Information Governance Policy
Document Description
Document Type: Protocol
Service Application: General practice
Version: 1.0
Ratification date:
Target Group: All Staff
Review date: March 2019
Relevant guidance:
Lead Author(s)
Name / Position within the practice
Paul Couldrey / Data Protection Officer
Discrimination
- Gender: This policy will be applied equally regardless of the gender of the patient
- Race: This policy will be applied equally regardless of the race of the patient
- Disability: This policy will be applied equally regardless of whether or not the patient has a disability
- Sexual Orientation: This policy will be applied equally regardless of the sexual orientation of the patient
- Age: This policy will be applied equally regardless of the age of the patient
- Religion/Belief: This policy will be applied equally regardless of the religion/belief of the patient
- Human Rights: This policy will not impact on anyone’s human rights
Summary Sheet
The purpose of this policy is to provide the Friendly Family Surgery staff with a framework in regards to information governance.
The policy has been developed and reviewed in line with developments within the information governance agenda, pseudonymisation and the information governance toolkit.
Legislation
- Data protection act 2018
- General data protection regulation 2016
- Human rights act 1998
- Freedom of information 2000
- Access to health records act 1990 (where not superseded by the data protection act)
- Computer misuse act 1990
- Copyright, designs and patents act 1988 (as amended by the copyright computer programs regulations 1992)
- Crime and disorder act 1998
- Electronic communications act 2000
- Regulation of investigatory powers act 2000
- Common law duty of confidentiality
- National health service act 1977
The policy provides a balance between openness and confidentiality in the management and use of information. It sets the standard to which information must be handled in order to meet the practice's legal obligations. The policy regards all personal identifiable information relating to patients and staff as confidential, except where national policy on accountability and openness requires otherwise.
This policy will be reviewed annually by the practice's information governance lead in line with the NHS Digital data security and protection toolkit and any new guidance or changes in procedure.
Distribution
This policy will be available for all staff to view on the practice’s Intranet. Managers of staff without direct access to the practice’s Intranet must provide access to an up to date paper copy of the policy.
Introduction
Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.
It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability provide a robust governance framework for information management.
Information governance is the framework within which information must be handled in accordance with legal and ethical standards. This policy sets out how that framework is achieved within the practice.
Purpose of the Policy
To ensure the practice meets its responsibility for the legal and ethical management of its information assets and resources, and complies with the information governance toolkit, NHS and other professional codes of conduct relating to confidentiality and consent, and guidance from the information commissioner.
Policy Aim
The aim of this policy is to provide the employees of the practice with a simple framework through which the elements of information governance will be met.
The practice aims to achieve a standard of excellence of Information governance by ensuring that information is dealt with legally, securely and effectively in the course of the practice business in order to deliver high quality patient care.
Scope
This policy covers all staff employed by the practice, private contractors, volunteers and temporary staff.
The scope is:
- All information recorded, disclosed and used by the practice.
- All information systems managed by the practice
- Any individuals using information “owned” by the practice
- Any individuals requiring access to information “owned” by the practice
Policy Principles
The practice recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The practice fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, personal information about patients and staff and commercially sensitive information. The practice also recognises the need to share patients' information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
The practice believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians, managers and staff to ensure and promote the quality of information and to actively use information in decision making processes.
There are 4 key interlinked strands to the information governance policy:
- Openness
- Legal compliance
- Information security
- Quality assurance
Openness
Information will be defined as, and where appropriate kept, confidential, in line with the principles of information governance and the provisions of the general data protection regulation 2016 and the data protection act 2018.
Non-confidential information and services will be available to the public through a variety of means including the practice’s internet based publication schemes under the freedom of information act 2000.
The practice must ensure compliance with the freedom of information act 2000 and will favour the disclosure of requested information.
Patients will have access to information relating to their own health care, options for treatment and their rights as patients. Any request for access to personal information by a patient or the patient's representative must be processed in line with the practice's subject access request procedures. The practice must ensure compliance with the GDPR 2016, the data protection act 2018, the freedom of information act 2000 and the access to health records act 1990 (in relation to deceased patients' records).
The practice will have clear procedures and arrangements for liaison with the press and broadcasting media.
Integrity of information will be developed, monitored and maintained to ensure that it is appropriate for the purposes intended.
Availability of information for operational purposes will be maintained and within set parameters relating to its importance via appropriate procedures and computer system resilience.
Compliance with the legal and regulatory framework will be achieved, monitored and maintained through the information governance toolkit and associated procedures.
The practice will establish and maintain policies and procedures to ensure compliance with the data protection act 2018, the human rights act 1998, the common law duty of confidentiality, the freedom of information act 2000 and all forthcoming related legislation.
Legal Compliance
The practice will regard all personal confidential information relating to patients and staff as confidential, except where national policy on accountability and openness requires otherwise.
The practice will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking into account relevant legislation (e.g. health and social care act, crime and disorder act, protection of children act).
The practice will undertake annual assessments and audits of its compliance with legal requirements.
The practice will establish and maintain policies to ensure compliance with the data protection law, human rights act and the common law duty of confidentiality.
Information Security
The practice will establish and maintain procedures for the effective and secure management of its information assets and resources.
The practice will undertake annual assessments and audits of its information and IT security arrangements.
The practice will promote effective confidentiality and security practice to its staff through policies, procedures and training.
The practice must maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.
Information Quality Assurance
The practice will establish and maintain procedures for information quality assurance and the effective management of records.
The practice will undertake annual assessments and audits of its information quality and records management arrangements.
Wherever possible information quality should be assured at the point of collection.
Data standards will be set through clear and consistent definition of data items in accordance with national standards.
The practice will promote information quality and effective records management through a range of policies, procedures/user manuals and training.
