Information Governance Policy


NHS Dorset Clinical Commissioning Group
Information Governance Policy
16 December 2015
Supporting people in Dorset to lead healthier lives

PREFACE

This policy sets out best practice guidance for all staff in managing information securely, legally and ethically. All managers and staff (at all levels) are responsible for ensuring that they are viewing and working to the current version of this procedural document. If this document is printed in hard copy or saved to another location, it must be checked that the version number in use matches that of the live version on the CCG intranet.

All CCG procedural documents are published on the staff intranet and communication is circulated to all staff when new procedural documents or changes to existing procedural documents are released. Managers are encouraged to use team briefings to aid staff awareness of new and updated procedural documents. All staff are responsible for implementing procedural documents as part of their normal responsibilities, and are responsible for ensuring they maintain an up to date awareness of procedural documents.

A SUMMARY POINTS
Policy and best practice guidance for managing information ethically, securely and legally.

B ASSOCIATED DOCUMENTS
- Procedure for the Management of Adverse Incidents
- Procedure for the Management of Serious Incidents
- Remote Access and Homeworking Policy
- IT Security Policy
- Network Security Policy
- Confidentiality: Staff Code of Conduct
- Freedom of Information Policy

C DOCUMENT DETAILS
Procedural Document Number: 91
Author: Joyce Green / Helen Williams
Job Title: Head of IG and Customer Care / IG and Customer Care Manager
Directorate: Quality
Recommending committee or group: Information Governance Group
Approving committee or group: Information Governance Group
Date of recommendation (v1): 16 December 2015
Date of approval (v1): 16 December 2015
Version: 1.3
Sponsor:
Recommendation date: 16 December 2015
Approval date: 16 December 2015
Review frequency: Annually
Review date: December 2016

D CONSULTATION PROCESS
Version No: 1.3
Review Date: December 2016
Author and Job Title: Joyce Green, Head of IG and Customer Care; Helen Williams, IG and Customer Care Manager
Level of Consultation: Information Governance Group

E VERSION CONTROL
Date of issue: December
Date of next review: December 2016
Nature of change: Amalgamation of a series of policies
Approval committee/group: Information Governance Group

F SUPPORTING DOCUMENTS/EVIDENCE BASED REFERENCES
- Information Governance Review
- NHS Code of Practice: Records Management
- NHS Code of Practice: Information Security Management (updated)
- NHS Code of Practice: Confidentiality
- HSG(96)18 The Protection and Use of Patient Information
- HSC 1999/012 Caldicott Guardians
- HSC 2002/003 Implementing the Caldicott Standard into Social Care
- The Caldicott Principles
- The Caldicott 2 Review
- Data Protection Act
- Human Rights Act
- Access to Medical Reports Act
- Freedom of Information Act
- Department of Health Guidance for Access to Health Records Requests
- Common Law Duty of Confidentiality
- Electronic Communications Act
- Computer Misuse Act
- Civil Contingencies Act
- Health and Social Care Act
- Protocol for Information Sharing between Health and Social Care Agencies (updated)

- National Archives Guidelines on Developing a Policy for Managing Public Records Act
- NHS Constitution
- HSCIC Guide to Confidentiality in Health and Social Care: Treating Confidential Information with Respect
- HSCIC Code of Practice on Confidential Information

G DISTRIBUTION LIST
Internal: CCG Intranet
External: CCG Internet Website; Communications Bulletin; External stakeholders

CONTENTS
1 Relevant to (p. 1)
2 Introduction (p. 1)
3 Scope (p. 2)
4 Purpose (p. 2)
5 Definitions (p. 2)
6 Roles and responsibilities (p. 2)
7 Supporting roles (p. 4)
8 Key governance bodies (p. 8)
9 Supporting policies and procedures (p. 9)
10 Information governance management framework (p. 9)
11 Commissioning of services
12 Information security assurance framework
13 Forensic readiness
14 Bring your own devices (BYOD)
15 Incident management
16 Data protection
17 Privacy impact assessments
18 Legal compliance
19 Openness
20 Records management
21 Information quality assurance
22 NHS constitution
23 Information and cyber security
24 Strategy
25 Training
26 Consultation
27 Recommendation and approval process
28 Communication/dissemination
29 Implementation
30 Monitoring compliance and effectiveness of the document
31 Document review frequency and version control (p. 27)

APPENDICES
A Glossary (p. 28)
B Key Contacts (p. 31)
C Information Governance Group Terms of Reference (p. 32)
D Key Supporting Policies and Procedures (p. 36)
E Information Governance Training Plan and Training Needs Analysis (p. 37)
F Procedure for Carrying Out Confidentiality Audits and Confidentiality Audit Template Form
G Procedure for Carrying out Privacy Impact Assessments and Privacy Impact Assessment Template Form
H Guidance on Information Governance Forensic Readiness (p. 54)
H.1 Procedure for Information Governance Forensic Readiness (p. 56)
I Guidance on the Introduction of Bring Your Own Device (p. 61)
J Guidance on Managing Subject Access Requests and Associated Charges
J.1 Procedure for Managing Subject Access Requests (p. 78)
K Guidance on the Management of Records (p. 80)
K.1 Procedure for the Management of Records (p. 87)
L Guidance on Data Quality (p. 90)
M Guidance on Passwords (p. 93)
N Guidance on the Transmission of Information by Email (p. 97)
N.1 Guidance on Writing Business Emails (p. 101)
N.2 Guidance on the Encryption of Emails (p. 104)
O Guidance on the Transmission of Information by Facsimile (p. 108)
P Guidance on the Transmission of Information by Post (p. 110)
Q Guidance on the Communication of Information by Telephone (p. 112)
R Guidance on Pseudonymisation (p. 113)
S Guidance on Safe Havens (p. 118)
T Guidance on Smartcards

1. RELEVANT TO

1.1 This policy and its associated strategy, framework, guidance and procedures apply to all staff within the CCG, whether operating directly or providing services under a service level agreement or joint agreement. The policy is relevant to all staff including contracted employees, non-executive directors and contracted third parties such as bank, agency, volunteers, locums, student placements, staff on secondment, researchers, visiting professionals and suppliers.

2. INTRODUCTION

2.1 Effective Information Governance (IG) requires clear management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit (IGT) as the organisation's IG Management Framework.

2.2 The IG Framework must be documented, approved at the most appropriate senior management level in the organisation and reviewed annually. This policy sets out the IG Framework for the NHS Dorset Clinical Commissioning Group (CCG).

2.3 IG is primarily based upon the Data Protection Act 1998 (DPA), which is the main piece of legislation in relation to the security and confidentiality of personal and sensitive information.

2.4 Other legislation that protects confidential information is:
- Article 8 of the Human Rights Act: "Everyone has the right to respect for his private and family life, his home and his correspondence";
- The Common Law Duty of Confidentiality: a duty of confidence arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence.

2.5 The CCG fully supports the principles of IG and recognises its public accountability, but equally places importance on the confidentiality of personal information, on the security arrangements in place to safeguard that information, and on any commercially sensitive information.

2.6 The CCG also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

3. SCOPE

3.1 This policy covers all aspects of information within the CCG including, but not limited to:
- patient information;
- workforce information;
- organisational information;
- information from a third party, held or processed by the CCG.

4. PURPOSE

4.1 The purpose of this document is to set out the process, governance arrangements, strategy and policy framework for the delivery of safe and effective IG within the CCG and for any services commissioned by the CCG.

4.2 It is a requirement of the IGT that the CCG has an Overarching IG Policy in place which sets out the IG Management Framework for delivery of the IG toolkit requirements.

4.3 This policy and associated documentation set out how the CCG will achieve these requirements.

5. DEFINITIONS

5.1 This document contains the IG Policy and associated strategy, governance framework, guidance and procedures for the NHS Dorset Clinical Commissioning Group.

5.2 A list of definitions, terms and abbreviations used in this document can be found within the glossary at Appendix A.

6. ROLES AND RESPONSIBILITIES

Governing Body

6.1 It is the role of the Governing Body to define the CCG policy in respect of IG, taking into account legal and NHS requirements. The CCG Governing Body is also responsible for ensuring that sufficient resources are provided to support the requirements of this policy.

6.2 The CCG Governing Body, whilst retaining its legal responsibilities, has delegated IG compliance to the nominated Caldicott Guardian, Senior Information Risk Owner (SIRO), Data Protection Officer and the Information Governance Group (IGG).

Chief Officer

6.3 The Chief Officer is the named officer with responsibility for ensuring that the CCG complies with its statutory obligations and Department of Health directives for IG. The Chief Officer is required to provide assurance through the Statement of Internal Control (SIC) annually that all risks relating to information are effectively managed. The Chief Officer also ensures that the roles of SIRO and Caldicott Guardian are assigned and supported.

6.4 The Chief Officer will ensure that the CCG has access to specialist advice regarding the requirements of relevant legislation.

6.5 Responsibility for implementation of IG, data protection, data quality, records management and information security has been delegated to the Head of IG and Customer Care.

Senior Information Risk Owner (SIRO)

6.6 The Governing Body Secretary and Legal Counsel is the SIRO for the CCG, who attends all Governing Body meetings and ensures ownership of the organisation's information risk policy, including providing advice and assurance to the CCG Governing Body on information risk issues. The SIRO also provides written advice to the Chief Officer in relation to information risk on the Governance Statement.

6.7 The SIRO is responsible for ensuring that organisational information risk is properly identified and managed, and that appropriate assurance mechanisms exist.

6.8 The SIRO is responsible for providing leadership and guidance to the CCG's Information Asset Owners and ensuring that the CCG's Information Asset Register is maintained. The SIRO is supported by the Head of Information Governance and Customer Care, the IG team, the Information Security Manager and the Caldicott Guardian.

6.9 A key part of the role involves assisting with the development of the Information Asset Register and associated documentation such as system level security documentation, forensic readiness and access control procedures. This includes assisting in the development of business continuity management arrangements for the key information assets.

Caldicott Guardian

6.10 The Director of Nursing and Quality is the CCG Caldicott Guardian and is responsible for acting as the "conscience of the organisation".

6.11 The Caldicott Guardian ensures that the CCG and partner organisations protect the confidentiality of patient level information, and is responsible for advising the CCG and the Governing Body on confidentiality issues. This also includes establishing and maintaining procedures governing access to and the use of person confidential data held or processed within the CCG systems, and the transfer of such data from the CCG to and from other bodies.

6.12 The Caldicott Guardian for the CCG is supported by the Head of IG and Customer Care, the IG team, the Information Security Manager, the SIRO and the IGG members, who all form part of the broader Caldicott Function.

6.13 The Caldicott Guardian works with the IG team to ensure the requirements of the IG Review and the Government response are implemented as required.

Caldicott Function

6.14 The IGT suggests that in all but the smallest of organisations, the Caldicott Guardian should work as part of a broader Caldicott Function, with support staff such as the SIRO, Information Security Manager, IG leads and IGG members contributing to the work as required. The key responsibilities of the Caldicott Function are to:
- support the Caldicott Guardian;
- ensure the confidentiality and data protection work programme is successfully co-ordinated and implemented;
- ensure compliance with the principles contained within the Confidentiality: NHS Code of Practice, and that staff are made aware of individual responsibilities (and changes to the Caldicott principles) through policy, procedure and training;
- complete the Confidentiality and Data Protection Assurance component of the IGT, contributing to the annual assessment;
- audit and monitor access to confidential information;
- provide routine reports to senior management on Confidentiality and Data Protection.

6.15 The Confidentiality Audit Procedure, which forms part of the role of the Caldicott Function, can be found at Appendix F.

7. SUPPORTING ROLES

7.1 These senior roles are supported by an expert advice unit who are appropriately trained and receive regularly updated training on legal requirements.

7.2 A list of staff members who hold roles supporting the IG Framework is set out at Appendix B.

Head of Information Governance and Customer Care

7.3 The Head of IG and Customer Care is the Data Protection Officer for the CCG and works in an advisory role, along with the IG team, to provide guidance and specialist advice and support to the CCG on data protection and other IG areas including records management, whilst also leading on audit and improvement plans relating to IG.

7.4 The Head of IG and Customer Care has overall responsibility for co-ordinating the IG work programme and completion of the IGT annual assessment.

7.5 Responsibility for Freedom of Information (FOI), and for ensuring that all FOI processes are in place to comply with the Act, has been delegated to the Head of IG and Customer Care. This includes ensuring the CCG FOI publication scheme is up to date and establishing appropriate arrangements to deal with appeals/investigations into complaints about decisions and response times. Assistance is provided by other members of the team, who also handle FOI requests.

7.6 The Head of IG and Customer Care is responsible for ensuring that all staff are aware of their personal responsibilities for compliance and adhere to organisational policies and procedures. This includes ensuring that training and written procedures are widely disseminated and available to all staff.

Information Security Manager (ISM)

7.7 The IM&T Infrastructure Manager is the ISM for the CCG and is responsible for co-ordinating the information security agenda for the CCG, supported by the Patient Safety and Risk Manager, the Head of IG and Customer Care, the IG team, the SIRO, the Caldicott Guardian and IGG members.

7.8 The ISM is responsible for the CCG Information Security Policy and for ensuring compliance with the information security components of the IGT. This includes providing regular reports to the SIRO and to the IGG.

7.9 The ISM is also responsible for administering the security of the information assets in accordance with ISO/IEC standards.

7.10 The ISM is responsible for co-ordinating the necessary response and resolution activities following a suspected or actual cyber security incident or breach, and for providing advice and guidance.

Information Risk Lead

7.11 The Patient Safety and Risk Manager is responsible for feeding information risks into the organisation wide risk register.

7.12 Further responsibilities are to support the organisation in the risk assessment process, including the programme that considers the security risks to:
- information assets;
- transfers of information identified in the information flow mapping.

Business Continuity Lead

7.13 The Assurance Lead is responsible for ensuring that the organisation has a business continuity strategy and plans in place for all critical information assets identified in the Information Asset Register, and for obtaining approval of the plans from the SIRO.

7.14 Responsibilities also include ensuring the business continuity plans are regularly tested through simulation exercises and the outcomes documented.

Data Quality Lead

7.15 The Head of Performance and Business Intelligence is responsible for ensuring that systems and processes are in place to provide accurate and timely validation of information in relation to commissioned services.

Information Governance Group (IGG) Members

7.16 IGG members provide day to day support to staff within their directorates on all aspects of IG, and represent the directorate at the IG Group. They also develop, support and monitor the work programme to enable the IGT to be completed on an annual basis.

7.17 IGG members assist in the IG audit programme and co-ordinate the reporting of any breaches in information security or compliance with IG policies and procedures.

7.18 Members of the IG Group also:
- advise the Governing Body on issues relating to data protection, confidentiality and IG;
- offer support, advice and guidance to the Caldicott Guardian and SIRO, as part of the Caldicott Function within the CCG.

Information Asset Owners (IAOs)

7.19 IAOs are responsible for ensuring that all information assets are appropriately owned and managed. The IAOs work with all members of staff in their directorates (and across directorates as appropriate) to ensure there is clear ownership and regular review of information assets, and that data flows, and the legal basis for those data flows, are mapped to the information assets.

7.20 The IAOs must ensure that any system and users they are responsible for comply with the current DPA legislation.

7.21 The IAOs are responsible for ensuring that:
- the system is recorded on the Information Asset Register;
- users are set up on the system on a need to know basis in line with access control procedures;
- expert advice is available regarding data protection issues;
- unusual requests for disclosure are scrutinised;
- there is a System Security Procedure which outlines the media, frequency and retention period for back-ups of the data and programs for the systems within their control.

7.22 IAOs support the SIRO in managing the risk associated with all information assets.

7.23 IAOs will ensure that IG forensic readiness planning is adequately considered and documented within the system level security documentation for information assets.

Director of Engagement and Development

7.24 The Director of Engagement and Development is responsible for overseeing all staff requests for access to personal files, with support from the Information Governance team (see Appendix J).

7.25 The Director of Engagement and Development will ensure that appropriate clauses are in staff contracts to ensure that all staff are bound by the requirements of the Data Protection Act.

Managers

7.26 Managers are responsible for ensuring staff are aware of all policies relating to IG.

7.27 The day to day responsibility for enforcing this policy and associated documentation is delegated to Line Managers. Managers will ensure that all staff:
- attend appropriate training;
- know how to deal with requests for person identifiable information.

7.28 Managers are responsible for ensuring Privacy Impact Assessments (PIAs) are completed whenever a service is changed or a new project is started (see guidance at Appendix G).

Staff

7.29 All staff are expected to adhere to this policy and associated documentation. Any breaches of this policy will be investigated in line with the CCG disciplinary procedures.

7.30 All staff are required to attend IG training on an annual basis.

7.31 All CCG employees are responsible for ensuring that all the personal data used and held by the CCG is secured from loss, corruption, damage and disclosure.

7.32 All staff who create, receive and use records have records management responsibilities. Staff:
- are responsible at law for any records they create and use;
- must be aware that any records they create are not their personal property, but belong to the CCG.

8. KEY GOVERNANCE BODIES

Information Governance Group (IGG)

8.1 The CCG has established an Information Governance Group (IGG) comprising representatives from directorates within the CCG, in order to promote a consistent approach to IG. The group is responsible for developing and sharing best practice across the organisation and ensuring that IG standards are included in other work programmes and projects.

8.2 The group co-ordinates the review of the CCG's IG management and accountability arrangements and produces and monitors the annual IG work programme. The CCG recognises that other key staff will be involved in, and contribute to, this work programme.

8.3 The group is responsible for reviewing, approving and monitoring Privacy Impact Assessments to ensure privacy considerations are taken into account when new projects are introduced or changes are made to existing services.

8.4 The group is also responsible for advising the Governing Body on issues relating to data protection, confidentiality and Information Governance.

8.5 Terms of Reference for the group were agreed by the IGG on 16 December 2015 and can be seen at Appendix C. These are reviewed on an annual basis.

8.6 The IGG reports to the Audit and Quality Committee, and responsibility for the approval of related policies and procedures is delegated to the Directors Performance Group on behalf of the CCG Governing Body.

Information Asset Group

8.7 Occasionally, as necessary, an Information Asset Group will meet to monitor the Information Asset work programme.

8.8 The group is responsible for reviewing the CCG Information Asset Register and ensuring that risk assessments, access control procedures, system level security documentation and business continuity arrangements are in place for the information assets.

8.9 The Information Asset Group is a sub-group of the IGG and the Audit and Quality Committee.

Formal Committee to the Governing Body: the Audit and Quality Committee

8.10 In line with CCG standing orders, a formal report on IG is received by the Audit and Quality Committee on a quarterly basis.

8.11 Any policies and procedures agreed by the IGG will be submitted to the Directors Performance Group for approval, before they are noted by the Audit and Quality Committee.

8.12 Any concerns raised by the Audit and Quality Committee will be highlighted to the Governing Body.

9. SUPPORTING POLICIES AND PROCEDURES

9.1 A summary of the CCG's key policies and procedures that support the IG work programme is listed at Appendix D of this document.

9.2 This is a live document and, as new policies and procedures are approved, they will be added to this document.

10. INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

10.1 The IG Management Framework documents how the CCG will manage information about patients and employees, with a particular emphasis on personal and sensitive information.

10.2 The CCG has established an approach to IG that ensures the organisation (from Governing Body level down) has the ability to fully comply with its requirements in terms of data protection and confidentiality. The roles and responsibilities that form part of the IG Management Framework are set out above in sections 6 and 7 of this policy.

10.3 Critically, it is also essential to ensure that the Governing Body and the senior management of the organisation can be assured of continued compliance and, in particular, that changes in performance (both within the CCG and commissioned services) can be monitored and managed.

10.4 The governance arrangements in place to achieve this are set out below:

[Organisational chart: Overarching Approach to Confidentiality and Data Protection Assurance]
- Chief Officer: Ultimate Accountable Officer
- Governing Body, includes Caldicott Guardian and SIRO
- IG, IT and Information Security advisory roles
- Department Heads (Deputy Directors): Information Asset Owners
- Operational Staff, including Information Asset Users and Administrators

11. COMMISSIONING OF SERVICES

11.1 The Service Delivery team and the Quality team are additionally responsible for ensuring that IG arrangements are in place and monitored in all organisations contracted to provide services to the CCG, either under a full contract or through a Service Level Agreement.

11.2 The Contracting and Procurement team are responsible for ensuring that contracts allowing access to the CCG information systems are in place before access is allowed. These contracts must ensure that the staff or subcontractors of the external organisation comply with all appropriate security policies.

11.3 The Service Delivery and Quality teams are responsible for ensuring that provider compliance with IG is reviewed through contract monitoring, and that any new service developments with providers are subject to the completion of a Privacy Impact Assessment (see guidance at Appendix G).

11.4 Formal procedural arrangements are in place to ensure that compliance with the commissioning/contract responsibilities outlined above is maintained and reviewed regularly.

12. INFORMATION SECURITY ASSURANCE FRAMEWORK

12.1 The CCG has established a comprehensive Information Security Assurance Framework in line with IGT requirements, which is formalised within information security policies and operating procedures under the leadership of the SIRO and the ISM, and embedded in the directorate structures of IAOs.

12.2 The relevant responsibilities relating to information security and for maintaining information security are set out below:
- SIRO: ultimately responsible for maintaining compliance with the Information Security Policy;
- Information Security Manager: operational manager lead;
- Head of Information Governance and Customer Care and the Information Governance Team;
- Patient Safety and Risk Manager;
- Business Continuity Lead.

12.3 The information systems, equipment, software and data used by the CCG represent a considerable investment and are valuable assets, essential to the effective and continuing operation of the CCG. Much of the data held by the CCG is of a confidential nature and it is necessary for this information and the information systems to be protected against any events, accidental or malicious, which may put at risk the activities of the CCG or their investment in information.

12.4 The CCG has an Information Asset Register in place which is maintained by the IAOs and regularly updated, ensuring that risks to the information assets are assessed, reviewed and reported to the SIRO. System level security and access control is also managed by the IAOs, along with the mapping of information flows to and from the information assets to ensure information is kept secure.

12.5 The CCG has also established business continuity and disaster recovery plans for all critical information systems and networks.

12.6 All risks associated with any aspect of IG are entered onto the CCG Risk Register and managed locally to reduce them to the lowest possible level.

12.7 Incident reporting procedures are in place and further details of the incident reporting process are provided in Section 15 of this policy.

13. FORENSIC READINESS

13.1 The aim of IG forensics is to provide a systematic, standardised and legal basis for the admissibility of digital evidence that may be required for a formal dispute or legal process.

13.2 In this context, IG forensics may include evidence in the form of log files, emails, back-up data, removable media, portable computers, and network and telephone records, amongst others, that may be collected in advance of an event or dispute occurring.

13.3 IG forensics provide a means to help manage the impact of important business risks. IG evidence can support a legal defence, it can verify and may show that due care was taken in a particular transaction or process, and may be important for internal disciplinary actions.

13.4 When planning for IG forensic readiness, the IAOs will consider:
- the ability to gather digital evidence without interfering with business processes;
- prioritising digital evidence gathering to those processes that may significantly impact the CCG, staff and patients;
- allowing investigations to proceed at a cost in proportion to the incident or event;
- minimising business disruptions to the CCG;
- ensuring digital evidence makes a positive impact on the outcome of any investigation, dispute or legal action.

13.5 Guidance and procedures on the management of forensic readiness within the CCG can be found at Appendices H and H.1.

14. BRING YOUR OWN DEVICE (BYOD)

14.1 BYOD is the use of employee-owned devices for business purposes within an organisation. Smartphones are the most common example, but it also includes tablets, laptops and USB drives.

14.2 The underlying feature of BYOD is that the user owns, maintains and supports the device. This can mean cost and resource efficiencies, as the staff member provides the equipment rather than the organisation purchasing this directly.

14.3 The legal responsibility for protecting personal information lies with the CCG, not the device owner.

14.4 Further guidance on the introduction of BYOD can be found at Appendix I.

15. INCIDENT MANAGEMENT

15.1 The CCG has two sets of procedures in place for the management of all incidents, including information and confidentiality related incidents. These are available on the CCG intranet:
- Procedure for the Management of Adverse Incidents;
- Procedure for the Management of Serious Incidents.

15.2 Staff are encouraged to report all information and confidentiality incidents, whether suspected or actual, so that they can be investigated, appropriate actions taken to address the incident, and lessons learnt so that they do not recur.

15.3 Incidents are reported through the CCG incident reporting system, Ulysses, and the incident reporting procedures are accessible to all staff through the internet, intranet and Primary Web for GP practices. Incident reporting is discussed at IG induction.

15.4 Staff must complete an Adverse Incident Report Form, which is then loaded onto Ulysses. The risks are graded according to the risk matrix set out in the procedure, which includes information security/confidentiality breaches.

15.5 Incident reports are provided to every IGG meeting and discussed by the group.

15.6 If an incident is classed at IG SIRI severity level 2 (i.e. a personal data breach as defined in the Data Protection Act, or a high risk of reputational damage, both of which are reportable to the Department of Health and the Information Commissioner's Office), the ISM will be contacted along with relevant internal staff members.

15.7 From June 2013, all organisations processing health and adult social care personal data are required to use the IGT Incident Reporting Tool to report level 2 IG serious incidents to the Department of Health, the Information Commissioner's Office and other regulators.

15.8 Equally, all externally commissioned services are reviewed at monthly contract performance meetings and quarterly quality meetings, and reviews of IG and serious incidents are part of the standing monthly agenda.

16. DATA PROTECTION

16.1 The Data Protection Act 1998 (DPA) came into force on 1 March 2000 and applies to all person identifiable information about living individuals held in manual files, computer databases, videos and other automated media. This includes personnel and payroll records, medical records, other manual files, microfiche/film, pathology results, x-rays etc.

16.2 The DPA defines eight principles of good practice to follow when obtaining, processing and holding/storing personal data relating to living individuals. These are referred to as the data protection principles.

16.3 The DPA dictates that information should only be disclosed on a need to know basis. Printouts and paper records must be treated carefully and disposed of in a secure manner, and staff must not disclose information outside their line of duty.

16.4 The DPA also requires the CCG to register its data holdings with the Office of the Information Commissioner, identifying the purposes for holding the data, how it is used and to whom it may be disclosed. Failure to register or an incorrect registration is a criminal offence and may lead to the prosecution of the organisation.

Rights of Subject Access

16.5 Under the DPA any living person has the right of access to their information held/used by the CCG and also to request certain information relating to the processing of their information, including:
- a description of the information;
- the purpose the information is used for;
- the disclosures that are made/may be made;
- the source of the information.

16.6 Applications for access to personal identifiable information are made under two Acts:
- Data Protection Act 1998 for living individuals;
- Access to Health Records Act 1990 for deceased individuals.

16.7 Guidance and procedures on managing subject access requests can be found at Appendices J and J.

17. PRIVACY IMPACT ASSESSMENTS (PIAs)

17.1 A PIA must be completed for any significant change of service or introduction of a new information asset. A two-stage PIA form and action plan is available for staff to complete as required.

17.2 All PIAs and accompanying action plans will be approved and monitored by the Information Governance Group.

17.3 The CCG has produced a PIA procedure to assist with the completion of PIAs, and this can be found at Appendix G.

18. LEGAL COMPLIANCE

18.1 The CCG considers all identifiable personal information relating to patients and staff as confidential (except where national policy on accountability and openness requires otherwise) and is committed to acquiring, using and storing information legally and ethically in line with legislation, policies and guidance.

18.2 The CCG also recognises that on occasions, legal and professional guidance may need to be sought for information security and disclosure issues. Applications for legal advice must be directed to the CCG solicitors through the Head of IG and Customer Care.

18.3 The intellectual property rights over any software developed on CCG equipment by staff employed by the CCG belong to the CCG unless explicitly covered by a separate agreement.

18.4 Unauthorised or unlicensed software is not permitted on CCG equipment. It is expressly forbidden for any user to load or operate software gained from the internet, magazine gifts or other sources unless authorised by the IM&T department.

19. OPENNESS

19.1 The CCG recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.

19.2 Information will be defined and, where appropriate, kept confidential, in line with the revised Caldicott Principles and the principles outlined in the DPA. Non-confidential information on the CCG and services will be available to the public through a variety of means, in line with the FOI publication scheme.

19.3 The CCG will also ensure that:
- patients and staff will be informed about the proposed use of their information, who will have access to it, and the organisations it may be disclosed to. This will be through the CCG website and patient leaflets;
- the integrity of information will be developed, monitored and maintained to ensure that it is appropriate for the purposes intended;
- the availability of information for operational purposes will be maintained within set parameters relating to its importance via appropriate procedures and computer system resilience.

19.4 Further advice on Freedom of Information can be found on the intranet in the CCG's Policy and procedures for requests made under the Freedom of Information Act 2000 and the Environmental Information Regulations.

20. RECORDS MANAGEMENT

20.1 Records management is the process by which the CCG manages all aspects of records, whether internally or externally generated and in any format or media type, from their creation, all the way through their lifecycle to their eventual disposal.

20.2 Records are a valuable resource because of the information they contain. Information is only usable if it is correctly recorded in the first place, is regularly updated and is easily accessible when needed.

20.3 The CCG's records are a corporate asset, providing evidence of actions and decisions and representing a vital asset to support daily functions and operations. Records support policy formation and managerial decision-making, and protect the interests of the CCG and the rights of patients, staff and members of the public. They support consistency, continuity, efficiency and productivity and help deliver services in consistent and equitable ways.

20.4 Effective records management ensures that information is properly managed and is available whenever and wherever there is a justified need for information.

20.5 Guidance and procedures on the management of records can be found at Appendix K and K.

21. INFORMATION QUALITY ASSURANCE

21.1 The quality of information acquired and used within the CCG is a key component to its effective use and management. As such, managers will be expected to take ownership of, and seek to improve, the quality of data collected and held within their services.

21.2 The way in which data is collected and analysed can influence the results, and it is therefore important to have a clear framework in place which supports this process.

21.3 The CCG will promote data quality through the use of policies and procedures and associated statutory professional requirements to ensure that, wherever possible, information quality will be assured at the point of collection. This will include reference to nationally available systems such as SUS Data Quality Dashboards and Key Performance Indicator (KPI) reports, enabling commissioners to explore data quality issues across contracted provider services.

21.4 Guidance on managing data quality can be found at Appendix L.

22. NHS CONSTITUTION

22.1 The CCG will abide by the rights and pledges made within the NHS Constitution, including:
- you have the right to be treated with dignity and respect in accordance with your human rights;
- you have the right of access to your own health records and to have any factual inaccuracies corrected;
- you have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure;
- you have the right to be informed about how your information is used;
- you have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

23. INFORMATION AND CYBER SECURITY

23.1 The CCG recognises that organisations and their information systems and networks are faced with security threats from a wide range of sources, including computer security violation, vandalism, fire or flood.

23.2 Dependence on information systems and services means the CCG is more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control.

23.3 Cyber security is about protecting computer-based equipment and information from unintended or unauthorised access, change or destruction. Threats may come in the form of:
- theft or unauthorised access of computers, laptops, tablets, mobiles;
- remote attack on IT systems or the website;
- attacks on information held in third party systems such as CCG hosted services;
- gaining access to information through CCG staff.

23.4 Information security is characterised as the preservation of:
- confidentiality: ensuring that information is accessible only to those authorised to have access;

- integrity: safeguarding the accuracy and completeness of information and ensuring that all systems, assets and networks operate correctly, according to specification;
- availability: ensuring that authorised users have access to information and associated assets when required.

23.5 The CCG will establish and maintain policies for the effective and secure management of its information assets and resources and will work closely with other agencies that support this function by ensuring that staff have access to and are familiar with the information security policies and procedures.

23.6 The CCG is committed to maintaining and developing an infrastructure for information and information assets which has an appropriate level of security. All information assets will have a minimum security framework. In the case of local or standalone systems, it is the responsibility of the relevant manager to ensure compliance with this policy.

23.7 Information security will be addressed at recruitment stage for all staff, and all contracts of employment and job descriptions include a confidentiality clause.

23.8 Where staff are unsure about sharing information they should refer to the Dorset Information Sharing Charter (DISC), the Confidentiality: Staff Code of Conduct, or take advice from their line manager, the ISM, the IG team or the Caldicott Guardian.

Passwords and Access Control

23.9 Access to electronic information assets will be controlled on the basis of service requirements, and managed through the use of protocols for allocating and controlling access, secure logins and passwords.

23.10 Each system will have Access Control Procedures in place, setting out the process for obtaining or removing access to the system.

23.11 Each individual is responsible for keeping their own password secure and ensuring that it is neither disclosed to, nor used by, anyone else under any circumstances.

23.12 Use of shared passwords is not permitted.

23.13 Staff must only access systems using their own login and password. All staff are accountable for any activity carried out under their login and password and this is audited.

23.14 Guidance on password management can be found at Appendix M.

Risk Analysis

23.15 Effective information security management is based upon the core principle of risk assessment and management. In order to make the best use of resources, each information system should be secured to a level appropriate to the measure of risk associated with it.

23.16 A risk assessment will be carried out for each of the CCG information systems by the IAO. Measures will be put in place to ensure each system is secured to an appropriate level.

23.17 Once identified, information security risks will be managed on a formal basis. Risks will be recorded within the CCG risk register and action plans put in place to demonstrate effective management of the risks.

Network Connection

23.18 The CCG conforms to the NHS.net Code of Connection and as far as practical applies the good practice guidelines contained in the following guidance:

23.19 All devices connected to the CCG network must be authorised and meet all required standards.

Computer Operations

23.20 Responsibilities and procedures for the management and operation of all computers and networks will be established and supported by appropriate documented operating instructions.

NHS Owned Computers

23.21 Each PC (including notebooks, laptops, palmtops, tablets, portables) will have an IAO responsible for the overall security of the system. PCs must be specified and purchased in accordance with current recommendations on software and hardware.

23.22 Precautions must be taken to prevent and detect computer viruses. Information Management and Technology (IM&T) manages antivirus software and will provide advice and support on virus control.

23.23 The transmission of information via the CCG email system will be undertaken in line with the guidance detailed at Appendix N.

23.24 Employees must not allow other employees to know or use their user ID and password. Computer screens must not be left unlocked and unattended; Ctrl-Alt-Del, "Lock Computer" or Windows key + L must be used to lock the screen.

23.25 The IT Helpdesk should be contacted immediately if a virus is suspected. All attachments should be virus checked before opening (this is done automatically).

23.26 There may be occasions when it is necessary to access messages from an individual's mailbox when a person is away from the office for a length of time. Where it is not possible to contact the member of staff to gain permission, authorisation will be requested from the Deputy Director or Director of that service before the IT Helpdesk access the mailbox with the Department Head.

23.27 There are types of email that are expressly prohibited and could result in formal disciplinary proceedings or be used as evidence in legal proceedings. These include, but are not limited to, sending:
- emails containing derogatory, libellous, defamatory, offensive, harassing, racist, obscene or pornographic remarks or depictions;
- comments which are not permitted in the spoken or paper environments;
- confidential messages without the express permission of the sender;
- messages from another employee's account;
- chain letters, junk letters, jokes or unsolicited messages.

23.28 All email messages are subject to Data Protection and Freedom of Information legislation and can also form part of the corporate record. Staff should also be aware that email messages could be used as evidence in legal proceedings.

23.29 Email messages containing inaccurate information in the form of opinion or fact about an individual or organisation may result in legal action being taken against the person sending the message and anyone forwarding the message on to others.

23.30 Limited use of personal emails via other internet providers during break times is permitted. However, the transmission of work data across personal email and messaging systems is strictly prohibited.

23.31 Limited personal access to the CCG email system is allowed during breaks in line with the guidance accompanying this policy.

23.32 Reasonable personal use of other messaging systems such as MSN, Facebook and Twitter is only permitted during break times in accordance with guidance provided in the Internet Acceptable Use Policy.

23.33 Personal use of peer-to-peer file sharing systems is not permitted as these are insecure, potentially breach copyright and represent security risks. This includes BitTorrent, Dropbox, LimeWire etc. If there is a requirement to share large files with third parties, this can be done securely via

23.34 To protect the network, all emails are monitored for viruses. All email traffic (incoming and outgoing) is logged automatically. The logs do not include content. These logs are audited periodically.

23.35 The content of emails is not routinely monitored. However, the CCG reserves the right to retain and access message content as required. Any member of staff who has the content of their messages monitored will be informed before the monitoring takes place. If no action is to be taken as a result of monitoring the content of messages, then all the data collected as a result of the monitoring will be destroyed immediately.

23.36 It is strictly prohibited for staff to save work related emails to a home computer.

23.37 Staff are not permitted to use the email system for any private commercial purpose.

23.38 The use of the CCG email address to register on internet websites for non-CCG purposes is not permitted. This is to reduce the risk and incidence of spam mail.

23.39 Any evidence of unacceptable email usage should be reported via the CCG incident reporting procedures (see section 16 of this policy for further information), and line managers should be advised. All staff have a responsibility to comply with the guidance relating to the transmission of information by email, which is summarised at Appendix N.

23.40 Further guidance on writing business emails can be found at Appendix N.1.

Encryption

23.41 Person identifiable data will be transmitted/transported either in an encrypted format, via secure email or other secure means. Where this is not possible, a risk assessment will be conducted and approved by the relevant IAO with the support of the ISM or the IG team.

23.42 All messages containing sensitive or person identifiable information or commercially sensitive information must not be sent by email unless it is encrypted to NHS standards using approved software.

23.43 Existing encryption facilities such as the national NHS mail (..@nhs.net) and SecureSend are available to use. The CCG also uses an encryption system called IronPort which all NHS Organisations in Dorset have installed.

23.44 Guidance on encryption can be found at Appendix N.2.

Transmission of Confidential Information by Facsimile (Fax) Machine

23.45 The transmission of information via the use of fax machines will be undertaken in line with the confidentiality and security legislation and guidance detailed within this policy and at

23.46 The use of fax machines is an insecure method of transferring confidential information. There are alternatives to this method of transferring information, and more secure methods should be used where these are available and practical. Confidential/person identifiable information should only be sent via a fax machine if other methods have been considered and excluded.

23.47 The fax should be located in a secure location where information cannot easily be accessed by unauthorised persons, and information sent by fax should be sent to a Safe Haven location where only persons with a legitimate right to view the information can access it.

Transmission of Confidential Information by Post

23.48 There are occasions where it is necessary to send confidential information by post, which brings with it the potential for breaches of security. Detailed guidance on sending confidential information by post can be found at Appendix P.

Verbal Communications

23.49 Staff are provided with guidance on verbal communications in the Confidentiality: Staff Code of Conduct. This guidance includes:
- taking appropriate precautions not to reveal confidential information, e.g. to avoid being overheard when making a telephone call;
- not having confidential conversations in public places;
- taking care when leaving messages on answer machines.

23.50 The CCG recognises that recorded telephone messages may contain personal or confidential information and has put in place the following measures to protect the confidentiality of this information:
- access to voicemail is password protected;
- only authorised staff have access to the answering machine.

23.51 Guidance on the communication of information by telephone can be found at Appendix Q.

Pseudonymisation and Safe Havens

23.52 The CCG occasionally uses patient identifiable information for purposes other than healthcare; this is known as secondary uses. It is NHS policy and a legal requirement that when patient data is used for purposes not involving the direct care of the patient, the patient should not be identified unless it can be done so legally, i.e. with patient consent.

23.53 The NHS Confidentiality Code of Practice states the need to effectively anonymise patient data prior to the non-direct care use of the data.

23.54 Data cannot be labelled as primary or secondary use data; it is the purpose of the disclosure and the usage of the data that is either primary or secondary. This means that it is legitimate to hold data in an identifiable form, but it becomes essential to ensure that only authorised users are able to have identifiable data disclosed to them.

23.55 All NHS organisations require safe haven processes to maintain the privacy and confidentiality of the personal information held by the organisation. The implementation of these processes facilitates compliance with the legal requirements placed upon the organisation, especially concerning sensitive personal and confidential information.

23.56 Additionally, employees of the CCG, when disclosing information to other organisations both within and outside the NHS, must seek an assurance that these organisations have suitable processes in place to receive confidential information in a way that ensures the security, integrity and confidentiality of that data.

23.57 The NHS Code of Practice: Confidentiality requires that the use of patient data for purposes that do not directly contribute to the safe care of the individual concerned must be effectively anonymised (in a de-identified form).

23.58 To ensure that the CCG is able to maintain systems and support for the delivery of healthcare services, the organisation has attained Accredited Safe Haven Status (ASH). This means that where person confidential data is received and sent for secondary purposes, New Safe Havens are in place to restrict access and support the pseudonymisation process of de-identifying the data.

23.59 Detailed guidance on Pseudonymisation can be found at Appendix R, and guidance on the requirements for a New Safe Haven can be found at Appendix S.

Smartcards

23.60 CCG users of Smartcards must follow the terms and conditions of use listed on the Spine Portal. Smartcards should be treated with care and protected to prevent loss or damage.

23.61 Staff must report suspected Smartcard misuse in line with the CCG Incident Reporting Procedure.

23.62 Further guidance on the use of Smartcards can be found at Appendix T.

Internet Use

23.63 The CCG has developed an Internet Acceptable Use Policy to control internet usage across the CCG. This can be found on the CCG intranet.

Security of Assets

23.64 All major information assets have a nominated owner (IAO) who is responsible for security measures and for the detailed risk assessment for each asset. This is included in the Information Asset Register and will be reviewed on a regular basis.

23.65 A Remote Access and Homeworking Policy is in place to ensure the security of information when staff are working from home, including the security of those information assets created remotely. A copy of this policy can be found on the CCG intranet.

23.66 Availability of data will be maintained by taking backups and through the provision of Uninterruptible Power Supply (UPS), which covers key infrastructure such as servers and data warehouses for short periods whilst they are safely shut down. Locally based systems are the responsibility of IAOs.

23.67 Recovery points are at four hourly intervals: 8.00am; midday; 4.00pm.

23.68 Following the total catastrophic loss of the site, the recovery point would be up to one week.

Systems Development, Planning and Procurement

23.69 Security issues must be considered and documented during the requirements phase and the procurement phase of all system procurements and developments by completing a Privacy Impact Assessment (see guidance at Appendix G). Minimum security standards will be incorporated in all new systems.

23.70 New operational software must be quality assured. System test and live data should be separated and adequately protected. All changes to the systems, including externally commissioned systems, must pass through a formal change control procedure.

Business Continuity Planning and Disaster Recovery

23.71 The CCG has processes in place to maintain appropriate plans for the restoration of all critical IT systems. The CCG plans to recover all systems by day 3 following total catastrophic loss of all systems on a site. There is an order of recovery of the systems in place.

23.72 All systems will have threats and vulnerabilities assessed to determine how critical they are to the CCG. Individual work areas have procedures in place to maintain essential services in the event of IT system failure.

23.73 Disaster Recovery and Business Continuity Plans are in place for the CCG and cover areas such as back-up, media control, event logging, monitoring, protection from theft and damage, unauthorised access and capacity planning. The disaster recovery plans are tested on an annual basis.

24. STRATEGY

24.1 The CCG aims to achieve a standard of excellence in IG by ensuring that information is dealt with legally and securely in the course of CCG business, in order to support high quality patient care.

24.2 The CCG aims to minimise and manage the key risks arising from information handling processes. These are:
- legal action due to non-compliance with statutory and regulatory requirements;
- loss of public confidence in the CCG;
- contribution to clinical or corporate negligence.

24.3 The CCG will ensure that the work necessary to implement the standards required for IG will be carried out through an annual IG Implementation Plan arising from a baseline assessment against the standards set out in the IGT. Regular reports relating to IG progress will be submitted to the IGG, which in turn will report to the Audit and Quality Committee.

24.4 The CCG will also ensure that detailed policies and procedures for IG are available for all staff, with the Confidentiality: Staff Code of Conduct booklet acting as a staff guidebook for all issues.

24.5 The IGG will further ensure the embedding of IG across the organisation through training. As information plays a key part in all corporate and clinical activities, training appropriate to the needs of individuals and staff groups will be delivered, using the most appropriate mechanism set out below.

25. TRAINING

25.1 It is recognised that the successful implementation of IG Policy is dependent upon the input and commitment of staff at all levels of the organisation.

Induction

25.2 New staff will receive information governance training, delivered by the IG team, as part of their corporate induction. They will also be issued with a copy of the booklet Confidentiality: Staff Code of Conduct at their induction.

Annual Training

25.3 Staff need clear guidelines on expected working practices and on the consequences of failing to follow policies and procedures. All staff are required to attend mandatory annual information governance training which is run by the IG team and tailored to individual staff groups.

25.4 Subsequent training needs for individual staff members will be identified through the appraisal process/individual performance review process.

25.5 Additional ad hoc information governance training will be provided by the IG team as required, for example following an incident relating to a confidentiality breach.

25.6 Specific staff roles have also been identified to receive additional training, and these are set out in the IG Training Plan and Training Needs Analysis at Appendix E.

25.7 The Workforce Directorate and the IG team will monitor take-up of the training and report to the IGG. Where there is a low take-up of training, this will be reported to Directors for action.

26. CONSULTATION

26.1 This policy is a legislative requirement and no consultation is required.

27. RECOMMENDATION AND APPROVAL PROCESS

27.1 Refer to Section C Document Details at the front of this policy.

28. COMMUNICATION/DISSEMINATION

28.1 Refer to Section G Distribution List at the front of this policy.

29. IMPLEMENTATION

29.1 This policy does not require any new aspects to be implemented.

29.2 This policy will be made available to staff through the intranet as detailed in the CCG's Policy for the Management of Procedural Documents.

30. MONITORING COMPLIANCE AND EFFECTIVENESS OF THE DOCUMENT

30.1 The IGG takes overall responsibility for ensuring compliance with the policies and procedures summarised in this policy, reporting to the SIRO and the Caldicott Guardian who ensure Governing Body level assurance.

30.2 Year on year improvement within the IG agenda will be monitored through the IGT, which is submitted to the Health and Social Care Information Centre (HSCIC) on an annual basis.

30.3 Minutes from the IGG are submitted to the Audit and Quality Committee. Following each IGG meeting, a report summarising the issues discussed at the meeting is prepared and issued to the Audit and Quality Group and the Directors Performance Group. An annual report is also provided to the Governing Body, together with the scores of the IGT assessment.

30.4 The annual work plan for IG will be reviewed and monitored by the IGG, and Internal Audit will conduct an annual audit against the IGT submission to provide assurance on the level and suitability of the evidence to support the IGT self-assessment scores.

30.5 Audits will be undertaken or commissioned to assess information and cyber security arrangements across the organisation, as well as data quality and records management arrangements, to ensure compliance.

30.6 Audits of the CCG's data quality and records management arrangements will be undertaken or commissioned as appropriate to ensure compliance.

30.7 Compliance with this policy will also be measured against the criteria for Record Keeping in relation to the National Health Service Litigation Authority.

31. DOCUMENT REVIEW FREQUENCY AND VERSION CONTROL

31.1 This policy will be reviewed on an annual basis or earlier if appropriate, to take into account any changes to legislation that may occur, and/or guidance from the Department of Health or the Information Commissioner.

31.2 Any changes made throughout the year will be issued as amendments to the framework. Such amendments will be clearly identifiable to the section to which they refer and the date issued. These will be clearly communicated via the CCG weekly bulletin.

APPENDIX A GLOSSARY

Information Governance forensic readiness: This is the ability of an organisation to make use of digital evidence when required. Its aim is to maximise the organisation's ability to gather and use digital evidence whilst minimising disruption or cost.

Information Governance forensic readiness planning: This means proactive planning for a digital investigation through the identification of scenarios, sources of admissible evidence, related monitoring and collection processes and capabilities, storage requirements and costs.

Personal Data: The provisions of the DPA apply only to personal data. The term personal data is defined, in section 1(1) of the Act, as data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Subject Access Request (SAR): Subject Access Rights give individuals the right to make an application in writing to gain access to information held, or processed, about them.

Data Controller: A data controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is processed.

Data Subject: A data subject means an individual who is the subject of personal data and must be a living individual. Organisations, such as companies and other corporate bodies of persons, cannot therefore be data subjects. The data subject need not be a United Kingdom national or resident. Provided that the data controller is subject to the Act, rights with regard to personal data are available to every data subject regardless of nationality or residence.

Information Commissioner: The Information Commissioner is responsible for administering the DPA and enforcing its provisions through powers vested in him and through the courts. Further information is available at

Record: Recorded information in any format of any type, in any location, which is created, received or maintained by the CCG in the transaction of its activities or the conduct of its affairs and is kept as evidence of such activity.

Corporate and operational records held in any format by the CCG: Administrative records; staffing records; complaints records; financial and accounting records; photographs, slides and other images (non-clinical); microform (microfiche and microfilm) (non-clinical records); audio and video tapes, cassettes, CD-ROMs and DVDs; emails; computerized records (databases, output and disks); scanned documents; material intended for short term or transitory use including notes and spare copies of documents; diaries; any other material which holds non-clinical information.

NHS Record: An NHS record is anything which contains information, in any media, which has been created or gathered as a result of any aspect of the work of NHS employees, including agency, temporary, students or bank staff.

Corporate Record: Record that relates to an organisation's business activities, processes, activities and transactions. A record comprises information which is a corporate asset.

Information Document: Not all documents are records. If, for example, an email is sent asking the time of a meeting or forwarding a piece of information that is already in the public domain, the email is a document not a record. If, however, the email adds a new piece of information, supplies an appraisal on a member of staff or contributes to decision-making, then it becomes a record, because it is the only evidence of an action or activity.

Records Management: Records management is a discipline which utilises an administrative system to direct and control the creation, version control, distribution, filing, retention, storage and disposal of records in a way that is administratively and legally sound, whilst at the same time serving the operational needs of the CCG and preserving an appropriate historical record.

Records Life Cycle: This term describes the life of a record from its creation/receipt through the period of its active use, then into a period of inactive retention (such as closed files which may still be referred to occasionally) and finally either confidential disposal or archival preservation.

Media: Paper (documents, files, folders, bundles, maps, plans, charts etc.) or electronic format. May comprise text, sound or image.

Ownership/Copyright: It is important to remember that the ownership and copyright of records created or held within the CCG is with the CCG and not with any individual or department.

Data Quality: Data quality is the ability to supply accurate, timely and complete data which can be translated into information whenever and wherever required. Data quality is vital to effective decision making at all levels of the organisation.

Safe Haven: Safe Haven is a term used to encompass all processes and procedures put in place to ensure that confidential information is protected from loss, damage or unauthorised access at the time it is received.

Pseudonymisation: Pseudonymisation is a method which disguises the identity of patients by creating a pseudonym for each identifiable patient data item. This allows the patient linking analysis which is required within secondary uses.

Personal Identifiable Data (PID): Personal identifiable data refers to any data, or combination of data, that can be used to identify an individual.

Primary Uses: Primary uses relates to information which is used for health care and medical purposes which directly contributes to the treatment, diagnosis or care of the individual, and includes relevant supporting administrative processes.

Secondary Use Service: The Secondary Use Service (SUS) is primarily a data warehouse which provides access to anonymous patient-based data for purposes other than direct clinical care. SUS is delivered by the NHS Information Centre and NHS Connecting for Health.

BYOD (Bring your own device): BYOD is the use of employee-owned devices for business purposes within an organisation.

APPENDIX B KEY CONTACTS

Job Role: Job Title and Name

Information Governance Team:
Head of Information Governance and Customer Care (Data Protection Officer, CCG Records Manager, CCG Freedom of Information Lead): Joyce Green
Information Governance and Customer Care Manager: Helen Williams
Information Governance Officer: Donna Adams
Information Governance and Customer Care Officer: Sandra Legg
Customer Care Officer: Judy Franek

Freedom of Information Team: Joyce Green, Donna Adams, Sandra Legg

Caldicott Guardian: Director of Quality, Sally Shead

Senior Information Risk Owner: Governing Body Secretary, Conrad Lakeman

Business Continuity Lead: Assurance Lead, Tree Larby

Information Risk Lead: Patient Safety and Risk Manager, Susie Hawkins

Information Security Manager: IM&T Infrastructure Manager, Duncan Pike

APPENDIX C INFORMATION GOVERNANCE GROUP TERMS OF REFERENCE

1. AUTHORITY AND PURPOSE

1.1 The key authority and purpose of the Information Governance Group is to:

- ensure that the NHS Dorset Clinical Commissioning Group (CCG) has effective policies and management arrangements covering all aspects of Information Governance in line with the CCG's Information Governance Framework, including maintaining the currency of the Information Governance Policy and other associated policies, guidance and procedures in accordance with national standards;
- advise the Governing Body on issues relating to Information Governance, including those specific to: provision of information services; management of corporate records; Data Protection Act 1998; confidentiality; sharing of information; Freedom of Information Act 2000; Human Rights Act 1998; Access to Medical Reports Act 2009; cyber security; legal basis of data flows; information risk;
- agree, and sign off (as delegated by the Governing Body), the appropriate components of the Information Governance Toolkit Assessment;
- develop the CCG's Information Governance work programme and monitor progress of the work;
- ensure the CCG's approach to information handling, keeping personal information secure and respecting the confidentiality of service users, is communicated to all staff and made available to the public;

- offer support, advice and guidance to the Caldicott Function, the Senior Information Risk Owner (SIRO) and the Data Protection Programme within the CCG;
- receive and consider reports into breaches of confidentiality and security and, where appropriate, undertake an investigation and recommend remedial action;
- review Privacy Impact Assessments (PIA) for new projects and maintain an overview of the robustness of the PIA process across the organisation;
- review and monitor the organisational information asset register;
- review and monitor flows of information in and out of the organisation with a focus on the legal basis for these flows;
- support IG within the contracting and procurement process;
- ensure that mandatory Information Governance training made available by the CCG is taken up by staff on an annual basis as necessary to support their role, and monitor attendance levels across the organisation;
- promote sound Information Governance principles across the CCG with key stakeholders, including staff and independent NHS contractor professions, and ensure staff have access to appropriate and up to date guidance;
- liaise with other healthcare trusts, organisations, committees and working groups in order to promote Information Governance issues;
- review and approve all information sharing agreements for the CCG.

2. MEMBERSHIP

2.1 The Information Governance Group membership will comprise members with sufficient authority to ensure the IG work programme is understood and, where necessary, completed by directorates. Membership will include, but not be restricted to, the following members:

- Caldicott Guardian;
- Senior Information Risk Owner;
- IM&T Infrastructure Manager;
- Head of Performance and Business Intelligence;
- Head of Information Governance and Customer Care (Data Protection Officer, Freedom of Information Lead);

- Information Governance and Customer Care Manager;
- Information Governance Officer;
- Risk Manager;
- Public Relations Lead;
- Customer Care Officer;
- Engagement and Development representative;
- Review, Design and Delivery representative;
- Continuing Healthcare representative;
- Design and Transformation representative;
- Finance and Procurement representative;
- Governing Body lay member.

2.2 The group will be chaired by the Senior Information Risk Owner.

2.3 The committee may co-opt other members from time to time as relevant to the business being considered.

3. ATTENDANCE, FREQUENCY, LOCATION AND TIMING OF MEETINGS

3.1 The Information Governance Group will meet every two months. Meetings will be held at Vespasian House or Canford House.

3.2 All members of the group are required to attend meetings or provide appropriate and informed representation in their absence for continuity purposes.

3.3 All members of the group are required to provide brief progress reports on their specific areas of work and bring pieces of work to the group for discussion and approval, where relevant.

3.4 Other representatives who are not members of the Group may be invited to attend for all or part of a discussion, particularly when the Group is discussing areas of operation that are the responsibility of that representative.

3.5 The Group can also invite representatives of partner and stakeholder organisations to attend meetings on an ad hoc or routine basis.

3.6 In order to fulfil its remit, the Information Governance Group may obtain any professional advice it requires and invite, if necessary, external experts.

3.7 The Information Governance Team will be responsible for the administration of the Information Governance Group and the timely production of the minutes.

4. REPORTING

4.1 Formal minutes will be kept of the meetings and submitted for approval at the next meeting.

4.2 The draft minutes will be cleared by the Chair of the Information Governance Group and/or a nominated lead.

4.3 Unless papers or items are marked as restricted, members of the Information Governance Group will be expected to share the information with their colleagues.

4.4 Overarching reports from the Information Governance Group will be taken to the Governing Body via the Audit and Quality Committee.

4.5 Prior to submission to the Health and Social Care Information Centre, the Information Governance Group will agree the annual Information Governance Toolkit Assessment report.

5. AUTHORITY

5.1 The Information Governance Group is authorised by the Governing Body to investigate any activity within its terms of reference. The Group is authorised to seek any information it requires from any employee, and all employees are directed to co-operate with any request made by the Group.

5.2 The Group is also authorised to implement any activity which is in line with the terms of reference, as part of the Information Governance work programme.

6. APPROVAL OF TERMS OF REFERENCE

6.1 These terms of reference were approved by the Information Governance Group on 16 December. The terms of reference will be reviewed on an annual basis by the Information Governance Group.

APPENDIX D SUPPORTING POLICIES AND PROCEDURES

Policy/Procedure Name: Approval Details

Information Governance Policy: IGG 16 December 2015
Data Protection Policy: IGG 16 December 2015
Confidentiality: Staff Code of Conduct Leaflet: IGG 10 October 2013; reviewed 3 February 2015
IT Security Policy: IGG 10 October 2013
Network Security Policy: IGG 4 March 2015; amendments approved 26 May 2015
Dorset Information Sharing Charter: Main charter approved June. Underpinning documents currently under review with Better Together IG Group.
Procedure for the Management of Serious Incidents: Directors Performance Meeting 18 August 2015
Procedure for the Management of Adverse Incidents: Directors Performance Meeting 5 October 2015
Risk Management Framework: Directors Performance Meeting March 2015
Policy and Procedures for requests made under the FOI Act 2000 and the EIR 2004: IGG 16 December 2015
Confidentiality: Patient Information Leaflet: IGG 22 October 2013
NHS Smartcard and Registration Authority Policy: IGG March 2012; reviewed 26 November 2014
Remote Access and Homeworking Policy: Directors Performance Meeting 20 April

APPENDIX E INFORMATION GOVERNANCE TRAINING PLAN AND TRAINING NEEDS ANALYSIS

1. INTRODUCTION

1.1 To ensure organisational compliance with the law and central guidelines relating to Information Governance (IG), Information Governance training is considered to be core mandatory training that all staff within NHS Dorset Clinical Commissioning Group (CCG) are required to complete within two weeks of commencing employment, and thereafter on an annual basis at the relevant directorate training sessions.

1.2 To meet this requirement, the CCG has established a clear plan for Information Governance training that is appropriately tailored to specific staff groups or job roles. This plan addresses how and when each work area and/or staff group will be trained, how training needs beyond the basic level will be addressed, and also includes induction processes for new staff.

2. INFORMATION GOVERNANCE TRAINING OVERVIEW

2.1 The NHS Operating Framework Informatics Planning 2010/11 provides guidance on the informatics components of local operating plans and sets out national expectations for the NHS for delivery of national and local objectives. Under Annex 1, National Expectations, the section on sustaining robust information governance states that: "All staff should receive annual basic IG training appropriate to their role through the online NHS IG Training Tool".

2.2 Historically, a blended training approach was offered to deliver IG training to all staff. Staff were encouraged to complete their annual IG training through the online IG Training Tool, and facilitated training sessions were also offered throughout the year for those staff who preferred a face-to-face training environment.

2.3 However, the Information Governance Review, "Information: To Share or Not to Share?", which was carried out by Dame Fiona Caldicott and published in March, highlighted that: "mandatory training is often a tick-box exercise. Although mandatory training such as the online NHS Information Governance Training Tool may provide an introduction to some information governance issues, this 'one size fits all' approach is too often focused on processes and policies in organisations. In fact it is possible to pass the training tool by answering the questions at the end without bothering to read the text."

2.4 One of the recommendations of this report is that there is: "a fundamental cultural shift in the approach to learning about information governance across health and social care."

2.5 With this in mind, staff will be required to attend mandatory annual information governance training which will be run by the Information Governance Team and tailored to individual staff groups.

3. TRAINING NEEDS ANALYSIS

3.1 Staff will inevitably have different levels of awareness of their responsibilities for safeguarding confidentiality, protecting information and preserving information security. Whilst the mandatory basic IG training will be sufficient to give staff the knowledge they require, some jobs will require additional training and some staff may require additional support.

3.2 This will be addressed by regular assessment of training and development needs, consideration of how these needs might best be met and evaluation of any training that has been undertaken.

3.3 All staff will receive an annual appraisal and a mid-year review which will set out the skills and competencies required to perform a particular job role and then an assessment of the current level of skills and competencies of the staff member performing the job. Where a skills/competency gap is identified, appropriate training will then be arranged.

3.4 Skills/competency gaps will be analysed to see if there is a common theme in each area of the organisation where additional training programmes can be planned for the future.

Staff Induction

3.5 Staff induction for all new starters needs to ensure that IG training needs are addressed. New members of staff may otherwise fail to be aware of the relevant requirements and guidelines about their own individual responsibilities for IG compliance.

3.6 Therefore, all new starters will receive face to face information governance training within two weeks of commencing employment, delivered by the Information Governance Team, as part of their corporate induction. They will also be issued with a copy of the booklet Confidentiality: Staff Code of Conduct at their induction.

3.7 Information Governance induction training will be tailored to an individual's role, covering:

- introduction to Information Governance in the CCG working environment;
- fundamentals of the Data Protection Act 1998 and the Caldicott Principles;

- Freedom of Information Act 2000 and individual responsibilities;
- NHS Constitution;
- basic information security and records management guidance;
- pointers to where policies, procedures and further information are located.

3.8 Once induction has been completed, new starters will be required to attend their directorate facilitated training session during the course of the year.

Annual IG Training

3.9 Existing staff will be required to attend mandatory annual information governance training sessions which will be run by the Information Governance Team. The training will cover key areas such as information security, records management, Freedom of Information Act 2000, Data Protection Act 1998, NHS Constitution, Caldicott Principles and updates on any recent monetary penalties issued by the Information Commissioner's Office or any changes to guidance and legislation. The training will be tailored to the needs of individual staff groups and several sessions will be run for each directorate. All staff will be expected to attend one of these sessions.

3.10 The areas covered by the training will be renewed and updated on an annual basis, following an evaluation of staff competence during the training sessions and the outcome of Information Governance staff compliance audits. Organisational and legislative requirements will also be taken into consideration.

3.11 Subsequent training needs for individual staff members will be identified through the appraisal process/individual performance review process.

3.12 Additional ad hoc information governance training will be provided by the Information Governance Team as required, for example, following an incident relating to a confidentiality breach.

3.13 Specific staff roles have also been identified to receive additional training; for example, Information Governance Group members will receive additional information governance training to enable them to carry out their roles in providing data protection and information governance support to their directorates.

Information Governance Team

3.14 The Information Governance Team will attend specialised Information Governance training which will be sourced according to the needs of the organisation. Not all members of the team will attend the same training; this will be dependent on work areas and team requirements.

Information Governance Group Leads

3.15 The Information Governance Group Leads will require additional IG training to enable them to carry out their roles as the directorate specialists on Information Governance. Specific training will cover the Data Protection Act in greater depth to enable the Leads to handle day to day issues. This training will be delivered either by the Information Governance Team or sourced from an external provider.

Caldicott Guardian

3.16 The Caldicott Guardian is a specialist role requiring a detailed knowledge of confidentiality issues to enable the role to be performed effectively. To fulfil this requirement, any newly appointed Caldicott Guardian will receive specialised training from an external provider in the first instance. This will then be updated through attendance at the CCG facilitated IG training sessions, with occasional updates delivered by an external provider.

Senior Information Risk Owner / Information Asset Owners

3.17 The Information Governance Toolkit states that the SIRO should receive strategic information risk management training on an annual basis. To fulfil this requirement, any newly appointed SIRO will receive specialised training from an external provider, followed by attendance at the CCG facilitated IG training sessions on an annual basis, with occasional updates delivered by an external provider.

3.18 Information Asset Owners are required to have a good knowledge of risk management and business continuity arrangements for their key information assets. With this in mind, the IAOs will attend the facilitated IG training sessions delivered by the Information Governance Team, and additional training will be provided on an individual basis around the risk assessment process for information assets.

Information Security Manager

3.19 The Information Security Manager is a specialist role requiring specific knowledge of Information Security Management and ISO. To fulfil this requirement, any newly appointed Information Security Manager will receive specialised training from an external provider, followed by attendance at the CCG facilitated IG training sessions on an annual basis, with occasional updates delivered by an external provider.

Staff handling Subject Access Requests

3.20 Staff handling subject access requests form part of the Information Governance Team and, as such, will receive specialised training as part of their annual training requirements. This will include training on accessing health records.

CCG Governing Body

3.21 The CCG Governing Body will receive specific training delivered by the Head of Information Governance and Customer Care. The training will primarily focus on the corporate responsibilities of the Governing Body.

4. TRAINING MONITORING AND REVIEW

4.1 Training attendance will be monitored and recorded via the Electronic Staff Record (ESR), and the Information Governance Team will oversee take up of the training and report to the Information Governance Group. Information Governance training is mandatory for all staff and a 95% take-up is necessary to comply with the requirements of the Information Governance Toolkit.

4.2 The success of the information governance training will be monitored through the assessment of staff IG awareness via the Information Governance Confidentiality Audit, which will be carried out on a quarterly basis.

4.3 In addition, Information Governance Group leads will receive regular reports on the progress of staff training uptake in their directorates to enable monitoring and chasing.

4.4 This training plan will be updated on an annual basis in line with legal requirements, corporate and/or Department of Health policy, or any major changes which may impact on the Information Governance agenda at a local or national level.

APPENDIX F PROCEDURE FOR CARRYING OUT CONFIDENTIALITY AUDITS AND CONFIDENTIALITY AUDIT TEMPLATE

1. RESPONSIBILITY FOR MONITORING OF ACCESS

1.1 The Information Governance Group is mandated to oversee the governance of privacy and confidentiality issues. The Terms of Reference for the group set out the requirements for members to: "receive and consider reports into breaches of confidentiality and security and, where appropriate, undertake an investigation and recommend remedial action."

1.2 The Terms of Reference are reviewed on an annual basis to ensure they reflect the necessary requirements for monitoring confidentiality and privacy breaches.

1.3 Confidentiality audit and monitoring responsibilities lie with the Caldicott Function of the CCG.

2. EXAMPLES OF AUDIT

2.1 A copy of the Information Governance Confidentiality Audit can be found at the end of this procedure. The areas covered by the audit are set out below:

- general information governance;
- data protection/freedom of information;
- confidentiality;
- information security;
- records management and data quality;
- incident reporting.

3. REPORTING AND ESCALATION PROCESSES

3.1 Confidentiality audit and monitoring outcomes will be investigated and actioned by the Information Governance Group and reported to the Audit and Quality Committee in line with risk management processes for the CCG.

3.2 Documentation in relation to confidentiality and privacy audits, investigation and performance monitoring will be copied routinely to the Caldicott Guardian.

3.3 Confidentiality incidents are reported through the CCG incident reporting process which is available on the intranet. Lessons learnt from incidents, complaints etc. will be disseminated through the appropriate communication processes, including the weekly communications bulletin and directorate team meetings.

3.4 A log of all privacy and confidentiality outcomes, complaints, actions taken and lessons learnt will be provided by the Information Governance Group. Exceptional issues will be escalated by the Caldicott Guardian to the Audit and Quality Committee and to the appropriate Directors.

4. FREQUENCY OF AUDITS

4.1 The audits will be carried out on a quarterly basis and will cover all departments within the CCG on a rolling basis during the course of the year.

INFORMATION GOVERNANCE CONFIDENTIALITY AUDIT

Area: ............ Date: ............ Staff Member: ............

Information Governance
- What is the level of staff awareness around IG? Do they know the difference between FOI, DP and Caldicott?
- What IG training has been undertaken by staff? Check for evidence of training.
- Are staff aware of IG policies around protecting information, records and data protection etc.?
- Do staff know where to go for advice about IG, records management, data quality etc.?

Data Protection/FOI
- What awareness do staff have of FOI and Subject Access Requests? Check for awareness of timeframes, who to pass the request on to, and awareness about access requests from solicitors, police etc.
- How do staff inform individuals about how their information is used?
- Have staff members been briefed on the Confidentiality: Staff Code of Practice? Check understanding and accessibility of the Code.

Confidentiality
- Where do staff hold conversations about individuals? Look out for conversations in public areas such as the kitchen, corridors and stairs.

- How do staff transport/share information? Check awareness of remote access, encryption, storage, transportation, recording of information taken out of the CCG, and compliance with the Remote Access and Homeworking Policy.
- Do staff work from home? Check no emails are sent to home addresses. Check for a copy of the risk assessment.

Information Security
- Are all staff wearing their ID badges?
- Check location of passwords, evidence of shared passwords, and knowledge of the correct format for passwords.
- Where are the printers and fax machines positioned? Check there is no information left lying around.
- Are computers locked when staff leave their desks?
- Are staff aware of security arrangements? Check for knowledge on use of Ironport and nhs.net, and of the lack of encryption for the subject header of emails. Check for awareness of security arrangements around portable equipment.
- Do staff know how to dispose of PCD? Check disposal arrangements for post-it notes, notebooks and other temporary recording material.
- Check knowledge of when to carry out a Privacy Impact Assessment. Are there any under review for the directorate?

Records Management and Data Quality
- Are records stored securely and filed properly in a suitable location? Check both electronic and paper records for relevant filing systems, correct drives and no named folders. Check awareness of records retention schedules, naming conventions, and procedures for creation and filing of paper and electronic records.
- How often do staff sort through records? Check through filing cabinets and electronic folders. Can some records be archived/destroyed?
- Do staff have access to electronic or paper health records through systems such as Smartcards, Ulysses, ESR or SUS? Check access controls are in place.
- Have staff attended any data quality training? Check for evidence of training, training records and system procedures.

Incident Reporting
- Do staff know what an information security/confidentiality incident is?
- Do staff know the process for reporting an information incident?
- Are staff aware of the consequences of breaching confidentiality?

Information Governance Management
- Review information mapping. Check mapping is up to date and risk assessments completed.

- Review the Information Asset Register. Check the departmental register is up to date, with access control procedures and system level security documentation in place.
- Review the Business Continuity Plan and ensure satisfactory arrangements are in place for key information assets.
- Review the list of Homeworkers and ensure risk assessments are in place and up to date.
- Review any patient literature.

APPENDIX G PROCEDURE FOR CARRYING OUT PRIVACY IMPACT ASSESSMENTS AND PRIVACY IMPACT ASSESSMENT TEMPLATE FORM

1. INTRODUCTION

1.1 The purpose of this document is to provide support and information to all staff to enable the successful assessment of the impact upon privacy of any service change.

1.2 The procedure describes the process for ensuring that all new projects, processes and systems introduced to the NHS Dorset Clinical Commissioning Group (CCG) comply with confidentiality, privacy and data protection requirements.

1.3 Specifically, the procedure also ensures that processes for completing and reviewing Privacy Impact Assessments (PIA) are managed in a controlled way.

1.4 This procedure should be used alongside the Privacy Impact Assessment Form at the end of this document.

2. PROCESS FOR COMPLETION

When should I start a PIA?

2.1 A PIA is most effective when started at an early stage of a project, when the project is being designed. Ideally, it should be started before decisions are set in stone and before systems have been procured.

2.2 Projects that are already up and running should be submitted to a compliance check.

Who is responsible for completing the PIA?

2.3 Each Director or Manager who manages or leads projects is responsible for completing a PIA, whilst all employees have a duty to promote privacy and data protection principles.

2.4 Completed PIAs should be sent to the Information Governance team for inclusion in the agenda of the Information Governance Group. The PIAs will then be reviewed by the Group and signed off by the Senior Information Risk Owner (SIRO) and the Caldicott Guardian, who attend the meetings.

2.5 If the PIA requires urgent review, the Information Governance team, the SIRO, the Caldicott Guardian and the Information Security Manager will convene a separate meeting to review it.

Stages of a PIA

2.6 A Privacy Impact Assessment form must be completed for any significant change of service or introduction of a new information asset.

2.7 It is recognised that the majority of service changes are small and may not require a full PIA assessment. Therefore, the assessment process is designed in 2 stages.

2.8 In order to decide what type of Privacy Impact Assessment, if any, is required, section 1 of the PIA must be completed. Depending upon the outcome of this, one of two routes should be followed. The PIA process diagram, set out below in text form, provides further information on the stages of the PIA.

PIA Process

Stage 1: A new asset or process is introduced. The manager completes Section 1 of the PIA Form to screen whether a full assessment is required.

- YES (full assessment required): Stage 2. The manager completes the full PIA by filling in Section 2 of the PIA Form and completing a Privacy Impact Action Plan. The PIA Form is passed to the IG Group, who review the action plan, decide whether it is sufficient, and make recommendations as to any further actions required. The manager ensures the actions are implemented.

- NO (no full assessment required): The manager determines that no full PIA is required. Section 1 of the PIA Form is completed, signed and returned to the Directorate Information Asset Owner (IAO) for checking. If the IAO agrees, no further action is required. If the IAO disagrees, the manager proceeds to Stage 2.

3. MONITORING AND REVIEW OF PIA

3.1 Where it is indicated that developments require a full stage 2 assessment and completion of an action plan, these will be reviewed by the Information Governance Group. Progress against the implementation of change in line with the completed PIAs will be reviewed by the Information Governance Group on a bi-monthly basis.

3.2 Urgent developments requiring input in between Information Governance Group meetings will be reviewed by the Information Governance team and the Caldicott Guardian.

4. MONITORING AND REVIEW OF PROCEDURES

4.1 This procedure will be reviewed every year by the Information Governance Group.

4.2 In addition, the Information Governance Toolkit requires an annual audit on the effectiveness of this guidance and the quality of the assessments completed within the organisation. This will be carried out by the Information Governance team.

PRIVACY IMPACT ASSESSMENT FORM

Section 2 of this form is protected; please complete the fields that are shaded. The boxes will expand as you type so that you are not limited in how much you write. You can move between the fields using the cursor up and down keys.

Section 1: Screening for a Privacy Impact Assessment

1. What is the name of the service / policy / procedure / project being assessed?

2. Briefly describe the service changes / new policy or procedure that is being Impact Assessed. What needs, or duties, is it designed to meet? Will it have an impact on the sharing of confidential data?

3. If this service / policy / procedure / CCG function has no relevance for privacy considerations, please give your reasoning below and sign page 3 of this form.

Where there is no relevance for privacy considerations, the screening section can be signed and countersigned and there is no need for a full assessment. Where there is relevance for privacy considerations, a full Privacy Impact Assessment must be undertaken and Section 2 completed below.

Section 2: Full Privacy Risk Screening Assessment

4a. Does the project/service development involve any technologies that might have a privacy impact, for example Smartcards, biometrics, digital imaging, video recording or logging of electronic traffic? (i.e. does the project use or suggest new or extra technologies that will have a greater impact on privacy?) Yes / No

4b. Does the project/service development involve the use of new personal identifiers or an extension in the use of personal identifiers? (i.e. are you setting up a new way to identify someone, or re-using an existing way? Is it intrusive?) Yes / No

4c. Does the project/service development involve the handling of a significant amount of new personal data? (i.e. are you going to be using new personal data that you haven't previously collected? Are you including a way to authenticate someone's identity or introducing an identity management process?) Yes / No

4d. Does the project/service development involve new or changed data management processes that might be intrusive, insecure, more permissive in terms of access to data, or unclear? (i.e. are you suggesting using personal data in a new or significantly changed way? Is this the sort of data that people would have concerns about?) Yes / No

Privacy Impact Assessment Action Plan

When completing the action plan set out below, you will need to set out the actions that you need to take in order to minimise the impact on privacy. If you are working with a third party, you should involve them in completing this PIA and action plan. You may wish to consider:

- How will the patient be informed of any changes to the use of their information?
- If you are working with a third party, who will be the data controller for that information?
- Which organisation will be responsible for handling subject access requests, complaints, FOI requests etc.?
- How long will the information be held for?
- Do you need an information sharing agreement to be set up?
- Does the contract cover reporting of incidents to the CCG?
- What IG controls does the third party have in place, and what IG training will their staff receive?

- Will the information be seen or shared with other people, organisations or other countries that don't have the same legal requirement to consider privacy?
- How will information be transferred / moved about securely / tracked?
- Will any staff be working remotely or from home, and has a risk assessment been completed?
- Who will have access to the information? What access controls will you have in place, and do you have an access control policy?
- How secure is your computer system? Have you liaised with IT?
- How will the information be securely stored? Will the information be stored on a cloud, and where is the cloud located?

The following actions will be undertaken as a result of the Privacy Impact Assessment to address identified adverse impact:

Adverse impact identified | Action to be taken | Timescale | Responsible manager

To be signed by the Manager undertaking the full assessment:
Name:
Designation:
Date:

To be countersigned by Senior Manager, i.e. Service Head, Line Manager, Director, as appropriate:
Name:
Designation:
Date:

APPENDIX H GUIDANCE ON INFORMATION GOVERNANCE FORENSIC READINESS

1. FORENSIC READINESS

1.1 Forensic science is generally defined as the application of science to the law. Over the last decade, the number of crimes that involve computers has grown, spurring an increase in companies and products that assist personnel in using computer-based evidence to determine the details of computer-related incidents. As a result, digital forensic tools and techniques have evolved to enable organisations to properly provide computer crime data to courts.

1.2 In addition to assisting with criminal investigations and the handling of computer security incidents, digital forensic tools and techniques are invaluable for many other organisational and security related tasks such as:

- troubleshooting operational issues: finding the virtual and physical location of a host with an incorrect network configuration, resolving a functional problem with an application, and recording and reviewing the current operating system and application configuration settings for a host;
- log monitoring: analysing log entries and correlating log entries across multiple systems, assisting in incident handling, identifying policy violations, and auditing and other related efforts;
- recovering lost data from systems, including data that has been accidentally or purposely deleted or otherwise modified;
- acquiring data for possible future use from hosts that are being redeployed or retired, and acquiring and storing the data from a user's workstation when the user leaves the organisation;
- protecting sensitive information and maintaining certain records for audit purposes, enabling organisations to notify other agencies or individuals when protected information is exposed to other parties.

1.3 This guidance will enable authorised personnel to monitor systems and networks and to perform investigations for legitimate reasons under appropriate circumstances.

1.4 The attached procedure clearly defines the roles and responsibilities of all staff members and external organisations performing or assisting with the organisation's forensic activities.

1.5 The CCG will rely on a combination of their own staff and external groups to perform forensic tasks.

1.6 Outside parties will only be used when specialised assistance is needed for tasks such as:

- sending physically damaged media to a data recovery firm for reconstruction;
- having specially trained law enforcement personnel or consultants collect data from mobile electronic storage devices such as mobile phones and similar sources.

1.7 The above tasks usually require the use of specialised software, equipment, facilities, and technical expertise that the CCG cannot afford to acquire and maintain.

APPENDIX H.1 PROCEDURE FOR INFORMATION GOVERNANCE FORENSIC READINESS

1. INTRODUCTION

1.1 In the unlikely event that an information security incident should occur, the CCG must have the capability to ensure that there is both a clear audit trail of use of information sources, and procedures to ensure that there is no damage to, or tampering with, information.

1.2 In order to ensure compliance with a complicated policy area, these procedures have been drafted to support staff in the event of an incident requiring the use of digital forensic techniques.

2. ACTION REQUIRED

Staff

2.1 All staff who become aware of an incident that may require the safe protection of information should:

- contact the Workforce department, the Head of Information Governance and Customer Care, the Senior Information Risk Owner (SIRO) or the Information Security Manager (ISM) immediately;
- ensure that they do not unplug or touch any electronic equipment.

Information Governance Team

2.2 Once notified of an information security incident, the above specialists will then:

- define the business scenarios that may require digital evidence;
- identify available sources and different types of potential evidence;
- determine the evidence collection requirement and advise the SIRO of the action required.

2.3 Where an area of criminal activity is determined, particularly where there is suspicion of a breach of either the Protection of Children Act 1978 Section 1, or the Criminal Justice Act 1988 Section 160, a report must be made to the police. Evidence collection, examination and analysis must be carried out by the police. This applies to any stage of an internal investigation.

2.4 Where there are requirements within any investigation for expertise beyond the CCG's in-house capability, a risk assessment will be carried out balancing data or information loss, and/or system damage and failure, with the cost of employing external forensic expertise.

2.5 This assessment will be made at a senior level and involve the SIRO, the Information Asset Owner concerned, the ISM, the Head of Information Governance and Customer Care and, depending on the sensitivity and confidentiality of the information compromised, the Caldicott Guardian.

2.6 In the event that electronic evidence needs to be seized, the Information Governance forensic readiness team will follow the best practice process set out below at Table 1.

2.7 Further guidance for the Information Governance forensic readiness team on securing the electronic evidence is detailed in Table 2, and a checklist for managing the process is set out in Table 3.

Table 1 Best Practice for the seizure of electronic evidence (ACPO - copyright acknowledged). The table is a diagram in the original document and is not reproduced in this text.

Table 2 Securing Electronic Evidence

MUST DO | BUT REMEMBER
LABEL ALL EQUIPMENT | Don't obscure anything already written on it. Never use packaging tape for a label.
LABEL ALL LEADS | Record which machine they were attached to and which connector was used.
BAG UP ALL EQUIPMENT | Use anti-static bags where possible. Otherwise, use tough paper bags or wrap in paper and put in aerated plastic bags.
SEAL ALL BAGS AND RE-LABEL | Time, date, location, name of person securing and contact point.
STORE CAREFULLY | Protect with padding. Keep away from heat, damp and magnetic fields.
STORE SECURELY | Store in a lockable space.
LOG | Make an inventory of all items.
DUPLICATE | Duplicate the inventory to senior management.

All copyright acknowledged

Table 3 RAG Action Points - tick box support

At the scene
STEP | ACTION
1. | Isolate the room/area containing the equipment
2. | Get people away: cordon off the area
3. | DON'T touch anything
4. | Photograph or sketch a plan of the equipment, exactly as found
5. | Make a written record of all the equipment (Type, Make, Model, etc)
6. | Keep a written record of every action taken on the equipment

Desktop Computers
SITUATION | ACTION
Computer is on | Don't switch it off
Computer is off | Don't switch it on
Printer is printing | Let it finish
No forensic analyst immediately available | Pull plugs from rear of machine (NOT from the wall sockets)

Laptop Computers
SITUATION | ACTION
Lid is shut (first) | Don't open it
Lid is shut (second) | 1. Remove power cord 2. Remove battery
Lid is open and computer is on | 1. Remove power cord 2. Remove battery
Lid is open and computer is off | Shut lid, remove battery

Finally
STEP | ACTION
1. | Bag and label all equipment
2. | Remove to safe and secure storage

Adapted from ACPO Good Practice Guide for Computer Based Electronic Evidence. Jan Collie copyright acknowledged

APPENDIX I GUIDANCE ON THE INTRODUCTION OF BRING YOUR OWN DEVICE (BYOD)

Please note: the CCG does not currently permit BYOD

1. INTRODUCTION

1.1 BYOD is the use of employee-owned devices for business purposes within an organisation. Smartphones are the most common example but it also includes tablets, laptops and USB drives.

1.2 The underlying feature of BYOD is that the user owns, maintains and supports the device. This can mean cost and resource efficiencies as the staff member provides the equipment rather than the organisation purchasing this directly.

1.3 The number of organisations introducing BYOD has fallen recently due to data protection concerns and data incidents.

1.4 The legal responsibility for protecting personal information is with the CCG, not the device owner. The following laws apply:

- the Data Protection Act 1998 (DPA), which states that measures must be taken against unauthorised or unlawful processing of personal data;
- the Employment Practices Code, which states that employees are entitled to a degree of privacy in the work environment.

1.5 In addition, the CCG has obligations under the following Acts and needs to ensure that the requirements are met if the use of BYOD is introduced:

- Regulation of Investigatory Powers Act;
- Computer Misuse Act;
- Freedom of Information Act;
- Official Secrets Act.

1.6 The Information Commissioner's Office (ICO) can impose fines of up to £500,000 for serious data breaches.

2. CONSIDERATIONS

2.1 One of the key things to consider is planning for a security incident. How will the following be implemented?

- immediate action to limit losses;
- limit reputational damage;
- learn lessons from the incident;

- the ability to revoke access to business information and services quickly;
- understand how any data remaining on the device will be dealt with.

2.2 In addition the CCG must:

- identify who is responsible for replacing lost or stolen personally owned devices;
- consider the effect any delay on the replacement of devices will have;
- ensure that staff know who to contact and what to do if a device is stolen. Staff must feel confident that they can quickly report incidents without fear of recriminations, especially if it is their own device.

3. GUIDANCE

3.1 The ICO and the Government have produced guidance on the introduction and use of BYOD. The key issues identified within the guidance that organisations need to be aware of when introducing BYOD are:

- having a BYOD policy in place;
- ensuring that all processing of personal data will be processed for a purpose different from that for which it was originally collected; this needs to be on the risk register;
- how the device will be secured and controlled;
- how data will be transferred;
- limiting the choice of devices to those which the CCG has assessed as providing an appropriate level of security for the personal data being processed;
- introduction of monitoring;
- in the event of a data security breach, being able to demonstrate that the CCG has secured, controlled or deleted all personal data on a particular device.

3.2 There are potential implications for the transfer of data outside of the European Economic Area (EEA). Without strict controls in place this is a breach of the 8th Principle of the Data Protection Act.

3.3 Information needs to be freely available to fulfil the CCG's obligations under law relating to requests made under the Freedom of Information Act 2000 and Subject Access requests under the Data Protection Act 1998. Search facilities currently used would not be available with BYOD. How would this be addressed?

3.4 CCG systems would be more open to Spam and malware attacks.

3.5 Consideration would need to be given as to how these devices would be logged on the Information Asset Register. This is a requirement for successful submission of the IG Toolkit.

3.6 It is important to remember that however data is used and stored, the CCG is the Data Controller and therefore responsible in law.

3.7 Guidance published by the ICO and Gov.uk is available at: ance.pdf

APPENDIX J GUIDANCE ON MANAGING A SUBJECT ACCESS REQUEST AND ASSOCIATED CHARGES

1. INTRODUCTION

1.1 Living individuals (known as Data Subjects) have the right, under the Data Protection Act 1998 (DPA), to view and obtain a copy of all personal data relating to them that is held by the CCG, irrespective of when it was created.

1.2 This includes both computerised and manual records. It also includes any type of personal information that is recorded about the person including photographs, audio messages and CCTV images.

1.3 To exercise this right, an individual must make a written request for information held about them. This is known as a Subject Access Request.

2. RIGHTS OF SUBJECT ACCESS

2.1 Under the DPA any living person has the right of access to their information held/used by the NHS Dorset Clinical Commissioning Group (CCG) and to also request certain information relating to the processing of their information including:

- a description of the information;
- the purpose the information is used for;
- the disclosures that are made/may be made;
- the source of the information.

2.2 Applications to personal identifiable information are made under two Acts:

- DPA for living individuals;
- Access to Health Records Act 1990 (AHR) for deceased individuals.

2.3 An individual does not have the right to access information held about someone else unless they are an authorised representative, have parental responsibility or are acting on behalf of a deceased person.

2.4 The requestor is not required to give a reason as to why they are applying for access but they do need to provide sufficient information to enable the correct records to be located.

2.5 If a request does not mention the DPA specifically, it is still a valid request and should be treated as such.

2.6 The applicant has a right to an explanation of any terms in the information that they do not understand.

3. PROCESSING OF SUBJECT ACCESS REQUESTS

3.1 A request for personal information under the DPA is known as a Subject Access Request (SAR).

3.2 All staff are expected to recognise a request for access to information.

3.3 A SAR must be made in writing. The CCG has a standard form to make it easier for the individual to include all details required; however, use of an in-house form is not legally prescribed. The CCG can invite individuals to use the form but cannot require them to do so.

3.4 An emailed or faxed request is as valid as one sent in hard copy. SARs might also be received via social media such as Facebook and Twitter. These requests are also valid.

3.5 Oral requests should be considered. The CCG does not need to respond to an oral request but, depending on the circumstances, it might be reasonable to do so.

3.6 If a request does not specifically mention the DPA, or specify that it is a SAR, it is still valid and should be treated as such if it is clear that the individual is asking for their own personal data.

3.7 The Information Governance team will process and record all requests for access and disclosure of personal identifiable information. Any request for access to personal information must be forwarded to the Information Governance Team for action. Please Note: This does not include access to staff records; these should be forwarded to the Director of Engagement and Development.

SARs via Social Media

3.8 Individuals may make a request using any Facebook page or Twitter account the CCG has. These must be passed to the Information Governance Team for processing.

3.9 The individual must provide evidence of identity and, as there may be a fee to pay, other information will be required to supplement the request.

3.10 The CCG will not provide the requested personal information via social media, in order to comply with information security requirements. An alternative delivery address must be obtained.

Who can Make a Request

3.11 A request can be made by:

- an individual (for access to information about them);
- a person authorised in writing to make an application on an individual's behalf, i.e. a solicitor;

- where the individual is a child, a person having parental responsibility for the child;
- a person appointed by the court when an individual does not have capacity to manage their own affairs;
- when an individual has died, the individual's personal representative or any person having a claim out of the estate. This is subject to the recorded wishes of the deceased person.

Individuals Living Abroad

3.12 The DPA gives individuals who now reside outside of the UK the right to apply for access to their former UK records. Such a request should be dealt with as someone making an access request from within the UK.

3.13 Original records should not be given to individuals to keep or take outside the UK; however, they are entitled to request a copy which they may take with them.

Denying Access

3.14 An individual has a general right to access information about themselves, under the DPA, held by the CCG. There are limited circumstances in which the CCG may determine that information cannot be provided to an individual who has made a request. These circumstances include:

- in the opinion of the relevant clinical professional, the information to be disclosed would be likely to cause serious harm to the physical or mental health of the applicant or any other person;
- where the record relates to, or has been provided by, an identifiable third party, unless the third party has consented to disclosure;
- the granting of access to an individual's representative would disclose information provided by the individual in the expectation that it would not be disclosed to the person making the request;
- the individual has expressly indicated that such information should not be disclosed to another individual;
- when disclosure may hamper the prevention or detection of serious crime.

4. DEALING WITH REPEATED OR UNREASONABLE REQUESTS

4.1 The DPA does not limit the number of SARs an individual can make. It does, however, allow for some discretion if the requests are made at unreasonable intervals. The DPA states that you do not have to comply with an identical or similar request to one you have already dealt with, unless a reasonable interval has elapsed between the first and subsequent requests.

4.2 If there has been a previous request, and the information has been added to or amended since then, we are required to provide a full response to the requester, not just the information which is new or has been amended.

5. CONSENT

5.1 In most cases the consent to access personal information will be provided by the individual making the request; however, there may be cases where the individual is unable to consent or the individual is a child.

5.2 A request received from an individual's representative must be authorised by the individual.

5.3 If an individual is unable to authorise the release of their information due to a lack of mental capacity, then a person who has been legally appointed to act on their behalf has the right to apply for access to the information of that individual. Such a person should be asked to produce evidence that they hold a lasting power of attorney, or court of protection order, which allows the person to make decisions regarding finances, property and welfare.

5.4 When a request is received from an individual the organisation should ensure that sufficient identity checks are carried out to ensure that the individual is entitled to the records they are requesting.

5.5 There may be occasions when a representative, such as a family member, who does not have an automatic right of access to the records, seeks disclosure. Whilst there is no right for next of kin to review the records of an incapacitated individual, there may be times when it is appropriate. Requests of this nature must be considered on a case by case basis and in conjunction with the Data Protection Officer/Head of Information Governance and the Caldicott Guardian.

Requestor Dies prior to Response being Provided

5.6 If a requestor dies before a response is provided but the SAR was received when the individual was living, the CCG must provide the response to the individual's personal representative. The representative should be contacted prior to completing the response to check if they still require the information.

Access to Children's Personal Identifiable Information

5.7 Legally, young people aged 16 and 17 are regarded as adults for the purposes of consent and the right to confidentiality.

5.8 Children under the age of 16 who have the capacity and understanding to make decisions are also entitled to decide whether personal information may be disclosed. Case law (the Fraser Guidelines, previously known as "Gillick competence") has established that where a child is under 16 but has sufficient understanding to give consent, or refusal, this should be respected. However, good practice dictates that the child should be encouraged to involve parents or those with parental responsibility.

5.9 Parents can make subject access requests on behalf of their children who are too young to make their own request. A young person aged 12 or above is generally considered mature enough to understand what a subject access request is. They can make their own request and would need to provide their consent to allow their parents to make the request for them. Requests of this nature need to be considered on a case by case basis and staff must seek advice from the CCG Safeguarding Children Lead.

5.10 Parental access must not be given, unless it is in the child's best interests to do so, where:

- it conflicts with the child's best interests;
- the information that a child revealed was in the expectation that it would not be disclosed.

5.11 Parental responsibility for a child is defined in the Children Act (1989) as "all the rights, duties and powers, responsibilities and authority which by law a parent of a child has in relation to the child and his property". Parental responsibility can also be acquired by the local authorities if the child is under a care order.

5.12 Establishing parental responsibility (where parents are separated and one of them applies for access to the records) can be complex and staff should always consider whether evidence of parental responsibility is required before information is shared. Where there are any concerns about establishing whether someone has parental responsibility, staff should seek advice from one of the following: the Lead for Safeguarding Children, the Data Protection Officer or the Information Governance Team.

Enduring Power of Attorney

5.13 An enduring power of attorney gives authority where an individual lacks capacity and relates to financial and material management of their affairs; it has been superseded by the Lasting Power of Attorney. Where a request is made by a representative who has Enduring Power of Attorney this requires careful consideration. To refuse the request may cause difficulties for representatives, for example, when they are seeking continuing healthcare funding for an individual.

Lasting Power of Attorney

5.14 Where a request is made by an individual who has Lasting Power of Attorney this should be given due consideration as it may cover health related decisions. A copy of the document must be asked for, ensuring that it has been registered with the Office of the Public Guardian. If a welfare power is not included then careful consideration is required.

6. ACCESS TO AN INDIVIDUAL'S RECORD BY OTHER AGENCIES

6.1 There will be occasions when the organisation receives requests for access to individual records from other agencies. These can include:

- the Coroner;
- Court Order;
- Social Services;
- Parliamentary and Health Service Ombudsman;
- Inland Revenue.

Court Order

6.2 When a request is received accompanied by a court order this should be adhered to unless there is a robust reason to challenge it. Advice must be sought from the Information Governance Team.

Coroner's Office

6.3 Information may be disclosed to the Coroner. If the information is in the form of original records, a form must be signed to transfer responsibility for confidentiality whilst in the possession of the Coroner's office. This form will also act as a receipt for the CCG that the original records are with the Coroner. Copies of the records must be retained by the CCG.

Parliamentary and Health Service Ombudsman

6.4 Requests from the Parliamentary and Health Service Ombudsman need to be complied with. The request for the individual records will be made via the Customer Care team.

By other Agencies

6.5 There will be occasions where the CCG receives requests for access to an individual's information from other agencies. These may include the General Medical Council, Social Services and other NHS organisations or statutory bodies such as the National Health Service Litigation Authority (NHSLA) and Care Quality Commission. All of these requests must be managed through the Information Governance Team.

Police

6.6 The Police do not have an automatic right of access to personal identifiable information; all requests from the Police must be directed to the Information Governance team or the Data Protection Officer.

6.7 Requests for reports without data subject consent must be requested using Section 29 of the Data Protection Act 1998 and be made to the Data Protection Officer.

6.8 Information about an individual may be released to the police without the individual's consent when it is required in connection with Serious Crime (murder, grievous bodily harm, rape and other defined crimes). This must be done in consultation with the Caldicott Guardian, Data Protection Officer or Information Governance team.

6.9 If the request from the police occurs outside of normal working office hours and the disclosure is in connection with a serious crime, then the senior manager on call must be contacted. All efforts must be made to not allow the original information to be taken, and where possible to delay any disclosure until the information can be copied.

7. SHARED RECORDS

7.1 The modernisation and integration of health and social care places a greater emphasis on shared records. When developing an integrated service the CCG will set out arrangements for managing the requirements of the DPA, and Subject Access Requests, with any partners as part of the service reconfiguration or development.

7.2 The following principles will be followed where this is the case. The organisation receiving the subject access request will:

- take responsibility for processing the request;
- have an agreed and documented procedure for complying with such requests;
- seek consent or refusal for the release of the parts of the record in relation to the partner organisation;
- in the event of a refusal to disclose from the partner organisation, explain in the response to the applicant the reason for refusal and refer them to the other partner organisation directly.

7.3 The term shared records does not include records held separately by other authorities/organisations which contain information provided by either organisation to the other.

8. ACCESS TO INFORMATION OF A DECEASED PERSON

8.1 Access to information of a deceased person is governed by the Access to Health Records Act (1990). Under this legislation, when an individual has died, their personal representative, executor, administrator or anyone having a claim resulting from the death has the right to apply for access to the deceased's information.

8.2 The personal representative is the only person who has an unqualified right of access to a deceased individual's information and need give no reason for applying for access. Individuals other than the personal representative have a legal right of access under the Act only where they can establish a claim arising from an individual's death.

8.3 There may be circumstances where individuals who do not have a statutory right of access request access to a deceased person's record. The duty of confidentiality continues beyond death; therefore, when requests of this nature are received they must be considered on a case-by-case basis. Staff should contact the Data Protection Officer or Information Governance team for advice.

8.4 The Information Governance team must satisfy themselves as to the identity of applicants. Where an application is being made on the basis of a claim arising from the deceased's death, applicants must provide evidence to support their claim. Personal representatives will also need to provide evidence of identity.

8.5 No access should be granted to the applicant if the deceased person gave the information in the expectation that it would not be passed on to the applicant.

9. MENTAL HEALTH TRIBUNALS

9.1 Requests for access to records are received in preparation for mental health review tribunals. These requests have to be dealt with urgently.

10. MENTAL CAPACITY ACT

10.1 In cases where a person is without capacity and does not have a relative or other non-paid carer, an Independent Mental Capacity Advocate (IMCA) can be appointed to act on the person's behalf.

10.2 The IMCA has a statutory duty, under Section 35 of the Mental Capacity Act 2005, to provide support and advice in regards to the individual's affairs including health and welfare decisions. As a result the IMCA may need to view or take copies of relevant records of the individual they are representing.

11. STAFF RECORDS

11.1 Staff have the right of access to their information held/used by the CCG. All requests should be made to the Director of Engagement and Development.

12. PERMISSION TO RELEASE

12.1 Under the Data Protection Act 1998, prior to any record being released, the appropriate professional must be consulted. When one or more professionals have been involved in the record, the professional who is most suitable to advise should be consulted.

12.2 Where records belonging to other organisations are contained within an individual's record, for example, when records have been collated for a Continuing Health Care file, permission should be sought from that organisation prior to records being released.

13. FEES

13.1 Under the Data Protection Act 1998 (Fees and Miscellaneous Provisions) Regulations 2001, the maximum fee that can be charged to individuals, or to representatives acting on their behalf (e.g. a solicitor), for providing copies of personal identifiable information is £10 for computer records and £50 for copies of manual records (or a mixture of manual and computer records).

13.2 Under the same Regulations, an individual can be charged to view their record. Viewing of records can be arranged through the Information Governance team. A £10 administration fee is levied. If an individual views their records and subsequently requests copies, the £10 viewing fee is included in the £50 fee.

13.3 Maximum charges under the DPA include postage and packaging costs and are intended to cover the reasonable administrative costs of disclosure. This includes the cost of Special Delivery to ensure secure delivery of records.

13.4 Charges for access requests should not be made for financial gain.

13.5 An exemption from charging applies when the record has been added to within the last 40 days, but only when all of the following hold: the records are held manually; the individual wishes to view them in person; and no copy is required.

13.6 Under the AHR a fee of £10 may be charged for access to the records. An additional fee may be charged for copying and posting the records. There is no limit on this charge, but it should not result in a profit for the record holder. The CCG charges £10 plus 30p per side copied, and this includes the cost of Special Delivery to ensure secure delivery of records.

13.7 Requesters will be advised of the estimated cost of reproducing the records before any work is carried out. A full list of charges and exemptions is given at the end of this guidance.

14. TIMESCALES

14.1 The Data Protection Act 1998 requires requests to be complied with within 40 calendar days. In exceptional circumstances, if it is not possible to comply within this period, the applicant should be informed.

14.2 The 40 calendar day period does not start until the written request and payment have been received in full and the identity or authority of the person making the request has been validated. In exceptional circumstances these timescales can be extended by mutual agreement of both parties.

15. RECORDING THE REQUEST

15.1 All requests to access an individual's record should be logged with the Information Governance Team so that an audit trail can be established and the procedure audited. The log should contain, as a minimum: the date the request was received; the dates the fee was requested and received; the 40-day deadline date; and the date of completion of the request.

16. CONFIRMING IDENTITY

16.1 Once a request has been made (or consent has been obtained where appropriate), due consideration must be given to the information submitted to confirm the identity of the individual, e.g. full and previous names, date of birth, current and previous addresses etc.

16.2 To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, the CCG needs to be satisfied as to the identity of the requester.

16.3 To confirm the identity of the individual or applicant, evidence of identity should be requested. This could include a copy of a passport, driving licence, birth certificate, paid utility bill or any document that might reasonably be only in their possession. You can ask for enough information to judge whether the person making the request is the individual to whom the personal data relates, but the request must be reasonable. If the identity of the person making the request is obvious you should not request excessive information. The level of checks carried out should depend upon the possible harm and distress that inappropriate release of information would cause.

16.4 If the requester is applying for records on behalf of an individual they will need to provide proof of their own identity (as above) and must also include the individual's written authorisation for access to their records.

16.5 If the requester is applying for the records of a deceased individual they must include proof of their own identity together with proof of a court appointment as personal representative.

17. ELECTRONIC RECORDS

17.1 In most cases, information stored in electronic format can easily be retrieved. Information removed from the live system is likely to have been archived, copied to back-up files, or deleted.

Archived Information and Back-up Records

17.2 If copies of electronic data have been retained in this format then the information requested in an SAR has to be located. You are entitled to ask a requester to provide enough context about their request to enable you to conduct a targeted search.

Information Contained in Emails

17.3 The content of emails stored on an electronic system is a form of electronic record. The contents of an email should not be regarded as deleted merely because it has been moved to a person's Deleted Items folder. If emails have been archived the right of subject access still applies. Subject to certain exemptions, access must be provided to all personal data held, even if it is difficult to find.

18. DELETED INFORMATION

18.1 Information is deleted when it is permanently discarded with no intention of ever trying to access it again. Organisations are not required to expend time and effort recreating information that they have deleted as part of their general records management process. Information should not be knowingly deleted once an SAR has been received.

19. CORRECTING A RECORD

19.1 If, after accessing the requested information, the individual feels that the information recorded is incorrect, they should be advised to discuss the situation with the relevant professional in an attempt to have the record amended. If the matter is not resolved they should be advised of the current complaints policy and procedure as outlined in the CCG's Complaints Policy.

19.2 The CCG suggests, in line with good practice, that the individual is allowed to include a statement in their record stating that they disagree with specific parts of the record. The individual could seek further advice from the Information Commissioner (ICO), who may rule that any erroneous information be rectified, blocked, erased or destroyed, or the individual could seek independent legal advice to pursue their complaint. The ICO's office address is Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

20. SENDING INFORMATION

20.1 Copies of the requested information are to be sent by Special Delivery. The package will be marked "Private and Confidential" and "To be opened by addressee only". This preserves confidentiality, and the package is signed for on delivery and is trackable by the Post Office.

21. MAKING REASONABLE ADJUSTMENTS FOR DISABLED PEOPLE

21.1 Some disabled people find it difficult to communicate in writing and may have difficulty in making a SAR. The CCG will make reasonable adjustments for such a person if they wish to make a SAR. This could include:
- accepting a verbal request;
- documenting the request in an accessible format and sending it to the disabled person to confirm the details of the request.

21.2 The CCG will respond to the request in a format which is accessible to the disabled person.

22. FREEDOM OF INFORMATION

22.1 The Freedom of Information Act 2000 is not intended to allow individuals to gain access to personal data held about themselves or others. Requests for personal data must be made under the Data Protection Act 1998.

LIST OF CHARGES AND EXEMPTIONS RELATING TO THE DISCLOSURE OF PERSONAL INFORMATION

1. INFORMATION DISCLOSED UNDER THE DATA PROTECTION ACT 1998

Paper Records

1.1 A charge of £50 will be made in respect of each request for disclosing copies of personal information held in a paper format. Package and posting is included in this charge.

Audio/Visual Recordings

1.2 A maximum charge of £50 will be made for a request containing multiple pieces of media. This includes package and posting. A minimum charge of £25 will be made for a single copy of media. This does not include package and posting.

1.3 If a request for this type of record is made at the same time as a request for the paper record, it will be included in the same £50 charge.

Photographs

1.4 A maximum charge of £50 will be made for multiple copies of photographs. A minimum charge of £25 will be made for a single copy of a photograph. This includes package and posting. If a request for this type of record is made at the same time as a request for the paper record, it will be included in the same £50 charge.

Automated Personal Information

1.5 A charge of £10 will be made for any electronically produced records. This does not include package and posting. If a request for this type of record is made at the same time as a request for the paper record, it will be included in the same £50 charge, which includes package and posting.

2. INFORMATION DISCLOSED UNDER THE ACCESS TO HEALTH RECORDS ACT

2.1 Disclosure of these records relates specifically to deceased individuals.

2.2 A charge of £10 will be made in respect of each request made, unless an entry has been made in the record in the 40 days prior to the request. There will also be a charge of 30p per side of information copied. Package and posting is not included in these charges. Where package and posting is charged separately, the charge will depend on the weight of the information being sent.

3. VIEWING OF RECORDS

3.1 A charge of £10 will be made to view information, to cover administrative arrangements. If, following the viewing, the requester decides that they want a full copy of their information, the full charge of £50 will be made. If individual copies are required they will be charged at 30p per side copied.

4. REDUCED CHARGES

4.1 In those cases where applicants claim financial hardship and are unable to pay the full amount, the matter should be referred to the Head of Corporate Governance or the Corporate Governance Manager. Either has the sole discretion to waive the charge or agree a reduced sum.

4.2 The decision to waive or reduce the charge should be based upon an assessment of the applicant's financial status, and evidence of this may be asked for. This may be:
- an Awards Letter for people claiming Income Support;
- an Awards Letter for people claiming Guaranteed Pension Credits;
- an Awards Letter for people claiming Job Seekers Allowance;
- a white card for people who hold an NHS Exemption Certificate;
- an Awards Certificate for people holding an HC2 or HC3 Certificate.

4.3 The Head of Information Governance and Customer Care or the Information Governance and Customer Care Manager have the discretion to waive charges in exceptional circumstances of sensitivity.

APPENDIX J.1 PROCEDURE FOR MANAGING SUBJECT ACCESS REQUESTS

1. PROCESS

1.1 Date stamp the request.

1.2 If the request is being made by the individual's representative, is the individual's consent attached? If so:
- check that the wording of the consent agrees with what the representative/solicitor has requested;
- does it contain sufficient information to identify the individual?
- is it current, i.e. signed within the last 3 months?

1.3 If no consent is attached, request it immediately from the representative/solicitor.

1.4 Does the letter mention any intention of litigation? If so, refer immediately to the Head of Information Governance and Customer Care.

1.5 If the individual has requested access in writing, forward a consent form for completion with a covering letter. This will enable you to identify the parts of the record required. Please note: the 40-day time period begins on receipt of the written request.

1.6 Log the request.

1.7 Send an acknowledgement letter to the requester.

1.8 Check with the appropriate departments to determine whether any notes are held. Request that copies or the original notes are forwarded for copying.

1.9 Write to the applicant and request the fee. The timescale stops whilst waiting for the fee. Remember the 21-day / maximum 40-day requirement. If the request will take longer than 40 days, an explanation of the delay should be given to the applicant. Advise the Information Governance Office in case of a future complaint.

1.10 Ensure the notes are checked by the health professional or appropriate person for any third-party references or information that may cause harm to the health or condition of an individual if released.

1.11 Prepare a closure letter to be sent with the copy records, and include an acknowledgement slip.

1.12 Ensure the notes are sent by Special Delivery.

2. VIEWING OF NOTES

2.1 If an individual wishes to view the notes, make an appointment. The appointment needs to be supervised by a health professional or administrator.

3. NO FEE

3.1 If no fee is received within 6 weeks, write to the applicant to establish whether they intend to proceed. If they are no longer proceeding, destroy the copy notes and record the date in the log.

4. COMPLETION

4.1 Await the acknowledgement slip confirming receipt of the records. Chase if it is not received within 2 weeks.

4.2 File separately with other SARs and not with any other personal records.

APPENDIX K GUIDANCE ON THE MANAGEMENT OF RECORDS

1. RESPONSIBILITIES

1.1 All staff who create, receive and use records have records management responsibilities. Members of staff:
- are responsible in law for any records they create and use;
- must be aware that any records they create are not their personal property, but belong to the CCG.

2. TYPES OF RECORDS

2.1 Paper records:
- ensure that paper records are kept secure; active records should be kept in secure areas (i.e. specific records libraries, lockable filing cabinets etc.), making sure they are only accessible to authorised personnel on a need-to-know basis;
- keep records for at least the minimum length of time stipulated in the document issued by the Department of Health, Records Management: NHS Code of Practice;
- ensure that records can be accessed when required;
- make sure that records scheduled for destruction are disposed of securely.

2.2 Electronic records:
- inform the Data Protection Officer of all new and existing record systems so that electronic records can be kept secure;
- be aware of the vulnerability of using floppy disks and CDs for the exclusive long-term storage of permanent records;
- ensure that electronic records are kept for the same length of time as their paper or hard-copy counterparts, and that records are retained for at least the minimum length of time stipulated in the document issued by the Department of Health, Records Management: NHS Code of Practice;
- maintain appropriate security levels for accessing information;
- protect confidential information;
- ensure that records scheduled for destruction are disposed of securely.

3. STANDARDS AND PRACTICE

Creation of Records

3.1 Adequate records must be created where there is a need to be accountable for decisions, actions, outcomes or processes. Generally the CCG creates and accumulates records as part of the business process, for example the minutes of Governing Body meetings, payment of accounts and appraisal of staff members.

3.2 Records must be created accurately, legibly, contemporaneously and in an agreed format. They must be free from subjective information and support the purpose for which they were created. Staff should assume that their records will be scrutinised at some point.

3.3 For all records kept which identify individuals, the CCG should ensure that the procedures and safeguards put in place satisfy the rights of the data subjects and that the manner in which the records are kept and shared complies with Information Governance, the Data Protection Act 1998 and the Caldicott Principles.

3.4 All staff should follow the Records Management Policy and local procedures in the discharge of their duties.

3.5 When creating a record, the record should be full and accurate to the extent necessary to:
- provide evidence that a transaction occurred;
- prove that policies, procedures and rules have been followed;
- inform colleagues and successors;
- provide sufficient detail of the actions which have occurred, what was decided, when it occurred, who was involved and the sequence of actions;
- enable proper scrutiny of the conduct of the CCG by anyone authorised to undertake such scrutiny, for example the Health Care Commission;
- protect the confidentiality, financial, legal and other rights of the CCG, its patients, its staff and any other people affected by its actions and decisions;
- respond to a request for information under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004;
- respond to a request for information under the Data Protection Act 1998;
- respond to a request for information under the Access to Health Records Act 1990.

4. MANAGEMENT OF RECORDS

Electronic Records

4.1 As part of our work we all create information, data, documents and records, and we also need to share information with others.

Naming folders, files and documents

4.2 Naming conventions are standard rules to be used for naming both documents and electronic folders, and are used to make it easier to find documents. Corporate standards must be followed in the naming of record files and folders. It is unacceptable for any document to leave the organisation without having either a logical file name or a format for presentation that shows the CCG as the owner of the document.

4.3 This corporate approach to the naming of electronic files will ensure that current and future staff are able to create, update and search for files much more easily than under the current system.

Version numbers

4.4 Where the record is likely to be replaced in the future by a new version, a version number should be included both in the filename and in the document itself (usually via a template). The format to be used is v1, v2, etc.

4.5 The key objective with version numbers is that the most current version is obvious and that there is an audit trail of previous versions.

Structuring folders and files

4.6 A well thought out structure of folders (also known as directories or classification schemes) for filing documents is a key element of efficient electronic record keeping.

4.7 Folder titles should be clear and concise and adequately describe the contents.

4.8 Access to folders can be set up with varying degrees of permissions and controls, depending on the nature of the contents and who requires access.

4.9 If possible the filing structure should reflect the way in which paper corporate records are filed, to ensure consistency. However, if it is not possible to do this, the names allocated to files and folders should allow intuitive filing. Filing corporate records to local drives on PCs and laptops is not an acceptable practice.

Paper Records

4.10 Where documents are kept as hard-copy files, the filing structure and naming of the files should follow the same principles as described for the management of electronic files. All records should be arranged in a record-keeping system that will enable the CCG to obtain the maximum benefit from the quick and easy retrieval of information.

4.11 Groups of paper documents which relate to the same subject must be placed in date order into a file. All the papers must be fixed, with no loose sheets. On the cover of the file must be written the full details of the subject, the years the documents relate to, and a team name as it appears in the organisational chart. Where there are too many papers for a single file, additional volumes are to be created and numbered by volume, with exactly the same folder title.

4.12 If the paper file corresponds to electronic records, and the two sets of records must be viewed together, a link must be established by writing the file path on the cover of the file. If practical, the electronic records, including emails, can be printed off and placed in the folder. The electronic record should then be destroyed and a note made on the folder name that it has been printed to paper.

4.13 Paper records should be:
- factual, consistent and accurate;
- written clearly and in such a way that the text cannot be erased;
- written in such a way that any alterations or additions are dated, timed and signed, with the original entry still clearly readable;
- accurately dated and signed;
- readable on any photocopies;
- if hand written, in black pen (not ink, which can run) on white paper; other coloured pens and paper can be used providing the combination of pen and paper produces a legible and permanent record;
- free of correction fluid.

5. STORAGE AND SECURITY OF RECORDS

Storing Paper Records

5.1 The CCG creates and stores a diverse range of records across a wide geographical area, with no centralised management of all records. Off-site storage can be accessed for inactive records.

5.2 When a record is in constant or regular use, or is likely to be needed quickly, it should be stored within the business unit responsible for the related work. Storage facilities for current records will usually be local to the work area of the user, i.e. desk drawers, filing cabinets and cupboards, to enable information to be appropriately filed and easily retrieved when required.

5.3 Each area must have a robust system for storing records, including locked metal filing cabinets or secure storerooms away from direct public access. Metal filing cabinets should be locked whenever a room is left vacant; keys to the cabinets must be kept secure and should never be left in the lock or visible in the room when it is unoccupied. Ideally the keys should be secured in a locked drawer or key cabinet.

5.4 Keys to rooms and areas where records are stored or archived must be controlled and the names of key holders recorded, or a system of daily issue of keys implemented. Records should never be left unsecured in an unmanned area. In areas where keypad controls are used, a record should be maintained of those with access to the area.

5.5 When identifying storage systems for paper records the following should be taken into account:
- Health and Safety regulations, including ergonomics;
- security, i.e. lockable filing cabinets for confidential information;
- user requirements;
- type of records being stored;
- size and quantity;
- usage and frequency of retrievals;
- suitability, space efficiency and price.

5.6 Whenever a record is removed from the filing system, except where this is to make an immediate entry and return the record to the filing system, it should be tracked using an electronic tracking system or a tracer card placed in the location the record was removed from.

5.7 Where practicable, entry controls should protect buildings and designated service areas from unauthorised visitors, especially in areas where records are kept. It is essential that the need for security is balanced with the need for accessibility of records.

5.8 Visible identity badges must be worn by staff at all times, and systems should be in place to identify and report any strangers or unauthorised personnel seen in secure areas. It is the responsibility of every member of staff to challenge people without identification and to report untoward incidents at the earliest opportunity.

5.9 Off-site storage is available for less frequently required materials.

5.10 Some records may not be required for use but have been identified for permanent preservation.

5.11 Particular attention is required when storing data electronically and on a computer. Sensitive data, and in particular person identifiable information, should not be stored on a personal computer's hard disk drive, especially on portable or laptop computers. All such information should be maintained on the CCG servers. Where information is stored in this manner, relevant levels of access must be created in line with the Data Protection Act 1998 and the Information Security Policy.

5.12 Staff should not normally take staff/person identifiable information or CCG sensitive information outside of the normal working environment, e.g. home. Where this cannot be avoided, procedures should be in place to safeguard that information effectively. This includes the safe disposal of any confidential waste: in such circumstances the information should be brought back to the CCG for secure disposal in the confidential waste bins/bags.

Storing Non-Paper Records

5.13 When choosing the appropriate methods for storage (e.g. scanning), consideration should be given to:
- minimising storage costs of materials which would otherwise face destruction;
- making copies available for others to use (such as for research) whilst safeguarding the original;
- reducing the storage space occupied by low-activity paper records;
- the provisions of the Data Protection Act 1998 on the registration of records and restriction of disclosure, which apply to microfilmed records as well as to other personal records.

Storage of Audio and Visual Records

5.14 Visual records assembled by staff in the course of working within the NHS should be regarded as Public Records and include the following:
- artistic images: still photographs, prints, slides, transparencies, electronically readable images and x-rays;
- moving images: video or film;
- tapes and voicemail.

5.15 The teaching and historical value of images should be considered prior to destruction, and they may be permanently preserved (seek the advice of local archivists). Photographs may be copied in cases where the original is deteriorating. The provisions of the Data Protection Act 1998 on the registration of records and restriction of disclosure apply to photographs of identifiable individuals as well as to other personal records.

5.16 As with other record types, visual records that are archived or stored must be logged so that they are retrievable if necessary.

APPENDIX K PROCEDURE FOR THE MANAGEMENT OF RECORDS

1. TRACKING OF RECORDS

1.1 If appropriate, a tracking system will be in place. As a minimum it should include:
- the item reference number or other identifier;
- a description of the item;
- the person/department to whom it is being sent;
- the date of the transfer.

2. REGISTRATION OF RECORD COLLECTIONS

2.1 The CCG will establish and maintain mechanisms through which departments and other units can register the records they are maintaining. The inventory of record collections will facilitate:
- the classification of records into series; and
- the recording of the responsibility of individuals creating records.

2.2 The register will be reviewed annually.

Inventory of Corporate Records

2.3 The Information Governance team will undertake an inventory of corporate records for the CCG, in order to establish the type of records it currently has, the form in which they are held and the record-keeping systems currently in use.

2.4 The inventory of record collections will enable the CCG to:
- ensure corporate record retention periods are in line with the Records Management: NHS Code of Practice;
- identify the location of records in order to assist the CCG in responding promptly to FOI requests for information;
- determine the use made of each category of corporate record;
- determine whether duplicate records exist;
- determine whether it is necessary to retain the record;
- assess current and future records storage requirements;
- identify record creation and disposal concerns;

- identify the department responsible for the creation, use and management of each record collection;
- create an information asset register;
- identify any information security concerns.

2.5 The inventory will be managed by the Information Governance team and will be reviewed annually.

3. RETENTION AND DISPOSAL SCHEDULES

Retention Period

3.1 It is a requirement that all of the CCG's records are retained for a minimum period of time for legal, operational, research and safety reasons. The length of time for retaining records will depend on the type of record and its importance to the CCG's business functions.

3.2 The CCG has adopted the retention periods set out in the Records Management: NHS Code of Practice. This is available on the CCG intranet. Retention periods will be calculated from the end of the calendar or accounting year following the last entry in the record (e.g. manual file, computer record), depending on the record.

3.3 Any new retention periods that are required to be added to the schedule must be proposed to the Information Governance Group. Once agreed, they will be added to the retention schedule.

3.4 Records selected for permanent preservation and no longer in use by the CCG should be transferred as soon as possible to adequate storage and/or public access facilities. For further information regarding permanent preservation please contact the Information Governance team.

3.5 Records not selected for permanent preservation and which have reached the end of their administrative life should be destroyed in a manner as secure as is necessary for the type of information the record holds.

3.6 If a record due for destruction is known to be the subject of a request for information, destruction must be delayed until disclosure has taken place or, if the CCG has decided not to disclose the information, until the complaint and appeal provisions of the Data Protection Act or Freedom of Information Act have been exhausted.

Disposal of Paper Records

3.7 Confidential waste bins/bags are provided in all work areas for staff to use. Staff and contractors must ensure that any material containing confidential or sensitive information, or details of corporate business information which is deemed private, is disposed of in the confidential waste bins/bags.

Disposal of Electronic Records

3.8 When deleting electronic records, special precautions should be taken to ensure that electronic storage media containing confidential material, or information that may infringe upon personal or business privacy, is electronically wiped clean or physically destroyed.

3.9 Deleting records in some programs does not actually remove the information. Most operating systems do not erase deleted information from hard disks; they remove the file names from the directory and only eventually write over the unwanted information.

3.10 Hard disks from computers must be wiped, not merely reformatted, before the computers are disposed of or re-issued: a format rewrites the file system structures but, for the reason given in 3.9, leaves the underlying data recoverable. The only time a re-issued computer is not wiped is when a staff member is taking over a job role that requires access to the information recorded by the previous staff member in order to carry out that role (this arrangement must be agreed by the Manager and the IT department).

3.11 It is the responsibility of all staff and contractors who are leaving their employment, or whose contract with the CCG is ending, to ensure that any non-business information stored on the computer is deleted before their employment or contract terminates. If staff and contractors are unsure of the procedure for the disposal or deletion of electronic storage or files, advice must be sought from the IT department.
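The point in 3.8 and 3.9 (an unlinked file is not a wiped file) is easy to get wrong in practice. The following is an added example, not a tool the CCG or this policy provides: it overwrites a file's existing blocks with random data, forces the write to disk, renames the file to a meaningless name so the original filename does not linger in the directory either, and only then unlinks it. The record contents are constructed test data. The caveat in the comments matters: overwrite-in-place is only meaningful on media that rewrite in place; for SSDs, copy-on-write or journaling file systems, snapshots and backups, the policy's own alternatives in 3.8 (encryption with key destruction, vendor secure-erase, or physical destruction) are the reliable route.

```python
"""Overwrite-then-delete for a single file (added example; not part of the
CCG's own procedures or tooling)."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB chunks so large files never sit in memory
# Constructed test content standing in for a record; not real data.
RECORD_LINE = b"NHS number 999 999 9999 - constructed test data\n"


def wipe_file(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` with random data `passes` times, flush it
    to disk, rename the file to a random name and unlink it. Returns the number
    of bytes overwritten per pass.

    Caveat: only effective where the medium rewrites blocks in place (spinning
    disks). On SSDs (wear levelling), copy-on-write or journaling file systems,
    and wherever snapshots or backups exist, the old blocks may survive; there
    the answer is full-disk encryption with key destruction, the vendor's
    secure-erase command, or physical destruction, as 3.8 requires."""
    size = os.path.getsize(path)
    # "r+b" opens without truncation so the file's existing blocks are rewritten
    # rather than new blocks being allocated.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite past the OS page cache
    # Rename before unlinking so the original name is not left in the directory.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.unlink(anon)
    return size


def demo() -> dict:
    """Create a constructed record in a temporary directory, wipe it, and report
    what is left behind."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "patient_record.txt")
    with open(path, "wb") as fh:
        fh.write(RECORD_LINE * 200)
    overwritten = wipe_file(path, passes=2)
    result = {
        "bytes_overwritten": overwritten,
        "still_exists": os.path.exists(path),
        "dir_entries": os.listdir(d),
    }
    os.rmdir(d)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it as a script and the report shows the file gone and the directory empty; the interesting number is `bytes_overwritten`, which is the amount of on-disk content that was actually replaced before the unlink, as opposed to an ordinary delete, which replaces none of it.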

APPENDIX L GUIDANCE ON DATA QUALITY

1. DATA QUALITY

1.1 To ensure an organisation achieves data quality, it must set out how:
- data is collected and co-ordinated;
- data is transferred between systems;
- data is organised;
- data is analysed;
- data is interpreted;
- conclusions and results drawn from the data are validated.

1.2 The following principles are used in the assessment of data quality:
- Accuracy: is the data correct and is it valid?
- Accessibility: can the data be readily and legally collected?
- Comprehensiveness: is the relevant data collected, and are any data omissions (whether intentional or otherwise known) documented?
- Consistency: are clear and accurate data definitions implemented and adhered to? Do the data definitions define what level of detail is collected?
- Validity: is the data up to date?

2. GENERAL PRINCIPLES

2.1 Several overarching principles underpin the approach to data quality.

2.2 All staff will conform to legal and statutory requirements and recognised good practice, aim to be significantly above average on in-house data quality indicators, and strive towards 100% accuracy across all information systems.

2.3 All data collection, manipulation and reporting processes by the CCG will be covered by clear procedures which are easily available to all relevant staff, and regularly reviewed and updated.

2.4 All staff should be aware of the importance of good data quality and their contribution to achieving it, and should receive appropriate training in relation to the data quality aspects of their work.

2.5 Teams should have comprehensive procedures in place for identifying and correcting data errors, so that information is accurate and reliable at the time of use.

3. DATA QUALITY STANDARDS

3.1 Although there are many aspects of good quality data, the key indicators are generally:
- validity: all data items held on the CCG's computer systems must be valid. Where codes are used, these will comply with national standards and, wherever possible, computer systems will be programmed to only accept valid entries;
- at data input: data accuracy is the direct responsibility of the person inputting the data, supported by their line manager. Systems will include validation processes at data input to check in full or in part the acceptability of the data wherever possible. Depending on the system, later validation may be necessary to maintain referential integrity;
- completeness: all mandatory data items within a dataset should be completed. Default codes will only be used where appropriate, and not as a substitute for real data;
- consistency: correct procedures are essential to complete data capture;
- coverage: this reflects all information that is owned by the CCG, including paper and computerised records;
- accuracy: data recorded manually and on computer systems must be accurate;
- relevance: information should be contextually appropriate.

4. VALIDATION METHODS

4.1 Various methods will be used to accomplish validation of data.

4.2 On submission of data returns, procedures will exist to ensure the completeness and validity of the data sets used. This can be done by comparing to historical data sets, looking at trends in the data and also by cross-checking the data with other staff members.

4.3 Regular spot checks by staff members, which involve analysis of a random selection of records against source material if available. Spot checks should be done on an ongoing basis (at least quarterly) to ensure the continuation of data quality.

4.4 The CCG will endeavour to ensure that timescales for submission of information are adhered to, and that the quality and accuracy of such submissions is of the highest standard. Internal deadlines for the completion of data sets, to ensure national timescales are achieved, will be explicit and monitored.

4.5 The CCG routinely receives activity information from its service providers. This information is used to monitor the performance of contracts and to contribute to the service planning and development process. Sufficient and appropriate checks are made by the service providers to ensure that the information received is accurate and complete. Where data falls outside anticipated ranges, a more detailed evaluation and validation is undertaken.

4.6 The CCG conducts regular monthly meetings with local Trusts to ensure that any data discrepancies are picked up and any corrections are made as required.

5. DATA SET CHANGE NOTICES (DSCN)

5.1 Data Set Change Notices are issued by NHS Connecting for Health.

5.2 These give notification to NHS healthcare agencies of changes to information requirements and will be included as appropriate in the NHS Data Dictionary and Manual and the NHS Commissioning Data Set Manual, thereby ensuring that data is meaningful across NHS organisations over time.

5.3 Data Set Change Notices may be accessed via the following web address:

APPENDIX M GUIDANCE ON PASSWORDS

1. PASSWORD CONTROL FOR INFORMATION ASSETS

1.1 Access to electronic information assets will be managed through the use of protocols for allocating and controlling access, secure logins and passwords.

1.2 The CCG will follow the Department of Health User Guide to Passwords set out below.

2. DEPARTMENT OF HEALTH USER GUIDE TO PASSWORDS

Initial password

2.1 All network user accounts must have a user ID and password. The password is used to authenticate the identity of the person using an account as the authorised user. It also prevents misuse by unauthorised users. The IT Department will issue all new users to the network with a temporary password. You will have to change this password when you log on to the system for the first time.

Don't share your password with others

2.2 Giving someone your password allows them to use your identity on the network. You will get blamed for any misuse if someone has logged in using your ID. It is your responsibility to ensure you do not share your password.

2.3 Films and television programmes tend to show hackers using sophisticated electronic equipment to find people's passwords (see below). However, these methods are generally used to guess file passwords.

2.4 Unauthorised users such as hackers will normally find out what your user password is by asking you. The jargon for this is "human" or "social engineering". A favourite ploy is to use an internal telephone, pose as a member of the IT department, suggest there are network problems and ask for your password so they can test the system.

2.5 Remember, an authorised IT system or system supervisor can gain access to your account (when authorised) without needing to know your password. If anyone phones for your password, find out who they are, why they want it, refuse to give it and contact the IT department as soon as possible.

Make passwords hard to guess

2.6 Passwords based on personal information such as your account name, your first or last name, your initials etc. are extremely easy to guess and should never be used. Spelling a name backwards, nicknames, pets' names, your birthday, the name of the place you live or your hobby are all typical forms of password that are easily guessed, so don't use them. People also use words such as "guest", "password" and "secret". Again, don't use them. They are examples of bad passwords and leave your account open to unauthorised access.

2.7 Hackers use password-cracking tools that incorporate extensive word and name dictionaries (in various languages). For that reason you should never choose dictionary words or names. The cracking tools will also check for simple tricks like words spelled backwards or simple substitution of certain characters (e.g. "password" becomes "pa55w0rd").

2.8 The best passwords are those based on pass phrases and/or non-dictionary words (including nonsense words), combined with obscure character substitutions. These can be extremely difficult to either guess or crack. Passwords that use numbers and letters are referred to as alphanumeric and must be used for the network.

2.9 An example of a good password, O1u9a6t4, is a combination of the phrase "Once upon a time" (based on the first letter of each word) and the year I started school (helping me to remember a series of numbers). Note that the letters and numbers are interspersed. Always choose something that relates to you so that you can remember it. Further examples of good and bad passwords are included at the end of this guide.

2.10 Remember that passwords are case sensitive. Check the Caps Lock key before typing a new password. Passwords with upper case (CAPITAL) letters are not the same as ones with lower case letters. For example, O1U9A6T4 and o1u9a6t4: if you originally typed the former you will not be able to use the latter.

Password size

2.11 Using the maximum number of characters greatly increases the complexity of guessing or cracking passwords. You must use passwords that are at least six characters long.

Change passwords regularly

2.12 A regular password change is necessary, since it prevents misuse of your account without your knowledge if your password was somehow accidentally (or deliberately) disclosed.

2.13 The network is set up with forced periodic password changes. Under this system you will have to change your password after a given amount of time. You will not be able to use a password you have used previously. Note that you do not have to wait until you are forced to change your password. You can change it if you think it has been compromised or as often as you like. The IT department may also tell you to change your password if there has been a general security alert.

Use different passwords for different systems and applications

2.14 If your password is compromised on one system, using different passwords on different systems will help prevent intruders from gaining access to your accounts and data on other systems. For example, network and system managers should use different passwords for their personal account and their privileged account. If the personal account password is accidentally revealed, the privileged account is still protected. Similarly, you should use different passwords for your email account and network logons.

2.15 If you do this, make sure one password is not simply a derivative of another. While using multiple passwords increases the difficulty of managing passwords, it results in significant increases in security.

Don't leave passwords where others can find them

2.16 Don't leave your passwords written down in or on your desk or anywhere on or near the computer equipment. If you absolutely must write down your passwords, keep them in a secure, locked place.

2.17 Also, don't leave your passwords where others can find them electronically. Never store them in a text file or send them in an email.

3. EXAMPLES OF GOOD AND BAD PASSWORDS

Bad passwords

3.1 Today: this is just a dictionary word that is easily discovered with hacking software. It is also only five characters long. Passwords should be at least six characters long.

3.2 t1d2y: here the digits 1 and 2 have been substituted for the vowels of the dictionary word "today". Again, hacking software is designed to look for this type of substitution.

3.3 today1!: here there is some attempt to mix letters and numbers. However, adding a number on to the end of a dictionary word poses little problem to hackers.

Good passwords

3.4 t1o9d6a4y or t o(d^a$y: here the word "today" has been used and digits or special characters have been included between each letter. The length of the password also makes it difficult to guess or crack electronically.

3.5 t9o6d4ay or t(o^d$ay: this is even more secure than the previous example since the password begins with a digit or character.

3.6 Other ideas include using a pattern of consonant/vowel/consonant - consonant/vowel/consonant - consonant/vowel/consonant with some extended characters, for example SUN-NUM-FED-S3t. Once you have said this through phonetically in your head a few times these become relatively easy to remember; inclusion of the hyphens makes it even more effective.

3.7 A traditional password pattern is to use a word beginning with a capital, then a number of lowercase letters followed by numbers and extended characters, as shown in 3.3. However, dictionary attacks will look for these patterns and try them early on. Moving the capital letters and numbers around will make the password more secure, so Dorset341! becomes !d3rset41. These passwords can prove more difficult to remember though!

3.8 Using a short sentence is a very effective way of preventing dictionary attack and is even better if mixed with other techniques. An example of this would be IwanTtOGohomE8arly or th1sismyl0ginpassword.
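The rules in 2.6 to 2.12 and the worked examples in section 3 can be enforced when a password is set rather than left to the user. The following Python is an added illustration, not part of the CCG's policy or of any CCG system: it applies the guide's minimum length, the alphanumeric rule, the personal-information rule, and the dictionary checks a cracking tool would make (plain word, word spelled backwards, digit or symbol substitution, word with characters tacked on the end). The word list is a small constructed stand-in for the extensive dictionaries the guide describes, and the user details passed to the personal-information check are constructed, not a real person. Note that the symbol-only variants in 3.4 and 3.5 (t(o^d$ay) contain no digit and so fail the alphanumeric rule of 2.8 as the guide states it.

```python
import re

# Constructed stand-in for the "extensive word and name dictionaries" that the
# guidance says cracking tools carry (2.7). A real check would load a large,
# multi-language list; the words here are only those needed for the examples.
WORDLIST = {"today", "password", "secret", "guest", "dorset", "sunday", "home", "login"}

MIN_LENGTH = 6  # 2.11: at least six characters


def matches_word(fragment: str) -> bool:
    """True if fragment is a dictionary word once every digit or symbol is
    allowed to stand in for any single letter, which catches the simple
    substitutions of 2.7 and 3.2 ("pa55w0rd", "t1d2y")."""
    if not any(ch.isalpha() for ch in fragment):
        return False
    pattern = "".join(ch if ch.isalpha() else "." for ch in fragment)
    return any(re.fullmatch(pattern, word) for word in WORDLIST)


def word_trick(fragment: str):
    """Name the dictionary trick a fragment uses, or None if it uses none."""
    if matches_word(fragment):
        return "dictionary word (allowing digit/symbol substitution)"
    if matches_word(fragment[::-1]):
        return "dictionary word spelled backwards"
    return None


def dictionary_hit(candidate: str):
    """Check the whole password, then the password with trailing digits and
    symbols removed (3.3: "adding a number on to the end of a dictionary word
    poses little problem to hackers")."""
    low = candidate.lower()
    hit = word_trick(low)
    if hit:
        return hit
    core = re.sub(r"[^a-z]+$", "", low)
    if core != low:
        hit = word_trick(core)
        if hit:
            return hit + ", with characters appended"
    return None


def personal_hit(candidate: str, personal):
    """2.6: reject passwords containing the user's account name, names, birth
    year or similar, forwards or spelled backwards. Items shorter than three
    characters (initials) are skipped; the length rule covers those."""
    low = candidate.lower()
    for item in personal:
        item = item.lower()
        if len(item) < 3:
            continue
        if item in low:
            return item
        if item[::-1] in low:
            return item + " (reversed)"
    return None


def check_password(candidate: str, personal=()) -> list:
    """Return the list of guidance rules the candidate breaks; an empty list
    means the password is acceptable under the rules implemented here."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # 2.8: alphanumeric means both letters and digits are present.
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        reasons.append("not alphanumeric (needs both letters and digits)")
    hit = personal_hit(candidate, personal)
    if hit:
        reasons.append("based on personal information: " + hit)
    hit = dictionary_hit(candidate)
    if hit:
        reasons.append(hit)
    return reasons


if __name__ == "__main__":
    # The guide's own examples: the bad ones should fail, the good ones pass.
    for pw in ["Today", "t1d2y", "today1!", "pa55w0rd", "Dorset341!",
               "t1o9d6a4y", "!d3rset41", "SUN-NUM-FED-S3t", "th1sismyl0ginpassword"]:
        print(pw, "->", check_password(pw) or "acceptable")
    # Constructed user details (not a real person) to show the personal-information rule.
    print("senoj1984 ->", check_password("senoj1984", ("pjones", "Pat", "Jones", "1984")))
```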

APPENDIX N GUIDANCE ON THE TRANSMISSION OF INFORMATION BY EMAIL

1. WHEN TO USE EMAIL

1.1 Email is not always the best way to communicate information, as messages can be misunderstood and the volume of messages people receive can be prohibitive to receiving a meaningful reply as a result of overload.

1.2 It is the responsibility of the person sending an email message to decide whether email is the most appropriate method to communicate the information.

1.3 The decision to send an email should be based on a number of factors including:
- the subject of the message: email messages can constitute a formal record. It may be necessary to consider whether the sensitivity of the information would be more appropriately communicated in a different way. It should be noted that there are certain subjects that should be avoided in email messages as they could be construed as discriminatory;
- the recipient's availability: often it may be easier to speak face to face to a person or speak on the telephone in preference to sending an email;
- the speed of transmission: where information needs to be communicated as a matter of urgency, it is better to use the telephone;
- the speed of response: if a message needs to be acted upon immediately, email is probably not the best way of communicating the information. It may be more appropriate to speak to the person directly and then send confirmation of the conversation if necessary;
- the number of recipients: the authority to send an email to all staff is restricted to the communications teams and senior managers, who will usually use the weekly communications bulletin to achieve this. If a message is particularly important, the communications teams should be contacted to discuss the appropriate way to send the message.

2. DEALING WITH SENSITIVE SUBJECTS

2.1 Information relating to some subjects is too sensitive to be sent via email. The privacy and confidentiality of messages sent via email cannot be guaranteed and it is the responsibility of all employees to use their judgement about the appropriateness of using email when dealing with sensitive subjects. Sensitive personal data must not be sent by email to external web mail addresses.

2.2 A disclosure statement must be included at the end of all external emails to protect the CCG from information being disclosed to unauthorised personnel. The standard disclosure statement used by the CCG is:

Disclaimer: This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you receive this email by mistake, please advise the sender immediately by using the reply facility in your email software.

2.3 Staff must ensure that all sensitive information sent via email is treated with care in terms of drafting and addressing. Incorrect sensitive information sent via email might provide a case for initiating legal proceedings against the person sending the information and/or the CCG. Sensitive information can include commercial information or information about specific individuals or groups.

2.4 Email messages containing information that is not intended for general distribution should be clearly marked, either in the title or at the beginning of the message.

2.5 Email messages containing personal information are covered by the Data Protection Act 1998 (DPA) and must be treated in line with the principles outlined in the Act. Personal data may include the email address of an individual external to the CCG. Personal information in emails may be inspected by a data subject on request, and should only be included in an email when necessary.

2.6 Under the DPA, personal information includes opinions about an individual or the personal opinions of an individual. Email messages containing this type of information should only be used for the purpose for which the information was provided, be accurate and up to date, and must not be disclosed to third parties without the express permission of the individual concerned.

2.7 Email messages that contain information that is not supported by fact should indicate that it is the sender's opinion that is being expressed.

3. MAILBOX ORGANISATION

3.1 To manage email messages appropriately, it is necessary to identify messages that are records of business activities. These messages should be moved from personal mailboxes and managed with, and in the same way as, other records.

3.2 Not all messages are worthy of retention. Some messages should be managed within the mailbox and kept only for as long as required before being deleted. Examples of messages which do not have corporate value as records and should therefore be deleted are:
- non-work related messages relating to private communications;
- social communications such as lunch dates, leaving events;
- unsolicited promotional material.

3.3 Some records will only have a transitory value and should be deleted once initial action has been taken. Examples of short term records include:
- messages for information: holiday notices, staff on duty;
- invitations and responses to work related events;
- transitory correspondence produced for informational purposes;
- meeting notes and arrangements;
- copies of reports;
- copies of newsletters;
- advertising material available publicly;
- cover letters ("please find attached" etc.);
- convenience copies of messages retained for ease of access and reference value;
- internal messages received as cc or bcc.

3.4 Mailbox size for all employees is restricted and it is important that messages are dealt with as quickly as possible to prevent loss of information.

4. SHARED MAILBOXES

4.1 Shared mailboxes are used where a group of people are responsible for the same area of work, such as Individual Patient Treatments or Complaints. These mailboxes should be managed by a named member of the relevant team who will grant access to the mailbox where appropriate.

4.2 The owner of the mailbox is responsible for providing specific rules relating to the management of the mailbox and how messages are responded to, and for ensuring that messages remain in the folder no longer than the pre-agreed time period. After this time, they should be deleted or managed as records of the discussion.

4.3 A shared mailbox cannot be created without authorisation from the relevant Director and the IT Helpdesk. The creation of a shared mailbox should be done for a specific purpose with agreed levels of access prior to creation.

5. IDENTIFYING AND MANAGING RECORDS

5.1 Email messages can constitute part of the formal record of a transaction. Email messages that might constitute a record are likely to contain information relating to business transactions that have taken or are going to take place, decisions taken in relation to the business transaction or any discussion that took place in relation to the transaction. Examples of emails with value as corporate records can include:
- emails expressing approval of an action or decision;
- direction for important action or decision;
- external business correspondence;
- emails which could be used to justify a decision making process;
- emails which set policy precedents.

5.2 The retention period for messages in this category should be in line with the retention periods set out in the Records Management Policy.

5.3 As email messages can be sent to multiple recipients, there are specific guidelines to indicate who is responsible for capturing an email as a record:
- for internal messages, the sender of an email message or the employee who started the dialogue that forms a string of messages;
- for messages sent externally, the sender of the message;
- for external messages received by one person, the recipient;
- for external messages received by more than one person, the person responsible for the area of work relating to the message.

6. MANAGING RECORDS WITH ATTACHMENTS

6.1 Where an email message has an attachment, in most circumstances the attachment should be saved as a record within the message, as a single entity. The message will provide the context within which the attachment was used.

6.2 If the attachment is a document that requires further work to be carried out, such as a draft policy that requires additional input, the attachment may be saved separately in another location to be worked on. In this instance, the copy attachment will become a completely separate record.

7. SAVING MESSAGES AS RECORDS

7.1 Email messages that can be considered to be records should be saved as soon as possible. Most messages will form part of a conversation chain. Email chains should be saved as records at significant points during the conversation rather than waiting until the end of the conversation, because it might not be apparent when the conversation has finished.

7.2 Email messages that constitute records must be saved on the networked drive (in the relevant folder relating to the same business activity) in .msg format.

7.3 Personal mailboxes should not be used for long-term storage of messages. Emails should be archived on a regular basis using the facilities within Microsoft Outlook. It is important to remember that all emails kept on the system can be recalled under the Freedom of Information Act 2000, and therefore only those emails that are necessary should be saved.

APPENDIX N.1 GUIDANCE ON WRITING BUSINESS EMAILS

1. BUSINESS EMAILS

1.1 Email is not always the best way to communicate information, as messages can be misunderstood and the volume of messages people receive can be prohibitive to receiving a meaningful reply as a result of overload.

1.2 When writing business email messages it is important that consideration is given to the way in which the message is being conveyed. This includes thinking about the title, the text and the addresses. Emails should be well structured and polite. This guidance provides standards of good practice to assist staff in the appropriate business use of email.

Subject Line

1.3 Always include information in the subject line and ensure it gives a clear indication of the content of the message. Think about using the subject line to indicate what people should do with the email: for immediate action, for information, for noting etc.

1.4 Indicate if the subject matter is sensitive and use flags to indicate whether the message is of high or low importance and the speed with which an action is required.

1.5 Do not put any person confidential information in the subject line of the email as this is unencrypted.

1.6 Indicate whether an action is required or whether the email is for information only.

Subject and Tone

1.7 Greet people by name at the beginning of an email message.

1.8 Identify yourself at the beginning of the message when contacting someone for the first time, and ensure that the purpose and the content of the message is clearly explained.

1.9 Include a signature with your own contact details, only using the standard signature and footer information below:
- name and designation;
- organisation;
- email address;
- telephone contact numbers.

1.10 Do not include a physical signature as this may be used for other purposes.

1.11 The disclaimer below should also be included underneath your signature and footer information:

Disclaimer: This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you receive this email by mistake, please advise the sender immediately by using the reply facility in your email software.

1.12 Ensure that the email is polite and courteous.

1.13 Make a clear distinction between fact and opinion.

1.14 Proofread messages before they are sent to check for errors.

1.15 Try to limit messages to one subject per message.

1.16 Include the original message when sending a reply to provide context; check there is no person confidential data.

1.17 When the subject of a string of messages has significantly changed, start new messages, copying relevant sections from the previous string of messages. Ensure messages are not unnecessarily long, and ensure that attachments are not longer versions of the emails. Summarise the content of the attachments in the main body of the message.

Structure and Grammar

1.18 Ensure you use plain English, with paragraphs to structure information and important information contained at the beginning of the message.

1.19 Avoid using abbreviations and CAPITALS, and try not to overuse bold text.

1.20 Do not use emoticons (symbols that show how you feel).

1.21 Use a plain white background with dark blue or black text. Do not use textured or coloured backgrounds.

Addressing

1.22 Distribute messages only to the people who need to know the information.

1.23 Using "reply all" will send the reply to everyone included in the original email. Think carefully before using "reply all", as it is unlikely that everyone included will need to know your reply.

1.24 Use the To field for people who are required to take further action, and the cc field for people who are included for information only. Think carefully about who should be included in the cc field.

1.25 Ensure the message is correctly addressed. Check that the predictive nature of the system for selecting addresses has picked the right person to send the email to.

2. GENERAL

2.1 Be aware that different computer systems will affect the layout of an email message. Avoid sending messages in HTML format; if a recipient is using an email system that does not allow HTML, the layout will be affected.

2.2 Be aware that some computer systems might have difficulties with attachments. Observe the restrictions on attachment size. The maximum total message size (including attachment) is 10MB. If you need to send larger attachments you can use secure send or contact the IT Helpdesk.

2.3 Restrict the number of addresses that the email is sent to and try not to forward messages unnecessarily.

3. NAMING CONVENTIONS FOR SAVING EMAILS AS RECORDS

3.1 Change the title of the email when saving it on the networked drive if it does not accurately reflect the content of the message. For example, titles such as "A few points" will soon become meaningless when it is forgotten what the points relate to.

3.2 Ensure the title contains sufficient information to enable any member of the department to identify the relevance of the content to themselves.

3.3 All instances of FW and RE should be removed from the title as they do not provide any information about the content of the message.

3.4 Do not include the date of an email and the fact that it is an email. The date will be automatically captured and the fact it is an email will be obvious.

3.5 Do not include nonsense terms, for example "letter".

3.6 Do not use MSDOS style 8-letter titles, for example "maylet".

3.7 Use natural language and spell words in full. Use abbreviations and acronyms with caution, as they may become obsolete over a period of time and can have more than one meaning.

3.8 Write the names of organisations in full and include the appropriate abbreviation. If there is not enough space, ensure that the information is captured elsewhere, for example in the notes field.

3.9 Wherever possible, always use the role title rather than the name of the person. For example, "Comments on email by Head of Department".

3.10 Always identify people by their full name rather than by their initials. Initials can be forgotten or confused with people with similar initials.

APPENDIX N.2 GUIDANCE ON THE ENCRYPTION OF EMAILS

1. EMAIL SECURITY

1.1 Every employee has a responsibility to ensure that they use email appropriately and follow the NHS Dorset Clinical Commissioning Group's (CCG) procedures to ensure that emails containing patient identifiable or confidential information are sent securely.

1.2 Not all email is secure and the guidelines set out below must be followed at all times.

2. NHS DORSET CCG INTERNAL EMAIL

2.1 Emails sent between NHS Dorset CCG email addresses are automatically secure and patient confidential information is safe to send internally by email.

2.2 You must never include person identifiable or confidential information such as name, date of birth, NHS number etc. in the subject line of the email as this is not secure.

2.3 When sending information by email, it is the responsibility of the sender to ensure that they are sending to the correct person.

3. EMAILS BETWEEN ORGANISATIONS COVERED BY IRONPORT

3.1 IronPort is a system that allows the confidential exchange of electronic mail between subscribing organisations. Emails containing person identifiable or confidential information can be sent securely from NHS Dorset CCG email accounts to recipients at the organisations listed below (known as the IronPort community):
- NHS Dorset CCG
- Dorset HealthCare NHS Foundation Trust
- Royal Bournemouth Hospital and Christchurch Hospitals NHS Foundation Trust
- Poole General Hospital
- Dorset County Hospital
- Yeovil District Hospital
- Taunton and Somerset NHS Foundation Trust (Musgrove Park)
- South West Ambulance
- All Dorset GP (insert practice NACS code)
- All Somerset GP Practices
- Bournemouth Borough Council
- Poole Borough Council
- Dorset County Council
- Somerset Council

Contact the practice to check they are signed up to IronPort; each practice is set up individually but with .nhs.uk at the end of the email address.

4. MANUAL ENCRYPTION FOR ORGANISATIONS NOT COVERED BY IRONPORT

4.1 Manual encryption must be used for all emails sent externally to recipients other than the IronPort organisations listed above. Messages will only be encrypted if the sender specifically requests manual encryption. If this is not requested, the email will not be sent securely.

4.2 To manually encrypt an email, either:
- turn on encryption by typing [encrypt] as the first word in the subject line. This should all be in lower case, with SQUARE brackets, and with no space before the first bracket and no other spacing within the brackets; or
- click the Options button (or Tags button) on the Microsoft Outlook toolbar, then click the arrow against Sensitivity, and select Confidential.

4.3 Either of these methods will ensure the email is sent securely: the email will be encrypted when the SEND button is pressed.

4.4 Anyone within the NHS Dorset CCG and the IronPort community will be able to open the email just like any normal email. Anyone outside of this group will have to register for a Cisco Registered Envelope Service account in order to open the email. They will receive an email with full instructions on how to register.

5. NHS.NET

5.1 It is important to note that sending emails with person identifiable or confidential information from nhs.net to any other address, other than those noted below, is not secure.


More information

ICT Portable Devices and Portable Media Security

ICT Portable Devices and Portable Media Security ICT Portable Devices and Portable Media Security Who Should Read This Policy Target Audience All Trust Staff, contractors, and other agents, who utilise trust equipment and access the organisation s data

More information

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust PRIVACY NOTICE VOLUNTEER INFORMATION Liverpool Women s NHS Foundation Trust Introduction This document summarises who we are, what information we hold about you, what we will do with the information we

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY Open Open INFORMATION SECURITY POLICY OF THE UNIVERSITY OF BIRMINGHAM DOCUMENT CONTROL Date Description Authors 18/09/17 Approved by UEB D.Deighton 29/06/17 Approved by ISMG with minor changes D.Deighton

More information

Bring Your Own Device (BYOD) Policy

Bring Your Own Device (BYOD) Policy SH IG 58 Information Security Suite of Policies Bring Your Own Device (BYOD) Policy Version 1 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This

More information

PS Mailing Services Ltd Data Protection Policy May 2018

PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Limited is a registered data controller: ICO registration no. Z9106387 (www.ico.org.uk 1. Introduction 1.1. Background We collect

More information

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018 1.0 Executive Summary Birmingham Community Healthcare NHS Foundation Trust 2017/17 Data Security and Protection Requirements March 2018 The Trust has received a request from NHS Improvement (NHSI) to self-assess

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Document history Author(s) Date S Gamlin 23/05/2018 Revision / Number Date Amendment Name Approved by BI annual revision Date

More information

Information Security Strategy

Information Security Strategy Security Strategy Document Owner : Chief Officer Version : 1.1 Date : May 2011 We will on request produce this Strategy, or particular parts of it, in other languages and formats, in order that everyone

More information

Corporate Information Security Policy

Corporate Information Security Policy Overview Sets out the high-level controls that the BBC will put in place to protect BBC staff, audiences and information. Audience Anyone who has access to BBC Information Systems however they are employed

More information

Policy General Policy GP20

Policy General Policy GP20 Email Policy General Policy GP20 Applies to All employees Committee for Approval Quality and Governance Committee Date of Approval September 2012 Review Date June 2014 Name of Lead Manager Head of Technology

More information

Network Account Management Security Standard

Network Account Management Security Standard TRUST-WIDE NON-CLINICAL DOCUMENT Network Account Management Security Number: Scope of this Document: Recommending Committee: Approving Committee: SS06 All Staff/ Services Users Joint Information Governance

More information

Information Security Data Classification Procedure

Information Security Data Classification Procedure Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations

More information

Remote Working & Mobile Devices Security Standard

Remote Working & Mobile Devices Security Standard TRUST-WIDE NON-CLINICAL DOCUMENT Remote Working & Mobile Devices Security Standard Standard Number: Scope of this Document: Recommending Committee: Approving Committee: SS02 All Staff Joint Information

More information

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager. London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate

More information

PS 176 Removable Media Policy

PS 176 Removable Media Policy PS 176 Removable Media Policy December 2013 Version 2.0 Statement of legislative compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010; Data

More information

Data protection. 3 April 2018

Data protection. 3 April 2018 Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd

More information

Enviro Technology Services Ltd Data Protection Policy

Enviro Technology Services Ltd Data Protection Policy Enviro Technology Services Ltd Data Protection Policy 1. CONTEXT AND OVERVIEW 1.1 Key details Rev 1.0 Policy prepared by: Duncan Mounsor. Approved by board on: 23/03/2016 Policy became operational on:

More information

Acceptable Usage Policy (Student)

Acceptable Usage Policy (Student) Acceptable Usage Policy (Student) Author Arthur Bogacki Date 18/10/2017 Version 1.1 (content sourced and consolidated from existing Email and Electronic Communication, and User Code of Practice policies.)

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST INFORMATION SECURITY POLICY Author Head of IT Equality impact Low Original Date September 2003 Equality assessment

More information

INFORMATION TECHNOLOGY SECURITY POLICY

INFORMATION TECHNOLOGY SECURITY POLICY INFORMATION TECHNOLOGY SECURITY POLICY Author Responsible Director Approved By Data Approved September 15 Date for Review November 17 Version 2.3 Replaces version 2.2 Mike Dench, IT Security Manager Robin

More information

The University of British Columbia Board of Governors

The University of British Columbia Board of Governors The University of British Columbia Board of Governors Policy No.: 118 Approval Date: February 15, 2016 Responsible Executive: University Counsel Title: Safety and Security Cameras Background and Purposes:

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act (DPA) 2018 [UK] For information on this Policy or to request Subject Access please

More information

Motorola Mobility Binding Corporate Rules (BCRs)

Motorola Mobility Binding Corporate Rules (BCRs) Motorola Mobility Binding Corporate Rules (BCRs) Introduction These Binding Privacy Rules ( Rules ) explain how the Motorola Mobility group ( Motorola Mobility ) respects the privacy rights of its customers,

More information

UCL Policy on Electronic Mail ( )

UCL Policy on Electronic Mail ( ) LONDON S GLOBAL UNIVERSITY UCL Policy on Electronic Mail (EMAIL) Information Security Policy University College London Document Summary Document ID Status Information Classification Document Version TBD

More information

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013 Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board Issued: September 2013 Document reference: 495A2013 Status of report This document has been prepared for the internal

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

This Policy applies to all staff and other authorised users in St Therese School.

This Policy applies to all staff and other authorised users in St Therese School. St. Therese School Computer and Internet Policy STAFF Policy Statement All staff and other authorised users of St Therese information and communications technology are to use the technology only in a way

More information

SWBCCG Pol 18. Information Governance handbook

SWBCCG Pol 18. Information Governance handbook SWBCCG Pol 18 Information Governance handbook 1 SWBCCG Pol 18 Information Reader Box Directorate Purpose Document Purpose Document Name Author Sandwell and West Birmingham CCG Guidance Procedures Information

More information

Privacy Policy Inhouse Manager Ltd

Privacy Policy Inhouse Manager Ltd Privacy Policy Inhouse Manager Ltd April 2018 This privacy statement is designed to tell you about our practices regarding the collection, use and disclosure of information held by Inhouse Manager Ltd.

More information

INFORMATION SYSTEMS SECURITY POLICY (ISSP)

INFORMATION SYSTEMS SECURITY POLICY (ISSP) INFORMATION SYSTEMS SECURITY POLICY (ISSP) Policy Number & Category IG 02 Information Governance Version Number & Date Version 3.7 February 2009 Ratifying Committee Date Approved March 2009 Next Review

More information

INFORMATION GOVERNANCE. Caldicott Approval Procedure

INFORMATION GOVERNANCE. Caldicott Approval Procedure NHS TAYSIDE INFORMATION GOVERNANCE Caldicott Approval Procedure Author: Peter McKenzie Review Group: Information Governance Group Review Date: September 2010 Last Update: September 2009 Document : NHST-ISC-CAP

More information

Policy Title; Business Continuity Management Policy. Date Published/Reviewed; February 2018

Policy Title; Business Continuity Management Policy. Date Published/Reviewed; February 2018 Policy Title; Business Continuity Management Policy Date Published/Reviewed; February 2018 Business Lead; Head of Strategic Governance CCMT sponsor; Deputy Chief Constable Thames Valley Police ensures

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

Name of Policy: Computer Use Policy

Name of Policy: Computer Use Policy Page: Page 1 of 5 Director Approved By: Approval Date: Reason(s) for Change Responsible: Corporate Services Leadership April 22, Reflect current technology and practice Corporate Services Leadership Leadership

More information

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems.

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems. BACKED BY REFERENCE GUIDE Acceptable Use Policy GENERAL GUIDANCE NOTE: This sample policy is not legal advice or a substitute for consultation with qualified legal counsel. Laws vary from country to country.

More information

Information Governance and Code of Conduct

Information Governance and Code of Conduct This document is also available in other languages and formats upon request Information Governance and Code of Conduct For further information and guidance contact the Information Governance team: Tel:

More information

TELEPHONE AND MOBILE USE POLICY

TELEPHONE AND MOBILE USE POLICY TELEPHONE AND MOBILE USE POLICY Date first approved: 9 December 2016 Date of effect: 9 December Date last amended: (refer Version Control Table) Date of Next Review: December 2021 First Approved by: University

More information

Use of Personal Mobile Phone Whilst on Duty

Use of Personal Mobile Phone Whilst on Duty Use of Personal Mobile Phone Whilst on Duty (Incorporating Smartphones and Hand Held Devices) Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Version 1 Version: 1 Dated: 21 May 2018 Document Owner: Head of IT Security and Compliance Document History and Reviews Version Date Revision Author Summary of Changes

More information

ACCEPTABLE USE ISO INFORMATION SECURITY POLICY. Author: Owner: Organisation: Document No: Version No: 1.0 Date: 10 th January 2010

ACCEPTABLE USE ISO INFORMATION SECURITY POLICY. Author: Owner: Organisation: Document No: Version No: 1.0 Date: 10 th January 2010 INFORMATION SECURITY POLICY EMAIL ACCEPTABLE USE ISO 27002 7.1.3 Author: Owner: Organisation: Document No: Chris Stone Ruskwig TruePersona Ltd SP-7.1.3 No: 1.0 Date: 10 th January 2010 Copyright Ruskwig

More information

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy NHS Gloucestershire Clinical Commissioning Group 1 Document Control Title of Document Gloucestershire CCG Author A Ewens (Emergency Planning and Business Continuity Officer) Review Date February 2017 Classification

More information

Information Technology Access Control Policy & Procedure

Information Technology Access Control Policy & Procedure Information Technology Access Control Policy & Procedure Version 1.0 Important: This document can only be considered valid when viewed on the PCT s intranet/u: Drive. If this document has been printed

More information

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your). Our Privacy Policy 1 Purpose Mission Australia is required by law to comply with the Privacy Act 1988 (Cth) (the Act), including the Australian Privacy Principles (APPs). We take our privacy obligations

More information

Putting It All Together:

Putting It All Together: Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,

More information

Privacy Policy Wealth Elements Pty Ltd

Privacy Policy Wealth Elements Pty Ltd Page 1 of 6 Privacy Policy Wealth Elements Pty Ltd Our Commitment to you Wealth Elements Pty Ltd is committed to providing you with the highest levels of client service. We recognise that your privacy

More information

PUPIL ICT ACCEPTABLE USE POLICY

PUPIL ICT ACCEPTABLE USE POLICY PUPIL ICT ACCEPTABLE USE POLICY Document control This document has been approved for operation within: All Trust Schools Date of last review August 2018 Date of next review August 2020 Review period Status

More information

Information Governance Incident Reporting Policy and Procedure

Information Governance Incident Reporting Policy and Procedure Information Governance Incident Reporting Policy and Procedure Policy Number Target Audience Approving Committee IG007 CCG/GMSS Staff CCG Chief Officer Date Approved February 2018 Last Review Date February

More information

POLICY. Version: 1.1 Quality and Performance Committee Date ratified: 12 th July 2017

POLICY. Version: 1.1 Quality and Performance Committee Date ratified: 12 th July 2017 EMAIL POLICY Version: 1.1 Ratified by: Quality and Performance Committee Date ratified: 12 th July 2017 Name & Title of originator/author: John Robinson, Senior Information Governance Specialist (embed

More information

Privacy Impact Assessment

Privacy Impact Assessment Automatic Number Plate Recognition (ANPR) Deployments Review Of ANPR infrastructure February 2018 Contents 1. Overview.. 3 2. Identifying the need for a (PIA).. 3 3. Screening Questions.. 4 4. Provisions

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

DATA PROTECTION POLICY THE HOLST GROUP

DATA PROTECTION POLICY THE HOLST GROUP DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller

More information

II.C.4. Policy: Southeastern Technical College Computer Use

II.C.4. Policy: Southeastern Technical College Computer Use II.C.4. Policy: Southeastern Technical College Computer Use 1.0 Overview Due to the technological revolution in the workplace, businesses such as Southeastern Technical College (STC) have turned to computer

More information

Data Loss Assessment and Reporting Procedure

Data Loss Assessment and Reporting Procedure Data Loss Assessment and Reporting Procedure Governance and Legal Services Strategy, Planning and Assurance Directorate Approved by: Data Governance & Strategy Group Approval Date: July 2016 Review Date:

More information

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

SAFE USE OF MOBILE PHONES AT WORK POLICY

SAFE USE OF MOBILE PHONES AT WORK POLICY SAFE USE OF MOBILE PHONES AT WORK POLICY Links to Lone Working Policy, Personal Safety Guidance, Lone Working Guidance, Information Governance Policy Document Type General Policy Unique Identifier GP31

More information

Information Governance Incidents Cyber Security Incidents and Near Misses Reporting Procedure

Information Governance Incidents Cyber Security Incidents and Near Misses Reporting Procedure Information Governance Incidents Cyber Security Incidents and Near Misses Reporting Procedure Procedure Number: IG05 Version: 2.3 Approved by: Information Governance Working Group Date approved January

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy Version Number: 3.6 Page 1 of 14 Business Continuity Policy First published: 07-01-2014 Amendment record Version Date Reviewer Comment 1.0 07/01/2014 Debbie Campbell 2.0 11/07/2014

More information

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2 COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September 2018 Table of Contents 1. Scope, Purpose and Application to Employees 2 2. Reference Documents 2 3. Definitions 3 4. Data Protection Principles

More information

UWC International Data Protection Policy

UWC International Data Protection Policy UWC International Data Protection Policy 1. Introduction This policy sets out UWC International s organisational approach to data protection. UWC International is committed to protecting the privacy of

More information

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture: DATA PROTECTION SELF-ASSESSMENT TOOL Protecture: 0203 691 5731 Instructions for use touches many varied aspects of an organisation. Across six key areas, the self-assessment notes where a decision should

More information

Freedom of Information and Protection of Privacy (FOIPOP)

Freedom of Information and Protection of Privacy (FOIPOP) Freedom of Information and Protection of Privacy (FOIPOP) No.: 6700 PR1 Policy Reference: 6700 Category: FOIPOP Department Responsible: Records Management and Privacy Current Approved Date: 2008 Sep 30

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Status: Released Page 2 of 7 Introduction Our Data Protection policy indicates that we are dedicated to and responsible of processing the information of our employees, customers,

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy POLICY 07.01.01 Effective Date: 01/01/2015 The following are responsible for the accuracy of the information contained in this document Responsible Policy Administrator Information

More information

Pathways CIC Privacy Policy. Date Issued: May Date to be Reviewed: May Issued by Yvonne Clarke

Pathways CIC Privacy Policy. Date Issued: May Date to be Reviewed: May Issued by Yvonne Clarke Prepared by: M Franklin Issued: May 2018 Pathways Community Interest Company Review due: May 2020 Pathways CIC Privacy Policy Version 0.3 Approved by: Yvonne Clarke Approval date: 21.05.2018 Pathways CIC

More information

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ). PRIVACY POLICY Data Protection Policy 1. Introduction This Data Protection Policy (this Policy ) sets out how Brital Foods Limited ( we, us, our ) handle the Personal Data we Process in the course of our

More information

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017 Wye Valley NHS Trust Data protection audit report Executive summary June 2017 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act

More information

UKIP needs to gather and use certain information about individuals.

UKIP needs to gather and use certain information about individuals. UKIP Data Protection Policy Context and overview Key details Policy Update Prepared by: D. Dennemarck / S. Turner Update approved by Management on: November 6, 2015 Policy update became operational on:

More information

University Policies and Procedures ELECTRONIC MAIL POLICY

University Policies and Procedures ELECTRONIC MAIL POLICY University Policies and Procedures 10-03.00 ELECTRONIC MAIL POLICY I. Policy Statement: All students, faculty and staff members are issued a Towson University (the University ) e-mail address and must

More information

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY 2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY Purpose: The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and tenants on

More information

Mobile Working Policy

Mobile Working Policy Mobile Working Policy Date completed: Responsible Director: Approved by/ date: Ben Westmancott, Director of Compliance Author: Ealing CCG Governing Body 15 th January 2014 Ben Westmancott, Director of

More information

Institute of Technology, Sligo. Information Security Policy. Version 0.2

Institute of Technology, Sligo. Information Security Policy. Version 0.2 Institute of Technology, Sligo Information Security Policy Version 0.2 1 Document Location The document is held on the Institute s Staff Portal here. Revision History Date of this revision: 28.03.16 Date

More information

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document

More information

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY 1. Statement of Policy (Guardian) needs to collect and use certain types of information about the Individuals or Service Users with whom they come into contact in order to carry on our work. This personal

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

NHS R&D Forum Privacy Policy: FINAL v0.1 May 25 th 2018

NHS R&D Forum Privacy Policy: FINAL v0.1 May 25 th 2018 NHS R&D Forum Privacy Policy: FINAL v0.1 May 25 th 2018 This privacy policy is published to provide transparent information about how we use, share and store any personal information that you may provide

More information

Cognizant Careers Portal Terms of Use and Privacy Policy ( Policy )

Cognizant Careers Portal Terms of Use and Privacy Policy ( Policy ) Cognizant Careers Portal Terms of Use and Privacy Policy ( Policy ) Introduction This Policy applies to the Careers portal on the Cognizant website accessed via www.cognizant.com/careers ("Site"), which

More information

GDPR Draft: Data Access Control and Password Policy

GDPR Draft: Data Access Control and Password Policy wea.org.uk GDPR Draft: Data Access Control and Password Policy Version Number Date of Issue Department Owner 1.2 21/01/2018 ICT Mark Latham-Hall Version 1.2 last updated 27/04/2018 Page 1 Contents GDPR

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

FERPA & Student Data Communication Systems

FERPA & Student Data Communication Systems FERPA & Student Data Ellevation is subject to the Family Educational Rights and Privacy Act (FERPA) as operating under the "school official" exception, wherein student directory and PII (Personal Identifying

More information

Use Of Mobile Communication Devices Within Healthcare Premises Policy

Use Of Mobile Communication Devices Within Healthcare Premises Policy Use Of Mobile Communication Devices Within Healthcare Premises Policy Co-ordinator: Director of Facilities Reviewer: Working Group chaired by Director of Facilities Approver: GAPF Signature Signature Signature

More information

INFORMATION GOVERNANCE HANDBOOK

INFORMATION GOVERNANCE HANDBOOK INFORMATION GOVERNANCE HANDBOOK 1 Version 2.0 Information Reader Box Document Name Author Information Governance Handbook Information Governance Team CSU Publication Date 09/12/2015 Review Date 09/12/2016

More information