Information governance policy
Document ref: BHT Pol 051
1. Introduction
Information Governance is a framework for ensuring that information is managed securely and lawfully, and that the confidentiality of personal and sensitive information is managed appropriately. Information Governance is concerned with the standards that should apply when information is processed and encompasses how information is obtained, secured, stored, used and shared.
Robust information governance requires clear and effective management, accountability structures, processes, policies and procedures, training and adequate resource.
2. Purpose
Information is a vital and valuable asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in corporate governance, service planning and performance management.
It is of paramount importance to ensure that the Trust’s information and key information assets are efficiently managed, and to have a solid strategy in place to comply in full with the legal, regulatory and governance requirements and mandates.
The purpose of the Policy is to establish a robust governance framework for information management and preserving the confidentiality, integrity, security and accessibility of data, processing systems and information in Buckinghamshire Healthcare NHS Trust. Appendix A provides a more detailed set of requirements in relation to information management and technology security controls.
The Trust will monitor its Information Governance (IG) controls through the NHS Digital Data Security and Protection Toolkit. This is a mandatory performance self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards, and the associated NHS Digital CareCERT suite of services across three leadership obligations:
- People – ensure colleagues are equipped to handle information respectfully and safely, according to the Caldicott Principles
- Process – ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
- Technology – ensure technology is secure and up-to-
3. Scope
This policy applies to all information, information systems, networks, applications, location, associated organisations, colleagues employed or working on behalf of the Trust and third parties supplying goods and services to the Trust.
4. Policy Principles
The principles are to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by the Trust by:
- Ensuring that all colleagues are aware of their personal responsibilities and fully comply with the relevant legislation as described in this and other policies.
- Introducing a consistent approach to security, ensuring that all colleagues fully understand their own responsibility and the need for an appropriate balance between openness and confidentiality in the management and use of information.
- Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day-to-day business and explaining how it should be implemented in the organisation.
- Supporting the principles of corporate governance and recognising its public accountability and at the same time safeguarding the confidentiality and security of both patient and colleagues and commercially sensitive information.
- Recognising the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest
- Protecting information assets under the control of the
- Informing and advising that penalties will be significantly increased for any infringement of the GDPR principles and data breaches.
- Ensuring compliance with data breach notifications as a legal requirement – to be reported to the regulatory authority within 72 hours
- Ensuring records of data processing activities are upheld
- Ensuring the use of data protection impact assessment tool in any proposed data processing activities and where appropriate
- Establishing data protection measures in all information processes
- Ensuring that an active Fair Processing Notice is in place through which service users are informed about the Trust’s handling of person identifiable data in compliance with the Data Protection legislation
- Recognising that there will be much tighter rules where consent is the basis for
There are 4 key interlinked strands to the Information Governance Policy:
- Openness
- Legal compliance
- Information security
- Quality assurance
4.1 Openness
- Non-confidential information about the Trust and its services should be available to the public through a variety of media, in line with the NHS Code of Conduct & Accountability
- The Trust will publish a Notice of Fair Processing consistent with the requirements of the Data Protection Act 2018 and UK GDPR, to provide individuals with information around the purposes for processing their personal data.
- The Trust will establish and maintain policies to ensure compliance with the Freedom of Information Act 2000
- The Trust will undertake or commission regular assessments and audits of its policies and arrangements for openness.
- Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients.
- The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media.
- The Trust will have clear procedures and arrangements for handling queries from patients and the public.
4.2 Legal Compliance
- The Trust will comply with the provisions of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 and will establish and maintain appropriate and adequate administration arrangements for responding to data subject access requests within the timescales defined under the Act.
- The Trust regards all identifiable information relating to patients and colleagues as confidential except where exemptions can be
- Trust colleagues will be made aware of all other relevant legislation and guidance relating to information security and confidentiality.
- Patients will be informed of the purpose for which information is being collected and who may access it.
- The Trust will identify a lawful basis for processing person identifiable data, demonstrating compliance under the new accountability principle of the UK (see Appendix B – UK GDPR Principles and Individual Rights)
- Where appropriate informed and explicit consent will be sought from the data subject and recorded, for the collection, processing and disclosure of data.
- Procedures and guidance will be provided to ensure appropriate disclosure of patient information, having regard to established professional ethics, patient consent, and formal access controls for clinical records and statutory requirements.
