DHID_AQP Template_IG Workplan by hedongchenchen

[Insert name of organisation] Information Governance workplan

| Requirement No. | Enter Initial IGT level | Requirement | Purpose | Work to be done to progress to next level | Knowledgebase resources available | Enter Target IGT level |
|---|---|---|---|---|---|---|
| 140 | | Responsibility for Information Governance has been assigned to an appropriate member, or members, of staff | To ensure that all staff are able to access guidance in the event of IG issues, problems and queries. | Nominate who is going to be IG lead. This person needs to be IG aware and ideally have undertaken some IG training, e.g. via the IG Training Tool. | IG lead responsibilities - see template IG policy | |
| 141 | | There is an information governance policy that addresses the overall requirements of information governance | To demonstrate the organisation's commitment to handling patients' information within the law and professional code of conduct. To make all staff aware of the policy and underpinning procedures. | Document an IG policy. To ensure your staff are fully aware of the do's & don'ts of your policy and procedures, consider supplying them with a copy. Ensure staff sign a declaration form confirming that they have read and understand materials issued to them. | Template IG policy; Template staff declaration form | |
| 142 | | All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities | Under the DPA 1998, a data controller (the organisation) must take reasonable steps to ensure the reliability of any employees or third parties that have access to personal data. A contract clause should explicitly and unambiguously state the obligation to keep patient information confidential, otherwise the organisation may have little or no defence in the event of an accidental or intentional breach by a member of staff or contractor. | Check all your staff contracts to ensure they contain the relevant clause. If not, you could adapt the one-page confidentiality agreement and ask all your staff to sign. This can then be added as an appendix to their contract. Where necessary, you should check your contracts with third party contractors that are able to access confidential personal information, e.g. IT system suppliers. | Template confidentiality agreement for staff | |
| 143 | | All staff members are provided with appropriate training on information governance requirements | To assist organisations to ensure their staff are adequately informed of their responsibility to keep patient information confidential, secure, accurate and up to date. It supports the requirement for confidentiality clauses in contracts (Req 142). | Organisations should ensure their staff receive appropriate training; what is considered to be appropriate is likely to differ depending on the work a staff member is doing. There is an online IG Training Tool which organisations may wish to access, though there is no obligation to do so. | Access the online IGTT at: www.connectingforhealth.nhs.uk/igtrainingtool | |
| 240 | | All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines | To ensure that organisations are aware of who is processing person identifiable data overseas and consider the legal implications when entering into a contract for data processing. | Use information gathered for requirement 241 to identify any overseas processing. If you use third party contractors, you need to check where they are processing your data. | Template Information Mapping Spreadsheet | |
| 241 | | All transfers of personal and sensitive information are conducted in a secure and confidential manner | To maintain the security and confidentiality of patient information during transfers and transport of records, correspondence, faxes, e-mail, telephone messages, and other communications. | Identify who you share confidential information with. Ensure procedures for secure transfer are included in the document produced. | Template information handling procedure including guidelines for staff; Template compliance monitoring form; Template staff declaration form; Template Information Mapping Spreadsheet | |
| 242 | | Consent is appropriately sought before personal information is used in ways that do not directly contribute to the delivery of care services and objections to the disclosure of confidential personal information are appropriately respected | To ensure the organisation has procedures in place to gain specific informed consent or some other legal basis to use patient information for a secondary purpose. | Ensure procedures are contained within your code of conduct or equivalent document referred to in requirement 244. Ensure staff have read and understood the document. | Template staff declaration form | |
| 243 | | There is a publicly available and easy to understand patient information leaflet that informs patients how their information is used, who may have access to that information, and their own rights to see and obtain copies of their records | To assist organisations to comply with the Data Protection Act 1998 provisions and contractual obligations to ensure patients are effectively informed about the use of their information. | Document a patient information leaflet and ensure it is available to patients, e.g. in reception, sent with appointment letters. Ensure your staff are adequately informed about the leaflet so they can either assist with patient queries or know where to obtain advice. | Template leaflet | |
| 244 | | There is a confidentiality code of conduct that provides staff with clear guidance on the disclosure of personal information | To provide guidance to staff regarding individual responsibility for safeguarding and preserving confidentiality and information security to assist the organisation to ensure their organisational duty is met. | Document a code of conduct. Alternatively, the practice can adopt the Confidentiality NHS Code of Practice and issue staff with organisation-specific information about handling patient information and ensure that they read and understand the obligations around the disclosure of information. | Template code of conduct, including guidelines for staff on disclosure; Confidentiality NHS Code of Practice | |
