Sandwell Children’s Trust Information Framework

Document Control

Title: Information Governance Framework
Version: V1.0
Status: Draft
Place in Organisation: Strategy and Transformation Directorate
Produced by: Data Protection Officer

Amendment History

Date | Summary of Changes | Author(s) | Version Number

Document Approval

Approved By: Executive Management Team
Approved Date: 30/01/2019
Next Review: 3 years from date of approval

Information Governance Framework

Contents

1. PURPOSE OF THE FRAMEWORK
2. SCOPE
3. OBJECTIVES
4. ROLES AND RESPONSIBILITIES
4.1. Role of the Accounting Officer (AO)
4.2. Role of the Senior Information Risk Owner (SIRO)
4.3. Role of the Information Governance Group in Information Governance
4.4. Role of the Caldicott Guardian (CG)
4.5. Role of the Information Asset Owners (IAOs)
4.6. Role of the Data Protection Officer (DPO)
4.7. Role of all staff
5. OPERATIONAL REQUIREMENTS
6. INFORMATION POLICIES
7. IMPLEMENTATION PLAN


1. PURPOSE OF THE FRAMEWORK

The purpose of this Information Governance Framework is to formally establish Sandwell Children’s Trust’s position regarding information assurance. It is intended to describe the processes in place to gain confidence that information risk is being adequately identified, mitigated and monitored. It sets out the roles and responsibilities within Sandwell Children’s Trust to support Information Assurance, with particular emphasis on ensuring appropriate personnel have been assigned responsibilities for the management of information assets within the organisation.

The framework has been reviewed and developed to reflect the start-up of the Trust in 2018 as well as current risks and challenges. The Information Governance Framework is the legal, regulatory and business context within which information assets for Sandwell Children Trust are created, used and managed. The framework sets the controls that are required to support the Trust’s purpose of improving the lives of children and young people.

Figure 1 Information Governance Document Hierarchy

2. SCOPE

The Framework applies to all the Trust’s staff, contractors and consultants, regardless of employment terms, position and location.


The Framework applies to all the Trust’s information assets, including:
- the information and data the Trust has inherited from the Council
- information created to support business activities
- applications and systems used to create, capture and maintain information

Throughout this document, all Trust records, information and data holdings are described holistically by the term 'information'. The framework is supported by a three-year or five-year Information Governance Strategy.

3. OBJECTIVES

The objectives of the Information Governance Framework are to:
- affirm the Trust's commitment to effective information governance practices in order to meet legal obligations, accountability requirements, business needs and stakeholders' expectations
- ensure that all information assets are well managed throughout the information life cycle
- ensure all staff understand their information governance responsibilities
- support consistent information management standards and practices across the Trust

4. ROLES AND RESPONSIBILITIES

4.1. Role of the Accounting Officer (AO)

The Chief Executive Officer (CEO) has overall accountability for Information Governance (IG) within the Trust. As Accountable Officer, the CEO is accountable for the management of IG and for ensuring appropriate mechanisms are in place to support service delivery and continuity. IG provides a framework to ensure information is used appropriately and is held securely.

KEY RESPONSIBILITY

When the Information Commissioner’s Office calls the Trust to account, it is its Accounting Officer who gives evidence. In turn, others in the organisation, operating under delegated powers, account for their own performance to the Accounting Officer.

4.2. Role of the Senior Information Risk Owner (SIRO)

The Senior Information Risk Owner (SIRO) is an Executive Director or Senior Management Board Member who takes overall ownership of the Trust’s confidentiality and data protection obligations, acts as champion for information risk on the Board and provides written advice to the Chief Executive/Accounting Officer on the content of the Trust’s Statement of Internal Control in regard to information risk. The SIRO is expected to understand how the strategic business goals of the Trust, and those of other Social Care Organisations, Local Authorities and NHS Organisations, may be impacted by information risks, and how those risks may be managed. The SIRO will implement and lead the Information Governance (IG) risk assessment and management processes within the Trust and advise the Board on the effectiveness of information risk management across the Trust. The SIRO shall receive training as necessary to ensure they remain effective in their role as Senior Information Risk Owner.

RESPONSIBLE TO: The Accounting Officer or the Chief Executive Officer

KEY RESPONSIBILITIES

a) Policy and process
- Oversee the development of an Information Risk Policy. This should include a Strategy for implementing the policy.
- Take ownership of the assessment processes for information risk, including prioritisation of risks and review of the annual information risk assessment to support and inform the Statement of Internal Control
- Ensure that the Board and the Chief Executive (Accountable Officer) are kept up to date and briefed on all information risk issues affecting the Trust and its business partners
- Review and agree actions in respect of identified information risks
- Ensure that the Trust’s approach to information risk is effective in terms of resource, commitment and execution, and is appropriately communicated to all staff
- Provide a focal point for the escalation, resolution and/or discussion of information risk issues
- Ensure that an effective infrastructure is in place to support the role by developing a simple Information Governance structure, with clear lines of Information Asset ownership and reporting and well-defined roles and responsibilities

b) Incident Management
- Ensure that identified information threats and vulnerabilities are followed up for risk mitigation, and that perceived or actual information incidents are managed in accordance with the Data Protection Act 2018 and the Security Policy Framework
- Ensure that there are effective mechanisms in place for reporting and managing Serious Untoward Incidents (SUIs) relating to the information of the Trust. These mechanisms should accommodate technical, operational or procedural improvements arising from lessons learnt.

