BECCG IG Assurance Statement October 2016 V1.0 Page | 1

NHS Berkshire East Clinical Commissioning Group

Information Governance Assurance Statement

Tracey Burrows

October 2016

V1.0


NHS South, Central and West Commissioning Support Unit Page | 2

1 INTRODUCTION

The Information Governance Toolkit is a framework that draws together the legal rules and central guidance set out by national policy on the management of information and presents them in a single standard, as a set of information governance requirements. NHS organisations are required to carry out self-assessments of their compliance against these requirements on an annual basis.

The purpose of the assessment is to enable organisations to measure their compliance against the law and central guidance and to confirm that information is handled correctly and protected from unauthorised access, loss, damage and destruction.

In previous years there has been an official submission to NHS Digital of a "Progress Update" on the organisation's compliance against the toolkit requirements; for 2016/17 no such formalised submission is required. This report is nevertheless a formal position statement for the organisation, indicating its position as at 31 October 2016 and outlining the work required to achieve Level 2 across all requirements by 31 March 2017.


2 LEGEND

The legend below is intended to help readers interpret the IG Toolkit V14 requirements:

LEGEND

Requirement No.: the number given to each "Requirement" within IG Toolkit V14
Predicted Score: the predicted score as at 31 March 2017
Requirement: the description of each "Requirement"
Evidence: the evidence required to achieve Level 2 or higher
Assurance:
  Low - low assurance in achieving the predicted level; there may not be enough evidence to satisfy the requirement
  Medium - medium assurance in achieving the predicted level; evidence may be difficult to obtain
  High - high assurance in achieving the predicted level; no issues identified in obtaining evidence

Columns: REQ NO. | PREDICTED LEVEL | REQUIREMENT | EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL | ASSURANCE

REQ NO. 130 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
SCWCSU SLA
IG Framework
IM&T TOR
SLA Reports
Agenda / Minutes Evidencing Approvals

REQ NO. 131 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
IG Handbook
Minutes Evidencing Approvals
Updated Intranet Site
Staff Communications
Policy Timetable
IG Improvement Plan
IG Assurance Statement

REQ NO. 132 | PREDICTED LEVEL: 2 | ASSURANCE: Medium
REQUIREMENT: Formal contractual arrangements that include compliance with information governance requirements are in place with all contractors and support organisations
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
NHS Standard Contract
Contracts Statement (IG Clauses incl. in Contracts)
Contracts Statement - Compliance with NHS Standard Contract
Contracts Statement - List of Contracts
Contracts - Example Contract
Account Manager - List of SLAs in place with BECCG
Account Manager Statement - IG Compliance
Account Manager - SLA for WAMCCG
Account Manager - SLA for SCCG
Account Manager - SLA for BACCG
Optum - Example Contract
Optum Statement - List of Third Party Contracts
Optum Statement - List of London Trust Contracts
Optum Statement - Compliance with NHS Standard Contract
SIRO Statement - Confirmation of Contracts IG Compliance
SIRO Statement - Confirmation of Optum IG Compliance
SIRO Statement - Confirmation of SCWCSU IG Compliance
SIRO Statement - Confirmation of CHC IG Compliance
CHC - Contract
CHC - List of Providers
CHC - Example Contract

REQ NO. 133 | PREDICTED LEVEL: 3 | ASSURANCE: High
REQUIREMENT: Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
ConsultHR - Statement of Confidentiality (COS01)
ConsultHR - IG Compliance Statement
ConsultHR - Contract of Employment
ConsultHR - Disciplinary Policy
ConsultHR - Induction Guide for New Starters
ConsultHR - Induction Guide and Checklist
ConsultHR - Recruitment & Selection Policy
IG Improvement Plan
IG Handbook
IG Assurance Statement
IG Training & Awareness Plan
IG Training Database
Quick Reference Guide to Caldicott & DPA
Staff Communications - Intranet Launch
Mobile Computing Leaflet
Updated Intranet Site
IG Training Tool: Link
IG Training Slides - IG Training
IG Training Slides - IAA & IAO
Staff Communication - IG Training
IG Compliance Audit - Quality
IG Compliance Audit - Printers
IG Incident Log
Data Flow Mapping & Risk Assessment (DEPT)
Organisational Structure

