TRUST POLICY
IT Procurement and Implementation Policy
Reference Number           HIG/POL/0018
Title                      CDDFT IT PROCUREMENT AND IMPLEMENTATION
                           POLICY
Version number             4.0
Document Type              Policy
Effective date             January 2007
Date published             July 2007
Approving body             Informatics Steering Committee
Originating Directorate    Health Informatics Directorate
Scope                      Trust-wide
Last review date           February 2010
Next review date           January 2012
Reviewing body             Informatics Steering Committee
Reviewer                   I.T Support Manager
Document Owner             Associate Director of NCRS & IT
Equality impact assessed   yes
Date superseded            July 2008
Status                     Issued
Confidentiality            None
Keywords                   Trust IT Procurement Policy



SIGNATURE (CHAIRPERSON):




Version 4.0                        Page 1                   14/11/2011
Version Control

 VERSION CONTROL TABLE
 DATE                     VERSION                 STATE
 June 2005                1.0                     DRAFT
 June 2006                2.0                     DRAFT
 January 2007             3.0                     FINAL
 September 2008           4.0                     Draft

 TABLE OF REVISION
 DATE             SECTION            AUTHOR           STATE
 January 10       2.2.5              C Robinson       Final
 January 09       All                C Robinson       Final
 January 07       All                S Dodd           Final
 July 07          All                S Dodd           Draft
 September 2008   All                L Wilson         Draft




1      Introduction

1.1    Introduction to the Procurement of IT Equipment and Services

       The procurement of IT equipment and services can be a complex task.
       Depending on the goods or services required and the cost involved, there are
       a number of procedures which, by law, have to be followed. These
       procedures are explained more fully in later sections of this Policy. The major
       'milestones' of procuring IT are documented in the following steps, as well as
       the services offered by the IT Department:

       The above can be a lengthy process not only depending on how quickly and
       efficiently IT Services, the Procurement Department and the relevant
       suppliers work together but also on the amount of stock held by suppliers. In
       an attempt to achieve maximum efficiency, the IT Services Department and
       the Procurement Department have built up a strong working relationship and
       have both been working closely with relevant suppliers of IT Equipment in
       order to maintain existing relationships. In many cases, these relationships
       have resulted in negotiating reasonable discounts on top of the normal NHS
       discounts for a large proportion of IT goods purchased by the Trust.

       Involving IT Services in the selection of goods ensures that the user is buying
       the best technology for their requirements and that it meets the Trust's IM&T
       Strategy, whilst both Procurement and IT Services continue to strive to ensure
       that the Trust receives value for money on all its purchases.


1.2    Introduction to IT Services

       The IT Services Department has developed in accordance with the needs of
       the organisation and represents the mix of skills necessary to support the
       Trust in the use and operation of IT.

       In all instances where assistance is required to fix faults and install
       equipment, users must contact the IT Servicedesk on 4340 or via email to
       helpdesk@cddft.nhs.uk




1.3    Scope

       The purpose of this document is to clarify the various procedures for the
       procurement of computer systems within the Trust. Section 4 onwards looks
       to provide Managers and users with sufficient information to enable them to
       identify appropriate solutions to meet the needs of their business and make
       informed decisions on the tools required to implement an appropriate IT
       solution.

       A standard approach to procurement is necessary to:

              a)   safeguard, as far as possible, against early obsolescence,
              b)   ensure suitability and value for money,
              c)   ensure reliability,
              d)   enable the provision of cost effective training and support,
              e)   enable the provision of cost effective and good quality support
                   services, where appropriate,
              f)   ensure compliance with the Trust's Constitution and Standing
                   Financial Instructions.

       This document and the resulting procurement procedures are not intended to
       replace expert advice - which will continue to be available from the IT
       Services and Procurement Department - including the need to have any major
       IT expenditure approved in the appropriate Directorate/Trust Business Plan.
       The document is, however, an aid to assist Managers and/or users in
       purchasing IT and to make them aware of the main criteria involved in the
       process.

       This document also states why certain decisions are made, e.g. at what point
       it is necessary to officially tender for goods as opposed to obtaining
       quotations from a single supplier.

       Finally, it provides a useful guide to IT Services staff in determining the
       policies and procedures to be followed when purchasing IT equipment and to
       enable them to reliably relay this information to users.




2      Policies and Procedures for the Procurement of Information
       Technology

2.1    NHS Terms and Conditions for the Purchase of products and
       services – SIMCON March 2007.
       The above terms and conditions are specific to the procurement of IT
       products and services. They are currently used by the Purchasing and
       Supplies Agency (PASA). These NHS Terms and Conditions were reviewed
       and updated in March 2007.

       It should be noted that the IT Services Department work closely with PASA
       and the Procurement Department who provide expert advice on the process
       of procuring IT systems and have an in-depth knowledge of the rules and
       regulations governing the purchase of IT.

2.2    The Current IT Services Department Procurement Procedures
       (based on the PASA procedures for procuring goods)

       A framework agreement is available (developed by the PASA) which acts as a
       buying guide for the Trust, which includes the NHS approved list of suppliers
       for the purchase of PC hardware and/or software. In view of this, and the
       number of PC products which are available today, it is important for you, the
       user, to make the right choice. This document attempts to assist Managers
       and users to ensure that they make appropriate and informed decisions when
       purchasing PC products.

       All purchases of IT Equipment (regardless of cost) must be approved by
       IT Services before they can be ordered. All purchases of IT Equipment must
       comply with the Trust's Constitution and Standing Financial Instructions.

       With regard to the procurement process, the NHS and the Trust have formally
       agreed that all purchases should follow the criteria as set out below:

2.2.1 Total Purchase Price (including VAT): Not exceeding £1,000

       It is possible to requisition IT peripherals up to the value of £1,000 of non-
       repetitive equipment, over a twelve month period, without the need for any
       formal contact with the Procurement / Finance Department. If an item is
       repetitive and over £1,000 over a twelve month period, refer to paragraph
       2.2.2 and other relevant paragraphs as the value increases. Users must also
       be aware that any service development, e.g. purchase of PC equipment,
       requires inclusion in the appropriate Directorate Business Plan. IT Services
       will subsequently ensure that any purchase meets the criteria set out in this
       document.




2.2.2 Total Purchase Price (including VAT): Exceeds £1,000 but less than
      £5,000

       See Scheme of Delegation, page 4, section 4.1 (Quotations): a minimum
       of two verbal quotations is required to comply with Standing Financial
       Instructions. Quotations are not specifically required by Standing Financial
       Instructions, but the advice is to obtain a written quotation. The requirement
       for an investment appraisal applies here, as detailed in 2.2.3 below. The two
       verbal quotes must be recorded in writing on the requisition.

