Information Governance Strategy

Version 3.0

Includes ‘Information risk’ & incident management methodology
Approved by: Quality Assurance Group
Ratification date: February 2017
Review date: January 2019
Document Status

Version: 5.0
Document Author(s): Kate Tregale
Document Owner: Chief Financial Officer & Caldicott Guardian
Client: Clinical Commissioning Group
File Reference:
Date Issued: February 2017
Approved by and date of approval: QAG February 2017 via exceptional reporting
Revision History
South, Central & West Commissioning Support Unit
Document status: current

Version 1.0, 17th December 2004: First draft for comment & PCT specific tailoring
Version 1.1, 28th January 2005: Minor amendments following team comment
Version 1.2, 04 May 2005: Made current following PCT board approvals – included one amendment relating to scope including support for independent contractors.
Version 1.3, January 2006: Minor update in line with revised Information Governance Policy and to reflect upcoming PCT structure changes.
Version 1.4, October 2008: Review and update to reflect organisational and sector developments, particularly the role of Senior Information Risk Owner
Version 1.5, November 2010: Review and update to reflect changes in IG toolkit and to set out as suitable for future planned organisational structures – no fundamental changes, but improved throughout
Version 1.6, Jan 2012: Reference BNSSG Cluster and Information Risk Group
Version 1.7, Jan 2013: Prepared and altered for Clinical Commissioning Groups
Version 1.8, June 2013: Amended to reflect changes to incident reporting via IG toolkit.
Version 2.0, February 2014: Annual update – including Caldicott 2 recommendations
Version 3.0, January 2015: Review in relation to audits of IG Toolkit and v12
Version 4.0, January 2016: Annual review.
Version 5.0, February 2017: In year review
Contents

1 Purpose
2 Background
3 Scope
4 Strategic approach & objectives/deliverables
5 Accountability
6 Key Policy Framework
7 Management of work plan and compliance assessment
8 South Central & West Commissioning Support Unit & Resources
9 Monitoring providers
10 Risk, Incident and Query Management
10.1 Risk Management methodology
10.2 Incident reporting, management & investigation
11 Access control & data transfer principles
12 New developments – ensuring compliance
13 Education Strategy
14 Development, approval and implementation of guidance
15 Communication with patients and how their information is used
16 Review of Strategy, policy & guidance
1 Purpose
The organisation is required to have effective arrangements in place to govern the uses of
information and information systems in the organisation. This Strategy sets out the scope
and approach that the organisation will operate to ensure legal and regulatory compliance
and, where practical, best practice in handling information.
2 Background
Information Governance has developed a programme of work to encompass all aspects
of handling information and compliance with legislation including Data Protection Act
(1998) and the Freedom of Information Act (2000), and meeting regulatory standards for
records management, information security and data quality. It recognises the significant
overlap in activities, knowledge and skills required for these areas and aims to ensure
consistency and efficiency of approach to deal with related matters.
NHS Digital (formerly Health & Social Care Information Centre) have set standards and a
measure of compliance within the ‘Information Governance’ toolkit. Performance of
organisations relates to a number of core standards set by the Care Quality Commission.
It is also an intrinsic part of processes such as CCG authorisation and
commissioner/provider contracts.
In the wider context, organisations are now subject to significant monetary penalties if they
are found to have failed in their responsibilities under the Data Protection Act 1998.
Numerous large fines have been imposed by the Information Commissioner’s Office. As a
result, organisations are required to report any Serious Incidents Requiring Investigation
(SIRI) and provide assurance of compliance with information governance standards in the
annual report.
In 2013, the Information Governance Review ‘To share or not to share’ (Caldicott 2) was
published. This strategy has been revised in light of the recommendations accepted by
the Government response. A third report by Dame Fiona Caldicott was published in July
2016 reviewing Data Security, Consent and Opt-Outs. This report made a number of
recommendations along with a report by the Care Quality Commission (CQC) into how
data is safely and securely managed in the NHS. Although these recommendations are
being considered and not yet implemented the organisation is mindful of possible future
changes and will prepare as far as possible and review this policy when further
information is known.
The UK Data Protection Act will be replaced by the General Data Protection Regulation or
similar legislation during the next couple of years. Information Governance activities and
practices will be mindful of the requirements of this new approach to Data Protection, and
action plans will be created to ensure compliance.
It is also recognised that effective governance of information is a key supporting element
to making best use and gaining real benefit from the information resources.
