Security Improvement Audits (including Security Improvement Audit Tool)

Summary: The purpose of this document is to provide a framework for NSW Health Agencies to undertake security improvement audits using the Security Improvement Audit Tool (SIAT).

Document type: Policy Directive

Document number: PD2018_038

Publication date: 03 October 2018

Author branch: Workplace Relations

Branch contact: (02) 9391 9373

Review date: 03 October 2023

Policy manual: Not applicable

File number: 18/974

Status: Active

Functional group: Corporate Administration - Security Personnel/Workforce - Occupational Health and Safety, Security

Applies to: Public Health Units, Local Health Districts, Board Governed Statutory Health Corporations, Chief Executive Governed Statutory Health Corporations, Specialty Network Governed Statutory Health Corporations, Affiliated Health Organisations, NSW Health Pathology, Public Health System Support Division, Cancer Institute, Community Health Centres, Dental Schools and Clinics, Public Hospitals

Distributed to: Ministry of Health, Public Health System, Divisions of General Practice, Government Medical Officers, NSW Ambulance Service

Audience: Security, WHS personnel

Policy Directive

Secretary, NSW Health

This Policy Directive may be varied, withdrawn or replaced at any time. Compliance with this directive is mandatory for NSW Health and is a condition of subsidy for public health organisations.

POLICY STATEMENT

PD2018_038 Issue date: October-2018 Page 1 of 1

SECURITY IMPROVEMENT AUDITS (including Security Improvement Audit Tool)

PURPOSE

The purpose of this document is to provide a framework for NSW Health Agencies (Agencies) to undertake security improvement audits (audits) across their facilities using the Security Improvement Audit Tool (SIAT).

Audits are conducted to determine compliance with the Protecting People and Property: NSW Health Policy and Standards for Security Risk Management in NSW Health Agencies (Security Manual) and work health and safety and security legislation and to ensure continuous improvement in security risk management.

MANDATORY REQUIREMENTS

Each Agency shall ensure that:

Security audits, using the SIAT, are undertaken in their facilities over a two-year audit cycle (commencing in July 2018).

The appropriate level of resources and expertise are available to undertake security audits.

A security improvement plan is developed to address the findings and recommendations of security audits.

The results and recommendations of the security audits are provided to the Chief Executive and the Board as the Agency’s officers and primary duty holders under the Work Health and Safety Act 2011 and Work Health and Safety Regulation 2017.

Outcomes of security audits are reported to the Ministry, as required under Section 3 of this Policy Directive.

IMPLEMENTATION

The Chief Executive, and other officers and managers must be proactive in implementing the requirements of this Policy Directive by providing the appropriate resources to undertake the security audits over each two-year audit cycle.

REVISION HISTORY

Version: October 2018 (PD2018_038)

Approved by: Deputy Secretary, People, Governance & Culture

Amendment notes: New policy.

ATTACHMENTS

1. Security Improvement Audits (including Security Improvement Audit Tool): Procedures.

Security Improvement Audits (including Security Improvement Audit Tool)

PROCEDURES

Issue date: October-2018

PD2018_038

CONTENTS

1 BACKGROUND
1.1 About this document
1.2 Key definitions
1.3 Legal and legislative framework

2 AUDIT PROCESS
2.1 Staff Undertaking Audits
2.2 Two-Year Audit Cycle
2.3 Auditing

3 GOVERNANCE AND REPORTING

4 SECURITY IMPROVEMENT AUDIT TOOL STRUCTURE
4.1 Contents Page
4.2 Security Improvement Audit Report
4.3 Security Improvement Audit Tool Summary Report
4.4 Results – Summary Table
4.5 Security Improvement Audit Tool Excel Document Utilisation

5 SUPPORTING DOCUMENTATION

Appendix 1 – Contents Page
Appendix 2 – Security Improvement Audit Tool
Appendix 3 – Security Improvement Audit Tool Summary Report
Appendix 4 – Results Summary Table

1 BACKGROUND

1.1 About this document

The purpose of this document is to provide a framework for NSW Health Agencies (Agency/ies) to undertake security improvement audits (audits) across their facilities using the Security Improvement Audit Tool (SIAT) to ensure compliance to the Protecting People and Property: NSW Health Policy and Standards for Security Risk Management in NSW Health Agencies (Security Manual) and to achieve continuous improvement in security risk management.

Audits are to be undertaken within a financial two-year audit cycle (audit cycle):

All hospitals are to be audited within the audit cycle by at least a person with a 1A security licence and extensive health care security experience and a Work Health and Safety Practitioner, both of whom are independent of the facility they are auditing.

Other NSW Health owned or leased facilities (including those that are not located on Local Health District/Network complexes) can be audited by an independent person with a 1A security licence where available and/or Work Health and Safety Practitioners and relevant experts.

Individuals who have the relevant technical expertise (acquired through training, qualification or experience) relevant to what is being audited can be included in the audit team as required. These experts do not have to be independent of the facility as their role is to provide expert knowledge to auditors so that they can assess the level of compliance in respect of what is being audited.

The aim of the SIAT is to provide a consistent and effective approach for information gathering on which an Agency can act, in order to comply with its obligations as set out in the Security Manual and this Policy Directive, and as an extension of this improve its performance by:

1. Identifying the existence of and assessing the quality of compliance to this Policy Directive and the Security Manual.

2. Assessing the extent to which this Policy Directive and the Security Manual has been implemented and applied in the Agency’s facilities.

3. Assessing the awareness of workers on the systems and procedures implemented by the Agency to comply with its security risk management obligations, as set out in the Security Manual.

1.2 Key definitions

Audits: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled [1].

Audit Program: Arrangement for a set of one or more audits planned within a specific timeframe [2].

[1] AS/NZS ISO 19011:2014 Guidelines for auditing management systems

Audit Scope: Extent and boundaries of an audit; it includes a description of the physical locations, organisational units, activities and processes, as well as the time period covered [3].

Facility:

Is a hospital, nursing home, residential care or any other NSW Health workplace where the Security Manual applies, that provides services including all surrounding buildings that form part of the complex.

It also includes NSW Health workplaces that are standalone (don’t form part of a LHD/Network complex) such as warehouses and collection centres.

NSW Health Agencies for the purposes of Security auditing include:

Local Health Districts, Justice Health and Forensic Mental Health Network, Sydney Children’s Hospitals Network, NSW Health Pathology, HealthShare NSW, Albury Wodonga in respect of staff who are employed in NSW Health.

Affiliated health organisations in respect of its recognised establishment and services are to comply with this Policy Directive but do not need to report to the NSW Ministry of Health on a quarterly basis on the progress and outcome of audits.

1.3 Legal and legislative framework

Work Health and Safety Act 2011 (WHS Act) and Work Health and Safety Regulation 2017 (WHS Regulation)

The WHS Act creates duties and obligations in relation to managing risks in the workplace. Under the WHS Act a person has an obligation to eliminate risks to health and safety, so far as is reasonably practicable, and if it is not reasonably practicable to eliminate risks to health and safety, to minimise those risks so far as is reasonably practicable. Providing effective risk management as part of the work health and safety management system minimises the risks associated with security and personal safety.

The WHS Act and the WHS Regulation also create obligations for Agencies as persons conducting a business or undertaking (PCBU) to ensure that their premises are safe. The Agency must ensure, so far as is reasonably practicable the provision of any information, training, instruction or supervision that is necessary to protect all persons from risks to their health and safety arising from work carried out as part of the conduct of the business or undertaking. This includes any relevant safety training. The training is to be suitable and adequate with regard to the nature of work and the nature of the risks associated with the work and the control measures implemented.

This Policy Directive deals with specific requirements for security; however, for the purposes of the WHS Act, each Agency should address security risks in accordance with the broader duty to eliminate or minimise risks as is reasonably practicable. Where it is reasonably practicable an Agency should eliminate or minimise a risk, even if not required by the Security Manual.

[2] AS/NZS ISO 19011:2014 Guidelines for auditing management systems

[3] AS/NZS ISO 19011:2014 Guidelines for auditing management systems

For further information in relation to the WHS Act refer to the Policy Directive Work Health and Safety: Better Practice Procedures – NSW Health.

2 AUDIT PROCESS

2.1 Staff Undertaking Audits

Agencies are to ensure that:

The appropriate level of resources are available to undertake audits, which may involve the engagement of security staff and work health and safety practitioners from other Agencies to undertake audits, as long as the requirements of this Policy Directive are met.

Those undertaking audits are independent of the facility they are auditing. This means an individual does not audit the decisions they have made, i.e. they do not have any accountability for that facility. Independent auditors may be someone from:

- Another facility within the LHD/Network/or other NSW Health Agency

- Another LHD/Network/or other NSW Health Agency

- External to NSW Health.

The two key roles in an audit team (and their role) are:

Security managers/senior security staff, who will organise schedules and lead the audits for which they are responsible.

Work health and safety practitioners who will provide expert WHS advice during the audit.

The SIAT is to be used for all security audits for all workplaces where the Security Manual applies. This will provide audit consistency and context to the criteria contained in the Security Manual/SIAT so as to identify what is compliant and to provide recommendations for compliance, positive feedback and opportunities for improvement.

2.2 Two-Year Audit Cycle

The audit cycle is the timeframe within which an Agency completes audits of its facilities.

All hospitals are to be audited within the audit cycle to the extent required based on the level of risk. For example, every Emergency Department and mental health facility must be audited, but not every ward within a hospital will need to be audited; a sample of different types of wards should be included within the scope of the audit.

Agencies responsible for other types of facilities are also required to adhere to the two-year audit cycle. Audit programs must include an adequate sample of facilities based on the level of risk where there are multiple facilities that have a similar function such as warehouses and collection centres.

2.3 Auditing

Each NSW Health Agency shall ensure:

Agreed arrangements to consult about audit scope, accountabilities and to provide information are in place with other Agencies that are responsible for services within the scope of the audit at an LHD/Network, e.g. HealthShare, NSW Health Pathology or a Private Public Partnership.

An audit program is established for the audit cycle. The NSW Ministry of Health (the Ministry) may request a copy of the audit program and audit reports from time to time.

The audit scope must include all sections (Chapters) from the Security Manual that apply to that workplace.

A plan is developed to address the findings and recommendations of the audit. The plan must include actions and timeframes for implementation, and be signed off by the relevant senior executive(s). The findings and recommendations may include the Agency's head office as well as the local facility.

The results and recommendations of the audits are provided to the Chief Executive and the Board, where relevant, as officers under WHS legislation.

Outcomes of audits are reported to the Ministry as required under Section 3 of this Policy Directive.

3 GOVERNANCE AND REPORTING

Chief Executives are to ensure that:

The results of audits and recommendations are reported to Boards and/or a committee of the Board (including the Audit and Risk Committee) as required as part of established regular reporting mechanisms.

The action being taken in response to the audit reports is appropriate and commensurate with the level of risk having regard to work health and safety and security related legislative obligations, and the action is reported to the Board (where applicable) as required.

Reports are provided to the Ministry on a quarterly basis through the Work Health & Safety Executive Reporting process on the following:

- Progress of their audits during the two-year audit cycle;

- Provision of significant outcomes of the audit. Significant outcomes are considered to be either:

  - Where there is 50% or greater non-compliance in high risk sections of the audit tool, or

  - Where there is 50% or greater non-compliance of high risk sections overall, i.e. non-compliance to each high risk section is such that there is only 50% compliance overall

  - The non-compliance(s) identified is such that there is a possibility that:

    - Legal or regulatory action may be taken against the Facility

    - Workers and others may be seriously injured

    - There will be a major disruption to the Facility if corrective action is not taken

    - The matter may be a State-wide issue.

Agencies are also encouraged to provide information on any initiatives identified through the audit that can be shared as good practice with other Agencies in relevant forums.

The Agency shall ensure that audit reports and associated documents are available for review by the Ministry when requested from time to time.

4 SECURITY IMPROVEMENT AUDIT TOOL STRUCTURE

The tool is made up of the following worksheets:

Contents Page (Appendix 1)

Security Improvement Audit Tool (Appendix 2)

Security Improvement Audit Summary Report (Appendix 3)

Results Summary Table (Appendix 4)

4.1 Contents Page

The contents page provides easy reference to the different criteria contained within the SIAT.

It provides a link to each Chapter for easy navigation.

Any criterion within the audit tool that is strategic in nature such as criterion 1.1 can be audited once for the NSW Health Agency and then used in other audits during the audit cycle. Another audit of that criterion would have to be undertaken if changes occur.

The outcome of one audit can be used in other types of audits where the criteria are the same; for example, there are similar criteria in the Work Health and Safety Audit Tool to that of the Security Improvement Audit Tool.

Criteria 1.6 to 1.13 relate to hazards/risks that may be identified during the audit that are not already covered by the Security Manual. It is not compulsory to use this option unless a hazard/risk has been identified.

Criteria relating to building design may only need to be audited once if it is found compliant to requirements and then only again where there are changes when redesign/refurbishment occurs.

4.2 Security Improvement Audit Report

The report is an audit checklist and once populated becomes part of the audit report. The different sections of the audit report and their application are as follows:

First Column – provides the section number and criterion number connected with each criterion.

Criteria – sets out the requirements against which audit evidence is compared.

Compliance Criteria – sets out the audit evidence required to determine compliance and may include multiple examples of audit evidence where there may be various ways of determining compliance. Other documented evidence of compliance than that provided as examples should be considered during the audit.

C/NC/NA – this column includes a drop down menu from which either Compliant, Not Compliant or Not Applicable must be chosen for each criterion, whichever is applicable. Where Not Applicable is chosen, a reason why must be included. The cell will turn green if Compliant, light grey if Not Applicable and is risk rated where the criterion is Not Compliant. The Not Compliant risk ratings are as follows:

High Risk

Medium Risk

Low Risk

Evidence Sighted During Audit – Evidence sighted and the positions held of those contacted during the audit to determine compliance to the criterion need to be included in this section. The evidence included in this column must be verifiable and therefore needs to include a unique identifier, such as a title and a date or a document number.

Audit Comments/Recommendations – Provide recommendations for compliance, positive feedback and opportunities for improvement.

Reference Material for this section – Refers to the main reference material in determining compliance to the relevant section.

4.3 Security Improvement Audit Tool Summary Report

This template is used to provide an overall summary of the audit outcome.

4.4 Results – Summary Table

This worksheet automatically calculates the number of Compliances, Not Compliant (by risk rating) and Not Applicable as the status of each criterion is identified through the audit process.

This page is included as part of the Audit Report.

4.5 Security Improvement Audit Tool Excel Document Utilisation

An Excel version of the audit tool will be provided to all organisations and updates provided when applicable.

The text and risk ratings contained within this Excel document must not be changed and must be the same as contained in Appendices 1, 2, 3 and 4 of this Policy Directive.

Additional columns to the right of the last column can be inserted to assist with managing the audit process, for example columns which contain the agreed actions and timeframes to be taken for each not compliant criterion.

5 SUPPORTING DOCUMENTATION

Information Sheets, Audit Preparation Supporting Documentation for each section of the SIAT, and other supporting documentation that may be developed is made available through the Ministry’s intranet, Human Resources E-Compendium and circulated to the relevant Agencies.

Appendix 1 – Contents Page

Criteria No Criteria Name

1 Security Risk Management

2 Security Risk Management Responsibility

3 Security Risk Management in the Planning Process

4 Health Facility Design

5 Health Service Leasing of Property to or from External Parties

6 Security Arrangements for Patients in Custody

7 Security Education and Training

8 Ongoing Review and Continuous Improvement of Security Risk Management

9 Access and Egress Control

10 Key Control

11 Alarm Systems

12 Lighting

13 Workplace Camera Surveillance

14 Role of Security Staff in NSW Health

15A Security in the Clinical Environment - Part A Emergency Departments

15B Security in the Clinical Environment - Part B Other Clinical Areas

16 Working in the Community

17 Security in Rural and Remote Health Services

18 Security in Pharmacies

19 Security in Car Parks

20 Security of Property

21 Security of Information

22 Security of Medical Gases

23 Security of Radioactive Substances

24 Fire Evacuation and Other Emergencies

25 Bomb Threat/Terrorist Threat

26 Violence

27 Armed Hold-up

28 Use of Weapons by Security Staff

29 Code Black Arrangements

30 Effective Incident Management

Appendix 2 – Security Improvement Audit Tool

Columns: Criteria (All criteria elements must be met to comply) | Compliance Criteria (Unless a documented risk assessment determines another control is more appropriate) | C/NC/NA | Evidence Sighted During Audit | Audit Comments/Recommendations

SECTION 1 SECURITY RISK MANAGEMENT FRAMEWORK

1 Security Risk Management

1.1 Criteria: There is a documented system in place to identify reasonably foreseeable security related hazards, assess the risks and identify controls appropriate to the level of risk and the process for monitoring and evaluating the effectiveness of the controls. The documented system includes the process for consulting with staff whose safety may be impacted by the hazard and when required other shared duty holders.

Compliance Criteria: There is a documented system in place to identify hazards, including hazards associated with security. The documented system includes the process for identifying hazards, assessing the risks relating to the hazards and identifying the controls appropriate to the level of risk, the monitoring and evaluation of the effectiveness of those controls and the consultation process with staff and other shared duty holders.

C/NC/NA: Not Compliant

1.2 Criteria: There is a documented process to monitor and evaluate controls identified through risk assessments for effectiveness.

Compliance Criteria: There is a documented process that outlines the roles and responsibilities for the monitoring and evaluation of controls.

C/NC/NA: Not Compliant

1.3 Criteria: There is a documented system in place for the reporting of incidents and the process for the investigation and identification of controls.

Compliance Criteria: There is a documented system in place for the reporting, investigation and control identification of incidents. Staff have been trained or provided with information on how to report incidents and are involved in the identification of control measures.

C/NC/NA: Not Compliant

1.4 Criteria: There is a system in place to collaborate and share information between clinical, WHS and security personnel.

Compliance Criteria: There is evidence of a system in place for collaboration and information sharing between clinical, WHS and security personnel, evidence can include agendas and minutes of meetings. The frequency of collaboration and information sharing is appropriate.

C/NC/NA: Not Compliant

1.5 Criteria: Chief Executive and the Board are provided with relevant information on security related risks and how they are being addressed.

Compliance Criteria: There is evidence that the Chief Executive and Board are being provided with relevant information about security related risks and the actions to address the risks. Evidence is to include copies of reports provided to the Chief Executive and Board.

C/NC/NA: Not Compliant

Hazards/Risks Identified that are not covered by the Security Manual

1.6 Criteria: The identified hazard/risk has been assessed, where the controls are not known, in consultation with workers.

Compliance Criteria: [Insert Hazard/Risk] has been assessed, in consultation with workers, or the reason for no assessment is outlined, i.e. reference to controls that have already been identified through other means such as industry standards.

C/NC/NA: Not Compliant

Compliance Criteria: [Insert Hazard/Risk] has been assessed, in consultation with workers, or the reason for no assessment is outlined, i.e. reference to controls that have already been identified through other means such as industry standards.

C/NC/NA: Not Compliant

Compliance Criteria: [Insert Hazard/Risk] has been assessed, in consultation with workers, or the reason for no assessment is outlined, i.e. reference to controls that have already been identified through other means such as industry standards.

C/NC/NA: Not Compliant

1.7 The identification of controls is undertaken using the hierarchy of controls as required by Work Health and Safety Legislation.

[Insert Hazard/Risk] Controls have been identified using the hierarchy of controls as evidenced in the risk assessment or determined through other means.

Not Compliant

[Insert Hazard/Risk] Controls have been identified using the hierarchy of controls as evidenced in the risk assessment or determined through other means.

Not Compliant

[Insert Hazard/Risk] Controls have been identified using the hierarchy of controls as evidenced in the risk assessment or determined through other means.

Not Compliant

1.8 The controls are being evaluated for effectiveness at a frequency relevant to the level of risk. Changes made where required.

[Insert Hazard/Risk] has evidence of review and changes made when necessary, evidence of review can be minutes of meetings, toolbox talks, etc.

Not Compliant

[Insert Hazard/Risk] has evidence of review and changes made when necessary, evidence of review can be minutes of meetings, toolbox talks, etc.

Not Compliant

[Insert Hazard/Risk] has evidence of review and changes made when necessary, evidence of review can be minutes of meetings, toolbox talks, etc.

Not Compliant

1.9 Specific legislative requirements associated with the hazard/risk have been identified, e.g. licences required

[Insert Hazard/Risk] Specific legislative requirements have been identified where applicable.

Not Compliant

[Insert Hazard/Risk] Specific legislative requirements have been identified where applicable.

Not Compliant

[Insert Hazard/Risk] Specific legislative requirements have been identified where applicable.

Not Compliant

1.10 The Hazard/Risk is included on the hazard register.

[Insert Hazard/Risk] is included on the register.

Not Compliant

[Insert Hazard/Risk] is included on the register.

Not Compliant

[Insert Hazard/Risk] is included on the register.

Not Compliant

1.11 Data based on the hazards/risks is analysed on an ongoing basis in order to monitor, and where required, improve the controls.

[Insert Hazard/Risk] Copies of data are available as well as documentation of review such as minutes of meetings and toolbox talks.

Not Compliant

[Insert Hazard/Risk] Copies of data are available as well as documentation of review such as minutes of meetings and toolbox talks.

Not Compliant

[Insert Hazard/Risk] Copies of data are available as well as documentation of review such as minutes of meetings and toolbox talks.

Not Compliant

1.12 Training materials specific to the hazard have been developed and include a competency skill component where required.

[Insert Hazard/Risk] Training material is appropriate to the tasks undertaken and may include safe work procedures, specific PPE training, etc. Training material checked has a skills competency component when identified as required.

Not Compliant

[Insert Hazard/Risk] Training material is appropriate to the tasks undertaken and may include safe work procedures, specific PPE training, etc. Training material checked has a skills competency component when identified as required.

Not Compliant

[Insert Hazard/Risk] Training material is appropriate to the tasks undertaken and may include safe work procedures, specific PPE training, etc. Training material checked has a skills competency component when identified as required.

Not Compliant

1.13 Training of workers in relation to the hazard has been undertaken.

[Insert Hazard/Risk] Training plan is in place and training is taken as per schedule.

Not Compliant

[Insert Hazard/Risk] Training plan is in place and training is taken as per schedule.

Not Compliant

[Insert Hazard/Risk] Training plan is in place and training is taken as per schedule.

Not Compliant

Reference Material for this Section Includes: Safe Work Australia Codes of Practice: How to manage work health and safety risks, Work health and safety consultation

2 Security Risk Management Responsibility

2.1 Board Members have taken reasonable steps to ensure:
- Systems are in place to identify, assess and eliminate or control security related risks.
- They get relevant information on security related risks and how they are being addressed including compliance to security manual.
- They review information provided and take appropriate action to resolve issues or concerns.

The risk management process is documented and covers the criteria requirements. Security related information reported to the Board is available. There is evidence that action has been taken by the Board where applicable and could include minutes of meetings, emails, action implementation plans, etc.

Not Compliant

2.2 The Chief Executive has ensured:
- There is an effective security risk management system.
- NSW Health security risk management standards are met.
- Staff are consulted in the development and implementation of security procedures and when purchasing equipment.
- Appropriate legislative and Ministry reporting requirements are met including nominating a suitably qualified person to hold the Master Licence and its associated responsibilities.
- Staff are provided with the necessary skills to prevent and manage security/violence related issues.

There is a documented security risk management system. There is evidence that resourcing has been considered in the implementation and maintenance of the system. There is evidence of consultation in the development of the system. There is evidence that the system is monitored and evaluated. Evidence that security management standards are met is determined through the Security Audit process. Security procedures have been implemented and there is evidence of consultation with staff. The person holding the Master Licence is in accordance with the Security Industry Act 2007. Staff requiring training to prevent and manage security/violence related issues have been identified (e.g. training matrix). There is evidence that appropriate training has been provided to staff.

Not Compliant

2.3 The Facility Manager has:
- Identified individuals responsible for security administration.
- Ensured the ongoing implementation of an effective security program.
- A system is in place to ensure crimes and suspicious activities are reported to police.
- A system is in place to advise security related incidents to Chief Executive, Risk Manager, Security Master Licence Holders and external authorities such as SafeWork NSW and NSW Police.

There is evidence that the responsibility for security administration has been allocated to individuals. The security program is in place, there is evidence of consultation and regular monitoring and evaluation. Staff are aware of what needs to be reported to NSW Police and there is evidence that reporting has occurred. There is a documented process for notifying security related incidents in accordance with the manual. There is evidence of notifications.

Not Compliant

2.4 Service Director/Department Manager/Facility Security Administrator/Team Leaders/Supervisors:
- Monitor and ensure compliance with NSW Health security policies and local procedures.
- Consult on security matters with staff, WHS reps, security staff and other duty holders.
- Keep staff informed of personal and property security policy and procedures and management action in response to hazard and incident reports.
- Identify areas where personal and property security can be improved in consultation with staff.
- Respond to incident and hazard reports.
- Implement risk control strategies.
- Identify staff training needs.
- Report security related incidents.

There is evidence that compliance to security policies and local procedures has been monitored. There is evidence of consultation with staff on security matters. Staff are kept informed on security actions, examples of evidence could be minutes of meetings, emails, toolbox talks, etc. There is evidence of consultation with staff in the improvement of security processes. Security incident and hazard report responses are available. There is evidence of risk controls being implemented. Training for staff has been identified appropriate to the level of risk, training is scheduled and taken. Evidence that security related incidents have been reported in accordance with local procedures.

Not Compliant

2.5 Security staff and Health and Security Assistants comply with the requirements set out in the manual.

Have current security licence and first aid certificate. Staff interviewed are aware of the policies and procedures for responding to security related requests. There is evidence through reporting that incident response is in accordance with policy. Reports on security matters are prepared by Security/HASA staff and are available. There is evidence of security recommendations being made to management consistent with staff licensing levels. There is evidence that security audits and inspections have been undertaken. Staff have current knowledge on relevant legislation and maintain knowledge on health care security requirements e.g. policy on patient restraint.

Not Compliant

2.6 Staff responsibilities as outlined in the manual for security have been communicated to them.

There is evidence that training or information has been provided to staff about their responsibilities. This could be through emails, training in this section of the security manual. Staff interviewed are aware of their responsibilities.

Not Compliant

Reference Material for this section includes: Security Industry Act 2007

3 Security Risk Management in the Planning Process

3.1 Security Planning is undertaken across the facility or service.

Evidence of key committee or workgroups that oversee security planning. Any specific security planning templates or tools used.

Not Compliant

3.2 Plans and proposals that include significant risk (including but not limited to construction/refurbishment of premises, changes to equipment, and changes to systems of work such as models of care) must identify and assess security risks and include strategies to eliminate, or where they can’t be eliminated, minimise security risks.

There is evidence that plans and proposals include security risks and strategies to eliminate/minimise those risks. Including: Strategic planning, Business planning, Service development planning, Disaster/emergency planning, Project Definition Planning (as part of Facility planning), Procurement Processes, including processes for procuring services, premises, equipment, furniture, fixtures and fittings, WHS/security improvement and management planning and Individual department plans. Randomly check a quantity of plans and proposals to determine whether they meet the requirements.

Not Compliant

3.3 Planning documentation must record the consultation undertaken with staff and experts in identifying and assessing risks, and in determining risk control options.

There is evidence of consultation with staff and experts in identifying security risks and determining risk controls to eliminate/minimise risk.

Not Compliant

Reference Material for this section includes: This Chapter must be read in conjunction with NSW Health Policy Directive PD2015_043 Enterprise Wide Risk Management Policy and Framework and PD2013_050 Work Health and Safety Better Practice Procedures.

4 Health Facility Design

4.1 The NSW Health Agency has consulted with workplace safety, risk management, security staff and any other staff whose health and safety is likely to be affected and other duty holders who have a duty to their staff that all reasonably foreseeable security risks are identified, assessed and eliminated where reasonably practicable, or where they cannot be eliminated, effectively minimised as part of facility planning, design, refurbishment and prior to engaging in any significant reorganisation of the physical working environment.

Risk assessment has been undertaken which meets the requirements set out in the criterion. There is evidence of consultation with workplace safety, risk management, security staff and other duty holders, this could be through minutes of meetings, emails, etc. Consultation has occurred as part of facility planning design, refurbishment and prior to engaging in any significant reorganisation of the physical working environment.

Not Compliant

4.2 The standards outlined in the Australasian Health Facility Guidelines and the security manual are referenced and compliance achieved during all stages of the facility planning, design or refurbishment process. This includes security considerations related to any temporary accommodation or other temporary arrangements, e.g. wards, offices, parking, contractor access.

There is evidence that the Guidelines have been referred to and have been complied with. Consultation has occurred. Consideration has been given to any temporary accommodation or temporary arrangements. Evidence could be through minutes of planning meetings, planning design notes, etc.