2.2.3 Total Purchase Price (including VAT) : Exceeds £5,000 but less than
      £20,000

       Any order for goods with a total value between £5,000 and £19,999 requires
       three written quotations. All written quotations should be arranged through
       either the IT Services Department or the Procurement Department. All original
       written quotations are to be entered into the Trust's Quotation Register held in
       Procurement. IT Services will be happy to advise on the content of the
       quotation and will ensure that the purchase meets the criteria as set out in this
       document, as necessary.

       It should be noted that it is possible to obtain quotations from a single supplier
       only if there are no other suppliers who can provide the equipment or service
       required and the conditions within section 7.3 of the Trust's Standing Financial
       Instructions are satisfied.

       Capital investments over £5,000 must be approved by the Trust's Capital
       Planning Committee and the Capital Planning IT sub group.

2.2.4 Total Purchase Price (excluding VAT) : Exceeds £20,000 but less than
      the sterling equivalent of €130,000

       The IT Services Department will provide advice and assistance to the user in
       the complex process of tendering for goods and/or services. IT Services will
       also assist in the production of the formal list of requirements / specification
       which will be required for this process.

       The Procurement Department will subsequently be involved in managing the
       tendering process, and a minimum of two weeks will be required for the return
       of the responses from the suppliers.

       All responses will be received in the legally prescribed manner. Following
       this, the Procurement Department will record the appropriate information for
       their own audit reference / Department of Health statistical returns, then
       forward copies of the appropriate information and documentation to the IT
       Systems Manager. Original tender documentation is to be retained in
       Procurement. Depending on the IT equipment to be purchased, User Groups /
       an Evaluation Team need to be formed before a decision is made.

       It should be noted that single tenders may be permitted with the prior written
       agreement of the Chief Executive or Director of Finance as laid down in
       Standing Financial Instructions. However, this method should be used only in
       extreme cases and must be justifiable to an external Audit process.

       Once a supplier has been chosen, the Procurement Department will contact
       both the successful and unsuccessful suppliers in accordance with the
       Tender process.

       Capital investments up to £100,000 must be approved by the Trust's Capital
       Planning Committee and, where appropriate, the IT sub group.

2.2.5 Total Purchase Price (excluding VAT) : Exceeds the sterling equivalent of €130,000

       Users must, by law, strictly adhere to the conditions of the EC/GATT (General
       Agreement on Tariffs and Trade), now known as the World Trade Organization
       (WTO), GPA Procurement Procedures. Briefly, these state that all
       procurements over €130,000 must be publicised in the Official Journal of the
       European Union (OJEU - EU Journal). Thresholds change every two years; the
       next change is due to come into force in January 2012. In addition, appropriate
       information regarding the award of contract must also be publicised in that
       Journal. The advert must also contain specific information regarding the
       requirements of the system or equipment in order that relevant suppliers can
       respond to the advert.

       For purchases within this category users MUST consult the IT Services
       Department.

       Standing Financial Instructions require a minimum of 5 suppliers to be given
       the opportunity to tender. All purchases over £100,000 can only be approved
       by the Trust Board.

2.2.6 Information Governance

       For all procurement of IT Systems, Information Governance
       assessments must be completed to ensure compliance with information
       storage, transfer and disposal requirements. Adherence to the Data Protection
       Act and the Freedom of Information Act must also be included.
       The IG Project Checklist is Appendix 1.
       The IG Data Processing Agreement is Appendix 2.
       The IG Third Party Agreement Form is Appendix 3.




2.3    POISE (Procurement Of Information Systems Effectively)


       What is POISE?

       P.O.I.S.E. is an established procurement philosophy for the purchase of
       information systems (IS) used widely in the NHS. POISE is not just a buying
       process for IS; it is an attempt to get people to think about why they want to
       buy information systems, how they will buy them and how they will judge the
       success of their procurements. House purchases provide a useful analogy. If
       we liken the acquisition of an information system to buying a house,
       then in the past procurement has been seen as the conveyancing element -
       the administration needed for the transfer of title. This artificial distinction
       may explain some of the failed IS purchases within the NHS. After all, the
       conveyancing process can be first class, but this is of little consequence if you
       decide to buy a house that is too small or in the wrong place. POISE
       recognises that the procurement of any information system needs to be more
       than a paper exercise if it is to benefit the organisation. Information systems
       can greatly assist people in their work, but only if the systems meet their
       needs.

       When can POISE be used?
       POISE can be used for all procurements of information systems, whatever
       their size, made by the NHS.

       Who is POISE for?
       POISE is for all those who are engaged in specifying and buying systems for
       the NHS. These may include project managers, information, computing and
       Procurement staff, general managers, heads of departments, clinicians and
       authority or trust members.

       Further details on the POISE process can be obtained from the IT Services
       Department and/or PASA.

             Reference: NHS Procurement - POISE: A Step by Step Approach




2.4    PRINCE (PRojects IN Controlled Environments)

       PRINCE is the Project Management standard for government IT
       Departments. Developed by the Central Computer and Telecommunications
       Agency (CCTA) which is part of HM Treasury, PRINCE was designed to be
       compatible with system development methods used in government IT projects
       and to facilitate their use for the technical aspects of development.

       County Durham and Darlington NHS Foundation Trust will make appropriate use
       of this project management methodology in all information system procurements.
       Detailed guidance on the use of PRINCE can be obtained from the Associate
       Director of NCRS & IT.

2.5    General Information

       At the request of PASA, all requests for advice and assistance with regard to
       the purchase of computer systems must be directed to IT Services. Any
       information or advice referred to PASA will be redirected to the IT Services
       Department.

2.6    Conditions For Purchase of IT Server Equipment
       Any project that requires the purchase of IT equipment that is to be housed in
       any of the Trust's computer or comms rooms must conform to the following
       recommendations and be authorised by either the IT Operations Manager or the IT
       Networks Manager.

             • Where possible all equipment must be rack-mountable and be purchased
               with the relevant rack mounting kit (for any equipment that is not rack-
               mountable a shelf must be purchased for the relevant rack).
             • Before any equipment is ordered the IT Operations Manager or IT
               Networks Manager must confirm that there is enough capacity in the
               existing racks for the new equipment. If capacity is not available a new
               rack and accessories (including console switch and UPS if necessary)
               must be purchased from the project.
             • All equipment in the racks must be powered from a UPS within the rack. If
               there is no capacity in the existing UPS for the new equipment then a new
               rack-mountable UPS must be purchased from the project.
             • Before any equipment is ordered the IT Networks Manager must confirm
               that there is sufficient capacity to connect the new equipment to the Trust's
               network. If this capacity is not available the project must purchase the
               relevant equipment for network connection (e.g. switch or data point).
             • Before any equipment is ordered the IT Operations Manager must confirm
               that there is sufficient capacity within the Trust's backup configuration to be
               able to back up the new equipment. If this capacity is not available the
               project must purchase the relevant equipment to enable the new
               equipment to be backed up (e.g. a new tape drive).
             • All new Windows based servers that are ordered must also include an
               order for additional backup and cleaning tapes.
             • All Windows based servers that are ordered must include orders for the
               relevant backup software to enable the server and system to be backed
               up (e.g. remote server agent licence or any other agents that are required
               for specific software such as SQL Server or Oracle backup agents).




