Trust Board Meeting: Wednesday 12 November 2014
TB2014.129

Title: Update on Information Governance: Mid-Year Self-assessment against Information Governance Toolkit
Status: For discussion
History: Bi-annual Update
Board Lead(s): Andrew Stevens, Director of Planning and Information
Key purpose: Strategy / Assurance / Policy / Performance

TB2014.129 Update Information Governance Mid-Year Review
Oxford University Hospitals

Executive Summary

1. A self-assessment of the Information Governance toolkit was undertaken in October 2014 and it is anticipated that the Trust will score level 3 in 43 out of 45 toolkit standards.

2. A cyber security audit was undertaken in August 2014. The Trust is developing an action plan in response to the audit findings.

3. 289 freedom of information requests were made to the Trust in the first half of this financial year. The percentage of requests responded to within 20 working days was on average 69%.

4. A new standard operating procedure to manage freedom of information requests has been developed. The Trust publication scheme has been developed so that it is now fully compliant with the Information Commissioner's Office standards.

5. Recommendation
The Trust Board is asked to note this paper.

Information Governance (IG) Mid-year Update

1. Introduction

1.1. This paper sets out the work which has been undertaken within the Information Governance Department over the first six months of financial year 2014/15.

2. Information Governance Toolkit

2.1. The Information Governance Toolkit is a set of information governance requirements drawn from central guidance and Department of Health policy. Organisations that process patient data are required to carry out self-assessments of their compliance, which are grouped under the following headings:
2.1.1. Management structures and responsibilities (e.g. assigning responsibility for carrying out the IG assessment, providing staff training, etc.).
2.1.2. Confidentiality and data protection.
2.1.3. Information security.

2.2. The purpose of the assessment is to enable organisations to measure their compliance, to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction.

2.3. The toolkit requires three assessments to be undertaken during the course of a financial year: an initial baseline score, which is submitted at the end of July; a mid-year update score at the end of October; and a final published score at the end of March. More detailed information concerning baseline scoring against set parameters can be found in appendix one. The Trust toolkit self-assessment scores for the past 5 years are presented below.

[Chart: Toolkit Self Assessment Scores (%) for 2010/11 to 2014/15; series: Baseline, Target, Published]

2.4. The chart demonstrates that assessed compliance has been increasing year on year, with target scores closely mirroring actual year-end scores. It is anticipated that by year end 2014/15, 43 out of 45 toolkit standards will be scored at level 3.

2.5. In order to ensure accurate self-assessment, the toolkit is externally audited annually by KPMG. The next audit is due to commence on 20 October 2014, prior to the submission of the Trust's mid-year toolkit assessment.

3. Information Governance Data Quality Group

3.1. It is the role of the Information Governance Data Quality Group to oversee the work of the information governance department. The overall board lead is the Senior Information Risk Officer, with the Information Governance section of the meeting being chaired by the Trust Caldicott Guardian. Meetings are held six-weekly and so far in 2014/15 the group has met five times.
The group is comprised of representatives from all Divisions and its remit is to ensure that the Trust complies with its statutory responsibilities, fulfils its legal obligations in terms of confidentiality and data protection, and manages high quality information efficiently within a robust governance structure.

3.2. A work programme has been developed to ensure that important objectives are met during the financial year. Progress against this workplan to date is presented in appendix two. Work undertaken this year includes the revision and development of policies, the management and assessment of risks such as the use of fax machines, an audit of corporate records, a review of the Trust intranet and internet IG pages, and the development of staff and patient feedback surveys.

3.3. Examples of work still to be undertaken include completion of a database for documenting information assets and flows, further development of the Trust FOI publication scheme, a review of the use of fax machines and of the transfer of personal data domestically and overseas, and the development of a new interactive learning and development tool.

4. Information Governance Risks

4.1. Currently the risk register comprises three global information governance risks:
4.1.1. The Trust not having the resources, systems and/or processes to achieve and maintain level 2 on all requirements of the IG toolkit.
4.1.2. Data unavailability or loss via poor records management, inappropriate transmission, loss of portable media, laptop/desktop/device theft, unsecured waste disposal, non-compliant transcription services, and/or incorrect or excessive disclosure.
4.1.3. OUH being served with an improvement or decision notice, or a financial penalty, by the ICO due to breaches of confidentiality or non-compliance with the Data Protection Act.

