IG Policy V1.2
BSO PAPER 124/2014
Information Governance Policy
DRAFT
December 2014
Reference No: / BSO
Version: / V1.2, 03 Dec 14
Ratified by:
Date Ratified:
Date Equality Screened:
Originator/Author / Nicola Kelly/Scott Stevenson
Responsible committee/individual / IGMG
Date Issued:
Review date:
Target Audience: / All BSO Staff
Distributed Via: / Intranet, Hard Copy
Protective Marking / No
Publication Scheme / No
Amended by:
Date amendments approved:
Table of Contents
1 Introduction
2 Scope
3 Policy
4 Responsibilities
5 Performance and Monitoring Compliance
6 Review
7 Equality Statement
Appendices
Appendix A – Information Governance Overview
Appendix B – Information Governance Documentation & Materials System
Appendix C – List of Supporting Documents
1 Introduction
1.1 Information held by the Business Services Organisation represents one of its most valuable assets. It is the core of most of the services delivered to its business partners and customers. It is therefore essential that all information assets are managed in accordance with best practice and the legislative framework, which includes:
- The Data Protection Act 1998.
- The Freedom of Information Act 2000.
- Guidance from the Information Commissioner's Office.
- Information Management – Controls Assurance Standard issued by DHSSPSNI.
In addition, it is important that the information is held securely to prevent unauthorised and/or accidental disclosure.
1.2 The BSO is committed to properly protecting the information that it holds. This policy and its associated practices and procedures have been agreed by the Board of the BSO and the Senior Management Team.
1.3 Information security is everyone's responsibility. While the technology employed helps to maintain the confidentiality and integrity of information assets, appropriate care by people in their use of the information is equally important.
2 Scope
2.1 The scope of this Information Governance (IG) Policy is to support the protection, control and management of BSO's information assets. The policy covers all information within the BSO and is concerned with all information systems, electronic and non-electronic. It applies to all directorates, services and departments in the BSO, all BSO staff, all agency staff, temporary staff and, as appropriate, to its contractors and third party service providers.
2.2 It applies to information:
- Stored on computers.
- Transmitted across internal and public networks such as email or Intranet/Internet.
- Stored within databases.
- Printed or handwritten on paper, whiteboards etc.
- Sent by facsimile (fax), telex or other communications method.
- Stored on removable media such as CDs, hard disks, pen drives, tapes and other similar media.
- Stored on fixed media such as hard drives and disk subsystems.
- Held on film or microfiche.
- Paper and electronic structured records systems.
- Information recording and processing systems, whether paper, electronic, video or audio records.
- Presented on slides, overhead projectors, using visual and audio media.
- Spoken during telephone calls and meetings or conveyed by any other method.
2.3 This policy covers all forms of information held by the BSO, including (but not limited to):
- Information about members of the public
- Non-BSO employees on BSO premises
- Staff and Personal information
- Organisational, business and operational information
2.4 This policy covers all information systems purchased, developed and managed by, or on behalf of, the BSO and any individual directly employed or otherwise used by the BSO.
3 Policy
There are five key, interlinked strands to this policy:
- Openness.
- Legal compliance.
- Information security.
- Quality Assurance.
- Training and Awareness.
3.1 Openness
The BSO recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. Confidential information will be defined and where appropriate kept confidential, underpinning the principles of Caldicott and the regulations outlined in the Data Protection Act 1998 (DPA).
Non-confidential information about the BSO and services will be available to the public through a variety of means, one of which will be the provisions of the Freedom of Information Act 2000 (FOIA).
The BSO has established procedures and arrangements for handling queries from members of the public and for liaison with the press and broadcasting media.
Integrity of information will be developed, monitored and maintained to ensure that it is appropriate for the purposes intended.
The availability of information for operational purposes will be maintained within set parameters relating to its importance via appropriate procedures and computer system resilience. This is supported by appropriate business continuity plans.
Awareness and understanding of all staff, with regard to their responsibilities, will be routinely assessed, recorded and appropriate training and awareness provided.
Risk assessment, in conjunction with overall priority planning of BSO activity, will be undertaken to ensure that appropriate, cost-effective IG controls are in place.
3.2 Legal Compliance
The BSO regards all identifiable personal information relating to members of the public as confidential. Annual assessments and audits of its compliance against legal requirements will be undertaken.
All identifiable personal information relating to staff is treated as confidential except where national policy on accountability and openness requires otherwise.
In addition, the BSO will establish and maintain policies and procedures:
- to ensure compliance with the Data Protection Act 1998 (DPA), the Human Rights Act 1998, the common law duty of confidentiality, the Environmental Information Regulations 2004, and the Freedom of Information Act 2000.
- for the controlled and appropriate sharing of patient identifiable information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act 2012, Crime and Disorder Act 1998).
3.3 Information Security
- The BSO has established and maintains policies for the effective and secure management of its information assets and resources.
- Audits will be undertaken or commissioned to assess information and IT security arrangements.
- The BSO’s Incident Reporting system will be used to report, monitor and investigate all breaches of confidentiality and security.
3.4 Information Quality Assurance
- The BSO will establish and maintain policies for information quality assurance and the effective management of records.
- Audits will be undertaken or commissioned of the BSO’s quality of data and records management arrangements.
- Managers will be expected to take ownership of, and seek to improve, the quality of data within their services within cost and resource restraints.
- Wherever possible, information quality will be assured at the point of collection.
- The BSO will promote data quality through policies, procedures/user manuals and training.
3.5 The BSO is dedicated to the secure management and use of information held within the organisation and to compliance with the legislation and codes of practice issued by relevant regulators and the DHSSPS in respect of information security and use. The BSO will maintain effective arrangements to ensure the confidentiality, security and quality of personal and other sensitive information.