Management of information governance
The management of information governance across the practice will be co-ordinated by the information governance lead.
The data security and protection toolkit
The DS&P toolkit covers all aspects of legal compliance and encompasses the following initiatives:
- Information governance management
- Confidentiality and data protection assurance
- Information security assurance
In order to successfully implement this programme it has been recognised that robust information governance arrangements are required. Information governance covers the information component of both clinical governance and corporate governance and provides a framework for handling information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service.
It looks at the systems staff and managers can access, the access rights they hold, and the way in which information is shared.
The implementation of the IG policy and the DS&P toolkit will ensure that information is more effectively managed within the practice.
The year on year improvement plans derived from the practice's DS&P toolkit scores will show improvement and/or maintenance of the high standards reached.
The practice will uphold the care record guarantee and ensure compliance with the NHS 10 commitments.
Responsibilities
Organisational responsibilities
All information recorded and subsequently used or handled by NHS staff is subject to consent from the individual to whom the data relates. The practice ensures that all staff members are clear about their legal and ethical responsibilities relating to data recording and usage, and ensures and supports appropriate education and training.
The practice must ensure that legal and ethical requirements relating to information are met.
The practice must make arrangements to meet the performance-assessed requirements of the data security and protection toolkit (formerly the Connecting for Health IG toolkit), which ultimately feeds into other external assessments, e.g. by the care quality commission.
Responsibilities of staff
Recorders and users of information must:
- Be aware of their responsibilities
- Complete information governance training annually
- Comply with policies and procedures issued by the practice
- Report all information governance incidents
- Work within the principles outlined in the information governance toolkit, relevant NHS codes and guidelines produced by, for example, the information commissioner.
Training
Fundamental to the success of delivering the IG policy is developing an IG culture within the practice. Awareness and training must be provided on an ongoing basis to all staff to promote this culture.
All new staff must receive training as part of the practice’s induction on data protection, confidentiality, security, freedom of information and records management.
Information governance training is mandatory for staff and can be completed via the on-line training modules or within a face to face training session provided by PCIG consulting limited where particular needs have been identified. Training is required annually for all staff which ensures they are kept up to date with any changes.
Practice awareness sessions and campaigns are also planned.
References
Legal and regulatory framework
The practice is bound by the provisions of a number of items of legislation and regulation affecting the stewardship and control of information. The main relevant legislation and regulations are:
- Data protection act 2018
- General data protection regulation 2016
- Human rights act 1998
- Access to health records act 1990
- Computer misuse act 1990
- Copyright, designs and patents act 1988
- Copyright (computer programs) regulations 1992
- Crime and disorder act 1998
- Electronic communications act 2000
- Environmental information regulations 2004
- Freedom of information act 2000
- Health and Social Care Act
- Regulation of investigatory powers act 2000 (and lawful business practice regulations)
- Public interest disclosure act 1998
- NHS trusts and primary care trusts (sexually transmitted diseases) directions 2000
- Human fertilisation and embryology act 1990
- Abortion regulations 1991
- Public records act 1958
- Regulations under the health and safety at work act 1974
- Re-use of public sector information regulations 2005
This list is not exhaustive.
Regulatory framework
In relation to many of the above, the NHS has set out and mandated a number of elements of regulation that constitute "information governance" through a national programme. This area is developing rapidly and this section will need regular review.
The regulatory elements are:
- DS&P toolkit, which requires practices to assess their progress against set criteria
- Caldicott: the 1997 report on the audit and improvement of the use of patient-identifiable data, and HSC 1999/012
- Standards for information security management
- Information quality assurance
- NHS confidentiality-code of practice (2003)
- NHS guidance on consent to treatment
- Records management-NHS code of practice
- Care quality commission regulations
- Information commissioner
- Caldicott principles
Ethical framework
The right to expect privacy ethically entitles a patient to the exercise of control over the content, uses of and disclosures of information about them as an individual. Respect for that privacy by staff is essential for maintaining patient trust in, and integrity of, the relationship between staff and patient. The department of health provides basic principles that underpin ethical frameworks and which form part of staff work practices in implementing this policy.
Staff should:
- Protect – look after patient’s information
- Inform – ensure patients are aware of how their information is used; there should be no surprises
- Provide choice – allow patients to decide whether their information can be disclosed and used in particular ways
- Improve practice – by always looking for better ways to protect, inform and provide choice.
So that the public/patient will:
- Understand the reasons for recording and processing information
- Give their consent for the disclosure and use of their personal information
- Gain trust in the way the NHS handles information
- Understand their rights to access information held about them
The Caldicott principles, applying to the disclosing of patient-identifiable information, are:
- Justify the purpose(s) of every proposed use or transfer
- Don’t use it unless it is absolutely necessary
- Use the minimum amount of patient identifiable data necessary
- Access to it should be on a strict need-to-know basis
- Everyone with access to it should be aware of their responsibilities
- Understand and comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality
Information commissioner
The information commissioner has specific responsibilities under the GDPR 2016. This regulation provides a framework to ensure that personal information is handled properly. The regulation works in two ways.
Firstly, it states that anyone who processes personal information must comply with 6 principles, which make sure that personal information is:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Secondly, the regulation provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
Additionally, all staff should be familiar with their own professional codes relating to the ethical aspects of information governance (e.g. respect for patient privacy and dignity).
Monitoring compliance
Staff are expected to comply with the requirements set out in the information governance policy and related policies. Compliance will be monitored through reports from the practice IG lead on spot checks, completion of staff questionnaires, incidents reported, electronic audit trails and the practice's submission of the information governance toolkit.
Non-adherence to the information governance policy and related policies will be dealt with under the practice's disciplinary policy.