c) Leadership
- Provide leadership for Information Asset Owners (IAOs) of the Trust through effective networking structures, sharing of relevant experience, provision of training and creation of information risk reporting structures
- Advise the Board on the level of Information Risk Management performance within the Trust, including potential cost reductions and process improvements arising

4.3. Role of the Information Governance Group in Information Governance

An Information Governance Group (IGG) will meet periodically and will be chaired by the Senior Information Risk Owner or the Governance and Strategy Manager. The terms of reference for the Information Governance Group set out the members and the role of the group. The Group will ensure that Sandwell Children’s Trust has effective policies and management arrangements covering all aspects of the Information Governance Framework themes as set out in section 4. The SIRO will receive regular reports from nominated Lead Officers on activity that demonstrates compliance with the Information Governance Framework.

KEY RESPONSIBILITIES

a) To ensure that an appropriate, comprehensive information governance framework, strategy and action plan is in place throughout the Trust in line with current industry standards and legislative requirements
b) To inform the review of the Trust’s management and accountability arrangements for Information Governance
c) To advise on the suite of information governance policies and the associated IG strategy
d) To monitor compliance in:
- Confidentiality and data protection
- Information security (including cyber)
- Records Management and Transparency (including Freedom of Information and Environmental Information Regulations)
- Data Quality and analytics
- Personal Data Information Rights (SARs, Erasure, Rectification)
e) To coordinate the activities of staff given data protection, confidentiality, security, information quality and Freedom of Information responsibilities
f) To offer support, advice and guidance to the Caldicott Function and the Information Governance Function within the Trust

4.4. Role of the Caldicott Guardian (CG)

The Caldicott Guardian acts as the Trust’s conscience and will be, in order of priority:
- an existing member of the senior management team
- a senior health or social care professional
- the person with responsibility for promoting or equivalent functions

The Trust Caldicott Guardian will be registered on the publicly available National Register of Caldicott Guardians and will need to:
- advise when any information risk reviews concerning personal information are carried out
- be aware of any confidentiality issues related to the SIRO’s information risk work
- work with the SIRO on issues that cross responsibility areas, e.g. information mapping
- coordinate their work and the organisation’s response, together with that of the SIRO, if there is an incident affecting personal information

RESPONSIBLE TO: The Accounting Officer or the Chief Executive Officer

KEY RESPONSIBILITIES

a) In the strategic role, the Caldicott Guardian must:
- be familiar with the Trust’s business and goals regarding the use and sharing of confidential information
- be a member of the Information Governance Group
- be on the Board/senior management team:
  o as a champion for information sharing and confidentiality issues
  o advising on current information sharing and confidentiality p
  o providing regular reports about the management of Caldicott issues

b) In the advisory role, the Caldicott Guardian must:
- access internal and external sources of advice and guidance where necessary to provide information sharing and confidentiality advice
- issue advice to help resolve local issues impacting on the information sharing and confidentiality agenda
- keep a log of resolved issues

c) In the operational role, the Caldicott Guardian must:
- advise on how information sharing and confidentiality are addressed in the Trust’s strategies, policies, working procedures and training
- make sure that lessons learned from confidentiality incidents are disseminated to staff and the resulting actions completed
- actively support work to facilitate and enable appropriate information sharing
- be a key contributor to the approval process when information is to be shared

4.5. Role of the Information Asset Owners (IAOs)

Information Asset Owners (IAOs) are directly accountable to the SIRO and must provide assurance that any personal data processed within their service area is compliant with the Trust’s information governance obligations. IAOs are the Heads of Service or a senior/responsible individual involved in running the relevant business. IAOs must formally review their information assets and complete an annual assurance statement covering the confidentiality, integrity and availability of those assets, including those in their delivery chain, at a minimum once a year or more frequently (quarterly or six-monthly) if the risks are exceptionally high, and implement proportionate responses. Through the Cabinet Office issued ‘The Data Handling Review’, the government has made the role of Information Asset Owner (IAO) a mandatory requirement for public sector organisations.