3      IT Equipment Procurement Procedures

       The procurement process involves a complex set of procedures to which we
       are all legally bound. Therefore, for the purposes of clarity, the following
       simple guidelines should be followed.

       Purchase of computer equipment, software and/or services, etc. at a cost of:

             • £90,319 (€133,000) upwards - follow the instructions as set out in
               paragraph 2.2.5 of this document.

             • £20,000 to £90,319 - follow the instructions as set out in paragraph
               2.2.4 of this document.

             • £5,000 to £20,000 - follow the instructions as set out in paragraph
               2.2.3 of this document.

             • £1,000 to £5,000 - follow the instructions as set out in paragraph 2.2.2
               of this document.

             • Up to £1,000 - follow the instructions as set out in paragraph 2.2.1 of
               this document.

NB.    Managers must be aware that the procurement of a system cannot legally be
       executed on an incremental basis, e.g. by purchasing software one month
       and hardware the next from the same supplier and aggregated over 4 years.
       Prior to commencing any procurement cycle, managers must take into
       consideration the full potential cost of a system (plus aggregated cost if a
       single supplier is selected), including but not limited to: hardware, software,
       maintenance, support services, VAT, etc.

3.1    Standards

       Within the Trust, it is necessary to conduct our business in the most cost
       effective manner. This means that the fundamental reason for implementing
       standards is to improve the efficiency of patient care.

       The basic principle of standards is that, by implementing compatible
       standards, intercommunication between disparate information systems is
       facilitated. This means that our existing systems will, as some already do,
       share common data. We will also, however, be able to share information,
       electronically, with external agencies such as our purchasers. The standards
       required to achieve this include those for electronic communications between
       applications (open systems), coding and networking standards, etc. Without
       such standards, a great deal of effort would be expended in converting from
       different formats, re-inputting data (with the attendant risk of error), etc.

       In view of this, it is intended that IT Services will oversee, as far as possible,
       adherence to the appropriate standards as set out in the NHS IT Standards
       Handbook (issued by the NHS IA). In order to do this, however, it is
       necessary for all staff to adhere to the procedures as set out in this document.

       The standards include:

          • Electronic messaging
          • Wide and local area networking and communications equipment
          • Software portability and open systems
          • NHS data and coding
          • Usability (e.g. making systems easy to use)
          • Quality
          • Safety
          • Security
          • Encryption

3.2    Using this Document

       As previously discussed, it is anticipated that the IT Procurement and
       Implementation Policy will be an aid for Managers to procure small IT systems
       whilst also giving them an understanding of the issues relating to more major
       procurements.

       In order to clearly identify the major steps in procuring IT systems within
       CDDFT, from a PC based solution to a departmental system.

3.2.1 PC and Printers Procedure

       The IT department maintains a list of standard hardware and software that
       can be purchased, including PCs, printers and peripherals. Please consult the
       IT Servicedesk on 4340 for advice. Approval for the purchase of non-
       standard hardware and software is required from the Associate Director of
       NCRS & IT.

3.3    EROS / Cardea
       All orders in the Trust are processed electronically on EROS or Cardea
       (the EROS replacement). After agreeing the equipment required with IT Services
       and identifying funding, the user then forwards the request (either via e-mail
       or memo) to the relevant IT Services Department, along with the Transfer
       Point for the budget from which the equipment is to be purchased.

       On receipt of the request the IT Helpdesk Manager will check the contents for
       accuracy and completeness; if necessary, the request will subsequently be
       passed to the IT Operations Manager or IT Networks Manager, who will
       validate the requisition, ensuring that the goods or services specified meet the
       Trust's current IT policies and that the required infrastructure is available to
       meet the needs of the new equipment.

       Following this, the request is then entered onto EROS / Cardea by IT
       Services. It then needs to be authorised by the relevant budget holder and
       vetted by Finance, dependent on value, before the order is electronically
       despatched to the supplier.

3.4    Receipt of Orders

       ALL GOODS received MUST be delivered to the relevant IT Services
       Department. Following receipt of the goods, delivery notes should be signed
       by the person taking receipt of the delivery and forwarded to the IT Helpdesk
       Manager for reference. If everything is in order the equipment can then be
       receipted on EROS to allow payment to take place. This will allow the IT
       Services Department to check for any obvious damage to the goods and carry
       out appropriate preparatory work, e.g. configuring hardware and/or software,
       in order to minimise disruption to the user in their own work environment.

       NOTE         Managers and/or users must not intercept the goods prior to the
                    IT Services Department checking the contents and quality of the
                    goods received. Users should be aware that if the goods are not
                    delivered directly to IT Services this will result in a delay in the
                    testing and installation of the equipment.

       NOTE         Any invoices received by the IT Services Department will be
                    forwarded directly to the appropriate section within the Finance
                    Directorate. The IT Helpdesk Manager shall retain a copy of all
                    invoices for the purposes of ensuring that the price invoiced is
                    the same as that which was originally quoted and to enable free
                    or reduced cost software and hardware upgrades where
                    appropriate.

       The IT Helpdesk Manager will undertake to co-ordinate the completion of all
       appropriate licensing documentation, correct installation of hardware and
       software, delivery and set-up.

3.5    Notification of Capital Assets to the Estates Department

       Notification of the purchase of all goods, not only IT, should be given to the
       Estates Department as soon as possible following receipt of the goods. In
       relation to IT equipment, it has been agreed with the Estates Department that
       the IT Services Department will, on receipt of IT goods, maintain the asset
       inventory information.

       All assets must be capitalised in accordance with the NHS Capital Accounting
       Manual. All capital expenditure must be approved by the Trust‟s Capital
       Planning Committee.

       The definition of an asset is described below:

       CAPITAL ASSET - an asset or group of assets which, when purchased, has a
       value/purchase price of £5,000 or greater. An example capital asset might be
       a PC server system consisting of all components, e.g. keyboard, mouse,
       screen, base, software, printer, etc.

       REVENUE ASSET - an asset which, when purchased, has a value/purchase
       price of £4,999 or less.


3.6     Electrical Testing

      Guidance relating to the Electricity at Work Regulations (1989) states that all
      electrical equipment must be tested to ensure the specification meets
      appropriate statutory safety standards and regulations.

      For existing electrical equipment the Estates Department intend, as a general
      principle, to check the equipment on an annual basis.

      For new equipment it has been agreed that a visual inspection of the unit will
      be completed by the Servicedesk or IT Support Officer.

      You, as a user of electrical equipment, also have a responsibility to ensure the
      safety of yourself and your colleagues as far as possible. In order to address
      this, guidance produced by the Health and Safety Executive also states that
      the person(s) using the equipment can look critically at the electrical equipment
      they use in order to check for signs that the equipment is not in sound
      condition, for example:

      (a)     there is damage (apart from light scuffing) to the cable sheath;

      (b)     the plug is damaged, for example the casing is cracking or the pins are
              bent;

      (c)     there are inadequate joints, including taped joints in the cable;

      (d)     the outer sheath of the cable is not effectively secured where it enters the
              plug or the equipment. Obvious evidence would be if the coloured
              insulation of the internal cable cores were showing;

      (e)     the equipment has been subjected to conditions for which it is not
              suitable, e.g. it is wet or excessively contaminated;

      (f)     there is damage to the external casing of the equipment or there are
              some loose parts or screws;

      (g)     there is evidence of overheating (burn marks or discoloration).

      These checks also apply to extension leads and associated plugs and sockets.
      Checks should be undertaken by the user when the equipment is taken into
      use and during use. Any faults should be reported to management and the
      equipment taken out of use immediately. Management should take effective
      steps to ensure that the equipment is not used again until repaired.

3.7     Documentation and System Manuals

       Copies of software and documentation will be maintained by the IT Services
       Department.



3.8    Upgrades

       Requests for system re-sizing and/or upgrade of both hardware and
       application software must be passed to the IT Operations Manager.

3.9    IT Security

       All staff within the Trust have a duty to adhere to certain standards such as
       safety and security. Where you are not aware of your responsibilities in these
       areas, additional advice can be sought from the IG Security Audit Officer.

       Note:            The Trust IT Security Policy is available from the relevant local
                        IG Security Audit Officer; please contact your relevant IT
                        Servicedesk for IG Security Audit Officer contact details.

       Approval must be sought from the IG Security Audit Officer before the
       purchase of:

                 • Any modem or other networking equipment that may result in a new
                   connection external to the Trust's network (N3, Intranet or another
                   supplier's network).
                 • Any purchase that could result in a reconfiguration of the Trust's
                   firewalls.
                 • Any other purchases seemingly contrary to the Trust's IT Security
                   Policy.

       All PC based equipment, including medical equipment incorporating
       embedded operating systems, must comply with the Trust's anti-virus and
       encryption procedures.
       See Appendix 1-3 in all cases of system procurement.

3.10 General

       For further information or clarification on Section 3, or any other part of this
       document, please contact the Associate Director of NCRS & IT on 01207 584311.




4.     Technical Specification

       The Trust maintains a list of standard PCs, Printers and Peripherals that may
       be purchased. Any non-standard items require the approval of the Associate
       Director of NCRS & IT.

4.1    Medical equipment requiring connection to the Trust's network

       Medical equipment is increasingly using PC or embedded software within its
       operating functions. The approval of the Associate Director of NCRS & IT is
       required for these devices to connect to the Trust network. The device must
       also comply with the Trust's networking and anti-virus procedures.




5      Application Software

       The Trust maintains a list of software that may be purchased. Any non-
       standard items require the approval of the I.T Support Manager.

5.1    Non Trust Purchased Software

       Personally owned software or educationally required software is only to be
       used following a request to the IT Services Dept and subsequent approval
       being given, after investigation into whether the licensing requirements
       can be met and whether the hardware on which it is to be installed is suitable
       to run the software. Approval will be required from the I.T Support Manager.

       Please note – if approval is given for personally owned software to be
       installed, the software is still to be installed by IT Services and all software
       media is subject to Trust anti-virus checks.

       It is a breach of the Trust IT Security Policy for a user to install software
       without the knowledge of the IT Services Dept.




6      Maintenance

6.1    Hardware Maintenance
       As a minimum, all Desktop PC equipment must be supplied with three years'
       next business day on-site warranty. It is at the department's own discretion to
       decide whether or not to purchase maintenance on printers.

6.2    Software Maintenance
       It is the Trust's policy that software be kept at the most current major version
       applicable in order to provide training and support in the most cost effective
       way.




7      Receipting & Installation Procedures

All requests for IT equipment must be authorised and pursued by IT Services
as specified in Section 3 of this document.

7.1    Personal Computers (PCs) and Printers
7.1.1 On receipt of the equipment, the contents will be removed and checked for
      any obvious damage. If any damage is evident, the goods will be returned
      and a request for replacement goods made. If the above causes an
      unsatisfactory delay in the receipt and/or installation of the goods, the
      customer will be informed.

7.1.2 The equipment will be configured and tested within the IT Services
      Department.

       The actual specification of the goods will be checked on arrival against:

       1)     The technical specification received with the goods, and
       2)     The original order and requisition.

       If there are any discrepancies, a member of the IT Services Department will
       liaise with the Procurement Department and, if necessary, the suppliers, and
       will subsequently organise for the correct goods to be despatched as soon as
       possible.

7.1.3 A copy of the delivery note will be retained by IT Services for reference and a
      record of the hardware will also be stored in a database for the purposes of
      ongoing support and maintenance.

7.1.4 It may be necessary to test the equipment before final installation takes place
      (e.g. any equipment that has recently been repaired by an outside firm may
      require soak testing).

7.1.5 All appropriate MS-Windows and network files will be installed under the
      relevant default install directory path.

7.1.6 Configuration and testing of the Network Interface Card will be carried out as
      necessary.

7.1.7 If required, any system or application software will be installed and tested.
      (See Section 7.2).

7.1.8 Appropriate arrangements to deliver and install the goods on-site, will be
      made with the user or person who initiated the original requisition, whichever
      is appropriate.

7.1.9 The user will be given limited instruction on the use of the hardware.
      Information required for more detailed training can be obtained from the
      Training and Education Centre.


7.1.10 In all instances the user should contact the relevant IT Services Dept for
       support and assistance via their IT Servicedesk on 01207 584340.

7.2    System and Application Software

7.2.1 Working copies of system and application software must always be made
      and subsequently used for the installation. A record of the product, user,
      department, document path and serial number will be kept by the IT Services
      Department in the HP Openview Servicedesk software.

