IGTV4 REQUIREMENT CHANGE CONTROL - PCTs

| V4 Req No | V4 Initiative | Description | V3 Req No. and V3 Initiative |
|---|---|---|---|
| 101 | IG Management | Does the PCT have adequate governance in place to support the current and evolving Information Governance agenda? | 200 Confid CoP; 301 Information Quality Assurance/National Programme; 404 IG Management; 405 IG Management/National Programme; 411 Health Records; 412 Freedom of Information; 907 Data Protection; 5600 Information Security; 9001 Freedom of Information; 9400 IG Management |
| 102 | IG Management | How would you assess your PCT's ability to access expertise across the Confidentiality & Data Protection Assurance agenda? | 103 IG Management/National Programme; 407 Data Protection |
| 103 | IG Management | How would you assess your PCT's ability to access expertise across the Information Security agenda? | 102 Information Security/National Programme; 103 IG Management/National Programme |
| 104 | IG Management | How would you assess your Trust's ability to access expertise across the Information Quality and Records Management agenda? | 103 IG Management/National Programme; 408 Health Records |
| 105 | IG Management | Does the PCT have in place a comprehensive IG Policy and associated Strategy and Improvement Plans, all signed off by the Board? | 903 IG Management; 904 IG Management |
| 106 | IG Management | Does the PCT have up-to-date and tested business continuity plans for all critical infrastructure components and core information systems? | 602 Information Security/National Programme |
| 107 | IG Management | Does the PCT have a comprehensive, Board-endorsed Information Lifecycle Management Policy/Strategy and implementation plan? | 909 Freedom of Information; 7600 Health Records |
| 108 | IG Management | Has the SHA implemented its Information Governance management arrangements to ensure the NHS CFH Statement of Compliance (SoC) is satisfied? | NEW |
| 109 | IG Management | Does the Trust ensure that staff and those working on behalf of the Trust comply with the terms and conditions set out on the RA01 form? | NEW |
| 110 | IG Management | Does the PCT ensure that it has formal contractual arrangements that include compliance with information governance requirements, with all contractors and support organisations? | 5605 Confid CoP/Data Protection/Information Security |
| 111 | IG Management | Does the PCT ensure that all individuals carrying out work on behalf of the PCT have employment contracts which require compliance with information governance standards? | 5606 Confid CoP/Data Protection/Information Security/National Programme |
| 112 | IG Management | Do the PCT's staff induction procedures effectively raise the awareness of information governance? | 8601 IG Management |
| 113 | IG Management | Does the PCT assess staff training needs and ensure job/role specific information governance training is provided to all staff? | 8604 IG Management; 8605 IG Management; 8607 Health Records; 8900 Health Records |
| 201 | Confidentiality and Data Protection Assurance | Does the PCT have a Confidentiality Code of Conduct that provides staff with clear guidance on the disclosure of patient personal information? | 9100 Confid CoP; 9500 Confid CoP |
| 202 | Confidentiality and Data Protection Assurance | Does the PCT ensure that patients are generally asked before their personal information is used in ways that do not directly contribute to, or support the delivery of, their care, and that patients' decisions to restrict the disclosure of their personal information are appropriately respected? | 6504 Confid CoP/National Programme; 6505 Confid CoP |
| 203 | Confidentiality and Data Protection Assurance | Does the PCT ensure that patients are informed about the proposed uses of their personal information and the importance of providing accurate information to NHS staff? | 6700 Confid CoP/Data Protection/National Programme; 6701 Confid CoP/Data Protection |
| 204 | Confidentiality and Data Protection Assurance | Does the PCT have effective procedures for ensuring that detailed questions, raised by patients about how their information may be used, can be answered? | 6704 Confid CoP |
| 205 | Confidentiality and Data Protection Assurance | Does the PCT have appropriate procedures for recognising and responding to patient requests for access to their health records? | 8000 Data Protection/National Programme |
| 206 | Confidentiality and Data Protection Assurance | Has the PCT established appropriate confidentiality audit procedures in line with the requirements of the National Programme for IT? | 7309 Confid CoP/National Programme |
| 207 | Confidentiality and Data Protection Assurance | Has the PCT agreed protocols governing the sharing of patient-identifiable information with other organisations where this is required? | 6501 Confid CoP |
| 208 | Confidentiality and Data Protection Assurance | Has the PCT put in place safe-haven procedures for all routine flows of patient personal information to the organisation? | 7200 Confid CoP |
| 209 | Confidentiality and Data Protection Assurance | Does the PCT comply with data protection requirements in respect of transfers of personal data about patients or staff to countries outside of the EEA? | 6000 Data Protection |
| 210 | Confidentiality and Data Protection Assurance | Does the PCT ensure that all new processes, software and hardware comply with confidentiality and data protection requirements? | 5912 Data Protection |
| 301 | Information Security Assurance | Does the PCT have a formal information security risk assessment and management programme that is implemented and regularly reviewed? | 100 Information Security |
| 302 | Information Security Assurance | Does the PCT have documented and accessible information security event reporting, investigation and resolution procedures in place that are explained to staff? | 605 Information Security/National Programme; 9101 Information Security |
| 303 | Information Security Assurance | Has the PCT established business processes that ensure all staff smartcards and access profiles issued are appropriate and satisfy their obligations as RAs? | 5103 Information Security/National Programme |
