Introduction
The primary role of the organisation is to provide healthcare and to secure the best possible outcomes for patients. In doing so, the organisation will seek to uphold the NHS Constitution. This policy is important because it will help the people who work for the organisation to understand how to look after the information they need to do their jobs, and to protect this information on behalf of patients.
This policy sets out the intentions of the organisation to manage the information governance agenda within its remit to the standards required by law and regulation, specifically the Data Protection Legislation (the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 and the UK GDPR 2018 as referenced in that Act, identified in this documentation as the Data Protection Legislation). In doing so, it supports high-quality healthcare through accurate, accessible and appropriately governed information.
This document refers to information to encompass the terms information, data and records.
The NHS and the administration of the NHS are dependent on the appropriate use of personal data, and the management of secondary uses of this data and business sensitive data.
The aims of this policy are:
- To maximise the value of organisational assets by ensuring that data is:
  - Held securely and confidentially
  - Obtained fairly and lawfully
  - Recorded accurately and reliably
  - Used effectively and ethically
  - Shared and disclosed appropriately and lawfully
- To protect the organisation’s information assets from all threats, whether internal or external, deliberate or accidental. The organisation will ensure:
  - Information will be protected against unauthorised access
  - Confidentiality of information will be assured
  - Integrity of information will be maintained
  - Information will be supported by the highest quality data
  - Regulatory and legislative requirements will be met
  - Business continuity plans will be produced, maintained and tested
  - Information security training will be available to all staff
  - All breaches of information security, actual or suspected, will be reported and investigated
This policy is part of the collection of policies related to information governance which sets out the expected standards and controls around the use of information. The policies are:
- Information Governance
- Information Quality
- Confidentiality Policy
- Information Management
- Information Security
The concepts and standards within these policies are interrelated. Obligations and intentions are considered across the suite of policies. The policies sit under an overarching Information Governance Framework which sets out roles and responsibilities and information governance related work plans.
Scope
This policy applies to:
- All information and data held and processed by the organisation which must be managed and held within a controlled environment, including the personal data of patients and staff, as well as corporate information. It applies to information, regardless of format, and includes legacy data held by the organisation
- All permanent, contract or temporary staff of the organisation and any third parties who have access to the premises, systems or information. Any reference to staff within this document also refers to those working on behalf of the organisation on a temporary, contractual or voluntary basis
- Information systems, data sets, computer systems, networks, software and information created, held or processed on these systems, together with printed outputs from these systems
- All means of communicating information, both within and outside the organisation in both paper and electronic format, including data and voice transmissions, emails, post, fax, voice and video conferencing
Purpose
Information governance ensures processes, confidentiality and security controls are in place and sets standards of quality and ethical use of personal data. Corporate records must also be managed appropriately and where possible provided to the public under the appropriate legislation (Freedom of Information Act 2000 and Environmental Information Regulations 2004) to ensure transparency and accountability.
Information forms a key component of the Government’s Information Revolution for the NHS. This reaffirms the NHS intention to ensure effective decision making and to inform and empower patients through the provision of accurate, accessible and coherent information.
All staff are responsible and contribute towards effective and responsible governance of information in line with the organisation’s aims and objectives.
Objectives
The Practice Partners are committed to ensuring that all:
- Information that relates to patients and staff is processed, protected and disclosed appropriately to provide improved healthcare and decisions for patients.
- Information related to its functions, activities and decisions must be managed to the appropriate standards.
The right information, in the right format, to the right people at the right time.
The aims for the management of information and associated risk include:
- Effective and efficient management of information for the care of service users and the management of the care service
- Actively advance the management of information to improve the provision of services, information and care of patients
- Engage with partner organisations and where appropriate and lawful share information to support care and the public interest
- Discharge its obligations to disclose information in response to lawful requests with due regard to its duties of confidence by following clear and systematic processes
- Ensure that systems and processes are effective to ensure the confidentiality and security of personal and other sensitive information
- Ensure that all information and data processed, held and managed is of the highest quality in terms of completeness, accuracy, relevance, accessibility and timeliness
- Ensure that all information and data is held in a consistent and systematic manner that ensures its accessibility, accuracy and integrity throughout its lifecycle
- Actively provide information in line with the Freedom of Information Act 2000 and other regulatory or organisational requirements
- Ensure all staff are informed, trained and active in the appropriate management of information
- Ensure that change is undertaken in a structured and systematic manner that ensures information governance issues are dealt with in a timely, proportionate and appropriate way
The use of Information
All information must be created, used and managed in a professional manner, as described in the Information Management Policy. Information must be accessible to the organisation on a long-term basis and must be stored in a systematic and consistent manner.
