Bundle Informatics and Information Governance Committee 13 November 2018

1 11:30 - IG18/1 Chair's opening remarks

2 IG18/2 Apologies

3 IG18/3 Declarations of Interest

4 11:30 - IG18/4 Committee Terms of Reference – Dr Evan Moore
    IGI18.4a ToR coversheet v1.0.docx
    IGI18.4b IGI ToR V1.0.docx

5 11:45 - IG18/5 Committee Cycle of Business – Dr Evan Moore
    IGI18.5a COB coversheet.docx
    IGI18.5b IGI Cycle of Business V0.05.docx

6 12:15 - IG18/6 Summary action plan
    IGI18.6 Summary Action Log.doc

7 12:20 - IG18/7 Corporate risks assigned to the Committee – Dr Evan Moore
    IGI18.7a Corporate Risk Register coversheet.docx
    IGI18.7b CRR10.pdf

8 Informatics

8.1 12:40 - IG18/8 Informatics Operational Plan Q2 performance update – Mr Dylan Williams in attendance
    IGI18.8 Informatics Operational plan QTR 2 report.docx

8.2 IG18/9 Chair Assurance report: Digital Transformation Group – Dylan Williams in attendance
    IGI18.9 IGI Committee Report DTG Chairman's report - Nov 18 Final.docx

9.1 13:10 - IG18/10 Update on the national response to WAO informatics report – Mr Andrew Doughton, WAO, in attendance
    IGI18.10a Response to AGW Informatics report coversheet.docx
    IGI18.10b Response to AGW Informatics report 876A2018-19.pdf

10 Information Governance

10.1 13:30 - IG18/11 Information Governance Group Chair assurance report incorporating Quarterly KPI and Compliance Report – Mrs Justine Parry in attendance
    IGI18.11 IGG Chair's Assurance Report Oct 2018-final.docx

10.2 IG18/12 Information Governance Policies – Mrs Justine Parry in attendance
    IGI18.12 All Wales IG polices-final coversheet.docx
    IGI18.12.1 All Wales Information Governance Policy v1.docx
    IGI18.12.2 All Wales Information Security Policy v1.docx
    IGI18.12.3 All Wales Email Use Policy v2.docx
    IGI18.12.4 All Wales Internet Use Policy v2.docx

10.3 14:00 - IG18/13 Information Governance Annual report 2017/18 – Mrs Justine Parry in attendance
    IGI18.13a Information Governance Annual Report Coversheet.docx
    IGI18.13b Information Governance Annual Report 2017_18 v1 Final.doc

11 IG18/14 Issues to inform the Chair's Assurance report

12 14:20 - IG18/15 Date of next meeting 14.2.19 9.30am Carlton Court Boardroom


AGENDA 11.30am Boardroom 2, Corporate Offices, Wrexham Maelor, LL13 7TD

4 IG18/4 Committee Terms of Reference

IGI18.4a ToR coversheet v1.0.docx

Information Governance and Informatics Committee 13.11.18

To improve health and provide excellent care

Report Title: Information Governance and Informatics Committee Terms of Reference

Report Author: Diane Davies ~ Business Support Manager

Responsible Director: Dr Evan Moore ~ Executive Medical Director

Public or In Committee: Public

Purpose of Report: On 6.9.18 the Board approved a range of proposals for Board and Committee arrangements including revisions to the remit of the Finance and Performance Committee to focus more on operational performance and budget compliance, and the establishing of an Information Governance & Informatics (IGI) Committee to be chaired by the Board IT Independent Member. This would enable F&P Committee to focus more clearly on the key finance and performance issues but would also provide improved Board oversight and engagement with the IG (and IT) agenda. IGI Committee would link into the F&P Committee (via Committee Business Management Group) on matters relating to in year performance and into the Strategy, Partnerships and Population Health (SPPH) Committee on future plans, but would report directly to the Board through its Chair’s Assurance Reports and its Annual Report as per other Board Committees. The Board approved Terms of Reference for the Information Governance and Informatics Committee which would meet quarterly which are now presented to the Committee for completeness.

Approval / Scrutiny Route Prior to Presentation:

The Board approved the establishment of the new Committee on 6.9.18

Governance issues / risks:

Governance has been strengthened through the establishment of the Committee, providing greater opportunity for assurance on Information Governance and Informatics, which was previously undertaken through the wider remit of the F&P Committee.

Financial Implications:

None

Recommendation: The Committee is asked to note the Terms of Reference approved by the Board.


Health Board’s Well-being Objectives (indicate how this paper proposes alignment with the Health Board’s Well Being objectives. Tick all that apply and expand within main report)

1. To improve physical, emotional and mental health and well-being for all

2. To target our resources to those with the greatest needs and reduce inequalities

3. To support children to have the best start in life

4. To work in partnership to support people – individuals, families, carers, communities - to achieve their own well-being

5. To improve the safety and quality of all services

6. To respect people and their dignity

7. To listen to people and learn from their experiences

√ WFGA Sustainable Development Principle (Indicate how the paper/proposal has embedded and prioritised the sustainable development principle in its development. Describe how within the main body of the report or if not indicate the reasons for this.)

1. Balancing short term need with long term planning for the future

✓ 2. Working together with other partners to deliver objectives

3. Involving those with an interest and seeking their views

✓ 4. Putting resources into preventing problems occurring or getting worse

✓ 5. Considering impact on all well-being goals together and on other bodies

Special Measures Improvement Framework Theme/Expectation addressed by this paper: Governance

Equality Impact Assessment: Not required for a paper of this nature

Disclosure:

Betsi Cadwaladr University Health Board is the operational name of Betsi Cadwaladr University Local Health Board

Board/Committee Coversheet v10.0

IGI18.4b IGI ToR V1.0.docx

Betsi Cadwaladr University Health Board Terms of Reference and Operating Arrangements

INFORMATION GOVERNANCE AND INFORMATICS COMMITTEE

1. INTRODUCTION

The Board shall establish a committee to be known as the Information Governance and Informatics Committee (IGI). The detailed terms of reference and operating arrangements in respect of this Committee are set out below.

2. PURPOSE

The purpose of the Committee is to advise and assure the Board in discharging its responsibilities with regard to the quality and integrity; safety and security and appropriate access and use of information to support health improvement and the provision of high quality healthcare. The Committee will seek assurance on behalf of the Board in relation to the Health Board’s arrangements for appropriate and effective management and protection of information (including patient and personal information) in line with legislative and regulatory responsibilities. The Committee will also provide advice and assurance to the Board in relation to the direction and delivery of the Informatics and Information Governance Strategies to drive continuous improvement and support IT enabled health care to achieve the objectives of the Health Board’s integrated medium term plan.

3. DELEGATED POWERS

3.1 The Committee, in respect of its provision of advice and assurance will, and is authorised by the Board to:

• oversee the development of the Health Board’s strategies and plans for maintaining the trust of patients and public through its arrangements for handling and using information, including personal information, safely and securely, consistent with the Board’s overall strategic direction and any requirements and standards set for NHS bodies in Wales;

• oversee the direction and delivery of the Health Board’s informatics and information governance strategies to drive change and transformation in line with the Health Board’s integrated medium term plan that will support modernisation through the use of information and technology;

• consider the information governance and informatics implications arising from the development of the Health Board’s corporate strategies and plans or those of its stakeholders and partners;

• consider the information governance and informatics implications for the Health Board of internal and external reviews and reports;

• oversee the development and implementation of a culture and process for data protection by design and default (including Privacy Impact Assessments) in line with legislation (e.g. General Data Protection Regulation).

3.2 The Committee will, in respect of its assurance role, seek assurances that information governance and the informatics (including patient records) arrangements are appropriately designed and operating effectively to ensure the safety, security, integrity and effective use of information to support the delivery of high quality, safe healthcare across the whole of the Health Board’s activities.

3.3 To achieve this, the Committee’s programme of work will be designed to ensure that, in relation to information governance, informatics and patient records:

• there is clear, consistent strategic direction, strong leadership and transparent lines of accountability;

• there is a citizen centred approach, striking an appropriate balance between openness and confidentiality in the management and use of information and technology;

• the handling and use of information and information systems across the organisation is consistent, and based upon agreed standards;

• there is effective communication, engagement and the workforce is appropriately trained, supported and responsive to requirements in relation to the effective handling and use of information (including IT Systems) – consistent with the interests of patients and the public;

• there is effective collaboration with partner organisations and other stakeholders in relation to the sharing of information in a controlled manner, to provide the best possible outcomes for its citizens (in accordance with the Wales Accord for the Sharing of Personal Information and Caldicott requirements);

• the integrity of information is protected, ensuring valid, accurate, complete and timely information is available to support decision making across the organisation;

• the Health Board is meeting its responsibilities with regard to the General Data Protection Regulation, the Freedom of Information Act, Caldicott, Information Security, Records Management, Information Sharing, national Information Governance policies and Information Commissioner’s Office Guidance;

• the Health Board is safeguarding its information, technology and networks through monitoring compliance with the Security of Network and Information Systems regulations and relevant standards;

• all reasonable steps are taken to prevent, detect and rectify irregularities or deficiencies in the safety, security and use of information, and in particular that:

  ▪ Sources of internal assurance are reliable, and have the capacity and capability to deliver;

  ▪ Recommendations made by internal and external reviewers are considered and acted upon on a timely basis;

  ▪ Lessons are learned from breaches in the safe, secure and effective use of information, as identified for example through reported incidents, complaints and claims; and

  ▪ Training needs are assessed and met.

• receive assurance on the delivery of the informatics and information governance operational plans including performance against the annual Informatics Capital Programme;

• seek assurance on the effectiveness and impact of the Health Board’s Digital Transformation Plans;

• seek assurance on the performance and delivery of the rollout of the core national IT systems which could have significant impact on the Health Board’s operational services and escalate to the Board as appropriate.

