Introduction
As defined on our homepage, IG is an organisational strategy for managing data and information. This strategy allows us to ensure that we’re safely managing all the relevant data we hold (be it patient data, employee data or any other personal data we might hold).
This page gives an overview of our principles and the (multifaceted) approach we take to ensure that we’re doing the right things with the data we hold and to help us comply with all the relevant laws/regulations that might apply.
This will be the basis upon which IG will be implemented throughout Penrose Health.
Why we care about IG
Information Governance is vitally important to us for a number of reasons.
- First and foremost, it is a basic right for people to have information about them treated fairly and with respect. You wouldn’t want someone abusing information about you and equally we should be respectful with the data we hold about others.
- As well as treating data respectfully, it’s also an intrinsic right for people to have control over any data we hold about them. Again, if someone was holding information about you, you’d want the right to be able to ask them to change it or delete it.
- If we treat the data we hold correctly, we build trust between the people we serve (both patients and employees) and the organisation as a whole. Trust is a foundational part of our relationships with each other, enabling us to serve our patients and to work together as a team.
- It’s also the law! A number of laws and regulations apply to us as an organisation and legally enforce our responsibilities around information governance. Although these can be confusing and sometimes change, not everyone has to read them or stay up to date with all of them. Our IG strategy takes into account all the relevant laws, requirements and principles, as set out below.
Our core principles around IG
The principles below underpin our IG strategy and inform how we build out all of the policies, procedures and processes upon which we rely.
- We acknowledge and respect the rights of anyone whose data we hold. These rights include understanding what data we hold and being able to modify or remove that data.
- We aim always to follow all the relevant laws, requirements, standards and principles, and we ensure that staff are trained appropriately to make the right decisions around data.
- We take a privacy by design and by default approach - this means that everything we do is done with privacy in mind, and we start all work from a privacy-centred position.
- We use a risk-based methodology for any IG decision making and delivery - we aim to ensure the benefits of any data processing are greater than the risks that might be posed.
How we maintain robust IG
In order to maintain these principles and ensure we can follow through with our commitment to strong IG, we maintain a multipronged approach:
As well as reviewing / updating this content regularly, the IG Homepage is made available to all staff at all times via our Company Handbook and the Penrose Portal.
Keeping on top of IG
Although we feel the above strategies are a robust approach to IG, the business and all the requirements around us do change regularly.
To keep up with these changes, our Key People monitor and update the contents of the IG Homepage as and when required. However, to give IG some dedicated space and to make sure all relevant changes are made, we also carry out a set of tasks on an annual basis. This annual review ensures continued compliance and best practice.
Our annual IG reviews include:
- Review of the Information Asset Register and information flows for accuracy and completeness
- Audit of staff training records, and a survey of staff on their understanding of IG
- Audit / spot check of Information Governance across the organisation using a checklist
- Review of incident reports and their action plans
- Statement of assurance from Information Asset Owners (IAOs) to the Accountable Officer
- Review of information risks across the organisation and of any Data Protection Impact Assessments (DPIAs) completed
- Overarching review of governance, the IG framework, policies, laws and the workplan
To see when any of this content was last updated and what changes were made, you can view the full history using the clock icon in the top corner of the page. If you don’t have access to this, please contact the SIRO (Senior Information Risk Owner).
You haven’t mentioned the DSPT yet?!
Correct! This is because although the DSPT (Data Security and Protection Toolkit) is important, it’s more of a framework/toolkit to help organisations assess and demonstrate their compliance with the principles of IG. Specifically, the DSPT measures performance against the National Data Guardian’s 10 data security standards.
Whilst the DSPT can help guide us / show us where we might be missing things, we should have an overarching IG strategy in place first and only then should we use the DSPT to see if we’re doing the right things!
Other frameworks such as Cyber Essentials (a baseline set of technical security controls) and ISO/IEC 27001 (a standard for an information security management system) play a similar role: they help organisations measure and demonstrate how well they protect information. Like the DSPT, they are tools for checking that an IG strategy is working, not a substitute for having one.