Not Compliant

4.3 New and refurbished facilities reflect the four Crime Prevention through Environmental Design principles: Territorial reinforcement, Surveillance, Space management and Access control.

Check that any new and refurbished facilities meet the four principles: Territorial reinforcement, Surveillance, Space management and Access control.

Not Compliant

Reference Material for this section includes: Safe Work Australia: Guidance on the use of positive performance indicators 2005. Australasian Health Facilities Guideline, http://www.police.nsw.gov.au/safety_and_prevention/policing_in_the_community/safer_by_design

5 Health Service Leasing of Property to or from External Parties

5.1 A security risk assessment must be undertaken in consultation with staff and other duty holders prior to entering into any lease agreements associated with Leasing property for use by NSW Health Agencies as part of providing services to the community, e.g. premises located within shopping centres, office blocks, community halls, schools or other premises remote from their community health team base, or Properties leased for use by NSW Health Agencies must meet the requirements set out in the Security manual.

Current risk assessments are available for premises leased from external organisations which includes security related risks, and have been undertaken in consultation with staff according to the requirements set out in the manual. The assessment includes all the requirements set out under "Leasing Premises from External Organisations" section of the Security manual. Lease arrangements specify responsibilities for aspects of security such as the installation and maintenance of a range of security features (e.g. security grills, locks, alarms, lighting) and meet the requirements specified in the Security manual. A business continuity plan which meets the requirements of the manual is available and current. Evidence of consultation with staff and consultation, cooperation and coordination with other duty holders can be included in the risk assessment, minutes of meetings, tool box talks, etc.

Not Compliant

5.2 A security risk assessment is undertaken in consultation with staff and other duty holders prior to leasing premises to external organisations such as pharmacies, newsagents, gift shops, food outlets, banking services.

Current risk assessments are available for external organisations that have leased premises. The risk assessments have been undertaken according to the manual and in consultation with staff and other duty holders. The assessment includes the requirements set out under the Security manual section "When Leasing to External Organisations".

Not Compliant

5.3 Risk assessments are undertaken to control the risk of ram raid style attempted theft of Automatic Teller Machines as outlined in the security manual including Attachment A.

Risk assessments have been undertaken of ATM locations and meet the requirements of the manual. Risk controls have been implemented. Significant Risk Controls have been approved by the Chief Executive or their delegate prior to implementation.

Not Compliant

Reference Material for this section includes: The Australasian Health Facility Guidelines

6 Security Arrangements for Patients in Custody

6.1 Risk Assessments are undertaken to identify hazards, assess risks, and identify controls in consultation with staff and other shared duty holders such as Corrective Services NSW, Juvenile Justice NSW, Department of Immigration and Citizenship and NSW Police in relation to patients in custody. Documented protocols are implemented as a result of the risk assessments.

Documented protocols for managing patients who are in custody of another Agency are implemented based on risk assessments in consultation with the shared duty holders. It includes: The roles of NSW Health staff and that of the other external Agencies. Providing information to the external Agency about facility protocols and evacuation plans. The process for advising the appropriate staff (e.g. facility manager and security staff) when a patient is admitted and potential risks associated with their admission. Transferring a patient in custody if they cannot be safely managed at that facility. Identifying when custodial patients are to be placed away from other patients and staff, for example a safe assessment room. Managing public and media inquiries. Managing clinical inquiries from Justice Health medical staff. The process for the NSW Health Agency to obtain information about the patient in order that a risk assessment of the individual patient can be made. Staff have been provided with information and/or training and when interviewed are aware of the local procedures.

Not Compliant

6.2 The requirements for Corrective Services NSW patients in custody as set out in the Security manual have been implemented.

Local security procedures include the requirements for Security Arrangements for Patients in Custody. If other risk controls have been implemented, there is evidence that those controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements.

Not Compliant

6.3 The requirements for Juvenile detainee patients as set out in the Security manual have been implemented.

Local security procedures include the requirements for Security Arrangements for Patients in Custody. If other risk controls have been implemented there is evidence that those controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements.

Not Compliant

6.4 The requirements for Patients in the custody of Police as set out in the Security manual have been implemented.

Local security procedures include requirements for Security Arrangements for Patients in Custody. If other risk controls have been implemented there is evidence that those controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements.

Not Compliant

6.5 The requirements for Forensic Patients arriving from a mental health facility as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented, if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements.

Not Compliant

Reference Material for this section includes: Memorandum of Understanding between NSW Police and NSW Health, Memorandum of Understanding between NSW Corrective Services and NSW Health.

7 Security Education and Training

7.1 There is a documented system in place to conduct training needs analysis as part of an ongoing security program at least every two years or when work circumstances change

There is a documented system in place to undertake training needs analysis for staff which includes the identification of security training requirements and the ongoing training every two years or when circumstances change.

Not Compliant

7.2 Staff are provided with appropriate security related education and training, including violence prevention and management training. Training needs are identified according to the Identifying security related education and training needs for all staff section of this chapter. The training schedule reflects the When should security related education and training be provided? section of the manual.

Training needs have been identified as required by this chapter of the Security manual, PD2017_043 Violence Prevention and Management Training Framework for NSW Health Organisations and PD2012_035 Aggression Seclusion and Restraint: Preventing, Minimising and Managing Disturbed Behaviour in Mental Health Facilities. Training needs analysis has been undertaken for staff, training specific to security has been identified in compliance with the manual and a training matrix/plan is available. The training schedule reflects when training should be undertaken according to the manual. Training for staff in high risk areas and security personnel is provided prior to commencement or as soon as possible after commencement of duties. Training has been provided as identified. Training is appropriate to the role of the staff member and is consistent with NSW Health Policy PD2017_043 Violence Prevention & Management Training Framework for the NSW Health Organisations.

Not Compliant

7.3 Specialised training is identified and provided in accordance with the Security manual.

Specialised training has been identified, including any specialised training needs for: Supervisors and managers, security staff, WHS/Risk management practitioners, First Aid Officers, Fire Wardens, Return to Work Coordinators, Health and Safety Representatives, duress response staff. The training matrix and training schedule reflect any specialised training. Training has been provided according to the training schedule.

Not Compliant

7.4 Staff identified as duress responders to a clinical or corporate/security incident must be provided with specific training.

The training plan and schedule includes specific training for duress responders which includes: the process for duress response, assessing a scene, verbal de-escalation and negotiation skills and evasive self-defence, physical restraint techniques, use of mechanical and other restraints where appropriate and approved for use, and associated legal implications. Staff who require duress responder training have been identified and have received the appropriate training.

Not Compliant

7.5 Training is provided on an ongoing basis, including regular drills, in order to update and maintain skills.

There is a plan for ongoing training that is appropriate to the level of risk. There is documented evidence that the training has been undertaken.

Not Compliant

7.6 Evaluation of security related education and training activities is undertaken in accordance with the security manual.

There is a documented program in place to review specific activities and the effectiveness of the education and training program against the NSW Health Agency pre-determined performance indicators such as:
- Staff awareness of security related policies and practices.
- Changes to number of incidents occurring and the outcomes of those incidents.
- Changes to the number of hazards being identified.

Not Compliant

Reference Material for this section includes: PD2017_043 Violence Prevention & Management Training Framework for the NSW Public Health System, PD2012_035 Aggression, Seclusion & Restraint in Mental Health Facilities in NSW

8 Ongoing Review and Continuous Improvement of Security Risk Management

8.1 The preparation and undertaking of Security audits will be audited separately through the WHS Audit Tool.

Not required to be audited as part of the Security Improvement Audit.

8.2 The recommended actions from previous security audits have been progressed/completed according to the Security Improvement Plan timeframes.

Previous Security Improvement Plans are available and the actions have either been completed or progressed according to the timeframes.

Not Compliant

8.3 Security risk management performance is measured against a set of pre-determined indicators, evaluated, monitored and improved.

Performance indicators have been identified and reflect those outlined in the manual. There is evidence that the performance indicators are monitored, reviewed and actions taken when required. The frequency of monitoring, reviewing and evaluating is appropriate to the level of risk.

Not Compliant

Reference material for this section includes: PD2017_043 Violence Prevention and Management Training Framework for NSW Health Organisations

SECTION 2 CORE SECURITY RISK CONTROLS

9 Access and Egress Control

9.1 Risk assessments are undertaken in clinical and non-clinical buildings and facilities, in consultation with staff and other duty holders to minimise/eliminate foreseeable security risks associated with access and egress.

There is a current risk assessment available that includes security risks and the identification of controls associated with access and egress. There is evidence of consultation with staff and other duty holders.

Not Compliant

9.2 There are procedures in place for effective access and egress and perimeter controls, which include:
- the implementation of remote locking on main access doors to Emergency Departments.
- under what circumstances lockdown is to occur, including threats such as terrorist incidents, altercation in Emergency Departments or a suspected infant abduction.
- any identified controls.
Access/identification systems have been developed and implemented.

There is a facility lockdown procedure in place consistent with the requirements set out in IB2017_047 Health Care Facility Lockdown - A framework for developing procedures. There are procedures in place that outline the roles and responsibilities and describes how to and when to lock remotely and includes the system for access and identification. Key staff are aware of the procedures. Check that Emergency Departments can be remotely locked. Staff interviewed are aware of the access and identification system procedures. Observe the process if possible.

Not Compliant

9.3 The requirements for Security Arrangements for access and egress control as set out in the Security manual have been implemented. This includes:
- Managing access to and egress from the land controlled by the facility.
- Providing safe access and egress especially after hours and during emergencies.
- Controlling access to vulnerable areas and securing vulnerable patients.
- Applying the principles of Crime Prevention Through Environmental Design as outlined in Chapter 4.

There is evidence that the required standards have been implemented for access and egress control as set out in the criteria; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements. Check that access controls to the land on which the facility is situated are appropriate to the level of risk.

Not Compliant

9.4 The requirements for doors as set out in the Security manual have been implemented. This includes:
- Perimeter/external access doors are locked and access restricted to the minimum necessary point in the building.
- Perimeter/external access doors meet the standards outlined in the manual and the Australasian Health Facility Guidelines.
- Electronic door alarms are connected to staff pagers where practicable.
- Fire isolated exit doors meet the requirements of the manual.
- After-hours public and staff entry points are fitted with video/CCTV intercom systems.
- Glazing in doors and panels beside doors must be resistant to being breached.
- ED public entry doors must have the capacity to be locked remotely.
- Other public entry doors like main entry door must be fitted with remote locking if risk assessment determines it is necessary.
- Doors between public areas and treatment areas are access controlled (excludes ward patient bedrooms/bed areas).
- The duress response plan identifies the designated entry points and the entry door is marked.

There is evidence that the required standards have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements.

Not Compliant

9.5 The requirements for minimising the opportunity for entry to, or exit from windows as set out in the Security manual have been implemented. External and internal windows are constructed to be resistant to physical force and include shatter proof film or security screens.

There is evidence that the standards have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements.

Not Compliant

9.6 Signage/Wayfindings conform with the requirements set out in GL2014_018 Wayfinding for Health Facilities. Signage must clearly identify staff only access areas.

Check that signage/wayfindings conform with the Wayfinding for Health Facilities guideline. There is clear signage to identify staff only access.

Not Compliant

9.7 The standard requirements for name badges as set out in the Security manual have been implemented. Security Staff and Health and Security Assistants must have their full licence displayed at all times while on duty. For most other staff full names must be worn at chest height. A decision not to do so must be based on a documented risk assessment. Staff in Emergency Departments, mental health units and drug and alcohol units are only required to display first name and family name initial.

There is evidence that the standards have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, staff are aware of the requirements and staff name badges are appropriate to where they work.

Not Compliant

9.8 The minimum standard requirements for Identity/Access Systems as set out in the manual have been implemented. This includes:
- Level of access to be granted to staff members is assessed and determined by their role. This includes arrangements for staff who are working in a casual or temporary capacity like locums.
- Verification of staff when issuing identity/access cards is undertaken according to the security manual.
- Code Black teams have access to all parts of the facility that they may be required to attend.
- Record of document authorising access is kept by the issuing department.
- Review of access occurs as required by the security manual.
- Identification photos must include the person's full face.
- Administration of the Identity/Access system meets the requirements set out in the security manual.
- Procedures have been implemented for determining, approving and recording the level of access to staff only areas to those that are not staff.

There is evidence that the minimum standards have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements.

Not Compliant

Reference material for this section includes: Security Industry Act 1997, Information Bulletin IB2017_047 Health Care Facility Lockdown - a Framework for developing procedures, GL2014_018 Wayfinding for Health Facilities, Australasian Health Facility Guidelines.

10 Key Control

10.1 Risk assessments are undertaken, in consultation with staff and other duty holders in relation to eliminating or if not practicable minimising foreseeable security risks associated with the control of keys and code locks.

There is a current risk assessment available that includes security risks and the identification of controls associated with the control of keys and code locks. There is evidence of consultation with staff and other duty holders.

Not Compliant

10.2 Procedures have been developed to support the identified controls.

There are procedures in place to support the findings of the risk assessment, and these are in compliance with the Security manual. There is evidence that staff have been trained or information provided about the procedures. Staff who are interviewed are aware of the requirements set out in the procedures.

Not Compliant

10.3 The movement of keys is controlled using Key Authority Records and Key and Security Logs.

Key Authority Records are available which include all personnel authorised to draw and return keys and include a specimen signature. This can be done via a secure electronic log. Key and Security Logs are available, reconciled and retained for a minimum of 12 months.

Not Compliant

10.4 All requirements set out in the Security manual are implemented:
- Number of keys is limited to what is practicable.
- Staff are advised that keys should not be worn around the neck to avoid strangulation.
- Keys are not left lying around in view.
- Authority to draw keys is kept up-to-date.
- Keys not on issue are locked in containers out of sight.
- Keys are given to person responsible for facility key control to manage.
- Keys are numbered to indicate the lock or entry they fit.
- Key losses both in and out of hours are reported to key control officer.
- Keys are cut as per security manual.
- Keys are destroyed as per Security manual requirements.
- Key cutting/duplication done locally as per security manual.
- Codes provided to control code locks are to those with legitimate access needs.
- Master key override is available for digilocks or coded doors.
- Key pad access codes are changed in accordance with security manual.
- Changes to codes are communicated to relevant staff in a timely way.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand their responsibilities and the requirements.

Not Compliant

Reference Material for this section includes: Security Industry Act 1997, Standards for Security Risk Management in NSW Health Agencies.