4.2. A further two risk assessments have been undertaken concerning the use of fax machines and portable devices. The group decided to review all risks, scoring their constituent parts, to gain a better understanding of where the highest risks are located.

4.3. Spot checks of information governance arrangements in departments began in October 2014. The completion of these should assist Divisions to identify their information governance risks and provide valuable intelligence to the Trust SIRO. The results of the spot checks will be reported to the Information Governance Data Quality Group.

5. Information Governance Incidents

5.1. Serious Incidents Requiring Investigation
5.1.1. No information governance serious incidents requiring investigation have been reported in the first half of 2014/15.

5.2. Incidents
5.2.1. All incidents reported under the categories of consent, confidentiality, communications and information governance, and documentation and records (including EPR) are reported to the department leads as well as to the information governance team. The responsibility for investigating these incidents remains with the departmental manager; however, where incidents are believed to be serious or to require additional input, the information governance team will assist with the investigation.

5.2.2. The charts presented below show the ratio of incidents reported in these two categories and their harm rate.

IG Incidents by Category, First 6 Months 2014/15:
  Documentation and Records (including EPR): 71 (41%)
  Consent, Confidentiality, Communications & Information Governance: 103 (59%)

IG Incidents Harm Rate, First 6 Months 2014/15:
  No harm: 162
  Minor: 8
  Moderate: 2

5.2.3. The majority of incidents that were reported resulted in no harm. Those with minor harm mainly related to the loss of portable written information.
Work has been undertaken to promote the safe handling of written information through the purchase of confidential waste bins and posters at all exits to Trust sites, as well as ticker-tape messages to staff to remind them of their responsibility to dispose of information safely.

5.2.4. The moderate incidents reported relate to the security of information and are still under investigation.

6. Cyber Security

6.1. In August 2014 KPMG undertook a Cyber Security Audit of the Trust. The purpose of the audit was to assess the maturity of cyber controls against government standards in combination with internationally accepted maturity models. The domains examined were leadership and governance, human elements, information risk management, business continuity, operations and technology, and legal and compliance.

6.2. The audit report identified some key recommendations for implementation, which include:
6.2.1. Assigning a specific cyber risk owner at board level.
6.2.2. Implementation of a security awareness programme.
6.2.3. Development of assurance and board sign-off regarding EPR disaster recovery plan testing.
6.2.4. Development of user access management assurance for departmental systems.

6.3. A meeting has been held with KPMG to discuss the audit findings, with a further meeting being scheduled in the near future to develop an action plan.

7. Cases Involving the Information Commissioner's Office (ICO)

7.1. Two complaints were made to the ICO in the first half of 2014/15. No formal action has been taken by the ICO other than referring the complaints back to the Trust to be addressed. The complaints related to the security of medical records (received in July 2014) and the disclosure of information to clinicians (received in August 2014).

8. Freedom of Information

8.1. A full-time FOI Officer was appointed and began work at the Trust in early May 2014. Since their appointment the FOI Officer has reviewed the FOI process, a new standard operating procedure has been written and the Trust publication scheme has been developed so that it is now compliant with ICO requirements.

8.2. Detail concerning FOI performance is presented below.

FOI Performance 2014/15

                                    April  May   June  July  Aug   Sept  Total
# FOI Requests Received              50     41    33    65    49    51    289
Clarified and Remain Outstanding      5      1     0     5     7     4     22
% Sent within 20 days                74%    59%   68%   80%   67%   76%   69%

Reasons for breaching 20 day response target
Complex Request                       4      4     5     4     9     6     32
Internal Delay                        4      7     5     6     6     3     31
Final Revision                        3      4     3     2     4     5     21
Administrative Delay                  2      2     1     1     2     0      8

8.3. The number of FOI requests received by the Trust is broadly the same as in the same period of the last financial year: 289 requests were received in the first half of 2014/15 up to the end of September, compared with 299 requests received in 2013/14 up to mid October 2013.