REQ NO. 134 | PREDICTED LEVEL: 3 | ASSURANCE: High
REQUIREMENT: Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
SCWCSU SLA
IM&T TOR
ConsultHR Induction Guidance & Checklist
IG Handbook
IG Training Database
IG Training Report
Starters & Leavers Report
IG Training Tool
IG Training Slides
IG Training Audit
Training Needs Assessments (Key Roles)
IG Compliance Audit - Quality
IG Compliance Audit - Printers
Data Flow Mapping & Risk Assessment (DEPT)
Incident Log
FOI Training & Awareness Plan
IG Training & Awareness Implementation Plan
Minutes / Agenda Evidencing Approvals

REQ NO. 230 | PREDICTED LEVEL: 3 | ASSURANCE: High
REQUIREMENT: The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation's assessed needs
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
ICO Caldicott Register
Caldicott Plan
IG Handbook
Caldicott 5 Year Plan (runs out 2016)
Minutes Evidencing Approvals
IM&T TOR
SCWCSU SLA
Training Database
Training Certificates (Key Staff)
Data Flow Maps & Risk Assessment Plan
IG Assurance Statement
IM&T Risk Register
Incident Log
IG Improvement Plan
Minutes (Evidencing IG Assurance / IG Improvement Plan)

REQ NO. 231 | PREDICTED LEVEL: 3 | ASSURANCE: High
REQUIREMENT: Staff are provided with clear guidance on keeping personal information secure, on respecting the confidentiality of service users, and on the duty to share information for care purposes
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
IM&T TOR
Job Descriptions
SCWCSU SLA
IG Handbook
Minutes (Evidencing IG Handbook)
Staff Guidance
ConsultHR - Statement of Confidentiality
ConsultHR - Contract of Employment
ConsultHR Statement - IG Compliance
ConsultHR - Induction Guidance
Information Sharing Agreement (Template)
Intranet - Review
Internet - Policies & Procedures
Internet - Privacy Policy
Internet - Fair Processing Notice
Staff Guidance (Mobile Computing, Printers etc.)
Staff Communications
Posters & Leaflets (Caldicott, DPA)
Training Database
IG Training Slides (IG)
IG Training Slides (IAA & IAO)
IG Compliance Audit - Quality
IG Compliance Audit - Printers
Data Flow Mapping & Risk Assessment Plan
Step by Step Guide to DFM & RA
IM&T Risk Register
IG Incident Log
Patient Survey

REQ NO. 232 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: Confidential personal information is only shared and used in a lawful manner and objections to the disclosure or use of this information are appropriately respected
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Data Flow Map & Risk Assessment Plan
IM&T Risk Register
Staff Communications - Data Flow Mapping etc.
Intranet - Data Flow Mapping Guidance (Link)
Data Flow Mapping Training Slides
Step by Step Guide to DFM & RA
Data Flow Mapping & Risk Assessment Template
IAA & IAO Communications
Incident Log
Incident Trend Analysis
Minutes Evidencing Approvals
NEW: Add legal basis to data flows / Data Flow Map Breach Report / Service User Objection Process

REQ NO. 234 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: There are appropriate procedures for recognising and responding to individuals' requests for access to their personal data
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
SCWCSU SLA
IG Handbook
IM&T Minutes (IG Handbook approval)
Staff Communications - IG Handbook
ConsultHR - Subject Access Request Guide
Training Database
Training Certificates (Key Staff: FOI)
IG Training Slides (IG Intro)
IG Training Slides (IAO & IAA)
IG Training Tool (Link)
IG Introduction Content for Auditor
SARs Database
IG Training Content
NEW: SARs reporting process

REQ NO. 235 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
IM&T TOR
Job Descriptions
SCWCSU SLA
IG Handbook
Minutes (IG Handbook)
Step by Step Guide to DFM & RA
IT Registration Authority Procedures
IT Registration Authority Policy
Deloitte IT Audit Procedures
Intranet Site - Review
ConsultHR - Statement of Confidentiality
ConsultHR - Contract of Employment
Staff Communications - Intranet
System Access Audit (Datix)
Incident Log
Incident Report Form
IM&T Risk Register
System Access Audit (Broadcare System)
Patient Record Access Form (CHC Records)
NEW: Requirement allows for N/R scoring

