
Information Risk Policy - Health and Social Care

Information Risk Policy

Version: 1_0

Responsible Person: Information Governance Manager

Lead Director: Director of Performance and Corporate Services

Consultation Route: Information Governance Steering Group

Approval Route: HSCB Senior Management Team and Governance Committee

Applies To: All HSCB Staff, Contractors and Relevant Third Parties

Approval Date: Senior Management Team – 08/09/15; Governance Committee – 24/09/15

Review Date: September 2018

Amendment / Change Control

Version | Date | Author | Reason / Comments | Review Date

V0.1 | June 2015 | K Moore | New Policy – Information Governance requirements | September 2018

V0.2 | August 2015 | K Moore | Following IGSG Meeting – added in section on the role of the PDG and job title of current SIRO. | September 2018

Contents

1.0 Introduction (page 4)

2.0 Purpose (page 4)

3.0 Roles & Responsibilities (pages 4-6)

4.0 Information Risk Management Process (pages 6-8)

4.1 Information Assets (page 6)

4.2 Information Asset Register (page 6)

4.3 Information Risk Assessments (pages 6-7)

4.4 Treatment Plans (page 7)

4.5 Privacy Impact Assessments (PIAs) (page 7)

4.6 Information Risk Training (page 8)

5.0 Monitoring Compliance (page 8)

6.0 Assurance (page 8)

7.0 Review and Revision Arrangements (page 8)

8.0 Policy Distribution (page 9)

Appendix One (pages 10-14)

1.0 Introduction

This policy lays the framework for a formal information risk management programme in the HSCB by establishing responsibility for information risk, identification and analysis, planning for information risk mitigation and information risk management. The HSCB and its management team are required to assure the formal introduction and embedding of information risk management into key controls and approval processes for all the functions of the HSCB. Information risk is inherent in all administrative and business activities and everyone working for or on behalf of the HSCB continuously manages information risk. Information risk management is an essential element of broader information governance and is an integral part of good management practice.

2.0 Purpose

The purpose of this Information Risk Policy is to:

Protect the HSCB from information risks where the likelihood of occurrence and the consequences are significant;

Provide a consistent risk management framework in which information risks will be identified, considered and addressed in key approval, review and control processes;

Provide assistance to and improve the quality of decision making throughout the HSCB;

Meet legal and statutory requirements;

Assist in safeguarding the HSCB Information Assets;

Integrate information risk as a key part of the risk management process.

3.0 Roles & Responsibilities

The following are the reporting arrangements:

Chief Executive – The Chief Executive has overall responsibility for the management of the HSCB and for ensuring appropriate mechanisms are in place to minimise information risks.

Personal Data Guardian (PDG) – The PDG (Director of Integrated Care) has responsibility for ensuring that HSCB processes satisfy the highest practical standards for handling personal data. The PDG is the ‘conscience’ of the organization in respect of patient information, and will also promote a culture that respects and protects personal data. The PDG works closely with the SIRO and Information Asset Owners where appropriate, especially where information risk reviews are conducted for assets which comprise or contain patient/service user information.

Senior Information Risk Officer (SIRO) – The SIRO (Director of Performance and Corporate Services) is responsible for coordinating the development and maintenance of information risk policies, procedures and standards for the HSCB. It is their role to:

Ensure the organisation’s overall information risk policy and risk assessment processes are implemented consistently by IAOs.

Review and agree actions in respect of identified information risks.

Provide a focal point for the resolution and/or discussion of information risk issues.

Advise the Chief Executive or relevant accounting officer on the content of their annual governance statement in regard to information risk.

Information Asset Owners (IAO) – The IAO is a senior member of staff who is the nominated owner for one or more identified information assets within their Directorate. Information Asset Owners will be required to:

Identify their information assets and where appropriate appoint for each asset an Information Asset Administrator (IAA).

With the assistance of the Information Governance Team ensure that risk assessments are performed at the inception of any new assets.

Understand what information is held and in what form, how it is added and removed, who has access to it and why.

Ensure that information risk management is embedded into the key controls and approval processes of all major business processes and functions.

Be responsible for risk assessment, reduction and prevention for their information assets, including ongoing evaluation and risk management.

IAOs are asked to provide annual assurance to the Senior Information Risk Owner (SIRO) that information risks identified for Information Assets within their Directorate are being appropriately managed.


Information Asset Administrators (IAA) – Working in conjunction with the IAO an Information Asset Administrator (IAA) may be assigned to:

Ensure policies and procedures are followed to help minimise risk.

Recognise potential security incidents.

Consult with the IAO on incident management.

Ensure that information asset registers are up to date.

An example of an IAA could be an existing systems administrator.

All Staff – Everyone has a role in the effective management of information risk. All staff will actively participate in identifying potential information risks in their areas and contribute to the implementation of appropriate treatment actions.

4.0 Information Risk Management Process

4.1 Information Assets

An Information Asset is any set of records or information that is held by the HSCB, in any format, in support of a business function. The information held in an Information Asset can originate from any number of sources, from information received from other organisations or individuals to information produced by the HSCB. Refer to Appendix A for more information on Information Assets and Guidance Notes.

4.2 Information Asset Register

The Information Governance Team will lead on and ensure that an Information Asset Register (IAR) is set up for each Directorate. The register will:

Allow the HSCB to understand what information it holds and how that information is being used;

Ensure Information Assets are appropriately managed, which will in turn reduce the risks to that information;

Be maintained by each IAO with assistance from the identified IAAs;

Be managed by the Information Governance Team, who will ensure that all registers are regularly updated.

An Information Asset Register template is available for this purpose.

4.3 Information Risk Assessments


An information risk assessment will be performed for all identified information assets. Information risk assessments will:

Be conducted by the Information Governance Team in conjunction with the IAO / IAA.

Be carried out using the HSCB’s existing risk assessment procedure, i.e. the Data Flow and Information Security questionnaire, which maps the flow of information into and out of each asset and enables the assessment of risks.

Quantify the level of risk associated with each asset; the HSC Grading Matrix (‘five by five’) from the HSC Risk Assessment tools will be used to rate the level of risk.

Ensure all threats, vulnerabilities and impacts are identified and if necessary included within the HSCB wide risk register.

Information risk assessments will occur at the following times:

At the inception of new systems / applications or anything that constitutes an information asset as outlined in Appendix A.

At least annually, to provide assurance to the SIRO that the agreed management of risks is being carried out in line with HSCB policies and procedures.

Before enhancements, upgrades and conversions associated with critical systems or applications.

4.4 Treatment Plans

Treatment Plans will be developed based on the outcome of the risk assessment. Treatment options will involve one or a combination of the following four strategies:

Avoid the risk

Reduce the likelihood of occurrence

Reduce the consequences of occurrence

Retain/accept the risk

Where applicable, mitigation plans shall include specific recommendations to reduce information risk, alongside realistic completion dates. These will be communicated to the relevant IAOs for information or action.

4.5 Privacy Impact Assessments (PIAs)

As a further element of good practice, a Privacy Impact Assessment (PIA) will be considered for all major projects (for example new systems, new services, etc.) within an IAO’s area of responsibility. Where the overview of the project identifies that a PIA is required, it will be conducted in accordance with the criteria specified by the Information Commissioner’s Office. If required, the Information Governance Team will provide support during this process.

4.6 Information Risk Training

Relevant training will be made available to all IAOs / IAAs and it is the responsibility of individuals to avail of the training. All HSCB staff complete Information Governance Training and Risk Management E-Learning every 3 years as part of mandatory induction training. If staff require additional or tailored training in this area, this can be arranged by contacting [email protected].

5.0 Monitoring Compliance

Monitoring of the policy will be informed by the number of reported Information Governance complaints and incidents.

6.0 Assurance

Indicators for audit may include:

The existence of an identified IAO for each Directorate.

The existence of an Information Asset Register for each Directorate.

The existence of a HSCB Risk Register.

Annual assurance to the SIRO from each IAO.

An annual review will be carried out by the Information Governance Team on behalf of the SIRO and reported to the Information Governance Steering Group (IGSG). Overall responsibility for action plans will lie with the SIRO, but they will be completed by the relevant IAO and reported to and monitored by the IGSG.

7.0 Review and Revision Arrangements

The HSCB is committed to ensuring that all policies are kept under review to ensure that they remain compliant with relevant legislation. This policy will be reviewed by the Information Governance Steering Group every 3 years. However, it will also be reviewed when affected by major internal or external changes such as:

Legislation

Practice change or change in system/technology

Changing methodology

8.0 Policy Distribution

This Policy will be made available to all HSCB staff via the HSCB’s Intranet site.

Appendix One

Identification of Information Assets

Every business function conducted by the HSCB is dependent on information in one format or another. Information is therefore recognised as having a value to the organisation and as such it needs to be treated and managed as an asset. The purpose of this piece of work is to develop a register of Information Assets as a first step in addressing risks to the information held by the HSCB. Each Directorate is therefore asked to complete the attached template and establish an Information Asset Register for their Directorate.

What is an Information Asset?