3.4 The Committee will receive assurance on compliance with key performance indicators in relation to the quality and effectiveness of information and information systems against which the Health Board’s performance will be regularly assessed.

3.5 Maintain oversight of the effectiveness of the relationships and governance arrangements with partner organisations in relation to informatics and information governance. This will include NHS Wales Informatics Service (NWIS).

4. AUTHORITY

4.1 The Committee may investigate or have investigated any activity within its terms of reference. It may seek relevant information from any:

• employee (and all employees are directed to cooperate with any legitimate request made by the Committee); and

• other committee, sub-committee or group set up by the Board to assist it in the delivery of its functions.

4.2 May obtain outside legal or other independent professional advice and to secure the attendance of outsiders with relevant experience and expertise if it considers it necessary, in accordance with the Board’s procurement, budgetary and other requirements;

4.3 May consider and where appropriate, approve on behalf of the Board any policy within the remit of the Committee’s business;

4.4 Will review risks from the Corporate Risk Register that are assigned to the Committee by the Board and advise the Board on the appropriateness of the scoring and mitigating actions in place.

5. SUB-COMMITTEES

5.1 The Committee may, subject to the approval of the Health Board, establish sub-committees or task and finish groups to carry out on its behalf specific aspects of Committee business.

6. MEMBERSHIP

6.1 Members

• Four Independent Members of the Board

6.2 In Attendance

• Executive Medical Director (lead director)

• Chief Information Officer, Informatics

• Board Secretary/ Senior Information Risk Owner (SIRO)

• Caldicott Guardian

• Assistant Director Information Governance & Assurance/ Data Protection Officer (DPO)

6.2.1 Other Directors/Officers will attend as required by the Committee Chair, as well as any others from within or outside the organisation who the Committee considers should attend, taking into account the matters under consideration at each meeting.

6.3 Member Appointments

6.3.1 The membership of the Committee shall be determined by the Chairman of the Board taking account of the balance of skills and expertise necessary to deliver the Committee’s remit and subject to any specific requirements or directions made by the Welsh Government. This includes the appointment of the Chair and Vice-Chair of the Committee who shall be Independent Members.

6.3.2 Appointed Independent Members shall hold office on the Committee for a period of up to 4 years. Tenure of appointments will be staggered to ensure business continuity. A member may resign or be removed by the Chairman of the Board. Independent Members may be reappointed to the Committee up to a maximum period of 8 years.

6.4 Secretariat

6.4.1 Secretary: as determined by the Board Secretary.

6.5 Support to Committee Members

6.5.1 The Board Secretary, on behalf of the Committee Chair, shall:

• Arrange the provision of advice and support to Committee members on any aspect related to the conduct of their role; and

• Ensure the provision of a programme of development for Committee members as part of the overall Board Development programme.

7. COMMITTEE MEETINGS

7.1 Quorum

7.1.1 At least two Independent Members must be present to ensure the quorum of the Committee; this should include either the Chair or the Vice-Chair of the Committee. In the interests of effective governance it is expected that at least one of those named officers listed above will also be in attendance.

7.2 Frequency of Meetings

7.2.1 Meetings shall routinely be held on a quarterly basis.

7.3 Withdrawal of individuals in attendance

7.3.1 The Committee may ask any or all of those who normally attend but who are not members to withdraw to facilitate open and frank discussion of particular matters.

8. RELATIONSHIP & ACCOUNTABILITIES WITH THE BOARD AND ITS COMMITTEES/GROUPS

8.1 Although the Board has delegated authority to the Committee for the exercise of certain functions as set out within these terms of reference, it retains overall responsibility and accountability for ensuring the quality and safety of healthcare for its citizens through the effective governance of the organisation.

8.2 The Committee is directly accountable to the Board for its performance in exercising the functions set out in these Terms of Reference.

8.3 The Committee, through its Chair and members, shall work closely with the Board’s other Committees including joint committees/Advisory Groups to provide advice and assurance to the Board through the:

8.3.1 joint planning and co-ordination of Board and Committee business; and

8.3.2 sharing of information

in doing so, contributing to the integration of good governance across the organisation, ensuring that all sources of assurance are incorporated into the Board’s overall risk and assurance arrangements.

8.4 The Committee shall embed the corporate goals and priorities through the conduct of its business, and in doing and transacting its business shall seek assurance that adequate consideration has been given to the sustainable development principle and in meeting the requirements of the Well-Being of Future Generations Act.

9. REPORTING AND ASSURANCE ARRANGEMENTS

9.1 The Committee Chair shall:

9.1.1 report formally, regularly and on a timely basis to the Board on the Committee’s activities via the Chair’s assurance report, the presentation of an annual report; and membership of the Health Board’s committee business management group.

9.1.2 ensure appropriate escalation arrangements are in place to alert the Health Board Chair, Chief Executive or Chairs of other relevant committees of any urgent/critical matters that may affect the operation and/or reputation of the Health Board.

9.2 The Board Secretary, on behalf of the Board, shall oversee a process of regular and rigorous self-assessment and evaluation of the Committee’s performance and operation.

10. APPLICABILITY OF STANDING ORDERS TO COMMITTEE BUSINESS

10.1 The requirements for the conduct of business as set out in the Standing Orders are equally applicable to the operation of the Committee, except in the following areas:

• Quorum

11. REVIEW

11.1 These terms of reference and operating arrangements shall be reviewed annually by the Committee and any changes recommended to the Board for approval.

Date of approval by the Board 6.9.18 Reported to Committee

V1.0

5 IG18/5 Committee Cycle of Business

IGI18.5a COB coversheet.docx

Information Governance and Informatics Committee 13.11.18


Report Title: Information Governance and Informatics Committee Cycle of Business

Report Author: Diane Davies ~ Business Support Manager

Responsible Director: Dr Evan Moore ~ Executive Medical Director

Public or In Committee: Public

Purpose of Report: On 6.9.18 the Board approved a range of proposals for Board and Committee arrangements including the establishment of an Information Governance & Informatics (IGI) Committee to be chaired by the Board IT Independent Member. As part of Board and Committee governance arrangements a Cycle of Business is required to be established to ensure the Committee operates within the scope of its Terms of Reference.

Approval / Scrutiny Route Prior to Presentation:

The Board approved the establishment of the new Committee on 6.9.18. The draft Cycle of Business has been drawn together in liaison with the Committee Chair and Lead Director.

Governance issues / risks:

Governance has been strengthened through the establishment of the Committee, providing greater opportunity for assurance on Information Governance and Informatics, which was previously undertaken through the wider remit of the F&P Committee.

Financial Implications:

None

Recommendation: The Committee is asked to discuss and approve the draft Cycle of Business, identifying any gaps and appropriate scheduling of items.

Health Board’s Well-being Objectives (indicate how this paper proposes alignment with the Health Board’s Well Being objectives. Tick all that apply and expand within main report)

1. To improve physical, emotional and mental health and well-being for all

2. To target our resources to those with the greatest needs and reduce inequalities

3. To support children to have the best start in life

4. To work in partnership to support people – individuals, families, carers, communities - to achieve their own well-being

5. To improve the safety and quality of all services

6. To respect people and their dignity

7. To listen to people and learn from their experiences

√ WFGA Sustainable Development Principle (Indicate how the paper/proposal has embedded and prioritised the sustainable development principle in its development. Describe how within the main body of the report or if not indicate the reasons for this.)

1. Balancing short term need with long term planning for the future

✓ 2. Working together with other partners to deliver objectives

3. Involving those with an interest and seeking their views

✓ 4. Putting resources into preventing problems occurring or getting worse

✓ 5. Considering impact on all well-being goals together and on other bodies

Special Measures Improvement Framework Theme/Expectation addressed by this paper: Governance

Equality Impact Assessment: Not required for a paper of this nature

Disclosure:

Betsi Cadwaladr University Health Board is the operational name of Betsi Cadwaladr University Local Health Board


IGI18.5b IGI Cycle of Business V0.05.docx

INFORMATION GOVERNANCE & INFORMATICS COMMITTEE CYCLE OF ANNUAL BUSINESS AND FORWARD PLANNER (last updated 05/11/2018 18:05)

Part 1 – Annual Recurring Business

Agenda Items | Notes | Nov Feb May Aug Nov Feb

Preparation of Reports to IGIC | • Ensure Executive Summary is provided (First page of report) max 2 pages |

Opening Business (Standing items)

Apologies | Standard Committee item | x x x x x x

Declarations of Interest | Standard Committee item | x x x x x x

Draft minutes of previous meeting, matters arising and review of Summary Action Plan | Standard Committee item | x x x x x x

Governance matters

Committee Annual Report (including annual review of ToR and cycle of business) | Submission to June Audit Committee prior to Board | x

Terms of Reference review | Annual review | x x

Review of Corporate Risks allocated to the Committee | ToR 4.4 | x x x

Policies (compliance with national policy and development of organisational policy) | ToR |

Periodic updates on Limited Assurance Audit reports | Per Audit Committee |

Informatics

Informatics Strategy – annual review | ToR 3.1.1 | x

Approval of Informatics – Operational Plan | ToR 3.1.2/10 | x

Performance against Informatics Operational plan | To include: • updates on rollout of new national and local IT systems • monitoring of existing national and local IT systems • updates on downtime and stability of systems and impact • Capital expenditure and Revenue expenditure | x x x x x x

Quarterly Assurance report | • Emerging risks • National Audit responses / progress updates on recommendations • Compliance against relevant regulations • Digital Transformation Group update (not minutes) • Systems landscape including gaps • Information security | x x x x x x

System Demonstrations (ad hoc as relevant) | (as appropriate for escalation) |

Partner organisation arrangements – other partners to be identified | ToR 3.5 |

NWIS | Annual attendance to present annual programme and priorities |

Information Governance

Information Governance Strategy – annual review | ToR 3.1.1 | x

Information Governance Assurance quarterly report (KPI and compliance report) | ToR. To include: • Emerging Risks • FOI requests and compliance • DPA SAR requests and compliance • Access to Health Records requests and compliance • IG Incidents reported and lessons learnt • IG Training compliance • IG Helpdesk support calls and actions • NIIAS reporting and compliance • Communication / compliance audits and findings • Sharing of information/WASPI • Data Protection Impact Assessments - Patient records - Issues of Significance from IGG | x x x x x x

