Information Risk Policy
Version 2

Name of responsible (ratifying) committee: Information Governance Steering Group
Date ratified: 12 March 2014
Document Manager (job title): Information Governance Manager
Date issued: 08 August 2014
Review date: 07 August 2016
Electronic location: Management Policies
Related Procedural Documents: Information Governance Policy, Data Protection Policy, Confidentiality Code of Conduct, Information Governance Strategy, ICT Security Policy
Key Words (to aid with searching): Information Risk, Data Protection, Information Asset, Information Asset Owner, Information Asset Administrator, Senior Information Risk Owner, Information Governance

Version Tracking
Version: 2
Date Ratified: 12 March 2014
Brief Summary of Changes: No material changes
Author: IG Manager

Information Risk Policy | Issue Number: 2 | Issue Date: August 2014 | Review date: August 2016 (unless requirements change)

QUICK REFERENCE GUIDE

This policy must be followed in full when developing or reviewing and amending Trust procedural documents. For quick reference the guide below is a summary of actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy. The quick reference can take the form of a list or a flow chart, if the latter would more easily explain the key issues within the body of the document.

1. The aim of information risk management is not to eliminate risk, but rather to provide the structural means to identify, prioritise, and manage the risks involved in all Trust activities.
2. Information risk management should be embedded into business processes and functions. This is achieved through key approval and review processes / controls, rather than by imposing risk management as an extra requirement.
3. Information Risks are risks that relate to the loss, damage, or misuse of information, or which threaten the confidentiality, integrity or availability of an information asset, especially information which is personal or confidential in nature.
4. All staff should be aware of information risk management, how to raise risks and incidents, and have responsibility for ensuring that information is kept secure.
5. Information Assets are generally administration systems or databases used to process personal identifiable data (PID) directly, or used in any way that has the potential to affect the confidentiality / integrity / availability / legal processing of PID.
6. Information risks should be managed in a robust way within work areas and should not be seen as something that is the sole responsibility of ICT or Information Governance staff.
7. Managers must acknowledge that information is valuable and that risks must be mitigated. They must demonstrate the importance of handling information through their decisions and actions.
8. All incidents that constitute an actual or potential loss of information, which could potentially lead to a breach of confidentiality, are to be reported directly to the Risk Management Department.
9. Information Asset Owners are responsible for overseeing the completion and regular review and update of their Information Asset Registers.
10. Information Asset Owners must provide an annual assurance report to the SIRO on the risk status of their Information Assets and any other areas of information risk considered appropriate.
11. When new Information Assets are considered, the Trust must follow its formal due diligence processes. These will be triggered through submission of business cases and where privacy impact assessments are identified as required. A completed and agreed Privacy Impact Assessment will be acceptable as an Information Risk Assessment.
12. When new Information Assets are to be introduced, the Trust must assess whether they are compliant, or required to be compliant, with The NHS Number Standard for Secondary Care and The NHS Care Records Guarantee (Commitment 11).
13. Information Assets should not be procured if they are unable to comply with the above standards.

1. INTRODUCTION

1.1 The Trust Board has approved the introduction and embedding of information risk management into the key controls and approval processes of all major business processes and functions of the Trust. This decision reflects the high level of importance placed on minimising information risk and safeguarding the interests of patients, staff and the Trust itself.

1.2 Information risk is inherent in all administrative and business activities, and everyone working for, or on behalf of, the Trust continuously manages information risk. The Board recognises that the aim of information risk management is not to eliminate risk, but rather to provide the structural means to identify, prioritise, and manage the risks involved in all Trust activities. It requires a balance between the cost of managing and treating information risks and the anticipated benefits that will be derived.

1.3 The Board acknowledges that information risk management is an essential element of broader information governance and is an integral part of good management practice. The intent is to embed information risk management in a very practical way into business processes and functions. This is achieved through key approval and review processes / controls, rather than by imposing risk management as an extra requirement.

2. PURPOSE

2.1 The purpose of this policy is to protect the Trust, its staff and its patients from information risk, where the likelihood of occurrence and the consequences are significant.
This policy will provide a consistent framework in which information risk will be identified, considered and addressed in key approval, review and control processes.

2.2 This will encourage proactive risk management, provide assistance to, and improve the quality of, decision making throughout the Trust, and help to safeguard the Trust’s information assets.

2.3 This policy is required to comply with the NHS Chief Executive’s communication (September 2008) with reference to the Government’s Data Handling Review (June 2008).

3. SCOPE

3.1 This policy is applicable to all areas of the Trust, and adherence should be included in all contracts for outsourced or shared services.

