Trust Board Meeting: Wednesday 12 November 2014
TB2014.129
Title: Update on Information Governance: Mid-Year Self-assessment against Information Governance Toolkit
Status: For discussion
History: Bi-annual Update
Board Lead(s): Andrew Stevens, Director of Planning and Information
Key purpose: Strategy, Assurance, Policy, Performance
TB2014.129 Update Information Governance Mid-Year Review
Page 1 of 13
Oxford University Hospitals
Executive Summary
1. A self-assessment of the Information Governance toolkit was undertaken in October 2014 and it is anticipated that the Trust will score level 3 in 43 out of 45 toolkit standards.
2. A cyber security audit was undertaken in August 2014. The Trust is developing an action plan in response to the audit findings.
3. 289 freedom of information requests were made to the Trust in the first half of this financial year. The percentage of requests responded to within 20 working days was on average 69%.
4. A new standard operating procedure to manage freedom of information requests has been developed. The Trust publication scheme has been revised so that it is now fully compliant with the Information Commissioner’s Office standards.
5. Recommendation
The Trust Board is asked to note this paper.
Information Governance (IG) Mid-year Update
1. Introduction
1.1. This paper sets out the work that has been undertaken within the Information Governance Department over the first six months of financial year 2014/15.
2. Information Governance Toolkit
2.1. The Information Governance Toolkit is a set of information governance requirements drawn from central guidance and Department of Health policy. Organisations that process patient data are required to carry out self-assessments of their compliance, which are grouped under the following headings:
2.1.1. Management structures and responsibilities (e.g. assigning responsibility for carrying out the IG assessment, providing staff training, etc.).
2.1.2. Confidentiality and data protection.
2.1.3. Information security.
2.2. The purpose of the assessment is to enable organisations to measure their compliance and so to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction.
2.3. The toolkit requires three assessments to be undertaken during the course of a financial year: an initial baseline score submitted at the end of July, a mid-year update score at the end of October and a final published score at the end of March. More detailed information concerning baseline scoring against set parameters can be found in appendix one. The Trust toolkit self-assessment scores for the past 5 years are presented below.
[Chart: Toolkit Self Assessment Scores (%) by year, 2010/11 to 2014/15, showing Baseline, Target and Published scores]
2.4. The chart demonstrates that assessed compliance has been increasing year on year, with target scores closely mirroring actual year-end scores. It is anticipated that by year end 2014/15, 43 out of 45 toolkit standards will be scored at level 3.
2.5. In order to ensure accurate self-assessment, the toolkit is externally audited annually by KPMG. The next audit is due to commence on 20 October 2014, prior to the submission of the Trust’s mid-year toolkit assessment.
3. Information Governance Data Quality Group
3.1. It is the role of the Information Governance Data Quality Group to oversee the work of the information governance department. The overall board lead is the Senior Information Risk Owner, with the Information Governance section of the meeting being chaired by the Trust Caldicott Guardian. Meetings are held six-weekly and so far in 2014/15 the group has met five times. The group is comprised of representatives from all Divisions and its remit is to ensure the Trust complies with statutory responsibilities, fulfils its legal obligations in terms of confidentiality and data protection, and manages high quality information efficiently within a robust governance structure.
3.2. A work programme has been developed to ensure that important objectives are
met during the financial year. Progress against this workplan to date is
presented in appendix two. Work undertaken this year includes the revision and
development of policies, management and assessment of risks such as the use
of fax machines, audit of corporate records, review of Trust intranet and internet
IG pages and the development of staff and patient feedback surveys.
3.3. Examples of work still to be undertaken include completion of a database for
documenting information assets and flows, further development of the Trust FOI
publication scheme, review of the use of fax machines and the transfer of
personal data domestically and overseas, and the development of a new
interactive learning and development tool.
4. Information Governance Risks
4.1. Currently the risk register comprises three global information governance risks.
4.1.1. The Trust not having the resources, systems and/or processes to achieve and maintain level 2 on all requirements of the IG toolkit.