Information Governance Annual Report | ToR 3.1.2 /10 | x x

Toolkit Progress Report | Transfer from F&P |

Caldicott | ToR 3.3.5 |

Health Records

Corporate Records Management Project Update Report | Transfer from F&P |

Health Care Records (including Annual Report) | To be determined |

Data Protection (including General Data Protection Regulations) | ToR |

Integrated Quality Performance Review – relevant dimensions | ToR 3.4 |

Implications of internal and external reviews and reports | ToR |

Strategy / plan development (eg; handling of PPI) | ToR |

Lessons learned from information breaches | ToR 3.4 |

National Infected Blood Inquiry update | per Nov 2018 Board paper recommendation |

Closing Business (standing items)

Summary of InCommittee business to be reported in public (if applicable) | Standard Committee item |

Issues of significance to inform Chair assurance report | Standard Committee item | x x x x x x

Date of next meeting | Standard Committee item | x x x x x x

Exclusion of press and public (if applicable) | Standard Committee item |

InCommittee Business (if applicable)

Draft minutes of previous InCommittee meeting, matters arising and summary action plan | Standard Committee item |

Part 2 Rolling Plan of Ad-Hoc Business

ITEM | FROM | NOTES

November 2018

Update on the national response to WAO informatics report | Andrew Doughton WAO | Transferred from F&P Committee. Email Andrew Doughton / Dawn Sharp

February 2019

May 2019

August 2019

November 2019

February 2020

Meeting information

Meeting date | Submission deadline for paper review/quality assurance | Publication date

13.11.18 | 1.11.18 | 6.11.18

14.2.19 | 4.2.19 | 7.2.19

9.5.19 | 26.4.19 | 2.5.19

15.8.19 | 5.8.19 | 8.8.19

21.11.19 | 11.11.19 | 14.11.19

13.2.20 | 3.2.20 | 6.2.20

6 IG18/6 Summary action plan

IGI18.6 Summary Action Log.doc

BCUHB Information Governance and Informatics Committee Summary Action Log – arising from meetings held in public

Officer | Minute Reference and Action Agreed | Original Timescale | Latest Update Position | Revised Timescale

Actions outstanding transferred from Finance and Performance Committee

John Cunliffe | FP18/187.2 Performance report – The availability and accuracy of data was discussed at length. In respect of primary care it was acknowledged that data was drawn down from a myriad of repositories due to the nature of primary care contracting. In addition it was noted that Community service systems were currently predominantly paper based. In the discussion which followed it was agreed that the Independent Board member for Information Technology would raise the issue of investment potential for the development of a bespoke system with the Chief Information Officer via the Information Governance and Informatics Committee. | 1.11.18 | |

7 IG18/7 Corporate risks assigned to the Committee

IGI18.7a Corporate Risk Register coversheet.docx

Information Governance and Informatics Committee 13.11.18


Report Title: Review of Corporate Risks Assigned to the Information Governance and Informatics Committee

Report Author: Mr Peter Barry, Head of Risk & Assurance

Responsible Director: Dr Evan Moore, Executive Medical Director

Public or In Committee: Public

Purpose of Report: The attached report has been produced from the web-based Datix system and details the risk entry allocated to the Information Governance and Informatics Committee: CRR10 – Informatics. It has been agreed that the Corporate Risk and Assurance Framework (CRAF) risks will be reviewed twice per year by the Board’s Committees. These risks will next be presented to the Committee in May 2019.

Approval / Scrutiny Route Prior to Presentation:

The full CRAF is scrutinised by the Health Board twice per year and is published on the Board’s external facing website. Individual risks are allocated to one of the Board’s Committees for regular consideration and review.

Governance issues / risks:

Report provides for the identification of the risk, the arrangements in place presently to control the risk and further mitigation action/s required.

Financial Implications:

Identified through development of business cases and strategic outline plan required as part of further actions to achieve the target risk score.

Recommendation: The Committee is asked to consider the relevance of the current controls, review the actions in place and consider whether the risk scores remain appropriate.

2

Health Board’s Well-being Objectives (indicate how this paper proposes alignment with the Health Board’s Well Being objectives. Tick all that apply and expand within main report)

1. To improve physical, emotional and mental health and well-being for all

2. To target our resources to those with the greatest needs and reduce inequalities

3. To support children to have the best start in life

4. To work in partnership to support people – individuals, families, carers, communities - to achieve their own well-being

5. To improve the safety and quality of all services

6. To respect people and their dignity

7. To listen to people and learn from their experiences

√ WFGA Sustainable Development Principle (Indicate how the paper/proposal has embedded and prioritised the sustainable development principle in its development. Describe how within the main body of the report or if not indicate the reasons for this.)

1. Balancing short term need with long term planning for the future

2. Working together with other partners to deliver objectives

3. Involving those with an interest and seeking their views

4. Putting resources into preventing problems occurring or getting worse

5. Considering impact on all well-being goals together and on other bodies

Special Measures Improvement Framework Theme/Expectation addressed by this paper: Governance – management of risk; Strategic and Service Planning. http://www.wales.nhs.uk/sitesplus/861/page/81806

Equality Impact Assessment Not applicable for governance paper of this nature.

Disclosure:

Betsi Cadwaladr University Health Board is the operational name of Betsi Cadwaladr University Local Health Board

1 IGI18.7b CRR10.pdf

CRR10

Director Lead: Executive Medical Director Date Opened: 01/08/2015

Assuring Committee: Information Governance and Informatics Committee Date Last Reviewed: 13/09/2018

Risk: Informatics Target Risk Date: 31/12/2019

There is a risk that the Informatics infrastructure is not fit for purpose. This may be due to: (a) A lack of capacity and resource. (b) Increasing demand. (c) Reliance on the NHS Wales Informatics service. This could lead to failures in clinical and management information systems, impacting negatively on patient safety/outcomes, and greater risk of cyber-attack.

Initial Risk Rating: Impact 4, Likelihood 5, Score 20

Current Risk Rating: Impact 4, Likelihood 4, Score 16

Target Risk Score: Impact 4, Likelihood 3, Score 12

Movement in Current Risk Rating since last presented to Board in July 2018: No Change

Controls in place

Controls Part A & B: 1. Governance structures in place to approve plans and approved plans for 2018 (Capital, IMTP and Operational). 2. Integrated planning process and agreed timescales. 3. Forward programme of business case development. 4. Local innovation to address operational risk (e.g. SBRI, ETTF). 5. Programme management approach to the implementation of Systems including Gateway review process where required. 6. Detective control and processes e.g. Performance Monitoring, reporting and escalation structures in place. 7. Governance structure for Informatics to review requests for work and prioritise. 8. Draft Informatics Strategic Outline Plan detailing the "investment requirements for technology and digitally enabled service change" produced to support local and national planning. 9. Increased revenue budget 2018 2019.

Controls Part C: 1. Engagement with National Teams at Multiple Levels. 2. Integrated planning process and agreed timescales from third party suppliers including NWIS. Note: evidence of slippage past agreed dates is suggested to be a trend for NWIS. 3. Participation in change control process. 4. Specifications for Products and services agreed via Governance Structures. 5. Quarterly Contracting Reviews against SLA commenced Jan 18. 6. Review meetings with NWIS directors twice a year.

Further action to achieve target risk score

1. Refine and agree the Strategic Outline Plan for Informatics - Quarter 3 2018. 2. Agreed Strategic direction for the Electronic Patient Record SOC date TBC. 3. Develop associated business cases for resource required for SOP and SOC and to address failing infrastructure e.g. Central File Library. (Qtr 3 BC Central File Library, Tele health and Digital Dictation QTR 2/3 2018). 4. Engagement with National Teams at multiple levels and escalation of issues via processes re requirements for:- a. A more user friendly better performing Welsh Clinical Portal. b. Delivery of a single Radiology System (TBC Qtr 2/3 2018 2019). c. Rapid development of the Welsh Care Record Service. 5. Secured additional Capital and revenue budget going forward (with business case justifications).

[Chart: risk score (scale 0 to 25) plotted at 01/08/2015, 18/11/2015, 01/06/2016, 19/05/2017 and 04/06/2018, with series for Initial, Current and Target]

Assurances: 1. National system implementation oversight by NMIB chaired by the Cabinet Secretary. 2. Annual Internal Audit Plan. 3. WAO reviews and reports e.g. Structured assessments and data quality. 4. Scrutiny of Clinical Data Quality by CHKS. 5. Auditor General Report - Informatics Systems in NHS Wales.

Links to: Strategic Goals 2, 3, 4, 5, 6, 7; Principal Risks PR6, PR5, PR2; Special Measures Theme: Strategic and Service Planning.

8.1 IG18/8 Informatics Operational Plan Q2 performance update

1 IGI18.8 Informatics Operational plan QTR 2 report.docx

Information Governance and Informatics Committee 13.11.18


Report Title: Informatics Operational Plan performance update:

• Performance against Informatics Operational Plan Objectives – 2018 2019 Quarter 2. Paper 1

• Draft Informatics Priorities for the next three years (Draft Integrated Medium Term Plan Objectives). Paper 2

Report Author: Mrs Tracy Williams, Informatics Head of Performance and Improvement

Responsible Director:

Dr Evan Moore, Executive Medical Director

Public or In Committee

Public

Purpose of Report: The Committee is asked to consider this report in order to

• Monitor progress which has been, or is being, made against the Informatics Operational Plan and monitor delivery of the roll out of core National IT systems (Paper 1)

• Approve / be advised of changes to the previously published 2018 / 2019 operational plan that are highlighted via change or exception (Paper 1)

• Receive draft Informatics priorities (which are currently under consultation via Integrated Medium Term Plan (IMTP) planning activities) and provide comments that will inform further iterations of plans. (Paper 2)

Approval / Scrutiny Route Prior to Presentation:

The papers have been reviewed for submission by the Chief Information Officer

Governance issues / risks:

Paper 1: As detailed within the report, the overall status of the majority of deliverables is on target. Eight projects are not performing to plan, experiencing issues or off target and are detailed within the paper. Those which are not performing to plan due to our reliance on the NHS Wales Informatics Service are:-

• Diabetes and Hepatitis C (Hep C) National E-Docs should have been delivered in Quarter 2; these are both reported as off target as we await the project plan from the National Team. Note progress is being made.

