Information Risk Policy - Portsmouth Hospitals Trust

Information Risk Policy
Version: 2
Name of responsible (ratifying) committee: Information Governance Steering Group
Date ratified: 12 March 2014
Document Manager (job title): Information Governance Manager
Date issued: 8 August 2014
Review date: 7 August 2016
Electronic location: Management Policies
Related Procedural Documents: Information Governance Policy, Data Protection Policy, Confidentiality Code of Conduct, Information Governance Strategy, ICT Security Policy
Key Words (to aid with searching): Information Risk, Data Protection, Information Asset, Information Asset Owner, Information Asset Administrator, Senior Information Risk Owner, Information Governance

Version Tracking
Version: 2
Date Ratified: 12 March 2014
Brief Summary of Changes: No material changes
Author: IG Manager
Information Risk Policy | Issue Number: 2 | Issue Date: August 2014 | Review date: August 2016 (unless
requirements change)
Page | 1
CONTENTS
QUICK REFERENCE GUIDE
This policy must be followed in full when developing or reviewing and amending Trust procedural documents.

For quick reference, the guide below is a summary of the actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy. The quick reference can take the form of a list or a flow chart, if the latter would more easily explain the key issues within the body of the document.
1. The aim of information risk management is not to eliminate risk, but rather to provide the structural means to identify, prioritise, and manage the risks involved in all Trust activities.
2. Information risk management should be embedded into business processes and functions. This is achieved through key approval and review processes / controls, not by imposing risk management as an extra requirement.
3. Information Risks are risks that relate to the loss, damage, or misuse of information or which threaten the confidentiality, integrity or availability of an information asset, especially information which is personal or confidential in nature.
4. All staff should be aware of information risk management and how to raise risks and incidents, and have responsibility for ensuring that information is kept secure.
5. Information Assets are generally administration systems or databases used to process personal identifiable data (PID) directly, or used in any way that has the potential to affect the confidentiality / integrity / availability / legal processing of PID.
6. Information risks should be managed in a robust way within work areas and should not be seen as something that is the sole responsibility of ICT or Information Governance staff.
7. Managers must acknowledge that information is valuable and that risks must be mitigated. They must demonstrate the importance of handling information properly through their decisions and actions.
8. All incidents that constitute an actual or potential loss of information, which could potentially lead to a breach of confidentiality, are to be reported directly to the Risk Management Department.
9. Information Asset Owners are responsible for overseeing the completion and regular review and update of their Information Asset Registers.
10. Information Asset Owners must provide an annual assurance report to the SIRO on the risk status of their Information Assets and any other areas of information risk considered appropriate.
11. When new Information Assets are considered, the Trust must follow its formal due diligence processes. These will be triggered through submission of business cases and where privacy impact assessments are identified as required. A completed and agreed Privacy Impact Assessment will be acceptable as an Information Risk Assessment.
12. When new Information Assets are to be introduced, the Trust must assess whether they are compliant, or required to be compliant, with The NHS Number Standard for Secondary Care and The NHS Care Records Guarantee (Commitment 11).
13. Information Assets should not be procured if they are unable to comply with the above standards.
1. INTRODUCTION

1.1 The Trust Board has approved the introduction and embedding of information risk management into the key controls and approval processes of all major business processes and functions of the Trust. This decision reflects the high level of importance placed on minimising information risk and safeguarding the interests of patients, staff and the Trust itself.

1.2 Information risk is inherent in all administrative and business activities, and everyone working for, or on behalf of, the Trust continuously manages information risk. The Board recognises that the aim of information risk management is not to eliminate risk, but rather to provide the structural means to identify, prioritise, and manage the risks involved in all Trust activities. It requires a balance between the cost of managing and treating information risks and the anticipated benefits that will be derived.

1.3 The Board acknowledges that information risk management is an essential element of broader information governance and is an integral part of good management practice. The intent is to embed information risk management in a very practical way into business processes and functions. This is achieved through key approval and review processes / controls, not by imposing risk management as an extra requirement.
2. PURPOSE

2.1 The purpose of this policy is to protect the Trust, its staff and its patients from information risk where the likelihood of occurrence and the consequences are significant. This policy will provide a consistent framework in which information risk will be identified, considered and addressed in key approval, review and control processes.

2.2 This will encourage proactive risk management, provide assistance to, and improve the quality of, decision making throughout the Trust and help to safeguard the Trust’s information assets.

2.3 This policy is required to comply with the NHS Chief Executive’s communication (September 2008) with reference to the Government’s Data Handling Review (June 2008).
3. SCOPE

3.1 This policy is applicable to all areas of the Trust, and adherence to it should be included in all contracts for outsourced or shared services.