7.2.2 The original disks / CDs are to be kept in the IT Services Department.

7.2.3 Prior to installation the PC system requirements of the software package will
      be validated against the hardware specification. This is to ensure, for
      example, that the customer has sufficient hard disk space and memory
      available for the software to run efficiently. If the system requirements of the
      software are not satisfied, it will be due to:

       a.     Lack of hard disk space. This may be caused by poor hard disk
              management, e.g. where redundant program and data files occupy the
              hard disk drive unnecessarily. If this is the case the user will be
              informed about corrective disk management and encouraged to delete
              files and/or copy files to floppy disk.

       b.     Insufficient memory. The user will be informed of the problem and
              advice will be given.

       NB.    Until the above procedures are completed the package cannot be
              installed.

7.2.4 The IT Services Department will take responsibility for installing and testing
      the product(s). If applicable, any automatic file saving options will be selected
      and set to a maximum of 10 minutes.

       NB.    Where possible, all system and application software will be
              installed within the IT Services Department, prior to arranging on-
              site installation.

7.2.5 Where application software is to be installed, data directories will be created
      and users encouraged to store their data in these directories. Simple
      instruction of directory structures will be given, if necessary.

7.2.6 Documents/data created by the Office Application will be stored/saved on a
      mapped network drive in the relevant Trust network location.

7.2.7 Appropriate arrangements to deliver and install the software on-site, will be
      made with the user or person who initiated the original requisition, whichever
      is appropriate.

7.2.8 The user will be given limited instruction on the use of the software.


7.2.9 In all instances the user should contact the relevant IT Services Dept for
      support and assistance via their local IT Servicedesk on 01207 584340.

7.3    Upgrades
       Prior to the upgrade, previous versions of software will be copied to network,
       tape or CD for the purposes of maintaining security. These actions will be
       carried out by the IT Services Department and all security copies will be
       retained by IT Services for a period of six months.

7.4    Bespoke / Specialist Application Software
7.4.1 For bespoke and / or specialist application software, a project plan will be
      required and will follow the PRINCE Project Management methodology.

7.4.2 All media must be checked for viruses.

       NB.    This statement also applies to all system and application
              software, and ALL data disks that are distributed between
              systems. A security policy, including a section on virus
              protection, is available.




7.5    Networks

       Advice should be sought from the ICT Network Manager.

7.6    Other Peripheral Devices (e.g. modems, scanners, CD-ROMs etc.)

       Advice should be sought from the IT Support Manager.




Appendix 1




         Third Party Confidentiality Agreement – County Durham and Darlington NHS Foundation
         Trust
                                         (The “Trust”)
To:

Date:

This document is with reference to the disclosure of information (the “Information”)
by the Trust to you (the “Recipient”) which shall mean: -


__________________________________________________________________________
The Information being disclosed to you in relation to: -


__________________________________________________________________________
To enable you to:


__________________________________________________________________________
(the “Purpose”)

1. UNDERTAKING
   In consideration of the Trust disclosing the Information to the Recipient, the
   Recipient hereby undertakes:-

      1.1. To use the Information so disclosed solely for the Purpose

      1.2. To keep and maintain confidential, at all times, all the Information disclosed
           to it and not to disclose the same to any third party other than to such of its
           employees, directors, shareholders and professional advisers to whom it is
           reasonably necessary to do so for the Purpose and to procure that all such
           persons are bound to the Trust in terms mutatis mutandis to the provisions of
           this Agreement; and

      1.3. To return to the Trust all Information, and copies of such, in tangible form
           including any notes or analyses prepared by the Recipient incorporating the
           Information, or at the Trust's option to certify to the Trust that the same have
           been destroyed immediately upon request by the Trust;

      1.4. To comply with any legislative requirements (for example the Data Protection
           Act) in respect of the Information and not to transfer any data outside the
           EEA.


2. EXCEPTIONS
   The foregoing restrictions on the Recipient in clause 1 shall not apply to any of
   the Information which:

   2.1. Is, at the time of disclosure, demonstrably within the public domain;

   2.2. Is demonstrably lawfully within the Recipient's possession prior to the
        disclosure by the Trust;

   2.3. After disclosure enters the public domain, other than by default of the
        Recipient;

   2.4. Is acquired by the Recipient from a third party who has the legal right to
        transfer the Information to the Recipient free from restrictions or obligations
        of confidentiality;

   2.5. The Recipient is required to disclose by law or the rules of any competent
        regulatory authority (e.g. The Stock Exchange).

3. REMEDIES

   3.1. The Recipient shall notify the Trust in writing immediately any breach of any
      of the obligations hereunder comes to its notice and will take all and any
      corrective action as may reasonably be required by the Trust.

   3.2. Without prejudice to any other rights and remedies the Trust may have, the
      parties hereto acknowledge that in the event that any items of this agreement
      are breached, damages will be an insufficient remedy and the Trust shall be
      entitled to apply for an injunction or other equitable relief for any actual or
      threatened breach of the terms of this letter.

   3.3. The Recipient shall indemnify, keep indemnified and hold harmless the Trust
      against any claim, loss, damage, cost or expense (including without limitation
      legal costs on an indemnity basis) which the Trust receives, incurs, suffers or
      becomes liable for as a result of the Recipient's breach of the terms of this
      letter.

   3.4. The Recipient shall maintain with a reputable insurer comprehensive
      insurance cover against its full liability under paragraph 3.3 above. Such
      insurance cover shall be in the minimum sum of [£5 million] in respect of any
      one incident. The Recipient shall produce to the Trust upon request
      documentary evidence that such insurance is properly maintained.

4.    ACKNOWLEDGEMENTS
The Recipient acknowledges that:

   4.1. Nothing in this agreement is meant to transfer to the Recipient any
      ownership, right in or license to use the Information other than as necessary
      for the purpose;

   4.2. The Trust makes no representation or warranty nor assumes any
      responsibility, whether express or implied, in relation to the use of the
      Information, its contents or accuracy, except that it is the owner of or entitled to
      use the Information.

5. LAW
   The agreement shall be governed by English Law and the parties hereto agree to
   submit to the exclusive jurisdiction of the English courts.

6. TIME LIMIT
   The terms of and obligations under this agreement shall come into force with
   effect from the date of the first transfer of Information to the Recipient and shall
   continue in force [for a period of 1 year thereafter] [thereafter unless and
   until the Information falls within one of the exceptions within clause 2
   above].


Signed by:____________________________________


Signature:____________________________________

For and on behalf of County Durham and Darlington Foundation Trust


I/We acknowledge receipt of the confidentiality letter agreement dated [                  ]
and agree to be bound by its terms.


Signed by:____________________________________


Signature:____________________________________

For and on behalf of [                  ] (the “Recipient”)




Appendix 2

                           Data Processor Agreement

County Durham and Darlington NHS Foundation Trust (the “Trust”)

To:

Date:

Under the Data Protection Act 1998 (the “Act”), the Trust is required to put in place
an agreement in writing with any organisation which processes personal data on its
behalf, governing the processing of those data.