• Improving Assurance of Results Management (i.e. electronic ping to help stop printing Pathology results). Representations for the required National interfaces to this local solution continue to be made. In the meantime, BCU pilots the new Welsh Clinical Portal (WCP) mobile application in October 2018 to review if it has the required functionality to address the current gaps in the WCP regarding results notification and action recording.

Whilst the IPT telephony Project remains at risk, progress has been made with identifying long-term committed resource, which will enable the progression of this project. Delays to allocation of resource and recruitment timescales will undoubtedly result in an extension to project timescales (circa 12 months) and a significant reduction in capital spends for this financial year. This has been subject to disclosure and discussion at the Capital Programme Management Team. The annual Informatics budget has been reduced by some £250k against the WCCIS budget. Whilst this will not be an issue in year (due to vacant positions) the effect of recruitment activities already undertaken will result in a budget overspend next year unless monies are re-provisioned.

Paper 2: The paper detailing the Informatics priorities for the next three years is the draft insertion intended for BCU’s IMTP. As such, this paper details the intended plan and approach for 2019 to 2022. It is derived from a previously approved 5-year plan which balances short term need with longer term planning for the future. The plan remains consistent with the approach of previous years, which is to implement technology to maintain and improve our existing infrastructure and systems whilst supporting service transformation and growing our capacity and capability. Objectives remain unchanged and priorities remain as the implementation of National systems such as WPAS, WEDS, and WCCIS (working together with other partners to deliver objectives); local projects, which will accelerate the journey to an electronic record; focusing on getting the basics right (improving the safety and quality of services); focusing on leveraging the benefits of the tools that we already have and rolling programmes of work to get and keep the basics right.

Financial Implications:

The Quarter 2 update highlights budget changes that will need to be addressed in next year’s budget allocation.

Recommendation: The Committee is asked to: Paper 1 - monitor progress against the Informatics Operational Plan and note the risks highlighted. Paper 2 - review alignment of plans to BCU objectives and provide feedback to inform further iterations of the plan.

Health Board’s Well-being Objectives (indicate how this paper proposes alignment with the Health Board’s Well Being objectives. Tick all that apply and expand within main report)

1. To improve physical, emotional and mental health and well-being for all

2. To target our resources to those with the greatest needs and reduce inequalities

3. To support children to have the best start in life

4. To work in partnership to support people – individuals, families, carers, communities - to achieve their own well-being

5. To improve the safety and quality of all services

6. To respect people and their dignity

7. To listen to people and learn from their experiences

√ WFGA Sustainable Development Principle (Indicate how the paper/proposal has embedded and prioritised the sustainable development principle in its development. Describe how within the main body of the report or if not indicate the reasons for this.)

1. Balancing short term need with long term planning for the future

2. Working together with other partners to deliver objectives

3. Involving those with an interest and seeking their views

4. Putting resources into preventing problems occurring or getting worse

√ 5. Considering impact on all well-being goals together and on other bodies

Special Measures Improvement Framework Theme/Expectation addressed by this paper http://www.wales.nhs.uk/sitesplus/861/page/81806

Equality Impact Assessment N/A

Disclosure:

Betsi Cadwaladr University Health Board is the operational name of Betsi Cadwaladr University Local Health Board

Board/Committee Coversheet v10.0

Paper 1; Performance against Informatics Operational Plan Objectives – 2018 2019 Quarter 2

This summary report aims to provide the Information Governance and Informatics Committee with a mechanism to monitor the progress that Informatics is making against its Operational Plan. Reporting is by benefits delivered, change/exception to plan, or significant event only.

1. Objective Status

As indicated in table 1, the total number of objectives/projects to be delivered in 2018 2019 remains at 52. The overall status of the majority of deliverables is on target (30). The overall status of 12 projects is “not applicable” as these projects are scheduled to begin in later quarters. Eight projects are not performing to plan, experiencing issues or off target. These projects form the primary focus of this paper along with significant events which have occurred in other projects.

Table 1; Summary table of progress against objectives (total number of objectives/projects: 52)

                   Complete   On Target   At Risk   Experiencing Issues   Off Target   Not Applicable
Overall Status         2          30         1               4                 3              12
Quality Status         2          33         0               3                 2              12
Milestone Status       2          32         1               2                 4              11
Cost Status            2          32         0               1                 3              14
Risk Status            2          32         1               2                 3              12
Benefit Status         2          33         0               1                 3              13

Objectives delivered and benefits realised this quarter; No projects have completed this quarter. Two projects completed in Quarter 1.

Operational Plan Change or Exception;

The Paediatric Mobile Nursing Application (CHAI) which aims to replace paper nursing documentation is reported as experiencing issues as project timelines will be extended. As planned in Quarter 2 a “Dry Run” in a 'real life’ ward environment was undertaken; whilst largely successful, it identified some issues e.g. workflows for pre-operative assessment require standardisation, and some additional software developments are required to support workflows e.g. a Ward Clerk screen. The Project Board have agreed to continue with the Dry Run for a further 3-month period to ensure the robustness of the solution and to test the resolutions to the issues. Project plans will be revised over the coming months to identify a go-live date; these plans will also need to consider the impact of winter pressures. Whilst concerns were highlighted in the Quarter 1 report about resources for mobile device support for this project, this is no longer considered to be a risk due to the impending appointment of mobile technicians and the need to revise the anticipated go live date.

Improving Assurance of Results Management (i.e. electronic ping to help stop printing Pathology results) is reported as experiencing issues due to the restrictions that NWIS have placed on BCU to take the “My Ping” solution into User Acceptance Testing. Representations for the required National interfaces to this local solution continue to be made as the need for a solution is frequently highlighted by clinical and administrative colleagues expressing concern and frustration across BCU. In the meantime, BCU will pilot the new Welsh Clinical Portal (WCP) mobile application in October 2018 to review if it has the required functionality to address the current gaps in the WCP regarding results notification and action recording.

Diabetes and Hepatitis C (Hep C) National E-Docs, which are available from within the Welsh Clinical Portal (Welsh E-Documents Reporting), should have been delivered in Quarter 1; these are both reported as off target as we await the project plan from the National Team. Whilst “off target”, some progress is being made; the Hep C form has been confirmed as the next form to be piloted in User Acceptance Testing and Diabetes colleagues are actively engaging on the standard set of core data for this speciality. In addition the Lung Function audit is now live to update by BCU teams via the WCP. A request to NWIS has been made to allow BCU to hold and update the forms locally to support accessibility to our data and local tailoring/formatting e.g. addition of local fields whilst ensuring compliance with national data sets.

In a change to plans the Digital Dictation Business Case Development and approval is now being led through the Administration and Clerical review. The Operational Plan will be updated to reflect the revised ownership (a reduction in reportable objectives to 51) next quarter. Whilst Informatics will continue to support the project, this change is considered essential to ensure that benefits can be appropriately identified, agreed and delivered. This project is currently reported as “at risk” due to delays with approvals. An Invest to Save bid is currently being progressed.

In a change to plan, the current phase of the Welsh Patient Administration System (WPAS) Project (upgrading Myrddin in the East) has been re-profiled to reflect a later than planned delivery date. Changes to the implementation date were made following Project Team concerns and Project Board agreement that the November/December date was unattainable due to recruitment and data validation activities. Following Project Board direction, a date in February 2019 was sought from NWIS via the national PAS Service Management Board in August. This was approved in principle and ratified by NWIS directors. Resources have been secured locally and nationally for a February 2019 go-live.

Operational Plan Significant Event;

Progress in accordance with plans is being made with the Local Document Repository/Digital Forms project which was an exploration to Accelerate the Journey to the EPR. A ‘Local Eco System’ Project has been established as a steering group and a Senior Responsible Officer has been identified.

The first meeting was held at the end of September. Working with a consultant, the Head of Digital Records has identified and is progressing with five work streams (WS) which were ratified by the Steering Group: WS1 – Establish BCUHB Baseline; WS2 – Develop Models of Delivery; WS3 – Explore Models for Integration; WS4 – Develop a detailed Specification; WS5 – Develop a Business Case.

BCU have provided its priorities for the Welsh Care Record Service Programme (WCRS; a National Repository for Information and Information sharing across Wales). These priorities will continue to be reviewed in light of the work with the Local Eco System. All discharge advice letters from Medicines Transcribing and e-Discharge (MTeD) used in West and Central, and all discharge advice letters and clinic letters available from the Electronic Point Of Care (EPOC) system used in the East, are available in WCRS via the Welsh Clinical Portal (WCP). The next document set to be considered is the Clinic Letters from PIMS (West). BCU are able to view documents held in the WCRS from other Health Boards and this has been communicated across BCU. Work is continuing nationally concerning standards, which will inform local standards for data collection/sharing. Key issues currently being considered by the WCRS Board are which documents will sit in which repository (WRRS/WCRS) and determining the location to view in the WCP (results or documents tab). A draft Privacy Impact Assessment has been developed by the national team to seek approval from the Information Commissioner’s Office to hold all digital information for the foreseeable future, mitigating the issue that documents (patient records) cannot be destroyed in WCRS in line with retention. BCU are contributing to the Privacy Impact Assessment in support of this approach.

