Document History

Document name: INFORMATION GOVERNANCE POLICY

Author: Hannah Edwards

Owner: Information Governance Committee

Revision History

Version | Revision date | Summary of Changes
1.0 | | Initial draft
2.0 | 2nd April 2007 | Small changes made
3.0 | | Final version
4.0 | 29th April 2008 | Change to audit frequency
5.0 | October 2009 | Changes made to reflect PCT and DCHS structures

Distribution and Approval

Name | Version | Date | Comments
Information Governance Committee Members | 1.0 | 26th February 2007 | Some comments made
Sub-Group of Information Governance Committee | 2.0 | 2nd April 2007 | Small changes made
Integrated Governance Committee | 3.0 | 17th July 2007 | Approved
Information Governance Committee | 4.0 | 6th May 2008 | Approved
Information Governance Committee | 5.0 | 3rd November 2009 | Approved

Review date: March 2010

INFORMATION GOVERNANCE POLICY

1 Summary

2 Statement of Principles

Openness

Legal Compliance

Information Security

Information Quality Assurance

3 Responsibilities

4 Information Governance Infrastructure

5 Conclusion


1 SUMMARY

Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.

It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.

This document sets out minimum policy standards across the community for confidentiality, integrity and availability of Information. The policy is intended to cover the overlapping areas of Data Protection Compliance, Information Security (ISO17799 standard), Data Quality and Confidentiality (with regards to ‘common law’).

NOTE: where this policy states ‘The PCT’, this refers to the PCT including Derbyshire Community Health Services.

2 STATEMENT OF PRINCIPLES

The PCT recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The PCT fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information. The PCT also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

The PCT believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to ensure and promote the quality of information and to actively use information in decision making processes.

There are 4 key interlinked objectives to the Information Governance Policy:

• Openness
• Legal Compliance
• Information Security
• Quality Assurance

2.1 Openness

• Non-confidential information on the PCT and its services should be available to the public through a variety of media, in line with the PCT’s code of openness.

• The PCT will establish and maintain policies to ensure compliance with the Freedom of Information Act.

• The PCT will undertake or commission regular assessments and audits of its policies and arrangements for openness.

• Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients.

• The PCT will have clear procedures and arrangements for liaison with the press and broadcasting media.

• The PCT will have clear procedures and arrangements for handling queries from patients and the public.

Co-operation between Organisations

The PCT will, where there is a defined purpose (or set of purposes) that are beneficial and justifiable, sign up to information sharing protocols with partner organisations, provided these protocols are set out within the boundaries of applicable legislation and regulation and do not compromise the PCT or the confidentiality of the personal/sensitive data that it holds.

2.2 Legal Compliance

• The PCT regards all identifiable personal information relating to patients as confidential.

• The PCT will undertake or commission regular assessments and audits of its compliance with legal requirements.

• The PCT regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.

• The PCT will establish and maintain policies to ensure compliance with relevant legislation.

• The PCT will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation, NHS standards and guidelines.

2.3 Information Security

• The PCT will establish and maintain policies for the effective and secure management of its information assets and resources.

• The PCT will undertake or commission regular assessments and audits of its information and IT security arrangements in line with the PCT’s audit plan.

• The PCT will promote effective confidentiality and security practice to its staff through policies, procedures and training.

• The PCT will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

2.4 Information Quality Assurance

• The PCT will establish and maintain policies and procedures for information quality assurance and the effective management of records.

• The PCT will undertake or commission regular assessments and audits of its information quality and records management arrangements, in line with the PCT’s audit plan.

• Managers are expected to take ownership of, and seek to improve, the quality of information within their services.

• Wherever possible, information quality should be assured at the point of collection.

• Data standards will be set through clear and consistent definition of data items, in accordance with national standards.

• The PCT will promote information quality and effective records management through policies, procedures/user manuals and training.

3 RESPONSIBILITIES

It is the role of the PCT Board to define the PCT’s policy in respect of Information Governance, taking into account legal and NHS requirements. The Board is also responsible for ensuring that sufficient resources are provided to support the requirements of the policy.

