BECCG IG Assurance Statement October 2016 V1.0 Page | 1
NHS Berkshire East Clinical Commissioning Group
Information Governance Assurance Statement
Tracey Burrows
October 2016
V1.0
NHS South, Central and West Commissioning Support Unit Page | 2
1 INTRODUCTION
The Information Governance Toolkit is a framework of legal rules and central guidance set out by national policy in relation to the management of information, and presents them in a single standard as a set of information governance requirements. NHS organisations are required to carry out self-assessments of their compliance against these requirements on an annual basis.
The purpose of the assessment is to enable organisations to measure their compliance against the law and central guidance and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction.
In previous years there has been an official submission to NHS Digital of a “Progress Update” on the organisation’s compliance against the toolkit requirements; this year (2016/17) no such formalised submission is required. However, this report is a formal position statement for the organisation, indicating its position as at 31st October 2016, and outlines the work required to achieve Level 2 across all requirements by 31 March 2017.
2 LEGEND
The legend below is provided to assist in interpreting the IG Toolkit V14 requirements:
LEGEND
Requirement No.: number given to each “Requirement” within IG Toolkit V14
Predicted Score: predicted score as at 31 March 2017
Requirement: description of each “Requirement”
Evidence: evidence required to achieve Level 2 or higher
Assurance:
  Low: assurance in achieving predicted level; may not have enough evidence to satisfy the Requirement
  Medium: assurance in achieving predicted level; evidence may be difficult to obtain
  High: assurance in achieving predicted level; no issues identified in obtaining evidence
The following entries give, for each requirement: Req No., Predicted Level, Requirement, Evidence required to maintain predicted level, and Assurance.
Req No. 130 (Predicted Level: 2)
Requirement: There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda
Evidence required to maintain predicted level:
- Job Descriptions
- SCWCSU SLA
- IG Framework
- IM&T TOR
- SLA Reports
- Agenda / Minutes Evidencing Approvals
Assurance: High
Req No. 131 (Predicted Level: 2)
Requirement: There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda
Evidence required to maintain predicted level:
- IG Handbook
- Minutes Evidencing Approvals
- Updated Intranet Site
- Staff Communications
- Policy Timetable
- IG Improvement Plan
- IG Assurance Statement
Assurance: High
Req No. 132 (Predicted Level: 2)
Requirement: Formal contractual arrangements that include compliance with information governance requirements are in place with all contractors and support organisations
Evidence required to maintain predicted level:
- NHS Standard Contract
- Contracts Statement (IG Clauses incl. in Contracts)
- Contracts Statement – Compliance with NHS Standard Contract
- Contracts Statement – List of Contracts
- Contracts – Example Contract
- Account Manager – List of SLAs in place with BECCG
- Account Manager Statement – IG Compliance
- Account Manager – SLA for WAMCCG
- Account Manager – SLA for SCCG
- Account Manager – SLA for BACCG
- Optum – Example Contract
- Optum Statement – List of Third Party Contracts
- Optum Statement – List of London Trust Contracts
- Optum Statement – Compliance with NHS Standard Contract
- SIRO Statement – Confirmation of Contracts IG Compliance
- SIRO Statement – Confirmation of Optum IG Compliance
- SIRO Statement – Confirmation of SCWCSU’s IG Compliance
- SIRO Statement – Confirmation of CHC IG Compliance
- CHC – Contract
- CHC – List of Providers
- CHC – Example Contract
Assurance: Medium
Req No. 133 (Predicted Level: 3)
Requirement: Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation
Evidence required to maintain predicted level:
- ConsultHR – Statement of Confidentiality (COS01)
- ConsultHR – IG Compliance Statement
- ConsultHR – Contract of Employment
- ConsultHR – Disciplinary Policy
- ConsultHR – Induction Guide for new starters
- ConsultHR – Induction Guide and Checklist
- ConsultHR – Recruitment & Selection Policy
- IG Improvement Plan
- IG Handbook
- IG Assurance Statement
- IG Training & Awareness Plan
- IG Training Database
- Quick Reference Guide to Caldicott & DPA
- Staff Communications – Intranet Launch
- Mobile Computing Leaflet
- Updated Intranet Site
- IG Training Tool (Link)
- IG Training Slides – IG Training
- IG Training Slides – IAA & IAO
- Staff Communication – IG Training
- IG Compliance Audit – Quality
- IG Compliance Audit – Printers
- IG Incident Log
- Data Flow Mapping & Risk Assessment (DEPT)
- Organisational Structure
Assurance: High
Req No. 134 (Predicted Level: 3)
