3 years

Trust Secretary

(who covers

corporate

records)



Secure Transfers of Personal Data


Records Management and the NHS Code of Practice


1 hour

1 hour

1.5 hours

1 hour

0.5 hour

1 hour

3 years

Information

Governance

Lead



Information Security Management



Access to Health Records


Business Continuity Management

Access to Information and Information Sharing

1 hour

1 hour

1 hour

1.5 hours

1 hour

0.5 hours

1 hour

1 hour

3 years

IT and

Information

Security

Manager



Password Management






1 hour

1 hour

0.5 hours

1.5 hours

1 hour

1 hour

1 hour

1 hour

3 years

Head of

Information

and Data

Quality





1 hour

1 hour

1 hour

1 hour

3 years

Health Records

Manager


Records Management and the NHS Code of Practice

Records Management in the NHS

The Importance of Good Clinical Record Keeping



1 hour

0.5 hours

0.5 hours

0.75 hours

0.5 hours

1 hour

3 years

Subject Access

Request

Handlers (SARS)




1 hour

0.5 hours

1 hour

3 years


Role Information Governance Toolkit Training Approx. to

Complete

Frequency

RA Manager Introduction to Information Governance

1 hour

3 years

Clinical

Manager


The Importance of Good Clinical Record Keeping

1 hour

0.75 hours

3 years

IAO Introduction to Information Governance



1 hour

1 hour

1 hour

3 years

IAA Introduction to Information Governance

NHS Information Risk Management: Introductory


1 hour

1 hour

1 hour

3 years


Appendix 5: Staff Guidance for using the HSCIC IG Training Tool (IGTT)

The IG Training Tool (IGTT) is a national NHS online training tool provided by the Health and Social Care

Information Centre (HSCIC) that focuses on all aspects of Information Governance (IG). The Trust uses

this system to roll out specialised IG staff training to designated roles who need to develop and improve

their working knowledge and skill set within their own service areas, to support the provision of high

quality health care. To complete the relevant training module that applies to your designated role

please complete the following steps:-.

1. The online IG training tool can be accessed at:

https://www.igtt.hscic.gov.uk/igte/index.cfm

2. To register as a new user:-

• Select “Register Now”.

• When the organisation box appears type in the Gateshead’s Trust code – RR7.

• From this point onwards you will be asked a series of security questions. Please

complete these as normal. You will be asked these questions if you need to

request a new password.

• Once completed the system will generate a password which will be sent to you in further

email communication.

3. To access the training modules:-

• Log back into the system using your username and password. Your log in details will be as follows:-

o Username: this is the email address you registered with – most likely your Gateshead email address: [email protected]

o Password: this is the password you were given or changed when you registered.

• Select the “Learning Tools” from the top menu tab.

• Select the module you wish to complete and then select “Launch”.

• Each assessment must be finished in one session or your score will not be recorded. The “Learn all about it” section contains a “bookmarking function”,

which remembers where you left off in case you need to leave the module and finish it later.

The module pass rate is 80%.

• Please print the certificate when you pass the course and save it somewhere save. This evidence will illustrate you completed the module.

4. Forgotten Password

Select “Reset my password”. This will generate an email to you to change your password.

5. Still Can’t Access the Site

Contact the IG Team on 0191 445 5680 for further assistance. Please note the system may be difficult to log into during busy periods.


Appendix 6: Information Governance Letter and IG Spot Check Questionnaire

Dear Manager,

As part of the Trust’s IG Toolkit assessment we are required to carry out quarterly IG spot checks. This will

involve you:-

• Completing the attached pre-spot check IG questionnaire;

• Attending an IG spot-check meeting with the IG Lead on an agreed date.

Your department has been selected for a scheduled IG spot check as part of a random selection of

departments across the Trust on………………………Please advise if you will be available on this day.

The spot checks are not intended to catch anybody out but rather to identify any areas that we, as a Trust,

need to review in order to ensure that we are compliant with the various areas of the Information Governance

framework.

As you are the nominated IAA (Information Asset Administrator) for this area I would like to arrange to visit

your team in order to carry out the spot check with you. The check itself should take only around 30 minutes

to complete and the results will be reported back to you and the relevant IAO (Information Asset Owner)

together with any action plan and recommendations.

I would therefore be grateful if you could contact me asap in order to arrange a suitable time for me to visit

the team. The visit will need to be carried out before (add date)……………………………………..