| 305 | Information Security Assurance | Does the PCT ensure that the operating and application information systems under its control support appropriate access control functionality? | 2600 Information Security; 2802 Information Quality Assurance; 5100 Information Security |
| 306 | Information Security Assurance | Are there defined, documented and agreed access rights for all users of PCT information systems and services? | 5101 Information Security/National Programme; 5102 Information Security |
| 307 | Information Security Assurance | Has the PCT established a register of all its major information assets and assigned responsibility or 'ownership' for each? | 5608 Information Security |
| 308 | Information Security Assurance | Does the PCT ensure that digital information shared with other organisations is secured in transit? | 6506 Information Security |
| 309 | Information Security Assurance | Does the PCT have adequate procedures in place to ensure the availability of information processing facilities, communications services and data? | 7602 Information Security |
| 310 | Information Security Assurance | Does the PCT have procedures in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error? | 7604 Information Security |
| 311 | Information Security Assurance | Does the PCT ensure that its information systems are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code? | 4100 Information Security |
| 312 | Information Security Assurance | Does the PCT have in place appropriate procedures for ensuring that the development and introduction of any new local information systems, software, IT projects and, more generally, IT support activities are conducted in a secure and structured manner? | 4101 Health Records; 7605 Information Security |
| 313 | Information Security Assurance | Does the PCT have appropriate procedures in place to ensure that communication networks under the PCT's control operate in a secure manner? | 7608 Information Security |
| 314 | Information Security Assurance | Does the PCT have appropriate procedures for ensuring that mobile computing and teleworking are conducted in a secure manner? | 7609 Information Security |
| 401 | Clinical Information Assurance | Does the PCT have a strategy to ensure the correct NHS Number is recorded for each active patient and that it is used routinely in clinical communications? | 4301 Information Quality Assurance/National Programme; 5910 Health Records |
| 403 | Clinical Information Assurance | Does the PCT have PCT-wide, multi-professional audit of clinical record keeping standards, including accuracy, for all professional groups in all specialties? | 7300 Health Records/National Programme |
| 405 | Clinical Information Assurance | Does the PCT have robust procedures and processes for all data collection activities across the PCT? | 802 Information Quality Assurance; 803 Information Quality Assurance; 5800 Information Quality Assurance; 6301 Information Quality Assurance |
| 408 | Clinical Information Assurance | Does the PCT have procedures in place to ensure that when new services are provided, or where changes within the system are made, these do not adversely impact on information quality? | 911 Information Quality Assurance |
| 601 | Corporate Information Assurance | Does the PCT have documented and implemented procedures for the creation and filing of electronic corporate records to enable efficient retrieval and effective records management? | 4400 Freedom of Information; 4401 Freedom of Information |
| 602 | Corporate Information Assurance | Does the PCT have documented and implemented procedures for the creation, filing and tracking/tracing of paper corporate records to enable efficient retrieval and effective records management? | 7404 Freedom of Information; 7405 Freedom of Information |
| 603 | Corporate Information Assurance | Does the PCT have publicly available, documented and implemented procedures to ensure compliance with the FOI Act 2000? | 908 Freedom of Information; 6502 Freedom of Information; 6503 Freedom of Information |
| 604 | Corporate Information Assurance | Has the PCT carried out an audit of its corporate records and information as part of the records lifecycle management strategy? | 6900 Freedom of Information |
PRIMARY CARE TRUSTS - DELETED REQUIREMENTS

| V3 Req No | V3 Initiative | Description | Status |
|---|---|---|---|
| 604 | Freedom of Information | Does the PCT have documented procedures for the storage, closure, retention and disposal of documents and records? | Deleted for all organisations |
| 700 | Confid CoP | Does the PCT have a communications strategy for satisfying DPA fair processing requirements and supporting patient consent to use of their information for care purposes? | Deleted for all organisations |
| 804 | Information Quality Assurance | Does the PCT have formal documented arrangements for reviewing and validating all waiting lists to ensure that lists do not include patients who are no longer awaiting admission or appointment? | Deleted for all organisations |
| 4300 | Information Quality Assurance | Does the PCT ensure that NHS standard definitions, values and validation programmes are incorporated within key systems? | Deleted for PCTs |
| 4402 | Health Records | Does the PCT have a tracing/tracking system to control the movement and location of paper clinical/care records and which provides an auditable trail of record transactions? | Deleted for PCTs |
| 4403 | Health Records | Does the PCT have a computer-based clinical/care system(s) available to appropriate clinical/care staff with access to technical backup staff 24/7? | Deleted for all organisations |
| 5801 | Information Quality Assurance | Does the PCT have effective arrangements for updating local documentation as national data standards develop? | Deleted for PCTs |
| 5909 | Data Protection | Does the PCT have procedures in place to regularly review flows of patient personal information and justify the purposes served? | Deleted for all organisations |
| 5913 | Data Protection | Does the PCT comply with data protection requirements in respect of automated decision-making? | Deleted for all organisations |
| 6001 | Information Quality Assurance | Has the PCT submitted its Patient Care Datasets to ClearNET within the required national deadlines? | Deleted for all organisations |
| 6003 | Information Quality Assurance | Has the PCT submitted its Mental Health Minimum Dataset to ClearNET within the required national deadlines? | Deleted for PCTs |