Access to information systems, such as email, the internet or the network, and to the records of the organisation is provided to staff for business purposes, and these systems and records remain the property of the organisation. All access to, and use of, them must be appropriate and in line with the discharge of duties.
When staff create information, they do so on behalf of the organisation, for example when sending emails, and are accountable for the information they create, for its appropriateness and accessibility.
Use of Personal Data
Personal data can relate to information about patients, service users and members of staff that describes an identifiable person. It does not have to include particular demographic information, such as name and address, but can consist of a combination of factors that would make it possible to identify the person. Patient information is provided to the NHS in the expectation of confidentiality. It is important for staff and working practice to account for this and to ensure that any secondary use of personal confidential data, for non-care purposes, is done in accordance with legal and organisational requirements.
The organisation publishes privacy notices on its website, which detail what personal data is held and processed, for what purpose it is used, who it is shared with, and what governs that process.
Use of Information to improve performance
The organisation will actively seek opportunities to improve the performance of the NHS across its patient base by the better use of information and data. This includes use of anonymised or de-identified patient data:
- To inform better health care decisions for individuals and the community
- To review processes and functions within the organisation to ensure efficient and effective data processing
- To engage with partner organisations to identify appropriate information sharing which ensures that the patient and public can exercise choice and are kept informed
All new or changed processes must utilise a Data Protection Impact Assessment (DPIA) to ensure that they identify any potential information governance requirements when scoping the business case for any change.
Data Quality
In order to support effective commissioning and efficiency, all systems and standard working practice involved in the processing of information must ensure the accuracy and quality of information.
Data quality as per the Information Quality Policy requires:
- Accessibility – information can be accessed quickly and efficiently through the use of systematic and consistent filing.
- Accuracy – information is accurate, with systems that support this work through guidance.
- Completeness – the relevant information required is identified and working practice ensures it is routinely captured.
- Relevance – information is kept relevant to the issues rather than for convenience with appropriate management and structure.
- Timeliness – information is recorded as close as possible to the point at which it is gathered and can be accessed quickly and efficiently.
Disclosure and Sharing Information
As a public body, the Practice can only share personal confidential data when it is legally permissible.
This includes:
- The common law duty of confidence, which extends after death.
- Data protection legislation.
Any basis for disclosure and sharing needs to be understood and clearly stated before it is undertaken. This decision must demonstrate that the disclosure or sharing is lawful and relevant to the purpose intended. Data sharing in the NHS is also governed by the Caldicott Principles, which support the legal framework.
Disclosure or sharing of personal confidential data requires one of the following conditions to be met:
- The informed and valid consent of the individual, balanced against any duty of care and consideration of capability to provide that consent;
- Disclosure is in the public interest, which must demonstrate consideration of the balance of public interest against the individual and provision of a confidential service; or
- Disclosure is in accordance with the law.
All routine sharing of information must be supported by a clear statement that can be made available to the public or patients. Privacy Notices must detail the type of information being shared, who it is being shared with, and for what purpose and benefit.
Public rights of disclosure
All staff are reminded that there are several pieces of legislation that require information to be released: to the public (Freedom of Information Act 2000, Environmental Information Regulations 2004), to the subject of personal data (Data Protection Legislation), or to those with a claim to the estate of the deceased or another lawful right (Access to Health Records Act 1990).
The Freedom of Information Act 2000 and the Environmental Information Regulations 2004 apply to information in all formats; this includes emails, voice recordings and images.
To meet this responsibility, all staff are responsible for ensuring that the contents of records are:
- Accessible – ensuring that they can be found within a systematic and consistent filing structure.
- Appropriate and relevant – this includes a professional and appropriate
- Integrity and completeness – so that they can be used on an ongoing basis.