REQ NO. 236 | PREDICTED LEVEL: 2 | ASSURANCE: Medium
REQUIREMENT: All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
IM&T TOR
SCWCSU SLA
SBS - IG Toolkit Report V13
SBS - Data Transfer Agreement with Steria
SBS - Data Transfer Agreement between Steria and Steria (India)
Steria India ISO 9001 Certification
Steria India ISO 27001 Certification
Data Flow Mapping Report
Minutes Evidencing Approvals
NEW: Assurance for NHS SBS for ESR Transfers

REQ NO. 237 | PREDICTED LEVEL: 2 | ASSURANCE: Medium
REQUIREMENT: All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
SCWCSU SLA
IM&T TOR
IT System Level Security Policy
IT Network Security Policy
IT Change Management Guide
SCWCSU - Initial PIA
SCWCSU - Full PIA
Project evidence: PIAs, IG Checklist, Sharing Agreements
NEW: Review Privacy / Fair Processing / Data Protection Act / Freedom of Information Notices

REQ NO. 250 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: Individuals are informed about the proposed uses of their personal information
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
SCWCSU SLA
IG Handbook
IM&T Minutes (IG Handbook approval)
ConsultHR - Contract of Employment
ConsultHR - Subject Access Requests
Internet - NHS Jobs Link
Internet - Fair Processing Notice
Internet - Privacy Policy
IG Training Tool (Link)
IG Training Slides (IG Intro)
IG Training Slides (IAO & IAA)
NEW: NHS England Accessible Information Standard

REQ NO. 340 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation's assessed needs
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
SCWCSU SLA
IG Improvement Plan
IM&T Minutes (Improvement Plan)
IG Handbook
IM&T Minutes (IG Handbook)
IM&T TOR
IM&T Risk Register
Data Flow Mapping & Risk Assessment
SCWCSU Reporting Structures
Staff Communications - IG Handbook
IG Training Database
IT Information Security Policy
IT Backup & Business Continuity Policy
IT Cyber Security Brief
IT Staff JDs and Skillsets
IG Assurance Statement

REQ NO. 341 | PREDICTED LEVEL: 2 | ASSURANCE: Medium
REQUIREMENT: A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Data Flow Mapping & Risk Assessment Plan
IG Compliance Audit - Quality
IG Compliance Audit - Printers
Incident Log
IT Information Security Policy
IT System Level Security Policy
Intranet - Data Flow Mapping
IG Handbook
IM&T Minutes (IG Handbook)
IM&T Risk Register
Data Flow Mapping and Risk Assessment (DEPT)
Data Flow Mapping Report
NEW: Risk assessments to provide SIRO with assurance

REQ NO. 342 | PREDICTED LEVEL: N/A (to be reassessed) | ASSURANCE: Not Applicable
REQUIREMENT: There are established business processes and procedures that satisfy the organisation's obligations as a Registration Authority
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
NOTE: Reassess to determine if still not applicable (e.g. Registration Authority Organisation)

REQ NO. 343 | PREDICTED LEVEL: N/A (to be reassessed) | ASSURANCE: Not Applicable
REQUIREMENT: Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
NOTE: Reassess to determine if still not applicable (e.g. smartcards)

REQ NO. 344 | PREDICTED LEVEL: 2 | ASSURANCE: Medium
REQUIREMENT: Operating and application information systems (under the organisation's control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
IT Information Security Policy
IT System Level Security Policy
IT Account Equipment and VPN RAS Request Forms
IT Service Desk Leavers Procedure
IT Inactive User Report Admin Guide
IT Inactive Users Report
IG Handbook
ConsultHR - Termination Form
System Access Audit Form (Broadcare)
System Access Audit Form (Datix)
Access Control (Medicines Optimisation System)
Access Control (Pharmacy System)
NOTE: Determine if weak evidence can be strengthened

REQ NO. 345 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: An effectively supported Senior Information Risk Owner takes ownership of the organisation's information risk policy and information risk management strategy
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
IG Handbook
IM&T Minutes (IG Handbook)
IM&T Minutes (Risk Register)
Job Descriptions
SCWCSU ASH Data Flows & Assets
BECCG - Asset Register
BECCG - iPad Register
BECCG - Organisational Structure
Staff Communications - Data Flow Mapping
Training Database
Training Certificates (Key Staff: SIRO)
IG Training & Awareness Plan
Training Slides - Data Flow Mapping
Data Flow Mapping Report
NOTE: Additional work required to evidence risk management

REQ NO. 346 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
IG Handbook
IM&T Minutes (IG Handbook)
IT Backup & Business Continuity Policy
Data Flow Mapping & Risk Assessment Plan
Data Flow Mapping & Risk Assessment (DEPT)
SCWCSU SLA
Intranet - Data Flow Mapping
IM&T Risk Register
SCWCSU ASH Data Flows & Assets
Training Slides - Data Flow Mapping
Staff Communication - Data Flow Mapping
IT System Level Security Policy
IG Training & Awareness Plan
NOTE: Business Continuity Plans to be reviewed and tested

REQ NO. 347 | PREDICTED LEVEL: N/A (to be reassessed) | ASSURANCE: Not Applicable
REQUIREMENT: Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
NOTE: Reassess to determine if still not applicable (e.g. Network Security Policy)

REQ NO. 348 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: Policy and procedures ensure that mobile computing and teleworking are secure
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
IG Handbook
IM&T Minutes (IG Handbook)
Intranet - Mobile Computing
ConsultHR - Contract of Employment
ConsultHR - Termination Forms
Staff Communications - Mobile Computing
Staff Guidance (Mobile Computing)
IT Account Equipment and VPN RAS Form
IT Remote Working and Portable Device Policy
IT Account Equipment and VPN RAS Request Form (ITAER1)
IT New Account User Acceptance Form
BECCG - Asset Register
BECCG - iPad Asset Register
Leavers Report
IT Security Policy

REQ NO. 349 | PREDICTED LEVEL: 3 | ASSURANCE: High
REQUIREMENT: There are documented incident management and reporting procedures
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
SCWCSU SLA
IM&T TOR
HSCIC - SIRI Reporting and Checklist Guidance
Incident Report Form
SOP Reporting & Investigating Incidents
IM&T Minutes (Incidents)
IG Training Slides
Intranet - Incident Reporting
Induction Checklist
Incident Log
IG Incident Trend Analysis
IG Compliance Audit - Quality
IG Compliance Audit - Printers
Data Flow Mapping & Risk Assessment (DEPT)
IG Action Plan (Incident form to evidence actions)
Checklist for Checking Documents
Staff Communication - Checklist for Checking Documents Prior to Distribution
Email Communication (evidencing communications with ICO)
Inclusion of Cyber Security
NEW: Attainment levels 2a and 2c amended to allow for not relevant responses
NEW: Monthly Trend Analysis

REQ NO. 350 | PREDICTED LEVEL: 2 | ASSURANCE: Low
REQUIREMENT: All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Data Flow Mapping & Risk Assessment (DEPT)
SCWCSU - ASH Data Flows & Information Assets
IG Handbook
IM&T Minutes (IG Handbook, Transfer of Information)
Data Flow Mapping & Risk Assessment Plan
IM&T Risk Register
IM&T Minutes (Risk Register)
ConsultHR - Statement of Confidentiality
IT New Account User Acceptance Form
Intranet - Data Flow Mapping
IG Training Slides - IG Intro
IG Training Slides - IAO & IAA
NOTE: Complete mapping of all data flows and risk assessments

REQ NO. 351 | PREDICTED LEVEL: 2 | ASSURANCE: Medium
REQUIREMENT: All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
SCWCSU ASH Data Flow Maps & Assets
BECCG Asset Register
BECCG iPad Asset Register
Data Flow Mapping & Risk Assessment (DEPT)
BECCG Organisational Structure
IM&T Risk Register
Data Flow Maps Report
NOTE: Risk assessments subject to peer group review to provide assurance to SIRO

REQ NO. 352 | PREDICTED LEVEL: N/A (to be reassessed) | ASSURANCE: Not Applicable
REQUIREMENT: The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
NOTE: Determine if not applicable still applies to this requirement

REQ NO. 420 | PREDICTED LEVEL: 2 | ASSURANCE: High
REQUIREMENT: The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
Job Descriptions
Training Certificates
IG Handbook
DoH Records Management Code of Practice
IG Training Database
Training & Awareness Plan
Records Management Strategy Document
IM&T Minutes (Records Management Policy)

REQ NO. 421 | PREDICTED LEVEL: Exempt (to be reassessed) | ASSURANCE: Not Applicable
REQUIREMENT: There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements
EVIDENCE REQUIRED TO MAINTAIN PREDICTED LEVEL:
NOTE: Reassess to determine if still "Exempt" (e.g. NHS Number)