Agenda Item 3.9

Cover Sheet: Governing Body

Date: 3rd September 2014
Title of paper: Information Governance (IG) Policies
Presenter & Organisation: Beryl Bevan, Ealing CCG
Author: Ben Westmancott, Director of Compliance
Responsible Director: Ben Westmancott, Director of Compliance
Clinical Lead: Mohini Parmar, Chair, Ealing CCG
Confidential: No

The Committee is asked to:
The Governing Body is asked to ratify these policies.

Summary of purpose and scope of report
The BEHH policies on Pseudonymisation and Subject Access Request have expired. The CWHHE IG policies are configured differently to those of BEHH and therefore it is necessary to move from all the BEHH IG policies to those of CWHHE. Therefore the following policies are presented for ratification by the Governing Body:
• Data Protection
• Whistleblowing
• Confidentiality Code of Conduct
• Safe Haven
• Email
• Data Quality
• Information Asset
• Information Governance

Quality & Safety / Patient Engagement / Impact on patient services: N/A
Financial and resource implications: N/A
Equality / Human Rights / Privacy impact analysis: N/A
Risk: N/A
Supporting documents: The policies are included

Governance and reporting (list committees, groups, or other bodies that have discussed the paper)
Committee name: Executive Management and Innovation Committee
Date discussed: 27th August 2014
Outcome: The committee recommended the policies for approval


DATA PROTECTION POLICY

Date completed: June 2013
Responsible Director: Director of Compliance
Author: Ben Westmancott
Approved by/ date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Amended:

For more information on this document, please contact:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
15 Marylebone Road, London NW1 JD
E-mail: [email protected]

Version Control
Version   Date Issued    Brief Summary of Changes                              Owner's name
1.0       July 2013      Amended to reflect CWHHE procedure                    Ben Westmancott
2.0       August 2013    Circulated to local CCG IT Committee for comment      Ben Westmancott

Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups, 2013: All rights reserved.
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations 2005. SI2005 No 1515”. Information on re-use can be obtained from: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative, Tel: 020 3350 4313, E-mail: [email protected]

Contents
1. Introduction ... 5
2. Scope of Policy ... 5
3. Summary of Aims ... 5
4. Notification to the Information Commissioner ... 5
5. CCG staff with Data Protection Responsibilities ... 5
6. Data Protection Principles ... 6
7. Processing ... 6
8. Privacy Notices ... 6
9. Responsibilities of Individual Data Users ... 7
10. Accuracy of Data ... 7
11. Sensitive Personal Data ... 7
12. Data Security and Disclosure ... 7
13. Data Subjects' Consent ... 8
14. Right of Access to Personal Data ... 8
14.1. Patients' Right of Access to Medical & Confidential Hospital Records ... 7
14.2. Staff Right of Access to Personnel Records ... 8
14.3. Right of Access to Personal Data by Elected Representatives ... 8
15. CCTV ... 9
16. Email ... 9
17. Disclosure outside of the European Economic Area ... 10
18. Retention of Data ... 10
Appendix A - EEA Countries ... 11
Appendix B - Request for Staff Personnel Records ... 12

1. Introduction
Like all NHS organisations, Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups (CCGs) hold and process information about their employees, patients and other individuals for various purposes (for example, the effective provision of healthcare services, or to operate the payroll and to enable correspondence and communications). To comply with the Data Protection Act 1998 (the DPA), information must be collected and used fairly, stored safely and not disclosed to any unauthorised person.
The DPA applies to both manual and electronically held data. The policy applies to all information in the CCG. Non-compliance with this policy may result in disciplinary action. The policy does not apply to member Practices' personal records. It covers the personal and confidential records held and processed by CCG staff.

2. Scope of Policy
This policy covers records held and processed by the CCG. The CCG is responsible for its own records under the terms of the DPA, and it has submitted a notification as a Data Controller to the Information Commissioner. Details can be found on the organisation’s website.

3. Summary of Aims
The lawful and correct treatment of personal information is vital to the successful operation of the CCG, and to maintaining confidence between the CCG and the individuals with whom it deals. Therefore, the CCG will, through appropriate management and strict application of criteria and controls:
3.1. fully observe the conditions regarding the fair collection and use of information;
3.2. meet its legal obligations to specify the purposes for which information is used;
3.3. collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
3.4. ensure the quality of information used;
3.5. apply strict checks to determine the length of time information is held;
3.6. ensure that the rights of people about whom information is held can be fully exercised under the Act. (These include: the right to be informed that processing is being undertaken; the right of access to one's personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is regarded as wrong information.);
3.7. take appropriate technical and organisational security measures to safeguard personal information;
3.8. ensure that personal information is not transferred abroad without suitable safeguards.

4. Notification to the Information Commissioner
The CCG has an obligation as a Data Controller to notify the Information Commissioner of the purposes for which it processes personal data. Notification monitoring within the CCG is carried out by the Deputy SIRO. Individual data subjects can obtain full details of the CCG's data protection registration/notification with the Information Commissioner from the Information Governance Manager or from the Information Commissioner's website (http://www.informationcommissioner.gov.uk).

5. CCG staff with Data Protection responsibilities
All queries about this CCG policy should be directed to the Deputy SIRO. Requests for a full subject access request should be made to the Deputy SIRO. CCG staff requiring personnel information should complete the form shown in Appendix B and send it to the Deputy SIRO. See also Section 14, Right of Access to Personal Data, below for more details.

6. Data Protection Principles
The CCG, as a Data Controller, must comply with the eight Data Protection Principles set out in the Act. In summary, these state that personal data shall:
6.1. Be processed fairly and lawfully and shall not be processed unless certain conditions are met.
6.2. Be obtained for specified and lawful purposes and shall not be processed in any manner incompatible with those purposes.
6.3. Be adequate, relevant and not excessive for those purposes.
6.4. Be accurate and kept up to date.
6.5. Not be kept for longer than is necessary for those purposes.
6.6. Be processed in accordance with the data subject's rights under the 1998 Act.
6.7. Be the subject of appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction.
6.8. Not be transferred to a country outside the European Economic Area, unless that country or territory has equivalent levels of protection for personal data. See Section 17.

7. Processing
"Processing", in relation to information or data, means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data, including:
7.1. organisation, adaptation or alteration of the information or data,
7.2. disclosure of the information or data by transmission, dissemination or otherwise making available, or
7.3. alignment, combination, blocking, erasure or destruction of the information or data.

8. Privacy Notices
Sometimes called a Fair Processing Notice, any collection of personal data must satisfy the requirements of the fair processing condition set out in the first Data Protection Principle. This includes paper or electronic application forms, telephone calls, and surveys. You must ensure an appropriate Privacy Notice is included wherever personal data is collected. This particularly applies to patient consent forms: it may be that current forms need to be amended to include a statement about data protection.
The purpose of a Privacy Notice is to explain to the individual:
• the identity of the organisation collecting his or her data;
• how the personal information which is provided will be used;
• any other information which the individual should be told in order to ensure the processing of his or her information is fair, for example:
  o a description of any other organisations the information may be shared with or disclosed to;
  o whether the information will be transferred outside the UK;
  o the fact that the individual can object to the use of his or her information for marketing;
  o the fact that an individual can obtain a copy of his or her information.
Ensure that the Privacy Notice is in a prominent position whenever used. Transparency is key.

An example form of words for a Privacy Notice might be:
Your personal data will be used only in accordance with the Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups notification under the Data Protection Act 1998 and in compliance with the Freedom of Information Act 2000. The CCG will not disclose any personal information to any other third parties, except where there is a legal justification or required by law, without your express consent. Further details in relation to the use of personal data will be published on the CCG’s web site:
http://www.centrallondonccg.nhs.uk/
http://www.westlondonccg.nhs.uk/
http://www.hammersmithfulhamccg.nhs.uk/
http://www.hounslowccg.nhs.uk/
Any queries concerning Data Protection and Freedom of Information should be addressed to the Deputy SIRO.

9. Responsibilities of Individual Data Users
All employees of the CCG who record and/or process personal data in any form (called "Data Users" in this policy) must ensure that they comply with:
• the requirements of the Data Protection Act 1998 (including the Data Protection Principles);
• the CCG's Data Protection Policy, including any procedures and guidelines which may be issued from time to time.
A breach of the Data Protection Act and/or the CCG's Data Protection Policy may result in disciplinary action.
Consideration should be given to contacting the Deputy SIRO for data protection advice concerning the following:
• when developing a new computer system for processing personal data - it may also be necessary to comply with the CCG's Information Asset Policy;
• when using an existing computer system to process personal data for a new purpose, as it may be necessary to notify an amendment to an existing registration in the CCG's Database Management Policy;
• when creating a new manual filing system containing personal data;
• when using an existing manual filing system containing personal data for a new purpose.

10. Accuracy of Data
a. Staff who have responsibility for handling any patient, staff or other individual's information must ensure that it is accurate and as up to date as possible, as detailed in their job descriptions.
b. All staff members are responsible for checking that any personal information they provide to the CCG in connection with their employment is accurate and up to date, e.g. change of address or name. The CCG cannot be held responsible for any errors unless the member of staff has informed the CCG about them.

11. Sensitive Personal Data
The CCG (or the CSU or alternative IT Provider on our behalf) may from time to time process "sensitive personal data" relating to staff, patients and other individuals. This sensitive personal data may include information which has incidentally come into the possession of the CCG. This type of information will not be routinely sought by the CCG. In exceptional circumstances, the CCG may need to process information regarding criminal convictions or alleged offences in connection, for example, with any disciplinary proceedings or other legal obligations. In circumstances where sensitive personal data is to be held or processed, the CCG will seek the explicit consent of the individual in question unless one of the limited exemptions provided in the Data Protection Act 1998 applies (such as to perform a legal duty regarding employees or to protect the data subject's or a third party's vital interests).

12. Data Security and Disclosure
All staff within the CCG are responsible for ensuring that:
a. Any personal data which they hold is kept securely.
b. Personal data is not disclosed either orally or in writing or otherwise to any unauthorised third party, and that every reasonable effort will be made to see that data is not disclosed accidentally. Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. If in any doubt, consult your line manager, the Deputy SIRO or Human Resources.
Personal data must be kept securely, and examples of how this may be done include:
c. keeping the data locked in a filing cabinet, drawer or room; or, if the data is computerised, ensuring that the data is password protected or kept only on disk which is itself kept securely; or
d. any other appropriate security measures which are detailed in the CCG’s Information Governance Policies.

13. Data Subjects' Consent
The CCG will not normally collect and process personal information. Where it does, it is the CCG’s policy to seek and obtain express consent whenever practicable from individual data subjects for the main ways in which the CCG may hold and process personal data concerning them. This is to allow individuals an opportunity to raise any objections to any intended processing of their personal data. The CCG will consider any such objections but reserves the right to process personal data in order to carry out its functions as permitted by law. Legally, however, certain types of personal data may be processed for particular purposes without the consent of individual data subjects. Where this takes place the CCG will ensure that individuals processing that data are required to justify their reasons for doing so in line with the 1998 Act and the guidelines issued by the Information Commissioner.

14. Right of Access to Personal Data
Staff, patients and other individuals have the right under the DPA to access any personal data that is being held about them, either in an "automatically processable form" (mainly computer records) or in a "relevant filing system" (i.e. any set of information structured in such a way that specific information relating to a particular individual is readily accessible). They also have the right to request the correction of such data where it is incorrect. This is called a Subject Access Request.
14.1. Patients' Right of Access to Medical & Confidential Hospital Records
The CCG will only exceptionally hold identifiable data about patients, but must have a process for managing subject access requests in respect of it. An individual who wishes to exercise his/her right of subject access is asked to formally request this information in writing to the Deputy SIRO. Any inaccuracies in data disclosed in this way should be communicated immediately to the responsible Manager, who shall take appropriate steps to make the necessary amendments.
Requests made under the Data Protection Act 1998 will be subject to the following set fees:
• £50 maximum fee where the data subject is supplied with copies of manual or a combination of manual and automated records in permanent form.
• No fee where access (but no copies) is sought to manual records, at least part of which comprise a recent record (made within 40 days). £10 for granting access to automated records.
• £10 where access only (but no copies) is sought to manual records, none of which comprise a recent record (all are over 40 days old).
The CCG will seek to respond to the request for access to personal data within 40 calendar days (including bank holidays and weekends) of the request.

14.2. Staff Right of Access to Personnel Records
Any member of staff who wishes to exercise his/her right of access to their staff record or similar personal information is asked to request this information in writing to the Human Resources Department using the form shown in Appendix B of this policy. Any such request will be formalised, acknowledged, and logged into a tracking database. The department will have a specific time frame to respond with either photocopies of the information requested, or a time when the member of staff will be able to read the information at source accompanied by a departmental senior manager. The response to the requester in either case will be through the Human Resources Department.
Such access to information will not normally be subject to the payment of a fee. Where it is proposed to charge a fee for access, no such charge will be made until the agreement of a fee structure with staff side representatives. Any perceived inaccuracies in data disclosed in this way should be communicated immediately to the Human Resources Department, who will take appropriate steps to investigate and make any agreed and/or necessary amendments.
Should a member of staff make a formal full subject access request under the terms of the DPA, as described in Section 14.1 above, such a request will be subject to the fee structure detailed in that section.

14.3. Right of Access to Personal Data by Elected Representatives
Under the Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002, Members of Parliament/Members of the Scottish Parliament can make a request for (sensitive) personal information about someone in an official capacity (e.g. an MP asking about a constituent), and can expect the information to be provided without the CCG receiving explicit consent from the data subject in question.
i. It has become practice in the NHS that when an MP makes an approach to an organisation on a constituent’s behalf it can be assumed that the constituent’s consent has been given (implied consent). The CCG fully accepts that effective communication with MPs, amongst others, is necessary and in our patients'/service users' interests, subject to checks or knowledge of the bona fides of the representative. There is no policy intention to prevent efficient and effective working relationships between MPs, their constituents and the CCG. Failure to adequately assist MPs may result in them writing to the Secretary of State complaining that the CCG is being obstructive and impugning the integrity of MPs.
ii. In general, when an MP writes to the CCG on behalf of a constituent, it is safe to assume that the constituent has given consent for the approach to be made; i.e. we have the implied (if not explicit) consent of the constituent. In such circumstances, information about the individual can be passed to the MP in order to respond to a specific enquiry. However, the guidance from the Information Commissioner makes it clear that Data Controllers should ensure that consent from the data subject is obtained satisfactorily, and this is especially the case in relation to sensitive personal information. It would be quite appropriate for the Data Controller to approach the Data Subject in relation to this, prior to disclosure to the MP.
iii. Where someone other than the constituent approaches the MP, for example relatives or friends intervening, perhaps inadvertently against the wishes of the individual concerned, it is acceptable to clarify the situation with the MP and to obtain consent before answering the enquiry. However, such cases should be rare and guidance must be sought from the Caldicott Guardian and/or the Information Governance Manager before any response is made to the MP.
iv. In the case of constituency workers or Parliamentary Secretaries, an element of common sense must be applied. MPs are unable to personally handle every aspect of a constituent's case. For example, it is highly unlikely that the MP personally typed the letter, and it is equally unlikely (although possible) that the constituent would believe this to be the case.
v. There is little problem in advising a constituency worker of the progress of a particular request. This does not mean, however, that the constituency worker should be given detailed confidential information about the constituent unless it is clear that it is both appropriate to do so and preferably with the direct knowledge and consent of the constituent.
In response to an MP, the Secretary of State stated that implied consent "would not normally be automatically” extended to constituency workers.

15. CCTV
A number of CCTV cameras are present on the CCG sites, to assist with security for staff, other individuals and their property, and in accordance with the CCG's 'notification' to the Information Commissioner. Disclosure of images from the CCG CCTV system will be controlled and consistent with the purpose for which the system was established. For example, it will be appropriate to disclose images to law enforcement agencies where a crime needs to be investigated, but it would not be considered appropriate to disclose images of identifiable individuals to the media for entertainment purposes or to place them on the internet. Images can be released to the media for identification purposes; this should not generally be done by anyone other than a law enforcement agency.
If you have any queries regarding the operation of or access to the CCTV system, please contact the CCG Security Manager. If access is required in connection with ongoing disciplinary matters, permission should be sought from the Director of Human Resources or nominated deputy.

16. Email
It is permissible and appropriate for the CCG to keep records of internal communications, provided such records comply with the Data Protection Principles. The appropriate use of email in the proper functioning of the CCG, and its limitations, can be found in the CCG's Email Policy. All CCG staff should be aware that the DPA subject access right, subject to certain exceptions, applies to emails which contain personal data about individuals and which are sent or received by CCG staff.

17. Disclosure outside of the United Kingdom (UK) or European Economic Area (EEA)
The CCG may, from time to time, need to transfer personal data to countries or territories outside of the UK or EEA (which is the EU member states plus the European Free Trade Association (EFTA) countries of Iceland, Liechtenstein and Norway) in accordance with purposes made known to individual data subjects. For example, the names and contact details of members of staff at the CCG on a website may constitute a transfer of personal data worldwide. If an individual wishes to raise an objection to this disclosure, then written notice should be given to the CCG's Deputy SIRO.
Other personal data, even if it would otherwise constitute fair processing, must not, unless certain exemptions apply or protective measures are taken, be disclosed or transferred outside the UK or EEA to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects. The European Commission has the power to determine whether a third country (i.e. not an EU member state or an EFTA country) ensures an adequate level of protection for personal data by reason of its domestic law or the international commitments it has entered into. The Commission has so far recognised Switzerland, Canada, Argentina, Guernsey, Isle of Man, Jersey, the US Department of Commerce's ‘Safe Harbor’ Privacy Principles, and the transfer of Air Passenger Name Record to the United States' Bureau of Customs and Border Protection as providing adequate protection.

18. Retention of Data
The CCG will hold different types of information for differing lengths of time, depending on legal and operational requirements, following which it will either be archived or destroyed.
This will be done in accordance with the retention periods detailed in the CCG's Records Management Policy which is compliant with the Department of Health's Records Management: NHS Code of Practice, parts 1 & 2: April January 2009, and the Code of Practice for the Management of Records, Section 46, Freedom of Information Act (2000). Any CCG local retention policies will use the timescales detailed in the NHS Code of Practice as a minimum. All data retention will comply with the 5th Principle of the Data Protection Act 1998. Page 10 Data Protection Policy Appendix A - EEA Countries The 8th Principle of the Data Protection Act 1998 prohibits the transfer of personal information to countries or territories outside the European Economic Area (EEA). (Currently the EEA consists of the 27 European Union member states and 3 other states) The European Union states are: Austria Belgium Bulgaria Cyprus The Czech Republic Denmark Estonia Finland France Germany Greece Hungary Ireland Italy Latvia Lithuania Luxembourg Malta Netherlands Poland Portugal Romania Slovakia Slovenia Spain Sweden United Kingdom The other EEA states are: Iceland Liechtenstein Norway Page 11 Appendix B OFFICE USE ONLY DPA RFI Date in Completed Request to view or receive copies of your Staff Personnel Record Subject Access Request under the Data Protection Act 1998 Not a Medical Record request, not a Full Subject Access request Personal Details Surname Forename(s) Job Title Department Your Ext. No. Line Manager Line Manager Ext. No. I require (please tick the appropriate box) To view my Record Copies of my Record If you require copies of your record, they will be sent to your home address: please complete the address section below: Home address House number or name Road name Area City or town Post Code Declaration I declare that the information in this form is correct and that I am the person named above. Signed Date Notes for applicants 1. 2. 3. 4. 5. 6. 7. 
All requests for staff personnel records must be made on this form. Copies of this form can be obtained from Human Resources and the Deputy SIRO. Please enter “Staff Personnel Record Request” in the subject line. Forms can be either emailed or posted to you. If emailed, print out and complete. Forms can also be downloaded from the CCG intranet site Completed forms should be returned by internal post to the Human Resources Department. The Human Resources Department will progress your request, either setting up a viewing appointment or dispatching the copy of your personnel record to your address. Under the Data Protection Act 1998 we have 40 days to complete your request; every effort will be made to complete your request before that deadline and within the NHS commitment of 21 days. In accordance with the CCG Data Protection Policy, no charge is made for this request. Full subject access requests will be charged at £10 plus disbursements in line with this policy. Page 12 XXX CCG WHISTLEBLOWING POLICY Date completed: January 2013 Responsible Director: Ben Westmancott Author: Approved by/ date: XXXX Governing Body, [date] Review date: [+ 1 year] Kieran Seale Amended: This policy is based on the policy template provided in “Speak up for a healthy NHS” produced by the NHS Social Partnership Forum and Public Concern at Work. CWHH is a collaboration between the Central London, West London, Hammersmith & Fulham and Hounslow Clinical Commissioning Groups Page 1 of 5 Introduction 1. All of us at one time or another have concerns about what is happening at work. Usually these are easily resolved. However, when the concern feels serious because it is about a possible danger, professional misconduct or financial malpractice that might affect patients, colleagues, or the Clinical Commissioning Group itself, it can be difficult to know what to do. 2. 
You may be worried about raising such an issue and may think it best to keep it to yourself, perhaps feeling it is none of your business or that it is only a suspicion. You may feel that raising the matter would be disloyal to colleagues, to managers or to the organisation. You may have said something but found that you have spoken to the wrong person or raised the issue in the wrong way and are not sure what to do next. 3. The governing body of the Clinical Commissioning Group is committed to running the organisation in the best way possible and to do so we need your help. We have introduced this policy to reassure you that it is safe and acceptable to speak up and to enable you to raise any concern you may have at an early stage and in the right way. Rather than wait for proof, we would prefer you to raise the matter when it is still a concern. 4. This policy applies to all those who work for us: whether full-time or parttime, self-employed, employed through an agency or as a volunteer. 5. If something is troubling you which you think we should know about or look into, please use this procedure. If, however, you wish to make a complaint about your employment or how you have been treated, please use the grievance policy or bullying/harassment policy, which you can obtain from your manager or personnel officer. (If you have a concern about financial misconduct or fraud, please see our Anti-fraud Policy). This Whistleblowing Policy is primarily for individuals who work for us and have concerns where the interests of others or of the organisation itself are at risk. 6. If in doubt – raise it! Our commitment to you Your safety 7. The governing body, Chief Officer and the staff unions are committed to this policy. If you raise a genuine concern under this policy, you will not be at risk of losing your job or suffering any detriment (such as a reprisal or victimisation). 
Provided you are acting in good faith (effectively this means honestly), it does not matter if you are mistaken or if there is an innocent explanation for your concerns. So please do not think we will ask you to prove it. Of course we do not extend this assurance to someone who maliciously raises a matter they know is untrue.

Your confidence

8. With these assurances, we hope you will raise your concern openly. However, we recognise that there may be circumstances when you would prefer to speak to someone in confidence first. If this is the case, please say so at the outset. If you ask us not to disclose your identity, we will not do so without your consent unless required by law. You should understand that there may be times when we are unable to resolve a concern without revealing your identity, for example where your personal evidence is essential. In such cases, we will discuss with you whether and how the matter can best proceed.

9. Please remember that if you do not tell us who you are it will be much more difficult for us to look into the matter. We will not be able to protect your position or to give you feedback. Accordingly you should not assume we can provide the assurances we offer in the same way if you report a concern anonymously.

How to raise a concern

10. If you are unsure about raising a concern at any stage you can get independent advice from your trade union representative or Public Concern at Work (see contact details under Independent advice below). Please remember that you do not need to have firm evidence before raising a concern. However, we do ask that you explain as fully as you can the information or circumstances that gave rise to your concern.

Step one
If you have a concern about a risk, malpractice or wrongdoing at work, we hope you will feel able to raise it first with your line manager or lead clinician. This may be done verbally or in writing.

Step two
If you feel unable to raise the matter with your line manager or lead clinician, for whatever reason, please raise the matter with:
[Name of designated officer] [Contact details]
OR
[Name of designated officer] [Contact details]
These people have been given special responsibility and training in dealing with whistleblowing concerns. If you want to raise the matter in confidence, please say so at the outset so that appropriate arrangements can be made. You may also choose to raise an issue with one of the CCG Lay Members who will refer it on as appropriate.

Step three
If these channels have been followed and you still have concerns, or if you feel that the matter is so serious that you cannot discuss it with any of the above, please contact: Daniel Elkeles, Chief Officer.

Department of Health

11. The Clinical Commissioning Group recognises its accountability within the NHS. In light of this you can also contact:
• NHS Counter Fraud Line on 0800 028 40 60 (if your concern is about financial malpractice);
• Local Counter Fraud lead (details to be confirmed);
• Department of Health: Customer Service Centre, Department of Health, Richmond House, 79 Whitehall, London SW1A 2NS, Email: [email protected], Telephone: 020 7210 4850;
• NHS Commissioning Board (London), Southside, 105 Victoria Street, London SW1E 6QT, Telephone 020 7932 3700.

How we will handle the matter

12. Once you have told us of your concern, we will assess it and consider what action may be appropriate. This may involve an informal review, an internal inquiry or a more formal investigation.
We will tell you who will be handling the matter, how you can contact them, and what further assistance we may need from you. If you ask, we will write to you summarising your concern and setting out how we propose to handle it and provide a timeframe for feedback. If we have misunderstood the concern or there is any information missing, please let us know. We undertake to acknowledge concerns within 48 hours, and give a substantive response within 28 days.

13. When you raise the concern it will be helpful to know how you think the matter might best be resolved. If you have any personal interest in the matter, we do ask that you tell us at the outset. If we think your concern falls more properly within our grievance, bullying and harassment or other relevant procedure, we will let you know.

14. Whenever possible, we will give you feedback on the outcome of any investigation. Please note, however, that we may not be able to tell you about the precise actions we take where this would infringe a duty of confidence we owe to another person. While we cannot guarantee that we will respond to all matters in the way that you might wish, we will strive to handle the matter fairly and properly. By using this policy you will help us to achieve this.

Independent advice

15. If you are unsure whether to use this policy or you want confidential advice at any stage, you may contact your union or the independent whistleblowing charity Public Concern at Work on 020 7404 6609 or by email at [email protected]. Their lawyers can talk you through your options and help you raise a concern about malpractice or wrongdoing at work.

External contacts

16. While we hope this policy gives you the reassurance you need to raise your concern internally with us, we recognise that there may be circumstances where you can properly report a concern to an outside body. In fact, we would rather you raised a matter with the appropriate regulator – such as the Care Quality Commission, the National Commissioning Board or the National Patient Safety Agency – than not at all. Your union or Public Concern at Work will be able to advise you on such an option if you wish.

Monitoring oversight

17. The governing body/Audit Committee is responsible for this policy and will review it annually. The governance team will monitor the daily operation of the policy and if you have any comments or questions, please do not hesitate to let one of their team know.

Confidentiality Code of Conduct
Date completed: June 2013
Responsible Director: Director of Compliance
Author: Ben Westmancott
Approved by/ date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Amended:

Confidentiality: Staff Code of Conduct

For more information on this document, please contact: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative, 15 Marylebone Road, London NW1 JD, E-mail: [email protected]

Version Control
Version 1.0, issued July 2013: Amended to reflect CWHHE procedures (owner: Ben Westmancott)
Version 2.0, issued August 2013: Circulated to local CCG IT committee for comment (owner: Ben Westmancott)

Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups, 2013: All rights reserved. Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations 2005
SI2005 No 1515”. Information on re-use can be obtained from: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative, Tel: 020 3350 4313, E-mail: [email protected]

Confidentiality~Staff Code of Conduct, Version 2

Confidentiality: Staff Code of Conduct

Contents
1. Introduction
2. Purpose of the Code
3. Background
4. Principles of Confidentiality
5. General Requirements
6. Detailed provisions
  6.1. Confidentiality of Information
  6.2. Confidential Information
  6.3. Person-identifiable Information
  6.4. Requests for Information
  6.5. Telephone Enquiries
  6.6. Requests for Information by the Police
  6.7. Requests for Information by the Media
  6.8. Disclosure of Information to other CCG Staff
  6.9. Abuse of Privilege
  6.10. Carelessness
  6.11. Research and Audit
  6.12. Using the Post
  6.13. Electronic Media
  6.14. Case notes
  6.15. Faxing
  6.16. Storage of Confidential Information
  6.17. Disposal of Confidential Information
  6.18. Confidentiality of Passwords
  6.19. Emailing Confidential Information
  6.20. Working at home
7. General Provisions
  7.1. Interpretation
  7.2. Non-compliance
8. Amendments
9. Useful Telephone numbers
Appendix 1: Caldicott Principles
Appendix 2: Some professional codes, undertakings and guidance
Appendix 3: NHSMail and other Secure Email Interconnectivity

This document should be read and understood prior to the contract of employment or other confidentiality agreement being signed. If anything is not clear please contact your Line Manager or the Human Resources Department (Adviser).

1. Introduction
Much of our work involves us, in one way or another, with access to confidential information. Often this will be personal information about staff or, exceptionally, patients. We may also have corporately confidential information, e.g. commercial or legal. We trust our staff to respect this confidence. It is very important. We have produced this Code of Conduct to explain, not only to you but to others with whom we do our work, how seriously we treat this matter.

2. Purpose of the Code
• To inform staff of the need and reasons for keeping information confidential
• To inform staff about what is expected of them
• To protect the CCG as an employer and as a user of confidential information

3. Background
Personal information about individuals is routinely collected by the CCG as part of its work. The CCG staff and those authorised to use that information are bound by common law obligations of confidentiality, contracts of employment and the requirements of the Data Protection Act 1998. Patient information (where held) is also subject to the Caldicott guidelines (Appendix 1).
A general duty of confidence arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence. All staff members working in the NHS are bound by a legal duty of confidence to protect identifiable personal information that they may come into contact with during the course of their duties. The NHS has published a detailed Code of Practice on Confidentiality and this is available at: http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/codes/confcode.pdf

Information collected by the CCG about its staff is subject to the same duty of confidentiality and the requirements of the Data Protection Act 1998. If confidentiality is broken then this breach may result in an unauthorised disclosure of information, a breach of the Data Protection Act and a loss of trust between an individual and the CCG.

A principle of this Code of Conduct (Code) is that no employee shall breach their legal duty of confidentiality, allow others to do so, or attempt to breach any of the CCG security systems or controls in order to do so.

This Code has been written to meet the requirements of:
• The Data Protection Act 1998
• The Human Rights Act 1998
• The Computer Misuse Act 1990
• The Copyright Designs and Patents Act 1988
• The NHS Code of Confidentiality 2003

This Code has been produced to protect staff by making them aware of the correct procedures so that they do not inadvertently breach any of these requirements. If the Code is breached then this may result in legal action against the individual and/or the CCG as well as investigation in accordance with the CCG disciplinary procedures.

4. Principles of Confidentiality
Patients have a right to expect that a health care worker involved in their care, or commissioning of their care, will not disclose any personal information learnt during the course of their duties, unless permission is given. Without assurances about confidentiality patients may be reluctant to give information which is needed in order to provide good care.

When you are responsible for confidential information you must make sure that the information is effectively protected against improper disclosure when it is recorded, stored, transmitted, received or disposed of.

When patients give consent to disclosure of information about them, you must make sure they understand what will be disclosed, the reasons for disclosure and the likely consequences. You must make sure that patients are informed whenever information about them is likely to be disclosed to others involved in their healthcare, and that they have the opportunity to withhold their permission. You must respect requests by patients that information should not be disclosed to third parties, except in exceptional circumstances (for example, where the health and safety of others would otherwise be at serious risk).

If you disclose confidential information, you should release only as much information as is necessary for the purpose. If it is appropriate to share information gained in the course of your work with other health or social work practitioners, you must make sure that, as far as is reasonable, the information will be kept in strict professional confidence and only used for the purpose for which the information was given. If you decide to disclose confidential information, you must be prepared to explain and justify your decision to do so. You must abide by these principles in perpetuity (forever!).

5. General requirements
Staff are obliged to keep any personal identifiable information strictly confidential, e.g. patient and employee records.
Note also that pseudonymised and anonymised data must also be handled with care, particularly in respect of any risks of inappropriate re-identification by a third party (see the Information Commissioner’s “Anonymisation: managing data protection risk code of practice”, http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/anonymisation.aspx).

It should be noted that staff may also come into contact with non-person-identifiable information and this should also be treated with the same degree of care, e.g. business-in-confidence information such as confidential meeting papers, legal documentation or procurement decisions.

Disclosure and sharing of personal identifiable information is governed by the requirements of Acts of Parliament and government guidelines. The Caldicott Guidelines (Appendix 1) have been developed for use of patient-related information. The CCG has appointed a Guardian to uphold these principles and this is the Director of Quality and Patient Safety.

For health and other professionals there are requirements through their own professional Codes of Conduct (Appendix 2). Some departments have their own special requirements.

6. Detailed provisions

6.1. Confidentiality of Information
All staff are responsible for maintaining the confidentiality of information gained during their employment by the CCG. This duty of confidentiality is a contractual requirement.

6.2. Confidential Information
• any information that relates to patients, staff (including non-contract, volunteers, bank and agency staff, locums, student placements), their family or friends, however it is stored. For example, information may be held on paper, floppy disk, computer storage device, CD, computer file or printout, video, photograph or even heard by word of mouth.
• includes information stored on portable devices such as (but not limited to) laptops, palmtops, mobile phones, memory sticks and digital cameras.
• can take many forms including medical notes, audits, employee records, occupational health records etc. It also includes any CCG business information.

6.3. Person-identifiable Information
Is anything that contains the means to identify a person either on its own or in combination with other items, e.g. name, address, postcode, date of birth, NHS number, National Insurance number, etc. Even a visual image such as a photograph is sufficient to identify an individual. Certain categories of information are legally defined as particularly sensitive and should be most carefully protected by additional requirements stated in legislation (for example, information regarding in-vitro fertilisation, sexually transmitted diseases, HIV and termination of pregnancy). During your work you should consider all information to be sensitive, even something as straightforward as a patient’s name and address. This standard should be applied to all information that you come into contact with.

6.4. Requests for Information
Never give information about patients or staff to persons who do not “need to know”. Always ask and check. All requests for person-identifiable information should be justified and handled only in accordance with the procedures in your area of work. Some requests may also need to be agreed by the CCG Caldicott Guardian. Exceptions to this rule may require you to get written consent from the patient in advance. If the patient is unconscious and unable to give consent you will need to consult with the health professional in charge of the patient’s care. If you have any concerns about disclosing or sharing patient information you must discuss them with your Line or Senior Manager. If they are not available then consult someone with the same or similar responsibilities.
If you cannot find anyone at the time to help then take down the requestor’s details and contact them when you are satisfied the disclosure of information can take place.

6.5. Telephone Enquiries
If a request for information is made by telephone:
• Always try to check the identity of the caller.
• Check whether they are entitled to the information they request.
• Take a number, verify it independently (against a directory or switchboard, not a number the caller gives you) and call back.
• Record how you have verified the identity of the caller.
If in doubt consult your Line or Senior Manager.

6.6. Requests for Information by the Police
Requests for information from the Police should always be referred to the senior clinician or the CCG’s Information Governance lead, or handled in accordance with the procedures in your area of work.

6.7. Requests for Information by the Media
Do not, under any circumstances, give out any information to members of the press. If you receive any requests from the media, either by personal visit or by phone, refer the person to the CCG Communications lead.

6.8. Disclosure of Information to other CCG Staff
Information on individuals should only be released on a need-to-know basis. Always check the member of staff is who they say they are; this can be done by checking the employee’s ID badge and/or their internal extension number prior to giving them any information. If possible also check whether they are entitled to the information. Don’t be bullied into giving out information. If in doubt, check with your line manager or the IG lead for the CCG.

6.9. Abuse of Privilege
It is strictly forbidden for staff to look at any information relating to their own family, friends or acquaintances unless they are directly involved in the patient’s clinical care or with the employee’s administration on behalf of the CCG. Action of this kind will be viewed as a breach of confidentiality and will be subject to the CCG disciplinary process. If you have concerns about this issue please discuss with your Line or Senior Manager.

6.10. Carelessness
Do not talk about staff members or patients in public places or where you can be overheard by the public, patients or even other members of staff. Do not leave any personal records or confidential information lying around unattended. Make sure that any computer screens or other displays of a person’s information on a notice-board or whiteboard cannot be seen by the general public.

6.11. Research and Audit
It is important that personal information identifying any individual is carefully used and protected. Audit and Research advice can be obtained from the IG Lead in relation to best practice. It is usual for research and audit information not to identify an individual.

6.12. Using the Post
Best practice requires that all correspondence containing personal information should always be addressed to a named recipient. This means personal information and data should be addressed to a person, or a legitimate Safe Haven, but not to a department, a unit or an organisation. In cases where the mail is for a team it should be addressed to an agreed post holder or team leader. Post containing confidential information or data should only be sent in a securely sealed envelope or package. Special care should be taken with personal information sent in quantity, such as casenotes, or collections of personal records on paper, floppy disk or other removable electronic media. Electronic storage should be encrypted and password protected. Items being sent to an external address should be sent by Recorded Delivery or by NHS courier, to safeguard that they are received by the authorised recipient. All electronic media are to be checked for the presence of pre-existing information prior to sending. With Personal Identifiable Data (PID) it is also advisable to obtain a receipt of posting.
Remember that pseudonymised data is still covered by the DPA.

6.13. Electronic media
Electronic media should be password protected. Advice on how to password protect files is available from the local Information Governance Lead.

6.14. Case notes
Case notes and other bulky material should only be transported in suitable boxes or containers and never in dustbin sacks, carrier bags or similar. The containers should not be left unattended unless they are stored securely while waiting for collection. The containers should only be taken and transported by an approved carrier.

6.15. Faxing
The use of faxes is discouraged; they should be used only in exceptional circumstances. No personal identifiable data should be sent via fax; wherever possible use other more secure methods such as end-to-end encrypted email. Faxes should always be addressed to named recipients. Always check the telephone number of the fax machine to avoid misdialling and ring the recipient to check that they have received the fax. If your fax machine stores numbers in memory, always check that the number held is correct and current before sending sensitive information. More details can be found in the CCG Safe Haven Policy and guidance.

6.16. Storage of Confidential Information
Paper-based confidential information and electronic storage media should always be kept securely and preferably in a room that is locked when unattended. PC-based information should never be saved onto local hard drives but onto the CCG network. If removable media is used then this should be encrypted and accessed using dual authentication (login and password). Confidential information must not be stored in areas that are not encrypted to NHS standards, e.g. Dropbox.

6.17. Disposal of Confidential Information
Person-identifiable information or confidential information must be disposed of by cross shredding. Waste must be placed in the confidential waste consoles until it can be collected for secure disposal. Floppy disks/CDs, portable hard drives, memory sticks and other portable electronic media containing confidential information should be either securely deleted and reformatted or destroyed. Computer files with confidential information no longer required must be deleted from both the computer and the server if necessary. Computer hard disks are disposed of by the CSU or alternative IT provider, on our behalf, through a specialist third party provider. The CCG will assure itself that this process is appropriate and will review the process annually. Advice is available from the Local Information Governance Lead.

6.18. Confidentiality of Passwords
Personal passwords issued to, or created by, staff should be regarded as confidential and must not be communicated or shared with anyone. Passwords should be a minimum of 8 alphanumeric characters. However, as encryption is now mandatory for all portable storage media (including laptops) holding Personal Identifiable Data (PID) and other sensitive patient information, pass codes should be considered for security reasons; pass codes should have a minimum of 12 characters, using alphanumeric characters and symbols in their construction. Passwords should not be written down. No employee should attempt to bypass or defeat the security systems or attempt to obtain or use passwords or privileges issued to other staff. Any attempts to breach security should be immediately reported to the SIRO. Such breaches of security may result in disciplinary action and may also be regarded as a contravention of the Computer Misuse Act 1990 and the Data Protection Act 1998 and lead to criminal action.

6.19. E-mailing Confidential Information
Should you need to send Personal Identifiable Data (PID) or other sensitive information via e-mail to other NHS organisations, you should set up and use an NHS mail account and send your e-mail to an NHS mail address.
NHS mail addresses are identifiable by the @nhs.net suffix. You must not send unencrypted information to any other addresses, with the exception of the government secure email addresses listed in Appendix 3; these have the same security rating as NHS mail. Please be aware that nhs.uk and gov.uk email addresses are not encrypted and PID should not be sent to these addresses.

If you need to send PID or other sensitive information to another NHS organisation using a non-NHS mail address, be aware of confidentiality, data protection and security issues and use the minimum identifiable information, which must then be encrypted and password protected using SafeBoot, or WinZip version 11 or later, with 256-bit AES encryption. The password is the only thing protecting the attachment: give it to the recipient by a separate route (for example by telephone), never in the same e-mail or in a follow-up e-mail to the same address.

Individual users must not send or forward confidential or sensitive CCG information through non-CCG e-mail. Examples of non-CCG email are (this list is by no means exhaustive):
• Google/Gmail
• Hotmail
• Yahoo mail
• AOL mail
• Internet or remote storage areas and e-mail services provided by other ISPs (Internet Service Providers)

Individual users are prohibited from using instant messaging services such as, but not limited to, Microsoft Messenger or Yahoo Messenger.

Agreed information sharing protocols must be used when sending or forwarding confidential or sensitive CCG information to individuals in other organisations. More information on information sharing protocols is available from the Deputy SIRO.

CCG staff have a responsibility to alert a sender should they receive confidential information from an unencrypted email address.

6.20. Working at home
It is sometimes necessary for staff to work at home. If you need to do this you must have the approval of your Line or Senior Manager.
If agreed you should ensure that the controls detailed below are met; you should also remember that you have a personal liability under both the Data Protection Act 1998 and your contract of employment for any breach of these requirements:
• Ensure you have authority to take the information or data home as detailed above.
• It is not permitted for personal records of any type to be taken home. The CCG has separate arrangements for the transport and use of personal records to other locations.
• If you are removing CCG information or data of any type please ensure that the removal is recorded, the new location logged and the date it will be returned. Return of the information must be recorded.
• All information, especially PID, that is removed from the work environment via any form of portable electronic storage media must be securely encrypted and password protected whilst it is being transported and used at home. The CCG will issue encrypted USB sticks for secure transport of data on request.
• Staff should only use CCG approved IT equipment for working at home.
• By registering the removal, the point-to-point data flow is recorded.
• Whilst the information is at home, you have personal responsibility for its security and confidentiality.
• If information is on portable electronic storage media such as floppy disk, CD ROM, USB stick or any other removable device, it must be either securely erased and formatted or the media taken back to the workplace.
• Under no circumstances should CCG information be accessible to members of your family, friends or colleagues.
• If you are working at home on a regular basis, it is recommended that you apply for and are issued with a device configured to the CCG security, encryption and log-on/password specifications and used exclusively for CCG business. This avoids the problems that can be caused when confidential information is loaded on to a family-used home computer, which is, in any event, not permitted.
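Sections 6.19 and 6.20 rest on the same control: PID that leaves NHSmail or the office must be encrypted under a pass code (6.19 names 256-bit AES in SafeBoot or WinZip; 6.20 requires encrypted portable media). The following Go program is an added example written for this page. It is not code from the CCG, SafeBoot or WinZip, and it does not produce WinZip's file format. It shows the mechanics such tools implement: a 256-bit key derived from the pass code with PBKDF2-HMAC-SHA256 and a random salt, AES-256-GCM so that any alteration of the data in transit is detected rather than silently decrypted to garbage, and a pass code check matching the 6.18 rule (12 or more characters mixing letters, digits and symbols). The iteration count, the blob layout (salt, nonce, then ciphertext and tag), the sample record and the names Seal, Open and CheckPassphrase are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"unicode"
)

const (
	saltLen    = 16
	nonceLen   = 12      // standard AES-GCM nonce size
	iterations = 300_000 // PBKDF2 work factor; an assumption for this example
)

// CheckPassphrase enforces the 6.18 pass code rule: at least 12 characters
// mixing letters, digits and symbols.
func CheckPassphrase(p string) error {
	var letter, digit, symbol bool
	for _, r := range p {
		letter = letter || unicode.IsLetter(r)
		digit = digit || unicode.IsDigit(r)
		symbol = symbol || unicode.IsPunct(r) || unicode.IsSymbol(r)
	}
	if len([]rune(p)) < 12 || !letter || !digit || !symbol {
		return errors.New("pass code must be 12+ characters and mix letters, digits and symbols")
	}
	return nil
}

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output
// block, which is exactly one AES-256 key, so no multi-block loop is needed.
func deriveKey(passphrase string, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index i = 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(passphrase, salt, iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns salt || nonce || AES-256-GCM(ciphertext || tag). The header is
// bound as additional authenticated data so it cannot be swapped unnoticed.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	if err := CheckPassphrase(passphrase); err != nil {
		return nil, err
	}
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil { // fresh salt and nonce every call
		return nil, err
	}
	gcm, err := newGCM(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), header...)
	return gcm.Seal(out, header[saltLen:], plaintext, header), nil
}

// Open reverses Seal. A wrong pass code and a tampered blob give the same
// error, so the caller learns nothing about which it was.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short to be a sealed record")
	}
	header := blob[:saltLen+nonceLen]
	gcm, err := newGCM(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, header[saltLen:], blob[saltLen+nonceLen:], header)
	if err != nil {
		return nil, errors.New("decryption failed: wrong pass code or data altered in transit")
	}
	return pt, nil
}

func main() {
	record := []byte("TEST-REF-0001: constructed sample, not a real patient record")
	pass := "Hounslow-2013-Sample!7" // assumed pass code; give it to the recipient by phone, never by email
	blob, err := Seal(pass, record)
	if err != nil {
		panic(err)
	}
	pt, err := Open(pass, blob)
	fmt.Println("round trip ok:", err == nil && string(pt) == string(record))
}
```

The pass code is the whole secret: send it to the recipient by a separate route such as a telephone call, never in the same e-mail as the attachment, and do not reuse one pass code across recipients. Because the salt and nonce are freshly random on every Seal call, encrypting the same record twice yields two different blobs, so a blob cannot be matched against a known record without the pass code.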
Open wi-fi networks should not be used to log on to the CCG’s network.

7. General provisions

7.1. Interpretation
If any person requires an explanation concerning the interpretation or the relevance of this code of conduct, they should discuss the matter with their Line or Senior Manager, the IG lead/team or the Caldicott Guardian.

The Data Protection Officer for the CCG is the Director of Compliance.
The Caldicott Guardian is the Director of Quality and Patient Safety.

7.2. Non-Compliance
Non-compliance with this code of conduct by any person working for the CCG may result in disciplinary action being taken in accordance with the CCG disciplinary procedure. To obtain a copy of the disciplinary procedures please discuss with your Line or Senior Manager or the Human Resources Department.

8. Amendments
This code will be amended as necessary to reflect the CCG development of policies and procedures and the changing needs of the NHS.

9. Useful Telephone numbers
Caldicott Guardian: 020 3350 4817
Communications Department: 07771339170
Data Protection Officer: 020 3350 4313

Appendix 1 Caldicott Principles

Justify the purpose(s)
Question why the information is required and what specific information is needed to enable them to perform their task.

Don't use patient-identifiable information unless it is absolutely necessary
Consider why identifiable information about a patient is being requested, whether it could be anonymised in some way and, if not, what the benefits are and whether they outweigh the patient’s right to confidentiality.

Use the minimum necessary patient identifiable information
Where supplying patient-identifiable information is vital, we need to consider the absolute minimum required; for this we have to consider what it is needed for and what they have a right to see.
Access to patient-identifiable information should be on a strict need-to-know basis
Only those who need to view patient-identifiable data should be allowed access, and even then only to that which they need to know.

Everyone with access to patient-identifiable information should be aware of his or her responsibilities
Each member of staff concerned should be aware of the implications that a breach of confidentiality has on the patient or member of staff and what they should be doing to prevent or reduce the risk of any such breaches.

Understand and comply with the law
All uses of patient-identifiable data should be lawful. Someone within your organisation must be responsible for ensuring that the organisation complies with legal requirements.

Appendix 2 Some professional codes, undertakings and guidance

General Medical Council Principles

1. Confidentiality is central to trust between doctors and patients. Without assurances about confidentiality, patients may be reluctant to seek medical attention or to give doctors the information they need in order to provide good care. But appropriate information sharing is essential to the efficient provision of safe, effective care, both for the individual patient and for the wider community of patients.

2. You should make sure that information is readily available to patients explaining that, unless they object, their personal information may be disclosed for the sake of their own care and for local clinical audit. Patients usually understand that information about them has to be shared within the healthcare team to provide their care. But it is not always clear to patients that others who support the provision of care might also need to have access to their personal information. And patients may not be aware of disclosures to others for purposes other than their care, such as service planning or medical research.
You must inform patients about disclosures for purposes they would not reasonably expect, or check that they have already received information about such disclosures.

Confidentiality is an important duty, but it is not absolute. You can disclose personal information if:
(a) it is required by law (see paragraphs 17 to 23)
(b) the patient consents – either implicitly for the sake of their own care (see paragraphs 25 to 31) or expressly for other purposes (see paragraphs 32 to 35)
(c) it is justified in the public interest (see paragraphs 36 to 56).

3. When disclosing information about a patient, you must:
(a) use anonymised or coded information if practicable and if it will serve the purpose
(b) be satisfied that the patient:
(i) has ready access to information that explains that their personal information might be disclosed for the sake of their own care, or for local clinical audit, and that they can object, and
(ii) has not objected
(c) get the patient’s express consent if identifiable information is to be disclosed for purposes other than their care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
(d) keep disclosures to the minimum necessary, and
(e) keep up to date with, and observe, all relevant legal requirements, including the common law and data protection legislation.

4. When you are satisfied that information should be disclosed, you should act promptly to disclose all relevant information.

5. You should respect, and help patients to exercise, their legal rights to:
(a) be informed about how their information will be used, and
(b) have access to, or copies of, their health records.

Extract taken from Confidentiality (2009), which sets out the principles of confidentiality and respect for patients' privacy that doctors are expected to understand and follow.
Nursing and Midwifery Council
‘The code: Standards of conduct, performance and ethics for nurses and midwives’ (2008) states:
• "You must respect people's right to confidentiality."
• "You must ensure people are informed about how and why information is shared by those who will be providing their care."
• "You must disclose information if you believe someone may be at risk of harm, in line with the law of the country in which you are practising."

Confidentiality
A duty of confidence arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence. This duty of confidence is derived from:
• common law – the decisions of the Courts
• statute law, which is passed by Parliament.

Confidentiality is a fundamental part of professional practice that protects human rights. This is identified in Article 8 (Right to respect for private and family life) of the European Convention on Human Rights.

The common law of confidentiality reflects that people have a right to expect that information given to a nurse or midwife is only used for the purpose for which it was given and will not be disclosed without permission. This covers situations where information is disclosed directly to the nurse or midwife and also information that the nurse or midwife obtains from others. One aspect of privacy is that individuals have the right to control access to their own personal health information.

It is not acceptable for nurses and midwives to:
• discuss matters related to the people in their care outside the clinical setting
• discuss a case with colleagues in public where they may be overheard
• leave records unattended where they may be read by unauthorised persons.

Legislation
All nurses and midwives need to be aware of the following pieces of legislation relating to confidentiality:

The Data Protection Act 1998
This Act governs the processing of information that identifies living individuals.
Processing includes holding, obtaining, recording, using and disclosing of information, and the Act applies to all forms of media, including paper and electronic.

The Human Fertilisation and Embryology Act 1990
Regulates the provision of new reproductive technology services and places a statutory ban upon the disclosure of information concerning gamete donors and people receiving treatment under the Act. Unauthorised disclosure of such information by healthcare professionals and others has been made a criminal offence.

The National Health Service Venereal Disease Regulations (SI 1974 No.29)
This states that health authorities should take all necessary steps to ensure that identifiable information relating to persons being treated for sexually transmitted diseases should not be disclosed.

The Mental Capacity Act (2005)
This provides a legal framework to empower and protect people who may lack capacity to make some decisions for themselves. The assessor of an “individual’s capacity to make a decision will usually be the person who is directly concerned with the individual at the time the decision needs to be made”; this means that different health and social care workers will be involved in different capacity decisions at different times.

The Freedom of Information Act 2000 and Freedom of Information (Scotland) Act 2002
These Acts grant people rights of access to information that is not covered by the Data Protection Act 1998, e.g. information which does not contain a person’s identifiable details.

The Computer Misuse Act 1990
This Act secures computer programmes and data against unauthorised access or alteration. Authorised users have permission to use certain programmes and data. If the users go beyond what is permitted, this is a criminal offence.

Disclosure
Disclosure means the giving of information.
Disclosure is only lawful and ethical if the individual has given consent to the information being passed on. Such consent must be freely and fully given. Consent to disclosure of confidential information may be:
• explicit
• implied
• required by law, or
• capable of justification by reason of the public interest.

Disclosure with consent
Explicit consent is obtained when the person in the care of a nurse or midwife agrees to disclosure having been informed of the reason for that disclosure and with whom the information may or will be shared. Explicit consent can be written or spoken.

Implied consent is obtained when it is assumed that the person in the care of a nurse or midwife understands that their information may be shared within the healthcare team. Nurses and midwives should make the people in their care aware of this routine sharing of information, and clearly record any objections.

Disclosure without consent
The term ‘public interest’ describes the exceptional circumstances that justify overruling the right of an individual to confidentiality in order to serve a broader social concern. Under common law, staff are permitted to disclose personal information in order to prevent and support detection, investigation and punishment of serious crime and/or to prevent abuse or serious harm to others. Each case must be judged on its merits. Examples could include disclosing information in relation to crimes against the person, e.g. rape, child abuse, murder, kidnapping, or as a result of injuries sustained from knife or gun shot wounds.

These decisions are complex and must weigh the public interest in ensuring confidentiality against the public interest in disclosure. Disclosures should be proportionate and limited to relevant details. Nurses and midwives should be aware that it may be necessary to justify disclosures to the courts or to the Nursing & Midwifery Council and must keep a clear record of the decision making process and advice sought.
Courts tend to require disclosure in the public interest where the information concerns misconduct, illegality and gross immorality.

Disclosure to third parties
This is where information is shared with other people and/or organisations not directly involved in a person's care. Nurses and midwives must ensure that the people in their care are aware that information about them may be disclosed to third parties involved in their care. People in the care of a nurse or midwife generally have a right to object to the use and disclosure of confidential information. They need to be made aware of this right and understand its implications. Information that can identify individual people in the care of a nurse or midwife must not be used or disclosed for purposes other than healthcare without the individual's explicit consent, some other legal basis, or where there is a wider public interest.

Information Sharing Protocols
These are documented rules and procedures for the disclosure and use of patient information between two or more organisations or agencies, in relation to security, confidentiality and data destruction. All organisations should have these in place and nurses and midwives should follow any established information sharing protocols.

Confidentiality after death
The duty of confidentiality does continue after the death of the individual to whom that duty is owed.

Information disclosure to the police
In English law there is no obligation placed upon any citizen to answer questions put to them by the police. However, there are some exceptional situations in which disclosure is required by statute.
These include:
• the duty to report notifiable diseases in accordance with the Public Health Act 1984
• the duty to inform the Police, when asked, of the name and address of drivers who are allegedly guilty of an offence contrary to the Road Traffic Act 1998
• the duty not to withhold information relating to the commission of acts of terrorism contrary to the Terrorism Act 2000
• the duty to report relevant infectious diseases in accordance with the Public Health (Infectious Diseases) Regulations 1998.

Police access to medical records
The police have no automatic right to demand access to a person’s medical records. Usually, before the police may examine a person’s records they must obtain a warrant under the Police and Criminal Evidence Act 1984. Before a police constable can gain access to a hospital, for example, in order to search for information such as medical records or samples of human tissue, he or she must apply to a circuit judge for a warrant. The police have no duty to inform the person whose confidential information is sought, but must inform the person holding that information.

The Police and Criminal Evidence Act (1984)
This Act allows nurses and midwives to pass on information to the police if they believe that someone may be seriously harmed or death may occur if the police are not informed. Before any disclosure is made nurses and midwives should always discuss the matter fully with other professional colleagues and, if appropriate, consult the NMC or their professional body or trade union. It is important that nurses and midwives are aware of their organisational policies and how to implement them. Wherever possible the issue of disclosure should be discussed with the individual concerned and consent sought. If disclosure takes place without the person’s consent they should be told of the decision to disclose and a clear record of the discussion and decision should be made as stated above.
Special considerations to be taken into account when disclosure is being considered
In some circumstances it may not be appropriate to inform the person of the decision to disclose, for example, due to the threat of a violent response. The nurse or midwife may feel that, because of specific concerns, a supplementary record is required containing details of the disclosure. The Data Protection Act 1998 does allow for healthcare professionals to restrict access to information they hold on a person in their care, if that information is likely to cause serious harm to the individual or another person. A supplementary record should only be made in exceptional circumstances as it limits the access of the person in the care of the nurse or midwife to information held about them. All members of the health care team should be aware that there is a supplementary record, and this should not compromise the person's confidentiality.

Nurse or midwife acting as a witness in a court case
If a nurse or midwife is summoned as a witness in a court case he/she must give evidence. There is no special rule to entitle the nurse or midwife to refuse to testify. If a nurse or midwife refuses to disclose any information in response to any question put to him/her, then a judge may find the nurse or midwife in contempt of court and may ultimately send him/her to prison.

Risk or breach of confidentiality
If a nurse or midwife identifies a risk or breach of confidentiality they must raise their concerns with someone in authority if they are unable to take affirmative action to correct the problem, and record that they have done so. A risk or breach of confidentiality may be due to individual behaviour or as a result of organisational systems or procedures. The Code states “You must act without delay if you believe that you, a colleague or anyone else may be putting someone at risk”.
Nurses and midwives have a professional duty to take action to ensure the people in their care are protected, and failure to take such action could amount to professional misconduct on their part.

This information was updated May 2012.

Appendix 3 NHSMail and other Secure Email Interconnectivity
NHSmail users may communicate securely and directly with email users on other secure Government domains – these are listed below. Please also note that this now includes those local authorities using the ‘Government Connect’ email domain of GCSX.GOV.UK – this is particularly useful for those NHSmail users wishing to communicate with Social Services staff in local authorities.
- gsi.gov.uk
- gsx.gov.uk
- gse.gov.uk
- pnn.gov.uk
- scn.gov.uk
- pnn.police.uk
- eu-admin.net
- gsisup.co.uk
- cjsm.net
- psops.net
- gcsx.gov.uk

Safe Haven Policy
Date completed: June 2013
Responsible Director: Director of Compliance
Approved by/ date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Amended:
Author: Ben Westmancott

For more information on this document, please contact: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative, 15 Marylebone Road, London NW1 JD. E-mail: [email protected]

Version History
Version 1.0, issued July 2013: Amended to reflect CWHHE procedures (Owner’s name: Ben Westmancott)
Version 2.0, issued August 2013: Circulated to local CCG IT Committee for comments (Owner’s name: Ben Westmancott)

Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups, 2013: All rights reserved. Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations 2005.
SI2005 No 1515”. Information on re-use can be obtained from: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative

Safe Haven Policy Version 1.0 Page 2 of 10

Contents
1. Introduction ..... 4
2. Scope ..... 4
3. Legislation and guidance ..... 4
4. Definitions ..... 4
4.1. Safe Haven ..... 4
4.2. Personal Information ..... 4
4.3. Sensitive Personal Information ..... 5
4.4. Where Safe Haven procedures should be in place ..... 5
5. Responsibilities for implementation ..... 5
5.1. Caldicott Guardian ..... 5
5.2. Information Governance Manager ..... 5
5.3. All CCG staff ..... 5
6. Sharing information with external organisations ..... 5
7. Other relevant policies ..... 6
8. Contacts and further information ..... 6
8.1. Information Governance Manager ..... 6
8.2. Caldicott Guardian ..... 6
9. Policy Review and Awareness ..... 6
10. Disciplinary Matters ..... 6
Appendix A: Requirements for Safe Havens ..... 7
A.1 Safe haven location and security arrangements ..... 7
A.2 Fax machines ..... 7
A.3 Misdirected faxes ..... 8
A.4 Junk and unsolicited faxes ..... 8
Appendix B: CCG Safe Haven Directory ..... 9
Appendix C Safe Haven Fax Cover sheet ..... 10

1. Introduction
All NHS organisations require Safe Haven procedures to maintain the privacy and confidentiality of the personal information held.
The implementation of these procedures facilitates compliance with the legal requirements placed upon Central London, West London, Hammersmith and Fulham, Hounslow and Ealing Clinical Commissioning Groups (the CCGs), especially concerning sensitive personal and confidential information. Where external organisations, partners or other agencies, or even a different internal CCG department, need to send personal information to a CCG department, they should be confident that they are sending it to a location which ensures the security, integrity and confidentiality of that data.

Given that we do not routinely process patient confidential data, we do not currently have a requirement for a safe haven. However, this policy has been prepared should that situation change.

2. Scope
This policy provides:
• The legislation and guidance which dictates the use of a Safe Haven.
• A definition for the term Safe Haven.
• When and why a Safe Haven should be used.
• Definitions as to who can have access, and who you can disclose to.
• The necessary procedures and requirements that are needed to implement a Safe Haven. See Appendix A.
• Rules for different kinds of Safe Haven.

The CCG may designate roles to a commissioning support organisation in order to better manage their Information Governance; this policy will be agreed with such an organisation as necessary.

3. Legislation and guidance
A number of Acts and their associated guidance notes dictate the need for Safe Haven arrangements to be set in place. They include:

Data Protection Act 1998 (Principle 7): “Appropriate technical and organisational measures shall be taken to make personal data secure”

NHS Code of Practice: Confidentiality, Annex A1 Protect patient Information: “Care must be taken, particularly with confidential clinical information, to ensure that the means of transferring from one location to another are as secure as they can be”

4. Definitions

4.1. Safe Haven
The term Safe Haven can refer to either a location (or in some cases a piece of equipment) situated on the CCG premises or a ‘Virtual Safe Haven’ where arrangements and procedures are in place to ensure person-identifiable information can be held, received and communicated securely. An example of a Virtual Safe Haven is a named number of staff who may all work in the same team, on the same database or server but are not in the same physical location.

4.2. Personal Information
Personal information is information which can identify a person: information in which the person is the focus and which links that individual to details which would be regarded as private, e.g. name and private address, name and home telephone number.

4.3. Sensitive personal information
Sensitive personal information is defined in Schedule 3 of the Data Protection Act 1998 and is where the personal information contains details of:
• Health or physical condition
• Sexual life
• Ethnic origin
• Religious beliefs
• Political views
• Criminal convictions
For this type of information more stringent measures should be employed to ensure that it remains secure and confidential.

4.4. Where Safe Haven procedures should be in place
Safe Haven procedures should be in place in any designated Safe Haven or Virtual Safe Haven location. This is likely to be, but not exclusively, where a large amount of personal information is being received, held or communicated.

5. Responsibilities for implementation

5.1. Caldicott Guardian
The Caldicott Guardian for the CCG will ultimately approve all procedures that relate to the secure and confidential use of patient information.

5.2 Deputy SIRO
The deputy SIRO, through the local governance leads, has been designated the role of facilitating all aspects of the information governance agenda that relate to Safe Havens, including data protection, confidentiality code of conduct, information security and risk assessment.
5.3 CCG staff
All staff are responsible for following the Safe Haven processes to support secure and confidential processing of personal-identifiable information.

6. Sharing information with external organisations
Employees of the CCG who are authorised to disclose information to other organisations outside the NHS must obtain an assurance that these organisations have a designated Safe Haven point for the receipt of personal information. The CCG must be assured that these external organisations comply with the Safe Haven requirements, and meet legislative and related guidance requirements relating to:
• Data Protection Act 1998
• Common Law Duty of Confidentiality
• NHS Confidentiality Code of Conduct

Staff sharing personal information with other agencies should be aware of protocol agreements between the CCG and those agencies. For clarification, contact should be made with the Director of Compliance. It is advisable to use end to end encrypted email such as nhs.net rather than faxes, if possible. Please note that nhs.uk or gov.uk addresses are not encrypted mail and are therefore not permissible when dealing with patient identifiable data.

7. Contacts and further information
• Caldicott Guardian: Director of Quality and Patient Safety
• SIRO: Chief Officer
• Deputy SIRO: Director of Compliance
• Local Information Governance Lead

9. Policy Review and Awareness
This policy and associated procedures will be monitored by the Director of Compliance and as part of the requirements of the Information Governance toolkit. The policy will be reviewed regularly, at least annually.

10. Disciplinary Matters
The CCG expects all staff to comply with the Safe Haven Policy and procedures and guidance published in its support.
Where there is evidence of a breach of this policy, it must be investigated in accordance with the CCG’s disciplinary procedures applicable to all employees of the CCG; to those engaged in duties in the CCG under a Letter of Authority/Honorary Contract or Work Experience programme; or agreements made between the CCG and any user’s employing organisation such as other NHS bodies or other third-parties such as contractors, students, visitors or volunteers. In all cases the CCG must act immediately to prevent a further breach and this action may include restriction of access to systems. This will include an investigation of the breach and implementation of any learning that emerges from the review.

Also consider the following websites:
• The Information Commissioner http://www.informationcommissioner.gov.uk/
• NHS Code of Practice: Confidentiality http://www.dh.gov.uk/assetRoot/04/06/92/56/04069256.pdf

Appendix A: Requirements for Safe Havens

A.1 Safe Haven location & security arrangements
All areas that have been designated as Safe Havens should be risk assessed prior to the commencement of operational use. Risk assessments should be carried out by the Local Information Governance Lead. All Safe Havens should be an office or workspace that is locked or only accessible via an electronically controlled access solution available to authorised staff, or a Virtual Safe Haven that encompasses a number of named persons using secure networks or systems accessible only to those individuals. The Safe Haven should be sited so that only authorised staff can enter the location, i.e. it is not an area which is readily accessible to any visitors to the building. If the Safe Haven office or workspace is sited on the ground floor any windows should have locks on them and blinds which should be closed when the office or workspace is not occupied.
The Safe Haven office or workspace should conform to health and safety requirements in terms of fire, safety from flood, theft or environmental damage. Manual paper records containing person-identifiable information should be stored in locked cabinets. Equipment such as fax machines in the Safe Haven should have a code password and be turned off out of office hours where this does not pose a clinical risk.

A.2 Fax machines
Fax machines are considered a high risk method of communication and must only be used to transfer personal information where it is absolutely necessary to do so. The following best practice rules should apply; however, a full risk assessment may indicate that the fax location and use is secure where only some of the criteria are met.
• The fax is sent to a Safe Haven location where only authorised staff with a legitimate right to view the information can access it.
• The sender is certain that the correct person will receive it and that the fax number is correct. To ensure this, use the following:
Populate the speed dial of the fax with frequently used numbers and clear unequivocal identifiers; keep a separate electronic or hard copy list of those identifiers and their fax numbers for reference and as back-up. These numbers must be regularly checked for accuracy.
Where manual dialling is required, double check the number with the documentation before pressing the dial button – if you are unsure that the number is correct, test by sending a blank fax to the recipient asking them to confirm receipt and that they are who you expect them to be.
• Always use a Safe Haven front sheet to the fax that clearly identifies the CCG and the Department of the originator, the name and contact details of the originator, the intended recipient, the number of pages sent (including the front sheet) and any reference numbers used. The fax sheet should also include a confidentiality clause agreed by the Caldicott Guardian.
See also Appendix C: Safe Haven fax front cover. Safe Haven Policy Version 1.0 Page 7 of 10 Where possible the NHS number should be used for identification in preference to the patient's name and address. Only the minimum amount of personal information should be sent and, where possible the data should be anonymised or psuedonymised using a unique identifier agreed with the receiver. Where sending particularly large or sensitive faxes notify the recipient when you are sending and ask them to acknowledge and confirm receipt and that all the pages detailed on the Safe Haven fax front sheet have been received. Log all activity (calls sent and received) either by a hardcopy or electronic log, or by printing out and storing the fax internal activity log on a daily basis. A.3 • Fax machines should be turned off when not in use and stored in a secure locked cupboard or storage room, where this does not result in a clinical risk. • To preserve confidentiality, faxes and other patient identifiable information should be secured in lockable filing cabinets accessible only authorised staff. Misdirected faxes The contents of misdirected faxes must not be disclosed to other parties without the sender’s permission. Any information received in a misdirected fax must be treated as highly confidential and the sender must be made aware that it has been sent to the wrong person. A misdirected fax can be received from internal and external sources. A.4 Junk and unsolicited faxes Fax versions of ‘junk mail’ are becoming increasingly common, consisting mainly of advertising material and should be ignored. Responding to these may encourage more faxes to be sent and therefore should be considered bad practice. Where appropriate, Departments may make use of the Fax Preference Service (www.fpsonline.org.uk). 
Appendix B: CCG Safe Haven Directory
Name | Fax Number | Location – give specific details please

Appendix C: Safe Haven fax front cover
[Type Address Here]
Facsimile
Office Telephone:
Facsimile:
Direct Dial:
Website:
Email Address:
To:
Fax No:
From:
Date:
Tel No:
Pages including this one:
Subject:
PLEASE COMPLETE ALL FIELDS
The information contained in this facsimile transmission may be legally privileged and is intended for the use of the individual(s) or entity(s) named above. If you are not the intended recipient, you are hereby notified that use, dissemination, distribution or copying of this facsimile or its information is strictly prohibited. If you have received this facsimile in error, please notify the sender by telephone or facsimile immediately on the telephone number above to arrange return of these documents. Thank you.

Email Policy
Date completed: June 2013
Responsible Director: Director of Compliance
Approved by/ date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Author: Ben Westmancott
Amended:

For more information on this document, please contact: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative, 15 Marylebone Road, London NW1 JD. E-mail: [email protected]

Version Control
Version | Date Issued | Brief Summary of Changes | Owner's name
1.0 | July 2013 | Amended to reflect CWHHE Procedures | Ben Westmancott
2.0 | August 2013 | Circulated to local CCG IT Committee for Comment | Ben Westmancott

Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham and Ealing, Hounslow Clinical Commissioning Groups, 2013: All rights reserved.
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations 2005. SI2005 No 1515”. Information on re-use can be obtained from: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative, Tel: 020 3350 4313, E-mail: [email protected]

Contents
1. Introduction
2. Scope of Policy
3. Legal Considerations
4. Responsibilities
5. Conditions of Use
6. E-mail, confidential Information security and encryption
7. Third party Secure Email Addresses
8. Monitoring of System
9. Personal Use
10. Disciplinary Matters
Appendix 1. Definitions used in this Policy
Appendix 2. Associated Information
Appendix 3. Caldicott Guidelines

The information and guidelines within this policy are important and apply to the entire CCG. Non-compliance may result in disciplinary action.

1. Introduction
This document sets out the CCGs’ policy for the protection of the integrity and availability of the e-mail system. It establishes the CCGs' and users' responsibilities for use of the e-mail system. It provides reference to documentation relevant to this policy which is to be considered in conjunction with this policy.
The CCGs make available a network connection to employees and, through an authorisation process, give access to web services comprising an e-mail system, Internet and Intranet for:
• their work duties;
• work-related educational purposes;
• work-related research purposes; and
• contact with other colleagues inside and outside the CCGs, within the remit of item 5, Conditions of Use, of this policy.
The CCGs may provide access to web services to non-CCG employees working within the CCGs through an authorisation process and under an agreement with the employing organisation.
The Policy is supported by the CCG Information Security Policy and is compliant with ISO/IEC 22002:2005 10.8 and the BS ISO/IEC 27001 controls 10.8.4, and meets current legal requirements (Appendix 2).

2. Purpose and Scope
The purpose of the CCG e-mail policy is to ensure the proper use of the e-mail system, to establish rules for sending, receiving and storing electronic mail, and to make all users aware of what the CCG deems acceptable and unacceptable use of its e-mail system. To ensure the security of the e-mail system, the CCG must:
• ensure that e-mail is available for users in connection with their work duties;
• preserve the integrity of the system;
• preserve confidentiality within the Caldicott guidelines and Data Protection Act 1998;
• protect assets against unauthorised disclosure.
The Policy applies to all e-mail services provided by the CCG. The Policy applies equally to all individuals authorised to access any CCG electronic resource with the facility to send, receive or store electronic mail, regardless of use.
The Policy applies to personal use of e-mail in addition to the use of e-mail in the course of conducting NHS business, associated research and other work-related purposes.

3. Legal Considerations
E-mail is a business communication tool and users are obliged to use this tool in a responsible, effective and lawful manner. By its nature e-mail seems to be less formal than other written communication; however, the same laws apply. It is important that users are aware of the legal risks of e-mail (Appendix 2).

4. Responsibilities
The CSU or alternative IT provider, on behalf of the CCGs, will provide the appropriate and authorised software for e-mail.
The CSU or alternative IT provider, on behalf of the CCGs, will provide an authorisation process for users to access e-mail.
The CCG will ensure that all users are competent in the use of e-mail in accordance with the published e-mail procedures.
The content of e-mail accounts maintained on the CCG's systems remains the property of the CCG.

5. Conditions of use
This Policy prohibits certain activities in the use of e-mail. Such use may make both the user and the CCG liable under law:
• composing, sending or forwarding of e-mail with any libellous, defamatory, offensive, harassing, racist, obscene or pornographic remarks or depictions;
• forwarding of confidential information in contravention of the Data Protection Act, the NHS Code of Practice on Confidentiality or the Caldicott guidelines;
• knowingly sending an attachment containing malicious software, e.g. a virus;
• use of e-mail for political lobbying;
• actions that may leave the CCG open to action for breach of copyright or licensing laws when composing or forwarding e-mail and e-mail attachments (Appendix 3);
• accessing and using another user's e-mail account without their permission;
• forging or attempting to forge e-mail messages, e.g. spoofing.
This policy also prohibits certain other activities as they impede the function of the CCG's network systems and the efficient functioning of e-mail:
• sending or forwarding chain letters or other non-work-related correspondence;
• unwarranted sending of large messages or attachments;
• sending unsolicited messages, e.g. spam, to a large number of users or large groups, except as required when conducting CCG business;
• using the CCG's e-mail to conduct private or freelance work for the purpose of commercial gain.
It is recognised that in the course of their work or associated research some users may have a requirement to transmit or receive material that may be defined as offensive, obscene, indecent or similar. In such circumstances it will be acceptable for this to be done.
In using e-mail to communicate externally, users must not give the impression that their comments represent the views of the CCG unless specifically authorised to do so.
In using e-mail, users must conduct themselves in a way that meets their responsibilities as detailed in their code of conduct, terms and conditions and/or contract of employment. Users must conduct themselves in accordance with the requirements of this policy and the user agreement made with the CCG and employing organisation.
If a disclaimer is used it must be that recommended by the CCG.

6. E-mail, confidential Information security and encryption
Should you need to send Personal Identifiable Data (PID) or other sensitive information via email to other organisations, you should set up and use an NHS mail account and send your email to an NHS mail address. NHS email addresses are identifiable by the @nhs.net suffix. You must not send unencrypted information to any other addresses, with the exception of the government secure email addresses listed in Section 7, below. These have the same security rating as NHS mail. Users must comply with the latest guidance on acceptable activities for CCGs with respect to PID.
Please note that nhs.uk and non-secure gov.uk email addresses should not be used to send or receive confidential information.
If you need to send PID or other sensitive information to another NHS organisation using a non-NHS mail address, be aware of confidentiality, data protection and security issues and use the minimum identifiable information, which must then be encrypted and password protected using SafeBoot, or WinZip version 11 or later with a 256-bit AES encryption key.
Individual users must not send or forward confidential or sensitive CCG information through non-CCG e-mail. Examples of non-CCG e-mail accounts include but are not limited to:
• Google/Gmail
• Hotmail
• Yahoo mail
• AOL mail
• Internet or remote storage areas and e-mail services provided by other ISPs (Internet Service Providers), e.g. Dropbox
Individual users are prohibited from using instant messaging services such as, but not limited to, Microsoft Messenger or Yahoo Messenger.
In addition to the above, agreed information sharing protocols must be used when sending or forwarding confidential or sensitive CCG information to individuals in other organisations. More information on information sharing protocols is available from the IT Department.
Users must not retain confidential CCG information unless authorised to do so.

7. Third party Secure Email Addresses
NHS mail users may communicate securely and directly with email users on other secure Government domains – these are listed below. Please also note that this now includes those local authorities using the ‘Government Connect’ email domain of GCSX.GOV.UK – this is particularly useful for those NHSmail users wishing to communicate with Social Services staff in local authorities or the Home Office nationally.
- gsi.gov.uk
- gsx.gov.uk
- gse.gov.uk
- pnn.gov.uk
- scn.gov.uk
- pnn.police.uk
- eu-admin.net
- gsisup.co.uk
- cjsm.net
- psops.net
- gcsx.gov.uk

8. Monitoring of System
All e-mail is monitored for viruses.
All e-mail (incoming and outgoing) is logged automatically. Monitoring logs are audited periodically. The content of e-mail is not routinely monitored. The CCG reserves the right to retain message content as required to meet legal and statutory obligations.

9. Personal Use
The CCG's e-mail is meant for CCG business and healthcare-related use; the CCG will, however, allow the use of e-mail for personal use, but only where this does not interfere with the normal work duties of the individual user or the work of others. It must be noted that there is no absolute right for staff to use e-mail for private use. It is expected that such use will be made at out-of-hours times and in designated breaks such as lunch-time.
• personal e-mail must adhere to the terms of this policy;
• personal e-mail must be kept separately from work e-mail as detailed in the current related code of practice;
• personal e-mail must be deleted regularly;
• forwarding of chain letters, virus warnings, junk mail, mass-mailing and unlicensed programmes is strictly forbidden;
• the CCG will not be liable for any financial or material loss to an individual user when using e-mail for personal use;
• the CCG will not be liable for any pecuniary loss to any external supplier of goods and/or services in the event of an individual user failing to honour any financial obligations contracted to that supplier whilst using the CCG email system for personal use.

10. Disciplinary Matters
The CCG expects all users to comply with the e-mail Policy and the procedures published in its support.
Where there is evidence of a breach of this Policy, it will be investigated in accordance with the CCG's disciplinary procedures applicable to all employees of the CCG; to those engaged in duties in the CCG under a Letter of Authority/Honorary Contract or Work Experience programme; or under agreements made between the CCG and any user's employing organisation, such as other NHS bodies, or other third parties such as contractors, students, visitors or volunteers. In all cases the CCG will act immediately to prevent a further breach, and this action may include blocking of e-mail and restriction of access to the e-mail system.

Appendix 1: Definitions
Attachment: a file that is attached to an e-mail message. Attachments are normally considered separately from the body of an e-mail message. Attachments can contain malicious software and should be opened with care.
Asset: any information system, computer or programme owned by the CCG.
Authorisation: the granting or denying of access rights to network resources, programmes or processes.
Authorisation process: a set of security procedures designed to identify and authorise users appropriately.
Authorised user (user): an individual given access to the e-mail system in accordance with the CCG's procedures.
Caldicott: a set of standards developed in the NHS for the collection, use and confidentiality of patient-related information.
Contact: a national, centrally managed email and directory service which is available to all 1.2 million NHS staff in England.
Electronic mail (e-mail): any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
Electronic mail system: any computer software application that allows electronic mail to be communicated from one computing system to another.
Electronic resource: any personal computer.
E-mail (electronic mail): any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
E-mail account: the part identified to an individual user.
E-mail services (system): the overall system provided by the CCG.
ISP (Internet Service Provider): a company that provides internet access and other services like e-mail, usually on a subscription basis.
Information sharing protocols: written agreements made within the existing legislative framework between the CCG and named organisations to allow sharing of confidential and patient-related information for health and social care purposes.
Intranet: a private network for communication and sharing of information accessible only to authorised users within an organisation, e.g. the CCG's own intranet site or the NHSnet.
Internet: a global system connecting computers and computer networks. The computers are owned separately by a wide range of organisations, government agencies, companies and educational institutions.
Junk-mail: unsolicited e-mail messages usually of a commercial nature, chain letters or other unsolicited mass-mailings (see also spam).
Malicious software: software deliberately designed to harm a computer or network; includes viruses, Trojan horses and worms. The term malware is also used to describe these.
N3 or NHSnet: a secure wide area network developed exclusively for the NHS.
Network: a system of interconnected computers which allows the exchange of information.
Network connection: an individual's access to the network, usually involving password checks and similar security measures.
Network systems: a term used to describe the systems on a network.
Phishing: the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords, credit and debit card numbers, and bank account numbers, that the legitimate organisation already has. The Web site, however, is bogus and set up only to steal the user’s information. See also spoofing.
Software: computer programmes, sometimes also called applications.
Spam: unsolicited e-mail messages, usually of a commercial nature, sent to a large number of recipients. Refers also to inappropriate promotional or commercial postings to discussion groups or bulletin boards.
Spoofing: forgery of an e-mail so that it appears to have been sent by someone other than the sender. See also phishing.
Trojan horse: a malicious, security-breaking program that is disguised as something benign such as a screen saver or game.
User (authorised user): an individual given access to the CCG's e-mail system in accordance with the CCG's procedures.
Virus: an unauthorised piece of computer code attached to a computer programme which secretly copies itself using shared discs or network connections. Viruses can destroy information or make a computer inoperable.
Web services: the network services provided by the CCG to individuals giving access to the internet, intranet, and e-mail services.
Worm: malicious software that launches an application that destroys information on a computer. It also sends a copy of itself to everyone in the computer's e-mail address book.
Appendix 2: Associated Information
Data Protection Act 1998
Copyright, Designs and Patents Act 1998
Computer Misuse Act 1990
Health and Safety at Work Act 1974
Human Rights Act 1998
Health and Social Care Act 2001
Regulation of Investigatory Powers Act 2000
Freedom of Information Act 2000

Appendix 3: Caldicott Guidelines
The Caldicott Principles as laid down by the NHS Executive:

Justify the purpose(s)
Question why the information is required and what specific information is needed to enable them to perform their task.

Don't use patient-identifiable information unless it is absolutely necessary
Consider why identifiable information about a patient is being requested, whether it could be anonymised in some way, and if not, what the benefits are and whether they outweigh the patient's right to confidentiality.

Use the minimum necessary patient-identifiable information
Where supplying patient-identifiable information is vital, we need to consider the absolute minimum required; for this we have to consider what it is needed for and what they have a right to see.

Access to patient-identifiable information should be on a strict need-to-know basis
Only those who need to view patient-identifiable data should be allowed access, and even then only to that which they need to know.

Everyone with access to patient-identifiable information should be aware of his or her responsibilities
Each member of staff concerned should be aware of the implications that a breach of confidentiality has on the patient or member of staff and what they should be doing to prevent or reduce the risk of any such breaches.

Understand and comply with the law
All uses of patient-identifiable data should be lawful. Someone within the organisation must be responsible for ensuring that the organisation complies with legal requirements.
CCG DATA QUALITY POLICY
Date completed: June 2013
Responsible Director: Director of Compliance
Approved by/ date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Author: Ben Westmancott
Amended:

Data Quality Policy
For more information on this document, please contact: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative, 15 Marylebone Road, London NW1 JD. E-mail: [email protected]

Version Control
Version | Date Issued | Brief Summary of Changes | Owner's name
1.0 | July 2013 | Amendments made to reflect CWHHE procedure | Ben Westmancott
2.0 | August 2013 | Circulated to local CCG IT Committee for Comment | Ben Westmancott

Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups, 2013: All rights reserved.
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations 2005. SI2005 No 1515”. Information on re-use can be obtained from: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative, Tel: 020 3350 4313, E-mail: [email protected]

Contents
1. Policy Statement
2. Purpose
3. Objectives
4. What is Data Quality?
5. Structure and Scope
6. Responsibility and accountability
7. Training
8. Monitoring
9. Data Quality Standards
10. Validation Methods
11. Data Set Change Notices (DSCN)
12. Implementation of the policy

1. Policy Statement
Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups (the CCGs) recognise that reliable information is fundamental in supporting the CCGs to achieve their goals. The CCGs recognise that all decisions, whether clinical, managerial or financial, need to be based on information which is of the highest quality.
This policy should be read in conjunction with the following:
• Confidentiality Staff Code of Conduct
• Data Protection Policy
• Freedom of Information Policy
• Information Asset Policy
• Information Governance Framework
• Information Governance Policy
• Information Governance Strategy
• Information Security Policy
• Mobile Working Policy
• Network Security Policy
• Records Management Policy
• Safe Haven Policy
• System Security Policy

2. Purpose
The purpose of this document is to set out a clear policy framework for maintaining and increasing high levels of data quality within the CCGs.
The way in which data is collected and analysed can influence the results and it is, therefore, important to have a clear and open framework in place which supports this process and accurately reflects the clinical practice of the CCGs. The Data Quality Policy sets out how the CCGs will collect, analyse and report data.

Objectives
The Data Quality Policy underpins the CCGs’ objective to record and present data of the highest possible quality, so that all users of the information can be confident about its accuracy. It is primarily for CSU or alternative IT provider staff who process information on behalf of the CCGs. The CSU or alternative IT provider will have its own policy, but this sets out our minimum requirements.

3. What is Data Quality?
Data quality is the ability to supply accurate, timely and complete data, which can be translated into information, whenever and wherever it is required. Data quality is vital to effective decision making at all levels of the organisation.
Supplying accurate data is a complicated task for a number of reasons:
• There are many ways for the data to be inaccurate – data entry errors, incomplete data, etc.
• Data can be corrupted during translation depending on who is translating it, how, and with what tools/processes.
• Data must relate to the correct time period and be available when required.
• Data must be in a form that is collectable and which can subsequently be analysed.
To ensure an organisation achieves data quality, it must set out how:
• Data is collected and co-ordinated.
• Data is transferred between systems.
• Data is organised.
• Data is analysed.
• Data is interpreted.
• Conclusions and results drawn from the data are validated.
The following principles are used in the assessment of data quality:
• Accuracy: Is the data correct and is it valid?
• Accessibility: Can the data be readily and legally collected?
• Comprehensiveness: Is the relevant data collected, and are any data omissions (whether intentional or otherwise known) documented?
• Consistency: Are clear and accurate data definitions implemented and adhered to? Do the data definitions define what level of detail is collected?
• Validity: Is the data up-to-date?

4. Structure and Scope
This policy is intended to cover the collection, recording, validation, further processing and reporting of all types of reference information generated and used within, or reported externally by, the CCGs. It describes the necessary features of systems to manage such information and the supporting administrative, reporting and training arrangements to ensure the information is of consistently high quality.
Written procedures will be available in all relevant locations within the CCGs to assist staff in collecting and recording data. These procedures will be kept up to date and, where appropriate, will also contain information relating to national data definitions. Processes will be established to ensure compliance with the procedures, which will include sample checks to audit compliance.
It should be noted that all collection, storage, processing and reporting of personal information is governed by detailed legal requirements under the Data Protection Act 1998 and associated standards, such as the Caldicott guidelines.
As the CCGs generate a very wide range of information for a whole variety of uses, this policy does not provide detailed guidance for specific data items or individual areas of application. It concentrates instead on general principles of completeness, accuracy, ongoing validity, timeliness, consistency of definitions and compatibility of data items, and signposts where specific procedures or further guidelines need to exist.
General Principles
The following overarching principles underpin the approach to data quality:
• All staff will conform to legal and statutory requirements and recognised good practice, aim to be significantly above average on in-house data quality indicators, and will strive towards 100% accuracy across all information systems.
• All data collection, manipulation and reporting processes by the CCGs will be covered by clear procedures which are easily available to all relevant staff, and regularly reviewed and updated.
• All staff should be aware of the importance of good data quality and their own contribution to achieving it, and should receive appropriate training in relation to data quality aspects of their work.
• Teams should have comprehensive procedures in place for identifying and correcting data errors, such that information is accurate and reliable at time of use.

5. Responsibility and accountability
Data quality is a key part of any information system that exists within the CCGs. All staff members will be in contact at some point with a form of information system, whether paper or electronic. As a result, all staff members are responsible for implementing and maintaining data quality and are obligated to maintain accurate information legally (Data Protection Act), contractually (contract of employment) and ethically (professional codes of practice).
Accountability for an individual dataset may change during a business process, but the designated key team has overall responsibility for any data quality issues to date. For the purposes of consistency, staff should cross-check datasets that have been recorded by more than one agency. In the event of there being no identified key team, the team responsible for any errors will be responsible for rectifying them.
It is the responsibility of all managers to ensure that, where appropriate, systems are in place to validate the completeness, accuracy, relevance and timeliness of data/information.
Managers must also ensure that all staff are fully aware of their obligations in this area. In certain circumstances, to support equality and diversity, line managers will need to consider individual requirements of staff to support good practice in complying with this policy.
Ultimate responsibility for maintaining accurate and complete data and information lies with the Chief Officer, but all staff who record information, whether on paper or by electronic means, have a responsibility to take care to ensure that the data is accurate and as complete as possible. Individuals with responsibility for data quality must have this clearly stated in their job descriptions.
All information assets of the CCG should be identified and have a nominated Information Asset Owner (IAO). Accountability for assets helps to ensure that appropriate protection is maintained. The Senior Information Risk Owner (SIRO) ensures owners are identified for all Information Assets, with responsibility for managing the risks to those assets. Whilst responsibility for implementing and managing Information Asset controls may be delegated to Information Asset Administrators or equivalent, accountability should remain with the nominated owner of the asset.

Chief Officer
Has overall responsibility for Information Governance within each CCG. As Chief Officer, they are responsible for the management of Information Governance and for ensuring appropriate mechanisms are in place to support service delivery and continuity. Information Governance provides a framework to ensure information is used appropriately and is held securely. The Chief Officer is responsible for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks should be handled in a similar manner to other major risks such as financial, legal, and reputational risks.

Senior Information Risk Owner (SIRO)
The Senior Information Risk Owner (SIRO) role is held by the Chief Officer.
The SIRO role is accountable to the CO for ensuring that information risk is managed within the CCG. The SIRO will identify and manage the information risks to the CCG and with its partners. This includes oversight of the organisation's information security incident reporting and response arrangements. In order to do this, the SIRO will identify Information Asset Owners and Information Asset Administrators. The SIRO will ensure that there is and Information Asset Register and a risk assessment process adopted for each CCG The SIRO provides the focus for the assessment and management of information risk at Governing Body level, providing briefings and reports on matters of performance, assurance and cultural impact. The SIRO should oversee a review of the CCG Information asset register to ensure it is complete and robust. Deputy Senior Information Risk Owner The Deputy SIRO is the day-to-day operational lead for ensuring that information risks are managed appropriately. The deputy SIRO for CWHHE is the Director of Compliance. The Deputy SIRO will provide a coordinating and leadership role to the Information Governance Leads for each CCG. Caldicott Guardian The Caldicott Guardian is a senior health professional person who is responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. For CWHHE CCGs, this is the Director of Quality and Patient Safety. Acting as the 'conscience' of an organisation, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate Page 7 of 11 to share, and will advise on options for lawful and ethical processing of information. The Caldicott Guardian will also have a strategic role which involves representing and championing Information Governance requirements and issues at executive team level and where appropriate, at a range of levels within the organisation's overall governance framework. 
Local Information Governance Leads

The Information Governance Lead will be responsible for ensuring that the following are in place:
• Developing and maintaining the IGT and reporting to the SIRO and Deputy SIRO;
• Ensuring that there is top-level awareness and support for IG resourcing and implementation of improvements within the CCG by effective working with the SIRO, Deputy SIRO and the Caldicott Guardian;
• Establishing working groups, if necessary, to co-ordinate the activities of staff given IG responsibilities and progress initiatives;
• Working with the Deputy SIRO to ensure that annual assessments and audits of IG and other related policies are carried out, documented and reported;
• Ensuring that Data Protection, Freedom of Information and the Environmental Information Regulations are implemented and information requests managed in a compliant manner;
• Ensuring appropriate and effective records management in line with NHS standards and guidance;
• Working with the Deputy SIRO to ensure that the annual assessment and improvement plans are prepared for approval by the SIRO and Governing Body in a timely manner;
• Ensuring that the approach to information handling is communicated to all staff and made available to the public;
• Ensuring that appropriate training is made available to staff and completed as necessary to support their duties. For NHS organisations this will need to be in line with the requirements of the IGT [currently 95% of staff members];
• Liaising with other committees, working groups and programme boards in order to promote and integrate Information Governance standards;
• Monitoring information handling activities to ensure compliance with law and guidance;
• Providing a focal point for the resolution and/or discussion of Information Governance issues.

All Staff

All staff, whether permanent, temporary, contracted or contractors, are responsible for ensuring that they are aware of their responsibilities in respect of Information Governance.

Information Asset Owners (IAO)

Each Information Asset Owner should be aware of what information is held, and the nature and justification of information flows to and from the assets they are responsible for. The IAOs must understand and address risks to the information assets they ‘own’ and provide assurance to the SIRO on the security and use of these assets.

Information Asset Administrators (IAA)

Information Asset Administrators:
• Provide support to their IAO.
• Ensure that policies and procedures are followed.
• Recognise potential or actual security incidents.
• Consult their IAO on incident management.
• Ensure that information asset registers are accurate and maintained.

6. Training

Staff will receive instruction and direction regarding Data Quality advice and information from a number of sources:
• CCG Policies and Procedure Manuals
• Line manager
• Training – on induction and Information Governance training
• Other communication methods (e.g. Team Brief/team meetings)
• Extranet

7. Monitoring

The CCGs will, as a matter of routine, monitor performance in collecting and processing data according to defined standards, and provide appropriate feedback to staff involved in the process of data collection.
The CCGs are regularly audited to ensure that:
• Applicable legislative Acts are complied with;
• NHS and CCG Policies and Standards are complied with;
• Suitable processes are used, and controls put in place, to ensure the completeness, relevance, correctness and security of data are achieved.

8. Data Quality Standards

Although there are many aspects of good quality data, the key indicators commonly are:
• Validity – All data items held on the CCGs' computer systems must be valid. Where codes are used, these will comply with national standards. Wherever possible, computer systems will be programmed to only accept valid entries at data input. Data accuracy is the direct responsibility of the person inputting the data, supported by their line manager. Systems will include validation processes at data input to check in full or in part the acceptability of the data wherever possible. Depending on the system, later validation may be necessary to maintain referential integrity.
• Completeness – All mandatory data items within a dataset should be completed. Default codes will only be used where appropriate, and not as a substitute for real data.
• Consistency – Correct procedures are essential to ensure complete data capture and that the formatting of data is consistent between datasets.
• Coverage – This reflects all information that is ‘owned’ by the CCGs, including paper and computerised records.
• Accuracy – Data recorded manually and on computer systems must be accurate.
• Relevance – Information should be contextually appropriate.

9. Validation Methods

Validation should be accomplished using some or all of the following methods:
• On submission of data returns, procedures will exist to ensure the completeness and validity of the data sets used. This can be done by comparing to historical data sets, looking at trends in the data and also by cross-checking the data with other staff members.
• Regular spot checks by staff members, which involve analysis of a random selection of records against source material, if available. Spot checks should be done on an on-going basis (at least quarterly) to ensure the continuation of data quality.
• The CCGs will endeavour to ensure that timescales for submission of information are adhered to, and that the quality and accuracy of such submissions is of the highest standard. Internal deadlines for the completion of data sets, to ensure national timescales are achieved, will be explicit and monitored.
• The CCGs routinely receive activity information from their service providers. This information is used to monitor the performance of contracts and to contribute to the service planning and development process. Sufficient and appropriate checks are made by the service providers to ensure that the information received is accurate and complete. Where data falls outside anticipated ranges, a more detailed evaluation and validation is undertaken.
• The CCGs conduct regular meetings with their partners and service providers, to ensure that any data discrepancies are picked up and any corrections are made as required.

10. Information Standards Notices (ISNs)

Information Standards Notices (formerly known as Data Set Change Notices) are issued by the Information Standards Board for Health and Social Care (ISB). These give notification to NHS healthcare agencies of changes to information requirements that will be included as appropriate in the NHS Data Dictionary & Manual and the NHS Commissioning Data Set Manual, thereby ensuring that data is meaningful across NHS organisations over time. Information Standards Notices may be accessed via the following web address: http://www.isb.nhs.uk/isn

11. Implementation of the policy

The Deputy SIRO has overall responsibility for implementing the Policy, ensuring that the following action is taken:
• That the Information Governance Group review the Policy annually so that it continues to reflect best practice and the legal and business needs of the CCGs;
• That the Policy is promoted and circulated appropriately within the CCGs;
• Training needs are assessed and agreed during induction and appraisal processes;
• Monitoring and Audit to be identified and completed at appropriate intervals.

Information Asset Policy

Date completed: June 2013
Responsible Director: Director of Compliance
Approved by/ date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Amended:
Author: Ben Westmancott

For more information on this document, please contact: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative, 15 Marylebone Road, London NW1 JD. E-mail: [email protected]

Version History
Version 1.0. Date issued: July 2013. Brief summary of change: Amended to reflect CWHHE procedures. Owner’s name: Ben Westmancott
Version 2.0. Date issued: August 2013. Brief summary of change: Circulated to local CCG IT Committee for Comment. Owner’s name: Ben Westmancott

Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups, 2013: All rights reserved. Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations 2005. SI2005 No 1515”. Information on re-use can be obtained from: Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative. Tel: 020 3350 4313, E-mail: [email protected]

Information Asset Policy Version 2.0 Page 2 of 14

Contents
1. Introduction ..... 6
2. Glossary ..... 6
3. Purpose ..... 6
4. Information Assets ..... 6
5. Role: Information Asset Owner (IAO) ..... 7
6. Role: Information Asset Administrator (IAA) ..... 8
7. Information Governance ..... 8
8. Data Quality ..... 9
9. Business Continuity ..... 9
10. Change Control ..... 9
11. Information Security ..... 10
12. Information Risk ..... 10
13. Training ..... 10
14. Audit ..... 11
Appendix One: Job Description: Senior Information Risk Owner (SIRO) ..... 12
Appendix Two: Job Description: Information Asset Owner (IAO) ..... 13
Appendix Three: Job Description: Information Asset Administrator (IAA) ..... 14

1. Introduction

1.1. This document provides a mechanism to achieve and maintain appropriate protection of the CCG’s Information Assets (IA). All major IA must be identified, have a responsible owner and maintenance responsibilities assigned. Accountability for assets helps to ensure that appropriate protection is maintained.

1.2. Owners are to be identified for all IA and allocated responsibility for the maintenance of the appropriate controls. Responsibility for implementing and managing controls may be delegated, although accountability must remain with the nominated owner of the IA.

2. Glossary

Definitions of acronyms used throughout this document:
BC – Business Continuity
CCG – Clinical Commissioning Group
IA – Information Assets
IAA – Information Asset Administrator
IAO – Information Asset Owner
IG – Information Governance
IGAF – Information Governance Assurance Framework
IGAP – Information Governance Assurance Programme
IGC – Information Governance Committee
IGMF – Information Governance Management Framework
IGT – Information Governance Toolkit
IGTT – Information Governance Training Tool
SIRI – Serious Incident Requiring Investigation
SIRO – Senior Information Risk Owner

3. Purpose

3.1. The purpose of this policy is to provide assurance to the Senior Information Risk Owner (SIRO) and ultimately the CCG Governing Body that appropriate frameworks are in place to ensure robust Information Security, Information Risk, Information Business Continuity and Data Quality controls are in place to support the CCG's Information Assets in line with internal/external requirements and policies.

3.2. The CCG may designate roles to a commissioning support organisation in order to better manage their Information Governance; this policy will be agreed with such an organisation as necessary.

4. Information Assets

4.1. Information Assets are those that are central to the efficient running of departments within the CCG, i.e. analysis (data), finance, human resources etc.
Information Assets will also include the computer systems, network hardware and software which are used to process this data.

4.2. Non-computerised systems holding information must be asset registered with relevant file identifications and storage locations.

4.3. It is a core IG objective that all Information Assets of the CCG are identified and that the business importance of those assets is established.

4.4. There are six main categories of information asset:
• Information – this includes databases, system documentation and procedures, archive media and data
• Software – this includes application programs, systems, development tools and utilities
• Physical – this includes infrastructure, equipment, furniture and accommodation used for data processing
• Services – including computing and communications, heating, lighting, power, air conditioning used for data processing
• People – including qualifications, skills and experience in the use of information systems
• Other – for example the reputation and image of the CCG

5. Role: Information Asset Owner (IAO)

5.1. The Information Asset Owner is a senior member of staff who is the nominated owner for one or more identified information assets either within or controlled by the CCG.

5.2. There are several IAOs within the CCG with differing departmental roles. IAOs must work collaboratively with other IAOs and the relevant Information Governance department or support unit to ensure there is comprehensive asset ownership and a clear understanding of responsibilities and accountabilities. This is especially important where information assets are shared by multiple parts of the CCG or with external partner organisations. IAOs and the IG department will support the CCG's SIRO in the overall information risk management function as defined in the CCG's Information Risk Management Policy.

5.3. The IAO is expected to understand the overall strategic objectives of the CCG and how the information assets they own or control contribute to and affect these objectives. The IAOs will therefore document, understand and monitor:
• What information assets are held, and for what purposes;
• How information is created, amended or added to over time;
• Who has access to the information and why.

5.4. CCG IAOs shall receive training to ensure they remain effective in their role.

Aspects of the IAO Role and Supporting Actions

Aspect of Role: Leads and fosters a culture that values, protects and uses information for the success of the CCG and benefit of its patients
Supporting Actions:
• understands the CCG's plans to achieve and monitor the right IG culture, across the CCG and with its business partners;
• takes visible steps to support and participate in that plan (including completing own training).

Aspect of Role: Knows what information an Information Asset holds, and what enters and leaves it and why
Supporting Actions:
• maintains an up-to-date understanding of ‘owned’ assets and how they are used;
• approves and minimises information transfers while achieving business purposes;
• approves arrangements so that information put onto portable or removable media like laptops and USB sticks is minimised and is effectively protected to required NHS IG standards;
• approves and oversees the disposal mechanisms for information of the asset when no longer needed.

Aspect of Role: Knows who has access to the Information Asset and why, and ensures its use is monitored and compliant with CCG policy and procedures
Supporting Actions:
• understands the CCG policy on access to and use of information;
• checks that access provided is the minimum necessary to satisfy business objectives;
• receives records of checks on use and assures self that effective checking is conducted regularly.

Aspect of Role: With the support of the IG department, understands and addresses risks to the asset, and provides assurance to the SIRO
Supporting Actions:
• conducts at least annual reviews of information risk in relation to ‘owned’ assets;
• makes the case where necessary for new investment or action to secure ‘owned’ assets;
• provides an annual written risk assessment to the SIRO for all assets ‘owned’ by them.

Aspect of Role: Ensures the asset is fully used for the benefit of the CCG and its patients, including responding to requests for access from others
Supporting Actions:
• considers whether better use of the information is possible or where information is no longer required;
• receives, logs and controls requests from others for access;
• ensures decisions on access are taken in accordance with CCG IG standards of good practice and the policy of the CCG.

Information Asset Owners should collaborate to ensure data is collected and processed efficiently and without undue repetition.

6. Role: Information Asset Administrator (IAA)

6.1. Information Asset Administrators are usually operational members of staff who understand and are familiar with information risks in their area or department, e.g. Security Managers, Records Managers, Data Protection Officers, Internal Audit. For smaller organisations, an appropriate operational role may include Business Managers and administrative staff. Information Asset Administrators will implement the organisation’s information risk policy and risk assessment process for those information assets they support and will provide assurance reports to the relevant Information Asset Owner as necessary.

6.2. Tasks of the IAA include:
• Ensuring compliance with data sharing agreements within the local area;
• Ensuring information handling procedures are fit for purpose and are properly applied;
• Under the direction of their IAO, ensuring that personal information is not unlawfully exploited;
• Recognising new information handling requirements (e.g. a new type of information arises) and ensuring that the relevant IAO is consulted over appropriate procedures;
• Recognising potential or actual security incidents and consulting the IAO;
• Reporting to the relevant IAO on the current state of local information handling;
• Ensuring that local information handling constraints (e.g. limits on who can have access to the assets) are applied, referring any difficulties to the relevant IAO;
• Acting as first port of call for local managers and staff seeking advice on the handling of information;
• Under the direction of their IAO, ensuring that information is securely destroyed when there is no further requirement for it.

7. Information Governance tasks

7.1. The inclusion of IA on the CCG's asset register, with roles, responsibilities and accountabilities assigned to the necessary personnel.
7.2. Maintenance of Information Asset Registers.
7.3. Robust governance systems, processes and procedures are in place to ensure compliance against local/national requirements including the IG Toolkit (IGT).
7.4. Provide assurance to the CCG Governing Body of compliance with this and associated standards and policies.
7.5. All IA must have a comprehensive library of up-to-date operational procedures that support users and IAA to carry out their role on a daily basis.
7.6. This policy must be read in conjunction with related policies/guidelines.

8. Data Quality

8.1. Access to high quality data is essential for good clinical governance and effective performance management. Better information will support the use of best evidence and provide a more accurate assessment of the quality of services to support clinical governance and performance management.

8.2. Each Information Asset must have in place:
• Documented local data quality audits (must be undertaken by the IAO/IAA on a regular basis). Audit outcomes to be reported to the relevant group.
• Local data quality issue logs, to be implemented and maintained. Common themes to be highlighted to the relevant group for escalation as required. These should be openly available for staff to access, e.g. on the extranet.
• User data quality spot checks to be undertaken on a regular basis and the outcomes formally documented.

9. Business Continuity

9.1. Business continuity management (BCM) (as defined by the Business Continuity Institute 2001) is: ‘A holistic management process that identifies potential impacts that threaten an Organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities’.

9.2. BCM is concerned with managing risk to ensure that, at all times, the CCG can continue operating to, at least, a pre-determined minimum level, in the event of a major disruption including major IT system failure/disruption.

9.3. It is the policy of the CCG to ensure that all IA:
• Have approved Business Continuity (BC) plans in place;
• All relevant staff are notified and have received training/guidance on the BC arrangements;
• Regular testing of BC plans is undertaken, with outcomes and lessons learned formally reported to the relevant group/committee.

10. Change Control

10.1. All changes to IA (e.g. system upgrades) must follow the CCG's Change Control procedure. This may be managed by a provider organisation.

11. Information Security

11.1. Information Security controls exist in order to safeguard the confidentiality, integrity and availability of all forms of information within the CCG, with the overall purpose of protecting personal and corporate information from all threats, whether internal or external, deliberate or accidental.
The implementation and monitoring of such controls provides assurance to the CCG Governing Body that comprehensive and consistent information security controls are in place throughout the CCG to ensure business continuity.

11.2. It is the Policy of the CCG to ensure that for all IA:
• Information will be protected against unauthorised access.
• Confidentiality of information required through regulatory and legislative requirements will be assured.
• Information will be available to authorised personnel as and when required.
• Regulatory and legislative requirements will be met.
• All breaches of information security, actual or suspected, will be reported and investigated using existing CCG processes.
• All removable media and mobile devices are encrypted to the required standard.
• Regular audits of user access rights are carried out.
• Knowledge of the IG Forensic Readiness policy and associated procedures is maintained.
• Formal Information Security risk assessments are undertaken regularly in order to counter potential threats to CCG IA.

12. Information Risk

12.1. Each IAO within the CCG is responsible for risk management and accreditation of IA under their control.
12.2. The IAO must ensure that an accreditation (a completed, reviewed risk assessment) is achieved for all IA they own.
12.3. The IAO should also consider the IA's ongoing accreditation needs in line with the CCG's overall risk management and reporting framework.
12.4. IAOs shall ensure that information risk assessments are performed at least once a quarter on all assets where they have been assigned ‘ownership’.
12.5. Throughout the operational lifetime of the IA, including post-implementation changes, controls must continue to exist or be replaced by ones providing greater effect.

13. Training

To ensure compliance with the standards as described in related policies/guidelines:
13.1. The IAO and IAA will be required to undertake training as necessary to ensure they remain effective in their role.
13.2. All users of the IA are to receive appropriate approved training for their role. Training must incorporate data quality, information risk and security, testing of knowledge, and an observation before access is authorised.
13.3. Refresher training is to be available for all staff who have identified training requirements.
13.4. All training is to be recorded on the employee staff record, preferably using ESR.
13.5. A documented training plan with aims and objectives is to include data quality and information risk/security.
13.6. Comprehensive training materials and user guides are developed and implemented and easily accessible to the user.

14. Audit

14.1. will be assessing compliance against the standards set out in this policy.
14.2. IAO and IAA are required to undertake local compliance spot checks/audits to provide assurance to the SIRO and Accountable Officer.

APPENDIX ONE
Job Description
Job Title: Senior Information Risk Owner, Chief Officer
Responsible to: CWHHE Clinical Commissioning Groups

1. JOB SUMMARY
• The Senior Information Risk Owner (SIRO) will be a Clinical Commissioning Group (CCG) governing body member who will take overall ownership of the CCG’s Information Risk culture, act as champion for appropriate information risk management on the CCG governing body and provide written advice to the CCG’s Chief Officer / Company Secretary on the content of the CCG’s Annual Governance Statement in regard to information risk issues.
• The SIRO is expected to understand how the strategic business goals of the CCG, and those of other NHS CCGs, may be impacted by information risks, and how those risks may be managed effectively.
• The SIRO will lead the CCG’s Information Governance (IG) work programme and information risk management processes within the CCG and advise the governing body on the effectiveness of information risk management across the CCG.
• The SIRO shall undertake training as necessary to ensure they remain effective in their role as Senior Information Risk Owner.

2. KEY RESPONSIBILITIES

a. Leadership and Culture
• Lead and foster a CCG information risk culture that values, protects and uses information for the public good.
• Ensure the CCG has an information risk plan to achieve and monitor the right information risk culture, internally within the CCG, and externally with its partners and its commissioned services.
• Take demonstrable steps to effectively resource, support and participate in that plan (including completing own training).
• Provide leadership for the CCG through effective networking structures, sharing of relevant experience, provision of training and creation of information risk reporting structures.
• Regularly inform the governing body on the level of Information Risk Management performance within the CCG, including process improvements arising and decision-making contexts etc.

b. Policy and process
• Oversee the development of an Information Risk Policy. This should include a Strategy for implementing the policy within the existing or changing NHS Commissioning Framework and be compliant with NHS IG policy, standards and methods.
• Take ownership of the processes and outcomes of information risk management, including prioritisation of risks and review of the cycle of the information risk work programme to support and inform the Statement of Internal Control.
• Ensure that the governing body and the Chief Officer are kept up to date and briefed on all information risk issues affecting the CCG and its business partners.
• Review and agree actions in respect of identified information risks.
• Ensure that the CCG’s approach to information risk is effective in terms of resource, commitment and execution, being appropriately communicated to all staff.
• Provide a focal point for the escalation, resolution and/or discussion of information risk issues.
• Ensure that an effective infrastructure is in place to support the role by developing an Information Risk governance structure, with clear lines of accountability and reporting and with well-defined roles and responsibilities.

c. Incident Management
• Ensure that identified information threats and vulnerabilities are followed up for risk mitigation, and that perceived or actual information incidents are managed in accordance with NHS IG requirements.
• Ensure that there are effective mechanisms in place for reporting and managing Serious Untoward Incidents (SUIs) relating to the information of the CCG. These mechanisms should accommodate technical, operational or procedural improvements arising from lessons learnt.

d. Training
• The SIRO will be required to undertake information risk management training prior to undertaking the role and then at least annually, to be able to demonstrate their skills and capabilities are up to date and relevant to the needs of the CCG.

3. AUTHORITY TO ACT
• The SIRO shall have the authority to act and take decisions on behalf of the CCG, both internally and externally, in matters of information risk. The governing body shall be routinely informed of decisions taken by the SIRO.

4. THE RELATIONSHIP WITH THE CALDICOTT GUARDIAN
• There are a number of differences between the roles of the Caldicott Guardian and the SIRO, which is why it is an NHS requirement that they should normally remain distinct and separate; for example, the Caldicott Guardian’s main focus is patient identifiable information whereas the SIRO is concerned with the risks to information systems generally.
• The Senior Information Risk Owner role:
  o is accountable for IG processes and risk within their organisation;
  o fosters a culture for protecting and using data;
  o provides a focal point for managing information risks and incidents;
  o is concerned with the management of all information assets.
• Whilst the Caldicott Guardian role:
  o is advisory, and accountable for that advice;
  o is the conscience of the organisation;
  o provides a focal point for patient/service user confidentiality & information sharing issues;
  o is concerned with the management of patient/service user information.

5. KEY RELATIONSHIPS

a. Internal - Within the CCG and its collaboration:
• Deputy SIRO
• Chief Officer
• CCG governing body Members
• Quality and Safety Committee
• Information Governance Working Group
• Managing Directors / Deputy Managing Directors
• Other Directors
• Director of Compliance
• IG Lead / Data Protection Officer
• Information Asset Owners
• Programme Managers
• Caldicott Guardian, although ownership of the Information Risk Policy and risk assessment processes will remain with the SIRO.
• Patient representatives
• All staff

b. External - Regularly has contact with:
• Other CCG Chief Officers
• Other Senior Information Risk Owners, Caldicott Guardians and Information Governance Leads of the NHS Commissioning Board, Commissioning Support Unit, Local Authorities, Public Health England, Dept of Health and other NHS CCGs.
• Regulatory authorities, e.g. the Information Commissioner's Office

APPENDIX TWO
Job Description
Job Title: Information Asset Owner (IAO)
Purpose of the Job: Information Asset Owners are senior individuals involved in running the relevant business.
The IAO’s role is to:
• Understand and address risks to the information they ‘own’
• Provide assurance to the SIRO on the security and use of these assets
Specific Responsibilities:
• Maintains understanding of ‘owned’ assets and how they are used
• Approves and minimises information transfers while achieving business purposes
• Approves and oversees the disposal mechanisms for information of the asset when no longer needed
• Knows what information the asset holds and who has access to update the system
• Takes visible steps to ensure compliance with the CCG Information Governance strategy and IG Toolkit action plan
• Undertakes regular reviews of the information risk associated with the asset
• Understands and addresses risks to the asset and provides assurance to the SIRO
• Knows who has access and why, and ensures their use is monitored and complies with policy
• Receives, logs and controls requests from others for access
• Ensures that changes to the system are put through a formal ‘Request for Change’ process with the relevant Equality Impact Assessment and Privacy Impact Assessment completed.
APPENDIX THREE
Job Description
Job Title: Information Asset Administrator (IAA)
Purpose of the Job: Information Asset Administrators will provide support to their IAO to:
• Ensure that policies and procedures are followed
• Recognise potential or actual security incidents
• Consult their IAO on incident management
• Ensure their information asset registers are accurate and maintained up to date
Specific Responsibilities:
• Ensure compliance with data sharing agreements within the local area
• Ensure information handling procedures are fit for purpose and properly applied
• Under the direction of the IAO, ensure that personal information is not unlawfully exploited
• Recognise new information handling requirements and ensure the relevant IAO is consulted over appropriate procedures
• Recognise potential or actual security incidents and consult the IAO
• Report to the relevant IAO on the current state of the asset
• Act as a first port of call for local managers and staff seeking advice on the handling of information
• Under the direction of the relevant IAO, ensure that information is securely destroyed when there is no further requirement for it (refer to the Records Management Policy).
Information Governance Policy
Date completed: June 2013
Responsible Director: Director of Compliance
Approved by/ date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Author: Ben Westmancott
Amended:

Information Governance Policy Version 2.0 Page 0 of 10

Information Governance Policy
For more information on this document, please contact:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
15 Marylebone Road, London NW1 JD
E-mail: [email protected]

Version Control
Version | Date Issued | Brief Summary of Changes | Owner’s name
1.0 | July 2013 | Amended to reflect CWHHE procedures | Ben Westmancott
2.0 | August 2013 | Circulated to local CCG IT Committee for Comment | Ben Westmancott

Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups, 2013: All rights reserved
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations 2005. SI2005 No 1515”. Information on re-use can be obtained from:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
Tel: 020 3350 4313, E-mail: [email protected]

Information Governance Policy
1. Introduction ........ 3
2. Purpose ........ 3
3. Aim of the Policy ........ 3
4. Scope ........ 3
5. Clinical Commissioning Groups’ Information Governance Aims ........ 4
6. Legal and Regulatory Framework ........ 4
7. Responsibilities of the Clinical Commissioning Group ........ 4
8. Responsibilities of the Users ........ 4
9. Information Governance Framework ........ 4
10. Key Elements of the Information Governance Framework ........ 5
10.1. Freedom of Information ........ 5
10.2. Legal Compliance ........ 5
10.3. Information Security ........ 6
10.4. Information Quality Assurance ........ 6
10.5. Records Management ........ 7
11. Management of Information Governance ........ 7
12. Information Governance Arrangement between CCG and CSU ........ 7
Annex 1 Legal and Regulatory Framework ........ 8
Annex 2 Information Governance Work Areas ........ 10

1. Introduction
Information is a vital asset and resource, both in terms of the clinical management of individual patients and the efficient management of services and their support. It plays a key part in clinical governance, service planning and performance management. It is of paramount importance that information is efficiently managed, and that appropriate accountability, standards, policies and procedures provide a robust governance framework for information management.
2. Purpose
To describe a system that ensures Central London, West London, Hammersmith and Fulham, Hounslow and Ealing Clinical Commissioning Groups (the CCGs) meet their responsibilities for the management of information assets and resources. This high level policy sets out how the information governance arrangements, as a part of corporate governance, are in place to ensure the best commissioning of health care for those whom the CCG serves. The CCG may designate roles to a Commissioning Support Unit (CSU) or other provider in order to better manage their Information Governance; this policy will be agreed with such an organisation as necessary. The CCG is committed to the legally compliant management and use of information, taking account of the relevant Codes of Practice. It is a condition of employment that all CCG policies are adhered to; non-compliance may result in disciplinary action.

3. Aim of the Policy
The CCG will at the highest level establish and support an Information Governance Management Strategy.

4. Scope
• All information used by the CCG (includes staff/patient/service user; business and operational information; audit and reporting data).
• The information governance arrangements between the CCG and the CSU or alternative provider
• All information systems managed by the CCG, and the CSU or alternative provider on behalf of the CCG
• Any individual using information 'owned' by the CCG
• Any individual requiring access to information 'owned' by the CCG
This policy covers:
• All formats and modes of information processing, and both paper and electronic information.
• All information systems purchased, developed and managed by/or on behalf of the organisation and any individual directly employed or otherwise by the organisation.

5. CCG's Information Governance Aims
• To hold information securely and confidentially
• To obtain information fairly and efficiently
• To record information accurately and reliably
• To use information effectively and ethically
• To share information appropriately and lawfully

6. Legal and Regulatory Framework
There are a number of legal obligations placed upon the CCG for the use and security of personally identifiable information. There are requirements to appropriately disclose information when required. There is an NHS regulatory and performance framework for the management of information. There are NHS Codes of Conduct for the use of information. There are operating procedures and codes of practice adopted by the NHS.

7. Responsibilities of the CCG
All information used in the NHS is subject to handling by individuals, and it is necessary for these individuals to be clear about their responsibilities and for the CCG to ensure and support appropriate education and training. The CCG must ensure legal requirements are met. The CCG must make arrangements to meet the requirements of the Information Governance Toolkit. To manage its obligations the CCG will issue and support standards, policies and procedures ensuring information is held, obtained, recorded, used and shared correctly. The CCG will promote good practice within member Practices, and expects that they will implement information governance in their Practices. Each Practice has a responsibility to complete the Information Governance Toolkit for General Practice, as set out by Connecting for Health.

8. Responsibilities of Users
Users of information must:
• be aware of their responsibilities
• comply with policies and procedures issued by the CCG
• work within the principles outlined in the information governance framework for the CCG

9. Information Governance Framework
The CCG recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The CCG fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients (this will be held exceptionally by the CCG) and staff, and commercially sensitive information necessary for the operation of the CCG. The CCG also recognises the need to share information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest. The CCG will generally not collect or hold personal information in relation to patients or service users and will use pseudonymised or anonymised data.
The CCG believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians, professionals and managers to ensure and promote the quality of information and to actively use information in decision making processes. This applies both within the CCG and in the services that it commissions.

10. Key Elements of the Information Governance Framework

10.1. Freedom of Information (FOI)
• Non-confidential information about the CCG and its services will be available to the public through a variety of media, and the CCG will establish and maintain policies to ensure compliance with the Freedom of Information Act
• The CCG will undertake or commission annual assessments and audits of its Freedom of Information policies and arrangements
• The CCG will have clear procedures and arrangements for handling queries from patients and the public
• The CCG will have clear procedures and arrangements for liaison with the press and broadcasting media
• Where the CSU or alternative provider provides aspects of the FOI arrangements, this will be set out clearly in the Freedom of Information Policy.

10.2. Personal Information and Legal Compliance
• The CCG regards all identifiable personal information relating to individuals as confidential
• The CCG will undertake or commission annual assessments and audits of its compliance with legal requirements
• The CCG regards all identifiable personal information relating to individuals as confidential except where national policy on accountability and openness requires otherwise
• The CCG will establish and maintain policies to ensure compliance with the Data Protection Act, Human Rights Act, the common law duty of confidentiality and the NHS Code of Confidentiality
• The CCG will carry out Privacy Impact Assessments (PIAs) for new projects, policies and systems (a mandated, not legal, requirement)
• The CCG will establish and maintain policies for the controlled and appropriate sharing of personal information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act)
• The CCG will ensure that there is a Caldicott Guardian appointed; this is the Director of Quality and Patient Safety, who is a member of the Governing Body

10.3. Information Security
• The CCG will establish and maintain standards and policies for the effective and secure management of its information assets and resources
• The CCG will undertake or commission annual assessments and audits of its information and IT security arrangements
• The CCG will undertake or commission risk assessments to determine that appropriate security controls are in place for existing or potential information systems
• The CCG will promote effective confidentiality and security practice to its staff through policies, procedures and training
• The CCG will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security
• The CCG will use ISO/IEC 27001 & 27002 as the basis of its Information Security management arrangements
• The CCG will acknowledge the requirements of Connecting for Health in Data and Process Mapping and ensure strong security and encryption for all Personal Identifiable Data (PID) transmitted by laptops and mobile storage devices
• The CCG will ensure that there is a Senior Information Risk Owner; this is the Chief Officer, who is a member of the Governing Body

10.4. Information Quality Assurance
• The CCG will establish and maintain policies and procedures for information quality assurance, the Data Quality Policy
• The CCG will undertake or commission annual assessments and audits of its information quality
• Managers are expected to take ownership of, and seek to improve, the quality of information within their services
• Wherever possible, information quality should be assured at the point of collection
• Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
• The CCG will promote information quality through policies, procedures, user manuals and training

10.5. Records Management
• The CCG will establish and maintain policies and procedures for the effective management of all records
• The CCG will undertake or commission annual assessments and audits of its records management
• Managers are expected to ensure effective records management within their service areas
• The CCG will promote records management through policies, procedures and training
• The CCG will use the “Code of Practice for Records Management” issued by the Department of Health, and similarly the Code of Practice under Section 46 of the Freedom of Information Act 2000, as its standard for records management

11. Management of Information Governance
The CCG Governing Body will be responsible for implementing the Information Governance Policy and Management Framework. The Director of Compliance will monitor the Policy function within the CCG and report regularly to the CCG Governing Body. Where some of the membership of the Committee, and some of the Information Governance functions, are provided by the CSU or alternative provider, this will be clearly documented. The Information Governance Working Group will implement the Information Governance Strategy and policy with other appropriate teams.

12. Information Governance Arrangements between CCG and CSU or Alternative Provider
The CSU or alternative provider and CCG will set out clearly the IG arrangements and responsibilities in relation to each organisation. They will report monthly to the Governing Body. The Senior Information Risk Owner will be responsible for ensuring that the Information Governance Toolkit is completed and submitted [the requirements are set out in the Action Plan]. The Governing Body will sign off the Information Governance Toolkit for submission in March.
Annexe 1 Legal and Statutory Framework
The CCG is bound by the provisions of a number of items of legislation affecting the stewardship and control of information. The main relevant legislation is:
• Data Protection Act 1998 (and subsequent Special Information Notices)
• Human Rights Act 1998
• Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998)
• Criminal Justice and Immigration Act 2008
• Computer Misuse Act 1990
• Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992)
• Crime & Disorder Act 1998
• Electronic Communications Act 2000
• Environmental Information Regulations 2004
• Freedom of Information Act 2000
• Health and Social Care Act 2001
• Regulation of Investigatory Powers Act 2000 (& Lawful Business Practice Regulations 2000)
• Public Interest Disclosure Act 1998
• NHS Sexually transmitted disease regulations 2000
• National Health Service Act 1977
• Human Fertilisation & Embryology Act 1990
• Abortion Regulations 1991
• Prevention of Terrorism (Temporary Provisions) Act 1989 & Terrorism Act 2000
• Regulations under Health & Safety at Work Act 1974

Regulatory framework:
The regulatory elements are:
• The Information Governance Toolkit, issued annually since 2003, which requires CCGs to assess their progress against set criteria.
• Caldicott - Report, audit & improvement on the use of Patient Identifiable Data 1997 and HSC 1999/012
• ISO/IEC 27002:2005 - British Standard for Information Security Management, mandated for the NHS in 2001
• Information Quality Assurance
• NHS Confidentiality Code of Practice
• NHS guidance on Consent to Treatment
• Information: To Share or Not to Share? The Information Governance Review

Wider NHS and national regulation elements:
Clinical Negligence Scheme for CCGs (CNST) - via NHS Litigation Authority
Also related but not NHS specific - 'Clinical Professionals Regulatory Framework'
In response to many of the above requirements the NHS has set out and mandated a number of elements of regulation that constitute the 'Information Governance Assurance Framework'. The detail of the Framework can be viewed in the briefing note:
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/igap/igaf/igafbriefing.pdf

Annexe 2 Information Governance Work Areas
Information Governance is: "a framework for handling personal information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service"
Information Governance currently encompasses the following initiatives or work areas:
• Caldicott and Confidentiality
• Data Protection Act 1998
• Records Management
• Caldicott Function (Control 102, IGT)
• UK Caldicott Guardian Council developments 2005
• Information Security (ISO/IEC27001, ISO/IEC27002, BS7799-3)
• Business Continuity (BS25999)
• Policies, procedures, standards, protocols and codes of practice
• Human Rights Act 1998
• Freedom of Information Act
• Environmental Information Regulations
• Re-use of Public Sector Information
• The Health and Social Care Act 2001 (Section 60)
• ICT strategic developments (Connecting for Health programme) 2005 onwards
• Mental Capacity Act 2005
• The Cayton Review of Information Governance 2006
• The Caldicott Guardian Manual 2010
• Equality Act 2006
• Information Quality Assurance (Data Accreditation)