3 Scope
Information Governance is an ‘umbrella’ term for a number of linked initiatives which are
categorised in the Information Governance toolkit as follows:
• Confidentiality & Data Protection – staff responsibilities and patients’ rights
• Corporate information – Freedom of information and records management
• Clinical information – Health records management
• Information Governance Management – operational framework
• Secondary Uses of information – appropriateness and quality
• Information Security – technical and organisational security processes
The scope is clearly wide with some impact on every member of staff. For an organisation
to ensure an appropriate level of compliance, many individuals and groups across the
organisation are required to have specified responsibilities. The groups and staff are
identified later and responsibilities are detailed in the Information Governance Policy
(IGMS). The scope of this strategy is to set out the structure for Information Governance
Management and activity, ensuring that the organisation addresses all areas effectively.
4 Strategic approach & objectives/deliverables
The fundamental objective for the strategy is to promote positive compliance with
legislation and standards and by consequence reduce risk, with risk being identified in a
number of categories:
• Loss of public trust/confidence in the organisation (due in particular to losses/inappropriate disclosures)
• Contribution to, or cause of, clinical or corporate negligence (due to unavailable, inaccurate, incomplete or out of date information)
• Legal action including fines, for non-compliance with Data Protection, Common Law, Human Rights and Freedom of Information legislation
So in assessing activities to comply, the Information Governance lead and other staff will
evaluate requirements from a risk management perspective, utilising where possible
existing risk assessment methods (CRAMM) and standards (ISO27000 series).
A ‘whole systems’ approach is fundamental to an effective Information Governance
framework. To this extent the work of the Information Governance team will incorporate
the following core work streams, directed towards ensuring implementation of the IG
policy and requirements of compliance with the IG toolkit:
• Information Governance Management System – ensuring that the approaches and methods for handling information are clearly documented and evidenced. This will include oversight of information governance work by appropriate committee.
  o Deliverables – a robust framework of policy and guidance that is approved, owned and promoted by the organisation, incorporating work plans to maintain and improve compliance.
• Education and awareness programme – of staff, partners, contractors and patients, achieved via formal and informal education and awareness programmes and a process to review and ensure compliance for all new uses of information both in terms of information systems and development of healthcare services. This stream is guided by the IG Education Strategy and Communication with patients and how their information is used.
  o Deliverables – A programme of educational activities that provide core education to all staff, which assesses staff knowledge and provides further support as required. Additional educational activities delivered to staff that need them via periodic organisation wide training needs analysis.
• Technical security solutions – establishing where technical solutions can aid the reduction of risk around handling data, but do not put unnecessary burdens on staff working practices. This is overseen by the Information Governance Group and managed on a day to day basis by an integrated programme between IG and IT services and linked to audits and risk assessment activities to identify requirements.
  o Deliverables – Any technical solution to improve security will be part of a defined business case (if needing funding) and project plan. Deliverables will be specifically defined within these.
• Information risk assessment programme (including security) – relating to compliance with policy and process and effectiveness of technical solutions and covering all aspects of related work, including system use, facilities, corporate records etc. This area includes specific local and internal audit programmes. This has a specific focus on knowing what information is held (information assets), where it comes from and where it goes (information flows) and managing times when it is unavailable (business continuity).
  o Deliverables – regular risk reviews of systems, processes as part of the annual assurance and improvement work plan for information governance. Annual reviews of the security of key information assets and information flows will be undertaken to ensure security is achieved and maintained as far as possible. Confidentiality & system usage audits will also be undertaken.
There are also significant work programmes in other areas that support Information
Governance compliance, namely:
• Data Quality work – linked to performance, contract monitoring and secondary uses of data extracted from the patient record. This also incorporates work to ensure that the use of Personal Confidential Data (PCD) is controlled appropriately within the framework of ‘Accredited Safe Havens’ and ‘Controlled Environment for Finance (CEfF)’. (This service is provided by South, Central & West Commissioning Support Unit to NS CCG).
An annual work plan for assurance and improvement will be established as part of the
end of year IG toolkit compliance assessment - see section 6 for more detail.
Compliance objectives:
April 2015 – Sept 2016 (achieved):
• Enhanced IG Strategy, integrated with overall CCG strategic aims
• Ensured 95% of staff achieved a pass in core IG knowledge assessment.
