
Information Governance Policy

Macintosh HD:Users:michael:Google Drive:Information Governance:Information Governance Policy v2.0.docx

IG Toolkit

Information Governance Policy

Version: 1
Date Issued: December 2015
Target Audience: All Respiricare Staff
Next Review Date: December 2016
Responsible for Review: Natasha Beckett, Respiricare Director


Table of Contents:

1. Introduction
2. Employee / contracted staff responsibilities
3. Management responsibilities
4. Data Protection
5. Confidentiality including Caldicott Principles
6. The right of Access to Information (Subject Access Requests)
7. Documentation and Information Lifecycle
8. Mandatory training
9. Information Security
10. Information Sharing
11. Corporate Governance
12. Terms of reference for IG Meetings
13. IG Toolkit compliance statement
14. Incident Reporting

1. Introduction

Information Governance is a framework for handling personal information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service. It provides a consistent way for employees to deal with the many different information handling requirements including:

• Information Governance Management
• Clinical Information assurance for Safe Patient Care
• Confidentiality and Data Protection assurance
• Corporate Information assurance
• Information Security assurance, and
• Secondary use assurance.

The aims of this document are:

• To maximise the value of organisational assets by ensuring that data is:
  o Held securely and confidentially
  o Obtained fairly and lawfully
  o Recorded accurately and reliably
  o Used effectively and ethically, and
  o Shared and disclosed appropriately and lawfully.

• To protect the organisation’s information assets from all threats, whether internal or external, deliberate or accidental. NHS England will ensure:
  o Information will be protected against unauthorised access
  o Confidentiality of information will be assured
  o Integrity of information will be maintained
  o Information will be supported by the highest quality data
  o Regulatory and legislative requirements will be met
  o Business continuity plans will be produced, maintained and tested
  o Information security training will be available to all staff, and
  o All breaches of information security, actual or suspected, will be reported to, and investigated by, the Information Governance Senior Manager.

2. Employee / Contracted Staff Responsibilities

As an employee of RespiriCare Limited you are subject to an obligation of confidentiality to all personal, sensitive and commercial information processed by the Trust and as such you must adhere to the DPA, Caldicott Guidelines and NHS Information Security Procedures, which form part of all employee Terms and Conditions of Employment. All employed or contracted staff must sign a copy of RespiriCare Limited’s Information Governance Policy without exception. All contracted staff will be required to complete an enhanced DBS clearance and provide proof of current NMC / HCPC registration if applicable.

Professional bodies (e.g. Nursing and Midwifery Council (NMC), General Medical Council (GMC)) provide additional supplementary advice and guidance for their own disciplines. These guidelines should not conflict with this policy or legislative requirements.

While you are at work you may have access to information about patients/colleagues and/or RespiriCare Limited. You may come into contact with this type of information during the course of your work or simply see, hear or read something while you are working. Circumstances may occur where you believe that a duty of care, either to the patient or to the staff member, overrides the duty of confidentiality. In these circumstances you must discuss the matter with your supervisor/line manager in the first instance, or escalate it to the next senior manager and/or, where practicable, obtain advice from the Trust Caldicott Guardian or Information Governance Manager (Natasha Beckett / Gail Spinks). The discussion and outcome must be thoroughly documented and retained for future reference.

This policy, and its supporting standards and work instructions, are fully endorsed by the Trust Board through the production of these documents and their minuted approval.

3. Management Responsibilities

The Directors of RespiriCare Limited have ultimate responsibility for the Information Governance Policy within RespiriCare Limited. The Information Governance Manager (Natasha Beckett) will work closely with Information Governance Associate Gail Spinks to ensure all responsibilities for IG are met, including the roles of Caldicott Guardian and Data Protection Officer.

4. Data Protection

4a. Introduction


RespiriCare Limited needs to collect and use certain types of information about the Individuals or Service Users who come into contact with RespiriCare Limited in order to carry on our work. This personal information must be collected and dealt with appropriately, whether it is collected on paper, stored in a computer database, or recorded on other material, and there are safeguards to ensure this under the Data Protection Act 1998.

4b. Data Controller

RespiriCare Limited is the Data Controller under the Act, which means that it determines the purposes for which the personal information it holds will be used. It is also responsible for notifying the Information Commissioner of the data it holds or is likely to hold, and the general purposes that this data will be used for.

4c. Disclosure

RespiriCare Limited may share data with other agencies such as the local authority, funding bodies and other voluntary agencies.

The Individual/Service User will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows RespiriCare Limited to disclose data (including sensitive data) without the data subject’s consent.

These are:

a) Carrying out a legal duty or as authorised by the Secretary of State

b) Protecting vital interests of an Individual/Service User or other person

c) The Individual/Service User has already made the information public

d) Conducting any legal proceedings, obtaining legal advice or defending any legal rights

e) Monitoring for equal opportunities purposes – i.e. race, disability or religion

f) Providing a confidential service where the Individual/Service User’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Individuals/Service Users to provide consent signatures.

RespiriCare Limited regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

RespiriCare Limited intends to ensure that personal information is treated lawfully and correctly.

To this end, RespiriCare Limited will adhere to the Principles of Data Protection, as detailed in the Data Protection Act 1998.

Specifically, the Principles require that personal information:

a) Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met,

b) Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes,

c) Shall be adequate, relevant and not excessive in relation to those purpose(s)

d) Shall be accurate and, where necessary, kept up to date,

e) Shall not be kept for longer than is necessary

f) Shall be processed in accordance with the rights of data subjects under the Act,

g) Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information,

h) Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals/Service Users in relation to the processing of personal information.

RespiriCare Limited will, through appropriate management and strict application of criteria and controls:

• Observe fully conditions regarding the fair collection and use of information

• Meet its legal obligations to specify the purposes for which information is used

• Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements

• Ensure the quality of information used

• Ensure that the rights of people about whom information is held can be fully exercised under the Act. These include:

o The right to be informed that processing is being undertaken,

o The right of access to one’s personal information,

o The right to prevent processing in certain circumstances, and

o The right to correct, rectify, block or erase information which is regarded as wrong information

• Take appropriate technical and organisational security measures to safeguard personal information

• Ensure that personal information is not transferred abroad without suitable safeguards

• Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information

• Set out clear procedures for responding to requests for information

Data collection

Informed consent is when

• An Individual/Service User clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data

• And then gives their consent.

RespiriCare Limited will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.

When collecting data, RespiriCare Limited will ensure that the Individual/Service User:

a) Clearly understands why the information is needed

b) Understands what it will be used for and what the consequences are should the Individual/Service User decide not to give consent to processing

c) As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed

d) Is, as far as reasonably practicable, competent enough to give consent and has given it freely without any duress

e) Has received sufficient information on why their data is needed and how it will be used

Data Storage

Information and records relating to service users will be stored securely and will only be accessible to authorised staff and volunteers.

Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.

It is RespiriCare Limited’s responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation which has been passed on/sold to a third party.

Data access and accuracy

All Individuals/Service Users have the right to access the information RespiriCare Limited holds about them. RespiriCare Limited will also take reasonable steps to ensure that this information is kept up to date by asking data subjects whether there have been any changes.

In addition, RespiriCare Limited will ensure that:

• It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection

• Everyone processing personal information understands that they are contractually responsible for following good data protection practice

• Everyone processing personal information is appropriately trained to do so

• Everyone processing personal information is appropriately supervised

• Anybody wanting to make enquiries about handling personal information knows what to do

• It deals promptly and courteously with any enquiries about handling personal information

• It describes clearly how it handles personal information

• It will regularly review and audit the ways it holds, manages and uses personal information

• It regularly assesses and evaluates its methods and performance in relation to handling personal information

• All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them

5. Confidentiality: NHS Code of Practice & the Caldicott Committee Report

In 1997 the Caldicott Committee introduced stringent guidelines on the recording, access and use of personal data within the NHS. This document was called the Confidentiality: NHS Code of Practice. This Code mandated that each NHS organisation is required to have a Caldicott Guardian; this was mandated for the NHS by Health Service Circular HSC 1999/012. The mandate covers all organisations that have access to patient records: https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice

Caldicott Principles

The Information Governance Lead also takes the role of Caldicott Guardian within RespiriCare Limited. The Caldicott principles were recommended by the Caldicott Committee as a guide for the NHS for the use of, and transfer of, patient identifiable information.

A seventh principle was added following the Caldicott 2 Report. The seven principles provided by the Caldicott Report are the baseline for good practice:

1. Justify the purpose for using confidential information
2. Only use it when absolutely necessary
3. Use the minimum that is required
4. Access should be on a strict need to know basis
5. Everyone must understand his or her responsibilities
6. Understand and comply with the law
7. The duty to share information can be as important as the duty to protect confidential information

6. The Right of Access to Information (Subject Access Requests)

Principle 6 of the DPA 1998 provides all individuals with the right to access personal information about themselves. The law also makes no distinction between the rights of adults and children. Therefore, children have the same rights as adults and all personal data must be processed in accordance with these rights.

These rights are:

• right of subject access (e.g. to a copy of your medical records or staff files)
• right to prevent processing likely to cause damage or distress
• right to prevent processing for the purposes of direct marketing
• rights in relation to automated decision taking
• right to take action for compensation if the individual or others suffer damage
• right to take action to rectify, block, erase or destroy inaccurate data
• right to make a request to the Information Commissioner for an assessment to be made as to whether any provision of the Act has been contravened

RespiriCare Limited will aim to coordinate their response to these requests in line with NHS requirements in that the patient’s information will be released to them within 40 calendar days.

7. Documentation and Information Lifecycle


RespiriCare Limited is committed to safekeeping and safe disposal of records as required by:

• Public Records Act 1958

• Freedom of Information Act 2000

• Data Protection Act 1998

• Records management NHS Code of Practice

Patient records will be kept in line with professional standards as laid out by the Chartered Society of Physiotherapy (http://www.csp.org.uk/professional-union/professionalism/professionalism-resources/record-keeping-guidance) and the Nursing & Midwifery Council guidelines for Record Keeping (http://www.nipec.hscni.net/Image/SitePDFS/nmcGuidanceRecordKeepingGuidanceforNursesandMidwives.pdf).

8. Mandatory Training

All RespiriCare Limited staff will be subject to a Disclosure and Barring Service (DBS) check prior to commencing work, which will then be subject to renewal every 3 years.

It is mandated through the Health and Social Care Information Centre (HSCIC) and Care Quality Commission (CQC) IG Toolkit that all staff must complete Information Governance Training annually. Data Protection and confidentiality will form a major part of the course content, which will be offered to all employees via a Computer Based Training package at www.igtt.hscic.gov.uk

RespiriCare Limited will ensure all new employees / contractors have access to the Information Governance Policy via the RespiriCare Limited Shared Drive.

9. Information Security

RespiriCare Limited refers to NHS England’s Information Security Policy for guidance. The aim of NHS England’s Information Security Policy is to preserve confidentiality, integrity and availability.

All employed staff are responsible for information security and therefore must understand and comply with this policy and associated guidance. Failure to do so may result in disciplinary action. In particular all staff should understand:

• What information they are using, how it should be protectively handled, stored and transferred.

• What procedures, standards and protocols exist for the sharing of information with others.

• How to report a suspected breach of information security within the organisation.

• Their responsibility for raising any information security concerns with the Information Security Officer.

Contracts with external contractors that allow access to the organisation’s information systems must be in operation before access is allowed. These contracts must ensure that the staff or sub-contractors of the external organisation comply with all appropriate security policies.

The information security framework includes:

• Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain an appropriate confidentiality clause.

• Information security expectations of staff shall be included within appropriate job definitions.

• Access to information shall be restricted to users who have an authorised business need to access the information

• All information security events and suspected weaknesses are to be reported to the Information Governance Lead.

• RespiriCare Limited shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to co-operate fully with this policy.

• RespiriCare Limited shall use encrypted removable media.

• Full details of NHS England’s Information Security Policy can be found at https://www.england.nhs.uk/wp-content/uploads/2013/06/info-sec-1.pdf

10. Information Sharing

All employees working in the NHS are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their work. As RespiriCare Limited is working with the NHS, it is imperative that staff are aware not only of their contractual responsibilities but also of the requirements within the common law duty of confidence and the Data Protection Act 1998. This statement sets out the requirements placed on all NHS England staff when sharing personal information within the NHS and between the NHS and other bodies.

Information includes:

Person identifiable data/information e.g. staff records

Personal confidential data - taken from the Caldicott Review, this term describes personal information about identified or identifiable individuals, which should be kept private or secret. ‘Personal’ includes the DPA definition of personal data, but it is adapted to include dead as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act.

Information sharing, in the context of this statement, means the disclosure of personal information from one or more organisations to a third party organisation or organisations. Information sharing can take the form of:

• a reciprocal exchange of data;
• one or more organisations providing data to a third party or parties;
• several organisations pooling information and making it available to each other;
• several organisations pooling information and making it available to a third party or parties;
• exceptional, one-off disclosures of data in unexpected or emergency situations.

Sharing non personal information with other organisations - Key information is shared with other organisations to: improve patient experience; facilitate commissioning of services; manage and plan future services; facilitate quality improvement and clinical leadership; assure and improve the quality of care and treatment; statutory returns and requests; train staff; audit performance.

Sharing personal information with other organisations – where necessary and proportionate, personal information may be shared with other organisations to: Investigate complaints or potential legal claims; protect children and adults at risk; assess need, service delivery and treatment.

This statement covers two main types of information sharing:

o ‘systematic’, routine information sharing where the same data sets are shared between the same organisations for an established purpose; and

o exceptional, one-off decisions to share information for any of a range of purposes.

Factors to consider - When deciding whether to enter into an arrangement to share personal data (either as a provider, a recipient or both) you should consider what the sharing is meant to achieve. There should be a clear objective, or set of objectives. Being clear about this will identify the following:

• Could the objective be achieved without sharing the data or by anonymising it? It is not appropriate to use personal data to plan service provision, for example, where this could be done with information that does not amount to personal data.

• What information needs to be shared? You should not share all the personal data you hold about someone if only certain data items are needed to achieve the objectives. The third Caldicott principle specifies “Use the minimum necessary personal confidential data”.