| 6301 | Information Quality Assurance/National Programme | Does the PCT meet agreed processes and timescales for the correction of errors and omissions identified by validation or identified by internal users? | Deleted for PCTs |
| 6302 | Information Quality Assurance/National Programme | Does the PCT have procedures to ensure that staff routinely check information about patients with the source so that corrections are made as necessary to appropriate records? | Deleted for PCTs |
| 6303 | Information Quality Assurance | Does the PCT have documented procedures for analysing trends in information over time which ensure that large changes are investigated and explained? | Deleted for PCTs |
| 7302 | Information Quality Assurance/National Programme | Has the PCT had an external audit of clinical coding based on national standards within the last 12 months? | Deleted for PCTs |
| 7303 | Information Quality Assurance | Does the PCT have a documented procedure and a regular audit cycle for accuracy checks on patient data? | Deleted for PCTs |
| 7306 | Information Quality Assurance | Has the PCT completed and passed the Completeness and Validity check for data as detailed in the guidance document? | Deleted for PCTs |
| 7310 | Information Quality Assurance | Is the PCT involving clinical staff in validating information derived from the recording of clinical activity? | Deleted for PCTs |
| 7401 | Health Records | Does the PCT have processes in place to enable it to regularly monitor and measure availability of all clinical/care records? | Deleted for PCTs |
| 7402 | Health Records | Does the PCT ensure that copies of records from Accident and Emergency Departments, Minor Injury Units and Walk-in Centres are filed within the main record for patients who are subsequently admitted and, where patient consent has been obtained, there is a system to ensure that the GP, and Health Visitor and School Nurse for children, are sent a copy of the clinical/care record? | Deleted for PCTs |
| 7403 | Health Records | Does the PCT have paper clinical/care records of a standard design in each specialty within the PCT, combined with a locally agreed standard format for filing within clinical/care records? | Deleted for PCTs |
| 7406 | Health Records | Has the PCT ensured that its clinical/care records storage areas provide a safe working environment with adequate space and equipment to maintain operational efficiency? | Deleted for all organisations |
| 7603 | Information Security | Does the PCT have appropriate procedures and safeguards to physically protect areas where information processing facilities are housed and information/data are held? | Deleted for all organisations |
| 7606 | Health Records | Has the PCT ensured that the environment in all office and clinical/care record storage areas complies with all current, relevant health and safety legislation and fire regulations? | Deleted for all organisations |
| 7607 | Information Security | Does the PCT have appropriate procedures for preventing the compromise or theft of information, software or information processing equipment and media? | Deleted for all organisations |
| 8800 | Information Quality Assurance | Does the PCT have (or access) a formal, targeted training programme for all staff involved in the collection and management of patient-related data covering the operation of key systems? | Deleted for PCTs |
| 8802 | Information Quality Assurance | Does the PCT use training programmes for clinical coders that are comprehensive and cover clinical coding using national standard training materials? | Deleted for PCTs |
| Description (V3 requirement) | V3 requirements merged into the V4 requirement | Overall impact of changes (Major / Medium / Minor / No Change) |
|---|---|---|
| Does the PCT have an active management forum with public/patient representation that provides direction and visible support for initiatives relating to communicating with patients? | 200/301/404/405/411/412/907/5600/9001/9400 merged | Minor |
| Is responsibility for Information Quality Assurance allocated appropriately within the PCT? | 200/301/404/405/411/412/907/5600/9001/9400 merged | |
| Is there clearly defined Board level responsibility that includes performance monitoring for Information Governance and there are clear lines of accountability throughout the organisation leading to the Board? | 200/301/404/405/411/412/907/5600/9001/9400 merged | |
| Does the PCT have a senior manager appointed by the Chief Executive who is responsible for co-ordinating, publicising and monitoring implementation of the Information Governance Strategy and reporting on a regular basis to the Board? | 200/301/404/405/411/412/907/5600/9001/9400 merged | |
| Does the PCT have a Clinical/Care Records Committee accountable to the PCT Board, which makes decisions on policy matters and which includes representation by clinical representatives and the Clinical/Care Records Manager/Advisor and is linked appropriately to other Information Governance Groups? | 200/301/404/405/411/412/907/5600/9001/9400 merged | |
| Is responsibility for Freedom of Information allocated appropriately within the PCT? | 200/301/404/405/411/412/907/5600/9001/9400 merged | |
| Is the PCT's Data Protection notification to the Information Commissioner comprehensive and up to date? | 200/301/404/405/411/412/907/5600/9001/9400 merged | |
| Do the PCT's senior management monitor information security? | 200/301/404/405/411/412/907/5600/9001/9400 merged | |
| Does the PCT ensure that all staff members responsible for Freedom of Information receive appropriate training? | 200/301/404/405/411/412/907/5600/9001/9400 merged | |
| Have the PCT's Chief Executive and Board Members been briefed on Information Governance and are they effectively supported on the Information Governance work programme? | 200/301/404/405/411/412/907/9001/9400 merged | |
| Has the PCT ensured that it has appropriate access to expertise across all elements of Information Governance? | 103/407 merged (Confid CoP & Data Protection element) | Minor |
| Is responsibility for Data Protection allocated appropriately within the PCT? | 103/407 merged (Confid CoP & Data Protection element) | |
| Is responsibility for Information Security allocated appropriately within the PCT? | 102/103 merged (IS element) | Minor |
