Information governance
Staff handbook
RDaSH
www.rdash.nhs.uk

Introduction to information governance

Overview
Information governance (IG) covers information security and confidentiality, the Data Protection Act and the Freedom of Information Act. It is of great importance within the Trust's agenda and is supported by the Trust's Board of Directors.
This handbook will guide you through each of these areas and the way we comply locally. It will help you to attain a high level of compliance with Trust policies and procedures and with the laws concerning the handling of person-identifiable data (PID).

Information governance toolkit
Through a well-defined framework, IG ensures that PID is handled with appropriate confidentiality and security and in compliance with information law. The IG management framework ensures high quality in:
• IG assurance
• Confidentiality and data protection assurance
• Information security assurance
• Clinical information assurance
• Secondary use assurance
• Corporate information management
The framework brings together the requirements, standards and best practices that apply to the handling of information.
The Rotherham Doncaster and South Humber NHS Foundation Trust has a comprehensive IG programme, documented in the IG toolkit framework, which is managed by the IG Steering Group and co-ordinated by the IG Manager.

Information governance structure
The IG reporting structure, from the Accounting Officer down, is:
Accounting Officer (Chief Executive)
SIRO (Executive Director of Business Assurance)
Caldicott Guardian (Executive Medical Director)
Head of Corporate Governance
Information Governance Manager
Information Governance Security Specialist
Information Governance Officer
Information Asset Owners
Admin Officer
Information Asset Administrators

Roles and responsibilities

Accounting Officer
The Trust's Accounting Officer is the Chief Executive, who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks are handled in the same way as other risks, such as financial, legal and reputational risks. Reference to the management of information risk and associated IG practice is now required in the Annual Governance Statement, which the Accounting Officer must sign annually.

Senior Information Risk Owner (SIRO)
The SIRO is the Executive Director of Business Assurance, who has lead responsibility for the Trust's information risks and provides a focus for the management of information risk at Board of Directors level. The SIRO chairs the IG Steering Group.

IG Steering Group
The IG Steering Group co-ordinates IG strategies and policies across the Trust to ensure consistently high standards of compliance in information handling, in accordance with statutory and legal requirements and the IG toolkit. The group also supports the Trust's objectives in the delivery of high quality patient care.

Caldicott Guardian
The Caldicott Guardian is the Trust's Executive Medical Director, who has overall responsibility for protecting the confidentiality of PID. The Caldicott Guardian plays a key role in ensuring that the Trust adheres to the highest standards for handling PID and to the Caldicott management principles.
It is the responsibility of the Caldicott Guardian to feed back any IG issues to the senior leadership team and the IG Steering Group.

Information governance team
The IG team is responsible for ensuring that IG is implemented throughout the Trust. The team's responsibilities include:
• completing the interim and annual IG Toolkit assessments;
• investigating incidents;
• providing IG training;
• handling requests for information made under the Access to Health Records Act, the Data Protection Act, the Freedom of Information Act and the Environmental Information Regulations;
• giving advice and assistance on data protection, information security, information sharing and freedom of information.

Information Asset Owners (IAOs)
The SIRO is supported by departmental IAOs, who are senior managers involved in running the relevant service. Their role is to understand what information is held, what is added, what is removed, how information is moved, who has access to it and why.
IAOs must understand and address risks to the information assets that they 'own' and provide assurance to the SIRO on the security and use of those assets. IAOs are responsible for the information asset registers for their service or directorate and are supported by information asset administrators (IAAs). A list of Trust IAOs and IAAs is available from the IG Team.

Information security

Sending secure mail
The table below summarises which email routes are secure and which are not. Note that it is the email address (the sender's and recipient's domains) that determines the security, not the physical location of either party.