11 Alarm Systems

11.1 Risk assessments are undertaken, in consultation with staff and other duty holders in relation to minimising/eliminating foreseeable security risks by establishing requirements for duress alarm systems taking into consideration the standards set out in the Security manual. The risk assessment takes into consideration the need for back-up in the event of system power failure, the strategic location throughout the health care facility for fixed alarms, mobile duress alarms worn by staff when working within the facility and by staff who regularly work outside of the facility, i.e. community health staff.

There is a current risk assessment available that establishes the requirements for duress alarms to ensure staff, patients and assets are secure. There is evidence of consultation with staff and other duty holders. Consultation has occurred in areas such as: Mental health services, Emergency departments, Pharmacy and other drug storage areas, Women's health and maternity units, Paediatric units, Youth health units, Sexual assault units, Cash handling and storage areas, isolated facilities/units, Car parks and grounds, Vehicles (e.g. ambulances), Alcohol and other drugs services, ICUs and HDUs, Aged care wards, Community services, Theatre recovery.

Not Compliant

11.2 Alarm systems are reviewed at a frequency appropriate to the level of risk.

There is a schedule of alarm system review at an appropriate frequency. There is evidence that the reviews are undertaken and any actions identified during the review have been implemented.

Not Compliant

11.3 Staff members have unobstructed access to purpose designed equipment appropriate to the level of risk enabling them to summon assistance if they are faced with a personal threat or physical assault, this includes mobile and fixed duress alarms.

Alarms are located without obstruction for staff to be able to summon assistance easily when facing personal threat or physical assault that is appropriate to the level of risk. A combination of both fixed and mobile alarms have been considered and are available in accordance with the risk assessment.

Not Compliant

11.4 Staff required to answer public access doors after hours wear mobile duress alarms, e.g. maternity units.

There is a system in place for staff to have access to and wear mobile duress alarms when answering public access doors after hours. Staff when interviewed are aware of the requirement.

Not Compliant

11.5 All staff working in Emergency Departments are provided with and are wearing mobile duress alarms at all times when in the Emergency Department. Random compliance spot checks are undertaken and reported to the Department Manager and Chief Executive.

There is a documented procedure to ensure mobile duress alarms are available in ED for all staff. Check that all staff in ED are wearing duress alarms. Check that random compliance spot checks are being done, recorded and reported to the Chief Executive.

Not Compliant

11.6 The requirements for Duress Alarms as set out in the manual have been implemented in consultation with staff. A risk assessment has been undertaken to ensure that there is an appropriate mix of duress alarms. The alarm systems complement all other protective measures taken to prevent and manage risk.

There is evidence that the minimum standards have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There is an appropriate mix of duress alarms based on a risk assessment. The alarm systems work well with other implemented protective measures. There is evidence that staff and other duty holders have been consulted as required by the security manual.

Not Compliant

11.7 The features of mobile duress alarms meet the requirements set out in the Security manual.
- Emits a low tone/vibration/other means to alert the person that an alarm has been sent after activation.
- Activates where user is not moving or falling down. Includes warning before alarm triggered.
- Message received by the code black team within ten seconds from activation.
- Alerts other staff in the work area/facility that a colleague requires assistance.
- Duress alarms for community health staff have GPS capability.
- Alarms have self-testing capability and notify malfunctions immediately.
- Alarms are self-testing, occur at intervals of one hour or less and can produce hard copy/electronic evidence of testing.
- Sufficient redundancy/high availability to achieve 100% continuous operation.
- Battery life is not less than longest shift.
- Displays battery status and warns when charge is low.
- Ingress Protection rating and operational temperature range are appropriate to risk.
- Downtime procedures are in place, including uninterrupted power supply for a period suitable to the level of risk.

There is evidence that the required standards have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. The system meets the requirements for 100% continuous operation. There are documented procedures in place including downtime procedures, staff have been trained and when interviewed understand the requirements.

Not Compliant

11.8 Mobile duress alarms are worn in accordance with the security manual. They are worn where the staff member is moving around in the course of their work and there is a risk of being confronted by aggressive behaviour. When worn, they are attached to a strong and stable part of the clothing, e.g. clipped to a trouser pocket or waistband. They are not worn around the neck due to the potential for strangulation.

Check whether staff are aware of when and how to wear duress alarms and that staff are wearing them in accordance with the Security manual.

Not Compliant

11.9 Mobile Duress Alarm Testing requirements as set out in the security manual are met.
- Alarms are tested at the start of each shift.
- Alarms are self-testing and notify malfunctions immediately via an independent system.
- Alarm self-testing occurs at intervals of one hour or less and is capable of producing hard copy and electronic evidence of testing. The evidence is kept for a minimum of 90 days.

There are documented systems in place which include the roles and responsibilities for testing mobile duress alarms. Testing records are available and meet the requirements for testing. The duress alarm system is self-testing and has the capability to notify malfunctions. There is evidence that faults are identified, recorded and rectified.

Not Compliant

11.10 Fixed Duress Alarms meet the requirements set out in the security manual which include:
- Be able to interface with other local communication and security systems.
- Be able to cover all working and amenity areas for the specific location.
- Provides integrity of communication and isn't prone to interference and false alarms.
- Includes a fixed backup system.
- Be capable of transmitting a duress signal within 5 seconds of activation both indoor and outdoor.
- Provides assurance to person activating by sending low tone or vibration etc.
- Code Black team receives alarm within 10 seconds.
- Alerts other staff in the work area/facility.
- Does not activate an audible alarm.
- Does not interfere with functions of critical medical equipment.
- Is not susceptible to tampering or activation by patients/visitors.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. Staff are aware of where the fixed duress alarms are located and have been trained in their use.

Not Compliant

11.11 Fixed Duress Alarm Testing requirements as set out in the security manual are met.
- Are tested in line with manufacturer's advice, the regime is documented, e.g. testing occurs every 30 days.
- Testing records are maintained and faults reported.
- Staff who are in the vicinity of the faulty alarm are advised of any issues and then advised when it is operational again.

There is evidence that fixed duress alarms are tested as required. Maintained testing records are available. There is a procedure for reporting faults and reports are available if faults have been reported. There is a procedure in place to advise staff of faulty alarms. The relevant staff when interviewed are aware of how faulty alarms are advised to them.

Not Compliant

11.12 Training and information is provided to staff in the use of alarm systems.

Staff who require training in alarm systems have been identified. Staff have been provided with training using information provided by suppliers on their commencement.

Not Compliant

Reference material for this section includes: Australian Standards: AS/NZS3000 Electrical Installations

12 Lighting

12.1 Internal lighting must be risk assessed, in consultation with staff and other duty holders, to ensure there is sufficient internal lighting to eliminate risks, where reasonably practicable, or where they cannot be eliminated, minimise security related risks.

Current risk assessment of internal lighting is available and there is evidence of consultation with staff and other duty holders; evidence of consultation could be minutes of meetings.

Not Compliant

12.2 The minimum standard requirements for internal lighting set out in the manual have been implemented.

There is evidence that the minimum standards have been implemented for internal lighting or if other risk controls have been implemented, there is evidence that these controls are more appropriate.

Not Compliant

12.3 External lighting must be risk assessed, in consultation with staff and other duty holders, to ensure there is sufficient external lighting to eliminate risks, where reasonably practicable, or where they cannot be eliminated, minimise security related risks.

Current risk assessment of external lighting is available and there is evidence of consultation with staff and other duty holders; evidence of consultation could be minutes of meetings.

Not Compliant

12.4 Areas requiring special lighting have been identified and appropriate lighting installed.

There is evidence that special lighting has been identified. Special lighting has been installed in areas such as entrance foyers, emergency departments, staff entry and exit points, pharmacies and car parks.

Not Compliant

12.5 The requirements for External lighting set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented for External lighting or if other risk controls have been implemented, there is evidence that these controls are more appropriate. External lighting is sufficient to eliminate dark areas and allow facial recognition to facilitate correct functioning of CCTV cameras. It's connected to an uninterruptible power supply.

Not Compliant

Reference material for this section includes: AS/NZS1680 series, AS/NZS1158 series, AS4485.1 and AS/NZS2890

13 Workplace Camera Surveillance

13.1 Risk assessments are undertaken, in consultation with staff, other duty holders and security experts, to identify locations in buildings and grounds for CCTV.

A current risk assessment is available with evidence that it was undertaken in consultation with staff, other duty holders and security experts that has identified locations in buildings and grounds where CCTV surveillance may be of assistance. The risk assessment takes into consideration the issues outlined in the Security manual. The purpose of each CCTV is clearly identified in relation to the security risk management program, i.e. purpose is to provide a visual deterrent, support access control measures or used to identify an incident where a duress response/code black response is required.

Not Compliant

13.2 When CCTV cameras are being installed, agreement has been reached with staff, in accordance with the Security manual, on the purpose of the CCTV cameras and how it will be carried out.

There is evidence that staff have been consulted in accordance with the security manual. Effective procedures are implemented that are consistent with the Workplace Surveillance Act 2005. There is evidence of communication with staff about the procedures and what they should do in the event of a threat. Staff interviewed are aware of the procedures.

Not Compliant

13.3 Covert camera surveillance used to capture suspected unlawful activity has been approved by the Secretary of NSW Health. The relevant requirements of the Workplace Surveillance Act 2005 are met.

There is evidence of approval by the Secretary of NSW Health where covert camera surveillance is in place. There is a documented system in place for the use of covert camera surveillance in accordance with the security manual and the Workplace Surveillance Act 2005. There is evidence that covert camera surveillance is undertaken in compliance with the documented system, the Security manual and the Act.

Not Compliant

13.4 The requirements for Overt camera surveillance/CCTV as set out in the manual have been implemented.
- Cameras are visible to people in the area under surveillance.
- Signs notifying people they may be under camera surveillance are clearly visible.
- Signs in other languages have been considered which involve words rather than pictures.
- Patient information includes information on presence of CCTV.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. Check that cameras are visible in the area under surveillance. There is evidence that signs in other languages have been considered where signs are words and not pictures and where applicable signs in other languages are present. Patient information includes presence of CCTV.

Not Compliant

13.5 Monitoring and storage of camera surveillance images is in accordance with the Security manual.

There is evidence that requirements set out in the Security manual for monitoring and storage of camera surveillance images have been implemented.

Not Compliant

13.6 Placement of CCTV Units is in accordance with the Security manual.

There is evidence that the placement of the CCTV Units meets the requirements of the Security manual.

Not Compliant

13.7 Procedures are in place in the use of workplace camera surveillance consistent with relevant legislation, including the Workplace Surveillance Act 2005.

Procedures are in place that are consistent with relevant legislation. There is evidence that staff have been trained or provided information. Staff interviewed are aware of the requirements.

Not Compliant

13.8 There is a system in place for considering requests for surveillance records.

There is a documented system for considering requests for surveillance records that includes the factors and requirements outlined in the security manual. Staff are aware and have been trained. Check if there is evidence of compliance.

Not Compliant

Reference material for this section includes: Workplace Surveillance Act 2005, Crimes Act 1900 s16,

14 Role of Security Staff in NSW Health

14.1 Risk assessments are undertaken, in consultation with staff and other duty holders, to establish the appropriate level of security staffing to respond effectively and in a timely way to security related issues. The requirements at point 2 Determining the appropriate level of security staffing of this chapter of the Security manual are to be considered as part of the assessment.

Risk assessment is available, current and includes consultation with staff and where relevant other duty holders. It reflects the level of identified risk of security/violence occurring, the size of the facility, the services being provided and the local demographic and is in accordance with the requirements set out in point 2.

Not Compliant

14.2 Specific risk assessments arising from utilising contract security staff have been undertaken in accordance with the Security manual.

Risks specific to contractors have been identified and a documented system is in place to eliminate or minimise those risks. Assessing risks takes into account the unique circumstances in providing security services in a health environment and the work health and safety obligations outlined in the Ministry guideline GL2013_011 Work Health and Safety - Other Workers Engagement. Contractors are provided with the required training prior to commencement including the understanding of NSW Health Policies on the role of security staff and standards and any other training required by security staff.

Not Compliant

14.3 There are local procedures outlining how security staff undertake the role and how violence related incidents are managed in consultation with security staff, managers and clinical staff.

There are local procedures outlining how security undertake their role that complies with this chapter of the Security manual. Position Descriptions and other information about the role of security is consistent with role of security staff in this chapter of the security manual and local procedures. Security and other staff interviewed are aware of the role of security.

Not Compliant

14.4 All security staff, including Health and Security Assistants, have a current 1A licence.

There is a documented process in place to check the currency of security licences. Licences checked during audit are current.

Not Compliant

14.5 Security staff understand the scope of their role as outlined in the security manual including the boundaries of their role and that of NSW Police.

There is evidence that security staff have been provided with training and information on the boundaries of their role including that of NSW Police. This includes reference to the Memorandum of Understanding between the Ministry of Health, Ambulance and NSW Police. Staff interviewed understand the scope of their role and that of NSW Police and are aware of the contents of the Memorandum of Understanding. Local procedures in the management of patients in custody are implemented and staff understand the requirements.

Not Compliant

14.6 Security staff, including contractors, are provided information and training consistent with PD2017_043 Violence Prevention and Management Training Framework.

Contract security staff are engaged through the Whole of Government contract for security services (Integrated Security Services).

There is a documented training system in place to ensure security staff, including contracted security staff, undertake the training as required by PD2017_043. There is evidence that security staff have been provided with the appropriate training as required by the policy directive. Check that contract staff have been engaged through the Whole of Government contract for security services.

Not Compliant

14.7 There is an escalation procedure in place to both the Chief Executive and any other appropriate forums such as the Local Protocol Committee for issues relating to NSW Police response to security incidents such as response timeliness.

There is a procedure in place describing when and how to escalate an issue to the relevant stakeholders. Relevant staff when interviewed are aware of the process.

Not Compliant

14.8 There are local procedures on restraint that include the requirements set out in this chapter of the Security manual and include:
- Physically restraining patients and others
- Using mechanical restraint on patients
- When restraint can be used.

Security Staff who are required to undertake restraint have undertaken restraint training as required by this chapter of the Security manual.

Local procedures are available and meet the requirements of this chapter of the Security manual. There is evidence that relevant staff have been provided with the required training in restraint. Staff when interviewed understand their role and how and when to restrain patients physically.