• CCG moved from locally provided online IG training compliance assessment to Skills for Health training tool via ConsultOD
• Moved activities to regular review, including information asset, data flow risk reviews stating the legitimate purpose for processing personal confidential data (PCD). Established rolling programme of detailed risk assessments for key assets.
• Maintain strong, robust IG approach supporting requirements such as DSCRO, ASH and CEfF
September 2016 onwards:
• Maintenance of level 2 or greater compliance with IG toolkit
• Implementation of recommendations from the National Data Guardian and CQC information security reviews when finalised.
• Implementation as required of policy and procedural changes required for compliance with General Data Protection Regulations or the new UK equivalent
• Compliance with NHS Digital’s data sharing framework contract and data sharing agreements
5 Accountability
Accountable officer: As required by the ‘statement of internal controls’ the accountable
officer is the Chief Financial Officer.
Support is provided by the following roles:
Senior Information Risk Owner (SIRO): The role currently resides with the Chief
Financial Officer and is required to be an executive board member. The role is to act as
an advocate for ‘information risks’ and will provide the statement of internal control.
The role will lead the identification and management of information risks that will affect the
strategic direction of the organisation as well as being responsible for the management of
serious incidents.
Caldicott Guardian: The guardian should be ideally a board member and a registered
clinical professional. The focus of the role remains the use of patient data and in terms of
the work areas within information governance, the role will focus on confidentiality/data
protection, clinical information and secondary uses of patient data.
The roles of SIRO and Caldicott Guardian are vital components within the organisation’s
framework for handling information appropriately; however, as they have limited time for
this area of work, there is also an operational and developmental support structure in
place to develop, maintain and check the required areas of compliance.
Information Governance (IG) Lead: The IG Lead for the CCG is the Senior Information
Governance Manager. The Senior IG Manager will operate the IG Framework, in order to
maintain, check and improve the required areas of compliance. They also act as the
Information Security Manager, in conjunction with key roles in IT services.
The table below illustrates the work areas, the key operational lead and the committees in
place to oversee the required operational and development activities:
Assurance Area (from NHS Digital IG toolkit): Overseeing committee; Lead staff
Confidentiality & Data Protection: Quality & Assurance Group; Caldicott Guardian / Senior Information Governance Manager
Clinical Information: Quality & Assurance Group; Caldicott Guardian / Senior Information Governance Manager
Information Governance Management: Quality & Assurance Group; SIRO / Senior Information Governance Manager
Secondary Uses: Quality & Assurance Group; SIRO / Senior Information Governance Manager & Head of Business Intelligence
Information Security: Quality & Assurance Group; SIRO / Senior Information Governance Manager, responsibilities as allocated in IT Services – IG responsibilities matrix
6 Key Policy Framework
The Information Governance Management System comprises the overarching IG
Policy, the Information Security policy, and the Data Protection & Confidentiality Policies. These
are supported by the guidance set produced and managed by the Information
Governance team: www.protectinginfo.nhs.uk/Staff_Guidance.asp
7 Management of work plan and compliance assessment
An information governance work plan will be developed and maintained. It will be
monitored by regular reports to the Quality & Assurance Group (QAG). Reporting will
enable QAG to:
• Monitor and direct activities to improve compliance with requirements
• Review and agree policies, processes and guidance
• Ensure operational support for queries, education, service development and audit/assurance is in place and effective.
The work plan will be managed by the Senior Information Governance Manager
(SWCSU). It will be overseen by the Senior Information Risk Owner and Caldicott
Guardian.
Improvements will generally be measured by increase in scores within the IG toolkit,
unless a specific goal is linked to a particular activity.
The programme will identify the resources required and responsibilities within the CCG
and SWCSU to deliver the programme. It will also identify timescales by which activities
are intended to be completed.
The SWCSU Information Governance team will undertake the annual assessment
required by the IG toolkit and will submit the results within the time frame dictated by NHS
Digital; this is currently the end of the financial year. In addition, any mandated ‘mid-year’
assessments will also be undertaken.
Improvement and update of the scoring will be undertaken throughout the year, so that
the audit is not left until the last month or two of the financial year. Approval of the score
to be submitted will be gathered from the SIRO and Caldicott Guardian and Quality &
Assurance Group.
8 South Central & West Commissioning Support Unit & Resources
SCW CSU will be undertaking a number of key activities on behalf of the CCG. The CCG
will therefore require assurance from SCW CSU that the processing of personal data that
it undertakes on behalf of the CCG is done in an appropriate and secure manner. SCW
CSU is required to undertake regular assessment of compliance with information
governance and improvement action where required.
