Unit 1: Information Governance - Blackpool Teaching Hospitals NHS

Unit 1: Information Governance
Refresher Module Guidance and Assessment
LEARNING OUTCOMES
When you have completed this unit you should:
1) have revised and updated knowledge of information governance issues at this Trust
2) continue to:
 understand the importance of providing a confidential and secure healthcare service
 handle information safely and securely
 comply with data protection and freedom of information legislation
 include IG in everyday practices (including patient care)
3) be able to recognise a breach of confidentiality or information security
4) have accessed and completed the appropriate annual mandatory Information Governance module
WHAT IS INFORMATION GOVERNANCE?
Information Governance is a term which describes the way we ‘process’ or handle information. It
covers personal information (that is, relating to patients/service users and employees) and also
corporate information (for example, financial and accounting records).
INTRODUCTION
All staff, both clinical and non-clinical, including agency, locum, temporary, volunteers, students
etc. must complete and pass a prescribed Information Governance training module every year.
The training module, which includes a short multiple-choice assessment test, is also accessible
through a national on-line e-learning tool. This particular module provides revision and updates,
including specific training for this Trust surrounding IG.
HOW DOES IG AFFECT YOU?
Information Governance applies to all employees.
Information should be safeguarded, yet available in the right place, at the right time in order for
staff to be able to care for patients. There are lots of different aspects of IG, including
confidentiality, Data Protection, Freedom of Information Act (2000), good record keeping and
information security. They all contribute towards supporting the provision of safe and high quality
patient care.
CONFIDENTIALITY
All staff working for Blackpool Teaching Hospitals NHS Foundation Trust including volunteers,
students, agency and temporary staff have a duty to protect and maintain the confidentiality of
patients and other personal information.
Make sure that you still understand your responsibilities and speak to your line manager if you
have any doubts.
You are asked to ‘sign up’ to the Confidentiality Code of Conduct each year, through the appraisal
process. It is your responsibility to ensure that all confidential information is held securely. If you
do not have an appraisal, you should contact the IG team to sign up annually.
The duty of confidentiality is written into employment contracts. Any breach of confidentiality of
information gained, whether directly or indirectly, in the course of work is a disciplinary offence that
could result in dismissal.
Just because we are ‘all signed up’, it doesn’t mean that we can hear or see information about
anyone just because we may have the ability to access it. We should only access information
necessary for our job role and never any more.
Page 1 of 10
Please see the incident section below for more information on how different types of information
can affect an untoward incident.
CALDICOTT
Following a second review of how patient information is used, carried out in 2013, Caldicott2 reinforces the six existing Caldicott principles for the security of patient information and adds a seventh:
1. Justify the purpose (use) for using confidential information
2. Don’t use personal data unless it is absolutely necessary
3. Use the minimum amount necessary of personal or confidential data
4. Access to this data should be on a strict need-to-know basis*
5. Everyone with access to this data should be aware of their responsibilities
6. Comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality**
Every NHS organisation still has a senior clinician, nominated to act as a champion for the uses of
patient information. Here at Blackpool Teaching Hospitals NHS Foundation Trust, our Caldicott
Guardian is Professor Mark O’Donnell.
*You should not access ANY information unless you are directly involved in that patient’s care or
you have a legitimate reason to access their information, for example audits. You are not permitted
to access information for yourself, colleagues, family or friends. This is classed as unauthorised
access to information and by doing so you are breaching the Computer Misuse Act 1990. This will
result in disciplinary action.
INFORMATION SHARING
**The Department of Health has produced some guidance around the need to share for direct
health care. If you need to share with other NHS or non NHS providers for purposes other than
this, you may need to consider whether you will need additional approval from the IG team before
releasing any information.
THE DATA PROTECTION ACT 1998
UK law in the form of the Data Protection Act 1998 (DPA) governs how organisations may use
personal information (about living people), including how they obtain, store, share, transport or
dispose of it.
Within organisations, staff should inform patients why their information is collected and recorded,
what is collected, who might see this personal confidential information and their rights.