Secure (Y) or not secure (N), by sender (From) and recipient (To) domain:

To \ From              @rdash.nhs.uk   @doncasterpct.nhs.uk   @gp-c86****.nhs.uk
@rdash.nhs.uk                Y                 Y                      Y
@doncasterpct.nhs.uk         Y                 Y                      Y
@gp-c86****.nhs.uk           Y                 Y                      Y
NHSmail                      N                 N                      N
Other NHS                    N                 N                      N
Non NHS                      N                 N                      N

Emails to any address in a 'not secure' row must have encryption applied before sending: refer to the IT awareness guide for details of how to do this: http://nww.intranet.rdash.nhs.uk/wp-content/uploads/2012/08/IT-Awareness-Guide1.doc

Encrypted portable devices
The most common portable device is a memory stick (also known as a pen drive, thumb drive or USB stick), which connects to the USB port of a computer and is used to store information. Memory sticks have a large capacity, so they pose a considerable security risk if lost, stolen or abused. Thousands of memory sticks are lost or stolen every year, resulting in the loss of huge amounts of confidential and sensitive data.
Only approved, encrypted memory sticks issued by the IT Team may be used to store Trust information: the use of any other memory stick is strictly prohibited. When a memory stick is issued it must only be used in accordance with the usage described on the application form, which can be accessed via the following link: http://nww.intranet.rdash.nhs.uk/support-services/information-technology/informatics-forms/
Trust memory sticks must only be connected to Trust PCs or laptops. They must never be connected to personally-owned equipment, with two exceptions:
• using the memory stick for coursework, provided it does not hold any Trust information; or
• delivering training on a non-Trust PC or laptop.
Internet and email use
All staff must observe the rules of acceptable use, which include the following:
• No member of staff is permitted to transmit, access, display or download offensive material, including hostile text or images relating to gender, ethnicity, race, sexual orientation, or religious or political convictions, when using Trust facilities;
• No Trust information may be emailed, copied or uploaded to a website, blog, cloud storage or any other form of storage except where this has been approved by the IT team;
• Staff must not introduce inappropriate material to any Trust equipment or network, e.g. material that is sexually explicit, racially offensive, homophobic or otherwise unlawfully discriminatory;
• Internet and email use is subject to UK law and the Trust's policies, and any misuse will be dealt with appropriately;
• The use of internet and email is monitored for compliance, security and network management reasons, in line with central government guidelines and local policies;
• The Trust has the final decision on what constitutes inappropriate use and offensive material and reserves the right to determine the suitability of any usage. Usage found to be illegal or in breach of Trust policies will lead to disciplinary proceedings and may lead to dismissal and criminal prosecution.

Transporting data off-site
1. If physical movement is unavoidable, all papers, electronic storage devices or any other media containing PID must be transported in a lockable container or bag that is securely closed and marked 'confidential'.
2. Where the transfer is not a regular one, a risk assessment must be conducted and authorisation obtained from the IAO first.
3. Information that is taken off-site must be recorded, together with the reason it was removed and where it was taken.
4. Electronic media transported between sites and organisations must be encrypted, preferably as encrypted files on a CD or DVD that is packaged and clearly labelled to ensure it is handled correctly, and sent using Recorded Delivery. Passwords must be sent separately from the media they protect.
5. Never leave PID unattended or on view in vehicles.
6. If information is to be returned, ensure it is returned as soon as possible.

Posting PID

Internal mail
Use a new, robust envelope (not an internal mail envelope) marked 'private and confidential'. Clearly print the name and address of the recipient on the front and the sender on the reverse. Always acknowledge safe receipt.

Opening incoming mail
Mail marked 'confidential', 'private and confidential' or similar should only be opened by the addressee, unless authority has been delegated and recorded.

External mail
Sensitive information and PID sent to other organisations should be sent using recorded delivery or a Trust-recognised courier, and safe receipt must always be confirmed. Routine correspondence and letters, such as those sent to patients, must be correctly addressed and show the recipient's full name: these items should be sent by standard first or second class post.

