
NHS Information Governance Risk Management. Introduction Information risk to be managed in a robust manner Assurance to be provided in a consistent manner.


1 NHS Information Governance Risk Management

2 Introduction
Information risk to be managed in a robust manner
Assurance to be provided in a consistent manner
Structured approach is necessary
–Identify Information Assets (IA)
–Assign ownership of those IA
–Formalise and standardise information risk management
Builds upon existing NHS Information Governance frameworks

3 Three New NHS Roles
In common with other government and public service bodies, NHS organisations should in future establish three new roles to aid the structured management of their information risk:
–Senior Information Risk Owner (SIRO)
–Information Asset Owners (IAO)
–Information Asset Administrators (IAA)

4 Ownership and Responsibilities
The organisation’s management Board or equivalent ‘owns’ the information risk policy and its implementation.
The organisation’s SIRO is responsible for ensuring Information Risk Policy is developed, implemented, reviewed and its effect monitored.
Information Risk Policy should be available and communicated to all staff as part of their induction, training and ongoing personal development arrangements.

5 Information Risk Management (IRM) Structural Model
Structural Model | NHS Trust | General Practice
Accounting Officer | Chief Executive | PCT Chief Executive
SIRO | Board level SIRO | PCT SIRO
1+ senior IAOs | Department Heads | Senior Partner
0+ IAAs for each IAO | Operational staff responsible for one or more information assets | Practice Manager

6 Key Local IRM Considerations
–Maximise existing lines of authority and responsibility where these are fit for purpose
–Associate tasks at appropriate management levels
–Avoid adverse impacts on day to day business
–Ensure information risk management arrangements are efficient, effective, accountable and transparent

7 Roles: Accounting Officer
The Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risks.

8 Roles: SIRO
The SIRO is an executive who is familiar with information risks and their mitigations, including information risk assessment methodology. The SIRO provides the focus for the assessment and management of information risk at Board level, providing briefings and reports on matters of performance, assurance and cultural impact.

9 Aspect of SIRO Role (1)
Aspect of Role: Lead and foster a culture that values, protects and uses information for the success of the organisation and benefit of its patients
Supporting Actions:
–ensures the Organisation has a plan to achieve and monitor the right NHS IG culture, across the Organisation and with its business partners;
–takes visible steps to support and participate in that plan (including completing own training);
–ensures the Organisation has appointed Information Asset Owners (IAOs) who are skilled, focussed on the issues, and supported, plus the information risk management specialists that it needs

10 Aspect of SIRO Role (2)
Aspect of Role: Own the organisation’s overall information risk policy and risk assessment process, test its outcome, and ensure it is used
Supporting Actions:
–ensures that the organisation information risk policy is complete – covering how the organisation implements NHS Information Governance risk management in its own services and activities and those of its delivery partners, and how compliance will be monitored;
–ensures that information asset risk reviews are completed each quarter taking account of extant NHS Information Governance guidance (available from Department of Health and NHS Connecting for Health);
–based on the information risk assessment, understands what information risks there are to the organisation and its business partners through its delivery chain, and ensures that they are addressed, and that they inform investment decisions including the risk considerations of outsourcing;
–ensures that information risk assessment and mitigating actions taken benefit from an adequate level of independent scrutiny

11 Aspect of SIRO Role (3)
Aspect of Role: Advise the Chief Executive or relevant accounting officer on the information risk aspects of his/her Statement of Internal Control
Supporting Actions:
–receives annual assessment of performance, including material from the IAOs and specialists, covering NHS Information Governance reporting requirements as well as local actions planned for the organisation’s own circumstances;
–provides advice to the Chief Executive or relevant Accounting Officer on the information risk parts of their Statement of Internal Control;
–shares assessment and supporting material with the Department of Health and NHS Connecting for Health, to support pan-NHS IG work in this area.

12 Aspect of SIRO Role (4)
Aspect of Role: Own the organisation’s information incident management framework
Supporting Actions:
–ensures that the organisation has implemented an effective information incident management and response capability that allows learning and sharing of experience from events throughout the organisation and for the prevention of similar events elsewhere.

13 Roles: IAO
Information Asset Owners are senior individuals involved in running the relevant business. Small organisations may have a single IAO, whereas larger ones are likely to have several. The IAO’s role is to:
–understand and address risks to the information assets they ‘own’; and
–provide assurance to the SIRO on the security and use of these assets.