| Has the PCT ensured that it has appropriate access to expertise across all elements of Information Governance? | 102/103 merged (IS element) | |
| Has the PCT ensured that it has appropriate access to expertise across all elements of Information Governance? | 103/408 merged (IQ element) | Minor |
| Are responsibilities for Clinical/Care Records Management appropriately allocated through the PCT, including those services provided to the PCT which are the subject of service level agreement(s)? | 103/408 merged (IQ element) | |
| Does the PCT have in place a comprehensive Information Governance Policy document that is agreed by the Board? | 903/904 merged | Minor |
| Does the PCT have an Information Governance Strategy and improvement plan that is agreed by the Board? | 903/904 merged | |
| Does the PCT have up to date and tested business continuity plans for all critical infrastructure components and core information systems? | | No Change |
| Does the PCT have a comprehensive records management strategy that supports Freedom of Information and is endorsed by the Board? | 909/7600 merged | Medium |
| Has the PCT ensured that storage areas have sufficient capacity to accommodate clinical/care records for the required minimum retention periods and to accommodate the annual growth of new records? | 909/7600 merged | |
| | | Medium |
| | | Medium |
| Does the PCT ensure that it has formal contractual arrangements that include compliance with information governance requirements, with all contractors and support organisations? | | No Change |
| Do all staff contracts contain clauses that clearly identify staff responsibilities for compliance with information governance requirements? | 5606/8601 merged | Minor |
| Do the PCT's staff induction procedures effectively raise the awareness of Information Governance? | 5606/8601 merged | No Change |
| Does the PCT assess staff training needs in respect of Information Governance and evaluate the results of training? | 8604/8605/8607/8900 merged | Minor |
| Does the PCT ensure that Information Governance training is provided appropriately to all staff? | 8604/8605/8607/8900 merged | |
| Does the PCT ensure that all managers and all staff responsible for clinical/care records attend a formal training programme in Clinical/Care Record Management? | 8604/8605/8607/8900 merged | |
| Does the PCT ensure that all staff providing clinical/care records related services are kept up to date with new clinical/care records processes and procedures to ensure PCT-wide compliance? | 8604/8605/8607/8900 merged | |
| Does the PCT have a Confidentiality Code of Conduct for staff? | 9100/9500 merged | Minor |
| Does the PCT's confidentiality code of conduct/practice provide staff with clear guidance on the disclosure of patient personal information? | 9100/9500 merged | |
| Does the PCT ensure that patients are generally asked before their personal information is used in ways that do not directly contribute to, or support the delivery of, their care? | 6504/6505 merged | Minor |
| Does the PCT ensure that patients' decisions to restrict the disclosure of their personal information are appropriately respected? | 6504/6505 merged | |
| Does the Trust make information available to patients/clients, in effective and appropriate ways, to inform them about the proposed uses of their personal information? | 6700/6701 merged | Medium |
| Does the PCT ensure that when patient personal information is to be used for purposes that are not described in the information leaflets etc. that have been provided to patients, steps are taken to inform those patients and amend leaflets etc. when necessary? | 6700/6701 merged | |
| Does the PCT have effective procedures for ensuring that detailed questions, raised by patients about how their information may be used, can be answered? | | No Change |
| Does the PCT have appropriate procedures for recognising and responding to patient requests for access to their health records? | | No Change |
| Has the PCT established appropriate confidentiality audit procedures in line with the requirements of the National Programme for IT? | | No Change |
| Has the PCT agreed protocols governing the sharing of patient-identifiable information with other organisations? | | No Change |
| Has the PCT put in place safe-haven procedures for all routine flows of patient personal information to the organisation? | | No Change |
| Does the PCT comply with data protection requirements in respect of transfers of personal data about patients or staff to countries outside of the EEA? | | No Change |
| Does the PCT ensure that all new processes, software and hardware comply with data protection requirements? | | No Change |
| Does the PCT have a formal information risk assessment and management programme overseen by senior management? | | Minor |
| Does the PCT have documented incident control and investigation procedures? | 605/9101 merged | Minor |
| Are the PCT's incident reporting procedures accessible to staff? | 605/9101 merged | |
| Has the PCT put in place appropriate registration/authentication processes for staff in line with the requirements of the National Programme? | | Minor |
| Do the PCT's information systems support appropriate access control functionality? | 2600/2802/5100 merged | Minor |
| Does the PCT have an audit trail linking data items to individual input staff? | 2600/2802/5100 merged | |
| Does the PCT operate effective password management procedures for all staff? | 2600/2802/5100 merged | |
| Do all of the PCT's staff have defined and documented access rights in respect of patient identifiable information? | 5101/5102 merged | Minor |
| Do all of the PCT's staff have defined and documented access rights, agreed by senior management in accordance with business needs, in respect of non-patient information systems (e.g. Internet) and, in particular, to system and administration files and controls? | 5101/5102 merged | |
| Has the PCT established a register of all major information assets, assigned responsibility or 'ownership' for each and ensured that all of its information/data sets are managed according to Caldicott principles? | | No Change |
| Does the PCT have appropriate procedures for ensuring that information passed to another organisation is passed securely? | | Minor |