Reporting an IG incident
Reporting incidents is the responsibility of all staff, temporary and permanent. Rapid investigation of incidents improves complaints management and allows early communication with the people involved. By identifying weaknesses in processes and procedures, reporting aims to prevent future incidents and helps to develop and improve services. Many incidents occur through lack of training, so reporting them shows where staff training needs to be improved.
Any suspected breach of information security involving the confidentiality, integrity or availability of data must be reported using the process detailed below.
Examples of information governance incidents include:
• Loss of a staff ID badge
• Loss of a patient or staff record
• PID not being transported in the appropriate manner
• PID being lost in the post
• PID found on display, e.g. on a printer, photocopier, monitor, etc.
• Loss of a USB stick
• Loss or theft of a laptop
All teams have access to the Trust's Incident Reporting Policy, and guidance for completing an IR1 form is available on the Intranet. For further information please contact the IG Team on 01302 796189.

Reporting an incident
On the intranet homepage, select 'Safeguard (IR1)' from the quick links in the bottom right-hand corner.

Information sharing agreements (ISAs)
An information sharing agreement is a signed, ratified document between the Trust and a third party that sets out:
• The need to share the data, and the reasons for sharing it
• The information that will be shared
• Confirmation of the law that allows the information to be shared
• How the information will be shared
• Who the parties to the agreement are
• Any necessary security requirements.

K: drive policy
All Trust workstations (desktop PCs and laptops) require a username and password to be entered before information can be accessed. Whenever you leave a workstation, lock it (press 'Ctrl' + 'Alt' + 'Delete' and choose the lock option) so that no one else can use your session. Folders can be created that are only accessible by defined groups or certain individuals, which is useful for work that is shared within teams, departments or services. Never share your passwords.

Clear C: drive policy
No data is to be stored on a PC or laptop C: drive, whether or not it includes PID: if the computer crashes or is stolen you will have lost your work, because the C: drive is not backed up.

U: drive policy
The U: or 'home' drive is personal to each user and should be used for storing information that does not need to be shared.
Ensure PID is saved to a folder with restricted access; otherwise it can be read Trust-wide. Instructions for requesting new folders are included in the IT awareness guide, which is available via the following link: http://nww.intranet.rdash.nhs.uk/wp-content/uploads/2012/08/IT-Awareness-Guide1.doc

Transferring confidential electronic records internally
Best practice is to create a restricted folder, accessible only to the sender and recipient, in which to save the records.

Legislative and other regulatory requirements

Data protection and the common law duty of confidentiality
The common law duty of confidentiality prohibits the disclosure of information that was provided in confidence unless the person who provided it consents, there is a legal requirement to disclose it (for example a court order), or disclosure can be justified in the public interest.

Caldicott principle guidelines
The Caldicott management principles must be applied when dealing with PID. They are:
1. Justify the purpose. All use of PID must be clearly defined and reviewed by the Caldicott Guardian; any proposed new use must be discussed with the Caldicott Guardian.
2. Only use PID when it is absolutely necessary to do so. This applies within and between staff members, teams, wards, etc. as well as to transfers between the Trust and other organisations: PID must only be included if it is essential for the specified purpose of the transfer.
3. Use the minimum necessary PID. If using PID is essential, the inclusion of every individual item of PID must be justified, so that the minimum amount needed for the specified purpose is transferred or made accessible.
4. Only make PID available on a strict need-to-know basis. Only individuals with a justified purpose for needing access to PID should have access to it, and they should only have access to the parts of the PID that they need: this may mean introducing access controls or splitting information to restrict access.
5. Be aware of your responsibilities. Everyone who handles PID must be appropriately trained in patient confidentiality, with annual refresher training.
6. Understand and comply with the law. Every use of PID must be lawful: the IG Team and Caldicott Guardian are responsible for ensuring that legal requirements are met and provide advice and assistance to staff.
7. The duty to share PID can be as important as the duty to protect it. All staff and workers within the health and care system must be aware that the duty to safeguard children or vulnerable adults may mean PID should be shared, where it is in the public interest to do so, even without consent. Relevant confidential PID held by health and social care organisations should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual.