This document is with reference to the disclosure of personal data to:

_____________________________________________________________________
(the “Data Processor”)

The Data Processor has agreed to process the following personal data (the
'Personal Data') on behalf of the Trust:

_____________________________________________________________________
(the “Personal Data”)


The Data Processor will be permitted to process the Personal Data on behalf of the
Trust for the following purposes:

_____________________________________________________________________
(the “Permitted Purposes”)

1.      Undertakings

        In consideration of the sum of [£1] now paid by the Trust to the Data
        Processor (the receipt of which is hereby acknowledged), the Data Processor
        agrees that it shall:

        1.1.   process the Personal Data solely for the Permitted Purposes and in accordance
               with the terms of this letter and the Trust’s instructions from time to time;

        1.2.   take appropriate technical and organisational measures against the
               unauthorised or unlawful processing of the Personal Data and against the
               accidental loss or destruction of, or damage to, the Personal Data (including
               adequate back up procedures and disaster recovery systems);

       1.3.    ensure that only such of its employees who may reasonably require access to
               the Personal Data for the Permitted Purposes shall have access to the Personal
               Data;

       1.4.    ensure that all employees who are permitted to access the Personal Data have
               undergone training in the law of data protection and in the care and handling
               of Personal Data;

       1.5.    process the Personal Data only in accordance with the Act and the laws of the
               United Kingdom;

       1.6.    assist the Trust promptly with all subject access requests which may be
               received from individuals who are the subject of the Personal Data ('Data
               Subjects');

       1.7.    not disclose the Personal Data to a third party in any circumstances other than
               at the specific request of the Trust or as otherwise specified in this letter;

       1.8.    promptly carry out any request from the Trust requiring the Data Processor to
               amend, transfer or delete all or any part of the Personal Data;

       1.9.    notify the Trust immediately upon receiving any notice or communication
               from any supervisory or government body which relates directly or indirectly
               to the processing of the Personal Data;

       1.10.   if requested in writing by the Trust from time to time, provide to the Trust
               such copies of the Personal Data in the format and on the media reasonably
               specified by the Trust and/or delete or destroy all copies of the Personal Data
               in its possession custody or control as the Trust shall direct;

       1.11.   if any Personal Data in the possession or control of the Data Processor become
               lost, corrupted or rendered unusable for any reason, promptly restore such
               Personal Data using its back up and/or disaster recovery procedures at no cost
               to the Trust; and

       1.12.   not transfer any Personal Data outside the European Economic Area unless
               authorised in writing to do so by the Trust.

2.     Fair Processing Notices

       If the Data Processor is required to collect any Personal Data on behalf of the
       Trust, it shall ensure that it provides the individuals from whom the Personal
       Data are collected with such data protection notices in such form as the Trust
       may specify. The Data Processor agrees not to modify or alter such data
       protection notices in any way without the prior written consent of the Trust.


3.     Audit

       The Data Processor will allow its data processing facilities, procedures and
       documentation which relate to the processing of the Personal Data to be
       scrutinised by the auditors of the Trust and/or the Trust's employees or
       agents, in order to ascertain compliance with the terms of this letter.

4.     Proprietary Rights

       The Data Processor acknowledges and agrees that (unless otherwise agreed
       in writing) the Trust retains all rights, title and interest in the Personal Data,
       including any copyright and database rights and that if the Data Processor
       creates any intellectual property rights in the course of processing the
       Personal Data for the Permitted Purposes the Data Processor hereby assigns
       such intellectual property rights to the Trust with full title guarantee, free from
       third party rights and for the full term during which those rights and any
       renewals or extensions subsist.

5.     Remedies

       Without prejudice to any other rights and remedies the Trust may have, the Data
       Processor agrees that damages may not be an adequate remedy for any breach of the
       terms of this letter. Accordingly, the Data Processor agrees that the Trust shall be
       entitled to the remedies of an injunction and other equitable relief for any actual or
       threatened breach of the terms of this letter.

6.     Indemnity

       "The Data Processor shall indemnify, keep indemnified and hold
       harmless the Trust up to a level of £1,000,000 per incident against
       any claims, loss, damage, cost or expense (including without
       limitation legal costs on an indemnity basis) which the Trust
       receives, incurs, suffers or becomes liable for as a result of the Data
       Processor's breach of the terms of this letter."

7.     Insurance

       The Data Processor shall maintain with a reputable insurer comprehensive
       insurance cover against its full liability under paragraph 6 of this letter. Such
       insurance cover shall be in the minimum sum of [£5 million] in respect of any
       one incident. The Data Processor shall produce to the Trust upon request
       documentary evidence that such insurance is properly maintained.




8.     Law

       This letter shall be governed by and construed in accordance with English law
       and each party hereby submits to the non-exclusive jurisdiction of the English
       courts.


Signed by: _______________________________


Signature: _______________________________


For and on behalf of County Durham and Darlington NHS Foundation Trust



I/ We acknowledge receipt of the Data Processor Agreement set out in the above
letter and agree to be bound by its terms:

Signed by: _______________________________


Signature: _______________________________


For and on behalf of _________________________________ (the “Data
Processor”)




Appendix 3




       Information Governance Guidance for
                                  Projects
                               Version 2.0, March 2008




                                    Information Governance Guidance for Projects


Purpose of this document

This guidance is intended to aid project managers and all stakeholders to ensure
that the relevant Information Governance requirements are identified, addressed
appropriately, and can be demonstrated at go-live approval.

Distribution            Project Managers, HIG LT.
Further copies from     Information Governance Department
Document Reference      IG Guidance Project checklist v2.0

Version Control

Version        Release        Author                                   Update comments
1.0 - DRAFT    June 2007      Lisa Wilson – Head of Information        Approved By:
                              Governance & IT Security
2.0 Draft      March 08       Lisa Wilson – Head of Information        Approved By:
                              Governance & IT Security
3.0 Approved   September 08   Lisa Wilson – Head of Information        Approved by: HIG LT
                              Governance & IT Security

Introduction

All projects undertaken within County Durham and Darlington Foundation NHS Trust
that involve the use of either patient or staff identifiable information or electronic
systems need to consider Information Governance standards and requirements.

As Information Governance is huge in scope, and organisations should already have
in place plans to address the initiatives listed in the Information Governance Toolkit,
it is certainly not intended that projects take on direct management of these.
However there will be Information Governance requirements that are essential to the
delivery of individual projects. Some of these may arise as components specific to a
given deployment type (e.g. data migration; alert handling in the Single Assessment
Process), or they may be strategic developments required to underpin all or many
projects (e.g. establishment of Registration Authorities).
This guidance is intended to aid project managers and all stakeholders to ensure
that the relevant Information Governance requirements are identified, addressed
appropriately, and can be demonstrated at go-live approval.