| Does the PCT have in place appropriate procedures to maintain the integrity and availability of information processing facilities, communications services and information held? | | No Change |
| Does the PCT have in place appropriate procedures for ensuring that the development and introduction of new information systems, software, IT projects and, more generally, IT support activities are conducted in a secure and structured manner? | | No Change |
| Does the PCT ensure that its information systems are designed to support the rapid detection, isolation and removal of malicious software? | | Minor |
| Has the PCT ensured that its electronic clinical/care records system(s) are designed so that records will remain accessible, authentic, reliable and usable through any kind of system change, for the entire period of their retention? | 4101/7605 merged | Minor |
| Does the PCT have appropriate procedures for preventing the compromise or theft of information, software or information processing equipment and media? | 7605/4101 merged | |
| Does the PCT have appropriate procedures for ensuring that its information networks operate in a secure manner? | | Minor |
| Does the PCT have appropriate procedures for ensuring that remote working and teleworking are conducted in a secure manner? | | Minor |
| Does the PCT have procedures to ensure the correct NHS Number is recorded for every patient? | 4301/5910 merged | Minor |
| Does the PCT ensure that the new NHS number is used in clinical/care correspondence either internally (e.g. for associating test results with a patient's clinical/care record) or with external organisations (e.g. in referral letters)? | 4301/5910 merged | |
| Does the PCT have PCT-wide, multi-professional audit of clinical/care record keeping standards, including accuracy, for all professional groups in all specialties? Are results regularly fed back to healthcare professionals and are there evidenced actions to maintain and improve performance? | | No Change |
| Does the PCT have current documented procedures to cover the capture and recording of patient information? | 802/803/5800/6301 merged | Minor |
| Where the PCT has different systems holding common sets of data, are there documented procedures for maintaining consistency between the separate databases and/or for reconciling differences? | 802/803/5800/6301 merged | |
| Does the PCT have processes for monitoring data collection activities to ensure procedures are followed? | 802/803/5800/6301 merged | |
| Does the PCT use external data quality reports for monitoring and improving data quality? | | |
| Does the PCT have procedures in place to ensure that when new services are provided, or where changes within the system are made, these do not adversely impact on information quality? | | No Change |
| Do the PCT's electronic record-keeping systems allow records to be referenced, titled, indexed, and if necessary, security marked, to enable efficient retrieval and effective management of records? | 4400/4401 merged | Minor |
| Has the PCT ensured its electronic record systems enable the movement and location of records to be controlled and provide an auditable trail of record transactions? | 4400/4401 merged | |
| Do the PCT's paper-based record-keeping systems allow records to be referenced, titled, indexed, and if necessary, security marked, to enable efficient retrieval and effective management of records? | 7404/7405 merged | Minor |
| Has the PCT ensured its paper-based record systems enable the movement and location of records to be controlled and provide an auditable trail of record transactions? | 7404/7405 merged | |
| Has the PCT complied with the Freedom of Information Act requirement to publish and maintain a Publication Scheme? | 908/6502/6503 merged | Minor |
| Does the PCT have clear procedures for recognising and responding to applications for information under the Freedom of Information Act 2000? | 908/6502/6503 merged | |
| Has the PCT ensured its Freedom of Information request handling procedures, including its duty to provide advice and assistance, are publicly available and easy to understand? | 908/6502/6503 merged | |
| Has the PCT carried out an audit of its information and assessed whether it is subject to a Freedom of Information exemption? | | Minor |
Actual change

- The new Requirement does not require additional evidence from organisations; it places all the management responsibilities for IG within a single requirement.
- Requirements merged but no new evidence required.
- Requirements merged but no new evidence required.
- Requirements merged but no new evidence required.
- Requirements merged but no new evidence required.
- The Requirement introduces the concept of Information Lifecycle Management; however, the evidence required remains much the same as for version 3.
- This is a new Requirement within the IG Toolkit that requires that organisations attain level 2 on a range of other IGT Requirements.
- This is a new Requirement within the IG Toolkit; however, organisations were already obliged to meet the terms and conditions referred to, and the Requirement allows them to evidence that this is the case.
- The Requirement clarifies that an organisation should be ensuring that all persons carrying out Trust work are bound by IG terms in a contract.
- The Requirement brings together most of the previous IG training requirements.
- The Requirement brings together the two confidentiality code of conduct requirements; no new work is necessary.
- The Requirement brings together the two disclosure of patient information requirements; no new work is necessary.
- The Requirement brings together the two requirements to ensure patients are adequately informed, but adds a third strand about informing patients why accurate information is vital.
- Focus of the requirement is now on implementation and review, rather than documentation.
- The Requirement brings together the two incident reporting requirements; no new work is necessary.
- Requirement rewritten to provide clarification of what is required, but the evidence remains the same.
- Brings together three previous Requirements concerned with access controls and audit.
- Removes the separation between procedures for access to clinical and non-patient systems.
- Some rewording, but the evidence required remains the same.
