
Information Governance, Policy & Strategy

Policy: GV00

Policy Descriptor
This Policy defines the Strategy for the Information Governance framework,
including people, resources, the culture and the processes necessary to
ensure efficient management of the information needed to support the core
purpose of the Trust in caring for individuals and improving public health.

Do you need this document in a different format?

Contact PALS – 0800 0730741 or email dpn-tr.pals@nhs.net

Document Control
Policy Ref No & Title: GV00 Information Governance, Policy & Strategy
Version: v1.5
Replaces / dated: Previous Policy dated Jan 15
Author(s) Names / Job Title responsible / email: Susan Banham, Information Governance Manager, susan.banham@nhs.net
Ratifying committee: IM&T strategy group
Director / Sponsor: Helen Smith, Medical Director
Primary Readers: All Staff
Additional Readers
Date ratified: 28 Feb 2017
Date issued: June 2016
Date for review: February 2019
Date archived:
Other Relevant Standards met: Requirements 8-101, 8-105, 8-300, 8-301, 8-302, 8-307 IG Toolkit

Contents

1. Introduction

2. Purpose

3. Duties within the Organisation

4. Scope of the Strategy

5. Principles

5.4. Openness

5.5. Legal Compliance

5.6. Information Security

5.7. Information Quality Assurance & Monitoring

6. Key Policies/Procedures

7. References

Appendix 1 - Information Governance Framework Summary

1. Introduction

1.1. This Policy sets out the Strategic approach that Devon Partnership NHS Trust will adopt to
provide a robust Information Governance framework for the future management of
information.

1.2. Information is a vital asset, both in terms of the clinical management of individual patients
and the efficient management of services and resources. It plays a key part in clinical
governance, service planning and performance management.

1.3. It is therefore of paramount importance to ensure that information is efficiently managed,
and that appropriate policies, procedures and management accountability and structures
provide a robust governance framework for information management.

2. Purpose

2.1. The purpose of this Policy is to define the Strategy for the Information Governance
framework, including people, resources, the culture and the processes necessary to ensure
efficient management of the information needed to support the core purpose of the Trust in
caring for individuals and improving public health.

3. Duties within the Organisation

3.1. It is the role of Devon Partnership NHS Trust Board to define the Trust’s policy in respect
of Information Governance, taking into account legal and NHS requirements. The Board is
also responsible for ensuring that sufficient resources are provided to support the
requirements of the policy.

3.2. The IM&T strategy Group is responsible for overseeing day to day Information
Governance issues; developing and maintaining policies, standards, procedures and
guidance, coordinating Information Governance in Devon Partnership NHS Trust and
raising awareness of Information Governance.

3.3. The Trust Medical Director is the Caldicott Guardian. The Caldicott Guardian is
responsible for supporting appropriate information sharing, advising on options for lawful
and ethical processing of information and acting as advocate for confidentiality and
information sharing requirements and issues on the Board.

3.4. The Trust Chief Information Officer is the Senior Information Risk Officer (SIRO) and is
responsible for taking ownership of the Trust’s information risk policy and acting as
advocate for information risk on the Board.

3.5. The Chief Information Officer is the Trust’s nominated Data Protection officer and is
responsible for ensuring that the Trust meets its legal obligations in relation to the Data
Protection Act (1998) and the Freedom of Information Act (2000).

3.6. The Information Governance Manager is responsible for leading on the Trust’s
Information Governance Agenda including monitoring and co-ordinating Subject Access
Requests under the Data Protection Act and requests under the Freedom of Information
Act, issues on confidentiality and data protection and Records Management, drawing up the
Trust response to the Information Governance Toolkit, identifying areas for improvement
and producing and implementing an action plan to address any deficiencies.

3.7. Information Asset Owners (IAOs) are responsible for understanding and addressing risks
to the information assets they ‘own’ and for providing assurance to the SIRO on the security
and use of those assets.

3.8. Managers within Devon Partnership NHS Trust are responsible for ensuring that the policy
and its supporting standards and guidelines are built into local processes and that there is
on-going compliance.

3.9. All staff, whether permanent, temporary or contracted, and contractors are responsible for
ensuring that they are aware of the requirements incumbent upon them and for ensuring
that they comply with these on a day to day basis.