What are these rights?
The DPA provides the public with rights; for example rights to access information held about them.
These are known as Subject Access Requests and are facilitated by the Data Access Team. The
Data Access Team also process requests for information.
Patients have other rights, including rights to compensation and rights to prevent information being
processed about them. There are more, these are just a few.
Those staff directly involved in patient care should include this in their process. For example, a
patient should be able to review who they previously consented to share information with at their
last visit, and be given the option to revise it.
Staff should also be informed about how their information is used. You can ask the IG
department for more information about this.
THE FREEDOM OF INFORMATION ACT 2000 / ENVIRONMENTAL INFORMATION REGULATIONS 2004
The FOIA 2000 came into force on 1st January 2005 and works alongside the EIR 2004 which
was already providing a means of access to environmental information associated with public
bodies.
FOI gives the public the right to request information from public authorities. When asked for
information, we have a duty to respond within 20 working days to written information requests. It
also obligates public authorities to publish certain information about their activities. Some
examples are:
 Who we are and what we do
 What we spend and how we spend it
 What our priorities are and how we are doing in relation to them
 How we make decisions
 Our policies and procedures
 The Services we Offer
Annual training is provided to staff involved in the FOI process across the Trust. If you are asked
to provide information for an FOI request, please do so as soon as possible. If you are not sure
what the requestor is asking for, or have any questions, please liaise with the FOI lead straight
away. It is possible for the request to be clarified in further detail before the Trust responds,
providing the Trust has adhered to the FOI process within a timely manner.
RECORDS MANAGEMENT/ GOOD RECORD KEEPING
Good record keeping (including clinical record keeping) contributes to providing patients with safe
and high quality care. Information should be made available in the right place, at the right time.
Poor quality information is bad for patient care, bad for funding and bad for reputation, e.g.
 Incomplete, inadequately analysed data can lead to serious failures in service.
 Poor demographic data results in duplicate and confused entries on patient record systems.
 Confused patient identity numbers can lead to the wrong patient being treated.
 Inadequate records lead to poorly planned care.
 Poor data results in poor commissioning, monitoring, planning and financing of services.
DISCLOSURE OF INFORMATION
Personal information shared in confidence should not be used or disclosed further without the
consent of the individual.
Exceptions to the requirement for consent are rare and limited to legal requirements to disclose
information, e.g. by Acts of Parliament or court orders; disclosures permitted by regulations made
under section 251 of the NHS Act 2006, (previously known as section 60 of the Health and Social
Care Act 2001), or where there is a public interest or justification for breaching confidentiality such
as a serious crime, including murder, rape or child abuse.
The Data Access Team, in IG, facilitates requests for information. Please seek advice from your line
manager or the Data Access Team before disclosing information to anyone if you are unsure.
INFORMATION SYSTEM MANAGEMENT
It is especially important to seek Information Governance advice at the outset of any new project
or process (including upgrades to equipment or software) or when you plan changes to systems.
 Screening process: complete the necessary documentation for your new project or system
 Consider Privacy Impact Assessments where person identifiable information is used
 Submit to the Information Governance Team once the above is completed
 The project or system will need to be taken to the Health Informatics Project Board (HIPB) for approval
 Ensure any change in process to an existing system is revised and approved as above
 Make sure you have a system administrator identified before the project/system is taken to HIPB
 Sharing information stored on your system with a third party? Contact the IG Helpdesk for advice before sharing
INFORMATION SECURITY
Conversations - Please ensure that you find a quiet area to have a confidential conversation.
Never discuss these conversations in public places or where you can be overheard. Remember:
access to information is on a strict need-to-know basis.
No sharing – You must not share login credentials/access cards under any circumstances. For
example, your smart card is issued to you for access to the systems you have permission to use.
They must not be shared with your colleagues, ever. Remember to remove your smart card
from the PC and lock your computer when you leave it.