Requirement: Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained
Evidence required to maintain predicted level:
- Job Descriptions
- SCWCSU SLA
- IM&T TOR
- ConsultHR Induction Guidance & Checklist
- IG Handbook
- IG Training Database
- IG Training Report
- Starters & Leavers Report
- IG Training Tool
- IG Training Slides
- IG Training Audit
- Training Needs Assessments (Key Roles)
- IG Compliance Audit – Quality
- IG Compliance Audit – Printers
- Data Flow Mapping & Risk Assessment (DEPT)
- Incident Log
- FOI Training & Awareness Plan
- IG Training & Awareness Implementation Plan
- Minutes / Agenda Evidencing Approvals
Assurance: High
Req No. 230 (Predicted Level: 3)
Requirement: The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs
Evidence required to maintain predicted level:
- Job Descriptions
- ICO Caldicott Register
- Caldicott Plan
- IG Handbook
- Caldicott 5 Year Plan (runs out 2016)
- Minutes Evidencing Approvals
- IM&T TOR
- SCWCSU SLA
- Training Database
- Training Certificates (Key Staff)
- Data Flow Maps & Risk Assessment Plan
- IG Assurance Statement
- IM&T Risk Register
- Incident Log
- IG Improvement Plan
- Minutes (Evidencing IG Assurance / IG Improvement Plan)
Assurance: High
Req No. 231 (Predicted Level: 3)
Requirement: Staff are provided with clear guidance on keeping personal information secure, on respecting the confidentiality of service users, and on the duty to share information for care purposes
Evidence required to maintain predicted level:
- IM&T TOR
- Job Descriptions
- SCWCSU SLA
- IG Handbook
- Minutes (Evidencing IG Handbook)
- Staff Guidance
- ConsultHR – Statement of Confidentiality
- ConsultHR – Contract of Employment
- ConsultHR Statement – IG Compliance
- ConsultHR – Induction Guidance
- Information Sharing Agreement (Template)
- Intranet – Review
- Internet – Policies & Procedures
- Internet – Privacy Policy
- Internet – Fair Processing Notice
- Staff Guidance (Mobile Computing, Printer etc.)
- Staff Communications
- Posters & Leaflets (Caldicott, DPA)
- Training Database
- IG Training Slides (IG)
- IG Training Slides (IAA & IAO)
- IG Compliance Audit – Quality
- IG Compliance Audit – Printers
- Data Flow Mapping & Risk Assessment Plan
- Step by Step Guide to DFM & RA
- IM&T Risk Register
- IG Incident Log
- Patient Survey
Assurance: High
Req No. 232 (Predicted Level: 2)
Requirement: Confidential personal information is only shared and used in a lawful manner and objections to the disclosure or use of this information are appropriately respected
Evidence required to maintain predicted level:
- Data Flow Map & Risk Assessment Plan
- IM&T Risk Register
- Staff Communications – Data Flow Mapping etc.
- Intranet – Data Flow Mapping Guidance (Link)
- Data Flow Mapping Training Slides
- Step by Step Guide to DFM & RA
- Data Flow Mapping & Risk Assessment Template
- IAA & IAO Communications
- Incident Log
- Incident Trend Analysis
- Minutes Evidencing Approvals
- NEW: Add legal basis to data flows / Data Flow Map Breach Report / Service User Objection Process
Assurance: High
Req No. 234 (Predicted Level: 2)
Requirement: There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data
Evidence required to maintain predicted level:
- Job Descriptions
- SCWCSU SLA
- IG Handbook
- IM&T Minutes (IG Handbook approval)
- Staff Communications – IG Handbook
- ConsultHR – Subject Access Request Guide
- Training Database
- Training Certificates (Key Staff: FOI)
- IG Training Slides (IG Intro)
- IG Training Slides (IAO & IAA)
- IG Training Tool (Link)
- IG Introduction Content for Auditor
- SARs Database
- IG Training Content
- NEW: SARs reporting process
Assurance: High
Req No. 235 (Predicted Level: 2)
Requirement: Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request
Evidence required to maintain predicted level:
- IM&T TOR
- Job Descriptions
- SCWCSU SLA
- IG Handbook
- Minutes (IG Handbook)
- Step by Step Guide to DFM & RA
- IT Registration Authority Procedures
- IT Registration Authority Policy
- DELOITTE IT Audit Procedures
- Intranet Site – Review
- ConsultHR – Statement of Confidentiality
- ConsultHR – Contract of Employment
- Staff Communications – Intranet
- System Access Audit (Datix)
- Incident Log
- Incident Report Form
- IM&T Risk Register
- System Access Audit (Broadcare System)
- Patient Record Access Form (CHC Records)
- NEW: Requirement allows for N/R scoring
Assurance: High
Req No. 236 (Predicted Level: 2)
Requirement: All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
Evidence required to maintain predicted level:
- Job Descriptions
- IM&T TOR
- SCWCSU SLA
- SBS – IG Toolkit Report V13
- SBS – Data Transfer Agreement with Steria
- SBS – Data Transfer Agreement between Steria and Steria (India)
- Steria India ISO 9001 Certification
- Steria India ISO 27001 Certification
- Data Flow Mapping Report
- Minutes Evidencing Approvals