The Service Level Agreement and or Information Sharing Agreement will include the core
purposes for processing data, as well as key principles and methods compliant with
Caldicott principles to only use personal data when necessary and to use the minimum
amount of personal confidential data.
A lead individual in the Information Governance team will be identified to fulfil the role of
‘Information Governance Manager’ for the organisation.
In order to maintain a quality service of ‘accessible expertise’ staff within the IG team who
fulfil the role of ‘Information Governance Manager’ will have access to expertise and ISEB
qualified data protection practitioners (or equivalent).
The IG team will provide support in both pro-active and reactive ways:
• Education – pro-actively through an ongoing programme of mandatory sessions and re-actively to incident reports and queries
• Audit – to meet requirements placed on the organisation by NHS Digital and any local audit procedure and to continually develop and maintain a programme of pro-active compliance audit with policy and procedure within the information risk management programme.
• Expert support – to service and system development programmes
9 Monitoring providers
As a commissioner of services, the CCG will establish a monitoring process to identify
compliance levels within their commissioned providers. This will be via the IG toolkit and
where required further discussion and investigation of provider compliance. This will also
include ensuring providers are investigating, managing, reporting and publishing details
on incidents appropriately.
Any monitoring activity will link to and utilise the NICE Quality Standard 15 (Patient
experience statements in adult NHS services) in particular statement 12 related to
information exchange.
10 Risk, Incident and Query Management
10.1 Risk Management methodology:
It is important to define the difference between a risk and an incident. In terms of this
methodology, a risk is where a problem has been identified that could lead to an incident.
Defining a problem as a ‘risk’ allows for either corrective action, or documented
acceptance of that risk to be in place prior to any potential incident and where possible
the probability of or impact from an incident to be reduced. The methodology applied is
consistent with the general approach to risk management within the organisation.
Identification of risks: There are several ways in which a risk will be identified:
• Query raised by staff member
• Assessment of new service or system by information governance team
• Compliance audit by information governance team
• Investigation of an incident/near miss that identifies where risk remains
Assessment of risks: Where an information governance risk has been identified in any
of the above situations, assessment of the risk will be undertaken by information
governance support. The level of documentation on these assessments will vary
depending on the situation where the ‘risk’ has been identified. Risks will be assessed on
the ‘5 x 5’ matrix of probability and impact, defined in the organisation risk management
policy and utilising the following guidance on potential impacts:
Level 1: Minor non compliance with standards
Level 2: Non compliance with standards
Level 3: Non compliance with core standards
Level 4: Enforcement action or fine. Major or repeated non compliance with core standards
Level 5: Prosecution/severe fine. Severely critical report

• Query – in many cases the advice provided in response to a query will mitigate the risk either entirely or to a reasonable degree. Responses to queries other than those that can be easily answered will be logged by the IG team. Should any real risk remain following the response, this will be included in the log and a risk assessment entered as a ‘compliance’ risk on the risk register.
• Assessment of new service or system – as with queries, advice provided should mitigate risk entirely or as far as reasonably possible. Should risk remain it will be assessed and where necessary highlighted in either the project risk log or the overall risk register.
• Compliance audit – any audit activity will produce a report that will highlight risks if necessary and potential action to reduce risk. Where the audit activity is part of formal internal or external audit, the formal audit processes will monitor activity to reduce risk and will liaise about appropriate entry in risk registers. Where audit has been undertaken by the information governance team, a report will be produced and any risks included on the risk register until they have been reduced.
• Investigation of an incident or near miss – as with the process to manage incidents the risk will be assessed and reduction actions planned. The process will see the risk reported to the Risk Manager for inclusion in the risk register.
Reporting of risks: The majority of risks raised to the information governance team to
assess will come from the department that will ‘own’ the risk and will be seeking ‘expert’
assessment. Therefore inclusion in the relevant risk register is the responsibility of the
staff member reporting the risk. This will be re-iterated by the information governance
team when assessing the risk.
Where the information governance team identify, potentially through pro-active audit
activity, risks that otherwise might not be identified, they will ensure that the relevant
manager in the department is made aware of the risk, in order that it can be included in
departmental or corporate risk registers where appropriate.
