information security policy - lambethccg.nhs.uk · 12.1 key legislative and regulatory environment...

Document Title Information Security Policy Issue Date: March 2018 Document Status: RATIFIED File location: S:/Lambeth Share/Lam/CCG/Shared Documents/Policies

Review Date: November 2020 Version: 1.2

of 22

This document is uncontrolled once printed. Please check on the CCG’s Internet site for the most up to date version

Information Security Policy

Document Title: Information Security Policy Issue Date: March 2018 Document Status: RATIFIED File location: S:/Lambeth Share/Lam/CCG/Shared Documents/Policies


of 22

Document control

Document Information

Document Name:

Information Security Policy

Directorate: Governance and Development

Consultation: Information Governance Steering Group

Approved by: Information Governance Steering Group Date: 30 November 2017

Ratified by Integrated Governance Committee agreed approval by Chair’s action Chair’s action

Date 7 Feb 2018 6 March 2018

Supersedes: V1.1 version

Description: Policy outlining the organisational approach and objectives for the Security of Information held and used by NHS Clinical Commissioning Group

Audience: All staff

Contact details: NEL Commissioning Support Unit, Information Governance Function Email: [email protected]

Change History Version Date Author Approver Reason 0.1 May-13 SL CSU,IG

Manager, H Thomas

SL CSU, Head of IG, D Stone

1st Draft

0.2 23 Oct 13 SL CSU IG Manager

Integrated Governance Committee

Quality Assurance review

1.0 Mar 14 SL CSU, IG Manager, A Ford

Minor Amendments

1.1 November 14

J Earley Interim Governance Manager

Information Governance Committee

Minor amendments

1.2 Nov 2017 NEL CSU IG Team

IGSG Update CSU references and Re-approval

mailto:[email protected]



of 22

Table of Contents 1 Introduction ....................................................................................................................................... 6

1.1 Policy statement and aim ................................................................................................... 6

1.2 Objectives ............................................................................................................................. 7

1.3 Promoting Equality .............................................................................................................. 8 2 Scope of this Policy ......................................................................................................................... 8 3 Governance ...................................................................................................................................... 9

3.1 Roles and Responsibilities ................................................................................................. 9

3.2 Provision of Information Services by Third Parties ........................................................ 9 4 Information Security Assurance Plan ......................................................................................... 10

4.1 Overview ............................................................................................................................. 10

4.2 Management of Information Risk .................................................................................... 10

4.3 System Level Security Policies ....................................................................................... 10

4.4 Information Security Incidents ......................................................................................... 11

4.5 Information Sharing and Transmission .......................................................................... 11

4.6 Performance of Information Systems ............................................................................. 11

4.7 Change Management ....................................................................................................... 12

4.8 Mandatory Controls ........................................................................................................... 12

4.9 Information Risk Owner Review ...................................................................................... 12 5 Information Security Principles ................................................................................................... 12

5.1 Access Control ................................................................................................................... 12

5.2 Responsibility for Equipment ........................................................................................... 12 6 Information Security Incidents and Events ................................................................................ 13

6.1 Identifying Information Security Incidents ...................................................................... 13

6.2 Examples of Information Security Incidents .................................................................. 13

6.3 Management of Information Security Incidents ............................................................ 13 7 External Information Security Incidents and Events ................................................................ 13

7.1 Provision of service by third parties. ............................................................................... 13

7.2 Nominated Contact Point or Security Manager ............................................................ 13 8 Performance ................................................................................................................................... 14

8.1 Measures of ICT Performance ........................................................................................ 14

8.2 Other Security Performance Measures ......................................................................... 14 9 Change Management ................................................................................................................... 14

9.1 Change Management that requires SIRO sign off ....................................................... 15

9.2 Change Management that requires Caldicott Guardian sign off ................................ 15

9.3 Sign off where these criteria do not apply ..................................................................... 15 10 Audit and monitoring criteria ........................................................................................................ 15



of 22

10.1 Monitoring and Reporting of compliance ....................................................................... 15

Table 1 Control Audit .................................................................................................................... 16

10.2 Non Compliance ................................................................................................................ 17 11 Review ............................................................................................................................................ 17

11.1 Next formal review ............................................................................................................. 17

11.2 Latest Version .................................................................................................................... 17 12 Statement of evidence/references .............................................................................................. 17