Passwords - Choose a secure password that is memorable only to you - and keep it secret. It is a
breach of Trust policy to share your password with colleagues. Your password is for you and you
alone. DO NOT write your password down anywhere.
You should change your password often. If you need to send encrypted removable media, do not
attach the password to the device, always send it separately.
Removable Media and Encryption
All laptops, memory sticks and other portable IT data (e.g. USB sticks, CDs and DVDs) used in the
Trust must be encrypted and encryption keys (passwords) must never be transported with the data
they are designed to protect. Staff must not use any USB stick other than those supplied by the
Trust.
Fines up to £500,000 can be imposed for the loss or theft of patient data on an unencrypted laptop.
The same fine can apply if the encryption key (password) is not applied properly to protect the
data.
Encryption does not protect against financial penalties or the loss of patient trust.
Mobile Devices - Make sure all mobile devices, including laptops and BlackBerrys, are locked
away securely when not in use. Do not leave devices in your car overnight.
Please refer to the Mobile Computing Equipment Management (Mobile Devices and Media) Policy
CORP-POL-513 if you would like to request to use your own device or for further information.
Medical Photography - You must not use iPhones or BlackBerrys to take clinical photographs. The
Department of Medical Photography and Illustration is the first point of contact for any imaging
needed throughout the Trust.
Please refer to the Photography and Video Recordings of Patients: Confidentiality, Consent,
Storage and Copyright procedure.
Disposal of Confidential Information
Paper-based person identifiable or Trust sensitive information must be disposed of confidentially
(using confidential waste bins) and not in the normal rubbish. Some examples are:
 Character references of unsuccessful job applicants
 Patients’ appointment lists
 A list of patients who took hospital transport the previous week
 A ward handover sheet
Removable media containing person identifiable or Trust sensitive information must be disposed
of confidentially (using other methods – further information is available from the IT Department)
and not in the normal rubbish. Some examples are:
 Cassette tapes once used for dictating letters to patients
 A CD with no markings found in an old cabinet
Transporting/ Sending Information - When you are sending any paper-based records, you should
know that it is your responsibility to ensure that they reach their intended destination safely and
securely.
You should also familiarise yourself with the Transportation of Person Identifiable information and
Trust sensitive information in paper form, electronic devices and dictation tapes procedure.
Fax – If you are faxing, please ensure that you ring the recipient, double check the fax number,
always use a cover sheet and check to make sure the fax has been received. Only fax when
absolutely necessary and send all correspondence via secure email instead.
Email – The Trust provides a send secure email solution for all Trust (bfw) email account holders.
If you work in an acute and some community settings you will have the ability to use the send
secure button available on your Microsoft email facility. If you do not have this option or are using
any mobile device which is not supported by Microsoft and you want to send an encrypted email
please type [secure] in square brackets in the subject line before sending your email.
Things to remember:
 Always double check the recipient before sending any emails, especially those containing
person identifiable or Trust sensitive information; there are lots of duplicate names in the
address book
 Password protect information, or a document in addition where necessary
 Test emails should be sent where the address has not been used before
 Send secure must be used when sending patient identifiable or Trust sensitive information
outside of the Trust
 The minimum amount of information necessary should always be used
 No person identifiable information should be in the subject line
 Be aware - emails can be disclosable to the person they are written about
 Contact the IG helpdesk for advice if you are unsure
Post – When sending information in the post, please remember to confirm the address of the
recipient, seal the information in a robust envelope, when appropriate, send the information by
recorded delivery or tracked post and where possible, ask the recipient to confirm receipt. Please
refer to the Transportation/sending information part of this document for more information when
sending health records in the post.
SOCIAL MEDIA/ NETWORKING
Take care when using social networking sites. The importance of this cannot be over-emphasized.
As an employee of the Trust, when using social media for personal use please:
 Be aware that staff have a duty of care to protect the confidentiality of personal information
relating to any individual (including patients, staff and visitors). This is in accordance with
the Trust’s Confidentiality Code of Conduct Policy (CORP/POL/107) and Guidance
(CORP/GUID/140). Any breach of confidentiality, including through social media, will be
dealt with via the Trust Disciplinary Procedure (see Section 7).