- The Trust will undertake or commission regular assessments and audits of its compliance with legal requirements.
- The Trust will establish and maintain policies to ensure compliance with the common law duty of confidentiality and all relevant Acts of Parliament.
- Patient and/or colleague information will be shared with other agencies in accordance with agreed protocols and relevant legislation (e.g. Health and Social Care Act 2012, Crime and Disorder Act 1998, Protection of Children Act 1999).
4.3 Information Security
- Systems will be established to ensure that corporate records including health records are available and accessible at all times.
- The Trust will establish effective authorisation procedures for the use and access to confidential information and records. Control over access and disclosure to health records is overseen by the Caldicott Guardian.
- The Trust will establish and maintain policies for the effective and secure management of its information assets and resources.
- The Trust will undertake or commission regular assessments and audits of its information and IT security arrangements.
- The Trust will promote effective confidentiality and security practice to its colleagues through policies, procedures and training.
- The Trust will establish and maintain incident reporting procedures which will include the monitoring and investigation where appropriate, of reported instances of actual or potential breaches of confidentiality or information security.
All IG serious incidents will be graded according to the impact of the breach and the likelihood of those serious consequences occurring. Those that are likely to result in a high risk to the rights and freedoms of individuals must be reported to ICO using the Data Security and Protection Toolkit.
- The Trust will provide clear and manageable policy for home working and ensure suitable mechanisms are in place to facilitate it. Employees working from home have a legal obligation to ensure data security and records management practices remain in place in line with Trust policies and Ref: Agile Working Policy. Colleagues are responsible for taking adequate steps to ensure the security of Trust information and equipment in their own homes and in transit and ensuring that no other person can access or overhear confidential information.
4.4 Information Quality Assurance
- The Trust will establish and maintain policies and procedures for information quality assurance and the effective management of records.
- The Trust will undertake or commission regular assessments and audits of its information quality and records management arrangements.
- Information Asset Owners and Line Managers are expected to take ownership of, and seek to improve, the quality of information within their services.
- Wherever possible, information quality should be assured at the point of
- Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
- The Trust is working within the BS10008 standard. This outlines best practice for the implementation and operation of electronic managements
The Trust uses an electronic document record management system to store patient records. The standard includes all of the necessary policies and procedures. It is designed to help verify and authenticate information to avoid the legal pitfalls of information storage.
5. Management Structure and Responsibility
All colleagues are required to maintain the security, confidentiality, integrity and availability of all Trust information, including that which relates to patients and colleagues. Information Governance responsibilities will be detailed in all job descriptions and contracts of employment and in the contracts for all suppliers and other external users. Non-compliance with the policy can result in disciplinary action.
Trust Board
- It is the role of the Trust Board to define the Trust’s policy in respect of Information Governance and risk and meeting legal, statutory and NHS requirements.
- Is responsible for ensuring that sufficient resources are provided to support the requirement of the policy.
- The responsibility for this is delegated through the Chief Executive Officer to the Director of Strategy and Business Development as Senior Information Risk Owner (SIRO).
Executive Management Committee
- This committee is the forum for making major operational decisions and assists the Chief Executive in the performance of their duties.
- Development and implementation of strategy, operational plans, policies, procedures and budgets.
- Monitoring of operating and financial performance.
- The assessment and control of risk, prioritisation and allocation of resources.
- Receives and acts on reports from the SIRO through the Caldicott & Information Governance Committee.
Senior Information Risk Owner (SIRO)
- The Senior Information Risk Owner is responsible for and takes ownership of the organisation’s Information Governance/risk policy and acts as advocate for Information Governance risk on the Board.
- Authorises the Data Security and Protection Toolkit Self-Assessment submissions.
- Ensures that an effective information assurance governance infrastructure is in place, including information asset ownership, reporting, defined roles and responsibilities.
- Ensures that the Caldicott and Information Governance Committee have a suitably experienced chairman in place.
Data Protection Officer (DPO)
- The DPO is an expert in data protection, reports directly to the highest level of management and is given the required independence to perform their tasks.
- Informs and assists in monitoring internal compliance with data protection laws and advises on data protection obligations.
- Acts as the first contact point for data subjects and the supervisory authority.
- Raises awareness of data protection issues, trains colleagues and conducts internal audits.
- Advises on, and monitors, data protection impact assessments.
Information Asset Owner (IAO)
- Information Asset Owners are senior individuals involved in running the relevant business.