| 360 | | Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use | This requirement is only relevant to those organisations that require access to NHS CFH products and services such as: the Summary Care Record; Choose and Book; Personal Demographics Service, etc. Its purpose is to establish a baseline of good practice and monitoring to ensure staff comply with the conditions set out in the RA01 form. | All staff with NHS CFH smartcards must be issued with the RA01 leaflet which sets out the terms & conditions of use. The organisation will need to inform staff that compliance monitoring will be carried out. | Template compliance monitoring form; Template staff declaration form | |
| 361 | | There is an information asset register that includes all key information, software, hardware and services | To enable the organisation to locate and track all its information assets and ensure that appropriate protection is maintained. | Record your organisation's assets in a simple register. | Template information asset register | |
| 362 | | Unauthorised access to the premises, equipment, records and other assets is prevented | To ensure that organisational assets (premises, equipment and information) and staff are protected by physical security measures. Staff should be encouraged to feed back to the responsible person any potential risks they identify in the course of their duties. | Assess the physical security of your organisation. Where necessary put in place measures to delay and prevent unauthorised access and to detect attempted or actual unauthorised access. Ensure your staff know what to do in the event that unauthorised access does occur. | Template physical security risk assessment and action plan; Template incident reporting form; Template incident register | |
| 363 | | The use of mobile computing systems is controlled, monitored and audited to ensure their correct operation and to prevent unauthorised access | To protect personal information held on the organisation’s mobile IT systems by ensuring that access is only available to authorised personnel. | Ensure you have a log of all staff issued with mobile computing equipment. Document procedures on the use of mobile computing devices and issue them to your staff. | Template mobile computing equipment asset log; Template staff guidelines on the use of mobile computing equipment; Template assignment of mobile computing equipment form | |
| 364 | | There are documented plans and procedures to support business continuity in the event of power failures, system failures, natural disasters and other disruptions | To ensure that the organisation is still able to carry out vital business processes in the event of a security failure or a disaster. To ensure all staff know what they need to do in the event of a security failure or disaster. | Carry out an assessment of the risks to all systems where information critical to the running of the organisation is held. In the first instance document the impacts on your organisation in the event of a security failure or disaster. This should be developed into a business continuity plan. | Template business impact analysis sheet; Template business continuity plan | |
| 365 | | There are documented incident management and reporting procedures | To ensure that where incidents occur, the damage from them is minimised and lessons are learnt from them. To ensure all staff know to report all incidents and near-misses so that they can be recorded and appropriately managed. | Allocate responsibility for managing information incidents and put procedures in place for the reporting and management of incidents. | Template incident management procedure including guidelines for staff; Template incident reporting form; Template incident register | |
| 366 | | There are appropriate procedures in place to manage access to computer-based information systems | To enable the organisation to effectively control access to information held on its computer systems and ensure that only authorised personnel have access to use and share information held within the systems the organisation manages. | Document a procedure to allocate and remove user accounts. Ensure you provide guidance to your staff to ensure they use the system appropriately. Monitor usage. | Template access control procedure including guidelines for staff; Template compliance monitoring form; Template staff declaration form | |
| 367 | | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely | To ensure that networks under the organisation's control appropriately protect the information communicated over the networks and also protect the supporting infrastructure (including wireless networks). | Allocate responsibility for managing ICT networks. Document a network security policy. Review security risks and implement appropriate measures to mitigate the risks. Monitor compliance and effectiveness. | Template Network Security Policy | |
| 430 | | Procedures are in place to ensure the accuracy of service user information on all systems and/or records that support the provision of care, support and advisory services | To ensure that all those involved in the care of an individual are able to rely on the accuracy of the available information in order to be able to provide timely and effective care for, or support or advice to that individual. | Document procedures for collecting and accurately recording service user information on all systems and/or records that support the provision of care, support and advice. Monitor compliance with the procedures. Ensure errors are identified, and appropriate corrections are made. | Template Records Management Procedures including record keeping guidance for staff; Exemplar about collecting service user information | |

Progress