 Do not post derogatory comments/photographs/videos about patients/staff/visitors etc.;
remember, be professional in your role and maintain professional boundaries. (Even when
you are not at work, the same rules must be followed)
 Never share confidential or sensitive information.
 Know that staff must not share information about patients without explicit
consent (refer to CORP/PROC/102, Consent to Examination or Treatment).
 Help to reduce risk of confidential information being added to social media accidentally,
understand that no photographs or videos of workspaces / computer screens, where person
identifiable information may be on view, may be used unless all such information has been
removed before the picture is taken.
For more information, please read the Social Networking Policy CORP-POL-220
Off sick? Be mindful of how some things being posted on a social media site may look to others or
your employer.
In short, please make sure that if you use social media, you maintain professional boundaries, do
not post inappropriate messages/ photographs onto social networking sites and maintain
confidentiality at all times.
INFORMATION GOVERNANCE/ INFORMATION SECURITY INCIDENTS
Any breach or near miss must be reported. Tell your line manager as soon as possible what has
gone wrong. You will need to use the on-line untoward incident reporting system. Look out for the
Information Governance updates which contain important updates including lessons learned.
Managers will need to investigate any potential information security or confidentiality breach.
Please liaise with the IG team for further assistance.
TRAINING
Please ensure that you have been given the appropriate training and own login details before
logging into any system to access confidential information. You must NOT look up information
under a login that is not your own, or if you have not been trained, even if you are asked to do so.
(Please refer to the Confidentiality and Caldicott section for more details.)
Managers must not allow staff to use other staff members’ login credentials. Managers must ensure
that all staff being brought into the organisation receive information governance training at the first
opportunity (on the first day of work OR prior to employment OR before being granted access to
any person identifiable or Trust sensitive information, including paper and electronic information).
Please contact the IG team who will be happy to arrange assistance with this training.
Managers should also ensure that staff remain up to date with this training and that all staff
understand their responsibilities for the duties they carry out. This includes
ensuring that processes are in place to assist staff when handling information.
Further data protection training in addition to mandatory training is offered to all employees by the
IG team. More information about information governance and guidance is available through the IG
intranet pages.
INFORMATION GOVERNANCE ADVICE AND SUPPORT
Your Information Governance team can provide advice and support on:
 Corporate or health records management
 Data protection and confidentiality
 Information security
 Freedom of Information
 Data access enquiries
You can contact the Information Governance Helpdesk on (01253) 953057 or by email at [email protected]
Unit 1: Information Governance Assessment
The Refresher Module
Question 1
Which of the following statements about Caldicott are true?
Highlight three options
a) Caldicott2 was carried out during 2013
b) There are 10 Caldicott Principles
c) Every NHS Trust should appoint a ‘Caldicott Guardian’ to act as the conscience for the uses of
patient information
d) Principle 4 states that “Access to information should be on a strict need-to-know basis”
e) Caldicott does not exist
Question 2
Mary, your colleague, is awaiting some test results. She approaches you to ask you to look them
up on the system. She knows you have access to this information, but you are not directly involved
in her care and only work in the department where the results are processed. What should you
do?
Highlight one option
a) Look them up – you have access and Mary has just given you consent to do so
b) Tell her to go through the appropriate processes in order to get her results, e.g. ring the
secretary/GP surgery
c) Tell her your login details and let her look herself
d) Look but only tell her if the result is something she will want to hear
Question 3
Staff should inform patients about why their information is collected and recorded, what is
collected, who might see this personal confidential information and their rights. True or False?
Highlight one option
a) True
b) False
Question 4
The Data Protection Act 1998 provides the public with rights.
Highlight three options
a) Rights of access to information held about them (also known as Subject Access Requests)
b) Rights to prevent information being processed about them
c) Rights to compensation
d) Rights to access to any record about anyone
Question 5
What is the name of the department that facilitates requests for information such as Subject
Access Requests?