- Their responsibility is to identify, understand and address risk to the information assets they “own”. Responsible for the operational management of the Trust’s records in accordance with Trust policy.
- Accountable to the SIRO for providing assurance on the security and use of their information assets.
Caldicott & Information Governance Committee
- This committee is responsible for overseeing day-to-day Information Governance issues.
- Develop, maintain and approve policies, standard procedures and guidance.
- Coordinate and raise awareness of Information Governance in the Trust.
- Report on an exception basis to the Trust Management Committee on Information Governance issues and risk.
- Support the Senior Information Risk Manager in completion of their delegated duties.
- Direct and monitor compliance with the NHS Digital Data Security and Protection Toolkit (DSPT).
Caldicott Guardian
- The Caldicott Guardian acts in a strategic, advisory and facilitative capacity in the use and sharing of patient information.
- Responsible for approving, monitoring and reviewing protocols governing access to person identifiable information by colleagues within the Trust and other organisations, both NHS and non-NHS.
Information Governance Manager
- Provides expert technical advice and guidance to the Trust on matters relating to information governance.
- Acts as the Trust Information Security Manager.
- Develops and provides suitable Information Governance training for all colleagues.
- Monitors actual or potential reported information security incidents within the organisation. Refer to policy IG0043 Handling Reported Security Incidents (BHT Pol 221).
- Supports and assists the IT security officer with regard to IT/information security incidents.
- Responsible for the timely completion and submission of the end of financial year DSP Toolkit self-assessment.
Director of IT / Chief Information Security Officer
- Provides expert technical advice to the Trust on matters relating to IT Security and ensures compliance and conformance.
- Acts as the Trust IT Security Manager.
- Supports and assists with regard to IT/information security incidents.
Managers
- Responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance.
- That all job descriptions contain the relevant responsibility for information security, confidentiality and records management.
- That colleagues undertake information governance mandatory training and on-going training needs are routinely assessed.
- Managers shall be individually responsible for the security of their physical environment where information is processed and stored.
- Day-to-day responsibility for the management of Trust records within their respective area/department.
All colleagues
- All colleagues, whether permanent, temporary or contracted, including students, contractors and volunteers, shall comply with information security policy and procedures, including the maintenance of data confidentiality and data integrity, and ensure that no breach of information security or confidentiality results from their actions. Failure to do so may result in disciplinary action.
- All colleagues must ensure they keep appropriate records of their work in the Trust and manage those records in keeping with this policy and with any other guidance subsequently produced.
- Colleagues shall be responsible for the operational security of the information systems they use.
- Colleagues are required to undertake relevant Information Governance training covering confidentiality and information security.
Third Party Contractors/third parties
- Appropriate contracts and confidentiality/information security agreements shall be in place with third party contractors/third parties where potential or actual access to information assets is identified.
6. Legislation and Key Reference Documents
The Trust is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the Trust, who may be held personally accountable for any breaches of information security for which they may be held
The Trust shall comply with the following legislation, key documents and other legislation as appropriate:
- Data Protection Act 2018
- UK General Data Protection Regulation (UK GDPR)
- EU General Data Protection Regulation 2016/679
- The Privacy and Electronic Communications Regulations (PECR)
- The Copyright, Designs and Patents Act (1988)
- The Computer Misuse Act (1990)
- The Health and Safety at Work Act (1974)
- Human Rights Act (1998)
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Health & Social Care Act 2022
- Confidentiality: NHS Code of Practice
- Records Management: NHS Code of Practice for Health and Social Care
- Information Security Management: NHS Code of Practice
- Caldicott Committee Report 1997, Caldicott Review 2 2013 and National Data Guardian for Health and Care Review of Data Security, Consent and Opt-Outs 2016
- The NHS Care Record Guarantee for England 2005 (Revised 2011) sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers people’s access to their own records, controls on others’ access, how access will be monitored and policed, options people have to further limit access, access in an emergency, and what happens when someone cannot make decisions for themselves. Everyone who works for the NHS or for organisations delivering services under contract to the NHS has to comply with this guarantee.
- In 1997 following a review by the National Data Guardian of how patient information was handled across the NHS, the six Caldicott Principles were developed to ensure that such information is protected and only used when it is appropriate to do so. Following a further two reviews in 2013 and 2016, a seventh principle was added and in December 2020 the National Data Guardian announced the inclusion of an eighth Caldicott
These eight principles represent best practice for using and sharing identifiable personal information and should be applied whenever a disclosure of personal information is being considered (see Appendix C – Caldicott Principles).