Whilst still reported as off target (see previous reports), the Welsh Community Care Information System (WCCIS) project board have granted approval for the pilot project work to commence with four District Nursing Teams in the West during Quarter 4 of 2018/2019 and Quarter 1 of 2019 2020.

To support BCU in meeting the General Data Protection Regulations a Patient Records Transition Programme has been established with an interim Programme Manager provided from the Information Governance team. Evan Moore is the executive lead responsible and SRO for the

Finance

Revenue position; At Month 06, Informatics was underspent by £400k. Despite planned recruitment to vacancies and a number of cost pressures, which are yet to be borne, it is anticipated that Informatics will underspend its budget allocation at M12. At present, this is disclosed at circa £150k. This is due to the full year effect of vacant posts, which are in various stages of recruitment.

The annual Informatics budget has been reduced by some £250k against the WCCIS budget. Whilst this will not be an issue in year (due to vacant positions), the effect of recruitment activities already undertaken will result in a budget overspend next year unless monies are returned.

Capital; Some significant changes have been requested against the Informatics Discretionary Capital Programme. The most significant “grouped” changes are that spends to support National Projects have been reduced or removed (circa £200k) to reflect project status, recruitment delays or a requirement to spend Welsh Government monies within year. The most significant singular change reflected is to the IPT telephony programme, which has been subject to previous reports. Whilst revenue resources are now in place to support this project, it is evident that the previously allocated spends of £705k will not be required within year. The current allocation is now reflected at £186k. Capital Programme Management Team were advised that this project is likely to extend to cover the period of inactivity and that costs would be re-profiled. Whilst the slippage from these schemes has been added to core infrastructure (specifically to procure more devices) to create a balanced Informatics programme, it is clear that wider BCU capital pressures will require slippage to be reallocated to priority BCU areas e.g. to meet estate infrastructure requirements in areas like Mental Health. Due to levels of assets in storage, a reduction in the Capital programme, which is likely, is not anticipated to have an adverse effect in year.

Paper 2; Digital Health Informatics IMTP Insertion 2019 2022

The plan and approach for 2019/22 remains consistent with the approach of previous years, which is to implement technology to maintain and improve our existing infrastructure and systems whilst supporting service transformation and growing our capacity and capability. The 3-year ‘enabling’ plan is derived from a previously approved five-year rolling plan, which has been developed to underpin service needs and support the delivery of a number of strategic developments in Digital Records, Analytics, Information Management and Information Communications Technology. Our plans and developments are based on the Informed Health and Care Strategy that Informatics driven work will produce:-

Our approach and pace to deliver the vision considers resource availability, National and legislative context which influences priorities, direction and pace of delivery and previously published “guiding principles” (1). The need to “get the basics right” and maintain our focus on the delivery of the plan is essential. In effect, this means that there will be very few opportunities to introduce new or additional technology outside of those identified within this plan or those emergent ones, which are driven by legislative requirements.

Figure 1; Informatics Objectives

The resultant focus on our plan will ensure that we maintain the required pace to deliver a range of projects that underpin our previously published objectives which are defined in figure 1. The plan for 2019/22 forms Figure 2. It lists the projects that will be undertaken to deliver each of the objectives. High-level timescales are also indicated along with schemes that have been undertaken in previous years. As shown in figure 2, Informatics priorities for 2019 2022 which will further the “Digital Roadmap” include:-

• Phase 3 of the Welsh Patient Administration Project, which supports the acute hospital care programme. In 2019 2020 we will replace the commercial patient administration system that is currently in use in the West. Standardising / continuing to standardise Patient Administration Processes for services that utilise the product. Morphing three instances of the administration system into one unified system circa 2020 2021. The three instances are Central phase 1 which was completed in 2017 2018, East phase 2 which has been the focus for 2018 2019 and West which will be the phase 3 2019 2020 focus.

• Completing pilot studies that commenced in 2018 2019 and learning lessons to inform wider installation and utilisation of the Welsh Community Care Information System that is an integrated Health and Social care system. This system underpins transformation as it is designed to enable Health and Social Care professionals to work together to provide care closer to people’s homes. This project therefore supports Mental Health and Care Closer to Home programmes.

• Re-constituting the previously paused Welsh Emergency Department System project which assists with the management of the patient within the Emergency department and the patients’ pathway. This project therefore supports the unscheduled care programme.

To supplement these National programs and to accelerate the Health Board’s journey to an electronic patient record, Digital Roadmap priorities in figure 2 also include a number of local innovative solutions:-

• Completing the deployment of the Paediatric Nursing mobile Application (CHAI = Connected Healthcare Administrative Interface) on the acute wards within our hospitals. This will be enabled through the continued digitisation of nursing records and the use of mobile devices to move process closer to the patient’s bedside. This would converge with National Products when available.

• Phase 2 of an “Ecosystem” project that will see the creation and installation of a local document repository that delivers and receives outputs to and from National Products to support the generation of electronic documents which will “build up” the patient’s record. As an electronic record will support the removal of barriers to multidiscipline and multi-site care, this project supports all Transformation programmes.

Many of our objectives require us to maintain our emphasis on getting the basics right. Data Driven decision making is no exception. A concentration on process will be required to leverage the benefits of the tools that we already have. Data Driven decision making will only be possible if we have accurate real time data to inform business intelligence. Specific priorities for 2019 2020 therefore include delivering content to support flow based decisions around real time admit discharge and transfer data, outcomes in real time driven by clinicians. We will also continue the work to provide administrative data to support clinical engagement, and improve data quality.

As in previous years, Digital Infrastructure priorities will remain the primary source of Informatics Discretionary Capital spend. Rolling programmes of work are required to “get and keep the basics right”; these include enhancements to core infrastructure such as the replacement of networks and obsolete hardware. They also include the continuation of projects such as the migration of our telephone infrastructure from an “end of life” solution to one which is fully supported and capable of underpinning service change once fully implemented. A requirement to more proactively manage and secure our data, which is borne through the growing use of systems, the increased collection of data to manage and support patients and improved legislation, will see an increased concentration on the plethora of disparate systems deployed throughout the Health Board. Outputs will include security assessments and policies.

Ref 1. Williams D 2018, Informatics Operational Plan 2018 2019. Betsi Cadwaladr University Health Board

Figure 2 – DRAFT revisions anticipated

8.2 IG18/9 Chair Assurance report : Digital Transformation Group

1 IGI18.9 IGI Committee Report DTG Chairman's report - Nov 18 Final.docx


Information Governance and Informatics Committee: 13.11.18


Report Title: Digital Transformation Group – Chairman’s report

Report Author: Mr Dylan Williams, Chief Information Officer

Responsible Director:

Mr Dylan Williams, Chief Information Officer

Public or In Committee

Public

Purpose of Report: The committee is asked to use this report to:- Note the Chair’s report

Approval / Scrutiny Route Prior to Presentation:

The paper has been approved by the Chief Information Officer

Governance issues / risks:

The report highlights a) Lost opportunities, benefits and risks resulting from delays in national systems; b) The business intelligence work is progressing well but further ownership of data quality and real time data input is required; c) The need for a more coordinated corporate approach to initiatives such as Technology Enhanced Care as part of the IMTP process.

Financial Implications:

The paper highlights potential costs of mitigating legacy laboratory system risks.

Recommendation: The Committee is asked to: Note issues of significance from the Digital Transformation Group, in particular the escalation of risk identified with legacy laboratory systems and potential actions and costs to mitigate the risk. Ensure that the Group is supported in its remit by encouraging attendance from areas.

Health Board’s Well-being Objectives (indicate how this paper proposes alignment with the Health Board’s Well Being objectives. Tick all that apply and expand within main report)

1. To improve physical, emotional and mental health and well-being for all

2. To target our resources to those with the greatest needs and reduce inequalities

3. To support children to have the best start in life

4. To work in partnership to support people – individuals, families, carers, communities - to achieve their own well-being

5. To improve the safety and quality of all services

6. To respect people and their dignity

7. To listen to people and learn from their experiences

√ WFGA Sustainable Development Principle (Indicate how the paper/proposal has embedded and prioritised the sustainable development principle in its development. Describe how within the main body of the report or if not indicate the reasons for this.)

1. Balancing short term need with long term planning for the future

2. Working together with other partners to deliver objectives

3. Involving those with an interest and seeking their views

4. Putting resources into preventing problems occurring or getting worse

√ 5. Considering impact on all well-being goals together and on other bodies

Special Measures Improvement Framework Theme/Expectation addressed by this paper http://www.wales.nhs.uk/sitesplus/861/page/81806

Equality Impact Assessment N/A

Disclosure:

Betsi Cadwaladr University Health Board is the operational name of Betsi Cadwaladr University Local Health Board


Digital Transformation Group 27th September 2018

Boardroom, Carlton Court, St Asaph

1. Purpose of the group

The purpose of the Digital Transformation Group, which reports into the Executive Management Group, is to provide a robust and functional governance structure to support BCU in its journey of digital transformation. This will be achieved by:-

• Strengthening the Health Board’s focus on Informatics to underpin its planning capability, and to support better decision making.

• Allowing senior service managers and clinical leads time to discuss and develop a strategic approach to digital transformation.

• Ensuring that its Informatics service is well placed to support new national IT systems as they become available through the provision of advice and guidance e.g. on service priorities and business capabilities.

• Ensuring that local innovations to meet service need are considered in light of approved strategies and plans and that disparate technology agendas are linked.

• Improving clinical and service engagement through the Digital Transformation Group and the underpinning groups that provide support. That is the Informatics User Group, Clinical Informatics Network (under development), and System Owners Group. See Appendix 1 for governance structure and more detail.

2. Meeting summary

The group met on the 27 September 2018 and was chaired by the Chief Information Officer. It was noted that attendance was low and the meeting was quorate for part of the meeting. This has previously been escalated as a risk to the remit of the group. To be highlighted again. The main items of business were as follows.

3. Service Priorities

Community East: The Lead Manager Operational Improvement for East presented a typical day for the service and highlighted key issues including:

• Continued use of paper records adds journeys to base to update records and access test results.