Usage

It is suggested that the guidance is used as follows:
     1. It should be presented to stakeholders at an early stage in a project to assist
          in the development of the PID. Information Governance should be involved at
          an early stage to provide support for project managers.
     2. As an aid to project managers it should help them identify
               a. project-specific Information Governance deliverables to be included
                     within the formal scope of a project, and
               b. strategic Information Governance requirements requiring management
                     input or monitoring as external dependencies.
     3. Project managers to amend the guidance sheet to record specific
          deliverables and actions – include guidance sheet with action plan as
          appendix to PID.
     4. In this way the Project Board can ensure that there is clarity over
          responsibility for IG components.



Rev 3.0 Sept 08                                                   14/11/2011                                             Page 1 of 47

     5. Guidance and supporting documents are available from a number of sources.
     6. Information Governance leads will be able to locate the most up to date
          references.





Information Governance Requirements Checklist

Columns: Governance Area | Guidance | Summary Action Plan | [Enter Project]: PID (in Scope / Ext Dep) | Date Addressed

1. Information Governance Management

   1.1 Has a member of the Project Board / Project Team been allocated
       responsibility for ensuring compliance with Information Governance and
       contacted the Information Governance Service to ensure that they are aware
       of the project and to ensure that the project has access to the latest
       up-to-date guidance?

   1.2 Evidence that responsibilities for Information Governance, both during and
       post project, have been clearly established and where appropriate included
       within job descriptions.

   1.3 Evidence that training on Information Governance responsibilities has been
       provided to all end users.
       Summary Action Plan: IG Awareness Training

   1.4 Have proposed actions to resolve issues been approved by appropriate
       organisational / community-wide groups (e.g. Infrastructure Group,
       Information Governance Group)?

2. Data Protection & Confidentiality Code of Practice

   2.1 Evidence that new systems / processes are compliant with the requirements
       of the Data Protection Act 1998, and all aspects of the NHS Confidentiality
       Code of Practice have been considered.
       Summary Action Plan: Fair processing, DP notification changes?

   2.2 Evidence that where appropriate and required, systems and processes are
       able to provide an enhanced level of confidentiality and restrictions on
       access. For example, the Gender Recognition Act 2004 requires that
       information pertaining to the reassignment of a person's gender is given a
       higher level of protection and restrictions on access.

   2.3 Evidence that confidentiality audit procedures have been established.

   2.4 Alert Handling Procedures established.
       Summary Action Plan: If NPfIT Guidance from CfH??

   2.4 Evidence that new processes/systems are compliant with existing
       information sharing protocols, or where appropriate protocols have been
       revised or new protocols created.
       Summary Action Plan: Template protocol

   2.5 Evidence that appropriate consent and client information provision is in
       place and adheres to NHS guidance and legislation.
       Summary Action Plan: Patient leaflets/posters

   2.6 Evidence that all end users have been made aware of the NHS and
       organisational confidentiality codes of practice and are aware of their
       responsibilities.

3. Information Security

   3.1 Evidence that the organisation's Information Governance Policy is being
       adhered to. Policy will be reviewed in light of new registration processes,
       with reference to the Acceptable Use Policy.

   3.2 Stakeholders aware of their responsibilities; where appropriate,
       Information Governance Policies/Acceptable Use Policy endorsed by
       committees representing subsidiary organisations (e.g. for PCTs, local GP
       committee).
       Summary Action Plan: Local Information Security Policies, Codes of Practice

   3.3 Adoption of Good Practice Guidelines which underpin the Statement of
       Compliance/Code of Connection.

   3.4 Evidence that Information Security responsibilities have been
       appropriately allocated and included within job descriptions.




3.5 Evidence that support and maintenance contracts contain appropriate confidentiality or non-disclosure statements.

3.6 Evidence that ownership of assets has been established and that new systems have been added to organisational asset registers.

3.7 Evidence that appropriate physical and environmental security measures have been implemented and documented.
    Summary Action Plan: SSSPs, BCPs, DR & risk assessment

3.8 Evidence that appropriate system operating procedures have been established and documented.
    Summary Action Plan: SOPs

3.9 Evidence that appropriate controls have been established to ensure systems and processes are adequately protected against malicious and mobile code.

3.10 Evidence that appropriate procedures have been established for information back-up.

3.11 Evidence that the System Security Sign-Off document has been completed (located at the end of this document).

3.12 Evidence that end users have been made aware of relevant organisational Information Governance policies and procedures, for example covering the management of removable media etc.

3.13 Evidence that appropriate access controls have been established for new systems.

3.14 Evidence that appropriate user registration and privilege management controls have been established. For CfH projects Registration Authority Procedures will be used.
    Summary Action Plan: RBAC




3.15 Evidence that end users have received appropriate training on maintaining the security of systems and their legal responsibilities.

3.16 Evidence that appropriate business continuity and disaster recovery procedures have been established and tested.

4. Information Quality Assurance and Data Migration

4.1 Specification of dataset to be migrated, taking into account IQAP quality requirements and guidance on migration population.
    Summary Action Plan: IQAP Guidance

4.2 For this dataset, statistical evidence of adherence to relevant IQAP quality measures e.g. NHS Number population at time of extract.
    Summary Action Plan: Guidance on Active Patients

4.3 Data mapping specification listing field value translations, validation rules to ensure compliance with NHS Data Dictionary requirements, and locally implemented standards.

4.4 Satisfactory statistical comparison from 4.3.

4.5 Established process to reconcile data in IFF format against source data.

4.6 Established process to reconcile loaded data against input IFF. Ideally this should be an automated and comprehensive field by field analysis, rather than manual sampling.

4.7 Established process to carry out 45 day approval. As for 4.6, this should be an automated and comprehensive field by field analysis, rather than manual sampling.




4.8 Application training adequately addresses data quality.

4.9 Current Data Quality Management Processes are updated for ongoing use of and access to NHS CRS where appropriate.

5. Freedom Of Information & Records Management

5.1 Evidence that new non-clinical systems have the ability to track the movement of records and allow records to be referenced, titled, indexed and where appropriate security marked.

5.2 Evidence that systems & processes are compliant with the organisation's Records Management Strategy, Records Management Policy and NHS Records Management Code of Practice 2006.

6. Registration Authority

6.1 Registration Authority (RA) Policy and Procedures approved by the Trust Board.

6.2 Where appropriate, RA Policy and Procedures formally endorsed by committees representing subsidiary organisations (e.g. for PCTs, local GP Committee).