- In April 2018 the new redesigned Data Security and Protection Toolkit (DSP Toolkit) replaced the Information Governance Toolkit. It forms part of a new framework for assurance that organisations are implementing the ten data security standards recommended by the National Data Guardian and meeting their statutory obligations on data protection and data security (see Appendix D – National Data Guardian Standards).
- In September 2013, the Health and Social Care Information Centre (HSCIC) now known as NHS Digital published “A Guide to Confidentiality in Health & Social Care – Treating confidential information with respect”. This guide summarises existing laws, principles and obligations when using or sharing confidential information and describes the confidentiality rules that people are entitled to expect to be followed in care settings run by the NHS or publicly funded adult social care services.
- The NHS Constitution for England (revised 2013) sets out a series of patients’ rights and NHS pledges. All NHS bodies and private and third sector providers supplying NHS services are required by law to take account of the constitution in their decisions and actions. The relevant right for this requirement is: You have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure.
6.7 Accessible Information Standard.
We, the Trust, are legally required to follow the Accessible Information Standard. The Standard sets out a specific, consistent approach to identifying, recording, flagging, sharing and meeting the information and communication support needs of patients, service users, carers and parents with a disability, impairment or sensory loss.
The aim of the Standard is to establish a framework for identifying, recording and sharing this information so that patients can access services appropriately and independently and remain involved in decisions around their care and treatment.
Examples of accessible communication/contact needs include email, text message and telephone. When alternative contact methods are requested, it is important to remember that patient confidentiality and information security must not be compromised; reference should be made to the appropriate policy, e.g. the ‘IT Acceptable Use Policy’, to ensure consent is appropriately documented and the patient or service user is made aware of the risks involved.
The Standard aims to support everyone with information and / or communication needs relating to a disability, impairment or sensory loss.
This includes, but is not limited to:
- People who are deaf, blind or deafblind;
- People who have hearing and/or visual loss;
- People with a learning disability;
- People who have communication difficulties following a stroke, such as aphasia, or because of a mental health condition.
Individuals with any form or type of disability (or impairment) which affects their ability to read or receive information, to understand information, and/or to communicate, are within the scope of this Standard. Remember, many of the above would be classed as a hidden disability. Patient confidentiality and information security must not be compromised and reference should be made to the appropriate policy, e.g. ‘IT Acceptable Use Policy’, to ensure consent is appropriately documented and the patient or service user is made aware of the risks involved.
6.8 The National Data Opt-out – Sharing Patient Data for Research and Planning Purposes
The National Data Opt-Out allows patients to opt out of their confidential information being used beyond their direct care for certain research and planning purposes. It was introduced on 25 May 2018 in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs. All NHS organisations in England are required to be compliant from 30th September 2021. It does not apply to data that patients have explicitly consented to share, nor to aggregated or anonymised data, only to the use of confidential data without consent.
Colleagues who are involved in sharing data for secondary uses services are required to check with the Business Intelligence Department whether a patient has registered an opt-out or not. Ref: National Data Opt Out Guidance.
7. Monitoring This Policy
Minimum requirement to be monitored | Process for monitoring | Responsible individual undertaking monitoring and producing a report | Frequency of monitoring | Responsible Committee |
Key roles and responsibilities | Review job description and contract | Line manager and HR | Annually | SIRO |
IG Training compliance | Training compliance report | Information Governance | Monthly | Caldicott and IG Committee. DPO |
Information Security breaches | Incident reporting system | Information Governance | Quarterly | Caldicott and IG Committee, SIRO |
Best practice across the Trust | Confidentiality spot checks | Information Governance | Quarterly | Caldicott and IG Committee |
Conformance with Dept of Health and NHS Digital requirements | DSP Toolkit assessment | Information Governance | Twice annually | Caldicott and IG Committee, SIRO |
8. Review of This Policy
This document should be subject to review when any of the following conditions are met:
- The introduction of new legislation highlights errors and omissions in its
- Where other standards / guidance issued by the Trust conflict with the information
- Where the knowledgebase regarding interpretation of the legislation evolves to the extent that revision would bring about improvement.
- 3 years from the ratification
APPENDIX A
INFORMATION MANAGEMENT AND SECURITY FRAMEWORK
Information takes many forms and includes data stored on computers, transmitted across networks, printed copy, handwritten, sent by fax, stored on tapes, diskettes, CDs, DVDs, USB memory sticks and other mobile media, or spoken in conversation and over the telephone. Data represents an extremely valuable asset and to ensure its integrity the Trust must safeguard accuracy and completeness by protecting against unauthorised use/disclosure, modification or intelligent interruption.
The increasing reliance of the NHS on information technology for the processing of data and delivery of healthcare makes it necessary to ensure that these systems are developed, operated, used and maintained in a safe and secure fashion to protect from events, accidental or deliberate, that may jeopardise healthcare activities.
This document is intended to reflect guidance and best practice contained in the “Department of Health Information Security Management: NHS Code of Practice, April 2007” and NHS England – 2017/18 Data Security and Protection Requirements.
The key issues addressed by this framework are:
- Confidentiality: Data is secure and access is confined to those with specified authority to view the data.
- Integrity: All system assets are operating correctly according to specification and in the way the current user believes them to be operating.
- Availability: Relevant information is delivered to the right person when it is needed.
1. Data Security and Protection Awareness Training
- Data Security and Protection awareness training shall be included in the induction
- An ongoing awareness programme shall be established and maintained in order to ensure that colleague awareness is refreshed and updated annually.
2. Contracts of Employment
- Colleague security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain a confidentiality clause.
- Information security expectations of colleagues shall be included within appropriate job
- All contract agreements with Third Party suppliers of goods, services or consultancy with access or possible access to Trust information assets shall contain a confidentiality clause and an undertaking that any information obtained during the course of performing the contract is confidential, shall only be used for the sole purpose of the execution of the contract, and that they will take all necessary precautions to ensure that all such information is kept secure. They also must sign up to the Trust Third Party Confidentiality Code of Conduct & Non-Disclosure agreement, IG0012 v11.
3. Security Control of Assets
- Each information asset, (hardware, software, IT application or data) shall have a named information asset owner who shall be responsible for the information security of that
- A register of all computing assets and their “owners” will be established and maintained by the IT
4. Access Controls to IT secure Areas
- Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information system and data storage facilities. Records of access will be maintained.
5. User Access Controls and monitoring
- Access to information shall be restricted to authorised users who have a bona-fide business need to access the information.
- Electronic audit trail shall be maintained and reviewed as necessary where the system is capable of providing these.
6. Computer Access Control
- Access to computer facilities shall be restricted to authorised users who have a business need to use the facilities.
- Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need, e.g. systems or database administrators.
7. Security of IT system
- In order to minimise loss or damage to all assets, equipment shall be physically protected from threats and environmental hazards.
- The Trust will define certain locations as IT secure areas and the equipment will be installed and sited in accordance with the manufacturer’s
- All items of computer equipment must be recorded on the Trust register of IT assets.
- IT equipment should be kept out of view of the general public if possible; where this is not possible, computer screens should not normally be visible from public circulation
- Wherever possible screen savers should be applied.
- Areas housing computer equipment should keep the doors and windows closed or locked when
8. IT System Management
- Responsibilities will be appropriately assigned for the management of IT systems. These will include the management, monitoring and auditing of access to IT systems and the timely management of new starters and leavers and those changing job role. In addition, the National Programme for IT (NPfIT) requires Trusts to have established appropriate confidentiality audit
9. Computer and Network Procedures
- Management of computer and networks shall be controlled through standard documented procedures that have been authorised by the IT Department.
- Network risk assessments will be developed and undertaken routinely by the IT
- A register of both internal and external users and systems will be maintained by the IT department who will be responsible for determining and controlling access rights.
- The Trust’s network is protected from intrusion by a series of controls implemented on Trust firewalls, and these are checked on a regular basis and updated as appropriate or as required.
10. Protection from Malicious Software
- The Trust shall use software countermeasures and management procedures to protect itself against the threat of malicious
- The Trust will maintain an IT Virus Control Procedure.
11. User media
- Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the IT Security Officer before they may be used on the Trust’s systems. Such media must also be fully virus checked before being used on the organisation’s
- Users breaching this requirement may be subject to disciplinary action.
- Colleagues and contractors who are permitted to use portable media to transfer person identifiable data in the performance of their duties must apply industry standard AES256 data encryption procedures. Only the Trust approved encrypted memory/USB sticks may be used where use of these is deemed necessary.