• Treatment of homeless patients and complex cases requires effective connections between services.

• Informatics support has resulted in a helpful data sharing agreement for the daily feed of patient data in the Chester area.

• The IV Team in East can capture information on PAS but lack modern technology. A project with nursing homes has shown improved links with a GP practice increases confidence in staff and benefits patients.

• It was noted that a touch screen laptop and VPN token trial for nurses and managers in Central area had concluded that whilst there was benefit to the team leaders there was little benefit for the nurses in the absence of a specific mobile app. It was recognised that the delayed Welsh Clinical Community Information System (WCCIS) was the key application to provide mobile technology benefits for community teams and that the delay in the project was leading to significant opportunity costs and delaying service modernisation.

It was noted that telehealth or Technology Enhanced Care (TEC) had not been mentioned as a priority for the area – this is consistent with other areas across BCU. There appears to be a disconnect between the Informatics assumption that TEC is a major transformational component of care closer to home and the Area’s priorities. It was agreed that this disconnect needs to be addressed via the IMTP process and that the Executive Director for Primary Care should be invited to meet with the Informatics Senior Management to review demand for BCU wide technology.

4. Risk items

The Blood Sciences Service Manager outlined the risk of supporting the now-obsolete pathology system known as Telepath, which is being maintained due to the continued delay in the delivery of the blood transfusion functionality in the national Laboratory Information Management System (LIMS). A hardware failure would mean that local informatics could not recover the software and hardware. The risks are that:

• Ageing software and hardware are increasingly difficult to support and data recovery would be challenging, leading to potential loss of data and a GDPR breach.

• Go live date for the new system continues to be delayed.

• Any ‘new’ hardware and software support is very expensive. For example, each site could cost in the region of £100k - £200k based on the latest commercial quotations.

A decision is required on whether to invest in the stabilisation of the system or wait until the new implementation. Confidence in the delivery of the new system remains low based on the track record. The service manager provided assurance for the laboratory and transfusion continuity and continued patient safety in the absence of the system. The plan for retrieval of backed-up data or a major incident would be to send samples to Central to test, with the resultant risk of increased time for processing. It was recommended that:

a) The risk be escalated to a Tier 1 risk on the Corporate Register. Escalation would be via the Executive Management Group and the Blood Science Service Manager to alert to the potential impact on service due to numerous delays with roll out by the LIMS project.

b) The issue would be brought to the attention of the Information Governance and Informatics Committee (IGIC) for review.

5. Terms of reference:


The group’s terms of reference had been agreed and were to be submitted to EMG. The group’s Chair report would also be submitted to the new IGIC.

Sub-Group Chair’s report from User Group: Terms of Reference had been agreed and reports will be provided to future DTG meetings. The last meeting focused on planning; one issue of significance was raised regarding the attribution of a shared risk regarding IP Telephony, which resulted in resources being redistributed and slippage being reported on what is now a six-year project.

6. Strategy and Planning

Data Strategy (Business Intelligence (BI)) update: The Head of Information provided an update on the BI strategy and presented slides demonstrating the BI tool and the significant potential benefits of the system, which is based on the Microsoft platform known as Power BI. 74 data sets have been rigorously tested and approved and the first few sets will become live over the coming months. The aim is to be able to distribute real-time data to any device. The main challenge remains the need to improve data quality and ownership, and the real-time updating of operational systems.

Digital Dictation & Speech Recognition: The Chief Clinical Information Officer advised that a case was being presented to Welsh Government’s Invest 2 Save fund panel. A supplier pre-procurement event had been arranged, a procurement framework in England having been identified.

Technology Enabled Care: A business case has been drafted and is to be shared with the planning and transformation teams for a strategic view.

7. Business Case Review

The National Patient Flow case was circulated to service areas for comment. The case is transformational and includes Health Board costs for a national system.

9.1 IG18/10 Update on the national response to WAO informatics report

1 IGI18.10a Response to AGW Informatics report coversheet.docx


Information Governance and Informatics Committee 13.11.18

To improve health and provide excellent care

Report Title: Response to the Auditor General for Wales’ report on Informatics systems in NHS Wales

Report Author: Mr Andrew Doughton, Performance Audit Lead, Wales Audit Office

Responsible Director: Mr David Thomas

Public or In Committee: Public

Purpose of Report: At the meeting of the Finance and Performance Committee 26 July 2018, Wales Audit Office received a request to provide an update on the national response to the Auditor General for Wales’ report on informatics systems in NHS Wales. Given the Health Board has since formed the Information Governance and Informatics Committee, we have prepared this paper for the attention of this committee. The purpose of this paper is to provide the committee with an update on the process being adopted at a national level. We have not sought to provide assurance on the findings from the work of the Public Accounts Committee, Welsh Government or other stakeholders during the inquiry process.

Approval / Scrutiny Route Prior to Presentation: Not applicable

Governance issues / risks:

The Auditor General for Wales’ report identifies a number of risk and issue areas including:

• a need to strengthen informatics leadership across NHS Wales, and a significant need to strengthen governance arrangements for NWIS;

• many national systems are significantly delayed which causes widespread frustration; and

• a need to better track, record and monitor national systems because currently it is unclear whether they are delivering the intended benefit.

Financial Implications: Not applicable

Recommendation: The Information Governance and Informatics Committee should discuss and note for information.

Health Board’s Well-being Objectives (indicate how this paper proposes alignment with the Health Board’s Well Being objectives. Tick all that apply and expand within main report)

1. To improve physical, emotional and mental health and well-being for all
2. To target our resources to those with the greatest needs and reduce inequalities
3. To support children to have the best start in life
4. To work in partnership to support people – individuals, families, carers, communities - to achieve their own well-being
5. To improve the safety and quality of all services
6. To respect people and their dignity
7. To listen to people and learn from their experiences

√ WFGA Sustainable Development Principle (Indicate how the paper/proposal has embedded and prioritised the sustainable development principle in its development. Describe how within the main body of the report or if not indicate the reasons for this.)

1. Balancing short term need with long term planning for the future
2. Working together with other partners to deliver objectives
3. Involving those with an interest and seeking their views
4. Putting resources into preventing problems occurring or getting worse
5. Considering impact on all well-being goals together and on other bodies

Special Measures Improvement Framework Theme/Expectation addressed by this paper: Not applicable

Equality Impact Assessment: Not applicable

Disclosure:

Betsi Cadwaladr University Health Board is the operational name of Betsi Cadwaladr University Local Health Board

Board/Committee Coversheet v10.0

1 IGI18.10b Response to AGW Informatics report 876A2018-19.pdf

Page 1 of 5 - Response to the Auditor General for Wales’ report on Informatics systems in NHS Wales

Reference: 876A2018-19

Date issued: 1 November 2018

Response to the Auditor General for Wales’ report on Informatics systems in NHS Wales

At the meeting of the Finance and Performance Committee on 26 July 2018, we received a request to provide an update on the national response to the Auditor General for Wales’ report on informatics systems in NHS Wales. Given the Health Board has since formed the Information Governance and Informatics Committee, we have prepared this paper for the attention of this committee.

The purpose of this paper is to provide the committee with an update on the process being adopted at a national level. We have not sought to provide assurance on the findings from the work of the Public Accounts Committee, Welsh Government or other stakeholders during the inquiry process.

Background

In January 2018, the Auditor General for Wales published his report on informatics systems in NHS Wales [1]. While this report relates to informatics across all of NHS Wales, it clearly considers the national arrangements, and in doing so raises issues relating to the national hosted organisation NHS Wales Informatics Service (NWIS). We did not, however, include within the scope the following areas:

• patient safety issues relating to information systems or informatics services;

• the appropriateness of NHS Wales’ chosen systems, in comparison to options adopted in other countries; or

• information governance and cybersecurity issues.

Since issuing his report, we also became aware of emerging concerns about national level IT incidents and drew these issues to the attention of the Public Accounts Committee. The Committee decided to expand the scope of its inquiry and take additional oral and written evidence on infrastructure and resilience. We have included system incident details in Appendix 2.

[1] Auditor General for Wales’ report on Informatics Services 2018


High level report findings

The Auditor General for Wales’ report has highlighted:

• a clear high-level vision for NHS informatics, but a need for a clearer understanding of priorities and approach for prioritising the programme, determining what ‘once for Wales’ means and addressing barriers to change, as well as a need for a clear funding approach to deliver the vision;

• a need to strengthen informatics leadership across NHS Wales, and a significant need to strengthen governance arrangements for NWIS;

• many national systems are significantly delayed which causes widespread frustration; and

• there is a need to better track, record and monitor national systems because currently it is unclear whether they are delivering the intended benefit.

Report recommendations

We made 13 recommendations to NHS Wales, of which nine relate to improvements needed across Wales and therefore require a response from health boards. Recommendations were made in the following areas:

• informatics strategy

• leadership

• governance arrangements

• finances

• project management

• benefits management

Scrutiny and oversight in response to the Auditor General for Wales’ report

The Welsh Government issued its formal response to the report on 6 March 2018 (Appendix 1). The Wales Audit Office has not undertaken any additional work since the Welsh Government presented its response, nor considered any early progress made in response to recommendations.

The Auditor General for Wales’ report was also presented to the Health Board’s audit committee on 31 May 2018. The committee received the full report, the Welsh Government response issued on 6 March, and the Health Board’s own response to the report. The Health Board’s own response welcomed the report and supported the recommendations. The Health Board’s response identified:

• a need for a better understanding of what ‘once for Wales’ means, suggesting a possible pause on national developments until there is greater clarity on design principles and standards;

• that failure to introduce change will maintain the current slow pace of delivery and will not help health boards achieve good financial, operational and clinical outcomes;

• the national informatics governance arrangements need to be addressed quickly; and

• there needs to be greater recognition of the quantum of locally managed and hosted systems which are not under the auspices of NWIS.