RESPONSIBLE TO: The Senior Information Risk Owner (SIRO)

KEY RESPONSIBILITIES

To meet the requirements of the Cabinet Office issued ‘Security Policy Framework (SPF)’, IAOs will have to:
a) Lead and foster a culture that values, protects and uses information for the public good
b) Know what information the asset holds, and what enters and leaves it and why
c) Know who has access and why, and ensure their use of the asset is monitored
d) Understand and address risks to the asset, and provide assurance to the SIRO
e) Ensure the asset is fully used for the public good, including responding to access requests

4.6. Role of the Data Protection Officer (DPO)

The role of the Trust Data Protection Officer (or ‘DPO’) is to manage and ensure the Trust’s and the CEO’s statutory obligations in respect of all matters relating to information law, including the Data Protection Act 2018, General Data Protection Regulation 2018, Freedom of Information Act 2000 and Environmental Information Regulations 2004.

RESPONSIBLE TO: The Senior Information Risk Owner (SIRO)

KEY RESPONSIBILITIES

The Trust DPO is responsible for the following tasks:
- to inform and advise the AO and the SIRO, and provide a steer to the organisation on its obligations pursuant to the Data Protection Act 2018, and, where necessary, act as the arbiter on matters in relation to information law compliance
- to develop and monitor the implementation and application of the Trust’s policies in relation to its information governance obligations, including the setting of corporate standards, assignment of responsibilities, raising corporate awareness, the training of staff and the implementation of related audits
- to ensure that the Trust is compliant with its ICO registration and privacy notices and that all relevant documentation is maintained
- to lead the investigation, resolution and regulatory reporting of confidentiality or privacy breaches, criminal offences and complaints, acting as an ‘expert witness’ in legal proceedings where required
- to identify, monitor and raise information law risks for the attention of the CEO, SIRO and Caldicott Guardian through the approved corporate channels, ensuring that all risks, mitigations, actions and sign-offs are formally recorded within the corporate risk registers
- to act as the Point of Contact (or ‘POC’) for regulatory bodies (including the Information Commissioner’s Office), stakeholders and partners on the Trust’s information law obligations, providing the Trust’s position with regard to these obligations and ensuring corporate consistency and compliance in these matters
- to embed information governance within all Trust business processes, through the development of Trust strategies and action plans

4.7. Role of all staff

All staff are required to complete relevant training as required. The Trust endeavours to maintain a training completion rate of 95%, as required by the Data Security and Protection Toolkit. Other responsibilities are to:
- promptly report any information security incident or (perceived) breach they identify
- seek advice where they are unsure how to comply with data protection legislation or this framework
- respond promptly to information requests in connection with data subject rights and freedom of information requests
- understand that failure to comply with Trust policy is treated seriously and can lead to disciplinary action
- understand that it is an offence for an individual, knowingly or recklessly, to unlawfully disclose personal data, and that this can lead to personal prosecution by the Information Commissioner’s Office

5. OPERATIONAL REQUIREMENTS

The Information Governance Framework is built around 12 key themes which are set out below. The themes are derived from industry standards on Information Governance, Assurance and Security. The themes set out the key areas the Trust will rely on to effectively manage Information Governance.

Each theme will have a nominated lead officer who will be responsible for providing progress updates on a regular basis. The IGG will then be responsible for reviewing the information and assurances presented to them by each of the nominated lead officers and for satisfying themselves that the relevant risks are being appropriately managed.

i. Governance and Accountability
ii. Personal Data Information Asset Registers
iii. Embedding Data Privacy into SCT Operations
iv. Privacy Training and Communications
v. Managing Information Risks
vi. Manage Third-Party Risk
vii. Develop and Maintain Notices
viii. Procedures for Inquiries, Complaints and Requests
ix. Privacy by Design
x. Audit
xi. Systems and Database Compliance

6. INFORMATION POLICIES

Information Governance covers a wide range of policies, processes and procedures. These may include:
- Confidentiality and Data Protection
- Information Security
- Records Management and Archiving
- Retention and Disposal Schedules
- ICT and Acceptable Use
- Information Sharing Toolkit
- Remote Working

7. IMPLEMENTATION PLAN

Responsibility and accountability for Information Governance is implemented in the Trust through the Accounting Officer, the Senior Information Risk Owner, the Executive Management Team, the Information Governance Group, the Caldicott Guardian and the Data Protection Officer, through the themes identified above and a dedicated Information Governance Action Plan.

Other sources of reading, support and advice
- Accounting Officer’s survival guide, HM Treasury
- The Orange Book, HM Treasury
- Security Policy Framework, Cabinet Office
- Cyber risk management, a board level responsibility, BIS
- Cyber risk, The Institute of Risk Management
- Risk guides, The Institute of Risk Management
- Information asset owners and digital continuity, The National Archives
- Identifying Information Assets and Business Requirements, The National Archives
- Information Asset Register factsheet, The National Archives
- Guidance on the IAO Role, May 2018, Cabinet Office, National security and intelligence, and Government Security Profession
- Data protection officers, ICO

General Note: This Framework will be reviewed every three years from the date of approval, unless required earlier.