Not Compliant

14.9 Mechanical restraints used are standardised and have the features outlined in the security manual:
- Are adjustable.
- Fit for purpose, e.g. fit for use with combative/aggressive patients.
- Allow patient to be placed in a sitting or lying position.
- Have wide cuff.
- Have no sharp edges.
- Made of a material that is easy to clean.
- Easy to apply.
- Difficult for the patient to remove.
- Able to be secured to furniture.

Check that Mechanical restraints meet the requirements.

Not Compliant

14.10 There are local procedures for restraining of a patient who is incapable of giving consent to medical treatment. Security staff understand the scope of their role including the boundaries of their role and have been provided with appropriate information and training in Restraining of a patient who is incapable of giving consent to medical treatment.

Local procedures are available and meet the requirements of this chapter of the Security manual. There is evidence that security staff have been provided with training in restraining of a patient who is incapable of giving consent to medical treatment. Staff interviewed understand how and when to restrain patients who are not capable of giving consent to medical treatment.

Not Compliant

14.11 There are local procedures on Making a citizen's arrest. Security staff understand the scope of their role including the boundaries of their role and have been provided with appropriate information and training in Making a citizen's arrest.

Local procedures are available and meet the requirements of this chapter of the Security manual. There is evidence that security staff have been provided with training in Making a citizen's arrest. Staff interviewed understand their role and how and when to make a citizen's arrest.

Not Compliant

14.12 There are local procedures for Detaining Patients under the Mental Health Act 2007. Security staff understand the scope of their role including the boundaries of their role and have been provided with appropriate information and training in Detaining Patients under the Mental Health Act 2007.

Local procedures are available and meet the requirements of this chapter of the security manual. There is evidence that security staff have been provided with training in Detaining Patients under the Mental Health Act 2007. Staff interviewed understand how and when to detain patients under the Mental Health Act 2007.

Not Compliant

14.13 There are local procedures for Retrieving patients who are attempting to abscond from a facility. Security staff understand the scope of their role including the boundaries of their role and have been provided with appropriate information and training in Retrieving a patient who is attempting to abscond from a facility.

Local procedures are available and meet the requirements of this chapter of the Security manual. There is evidence that security staff have been provided with training in Retrieving a patient who is attempting to abscond from a facility. Staff interviewed understand how and when to retrieve a patient who is attempting to abscond from the facility.

Not Compliant

14.14 Security staff understand the scope of their role including the boundaries of their role and have been provided with appropriate information and training in Assumption of Care Orders.

There is evidence that security staff have been provided with training in Assumption of Care Orders. Staff interviewed understand their role where there is an Assumption of Care Order.

Not Compliant

14.15 There are local procedures which include roles and responsibilities when Searching Patients and Visitors and their property in accordance with this chapter of the security manual and include searching for weapons and other dangerous objects where the individual has consented. Security staff and clinicians understand the scope of their role including the boundaries of their roles and have been provided with appropriate information and training in Searching Patients and Visitors and their property. Conditions of Entry which is clear and appropriate is in place to make people aware of conditions when entering the facility.

Local procedures are available and outline the roles and responsibilities when searching patients and visitors and their property in accordance with this chapter of the security manual. There is evidence that security staff and clinicians have been provided with training in Searching Patients and Visitors and their property. Staff interviewed understand their role and how and when to search patients and visitors and their properties. Check whether the conditions of entry are in place and are clear and appropriate.

Not Compliant

14.16 There are local procedures that include roles and responsibilities when Searching Health Patients in accordance with this chapter of the Security manual. Security staff and clinicians understand the scope of their role including the boundaries of their role and have been provided with appropriate information and training in Searching mental health patients.

Local procedures are available and outline the roles and responsibilities when searching mental health patients in accordance with this chapter of the Security manual. There is evidence that security staff have been provided with training in Searching mental health patients. Staff interviewed understand their role and how and when to search mental health patients.

Not Compliant

14.17 There are local procedures which include roles and responsibilities when Accompanying patients being treated under the Mental Health Act and who are being transported between NSW Health Facilities in accordance with this chapter of the Security manual. It includes the requirement that risk assessments are done prior to transporting patients to limit the potential to become violent during transportation. Security staff understand the scope of their role including the boundaries of their role and have been provided with appropriate information and training.

Local procedures are available and outline the roles and responsibilities when accompanying patients being treated under the Mental Health Act and who are being transported between NSW Health Facilities in accordance with this chapter of the security manual. It includes the requirement for a risk assessment prior to transportation. Check a sample of de-identified risk assessments to ensure they are being done and are appropriate. There is evidence that security staff have been provided with training. Staff interviewed understand their role and how and when they can accompany patients being treated under the Mental Health Act 2007.

Not Compliant

14.18 There are local procedures which include roles and responsibilities when Escorting Individuals (non-patients) from NSW Health premises. An authority/delegation has been approved by the Chief Executive for NSW Health staff members to exercise judgment and action to escort individuals from NSW Health premises. Security staff and/or other delegates understand the scope of their role including the boundaries of their role and have been provided with appropriate information and training.

Local procedures are available and outline the roles and responsibilities when escorting individuals (non-patients) from NSW Health premises in accordance with this chapter of the Security manual. Authority/delegations approved by the Chief Executive in accordance with this chapter of the Security manual is available. Staff interviewed understand their role when escorting individuals (non-patients) from NSW Health premises.

Not Compliant

14.19 There are local procedures which include roles and responsibilities to manage issues associated with the identification, removal and retention of weapons or implements from patients. Security staff understand the scope of their role including the boundaries of their role and have been provided with appropriate information and/or training.

Local procedures are available and outline the roles and responsibilities to manage issues associated with the identification, removal and retention of weapons or implements from patients in accordance with this chapter of the security manual. There is evidence that security staff have been provided with information and/or training. Staff interviewed understand their role.

Not Compliant

14.20 There are local procedures which outline the roles and responsibilities when storing and disposing of weapons or implements that meet the requirements of this chapter of the security manual. Security staff understand the scope of their role including the boundaries of their role and have been provided with appropriate information and/or training.

Local procedures are in place that meet the requirements of this chapter of the Security manual. There is evidence that security staff have been provided with information and/or training. Staff interviewed know how and when to store and dispose of weapons or implements.

Not Compliant

Reference material for this section includes: Mental Health Act 2007, PD2017_043 Violence Prevention and Management Training Framework, Memorandum of Understanding with NSW Police Force, PD2015_004 Principles for Safe Management of Disturbed and/or Aggressive Behaviour and the Use of Restraint, PD2012_035 Aggression, Seclusion and Restraint in Mental Health Facilities in NSW, PD2015_004 Principles for the Safe Management of Disturbed and/or Aggressive Behaviour and the Use of Restraint, GL2015_007 Management of Patients with Acute Severe Behavioural Disturbance in Emergency Departments, PD2013_007 Child Wellbeing and Child Protection Policies and Procedures for NSW Health, Weapons Prohibition Act 1998, Inclosed Lands Protection Act 1901, GL2013_002 Management of NSW Police Force Officers' Firearms in Public Health Facilities and Vehicle, GL2013_011 Work Health and Safety - Other Workers Engagement

SECTION 3 SECURITY RISK CONTROLS IN PRIORITY AREAS

15A Security in the Clinical Environment - Part A Emergency Departments - Building design that complies with criteria is only audited once and then again if it changes when redesign/refurbishment occurs (it is highlighted in green)

15A.1 Risk assessments are undertaken in consultation with staff and other duty holders, that all reasonably foreseeable security risks associated with the Emergency Department environment are identified, assessed, eliminated where reasonably practicable, or where they cannot be eliminated, effectively minimised.

A current risk assessment is available which identifies, assesses and minimises or eliminates risks associated with the Emergency Department as required by this chapter of the manual. CCTV has been included as part of the risk assessment and the purpose of its location has been identified.

Not Compliant

15A.2 There is a documented process for staff to communicate to colleagues the risks presented by a patient.

There are documented processes in place which outline the roles and responsibilities in communication to colleagues about the risks presented by patients. There is evidence that staff have been trained and when interviewed are aware of the procedural requirements.

Not Compliant

15A.3 The Emergency Department complies as far as practicable with Parts B and C of the Australasian Health Facility Guidelines and with other NSW Health standards set out in NSW Health Policy Directives referenced in this chapter of the security manual.

Using the Australasian Health Facility Guidelines, parts B and C, check that the Emergency Department complies with the specifications/requirements. The Emergency Department also complies with other NSW Health Policy Directives referenced in this chapter of the security manual.

Not Compliant

15A.4 There are procedures in place which include the roles and responsibilities to effectively manage security risks, including any identified risk from the design/layout, developed in consultation with staff.

There are procedures in place which outline the roles and responsibilities to effectively manage security risks in accordance with this chapter of the Security manual. There is evidence that staff have been consulted in the development of the procedures. Staff have been provided training in the procedures. Staff are aware of the requirements of the procedures and their roles and responsibilities.

Not Compliant

15A.5 The main public entry access doors can be remotely locked/unlocked and use of CCTV is in accordance with this chapter of the security manual.
- Main public entry access doors can be locked/unlocked remotely and fitted with CCTV.
- CCTV provides a clear picture at all times of the day and night.
- CCTV is placed in accordance with this chapter of the security manual.
- CCTV cameras which both record and provide live view and provide a clear visual image of individuals are placed in waiting rooms and are positioned to prevent unauthorised access to treatment areas such as tailgating.
- Privacy issues have been taken into account in regards to the positioning of CCTV.

Check that ED main public entry doors can be locked/unlocked in accordance with this chapter of the security manual. Check that the CCTV in waiting rooms meets the requirements of this chapter of the security manual and privacy issues have been considered in regards to its position. Please note some criteria may already have been audited under Chapter 13.

Not Compliant

15A.6 CCTV live feeds are available at Emergency Department staff stations in accordance with the Security manual. Privacy issues have been taken into consideration when positioning CCTV and monitors.

Check that Emergency Department staff stations have live feeds available and appropriate to reduce safety risks. There is evidence that privacy issues were taken into consideration when positioning CCTV and monitors.

Not Compliant

15A.7 The waiting rooms in Emergency Departments meet the physical design in accordance with this chapter of the Security manual.

Waiting areas must:
• Be comfortable, decorated in muted colours and be free of unnecessary clutter.
• Have a clear path to commonly used amenities (e.g. phones, water and vending machines, toilets etc.).
• Have adequate lighting, seating, ventilation and temperature control.
• Have signage that clearly directs patients and carers to the reception area, triage and the waiting area.
• Be fitted with furnishings that cannot be moved and/or used to cause injury e.g. linked rows of seating.
• Have controlled access to clinical areas e.g. doors

Not Compliant

15A.8 There are local procedures in place that outline the roles and responsibilities in ensuring appropriate ongoing communication with patients (and carers) awaiting care in accordance with this chapter of the Security manual and NSW Health Policy Directive Emergency Patients Awaiting Care.

Communication strategies at a minimum must involve:
• Informing patients/carers at the time of triage what to do if their condition changes or they become concerned while awaiting care.
• If they are not allowed to eat or drink.
• Suitable alternatives to the Emergency Department.
• Regular advice on changed waiting times.

Staff have been provided information and/or training in the procedures. Staff interviewed are aware of the requirements and their responsibilities.

Not Compliant

15A.9 The Triage areas, interview rooms, write-up areas and staff stations meet the requirement of this section of the Security manual. The Australasian Health Facility Guidelines is referenced for any additional or new standards.

Physical design is in accordance with this chapter of the security manual and the AusHFG.
• Design does not create entrapment or concealment points:
  - Appropriate barriers where there is a protection requirement from violence, security of property/records, clinical privacy.
  - Two exit points.
  - Layout prevents patient position and furniture/equipment from blocking staff members' access to an exit route.
  - Speed of access/egress.
• Rooms have two doors and layout does not allow staff obstruction or interception by patients to escape to a safe area. Doors that lock have swipe card locks.
• Has fixed and/or mobile alarms, as appropriate. Fixed duress alarms are positioned to allow staff easy access.
• Windows with integrated blinds have safety glass.
• Are not in isolated areas, and are close to and in view of other staff.

Not Compliant

15A.10 The physical design of the treatment rooms meets the requirement of this section of the Security manual.

Every room, e.g. write-up areas, family examination / consultation rooms, has the following characteristics:
• Two exit points free from entrapment risks with layout allowing staff access to escape routes/safe areas without patient obstruction/interception. Doors that need to be locked have swipe card locks to allow rapid exit.
• Layout allows clinicians to face patients at all times, including positioning the desk, computer and telephone so clinicians don't turn their back to the patient to use the computer or other equipment. Computers can be on wheels.
• Fixed duress alarms supplement mobile duress alarms and are not used as alternatives.
• Are free of unsecured equipment that may cause injury lying in view.
• Windows and glass doors are constructed to be resistant to physical force i.e. used lamination, shatterproof film of security screens.
• Include dimensions that reflect NSW Health standards.
• Are only used for the designated purpose, including using for two patients when only designated for one.

Not Compliant

15A.11 The physical design of the open clinical treatment areas meets the requirement of this section of the Security manual.

Treatment areas (not rooms) have the following characteristics:
• Layout does not create entrapment or concealment risks. There is a line of sight from staff stations into all areas of the open plan clinical areas.
• Layout allows clinicians to face patients at all times. Desk, computer and telephone are positioned so clinicians don't turn their back to patients. Computers on wheels can be used.
• Adult and paediatric beds and amenities are separated.
• There is a separate safe area for assessing and managing patients with acute severe behavioural disturbances.
• There is lockable storage for equipment. Local practices involve the collection of all cutlery (metal and plastic) and sharps used in the treatment area immediately after use, or they are put in a safe area if they are not to be immediately removed from the workplace.

Not Compliant

15A.12 Staff only areas have signage clearly identifying these areas as staff only, are access controlled and are fitted with fixed duress alarms.

Staff-only areas e.g. meal rooms, tutorial rooms, offices, staff toilet and locker rooms have the following characteristics:
• Signage clearly identifies these areas as staff only areas.
• Are access controlled to ensure they are secured from patient access areas.
• Are fitted with fixed duress alarms.

Not Compliant

15A.13 Clinical areas for safe assessment of patients with Acute Severe Behavioural Disturbance meet the requirements of this chapter of the security manual.

Dedicated clinical areas in Emergency Departments (e.g. safe assessment rooms) are available to provide a safe area for assessing and managing Acute Severe Behavioural Disturbance patients. Clinical practices are consistent with NSW Health policy and in place to manage patients with ASBD. There is evidence that the clinical spaces are designed in consultation with staff, including mental health staff.