3.6 The BSO proactively uses information with its partner organisations to support care, in compliance with the legislation and codes of practice issued by relevant regulators and DHSSPS best practice.
3.7 The BSO will establish and maintain an Information Governance Management Group, associated policies, procedures, protocols and guidelines, and the on-going monitoring thereof, which will ensure that information assets are identified, risk assessed and controlled in accordance with:
- Current legislative Framework.
- Applicable codes and regulations.
- DHSSPSNI best practice guidelines for information handling and information security.
Each directorate will ensure the identification of all information assets, data flow documents and risk assessments, along with associated action plans, to ensure the protection of the asset.
The arrangements are summarised in the organisational chart attached in Appendix 1.
3.8 The organisation will ensure that the information it holds, through its business arrangements, is of the highest quality in terms of completeness, accuracy, relevance, accessibility and timeliness.
3.9 The BSO is committed to making non-confidential information available in line with its responsibilities under the Freedom of Information Act (2000).
4 Responsibilities
4.1 The BSO Board has overall responsibility to ensure compliance with legislation and best practice as recommended by the Information Commissioner's Office. It has responsibility to ensure that progress against the standards is reported on a regular basis, at least annually, as part of the annual governance statement.
It is the role of the Board of the BSO to define the BSO policy in respect of IG, taking into account legal and HSC requirements. They are also responsible for ensuring that sufficient resources are provided to support the requirements of the policy.
4.2 The Chief Executive has responsibility for the delivery of this policy, through delegation of the day-to-day operation of the policy to the Director of Human Resources and Corporate Services (DHRCS).
4.3 The Director of Human Resources and Corporate Services (DHRCS), as Personal Data Guardian (PDG) and Senior Information Risk Officer (SIRO), has responsibility to ensure compliance with legislation through the development and monitoring of policy and codes of practice. The DHRCS will also be responsible for the effective functioning of the Information Governance Management Group.
4.4 All other Directors are responsible individually and collectively for the application of the Information Governance suite of policies within their Directorates.
4.5 Managers within the BSO are responsible for ensuring that this policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance.
4.6 Line Managers must ensure that this policy and its supporting standards and guidelines are conveyed to their staff and to any third party contractor working in the area, and that there is on-going compliance with the standards set out in the documents that make up the IG Framework. They must also ensure that staff are adequately trained and apply the appropriate guidelines.
4.6 All staff members, whether permanent, temporary or agency, are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day-to-day basis.
A failure to adhere to the policy and its associated procedures/guidelines may result in disciplinary action.
4.7 The Administrative Services Manager (ASM) is responsible to the DHRCS for the coordination and management of IG in the BSO and has responsibility for the co-ordination of all activities to ensure the successful implementation of this policy, including:
- Distribution of the Policy
- Training and Awareness (corporate level)
- Monitoring and reporting on performance
4.8 Each Directorate/Service area should identify a representative, ideally at Band 7 or above, as an Information Governance Lead (IGL) to work as part of the IGMG and to be responsible for the coordination of IG compliance within their service area. A member of staff of a lower grade can be appointed as the IG Lead following consultation with the DHRCS.
4.9 Information Asset Owners (IAOs) will lead and foster a culture that values, protects and uses information appropriately. They should ensure that they are knowledgeable about the information that the asset holds and the transfers of information into and out of it.
The IAO:
- should know who has access to the asset and why.
- should ensure access is monitored and auditable.
- should understand, measure and address risks to the asset and provide assurance to the SIRO.
4.10 Information Governance Management Group (IGMG)
The IGMG consists of the Information Governance Leads from each Business Unit. The group will:
- Ensure the development of an information governance culture within BSO.
- Ensure the development of a comprehensive Corporate Information Asset Register.
- Develop policies and procedures to assist in the protection and safe use of information within BSO.
- Ensure the compliance within the organisation of all aspects of the IG Strategy.
- Review policies in relation to IG on a regular basis.
- Develop support arrangements and provide staff with appropriate training and support to enable them to discharge their responsibilities to consistently high standards.
- Develop action plans to ensure on-going improvements in the management of IG within BSO.
- Maintain an overview of incidents affecting IG and security.
- Identify training and development requirements for staff within BSO in respect of IG.
5 Performance and Monitoring Compliance
5.1 The effectiveness of this policy will be assessed on a number of factors:
- Compliance with legislation in respect of the Data Protection Act 1998 and the Freedom of Information Act 2000.
- The management (including frequency) of Data Breaches including inappropriate release of information, including near misses.
- The retention, disposal and destruction of records in accordance with GMGR.
- Performance against the Controls Assurance Standard for Information Management on an annual basis.
6 Review
6.1 This policy should be reviewed every two years under the authority of BSO Senior Management Team members. Associated IG standards will be subject to an on-going development and review programme.
This policy and all associated documents within the Information Governance Framework will be reviewed no later than 2 years from approval, to ensure their continued relevance to the effective management of Information Governance within BSO.
7 Equality Statement
7.1 In accordance with the BSO's Equal Opportunities policy, this policy will not discriminate, either directly or indirectly, on the grounds of gender, race, colour, ethnic or national origin, sexual orientation, marital status, religion or belief, age, union membership, disability, offending background or any other personal characteristic.
Appendices
Appendix A – Information Governance Overview
Appendix B – Information Governance Documentation & Materials System
Appendix C – List of Supporting Documents
1 / Data Protection Policy
2 / ICT Security Policy
3 / Freedom of Information Policy
4 / Records Management Policy
5 / Business Continuity Plan
6 / Information Security Policy
7 / Information Governance Assurance Framework
8 / IGMG Terms of Reference