4. Scope of the Strategy

4.1. There are two key components underpinning this strategy which are:

• The Trust Information Governance Policy, which outlines the objectives for information
governance; and

• An annual action plan arising from a base line assessment against the standards set
out in the NHS Information Governance toolkit (NHS Digital).

4.2. The standards in the toolkit are in six categories namely:

• Information Governance Management

• Confidentiality and Data Protection Assurance

• Information Security Assurance

• Clinical Information Assurance

• Secondary Use Assurance

• Corporate Information Assurance

4.3. The IM&T strategy Group reports assurance to the Finance and Investment Committee.
The Terms of Reference identify the scope and purpose of this group for taking forward
improvements in Information Governance.

4.4. The IM&T strategy Group has overall responsibility for overseeing the implementation of
this strategy, the Information Governance policy and the Information Governance action
plan. All will be subject to periodic review and progress reported to the Senior Management
Board. There is representation within the organisation to ensure that Information
Governance is embedded within the organisation structure.

4.5. The Medical Director and Caldicott Guardian is the named representative on the Board with
responsibility for Information Governance. The Caldicott Guardian will also identify a
number of Safer Information champions to assist in monitoring progress towards improving
performance. The following staff members are registered as champions of the Information
Governance Toolkit, which will support the Information Governance Manager:

• Chief Information Officer / Senior Information Risk Officer (SIRO) (chair)

• Medical Director

• Chief Clinical Information officer

• Risk Manager

• PALS Manager

• Service Representatives (to reflect the clinical directorates)

4.6. The Trust will complete a self-assessment against the objectives for Information
Governance utilising the NHS Information Governance web based toolkit by 31st March
each year. Completing this toolkit will identify the gaps in the Trust’s Information
Governance systems and an action plan will be drawn up with proposed solutions and
timescales. The IM&T strategy group will monitor and performance manage these action
plans to ensure continual progress towards improvement.

4.7. This strategy cannot be seen in isolation as information plays a key part in Governance,
Strategic Risk, Clinical Governance and service planning and performance management.
The Strategy therefore links into all of these aspects of the organisation. In addition the
Trust has identified Information Governance as a risk within the organisation. The
implementation of this strategy will undoubtedly reduce the level of the current risk.

4.8. Fundamental to the success of delivering the Information Governance strategy is
developing an Information Governance culture within the Trust. On-going awareness and
training needs to be provided to all Trust staff who utilise information in their day to day
work to promote this culture. In order to achieve this, a training plan will be identified by the
IM&T strategy group. The Trust will focus on the following strategies:

• The Trust will ensure that all staff receive training in the areas of Information
Governance.

• The Trust will ensure that the staff induction programme includes Data Protection and
Caldicott awareness.

• There will be specific detailed training in the area of Information Governance for staff
where appropriate to their roles.

• The training arrangements for Information Governance will be regularly reviewed as
part of the Training Needs Analysis for the Trust.

• All Managers will be responsible for raising Information Governance awareness within
their teams.

• The Trust will ensure that suitable guidance is made available to staff by appropriate
means including on the Trust intranet DAISY.

4.9. This Information Governance policy and strategy will be posted under the policy section of
the Trust’s website. Managers are to ensure that their staff are aware of and adhere to the
Trust’s Information Governance policy and procedures.

4.10. The IM&T strategy Group will identify any associated resource implications incurred by the
implementation of the Information Governance policy and action plan. Business cases will
be developed and submitted for consideration.

4.11. Information Governance will be performance managed by the IM&T strategy Group and
assurance will be reported to the Finance and Investment Committee. A performance
report will also be submitted to the Department of Health on an annual basis, via the
Information Governance Toolkit.