Not Compliant

15A.14 Clinical practices are consistent with NSW Health Policy on Safe Assessment Rooms and NSW Health guidelines GL2015_007 Management of Patients with Acute Severe Behavioural Disturbance in Emergency Departments

There are procedures in place to meet NSW Health Policy on Safe Assessment Rooms. Staff interviewed have been provided information and/or training in the procedures and are aware of the requirements.

Not Compliant

15A.15 Appropriate protocols have been implemented for admission, assessment and ongoing management and transfer of Patients who may have or may develop Acute Severe Behavioural Disturbance as required by the Security manual.

Documented protocols have been implemented in accordance with the security manual and in consultation with staff. Staff have been provided with training and/or information. Staff interviewed are aware of the protocols.

Not Compliant

15A.16 Clinical protocols to prevent and manage violence are in place as required by the Security manual.

Documented protocols have been implemented in accordance with the security manual and in consultation with staff. Staff have been provided with training and/or information. Staff interviewed are aware of the protocols.

Not Compliant

Reference material for this section includes: Australasian Health Facility Guidelines, PD2010_033 Children and Adolescents - Safety and Security in NSW Acute Health Facilities, PD2013_007 Child Wellbeing and Child Protection Policies and Procedures for NSW Health, GL2015_007 Management of patients with Acute Severe Behavioural Disturbance in Emergency Departments, GL2013_012 Sexual Safety of Mental Health Consumers Guidelines, Australian Standard Security for health care facilities, Health Infrastructure Guideline for the design of Safe Assessment Rooms/Areas.

SECTION 3 SECURITY RISK CONTROLS IN PRIORITY AREAS

15B Security in the Clinical Environment - Part B Other Clinical Areas - Building design that complies with the criteria is audited only once, and then again only if it changes through redesign/refurbishment (it is highlighted in green)

15B.1 Risk assessments are undertaken in consultation with staff and other duty holders to ensure that all reasonably foreseeable security risks associated with the clinical environment (other than the emergency department) are identified, assessed, eliminated where reasonably practicable, or where they cannot be eliminated, effectively minimised.

A current risk assessment is available which identifies, assesses and minimises or eliminates risks associated with the clinical environment as required by this chapter of the manual. CCTV has been included as part of the risk assessment and the purpose of its location has been identified.

Not Compliant

15B.2 There is a documented process for staff to communicate to colleagues the risks presented by a patient.

There are documented processes in place which outline the roles and responsibilities in communication to colleagues about the risks presented by patients. There is evidence that staff have been trained and when interviewed are aware of the procedural requirements.

Not Compliant

15B.3 The physical design in the clinical environment (excluding the Emergency Department) complies with Parts B and C of the Australasian Health Facility Guidelines and with other NSW Health standards set out in NSW Health Policy Directives referenced in this chapter of the security manual.

Using the Security Manual and the Australasian Health Facility Guidelines, Parts B and C, check that the clinical environment complies with the specifications/requirements.

Not Compliant

15B.4 Procedures have been developed in consultation with staff and other duty holders to effectively manage security risks in every clinical area as required by this chapter of the Security manual.

Procedures have been implemented which outline the roles and responsibilities to effectively manage security risks in clinical areas. There is evidence of consultation with staff and other duty holders. Staff interviewed are aware of the procedures.

Not Compliant

15B.5 Clinical protocols are in place to manage potential or actual violence.

The roles and responsibilities have been documented, there is evidence that clinical protocols are in place and are appropriate to the level of risk. There is evidence that staff have been trained in the protocols.

Not Compliant

15B.6 The physical design of key clinical areas meets the requirement of this section of the security manual. The Australasian Health Facility Guidelines are referenced for any additional or new standards.

Check the physical design is in accordance with this chapter of the security manual and the Australasian Health Facility Guidelines.

Not Compliant

15B.7 The physical design of interview rooms, write up areas, staff stations and examination/consultation areas meets the requirement of this section of the security manual. The Australasian Health Facility Guidelines is referenced for any additional or new standards.

Check the physical design is in accordance with this chapter of the security manual and the Australasian Health Facility Guidelines.

Not Compliant

15B.8 The facility is compliant with the requirements set out in this chapter of the manual for Meal rooms, offices and toilets.

Using this chapter of the security manual check that the Clinical Environments comply with the requirements set out in the manual.

Not Compliant

15B.9 Clinical protocols to prevent and manage violence are in place as required by the Security Manual.

Documented protocols have been implemented in accordance with the security manual and in consultation with staff. Staff have been provided with training and/or information. Staff when interviewed are aware of the protocols.

Not Compliant

15B.10 The following requirements outlined in the Security manual have been implemented to Respond to Needs of People with Disability:
- Pre-admission planning for disability support of a patient with disabilities.
- Staff communication with carers of the person with disabilities.
- Protocols for having present a person known by patients with intellectual disabilities.
- Completion of Transfer of Care Risk assessment where a person with disabilities is a non-planned admission through the Emergency Department.

Documented protocols are in place as required. Staff have been provided with information and/or training in the protocols. Staff when interviewed are aware of the protocols.

Not Compliant

15B.11 Appropriate protocols have been implemented for assessment and ongoing management of Patients who may have or may develop Acute Severe Behavioural Disturbance as required by the Security manual.

The protocols have been documented in consultation with staff. Staff have been provided with information and/or training. Staff when interviewed are aware of the protocols.

Not Compliant

15B.12 There are sufficient staffing levels and skill mix to provide prompt clinical care in accordance with this chapter of the security manual.
- Staffing levels are adequate at all times including at times of peak activity to reduce the risk of violence from patients and visitors.
- Staffing levels and skill mix are adequate to allow early recognition of potential violence to deter violence and respond adequately.
- There is adequate staffing so no-one works in isolation.

There are documented procedures which include roles and responsibilities to ensure that staffing is appropriate and in accordance with this chapter of the security manual. Those rostering staff are aware of the requirements and rosters checked are in accordance with this chapter of the security manual.

Not Compliant

Reference material for this section includes: Australasian Health Facility Guidelines, PD2010_033 Children and Adolescents - Safety and Security in NSW Acute Health Facilities, PD2013_007 Child Wellbeing and Child Protection Policies and Procedures for NSW Health, GL2013_012 Sexual Safety of Mental Health Consumers Guidelines, Security for health care facilities standard.

16 Working in the Community

16.1 All reasonably foreseeable security risks associated with working in the community are identified, assessed, eliminated where reasonably practicable or effectively minimised in consultation with staff and other duty holders.

A current risk assessment is available which identifies, assesses and eliminates or minimises the risk of staff working in the community. The risk assessment was undertaken in consultation with staff, evidence of consultation can be minutes of meetings, toolbox talks, etc.

Not Compliant

16.2 The process for working in the community is documented.

Documentation such as safe work procedures has been developed and implemented for risks that could not be eliminated. There is evidence of consultation with staff during the risk assessment and the development of documentation.

Not Compliant

16.3 Staff working in the community have access to appropriate field equipment and effective communication devices at all times.

Staff have access to field equipment and effective communication devices. The equipment is appropriate, is maintained as per manufacturers' requirements and is available at the required times. Training and information has been provided. Staff are aware of the procedures and can show how the communication devices are used.

Not Compliant

16.4 Staff do not carry out home visits alone where there is a history of violence by either the patient or other residents in the home, or the risk of violence is unknown.

There is a documented system in place to identify patients or other residents that may be violent and to provide this information to staff who carry out home visits. The documented system includes the requirement that staff members carrying out visits to those residents must not do so alone. Staff are aware of the requirements and there is evidence of compliance with all criteria. There is an appropriate level of resources in order that staff are accompanied when carrying out a home visit where there is a history of violence or the risk of violence is unknown.

Not Compliant

16.5 The requirements for working in the community - Preparing for Community Visits set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented, or if other risk controls have been implemented, there is evidence that these controls are more appropriate.

Not Compliant

16.6 The requirements for working in the community - Prior to Leaving Base set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented, or if other risk controls have been implemented, there is evidence that these controls are more appropriate.

Not Compliant

16.7 The requirements for working in the community - During Community Visits set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented, or if other risk controls have been implemented, there is evidence that these controls are more appropriate.

Not Compliant

16.8 The requirements for working in the community - At the Conclusion of Community Visits set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented, or if other risk controls have been implemented, there is evidence that these controls are more appropriate.

Not Compliant

16.9 The requirements for working in the community - After Hours Visits in the Community set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented, or if other risk controls have been implemented, there is evidence that these controls are more appropriate.

Not Compliant

16.10 The requirements for working in the community - Working in Isolated Clinics and Community Health Centres set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented, or if other risk controls have been implemented, there is evidence that these controls are more appropriate.

Not Compliant

16.11 The requirements for working in the community - When Confronted with Violent or Potentially Violent Behaviour set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented, or if other risk controls have been implemented, there is evidence that these controls are more appropriate.

Not Compliant

16.12 The requirements for working in the community - Field Communication Technology set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented, or if other risk controls have been implemented, there is evidence that these controls are more appropriate.

Not Compliant

Reference Material for this section includes: The provision of an effective communication device for community nurses and midwives is a requirement of the Public Health Nurses’ and Midwives’ (State) Award 2015 clause 22.

17 Security in Rural and Remote Health Services

17.1 Risk assessments are undertaken to identify and consider the factors specific to rural and remote workplaces when ensuring, in consultation with staff and other duty holders, that all reasonably foreseeable security risks are identified, assessed, eliminated where reasonably practicable or, if they cannot be eliminated, minimised and the process appropriately documented. Staff accommodation, where provided, is included in the facility risk management process.

There is a current risk assessment which takes into consideration the requirements set out in this chapter of the Security manual. There is evidence of consultation with staff and other duty holders where required. Staff accommodation has been taken into consideration where it has been provided.

Not Compliant

17.2 The controls outlined in the risk assessment have been implemented and meet the requirements of this chapter of the manual.

Safe work practices and equipment to support the identified controls are available, current, maintained and reviewed on an ongoing basis. There is evidence that staff have been trained in the safe work practices and equipment.

Not Compliant

17.3 Field Communication Technology is available for staff working in rural and remote locations.

The appropriate communication devices are available, are in working order and are maintained as per manufacturers' instructions. There is evidence that staff have been trained in their use. The quantity of communication devices available is appropriate to the level of risk.

Not Compliant

Reference Material for this section includes:

18 Security in Pharmacies - Building design that complies with the criteria is audited only once, and then again only when it changes through redesign/refurbishment (it is highlighted in green)

18.1 A risk assessment has been undertaken of Pharmacy(ies) in consultation with staff and other duty holders as required by the Security Manual.

Risk Assessment is available for pharmacies that takes into consideration:
- Accessibility via window or door breaches.
- Security of the drugs safe and storage.
- Ability to detect intrusion – intruder alarms.
- Accessibility of the pharmacy from the roof and availability of access to the roof.
- Security of staff including duress alarms, duress response and CCTV.
- Ability to control and identify persons accessing pharmacy, e.g. by visual identification or card access.
There is evidence that consultation has occurred; this could be noted in the risk assessment, minutes of meetings, emails, etc. There is evidence that the risk assessment has been reviewed and is effective.

Not Compliant

18.2 Processes are appropriately documented and effective procedures are developed and implemented.

There are documented procedures as required by the minimum standards outlined in this section. There is evidence that staff have been trained or informed of the procedures. Staff interviewed are aware of the requirements outlined in the procedures.

Not Compliant

18.3 Construction of Pharmacy is in accordance with requirements of Australasian Health Care Facility Guidelines.

Floor and ceilings of the pharmacy are constructed out of solid material. Walls are extended to the underside of the floor slab above to prevent any intrusion over the wall or from the ceiling cavity. Windows are minimal. The design reflects the controls identified through the risk assessment.

Not Compliant

18.4 The requirements for security in pharmacies set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented for security in pharmacies, or if other risk controls have been implemented, there is evidence that these controls are more appropriate.

Not Compliant

Reference Material for this section includes: Australasian Health Facilities Guideline

19 Security in Car Parks

19.1 Car parks are designed and located for maximum security for staff, patients and visitors as far as practicable.

A documented risk assessment has been undertaken in consultation with staff to ensure the car parks are designed to ensure maximum security for staff, patients and visitors so far as is practicable. If not, then check that the risk assessment addresses any risks identified through the design process.

Not Compliant

19.2 All reasonably foreseeable security risks associated with car parking are identified, assessed, where reasonably practicable eliminated or, where they cannot be eliminated, effectively minimised.

Risk controls have been implemented for identified risks that could not be eliminated. Refer to the risk assessment when auditing this section to ensure that all controls have been implemented.

Not Compliant

19.3 There are documented car park security procedures implemented, including appropriate lighting levels, access control, CCTV surveillance, signage and after-hours access and a good line of sight so that persons approaching can clearly be seen.

Documented procedures are available and current. Staff have been trained in the procedures and when interviewed are aware of their content.

Not Compliant

19.4 Car spaces are allocated for afternoon and night shift staff, where reasonably practicable.

There is an allocation of car park spaces for afternoon and night shift staff. If there are no allocated car park spaces, it is reasonably practicable not to do so.

Not Compliant

Additional Reference Material for this section includes:

20 Security of Property

20.1 The risk assessment for theft and wilful damage has been identified, assessed, eliminated where reasonably practicable or, where it cannot be eliminated, effectively minimised. Where the controls are not already known.

Controls are in place to eliminate or mitigate the risk of theft and wilful damage.

Not Compliant

20.2 There is a documented system in place to report every case of property theft and wilful damage to the police.

There is a documented system in place to report every case of theft and wilful damage to the police. Staff have been provided with information and/or trained and when interviewed understand the requirements for reporting theft. There is evidence that theft and damage have been reported. Check IIMs or other reporting requirements to identify what theft and damage has occurred and then whether it has been reported.

Not Compliant

20.3 The requirements for Security of Property as set out in the Security manual have been implemented. This includes keeping assets and property registers up-to-date, identifying assets with unique physical markings, storing items that attract theft in locked areas, enforcing an effective key control program, utilising CCTV monitoring, etc.

There is evidence that the requirements have been implemented for Security of Property (first general section of the manual), or if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements.

Not Compliant

20.4 The requirements for Engineering/Maintenance as set out in the security manual have been implemented.

There is evidence that the requirements have been implemented, or if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements.

Not Compliant

20.5 The minimum standard requirements for Transport as set out in the Security manual have been implemented. Please note that while theft and damage to transport would be medium risk, patient transportation should be considered a higher risk.

There is evidence that the requirements have been implemented, or if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, staff have been trained and when interviewed understand the requirements.

