GDPR – INFORMATION GOVERNANCE (POLICY)
1.1 Information Governance is to do with the way organisations process or handle information. It covers personal information, i.e. that relating to Service Users and employees, and corporate information, e.g. financial and accounting records.
1.2 Information Governance allows organisations and individuals to ensure that personal information is handled legally, securely, efficiently and effectively, in order to deliver the best possible care.
1.3 In addition, IG enables organisations to put in place procedures and processes for their corporate information that support the efficient location and retrieval of corporate records where and when needed, in particular to meet requests for information and to assist compliance with Corporate Governance standards and our obligations under the General Data Protection Regulation (GDPR).
1.4 Information Governance provides a consistent way for staff to deal with the many different information handling requirements, including:
• The Data Protection Act 1998;
• Human Rights Act 1993;
• The Freedom of Information Act 2000;
• The Access to Medical Records Act 1988;
• The Health and Social Care Act 2012;
• Common law Duty of Confidentiality;
• The Caldicott Report 1997 and the Caldicott Principles;
• Records Management;
• General Data Protection Regulation (GDPR) 2018.
2.1 To ensure that Manu Integrity Services and its staff are consistent in the way they handle personal and corporate information, leading to improvement in the way we handle information and to compliance with the requirements of GDPR, information governance legislation and best practice.
3.0 INFORMATION GOVERNANCE FRAMEWORK
3.1 Information governance provides a framework for our Service to bring together all of the requirements, standards and best practice that apply to the handling of information, allowing:
• Implementation of central advice and guidance;
• Compliance with the law;
• Year on year improvement plans.
3.2 At its heart, Information Governance is about setting information handling standards and giving us the tools to achieve those standards. The ultimate goal is to ensure our Service and staff are consistent in the way they handle personal and corporate information and avoid duplication of effort, leading to improvements in:
• Information handling activities;
• Service User confidence in our Service;
• Staff training and development.
3.3 The goal of information governance within our organisation is to apply a holistic approach whilst making information available to those who need it, reducing costs where possible and ensuring compliance with GDPR.
3.4 It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management within our Service.
3.5 We recognise the principles of Caldicott and the regulations outlined in the Data Protection Act, Freedom of Information Act and GDPR, and a need for an appropriate balance between openness and confidentiality in the management and use of information.
4.0 INFORMATION GOVERNANCE PRINCIPLES
4.1 Our Service will adopt the following principles, which will be applied to our information governance:
• Open – About information that is non-confidential;
• Secure – Manage sensitive information in a way that protects the user and Service User;
• Legally comply with legislation – As required by the Freedom of Information Act, Data Protection Act and General Data Protection Regulation;
• Quality assured – be subject to processes and audits to ensure that the manner in which we handle information is consistent with legal requirements.
4.2 We will use information in accordance with law and best practice.
4.3 With the consent of data subjects we will use information between partner organisations to support the care of Service Users.
4.4 We will maintain policies and procedures to ensure compliance with GDPR and good governance.
4.5 Manu Integrity Services will follow a programme of continuous improvement around data management and protection.
5.0 IMPLEMENTATION OF THE ACCESSIBLE INFORMATION STANDARD
5.1 The aim of the accessible information standard is to make sure that people who have a disability, impairment or sensory loss get information that they can access and understand, and any communication support that they need.
5.2 The standard requires our Service to make sure that Service Users, and their carers, can access and understand the information they are given. This includes making sure that people get information in different formats if they need it, for example in large print, braille, easy read or via email.
5.3 The accessible information standard also requires our Service to make sure that people get any support with communication that they need, for example support from a British Sign Language (BSL) interpreter, deafblind manual interpreter or an advocate.
6.0 INFORMATION GOVERNANCE TOOLKIT
6.1 All organisations that have access to NHS patient data must use the IG Toolkit to provide evidence that they practise good information governance.
6.2 Care Homes must complete the IG Toolkit for one or both of the following purposes:
a. To provide IG assurances to the Department of Health or to NHS commissioners of Services; this may be linked to contractual obligations;
b. To provide IG assurances to HSCIC as part of the terms and conditions of using national systems and Services including N3, E-Referrals, and NHS Mail etc.
6.3 Where we require access to NHS patient data, the manager will nominate an IG Toolkit Organisation Administrator who will be responsible for registering, completing and publishing the annual IG Toolkit assessment.
6.4 National data definitions, standards, values and validation programmes will be incorporated within our key systems. We will update documentation as standards develop.
7.1 Managers and staff should demonstrate a commitment to the principles of Information Governance and the General Data Protection Regulation (see policy Compliance with General Data Protection Regulation Ref: GDPR 02).
7.2 The manager (Elma Manunure) is responsible for ensuring that all personal data is processed in line with the legal requirements of GDPR.
7.3 The manager will nominate a senior member of staff to be responsible for the implementation, oversight and maintenance of our Service's obligations under GDPR.
7.4 The manager will ensure that all staff are trained to understand their responsibilities for data protection including GDPR.
7.5 The manager is responsible for ensuring that data protection policies are effectively monitored by a person who does not have responsibilities for the policy in order to maintain independence.
