Information Governance (IG) is a set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an organisational level. Information Governance supports Acle Medical Partnership’s immediate and future regulatory, legal, risk, environmental and operational requirements.
Information is a vital asset, both in terms of the commercial development and the efficient management of services and resources. It plays a key part in governance, service planning and performance management.
It is therefore of critical importance to ensure that information is appropriately managed, and that policies, procedures and management accountability and structures provide a robust governance framework for information management.
Acle Medical Partnership recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. Acle Medical Partnership fully supports the principles of clinical and corporate governance and recognises the power of public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients, the public and staff and commercially sensitive information. Acle Medical Partnership also recognises the need to share information with commissioners, partners and other third parties in a controlled manner consistent with the established lawful basis.
This overarching Information Governance Policy and the associated protocols set out Acle Medical Partnership’s policy with respect to the governance of:
- Information and Cyber Security
- Data Quality and Records Management
Statutory Mandatory Framework
This policy serves to support Acle Medical Partnership to navigate and comply with the complex framework within which Information Governance operates.
This framework includes but is not limited to:
- NHS Act 2006
- Health and Social Care Act 2012
- Data Protection Act 2018
- Human Rights Act 1998
- Common Law Duty of Confidence
- Computer Misuse Act 1990
- General Data Protection Regulation (EU) 2016/679
- Mental Health Capacity Act 2005
- Children Act 1989
- DH Records Management Code of Practice
- DH Information Security Code of Practice
- DH Confidentiality Code of Practice
The Acle Medical Partnership has overall responsibility for Information Governance at Acle Medical Partnership. As the senior accountable officer, he/she is responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to provide the necessary assurance to internal and external stakeholders.
Acle Medical Partnership has a particular responsibility for ensuring that Acle Medical Partnership meets its corporate legal responsibilities, and for the adoption of internal and external governance requirements.
Senior Information Risk Owner (SIRO)
- leads and fosters a culture that values, protects and uses information for the success of the organisation and benefit of its customers.
- owns the organisation’s overall information risk policy and risk assessment processes and ensures they are implemented consistently by Information Asset Owners / Administrators.
- owns the organisation’s information incident management framework.
Information Asset Owners (IAOs)
The IAO will:
- Hold local responsibility for information risk management, devolved by the SIRO to the relevant directors and department leads.
- Business function leads within Acle Medical Partnership have overall responsibility for the management of risks generated by their information assets and are supported on a daily basis by Information Asset Administrators.
Caldicott Guardian Function
The Caldicott Guardian will:
- produce procedures, guidelines and protocols to support staff in the appropriate management of patient information.
- provide a point of escalation and specialist advice for staff with respect to information sharing, acting as the conscience of the organisation.
- bring to the attention of the relevant manager any occasion where the appropriate procedures, guidelines and protocols may have not been followed and raise concerns about any inappropriate uses made of patient information where necessary.
Data Protection Officer (DPO)
The DPO will:
- inform and advise the organisation and its employees about their obligations to comply with the data protection legislation.
- monitor compliance with the data protection legislation, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, patients etc).
All staff, whether clinical or administrative, who create, receive and use data have information governance responsibilities. Employees have a contractual and legal obligation to read and comply with all company policies and to attend mandatory training to support the appropriate management of information.
- Non-confidential information related to Acle Medical Partnership and its services will be available to the public through a variety of media, in line with Acle Medical Partnership’s overall commitment to transparency.
- Acle Medical Partnership will adopt and maintain clear procedures and arrangements for liaison with the press and broadcasting media.
- Acle Medical Partnership will adopt and maintain an Information Rights and Access Protocol and a Freedom of Information Protocol to provide guidance for handling queries from data subjects and the public.
Privacy and Information Rights
- Acle Medical Partnership is committed to the privacy of its patients, staff and the public. Acle Medical Partnership will undertake or commission annual assessments and audits of its compliance with privacy legislation and will adopt and maintain a protocol for the completion of Data Protection Impact Assessments.
- Acle Medical Partnership regards all Personal Data relating to staff as confidential except where national policy on accountability and openness requires otherwise.
- Acle Medical Partnership will adopt and maintain protocols to ensure compliance with the Data Protection Act, the General Data Protection Regulation, the Human Rights Act and the common law duty of confidence.
- Acle Medical Partnership will establish and maintain protocols for the controlled and appropriate sharing of personal information with other agencies, taking account of relevant legislation (e.g. Data Protection Act, Human Rights Act).
- Acle Medical Partnership will ensure that contractual or best practice documents are in place for routine sharing of information between sharing partners.
- Acle Medical Partnership will adopt and maintain protocols for the effective and secure management of its information assets and resources.
- Acle Medical Partnership will undertake or commission annual assessments and audits of its information and IT security arrangements.
- Acle Medical Partnership will promote effective information and cyber security practice to its staff through policies, procedures and training.
- Acle Medical Partnership will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of information and cyber security.
Information Quality and Records Management
- Acle Medical Partnership will establish and maintain protocols and procedures for information quality assurance and the effective management of records.
- Acle Medical Partnership will undertake or commission annual assessments and audits of its information quality and records management arrangements.
- Managers will be expected to take ownership of, and seek to improve, the quality of information within their services.
- Wherever possible, information quality will be assured at the point of collection.
- Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
- Acle Medical Partnership will promote information quality and effective records management through protocols, procedures/user manuals and training.
This policy should be read in conjunction with:
- Risk Management Policy
- Change Management Policy
- Information Rights and Access Protocol
- Information Sharing and Privacy Protocol
- Information Lifecycle and Data Quality Protocol
- Information / Cyber Security Protocol
- Information Incident Protocol
- Information Risk and Audit Protocol
- Data Protection Impact Assessment Protocol
- Freedom of Information Protocol
Compliance with this policy will be audited and the results fed into the Plan, Do, Check, Act Cycle described in the Information Risk and Audit Protocol.