3.2 Whilst the Risk Management Strategy and associated risk management policies are applicable to all risks, this policy identifies those additional measures which are specific to the management of information risks.

‘In the event of an infection outbreak, flu pandemic or major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document. In such circumstances, staff should take advice from their manager and all possible action must be taken to maintain ongoing patient and staff safety.’
4. DEFINITIONS

4.1 Risk – the chance of something happening which would have an impact upon objectives. It is measured in terms of likelihood and severity.

4.2 Consequence – the outcome of an event or situation, expressed qualitatively or quantitatively, being a loss, disadvantage or gain. There may be a range of possible outcomes associated with an event.

4.3 Information Risk – a risk that relates to the loss, damage, or misuse of information or which threatens the confidentiality, integrity or availability of an information asset, especially information which is personal or confidential in nature.

4.4 Likelihood – a qualitative description of probability or frequency.

4.5 Risk Assessment – the overall process of risk analysis and risk evaluation.

4.6 Risk Management – the culture, processes and structures directed towards the effective management of potential opportunities and adverse effects.

4.7 Risk Treatment – selection and implementation of appropriate options for dealing with risk which, conceptually, will involve one or a combination of the following strategies:
• Risk avoidance
• Reduction in the likelihood of occurrence
• Reduction in the consequences of occurrence
• Risk transference
• Risk tolerance / acceptance

4.8 Risk Management Process – the systematic application of management policies, procedures and practices to the task of establishing the context and identifying, analysing, evaluating, treating, monitoring and communicating risk.

4.9 Information Assets – in general, Information Assets will be administration systems or databases used to process PID directly, or used in any way that has the potential to affect the confidentiality / integrity / availability / legal processing of PID. The following are the main examples of Information Assets:
• Databases and data files
• System information and documentation
• Back-up and archive data
• Operations and support procedures
• Audit data
• Applications and system software
• Data encryption utilities
• Development and maintenance tools
• Paper records (including patient care notes and staff records)
• Environmental services necessary for the safe operation of Information Assets (e.g. power and air conditioning)
• Business continuity plans

4.10 Information Governance Compliance Framework – an Information Governance compliance monitoring and management tool on the Trust intranet.
5. DUTIES AND RESPONSIBILITIES

5.1 Accounting Officer – The Chief Executive is the Accounting Officer and has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level, with information risks handled in a similar manner to other major risks such as financial, legal and reputational risks. The Accounting Officer is required to provide assurance, through the Statement of Internal Control, that all risks to the Trust, including those relating to information, are effectively managed and mitigated.

5.2 Trust Board – It is the responsibility of the Trust Board to create a strong information handling culture which permeates throughout the Trust and informs everyone’s approach to performing daily tasks, regardless of position and seniority.

5.3 Senior Information Risk Owner (SIRO) – The SIRO acts as an advocate for information risk on the Board and in internal discussions, and provides written advice to the Accountable Officer regarding the “information risk” elements of their annual Statement of Internal Control (SIC).

5.4 Information Asset Owners (IAOs) – IAOs are senior individuals involved in running the relevant business / service areas. The IAO role is to:
• understand and address risks to the information assets they ‘own’
• provide assurance to the SIRO on the security and use of these assets

5.5 Information Asset Administrators (IAAs) – IAAs provide support to their IAO. To do this they will:
• ensure that policies and procedures are followed
• recognise potential or actual security incidents
• consult their IAO on incident management
• ensure that information asset registers are accurate, maintained and kept up-to-date

5.6 Information Risk Management Group – Subject matter experts who counsel the SIRO on general and specific information risk issues.

5.7 All staff should be aware of information risk management and how to raise risks and incidents, and have responsibility for ensuring that information is kept secure. Secure practices can help:
• avoid unauthorised disclosure, dissemination of or access to information
• support appropriate storage, transportation, transfer and disposal of information
Information risk governance structure (the original presents this as a diagram; the text of its boxes and connecting labels is reproduced here):

Trust Board
Chief Executive (Accounting Officer)

Senior Information Risk Owner (SIRO) – owner of the Information Risk Programme and of the risk assessment process for identified information security risks; informs the Statement of Internal Control. The SIRO is accountable to the Trust Board for the security of Information Assets and acts as an advocate for Information Risk on the Board. The SIRO liaises with the Head of Risk Management and Legal Services regarding the Statement of Internal Control.

Information Risk Management Group (Head of IT / Information Governance Manager) – holds regular Information Risk Management meetings with the SIRO; advises on current issues, potential solutions and courses of action to meet Information Risk expectations; counsels on general information risk issues, asset identification, asset classification and risk assessment; promotes best practice and requirements, and monitors compliance.