• Who requires access to the shared personal data? You should employ ‘need to know’ principles, meaning that when sharing both internally between departments and externally with other organisations, individuals should only have access to your data if they need it to do their job, and that only relevant staff should have access to the data. This should also address any necessary restrictions on onward sharing of data with third parties.

• When should it be shared? Again, it is good practice to document this, for example setting out whether the sharing should be an on-going, routine process or whether it should only take place in response to particular events.

• How should it be shared? This involves addressing the security surrounding the transmission or accessing of the data and establishing common rules for its security.

• How can we check the sharing is achieving its objectives? You will need to judge whether it is still appropriate and confirm that the safeguards still match the risks.

• How are individuals made aware of the information sharing? Consider what to tell the individuals concerned. Is their consent needed? Do they have an opportunity to object? How do you take account of their objections? How do you ensure the individual’s rights are respected and can be exercised e.g. how can they access the information held once shared?

• What risk to the individual and/or the organisation does the data sharing pose? For example, is any individual likely to be damaged by it? Is any individual likely to object? Might it undermine individuals’ trust in the organisations that keep records about them?

It is good practice to document all decisions and reasoning related to the information sharing.

In all circumstances of information sharing, staff will ensure that:

• When information needs to be shared, sharing complies with the law, guidance and best practice;

• Only the minimum information necessary for the purpose will be shared and, if sharing with providers, will only be shared when the contract explicitly permits it;

• Individuals’ rights will be respected, particularly confidentiality and security;

• Confidentiality must be adhered to unless there is a robust public interest or a legal justification in disclosure;

• Reviews of information sharing should be undertaken to ensure the information sharing is meeting the required objectives/purpose and is still fulfilling its obligations.

Further advice:

With information sharing there will always be exceptional and difficult circumstances where advice may be needed. RespiriCare Limited’s Information Governance Specialist (Gail Spinks) should be consulted where there are any concerns about whether the proposed information sharing is appropriate. The Caldicott Guardian will use their judgement and knowledge of the law and practice to act in the best interests of patients/clients. The issue, subsequent decisions and actions should be documented.

11. Corporate Governance statement

RespiriCare Limited is satisfied that it applies principles, systems and standards of good corporate governance which reasonably would be regarded as appropriate for an Any Qualified Provider supplier of health care services to the NHS.

• RespiriCare Limited is satisfied that processes and procedures are in place to enable RespiriCare Limited to work towards Level 2 IG Toolkit compliance by end March 2016.

• RespiriCare Limited is satisfied that processes and procedures are in place to ensure all medical practitioners providing care on behalf of RespiriCare Limited have met the relevant registration requirements.

12. Terms of Reference for monthly Information Governance meetings

RespiriCare Limited’s terms of reference aim to provide direction for and oversee the development of RespiriCare Limited’s Information Governance Policies and to support the provision of clinical services to the NHS as an “Any Qualified Provider”.

• Frequency: Monthly. Additional meetings will be held as required.
• Attendees: Natasha Beckett, Kath Plumbe, +/- Gail Spinks.
• Quorum: Meetings will require at least two attendees to be present.
• Record of meetings: Meetings to be minuted, disseminated and saved to the IG shared drive.
• Queries to be discussed with contracted IG Specialist Gail Spinks.
• Discussion points to include:
  o Information Governance Management
  o Data protection
  o Confidentiality
  o Caldicott – Clinical Information
  o Information security
  o Data quality
  o Clinical Information Assurance
  o Secondary Use assurance

13. Information Governance Toolkit: Statement of compliance.

It is the aim of RespiriCare Limited to be IG Toolkit Level 2 compliant by end of March 2016. If this has not been achieved a robust action plan will be in place to ensure these requirements will be met by March 2017.


14. Incident Reporting

This statement describes RespiriCare Limited’s approach to incident reporting and management. An Incident is defined as an untoward event which causes or has the potential to cause any of the following:

• Harm to an individual
• Financial loss to an individual or RespiriCare Limited
• Damage to the property of an individual or RespiriCare Limited
• Disruption to services provided by RespiriCare Limited
• Damage to the reputation of RespiriCare Limited

This definition also encompasses all prevented incidents, i.e. near misses.

Reports should be made by anyone working for or with RespiriCare Limited as soon as possible after the event. Reports can be made to the Directors of RespiriCare Limited, Kath Plumbe or Natasha Beckett, either in writing or verbally (in which case they will be documented). Reports should include a timeline of events, details of remedial action taken at the time and contact details of any witnesses if appropriate.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.

In case of any queries or questions in relation to this policy please contact the RespiriCare Limited Data Protection Officer:

Insert name and contact details of the Data Protection Officer.

Signed: Natasha Beckett
Position: Director RespiriCare Limited, IG Lead
Date: 30.11.15
Review Date: 30.11.16