Data Protection Act 1998
There are eight principles of good practice within the Data Protection Act: these are often referred to as the 'data protection principles'.
Principle 1: personal data shall be processed fairly and lawfully
• There is a requirement to make the general public aware of why the NHS needs information about them, how it is used and to whom it may be disclosed
• There should be no surprises: inform data subjects why you are collecting their information, what you are going to do with it and who you may share it with
• Remember to be open and transparent about what will be done with information used in research projects

Principle 2: personal data shall be obtained for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
• Only use personal data for the purpose(s) for which it was obtained
• A database is any collection of personal data that can be processed by automated means, for example patient records, staff records, prescription details and research information
• Personal data held on Maracis, TPP SystmOne or any other patient administration system must only be used for healthcare purposes
• Ensure patients know who will be involved in their care and that those people may need access to their information
• Only share information outside your team, ward, department or service if you are certain it is necessary and appropriate to do so. All new requests to share information outside the Trust must be referred to the IG Team
• Always be open, honest and clear
• If in doubt, check with the IG Team.

Principle 3: personal data shall be adequate, relevant and not excessive for the purpose(s) for which it is processed
• Only collect the information you require
• Never collect information "just in case …"
• Explain abbreviations
• Use clear, legible writing
• Stick to the facts and avoid personal opinions and comments.

Principle 4: personal data shall be accurate and up to date
• Take care when inputting information to ensure accuracy
• Check existing records thoroughly before creating new ones, to avoid duplication
• Check patient details at every contact, e.g. address and telephone number.

Principle 5: personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose or those purposes
• It is not acceptable to hold information without a firm view as to how it will be used
• Follow the records retention guidelines, which are available under 'General Policies' on the Intranet
• Ensure regular housekeeping ('spring cleaning') of information
• Do not keep information "just in case …"
• Follow the guidelines for disposal, which are included in the records retention guidelines.

Principle 6: personal data shall be processed in accordance with the rights of the data subject
• Right of subject access
• Right to prevent processing likely to cause harm or distress
• Right to prevent processing for the purposes of direct marketing
• Rights in relation to automated decision-making
• Right to take action for compensation if the data subject suffers damage
• Right to take action to rectify, block, erase or destroy inaccurate data
• Right to ask the Information Commissioner's Office (ICO) to assess whether any provision of the Data Protection Act has been contravened.
Principle 7: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
• Follow the Trust's security and confidentiality procedures
• Ensure the security of confidential faxes by using safe haven fax machines and confirming receipt
• Always keep confidential papers locked away when not in use
• Ensure confidential conversations cannot be overheard
• Never share your passwords
• Ensure confidential information is transported securely
• Be aware of confidentiality contracts with third parties.

Principle 8: personal data must not be transferred outside the European Economic Area (EEA) without adequate protection
If data needs to be transferred outside the EEA, contact the IG Team for guidance.

Access to records

What is a subject access request?
The Data Protection Act gives all living individuals a right of access to the information an organisation holds about them: a request for this information is known as a subject access request. Access encompasses:
• A right to obtain a copy of the record in permanent form
• A right to view a record without obtaining a copy
• A right to have information explained where necessary.

How do I know if I've received a subject access request?
A request does not have to say 'subject access request' or 'access to records request', or mention the Data Protection Act. It must be in writing, state who the data subject is, state what information is being requested and include the appropriate consent to access the information. If the request is made directly by a patient, or by a person acting on behalf of a patient, proof of identity will also be required.

What should I do if I receive a subject access request?
All papers should be forwarded immediately to the IG team by post or fax. It is essential that this is done on receipt: the legal time limit for compliance starts when the request is received by the Trust, not when it is passed on to the IG team, so any delay reduces the time available for processing the request. The team will then contact the relevant individuals to advise what needs to happen and the legal deadline for completion. The IG team are based at Woodfield House, Tickhill Road Hospital, Balby, Doncaster.

Do I have to release the requested records?
An appropriate medical professional must consider requests for patient records and decide what level of access should be granted. Typically, the Trust will provide the requested information unless:
• The record contains third party information, where the third party is not a medical professional and has not consented to the information being disclosed;
• Access to all or part of the record would cause harm to the physical or mental wellbeing of the patient or another person.
An HR professional must consider requests for staff records.
Only copies of records are to be provided to the IG team and the requester, unless original records are explicitly requested by the General Medical Council.