An Information Asset is any set of records or information that is held by the HSCB, in any format, in support of a business function. The information held in an Information Asset can originate from any number of sources, from information received from other organisations or individuals to information produced by the HSCB. For this exercise we only wish to record details of Information Assets which hold more than fifty records.

Information Assets primarily hold Electronic Records, Hard Copy Records or both; however, other forms exist such as recordings, backup tapes etc. Common examples of Information Assets are:

Dedicated systems such as:

Finance (General Ledger),

HR (Human Resources Management System),

Complaints (Datix),

Intranets (HSCB Intranet, Primary Care Intranet),

Websites.

Spreadsheets and Databases developed either in-house or bought in.

E-Mail Systems,

Electronic Document and Records Management System (Meridio),

Network Drive Folders,

Portable Hard Drives,

Memory Sticks,

Blackberry Mobile Phones.

Information Assets also include manual records:

Filing Cabinets,

Times Two Units,

Closed Record Stores (basements, registries etc.),

Off-Site Storage.

Basically, any set of 50 or more records retained for a business process.

What is not an Information Asset?

Information Assets must have a value to the organisation. Typical examples of what isn’t classed as an Information Asset are:

Extra copies of reports;

E-mails which do not form part of a master file;

Information retained for personal reasons;

Spreadsheets and Databases personally developed by individuals to assist them alone in their work.

Why do we need an Information Asset Register?

There are a number of reasons why the Board needs to compile an Information Asset Register:

To allow the HSCB to understand what information it holds and how that information is being used;

To ensure Information Assets are appropriately managed, which will in turn reduce the risks to that information;

To meet DHSSPS requirements in respect of Information Risk;

To meet Audit recommendations in respect of Information Risk.

Who can I speak to for assistance?

Each Directorate within the HSCB has one or more nominated Information Asset Owners (IAOs) - See Appendix 1 for details. It is unlikely these individuals will have a working knowledge of all the Assets within their Directorate; therefore Information Asset Administrators (IAAs) will need to be identified for each Asset. These are individuals who perhaps head up a team or are responsible for a particular business process and have a working knowledge of the Information Asset. The Information Governance Team is also available for support on this project. Should you require any assistance please contact your Information Asset Owner in the first instance or a member of the Information Governance Team:

[email protected] [email protected] [email protected]

How do I compile an Information Asset Register?

List the key business processes undertaken by your Directorate; each one will have one or more Information Assets associated with it. Complete the attached register template, completing a row for each Asset.

What Happens when the exercise is complete?

When each Directorate completes their Register they will forward it to the Information Governance Team, who will combine all Directorate registers into one Corporate Information Asset Register for the HSCB. This will become an important document which will be maintained and updated on a regular basis. Each Information Asset Owner will be asked to provide assurances to the Board’s Senior Information Risk Owner at least annually that all Information Assets have been recorded and are being managed appropriately.

Following completion of the Registers the Information Governance Team will analyse the information and establish which Information Assets hold personally identifiable information or business sensitive information. With the assistance of the IAAs a further exercise to map the flow of information into and out of these Assets will be completed. This will allow risks to be identified and evaluated. Action can then be taken to eliminate or reduce any risks to an acceptable level.

Step by Step Guide: Identifying and Recording Information Assets

Step One: IAOs to identify Business Processes and Key Systems used within the Directorate. Bear in mind this is all Teams in all HSCB Offices.

Step Two: For each Business Process identify an Information Asset Administrator (IAA).

Step Three: Circulate this paper and the Information Asset Register template to each IAA, asking them to fill out the template for each Information Asset they identify. Set an appropriate timescale for completion.

Step Four: Pull all the completed templates into one Information Asset Register per Directorate. If helpful you can maintain each Team on a separate sheet within the spreadsheet. E-mail the completed Register to [email protected] (IG Manager).

Step Five: The Information Governance Team will check the completed Registers and, where personal information or business sensitive information is held, contact will be made with the IAAs to assist with the Data Flow Analysis.

Step Six: Following the Data Flow Analysis the Information Governance team will help identify potential risks and advise both IAOs and IAAs as to appropriate treatment.

Senior Information Risk Owner (SIRO):

Mr Michael Bloomfield - Head of Corporate Services

Information Asset Owners (IAO’s):

Finance – Mr Simon Christie

Commissioning - Ms Cara Anderson

Integrated Care - Ms Linda McIlroy

PMSI - Mr Stephen McDowell

Social Care and Children’s - Mr Tony Rodgers, Mr Aidan Murray and Mr Kevin Keenan

Transforming Your Care - Ms Lynn Campbell

E-Health & External Collaboration – Mr Des O’Loan

Corporate Services - Mr Ken Moore