14 Aspects of IAO Role (1)
Aspect of Role: Lead and foster a culture that values, protects and uses information for the success of the organisation and benefit of its patients
Supporting Actions:
–understands the Organisation’s plans to achieve and monitor the right NHS IG culture, across the Organisation and with its business partners;
–takes visible steps to support and participate in that plan (including completing own training)
Aspect of Role: Knows what information the Asset holds, and what enters and leaves it and why
Supporting Actions:
–maintains understanding of ‘owned’ assets and how they are used up to date;
–approves and minimises information transfers while achieving business purposes;
–approves arrangements so that information put onto portable or removable media like laptops and CD-ROM is minimised and is effectively protected to NHS IG standards;
–approves and oversees the disposal mechanisms for information of the asset when no longer needed

15 Aspects of IAO Role (2)
Aspect of Role: Knows who has access and why, and ensures their use is monitored and compliant with policy
Supporting Actions:
–understands the organisation’s policy on access to and use of information;
–checks that access provided is the minimum necessary to satisfy business objectives;
–receives records of checks on use and assures self that effective checking is conducted regularly
Aspect of Role: Understands and addresses risks to the asset, and provides assurance to the SIRO
Supporting Actions:
–conducts quarterly reviews of information risk in relation to ‘owned’ assets;
–makes the case where necessary for new investment or action to secure ‘owned’ assets;
–provides an annual written risk assessment to the SIRO for all assets ‘owned’ by them

16 Aspects of IAO Role (3)
Aspect of Role: Ensures the asset is fully used for the benefit of the organisation and its patients, including responding to requests for access from others
Supporting Actions:
–considers whether better use of the information is possible or where information is no longer required;
–receives, logs and controls requests from others for access;
–ensures decisions on access are taken in accordance with NHS IG standards of good practice and the policy of the organisation.

17 Roles: IAA
Information Asset Administrators will provide support to their IAO:
–ensure that policies and procedures are followed;
–recognise potential or actual security incidents;
–consult their IAO on incident management;
–ensure that information asset registers are accurate and maintained up to date.

18 Candidate IAA Tasks
–Maintenance of Information Asset Registers;
–Ensuring compliance with data sharing agreements within the local area;
–Ensuring information handling procedures are fit for purpose and are properly applied;
–Under the direction of their IAO, ensuring that personal information is not unlawfully exploited;
–Recognising new information handling requirements (e.g. a new type of information arises) and that the relevant IAO is consulted over appropriate procedures;
–Recognising potential or actual security incidents and consulting the IAO;
–Reporting to the relevant IAO on current state of local information handling;
–Ensuring that local information handling constraints (e.g. limits on who can have access to the assets) are applied, referring any difficulties to the relevant IAO;
–Acting as first port of call for local managers and staff seeking advice on the handling of information;
–Under the direction of their IAO, ensuring that information is securely destroyed when there is no further requirement for it

19 NHS Information Assets 1
Information assets come in many shapes and forms, and the following list can only be illustrative. It is generally sensible to group information assets in a logical manner, e.g. where they all relate to the same information system or business process.

20 NHS Information Assets 2
Personal/Other Information
–Databases and data files
–Back-up and archive data
–Audit data
–Paper records and reports
Software
–Applications and System Software
–Data encryption utilities
–Development and Maintenance tools
System/Process Documentation
–System information and documentation
–Operations and support procedures
–Manuals and training materials
–Contracts and agreements
–Business continuity plans
Hardware
–Computing hardware including PCs, Laptops, PDA, communications devices e.g. BlackBerry, and removable media
Miscellaneous
–Environmental services e.g. power and air-conditioning
–People skills and experience

21 Information Risk Management Policy
–All NHS organisations need clear IRM policy
–IRM should be a fundamental component of the organisation’s overall business risk management framework
–Some organisations, e.g. PCTs, should develop policies that cover their smaller business partners, e.g. local independent contractors

22 Information Risk Management 2
Key aspects of an IRM policy:
–Provide support for the organisation’s business aims and objectives
–Define how the organisation and its delivery partners will manage its IR
–Identify how RM effectiveness will be assessed and measured
–Define IRM escalation points and mechanisms