3.2 Whilst the Risk Management Strategy and associated risk management policies are applicable to all risks, this policy identifies those additional measures which are specific to the management of information risks.

‘In the event of an infection outbreak, flu pandemic or major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document. In such circumstances, staff should take advice from their manager and all possible action must be taken to maintain ongoing patient and staff safety.’

4. DEFINITIONS

4.1 Risk – the chance of something happening which would have an impact upon objectives. It is measured in terms of likelihood and severity.

4.2 Consequence – the outcome of an event or situation, expressed qualitatively or quantitatively, being a loss, disadvantage or gain. There may be a range of possible outcomes associated with an event.

4.3 Information Risk – a risk that relates to the loss, damage, or misuse of information, or which threatens the confidentiality, integrity or availability of an information asset, especially information which is personal or confidential in nature.

4.4 Likelihood – a qualitative description for probability or frequency.

4.5 Risk Assessment – the overall process of risk analysis and risk evaluation.

4.6 Risk Management – the culture, processes and structures directed towards the effective management of potential opportunities and adverse effects.

4.7 Risk Treatment – selection and implementation of appropriate options for dealing with risk which, conceptually, will involve one or a combination of the following strategies:
- Risk avoidance
- Reduction in the likelihood of occurrence
- Reduction in the consequences of occurrence
- Risk transference
- Risk tolerance / acceptance

4.8 Risk Management Process – the systematic application of management policies, procedures and practices to the task of establishing the context and identifying, analysing, evaluating, treating, monitoring and communicating risk.

4.9 Information Assets – in general, Information Assets will be administration systems or databases used to process PID directly, or used in any way that has the potential to affect the confidentiality / integrity / availability / legal processing of PID. The following outlines the main examples of Information Assets:
- Databases and data files
- System information and documentation
- Back-up and archive data
- Operations and support procedures
- Audit data
- Applications and system software
- Data encryption utilities
- Development and maintenance tools
- Paper records (including patient care notes and staff records)
- Environmental services necessary for the safe operation of Information Assets (e.g. power and air conditioning)
- Business continuity plans

4.10 Information Governance Compliance Framework – an Information Governance compliance monitoring and management tool on the Trust intranet.

5. DUTIES AND RESPONSIBILITIES

5.1 Accounting Officer
The Chief Executive is the Accounting Officer and has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level, where information risks are handled in a similar manner to other major risks such as financial, legal and reputational risks. The Accounting Officer is required to provide assurance, through the Statement of Internal Controls, that all risks to the Trust, including those relating to information, are effectively managed and mitigated.

5.2 Trust Board
It is the responsibility of the Trust Board to create a strong information handling culture, which permeates throughout the Trust and informs everyone’s approach to performing daily tasks, regardless of position and seniority.

5.3 Senior Information Risk Owner (SIRO)
The SIRO acts as an advocate for information risk on the Board and in internal discussions, and provides written advice to the Accountable Officer regarding the “information risk” elements of their annual Statement of Internal Control (SIC).

5.4 Information Asset Owners (IAOs)
IAOs are senior individuals involved in running the relevant business / service areas. The IAO role is to:
- understand and address risks to the information assets they ‘own’
- provide assurance to the SIRO on the security and use of these assets

5.5 Information Asset Administrators (IAAs)
IAAs provide support to their IAO. To do this they will:
- ensure that policies and procedures are followed
- recognise potential or actual security incidents
- consult their IAO on incident management
- ensure that information asset registers are accurate, maintained and kept up-to-date

5.6 Information Risk Management Group
Subject matter experts used to counsel the SIRO on general and specific information risk issues.

5.7 All staff should be aware of information risk management, how to raise risks and incidents, and have responsibility for ensuring that information is kept secure. Secure practices can help:
- avoid unauthorised disclosure, dissemination or access to information
- support appropriate storage, transportation, transfer and disposal of information

Information risk governance structure (diagram rendered as text):
- Trust Board
- Chief Executive / Accounting Officer
- Senior Information Risk Owner (SIRO): owner of the Information Risk Programme and of the risk assessment process for identified information security risks; informs the Statement of Internal Control. The SIRO is accountable to the Trust Board for the security of Information Assets and acts as an advocate for Information Risk on the Board. The SIRO liaises with the Head of Risk Management and Legal Services regarding the Statement of Internal Control.
- Information Risk Management Group (Head of IT / Information Governance Manager): holds regular Information Risk Management meetings with the SIRO; advises on current issues / potential solutions / courses of action to meet Information Risk expectations; counsels on general information risk issues, asset identification, asset classification and risk assessment; promotes best practice and requirements, and monitors compliance.
- Information Asset Owners: provide assurance to the SIRO that information risk is being effectively managed for each ‘owned’ asset.
- Information Asset Administrators: ensure policies and procedures are followed / recognise security incidents / maintain the asset register; report risks to Information Assets and other relevant Information Security incidents to the Risk Management Department.
- Risk Management Department: information security incidents are reported and investigated, involving the SIRO and other suitable panel representation.