Not Compliant

20.6 The requirements for Laundry as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

20.7 The requirements for Catering as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

20.8 The requirements for Stores as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

20.9 The requirements for Administration as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

20.10 The minimum requirements for Mail Deliveries as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

20.11 The requirements for Cash Handling as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

20.12 The requirements for Patients' Property as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

20.13 The requirements for Staff Property as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

Reference Material for this section includes:

21 Security of Information

21.1 Risk assessments are undertaken, in consultation with staff and other duty holders, to ensure that all reasonably foreseeable security risks associated with the protection of information and material (including electronic information) from unauthorised disclosure are identified, assessed, eliminated where reasonably practicable or, where they cannot be eliminated, effectively minimised.

A risk assessment which identifies current risks in regard to the protection of information and material is available; the risks have been assessed and have been either eliminated or, where it is not practicable to eliminate them, minimised. There is evidence of consultation with staff and other duty holders; this could be included as part of the risk assessment or through minutes of meetings, toolbox talks, etc.

Not Compliant

21.2 Procedures/effective plans have been developed and implemented which ensure compliance with relevant legislation, information security standards and Government policy.

Procedures/effective plans have been implemented as a result of the risk assessment and consultation which ensure compliance with relevant legislation, information security standards and Government policy. Staff have been provided information or training in the procedures and there is evidence of compliance.

Not Compliant

21.3 The requirements for Security of Information as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented for Security of Information (first general section of the manual); if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

21.4 Security of Personal Health Information has appropriate security safeguards to prevent unauthorised use, disclosure, loss or other misuse.

There is evidence that the security safeguards implemented are appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

21.5 The requirements for Security of Equipment as set out in the Security manual have been implemented.
- Access to information is password protected.
- Equipment is appropriately and securely stored.
- Equipment is only left in cars where absolutely necessary.
- Computer system servers are located in secure, climate controlled locations off public corridors.
- All records are removed from equipment prior to disposal.

There is evidence that the minimum standards have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

21.6 The requirements for Labelling Information as set out in the Security manual have been implemented.
- Sensitive official information is protected from unauthorised access.
- Labels are used to mark such information.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

21.7 The requirements for Disposal of Information as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

Reference Material for this section includes:
- The Privacy Manual for Health Information (March 2015) provides guidance material to assist NSW Health Agencies to comply with the security requirements established in the Health Records and Information Privacy Act 2002.
- NSW Health Policy Directive PD2013_033 Electronic Information Security Policy
- Department of Premier & Cabinet Circular M2012-15 Security of Electronic Information
- General Disposal Authority No.17: Public health services: Patient/Client records (available from State Records NSW at www.records.nsw.gov.au)
- Standards: information security management
  - ISO/IEC AS/NZS 27001: 2006 – Information Technology: Security Techniques Information Security Management Systems
  - AS/NZS ISO/IEC 27005:2012 - Information technology - Security techniques - Information security risk management
- The Department of Premier & Cabinet Circular 2002/69 Status - Archived (Guide to Labelling Sensitive Information) provides standards for the preparation, handling, removal, auditing, copying, storage, disposal and transmission of sensitive information and should be utilised by NSW Health Agencies when developing local procedures. The absence of a sensitivity label means that official information continues to be handled in accordance with existing NSW Health Agency practices, including compliance with the Government Information (Public Access) Act 2009.

22 Security of Medical Gases

22.1 Risk assessments are undertaken to ensure, in consultation with staff and other duty holders, that all reasonably foreseeable security risks associated with storing and piping medical gases are identified, assessed, eliminated where reasonably practicable or, where they cannot be eliminated, effectively minimised. Medical gases can take the form of gas cylinders of a range of sizes including bulk tanks, and gas delivery plant and piping.

A risk assessment that is current is available which identifies reasonably foreseeable security risks associated with storing and piping medical gases. There is evidence of consultation which can be included as part of the risk assessment, minutes of meetings, toolbox talks, etc.

Not Compliant

22.2 The process is appropriately documented and effective procedures are developed and implemented.

Documentation such as safe work procedures has been developed and implemented for risks that could not be eliminated. There is evidence of consultation with staff during the risk assessment and the development of documentation.

Not Compliant

Staff when interviewed are aware of the requirements.

22.3 The requirements for Security of Medical Gases as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented for Security of Medical Gases (first general section of the manual); if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

22.4 The requirements for Bulk Medical Gas Storage as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

22.5 The requirements for Storage of Portable Cylinders of Medical Gases as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

22.6 The requirements for Portable Medical Gas - storage at a Ward level as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

22.7 The requirements for Transport of Medical Gas Cylinders as set out in the Security manual have been implemented.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place, and staff have been trained and, when interviewed, understand the requirements.

Not Compliant

Reference Material for this section includes: Dangerous Goods (Road and Rail Transport) Regulation 2014

23 Security of Radioactive Substances

23.1 NSW Health Agencies are required to ensure, in consultation with staff and other duty holders, that all reasonably foreseeable security risks associated with radioactive substances are identified, assessed, eliminated where reasonably practicable or, where they cannot be eliminated, effectively minimised. NSW Health Agencies are required to ensure that the process is appropriately documented and effective procedures are developed and implemented.

A risk assessment that is current is available and identifies reasonably foreseeable security risks associated with radioactive substances. Documentation such as safe work procedures has been developed and implemented for risks that could not be eliminated. There is evidence of consultation with staff in the undertaking of the risk assessment and the preparation of procedures and other documentation. Staff when interviewed are aware of the requirements.

Not Compliant

23.2 Stores (including waste stores) are properly marked with approved warning signs, and regulations regarding their use are posted at access points.

Documentation includes the requirement to properly mark radioactive substances according to the criteria. Staff are aware of the requirements. Check that signage and warning signs comply with the requirements.

Not Compliant

23.3 Access to any storage areas is restricted by use of doors, locks, barriers and signs. Sources are secured against unauthorised removal and tampering.

Storage areas comply with the outlined criteria.

Not Compliant

23.4 Access control procedures are developed and implemented.

Access control procedures are in place. Staff are aware of the requirements and evidence of compliance is available.

Not Compliant

23.5 Records of the location of radioactive substances and irradiating apparatus are maintained.

Records are available and are current.

Not Compliant

23.6 Records are kept of all radioactive substances discharged from the premises which include the following information:
- The type of radioactive substances discharged.
- The estimate of the total activity of the radioactive substances discharged.
- The manner in which the radioactive substances were discharged.
- The date on which the radioactive substances were discharged.

There is a documented system for the discharge of radioactive substances from the premises. Staff are aware of the requirements and there is evidence of compliance.

Not Compliant

23.7 Any loss or theft of radioactive material, as required by the Radiation Control Regulation 2013, is reported to:
- The officer responsible for radiation safety.
- The Chief Executive Officer or Facility Manager.
- The Secretary of the Ministry of Health.
- Police and Radiation Control Section, Environment Protection Authority.

Note: In emergency situations involving suspected or actual damage, spillage, loss or theft of radioactive substances contact the Radiation Control Section of the Environment Protection Authority.

There is a documented system which outlines the roles and responsibilities for reporting the loss or theft of radioactive material as required by the Radiation Control Regulation 2013. There is a safe work procedure on the loss of containment of radioactive material and it includes contacting the EPA. Staff are aware of the requirements. Check for evidence of compliance if there is a record of loss or theft of radioactive material.

Not Compliant

23.8 Local radiation safety manuals include a section on the security of radioisotopes used and/or stored in those facilities. All radioisotopes used or stored within a facility and their subsequent disposal must be recorded in a register. No unauthorised access to radioisotopes is to be permitted.

A current radiation safety manual has been implemented and includes a section on the security of radioisotopes. There is a register that includes information about radioisotopes used or stored within the facility and the subsequent disposal. There is a system in place to restrict access to radioisotopes only to authorised personnel. Staff are aware of the requirements and there is evidence of compliance.

Not Compliant

Security during Transportation of Radioactive Substances

23.9 Only authorised persons undertake the escort of radioactive substances when being transported within an organisation.

There is a system in place for the transportation within the organisation of radioactive substances by only authorised persons. Staff are aware of the requirements and evidence of compliance is provided.

Not Compliant

23.10 When radioactive substances are transported by road, the transport needs to be in accordance with the legal requirements as per Section 36 of the Radiation Control Regulation 2013 and the Safe Transport of Radioactive Material Code of Practice – 2008 (Australian Radiation Protection and Nuclear Safety Agency).

There is a documented system in place that sets out the requirements for the transportation of radioactive substances by road according to the outlined criteria. Staff are aware of the requirements and there is evidence of compliance where radioactive substances have been transported.

Not Compliant

Reference Material for this section includes:

SECTION 4 SECURITY RISK CONTROLS IN UNPLANNED EVENTS

24 Fire Evacuation and Other Emergencies

24.1 Risk Assessments are undertaken in consultation with staff and other duty holders, to ensure that all reasonably foreseeable security risks associated with fire and other events that may result in evacuation or significant upheaval are identified, assessed, eliminated where reasonably practicable or, where they cannot be eliminated, effectively minimised. Risk assessments take into account:
- Accounting for staff, patients and others evacuated.
- Securing evacuated patients that may be at risk of harm or absconding.
- Securing evacuated patients in custody, scheduled, with cognitive deficits and children/babies.
- Directing Fire Brigade.
- Operating emergency communication equipment.
- Possibility that fire is a diversionary tactic for criminal activity.
- Theft of assets, property damage and looting.
- Controlling crowds.

A current risk assessment is available that has identified risks associated with fire and other events that may result in evacuation or significant upheaval. There is evidence that it has been undertaken in consultation with staff and other duty holders. The requirements set out in this chapter have been taken into consideration. Evacuation Plans have been developed and are current, taking into account the specific requirements of each department, e.g. Emergency Department, Mental Health Units, Maternity. Evacuation plans are monitored, reviewed and revised as required.

Not Compliant

24.2 Procedures have been developed in accordance with the risk assessment to manage security during fires or other emergencies that may affect a facility.

There are documented procedures in place to manage security in the event of a fire or other emergencies. There is evidence that staff have been provided with training. There is evidence that the effectiveness of the procedures is reviewed and monitored at a frequency appropriate to the level of risk.

Not Compliant

24.3 Business Continuity Plans have been prepared and incorporate the fire evacuation and other emergencies procedures.

Business Continuity Plans are available and incorporate fire evacuation and other emergencies procedures.

Not Compliant

24.4 Procedures at facility level have been developed that outline the steps of what to do in the event of a fire or other emergency.

Local procedures are available and include:
- Details on who should be contacted in the event of a fire or other emergency and when this contact should occur.
- The specific role of NSW Health Agency staff and emergency services. This includes the roles of unit staff, e.g. paediatric unit.
- A nominated emergency coordinator and deputies (in the absence of the coordinator).
- Guidelines on the use of fire equipment.
- The evacuation plan (including priority for the removal of patients).
- Details on assembly points.

There is evidence that staff have been trained in the procedures. There is evidence that the effectiveness of the procedures is reviewed and monitored at a frequency appropriate to the level of risk.

Not Compliant

Reference Material for this section includes: PD2010_024 Fire Safety in Health Care Facilities

25 Bomb Threat/Terrorist Threat

25.1 Risk assessments are undertaken, in consultation with staff, other duty holders and response agencies, to ensure that all reasonably foreseeable security risks associated with receiving explosive devices, National Security Threat Level rating or terrorist threats are identified, assessed, eliminated where reasonably practicable or, where they cannot be eliminated, effectively minimised.

There is a current documented risk assessment with evidence that consultation has been undertaken with staff, other duty holders and response agencies to assess the risks associated with receiving explosive devices, terrorist threats and to respond to changes to the National Security Threat Level.

Not Compliant

25.2 Procedures have been developed in accordance with the risk assessment and the Security manual. They include the assessment and management of potential threats to persons and service delivery and of security issues arising from the threats, and are consistent with the Australian Standards Codes for Emergencies. The procedures include NSW Health workplaces located away from a hospital campus. Training has been provided specific to the roles.

Procedures which include roles and responsibilities are in place in accordance with the risk assessment and this chapter of the security manual. Staff training plans include the appropriate training to meet the requirements and are job specific. Training has been provided according to the plans.

Not Compliant

25.3 The requirements as set out in Security and Housekeeping of this chapter of the Security manual are in place. This includes risk assessment and the implementation of procedures. This includes but is not limited to:
- Good quality door fittings, locks and alarms.
- Restrictions to entry/exit points.
- Assessments for the need to install surveillance equipment.
- Registration and identification procedures.
- Emergency lockdown procedures.
- Daily physical security inspections and surveys.
- Utilising NSW Police and security professionals to assist in assessing threat to the workplace.
- Organisational storage practices and workplace cleanliness.
- Secure buildings, rooms and storage areas not in regular use.

There are documented procedures which include roles and responsibilities to meet the requirements of this chapter of the Security manual. The requirements as set out have been implemented, including appropriate door fittings, locks and alarms; entry/exit points are restricted; surveillance is in accordance with the assessment, which is available; and there is a procedure for registration and identification. Daily physical security inspections and surveys are undertaken. Emergency lockdown procedures are in place and there is a test regime. Staff interviewed are aware of their local security and housekeeping arrangements and procedures.

Not Compliant

25.4 A documented program has been implemented to routinely undertake security checks (white level checks) where the government security alert is at probable or above as set out in the manual. The program includes the protocol for keeping informed about National Security Level rating movement and the procedures to respond when the threat rises to Probable, Expected or Certain.

A documented system is available and meets the requirements set out in the manual. The documented system includes the protocol for keeping informed of National Security Level ratings.

Not Compliant

25.5 Routine security checks in the workplace (white level inspections) have been implemented: - Staff have been provided with instruction on how to carry out a white level inspection. - They occur at the start of each shift. - Staff conduct a visual check of their work areas. - Staff advise the outcome of the inspection to their manager.

There is evidence that staff have been provided with instruction on carrying out white level inspections. There is evidence of training and staff interviewed are aware of the requirements. Training includes the HETI on-line training "white level inspection". There is evidence that white level inspections have been carried out.

Not Compliant

25.6 There are procedures in place in accordance with this chapter of the Security manual which outline the roles and responsibilities in the event of a Bomb Threat or Threatening Telephone call. The procedures are consistent with the AS4083 Australian Standard on planning for emergencies in health care facilities for Code Purple. Staff have been provided with training specific to their role.

A procedure has been implemented in accordance with this chapter. There is evidence that staff have been provided training specific to their roles. Staff interviewed are aware of what they need to do.