- Some rewording, but the evidence required remains the same.
- Brings together two previous Requirements about managing system etc. changes.
- Requirement reworded but no new evidence required.
- Requirement reworded but no new evidence required.
- Brings together the previous Requirements about the NHS number.
- Brings together the previous Requirements about data collection.
- Brings together the previous Requirements about corporate electronic records, with improved guidance.
- Brings together the previous Requirements about corporate paper records, with improved guidance.
- Brings together the previous Requirements about compliance with FOIA 2000.
- Guidance refocuses attention on the purpose and performance of the audit.
7a157a04-4aa8-4f19-9976-3968dbadd95e.xls 2/24/2011
IG Requirement Change Control

| Seq. No | Initiative | Description | Version 4 requirement number |
|---|---|---|---|
| 100 | Information Security | Does the Trust have a formal information risk assessment and management programme (a.k.a. an Information Security Management System, ISMS) overseen by senior management? | 301 |
| 102 | Information Security | Is responsibility for Information Security allocated appropriately within the TRUST? | 103 |
| 103 | IG Management | Has the Trust ensured that it has appropriate access to expertise across all elements of Information Governance? | 102/103/104 |
| 200 | Confidentiality Code of Practice | Does the Trust have an active management forum with public/patient representation that provides direction and visible support for initiatives relating to communicating with patients? | 101 |
| 301 | Information Quality Assurance | Is responsibility for Information Quality Assurance allocated appropriately within the Trust? | 101 |
| 404 | IG Management | Is there clearly defined Board level responsibility for Information Governance, including co-ordination and performance monitoring? | 101 |
| 405 | IG Management | Does the Trust have a senior manager appointed by the Chief Executive who is responsible for co-ordinating, publicising and monitoring implementation of the Information Governance Strategy and reporting on a regular basis to the Board? | 101 |
| 407 | Data Protection | Is responsibility for Data Protection allocated appropriately within the TRUST? | 102 |
| 408 | Health Records | Are responsibilities for Health Records Management appropriately allocated through the Trust? | 104 |
| 411 | Health Records | Does the TRUST have a Health Records Committee accountable to the TRUST Board which makes decisions on policy matters and which includes representation from medical staff and is linked appropriately to other Information Governance Groups? | 101 |
| 412 | Freedom of Information | Is responsibility for FOI allocated appropriately within the Trust? | 101 |
| 602 | Information Security | Does the TRUST have an up-to-date and tested continuity plan for all critical infrastructure components and core services? | 106 |
| 604 | Freedom of Information | Does the Trust have documented procedures for the storage, closure, retention and disposal of documents and records? | DELETED |
| 605 | Information Security | Does the TRUST have documented incident control and investigation procedures? | 302 |
Does the TRUST have a communications strategy for
satisfying DPA fair processing requirements and supporting
700 Confidentiality Code of Practice DELETED
patient consent to use of their information for care
purposes?
Does the Trust have current documented procedures to
802 Information Quality Assurance 405
cover the capture and recording of patient information?
Where the TRUST has different systems holding common
sets of data, are there documented procedures for
803 Information Quality Assurance 405
maintaining consistency between the separate databases
and/or for reconciling differences?
Page 28 of 33
7a157a04-4aa8-4f19-9976-3968dbadd95e.xls 2/24/2011
Seq. Description Version 4 requirement
Initiative
No number
Does the TRUST have formal documented arrangements
for reviewing and validating all waiting lists to ensure that
804 Information Quality Assurance DELETED
lists do not include patients who are no longer awaiting
admission or appointment?
Does the Trust have in place a comprehensive Information
903 IG Management Governance Policy document that is agreed by the Board? 105
Does the TRUST have an Information Governance
904 IG Management Strategy and improvement plan that is agreed by the 105
Board?
Is the TRUST’s Data Protection notification to the
907 Data Protection Information Commissioner comprehensive and up to date? 101
Has the TRUST complied with the Freedom of Information
908 Freedom of Information Act requirement to publish and maintain a Publication 603
Scheme?
Does the Trust have a comprehensive Records
909 Freedom of Information Management Strategy that supports FOI and has been 107
signed off by the Board?
Does the Trust have procedures in place to ensure that
when new services are provided, or where changes within
911 Information Quality Assurance 408
the system are made, that these do not adversely impact
on information quality?
Do the TRUST's information systems support appropriate
2600 Information Security 305
access control functionality?
Does the TRUST have an audit trail linking data items to
2802 Information Quality Assurance 305
individual input staff?
Does the TRUST ensure that its information systems are
4100 Information Security designed to support the rapid detection, isolation and 311
removal of malicious software?
Has the TRUST ensured that its electronic records systems
are designed so that records will remain accessible,
4101 Health Records 312
authentic, reliable and usable through any kind of system
change, for the entire period of their retention?
Does the Trust ensure that NHS standard definitions,
4300 Information Quality Assurance values and validation programmes are incorporated within DELETED
key systems?
Does the Trust have documented procedures to ensure the
correct NHS Number is recorded for every patient?
4301 Information Quality Assurance 401
Do the TRUST's electronic record-keeping systems allow
records to be referenced, titled, indexed, and if necessary,
4400 Freedom of Information 601
security marked, to enable efficient retrieval and effective
management of records?