7.6 All staff must ensure at all times that high standards of data quality, data protection, integrity, confidentiality and records management are met, in compliance with information governance, GDPR and other relevant legislation. It is the responsibility of the manager to ensure that all staff familiarise themselves with this policy and adhere to its principles.
7.7 All staff should:
• Foster a culture that values, protects and uses information responsibly and ultimately for the benefit of Service Users;
• Adhere to the regulations related to information governance and GDPR;
• Attend mandatory training related to information governance and GDPR at least annually;
• Be open and honest in informing their line manager of any inadvertent failure to conform with GDPR and this Information Governance Policy.
8.0 INFORMATION SHARING
8.1 We will obtain Service Users' consent and explain to them when we are required to receive personal data from, or share it with, other organisations. This can include inter-agency meetings where multi-approach care plans are discussed and put in place for Service Users.
8.2 Where we are required to implement formal data sharing arrangements we will:
• Stipulate when information can be shared;
• Specify what security measures need to be in place;
• Specify who is allowed to authorise data sharing;
• Require records of sharing to be maintained; and
• Ensure requirements for dealing with subject access requests or, where applicable, freedom of information requests are specified.
8.3 We will establish formal agreements with organisations where we are required to share information. We will determine how the information will be processed over its lifecycle, including how it is disposed of.
8.4 We will review these agreements regularly and ensure they continue to meet the Service's requirements.
9.0 INFORMATION RISKS
9.1 We will manage information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
9.2 We will use our risk management procedures to manage information risk.
9.3 The nominated senior person for data protection will be responsible for managing information risks, coordinating the procedures put in place to mitigate them, and for logging and risk-assessing information.
9.4 Where information risks are identified the manager will put in place action plans to address them. Records should be kept of the actions taken.
10.0 DATA PROTECTION IMPACT ASSESSMENTS
10.1 Prior to the introduction of any new technology that may have an impact on the processing of the data subject’s personal information, the manager will carry out a data protection impact assessment to ensure that any risks to the information are addressed and controls put in place.
11.1 We shall keep written internal records of all personal data collection, holding and processing, which shall incorporate the following information:
• The name and details of our Service, and the senior person responsible for data protection;
• The purposes for which we collect, hold and process personal data;
• Details of the categories of personal data collected, held, and processed;
• Details of how long personal data will be retained (please refer to Data Retention Policy); and
• Detailed descriptions of all technical and organisational measures taken to ensure the security of personal data.
12.0 DATA BREACH
12.1 A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This means that a breach is more than just losing personal data.
12.2 We are required to notify the Information Commissioner's Office (ICO) of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals – for example, resulting in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
12.3 We will assess any data breach on an individual basis to establish the seriousness of the incident. Where the breach is considered serious, for example the theft or loss of a Service User's personal information, we will notify the Information Commissioner's Office (ICO).
Notifying Service Users
12.4 Where a breach is likely to result in a high risk to the rights and freedoms of Service Users, staff or volunteers we must notify those concerned directly.
12.5 ‘High risk’ means that the threshold for notifying individuals is higher than the threshold for notifying the Information Commissioner's Office (ICO).
What information must a breach notification contain?
12.6 The nature of the personal data breach including, where possible:
• The categories and approximate number of individuals concerned; and the categories and approximate number of personal data records concerned;
• The name and contact details of the data protection officer (if our Service has one) or another contact point where more information can be obtained;
• A description of the likely consequences of the personal data breach; and
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
How do I notify a breach?
12.7 A notifiable breach has to be reported to the Information Commissioner's Office (ICO) within 72 hours of our Service becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows us to provide information in phases.
Response and Evaluation of the breach
12.8 Following a data breach we will investigate the causes of the breach and evaluate the effectiveness of our response to it.
12.9 We will take steps to prevent any further incidents of data breach including:
• Making sure that we are fully aware of what personal data is held and where and how it is stored;
• Establishing where the biggest risks lie, for example how much sensitive personal data we hold;
• Giving consideration to the risks that arise when sharing with or disclosing to others;
• Ensuring the method of transmission is secure and only sharing or disclosing the minimum amount of data necessary, so that even if a breach occurs the risks are reduced;
• Identifying weak points in our existing security measures, such as the use of portable storage devices or access to public networks;
• Monitoring staff awareness of security issues and looking to fill any gaps through training or tailored advice;
• Considering whether we need to establish a group of technical and non-technical staff who discuss ‘what if’ scenarios – this would highlight risks and weaknesses as well as giving staff at different levels the opportunity to suggest solutions;
• Where a Business Continuity Plan for dealing with serious incidents is in place, considering implementing a similar plan for data security breaches;
• Identifying a group of people responsible for reacting to reported breaches of security.
12.10 For more information on Data Breach please refer to GDPR-12.
13.0 MONITORING AND COMPLIANCE
13.1 We recognise that having data protection policies and procedures in place is not enough. We need to ensure through monitoring and review that they are working as intended in practice.
13.2 We will continually monitor and audit how information is handled and processed as part of the management review process of our Service.
13.3 This policy will be reviewed annually to ensure it continues to meet GDPR and information governance requirements.