4.12. Membership of the IM&T strategy Group will include:

• Chief Information Officer/SIRO (chair)

• Medical Director/ Caldicott Guardian

• Information Governance Manager

• Chief Clinical Information Officer

• Service Representatives (to reflect the clinical directorates)

5. Principles

5.1. Devon Partnership NHS Trust recognises the need for an appropriate balance between
openness and confidentiality in the management and use of information. Devon Partnership
NHS Trust fully supports the principles of corporate governance and recognises its public
accountability, but equally places importance on the confidentiality of, and the security
arrangements to safeguard, both personal information about patients and staff and
commercially sensitive information. Devon Partnership NHS Trust also recognises the need
to share patient information with other health organisations and other agencies in a
controlled manner consistent with the interests of the patient and, in some circumstances,
the public interest.

5.2. Devon Partnership NHS Trust believes that accurate, timely and relevant information is
essential to deliver the highest quality health care. As such it is the responsibility of all
clinicians and managers to ensure and promote the quality of information and to actively
use information in decision making processes.

5.3. There are 4 key interlinked strands to the information governance policy:

• Openness

• Legal compliance

• Information security

• Quality assurance

5.4. Openness

• Non-confidential information on Devon Partnership NHS Trust and its services should
be available to the public through a variety of media, in line with the Trust’s code of
openness and the Freedom of Information Act 2000.

• Devon Partnership NHS Trust will establish and maintain policies to ensure compliance
with the Freedom of Information Act 2000 and the Environmental Information
Regulations 2004. See GV05 Freedom of Information.

• Devon Partnership NHS Trust will undertake or commission regular assessments and
audits of its policies and arrangements for openness.

• Patients should have ready access to information relating to their own health care, their
options for treatment and their rights as patients. See GV01 Access To Health
Records Policy.

• Devon Partnership NHS Trust will have clear procedures and arrangements for liaison
with the press and broadcasting media. Contact the Communications department at
Wonford House, Exeter on 01392 208693 for further details.

• Devon Partnership NHS Trust will have clear procedures and arrangements for
handling queries from patients and the public. Contact PALS Freephone 0800 0730
741 for further details.

5.5. Legal Compliance

• Devon Partnership NHS Trust regards all identifiable personal information relating to
patients as confidential.

• Devon Partnership NHS Trust will undertake or commission regular assessments and
audits of its compliance with legal requirements.

• Devon Partnership NHS Trust regards all identifiable personal information relating to
staff as confidential except where national policy on accountability and openness
requires otherwise.

• Devon Partnership NHS Trust will establish and maintain policies to ensure compliance
with the Data Protection Act, Human Rights Act and common law confidentiality.

• Devon Partnership NHS Trust will establish and maintain policies for the controlled and
appropriate sharing of patient information with other agencies, taking account of
relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act,
Protection of Children Act).

5.6. Information Security

• Devon Partnership NHS Trust will establish and maintain policies for the effective and
secure management of its information assets and resources.

• Devon Partnership NHS Trust will undertake or commission regular assessments and
audits of its information and IT security arrangements. See G03 Information
Management And Technology Security Policy.

• Devon Partnership NHS Trust will promote effective confidentiality and security practice
to its staff through policies, procedures and training and will ensure that staff contracts
include appropriate clauses covering Information Governance standards and
responsibilities with regard to Data Protection, Confidentiality and Information Security.

• Devon Partnership NHS Trust will establish and maintain incident reporting procedures
and will monitor and investigate all reported instances of actual or potential breaches of
confidentiality and security. Disciplinary action will be taken as appropriate in
accordance with the Trust Disciplinary Procedure.

• The Trust will establish and maintain procedures to ensure that appropriate Information
Governance requirements are included in contractual arrangements with third parties.

5.7. Information Quality Assurance & Monitoring

• Devon Partnership NHS Trust will establish and maintain policies and procedures for
information quality assurance and the effective management of records. See GV01
Access To Health Records Policy and GV06 Records Management Policy & Strategy.

• Devon Partnership NHS Trust will undertake or commission regular assessments and
audits of its information quality and records management arrangements.

• Managers are expected to take ownership of, and seek to improve, the quality of
information within their services.

• Wherever possible, information quality should be assured at the point of collection.

• Data standards will be set through clear and consistent definition of data items, in
accordance with national standards.

• Devon Partnership NHS Trust will promote information quality and effective records
management through policies, procedures/user manuals and training.