In Appendix 1, we have set out the key milestones for Public Accounts Committee receipt of the Auditor General for Wales’ report and their consequent hearing on informatics systems in NHS Wales. The Public Accounts Committee will report on its inquiry in autumn 2018 and is currently drafting its report.

Going forward – a local perspective

We understand that the Health Board continues to implement recommendations, and this includes:

• strengthening informatics leadership arrangements and clinical leadership through clinical informatics associate director positions;

• strengthening Health Board governance arrangements by setting up an information governance and informatics committee; and

• redrafting and reprioritising the five-year informatics strategic outline programme.

These local arrangements will need to evolve to ensure that:

• there are stronger governance links between the Health Board and national arrangements;

• risks associated with existing national managed systems, as well as new national system procurement and development, are monitored and where possible mitigated;

• sufficient informatics funding is available to enable Health Board clinical services to become more financially efficient, for example building upon pilot projects to improve patient flow, tele-health and digital dictation; and

• there are improved arrangements to determine business benefits and efficiencies from those investments.

Appendix 1

Timeline for Public Accounts Committee hearing on informatics systems in NHS Wales

Date: Reporting and evidence hearing stages

10 January 2018: The Auditor General for Wales published his report on informatics systems in NHS Wales. Link to report

22 January 2018: Initial response from the Director General Health and Social Services and NHS Chief Executive. Link to letter

6 March 2018: Full response to the report from the Director General Health and Social Services and NHS Chief Executive. Link to full response to recommendations

12 March 2018: The Auditor General for Wales’ report was received at the private meeting of the Public Accounts Committee. Committee members noted that they had previously agreed to undertake an inquiry and to hold evidence sessions over the summer term.

16 April 2018: Public Accounts Committee commences inquiry evidence session 1 from NWIS and Velindre NHS Trust (Note: Velindre NHS Trust is the hosting body for NWIS). Link to NWIS and Velindre paper

23 April 2018: Public Accounts Committee evidence session 2 from Aneurin Bevan UHB and Hywel Dda UHB. Link to Aneurin Bevan paper; Link to Hywel Dda paper

14 May 2018: Public Accounts Committee evidence session 3. This was led by Andrew Goodall, and included additional information from the Royal Pharmaceutical Society, Community Pharmacy Wales, Royal College of Psychiatrists in Wales, British Medical Association Cymru, Royal College of Nursing Wales.

8 June 2018: The Auditor General for Wales issues a letter to the Chair of the Public Accounts Committee identifying resilience issues for major NHS IT systems in Wales. Link to letter

28 June 2018: Velindre NHS Trust issue a response relating to the Auditor General for Wales’ letter issued on 28 June to the Chair of the Public Accounts Committee. Link to letter

2 July 2018: Public Accounts Committee evidence session 4. This included a research briefing to the committee from the following Velindre NHS Trust representatives: Dr Jacinta Abraham – Medical Director, Mark Osland – Director of Finance and Informatics, and Stuart Morris – Associate Director of Informatics. The supporting documents are restricted.

16 July 2018: Public Accounts Committee evidence session 5. This was led by Andrew Goodall, and included a letter from Andrew to the Chair of the Public Accounts Committee. Additional information was sought from Velindre NHS Trust to determine the extent of assurances they receive on specific issues such as IT outages. Link to Andrew Goodall’s letter to Nick Ramsay; Link to additional information relating to NWIS incident reporting to Velindre NHS Trust (this directly relates to letters issued 8 and 28 June)

29 August 2018: Additional information has been provided to inform the inquiry by Andrew Griffiths and by Welsh Government.

Appendix 2


Log of system outages/incidents

10.1 IG18/11 Information Governance Group Chair assurance report incorporating Quarterly KPI and Compliance Report

1 IGI18.11 IGG Chair's Assurance Report Oct 2018-final.docx

Information Governance and Informatics Committee 13.11.18


Chair’s Report

Name of Group: Information Governance Group

Meeting date: 23rd October 2018

Name of Chair: Justine Parry, Assistant Director: Information Governance and Assurance (Vice Chair)

Responsible Director: Grace Lewis-Parry, Board Secretary

Summary of business discussed:

• The Group received the Quarter 2 Information Governance (IG) key performance indicator report which highlighted:

  • Continued improvement in responding to FOI requests from 81 to 82%;

  • Continued improvement in responding to non-clinical subject access requests from 60 to 88%;

  • 89% compliance with responding to Health Record requests. This has been impacted by the reduction in the time frame for responses as part of legislative changes from 40 to 28 days;

  • Continued reporting and follow up to ensure lessons are learnt from IG incidents, with 68 reported this quarter, of which 2 were assessed as requiring notification to the Information Commissioner’s Office and Welsh Government;

  • Continued improvement in compliance with mandatory information governance training, up to 81%;

  • 193 support calls received and dealt with within 2 working days;

  • Reduction in the reported notifications issued from the National Intelligent Integrated Auditing Solution (NIIAS) from August to September;

  • Continued approval of data processing and data protection impact assessments to ensure compliance with legislation.

• The Group received a report on the progress made against the internal work programme and the findings from the recent Information Commissioner’s data protection audit. The Group was presented with the latest tier 3 Information Governance Risk Register. Risks will be revised to take account of the effect of the national infected blood inquiry, the destruction of records and the Patient Record Transition Work Programme.

• The Group approved the Information Governance Annual Report subject to minor amendments for submission to the Information Governance and Informatics (IGI) Committee in November.

• The Group approved 4 national policies for submission to the IGI Committee for endorsement and implementation across the Health Board, noting that these will supersede current local policies. It was recognised that there may also be a need to develop supporting procedures locally.

• The Group received the Chair’s assurance report from the Patient Record Group which highlighted:

  • The standardisation of a clinical waiver process across all specialties relating to the access to health records process;

  • The standardisation of a process for clinicians to provide a copy of the patient outcome letter during appointments.

• The Group received a verbal update from the ICT Governance and Security Group which highlighted:

  • Progress against the Network Information Security Directive (NIS);

  • The work in progress to develop the principles and policy surrounding bringing your own device to work and the impact on the organisation.

• The Group received a verbal update on WCCIS and a pilot commencing with 4 district nursing sites in the West from February 2019. Previous IG concerns raised were in the process of being addressed nationally.

• The Group noted the implementation of a national working group tasked with the development of the Welsh IG Toolkit.

Key assurances provided at this meeting:

• Progress against performance indicators, internal and external Information Commissioners improvement plans.

• Communications provided widely across the Health Board to support learning lessons from reported incidents and audit findings.

Key risks including mitigating actions and milestones

• Compliance with legislation. This is being monitored via the work programmes and reported as part of the key performance indicator reports.

Special Measures Improvement Framework Theme/Expectation addressed

• N/A

Issues to be referred to another Committee

None

Matters requiring escalation to the committee

• Information governance annual report

• Approval of national Information Governance policies

Well-being of Future Generations Act Sustainable Development Principle

The work of the IG group will help to underpin the delivery of the sustainable development principles by:

• Supporting a productive and low carbon society through the development of systems and procedures to increase the responsible use of informatics;

• Working collaboratively across Wales to deliver solutions with partners to improve the planning and delivery of services.

Planned business for the next meeting:

Range of regular reports plus:

• Quarter 3 Key Performance Indicator compliance

• Quarter 3 Work programme

Date of next meeting:

15th January 2019

V1.0 Approved

10.2 IG18/12 Information Governance Policies

1 IGI18.12 All Wales IG polices-final coversheet.docx


Information Governance and Informatics Committee 13.11.18


Report Title: Adoption of All Wales Information Governance policies

Report Author: National Information Governance Management Advisory Group

Responsible Director: Mrs Grace Lewis-Parry, Board Secretary

Public or In Committee: Public

Purpose of Report: To inform members of the Committee of the revised information governance policy arrangements:

• Information Governance Policy – this is a new policy and would replace the Health Board’s IG06 Data Protection and Confidentiality Policy.

• Information Security Policy – this is a new policy and would replace the Health Board’s IG05 IM&T Security Policy.

• Email Use Policy – this is the 2nd version of this national policy. This will be supported by the Health Board’s internal IG08 Email Procedure.

• Internet Use Policy – this is the 2nd version of this national policy and will replace the Health Board’s current IG09 Internet Access Procedure. This will be supported by Health Board guidance to cover illegal, obscene, racist material, and a list of blocked / unblocked internet site categories.

BCUHB officials have been actively engaged in the development of all of these policies.

Approval / Scrutiny Route Prior to Presentation:

These policies have been developed via the National Information Governance Management and Advisory Group on behalf of the Wales Information Governance Board. The Welsh Partnership forum was also consulted as part of the development and the Wales Information Governance Board has approved the policies for national adoption during its meeting on the 26th June 2018. The Health Board’s internal Information Governance Group have also reviewed the policies and have recommended them for local adoption.

Governance issues / risks:

It is a statutory requirement to comply with Data Protection Legislation and these policies will assist the Health Board in meeting its legal obligations. They will also assist partnership working with other Health Boards and Trusts across Wales as we will be working to common standards.


Non-compliance with the legislation can lead to penalties imposed by the Information Commissioner and loss of confidence by the public in the Health Board’s ability to protect the privacy of their information.

Financial Implications: Non-compliance with the legislation can lead to significant fines imposed by the Information Commissioner’s Office.

Recommendation: The Committee is asked to endorse the All Wales Information Governance, Information Security, Email and Internet policies for use by the Health Board.

Health Board’s Well-being Objectives (indicate how this paper proposes alignment with the Health Board’s Well Being objectives. Tick all that apply and expand within main report)

1. To improve physical, emotional and mental health and well-being for all
2. To target our resources to those with the greatest needs and reduce inequalities
3. To support children to have the best start in life
4. To work in partnership to support people – individuals, families, carers, communities - to achieve their own well-being
X 5. To improve the safety and quality of all services
X 6. To respect people and their dignity
7. To listen to people and learn from their experiences

√ WFGA Sustainable Development Principle (Indicate how the paper/proposal has embedded and prioritised the sustainable development principle in its development. Describe how within the main body of the report or if not indicate the reasons for this.)