While there is one toolkit submission covering the PCT including Derbyshire Community Health Services (DCHS), both the PCT and DCHS Information Governance Committees are responsible for:

• Overseeing day to day Information Governance issues
• Developing and maintaining policies, standards, procedures and guidance
• Raising awareness of Information Governance

The Director of Commissioning and Informatics is the Board representative for Information Governance and is the appointed SIRO (Senior Information Risk Owner). The SIRO is responsible for information risk management and will provide written advice to the Accountable Officer on the content of their annual Statement of Internal Control (SIC) in regard to information risk.

The Medical Director for DCHS is the Caldicott Guardian for the PCT including DCHS and therefore has responsibility for championing confidentiality and data protection issues and acting as the ‘conscience’ of the organisation when dealing with information sharing and disclosure.

Managers within the PCT and DCHS are responsible for ensuring that the policy and its supporting guidelines are built into local processes and that there is on-going compliance.

All staff, whether permanent, temporary or contracted, are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis.

4 INFORMATION GOVERNANCE INFRASTRUCTURE

PCT BOARD

DCHS Board

PCT Integrated Governance

DCHS Integrated Governance

PCT Information Governance

DCHS Information Governance

6 CONCLUSION

The implementation of the policy and action plan will ensure that information is more effectively managed by both the PCT and DCHS. Each year this policy will be reviewed and an action plan developed against the IG toolkit to identify key areas for continuous improvement.

Equality Impact Risk Assessment Forms

Important information about the documentation for Stage 1 Screening and Stage 2 Full Assessment

Please note:

For the purposes of EIRA all Functions, Services, Policies, Procedures and Protocols are referred to as The Process.

Stage 1

All processes need to have Stage 1 Screening.

If Stage 2 Full Assessment is found not to be required following the Screening, only the Stage 1 documentation should be attached to the process when completed.

Stage 2

If Stage 2 Full Assessment has been identified as needed following the Screening, both Stage 1 and Stage 2 documentation should be attached to the process when completed.

Full guidance on completing EIRAs is available on the Intranet under Equality and Diversity.

Equality Impact Risk Assessment Form (EIRA)

Process being assessed is a:

• Guideline
• Service or Practice
• Written Policy ✓
• Informal policy
• Function or Strategy ✓
• Informal procedure
• Other (please state)

NB. WHATEVER IS BEING ASSESSED WILL BE DESCRIBED AS A PROCESS FROM NOW ON

Name of process: Information Governance Policy & Strategy

Reference number if an existing policy /process: PRO/07/08

Person responsible for process: Hannah Edwards

Directorate and Dept section: Provider Development – Information Dept

Process is: New ✓ Existing

Lead person responsible for conducting the EIRA: Hannah Edwards

Answer the following screening questions on completion of the assessment and send to the HR Department – Lead for Equality and Diversity for signing off along with a copy of the process.

If no relevance to inequality found

Date screening completed: 19/06/2007 Date for screening review:

If relevance to inequality found and full assessment undertaken

Date full assessment completed:

Date for review:

EIRA signed off by Trust Equality Lead Linda King Yes No

Date 2 July 2007 √

Stage 1 – Screening the process

What are you assessing and whom do you need to do it with?

Q1. What is the aim and what are the key objectives of the process?

The Information Governance Policy and Strategy set out the minimum policy standards for ensuring information is managed appropriately and effectively across the PCT. The aim is to ensure that all information is accurate, timely, complete, accessible and treated confidentially whenever appropriate. The strategy sets out the approach to be taken by the PCT to provide a robust Information Governance framework to achieve those aims.

Q2. What outcomes or benefits is the process attempting to achieve, why and for whom? (e.g. What do you want to be providing, how well, changes improvements and what benefits will there be?)

The objectives of the Information Governance policy and strategy are to ensure openness, legal compliance, robust information security and effective quality assurance for all information. Effective information management will benefit all staff, patients and the public by ensuring they have access to the information they need, when they need it.

Q3. What other key process does this link with? (Consider process that will affect access to your process and outcomes. Consider a joint EIRA if there are interlinking issues)

The key policies linked to the Information Governance Strategy and Policy are:
- Records Management Policy
- IM&T Security Policy
- Confidentiality Code of Conduct for Staff

Q4. What Partners / Stakeholders (Internal and External) are you involving in this assessment: (Consider the people who developed the process, are responsible for implementing it or are involved in similar or linked process?)