6. Key Policies/Procedures:

Access to Health Records Policy GV01

Confidentiality Policy GV03

Records Management Policy GV06

Freedom of Information Policy GV05

IM&T Security Policy G03

Incident Reporting Policy R01

Risk Management Strategy, Policy and Risk Assessment Process R03

Information Risk Procedure

Disciplinary Procedure HR06

7. References

Information Governance toolkit https://www.igt.hscic.gov.uk/

Freedom of Information Act 2000

Environmental Information Regulations 2004

Data Protection Act 1998

Human Rights Act 1998

Appendix 1 - Information Governance Framework summary

Information Governance Framework summary

2017/2018

Key Roles

Information Governance Lead (Chief Information Officer)

Senior Information Risk Owner (SIRO) (Chief Information Officer)

Caldicott Guardian (Medical Director)

Data Protection Officer (Chief Information Officer)

Information Governance Manager

Key Governance Bodies

IM&T Strategy Group
Chair: Chief Information Officer
Reports to: Finance and Investment Committee
Terms of Reference approved: February 2017

Finance and Investment Committee
Chair: Non-Executive Director
Reports to: Board of Directors
Terms of Reference approved: June 2016

Key Policies

Note that all policies and procedural documents are disseminated and published on the Trust
website in accordance with the Policy for the Development and management of Policies and
Procedural Documents G01

Information Governance Policy GV00
Defines the Strategy for the Information Governance framework, including people, resources,
the culture and the processes necessary to ensure efficient management of the information
needed to support the core purpose of the Trust in caring for individuals and improving
public health.
Reviewed February 2017

Subject Access Request and Access to Health Records Policy GV01
Sets out the procedure and standards for staff to adopt when dealing with requests for
Access to Health Records
Reviewed February 2017.

Confidentiality Policy GV03
The procedures and standards for staff to adopt when dealing with confidential matters
Reviewed February 2016.

Freedom of Information Policy GV05
The procedure and standards for staff to ensure compliance with the Freedom of Information
Act 2000 and Environmental Information Regulations 2004
Reviewed June 2015.

Records Management Policy GV06
Guidance on the procedures and standards for records management. (See also Records
Management Implementation strategy)
Reviewed September 2016.

Information Security Policy G03
The standards required to establish and maintain the security and confidentiality of
information, information systems, and applications owned or held by the Trust
Reviewed September 2016.

Risk Management Strategy, Policy and Risk Assessment Process R03
The Trust’s Risk Management Strategy and the framework for the establishment and
implementation of a risk management process (Includes Management of Risks relating to
Information Assets January 2014)
Reviewed February 2016

Operation of the Registration Authority
Policy to highlight the roles and responsibilities in relation to the Registration Authority
process and explain links into other policies, practices and systems
Reviewed June 2015.

Resources

Key staff roles

• Chief Information Officer (CIO)

• Chief Clinical Information Officer

• Senior Information Risk Owner (SIRO)

• Caldicott Guardian

• Data Protection Officer

• Information Governance Manager

• Information Governance Administrator

• Information Asset Owners

Budget

The budget is set annually for Information Governance although resources
are closely linked with the wider IM&T function. Representations are made to
the Board for authorisation of any additional resource sought.

Training and Guidance

Information Governance training is part of the core training requirements for all Devon
Partnership Trust staff. For full details refer to the core training grid. Initial “face to face”
training for IG is included in the programme for Corporate Induction which all new staff are
required to attend. All staff are required to complete e-learning annually and staff with
specific IG responsibilities are required to complete additional training as appropriate to their
role.

Staff guidance is provided on the Trust intranet DAISY and all policies are published on the
Trust website.

Incident Management

Incident Reporting Policy
The requirements in relation to the reporting, management and review of all incidents. All
incidents are reviewed and actions identified within the appropriate team and/or
directorate.

All incidents relating to Information Governance are reviewed by the Information Governance
manager to identify any trends or trust-wide risks. Any Serious Incidents (graded at level 2
or above in accordance with current guidance) are reported via the Information Governance
toolkit in accordance with Trust policy and national guidance. Specific IG requirements are
set out in the appendix to this policy.

Reviewed November 2015

Governance Framework

Details of responsibilities and accountability are set out in the Information Governance Policy.