4.1.2. Data unavailability or loss via poor records management, inappropriate transmission, loss of portable media, laptop/desktop/device theft, unsecured waste disposal, non-compliant transcription services, and/or incorrect or excessive disclosure.
4.1.3. OUH served with an improvement or decision notice, or financial penalty
by the ICO due to breaches in confidentiality/non-compliance with the
Data Protection Act.
4.2. A further two risk assessments have been undertaken concerning the use of fax
machines and portable devices. The group decided to review all risks, scoring
their constituent parts, to gain a better understanding of where the highest risks
are located.
4.3. Spot checks of information governance arrangements in departments began in
October 2014. The completion of these should assist Divisions to identify their
information governance risks and provide valuable intelligence to the Trust
SIRO. The results of spot checks will be reported to the Information
Governance Data Quality Group.
5. Information Governance Incidents
5.1. Serious Incidents Requiring Investigation
5.1.1. No information governance serious incidents requiring investigation have
been reported in the first half of 2014/15.
5.2. Incidents
5.2.1. All incidents reported under the categories of consent, confidentiality,
communications and information governance, documentation and
records (including EPR) are reported to the department leads as well as
the information governance team. The responsibility for investigating
these incidents remains with the departmental manager. However, where
incidents are believed to be serious or require additional input the
information governance team will assist with the investigation.
5.2.2. The charts presented below show the split of reported incidents between these two categories and their harm rate.
IG Incidents by Category, First 6 Months 2014/15: Documentation and Records (including EPR) 71 (41%); Consent, Confidentiality, Communications & Information Governance 103 (59%).
IG Incidents Harm Rate, First 6 Months 2014/15: No harm 162; Minor 8; Moderate 2.
5.2.3. The majority of incidents that were reported resulted in no harm. Those
with minor harm mainly related to loss of portable written information.
Work has been undertaken to promote the safe handling of written
information through the purchasing of confidential waste bins and posters
at all exits to Trust sites as well as ticker tape messages to staff to
remind them of their responsibility to safely dispose of information.
5.2.4. The moderate incidents reported relate to the security of information and
are still under investigation.
6. Cyber Security
6.1. In August 2014 KPMG undertook a Cyber Security Audit of the Trust. The purpose of the audit was to assess the maturity of cyber controls against government standards in combination with internationally accepted maturity models. The domains examined were leadership and governance, human elements, information risk management, business continuity, operations and technology, and legal and compliance.
6.2. The audit report identified some key recommendations for implementation
which include:
6.2.1. Assigning a specific cyber risk owner at board level
6.2.2. Implementation of a security awareness programme
6.2.3. Development of assurance and board sign off regarding EPR disaster
recovery plan testing
6.2.4. Development of user access management assurance for departmental
systems
6.3. A meeting has been held with KPMG to discuss the audit findings with a further
meeting being scheduled in the near future to develop an action plan.
7. Cases Involving the Information Commissioner’s Office (ICO)
7.1. Two complaints were made to the ICO in the first half of 2014/15. No formal
action has been taken by the ICO other than referring the complaints back to
the Trust to be addressed. The complaints related to the security of medical
records received in July 2014 and disclosure of information to clinicians
received in August 2014.
8. Freedom of Information
8.1. A full time FOI Officer was appointed and began work at the Trust in early May 2014. Since their appointment, the FOI Officer has reviewed the FOI process, a new standard operating procedure has been written, and the Trust publication scheme has been revised so that it is now compliant with ICO requirements.
8.2. Detail concerning FOI performance is presented below.

Performance 2014/15                           April   May   June   July   August   Sept   Total
# FOI Requests Received                          50    41     33     65       49     51     289
Clarified and Remain Outstanding                  5     1      0      5        7      4      22
% Sent within 20 days                           74%   59%    68%    80%      67%    76%     69%
Reasons for breaching 20 day response target
Complex Request                                   4     4      5      4        9      6      32
Internal Delay                                    4     7      5      6        6      3      31
Final Revision                                    3     4      3      2        4      5      21
Administrative Delay                              2     2      1      1        2      0       8
8.3. The number of FOI requests received by the Trust is broadly the same as in the same period of the last financial year. In the first half of 2014/15, 289 requests were received up to the end of September, compared to 299 requests received in 2013/14 up to mid-October 2013.