DHIS Information Governance Team

Is it likely it will be affected by legal requirements on equality?

Q5. Do you believe the process being assessed needs to ensure that it helps to meet the duty of equality in:

Please tick all that apply:

• Eliminating Discrimination
• Promoting Equal Opportunities
• Promoting good relations between different groups

If you ticked any of the above the process will definitely require a full assessment

What do you / we already know?

Q6a Is there any existing EVIDENCE or CONCERN from staff, users or communities that any of the following groups have been or could be affected in different ways by the aims, objectives or implementation of the process? Is that impact positive or negative?

Group (columns: Yes, No, Positive, Negative)

• Age ✓
• Gender (Male, Female and Transsexual)? ✓
• Learning Difficulties / Disability or Cognitive Impairment? ✓
• Mental Health Need? ✓
• Sensory Impairment? ✓
• Physical Disability? ✓
• Race or Ethnicity? (Including cultural beliefs and norms) ✓
• Religious, Spiritual belief? ✓
• Sexual Orientation? ✓
• Homeless or chaotic lives? ✓
• Others — Please state

6b.Please give details of the evidence you have:

Do you have confidence in not discriminating or impacting on key groups?

Q7. If you do not have any evidence for Q6, can you show that you have enough evidence, or are you confident enough, to demonstrate either that the process will/does not negatively impact the groups mentioned or that the process is not applicable for assessment against these groups?

Yes ✓ No

If you answered No the process is likely to require a full assessment (please go to Q8).

If you have ticked Yes please detail what evidence you have:

The Information Governance Policy and Strategy are high-level documents with no mention of any standards or procedures that could negatively impact the groups mentioned.

Next Steps

Q8. Does this process need to go onto full assessment? To decide whether your process needs a full assessment consider – does your evidence indicate possible negative impact, how clear is the evidence you already have, are you confident in your evidence of no negative impact?

Yes: If you have ticked yes please go to Q10

No ✓: If you have ticked no please go to Q9

Q9. Briefly state your reasons for this proposal not going onto a full assessment. The Information Governance Policy and Strategy are high-level documents detailing the approach and standards required by the PCT to ensure effective information management. The linked policies mentioned in Q3 cover specific information governance areas in more detail and will be assessed separately to identify if they have any equality impact.

Please now complete the screening question on the cover sheet

Q10. Using the prioritisation guide on page 5 please indicate if you feel the proposal is a possible:

• High Risk of Impact
• Medium Risk of Impact
• Low Risk of Impact ✓

Please state the date you are going to undertake a full assessment: ______

Please now file a copy of your screening and send a copy to the Lead for Equality and Diversity in the HR Department. Link your results / findings with whatever procedures or process for policy development that is relevant to your work or Directorate.

PRIORITISATION GUIDE

Level of Impact: HIGH
• The function is relevant to all parts of the duty
• There is substantial evidence of groups being adversely affected
• There is substantial public concern

Criteria:
• Potential for significant negative outcomes on different groups
• Potential for significant concern about how different groups are treated

Characteristics:
• Frontline services with high scope for, or evidence of, unequal access or outcomes
• Strategic planning functions with direct impact on how services that have an equality dimension are organised
• Typically ACCESS to service / proposal by either Employees or Service Users may be raised at this level

Actions: Process needs to be reviewed and amended as soon as possible and within 1 year

Level of Impact: MEDIUM
• The function is relevant to most parts of the duty
• There is some evidence of groups being adversely affected
• There is some public concern

Criteria:
• Potential for different groups to be inappropriately treated differently
• Potential for concern about how different groups are treated or that services are delivered differently.

Characteristics:
• Frontline services with less scope for, or evidence of, unequal access or outcomes.
• Strategic functions that could influence how different groups are treated
• Typically, EXPERIENCE of service / proposal by either Employees or Service Users may be raised at this level

Actions: Process needs to be reviewed and amended within 2 years

Level of Impact: LOW

Criteria:
• Little or no potential for unequal access or impacts between different groups

Characteristics:
• Back office support functions
• Direct service delivery where scope for different access or outcomes is limited
• All other functions (even ones with very little relevance).

Actions: Process needs to be reviewed and amended within 3 years