- Confidential – appropriately safeguarded to ensure confidentiality, with a clear statement of who was provided access to the information.
- Identified – systems and staff should ensure that personal identifiable, sensitive, confidential and corporate information is clearly stored and marked as such.
Details of the policy on active disclosure and compliance with the Freedom of Information Act are outlined in the organisation’s Freedom of Information Policy and associated protocols and procedures.
Transferring of information
All transfers of information within and outside the organisation must be managed, comply with the information security requirements, and follow a clear process. All teams must have a clear statement of their inward and outward flows of personal data and personal confidential data.
This process must identify:
- The appropriate method, and inherent risks, of the transfer;
- The contact point and details to which the information is routinely transferred. All contact points should identify a team and position, rather than an individual, to which the information is being transferred; and
- How the transfer is confirmed and completed.
In addition, where the transfer of information involves personal or identifiable data, the process must identify:
- The purpose and justification for transferring the information; and
- The security standards of the method of transfer.
It is expected that most transfers of information will be routine and follow an identified process.
Safe Havens
In order to support the appropriate transferring of personal confidential data, the organisation will identify appropriate safe haven locations. Safe havens meet the requirements of the Data Protection Legislation, The NHS Code of Practice: Confidentiality and the NHS Care Record Guarantee. Safe havens have arrangements and procedures in place to ensure personal identifiable or sensitive information can be held, received and communicated securely.
Where safe haven locations are not available to staff, the relevant safe haven procedure for the method of transmission should be applied. Safe haven locations and procedures will be posted on the intranet. The Practice does not support the use of physical fax machines and has an appropriate electronic solution in place where a fax is required to be sent. Staff must make every effort to encourage those they communicate with to use secure email and/or software with secure and controlled access to communicate sensitive information.
Information Security
The purpose of information security is to ensure business continuity in order to minimise the impact of security-related incidents and to ensure the integrity of the information and data processed by the Practice, as described in the Information Security Policy.
Information security enables information to be processed and shared with appropriate safeguards in place. It ensures the protection of information and assets as well as identifying and acting on threats to security.
Information security is both technical and physical. It ranges from the security of networks to the use of appropriate passwords by staff and storage of confidential information in secure environments.
All staff contribute towards the security of information, and the Practice is required to have a clear statement on information security and the risks in place for the assets within its remit.
Information security has three basic components:
- Confidentiality: assuring that sensitive information or data is accessible to only authorised individuals and is not disclosed to unauthorised individuals or the public.
- Integrity: safeguarding the accuracy and completeness of information and software and protecting it from improper modification.
- Availability: ensuring that information, systems, networks and applications as well as paper records are available when required to departments, groups or users that have a valid reason and authority to access them.
- Accountability: users are held responsible for their use of information.
Further information is detailed in the Information Security Policy.
Monitoring and compliance
This policy and the associated controls, protocols and procedures will be monitored through the risk management system for the organisation. The information governance risk register will be reviewed on a regular basis and additionally in response to any information incident or enforcement action by the Information Commissioner’s Office. Information risk management is a key component of wider assurance and control in setting the priorities for the information governance work plan.
The Practice will be required to routinely review the risks and information flows associated with the information assets utilised to fulfil the business functions and activities within its remit.
Non-Compliance
Failure to comply with the standards and appropriate governance of information as detailed in this policy and its supporting protocols and procedures may result in disciplinary action. All staff are reminded that this policy covers several aspects of legal compliance for which they are responsible as individuals. Failure to maintain these standards can result in criminal proceedings against the individual.
Review
This policy will be reviewed every three years, or earlier where legal or national policy changes require it, until it is rescinded or superseded.
The audience of this document should be aware that a physical copy may not be the latest version. The latest version, which supersedes all previous versions, is available in the policy register for the organisation. Those to whom this policy applies are responsible for familiarising themselves periodically with the latest version and for complying with policy requirements at all times.
Implementation and dissemination
The updated policy, once approved by the Practice, will be shared with all staff via email and other staff briefings and will be updated on the intranet.
Awareness of the policy will be checked through a staff survey and spot checks on at least an annual basis.