12.1 Key Legislative and Regulatory Environment ............................................................... 17

12.2 Other References .............................................................................................................. 18 13 Implementation and dissemination of document ...................................................................... 18 Annexe A -Equality & Equity Impact Assessment Checklist .............................................................. 19 Annexe B - Definitions .............................................................................................................................. 21



of 22

Document Consultation Record Version Date Name Post Organisation Comments 0.1 08-Aug-13 L

Struffolino IG Business Manager CSU Style and

grammar 0.1 08/10/2013 I Allsup IG Manager SL CSU Content 0.1 Oct 2013 IGSG IGSG LCCG Style and

grammar 1.1 November

2014 J Earley Interim Governance

Manager Lambeth CCG

Minor amendments

1.2 November 2017

IGSG IGSG Lambeth CCG

Minor amendments



of 22

1 Introduction 1.1 Policy statement and aim

This policy will set out the objectives and framework for the management of information within NHS Lambeth Clinical Commissioning Group to ensure its security, maintaining its confidentiality, integrity and availability. This includes meeting our obligations under legislation to those we hold information about, supporting the on-going development of the Organisation and ensuring that innovation supports our Organisation’s development without undermining the security of the information we hold. This policy and commitment extends to the services we commission, ensuring their appropriate use and control of information to deliver high quality healthcare and to support our patients and our Organisation. This policy outlines the legal, regulatory and best practice framework that this Organisation works to and the methods we will use to deliver and maintain this policy. Background This document defines the information security principles and objectives for NHS Lambeth Clinical Commissioning Group “the Organisation”. It outlines the systems that ensure current information security obligations are met, how changes, performance and incidents are governed. This document sets the policy, stating the required standard.

Information is an asset that, like other important business assets, is essential to our organisation’s business and needs to be suitably protected. Its security must be maintained to the standards expected in law, regulations and contract. The standard for the public sector is mandated by the Cabinet Office. It supports the confidentiality, integrity and availability of the information held, processed and the responsibility of the Organisation. It is supported by an assurance process that demonstrates the on-going management of the security of information, the associated risk and the process of change to ensure the correct controls are in place. The standard ISO/IEC 27002:2005 describes information security and information in the following terms, which set the remit and principles behind this policy and related controls:

“Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected. Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.”



of 22

This Organisation will achieve information security by the implementation, monitoring and improvement of suitable controls. As a commissioner of services we require services we commission to ensure the on-going security of information with those providing services. The Organisation is responsible for driving improvements in Information Governance from these services and monitoring their management of risks associated with information security and any failures to maintain standards of information security. This ensures an efficient, effective and accountable service supporting high quality healthcare and appropriate clinical decision making. In those instances where we appropriately share or publish information we must ensure that this done in a lawful and secure manner. The policy is part of a suite related to Information Governance which set out the expected standards and controls around its use. They are: Information Governance, Information Quality, Information Management and Information Security. The concepts and standards are interrelated. It is important to consider all of our obligations and intentions across the suite of policies.

1.2 Objectives This policy sets out NHS Lambeth Clinical Commissioning Group’s objectives and principles for ensuring the security of information within its remit. The policy identifies the resources, priorities and risks required to ensure information security management is carried out to the appropriate standard. Our key objectives in information security are to maintain and improve Confidentiality - Access to Information is confined to those with appropriate authority

and a legitimate relationship to it; Integrity – Information shall be complete and accurate. All systems, assets and

networks shall operate correctly, according to specification; Availability - Information shall be available and delivered to the right person, at the

time when it is needed. To achieve this, the policy sets out: The Organisation’s information security obligations; The key areas of control and management of risk for information security across the

organisation; How the Organisation will assess where information security impacts on business

processes and how assurance is provided; The expectation on the management of Information Assets, ICT systems and

information to deliver information security and assurance; The responsibilities of staff in maintaining Information Security. The primary aims of information security are to: To understand where risks to information security originate, what issues that arise

and the management of those risks; To protect information assets from threats, both internal and external.



of 22

1.3 Promoting Equality Information Governance promotes the fair, equitable and open access to high quality healthcare. By promoting better security of information this Organisation can meet its statutory duty to address health inequality and commission high quality healthcare.

2 Scope of this Policy This policy is applicable to: All records, information and data held and processed by NHS Lambeth Clinical

Commissioning Group. All information must be managed and held within a controlled environment and to a standard of accuracy and completeness. This includes personal data of patients and staff, patient level data (non-identifiable) as well as corporate information. It applies to records, information and data regardless of format, in addition to legacy data held by the Organisation;

All records, information and data held must be in a structured secure environment; this applies to confidential information/data or information/data that is disclosed under the Freedom of Information Act or already in the public domain on the internet for the organisation;

This policy addresses the required security to be applied to electronic records. The management and security that must be applied to paper records is contained in the Information Management policy;

The standards expected from services commissioned by our Organisation for healthcare and non-healthcare purposes;

All permanent, contract or temporary personnel and all third parties who have access to NHS Lambeth Clinical Commissioning Groups premises, systems or information. Any reference to staff within this document also refers to those working on behalf of the Organisation on a temporary, contractual or voluntary basis. This includes Members of the Clinical Commissioning Group discharging obligations, roles or work on behalf of the Organisation;

Information systems, data sets, computer systems, networks, software and information created, held or processed on these systems, together with printed output from these systems;

All means of communicating information, both within and outside the Organisation and both paper and electronic, including data and voice transmissions, emails, post, fax, voice and video conferencing.

The Cabinet Office defines data as ‘qualitative or quantitative statements or numbers that are assumed to be factual, and not the product of analysis or interpretation’ and Information as ‘output of some process that summarises, interprets or otherwise represents data to convey meaning’. See Annexe B for definitions



of 22

3 Governance 3.1 Roles and Responsibilities

Responsibility and accountability ultimately resides with the Accountable Officer for NHS Lambeth Clinical Commissioning Group, the Chief Officer. S/he is supported in this role by the work of the Clinical Commissioning Groups Governing Board and delegated sub-committees as outlined in the Information Governance Framework.

The Senior Information Risk Owner (SIRO) is a member of the Governing Body accountable to it for the appropriate management of risk associated with the Organisation’s use and holding of information. The CCG’s SIRO is Chief Officer Andrew Eyres. The Caldicott Guardian (CG) is responsible for leading the assurance agenda for the use of personal information within NHS Lambeth Clinical Commissioning Group. They are responsible for advising the Governing Body on the standards expected for maintaining the expected standards of confidentiality and data protection. The CCG’s Caldicott Guardian is Adrian McLachlan. Both the SIRO and Caldicott Guardian are responsible for ensuring that the Organisation’s appropriate standards are set and met, and that relevant risks are identified. The Information Governance Steering Group of the Governing Body has delegated authority, and responsibilities outlined in its terms of reference. The Governing Body of NHS Lambeth Clinical Commissioning Group is responsible for approving the policy and strategy framework. The Information Governance Steering Group reports to the Governing Body and the Integrated Governance Committee, which monitors the implementation of the policy and approves necessary supporting controls such as protocols and procedures. Senior managers are responsible for identifying and managing information risks in their remit. Staff nominated as Information Risk Owners (Information Asset Owners - IAO) and those responsible for operating Information Assets as Information Risk Administrators (Information Asset Administrators - IAA) are accountable to the SIRO for the appropriate identification and management of risks. Information Security risks form a vital part of the role and assurance required from these post holders. All staff are responsible for maintaining the controls for the use of information. These include operating policy, protocol and procedures, completing mandated training and ensuring they are aware and comply with legal obligations. Line managers are responsible for ensuring the required standards are met.

3.2 Provision of Information Services by Third Parties

Several key Information Services are commissioned by NHS Lambeth Clinical Commissioning Group which play a crucial part in maintaining information security. This includes Information and Communications Technology (“ICT”), Business Intelligence



of 22

(also referred to as Informatics) as well as physical security. Providers will be contracted to ensure the required standards of security, will routinely give assurance and the on-going management of associated risks. They will do so within a framework of written controls, risk management and systems to monitor and provide assurance. Scrutiny of these functions will be undertaken by NHS Lambeth Clinical Commissioning Group as detailed in the relevant contract and in line with the Accountability and Responsibility detailed within this policy. It is expected that routine reports and evidence of the controls in place will be provided to this Organisation, in a timely and appropriate manner. This will need to be in line with relevant assurance processes such as audit, the requirements of the Information Governance Toolkit and Risk Management.

4 Information Security Assurance Plan 4.1 Overview

NHS Lambeth Clinical Commissioning Group uses several mechanisms to manage information security. These are detailed below and in the relevant written controls. It is assumed that any ICT service and physical security service providers will maintain a list of information security issues, risks and mitigations for routine discussion with the SIRO. This includes information that is held on-site and with current networks, as well as that held off-site and off-line, including appropriate disposal and destruction processes to the required standard.

4.2 Management of Information Risk In order to appropriately manage Information Risk and appropriately prioritise the Information Security Assurance Plan, it is important to identify and quantify risk through the routine work of the Organisation and those providing key services, such as ICT. This risk needs to account for the value of the asset, the potential severity of any impact and the likelihood of an occurrence. It is undertaken in line with the Risk and Assurance framework for the Organisation. Risks are captured in the relevant Departmental Risk Register and will be reviewed on a regular basis. Risk Registers will be maintained for each ICT Network and contribute to the overall Corporate Risk Register through inclusion in the Directorate Risk Register. These are reviewed on a regular basis in accordance with the Organisation’s Risk Management and Assurance Framework.

4.3 System Level Security Policies Each Key Information System (Asset) is required to have a system level security policy that details, where appropriate: Access control requirement specifications (such as whether two part authentication is

required and is in place); Authorisation process for access to the system (user registration and deregistration); Assignment of responsibilities for the system (access, maintain and issue resolution); Details on system design and dependencies; Provisions for reports generated by system utilities on use and audit logs;



of 22

What system documentation is in place; Login controls (e.g. password strength and threshold of failed logins); Backup requirements; Back-up data testing arrangements; Business Continuity or Back-up plans for system data and software applications; Details of UPS technologies or other system continuity support; Schedules of tests; Input data validation; Risk Assessment for the System on key areas. The policy must detail what security reports are available and who can provide them for the following issues, where appropriate: Access log files generated by the system; Current User overview; Account monitoring (unused accounts etc.); Forensic Readiness assessment. The system level policy will be reviewed on at least an annual basis.

4.3.1 Definition of a Key Information System (Asset) Key Information Systems (Assets) are defined as: Systems which other business critical assets are dependent upon (e.g. Network); Business Critical.

4.4 Information Security Incidents All information Security Incidents will be recorded and reported to the SIRO on a routine basis in line with the relevant protocol. The report will note which issues were resolved, which have been escalated as risks and the associated action plan for the management or mitigation of the risk.

4.5 Information Sharing and Transmission Where information is shared or transmitted, maintaining the security, confidentiality and integrity of the data is a requirement of the Organisation’s legal obligations. This is in addition to ensuring an appropriate lawful basis. No Personal Confidential Data should be shared, transmitted or published without the appropriate approval of the Organisation or reference to the relevant process, such as legal disclosure or disclosure under Data Protection or Access to Health Care provisions.

4.6 Performance of Information Systems The performance of Information systems and dependencies will be provided to the SIRO and Director with responsibility for ICT, where applicable, on at least a quarterly basis. Any risks resulting from performance will be added to the relevant Risk Register in line with the Risk Management and Assurance Framework. Information Systems consist of but are not limited to: Network; Servers; Key databases and datasets (such as SUS); Email systems; Portable devices (such as laptops, memory sticks).



of 22

4.7 Change Management The SIRO will sign off on the Change Management process for each Network and Key Information Asset and will be advised of any changes that impact on Information Security. A Risk Assessment will be provided along with an outline of the proposed change. This will include details of the nominated Senior Responsible Officer for the change and Project Board where possible, as well as the reporting line to NHS Lambeth Clinical Commissioning Group. It is expected that a Privacy Impact Assessment which includes Information Security Assurance will be provided to the SIRO as part of the process of routine management and in good time to effect change.

4.8 Mandatory Controls Assurance will be regularly required from NHS SL CSU on the mandatory controls in place for Information Assets through a number of measures. It is expected to be part of routine ICT performance reports, for the assets within their control, part of the review and risk assessment of Information Risk Owners and a deliverable of the change management approval process.

4.9 Information Risk Owner Review Information Risk Owners are required to provide an annual update to the Senior Information Risk Owner on the management of information risks related to the information assets utilised within their remit. This includes a review of the controls and their effectiveness, on at least an annual basis.