If the above date is not suitable then please advise asap.

Pre-Spot Check IG Questionnaire

The following pre-spot check IG questionnaire should take only about ten minutes to complete:-

Administration

1. How many staff do you have managerial responsibility for?

2. Of these, how many staff have completed their information governance training in the last 12 months?

Safehaven Procedures

3. Do you implement a clear desk policy? Yes No

4. Are staff informed about the Trust’s Safehaven Procedure in the first week of induction?

Yes No

5. Do you use a fax machine? Yes No

6. If yes to 5, does the fax machine provide a receipt facility? Yes No

7. Do staff ring the person once the fax has been received? Yes No


Transferring PID

8. How do staff send personal/patient identifiable data to external bodies and agencies? (Please provide

details of courier and email requirements?

9. If you use a courier are audit trails in place? Yes No

Fair Processing

10. Do you collect personal data from staff and patients? Yes No

11. If yes to 10, are patients informed of how their data will be used and shared?

Access

12. If staff handle personal data in paper format is access restricted to those who only have a need for

access? (Please advise how access is controlled for e.g. key codes, locked storage/cupboard/desk draw

facilities, sign in and sign out access.)

13. Are staff in the department advised about the issues covering patient confidentiality?

Yes No

14. Are all IT devices used in the department encrypted? For e.g. laptops, Ipads, ipods etc.

Yes No

Remote Working

15. Do staff take patient records home? Yes No

16. If yes to 15, please explain why?


Records Management

17. Do paper records ever leave the department? Yes No

18. If yes to 17, are there record tracking processes in place? Yes No

Research

19. What is the process for using patient data for research processes within the team? Is this approved?

IG Incidents

20. Are IG and IT incidents reported via Datix as soon as they occur? Yes No

Caldicott Guardian

21. Do you know who the Trust Caldicott Guardian is? Please confirm.

Please email us your completed questionnaire back to:- [email protected]

If you do not have an email facility, please send it to us in the internal post to the following address:-

Information Governance Team

Bensham Hospital

Saltwell Road | Gateshead

NE8 4YL

Tel. No. 0191 445 5680


Appendix 7: IG Staff Training and Comms Action Plan 2015-2017

New Starters

All new starters will be informed of their IG responsibilities through the following communication tools:-

Target

Audience

Briefing Type Frequency When Distribution

Method

New Staff IG Induction Briefing Pack –

hand-outs and presentation

Once Induction Process Via email by O&D

New Staff IG Induction Training for all new

starters – staff, doctors,

consultants, volunteers etc.

Once Induction Process IG Team -

presentation by

the IG Lead

New Staff Employment Contracts Once When staff start O&D

New Staff Confidentiality Statements for all

types of contracts

Once When staff start O&D

New Staff Corporate Staff Handbook –

Code of Conduct

Once Induction Process Via email by O&D

New Staff The provision of the IG Staff

Handbook

Once When staff start O&D

Current Workforce

Current staff of the Trust will be informed of their legal IG responsibilities through information cascaded

through the following communication tools below:-

Target

Audience

Briefing Type Frequency When Distribution

Method

All Staff IG Annual Staff Mandatory

Training Programme

Annually At a chosen period

in the year

IG Team

Presentation / E-

learning IG

module

All Staff Team Briefs by Service Line

Managers

Weekly Weekly Delivered by

Service Line

Manager

All Staff Division news letters (for

specialised areas)

As and when

required

When required Via email by the

IG Team

All Staff Articles in the Trust’s QE Weekly Quarterly When availability

exists

Via email by the

IG Team

All Staff Staff emails – only for serious

issues as the QE Comms Weekly

is the main vehicle for staff

communication

As and when

required

As and when

required

Via email by the

Comms Team

All Staff An Information Governance Hub

– dedicated staff Intranet pages

on information governance

Available

continuously

Periodically

reviewed

IG intranet pages

All Staff The Trust’s IG framework of

policies and procedures

Available

continuously

Periodically

reviewed

IG intranet pages

Service

Line

Managers

The use of dashboards i.e. for IG

Training etc.

Available

continuously

All the time Intranet

All Staff Screensaver alerts on desk tops As and when

required

Following a

security incident

Desk Top

Screensavers

name of p lan : effective from: 11 /01/2016

Documents