\\dmh-p-store1\data\Corporate Affairs\Shared\Freedom of information\Responses 2012\August 2012\08.12.04\Information Risk Policy.doc Rev 6.0 Feb 11 Page 1 of 24 24/08/2012

Policy Information Sheet

Reference Number POL/HIG/0028

Title CDDFT Information Risk Policy

Version number 6.0

Document Type Policy

Original Policy Date October 2008

Date approved January 2011

Effective date January 2011

Approving body Marketing and service Development Committee

Originating Directorate Health Informatics Directorate

Scope Trust Wide

Last review date December 2010

Next review date December 2013

Reviewing body Information Governance Steering Group

Document Owner Head of Information Governance and IT Security

Equality impact assessed Yes – December 2010

Date superseded October 2008

Status Approved

Confidentiality Staff in Confidence

Keywords Information Risk Policy

Approval Signature of Chairman of Approving Body

Name / job title of Chairman of approving Body: Sue Jacques, Chief Operating Officer, Business and Infrastructure Committee

Signed paper copy held at (location): IG DMH Office


1 Version Control

Version Control Table

Date         Version  State
Oct 08       1.0      Draft
November 08  2.0      Approved
February 09  3.0      Draft
May 10       4.0      Approved
December 10  5.0      Draft
February 11  6.0      Approved

Table of Revision

Date    Section  Author                          State
Oct 08  All      Head of Information Governance  Draft
Dec 10  All      Head of Information Governance  Draft

2 Review

This document will be reviewed two years from the date of issue and annually thereafter.


3 Table Of Contents

1 Version Control (p. 2)
2 Review (p. 2)
3 Table Of Contents (p. 3)
4 Overview (p. 5)
5 Introduction (p. 5)
6 Intended Audience (p. 5)
7 Related Policies (p. 5)
8 Policy Statement (p. 6)
9 Scope (p. 7)
10 Purpose of this document (p. 7)
11 Trust Legal Responsibilities (p. 8)
12 Definition of Terms (p. 9)
12.1 Risk (p. 9)
12.2 Consequence (p. 9)
12.3 Likelihood (p. 9)
12.4 Risk Assessment (p. 9)
12.5 Risk Management (p. 9)
12.6 Risk Treatment (p. 9)
12.7 Risk Management Process (p. 9)
13 Losses and Confidentiality/Security Breaches (p. 10)
14 Legislation (p. 10)
15 Information Risk (p. 11)
15.1 Creating an Information Handling Culture (p. 11)
15.2 Information Risk Management Programme (p. 11)
15.3 Information Risk Mitigation (p. 11)
15.4 Monitoring and further mitigation (p. 16)
15.5 Responsibilities and Risk Framework (p. 17)
15.6 Information Assets and Monthly reports (p. 17)
15.7 Related Policies and Work Plans (p. 18)
15.8 Training (p. 18)
15.9 Monitoring (p. 18)
15.10 Incident Reporting (p. 18)


4 Overview

This document covers information risk for County Durham and Darlington Foundation NHS Trust (CDDFT).

5 Introduction

5.1 County Durham and Darlington Foundation NHS Trust, hereinafter referred to as "The Trust", is highly reliant on information that is captured, stored, processed and delivered by computers and their associated communication facilities.

5.2 Such information plays a vital role in supporting business processes and customer services, in contributing to operational and strategic business decisions and in conforming to legal and statutory requirements.

5.3 Accordingly the information and the enabling technologies are important assets that will be protected to the level commensurate with their value to the organisation. Special care will be taken to ensure that Person Identifiable and business/corporate confidential information is not compromised.

6 Intended Audience

All Trust staff (including temporary workers, locums and staff seconded or contracted from other organisations)

7 Related Policies

The following policies are related to this policy and must be read together with it:

CDDFT Information Lifecycle Management Strategy

CDDFT Transfer of Personal information Policy

CDDFT Information Governance Policy

CDDFT Information Classification procedure

CDDFT IT Security Policy

CDDFT IT Security Incident Policy

CDDFT Incident Management Policy

CDDFT Information Risk Management Procedure


8 Policy Statement

8.1 It is the policy of The Trust to ensure that:

Information is protected against unauthorised access.

Confidentiality of information is assured.

Integrity of information is maintained.

Regulatory requirements and legislation are met.

Information technology systems are used in a manner that prevents the release of information (by accident or deliberate/criminal act), ensures their safe use and avoids damage to the specific system or any other system to which it is connected.

Information that can be used to identify a person (including confidential information about that person), business information and confidential business information is restricted to authorised users only.

Business continuity plans are produced, maintained and tested.

Information security training is available to all staff.

All breaches of information security, actual or suspected, will be reported to and investigated by appropriately trained individuals within The Trust, and notified to the Trust Head of Information Governance.

8.2 The lawful and correct treatment of personal information is very important to the successful delivery of health care services and to maintaining confidence in the organisation as a whole.

To this end all staff will adhere to the Principles of the Data Protection Act 1998 (as outlined below), the Caldicott Recommendations (as outlined below), NHS guidelines (as outlined below), the Human Rights Act, all other relevant legislation, this policy document and any relevant professional codes of practice.

8.3 The Data Protection Act principles state that personal information:

Shall be processed and used fairly and lawfully.

Shall not be further used in any manner incompatible with the purpose for which it has been obtained.

Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is used.

Shall be accurate.

Shall not be kept for longer than is necessary.

Shall be used in accordance with the rights of the individual.

Appropriate measures shall be taken against unauthorised disclosure.

Shall not be transferred to a country or territory outside the European Economic Area with inadequate levels of protection for the rights and freedoms of the person in relation to their information.

8.4 The Caldicott report outlines six principles:

Principle 1 – Justify the purpose(s) for using confidential information.

Principle 2 – Only use it when absolutely necessary.


Principle 3 – Use the minimum that is required.

Principle 4 – Access should be on a strict need-to-know basis.

Principle 5 – Everyone will understand his or her responsibilities.

Principle 6 – Understand and comply with the law.

In addition it recommends that the NHS number should be substituted for patient identifiable data wherever possible and that where patient data is transferred it should be reduced to the minimum required for the purpose.

8.5 NHS Guidelines

o Information Security Management NHS Code of Practice (gateway Ref 7974),

o Records Management Parts 1 & 2 NHS Code of Practice (gateway Refs. 270422/1 270422/2)

o Confidentiality NHS Code of Practice (gateway ref 1656)

In addition, care will be taken, particularly with confidential clinical information, to ensure that the means of transferring it from one location to another are as secure as they can be. 'Safe Havens' will be used wherever possible.

9 Scope

9.1 This Policy applies to all parties authorised by the Trust together with their staff (including temporary workers, locums and staff seconded or contracted from other organisations).

9.2 Any breach of or refusal to comply with this policy is a disciplinary offence which may lead to disciplinary action in accordance with the organisation's Disciplinary Policy, up to and including, in appropriate circumstances, dismissal without notice.

10 Purpose of this document

10.1 The information risk policy defines how the Trust and its delivery partners will manage information risk and how effectiveness will be assessed and measured. In so doing, the information risk policy supports the organisation's strategic aims and objectives and should enable employees throughout the delivery chain to identify an acceptable level of risk, beyond which escalation of risk management decisions is always necessary. The information risk policy fits within the organisation's overall business risk management framework; information risk need not be managed separately from other business risks, but should be considered a fundamental component of effective Information Governance.

10.2 This policy is to ensure that all staff are aware of their individual responsibilities in relation to the management of Information Risk.


11 Trust Legal Responsibilities

Responsibility for the enforcement of this policy within The Trust lies with the Chief Executive, or any individual identified by them as having responsibility in this area (the Associate Director of Health Informatics).

Responsibility for managing information security within The Trust will be undertaken by the Head of Information Governance and IT Security, supported by appropriately trained individuals within The Trust. The Head of Information Governance has responsibility for:

Maintaining the policy and providing advice and guidance on its implementation throughout The Trust.

Maintaining an up-to-date version of this policy, reviewing it annually and following major organisational changes.

Ensuring the policy's continued relevance, and that a current copy of the policy is distributed throughout The Trust.

Monitoring the overall implementation of the policy within The Trust.

Managers and Divisional / departmental Information Asset Owners and Administrators are responsible for implementing the policy within their business areas, and for adherence to the policy by their staff.

It is the responsibility of each employee, including temporary and contract staff, to adhere to this policy. Any breach of or refusal to comply with this policy is a disciplinary offence which may lead to disciplinary action in accordance with The Trust Disciplinary Policy, up to and including, in appropriate circumstances, dismissal without notice.


12 Definition of Terms

For the purposes of this policy the following terms are defined:

12.1 Risk

The chance of something happening, which will have an impact upon objectives. It is measured in terms of consequence and likelihood.

12.2 Consequence

The outcome of an event or situation, expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.

12.3 Likelihood

A qualitative description or synonym for probability or frequency.

12.4 Risk Assessment

The overall process of risk analysis and risk evaluation.

12.5 Risk Management

The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

12.6 Risk Treatment

Selection and implementation of appropriate options for dealing with risk. Conceptually, treatment options will involve one or a combination of the following five strategies:

Avoid the risk

Reduce the likelihood of occurrence

Reduce the consequences of occurrence

Transfer the risk

Retain/accept the risk

12.7 Risk Management Process

The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risk.


13 Losses and Confidentiality/Security Breaches

13.1 All incidents that constitute a loss of information which could potentially lead to a breach of patient confidentiality are to be reported via an IR1 following the Trust incident reporting procedure; the incident must also be reported directly to the Trust Risk Manager. The Trust Head of Information Governance and IT Security will instigate investigation procedures to establish the nature and potential threat of the incident.

13.2 All incidents that highlight a risk to information are to be reported in the same way: via an IR1 following the Trust incident reporting procedure, and directly to the Trust Risk Manager. The Trust Head of Information Governance and IT Security will instigate investigation procedures to establish the nature and potential threat of the incident.

13.3 All such incidents must be documented on an IR1 form that must be forwarded to the Risk Manager after reporting the incident.

13.4 Incidents could involve:

Loss of case notes

Loss of USB Memory Stick

Loss of paper clinic notes

Loss of Hardware.

Virus attack

Unauthorised access.

Misuse of System/Privileges.

14 Legislation

14.1 All Trust staff will comply with current legislation regarding the use and retention of Person Identifiable Data and the use of computer systems. This includes, but is not limited to:

Data Protection Act 1998

Computer Misuse Act 1990

Copyright, Design & Patents Act

Regulation of Investigatory Powers

Human Rights Act

Electronic Communications Act

Obscene Publications Act

Common Law Duty of Confidentiality

Contracts Act 1990

EU Directive on Waste Electrical and Electronic Equipment

14.2 Breaches of the Computer Misuse Act carry a maximum penalty of 10 years imprisonment or an unlimited fine.


15 Information Risk

15.1 Creating an Information Handling Culture

It is the responsibility of the Trust Board to create an information handling culture. This must permeate throughout the Trust and must inform everyone's approach to how they perform their daily tasks, regardless of seniority.

Managers must do more than acknowledge that information is valuable and that risks must be mitigated: they must show, through their decisions and actions, the importance of handling information properly.

All staff should know that good information handling is part of their job.

Senior staff will understand that they are bound by the same rules as junior staff. They must not override risk controls for reasons of convenience.

All staff should be able to answer general questions about information protection and make sensible information risk decisions for themselves, including knowing the limits of their competence and when to defer to others for guidance.

All staff Personal Development Plans should include competencies in information handling.

It is the responsibility of The Trust Board to ensure that the Trust has an open approach to incidents and learning.

The Trust Board must encourage all staff to question instructions that seem inappropriate on information risk grounds and must encourage reporting on instances of inappropriate behaviour.

The Trust will assign responsibility for Information Risk at Board Level. This individual will be identified as the Senior Information Risk Owner (SIRO). The SIRO is responsible for ensuring that organisational information risk is properly identified, managed and that appropriate assurance mechanisms exist. The Trust SIRO is the Director of Finance, Deputy Chief Executive Officer.

15.2 Information Risk Management Programme

An Information Risk Management Programme must be aligned to the Trust business plan to support individual objectives and ensure they are adequately resourced.

The Risk Management Programme should cover:

The balance between the level of risk, the tolerance of risk and the effort being used to manage the risk,

Identification of gaps between the current and target risk positions,

Progress being made against agreed information risk priorities

The effectiveness of the risk management controls including successes and failures.

15.3 Trust Information Risk Strategy

The Trust strategy for risk management is defined as:

Key risks must be identified

All risk situations require a degree of management regardless of size of risk

Time constraints must be met


Resources used must be within budget

Strategy adopted must be supplementary to business objectives

Residual risk must be accepted and monitored

Strategic risk treatment can be applied to a risk using one of the following options:

Risk acceptance:

o Decision to accept a risk.

Risk avoidance:

o Decision not to become involved in, or action to withdraw from, a risk situation.

Risk Transfer:

o Sharing with another party the burden of loss or benefit of gain, for a risk

Risk reduction:

o Actions taken to lessen the probability, negative consequences, or both, associated with a risk

Any high-impact decision involving risk transfer or risk reduction must be approved by the Information Governance Steering Group and/or the Senior Information Risk Owner.

15.4 Information Risk Mitigation

15.4.1 Risk mitigation

Risk mitigation must:

be commensurate with the level of the risk – it does not need to remove the risk

be kept simple so it is manageable and can be communicated to staff.

include monitoring and reporting on the ongoing level of information failures and security breaches so the effectiveness of the protection being achieved can be assessed.

Risks must be assessed in terms of general level of harm that could be reasonably caused if information were to fail or be compromised.

Mitigation should take the form of a wide range of controls directed at reducing the likelihood of an information failure and reducing the amount of harm a failure could cause.

Controls covering both will reduce the likelihood of failure and reduce the amount of harm and will enhance overall mitigation.

'Good Practice' controls should be identified; these must be easy for staff to understand and apply.

They must be supplemented with customised controls for specific higher risk circumstances.

15.4.2 Risk Assessment

Assessing risk should be based on threats and vulnerabilities of an asset.


Threats:

There are different categories of threat to assess an asset against:

Technical – e.g. viruses, hackers

People related – e.g. industrial action, vandalism, unauthorised access

Environmental – e.g. fire, flood

Accidental or malicious – e.g. breach of legislation or regulation, illegal use of software, fire, air conditioning failure

Assess each threat by considering the likelihood of an event or incident occurring, taking into account, for example:

Value of the asset – if lost

Local circumstances – can the area where the asset is located be flooded?

Capability of individuals – e.g. a hacker's technical expertise

Strength of motive – does someone have a grudge?

Number of users – of the asset

History of events – could the incident happen again?

Attitude of management – towards the threat

Realistically judge the likelihood that each possible threat or attack scenario could successfully impact an asset.

Vulnerabilities:

Vulnerabilities are influenced by:

Weaknesses in assets

Absence or presence of controls

There is a link between vulnerabilities and controls: establish the extent of the vulnerabilities which may cause business impacts, and map these to the controls in place and to any additional controls which can mitigate the risk.

Completion of a gap analysis will assist in calculating the vulnerability of an asset.

Risk is the likelihood and impact of a threat or vulnerability affecting an asset.

Example risk matrix (ref: CDDFT IT Security Incident Policy). Rows are Impact (1 = lowest, 5 = highest), columns are Likelihood (1 = lowest, 5 = highest); each cell gives the risk rating: L = Low, M = Medium, H = High.

                Likelihood
Impact      1   2   3   4   5
   5        M   M   H   H   H
   4        L   M   M   H   H
   3        L   M   M   M   H
   2        L   L   M   M   H
   1        L   L   L   M   M
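The matrix above, together with the assess / treat / escalate steps of sections 15.3 and 15.4, can be scored mechanically. The following is an added worked example and is not part of the Trust's policy or its procedures: it encodes the 5x5 matrix exactly as printed, rates the inherent risk of each entry in a small constructed asset register, applies treatment controls to arrive at a residual rating, and flags what still needs escalation. The asset register, the "each control lowers likelihood or impact by N points" model, and the rule that anything still rated High after treatment goes to the Information Governance Steering Group / SIRO are all illustrative assumptions.

```python
"""Score a risk register against the CDDFT 5x5 likelihood/impact matrix.

Added example. The register, the control-effect model and the escalation
threshold are constructed for illustration; only the matrix is from the policy.
"""
from dataclasses import dataclass, field

# Rows are impact 5..1 (top to bottom), columns likelihood 1..5, as printed.
_ROWS = {
    5: "MMHHH",
    4: "LMMHH",
    3: "LMMMH",
    2: "LLMMH",
    1: "LLLMM",
}
RISK_MATRIX = {(impact, lik + 1): cell
               for impact, row in _ROWS.items()
               for lik, cell in enumerate(row)}

RATING_NAME = {"L": "Low", "M": "Medium", "H": "High"}


def rate(impact: int, likelihood: int) -> str:
    """Return L/M/H for 1-5 impact and 1-5 likelihood; reject out-of-range scores."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError(f"impact and likelihood must be 1-5, got {impact}, {likelihood}")
    return RISK_MATRIX[(impact, likelihood)]


@dataclass
class Control:
    """Assumed model: a control lowers likelihood and/or impact by whole points."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str            # threat category per section 15.4.2 (technical, people, environmental)
    impact: int
    likelihood: int
    controls: list = field(default_factory=list)

    def inherent(self) -> str:
        """Rating before any treatment."""
        return rate(self.impact, self.likelihood)

    def residual(self) -> str:
        """Rating after the listed controls; a score never drops below 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return rate(imp, lik)


def needs_escalation(risk: Risk) -> bool:
    """Assumed rule: still High after treatment -> IG Steering Group / SIRO decision."""
    return risk.residual() == "H"


def quarterly_summary(register: list) -> dict:
    """Counts of inherent and residual ratings, plus the assets to escalate."""
    summary = {"inherent": {"L": 0, "M": 0, "H": 0},
               "residual": {"L": 0, "M": 0, "H": 0},
               "escalate": []}
    for r in register:
        summary["inherent"][r.inherent()] += 1
        summary["residual"][r.residual()] += 1
        if needs_escalation(r):
            summary["escalate"].append(r.asset)
    return summary


# Constructed register, illustrative only. Note the USB control reduces the
# consequence (encrypted data is worthless if lost) rather than the likelihood.
REGISTER = [
    Risk("Unencrypted USB stick with clinic lists", "people - loss in transit",
         impact=5, likelihood=4,
         controls=[Control("Trust-issued encrypted USB only", impact_reduction=3)]),
    Risk("Server room", "environmental - flood", impact=4, likelihood=2,
         controls=[Control("Raised flooring and water alarm", likelihood_reduction=1)]),
    Risk("PAS application", "technical - malware via email", impact=4, likelihood=5,
         controls=[Control("Anti-virus and patching", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset}: inherent {RATING_NAME[r.inherent()]}, "
              f"residual {RATING_NAME[r.residual()]}")
    print(quarterly_summary(REGISTER))
```

Two properties of the printed matrix are worth noticing once it is encoded: it is not symmetric (impact 5 / likelihood 1 and impact 1 / likelihood 5 are both Medium, but impact 5 / likelihood 3 is High while impact 3 / likelihood 5 is also High), and a control that only reduces likelihood can leave a high-impact asset rated High, which is exactly the case the policy routes to the Steering Group or SIRO rather than letting the asset owner accept it.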


15.4.3 Plan, Do, Check and Act

A risk based approach means there will always be some level of risk that will be tolerated.

Controls must be applied under constraints of:

Expertise

Cost

Effort

Practicability

Sometimes controls will be implemented in phases or as opportunity allows.

The 'Plan' and 'Do' phases must be supported by 'Check' and 'Act'.

This will ensure that required controls have been implemented adequately and that action plans are in place to address shortfalls.

Controls

There are different types of controls:

People:

o Policies and awareness training

Physical:

o Entry controls, asset marking / classification

Procedural:

o Procedures for change control, clinical processes

Technical:

o Firewalls, encryption, anti virus software etc.

Controls can be implemented to achieve one or more of the following:

Correction

Prevention

Impact minimisation

Deterrence

Detection

Recovery

Monitoring

Awareness

Correction and recovery controls should be supported by root cause analysis. When identifying controls from the risk assessment of an asset, discussion with other Information Asset Owners is encouraged, as similar risk areas may already have been identified.


Risk assessments must be completed each quarter and reported to the Information Governance steering group as per Information Risk Management procedure.

15.4.4 Escalation Paths

Escalation paths will be used for situations where the information risk owner and specialists cannot agree on the controls required or the timescales. Information Asset Owners with such an issue should contact the Information Governance department to discuss it; the issue will then be taken to the Information Governance Steering Group, which will approve or reject the proposed position.


15.5 Monitoring and further mitigation

The Trust needs to monitor for protection failures so that it can deal with incidents and contain the harm they cause.

The Information Governance Steering Group will discuss any risk areas raised by Divisions as a standing agenda item each quarter. The Information Governance team will be available for queries between meetings and will spot-check information asset registers and assessments on a rolling programme.

Analysis of incidents will support the Trust in understanding the real level of risk being experienced and in adjusting the controls in place.

The dynamic nature of evolving information use and technology requires regular re-evaluation of risks and controls, to ensure that risks do not grow out of hand, that controls do not constrain operational effectiveness, and that risk tolerance levels are not exceeded.

The Trust Board will ensure that it understands and accepts the aggregate information risk position, so that the Trust's information protection obligations are fulfilled.


15.6 Responsibilities and Risk Framework

15.6.1 Senior Information Risk Owner

The Trust Board will assign a Senior Information Risk Officer (SIRO) who will, in turn, have responsibility for providing the Board with the Information Risk Report on a monthly basis.

The SIRO is responsible for:

- Ensuring that an overall culture exists that values and protects information within the organisation

- Owning the organisation's overall information risk policy and risk assessment process, testing its outcome and ensuring that it is used

- Advising the Chief Executive on the information risk aspects of their statement on internal control

- Owning the organisation's information incident management framework

The Trust SIRO is the Director of Finance, Deputy Chief Executive Officer.

15.6.2 Directors and Service Leads

Each Director/Service Lead will be designated with Risk/Data Ownership for information assets under their control at Divisional level, and they will in turn identify Service/Departmental Risk/Data Owners.

15.6.3 Information Asset Owners / Information Asset Administrators

Each Information Asset Owner / Information Asset Administrator will provide the SIRO, via the Information Governance Steering Group, with a baseline of their information assets, the associated risks and the controls in place to mitigate them.

The Information Asset Owners / Information Asset Administrators will use the Information Classification Policy to enable critical assets to be identified and give priority to these assets.

It will be the responsibility of the Information Asset Owners / Information Asset Administrators to ensure that new information assets are added to their baseline and any redundant assets removed.

15.6.4 Information Governance Steering Group

The Information Governance Steering Group is responsible for collating all identified information risks and discussing the organisation's Information Governance incident log. The Group is responsible for communicating identified risks, their assessed impacts on the organisation and suggested mitigation to the SIRO and Governance Group.

15.6.5 Head of Information Governance & IT Security

The Head of Information Governance & IT Security will provide support and guidance on the implementation of Information Governance and Information Risk Management to the SIRO, Directors, Service Leads and Information Asset Owners / Information Asset Administrators.

An overview of the Information Risk Management Framework is attached at Appendix 1.

15.7 Information Assets and Quarterly reports


All new projects (new systems, new services, staff moves) within a risk owner's area of responsibility must have a Privacy Impact Assessment (PIA) undertaken.

The PIA status should be included in the baseline report.

The PIA will be undertaken by a specialist from the Information Governance team. The specialists will also support Information Asset Owners / Information Asset Administrators in undertaking PIAs on existing areas if required.

The Risk/Data Owner will ensure every system, holding information in their responsible areas has a designated system administrator.

The System Administrator must have in place procedures to:

- add and remove starters and leavers,

- audit and check users' system access levels,

- ensure users follow protocols governing use of the system.

The System Administrator must have undertaken the Trust Information Governance training module.

The Information Risk Report will be set up in the Trust risk management system and Information Asset Owners / Information Asset Administrators will be expected to review their assets/controls/progress/incidents on a monthly basis.

This task can be delegated to Senior Managers but will remain the responsibility of the Director/Head of Service.

15.8 Related Policies and Work Plans

The Information Governance (IG) team will be responsible for reviewing and updating the suite of policies that support handling of information within the Trust. The Information Governance Steering Group will have oversight of the work programme (IG Toolkit) and IG policies.

The policies will be based on National and NHS standards of good practice.

Ref: CDDFT Information Risk Procedure

15.9 Training

All staff will undertake Information Governance training annually to enable them to identify and assess risk within their own daily work and be aware of policies which will support them. This will be completed by the national e-learning IG Training tool.

The Information Governance Team will undertake specialist training to maintain their own knowledge of legislation and standards of good practice.

15.10 Monitoring

The Information Governance team will ensure a programme of audit, testing and monitoring of systems/staff/providers working to policy and standards. The outcomes and any actions from this programme will be logged centrally and inform the Information Governance Steering group on a quarterly basis.

15.11 Incident Reporting

All information incidents will be reported via the Trust IR1 reporting policy and notified to the Trust via the Risk report; these will be reviewed for trends or patterns, and for their impact on the controls in place, by the Information Governance Steering Group and the SIRO.


15.12 Appendix 1

CDDFT Information Governance Risk Management & Assurance Framework

Illustrative organisation structure (diagram)

Governance bodies and roles shown, from the top down: CEO / Board; SIRO; Business and Infrastructure Committee; IG Steering Group; Information Asset Owner (Systems and Other).

Framework documents and controls shown: Overarching IG / IS Policy; Information Risk Policy; Information Security Management System; IG Toolkit; Risk & Issue Registers; Mitigation action plans; System Security Policy; System Accreditation.


Appendix 2 – Equality Impact Assessment

Preliminary Assessment Form v1/2009

The preliminary impact assessment is a quick and easy screening process.

It should:

- Identify those policies, procedures, services, functions and strategies which require a full EIA by looking at:

  - negative, positive or no impact on any of the equality groups

  - opportunity to promote equality for the equality groups

  - data / feedback

- prioritise if and when a full EIA should be completed

- justify reasons why a full EIA is not going to be completed

Division/Department Information Services

Title of policy, procedure, function or service CDDFT Information Risk Policy

Type of policy, procedure, function or service

Existing

New/proposed

Changed

2

Q1 - What is the aim of your policy, procedure, project or service?

To ensure Trust is compliant with Information risk policy

Q2 - Who is the policy, procedure, project or service going to benefit?

Full Trust Staff


Q3 - Thinking about each group below, does, or could, the policy, procedure, project or service have a negative impact on members of the equality groups below?

Group | Yes | No | Unclear

Age X

Disability X

Race X

Gender X

Transgender X

Sexual Orientation X

Religion or belief X

Relationships between groups X

Other socially excluded groups X

If the answer is “Yes” or “Unclear” you MUST complete a full EIA

Q4 – Does, or could, the policy, procedure, project or service help to promote equality for members of the equality groups?

Group | Yes | No | Unclear

Age X

Disability X

Race X

Gender X

Transgender X

Sexual Orientation X

Religion or belief X

Relationships between groups X

Other socially excluded groups X

Q5 – Do you have any feedback data from equality groups that indicate how this policy, procedure, project or service may impact upon these groups?

Group | Yes, No Impact | Yes, Impact | No | Unclear

Age X

Disability X

Race X

Gender X


Transgender X

Sexual Orientation X

Religion or belief X

Relationships between groups X

Other socially excluded groups X

Q6 – Using the assessments in questions 3, 4 and 5, should a full assessment be carried out on this policy, procedure, project or service?

Yes No x

If you have answered “Yes” now follow the EIA toolkit and complete a full EIA form

Q7 – How have you come to this decision?

Trust must comply with Department of Health standards re information risk management.

Q8 – What is your priority for doing the full EIA?

High Medium Low

x

Q9 – Who was involved in the EIA, and how?

Author

This EIA has been approved by: Head of Information Governance

Date: 03/12/10 Contact number: x3085

Please ensure that this assessment is attached to the policy document to which it relates.


Appendix 3 – Dissemination Plan (To be completed and attached to Policy and Guidance documents when submitted to the Committee approving this document)

Policy or Guidance (P&G) Title: CDDFT Information Risk Policy

Date finalized January 2011

Dissemination Lead (contact details) Head of Information Governance and IT Security DMH x3085

Previous P&G already being used? No. If yes, in what format and where?

Proposed action to retrieve expired copies of P&G: delete old copy and retain. Upload new.

To be disseminated to | How will it be disseminated, who will do it and when? | Paper or electronic | Comments

Full trust | Intranet site news page | Electronic |

Full trust | Email trust bulletin | Electronic |

Full trust | IG Intranet site | Electronic |

Dissemination Record – to be used once Policy or Guideline Approved

Date uploaded onto the Trust’s Intranet ?/11/08.

Disseminated To (either directly or via meetings, etc) | Format (i.e. paper or electronic) | Date disseminated | No of copies sent | Contact Details / Comments

IGSG | electronic | Jan 11 | Full attendees |

General comments: