Information governance policy

1.     PURPOSE

Information is a vital and valuable asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in corporate governance, service planning and performance management.

It is of paramount importance to ensure that the Trust’s information and key information assets are efficiently managed, and to have a solid strategy in place to comply in full with the legal, regulatory and governance requirements and mandates.

The purpose of the Policy is to establish a robust governance framework for information management and preserving the confidentiality, integrity, security and accessibility of data, processing systems and information in Buckinghamshire Healthcare NHS Trust.  Appendix A provides a more detailed set of requirements in relation to information management and technology security controls.

The Trust will monitor its Information Governance (IG) controls through the NHS Digital Data Security and Protection Toolkit.  This is a mandatory performance self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards, and the associated NHS Digital CareCERT suite of services across three leadership obligations:

·       People – ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles

·       Process – ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses

·       Technology – ensure technology is secure and up-to-date

2.   SCOPE

This policy applies to all information, information systems, networks, applications, location, associated organisations, staff employed or working on behalf of the Trust and third parties supplying goods and services to the Trust.

3.       POLICY PRINCIPLES

The principles are to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by the Trust by:

·        Ensuring that all members of staff are aware of their personal responsibilities and fully comply with the relevant legislation as described in this and other policies.

·        Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibility and the need for an appropriate balance between openness and confidentiality in the management and use of information.

·        Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business and explaining how it should be implemented in the organisation.

·        Supporting the principles of corporate governance and recognising its public accountability and at the same time safeguarding the confidentiality and security of both patient and staff and commercially sensitive information.

·        Recognising the need to share patient information with other health  organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest

·        Protecting information assets under the control of the Trust.

·        Informing and advising that penalties will be significantly increased for any infringement of the GDPR principles and data breaches.

·        Ensuring compliance with data breach notifications as a legal requirement – to be reported to the regulatory authority within 72 hours

·        Ensuring records of data processing activities are upheld

·        Ensuring the use of data protection impact assessment tool  in any proposed data processing activities and where appropriate

·        Establishing data protection measures in all information processes

·        Ensuring that an active Fair Processing Notice is in place through which service users are informed about the Trust’s handling of person identifiable data in compliance with the Data Protection legislation

·        Recognising that there will be much tighter rules where consent is the basis for processing.

There are 4 key interlinked strands to the Information Governance Policy:

·        Openness

·        Legal compliance

·        Information security

·        Quality assurance

3.1    Openness
·        Non-confidential information about the Trust and its services should be available to the public through a variety of media, in line with the NHS Code of Conduct & Accountability

·        The Trust will publish a Notice of Fair Processing consistent with the requirements of the Data Protection Act 2018, to provide individuals with information around the purposes for processing their personal data.

·        The Trust will establish and maintain policies to ensure compliance with the Freedom of Information Act 2000

·        The Trust will undertake or commission regular assessments and audits of its policies and arrangements for openness

·        Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients

·        The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media

·        The Trust will have clear procedures and arrangements for handling queries from patients and the public

3.2     Legal Compliance
·        The Trust will comply with the provisions of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 and will establish and maintain appropriate and adequate administration arrangements for responding to data subject access requests within the timescales defined under the Act.

·        The Trust regards all identifiable information relating to patients and staff as confidential except where exemptions can be applied. Trust staff will be made aware of all other relevant legislation and guidance relating to information security and confidentiality.

·        Patients will be informed of the purpose for which information is being collected and who may access it.

·        Trust will identify a lawful basis for processing person identifiable data demonstrating compliance under the new accountability principle of the UK GDPR. (see Appendix B – UK GDPR Principles and Individual Rights)

·        Where appropriate informed and explicit consent will be sought from the data subject and recorded, for the collection, processing and disclosure of data.

·        Procedures and guidance will be provided to ensure appropriate disclosure of patient information, having regard to established professional ethics, patient consent, and formal access controls for clinical records and statutory requirements.

·        The Trust will undertake or commission regular assessments and audits of its compliance with legal requirements.

·        The Trust will establish and maintain policies to ensure compliance with the common law duty of confidentiality and all relevant Acts of Parliament.

·        Patient and/or staff information will be shared with other agencies in accordance with agreed protocols and relevant legislation (e.g. Health and Social Care Act 2012, Crime and Disorder Act 1998, Protection of Children Act 1999).

3.3  Information Security
·        Systems will be established to ensure that corporate records including health records are available and accessible at all times.

·        The Trust will establish effective authorisation procedures for the use and access to confidential information and records. Control over access and disclosure to health records is overseen by the Caldicott Guardian.

·        The Trust will establish and maintain policies for the effective and secure management of its information assets and resources.

·        The Trust will undertake or commission regular assessments and audits of its information and IT security arrangements.

·        The Trust will promote effective confidentiality and security practice to its staff through policies, procedures and training.

·        The Trust will establish and maintain incident reporting procedures which will include the monitoring and investigation where appropriate, of reported instances of actual or potential breaches of confidentiality or information security.

All IG serious incidents will be graded according to the impact of the breach and the likelihood of those serious consequences occurring.  Those that are likely to result in a high risk to the rights and freedoms of individuals must be reported to ICO using the Data Security and Protection Toolkit.

·        The Trust will provide clear and manageable policy for home working and ensure suitable mechanisms are in place to facilitate it.  Employees working from home have a legal obligation to ensure data security and records management practices remain in place in line with Trust policies and guidelines. Ref:  Home Working Policy.  Staff are responsible for taking adequate steps to ensure the security of Trust information and equipment in their own homes and in transit and ensuring that no other person can access or overhear confidential information.

     3.4  Information Quality Assurance

·        The Trust will establish and maintain policies and procedures for information quality assurance and the effective management of records.

·        The Trust will undertake or commission regular assessments and audits of its information quality and records management arrangements.

·        Information Asset Owners and Line Managers are expected to take ownership of, and seek to improve, the quality of information within their services.

·        Wherever possible, information quality should be assured at the point of collection.

·        Data standards will be set through clear and consistent definition of data items, in accordance with national standards.

·        The Trust is working within BS10008 standard.   This outlines best practice for the implementation and operation of electronic managements systems.  The Trust uses an electronic document record management system to store patient records. The standard includes all of the necessary policies and procedures.   It’s designed to help verify and authenticate information to avoid the legal pitfalls of information storage.

Quality control in record conversion is extremely important to the Trust.  Where information is scanned there is the potential for loss of some of the information.   In all cases, the organisation will review the information loss and decide as to whether the loss is acceptable.

4.   MANAGEMENT STRUCTURE AND RESPONSIBILITY

All Trust staff are required to maintain the security, confidentiality, integrity and availability of all Trust information including that which relates to patients and staff. Information Governance responsibilities will be detailed in all job descriptions and staff contracts of employment and in the contracts for all suppliers and other external users. Non-compliance with the policy can result in disciplinary action.