- NEW: Assurance for NHS SBS for ESR Transfers
Assurance: Medium
Req No. 237 (Predicted Level: 2)
Requirement: All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements
Evidence required to maintain predicted level:
- Job Descriptions
- SCWCSU SLA
- IM&T TOR
- IT System Level Security Policy
- IT Network Security Policy
- IT Change Management Guide
- SCWCSU – Initial PIA
- SCWCSU – Full PIA
- Project evidence:
  - PIAs
  - IG Checklist
  - Sharing Agreements
- NEW: Review Privacy / Fair Processing / Data Protection Act / Freedom of Information Notices
Assurance: Medium
Req No. 250 (Predicted Level: 2)
Requirement: Individuals are informed about the proposed uses of their personal information
Evidence required to maintain predicted level:
- Job Descriptions
- SCWCSU SLA
- IG Handbook
- IM&T Minutes (IG Handbook approval)
- ConsultHR – Contract of Employment
- ConsultHR – Subject Access Requests
- Internet – NHS Jobs Link
- Internet – Fair Processing Notice
- Internet – Privacy Policy
- IG Training Tool (Link)
- IG Training Slides (IG Intro)
- IG Training Slides (IAO & IAA)
- NEW: NHS England Accessible Information Standard
Assurance: High
Req No. 340 (Predicted Level: 2)
Requirement: The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs
Evidence required to maintain predicted level:
- Job Descriptions
- SCWCSU SLA
- IG Improvement Plan
- IM&T Minutes (Improvement Plan)
- IG Handbook
- IM&T Minutes (IG Handbook)
- IM&T TOR
- IM&T Risk Register
- Data Flow Mapping & Risk Assessment
- SCWCSU Reporting Structures
- Staff Communications – IG Handbook
- IG Training Database
- IT Information Security Policy
- IT Backup & Business Continuity Policy
- IT Cyber Security Brief
- IT Staff JDs and Skillsets
- IG Assurance Statement
Assurance: High
Req No. 341 (Predicted Level: 2)
Requirement: A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed
Evidence required to maintain predicted level:
- Data Flow Mapping & Risk Assessment Plan
- IG Compliance Audit – Quality
- IG Compliance Audit – Printers
- Incident Log
- IT Information Security Policy
- IT System Level Security Policy
- Intranet – Data Flow Mapping
- IG Handbook
- IM&T Minutes (IG Handbook)
- IM&T Risk Register
- Data Flow Mapping and Risk Assessment (DEPT)
- Data Flow Mapping Report
- NEW: Risk assessments to provide SIRO with assurance
Assurance: Medium
Req No. 342 (Predicted Level: N/A?)
Requirement: There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority
Evidence required to maintain predicted level:
- NOTE: Reassess to determine if still not applicable (e.g. Registration Authority Organisation)
Assurance: Not Applicable
Req No. 343 (Predicted Level: N/A?)
Requirement: Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use
Evidence required to maintain predicted level:
- NOTE: Reassess to determine if still not applicable (e.g. smartcards)
Assurance: Not Applicable
Req No. 344 (Predicted Level: 2)
Requirement: Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems
Evidence required to maintain predicted level:
- Job Descriptions
- IT Information Security Policy
- IT System Level Security Policy
- IT Account Equipment and VPN RAS Request Forms
- IT Service Desk Leavers Procedure
- IT Inactive User Report Admin Guide
- IT Inactive Users Report
- IG Handbook
- ConsultHR – Termination Form
- System Access Audit Form (Broadcare)
- System Access Audit Form (Datix)
- Access Control (Medicines Optimisation System)
- Access Control (Pharmacy System)
- NOTE: Determine if weak evidence can be strengthened
Assurance: Medium
Req No. 345 (Predicted Level: 2)
Requirement: An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy
Evidence required to maintain predicted level:
- IG Handbook
- IM&T Minutes (IG Handbook)
- IM&T Minutes (Risk Register)
- Job Descriptions
- SCWCSU ASH Data Flows & Assets
- BECCG – Asset Register
- BECCG – iPad Register
- BECCG – Organisational Structure
- Staff Communications – Data Flow Mapping
- Training Database
- Training Certificates (Key Staff: SIRO)
- IG Training & Awareness Plan
- Training Slides – Data Flow Mapping
- Data Flow Mapping Report
- NOTE: Additional work required to evidence risk management
Assurance: High
Req No. 346 (Predicted Level: 2)
Requirement: Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place
Evidence required to maintain predicted level:
- IG Handbook
- IM&T Minutes (IG Handbook)
- IT Backup & Business Continuity Policy
- Data Flow Mapping & Risk Assessment Plan
- Data Flow Mapping & Risk Assessment (DEPT)
- SCWCSU SLA
- Intranet – Data Flow Mapping
- IM&T Risk Register
- SCWCSU ASH Data Flows & Assets
- Training Slides – Data Flow Mapping
- Staff Communication – Data Flow Mapping
- IT System Level Security Policy
- IG Training & Awareness Plan
- NOTE: Business Continuity Plans to be reviewed and tested
Assurance: High
Req No. 347 (Predicted Level: N/A?)
Requirement: Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
Evidence required to maintain predicted level:
- NOTE: Reassess to determine if still not applicable (e.g. Network Security Policy)
Assurance: Not Applicable
Req No. 348 (Predicted Level: 2)
Requirement: Policy and procedures ensure that mobile computing and teleworking are secure
Evidence required to maintain predicted level:
- IG Handbook
- IM&T Minutes (IG Handbook)
- Intranet – Mobile Computing
- ConsultHR – Contract of Employment
- ConsultHR – Termination Forms
- Staff Communications – Mobile Computing
- Staff Guidance (Mobile Computing)
- IT Account Equipment and VPN RAS Form
- IT Remote Working and Portable Device Policy
- IT Account Equipment and VPN RAS Request Form (ITAER1)
- IT New Account User Acceptance Form
- BECCG – Asset Register
- BECCG – iPad Asset Register
- Leavers Report
- IT Security Policy
Assurance: High
Req No. 349 (Predicted Level: 3)
Requirement: There are documented incident management and reporting procedures
Evidence required to maintain predicted level:
- Job Descriptions
- SCWCSU SLA
- IM&T TOR
- HSCIC – SIRI Reporting and Checklist Guidance
- Incident Report Form
- SOP Reporting & Investigating Incidents
- IM&T Minutes (Incidents)
- IG Training Slides
- Intranet – Incident Reporting
- Induction Checklist
- Incident Log
- IG Incident Trend Analysis
- IG Compliance Audit – Quality
- IG Compliance Audit – Printers
- Data Flow Mapping & Risk Assessment (DEPT)
- IG Action Plan (incident form to evidence actions)
- Checklist for Checking Documents
- Staff Communication – Checklist for Checking Documents Prior to Distribution
- Email Communication (evidencing communications with ICO)
- Inclusion of Cyber Security
- NEW: Attainment levels 2a and 2c amended to allow for not relevant responses
- NEW: Monthly Trend Analysis
Assurance: High
Req No. 350 (Predicted Level: 2)
Requirement: All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
Evidence required to maintain predicted level:
- Data Flow Mapping & Risk Assessment (DEPT)
- SCWCSU – ASH Data Flows & Information Assets
- IG Handbook
- IM&T Minutes (IG Handbook, Transfer of Information)
- Data Flow Mapping & Risk Assessment Plan
- IM&T Risk Register
- IM&T Minutes (Risk Register)
- ConsultHR – Statement of Confidentiality
- IT New Account User Acceptance Form
- Intranet – Data Flow Mapping
- IG Training Slides – IG Intro
- IG Training Slides – IAO & IAA
- NOTE: Complete mapping of all data flows and risk assessments
Assurance: Low
Req No. 351 (Predicted Level: 2)
Requirement: All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures
Evidence required to maintain predicted level:
- SCWCSU ASH Data Flow Maps & Assets
- BECCG Asset Register
- BECCG iPad Asset Register
- Data Flow Mapping & Risk Assessment (DEPT)
- BECCG Organisational Structure
- IM&T Risk Register
- Data Flow Maps Report
- NOTE: Risk assessments subject to peer group review to provide assurance to SIRO
Assurance: Medium
Req No. 352 (Predicted Level: N/A?)
Requirement: The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate
Evidence required to maintain predicted level:
- NOTE: Determine if not applicable still applies to this requirement
Assurance: Not Applicable
Req No. 420 (Predicted Level: 2)
Requirement: The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience
Evidence required to maintain predicted level:
- Job Descriptions
- Training Certificates
- IG Handbook
- DOH Records Management Code of Practice
- IG Training Database
- Training & Awareness Plan
- Records Management Strategy document
- IM&T Minutes (Records Management Policy)
Assurance: High
Req No. 421 (Predicted Level: Exempt?)
Requirement: There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements
Evidence required to maintain predicted level:
- NOTE: Reassess to determine if still “Exempt” (e.g. NHS Number)
Assurance: Not Applicable