6.3 Service Level Agreement in place with third party non-NHS organisations for provision of RA Services.

6.4 Provisions for sponsorship, registration and de-registration of LSP and contractor staff are documented.

6.5 NE Cluster RA checklist completed to acceptable standard.




7. Third Party Arrangements

All Third Party Contracts should contain the following (7.1 – 7.8):

7.1 The Trust's Information Security Policy and applicable supporting policies, e.g.
    Access Control agreements
    Anti Virus Procedure

7.2 That the Trust reserves the right to monitor Third party user activity and revoke their access if it is misused or in breach of DPA & Confidentiality.

7.3 A requirement for the Third party to maintain an up-to-date list of users and privileges.

7.4 A description of the services / system to be supplied (i.e. the OBS).

7.5 The target level of service and a definition of unacceptable service.
    Summary Action Plan: Look at average in other Contracts

7.6 Verifiable performance criteria.
    Summary Action Plan: Check average in other contracts




7.7 Copyright protection or Escrow arrangements.
    Summary Action Plan: Escrow Risk Assessment document

7.8 The right to audit the Third party (either by the Trust or other Third Party e.g. DATAC).
    Summary Action Plan: Build into the Trust audit requirements








                                        System Security Sign-Off

System name                            _____________________________

System Manager                         _____________________________

Information Governance Representative  _____________________________

Proposed Live Date                     _____________________________

HARDWARE

Area                                                                                               Date

Hardware level passwords applied

Passwords recorded


OPERATING SYSTEM

Area                                                                                               Date

Account restrictions / password controls applied

File restrictions applied

Administrator account renamed (where appropriate)

Guest accounts disabled

Auditing configured

Additional protocols / services / modules removed

User profiles applied (where appropriate)

Login script breakout keys tested

Legal notice applied




APPLICATION


Area                                                                                               Date

Account restrictions / password controls applied

Default file restrictions applied

Guest accounts disabled

Auditing/Alert Handling configured

Legal notice applied

Breakout keys tested

Users trained




DOCUMENTATION

Area                                                                                               Date

Third Party Contract Information

System accounts / administrative users

User accounts

Group accounts                                                                                     n/a

Security monitoring procedures

Standard Operating Procedures / Housekeeping

User procedures

System Specific Security Policy

Risk Assessment

Business Continuity

Disaster Recovery Plan

Information Sharing Protocols

Data Transfer Documentation







APPENDIX 4: EQUALITY ASSESSMENT TOOL
(To be completed and attached to Policy and Guidance documents when submitted for
approval to the appropriate Committee)

                    County Durham and Darlington Foundation NHS Trust

                                EQUALITY IMPACT ASSESSMENT TOOL

                Why do we need to conduct Equality Impact Assessments?

Are we missing something or someone in the way we carry out our services? We
must assess how effective all of our policies and functions are for all of our service
users and employees on a continuous basis. Sometimes we may not relate to the
impact on a certain group of people, whether of a different gender, race or whether a
person has a disability. We may have historically reviewed a process by thinking
“this is the way it has always been done”, “if it's OK for us, it's OK for everyone” or
“we have had very few complaints” but legislation now requires a different approach.
As a result, in particular, of the Disability Discrimination Act (1995) and Race
Relations (Amendment) Act 2000, the Trust is legally obliged to demonstrate how we
impact assess our policies and functions to promote equality of opportunity.

Within each service, functions, policies and procedures must be assessed to identify
existing or potential discrimination and inequality. This includes the full range of
formal and informal decisions and processes as well as 'custom and practice', which
may have no written guidelines, but could have a major impact on service users,
communities or employees.

Impact assessments should also identify areas of good practice and can be used as
a method of sharing good practice, with colleagues and external stakeholders.

It is important to remember that the impact assessment process is not an end in
itself; the primary aim is to ensure and promote equality and diversity within service
delivery and employment.

Those policies, procedures or functions with the highest risk of negative impact on
the public or employees must be prioritised and assessed first.

Please complete the following checklist for each Policy, Procedure and
Function you have responsibility for, to identify if any of your policies,
procedures or functions have a discriminatory impact on service delivery or
employment.

If you have identified a potential discriminatory impact of the Policy, Procedure
or Function by answering 'Yes' to Questions 1, 2, 3, or 4, please refer it to the
Trust's Equality and Diversity Advisory Group (EDAG), together with any
suggestions you have as to the action required to avoid or reduce this
negative impact. You can contact EDAG via the Personnel Department.

For further advice in respect of answering any of the questions in the checklist,
please contact the Head of Operational Personnel.



                          EQUALITY IMPACT ASSESSMENT TOOL

Name of Policy, Procedure or Function: CDDFT IT Procurement and Implementation Policy
Department / Directorate: Health Informatics IT
Associate Director of NCRS & IT

1. Could the policy, procedure or function affect people differently in terms of their:        Yes / No
      Disability (please note that this includes long-term illnesses)                          No
      Race                                                                                     Yes
      Religious Belief                                                                         Yes
      Gender                                                                                   No
      Sexual Orientation                                                                       Yes
      Age                                                                                      No
2. Does it influence relations between any different groups in the above categories?           No
3. Could some groups be affected differently?                                                  No
If you answered yes to any of the above questions, please answer the following questions. If not, please proceed to Question 4.
      Is there any evidence that some groups are affected differently?                         No
      If not, do you need to gather evidence?                                                  No
4. Is the impact of the policy, procedure or function likely to be negative on any group?      No
If you answered yes to Question 4, please answer the following questions.
      Can the negative impact be avoided in any way?
      Is it unlawful?
      Can it be reasonably justified?
      What alternatives are there to delivering the policy, procedure or function without the impact?
      Can you reduce the impact by taking different action?
Completed by Head of IG & IT Security                                    Date 10/10/07
This checklist is an Appendix of the Trust's 'Policy for Developing and Approving Policies and Other Guidance Documents (Clinical and Non-Clinical)'.





APPENDIX 2: DISSEMINATION PLAN
(To be completed and attached to Policy and Guidance documents when
submitted to the Committee approving this document)

Policy or Guidance (P&G) Title: CDDFT IT procurement and implementation Policy

Date finalized: October 2007
Dissemination Lead (contact details): Associate Director of NCRS & IT

Previous P&G already being used? Yes
If yes, in what format and where? Intranet site IG pages

Proposed action to retrieve expired copies of P&G: delete old copy and retain. Upload new.

To be disseminated to   How will it be disseminated, who will do it and when?   Paper or electronic   Comments
Full trust              Intranet site news page                                 Electronic
Full trust              Email trust bulletin                                    Electronic
Full trust              IG Intranet site                                        Electronic

Dissemination Record – to be used once Policy or Guideline Approved

Date uploaded onto the Trust's Intranet: 31/10/07.

Disseminated To (either directly or via meetings, etc)   Format (i.e. paper or electronic)   Date disseminated   No of copies sent   Contact Details / Comments
ISC                                                      Paper and electronic                23/10/07            Full attendees




General comments:



