Dental practice template IG Work Plan - Information Governance

[Insert name of dental practice] Information Governance workplan

No. | Initial IGT level | Requirement | Purpose | Work to be done to progress to next level | Knowledgebase resources available | Target IGT level
No. 9-114
Initial IGT level:
Requirement: Responsibility for Information Governance has been assigned to an appropriate member, or members, of staff
Purpose: To ensure that all staff are able to access guidance in the practice in the event of IG issues, problems and queries.
Work to be done to progress to next level: Nominate who is going to be IG lead in the practice. This person needs to be IG aware and ideally have undertaken some IG training, e.g. via the IG Training Tool.
Knowledgebase resources available: IG lead responsibilities - see template IG policy
Target IGT level:

No. 9-115
Initial IGT level:
Requirement: There is an information governance policy that addresses the overall requirements of information governance
Purpose: To demonstrate the practice's commitment to handling patients' information within the law and professional code of conduct. To make all staff aware of the policy and underpinning procedures.
Work to be done to progress to next level: Document an IG policy. To ensure your staff are fully aware of the do's & don'ts of your policy and procedures, consider supplying them with a copy. Ensure staff sign a declaration form confirming that they have read and understand materials issued to them.
Knowledgebase resources available: Template IG policy; Template staff declaration form
Target IGT level:
No. 9-116
Initial IGT level:
Requirement: All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities
Purpose: Under the DPA 1998, a data controller (the practice) must take reasonable steps to ensure the reliability of any employees or third parties that have access to personal data. A contract clause should explicitly and unambiguously state the obligation to keep patient information confidential, otherwise the dental practice may have little or no defence in the event of an accidental or intentional breach by a member of staff or contractor.
Work to be done to progress to next level: Check all your staff contracts to ensure they contain the relevant clause. If not, you could adapt the one-page confidentiality agreement and ask all your staff to sign. This can then be added as an appendix to their contract. Where necessary, you should check your contracts with third party contractors that are able to access confidential personal information, e.g IT system
Knowledgebase resources available: Template confidentiality agreement for staff
Target IGT level:

No. 9-117
Initial IGT level:
Requirement: All staff members are provided with appropriate training on information governance requirements
Purpose: To assist practices to ensure their staff are adequately informed of their responsibility to keep patient information confidential, secure, accurate and up to date. It supports the requirement for confidentiality clauses in contracts (116).
Work to be done to progress to next level: There is an online IG Training Tool which contains an introduction to IG for dental practices. Other relevant modules include information security guidelines, password management, and records management.
Knowledgebase resources available: Access the online IGTT at: www.connectingforhe ool
Target IGT level:
No. 9-209
Initial IGT level:
Requirement: All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
Purpose: To ensure that dental practices are aware of who is processing person identifiable data overseas and consider the legal implications when entering into a contract for data processing.
Work to be done to progress to next level: Use your mapped data flows (Req 208) to identify any overseas processing. If you use third party contractors, you need to check where they are processing your data.
Knowledgebase resources available: Template map of information flow
Target IGT level:

No. 9-212
Initial IGT level:
Requirement: Consent is appropriately sought before personal information is used in ways that do not directly contribute to the delivery of care services and objections to the disclosure of confidential personal information are appropriately respected
Purpose: To ensure the practice has procedures in place to gain specific informed consent to use patient information for a secondary purpose.
Work to be done to progress to next level: Ensure procedures are contained within your code of conduct or equivalent document referred to in requirement 201. Ensure staff have read and understood the document.
Knowledgebase resources available: Template staff declaration form
Target IGT level:

No. 9-213
Initial IGT level:
Requirement: There is a publicly available and easy to understand patient information leaflet that informs patients how their information is used, who may have access to that information, and their own rights to see and obtain copies of their records
Purpose: To assist dental practices to comply with the Data Protection Act 1998 provisions and contractual obligations to ensure patients are effectively informed about the use of their information.
Work to be done to progress to next level: Document a patient information leaflet and ensure it is available to patients, e.g. in reception, sent with appointment letters. Ensure your staff are adequately informed about the leaflet so they can either assist with patient queries or know where to obtain advice.
Knowledgebase resources available: BDA - Model Data Protection Code of Practice for patients
Target IGT level:
No. 9-214
Initial IGT level:
Requirement: The dental practice must have a confidentiality code of conduct that provides staff with clear guidance on the disclosure of personal information.
Purpose: To provide guidance to staff regarding individual responsibility for safeguarding and preserving confidentiality and information security to assist the practice to ensure their organisational duty is met.
Work to be done to progress to next level: Document a code of conduct. Alternatively, the practice can adopt the Confidentiality NHS Code of Practice and issue staff with practice-specific information about handling patient information and ensure that they read and understand the obligations around the disclosure of information.
Knowledgebase resources available: Template code of conduct, including guidelines for staff on disclosure; Confidentiality NHS Code of Practice
Target IGT level:

No. 9-304
Initial IGT level:
Requirement: Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use
Purpose: This requirement is only relevant to those practices that require access to NHS CFH products and services such as: the Summary Care Record; Choose and Book; Personal Demographics Service, etc. Its purpose is to establish a baseline of good dental practice and monitoring to ensure staff comply with the conditions set out in the RA01 form.
Work to be done to progress to next level: All staff with NHS CFH smartcards must be issued with the RA01 leaflet which sets out the terms & conditions of use. The practice will need to inform staff that compliance monitoring will be carried out.
Knowledgebase resources available: Template compliance monitoring form
Target IGT level:

No. 9-316
Initial IGT level:
Requirement: There is an information asset register that includes all key information, software, hardware and services
Purpose: To enable the practice to locate and track all its information assets and ensure that appropriate protection is
Work to be done to progress to next level: Record your practice's assets in a simple register.
Knowledgebase resources available: Template information asset register
Target IGT level:

No. 9-317
Initial IGT level:
Requirement: Unauthorised access to the premises, equipment, records and other assets is prevented
Purpose: To ensure that dental practice assets (premises, equipment and information) and staff are protected by physical security measures. Staff should be encouraged to feed back to the responsible person any potential risks they identify in the course of their duties.
Work to be done to progress to next level: Assess the physical security of your practice. Where necessary put in place measures to delay and prevent unauthorised access and to detect attempted or actual unauthorised access. Ensure your staff know what to do in the event that unauthorised access does occur.
Knowledgebase resources available: Template physical security risk assessment and action plan; Template incident reporting form; Template incident register
Target IGT level:

No. 9-318
Initial IGT level:
Requirement: The use of mobile computing systems is controlled, monitored and audited to ensure their correct operation and to prevent unauthorised access
Purpose: To protect personal information held on the dental practice's mobile IT systems by ensuring that access is only available to authorised personnel.
Work to be done to progress to next level: Ensure you have a log of all staff issued with mobile computing equipment. Document procedures on the use of mobile computing devices and issue them to your staff.
Knowledgebase resources available: Template mobile computing equipment asset log; Template staff guidelines on the use of mobile computing equipment; Template assignment of mobile computing equipment form
Target IGT level:
No. 9-319
Initial IGT level:
Requirement: There are documented plans and procedures to support business continuity in the event of power failures, system failures, natural disasters and other disruptions
Purpose: To ensure that the dental practice is still able to carry out vital business processes in the event of a security failure or a disaster. To ensure all staff know what they need to do in the event of a security failure or disaster.
Work to be done to progress to next level: Carry out an assessment of the risks to all systems where information critical to the running of the practice is held. In the first instance document the impacts on your practice in the event of a security failure or disaster. This should be developed into a business continuity plan.
Knowledgebase resources available: Template business impact analysis sheet; Template business continuity plan
Target IGT level:

No. 9-320
Initial IGT level:
Requirement: There are documented incident management and reporting procedures
Purpose: To ensure that where incidents occur, the damage from them is minimised and lessons are learnt from them. To ensure all staff know to report all incidents and near-misses so that they can be recorded and appropriately managed.
Work to be done to progress to next level: Allocate responsibility for managing information incidents and put procedures in place for the reporting and management of incidents.
Knowledgebase resources available: Template incident management procedure including guidelines for staff; Template incident reporting form; Template incident register
Target IGT level:
No. 9-321
Initial IGT level:
Requirement: There are appropriate procedures in place to manage access to computer-based information systems
Purpose: To enable the dental practice to effectively control access to information held on its computer systems and ensure that only authorised personnel have access to use and share information held within the systems the practice manages.
Work to be done to progress to next level: Document a procedure to allocate and remove user accounts. Ensure you provide guidance to your staff to ensure they use the system appropriately. Monitor usage.
Knowledgebase resources available: Template access control procedure including guidelines for staff; Template compliance monitoring form; Template staff declaration form
Target IGT level:

No. 9-322
Initial IGT level:
Requirement: All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
Purpose: To maintain the security and confidentiality of patient information during transfers and transport of records, correspondence, faxes, e-mail, telephone messages, and other communications.
Work to be done to progress to next level: Use your mapped data flows to identify who you share confidential information with. Ensure procedures for secure transfer are included in the document produced .
Knowledgebase resources available: Template information handling procedure including guidelines for staff; Template compliance monitoring form
Target IGT level:
