Board paper information governance AUG 08

Trust Board – 27th August 2008
Information Governance
1. Overview
The NHS Chief Executive in his letter dated 4th December 2007 (gateway 9185) to all
NHS Trust Chief Executives requested that all NHS Organisations undertake a
series of actions to:
• Review the transfer of person identifiable data (PID), relating to both patients and staff;
• Confirm that the methods used for transfer of data were secure; and
• Take immediate remedial action where this was found not to be the case.
The NHS Chief Executive identified a number of specific requirements for securing data in transit, which were to be actioned immediately:
• Undertake a review of all Trust systems and procedures and take immediate action if any shortfalls were identified;
• Checking that control on movement of person identifiable data is in line with Department of Health (DOH) guidance;
• Not holding person identifiable data on portable media unless encrypted;
• No longer permitting bulk transfer of person identifiable data, unless absolutely needed for direct patient care and secure processes are in place;
• Ensuring that data protection, incident reporting and risk assessment processes are in place.
All NHS organisations were initially given two deadlines by which to complete these actions and provide assurance to their respective SHAs: 21st December 2007 for bulk transfers of personal data (51 data items and above) and 31st January 2008 for all other transfers of personal data. Both deadlines were met by NGH.
These measures were in addition to the Information Governance (IG) Toolkit assessment completed by each NHS organisation for submission to the DOH at the end of March each year. NGH submitted the assessment of version 5 of the IG Toolkit with a score of 75%, RAG status green.
A further letter from the NHS Chief Executive dated 20th May 2008 (gateway 9912) to all NHS Chief Executives requested that:
• PCTs review Trust action plans against the IG Toolkit annual returns.
• SHAs should consider an independent audit of PCTs and Trusts on their information governance standards associated with the NHS CFH information governance statement of compliance as part of the IG Toolkit.
• SHAs should ensure that all organisations have appropriate access to information governance subject matter experts.
• All NHS organisations must now include details of Serious Untoward Incidents involving data loss or confidentiality in their Annual Reports for 2007/8.
• All NHS organisations must now make specific reference to information governance in terms of identifying and managing information risks in their Annual Statement of Internal Controls Form 2007/8 onwards.
• All NHS organisations must identify a Senior Information Risk Owner at Board level who will be required to take ownership of the organisation's Information Risk Policy, act as an advocate for information risk on the Board and provide written advice to the accounting officer on the content of their Statement of Internal Control in regard to information risk.
2. Process and Timescales
East Midlands SHA has now instigated an independent audit of Trusts' information governance standards, which will be carried out by East Midlands NHS Internal Audit Services and will be completed by 30th September 2008 (see Annex A).
Northampton PCT has now been tasked by the SHA to review each Trust's prospective IG Toolkit scores for March 2009, identifying risks and issues associated with achieving the predicted scores and ensuring that Trusts provide RAG-rated action plans to mitigate the associated risks. This assessment must be completed by 1st September 2008.
3. Progress and Governance Arrangements
The Trust has taken action to ensure that:
• Details of any Serious Untoward Incidents involving data loss or confidentiality were included in the Annual Report for 2007.
• Specific reference to information governance in terms of identifying and managing information risks was reflected in the ‘Annual Statement of Internal Controls Form 2007’.
• A Task and Finish Group has been set up to review action plans and provide the relevant evidence to support the Trust's IG Toolkit assessment, to respond to Northampton PCT by 1st September 2008 and to submit the IG Toolkit version 6 assessment to the DOH by the end of March 2009. The Task and Finish Group will be chaired by the Director of Planning and will report to the Information Governance Group (chaired by the Medical Director) for approval of the risk issues, actions and final IG Toolkit assessment. Each directorate will identify an Information Governance Lead to ensure that the requirements of the IG Toolkit are embedded within directorates, creating directorate experts who will be trained and supported by the Data Protection Manager.
• The Director of Planning will respond to the East Midlands NHS Internal Audit on information governance standards, submitting the response and evidence to the Integrated Governance Committee for approval prior to submission on 30th September 2008.
• The CEO will identify a Senior Information Risk Owner at Board level, approved by the Board, who will take ownership of the organisation's Information Risk Policy, act as an advocate for information risk on the Board and provide written advice to the accounting officer on the content of their Statement of Internal Control in regard to information risk.
4. Conclusion
As part of the DOH Information Governance Assurance Programme the Trust must ensure that it has plans in place to respond to the ‘SHA Independent Audit on Information Governance Standards’. Further, the Trust must make certain that it has robust plans in place to undertake the IG Toolkit assessment for both the proposed and the final assessment scores.
The Trust will appoint a Senior Information Risk Owner at Board level to work with the Caldicott Guardian to provide assurance on information governance.
Expected Outcomes and Tasks – Appendix A

Phase 1 (Report Deadline: 21/12/07)
Expected Outcomes: Assurance to be provided by Trust CEO that:
• All bulk transfers of P.I.D have been identified and reviewed.
• Remedial action has been taken to suspend insecure bulk flows of P.I.D.
Tasks:
• Identify, risk-assess and document data flows on the spreadsheet provided.

Phase 2 (Report Deadline: 31/01/08)
Expected Outcomes: Assurance to be provided by Trusts that:
• Remedial action has been taken in regard of insecure bulk flows of P.I.D.
• All bulk transfers of P.I.D are secure.
• Other high risk areas have been identified.
• Action is being taken to map and review risks for all other (non-bulk) flows of P.I.D.
Tasks:
• Highlight areas of key risk and implement immediate remedial action as necessary.
• Assign project lead to co-ordinate and support the data mapping process for all other flows of P.I.D.
• Assign responsibility to, and inform, department heads to identify and risk assess dataflows within their areas.
• Assign project lead(s) to coordinate work on the IG standards identified at Annex A.

Phase 3 (Report Deadline: 29/02/08)
Expected Outcomes: Assurance to be provided by Trusts that:
• All other (non-bulk) flows of P.I.D have been identified and reviewed.
• Remedial action has been taken in regard to risk areas.
• All non-bulk flows of P.I.D are secure, or risks mitigated.
• All required security policies are in place.
• An incident reporting policy is in place.
Tasks:
• Carry out review of P.I.D flows using the spreadsheet or mapping tool and risk criteria provided by NHS CFH.
• Highlight areas of key risk and implement immediate remedial action as necessary.
• Review incident reporting procedures to ensure these include a process for reporting/investigating P.I.D incidents.
• Review other procedures relating to transfer of data, including courier services, data encryption, confidential waste, etc.

Phase 4 (Report Deadline: 31/03/08)
Expected Outcomes: All required assurance to be provided by Trust CEO.
Tasks:
• Complete and submit signed Statement of Compliance to NHS CFH.
• Complete and submit Information Governance Toolkit assessment (v5).
• Complete and submit the assurance statement provided at Annex D to the SHA.