- The use of port control will restrict access only to Trust permitted devices.
12. Access to the Internet and Email
- The Trust will ensure adequate provision of user training to support access to Internet and
- The Trust will maintain appropriate policies covering all areas regarding access to the internet and use of email.
13. System Procurement and Acceptance
- Trust policies on security and confidentiality must be reflected in any procurement for new or enhanced systems. All purchases of hardware, software and other related IT services (e.g. IT support, maintenance or consultancy) must be made through the Trust's approved purchasing arrangements using the standard NHS Terms and Conditions. Managers must ensure that the Trust policy – Policy for the Procurement or Implementation of New IT Systems, Databases, Software and Information Flows – IG0025 and the acceptance criteria are agreed with the supplier and Trust IG & IT services to provide sufficient guarantee that the requirements of the GDPR will be met.
- The IG0025 and the Business Case for each procurement must be presented at the Capital Management Group and be approved before the procurement can proceed. Failure to do so may result in a delay in system installation.
14. Accreditation of Information Systems
- The Trust shall ensure that all new information systems, applications and networks include a security plan and are risk assessed and are approved by the IT Security Officer and Information Security Officer before they commence operation.
15. System Change Control
- Changes to information systems, applications or networks shall be reviewed and approved by the Director of IT.
16. Intellectual Property Rights
- The Trust shall ensure that all information products are properly licensed and approved by the IT Department. Users shall not install software on the Trust's property without permission from the IT Department.
17. Information Risk Assessment and Management
- All key/critical computer systems will be subject to periodic risk assessments carried out by systems managers/administrators. In the cases of manual information processes, line managers will carry out risk assessments.
- The Trust will develop a procedure for carrying out IM&T systems risk assessments. The procedure will include:
- Roles and Responsibilities
- Timescales
- Planned and unplanned assessments
- Assessment of assets of the system
- Evaluation of potential threats/risks
- Assessment of likelihood of threats/risks occurring
- Identification of practical cost effective treatment plans
- Implementation programme for treatment plans
- Reporting
Once identified, information security risks shall be managed on a formal basis. They shall be recorded within a baseline risk register and action plans shall be put in place to effectively manage those risks. The risk register and all associated actions shall be reviewed at regular intervals. Any implemented information security arrangements shall also be a regularly reviewed feature of the Trust's risk management programme.
18. Business Continuity and Disaster Recovery Plans
- The Trust shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and
- Information Asset Owners (IAOs) are responsible for ensuring that business continuity plans are in place and for identifying the need for early review due to, for example, system or environment
- Each plan for coping with disastrous failure must be approved by the appropriate level of authority in the Trust and be adequately resourced.
19. Data Quality and Validation
- The Information Asset Owners will ensure there is up to date, complete and accurate data within the information systems that support operational and clinical decision-making. Where possible, validation of data entry and data analysis at input stage will be incorporated and
20. Information and Cyber Security Incident Management
- All information and cyber security events and suspected weaknesses must be reported through the Trust Incident Reporting Policy & Procedures. The Information Security Officer/Information Governance Manager will maintain an Information Governance procedure for Reported Information Security Incidents. Information and cyber security events shall be appropriately reviewed to establish their cause and impact with a view to avoiding similar events.
21. Disposal of IT Equipment and/or Confidential/Sensitive Data
- IT equipment disposal must only be authorised by the IT Department.
- The IT department must ensure that, where possible, data storage devices are securely purged of sensitive data before disposal, and must organise any proposed secure destruction arrangements where this is not possible.
- A procedure for disposal will be documented and retained by the IT Department.
- Unusable computer media must be destroyed (e.g. floppy disks, magnetic tapes, CD-ROMs). Where this is performed by an approved third party organisation, a certificate of disposal must be obtained.
- All data must be disposed of securely and in accordance with the relevant legislation and Trust policies.
- Contracts with third party suppliers must have clauses relating to the safe and secure disposal of media containing data processed on behalf of the Trust.
- Disposal of equipment must be in accordance with the Trust Standing Orders and Standing Financial Instructions.
22. Standards of Business Conduct/Declaration of Interests
All colleagues and members of the Board must comply with the Trust ‘Guidance on Standards of Business Conduct for Trust Staff’ available on the Trust intranet.