8.4. The average compliance rate for the completion of FOI requests within 20 working days in the first half of 2014/15 is 69%. The process for acknowledgement and requesting information has been reviewed and the timescale for initial work by the FOI Officer has been shortened. It is hoped that this will increase the average compliance rate by allowing more time for the request to be checked and signed off. One third of requests that did not meet the timescale were due to the complexity and nature of the request. Additionally, these requests often involved a number of services, making the drawing together of data sources more difficult.
Andrew Stevens, Director of Planning and Information
Report prepared by Nuala Buchan-Brodie, Information Governance and Records Manager
Appendix 1 – IG Toolkit Status Up-date following Submission of Baseline Score
Legend:
Requirement has not been answered
Requirement has not been reviewed
Requirement is not scored at the required level
Requirement is scored at or above the required level
Requirement | Description | Baseline | Latest
101 | There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda | 2 | 2
105 | There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans | 3 | 3
110 | Formal contractual arrangements that include compliance with information governance requirements are in place with all contractors and support organisations | 3 | 3
111 | Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation | 3 | 3
112 | Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained | 3 | 3
200 | The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs | 2 | 2
201 | Staff are provided with clear guidance on keeping personal information secure, on respecting the confidentiality of service users, and on the duty to share information for care purposes | 2 | 2
202 | Personal information is shared for care but is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected | 2 | 2
203 | Individuals are informed about the proposed uses of their personal information | 2 | 3
205 | There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data | 3 | 3
206 | There are appropriate confidentiality audit procedures to monitor access to confidential personal information | 1 | 2
207 | Where required, protocols governing the routine sharing of personal information have been agreed with other organisations | 3 | 3
209 | All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines | 3 | 3
210 | All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements | 2 | 2
300 | The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs | 2 | 2
301 | A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed | 2 | 2
302 | There are documented information security incident / event reporting and management procedures that are accessible to all staff | 3 | 3
303 | There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority | 2 | 2
304 | Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use | 3 | 3
305 | Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems | 2 | 2
307 | An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy | 3 | 3
308 | All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers | 2 | 2
309 | Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place | 2 | 2
310 | Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error | 2 | 2
311 | Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code | 2 | 2
313 | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely | 2 | 2
314 | Policy and procedures ensure that mobile computing and teleworking are secure | 2 | 2
323 | All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures | 2 | 2
324 | The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate | 2 | 2
400 | The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience | 3 | 3
401 | There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements | 2 | 2
402 | Procedures are in place to ensure the accuracy of service user information on all systems and/or records that support the provision of care | 3 | 3
404 | A multi-professional audit of clinical records across all specialties has been undertaken | 3 | 3
406 | Procedures are in place for monitoring the availability of paper health/care records and tracing missing records | 3 | 3
501 | National data definitions, standards, values and validation programmes are incorporated within key systems and local documentation is updated as standards develop | 3 | 3
502 | External data quality reports are used for monitoring and improving data quality | 3 | 3
504 | Documented procedures are in place for using both local and national benchmarking to identify data quality issues and analyse trends in information over time, ensuring that large changes are investigated and explained | 2 | 2
505 | An audit of clinical coding, based on national standards, has been undertaken by a Clinical Classifications Service (CCS) approved clinical coding auditor within the last 12 months | 2 | 2
506 | A documented procedure and a regular audit cycle for accuracy checks on service user data is in place | 3 | 3
507 | The Completeness and Validity check for data has been completed and passed | 2 | 2
508 | Clinical/care staff are involved in validating information derived from the recording of clinical/care activity | 2 | 2
510 | Training programmes for clinical coding staff entering coded clinical data are comprehensive and conform to national clinical coding standards | 2 | 2
601 | Documented and implemented procedures are in place for the effective management of corporate records | 3 | 3
603 | Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000 | 3 | 3
604 | As part of the information lifecycle management strategy, an audit of corporate records has been undertaken | 2 | 2
Total (%) | | 80% | 81%
Appendix 2 – Information Governance Workplan 2014/15 – October 2014
Information Governance Work Programme 2014/15 (October update)

Task | Toolkit Ref | Date | Lead | Status
Approve 2014-15 work programme | 101 | April | NB-B | Complete
Review IG Risks and update Health Assure | | April, July, Oct, Jan. | NB-B | In progress
Review of IGTK V11 results | | April | MH | Complete
Review and update contents of the IG Intranet site | | April onwards | NB-B | Complete
Review IG suite of policies and procedures, approve at IGDQG | | April onwards | NB-B | In progress
Create comprehensive list of contractors and third parties that have access to information and/or information assets. Ensure contracts reviewed annually. | 110, 302 | April onwards and by 31.01.15 | NB-B | In progress
Review IG Training Needs Assessment and Develop Training Plan | 111, 112 | April onwards and by 30.06.14 | NB-B |
Complete Trust-wide information mapping exercise | 308 | April onwards and by 30.09.14 | NB-B |
Assessment of transfers of personally identifiable information to countries outside the UK. Transfers should be fully documented, reviewed and tested to ensure compliance with the DPA and the IG tool kit. | | 31.12.14 | |
Plan audit of corporate records (in at least 4 corporate areas) | 604 | December | |
Update Trust privacy statement | | 31.08.14 | |
Review and update Publication Scheme and FOI intranet pages | 603 | By 31.01.15 | |
Review of use of fax machines within the Trust (from IGDQ minute 13-14/009) | | 30.09.14 | |
IGTK V12 baseline submission score | All | July | NB-B | Complete
IGTK V12 update submission score | All | October | NB-B | Planned
SIRO report and IGTK v12 final submission report | All | April 2015 | RH | Planned
Carry out spot checks to confirm staff understanding of IG responsibilities | 111, 112 | By 31.01.15 | NB-B | In progress
Carry out service user satisfaction survey to record whether SUs trust OUH to hold information securely (previously deemed to be done via annual survey but consider more targeted questions) | 201 | By 31.01.15 | NB-B | In progress
Approval of IGTK V12 final submission score | All | 31.03.15 | NB-B | Planned
IGTK v12 Updates to IGDQ | All | After each submission | NB-B | In progress
EPR Implementation Updates to IGDQ | | 6 weekly | PA | In progress
RA Updates to IGDQ (to include annual audit to cover smartcards, RA hardware (computers, scanners and smartcard readers) and consumables) | 303, 304 | 6 weekly | HJ |
IG Incidents/Confidentiality Breaches Updates to IGDQ | | 6 weekly | NB-B | Ongoing
Review of IG Key Documents Programme 2013/14 | | 6 weekly | NB-B | Ongoing
ICO News Releases Update to IGDQ | | 6 weekly | NB-B | Ongoing
FOI performance update to IGDQ | | Quarterly (June, Sept, Dec, Mar) | NB-B | Ongoing
Annual FOI performance update to the Health Informatics Committee | | March | NB-B | Planned
IG bi-annual report to the Health Informatics Committee | | Bi-annually (Sept, Mar) | NB-B | Ongoing
Annual Subject Access Request Report | 205 | End of March 2015 for April 2015 | BW | Planned
Review and update evidence for all level 3 toolkit requirements | All not listed below | 31 March 2015 | NB-B | In progress

[Note: for the rows from "Review IG Training Needs Assessment" to "Review of use of fax machines" the extracted page does not preserve which row each remaining Lead and Status entry belongs to; in document order they read Lead: NB-B, CB, NB-B, NB-B and Status: Complete, Complete, Complete, In progress, In progress, In progress. Only one Status entry ("In progress") survives for the EPR Implementation and RA Updates rows.]