6. PROCESS

Aims

6.1 The aim of information risk management is to:
- Protect the Trust, its staff and its patients from information risks where the likelihood of occurrence and the consequences are significant
- Provide a consistent risk management framework in which information risks will be identified, considered and addressed in key approval, review and control processes
- Encourage proactive rather than reactive risk management
- Provide assistance to, and improve the quality of, decision making throughout the Trust
- Meet legal or statutory requirements
- Assist in safeguarding the Trust’s information assets

6.1.1 The key requirement is for information risk to be managed in a robust way within work areas and not to be seen as something that is the sole responsibility of ICT or Information Governance staff. Assurance needs to be provided in a consistent manner. To achieve this, a structured approach is needed, building upon the existing Information Governance Compliance Framework. This structured approach relies upon the identification of information assets and assigning ‘ownership’ of assets to senior accountable staff (Information Asset Owners).

6.1.2 Information Asset Owners (IAOs) are supported by Information Asset Administrators (IAAs), who are operational staff with day-to-day responsibility for managing risks to their information assets. The IAOs are responsible for ensuring information risk is managed appropriately and for providing assurance to the SIRO.

6.1.3 The aim is to ensure that the approach to risk management:
- Takes full advantage of existing authority and responsibility structures where these are fit for purpose
- Associates tasks with appropriate management levels
- Avoids unnecessary impacts on day to day business
- Ensures that all the necessary activities are discharged in an efficient, effective, accountable and visible manner

Management Lead

6.2 Managers must acknowledge that information is valuable and that risks must be mitigated. They must demonstrate the importance of handling information through their decisions and actions.
- All staff should know good information handling as part of their job
- Senior staff will understand they are bound by the same rules as junior staff. They must not override, for reasons of convenience, risk controls
- All staff should be able to answer general questions about information protection and make sensible information risk decisions for themselves, including knowing the limits of their competence and when to defer to others for guidance
- All staff personal development plans should include competencies on information handling
- It is the responsibility of the Trust Board to ensure that the Trust has an open approach to incidents and learning
- The Trust Board must encourage staff to question instructions that seem inappropriate on information risk grounds and must encourage reporting of instances of inappropriate behaviour

Information Risk Management Programme

6.3 An information risk management programme must be aligned to the Trust Business Plan to support individual objectives and ensure they are adequately resourced.
The information risk management programme should cover:
- The balance between level of risk, tolerance of risk and the effort being used to manage the risk
- Identification of gaps between the current and target risk positions
- Progress being made against agreed information risk priorities
- The effectiveness of the risk management controls, including successes and failures

Information Risk Mitigation

6.4 Information risk mitigation must:
- Be commensurate with the level of risk – it does not need to remove the risk entirely
- Be kept simple so that it is manageable and can be communicated to staff
- Include monitoring and reporting on the ongoing level of information governance / confidentiality / information security breaches, so that the effectiveness of the protection being achieved can be assessed
- Assess risk in terms of the general level of harm that could reasonably be caused if data were to become compromised or unavailable
- Take the form of a wide range of controls directed at reducing the likelihood of an information (confidentiality, integrity or availability) failure and reducing the amount of harm a failure could cause
- Control and reduce the likelihood and amount of harm of a failure and enhance overall mitigation
- Apply ‘good practice’ controls, which are easy for staff to understand and apply
- Be supplemented with customised controls for specific high risk circumstances

Information Incidents

6.5 All incidents that constitute an actual or potential loss of information, which could potentially lead to a breach of confidentiality, are to be reported directly to the Risk Management Department. All such incidents must be documented on an Adverse Incident Form, and could involve:
- Loss of patient information
- Loss of staff information
- Loss of business information
- Loss of hardware: laptops, USB devices
- Virus attacks
- Unauthorised access to systems / information assets
- Misuse of systems / privileges

Information Asset Register Maintenance

6.6 Information Asset Owners are responsible for overseeing the completion and regular review and update of their Information Asset Registers. Amendments and updates are more likely to be made by Information Asset Administrators, who will have more of an operational and day-to-day knowledge of the Information Assets.

Information Risk Assurance Reports

6.7 Information Asset Owners must provide an annual assurance report to the SIRO on the risk status of their Information Assets and any other areas of information risk considered appropriate. The SIRO will report annually to the Trust Board on Information Risk Management, which will include the status of risks to information assets.

