Cover Sheet: Governing Body
Agenda Item: 3.9
Date: 3rd September 2014
Title of paper: Information Governance (IG) Policies
Presenter & Organisation: Beryl Bevan, Ealing CCG
Author: Ben Westmancott, Director of Compliance
Responsible Director: Ben Westmancott, Director of Compliance
Clinical Lead: Mohini Parmar, Chair, Ealing CCG
Confidential: No
The Committee is asked to:
The Governing Body is asked to ratify these policies.
Summary of purpose and scope of report
The BEHH policies on Pseudonymisation and Subject Access Request have expired. The CWHHE IG policies are configured differently to those of BEHH and therefore it is necessary to move from all the BEHH IG policies to those of CWHHE. Therefore the following policies are presented for ratification by the Governing Body:
• Data Protection
• Whistleblowing
• Confidentiality Code of Conduct
• Safe Haven
• Email
• Data Quality
• Information Asset
• Information Governance
Quality & Safety / Patient Engagement / Impact on patient services: N/A
Financial and resource implications: N/A
Equality / Human Rights / Privacy impact analysis: N/A
Risk: N/A
Supporting documents: The policies are included
Governance and reporting (list committees, groups, or other bodies that have discussed the paper)
Committee name: Executive Management and Innovation Committee
Date discussed: 27th August 2014
Outcome: The committee recommended the policies for approval
DATA PROTECTION POLICY
Date completed: June 2013
Responsible Director: Director of Compliance
Approved by/date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Amended:
Author: Ben Westmancott
Data Protection Policy
For more information on this document, please contact:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
15 Marylebone Road, London NW1 JD
E-mail: [email protected]
Version Control
Version 1.0 | Date Issued: July 2013 | Brief Summary of Changes: Amended to reflect CWHHE procedure | Owner's name: Ben Westmancott
Version 2.0 | Date Issued: August 2013 | Brief Summary of Changes: Circulated to local CCG IT Committee for comment | Owner's name: Ben Westmancott
Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups,
2013: All rights reserved
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations 2005, SI2005 No 1515”.
Information on re-use can be obtained from:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
Tel: 020 3350 4313, E-mail: [email protected]
Data Protection Policy Contents
1. Introduction
2. Scope of Policy
3. Summary of Aims
4. Notification to the Information Commissioner
5. CCG staff with Data Protection Responsibilities
6. Data Protection Principles
7. Processing
8. Privacy Notices
9. Responsibilities of Individual Data Users
10. Accuracy of Data
11. Sensitive Personal Data
12. Data Security and Disclosure
13. Data Subjects' Consent
14. Right of Access to Personal Data
14.1. Patients' Right of Access to Medical & Confidential Hospital Records
14.2. Staff Right of Access to Personnel Records
14.3. Right of Access to Personal Data by Elected Representatives
15. CCTV
16. Email
17. Disclosure outside of the European Economic Area
18. Retention of Data
Appendix A - EEA Countries
Appendix B - Request for Staff Personnel Records
Data Protection Policy
1. Introduction
Like all NHS organisations, Central London, West London, Hammersmith & Fulham, Hounslow and Ealing
Clinical Commissioning Groups (CCGs) hold and process information about its employees, patients and
other individuals for various purposes (for example, the effective provision of healthcare services or to
operate the payroll and to enable correspondence and communications). To comply with the Data
Protection Act 1998 (the DPA), information must be collected and used fairly, stored safely and not
disclosed to any unauthorised person. The DPA applies to both manual and electronically held data.
The policy applies to all information in the CCG. Non-compliance with this policy may result in disciplinary
action. The policy does not apply to member Practice’s personal records. It covers the personal and
confidential records held and processed by CCG staff.
2. Scope of Policy
This policy covers records held and processed by the CCG. The CCG is responsible for its own records
under the terms of the DPA, and it has submitted a notification as a Data Controller to the Information
Commissioner. Details can be found on the organisation’s website.
3. Summary of Aims
The lawful and correct treatment of personal information is vital to the successful operation of, and
maintaining confidence within the CCG, and the individuals with whom it deals. Therefore, the CCG will,
through appropriate management, and strict application of criteria and controls:
3.1. observe fully conditions regarding the fair collection and use of information;
3.2. meet its legal obligations to specify the purposes for which information is used;
3.3. collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
3.4. ensure the quality of information used;
3.5. apply strict checks to determine the length of time information is held;
3.6. ensure that the rights of people about whom information is held can be fully exercised under the Act. (These include: the right to be informed that processing is being undertaken; the right of access to one's personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is regarded as wrong information.);
3.7. take appropriate technical and organisational security measures to safeguard personal information;
3.8. ensure that personal information is not transferred abroad without suitable safeguards.
4. Notification to the Information Commissioner
The CCG has an obligation as a Data Controller to notify the Information Commissioner of the purposes
for which it processes personal data. Notification monitoring within the CCG is carried out by the Deputy
SIRO. Individual data subjects can obtain full details of the CCG's data protection registration/notification
with the Information Commissioner from the Information Governance Manager or from the Information
Commissioner's website (http://www.informationcommissioner.gov.uk).
5. CCG staff with Data Protection responsibilities
All queries about this CCG policy should be directed to the Deputy SIRO.
Requests for a full subject access request should be made to the Deputy SIRO. CCG staff requiring
personnel information should complete the form shown in Appendix B and send it through to the Deputy
SIRO.
See also Section 14, Right of Access to Personal Data, below for more details.
6. Data Protection Principles
The CCG, as a Data Controller, must comply with the eight Data Protection Principles set out in the Act. In
summary, these state that personal data shall:
6.1. Be processed fairly and lawfully and shall not be processed unless certain conditions are met.
6.2. Be obtained for specified and lawful purposes and shall not be processed in any manner incompatible with those purposes.
6.3. Be adequate, relevant and not excessive for those purposes.
6.4. Be accurate and kept up to date.
6.5. Not be kept for longer than is necessary for those purposes.
6.6. Be processed in accordance with the data subject's rights under the 1998 Act.
6.7. Be the subject of appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction.
6.8. Not be transferred to a country outside the European Economic Area, unless that country or territory has equivalent levels of protection for personal data.
See Section 17.
7. Processing
"Processing", in relation to information or data, means obtaining, recording or holding the information or
data or carrying out any operation or set of operations on the information or data, including:
7.1. organisation, adaptation or alteration of the information or data,
7.2. disclosure of the information or data by transmission, dissemination or otherwise making available, or
7.3. alignment, combination, blocking, erasure or destruction of the information or data.
8. Privacy Notices
A Privacy Notice is sometimes called a Fair Processing Notice. Any collection of personal data must satisfy the requirements of the fair processing condition set out in the first Data Protection Principle. This includes paper or electronic application forms, telephone calls, and surveys. You must ensure an appropriate Privacy Notice is included wherever personal data is collected. This particularly applies to patient consent forms: it may be that current forms need to be amended to include a statement about data protection.
The purpose of a Privacy notice is to explain to the individual:
• the identity of the organisation collecting his or her data;
• how the personal information which is provided will be used;
• any other information which the individual should be told in order to ensure the processing of his or
her information is fair, for example:
  o a description of any other organisations the information may be shared with or disclosed to; whether the information will be transferred outside the UK;
  o the fact that the individual can object to the use of his or her information for marketing;
  o the fact that an individual can obtain a copy of his or her information.
Ensure that the Privacy Notice is in a prominent position whenever used. Transparency is key.
An example form of words for a Privacy Notice might be:
Your personal data will be used only in accordance with the Central London, West London,
Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups notification
under the Data Protection Act 1998 and in compliance with the Freedom of Information Act
2000. The CCG will not disclose any personal information to any other third parties, except
where there is a legal justification or required by law, without your express consent.
Further details in relation to the use of personal data will be published on the CCG’s web site
http://www.centrallondonccg.nhs.uk/
http://www.westlondonccg.nhs.uk/
http://www.hammersmithfulhamccg.nhs.uk/
http://www.hounslowccg.nhs.uk/
Any queries concerning Data Protection and Freedom of Information should be addressed to the Deputy
SIRO.
9. Responsibilities of Individual Data Users
All employees of the CCG who record and/or process personal data in any form (called "Data Users" in
this policy) must ensure that they comply with:
• the requirements of the Data Protection Act 1998 (including the Data Protection Principles)
• the CCG's Data Protection Policy, including any procedures and guidelines which may be issued
from time to time.
A breach of the Data Protection Act and/or the CCG's Data Protection Policy may result in disciplinary
action.
Consideration should be given towards contacting the Deputy SIRO for data protection advice concerning
the following:
• when developing a new computer system for processing personal data - it may also be necessary
to comply with the CCG's Information Asset Policy;
• when using an existing computer system to process personal data for a new purpose as it may be
necessary to notify an amendment to an existing registration in the CCG's Database Management
Policy;
• when creating a new manual filing system containing personal data;
• when using an existing manual filing system containing personal data for a new purpose.
10. Accuracy of Data
a. Staff who have responsibility for handling any patient, staff or other individual's information must ensure that it is accurate and as up to date as possible, as detailed in their job descriptions.
b. All staff members are responsible for checking that any personal information they provide to the CCG in connection with their employment is accurate and up to date, e.g. change of address or name. The CCG cannot be held responsible for any errors unless the member of staff has informed the CCG about them.
11. Sensitive Personal Data
The CCG (or the CSU or alternative IT Provider on our behalf) may from time to time process "sensitive
personal data" relating to staff, patients and other individuals. This sensitive personal data may include
information which has incidentally come into the possession of the CCG. This type of information will not
be routinely sought by the CCG.
In exceptional circumstances, the CCG may need to process information regarding criminal convictions or
alleged offences in connection, for example, with any disciplinary proceedings or other legal obligations.
In circumstances where sensitive personal data is to be held or processed, the CCG will seek the explicit
consent of the individual in question unless one of the limited exemptions provided in the Data Protection
Act 1998 applies (such as to perform a legal duty regarding employees or to protect the data subject's or
a third party's vital interests).
12. Data Security and Disclosure
All staff within the CCG are responsible for ensuring that:
a. Any personal data which they hold is kept securely.
b. Personal data is not disclosed either orally or in writing or otherwise to any unauthorised third party, and that every reasonable effort will be made to see that data is not disclosed accidentally.
Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. If in any doubt, consult your line manager, the Deputy SIRO or Human Resources. Personal data must be kept securely and examples of how this may be done will include:
c. keeping the data locked in a filing cabinet, drawer or room; or if the data is computerised, ensuring that the data is password protected or kept only on disk which is itself kept securely; or
d. any other appropriate security measures which are detailed in the CCG’s Information Governance Policies.
13. Data Subjects' Consent
The CCG will not normally collect and process personal information. Where it does, it is the CCG’s policy
to seek and obtain express consent whenever practicable from individual data subjects for the main ways
in which the CCG may hold and process personal data concerning them. This is to allow individuals an
opportunity to raise any objections to any intended processing of their personal data. The CCG will
consider any such objections but reserves the right to process personal data in order to carry out its
functions as permitted by law. Legally, however, certain types of personal data may be processed for
particular purposes without the consent of individual data subjects. Where this takes place the CCG will
ensure that individuals processing that data are required to justify their reasons for doing so in line with
the 1998 Act and the guidelines issued by the Information Commissioner.
14. Right of Access to Personal Data
Staff, patients and other individuals have the right under the DPA to access any personal data that is
being held about them either in an "automatically processable form" (mainly computer records) or in a
"relevant filing system" (i.e. any set of information structured in such a way that specific information relating to a particular individual is readily accessible). They also have the right to request the correction of such data where they are incorrect. This is called a Subject Access Request.
14.1. Patients' Right of Access to Medical & Confidential Hospital Records
The CCG will only exceptionally hold identifiable data about patients, but must have a process for
managing subject access requests in respect of it. An individual who wishes to exercise his/her right of
subject access is asked to formally request this information in writing to the Deputy SIRO.
Any inaccuracies in data disclosed in this way should be communicated immediately to the
responsible Manager who shall take appropriate steps to make the necessary amendments. Requests
made under the Data Protection Act 1998 will be subject to the following set fees:
• £50 maximum fee where the data subject is supplied with copies of manual or a combination of
manual and automated records in permanent form.
• No fee where access (but no copies) is sought to manual records, at least part of which
comprise a recent record (made within 40 days). £10 for granting access to automated
records.
• £10 where access only (but no copies) is sought to manual records, none of which comprise a
recent record (all are over 40 days old).
The CCG will seek to respond to the request for access to personal data within the 40 calendar days
(including bank holidays and weekends) of the request.
14.2. Staff Right of Access to Personnel Records
Any member of staff who wishes to exercise his/her right of access to their staff record or similar
personal information is asked to request this information in writing to the Human Resources
Department using the form shown in Appendix B of this policy. Any such request will be formalised,
acknowledged, and logged into a tracking database. The department will have a specific time frame to
respond with either photo-copies of the information requested, or a time when the member of staff will
be able to read the information at source accompanied by a departmental senior manager. The
response to the requester in either case will be through the Human Resources Department.
Such access to information will not normally be subject to the payment of a fee. Where it is proposed
to charge a fee for access, no such charge will be made until the agreement of a fee structure with
staff side representatives.
Any perceived inaccuracies in data disclosed in this way should be communicated immediately to the
Human Resources Department who will take appropriate steps to investigate and make any agreed
and/or necessary amendments.
Should a member of staff make a formal full subject access request under the terms of the DPA, as described in Section 14.1 above, such a request will be subject to the fee structure detailed in that section.
14.3. Right of Access to Personal Data by Elected Representatives
Under the Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order
2002, Members of Parliament/Members of Scottish Parliament can make a request for (sensitive)
personal information about someone in an official capacity (e.g. an MP asking about a constituent),
and to be able to expect the information to be provided without the CCG receiving explicit consent
from the data subject in question.
i. It has become practice in the NHS, that when an MP makes an approach to an organisation on a constituent’s behalf it can be assumed that the constituent’s consent has been given (implied consent). The CCG fully accepts that effective communication with MPs, amongst others, is necessary and in our patients'/service users' interests, subject to checks or knowledge of the bona fides of the representative. There is no policy intention to prevent efficient and effective working relationships between MPs, their constituents and the CCG. Failure to adequately assist MPs may result in them writing to the Secretary of State complaining that the CCG is being obstructive and impugning the integrity of MPs.
ii. In general, when an MP writes to the CCG on behalf of a constituent, it is safe to assume that the constituent has given consent for the approach to be made; i.e. we have the implied (if not explicit) consent of the constituent. In such circumstances, information about the individual can be passed to the MP in order to respond to a specific enquiry. However, the guidance from the Information Commissioner makes it clear that Data Controllers should ensure that consent from the data subject is obtained satisfactorily, and this is especially the case in relation to sensitive personal information. It would be quite appropriate for the Data Controller to approach the Data Subject in relation to this, prior to disclosure to the MP.
iii. Where someone other than the constituent approaches the MP, for example relatives or friends intervening, perhaps inadvertently against the wishes of the individual concerned, it is acceptable to clarify the situation with the MP and to obtain consent before answering the enquiry. However, such cases should be rare and guidance must be sought from the Caldicott Guardian and/or the Information Governance Manager before any response is made to the MP.
iv. In the case of constituency workers or Parliamentary Secretaries, an element of common sense must be applied. MPs are unable to personally handle every aspect of a constituent's case. For example, it is highly unlikely that the MP personally typed the letter and it is equally unlikely (although possible) that the constituent would believe this to be the case.
v. There is little problem in advising a constituency worker of the progress of a particular request. This does not mean, however, that the constituency worker should be given detailed confidential information about the constituent unless it is clear that it is both appropriate to do so and preferably with the direct knowledge and consent of the constituent. In response to an MP, the Secretary of State stated that implied consent "would not normally be automatically" extended to constituency workers.
15. CCTV
A number of CCTV cameras are present on the CCG sites, to assist with security for staff, other
individuals and their property, and in accordance with the CCG's 'notification' to the Information
Commissioner. Disclosure of images from the CCG CCTV system will be controlled and consistent with
the purpose for which the system was established. For example, it will be appropriate to disclose images
to law enforcement agencies where a crime needs to be investigated, but it would not be considered
appropriate to disclose images of identifiable individuals to the media for entertainment purposes or place
them on the internet. Images can be released to the media for identification purposes; this should not
generally be done by anyone other than a law enforcement agency.
If you have any queries regarding the operation of or access to the CCTV system, please contact the
CCG Security Manager. If access is required in connection with ongoing disciplinary matters, permission
should be sought from the Director of Human Resources or nominated deputy.
16. Email
It is permissible and appropriate for the CCG to keep records of internal communications, provided such
records comply with the Data Protection Principles. The appropriate use of email in the proper functioning
of the CCG, and the limitations can be found in the CCG's Email Policy.
All CCG staff should be aware that the DPA subject access right, subject to certain exceptions, applies to
emails which contain personal data about individuals which are sent or received by CCG staff.
17. Disclosure outside of the United Kingdom (UK) or European Economic Area (EEA)
The CCG may, from time to time, need to transfer personal data to countries or territories outside of the
UK or EEA (which is the EU member states plus the European Free Trade Association (EFTA) countries
of Iceland, Liechtenstein and Norway) in accordance with purposes made known to individual data
subjects. For example, the names and contact details of members of staff at the CCG on a website may
constitute a transfer of personal data worldwide. If an individual wishes to raise an objection to this
disclosure, then written notice should be given to the CCG's Deputy SIRO.
Other personal data, even if it would otherwise constitute fair processing, must not, unless certain
exemptions apply or protective measures taken, be disclosed or transferred outside the UK or EEA to a
country or territory which does not ensure an adequate level of protection for the rights and freedoms of
data subjects.
The European Commission has the power to determine whether a third country (i.e. not an EU member
state or an EFTA country) ensures an adequate level of protection for personal data by reason of its
domestic law or the international commitments it has entered into.
The Commission has so far recognised Switzerland, Canada, Argentina, Guernsey, Isle of Man, Jersey,
the US Department of Commerce's ‘Safe Harbor’ Privacy Principles, and the transfer of Air Passenger
Name Record to the United States' Bureau of Customs and Border Protection as providing adequate
protection.
18. Retention of Data
The CCG will hold different types of information for differing lengths of time, depending on legal and
operational requirements, following which it will either be archived or destroyed. This will be done in
accordance with the retention periods detailed in the CCG's Records Management Policy which is
compliant with the Department of Health's Records Management: NHS Code of Practice, parts 1 & 2: April
January 2009, and the Code of Practice for the Management of Records, Section 46, Freedom of
Information Act (2000).
Any CCG local retention policies will use the timescales detailed in the NHS Code of Practice as a
minimum. All data retention will comply with the 5th Principle of the Data Protection Act 1998.
Data Protection Policy
Appendix A - EEA Countries
The 8th Principle of the Data Protection Act 1998 prohibits the transfer of personal information to countries or territories outside the European Economic Area (EEA). (Currently the EEA consists of the 27 European Union member states and 3 other states.)
The European Union states are:
Austria
Belgium
Bulgaria
Cyprus
The Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Ireland
Italy
Latvia
Lithuania
Luxembourg
Malta
Netherlands
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
United Kingdom
The other EEA states are:
Iceland
Liechtenstein
Norway
Appendix B
OFFICE USE ONLY
DPA RFI:
Date in:
Completed:
Request to view or receive copies of your Staff Personnel Record
Subject Access Request under the Data Protection Act 1998
(Not a Medical Record request, not a Full Subject Access request)
Personal Details
Surname:
Forename(s):
Job Title:
Department:
Your Ext. No.:
Line Manager:
Line Manager Ext. No.:
I require (please tick the appropriate box):
[ ] To view my Record
[ ] Copies of my Record
If you require copies of your record, they will be sent to your home address; please complete the address section below:
Home address
House number or name:
Road name:
Area:
City or town:
Post Code:
Declaration
I declare that the information in this form is correct and that I am the person named above.
Signed:
Date:
Notes for applicants
1. All requests for staff personnel records must be made on this form.
2. Copies of this form can be obtained from Human Resources and the Deputy SIRO. Please enter “Staff Personnel Record Request” in the subject line. Forms can be either emailed or posted to you. If emailed, print out and complete.
3. Forms can also be downloaded from the CCG intranet site.
4. Completed forms should be returned by internal post to the Human Resources Department.
5. The Human Resources Department will progress your request, either setting up a viewing appointment or dispatching the copy of your personnel record to your address.
6. Under the Data Protection Act 1998 we have 40 days to complete your request; every effort will be made to complete your request before that deadline and within the NHS commitment of 21 days.
7. In accordance with the CCG Data Protection Policy, no charge is made for this request. Full subject access requests will be charged at £10 plus disbursements in line with this policy.
XXX CCG WHISTLEBLOWING POLICY
Date completed: January 2013
Responsible Director: Ben Westmancott
Author: Kieran Seale
Approved by/date: XXXX Governing Body, [date]
Review date: [+ 1 year]
Amended:
This policy is based on the policy template provided in “Speak up for a healthy NHS” produced by the NHS Social Partnership Forum and Public Concern at Work.
CWHH is a collaboration between the Central London, West London, Hammersmith & Fulham and Hounslow Clinical Commissioning Groups
Introduction
1. All of us at one time or another have concerns about what is happening at
work. Usually these are easily resolved. However, when the concern feels
serious because it is about a possible danger, professional misconduct or
financial malpractice that might affect patients, colleagues, or the Clinical
Commissioning Group itself, it can be difficult to know what to do.
2. You may be worried about raising such an issue and may think it best to
keep it to yourself, perhaps feeling it is none of your business or that it is
only a suspicion. You may feel that raising the matter would be disloyal to
colleagues, to managers or to the organisation. You may have said
something but found that you have spoken to the wrong person or raised
the issue in the wrong way and are not sure what to do next.
3. The governing body of the Clinical Commissioning Group is committed to
running the organisation in the best way possible and to do so we need
your help. We have introduced this policy to reassure you that it is safe
and acceptable to speak up and to enable you to raise any concern you
may have at an early stage and in the right way. Rather than wait for proof,
we would prefer you to raise the matter when it is still a concern.
4. This policy applies to all those who work for us: whether full-time or part-time, self-employed, employed through an agency or as a volunteer.
5. If something is troubling you which you think we should know about or look
into, please use this procedure. If, however, you wish to make a complaint
about your employment or how you have been treated, please use the
grievance policy or bullying/harassment policy, which you can obtain from
your manager or personnel officer. (If you have a concern about financial
misconduct or fraud, please see our Anti-fraud Policy).
This Whistleblowing Policy is primarily for individuals who work for us and have concerns where the interests of others or of the organisation itself are at risk.
6. If in doubt – raise it!
Our commitment to you
Your safety
7. The governing body, Chief Officer and the staff unions are committed to
this policy. If you raise a genuine concern under this policy, you will not be
at risk of losing your job or suffering any detriment (such as a reprisal or
victimisation). Provided you are acting in good faith (effectively this means
honestly), it does not matter if you are mistaken or if there is an innocent
explanation for your concerns. So please do not think we will ask you to
prove it. Of course we do not extend this assurance to someone who
maliciously raises a matter they know is untrue.
Your confidence
8. With these assurances, we hope you will raise your concern openly.
However, we recognise that there may be circumstances when you would
prefer to speak to someone in confidence first. If this is the case, please
say so at the outset. If you ask us not to disclose your identity, we will not
do so without your consent unless required by law. You should understand
that there may be times when we are unable to resolve a concern without
revealing your identity, for example where your personal evidence is
essential. In such cases, we will discuss with you whether and how the
matter can best proceed.
9. Please remember that if you do not tell us who you are it will be much
more difficult for us to look into the matter. We will not be able to protect
your position or to give you feedback. Accordingly you should not assume
we can provide the assurances we offer in the same way if you report a
concern anonymously.
How to raise a concern
10. If you are unsure about raising a concern at any stage you can get
independent advice from your trade union representative or Public
Concern at Work (see contact details under Independent advice below).
Please remember that you do not need to have firm evidence before
raising a concern. However, we do ask that you explain as fully as you can
the information or circumstances that gave rise to your concern.
Step one
If you have a concern about a risk, malpractice or wrongdoing at work,
we hope you will feel able to raise it first with your line manager or lead
clinician. This may be done verbally or in writing.
Step two
If you feel unable to raise the matter with your line manager or lead
clinician, for whatever reason, please raise the matter with:
[Name of designated officer] [Contact details]
OR
[Name of designated officer] [Contact details]
These people have been given special responsibility and training in
dealing with whistleblowing concerns. If you want to raise the matter in
confidence, please say so at the outset so that appropriate
arrangements can be made. You may also choose to raise an issue
with one of the CCG Lay Members who will refer it on as appropriate.
Step three
If these channels have been followed and you still have concerns, or if
you feel that the matter is so serious that you cannot discuss it with any
of the above, please contact:
Daniel Elkeles, Chief Officer.
Department of Health
11. The Clinical Commissioning Group recognises its accountability within the
NHS. In light of this you can also contact:
• NHS Counter Fraud Line on 0800 028 40 60 (if your concern is
about financial malpractice);
• Local Counter Fraud lead (details to be confirmed);
• Department of Health: Customer Service Centre, Department of
Health, Richmond House, 79 Whitehall, London SW1A 2NS Email: [email protected], Telephone: 020 7210 4850;
• NHS Commissioning Board (London), Southside, 105 Victoria
Street, London SW1E 6QT, Telephone 020 7932 3700.
How we will handle the matter
12. Once you have told us of your concern, we will assess it and consider
what action may be appropriate. This may involve an informal review, an
internal inquiry or a more formal investigation. We will tell you who will be
handling the matter, how you can contact them, and what further
assistance we may need from you. If you ask, we will write to you
summarising your concern and setting out how we propose to handle it
and provide a timeframe for feedback. If we have misunderstood the
concern or there is any information missing, please let us know. We
undertake to acknowledge concerns within 48 hours, and give a
substantive response within 28 days.
13. When you raise the concern it will be helpful to know how you think the
matter might best be resolved. If you have any personal interest in the
matter, we do ask that you tell us at the outset. If we think your concern
falls more properly within our grievance, bullying and harassment or other
relevant procedure, we will let you know.
14. Whenever possible, we will give you feedback on the outcome of any
investigation. Please note, however, that we may not be able to tell you
about the precise actions we take where this would infringe a duty of
confidence we owe to another person. While we cannot guarantee that we
will respond to all matters in the way that you might wish, we will strive to
handle the matter fairly and properly. By using this policy you will help us
to achieve this.
Independent advice
15. If you are unsure whether to use this policy or you want confidential advice
at any stage, you may contact your union or the independent
whistleblowing charity Public Concern at Work on 020 7404 6609 or by
email at [email protected]. Their lawyers can talk you through your
options and help you raise a concern about malpractice or wrongdoing at
work.
External contacts
16. While we hope this policy gives you the reassurance you need to raise
your concern internally with us, we recognise that there may be
circumstances where you can properly report a concern to an outside
body. In fact, we would rather you raised a matter with the appropriate
regulator – such as the Care Quality Commission, the National
Commissioning Board or the National Patient Safety Agency – than not at
all. Your union or Public Concern at Work will be able to advise you on
such an option if you wish.
Monitoring oversight
17. The governing body/Audit Committee is responsible for this policy and will
review it annually. The governance team will monitor the daily operation of
the policy and if you have any comments or questions, please do not
hesitate to let one of their team know.
Confidentiality Code of Conduct
Date completed: June 2013
Responsible
Director:
Director of
Compliance
Approved by/
date:
CWHHE Quality and Safety Committee, 2nd October 2013
Review date:
October 2014
Amended:
Author:
Ben Westmancott
Confidentiality: Staff Code of Conduct
For more information on this document, please contact:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
15 Marylebone Road, London NW1 JD
E-mail: [email protected]
Version Control
Version | Date Issued | Brief Summary of Changes | Owners name
1.0 | July 2013 | Amended to reflect CWHHE procedures | Ben Westmancott
2.0 | August 2013 | Circulated to local CCG IT committee for comment | Ben Westmancott
Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups,
2013: All rights reserved
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations
2005. SI2005 No 1515”
Information on re-use can be obtained from:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
Tel: 020 3350 4313, E-mail: [email protected]
Confidentiality~Staff Code of Conduct
Version 2
Page 2 of 15
Confidentiality: Staff Code of Conduct
Contents
1. Introduction .......... 4
2. Purpose of the Code .......... 4
3. Background .......... 4
4. Principles of Confidentiality .......... 4
5. General Requirements .......... 5
6. Detailed provisions .......... 6
6.1. Confidentiality of Information .......... 6
6.2. Confidential Information .......... 6
6.3. Person-identifiable Information .......... 6
6.4. Requests for Information .......... 6
6.5. Telephone Enquiries .......... 6
6.6. Requests for Information by the Police .......... 7
6.7. Requests for Information by the Media .......... 7
6.8. Disclosure of Information to other STH Staff .......... 7
6.9. Abuse of Privilege .......... 7
6.10. Carelessness .......... 7
6.11. Research and Audit .......... 7
6.12. Using the Post .......... 7
6.13. Electronic Media .......... 8
6.14. Case notes .......... 8
6.15. Faxing .......... 8
6.16. Storage of Confidential Information .......... 8
6.17. Disposal of Confidential Information .......... 8
6.18. Confidentiality of Passwords .......... 8
6.19. Emailing Confidential Information .......... 9
6.20. Working at home .......... 9
7. General Provisions .......... 10
7.1. Interpretation .......... 10
7.2. Non-compliance .......... 10
8. Amendments .......... 10
9. Useful Telephone numbers .......... 10
Appendix 1: Caldicott Principles .......... 11
Appendix 2: Some professional codes, undertakings and guidance .......... 12
Appendix 3: NHSMail and other Secure Email Interconnectivity .......... 17
Confidentiality: Staff Code of Conduct
This document should be read and understood prior to the contract of employment or other
confidentiality agreement being signed.
If anything is not clear please contact your Line Manager or the Human Resources (Department)
(Adviser).
1. Introduction
Much of our work involves us, in one way or another, with access to confidential information.
Often this will be personal information about staff or, exceptionally, patients. We may also have
corporately confidential information e.g. commercial or legal. We trust our staff to respect this
confidence. It is very important. We have produced this Code of Conduct to explain, not only to you
but to others with whom we do our work, how seriously we treat this matter.
2. Purpose of the Code
• To inform staff of the need and reasons for keeping information confidential
• To inform staff about what is expected of them
• To protect the CCG as an employer and as a user of confidential information
3. Background
Personal information about individuals is routinely collected by the CCG as part of its work. The CCG
staff and those authorised to use that information are bound by common law obligations of
confidentiality, contracts of employment and the requirements of the Data Protection Act 1998.
Patient information (where held) is also subject to the Caldicott guidelines (Appendix 1).
A general duty of confidence arises when one person discloses information to another in
circumstances where it is reasonable to expect that the information will be held in confidence. All staff
members working in the NHS are bound by a legal duty of confidence to protect identifiable personal
information that they may come into contact with during the course of their duties.
The NHS has published a detailed Code of Practice on Confidentiality and this is available at:
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/codes/confcode.pdf
Information collected by the CCG about its staff is subject to the same duty of confidentiality and the
requirements of the Data Protection Act 1998.
If confidentiality is broken then this breach may result in an unauthorised disclosure of information, a
breach of the Data Protection Act and a loss of trust between an individual and the CCG.
A principle of this Code of Conduct (Code) is that no employee shall breach their legal duty of
confidentiality, allow others to do so, or attempt to breach any of the CCG security systems or controls
in order to do so.
This Code has been written to meet the requirements of:
• The Data Protection Act 1998
• The Human Rights Act 1998
• The Computer Misuse Act 1990
• The Copyright Designs and Patents Act 1988
• The NHS Code of Confidentiality 2003
This Code has been produced to protect staff by making them aware of the correct procedures so that
they do not inadvertently breach any of these requirements.
If the Code is breached then this may result in legal action against the individual and/or the CCG as
well as investigation in accordance with the CCG disciplinary procedures.
4. Principles of Confidentiality
Patients have a right to expect that a health care worker involved in their care, or commissioning of
their care, will not disclose any personal information learnt during the course of their duties, unless
permission is given. Without assurances about confidentiality patients may be reluctant to give
information which is needed in order to provide good care.
When you are responsible for confidential information you must make sure that the information is
effectively protected against improper disclosure when it is recorded, stored, transmitted or received or
disposed of.
When patients give consent to disclosure of information about them, you must make sure they
understand what will be disclosed, the reasons for disclosure and the likely consequences.
You must make sure that patients are informed whenever information about them is likely to be
disclosed to others involved in their healthcare, and that they have the opportunity to withhold their
permission.
You must respect requests by patients that information should not be disclosed to third parties, except
in exceptional circumstances (for example, where the health and safety of others would otherwise be
at serious risk).
If you disclose confidential information, you should release only as much information as is necessary
for the purpose.
If it is appropriate to share information gained in the course of your work with other health or social
work practitioners, you must make sure that, as far as is reasonable, the information will be kept in
strict professional confidence and only used for the purpose for which the information was given.
If you decide to disclose confidential information, you must be prepared to explain and justify your
decision to do so.
You must abide by these principles in perpetuity (forever!).
5. General requirements
Staff are obliged to keep any personal identifiable information strictly confidential e.g. patient and
employee records.
Note also that pseudonymised and anonymised data must also be handled with care, particularly in
respect of any risks of inappropriate re-identification by a third party (see the Information
Commissioner’s “Anonymisation: managing data protection risk code of practice”,
http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/anonymisation.aspx).
It should be noted that staff may also come into contact with non-person identifiable information and
this should also be treated with the same degree of care e.g. business in confidence information such
as confidential meeting papers, legal documentation or procurement decisions.
Disclosure and sharing of personal identifiable information is governed by the requirements of Acts of
Parliament and government guidelines.
The Caldicott Guidelines (Appendix 1) have been developed for use of patient related information.
The CCG has appointed a Guardian to uphold these principles and this is the Director of Quality and
Patient Safety.
For health and other professionals there are requirements through their own professional Codes of
Conduct. (Appendix 2).
Some departments have their own special requirements.
6. Detailed provisions
6.1. Confidentiality of Information
All staff are responsible for maintaining the confidentiality of information gained during their
employment by the CCG. This duty of confidentiality is a contractual requirement.
6.2. Confidential Information
• any information that relates to patients, staff (including non-contract, volunteers, bank
and agency staff, locums, student placements), their family or friends, however it is
stored. For example, information may be held on paper, floppy disk, computer storage
device, CD, computer file or printout, video, photograph or even heard by word of
mouth.
• includes information stored on portable devices such as (but not limited to) laptops,
palmtops, mobile phones, memory sticks and digital cameras.
• can take many forms including medical notes, audits, employee records, occupational
health records etc. It also includes any CCG business information.
6.3. Person-identifiable Information
Is anything that contains the means to identify a person either on its own or in combination
with other items, e.g. name, address, postcode, date of birth, NHS number, National
Insurance number, etc. Even a visual image such as a photograph is sufficient to identify
an individual.
Certain categories of information are legally defined as particularly sensitive and should be
most carefully protected by additional requirements stated in legislation.
For example: information regarding in-vitro fertilisation, sexually transmitted diseases, HIV
and termination of pregnancy).
During your work you should consider all information to be sensitive, even something as
straightforward as a patient’s name and address.
This standard should be applied to all information that you come into contact with.
6.4. Requests for Information
Never give information about patients or staff to persons who do not “need to know”. Always
ask and check.
All requests for person-identifiable information should be justified and handled only in accordance
with the procedures in your area of work.
Some requests may also need to be agreed by the CCG Caldicott Guardian.
Exceptions to this rule may require you to get written consent from the patient in advance. If
the patient is unconscious and unable to give consent you will need to consult with the
health professional in charge of the patient’s care.
If you have any concerns about disclosing or sharing patient information you must discuss
them with your Line or Senior Manager. If they are not available then consult someone with
the same or similar responsibilities. If you cannot find anyone at the time to help then take
down the requestor’s details and contact them when you are satisfied the disclosure of
information can take place.
6.5. Telephone Enquiries
If a request for information is made by telephone:
• Always try to check the identity of the caller
• Check whether they are entitled to the information they request.
• Take a number, verify it independently and call back.
• Record how you have verified the identity of the caller
If in doubt consult your Line or Senior Manager.
6.6. Requests for Information by the Police
Requests for information from the Police should always be referred to the senior clinician or
the CCGs Information Governance lead or in accordance with the procedures in your area
of work.
6.7. Requests for Information by the Media
Do not, under any circumstances, give out any information to members of the press.
If you receive any requests from the media, either by personal visit or by phone, refer the
person to the CCG Communications lead.
6.8. Disclosure of Information to other CCG Staff
Information on individuals should only be released on a need-to-know basis.
Always check the member of staff is who they say they are; this can be done by checking
the employee’s ID badge and/or their internal extension number prior to giving them any
information. If possible also check whether they are entitled to the information.
Don’t be bullied into giving out information.
If in doubt, check with your line manager or the IG lead for the CCG.
6.9. Abuse of Privilege
It is strictly forbidden for staff to look at any information relating to their own family, friends
or acquaintances unless they are directly involved in the patient’s clinical care or with the
employee’s administration on behalf of the CCG.
Action of this kind will be viewed as a breach of confidentiality and will be subject to the
CCG disciplinary process.
If you have concerns about this issue please discuss with your Line or Senior Manager.
6.10. Carelessness
Do not talk about staff members or patients in public places or where you can be overheard
by the public, patients or even other members of staff.
Do not leave any personal records or confidential information lying around unattended.
Make sure that any computer screens or other displays of a person’s information on a
notice-board or whiteboard cannot be seen by the general public.
6.11. Research and Audit
It is important that personal information identifying any individual is carefully used and
protected. Audit and Research advice can be obtained from the IG Lead in relation to best
practice. It is usual for research and audit information to not identify an individual.
6.12. Using the Post
Best practice requires that all correspondence containing personal information should
always be addressed to a named recipient.
This means personal information and data should be addressed to a person, or a legitimate
Safe Haven, but not to a department, a unit or an organisation. In cases where the mail is
for a team it should be addressed to an agreed post holder or team leader.
Post containing confidential information or data should only be sent in a securely sealed
envelope or package.
Special care should be taken with personal information sent in quantity, such as case notes, or
collections of personal records on paper, floppy disk or other removable electronic media.
Electronic storage should be encrypted and password protected. For items being sent to an
external address these should be sent by Recorded Delivery or by NHS courier, to
safeguard that these are received by the authorised recipient. All electronic media is to be
checked for the presence of pre-existing information prior to sending.
With Personal Identifiable Data (PID) it is also advisable to obtain a receipt of posting.
Remember that pseudonymised data is still covered by the DPA.
6.13. Electronic media
Should be password protected. Advice on how to password protect files is available from
the local Information Governance Lead.
6.14. Case notes
Case notes and other bulky material should only be transported in suitable boxes or
containers and never in dustbin sacks, carrier bags or similar. The containers should not be
left unattended unless they are stored, waiting for collection, securely. The containers
should only be taken and transported by an approved carrier.
6.15. Faxing
The use of faxes is discouraged and they should be used only in exceptional circumstances. No personal
identifiable data should be sent via fax; wherever possible use other more secure
methods such as end-to-end encrypted email.
Faxes should always be addressed to named recipients.
Always check the telephone number of the fax machine to avoid misdialling and ring the
recipient to check that they have received the fax. More details can be found in the Safe
Haven Policy.
If your fax machine stores numbers in memory, always check that the number held is
correct and current before sending sensitive information.
See also the CCG Safe Haven Policy and guidance
6.16. Storage of Confidential Information
Paper-based confidential information and electronic storage media should always be kept
securely and preferably in a room that is locked when unattended.
PC-based information should never be saved onto local hard drives but onto the CCG
network. If removable media is used then this should be encrypted and accessed using dual
authentication (login and password). Confidential information must not be stored in areas
that are not encrypted to NHS standards e.g. dropbox.
6.17. Disposal of Confidential Information
Person-identifiable information or confidential information must be disposed of by cross
shredding. Waste must be placed in the confidential waste consoles until it can be collected
for secure disposal.
Floppy disks/CDs, portable hard drives, memory sticks and other portable electronic media
containing confidential information should be either securely deleted and reformatted or
destroyed. Computer files with confidential information no longer required must be deleted
from both the computer and the server if necessary.
Computer hard disks are disposed of by the CSU or alternative IT provider, on our behalf,
through a specialist third party provider. The CCG will assure itself that this process is
appropriate and will review the process annually.
Advice is available from the Local Information Governance Lead.
6.18. Confidentiality of Passwords
Personal passwords issued to, or created by, staff should be regarded as confidential and
must not be communicated or shared with anyone.
Passwords should be a minimum length of 8 alphanumeric characters; however, as
encryption is now mandatory for all portable storage media (including laptops) holding
Personal Identifiable Data (PID) and other sensitive patient information, pass codes should
be considered for security reasons. Pass codes should have a minimum of 12 alphanumeric
characters and symbols in their construction.
Passwords should not be written down.
No employee should attempt to bypass or defeat the security systems or attempt to obtain
or use passwords or privileges issued to other staff.
Any attempts to breach security should be immediately reported to the SIRO.
Such breaches of security may result in disciplinary action and may also be regarded as a
contravention of the Computer Misuse Act 1990 and the Data Protection Act 1998 and lead
to criminal action.
6.19. E-mailing Confidential Information
Should you need to send Personal Identifiable Data (PID) or other sensitive information via
e-mail to other NHS organisations, you should set up and use an NHS mail account and
send your e-mail to an NHS mail address. NHS email addresses are identifiable by
@nhs.net suffixes. You must not send unencrypted information to any other addresses with
the exception of the government secure email addresses listed in Appendix 3. These have
the same security rating as NHS mail. Please be aware that nhs.uk and gov.uk email
addresses are not encrypted and PID should not be sent to these addresses.
If you need to send PID or other sensitive information to another NHS organisation using a
non NHS mail address, be aware of confidentiality, data protection and security issues and
use the minimum identifiable information, which must then be encrypted and password
protected using SafeBoot, or WinZip version 11 or later, using a 256 bit AES encryption
key.
Individual users must not send or forward confidential or sensitive CCG information through
non CCG e-mail. Examples of non CCG email are (this list is by no means exhaustive):
• Google/Gmail
• Hotmail
• Yahoo mail
• AOL mail
• Internet or remote storage areas and e-mail services provided by other
ISPs (Internet Service Providers)
Individual users are prohibited from using instant messaging services such as, but not
limited to, Microsoft Messenger or Yahoo Messenger.
Agreed information sharing protocols must be used when sending or forwarding confidential
or sensitive CCG information to individuals in other organisations. More information on
information sharing protocols is available from the Deputy SIRO.
CCG staff have a responsibility to alert a sender should they receive confidential
information from an unencrypted email address.
6.20. Working at home
It is sometimes necessary for staff to work at home. If you need to do this you must have the
approval of your Line or Senior Manager. If agreed, you should ensure that the following
controls are met. You should also remember that you have a personal liability
under both the Data Protection Act 1998 and your contract of employment for any breach of
these requirements:
Ensure you have authority to take the information or data home as detailed above
It is not permitted for personal records of any type to be taken home.
The CCG has separate arrangements for the transport and use of personal records to other
locations.
If you are removing CCG information or data of any type please ensure that the removal is
recorded, the new location logged and the date it will be returned. Return of the information
must be recorded.
All information, especially PID, that is removed from the work environment via any form of
portable electronic storage media must be securely encrypted and password protected whilst
it is being transported and used at home. The CCG will issue encrypted USB sticks for
secure transport of data on request. Staff should only use CCG approved IT equipment for
working at home. By registering, the data flow (point to point) will be recorded and also
registered.
Whilst the information is at home, you have personal responsibility for its security and
confidentiality. If information is on portable electronic storage media such as floppy disk, CD
ROM, USB stick or any other removable device, it must be either securely erased and
formatted or the media taken back to the workplace. Under no circumstances should CCG
information be accessible to members of your family, friends or colleagues.
If you are working at home on a regular basis, it is recommended that you apply for and are
issued with a device configured to the CCG security, encryption and log–on/password
specifications and used exclusively for CCG business. This avoids the problems that can be
caused when confidential information is loaded on to a family used home computer, which is,
in any event, not permitted. Open wi-fi networks should not be used to log on to the CCG’s
network.
7. General provisions
7.1. Interpretation
If any person requires an explanation concerning the interpretation or the relevance of this
code of conduct, they should discuss the matter with their Line or Senior Manager, the IG
lead/team or the Caldicott Guardian.
Confidentiality~Staff Code of Conduct
Version 2
Page 10 of 15
The Data Protection Officer for the CCG is the Director of Compliance
The Caldicott Guardian is The Director of Quality and Patient Safety
7.2. Non-Compliance
Non-compliance with this code of conduct by any person working for the CCG may result in
disciplinary action being taken in accordance with the CCG disciplinary procedure.
To obtain a copy of the disciplinary procedures please discuss with your Line or Senior
Manager or the Human Resources Department.
8. Amendments
This code will be amended as necessary to reflect the CCG development of policies and procedures
and the changing needs of the NHS.
9. Useful Telephone numbers
Caldicott Guardian: 020 3350 4817
Communications Department: 07771339170
Data Protection Officer: 020 3350 4313
Appendix 1
Caldicott Principles
Justify the purpose(s)
Question why the information is required and what specific information is needed, to enable them to
perform their task.
Don't use patient-identifiable information unless it is absolutely necessary
Consider why identifiable information about a patient is being requested, whether it could be
anonymised in some way and, if not, what the benefits are and whether they outweigh the patient’s
right to confidentiality.
Use the minimum necessary patient identifiable information
Where supplying patient-identifiable information is vital, we need to consider the absolute
minimum required; for this we have to consider what it is needed for and what they have a right to see.
Access to patient-identifiable information should be on a strict need-to-know basis
Only those who need to view patient-identifiable data should be allowed access and even then only to
that which they need to know.
Everyone with access to patient-identifiable information should be aware of his or her
responsibilities
Each member of staff concerned should be aware of the implications that a breach of confidentiality
has on the patient or member of staff and what they should be doing to prevent or reduce the risk of
any such breaches.
Understand and comply with the law
All uses of patient-identifiable data should be lawful. Someone within your organisation must be
responsible for ensuring that the organisation complies with legal requirements.
Appendix 2
Some professional codes, undertakings and guidance
General Medical Council
Principles
1. Confidentiality is central to trust between doctors and patients. Without assurances about
confidentiality, patients may be reluctant to seek medical attention or to give doctors the
information they need in order to provide good care. But appropriate information sharing is
essential to the efficient provision of safe, effective care, both for the individual patient and for
the wider community of patients.
2. You should make sure that information is readily available to patients explaining that, unless
they object, their personal information may be disclosed for the sake of their own care and for
local clinical audit. Patients usually understand that information about them has to be shared
within the healthcare team to provide their care. But it is not always clear to patients that others
who support the provision of care might also need to have access to their personal information.
And patients may not be aware of disclosures to others for purposes other than their care, such
as service planning or medical research. You must inform patients about disclosures for
purposes they would not reasonably expect, or check that they have already received
information about such disclosures.
Confidentiality is an important duty, but it is not absolute. You can disclose personal information
if:
(a) it is required by law (see paragraphs 17 to 23)
(b) the patient consents – either implicitly for the sake of their own care (see paragraphs
25 to 31) or expressly for other purposes (see paragraphs 32 to 35)
(c) it is justified in the public interest (see paragraphs 36 to 56).
3. When disclosing information about a patient, you must:
(a) use anonymised or coded information if practicable and if it will serve the purpose
(b) be satisfied that the patient:
(i) has ready access to information that explains that their personal information
might be disclosed for the sake of their own care, or for local clinical audit, and
that they can object, and
(ii) has not objected
(c) get the patient’s express consent if identifiable information is to be disclosed for
purposes other than their care or local clinical audit, unless the disclosure is required by
law or can be justified in the public interest
(d) keep disclosures to the minimum necessary, and
(e) keep up to date with, and observe, all relevant legal requirements, including the
common law and data protection legislation.
4. When you are satisfied that information should be disclosed, you should act promptly to
disclose all relevant information.
5. You should respect, and help patients to exercise, their legal rights to:
(a) be informed about how their information will be used, and
(b) have access to, or copies of, their health records.
Extract taken from Confidentiality (2009), which sets out the principles of confidentiality and respect for
patients' privacy that doctors are expected to understand and follow.
Nursing and Midwifery Council
‘The code: Standards of conduct, performance and ethics for nurses and midwives’ (2008) states:
• "You must respect people's right to confidentiality."
• "You must ensure people are informed about how and why information is shared by those
who will be providing their care."
• "You must disclose information if you believe someone may be at risk of harm, in line with
the law of the country in which you are practising."
Confidentiality
A duty of confidence arises when one person discloses information to another in circumstances where
it is reasonable to expect that the information will be held in confidence. This duty of confidence is
derived from:
• common law – the decisions of the Courts
• statute law which is passed by Parliament.
Confidentiality is a fundamental part of professional practice that protects human rights. This is
identified in Article 8 (Right to respect for private and family life) of the European Convention of
Human Rights.
The common law of confidentiality reflects that people have a right to expect that information given to
a nurse or midwife is only used for the purpose for which it was given and will not be disclosed without
permission. This covers situations where information is disclosed directly to the nurse or midwife and
also to information that the nurse or midwife obtains from others. One aspect of privacy is that
individuals have the right to control access to their own personal health information.
It is not acceptable for nurses and midwives to:
• discuss matters related to the people in their care outside the clinical setting
• discuss a case with colleagues in public where they may be overheard
• leave records unattended where they may be read by unauthorised persons.
Legislation
All nurses and midwives need to be aware of the following pieces of legislation relating to
confidentiality:
The Data Protection Act 1998
This Act governs the processing of information that identifies living individuals. Processing includes
holding, obtaining, recording, using and disclosing of information and the Act applies to all forms of
media, including paper and electronic.
The Human Fertilisation and Embryology Act 1990
Regulates the provision of new reproductive technology services and places a statutory ban upon the
disclosure of information concerning gamete donors and people receiving treatment under the Act.
Unauthorised disclosure of such information by healthcare professionals and others has been made a
criminal offence.
The National Health Service Venereal Disease Regulations (SI 1974 No.29)
This states that health authorities should take all necessary steps to ensure that identifiable
information relating to persons being treated for sexually transmitted diseases should not be
disclosed.
The Mental Capacity Act (2005)
This provides a legal framework to empower and protect people who may lack capacity to make some
decisions for themselves. The assessor of an “individual’s capacity to make a decision will usually be
the person who is directly concerned with the individual at the time the decision needs to be made”;
this means that different health and social care workers will be involved in different capacity decisions
at different times.
The Freedom of Information Act 2000 and Freedom of Information (Scotland) Act 2002
These Acts grant people rights of access to information that is not covered by the Data Protection Act
1998, e.g. information which does not contain a person’s identifiable details.
The Computer Misuse Act 1990
This Act secures computer programmes and data against unauthorised access or alteration.
Authorised users have permission to use certain programmes and data. If the users go beyond what is
permitted, this is a criminal offence.
Disclosure
Disclosure means the giving of information. Disclosure is only lawful and ethical if the individual has
given consent to the information being passed on. Such consent must be freely and fully given.
Consent to disclosure of confidential information may be:
• explicit
• implied
• required by law or
• capable of justification by reason of the public interest
Disclosure with consent
Explicit consent is obtained when the person in the care of a nurse or midwife agrees to disclosure
having been informed of the reason for that disclosure and with whom the information may or will be
shared. Explicit consent can be written or spoken. Implied consent is obtained when it is assumed that
the person in the care of a nurse or midwife understands that their information may be shared within
the healthcare team. Nurses and midwives should make the people in their care aware of this routine
sharing of information, and clearly record any objections.
Disclosure without consent
The term ‘public interest’ describes the exceptional circumstances that justify overruling the right of an
individual to confidentiality in order to serve a broader social concern. Under common law, staff are
permitted to disclose personal information in order to prevent and support detection, investigation and
punishment of serious crime and/or to prevent abuse or serious harm to others. Each case must be
judged on its merits. Examples could include disclosing information in relation to crimes against the
person e.g. rape, child abuse, murder, kidnapping, or as a result of injuries sustained from knife or gun
shot wounds. These decisions are complex and must balance the public interest in
ensuring confidentiality against the public interest in disclosure. Disclosures should be proportionate
and limited to relevant details.
Nurses and midwives should be aware that it may be necessary to justify disclosures to the courts or
to the Nursing & Midwifery Council and must keep a clear record of the decision making process and
advice sought. Courts tend to require disclosure in the public interest where the information concerns
misconduct, illegality and gross immorality.
Disclosure to third parties
This is where information is shared with other people and/or organisations not directly involved in a
person’s care. Nurses and midwives must ensure that the people in their care are aware that
information about them may be disclosed to third parties involved in their care. People in the care of a
nurse or midwife generally have a right to object to the use and disclosure of confidential information.
They need to be made aware of this right and understand its implications. Information that can identify
individual people in the care of a nurse or midwife must not be used or disclosed for purposes other
than healthcare without the individuals’ explicit consent, some other legal basis, or where there is a
wider public interest.
Information Sharing Protocols
These are documented rules and procedures for the disclosure and use of patient information
between two or more organisations or agencies, in relation to security, confidentiality and data
destruction. All organisations should have these in place and nurses and midwives should follow any
established information sharing protocols.
Confidentiality after death
The duty of confidentiality does continue after death of an individual to whom that duty is owed.
Information disclosure to the police
In English law there is no obligation placed upon any citizen to answer questions put to them by the
police. However, there are some exceptional situations in which disclosure is required by statute.
These include:
• the duty to report notifiable diseases in accordance with the Public Health Act 1984
• the duty to inform the Police, when asked, of the name and address of drivers who are
allegedly guilty of an offence contrary to the Road Traffic Act 1998
• the duty not to withhold information relating to the commission of acts of terrorism contrary
to the Terrorism Act 2000
• the duty to report relevant infectious diseases in accordance with the Public Health
(Infectious Diseases) Regulations 1998.
Police access to medical records
The police have no automatic right to demand access to a person’s medical records. Usually, before
the police may examine a person’s records they must obtain a warrant under the Police and Criminal
Evidence Act 1984. Before a police constable can gain access to a hospital, for example, in order to
search for information such as medical records or samples of human tissue, he or she must apply to a
circuit judge for a warrant. The police have no duty to inform the person whose confidential information
is sought, but must inform the person holding that information.
The Police and Criminal Evidence Act (1984)
This Act allows nurses and midwives to pass on information to the police if they believe that someone
may be seriously harmed or death may occur if the police are not informed. Before any disclosure is
made nurses and midwives should always discuss the matter fully with other professional colleagues
and, if appropriate, consult the NMC or their professional body or trade union. It is important that
nurses and midwives are aware of their organisational policies and how to implement them. Wherever
possible the issue of disclosure should be discussed with the individual concerned and consent
sought. If disclosure takes place without the person’s consent they should be told of the decision to
disclose and a clear record of the discussion and decision should be made as stated above.
Special considerations to be taken into account when disclosure is being considered
In some circumstances it may not be appropriate to inform the person of the decision to disclose, for
example, due to the threat of a violent response. The nurse or midwife may feel that, because of
specific concerns, a supplementary record is required containing details of the disclosure. The Data
Protection Act 1998 does allow for healthcare professionals to restrict access to information they hold
on a person in their care, if that information is likely to cause serious harm to the individual or another
person. A supplementary record should only be made in exceptional circumstances as it limits the
access of the person in the care of the nurse or midwife to information held about them. All members
of the health care team should be aware that there is a supplementary record and this should not
compromise the person’s confidentiality.
Nurse or midwife acting as a witness in a court case
If a nurse or midwife is summoned as a witness in a court case he/she must give evidence. There is
no special rule to entitle the nurse or midwife to refuse to testify. If a nurse or midwife refuses to
disclose any information in response to any question put to him/her, then a judge may find the nurse
or midwife in contempt of court and may ultimately send him/her to prison.
Risk or breach of confidentiality
If a nurse or midwife identifies a risk or breach of confidentiality they must raise their concerns with
someone in authority if they are unable to take affirmative action to correct the problem and record
that they have done so. A risk or breach of confidentiality may be due to individual behaviour or as a
result of organisational systems or procedures. The Code states “You must act without delay if you
believe that you, a colleague or anyone else may be putting someone at risk”. Nurses and midwives
have a professional duty to take action to ensure the people in their care are protected and failure to
take such action could amount to professional misconduct on their part.
This information was updated May 2012.
Appendix 3
NHSMail and other Secure Email Interconnectivity
NHSmail users may communicate securely and directly with email users on other secure Government
domains – these are listed below. Please also note that this now includes those local authorities using
the ‘Government Connect’ email domain of GCSX.GOV.UK – this is particularly useful for those
NHSmail users wishing to communicate with Social Services staff in local authorities.
- gsi.gov.uk
- gsx.gov.uk
- gse.gov.uk
- pnn.gov.uk
- scn.gov.uk
- pnn.police.uk
- eu-admin.net
- gsisup.co.uk
- cjsm.net
- psops.net
- gcsx.gov.uk
Safe Haven Policy
Date completed: June 2013
Responsible Director: Director of Compliance
Approved by/date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Amended:
Author: Ben Westmancott
For more information on this document, please contact:
Director of Compliance, Ben Westmancott, CWHHE CCGs
Collaborative
15 Marylebone Road, London NW1 JD
E-mail: [email protected]
Version History
Version | Date issued | Brief summary of change | Owner’s name
1.0 | July 2013 | Amended to reflect CWHHE procedures | Ben Westmancott
2.0 | August 2013 | Circulated to local CCG IT Committee for comments | Ben Westmancott
Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning
Groups, 2013: All rights reserved
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information
Regulations 2005. SI2005 No 1515”
Information on re-use can be obtained from:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
Safe Haven Policy
Version 1.0
Page 2 of 10
Contents
1. Introduction ........................................................................................................................ 4
2. Scope ................................................................................................................................. 4
3. Legislation and guidance .................................................................................................... 4
4. Definitions .......................................................................................................................... 4
4.1. Safe Haven.................................................................................................................. 4
4.2. Personal Information ................................................................................................... 4
4.3. Sensitive Personal Information .................................................................................... 5
4.4. Where Safe Haven procedures should be in place ...................................................... 5
5. Responsibilities for implementation .................................................................................... 5
5.1. Caldicott Guardian ....................................................................................................... 5
5.2. Information Governance Manager ............................................................................... 5
5.3. All CCG staff................................................................................................................ 5
6. Sharing information with external organisations.................................................................. 5
7. Other relevant policies ....................................................................................... 6
8. Contacts and further information ........................................................................................ 6
8.1. Information Governance Manager ............................................................................... 6
8.2. Caldicott Guardian ....................................................................................................... 6
9. Policy Review and Awareness ............................................................................................ 6
10. Disciplinary Matters ............................................................................................................ 6
Appendix A: Requirements for Safe Havens ............................................................................ 7
A.1 Safe haven location and security arrangements .............................................................. 7
A.2 Fax machines.................................................................................................................. 7
A.3 Misdirected faxes ............................................................................................................ 8
A.4 Junk and unsolicited faxes .............................................................................................. 8
Appendix B: CCG Safe Haven Directory .................................................................................. 9
Appendix C Safe Haven Fax Cover sheet .............................................................................. 10
1. Introduction
All NHS organisations require Safe Haven procedures to maintain the privacy and
confidentiality of the personal information held. The implementation of these procedures
facilitates compliance with the legal requirements placed upon Central London, West
London, Hammersmith and Fulham, Hounslow and Ealing Clinical Commissioning Group
(the CCGs), especially concerning sensitive personal and confidential information.
Where external organisations, partners or other agencies, or even a different internal
CCG department, need to send personal information to a CCG department, they should
be confident that it is being sent to a location which ensures the security, integrity and
confidentiality of that data.
Given that we do not routinely process patient confidential data, we do not currently have a
requirement for a safe haven. However, this policy has been prepared should that
situation change.
2. Scope
This policy provides:
• The legislation and guidance which dictates the use of a Safe Haven.
• A definition for the term Safe Haven.
• When and why a Safe Haven should be used.
• Definitions as to who can have access, and who you can disclose to.
• The necessary procedures and requirements that are needed to implement a Safe
Haven. See Appendix A
• Rules for different kinds of Safe Haven
The CCG may designate roles to a commissioning support organisation in order to better
manage their Information Governance; this policy will be agreed with such an organisation
as necessary.
3. Legislation and guidance
A number of Acts and their associated guidance notes dictate the need for Safe Haven
arrangements to be set in place; they include:
Data Protection Act 1998 (Principle 7): “Appropriate technical and organisational measures
shall be taken to make personal data secure”
NHS Code of Practice: Confidentiality Annex A1 Protect patient Information “Care must be
taken, particularly with confidential clinical information, to ensure that the means of
transferring from one location to another are secure as they can be”
4. Definitions
4.1. Safe Haven
The term Safe Haven can refer to either a location (or in some cases a piece of
equipment) situated on the CCG premises or a ‘Virtual Safe Haven’ where arrangements
and procedures are in place to ensure person-identifiable information can be held,
received and communicated securely. An example of a Virtual Safe Haven is a named
number of staff who may all work in the same team, on the same database or server but
are not in the same physical location.
4.2. Personal Information
Personal information is information which can identify a person. Information in which the
person is the focus and which links that individual to details which would be regarded as
private e.g. name and private address, name and home telephone number.
4.3. Sensitive personal information
Sensitive personal information is defined in Schedule 3 of the Data Protection Act 1998
and is where the personal information contains details of:
• Health or physical condition
• Sexual life
• Ethnic origin
• Religious beliefs
• Political views
• Criminal convictions
For this type of information more stringent measures should be employed to ensure that it
remains secure and confidential.
4.4. Where Safe Haven procedures should be in place
Safe Haven procedures should be in place in any designated Safe Haven or Virtual Safe
Haven location. This is likely to be but not exclusively where a large amount of personal
information is being received, held or communicated.
5. Responsibilities for implementation
5.1. Caldicott Guardian
The Caldicott Guardian for the CCG will ultimately approve all procedures that relate to the
secure and confidential use of patient information.
5.2. Deputy SIRO
The deputy SIRO, through the local governance leads, has been designated the role of
facilitating all aspects of the information governance agenda that relate to Safe Havens,
including data protection, confidentiality code of conduct, information security and risk
assessment.
5.3. CCG staff
All staff are responsible for following the Safe Haven processes to support secure and
confidential processing of personal-identifiable information.
6. Sharing information with external organisations
Employees of the CCG who are authorised to disclose information to other organisations
outside the NHS must obtain an assurance that these organisations have a designated
Safe Haven point for the receipt of personal information.
The CCG must be assured that these external organisations comply with the Safe Haven
requirements, and meet legislative and related guidance requirements relating to:
• Data Protection Act 1998
• Common Law Duty of Confidentiality
• NHS Confidentiality Code of Conduct
Staff sharing personal information with other agencies should be aware of protocol
agreements between the CCG and those agencies. For clarification, contact should be
made with the Director of Compliance. It is advisable to use end-to-end encrypted email
such as nhs.net rather than faxes, if possible. Please note that nhs.uk or gov.uk addresses
are not encrypted mail and are therefore not permissible when dealing with patient
identifiable data.
7. Contacts and further information
• Caldicott Guardian: Director of Quality and Patient Safety
• SIRO: Chief Officer
• Deputy SIRO: Director of Compliance
• Local Information Governance Lead
9. Policy Review and Awareness
This policy and associated procedures will be monitored by the Director of Compliance
and as part of the requirements of the Information Governance toolkit.
The policy will be reviewed regularly, at least annually.
10. Disciplinary Matters
The CCG expects all staff to comply with the Safe Haven Policy and procedures and
guidance published in its support.
Where there is evidence of a breach of this policy, it must be investigated in accordance
with the CCG’s disciplinary procedures applicable to all employees of the CCG; to those
engaged in duties in the CCG under a Letter of Authority/Honorary Contract or Work
Experience programme or agreements made between the CCG and any user’s employing
organisation such as other NHS bodies or other third-parties such as contractors,
students, visitors or volunteers.
In all cases the CCG must act immediately to prevent a further breach and this action may
include restriction of access to systems. This will include an investigation of the breach
and implementation of any learning that emerges from the review.
Also consider the following websites:
• The Information Commissioner
http://www.informationcommissioner.gov.uk/
• NHS Code of Practice: Confidentiality
http://www.dh.gov.uk/assetRoot/04/06/92/56/04069256.pdf
Appendix A: Requirements for Safe Havens
A.1 Safe Haven location & security arrangements
All areas that have been designated as Safe Havens should be risk assessed prior to the
commencement of operational use. Risk assessments should be carried out by the Local
Information Governance Lead.
All Safe Havens should be an office or workspace that is locked or only accessible via an
electronically controlled access solution available to authorised staff, or a Virtual Safe
Haven that encompasses a number of named persons using secure networks or systems
accessible only to those individuals.
The Safe Haven should be sited so that only authorised staff can enter the location i.e. it is
not an area which is readily accessible to any visitors to the building.
If the Safe Haven office or workspace is sited on the ground floor any windows should
have locks on them and blinds which should be closed when the office or workspace is not
occupied.
The Safe Haven office or workspace should conform to health and safety requirements in
terms of fire, safety from flood, theft or environmental damage.
Manual paper records containing person-identifiable information should be stored in locked
cabinets.
Equipment such as fax machines in the Safe Haven should have a code password and be
turned off out of office hours where this does not pose a clinical risk.
A.2 Fax machines
Fax machines are considered a high risk method of communication and must only be used
to transfer personal information where it is absolutely necessary to do so.
The following best practice rules should apply; however, a full risk assessment may
indicate that the fax location and use is secure where only some of the criteria are met.
• The fax is sent to a Safe Haven location where only authorised staff with a
legitimate right to view the information can access it.
• The sender is certain that the correct person will receive it and that the fax
number is correct. To ensure this use the following:
 Populate the speed dial of the fax with frequently used numbers and
clear unequivocal identifiers: keep a separate electronic or hard copy list
of those identifiers and their fax numbers for reference and as back-up.
These numbers must be regularly checked for accuracy.
 Where manual dialling is required, double check the number with the
documentation before pressing the dial button – if you are unsure that
the number is correct, test by sending a blank fax to the recipient asking
them to confirm receipt and that they are who you expect them to be.
 Always use a Safe Haven front sheet to the fax that clearly identifies the
CCG and the Department of the originator, the name and contact details
of the originator, the intended recipient, the number of pages sent
(including the front sheet) and any reference numbers used. The fax
sheet should also include a confidentiality clause agreed by the,
Caldicott Guardian. See also Appendix C: Safe Haven fax front cover.
Safe Haven Policy
Version 1.0
Page 7 of 10
 Where possible the NHS number should be used for identification in
preference to the patient's name and address.
 Only the minimum amount of personal information should be sent and,
where possible the data should be anonymised or psuedonymised using
a unique identifier agreed with the receiver.
 Where sending particularly large or sensitive faxes notify the recipient
when you are sending and ask them to acknowledge and confirm
receipt and that all the pages detailed on the Safe Haven fax front sheet
have been received.
 Log all activity (calls sent and received) either by a hardcopy or
electronic log, or by printing out and storing the fax internal activity log
on a daily basis.
• Fax machines should be turned off when not in use and stored in a secure
locked cupboard or storage room, where this does not result in a clinical
risk.
• To preserve confidentiality, faxes and other patient identifiable information
should be secured in lockable filing cabinets accessible only to authorised
staff.
A.3 Misdirected faxes
The contents of misdirected faxes must not be disclosed to other parties without the
sender’s permission. Any information received in a misdirected fax must be treated as
highly confidential and the sender must be made aware that it has been sent to the wrong
person. A misdirected fax can be received from internal and external sources.
A.4 Junk and unsolicited faxes
Fax versions of ‘junk mail’ are becoming increasingly common, consisting mainly of
advertising material and should be ignored. Responding to these may encourage more
faxes to be sent and therefore should be considered bad practice. Where appropriate,
Departments may make use of the Fax Preference Service (www.fpsonline.org.uk).
Appendix B: CCG Safe Haven Directory
Name | Fax Number | Location – give specific details please
Appendix C: Safe Haven fax front cover
Type Address Here
Facsimile
Office Telephone:
Facsimile:
Direct Dial:
Website:
Email Address:
To:
Fax No:
From:
Date:
Tel No:
Pages including this one:
Subject:
PLEASE COMPLETE ALL FIELDS
The information contained in this facsimile transmission may be legally privileged and is intended for the use of the
individual(s) or entity(s) named above. If you are not the intended recipient, you are hereby notified that use,
dissemination, distribution or copying of this facsimile or its information is strictly prohibited. If you have received
this facsimile in error, please notify the sender by telephone or facsimile immediately on the telephone number
above to arrange return of these documents. Thank you.
Email Policy
Date completed: June 2013
Responsible Director: Director of Compliance
Approved by/date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Author: Ben Westmancott
Amended:
Email Policy
For more information on this document, please contact:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
15 Marylebone Road, London NW1 JD
E-mail: [email protected]
Version Control
Version | Date Issued | Brief Summary of Changes | Owner's name
1.0 | July 2013 | Amended to reflect CWHHE Procedures | Ben Westmancott
2.0 | August 2013 | Circulated to local CCG IT Committee for Comment | Ben Westmancott
Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham and Ealing, Hounslow Clinical Commissioning Groups,
2013: All rights reserved
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations 2005. SI2005 No 1515”.
Information on re-use can be obtained from:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
Tel: 020 3350 4313, E-mail: [email protected]
1. Introduction .................................................................................................................... 4
2. Scope of Policy .............................................................................................................. 4
3. Legal Considerations .................................................................................................... 4
4. Responsibilities ............................................................................................................. 4
5. Conditions of Use .......................................................................................................... 5
6. E-mail, confidential Information security and encryption ................................................ 5
7. Third party Secure Email Addresses .............................................................................. 6
8. Monitoring of System ..................................................................................................... 6
9. Personal Use ................................................................................................................. 6
10. Disciplinary Matters ........................................................................................................ 7
Appendix 1. Definitions used in this Policy .......................................................................... 8
Appendix 2. Associated Information .................................................................................... 9
Appendix 3. Caldicott Guidelines....................................................................................... 10
The information and guidelines within this policy are important and apply to the entire
CCG. Non-compliance may result in disciplinary action.
1. Introduction
This document sets out the CCGs’ policy for the protection of the integrity and availability of the
e-mail system.
It establishes CCGs and user responsibilities for use of the e-mail system.
It provides reference to documentation relevant to this policy and which is to be considered in
conjunction with this policy. The CCGs make available a network connection to employees and
through an authorisation process give access to web services comprising an e-mail system and
Internet and Intranet for:
• their work duties;
• work-related educational purposes;
• work-related research purposes; and
• contact with other colleagues inside and outside the CCGs, within the remit
of item 5, Conditions of Use (page 5 of this policy).
The CCGs may provide access to web services to non-CCG employees working within the
CCGs through an authorisation process and under an agreement with the employing
organisation. The Policy is supported by the CCG Information Security Policy and is compliant
with ISO/IEC 22002:2005 10.8 and the BS ISO/IEC 27001 controls 10.8.4 and meets with
current legal requirements (Appendix 2).
2. Purpose and Scope
The purpose of the CCG e-mail policy is to ensure the proper use of the e-mail system,
establish rules for sending, receiving and storing electronic mail, and make all users aware of
what the CCG deems to be acceptable and unacceptable use of its e-mail system.
To ensure the security of the e-mail system, the CCG must:
• ensure that e-mail is available for users in connection with their work duties;
• preserve integrity of the system;
• preserve confidentiality within the Caldicott guidelines and Data Protection Act
1998;
• protect assets against unauthorised disclosure.
The Policy applies to all e-mail services provided by the CCG.
The Policy applies equally to all individuals authorised to access any CCG electronic resource
with the facility to send, receive or store electronic mail regardless of use. The Policy applies to
personal use of e-mail in addition to the use of e-mail in the course of conducting NHS
business, associated research and other work-related purposes.
3. Legal Considerations
E-mail is a business communication tool and users are obliged to use this tool in a responsible,
effective and lawful manner. By its nature e-mail seems to be less formal than other written
communication; however, the same laws apply. It is important that users are aware of the legal
risks of e-mail (Appendix 2).
4. Responsibilities
The CSU or alternative IT provider, on behalf of the CCGs, will provide the appropriate and
authorised software for e-mail.
The CSU or alternative IT provider, on behalf of the CCGs, will provide an authorisation
process for users to access e-mail.
The CCG will ensure that all users are competent in the use of e-mail in accordance with the
published e-mail procedures. The content of e-mail accounts maintained on the CCG's
systems remains the property of the CCG.
5. Conditions of use
This Policy prohibits certain activities in the use of e-mail. Such use may make both the user
and CCG liable under law.
• composing, sending or forwarding of e-mail with any libellous, defamatory,
offensive, harassing, racist, obscene or pornographic remarks or depictions;
• forwarding of confidential information in contravention of the Data Protection Act,
NHS Code of Practice on Confidentiality or Caldicott guidelines;
• knowingly sending an attachment containing malicious software, e.g. a virus;
• use of e-mail for political lobbying;
• actions that may leave the CCG open to action for breach of copyright or licensing
laws when composing or forwarding e-mail and e-mail attachments (Appendix 3);
• accessing and using another user's e-mail account without their permission;
• forging or attempting to forge e-mail messages, e.g. spoofing.
This policy also prohibits certain other activities as they impede the function of the CCG's
network systems and the efficient functioning of e-mail:
• sending or forwarding chain letters or other non-work related correspondence;
• unwarranted sending of large messages or attachments;
• sending unsolicited messages, e.g. spam, to a large number of users or large groups
except as required when conducting CCG business;
• using the CCG's e-mail to conduct private or freelance work for the purpose of
commercial gain.
It is recognised that in the course of their work or associated research some users may have a
requirement to transmit or receive material that may be defined as offensive, obscene, indecent
or similar. In such circumstances it will be acceptable for this to be done.
In using e-mail to communicate externally, users must not give the impression that their
comments represent the views of the CCG unless specifically authorised to do so.
In using e-mail users must conduct themselves in a way that meets their responsibilities
detailed in their code of conduct, terms and conditions and/or contract of employment.
Users must conduct themselves in accordance with the requirements of this policy and the user
agreement made with the CCG and employing organisation. If a disclaimer is used it must be
that recommended by the CCG.
6. E-mail, confidential information security and encryption
Should you need to send Personal Identifiable Data (PID) or other sensitive information via
e-mail to other organisations, you should set up and use an NHSmail account and send your
e-mail to an NHSmail address. NHS e-mail addresses are identifiable by the @nhs.net suffix. You
must not send unencrypted information to any other addresses, with the exception of the
government secure e-mail addresses listed in Section 7 below. These have the same security
rating as NHSmail. Users must comply with the latest guidance on acceptable activities for
CCGs with respect to PID. Please note that nhs.uk and non-secure gov.uk e-mail addresses
should not be used to send or receive confidential information.
If you need to send PID or other sensitive information to another NHS organisation using a
non-NHSmail address, be aware of confidentiality, data protection and security issues and use
the minimum identifiable information, which must then be encrypted and password protected
using SafeBoot, or WinZip version 11 or later with a 256-bit AES encryption key.
Individual users must not send or forward confidential or sensitive CCG information through
non-CCG e-mail. Examples of non-CCG e-mail accounts include but are not limited to:
• Google/Gmail
• Hotmail
• Yahoo mail
• AOL mail
• Internet or remote storage areas and e-mail services provided by other ISPs (Internet
Service Providers), e.g. Dropbox
Individual users are prohibited from using instant messaging services such as but not limited to
Microsoft Messenger or Yahoo Messenger.
In addition to the above, agreed information sharing protocols must be used when sending or
forwarding confidential or sensitive CCG information to individuals in other organisations. More
information on information sharing protocols is available from the IT Department.
Users must not retain confidential CCG information unless authorised to do so.
7. Third party Secure Email Addresses
NHS mail users may communicate securely and directly with email users on other secure
Government domains – these are listed below. Please also note that this now includes those
local authorities using the ‘Government Connect’ email domain of GCSX.GOV.UK – this is
particularly useful for those NHSmail users wishing to communicate with Social Services staff
in local authorities or the Home Office nationally.
- gsi.gov.uk
- gsx.gov.uk
- gse.gov.uk
- pnn.gov.uk
- scn.gov.uk
- pnn.police.uk
- eu-admin.net
- gsisup.co.uk
- cjsm.net
- psops.net
- gcsx.gov.uk
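The rule in Sections 6 and 7 (PID in clear only to NHSmail or the secure domains above; never to nhs.uk or non-secure gov.uk; everything else encrypted first) can be enforced as an outbound recipient check. This is an added example, not the CCGs' own tooling: the domain lists are copied from the policy, while the decision labels, function names and the choice to treat any gov.uk address not on the secure list as non-secure are this example's own assumptions.

```python
"""Outbound recipient check for e-mail carrying personal identifiable data (PID).

Added example, not the CCGs' own tooling. Domain lists come from Sections 6
and 7 of the Email Policy; labels and decision logic are assumptions.
"""
from email.utils import parseaddr
from typing import Dict, Iterable, Optional

# Section 7 secure government domains plus NHSmail itself (Section 6).
SECURE_DOMAINS = frozenset({
    "nhs.net", "gsi.gov.uk", "gsx.gov.uk", "gse.gov.uk", "pnn.gov.uk",
    "scn.gov.uk", "pnn.police.uk", "eu-admin.net", "gsisup.co.uk",
    "cjsm.net", "psops.net", "gcsx.gov.uk",
})

# Section 6: not to be used to send or receive confidential information.
# Assumption: a gov.uk address counts as non-secure unless it is under one
# of the secure domains above (checked first).
NOT_FOR_CONFIDENTIAL = frozenset({"nhs.uk", "gov.uk"})

# Decision labels (this example's own vocabulary).
SECURE = "secure"                      # may receive PID in clear
NOT_PERMITTED = "not-permitted"        # nhs.uk / non-secure gov.uk
ENCRYPT_REQUIRED = "encrypt-required"  # any other address
INVALID = "invalid"                    # no domain could be extracted


def recipient_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of 'a@b.c' or 'Name <a@b.c>', else None."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    return domain or None


def _under(domain: str, suffix: str) -> bool:
    """True if domain is suffix itself or a subdomain of it.

    Matching on a label boundary matters: 'evilgsi.gov.uk' must not count
    as gsi.gov.uk, while 'dept.gsi.gov.uk' must.
    """
    return domain == suffix or domain.endswith("." + suffix)


def classify_recipient(address: str) -> str:
    """Map one recipient address to a policy decision label."""
    domain = recipient_domain(address)
    if domain is None:
        return INVALID
    # Secure list first: gcsx.gov.uk sits under gov.uk but is secure.
    if any(_under(domain, s) for s in SECURE_DOMAINS):
        return SECURE
    if any(_under(domain, s) for s in NOT_FOR_CONFIDENTIAL):
        return NOT_PERMITTED
    return ENCRYPT_REQUIRED


def outbound_decision(recipients: Iterable[str], contains_pid: bool) -> Dict:
    """Decide whether a message may be sent as it stands.

    Returns {'allowed': bool, 'recipients': {address: label}}. A message
    without PID only needs valid addresses; a message with PID may go in
    clear only when every recipient is on a secure domain.
    """
    labels = {r: classify_recipient(r) for r in recipients}
    if contains_pid:
        allowed = all(label == SECURE for label in labels.values())
    else:
        allowed = all(label != INVALID for label in labels.values())
    return {"allowed": allowed, "recipients": labels}


if __name__ == "__main__":
    # Constructed sample recipients, not real addresses.
    sample = ["Dr A <a.clinician@nhs.net>", "b.officer@council.gcsx.gov.uk",
              "c.admin@trust.nhs.uk", "d.contact@gmail.com"]
    result = outbound_decision(sample, contains_pid=True)
    for addr, label in result["recipients"].items():
        print(f"{addr:40} {label}")
    print("send allowed:", result["allowed"])
```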
8. Monitoring of System
All e-mail is monitored for viruses. All e-mail (incoming and outgoing) is logged automatically.
Monitoring logs are audited periodically.
The content of e-mail is not routinely monitored.
The CCG reserves the right to retain message content as required to meet legal and statutory
obligations.
9. Personal Use
The CCG's e-mail is meant for CCG business and healthcare related use; the CCG will,
however, allow the use of e-mail for personal use but only where this does not interfere with the
normal work duties of the individual user or the work of others. It must be noted that there is no
absolute right for staff to use e-mail for private use.
It is expected that such use will be made at out-of-hours times and in designated breaks such
as lunch-time.
• personal e-mail must adhere to the terms of this policy;
• personal e-mail must be kept separately from work e-mail as detailed in the
current related code of practice;
• personal e-mail must be deleted regularly;
• forwarding of chain letters, virus warnings, junk mail, mass-mailing and
unlicensed programmes is strictly forbidden;
• the CCG will not be liable for any financial or material loss to an individual user
when using e-mail for personal use;
• the CCG will not be liable for any pecuniary loss to any external supplier of goods
and/or services in the event of an individual user failing to honour any financial
obligations contracted to that supplier whilst using the CCG email system for
personal use.
10. Disciplinary Matters
The CCG expects all users to comply with the e-mail Policy and the procedures published in its
support. Where there is evidence of a breach of this Policy, it will be investigated in accordance
with the CCG's disciplinary procedures applicable to all employees of the CCG; to those
engaged in duties in the CCG under a Letter of Authority/Honorary Contract or Work
Experience programme; or agreements made between the CCG and any user's employing
organisation such as other NHS bodies or other third parties such as contractors, students,
visitors or volunteers.
In all cases the CCG will act immediately to prevent a further breach and this action may
include blocking of e-mail and restriction of access to the e-mail system.
Appendix 1: Definitions
Attachment: is a file that is attached to an e-mail message. Attachments are normally
considered separately from the body of an email message. Attachments can contain malicious
software and should be opened with care.
Asset: any information system, computer or programme owned by the CCG
Authorisation: the granting or denying of access rights to network resources, programmes or
processes.
Authorisation process: a set of security procedures designed to identify and authorise users
appropriately.
Authorised user (user): an individual given access to the e-mail system in accordance with
the CCG's procedures.
Caldicott: a set of standards developed in the NHS for the collection, use and confidentiality of
patient-related information
Contact: a national, centrally managed email and directory service which is available to all 1.2
million NHS staff in England.
Electronic mail (e-mail): any message, image, form, attachment, data, or other
communication sent, received, or stored within an electronic mail system.
Electronic mail system: any computer software application that allows electronic mail to be
communicated from one computing system to another.
Electronic resource: any personal computer
E-mail (electronic mail): any message, image, form, attachment, data, or other
communication sent, received, or stored within an electronic mail system.
E-mail account: the part identified to an individual user
E-mail services (system): the overall system provided by the CCG
ISP (Internet Service Provider): a company that provides internet access and other services
like e-mail, usually on a subscription basis
Information sharing protocols: written agreements made within existing legislative
framework between the CCG and named organisations to allow sharing of confidential and
patient-related information for health and social care purposes
Intranet: a private network for communication and sharing of information accessible only to
authorised users within an organisation, e.g. the CCG's own intranet site or the NHSnet
Internet: a global system connecting computers and computer networks. The computers are
owned separately by a wide range of organisations, government agencies, companies and
educational institutions.
Junk-mail: unsolicited e-mail messages usually of a commercial nature, chain letters or other
unsolicited mass-mailings (see also spam)
Malicious software: software deliberately designed to harm a computer or network, includes
viruses, Trojan horses and worms - the term malware is also used to describe these.
N3 or NHSnet: is a secure wide area network developed exclusively for the NHS
Network: a system of interconnected computers which allows the exchange of information
network connection: an individual's access to the network usually involving password checks
and similar security measures
Network systems: a term used to describe the systems on a network
Phishing: The act of sending an e-mail to a user falsely claiming to be an established
legitimate enterprise in an attempt to scam the user into surrendering private information that
will be used for identity theft. The e-mail directs the user to visit a Web site where they are
asked to update personal information, such as passwords and credit and debit card numbers,
and bank account numbers, that the legitimate organization already has. The Web site,
however, is bogus and set up only to steal the user’s information. see also spoofing.
Software: computer programmes sometimes also called applications
Spam: unsolicited e-mail messages, usually of a commercial nature sent to a large number of
recipients. Refers also to inappropriate promotional or commercial postings to discussion
groups or bulletin boards.
Spoofing: forgery of an e-mail so that it appears to have been sent by someone other than the
sender, see also phishing
Trojan horse: a malicious, security-breaking program that is disguised as something benign
such as a screen saver or game.
User (authorised user): an individual given access to the CCG's e-mail system in accordance
with the CCG's procedures.
Virus: an unauthorised piece of computer code attached to a computer programme which
secretly copies itself using shared discs or network connections. Viruses can destroy
information or make a computer inoperable
Web services: the network services provided by the CCG to individuals giving access to the
internet, intranet, and e-mail services.
Worm: launches an application that destroys information on a computer. It also sends a copy
of the virus to everyone in the computer's e-mail address book.
Appendix 2: Associated Information
Data Protection Act 1998
Copyright, Designs and Patents Act 1998
Computer Misuse Act 1990
Health and Safety at Work Act 1974
Human Rights Act 1998
Health and Social Care Act 2001
Regulation of Investigatory Powers Act 2000
Freedom of Information Act 2000
Appendix 3: Caldicott Guidelines
The Caldicott Principles as laid down by the NHS Executive
Justify the purpose(s)
Question why the information is required and what specific information is needed, to enable
them to perform their task.
Don't use patient-identifiable information unless it is absolutely necessary
Consider why identifiable information about a patient is being requested, whether it could be
anonymised in some way, and if not, what the benefits are and whether they outweigh the
patient's right to confidentiality.
Use the minimum necessary patient identifiable information
Where supplying patient-identifiable information is vital, then we need to consider the absolute
minimum required, for this we have to consider what it is needed for and what they have a right
to see.
Access to patient-identifiable information should be on a strict need-to-know basis
Only those who need to view patient-identifiable data should be allowed access and even then
only to that which they need to know.
Everyone with access to patient-identifiable information should be aware of his or her
responsibilities
Each member of staff concerned should be aware of the implications that a breach of
confidentiality has on the patient or member of staff and what they should be doing to prevent
or reduce the risk of any such breaches.
Understand and comply with the law
All uses of patient-identifiable data should be lawful. Someone within the organisation must be
responsible for ensuring that the organisation complies with legal requirements.
CCG DATA QUALITY POLICY
Date completed: June 2013
Responsible Director: Director of Compliance
Approved by/date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Author: Ben Westmancott
Amended:
Data Quality Policy
For more information on this document, please contact:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
15 Marylebone Road, London NW1 JD
E-mail: [email protected]
Version Control
Version | Date Issued | Brief Summary of Changes | Owner's name
1.0 | July 2013 | Amendments made to reflect CWHHE procedure | Ben Westmancott
2.0 | August 2013 | Circulated to local CCG IT Committee for Comment | Ben Westmancott
Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical
Commissioning Groups, 2013: All rights reserved
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information
Regulations 2005. SI2005 No 1515”.
Information on re-use can be obtained from:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
Tel: 020 3350 4313, E-mail: [email protected]
Contents
1. Policy Statement ........................................................................................ 4
2. Purpose ...................................................................................................... 4
3. Objectives .................................................................................................. 4
4. What is Data Quality? ................................................................................ 4
5. Structure and Scope ................................................................................... 5
6. Responsibility and accountability ............................................................... 6
7. Training ...................................................................................................... 9
8. Monitoring .................................................................................................. 9
9. Data Quality Standards .............................................................................. 9
10. Validation Methods ................................................................................. 10
11. Data Set Change Notices (DSCN)
12. Implementation of the policy .................................................................. 11
1. Policy Statement
Central London, West London, Hammersmith & Fulham, Hounslow and Ealing
Clinical Commissioning Groups (the CCGs) recognise that reliable information is
fundamental in supporting the CCGs to achieve their goals. The CCGs recognise that
all decisions, whether clinical, managerial or financial, need to be based on
information which is of the highest quality.
This policy should be read in conjunction with the following:
• Confidentiality Staff Code of Conduct
• Data Protection Policy
• Freedom of Information Policy
• Information Asset Policy
• Information Governance Framework
• Information Governance Policy
• Information Governance Strategy
• Information Security Policy
• Mobile Working Policy
• Network Security Policy
• Records Management Policy
• Safe Haven Policy
• System Security Policy
2. Purpose
The purpose of this document is to set out a clear policy framework for maintaining
and increasing high levels of data quality within the CCGs. The way in which data is
collected and analysed can influence the results and it is, therefore, important to
have a clear and open framework in place which supports this process and
accurately reflects the clinical practice of the CCGs. The Data Quality Policy sets out
how the CCGs will collect, analyse and report data.
Objectives
The Data Quality Policy underpins the CCGs’ objective to record and present data of
the highest possible quality and that all users of the information can be confident
about its accuracy. It is primarily for CSU or alternative IT provider staff who process
information on behalf of the CCGs. The CSU or alternative IT provider will have its
own policy but this sets out our minimum requirements.
3. What is Data Quality?
Data quality is the ability to supply accurate, timely and complete data, which can be
translated into information, whenever and wherever it is required. Data quality is vital
to effective decision making at all levels of the organisation.
Supplying accurate data is a complicated task for a number of reasons:
• There are many ways for the data to be inaccurate – data entry errors and
incomplete data, etc.
• Data can be corrupted during translation depending on who is translating it,
how and with what tools/processes.
• Data must relate to the correct time period and be available when required.
• Data must be in a form that is collectable and which can subsequently be
analysed.
To ensure an organisation achieves data quality, it must set out how:
• Data is collected and co-ordinated.
• Data is transferred between systems.
• Data is organised.
• Data is analysed.
• Data is interpreted.
• Conclusions and results drawn from the data are validated.
The following principles are used in assessment of data quality:
• Accuracy: Is the data correct and is it valid?
• Accessibility: Can the data be readily and legally collected?
• Comprehensiveness: Is the relevant data collected, and are any data
omissions (whether intentional or otherwise known) documented?
• Consistency: Are clear and accurate data definitions implemented and
adhered to? Do the data definitions define what level of detail is collected?
• Validity: Is the data up-to-date?
4. Structure and Scope
This policy is intended to cover the collection, recording, validation, further
processing and reporting of all types of reference information generated and used
within, or reported externally by, the CCGs. It describes the necessary features of
systems to manage such information and the supporting administrative, reporting
and training arrangements to ensure the information is of consistently high quality.
Written procedures will be available in all relevant locations within the CCGs to assist
staff in collecting and recording data. These procedures will be kept up to date, and
where appropriate will also contain information relating to national data definitions.
Processes will be established to ensure compliance with the procedures, which will
include sample checks to audit compliance.
It should be noted that all collection, storage, processing and reporting of personal
information is governed by detailed legal requirements under the Data Protection Act
1998 and associated standards, such as the Caldicott guidelines.
As the CCGs generate a very wide range of information for a whole variety of uses,
this policy does not provide detailed guidance for specific data items or individual
areas of application. It concentrates instead on general principles of completeness,
accuracy, ongoing validity, timeliness, consistency of definitions and compatibility of
data items, and signposts where specific procedures or further guidelines need to
exist.
General Principles
The following overarching principles underpin the approach to data quality:
• All staff will conform to legal and statutory requirements and recognised good
practice, aim to be significantly above average on in-house data quality
indicators, and will strive towards 100% accuracy across all information
systems.
• All data collection, manipulation and reporting processes by the CCGs will be
covered by clear procedures which are easily available to all relevant staff,
and regularly reviewed and updated.
• All staff should be aware of the importance of good data quality and their own
contribution to achieving it, and should receive appropriate training in relation
to data quality aspects of their work.
• Teams should have comprehensive procedures in place for identifying and
correcting data errors, such that information is accurate and reliable at time of
use.
5. Responsibility and accountability
Data quality is a key part of any information system that exists within the CCGs. All
staff members will be in contact at some point with a form of information system,
whether paper or electronic. As a result, all staff members are responsible for
implementing and maintaining data quality and are obligated to maintain accurate
information legally (Data Protection Act), contractually (contract of employment) and
ethically (professional codes of practice).
Accountability for an individual dataset may change during a business process but
the designated key team has overall responsibility for any data quality issues to date.
For the purposes of consistency staff should cross-check datasets that have been
recorded by more than one agency.
In the event of there being no identified key team, then the team responsible for any
errors will be responsible for rectifying them.
It is the responsibility of all managers to ensure that, where appropriate, systems are
in place to validate the completeness, accuracy, relevance and timeliness of
data/information. Also managers must ensure that all staff are fully aware of their
obligations in this area. In certain circumstances, to support equality and diversity,
line managers will need to consider individual requirements of staff to support good
practice in complying with this policy.
Ultimate responsibility for maintaining accurate and complete data and information
lies with the Chief Officer but all staff who record information, whether on paper or by
electronic means, have a responsibility to take care to ensure that the data is
accurate and as complete as possible. Individuals with responsibility for data quality
must have this clearly stated in their job descriptions.
All information assets of the CCG should be identified and have a nominated
Information Asset Owner (IAO). Accountability for assets helps to ensure that
appropriate protection is maintained. The Senior Information Risk Owner (SIRO)
ensures owners are identified for all Information Assets with responsibility for
managing the risks to those assets. Whilst responsibility for implementing and
managing Information Asset controls may be delegated to Information Asset
Administrators or equivalent, accountability should remain with the nominated owner
of the asset.
Chief Officer
Has overall responsibility for Information Governance within each CCG. As Chief
Officer, they are responsible for the management of Information Governance and for
ensuring appropriate mechanisms are in place to support service delivery and
continuity. Information Governance provides a framework to ensure information is
used appropriately and is held securely.
The Chief Officer is responsible for ensuring that information risks are assessed and
mitigated to an acceptable level. Information risks should be handled in a similar
manner to other major risks such as financial, legal, and reputational risks.
Senior Information Risk Owner (SIRO)
The Senior Information Risk Owner (SIRO) role is held by the Chief Officer. The
SIRO role is accountable to the CO for ensuring that information risk is managed
within the CCG. The SIRO will identify and manage the information risks to the CCG
and with its partners. This includes oversight of the organisation's information
security incident reporting and response arrangements. In order to do this, the SIRO
will identify Information Asset Owners and Information Asset Administrators. The
SIRO will ensure that there is an Information Asset Register and a risk assessment
process adopted for each CCG.
The SIRO provides the focus for the assessment and management of information
risk at Governing Body level, providing briefings and reports on matters of
performance, assurance and cultural impact. The SIRO should oversee a review of
the CCG Information asset register to ensure it is complete and robust.
Deputy Senior Information Risk Owner
The Deputy SIRO is the day-to-day operational lead for ensuring that information
risks are managed appropriately. The deputy SIRO for CWHHE is the Director of
Compliance. The Deputy SIRO will provide a coordinating and leadership role to the
Information Governance Leads for each CCG.
Caldicott Guardian
The Caldicott Guardian is a senior health professional who is responsible for
protecting the confidentiality of patient and service-user information and enabling
appropriate information sharing. For CWHHE CCGs, this is the Director of Quality
and Patient Safety. Acting as the 'conscience' of an organisation, the Caldicott
Guardian actively supports work to enable information sharing where it is appropriate
to share, and will advise on options for lawful and ethical processing of information.
The Caldicott Guardian will also have a strategic role which involves representing
and championing Information Governance requirements and issues at executive
team level and where appropriate, at a range of levels within the organisation's
overall governance framework.
Local Information Governance Leads
The Information Governance lead will be responsible for ensuring that the following
are in place:
• Developing and maintaining the IGT and reporting to the SIRO and Deputy SIRO;
• Ensuring that there is top level awareness and support for IG resourcing and
implementation of improvements within the CCG by effective working with the SIRO,
Deputy SIRO and the Caldicott Guardian;
• Establishing working groups, if necessary, to co-ordinate the activities of staff
given IG responsibilities and progress initiatives;
• Working with the Deputy SIRO to ensure that annual assessments and audits
of IG and other related policies are carried out, documented and reported;
• Ensuring that Data Protection, Freedom of Information and the Environmental
Information Regulations are implemented and information requests managed in a
compliant manner;
• Ensuring appropriate and effective records management in line with NHS
standards and guidance;
• Working with the Deputy SIRO to ensure that the annual assessment and
improvement plans are prepared for approval by the SIRO and governing body in a
timely manner;
• Ensuring that the approach to information handling is communicated to all
staff and made available to the public;
• Ensuring that appropriate training is made available to staff and completed as
necessary to support their duties. For NHS organisations this will need to be in line
with requirements of the IGT [currently 95% of staff members];
• Liaising with other committees, working groups and programme boards in
order to promote and integrate Information Governance standards;
• Monitoring information handling activities to ensure compliance with law and
guidance;
• Providing a focal point for the resolution and/or discussion of Information
Governance issues.
All Staff
All staff, whether permanent, temporary, contracted or contractors, are responsible
for ensuring that they are aware of their responsibilities in respect of Information
Governance.
Information Asset Owners (IAO)
Each Information Asset Owner should be aware of what information is held, and the
nature and justification of information flows to and from the assets they are
responsible for. The IAOs must understand and address risks to the information
assets they ‘own’ and provide assurance to the SIRO on the security and use of
these assets.
Information Asset Administrators (IAA)
Provide support to their IAO. Ensure that policies and procedures are followed.
Recognise potential or actual security incidents. Consult their IAO on incident
management. Ensure that information asset registers are accurate and maintained.
6. Training
Staff will receive instruction and direction regarding Data Quality advice and
information from a number of sources:
• CCG Policies and Procedure Manuals
• Line manager
• Training – on induction and Information Governance training
• Other communication methods (e.g. Team Brief/team meetings)
• Extranet
7. Monitoring
The CCGs will, as a matter of routine, monitor performance in collecting and
processing data according to defined standards, and provide appropriate feedback to
staff involved in the process of data collection.
The CCGs are regularly audited to ensure that:
• Applicable legislative Acts are complied with
• NHS and CCG Policies and Standards are complied with
• Suitable processes are used, and controls put in place, to ensure the
completeness, relevance, correctness and security of data are achieved.
8. Data Quality Standards
Although there are many aspects of good quality data, the key indicators are
commonly:
• Validity – All data items held on the CCGs computer systems must be valid.
Where codes are used, these will comply with national standards. Wherever
possible, computer systems will be programmed to only accept valid entries at
data input. Data accuracy is the direct responsibility of the person inputting
the data supported by their line manager. Systems will include validation
processes at data input to check in full or in part the acceptability of the data
wherever possible. Depending on the system, later validation may be
necessary to maintain referential integrity.
• Completeness – All mandatory data items within a dataset should be
completed. Default codes will only be used where appropriate, and not
as a substitute for real data.
• Consistency – Correct procedures are essential to ensure complete data
capture and that the formatting of data is consistent between datasets.
• Coverage – this reflects all information that is ‘owned’ by the CCGs, including
paper and computerized records.
• Accuracy – Data recorded manually and on computer systems must be
accurate.
• Relevance – Information should be contextually appropriate.
9. Validation Methods
Validation should be accomplished using some or all of the following methods:
• On submission of data returns, procedures will exist to ensure the
completeness and validity of the data sets used. This can be done by
comparing to historical data sets, looking at trends in the data and also by
cross checking the data with other staff members.
• Regular spot checks by staff members; which involve analysis of a random
selection of records against source material, if available. Spot checks should
be done on an on-going basis (at least quarterly) to ensure the continuation of
data quality.
• The CCGs will endeavour to ensure that timescales for submission of
information are adhered to, and that the quality and accuracy of such
submissions is of the highest standard. Internal deadlines for the completion
of data sets, to ensure national timescales are achieved, will be explicit and
monitored.
• The CCGs routinely receive activity information from their service providers.
This information is used to monitor the performance of contracts and to
contribute to the service planning and development process. Sufficient and
appropriate checks are made by the service providers to ensure that the
information received is accurate and complete. Where data falls outside
anticipated ranges a more detailed evaluation and validation is undertaken.
• The CCGs conduct regular meetings with their partners and service providers,
to ensure that any data discrepancies are picked up and any corrections are
made as required.
10. Information Standards Notices (ISNs)
Information Standards Notices (formerly known as Data Set Change Notices) are
issued by the Information Standards Board for Health and Social Care (ISB). These
give notification to NHS healthcare agencies of changes to information requirements
that will be included as appropriate in the NHS Data Dictionary & Manual and the
NHS Commissioning Data Set Manual, thereby ensuring that data is meaningful
across NHS Organisations over time.
Information Standards Notices may be accessed via the following web address:
http://www.isb.nhs.uk/isn
11. Implementation of the policy
The Deputy SIRO has overall responsibility for implementing the Policy, ensuring that
the following action is taken:
• That the Information Governance Group review the Policy annually so that it
continues to reflect best practice and the legal and business needs of the
CCGs;
• That the Policy is promoted and circulated appropriately within the CCGs.
• Training needs are assessed and agreed during induction and appraisal
processes.
• Monitoring and Audit to be identified and completed at appropriate intervals
Information Asset Policy
Date completed: June 2013
Responsible
Director:
Director of
Compliance
Approved by/
date:
CWHHE Quality and Safety Committee, 2nd October 2013
Review date:
October 2014
Amended:
Author:
Ben Westmancott
For more information on this document, please contact:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
15 Marylebone Road, London NW1 JD
E-mail: [email protected]
Version History
Version 1.0 – Date issued: July 2013 – Brief summary of change: Amended to reflect CWHHE procedures – Owner’s name: Ben Westmancott
Version 2.0 – Date issued: August 2013 – Brief summary of change: Circulated to local CCG IT Committee for Comment – Owner’s name: Ben Westmancott
Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning
Groups, 2013: All rights reserved
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information
Regulations 2005” (SI 2005 No 1515).
Information on re-use can be obtained from:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
Tel: 020 3350 4313, E-mail: [email protected]
Information Asset Policy
Version 2.0
Page 2 of 14
Contents
1. Introduction ........ 6
2. Glossary ........ 6
3. Purpose ........ 6
4. Information Assets ........ 6
5. Role: Information Asset Owner (IAO) ........ 7
6. Role: Information Asset Administrator (IAA) ........ 8
7. Information Governance ........ 8
8. Data Quality ........ 9
9. Business Continuity ........ 9
10. Change Control ........ 9
11. Information Security ........ 10
12. Information Risk ........ 10
13. Training ........ 10
14. Audit ........ 11
Appendix One: Job Description: Senior Information Risk Owner (SIRO) ........ 12
Appendix Two: Job Description: Information Asset Owner (IAO) ........ 13
Appendix Three: Job Description: Information Asset Administrator (IAA) ........ 14
1. Introduction
1.1. This document provides a mechanism to achieve and maintain appropriate protection of the
CCG’s Information Assets (IA). All major IA must be identified, have a responsible owner and
maintenance responsibilities assigned. Accountability for assets helps to ensure that
appropriate protection is maintained.
1.2. Owners are to be identified for all IA and allocated responsibility for the maintenance of
the appropriate controls. Responsibility for implementing and managing controls may be
delegated, although accountability must remain with the nominated owner of the IA.
2. Glossary
Definitions of acronyms used throughout this document
BC – Business Continuity
CCG – Clinical Commissioning Group
IA – Information Assets
IAA – Information Asset Administrator
IAO – Information Asset Owner
IG – Information Governance
IGAF – Information Governance Assurance Framework
IGAP – Information Governance Assurance Programme
IGC – Information Governance Committee
IGMF – Information Governance Management Framework
IGT – Information Governance Toolkit
IGTT – Information Governance Training Tool
SIRI – Serious Incident Requiring Investigation
SIRO – Senior Information Risk Owner
3. Purpose
3.1. The purpose of this policy is to provide assurance to the Senior Information Risk Owner
(SIRO) and ultimately the CCG Governing Body that appropriate frameworks are in place to
ensure robust Information Security, Information Risk, Information Business Continuity and
Data Quality controls are in place to support the CCGs Information Assets in line with
internal/external requirements and policies.
3.2. The CCG may designate roles to a commissioning support organisation in order to better
manage their Information Governance; this policy will be agreed with such an organisation as
necessary.
4. Information Assets
4.1. Information Assets are those that are central to the efficient running of departments within the
CCG i.e. analysis (data), finance, human resources etc. Information Assets will also include
the computer systems, network hardware and software which are used to process this data.
4.2. Non-computerised systems holding information must be asset registered with relevant file
identifications and storage locations.
4.3. It is a core IG objective that all Information Assets of the CCG are identified and that the
business importance of those assets is established.
4.4. There are six main categories of information asset:
• Information – this includes databases, system documentation and procedures,
archive media and data
• Software – this includes application programs, systems, development tools and
utilities
• Physical – this includes infrastructure, equipment, furniture and accommodation used
for data processing
• Services – including computing and communications, heating, lighting, power, air
conditioning used for data processing
• People – including qualifications, skills and experience in the use of information
systems
• Other – for example the reputation and image of the CCG
5. Role: Information Asset Owner (IAO)
5.1. The Information Asset Owner is a senior member of staff who is the nominated owner for one
or more identified information assets either within or controlled by the CCG.
5.2. There are several IAOs within the CCG with differing departmental roles. IAOs must work
collaboratively with other IAOs and the relevant Information Governance department or
support unit to ensure there is comprehensive asset ownership and clear understanding of
responsibilities and accountabilities. This is especially important where information assets are
shared by multiple parts of the CCG or with external partner organisations. IAOs and the IG
department will support the CCGs SIRO in the overall information risk management function
as defined in the CCGs Information Risk Management Policy.
5.3. The IAO is expected to understand the overall strategic objectives of the CCG and how the
information assets they own or control contribute to and affect these objectives. The IAOs will
therefore document, understand and monitor:
• What information assets are held, and for what purposes;
• How information is created, amended or added to over time;
• Who has access to the information and why.
5.4. CCG IAOs shall receive training to ensure they remain effective in their role.
Aspects of IAO Role and Supporting Actions

Aspect of role: Leads and fosters a culture that values, protects and uses information for the
success of the CCG and benefit of its patients
Supporting actions:
• understands the CCGs plans to achieve and monitor the right IG culture, across the CCG
and with its business partners;
• takes visible steps to support and participate in that plan (including completing own
training)

Aspect of role: Knows what information an Information Asset holds, and what enters and
leaves it and why
Supporting actions:
• maintains understanding of ‘owned’ assets and how they are used up to date;
• approves and minimises information transfers while achieving business purposes;
• approves arrangements so that information put onto portable or removable media like
laptops and USB sticks is minimised and effectively protected to required NHS IG
standards;
• approves and oversees the disposal mechanisms for information of the asset when no
longer needed

Aspect of role: Knows who has access to the Information Asset and why, and ensures its use
is monitored and compliant with CCG policy and procedures
Supporting actions:
• understands the CCG policy on access to and use of information;
• checks that access provided is the minimum necessary to satisfy business objectives;
• receives records of checks on use and assures self that effective checking is conducted
regularly

Aspect of role: With the support of the IG department, understands and addresses risks to
the asset, and provides assurance to the SIRO
Supporting actions:
• conducts at least annual reviews of information risk in relation to ‘owned’ assets;
• makes the case where necessary for new investment or action to secure ‘owned’ assets;
• provides an annual written risk assessment to the SIRO for all assets ‘owned’ by them

Aspect of role: Ensures the asset is fully used for the benefit of the CCG and its patients,
including responding to requests for access from others
Supporting actions:
• considers whether better use of the information is possible or where information is no
longer required;
• receives, logs and controls requests from others for access;
• ensures decisions on access are taken in accordance with CCG IG standards of good
practice and the policy of the CCG;
• Information Asset Owners should collaborate to ensure data is collected and processed
efficiently and without undue repetition.
6. Role: Information Asset Administrators (IAA)
6.1. Information Asset Administrators are usually operational members of staff who understand and
are familiar with information risks in their area or department, e.g. Security Managers, Records
Managers, Data Protection Officers, Internal Audit. For smaller organisations, an appropriate
operational role may include Business Managers, and administrative staff. Information Asset
Administrators will implement the organisation’s information risk policy and risk assessment
process for those information assets they support and will provide assurance reports to the
relevant Information Asset Owner as necessary.
6.2. Tasks of the IAA include:
• Ensuring compliance with data sharing agreements within the local area;
• Ensuring information handling procedures are fit for purpose and are properly applied;
• Under the direction of their IAO, ensuring that personal information is not unlawfully
exploited;
• Recognising new information handling requirements (e.g. a new type of information
arises) and that the relevant IAO is consulted over appropriate procedures;
• Recognising potential or actual security incidents and consulting the IAO;
• Reporting to the relevant IAO on current state of local information handling;
• Ensuring that local information handling constraints (e.g. limits on who can have
access to the assets) are applied, referring any difficulties to the relevant IAO;
• Acting as first port of call for local managers and staff seeking advice on the handling of
information;
• Under the direction of their IAO, ensuring that information is securely destroyed when
there is no further requirement for it.
7. Information Governance tasks
7.1. The inclusion of IA onto the CCGs asset register and that roles, responsibilities and
accountabilities are assigned to the necessary personnel.
7.2. Maintenance of Information Asset Registers;
7.3. Robust governance systems, processes and procedures are in place to ensure compliance
against local/national requirements including the IG Toolkit (IGT).
7.4. Provide assurance to the CCG Governing Body of compliance with this and associated
standards and policies.
7.5. All IA must have a comprehensive library of up to date operational procedures that support
users and IAA to carry out their role on a daily basis.
7.6. This policy must be read in conjunction with related policies/guidelines.
8. Data Quality
8.1. Access to high quality data is essential for good clinical governance and effective performance
management. Better information will support the use of best evidence; provide more accurate
assessment of the quality of services to support clinical governance and performance
management.
8.2. Each Information asset must have in place:
• Documented local data quality audits (must be undertaken by the IAO/IAA on a
regular basis). Audit outcomes to be reported to the relevant group.
• Local data quality issue logs to be implemented and maintained. Common themes to
be highlighted to the relevant group for escalation as required. These should be
openly available for staff to access e.g. on the extranet.
• User data quality spot checks to be undertaken on a regular basis and the outcomes
formally documented.
9. Business Continuity
9.1. Business continuity management (BCM) (as defined by the Business Continuity Institute 2001)
is:
‘A holistic management process that identifies potential impacts that threaten an
Organisation and provides a framework for building resilience with the capability for an
effective response that safeguards the interests of its key stakeholders, reputation,
brand and value-creating activities’.
9.2. BCM is concerned with managing risk to ensure that, at all times, the CCG can continue
operating to, at least, a pre-determined minimum level, in the event of a major disruption
including major IT system failure/disruption.
9.3. It is the policy of the CCG to ensure that all IA:
• Have approved Business Continuity (BC) plans in place;
• All relevant staff are notified and have received training/guidance on the BC
arrangements;
• Regular testing of BC plans to be undertaken with outcomes and lessons learned
formally reported to the relevant group/committee.
10. Change Control
10.1. All changes to IA (e.g. system upgrades) must follow the CCGs Change Control procedure.
This may be managed by a provider organisation.
11. Information Security
11.1. Information Security controls exist in order to safeguard the confidentiality, integrity and
availability of all forms of information within the CCG with the overall purpose of protecting
personal and corporate information from all threats, whether internal or external, deliberate or
accidental. The implementation and monitoring of such controls provides assurance to the
CCG Governing Body that comprehensive and consistent information security controls are in
place throughout the CCG to ensure business continuity.
11.2. It is the Policy of the CCG to ensure that for all IA:
• Information will be protected against unauthorised access.
• Confidentiality of information required through regulatory and legislative requirements
will be assured.
• Information will be available to authorised personnel as and when required.
• Regulatory and legislative requirements will be met.
• All breaches of information security, actual or suspected, will be reported and
investigated using existing CCG processes.
• All removable media and mobile devices are encrypted to the required standard.
• Regular audits of user access rights are undertaken.
• Staff have knowledge of the IG Forensics readiness policy and associated procedures.
• Formal Information Security risk assessments are undertaken regularly in order to
counter potential threats to CCG IA.
12. Information Risk
12.1. Each IAO within the CCG is responsible for risk management and accreditation of IA under
their control.
12.2. The IAO must ensure that an accreditation (a completed, reviewed risk assessment) is
achieved for all IA they own.
12.3. The IAO should also consider the IA ongoing accreditation needs in line with the CCG overall
risk management and reporting framework.
12.4. IAO shall ensure that information risk assessments are performed at least once a quarter on
all assets where they have been assigned ‘ownership’.
12.5. Throughout the operational lifetime of the IA, including post-implementation changes, controls
must continue to exist or be replaced by ones providing greater effect.
13. Training
To ensure compliance with the standards as described in related policies/guidelines:
13.1. The IAO and IAA will be required to undertake training as necessary to ensure they remain
effective in their role.
13.2. All users of the IA to receive appropriate approved training for their role. Training must
incorporate data quality, information risk and security, testing of knowledge, and an
observation before access is authorised.
13.3. Refresher training to be available for all staff who have identified training requirements.
13.4. All training to be recorded on the employee staff record, preferably using ESR.
13.5. A documented training plan with aims and objectives to include data quality and information
risk/security.
13.6. Comprehensive training materials and user guides are developed and implemented and easily
accessible to the user.
14. Audit
14.1. will be assessing compliance against the standards set out in this policy.
14.2. IAO and IAA are required to undertake local compliance spot checks/audits to provide
assurance to the SIRO and Accountable Officer.
APPENDIX ONE
Job Description
Job Title: Senior Information Risk Owner, Chief Officer
Responsible to: CWHHE Clinical Commissioning Groups
1. JOB SUMMARY
• The Senior Information Risk Owner (SIRO) will be a Clinical Commissioning Group (CCG)
governing body member who will take overall ownership of the CCG’s Information Risk culture,
act as champion for appropriate information risk management on the CCG governing body and
provide written advice to the CCG’s Chief Officer / Company Secretary on the content of the
CCG’s Annual Governance Statement in regard to information risk issues.
• The SIRO is expected to understand how the strategic business goals of the CCG, and
those of other NHS CCGs, may be impacted by information risks, and how those risks
may be managed effectively.
• The SIRO will lead the CCG’s Information Governance (IG) work programme and information
risk management processes within the CCG and advise the governing body on the
effectiveness of information risk management across the CCG.
• The SIRO shall undertake training as necessary to ensure they remain effective in their role as
Senior Information Risk Officer.
2. KEY RESPONSIBILITIES
a. Leadership and Culture
• Lead and foster a CCG information risk culture that values, protects and uses information for
the public good
• Ensures the CCG has an information risk plan to achieve and monitor the right information risk
culture, internally within the CCG, and externally with its partners and its commissioned services
• Takes demonstrable steps to effectively resource, support and participate in that plan
(including completing own training)
• Provide leadership for the CCG through effective networking structures, sharing of relevant
experience, provision of training and creation of information risk reporting structures.
• Regularly inform the governing body on the level of Information Risk Management
performance within the CCG, including process improvements arising and decision making
contexts etc.
b. Policy and process
• Oversee the development of an Information Risk Policy. This should include a Strategy for
implementing the policy within the existing or changing NHS Commissioning Framework and be
compliant with NHS IG policy, standards and methods.
• Take ownership of the processes and outcomes of information risk management, including
prioritisation of risks and review of the cycle of information risk work programme to support and
inform the Statement of Internal Control.
• Ensure that the governing body and the Chief Officer are kept up to date and briefed on all
information risk issues affecting the CCG and its business partners.
• Review and agree actions in respect of identified information risks.
• Ensure that the CCG’s approach to information risk is effective in terms of resource,
commitment and execution, being appropriately communicated to all staff.
• Provide a focal point for the escalation, resolution and/or discussion of information risk issues.
• Ensure that an effective infrastructure is in place to support the role by developing an
Information Risk governance structure, with clear lines of accountability and reporting and with
well-defined roles and responsibilities.
c. Incident Management
• Ensure that identified information threats and vulnerabilities are followed up for risk mitigation,
and that perceived or actual information incidents are managed in accordance with NHS IG
requirements.
• Ensure that there are effective mechanisms in place for reporting and managing Serious
Untoward Incidents (SUIs) relating to the information of the CCG. These mechanisms should
accommodate technical, operational or procedural improvements arising from lessons learnt.
d. Training
• The SIRO will be required to undertake information risk management training prior to
undertaking the role and then at least annually to be able to demonstrate their skills and
capabilities are up to date and relevant to the needs of the CCG.
3. AUTHORITY TO ACT
• The SIRO shall have the authority to act and take decisions on behalf of the CCG, both
internally and externally in matters of information risk. The governing body shall be routinely
informed of decisions taken by the SIRO.
4. THE RELATIONSHIP WITH THE CALDICOTT GUARDIAN
• There are a number of differences between the roles of the Caldicott Guardian and the SIRO
which is why it is an NHS requirement that they should normally remain distinct and separate;
for example, the Caldicott Guardian’s main focus is patient identifiable information whereas the
SIRO is concerned with the risks to information systems generally.
• The Senior Information Risk Owner role:
o is accountable for IG processes and risk within their organisation;
o fosters a culture for protecting and using data;
o provides a focal point for managing information risks and incidents;
o is concerned with the management of all information assets.
• Whilst the Caldicott Guardian role:
o is advisory, and accountable for that advice;
o is the conscience of the organisation;
o provides a focal point for patient/service user confidentiality & information sharing issues;
o is concerned with the management of patient/service user information.
5. KEY RELATIONSHIPS
a. Internal - Within the CCG and its collaboration:
• Deputy SIRO
• Chief Officer
• CCG governing body Members
• Quality and Safety Committee
• Information Governance Working Group
• Managing Directors / Deputy Managing Directors
• Other Directors
• Director of Compliance
• IG Lead / Data Protection Officer
• Information Asset Owners
• Programme Managers
• Caldicott Guardian, although ownership of the Information Risk Policy and risk assessment
processes will remain with the SIRO.
• Patient representatives
• All staff
b. External - Regularly has contact with:
• Other CCG Chief Officers
• Other Senior Information Risk Owners, Caldicott Guardians and Information Governance
Leads of the NHS Commissioning Board, Commissioning Support Unit, Local Authorities, Public
Health England, Dept of Health and other NHS CCGs.
• Regulatory authorities e.g. the Information Commissioners Office
APPENDIX TWO
Job Description
Job Title: Information Asset Owner (IAO)
Purpose of the Job:
Information Asset Owners are senior individuals involved in running the relevant business.
The IAO’s role is to:
• Understand and address risks to the information they ‘own’
• Provide assurance to the SIRO on the security and use of these assets
Specific Responsibilities:
• Maintains understanding of ‘owned’ assets and how they are used
• Approves and minimises information transfers while achieving business purposes
• Approves and oversees the disposal mechanisms for information of the asset when no
longer needed
• Knows what information the asset holds and who has access to update the system
• Takes visible steps to ensure compliance with the CCG Information Governance strategy
and IG Toolkit action plan
• Undertakes regular reviews of the information risk associated with the asset
• Understands and addresses risks to the asset and provides assurance to the SIRO
• Knows who has access and why, and ensures their use is monitored and compliant with
policy
• Receives, logs and controls requests from others for access
• Ensures that changes to the system are put through a formal ‘Request for Change’
process with the relevant Equality Impact Assessment and Privacy Impact Assessment
completed.
APPENDIX THREE
Job Description
Job Title: Information Asset Administrator (IAA)
Purpose of the Job:
Information Asset Administrators will provide support to their IAO to:
• Ensure that policies and procedures are followed
• Recognise potential or actual security incidents
• Consult their IAO on incident management
• Ensure their information asset registers are accurate and maintained up to date
Specific Responsibilities:
• Ensure compliance with data sharing agreements within the local area
• Ensure information handling procedures are fit for purpose and properly applied
• Under the direction of the IAO, ensure that personal information is not unlawfully exploited
• Recognise new information handling requirements and ensure the relevant IAO is consulted on
appropriate procedures
• Recognise potential or actual security incidents and consult the IAO
• Report to the relevant IAO on the current state of the asset
• Act as a first port of call for local managers and staff seeking advice on the handling of
information
• Under the direction of the relevant IAO, ensure that information is securely destroyed
when there is no further requirement for it (refer to the Records Management Policy).
Information Governance Policy
Date completed: June 2013
Responsible Director: Director of Compliance
Approved by/date: CWHHE Quality and Safety Committee, 2nd October 2013
Review date: October 2014
Author: Ben Westmancott
Amended:
Information Governance Policy
Version 2.0
Page 0 of 10
Information Governance Policy
For more information on this document, please contact:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
15 Marylebone Road, London NW1 JD
E-mail: [email protected]
Version Control
Version 1.0, issued July 2013: Amended to reflect CWHHE procedures. Owner: Ben Westmancott
Version 2.0, issued August 2013: Circulated to local CCG IT Committee for comment. Owner: Ben Westmancott
Document Imprint
Copyright © Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups,
2013: All rights reserved
Re-use of all or part of this document is governed by copyright and the “Re-use of Public Sector Information Regulations
2005, SI 2005 No. 1515”.
Information on re-use can be obtained from:
Director of Compliance, Ben Westmancott, CWHHE CCGs Collaborative
Tel: 020 3350 4313, E-mail: [email protected]
Information Governance Policy
Contents
1. Introduction (p. 3)
2. Purpose (p. 3)
3. Aim of the Policy (p. 3)
4. Scope (p. 3)
5. Clinical Commissioning Groups’ Information Governance Aims (p. 4)
6. Legal and Regulatory Framework (p. 4)
7. Responsibilities of the Clinical Commissioning Group (p. 4)
8. Responsibilities of the Users (p. 4)
9. Information Governance Framework (p. 4)
10. Key Elements of the Information Governance Framework (p. 5)
10.1. Freedom of Information (p. 5)
10.2. Legal Compliance (p. 5)
10.3. Information Security (p. 6)
10.4. Information Quality Assurance (p. 6)
10.5. Records Management (p. 7)
11. Management of Information Governance (p. 7)
12. Information Governance Arrangement between CCG and CSU (p. 7)
Annex 1 Legal and Regulatory Framework (p. 8)
Annex 2 Information Governance Work Areas (p. 10)
1. Introduction
Information is a vital asset and resource, both in terms of the clinical management of
individual patients and the efficient management of services and its support. It plays a key
part in clinical governance, service planning and performance management.
It is of paramount importance that information is efficiently managed; that appropriate
accountability, standards, policies and procedures provide a robust governance framework
for information management.
2. Purpose
To describe a system that ensures Central London, West London, Hammersmith and
Fulham, Hounslow and Ealing Clinical Commissioning Groups (the CCGs) meet their
responsibilities for the management of information assets and resources. This high level
policy sets out how the information governance arrangements, as a part of corporate
governance, are in place to ensure the best commissioning of health care for those whom
the CCG serves.
The CCG may designate roles to a Commissioning Support Unit (CSU) or other provider in
order to better manage their Information Governance; this policy will be agreed with such an
organisation as necessary.
The CCG is committed to the legally compliant management and use of information, taking
account of the relevant Codes of Practice. It is a condition of employment that all CCG
policies are adhered to; non-compliance may result in disciplinary action.
3. Aim of the Policy
The CCG will at the highest level establish and support an Information Governance
Management Strategy.
4. Scope
• All information used by the CCG (includes staff/patient/service user; business and
operational information; audit and reporting data).
• The information governance arrangements between the CCG and the CSU or
alternative provider
• All information systems managed by the CCG, and the CSU or alternative provider
on behalf of the CCG
• Any individual using information 'owned' by the CCG
• Any individual requiring access to information 'owned' by the CCG
This policy covers:
• All formats and modes of information processing, and both paper and electronic
information.
• All information systems purchased, developed and managed by/or on behalf of the
organisation and any individual directly employed or otherwise by the organisation.
5. CCG's Information Governance Aims
• To hold information securely and confidentially
• To obtain information fairly and efficiently
• To record information accurately and reliably
• To use information effectively and ethically
• To share information appropriately and lawfully
6. Legal and Regulatory Framework
There are a number of legal obligations placed upon the CCG for the use and security of
personally identifiable information.
There are requirements to appropriately disclose information when required. There is an
NHS regulatory and performance framework for the management of information.
There are NHS Codes of Conduct for the use of information. There are operating procedures
and codes of practice adopted by the NHS.
7. Responsibilities of the CCG
All information used in the NHS is subject to handling by individuals and it is necessary for
these individuals to be clear about their responsibilities and for the CCG to ensure and
support appropriate education and training.
The CCG must ensure legal requirements are met.
The CCG must make arrangements to meet the requirements of the Information Governance
Toolkit.
To manage its obligations the CCG will issue and support standards, policies and
procedures ensuring information is held, obtained, recorded, used and shared correctly. The
CCG will promote good practice within member Practices, and expects that they will
implement information governance in their Practices. Each Practice has a responsibility to
complete the Information Governance Toolkit for General Practice, as set out by Connecting
for Health.
8. Responsibilities of Users
Users of information must:
• be aware of their responsibilities
• comply with policies and procedures issued by the CCG
• work within the principles outlined in the information governance framework for the
CCG
9. Information Governance Framework
The CCG recognises the need for an appropriate balance between openness and
confidentiality in the management and use of information. The CCG fully supports the
principles of corporate governance and recognises its public accountability, but equally
places importance on the confidentiality of, and the security arrangements to safeguard, both
personal information about patients (this will be held exceptionally by the CCG) and staff and
commercially sensitive information necessary for the operation of the CCG.
The CCG also recognises the need to share information with other health organisations and
other agencies in a controlled manner consistent with the interests of the patient and, in
some circumstances, the public interest.
The CCG will generally not collect or hold personal information in relation to patients or
service users and will use pseudonymised or anonymised data.
The CCG believes that accurate, timely and relevant information is essential to deliver the
highest quality health care. As such it is the responsibility of all clinicians, professionals and
managers to ensure and promote the quality of information and to actively use information in
decision making processes. This is both within the CCG and the services that it
commissions.
10. Key Elements of the Information Governance Framework
10.1. Freedom of Information (FOI)
• Non-confidential information about the CCG and its services will be available to
the public through a variety of media and the CCG will establish and maintain
policies to ensure compliance with the Freedom of Information Act
• The CCG will undertake or commission annual assessments and audits of its
Freedom of Information policies and arrangements
• The CCG will have clear procedures and arrangements for handling queries from
patients and the public
• The CCG will have clear procedures and arrangements for liaison with the press
and broadcasting media
• Where the CSU or alternative provider provides aspects of the FOI arrangements,
this will be set out clearly in the Freedom of Information Policy.
10.2. Personal Information and Legal Compliance
• The CCG regards all identifiable personal information relating to individuals as
confidential
• The CCG will undertake or commission annual assessments and audits of its
compliance with legal requirements
• The CCG regards all identifiable personal information relating to individuals as
confidential except where national policy on accountability and openness
requires otherwise
• The CCG will establish and maintain policies to ensure compliance with the
Data Protection Act, Human Rights Act, the common law duty of confidentiality
and NHS Code of Confidentiality
• The CCG will carry out a Privacy Impact Assessment (PIA) for new projects,
policies and systems (a mandated, not a legal, requirement)
• The CCG will establish and maintain policies for the controlled and appropriate
sharing of personal information with other agencies, taking account of relevant
legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection
of Children Act)
• The CCG will ensure that there is a Caldicott Guardian appointed; this is the
Director of Quality and Patient Safety, who is a member of the Governing Body
10.3. Information Security
• The CCG will establish and maintain standards and policies for the effective
and secure management of its information assets and resources
• The CCG will undertake or commission annual assessments and audits of its
information and IT security arrangements
• The CCG will undertake or commission risk assessments to determine that
appropriate security controls are in place for existing or potential information
systems
• The CCG will promote effective confidentiality and security practice to its staff
through policies, procedures and training
• The CCG will establish and maintain incident reporting procedures and will
monitor and investigate all reported instances of actual or potential breaches of
confidentiality and security
• The CCG will use ISO/IEC 27001 & 27002 as the basis of its Information
Security management arrangements
• The CCG will acknowledge the requirements of Connecting for Health in Data
and Process Mapping and ensure strong security and encryption for all
Personal Identifiable Data (PID) transmitted by laptops and mobile storage
devices
• The CCG will ensure that there is a Senior Information Risk Owner; this is the
Chief Officer, who is a member of the Governing Body
10.4. Information Quality Assurance
• The CCG will establish and maintain policies and procedures for information
quality assurance, the Data Quality Policy
• The CCG will undertake or commission annual assessments and audits of its
information quality
• Managers are expected to take ownership of, and seek to improve, the quality
of information within their services
• Wherever possible, information quality should be assured at the point of
collection
• Data standards will be set through clear and consistent definition of data items,
in accordance with national standards.
• The CCG will promote information quality through policies, procedures, user
manuals and training
10.5. Records Management
• The CCG will establish and maintain policies and procedures for the effective
management of all records
• The CCG will undertake or commission annual assessments and audits of its
records management
• Managers are expected to ensure effective records management within their
service areas
• The CCG will promote records management through policies, procedures and
training
• The CCG will use the “Code of Practice for Records Management” issued by the
Department of Health, and similarly the Code of Practice under Section 46 of the
Freedom of Information Act 2000, as its standard for records management
11. Management of Information Governance
The CCG Governing Body will be responsible for implementing the Information Governance
Policy and Management Framework.
The Director of Compliance will monitor the Policy function within the CCG and report
regularly to the CCG Governing Body. Where some of the membership of the Committee,
and some of the Information Governance functions, are provided by the CSU or alternative
provider, this will be clearly documented.
The Information Governance Working Group will implement the Information Governance
Strategy and policy with other appropriate teams.
12. Information Governance Arrangements between CCG and CSU or Alternative Provider
The CSU or alternative provider and CCG will set out clearly the IG arrangements and
responsibilities in relation to each organisation.
They will report monthly to the Governing Body.
The Senior Information Risk Owner will be responsible for ensuring that the Information
Governance Toolkit is completed and submitted [the requirements are set out in the Action
Plan].
The Governing Body will sign off the Information Governance Toolkit for submission in
March.
Annexe 1 Legal and Statutory Framework
The CCG is bound by the provisions of a number of items of legislation affecting the
stewardship and control of information. The main relevant legislation is:
• Data Protection Act 1998 (and subsequent Special Information Notices)
• Human Rights Act 1998
• Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998)
• Criminal Justice and Immigration Act 2008
• Computer Misuse Act 1990
• Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992)
• Crime & Disorder Act 1998
• Electronic Communications Act 2000
• Environmental Information Regulations 2004
• Freedom of Information Act 2000
• Health and Social Care Act 2001
• Regulation of Investigatory Powers Act 2000 (& Lawful Business Practice Regulations 2000)
• Public Interest Disclosure Act 1998
• NHS Sexually Transmitted Disease Regulations 2000
• National Health Service Act 1977
• Human Fertilisation & Embryology Act 1990
• Abortion Regulations 1991
• Prevention of Terrorism (Temporary Provisions) Act 1989 & Terrorism Act 2000
• Regulations under Health & Safety at Work Act 1974
Regulatory framework:
The regulatory elements are:
• The Information Governance Toolkit issued annually since 2003 which requires CCGs
to assess their progress against set criteria.
• Caldicott - Report, audit & improvement on the use of Patient Identifiable Data 1997
and HSC 1999/012
• ISO/IEC 27002:2005 - British Standard for Information Security Management, mandated for
the NHS in 2001
• Information Quality Assurance
• NHS Confidentiality Code of Practice
• NHS guidance on Consent to Treatment
• Information: To Share or Not to Share? The Information Governance Review
Wider NHS and national regulation elements:
Clinical Negligence Scheme for CCGs (CNST) - via NHS Litigation Authority
Also related but not NHS specific - 'Clinical Professionals Regulatory Framework'
In response to many of the above requirements the NHS has set out and mandated a
number of elements of regulation that constitute the 'Information Governance Assurance
Framework'. The detail of the Framework can be viewed in the briefing note:
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/igap/igaf/igafbriefing.pdf
Annexe 2 Information Governance Work Areas
Information Governance is:
"a framework for handling personal information in a confidential and secure manner to
appropriate ethical and quality standards in a modern health service"
Information Governance currently encompasses the following initiatives or work areas.
• Caldicott and Confidentiality
• Data Protection Act 1998
• Records Management
• Caldicott Function (Control 102, IGT)
• UK Caldicott Guardian Council developments 2005
• Information Security (ISO/IEC 27001, ISO/IEC 27002, BS 7799-3)
• Business Continuity (BS 25999)
• Policies, procedures, standards, protocols and codes of practice
• Human Rights Act 1998
• Freedom of Information Act
• Environmental Information Regulations
• Re-use of Public Sector Information
• The Health and Social Care Act 2001 (Section 60)
• ICT strategic developments (Connecting for Health programme) 2005 onwards
• Mental Capacity Act 2005
• The Cayton Review of Information Governance 2006
• The Caldicott Guardian Manual 2010
• Equality Act 2006
• Information Quality Assurance (Data Accreditation)