Information Asset Owners – provide assurance to the SIRO that information risk is being effectively managed for each ‘owned’ asset.

Information Asset Administrators – ensure policies and procedures are followed, recognise security incidents and maintain the asset register; report risks to Information Assets and other relevant Information Security incidents to the Risk Management Department.

Risk Management Department – information security incidents are reported and investigated, involving the SIRO and other suitable panel representation.
6. PROCESS

Aims

6.1 The aim of information risk management is to:
• Protect the Trust, its staff and its patients from information risks where the likelihood of occurrence and the consequences are significant
• Provide a consistent risk management framework in which information risks will be identified, considered and addressed in key approval, review and control processes
• Encourage proactive rather than reactive risk management
• Provide assistance to, and improve the quality of, decision making throughout the Trust
• Meet legal or statutory requirements
• Assist in safeguarding the Trust’s information assets

6.1.1 The key requirement is for information risk to be managed in a robust way within work areas and not to be seen as something that is the sole responsibility of ICT or Information Governance staff. Assurance needs to be provided in a consistent manner. To achieve this, a structured approach is needed, building upon the existing Information Governance Compliance Framework. This structured approach relies upon the identification of information assets and the assignment of ‘ownership’ of assets to senior accountable staff (Information Asset Owners).
6.1.2 Information Asset Owners (IAOs) are supported by Information Asset Administrators (IAAs), who are operational staff with day-to-day responsibility for managing risks to their information assets. The IAOs are responsible for ensuring information risk is managed appropriately and for providing assurance to the SIRO.

6.1.3 The aim is to ensure that the approach to risk management:
• Takes full advantage of existing authority and responsibility structures where these are fit for purpose
• Associates tasks with appropriate management levels
• Avoids unnecessary impacts on day-to-day business
• Ensures that all the necessary activities are discharged in an efficient, effective, accountable and visible manner

Management Lead

6.2 Managers must acknowledge that information is valuable and that risks must be mitigated. They must demonstrate the importance of handling information properly through their decisions and actions.
• All staff should know good information handling as part of their job
• Senior staff will understand that they are bound by the same rules as junior staff. They must not override risk controls for reasons of convenience
• All staff should be able to answer general questions about information protection and make sensible information risk decisions for themselves, including knowing the limits of their competence and when to defer to others for guidance
• All staff personal development plans should include competencies on information handling
• It is the responsibility of the Trust Board to ensure that the Trust has an open approach to incidents and learning
• The Trust Board must encourage staff to question instructions that seem inappropriate on information risk grounds and must encourage reporting of instances of inappropriate behaviour

Information Risk Management Programme

6.3 An information risk management programme must be aligned to the Trust Business Plan to support individual objectives and ensure they are adequately resourced. The information risk management programme should cover:
• The balance between the level of risk, tolerance of risk and the effort being used to manage the risk
• Identification of gaps between the current and target risk positions
• Progress being made against agreed information risk priorities
• The effectiveness of the risk management controls, including successes and failures
Information Risk Mitigation

6.4 Information risk mitigation must:
• Be commensurate with the level of risk – it does not need to remove the risk entirely
• Be kept simple so that it is manageable and can be communicated to staff
• Include monitoring and reporting on the ongoing level of information governance / confidentiality / information security breaches, so that the effectiveness of the protection being achieved can be assessed
• Assess risk in terms of the general level of harm that could reasonably be caused if data were to become compromised or unavailable
• Take the form of a wide range of controls directed at reducing the likelihood of an information (confidentiality, integrity or availability) failure and reducing the amount of harm a failure could cause
• Control and reduce the likelihood and amount of harm of a failure and enhance overall mitigation
• Apply ‘good practice’ controls which are easy for staff to understand and apply
• Be supplemented with customised controls for specific high risk circumstances
Information Incidents

6.5 All incidents that constitute an actual or potential loss of information, which could potentially lead to a breach of confidentiality, are to be reported directly to the Risk Management Department. All such incidents must be documented on an Adverse Incident Form, and could involve:
• Loss of patient information
• Loss of staff information
• Loss of business information
• Loss of hardware:
  - Laptops
  - USB devices
• Virus attacks
• Unauthorised access to systems / information assets
• Misuse of systems / privileges

Information Asset Register Maintenance

6.6 Information Asset Owners are responsible for overseeing the completion and regular review and update of their Information Asset Registers. Amendments and updates are more likely to be made by Information Asset Administrators, who will have more operational and day-to-day knowledge of the Information Assets.

Information Risk Assurance Reports

6.7 Information Asset Owners must provide an annual assurance report to the SIRO on the risk status of their Information Assets and any other areas of information risk considered appropriate. The SIRO will report annually to the Trust Board on Information Risk Management, which will include the status of risks to information assets.