8.4. The average compliance rate for the completion of FOI requests within 20 working days in the first half of 2014/15 is 69%. The process for acknowledging requests and requesting information has been reviewed and the timescale for initial work by the FOI Officer has been shortened. It is hoped that this will increase the average compliance rate by allowing more time for the request to be checked and signed off. One third of the requests that did not meet the timescale were due to the complexity and nature of the request. Additionally, these requests often involved a number of services, making the drawing together of data sources more difficult.
Andrew Stevens, Director of Planning and Information
Report prepared by Nuala Buchan-Brodie, Information Governance and Records Manager

Appendix 1 – IG Toolkit Status Update following Submission of Baseline Score

Legend (colour-coded in the original): Requirement has not been answered; Requirement has not been reviewed; Requirement is not scored at the required level; Requirement is scored at or above the required level.

Req  Baseline  Latest  Requirement
101  2         2       There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda
105  3         3       There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans
110  3         3       Formal contractual arrangements that include compliance with information governance requirements are in place with all contractors and support organisations
111  3         3       Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation
112  3         3       Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained
200  2         2       The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation's assessed needs
201  2         2       Staff are provided with clear guidance on keeping personal information secure, on respecting the confidentiality of service users, and on the duty to share information for care purposes
202  2         2       Personal information is shared for care but is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so, and objections to the disclosure of confidential personal information are appropriately respected
203  2         3       Individuals are informed about the proposed uses of their personal information
205  3         3       There are appropriate procedures for recognising and responding to individuals' requests for access to their personal data
206  1         2       There are appropriate confidentiality audit procedures to monitor access to confidential personal information
207  3         3       Where required, protocols governing the routine sharing of personal information have been agreed with other organisations
209  3         3       All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
210  2         2       All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements
300  2         2       The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation's assessed needs
301  2         2       A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed
302  3         3       There are documented information security incident / event reporting and management procedures that are accessible to all staff
303  2         2       There are established business processes and procedures that satisfy the organisation's obligations as a Registration Authority
304  3         3       Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use
305  2         2       Operating and application information systems (under the organisation's control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems
307  3         3       An effectively supported Senior Information Risk Owner takes ownership of the organisation's information risk policy and information risk management strategy
308  2         2       All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
309  2         2       Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place
310  2         2       Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error
311  2         2       Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code
313  2         2       Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
314  2         2       Policy and procedures ensure that mobile computing and teleworking are secure
323  2         2       All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures
324  2         2       The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate
400  3         3       The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience
401  2         2       There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements
402  3         3       Procedures are in place to ensure the accuracy of service user information on all systems and/or records that support the provision of care
404  3         3       A multi-professional audit of clinical records across all specialties has been undertaken
406  3         3       Procedures are in place for monitoring the availability of paper health/care records and tracing missing records
501  3         3       National data definitions, standards, values and validation programmes are incorporated within key systems and local documentation is updated as standards develop
502  3         3       External data quality reports are used for monitoring and improving data quality
504  2         2       Documented procedures are in place for using both local and national benchmarking to identify data quality issues and analyse trends in information over time, ensuring that large changes are investigated and explained
505  2         2       An audit of clinical coding, based on national standards, has been undertaken by a Clinical Classifications Service (CCS) approved clinical coding auditor within the last 12 months
506  3         3       A documented procedure and a regular audit cycle for accuracy checks on service user data is in place
507  2         2       The Completeness and Validity check for data has been completed and passed
508  2         2       Clinical/care staff are involved in validating information derived from the recording of clinical/care activity
510  2         2       Training programmes for clinical coding staff entering coded clinical data are comprehensive and conform to national clinical coding standards
601  3         3       Documented and implemented procedures are in place for the effective management of corporate records
603  3         3       Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000
604  2         2       As part of the information lifecycle management strategy, an audit of corporate records has been undertaken

Total (%)  Baseline 80%  Latest 81%

Appendix 2 – Information Governance Workplan 2014/15 – October 2014

Information Governance Work Programme 2014/15 (October update)

Task: Approve 2014-15 work programme
  Toolkit ref: 101 | Date: April | Lead: NB-B | Status: Complete

Task: Review IG Risks and update Health Assure
  Date: April, July, Oct, Jan | Lead: NB-B | Status: In progress

Task: Review of IGTK V11 results
  Date: April | Lead: MH | Status: Complete

Task: Review and update contents of the IG Intranet site
  Date: April onwards | Lead: NB-B | Status: Complete

Task: Review IG suite of policies and procedures, approve at IGDQG
  Date: April onwards | Lead: NB-B | Status: In progress

Task: Create comprehensive list of contractors and third parties that have access to information and/or information assets. Ensure contracts reviewed annually.
  Toolkit ref: 110, 302 | Date: April onwards and by 31.01.15 | Lead: NB-B | Status: In progress

Task: Review IG Training Needs Assessment and Develop Training Plan
  Toolkit ref: 111, 112 | Date: April onwards and by 30.06.14 | Lead: NB-B | Status: Complete

Task: Complete Trust-wide information mapping exercise
  Toolkit ref: 308 | Date: April onwards and by 30.09.14 | Lead: NB-B | Status: In progress

Task: Assessment of transfers of personally identifiable information to countries outside the UK. Transfers should be fully documented, reviewed and tested to ensure compliance with the DPA and the IG toolkit.
  Date: 31.12.14

Task: Plan audit of corporate records (in at least 4 corporate areas)
  Toolkit ref: 604 | Date: December | Lead: NB-B | Status: Complete

Task: Update Trust privacy statement
  Date: 31.08.14 | Lead: CB | Status: Complete

Task: Review and update Publication Scheme and FOI intranet pages
  Toolkit ref: 603 | Date: By 31.01.15 | Lead: NB-B | Status: In progress

Task: Review of use of fax machines within the Trust (from IGDQ minute 13-14/009)
  Date: 30.09.14 | Lead: NB-B | Status: In progress

Task: IGTK V12 baseline submission score
  Toolkit ref: All | Date: July | Lead: NB-B | Status: Complete

Task: IGTK V12 update submission score
  Toolkit ref: All | Date: October | Lead: NB-B | Status: Planned

Task: SIRO report and IGTK v12 final submission report
  Toolkit ref: All | Date: April 2015 | Lead: RH | Status: Planned

Task: Carry out spot checks to confirm staff understanding of IG responsibilities
  Toolkit ref: 111, 112 | Date: By 31.01.15 | Lead: NB-B | Status: In progress

Task: Carry out service user satisfaction survey to record whether SUs trust OUH to hold information securely (previously deemed to be done via annual survey but consider more targeted questions)
  Toolkit ref: 201 | Date: By 31.01.15 | Lead: NB-B | Status: In progress

Task: Approval of IGTK V12 final submission score
  Toolkit ref: All | Date: 31.03.15 | Lead: NB-B | Status: Planned

Task: IGTK v12 Updates to IGDQ
  Toolkit ref: All | Date: After each submission | Lead: NB-B | Status: In progress

Task: EPR Implementation Updates to IGDQ
  Date: 6 weekly | Lead: PA | Status: In progress

Task: RA Updates to IGDQ (to include annual audit to cover smartcards, RA hardware (computers, scanners and smartcard readers) and consumables)
  Toolkit ref: 303, 304 | Date: 6 weekly | Lead: HJ

Task: IG Incidents/Confidentiality Breaches Updates to IGDQ
  Date: 6 weekly | Lead: NB-B | Status: Ongoing

Task: Review of IG Key Documents Programme 2013/14
  Date: 6 weekly | Lead: NB-B | Status: Ongoing

Task: ICO News Releases Update to IGDQ
  Date: 6 weekly | Lead: NB-B | Status: Ongoing

Task: FOI performance update to IGDQ
  Date: Quarterly (June, Sept, Dec, Mar) | Lead: NB-B | Status: Ongoing

Task: Annual FOI performance update to the Health Informatics Committee
  Date: March | Lead: NB-B | Status: Planned

Task: IG bi-annual report to the Health Informatics Committee
  Date: Bi-annually (Sept, Mar) | Lead: NB-B | Status: Ongoing

Task: Annual Subject Access Request Report
  Toolkit ref: 205 | Date: End of March 2015 for April 2015 | Lead: BW | Status: Planned

Task: Review and update evidence for all level 3 toolkit requirements
  Toolkit ref: All not listed below | Date: 31 March 2015 | Lead: NB-B | Status: In progress