Has the TRUST ensured its electronic record maintenance
systems enables the movement and location of records to
4401 Freedom of Information 601
be controlled and provides an auditable trail of record
transactions?
Does the TRUST have a tracing/tracking system to control
4402 Health Records the movement and location of paper records and which DELETED
provides an auditable trail of record transactions?
Is the Trust PAS available to appropriate clinical staff 24/7
4403 Health Records (including technical back up)? DELETED
Does the Trust operate effective password management
5100 Information Security 305
procedures for all staff?
Page 29 of 33
7a157a04-4aa8-4f19-9976-3968dbadd95e.xls 2/24/2011
Seq. Description Version 4 requirement
Initiative
No number
Do all of the Trust's staff have defined and documented
5101 Information Security access rights in respect of patient identifiable information? 306
Do all of the Trust’s staff have defined and documented
access rights, agreed by management in accordance with
5102 Information Security business needs, in respect of non-patient information 306
systems (e.g. Internet) and, in particular, to system and
administration files?
Has the Trust put in place appropriate
5103 Information Security registration/authentication processes for staff in line with 303
the requirements of the National Programme?
Do the Trust’s senior management monitor information
5600 Information Security 101
security?
Does the Trust ensure that it has formal contractual
arrangements that include compliance with information
5605 Information Security 110
governance requirements, with all contractors and support
organisations?
Do all staff contracts contain clauses that clearly identify
5606 Information Security staff responsibilities for compliance with information 111
governance requirements?
Has the Trust established a register of all major information
assets, assigned responsibility or ‘ownership’ for each and
5608 Information Security 307
ensured that all of its information/data sets are managed
according to Caldicott principles?
Does the Trust have processes for monitoring data
5800 Information Quality Assurance 405
collection activities to ensure procedures are followed?
Does the TRUST have effective arrangements for updating
5801 Information Quality Assurance DELETED
local documentation as national data standards develop?
Does the TRUST have procedures in place to regularly
5909 Data Protection review flows of patient personal information and justify the DELETED
purposes served?
Does the TRUST ensure that the new NHS number is used
in clinical correspondence both internally (e.g. for
5910 Health Records 401
associating test results with a patient's clinical record) and
with external TRUSTs?
Does the TRUST ensure that all new processes, software
5912 Data Protection and hardware comply with data protection requirements? 210
Does the TRUST comply with data protection requirements
5913 Data Protection DELETED
in respect of automated decision making?
Does the Trust comply with Data Protection requirements in
6000 Data Protection respect of transferring personal data about patients or staff 209
to countries outside of the EEA?
Has the Trust submitted its Patient Care Datasets to
6001 Information Quality Assurance DELETED
ClearNet within the required national deadlines?
Has the Trust submitted itsMental Health Minimum
6003 Information Quality Assurance Datasets to ClearNet within the required national DELETED
deadlines?
Does the Trust meet agreed processes and timescales for
6301 Information Quality Assurance the correction of errors and omissions identified by DELETED
validation or identified by internal users?
Does the Trust have procedures to ensure that staff
routinely check information about patients with the source
6302 Information Quality Assurance DELETED
so that corrections are made as necessary to appropriate
records?
Page 30 of 33
7a157a04-4aa8-4f19-9976-3968dbadd95e.xls 2/24/2011
Seq. Description Version 4 requirement
Initiative
No number
Does the Trust have documented procedures for analysing
6303 Information Quality Assurance trends in information over time which ensure that large DELETED
changes are investigated and explained?
Has the Trust agreed protocols governing the sharing of
6501 Confidentiality Code of Practice 207
patient-identifiable information with other organisations?
Does the Trust have clear procedures for recognising and
6502 Freedom of Information responding to requests for information under the Freedom 603
of Information Act 2000?
Has the Trust ensured its FOI request handling procedures,
including its provision of advice and assistance, are
6503 Freedom of Information 603
publicly available and easy to understand?
Does the Trust ensure that patients are generally asked
before their personal information is used in ways that do
6504 Confidentiality Code of Practice 202
not directly contribute to, or support the delivery of their
care?
Does the Trust ensure that patients’ decisions to restrict the
6505 Confidentiality Code of Practice disclosure of personal information are appropriately 202
respected?
Does the Trust have appropriate procedures for ensuring
6506 Information Security that information passed to another organisation is done so 308
securely?
Does the Trust make information available to
Confidentiality Code of Practice patients/clients, in effective and appropriate ways, to inform
6700 203
Data Protection them about the proposed uses of their personal
information?
Does the Trust ensure that when patient personal
information is to be used for purposes that are not
Confidentiality Code of Practice
6701 described in the information leaflets etc that have been 203
Data Protection
provided to patients, that steps are taken to inform those
patients and amend leaflets etc when necessary?
Does the Trust have effective procedures for ensuring that
6704 Confidentiality Code of Practice detailed questions, raised by patients about how their 204
information, may be used, can be answered?
Has the Trust carried out an audit of its information and
6900 Freedom of Information assessed whether it is subject to FOI exemption? 604
Has the Trust put in place safe-haven procedures for all
7200 Confidentiality Code of Practice routine flows of patient identifiable information to the 208
organisations?