Not Compliant

25.7 Procedures are in place for Identifying and Handling Suspicious Items in accordance with this chapter of the security manual.

A procedure has been implemented in accordance with this chapter. There is evidence that staff have been provided training specific to their roles. Staff interviewed are aware of what they need to do.

Not Compliant

Reference Material for this section includes: AS4083 Planning for Emergencies in Health Care Facilities, PD2013_006 Injury Management and Return to Work, PD2014_004 Incident Management Policy, Bomb: Defusing the Threat (Australian Bomb Data Centre), PD2017_026 Clinical and Related Waste Management for Health Services

26 Violence

26.1 Risk assessments are undertaken in consultation with staff and other duty holders to ensure that all reasonably foreseeable risks associated with violence are identified, assessed, eliminated where reasonably practicable or, where they cannot be eliminated, effectively minimised and that the process is appropriately documented.

A current risk assessment is available that has identified risks associated with violence. There is evidence that the assessment has been undertaken in consultation with staff and other duty holders. The requirements set out in this chapter of the Security manual have been met.

Not Compliant

26.2 Procedures have been developed in accordance with the risk assessment. Procedures include the requirement that in isolated facilities/units a minimum of two nurses or midwives must be rostered on each shift and, if a second nurse or midwife is not available, then a security staff member, Health and Security Assistant or other appropriate personnel must be made available. Procedures similar to those for nurses/midwives working in isolation are implemented for community health staff who attend patients in isolated circumstances or in locations without ready access to support.

Procedures are in place in line with the risk assessment and must include the requirements for minimum staffing in isolated facilities/units. For example a unit located in a separate building, a unit separated from other units by administration or storage areas (areas not occupied 24/7), a nurse working alone in a unit separated from other units by closed doors, a community or hospital-in-the-home nurse working alone where there may be a potential threat from patient/family/visitors. There is evidence in isolated facilities/circumstances that the requirement set out for nurses/midwives is complied with. There is evidence that training has been provided to staff. Staff interviewed are aware of the requirements.

Not Compliant

26.3 The minimum requirements for Providing Secure Staff Accommodation as set out in the manual have been met. - Access is limited to staff accommodation by key or card control access. - Surroundings, parking areas and paths between the facility and accommodation are well lit with good line of sight where a person could hide where possible. - Windows, doors and locks can be properly secured.

Where staff are provided with accommodation, there is evidence that the requirements set out in the manual have been met.

Not Compliant

26.4 The requirements for Responding to Violent Behaviour as set out in the Security manual have been met.

There is evidence that the requirements have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place and there is evidence that staff have been trained. Staff interviewed understand the requirements.

Not Compliant

26.5 The requirements for Managing personal threats against individual staff members as set out in the Security manual have been met.

There is evidence that the requirements outlined in the Security manual have been implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. There are documented procedures in place and there is evidence that staff have been trained. Staff interviewed understand the requirements.

Not Compliant

Reference Material for this section includes:

27 Armed Hold-up

27.1 Risk assessments are undertaken, in consultation with staff and other duty holders, to ensure that all reasonably foreseeable risks associated with threats with weapons are identified, assessed, eliminated where reasonably practicable or, where they cannot be eliminated, effectively minimised.

A current risk assessment is available that has identified risks associated with threats with weapons. There is evidence that the assessment has been undertaken in consultation with staff and other duty holders. The risk assessment includes assessment of all vulnerable areas, including but not limited to banks and retail outlets on site, ATMs, Emergency Departments, wards that could be perceived as having drug stores, community service staff and vehicles that could be perceived as carrying drugs, pharmacies, pharmaceuticals storage areas and cashiers' counters. The other requirements set out in this chapter of the Security manual have been met.

Not Compliant

27.2 Procedures have been implemented as a result of the risk assessment which takes into consideration the standards set out in the Security manual which includes the consultation of staff, security and WHS experts for the response to and management of incidents involving weapons including armed hold-ups.

Procedures are available that meet the requirements of the Security manual. There is evidence that consultation has occurred with staff and the relevant experts. Staff have been provided with training in the procedures and when interviewed are aware of the requirements.

Not Compliant

27.3 Local procedures are implemented which include the Security manual requirements for What to do in the Event of an Armed Hold-up in progress.

Documented local procedures are in place which were developed in consultation with staff. Staff have been provided with information and/or training. Staff interviewed are aware of the requirements.

Not Compliant

27.4 Local procedures are implemented which include the Security manual requirements for What to do immediately after an Armed Hold-up.

Documented local procedures are in place which were developed in consultation with staff. Staff have been provided with information and/or training. Staff interviewed are aware of the requirements.

Not Compliant

Reference Material for this section includes: AS4083 Planning for Emergencies in Health Care Facilities

28 Use of Weapons by Security Staff

28.1 There are practical violence risk control strategies identified through a risk assessment process in consultation with staff and other duty holders that excludes the use of any weapons, including batons and handcuffs.

Practical violence risk control strategies have been identified that exclude the use of any weapons, including batons and handcuffs. There is evidence that staff and other duty holders were consulted.

Not Compliant

Reference Material for this section includes:

29 Code Black Arrangements

29.1 A Code Black response plan has been developed in consultation with staff for all workplaces and implemented. It provides a timely and effective response to Code Black situations (including response to duress alarms). It meets the requirements of this chapter of the Security manual and it contains the elements set out in Appendix 29.1.

A duress response plan is available, includes the roles and responsibilities of all staff and there is a mechanism to review the plan on a regular basis. The plan meets the requirements of this chapter of the security manual and Appendix 29.1. - There is evidence that it has been reviewed. - The plan includes escape routes and safe havens. - Staff have been provided with information about the plan. - PPE such as duress alarms has been provided as appropriate. - Staff have been provided with information and/or training on commencement. - Staff interviewed are aware of the requirements and their specific roles. There is evidence of consultation.

Not Compliant

29.2 The Code Black Response is regularly tested via drills and a record of drills maintained. Code Black Response Team receive training together to ensure an understanding of roles, particularly as it relates to restraint.

Records are available of Code Black Response Drills and show that response is tested regularly. The drills are physical drills. There is evidence of Code Black Response Team undertaking training together. Code Black Response Team staff interviewed are aware of the requirements for response.

Not Compliant

29.3 The requirements for Code Black responders as set out in this chapter of the manual have been met. - Code Black responders who can cease their duties to respond when needed are identified for every shift. - The Code Black response involves a multi-disciplinary team with sufficient numbers of clinical and security or other personnel. - The Code Black Response Team includes a delegated clinical leader and an agreed assembly point to muster prior to entering the area. - During mustering roles for response are discussed and clear, e.g. who will bring Code Black Kit, who will communicate with treating clinicians, etc. - The clinical team leader is responsible for ensuring the individual's airway is maintained where restraint is needed. - It includes responsibilities of managers such as to ensure staff have the skills and training required, staff are available to respond, staff are provided with post incident assistance and that incidents are reviewed.

There is evidence that the requirements set out in the chapter have been met and implemented; if other risk controls have been implemented, there is evidence that these controls are more appropriate. - There are documented procedures in place. - Code Black Response Team members interviewed can outline the process for responding.

Not Compliant

29.4 The Code Black response identifies responsibilities for all staff as set out in this chapter. It includes: - Use of personal protective equipment, safe havens and escape routes. - Attending training in violence prevention and management. - Fulfilling roles and responsibilities during Code Black. - Documenting involvement in the Code Black incident. - Participating in any operational review and debriefing. - Cooperating with procedural changes.

The responsibilities of staff as required have been clearly stated. There is evidence that staff have been trained in the requirements. Staff interviewed are aware of their responsibilities.

Not Compliant

29.5 The Code Black response plan incorporates the management of post incident issues and the recording of the details of the code black call and the response provided. It includes a post incident investigation and operational debrief to consider information from all staff involved in the incident.

The code black response plan includes the management of post incident issues. There is evidence that code black calls are recorded and a post incident investigation has occurred in accordance with the Security manual.

Not Compliant

Reference Material for this section includes: PD2014_004 Incident Management Policy

30 Effective Incident Management

30.1 The mandatory standards outlined in Policy Directives PD2014_004 (Incident Management Policy) have been implemented specific to Security Incidents.

There is a system in place to meet the requirements of the policy directive to identify, notify, prioritise, investigate, analyse, and action all incidents. Reportable Incidents Briefs are provided to the Ministry of Health as outlined in the policy. There is evidence that security incidents have been reported, investigations undertaken and control measures identified and implemented.

Not Compliant

Reference Material for this section includes: PD2014_004 Incident Management Policy

Appendix 3 – Security Improvement Audit Tool Summary Report

Security Improvement Audit Tool Summary Report

NSW Health Agency:

Facility:

Address:

Details of Staff Undertaking Audit:

Name: Title:

Tel:

Principal Facility Contacts:

Name: Title:

Tel:

Areas Inspected During Audit:

Outline of areas audited

Start date of Audit

Number of days

The Aim of the Security Improvement Audit

The focus of the audit is to assess compliance with a range of requirements set out in the Protecting People and Property Security Manual. The aim of the audit tool is to provide a consistent and effective approach for information gathering on which an Agency can act in order to comply with its obligations as set out in the security manual and this policy and improve its performance by:

1. Identifying the existence and assessing the quality of compliance to this policy and security manual.
2. Assessing the extent to which this policy and security manual has been implemented and applied in the NSW Health Agency’s facilities.
3. Assessing the awareness of workers in the systems and procedures implemented by the NSW Health Agency to comply with the security manual and policy.

For the purpose of the WHS Act, each Agency should address security risks in accordance with the broader duty to eliminate or minimise risks as is reasonably practicable. Where it is reasonably practicable an Agency should eliminate or minimise a risk, even if not required by the security manual.

Mandatory Requirements

- Ensure the audit scope is appropriate to the size of the organisation and the level of risk for health facilities and services that are to be audited.
- The audit scope is to be completed in the two-year audit cycle.
- The audits are to be conducted only by staff who have completed the required training and are independent of the activity which they are auditing.
- Report to the Ministry on any audit outcomes that may have significant impact, for example something that has a state-wide implication.

The Risk Rating

Throughout the audit report each criterion has been assessed to verify whether what is being audited is compliant or not yet compliant.

If the assessment by those undertaking the audit is that a criterion is not yet compliant then a pre-determined risk rating will be applied to that criterion. The risk rating will assist the NSW Health Agency in planning and prioritising actions to mitigate the risks and hazards identified.

| Risk Rating | Explanation of rating |
| --- | --- |
| High | High probability of an adverse event occurring with a high consequence of harm to people, plant integrity or the environment. The presence of such an issue requires immediate attention including the implementation of interim control measures where appropriate. |
| Medium | High probability of an adverse event occurring with a low consequence of harm to people, plant integrity or the environment. Low probability of an adverse event occurring with a high consequence of harm to people, plant integrity or the environment. |
| Low | Low probability of an adverse event occurring with a low consequence of harm to people, plant integrity or the environment. |

Overall Performance:

Positive Findings:

Opportunities for Improvement:

Appendix 4 – Results Summary Table

| Results Summary Table | Number of Criteria | Compliant | Not Compliant: High | Not Compliant: Medium | Not Compliant: Low | N/A |
| --- | --- | --- | --- | --- | --- | --- |
| 1 Security Risk Management | 29 | 0 | 28 | 1 | 0 | 0 |
| 2 Security Risk Management Responsibility | 6 | 0 | 4 | 2 | 0 | 0 |
| 3 Security Risk Management in the Planning Process | 3 | 0 | 2 | 1 | 0 | 0 |
| 4 Health Facility Design | 3 | 0 | 3 | 0 | 0 | 0 |
| 5 Health Service Leasing of Property to or from External Parties | 3 | 0 | 0 | 3 | 0 | 0 |
| 6 Security Arrangements for Patients in Custody | 5 | 0 | 5 | 0 | 0 | 0 |
| 7 Security Education and Training | 6 | 0 | 5 | 1 | 0 | 0 |
| 8 Ongoing Review and Continuous Improvement of Security Risk Management | 2 | 0 | 1 | 1 | 0 | 0 |
| 9 Access and Egress Control | 8 | 0 | 5 | 1 | 2 | 0 |
| 10 Key Control | 4 | 0 | 3 | 1 | 0 | 0 |
| 11 Alarm Systems | 12 | 0 | 11 | 1 | 0 | 0 |
| 12 Lighting | 5 | 0 | 3 | 2 | 0 | 0 |
| 13 Workplace Camera Surveillance | 8 | 0 | 5 | 3 | 0 | 0 |
| 14 Role of Security Staff in NSW Health | 20 | 0 | 19 | 1 | 0 | 0 |
| 15A Security in the Clinical Environment - Part A Emergency Departments | 16 | 0 | 15 | 1 | 0 | 0 |
| 15B Security in the Clinical Environment - Part B Other Clinical Areas | 12 | 0 | 10 | 2 | 0 | 0 |
| 16 Working in the Community | 12 | 0 | 2 | 0 | 0 | 0 |
| 17 Security in Rural and Remote Health Services | 3 | 0 | 3 | 0 | 0 | 0 |
| 18 Security in Pharmacies | 4 | 0 | 4 | 0 | 0 | 0 |
| 19 Security in Car Parks | 4 | 0 | 4 | 0 | 0 | 0 |
| 20 Security of Property | 13 | 0 | 2 | 11 | 0 | 0 |
| 21 Security of Information | 7 | 0 | 4 | 3 | 0 | 0 |
| 22 Security of Medical Gases | 7 | 0 | 7 | 0 | 0 | 0 |
| 23 Security of Radioactive Substances | 10 | 0 | 9 | 1 | 0 | 0 |
| 24 Fire Evacuation and Other Emergencies | 4 | 0 | 4 | 0 | 0 | 0 |
| 25 Bomb Threat/Terrorist Threat | 7 | 0 | 7 | 0 | 0 | 0 |
| 26 Violence | 5 | 0 | 5 | 0 | 0 | 0 |
| 27 Armed Hold-up | 4 | 0 | 4 | 0 | 0 | 0 |
| 28 Use of Weapons by Security Staff | 1 | 0 | 1 | 0 | 0 | 0 |
| 29 Code Black Arrangements | 5 | 0 | 5 | 0 | 0 | 0 |
| 30 Effective Incident Management | 1 | 0 | 1 | 0 | 0 | 0 |
| Total Elements Assessed (less N/A criteria) | 220 | 0 | 170 | 36 | 2 | 0 |