Partners in improving local health

Slide 1: Information Governance & IT Security in the NHS
Ian Davison, Director of Business Information Services
Alison Emslie, IT Security Manager and IG Specialist Advisor
Slide 2: Objectives
To inform VONNE members on IG and IT security, in particular on:
–Data Protection/Caldicott Principles
–IG Toolkit
–IT Security (inc encryption)
To explain NECS' role in IG and IT security
To offer a Q&A opportunity for VONNE members
NHS Unclassified
Slide 3: NECS – our role and our path
North of England Commissioning Support (NECS) is an NHS Commissioning Support Unit (CSU)
Hosted by NHSE, staff employed by NHS Business Services Authority (BSA)
Formed in 2013 following the new Health and Social Care Act, which saw the creation of CCGs and CSUs and the demise of PCTs and SHAs
On a path to autonomy since 2013, with the expectation of being fully autonomous in
We are funded from contracts and SLAs with CCGs, NHSE, FTs, LAs, AQPs, etc.
Slide 4: NECS – our role and path (cont.)
Commercial approach being monitored and assessed, competing with the private sector
Increasingly our contracts are won via bidding processes on procurement frameworks
Our role in IG and IT is to deliver services and projects to our customers, to advise, to protect and to keep safe
We serve all NE & Cumbria CCGs, all 400 GP practices in the NE, and several FTs and LAs
We have one IT system and network to which all customers are connected
Slide 5: Data Protection Registration
The DP Act requires every data controller (eg an organisation) processing personal information to register with the ICO
Appropriate DP registration for NHS business, inc FOI
Transfers outside the EEA
Public Register of Data Controllers
Slide 6: Data Protection Principles
Under the Data Protection Act, you must:
only collect information that you need for a specific purpose
keep it secure
ensure it is relevant and up to date
only hold as much as you need, and only for as long as you need it
allow the subject of the information to see it on request
Slide 7: DP Requests
Requests for personal information (DP)
Patients have rights to see their personal information. They can make a subject access request to see the personal information you hold about them.
Subject access code of practice
Access Aware toolkit for health
Slide 8: Caldicott Principles
Apply to the handling of patient-identifiable information:
justify the purpose(s) of every proposed use or transfer
don't use it unless it is absolutely necessary
use the minimum necessary
access to it should be on a strict need-to-know basis
everyone with access to it should be aware of their responsibilities
understand and comply with the law
The duty to share information can be as important as the duty to protect confidentiality
Slide 9: FOI Requests
Requests for non-confidential information (FOI)
The Freedom of Information Act means that you must disclose official (NHS) information when people ask for it, and reply within 20 working days.
Slide 10: NHS Standard Contract
GC21 Patient Confidentiality, Data Protection, Freedom of Information and Transparency
Information Governance – General Responsibilities
21.1 The Parties acknowledge their respective obligations arising under FOIA, DPA and HRA, and under the common law duty of confidentiality, and must assist each other as necessary to enable each other to comply with these obligations
The Provider must complete and publish an annual information governance assessment using the NHS Information Governance Toolkit and must achieve a minimum level 2 performance against all requirements in the relevant Toolkit
The Provider must:
nominate an Information Governance Lead;
nominate a Caldicott Guardian and Senior Information Risk Owner, each of whom must be a member of the Provider's Governing Body;
ensure that the Co-ordinating Commissioner is kept informed at all times of the identities and contact details of the Information Governance Lead, Caldicott Guardian and the Senior Information Risk Owner; and
ensure that NHS England and HSCIC are kept informed at all times of the identities and contact details of the Information Governance Lead, Caldicott Guardian and the Senior Information Risk Owner via the NHS Information Governance Toolkit.
Slide 11: IG Toolkit – Overview
Comprehensive IG self-assessment (inc IT Security)
Different versions for different types of organisation
Levels of compliance:
–Level 1 = policy in place
–Level 2 = policy implemented
–Level 3 = implementation of policy audited
All requirements at level 2 (66%) = satisfactory
Slide 12: IGT Requirement Format
Requirement Description
Guidance
Attainment Levels
Knowledge Base Resources
Training
Requirement Origins
Slide 13: IGT Requirement Screenshot 1
[screenshot]

Slide 14: IGT Requirement Screenshot 2
[screenshot]
Slide 15: IGT – IT Security Requirements
Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use
There is an information asset register that includes all key information, software, hardware and services
Unauthorised access to the premises, equipment, records and other assets is prevented
The use of mobile computing systems is controlled, monitored and audited to ensure their correct operation and to prevent unauthorised access
There are documented plans and procedures to support business continuity in the event of power failures, system failures, natural disasters and other disruptions
There are documented incident management and reporting procedures
There are appropriate procedures in place to manage access to computer-based information systems
Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
Slide 16: IGT Requirement 321
Level 1 – There is a documented procedure for allocating and managing access to computer-based information systems.
A. A procedure has been documented that sets out how access to computer-based information systems will be allocated and managed. Evidence Required: Documented procedure.
B. Responsibility for allocating and removing access rights to the system has been assigned. Evidence Required: A named individual's job description, or a signed and dated note assigning responsibility.
C. The procedure has been approved by a senior member of staff. Evidence Required: Minutes of meetings, or in a document, or a personal endorsement in writing from an appropriately senior manager.
Slide 17: Encryption
In transit:
–NHS Mail
–Encrypted attachment
–Encrypted USB stick/mobile device
At rest:
–Encrypted laptops/PCs in public areas
Slide 18: Useful Links
IG Toolkit
Information Commissioner's Office
–(for Data Protection & FOI)
–Data Protection Public Register
NHS Guide to Caldicott & DP
Encryption guidance
–NHS use of
–Implementation in the NHS
Slide 19: Useful Links – continued
NHS Code of Practice on Information Security
NHS Mail – guidance on sending encrypted email to non-secure addresses
Online IG Training
NHS contract
–(for IGT compliance statement)
Slide 20: Questions