5 Information Security Principles 5.1 Access Control

Access Control is required for the management of appropriate access to all information assets. Access will be restricted to any information that is sensitive, confidential or containing personal confidential data. Access control requirements will be elaborated for information assets and within System Level Policies, as required.

Access Control will be routinely monitored, audited and removed promptly once a legitimate basis for access no longer exists for a member of staff. Access will be provided in line with the training and awareness provided to staff. Appropriate authentication of users is required for both information and physical systems, the standards required will be outlined in the relevant system requirements.

5.2 Responsibility for Equipment Any equipment issued to staff is for the purposes of conducting the business of the Organisation and is required to be used in an appropriate and professional manner. Staff are responsible for the equipment issued to them and to follow the appropriate protocols and procedures for working off site, working remotely and for the return of any equipment no longer required by the staff member.



of 22

6 Information Security Incidents and Events 6.1 Identifying Information Security Incidents

All information security incidents should be reported to the relevant ICT Helpdesk upon detection. These should be highlighted to the nominated information security officer for the relevant organisation and, where appropriate, to the Information Governance function.

6.2 Examples of Information Security Incidents Information Security Incidents include: Viruses; Inappropriate access to confidential files or folders; Use or suspected use of another members of staff’s login for email, network or

system or smartcard; Suspected or known disclosure of your smartcard; Accidental or intentional damage to the accuracy of data; Slow computers; Pop‐Ups; Use of unencrypted laptops, USB sticks for the transport of confidential

information/data; Leaving smartcards unattended; Unattended IT Assets (laptops, USB sticks, etc.). The helpdesk will advise users of any additional steps that are required, including initiating Incident investigation policy and procedure as outlined in the relevant Serious Incident and Investigation Policy and Procedure.

6.3 Management of Information Security Incidents Management of Information Security Incidents and Near Misses will be in line with the relevant policy and will be escalated in line the relevant policy.

7 External Information Security Incidents and Events 7.1 Provision of service by third parties.

All contracts and service level agreements with external service providers for ICT, commissioned services or other services with information security implications must outline the reporting and escalation process to NHS Lambeth Clinical Commissioning Group. These incidents must be included in the report to the SIRO and must meet the minimum standard outlined by the relevant NHS or Information Security Standard.

7.2 Nominated Contact Point or Security Manager Where services are provided by a third party, a nominated contact point or security manager must be identified. This post holder will provide updates on issues and resolutions in a timely and appropriate manner to the Organisation to the standard required by the contract or service level agreement.



of 22

8 Performance 8.1 Measures of ICT Performance

All providers of ICT services will provide reports on ICT performance on a routine basis. These will be made available to the SIRO and will be scrutinized in line with the Information Security Framework. These reports will be provided for the reporting period: The level of performance for different teams and services (for example Network,

Voice and Mobile Working); Change Control management; Information Security priorities and actions; Network capacity, trends and management; Server capacity, trends and management; The number of helpdesk calls received, resolved and open; Number of User authorised User accounts; Number of User accounts activated; Number of User accounts deactivated; Number of Information Security Incidents, Events or Near Misses; Lessons Learnt from Information Security Incidents; Compliance Monitoring; Audit findings and reports; Review Meetings; Changes to Controls and system policies; System intrusion reports; Virus software effectiveness; User Surveys.

8.2 Other Security Performance Measures It is expected that the Physical Security and other issues will be managed in line with the relevant protocol and assurance structure. This will include site security, incident management, office moves, changes and decommissioning.

9 Change Management All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and will comply with Information Management, Quality, Governance and Security accreditation. They will account for data quality, confidentiality and data protection requirements It is required that the impact of any change is assessed and signed off before the change process is initiated. This change will include: A privacy impact assessment for changes impacting on data A security assessment for changes that impact on ICT security (network, telephony)

or physical security A risk assessment on the potential risks of the change incorporating any risks to the

delivery of the change. This risk assessment must balance the benefits of undertaking the change against the risks, and of those risks of not undertaking the change.

A procurement and contract requirement review for any use of third parties for the provision of services impacting on information management or security.



of 22

Further guidance on the change process can be found in the Information Governance Framework.

9.1 Change Management that requires SIRO sign off Where the following criteria apply, SIRO sign off will be required before any Change can commence: Changes that impact upon Key Information Assets or Systems; Changes that impact on the service provision to significant number of staff; Changes that impact upon the service provided to customers of significant value per

annum; Any changes that impact upon more than significant number of patients; Any changes with a risk assessment rating of 15 (See the Risk Management Process

for more detail). The precise definition of ‘significant’ will be set out in the Information Governance Framework and appropriate Change Control process in agreement with the SIRO.

9.2 Change Management that requires Caldicott Guardian sign off Where the following criteria apply Caldicott Guardian, for the relevant Organisation(s), will be required before any Change can commence: Where patient records (regardless of format) are impacted Where a privacy impact assessment has indicated a significant change or threat to

privacy 9.3 Sign off where these criteria do not apply

Where these criteria do not apply, sign off will be provided by the principle Information Risk Owner effected or the Director acting as Senior Responsible Officer for the project/change.

10 Audit and monitoring criteria 10.1 Monitoring and Reporting of compliance

This policy and the associated controls will be monitored through the Information Risk Management system for the Organisation. The Information Risk Register will be reviewed on a monthly basis, in response to any information incident or enforcement action by the Information Commissioner’s Office. Information Risk Management will be a key component of wider assurance and control in setting the priorities for the information governance work plan for Information Quality. Further assurance will be provided through the Information Governance Toolkit (IGT) and the associated audit. Reviews of the current controls and their operation will be undertaken in line with a quarterly timescales, as a minimum, in line with the expectations of the Information Governance Toolkit. It is noted that the Toolkit may require supplementary work to ensure broader assurance. Information Risk Owners, assisted by Information Risk Administrators, will be required to routinely review the Risks and Information Flows associated with the Information Assets utilised to fulfil the business functions and activities within their remit.



of 22

Further monitoring will be undertaken through the change control process.

Table 1 provides more details Table 1 Control Audit

Control Audit and Monitoring Table Monitoring requirements ‘What in this document do we have to monitor’

The management of information risks (Information Risk Management) Compliance with the law Compliance with the Information Governance Toolkit Incidents related to the breach of this policy

Monitoring Method Information Risks will be monitored through the Information Risk Register and management system. Compliance with law will be monitored through audit, work directed by the Information Governance Toolkit and as directed by Information Risk Management The Information Governance Toolkit will be monitored by assessment of evidence against the objective of the relevant requirement. In addition, the IGT will be audited by the Organisation’s internal audit function before the annual submission. Incident reporting and management requirements

Monitoring prepared by Information Governance Function NEL CSU supporting the IG Lead for NHS Lambeth Clinical Commissioning Group and Information Governance Steering Group Incident reports will be produced by the nominated investigation officer

Monitoring presented to Information Governance Steering Group Senior Information Risk Owner Caldicott Guardian Nominated Governing Body Responsible Senior Manager for Records Management NHS Lambeth Clinical Commissioning Group Governing Body and Accountable Officer

Frequency of Review Monthly updates will be provided to the IG Steering Group, the SIRO and the CG Relevant Information Risks will be added to the Corporate Risk Register and reported in line with Risk Management system Annual (as a minimum) updates to the Governing Body will be provided. The internal audit report on IGT performance will be provided to the Governing Body or delegated sub-committee. Incident Reports will be reviewed on an annual basis and as directed by the seriousness of the incident



of 22

10.2 Non Compliance

Failure to comply with the standards and appropriate governance of information as detailed in this policy, supporting protocols and procedures can result in disciplinary action. All staff are reminded that this policy covers several aspects of legal compliance that they are responsible for as individuals. Failure to maintain these standards can result in criminal proceedings against the individual. These include but are not limited to:

Common law duty of confidentiality Computer Misuse Act 1990 Data Protection Act 1998 Freedom of Information Act 2000 Human Rights Act 1998 Public Records Act 1958

For a full list of relevant legislation and guidance see the Information Governance

Framework. 11 Review 11.1 Next formal review

Review will take place of the 1st anniversary of adoption and subsequently every three years until rescinded or superseded.

11.2 Latest Version The audience of this document should be aware that a physical copy may not be the latest version. The latest version, which supersedes all previous versions, is available in the policy register for the Organisation. Those to whom this policy applies are responsible for familiarising themselves periodically with the latest version and for complying with policy requirements at all times.

12 Statement of evidence/references A full list of guidelines, evidence and references will be provided and maintained in the Information Governance Framework.

12.1 Key Legislative and Regulatory Environment The following is a list of the Key legislative and Regulatory Framework Legislation

Data Protection Act 1998 Freedom of Information Act 2000 Computer Misuse Act 1990 Common law duty of confidentiality Human Rights Act 1998 Health and Social Care Act 2012 Regulation and Guidance NHS Constitution Information Commissioner Offices guidance, passim. Care Quality Commission Requirements (for commissioned healthcare services)



of 22

A full list of current guidance will be maintained in the Information Governance Framework.

12.2 Other References Other relevant policies are: Information Governance Information Quality Information Management

A list of related protocols and procedures will be maintained in the Information Governance Framework

13 Implementation and dissemination of document The Policy, once approved will be shared with all staff through the staff email, updated on the intranet, included in staff briefings and place in the policy register. A team and management briefing will be provided to support this dissemination. In addition to the monitoring detailed above, awareness of the policy will be checked through a staff survey and spot checks on at least an annual basis.



of 22

Annexe A -Equality & Equity Impact Assessment Checklist This is a checklist to ensure relevant equality and equity aspects of proposals, policy or guidance have been addressed either in the main body of the document or in a separate equality & equity impact assessment (EEIA)/ equality analysis. It is not a substitute for EEIA/ equality analysis which is normally required unless it can be shown that a proposal has no capacity to influence equality. The checklist is to enable the policy lead and the relevant committee to see whether the EEIA has covered the ground and to give assurance that the proposals will not only be legal but also fair and equitable and lead to reduced health inequality. Challenge questions Yes/No/

DK/NA Comments

1. Does the document set out the health care needs of the groups intended to benefit from the proposal, including any differences in need in terms of the legally protected or other characteristics (such as socioeconomic position)

N/A

2. Does the document set out any known existing inequality in access, quality, experience and outcome of care for populations relevant to the proposal (ie as defined in 1. and in relation to the existing health or care service)?

N/A

3. Are there any particular public concerns about equality about the policy area that need to be addressed?

No

4. Has the policy described any gaps in knowledge about 1 -3, and any action taken to fill gaps (or recommendations for action)

No

5.

Does the document set out risks to equity of access, quality, experience and outcomes including risk of direct or indirect discrimination, and risk to good relations between people of different groups?

No

Within the policy is a section on Promoting Equality. Information Governance promotes the fair, equitable and opens access to

high quality healthcare. By promoting better security of

information this Organisation can meet its statutory duty to address health inequality and commission

high quality healthcare. 6. Does the document describe any

specific opportunities to promote equality and human rights, good relations between people of different

No



of 22

groups, to enhance participation, etc?

7. Does the document describe how the proposal, policy etc will address the identified inequalities?

No

8. Does the document make recommendations to mitigate risks and enhance the opportunities to promote equality and equity?

Yes

9. Does the document describe how monitoring and reporting will take place to assure equality and equity in the future including to stakeholders. [audit and monitoring table may be used]

No

* Race/ ethnicity, gender (including gender reassignment) age, religion or belief, disability, sexual orientation, marriage or civil partnership, pregnancy and maternity. This will include groups such as refugees and asylum seekers, new migrants, Gypsy and Traveller communities; and people with long term conditions, hearing or visual impairments, mental health problems or learning disability



of 22

Annexe B - Definitions Term Definition Source Data Data is used to describe ‘qualitative or quantitative statements

or numbers that are assumed to be factual, and not the product of analysis or interpretation.’

Definition taken from The Information Governance Review, Mar 2013 (Gateway Ref: 2900774)1 based on the Cabinet Office definition

Information Information is the ‘output of some process that summarises interprets or otherwise represents data to convey meaning.’

Definition taken from The Information Governance Review, Mar 2013 (Gateway Ref: 2900774)

Personal Confidential Data or PCD

This term describes personal information about identified or identifiable individuals, which should be kept private or secret. For the purposes of this review ‘personal’ includes the Data Protection Act definition of personal data, but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act.

Definition taken from The Information Governance Review, Mar 2013 (Gateway Ref: 2900774)

information security

preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved

[ISO/IEC 17799:2005]

information security management system ISMS

that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security NOTE: The management system includes organizational

[ISO/IEC 27001:2005 BS 7799-2:2005]

1 See https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf, p. 24

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf



of 22

structure, policies, planning activities, responsibilities, Practices, procedures, processes and resources.