Introducing New Information Assets

6.8 When new Information Assets are considered, the Trust must follow its formal due diligence processes. These will be triggered through submission of business cases and where privacy impact assessments are identified as required. A completed and agreed Privacy Impact Assessment will be acceptable as an Information Risk Assessment for one year, following which time Information Asset Owners will need to undertake routine risk assessments as part of general assurance reports.

Associated Assessments

6.9 When new Information Assets are to be introduced, the Trust must assess whether they are compliant, or required to be compliant, with:

6.9.1 The NHS Number Standard for Secondary Care, which will be initially assessed through the Applicable Systems Test:

6.9.2 The NHS Care Records Guarantee (Commitment 11), which states: “We will keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems will only record who has accessed a record where they have made changes. Paper records only include where people have made notes in the record and not when someone looks at the record.”

Information Assets should not be procured if they are unable to comply with the standards set out in section 6.9, and advice should be sought from the Senior Information Risk Owner and / or Caldicott Guardian if an exception is required.

7. TRAINING REQUIREMENTS

All staff members are required to undertake accredited Information Governance training as appropriate to their role on an annual basis. The Trust’s Essential Skills Handbook contains an Information Governance Module and an associated competency assessment (via ESR) which must be completed in order to attain competency.

Staff with Information Risk Management responsibilities must also undertake training relevant to these specialist roles. An Information Risk Management Training and Assessment Booklet must be completed by all Information Asset Owners and Information Asset Administrators.

8. REFERENCES AND ASSOCIATED DOCUMENTATION

The Data Protection Act 1998
http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1

Records Management: NHS Code of Practice (2006)
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747

NHS Code of Practice on Confidentiality 2003 (DoH)
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4069253

Trust (Management) Policies:
- Information Governance Policy
- ICT Security Policy
- Trust Staff Code of Practice on Confidentiality
- Data Protection Policy

NHS Information Risk Management: Good Practice Guidance (2009)
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/risk/inforiskmgtgpg.pdf

9. EQUALITY IMPACT STATEMENT

Portsmouth Hospitals NHS Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds. This policy has been assessed accordingly.

All policies must include this standard equality impact statement. However, when sending for ratification and publication, this must be accompanied by the full equality screening assessment tool. The assessment tool can be found on the Trust Intranet -> Policies -> Policy Documentation.

Our values are the core of what Portsmouth Hospitals NHS Trust is and what we cherish. They are beliefs that manifest in the behaviours our employees display in the workplace. Our Values were developed after listening to our staff. They bring the Trust closer to its vision to be the best hospital, providing the best care by the best people, and ensure that our patients are at the centre of all we do. We are committed to promoting a culture founded on these values, which form the ‘heart’ of our Trust:
- Respect and dignity
- Quality of care
- Working together
- No waste

This policy should be read and implemented with the Trust Values in mind at all times.

10. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS

Minimum requirement to be monitored: Staff Information Risk Training
Lead: IG Manager
Tool: Records contained within Information Asset Registers
Frequency of Report of Compliance: Ongoing monitoring / CSCs report twice annually to the IGSG and annually to the Senior Information Risk Owner
Reporting arrangements: Policy audit report to IGSG and Senior Information Risk Owner
Lead(s) for acting on Recommendations: Information Asset Owners; Information Governance Manager; Senior Information Risk Owner

Minimum requirement to be monitored: Completion of Information Risk Assessments
Lead: IG Manager
Tool: Records contained within Information Asset Registers
Frequency of Report of Compliance: Ongoing monitoring / CSCs report twice annually to the IGSG and annually to the Senior Information Risk Owner
Reporting arrangements: Policy audit report to IGSG and Senior Information Risk Owner
Lead(s) for acting on Recommendations: Information Asset Owners; Information Governance Manager; Senior Information Risk Owner

This document will be monitored to ensure it is effective and to assure compliance. The Information Governance Manager will monitor compliance with the requirements of this policy:
- Staff with responsibility for information assets completing Information Risk Management training (reports generated from the Information Governance Training Tool as necessary to inform progress and update the Information Governance Compliance Framework)
- Completion and reporting of risk assessments for information assets: will be monitored through local Information Asset Registers (within the Information Governance Compliance Framework); and will be reported on a twice-yearly basis to the Information Governance Steering Group as part of reports on the Information Governance Compliance Framework (Information Governance Toolkit standards)
- Information Asset Owners will be required to provide an annual assurance report to the SIRO on the risk status of their Information Assets and any other areas of information risk considered appropriate. The SIRO will report annually to the Trust Board on Information Risk Management, which will include the status of risks to information assets