Highlight one option
a) Information Team
b) Data Access Team
c) Data Information Team
d) Data Team
Question 6
Under the Freedom of Information Act 2000, public authorities are obligated to publish certain
information about their activities. Which of these fall under the FOI Act?
Highlight three options
a) Who we are and what we do
b) What we spend and how we spend it
c) Patient and staff information
d) How we make decisions
Question 7
What are the possible consequences of failing to protect confidential information?
Highlight three options
a) A loss of patient trust
b) NHS organisations being fined up to £500,000
c) Critical media coverage
d) Faster and lawful sharing of information
e) No consequences, as long as there is a complete copy to refer to
Question 8
If you or your area/ team are looking at a new project/system or are making a change to an
existing project/ system, what steps should you take?
Highlight one option
a) Complete the necessary documentation
b) Consider Privacy Impact Assessments
c) Submit documents to the IG team
d) Identify a system administrator
e) All of the above
Question 9
Which of the following things should you remember when setting a password?
Highlight three options
a) Use a friend’s name or a birthday date that you will not forget
b) Change it regularly as a precaution against someone else finding it out over time
c) Keep it as secret as you would your bank account PIN
d) Never post it with an encrypted CD it gives access to
e) Write it down in reverse order so no-one can guess it
Question 10
The major cause of security breaches in the NHS is the loss and theft of IT equipment holding
staff or patient data. Which of these statements are correct?
Highlight four options
a) All NHS laptops and other portable IT data (e.g. USB sticks, CDs, DVDs) must be encrypted
b) Encryption keys (passwords) must never be transported with the data they are designed to
protect
c) Fines up to £500,000 can be imposed for the loss or theft of patient data on an unencrypted
laptop
d) The same fine can apply if the encryption key (password) is not applied properly to protect
the data
e) Encryption protects against financial penalties
f) Encryption protects against loss of patient trust in the NHS
Question 11
What should you remember when sending an email?
Highlight one option
a) Check the recipient is correct
b) Use send secure encryption facility when sending emails outside of the Trust
c) Confirm the information within the email is the minimum amount necessary
d) Be professional and remember that emails can be disclosable to the person they are written
about under law
e) All of the above
Question 12
Which of the following does the Trust Social Media Policy include?
Highlight three options
a) Staff have a duty of care to protect the confidentiality of personal information relating to any
individual (including patients, staff and visitors)
b) Any breach of confidentiality, including through social media, will be dealt with via the Trust
Disciplinary Procedure
c) The policy only applies when staff are physically at work
d) Staff must not share information about patients without explicit consent
Please check that you have chosen the correct amount of options for each question as some
questions require more than one answer.
Unit 1: Information Governance Completion Statement
PLEASE only sign and return when you are satisfied that your staff member has completed the relevant
mandatory units and correctly answered questions.
A PHOTOCOPY of this completion statement ONLY, MUST be sent to Learning and Development. This is for
input on to the Trust’s Central Training Data Base (OLM) as evidence that your staff member has completed
the Mandatory Training Unit.
A further copy should be placed in your staff member’s personal development file.
This is to confirm the Mandatory Training Guidance has been read and understood and that the
Assessment has been completed by:
Surname: (Block Capitals)
……………………………………………………………………………………………………………………
Forename: (Block Capitals)
……………………………………………………………………………………………………………………
Job Title: …………………………………………………………………………………………………………
Department/Ward:……………………………………………………………………………………………
Division/Directorate:…………………………………………………………………………………………
Date Completed: (This must be within 12 weeks of receipt) ……………………………….
Staff Signature: …………………………………………………………………………………………………
Manager: (Print name) …………………………………………………………………………………
Manager: (Signature) …………………..……………………………………………………………………
Return a copy to Learning and Development, Blackpool Teaching Hospitals, Learning and
Development Department, 42 Whinney Heys Road, Blackpool, FY3 8NR
An electronic copy can be emailed to: [email protected]
Date Sent: …………………………………………
VERSION 5 - November 2015