Introducing New Information Assets

6.8 When new Information Assets are considered, the Trust must follow its formal due diligence processes. These will be triggered through submission of business cases and where privacy impact assessments are identified as required. A completed and agreed Privacy Impact Assessment will be acceptable as an Information Risk Assessment for one year, after which Information Asset Owners will need to undertake routine risk assessments as part of general assurance reports.

Associated Assessments

6.9 When new Information Assets are to be introduced, the Trust must assess whether they are compliant, or required to be compliant, with:

6.9.1 The NHS Number Standard for Secondary Care, which will be initially assessed through the Applicable Systems Test.
6.9.2 The NHS Care Records Guarantee (Commitment 11), which states “We will keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems will only record who has accessed a record where they have made changes. Paper records only include where people have made notes in the record and not when someone looks at the record.”

Information Assets should not be procured if they are unable to comply with the standards set out in section 6.9, and advice should be sought from the Senior Information Risk Owner and / or Caldicott Guardian if an exception is required.
7. TRAINING REQUIREMENTS

All staff members are required to undertake accredited Information Governance training as appropriate to their role on an annual basis. The Trust’s Essential Skills Handbook contains an Information Governance Module and an associated competency assessment (via ESR) which must be completed in order to attain competency.

Staff with Information Risk Management responsibilities must also undertake training relevant to these specialist roles. An Information Risk Management Training and Assessment Booklet must be completed by all Information Asset Owners and Information Asset Administrators.
8. REFERENCES AND ASSOCIATED DOCUMENTATION

The Data Protection Act 1998
http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1

Records Management: NHS Code of Practice (2006)
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747

NHS Code of Practice on Confidentiality 2003 (DoH)
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4069253

Trust (Management) Policies:
• Information Governance Policy
• ICT Security Policy
• Trust Staff Code of Practice on Confidentiality
• Data Protection Policy

NHS Information Risk Management: Good Practice Guidance (2009)
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/risk/inforiskmgtgpg.pdf
9. EQUALITY IMPACT STATEMENT

Portsmouth Hospitals NHS Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds. This policy has been assessed accordingly.

All policies must include this standard equality impact statement. However, when sending for ratification and publication, this must be accompanied by the full equality screening assessment tool. The assessment tool can be found on the Trust Intranet -> Policies -> Policy Documentation.

Our values are the core of what Portsmouth Hospitals NHS Trust is and what we cherish. They are beliefs that manifest in the behaviours our employees display in the workplace.

Our Values were developed after listening to our staff. They bring the Trust closer to its vision to be the best hospital, providing the best care by the best people, and ensure that our patients are at the centre of all we do.

We are committed to promoting a culture founded on these values, which form the ‘heart’ of our Trust:
• Respect and dignity
• Quality of care
• Working together
• No waste

This policy should be read and implemented with the Trust Values in mind at all times.
10. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS

Minimum requirement to be monitored: Staff Information Risk Training
Lead: IG Manager
Tool: Records contained within Information Asset Registers
Frequency of Report of Compliance: Ongoing monitoring / CSCs report twice annually to the IGSG and annually to the Senior Information Risk Owner
Reporting arrangements: Policy audit report to the IGSG and to the Senior Information Risk Owner
Lead(s) for acting on Recommendations: Information Asset Owners, Information Governance Manager, Senior Information Risk Owner

Minimum requirement to be monitored: Completion of Information Risk Assessments
Lead: IG Manager
Tool: Records contained within Information Asset Registers
Frequency of Report of Compliance: Ongoing monitoring / CSCs report twice annually to the IGSG and annually to the Senior Information Risk Owner
Reporting arrangements: Policy audit report to the IGSG and to the Senior Information Risk Owner
Lead(s) for acting on Recommendations: Information Asset Owners, Information Governance Manager, Senior Information Risk Owner

This document will be monitored to ensure it is effective and to assure compliance.

The Information Governance Manager will monitor compliance with the requirements of this policy:
• Staff with responsibility for information assets completing Information Risk Management training (reports generated from the Information Governance Training Tool as necessary to inform progress and update the Information Governance Compliance Framework)
• Completion and reporting of risk assessments for information assets:
  - will be monitored through local Information Asset Registers (within the Information Governance Compliance Framework); and
  - will be reported on a twice-yearly basis to the Information Governance Steering Group as part of reports on the Information Governance Compliance Framework (Information Governance Toolkit standards)
• Information Asset Owners will be required to provide an annual assurance report to the SIRO on the risk status of their Information Assets and any other areas of information risk considered appropriate. The SIRO will report annually to the Trust Board on Information Risk Management, which will include the status of risks to information assets