Does the Trust have trust-wide, multi-professional audit of
clinical record-keeping standards, including accuracy, for
all professional groups in all specialties. Are results
7300 Health Records 403
regularly fed-back to healthcare professionals and are
there evidenced actions to maintain and improve
performance?
Has the Trust had an external audit of clinical coding based
7302 Information Quality Assurance DELETED
on national standards within the last 12 months?
Does The Trust have a documented procedure and a
7303 Information Quality Assurance regular audit cycle for accuracy checks on patient data? DELETED
Has the Trust completed and passed the Completeness
7306 Information Quality Assurance and Validity check for data as detailed in the guidance DELETED
document?
Page 31 of 33
7a157a04-4aa8-4f19-9976-3968dbadd95e.xls 2/24/2011
Seq. Description Version 4 requirement
Initiative
No number
Has the Trust established appropriate confidentiality audit
7309 Confidentiality Code of Practice procedures in line with the requirements of the National 206
Programme for IT?
Is the Trust involving clinical staff in validating information
7310 Information Quality Assurance derived from the recording of clinical activity? DELETED
Does the TRUST have processes in place to enable it to
7401 Health Records 406
regularly monitor and measure casenote availability ?
Does the TRUST ensure that Accident and Emergency
records are contained within the main record for patients
7402 Health Records DELETED
who are subsequently admitted and is there a system to
ensure that the GP is sent a copy of the A&E record?
Does the TRUST have paper records that are of a standard
7403 Health Records design within the TRUST, combined with a locally agreed DELETED
standard format for filing within the health record?
Do the TRUST's paper based record-keeping systems
allow records to be referenced, titled, indexed, and if
7404 Freedom of Information 602
necessary, security marked, to enable efficient retrieval and
effective management of records?
Has the TRUST ensured its paper-based record
maintenance systems enables the movement and location
7405 Freedom of Information 602
of records to be controlled and provides an auditable trail of
record transactions?
Has the TRUST ensured that its records libraries provide a
7406 Health Records safe working environment with adequate space and DELETED
equipment to maintain operational efficiency?
Has the Trust ensured that storage areas have sufficient
capacity to accommodate casenotes for the required
7600 Health Records 107
minimum retention periods and to accommodate growth of
new records?
Does the Trust have in place appropriate procedures to
maintain the integrity and availability of information
7602 Information Security 309
processing facilities, communications services and
information held?
Does the Trust have appropriate procedures and
safeguards to physically protect areas where information
7603 Information Security DELETED
processing facilities are housed and information/data are
held?
Does the Trust have procedures in place to prevent
information processing being interrupted or disrupted
7604 Information Security 310
through equipment failure, environmental hazard or human
error?
Does the Trust have in place appropriate procedures for
ensuring that the development and introduction of new
7605 Information Security information systems, software, IT projects and more 312
generally, support activities are conducted in a secure
manner?
Has the Trust ensured that the environment in all office and
7606 Health Records storage areas complies with all current, relevant health and DELETED
safety legislation and fire regulations?
Does the Trust have appropriate procedures for preventing
7607 Information Security the compromise or theft of information, software or DELETED
information processing equipment and media?
Does the Trust have appropriate procedures for ensuring
7608 Information Security that its information networks operate in a secure manner? 313
Page 32 of 33
7a157a04-4aa8-4f19-9976-3968dbadd95e.xls 2/24/2011
Seq. Description Version 4 requirement
Initiative
No number
Does the Trust have appropriate procedures for ensuring
7609 Information Security that remote and teleworking are conducted in a secure 314
manner?
Does the Trust have appropriate procedures for
8000 Data Protection recognising and responding to patient requests for access 205
to their health records?
Do the TRUST’s staff induction procedures effectively raise
8601 Information Management the awareness of Information Governance? 112
Does the TRUST assess staff training needs in respect of
8604 Information Management 113
Information Governance?
Does the TRUST ensure that Information Governance
8605 Information Management 113
training is provided appropriately to all staff?
Does the TRUST ensure that all health records managers
8607 Health Records and staff attend a formal training programme in health 113
records management?
Does the Trust have (or access) a formal, targeted training
programme for all staff involved in the collection and
8800 Information Quality Assurance DELETED
management of patient-related data covering the operation
of key systems?
Does the Trust use training programmes for clinical coders
8802 Information Quality Assurance that are comprehensive and cover clinical coding using DELETED
national standard training materials?
Does the TRUST ensure that all staff providing health
records related services are kept up to date with new
8900 Health Records 113
health records processes and procedures to ensure
TRUST wide compliance?
Does the Trust ensure that all staff responsible for FOI
9001 Freedom of Information 101
receive appropriate training?
Do the Trust have a Confidentiality Code of Conduct for
9100 Confidentiality Code of Practice staff? 201
Are the TRUST's incident reporting procedures accessible
9101 Information Security 302
to staff?
Have the Trust’s CE & Board Members been briefed on
Information Governance and are they effectively supported
9400 IG Management 101
on the Information Governance work programme?
Does the TRUST's confidentiality code of conduct/practice
9500 Confidentiality Code of Practice provide staff with clear guidance on the disclosure of 201
patient personal information?
Page 33 of 33