Reporting to the SIRO: Any risk scoring over 8 will be reported to the Senior
Information Risk Owner (SIRO). Risks scoring over 15 should be reported immediately to
the SIRO, Risk Manager and Head of Information Governance (SCWCSU). Any risk
scoring 25 will be reported immediately, via the SIRO, to the Chief Executive, or directly in
the absence of the SIRO. Risks scoring less than 8 will not be routinely reported.
10.2 Incident reporting, management & investigation
Incident reporting: The reporting of incidents relating to issues about information is part
of the organisation’s general ‘incident reporting’ procedure. Regular information
governance education informs all staff to report issues relating to information via the
organisation incident reporting process.
Incident management: Management of any incident will require collaboration between
the risk manager and information governance team. Each incident is specific and will
require its own management plan, however there are some forms of incident where swift
action is necessary and the information governance team may assume a lead role in
management.
• Allegation or suspected misuse of systems: It can be vital that potential evidence is preserved. If a case of potential misuse is brought to the attention of the information governance team, they will assess and determine if action is necessary to prevent further user access to system(s) and for IT equipment to be removed from further use for potential forensic examination. As expertise to undertake a forensic examination is limited, the engagement of professional services (NHS Forensic Computing Unit) will be considered. Decision will be taken by the Head of Information Governance and or Senior Information Governance Manager or in their absence by either the Head of IT Services, Head of SCW CSU or Chief Officer of the CCG. This is most likely in cases of email, internet or office systems misuse. If a member of staff may be potentially suspended from duty, discussion will take place with HR to determine if access should be temporarily halted, prior to discussion about suspension. Once suspension is confirmed access must be halted to all systems immediately.
• Data loss: Where an issue relating to data is reported the Information Governance team will undertake an immediate assessment and determine any potential containment actions. Following all efforts to contain an incident, an initial classification in relation to the published ‘Serious Incident Requiring Investigation’ scale will be determined. Any incidents with an initial classification of 1 or more will be notified to the Senior Information Risk Owner immediately.
  Where classification is difficult due to a lack of facts about a case, a ‘worst case scenario’ will be established and scored and if appropriate (i.e. level 1 or greater) the SIRO will be informed. The SIRO will determine if the incident should be reported or whether further time will be allowed to establish facts. Reporting will be done by the IG Incident reporting tool in the IG toolkit.
  The Information Governance team will endeavour to establish a realistic score within one working day, depending on the availability of staff involved to answer questions relating to the loss.
  Informing individuals affected: Where an incident has either a potential or direct impact on individuals, then the individuals will be informed. An explanation and apology will be provided. Where possible each person will be contacted individually, unless this will put a significant undue burden on resources and where other methods (i.e. via press release/local media) can be used. Individuals will be contacted by default unless there is a robust reason where informing will cause more harm and distress.
  Incident investigation: The Information Governance team will utilise the ‘Information Security incident’ investigation procedure. In addition to scoring on a level as per the risk assessment, the investigation procedure will categorise the impact in relation to the category set in the CRAMM (Computerised Risk Assessment and Management Methodology) tool.
Incident publication: Any incident classed as level 2 will be logged on the IG
toolkit incident reporting tool. When concluded these will be closed and therefore
open to publication by NHS Digital. In addition a statement on incidents will be
included in the annual CCG statement of control.
11 Access control & data transfer principles
The fundamental risks to data are the risks of inappropriate disclosure or unavailability
(temporary or permanent). If either of these risks occurs, public confidence in
organisations can be severely damaged, as witnessed since significant ‘losses’ of data
became front page headlines from November 2007. The following strategic approaches
to accessing and transferring data are promoted:
• Access on a ‘need to know’ basis determined where possible by job role, location, organisational structure and where appropriate a care or service relationship with the patient or individual. These to be determined by the Information Asset Owner.
• Access control systems to support audit of accesses made.
• Storage of data to be on central servers accessed by a network of connected devices, to reduce the need to copy data ‘off network’.
• Data taken ‘off network’ to be encrypted if it contains personal identifiable data or is classed as organisationally sensitive.
• Technical controls over removal of data from network including restriction to organisation owned devices, and authorisation of copying to CD/DVD.
• Secure methods of transfer including NHSmail, encryption and secure file transfer tools to be used. Assessment of paper based transfers such as fax and post via information flow mapping reviews.
12 New developments – ensuring compliance
The organisation will ensure that all service development plans (including service redesign), system development plans and other activities that may use personal data will be
reviewed to ensure compliance with relevant legislation. This will include both new
activities and new ways of working. The organisation will operate a process, in line with
the ‘Privacy Impact Assessment’ from the Information Commissioner’s Office to assess
and advise on how information should be obtained, stored, used, retained and disposed
of in the lifecycle of any activity. It will be a formal requirement of any project to ensure
consultation has taken place with Information Governance staff.
13 Education Strategy
Background and Current Position
The headline data losses that occurred in 2007/08 resulted in a number of central
government and ombudsman reports requiring organisations:
‘review and enhance the training that they give to their staff’ (ICO report July 08)
‘roll out basic level of mandatory training to all users of personal data, to be completed on
appointment and annually’ (O’Donnell report June 08)
Responsibility for education programme
The Information Governance Team is responsible for the design, implementation and
integration of the education items described in this strategy. This is linked to the
workforce development leads within the organisation. The IG toolkit assessment
requirements will be used to monitor the implementation of education activities.
Induction
Upon employment all staff will receive an ‘acceptable use’ email and will undertake the
‘online assessment’ on core information governance responsibilities. This will be used to
raise awareness and measure their current level of knowledge.
Staff will receive an induction session as soon as possible after starting employment.
This will run for 15 minutes. The intended outcomes are to ensure staff:
• Are aware of the importance of handling information appropriately
• Are aware how support and guidance can be accessed
• Are aware of the key policy statements they must comply with
This will be by a facilitated presentation, supported by effective hand out materials.
Annual Requirement
All directives, whether they come from government investigatory reports or the IG toolkit,
make a strong case for providing IG education on an annual basis. Furthermore, there are
growing requirements to evidence that the education is inclusive, effective, tailored and
regularly reviewed. Below is the revised programme to be provided.
Assessment and self-directed improvement:
The minimum requirement for each member of staff is to undertake an annual
assessment to prove they have a minimum level of knowledge. This is via the ‘Online
assessment’ set up on ConsultOD. This links to the online ‘code of conduct’. Staff are
expected to achieve a minimum score of 70% to pass the module. Re-takes are allowed
and staff are advised to use online materials to self-direct their learning if they are struggling.
New starters are expected to achieve this within one month of starting; therefore checks on
levels of compliance will exclude staff who started within the last month.
Further educational support:
Other items, including those below, will be available on request:
• Face to face ‘Core Information Governance’ – as required for those unable to take
online training
• Patient access requests & information rights – if applicable to those CCG staff
members who handle personal confidential data
• Information Assets, data flows & risk assessment (can be delivered as a group or by
1-1 facilitated work with the information asset owner)
• Specific team briefs – these will cover topics such as new processing and uses of
data, records management and Freedom of Information
Face to face Core Information Governance
These sessions will run for approximately 2 hours and will be provided when there is
identified demand. Attendance will be for 20 staff (overbooked to 25 in case of drop off).
Below is a list of topics; these can be tweaked if a session is being specifically delivered
for patient facing or non-patient facing roles. All sessions will be interactive and guided
by the requirements of the attendees, and therefore tailored to their requirements ‘on the go’.
Topics covered include:
• Definitions – confidentiality, personal, sensitive
• Legal fundamentals – data protection, freedom of information & other legislation
• Key principles – informing, protecting, sharing, necessity, proportionality
• Consent, public interest, legal duties – in relation to sharing information
• Individual rights
• The fundamentals and benefits/impacts of quality and accuracy
• Key checks on accuracy, managing errors
• The spectrum of uses of data in the service
• Why information needs to be secured, the perils of information loss/unavailability
• The balancing act when protecting information
• Key security requirements – re mobile working, media, storage, acceptable use,
phones, faxes, emails, physical security
• Monitoring, personal use
• Passwords and PINs
• What is a record? Record legislation including Freedom of Information
• Access to records – personal and organisational (incl. Subject Access (if
applicable) & Freedom of Information)
• Filing and maintaining effective records
• Retention and destruction
There is a requirement in the IG toolkit to provide education tailored to staff groups. This
will be met, as it already is, by ensuring all sessions are facilitated education sessions
rather than formal training sessions with rigid content. The facilitators will ensure that the
discussion and group work are angled to the roles of the staff present as much as possible
and will invite specific participation.
Other education activities
As well as the above facilitated sessions, the following activities will support staff
education:
• All user emails on specific topics, authored by key Directors/Managers
• Publicity materials for items such as memory sticks, printing, faxes etc.
• Screensavers
• Sessions at team/department meetings on request (or as a result of incident
resolution)
• Use of products such as the NHS Digital National IG training tool that provide online
learning opportunities. It is noted that the current modules may well be suitable
for staff who have specific additional responsibilities, such as the Caldicott
Guardian, Senior Information Risk Owner and the Information Asset Owners.
14 Development, approval and implementation of guidance
In order to support education programmes and staff queries, the IG team produces a
number of guidance documents related to handling information. The following is the core
process for development, approval and implementation:
• Guidance will be developed by the team following identification of a significant
need. It will draw from sources available at the time, including the Information
Commissioner’s Office, Ministry of Justice and British Standards Institute.
• Following the initial draft, key stakeholders across the organisation will be invited to
comment.
• Final drafts will be put to the SIRO and Caldicott Guardian to determine if they need
formal approval by the Quality & Assurance Group.
• Awareness will be raised via management channels, as appropriate to the subject
and any degree of urgency. Methods will include induction and mandatory
education sessions and ‘all staff’ communications.
• If required, a specific awareness/implementation programme will be established;
the need will be determined by the SIRO, Caldicott Guardian and Senior IG
Manager (who constitute the CCG’s Information Governance Group).
15 Communication with patients and how their information is used
Background
Whilst it is a requirement of the Data Protection Act 1998 to inform patients of the uses of
information, it is also a requirement of compliance with the ‘common law of
confidentiality’. Common law requires consent to process information, unless there is a
legal duty, or a substantial public/vital interest, to use or share information. Many of the
communication activities (both those in place and proposed) will suit implicit and explicit
consent under common law requirements.
Using information for the provision of care
Where information is recorded, used and shared directly for the care of a patient, the
basis of consent will be ‘informed implied consent’, in line with the strategy of the
Department of Health. This will be achieved as follows:
• Face to face communication with the patient – As part of general
communication with patients, staff should ensure, in all appropriate circumstances,
that when they record or share information the patient is aware of this, and that they
explain their actions, including informing the patient who will see the information
and why.
There is evidence that patients are more concerned about who information is to be
shared with, or accessed by, than the purposes it is used for, although each patient
will have their own individual concerns.
• Clear ‘data collection’ forms – Where patients are required to complete a form,
the provision of ‘explanatory text’ must be considered. This should not be
lengthy but should ensure that any information the form asks for, where the
purpose is not immediately clear to the patient, is explained. If this isn’t practical,
then forms should have a note stating ‘Please ask a member of staff if you want
help completing or understanding this form’.
• Copying information to patients proactively – If a health professional considers
that communication with the patient will be improved by providing a copy of
information (mainly letters, but also other items), then this should be actively
considered, as it by default improves a patient’s knowledge of what information is
recorded and shared about them.
• Provision of information leaflets, posters and website links (using previously
supplied SCW CSU materials entitled ‘How we handle your information’) – These
should be made generally available in patient facing areas, and where a patient
has raised a concern about information/confidentiality, or a professional feels there
will be benefit, patient information leaflets should be provided. These must
not be seen as a substitute for discussion with the patient, but as a complement
that may help provide a consistent message to patients.
*SCW CSU ‘How we handle your information’ is available for use electronically but
no longer in hard copy format. Organisations who wish to use hard copy material
are required to produce their own versions.
• The NHS Care Records Guarantee – This is available to patients nationally, and
where there are queries from patients it will be used as a source of information
and advice.
Uses of information other than for the care of the patients
There are many uses of information in the NHS that are critical to the provision of the
service which are not directly related to the care of the patient, such as audit, research,
education and service management. As dictated by ‘Caldicott’ principles and legal
requirements, such uses should remove as much ‘identifying’ information as possible
before using the data. However, the laws and regulations do recognise that there are
situations where removing identifying data is not practical or, sometimes for specific
reasons, not possible.
This strategy is not a detailed explanation and analysis of such situations, as each use of
information should be considered in detail and the legal basis for using the information
determined. In many instances the legal basis will be a form of consent. In principle such
consent should be explicit where this is practical, for example in the majority of research
studies. However, there will be numerous situations where the scale of information use or
other factors will mean that explicit consent is not practical. Implied consent is possible,
but Information Governance advice should be sought prior to the use of information.
However, for such uses, whether the basis of consent is implicit or explicit is not the focus
of this strategy. The strategy is concerned with making sure any such consent is valid because
there has been effective communication with patients. There must be a base level of
information made available to all patients. Specific one-off uses of information should
determine whether further details should be provided.
• Regular operational activities (within the organisation) such as clinical or
administrative audit should be able to rely on the general provision of information
to patients about uses of data in the form of leaflets, correspondence and
discussion. Where there are similar activities but there may be involvement from
third party agencies (NHS or other), then careful consideration must be given to the
legal basis for using information.
• One off uses of information – these may be specific projects, or service
developments, both within and across organisations, and may well require
additional detail to be provided to patients. This might be specific leaflets/mailings
that could inform patients or request explicit consent if deemed a requirement.
• Use of information for research initiatives – all manner of factors can influence the
approach to using information, including the need to use data on all available
cases of a condition regardless of the wishes of the patient. Each research study
is subject to the controls of the Research Governance Framework. The ethics
approval form must detail the approach to recruiting subjects and using
information. Each ethics application is reviewed individually for compliance with Data
Protection and common law requirements. There are provisions in the
Health & Social Care Act (section 251) for patient information to be used without
consent. A study wishing to use these provisions does have to make a formal
documented application to the national Patient Information Advisory Group.
Actions to comply with section 15 of this strategy
For both direct care and other purposes, there is a clear requirement to make information
available to patients about general uses of their records and data by the organisation.
Materials to achieve this are already in use, but their distribution must be improved and
regularly reviewed. Rather than waiting for patients to ask, there must be a pro-active
distribution of materials.
Integration with regular communications with patients – rather than setting up specific, costly,
one off distributions to patients, materials detailing the use of patient information must be
integrated with existing communications.
If insertion of the leaflet in communications is not practical, then consideration should be
given to providing the information as a standard paragraph at the foot of each letter, or printed on
the reverse side of the letter. The following text could be used:
‘Your health record contains facts about your health, treatment and the professional
opinions of the staff caring for you. All staff receive training and regular updates about
how to handle your information. They are all bound by a legal duty to keep information
confidential. If you wish to know more about the use of your information please speak to
the person in charge of your care or the Patient Advice and Liaison Service for your area’.
Providing information in other languages and media – To ensure accessibility the
materials will be available on request (or where discussion with patients leads to provision
as a course of action) in any other format. Due to cost constraints, translations or other
media will not be developed until there is a request (in line with other literature).
Requests for other languages or media are being handled by the relevant Patient Advice
& Liaison Service. Current materials are available in the following languages and
formats:
• Mandarin, Polish, Romanian, Somali
• Braille
All of the above materials will be subject to regular review and update, always including
checks for readability and suitability with a selection of organisations representing
patients and minority groups.
Staff awareness – Whilst distribution of the materials will generate a degree of staff
awareness, it is not enough. The importance of communicating with patients, both for
patient facing staff and those that do not see patients, is included in education
programmes.
In addition, staff guidance on handling information (code of conduct), together with other
useful material, will be distributed to all staff via www.protectinginfo.nhs.uk. This includes key
principles about keeping patients informed, offering them choice and how to share
information.
Support for patients and staff with queries about the use of information
Whilst all members of staff have a responsibility to inform patients about the use of their
information, they are not expected to handle all queries that patients may raise. They
may also have their own questions relating to the use of information. If a member of staff
is unsure how to respond to a patient query, they should direct the patient to the local
Patient Advice and Liaison Service (PALS). PALS will engage other staff, particularly
Information Governance leads where required to ensure a full and timely response is
given to patients and staff.
Staff are informed during core Information Governance training that queries can be directed
via PALS and Information Governance. The staff code of conduct leaflet advises
staff with queries about handling information to talk to their line manager in the first
instance, as things may be dealt with there and then. If not, line managers should know,
again via core training, of the support facilities available to them in PALS and IG.
Acceptance and monitoring
The patient materials will be put to patient representative groups when updated to ensure
that they are understandable and acceptable to as many patients as possible.
The Information Governance team will continually work with the organisation to ensure
that distribution channels are maintained and developed.
16 Review of Strategy, policy & guidance
The Strategy will be reviewed every two years to align with the review periods of the
information governance policy set (Information Governance Management System) and the
guidance documents (the ‘information governance reference pack’ contents). Individual items
may be reviewed before this, due to changes in standards, methods or interpretation.
Kate Tregale
Senior Information Governance Manager
February 2017