How long do I have to respond to a request?
The Data Protection Act allows 40 days (calendar days, not working days) to provide a response. The period starts when all the information required to process the request has been received.

What if the patient is deceased?
The Data Protection Act does not cover deceased individuals; however, the Access to Health Records Act 1990 gives certain individuals a right of access to deceased patients' records. For further information refer to the Access to Health Records policy, which is held under information governance policies on the intranet.

Freedom of Information

What is the Freedom of Information Act?
The Freedom of Information Act 2000 gives the general public a right of access to information held by the Trust.
There are some exemptions but, typically, we have to provide the requested information unless there is a good reason not to. If we refuse a request or withhold the requested information, the applicant has a right of appeal to the Information Commissioner, the independent regulator responsible for ensuring the Act is complied with.

Who can request information under the Act?
Anybody can make a request: competitors, potential suppliers, journalists, patients, staff and any other member of the public, whether or not they are connected to the Trust. The applicant does not have to tell us why they are making the request, and we have no right to ask.

What information is covered by the Act?
The Act applies to all information held by the Trust, in paper or electronic form. Note that scraps of paper with rough notes or comments on them are just as releasable as letters, memos and emails. If an email forms part of a decision-making process it needs to be filed electronically, or printed and kept in a file. All letters, memos, emails, notes and comments must be written in a way that a member of the public could read and understand. Good records management means that we can easily determine whether we hold the requested information and where it can be located.
What about information created before the Act came into force?
The Act is retrospective and covers all information held by the Trust, including information created before the Act came fully into force in January 2005.

How is an FOI request made?
A request must be in writing, which includes email. It must include the name of the applicant, which can be an organisation, and an address for correspondence, which can be an email address.

What should I do if I receive a request?
All requests must be sent to the IG Team immediately: legally the Trust has 20 working days to respond, starting the day after the request is received by the Trust.

Copyright
If copyright is held by the Trust, the material can be licensed for re-use for a charge. If another party holds the copyright, the Trust cannot license re-use of the material. In addition, the Open Government Licence (OGL) provides a simple set of terms and conditions enabling the free re-use of public sector information. Under the OGL the Trust has the authority to license material for re-use as long as the source of the information is acknowledged.

Images and videos of service users and staff
Images are capable of being personal data, because people can be recognised and identified by others who know them. The data protection principles must be applied to images and videos in the same way as they are applied to electronic or paper-based personal data.

Further information

Where can I find more information?
More information on FOI and what it means for you can be found:
• On the Ministry of Justice website: http://www.justice.gov.uk/
• On the Information Commissioner's website: http://www.ico.gov.uk/
• On the Trust's publication scheme: http://www.rdash.nhs.uk/information-for-the-public/freedom-of-information/foi-publication-scheme/
• From the IG team.

IG team contact details
Sue Meakin, IG Manager: T: 01302 796189, M: 07909 880396
Steve Massen, IG Security Specialist: T: 01302 796385, M: 07584 889382
Rachael Smith, IG Officer: T: 01302 796756, M: 07775 012253
Sue Hales, Admin Officer: T: 01302 796338
Woodfield House, Trust Headquarters, Tickhill Road Hospital, Doncaster DN4 8QN

Top tips
• Forward any requests for specific information to the IG Team.
• Maintain and weed your paper and electronic files so they only contain necessary information.
• Only keep information for as long as it is needed, or for the required retention period.
• Review your filing practices: all filing should follow a logical, common system agreed within your department or directorate.
• All staff in a department should be able to access each other's filing systems in the absence of a member of staff. If an FOI request is made, staff absence is not an acceptable reason for exceeding the 20 working day deadline.
• Ensure electronic documents have footers that clearly identify where they are held.
• Follow the Safe Haven policy and remember that emails are official records to which the public has a right of access. The sender has very little control over an email once it has been sent, so be mindful of the content.

Contact details
Information Governance
Business Assurance
Trust Headquarters
Woodfield House
Tickhill Road Hospital
Doncaster DN4 8QN
DP7120/9772/05.13