1. Balancing short term need with long term planning for the future
X 2. Working together with other partners to deliver objectives
3. Involving those with an interest and seeking their views
X 4. Putting resources into preventing problems occurring or getting worse
5. Considering impact on all well-being goals together and on other bodies

Special Measures Improvement Framework Theme/Expectation addressed by this paper: Not applicable

Equality Impact Assessment: These policies have been Equality Impact Assessed by the National Wales Informatics Service as a national body.

Disclosure:

Betsi Cadwaladr University Health Board is the operational name of Betsi Cadwaladr University Local Health Board

Board/Committee Coversheet v10.0

1 IGI18.12.1 All Wales Information Governance Policy v1.docx

Author: IGMAG Policy Sub Group    Page 1    Version: 1

NHS Wales Information Governance Policy

Author: Information Governance Management Advisory Group Policy Sub Group

Approved by: Information Governance Management Advisory Group

Approved by: Wales Information Governance Board

Version: 1 Date: 26/06/2018

Review date: 26/06/2018


Contents

1. Introduction ............................................................................................... 5

2. Purpose ..................................................................................................... 5

3. Scope ......................................................................................................... 5

4. Roles and responsibilities ....................................................................... 5

5. Policy ......................................................................................................... 6

5.1 Data Protection and Compliance ................................................................................. 6

5.1.1 Personal Data ............................................................................................................. 6

5.1.2 Special Categories of Personal Data ........................................................................ 6

5.1.3 Fair and Lawful Processing ....................................................................................... 6

5.1.4 Individual’s Rights ..................................................................................................... 7

5.1.5 Accuracy of Personal Data ........................................................................................ 7

5.1.6 Data Minimisation ...................................................................................................... 7

5.1.7 Data Protection Impact Assessment (DPIA)............................................................. 7

5.1.8 Incident Management and Breach Reporting........................................................... 7

5.1.9 Information Governance Compliance ....................................................................... 8

5.1.10 Information Asset Management ................................................................................ 8

5.1.11 Third Parties and Contractual Arrangements .......................................................... 8

5.2 Information Security ..................................................................................................... 8

5.2.1 Senior Information Risk Owner ................................................................................. 8

5.3 Records Management ................................................................................................... 8

5.4 Access to Information ................................................................................................... 8

5.5 Confidentiality ............................................................................................................... 9

5.5.1 Confidentiality: Code of Practice for Health and Social Care in Wales .................. 9

5.5.2 Caldicott ..................................................................................................................... 9

5.6 Sharing Personal Data .................................................................................................. 9

5.6.1 Wales Accord for the Sharing of Personal Information (WASPI) ............................ 9

5.6.2 One-off Disclosures of Personal Data .................................................................... 10

5.7 Welsh Control Standard for Electronic Health and Care Records .......................... 10

5.7.1 The Control Standard .............................................................................................. 10

5.7.2 The Register for Information Sharing Systems ..................................................... 10

5.8 Data Quality ................................................................................................................. 10

6. Training and Awareness ........................................................................ 10


7. Monitoring and compliance ................................................................... 11

8. Review ..................................................................................................... 11

9. Equality Impact Assessment ................................................................. 12

Annex: Policy Development - Version Control ................................................ 13

Annex 2: Equality Impact Assessment


1. Introduction

This document is issued under the All Wales Information Governance Policy Framework and maintained by the NHS Wales Informatics Service (NWIS) on behalf of all NHS Wales organisations.

2. Purpose

The aim of this Policy is to provide all NHS Wales employees with a framework to ensure all personal data is acquired, stored, processed, and transferred in accordance with the law and associated standards. These include Data Protection legislation, the common law duty of confidence, NHS standards such as the Caldicott Principles, and associated guidance issued by Welsh Government, Information Commissioner’s Office (ICO), Department of Health and other professional bodies.

The objectives of the Policy are to:

• Set out the legal, regulatory and professional requirements;

• Provide staff with the guidance to understand their responsibilities for ensuring the confidentiality and security of personal data.

3. Scope

This policy applies to the workforce of all NHS Wales organisations including staff, students, trainees, secondees, volunteers, contracted third parties and any other persons undertaking duties on behalf of NHS Wales. For the purpose of this policy ‘NHS Wales Organisations’ include all Health Boards and NHS Trusts.

It applies to all forms of information processed by NHS Wales organisations; and covers all business functions and the information, information systems, networks, physical environment and relevant people who support those business functions.

4. Roles and responsibilities

The Chief Executive is responsible for ensuring the highest level of organisational commitment to the policy and the availability of resources to support its implementation and any associated legal requirements. Specific responsibilities will be delegated to the Data Protection Officer, Senior Information Risk Officer and the Caldicott Guardian or an Executive Director as appropriate.

Managers are responsible for the implementation of this policy within their department/directorate. In addition, they must ensure that their staff are aware of this policy, understand their responsibilities in complying with the policy requirements and are up to date with mandatory information governance training.

The workforce must familiarise themselves with the policy content and ensure the policy requirements are implemented and followed within their own work area. Mandatory information governance training must be undertaken at least every two years. Breaches of the policy must be reported via local incident reporting processes and dealt with in line with the All Wales Disciplinary Policy where appropriate.

5. Policy

5.1 Data Protection and Compliance

Data protection legislation is about the rights and freedoms of living individuals and in particular their right to privacy in respect of their personal data. It stipulates that those who record and use any personal data must be open, clear and transparent about why personal data is being collected, and how the data is going to be used, stored and shared.

While the emphasis of this policy is on the protection of personal data, organisations will also own business sensitive data, and provision for the security of that data will also be governed by this policy as appropriate.

5.1.1 Personal Data

For the purpose of this policy, the use of the term “personal data” relates to information relating to both living and deceased identifiable persons.

Examples of key identifiable personal data include (but are not limited to) name, address, full postcode, date of birth, NHS number, National Insurance number, images, recordings, IP addresses, email addresses etc.

5.1.2 Special Categories of Personal Data

Special categories of personal data are defined by data protection legislation as including any data concerning an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, sexual orientation, and genetic and biometric data where processed to uniquely identify an individual.

5.1.3 Fair and Lawful Processing

Under data protection legislation, personal data, including special category data, must be processed fairly and lawfully. Processing broadly means collecting, using, disclosing, sharing, retaining or disposing of personal data or information.

In order for the processing to be fair, NHS Wales organisations will be open and transparent about the way they process personal data by informing individuals using a variety of methods. The most common way to provide this information is in a privacy notice.

In order to provide assurance, NHS Wales organisations will identify and record the lawful basis for the information they process in all privacy notices and in an information asset register.

Privacy notices must be clear, straightforward and appropriate to the level of understanding of the intended audience, and produced in line with ICO guidance.

5.1.4 Individual’s Rights

Individuals have certain rights with regard to the processing of their personal data. NHS Wales organisations must ensure that appropriate arrangements are in place to manage these rights.

5.1.5 Accuracy of Personal Data

Arrangements must be in place to ensure that any personal data held by NHS Wales organisations is accurate and up to date.

5.1.6 Data Minimisation

NHS Wales organisations will use the minimum amount of identifiable information required when processing personal data. Where appropriate, personal data must be anonymised or pseudonymised. Local arrangements must be followed.

5.1.7 Data Protection Impact Assessment (DPIA)

All new projects or major new flows of information must consider information governance practices from the outset to ensure that personal data is protected at all times. This also provides assurance that NHS Wales organisations are working to the necessary standards and are complying with data protection legislation. In order to identify information risks a DPIA must be completed. Your information governance department will provide the required guidance and template.

5.1.8 Incident Management and Breach Reporting

NHS Wales organisations must have arrangements in place to identify, report, manage and resolve any data breaches within specified legal timescales. Lessons learnt will be shared to continually improve procedures and services, and consideration given to updating risk registers accordingly. Incidents must be reported immediately following local reporting arrangements.

5.1.9 Information Governance Compliance

NHS Wales organisations must have arrangements in place to monitor information governance compliance. Any risks identified must be managed in line with local risk management arrangements.

5.1.10 Information Asset Management

Information assets will be catalogued and managed by NHS Wales organisations by using an Information Asset Register which must be regularly reviewed and kept up to date.

5.1.11 Third Parties and Contractual Arrangements

Where the organisation uses any third party who processes personal data on its behalf, any processing must be subject to a legally binding written contract which meets the requirements of data protection legislation. Where the third party is a supplier of services, appropriate and approved codes of conduct or certification schemes must be considered to help demonstrate that the organisation has chosen a suitable processor.

5.2 Information Security

NHS Wales organisations will maintain the appropriate confidentiality, integrity and availability of their information and information services, and manage the risks from internal and external threats. Please refer to the National Information Security Policy for further details.

5.2.1 Senior Information Risk Owner

Every NHS Wales organisation must have a designated Senior Information Risk Owner (SIRO). The SIRO provides an essential role in ensuring that information security and information governance risks are managed. All organisations must have arrangements in place to support staff to adequately manage risks in a robust manner.

5.3 Records Management

NHS Wales organisations must have a systematic and planned approach to the management of records in the organisation from their creation to their disposal. This will ensure that organisations can control the quality and quantity of the information they generate, can maintain that information in an effective manner, and can dispose of information efficiently when it is no longer required and outside the retention period.

5.4 Access to Information


NHS Wales organisations are in some circumstances required by law to disclose information. Examples include information requested under the Freedom of Information Act, the Environmental Information Regulations or requests for personal data. Processes must be in place for disclosure under these circumstances. Where required, advice should be sought from the organisation’s information governance department.

5.5 Confidentiality

5.5.1 Confidentiality: Code of Practice for Health and Social Care in Wales

NHS Wales has adopted the Confidentiality: Code of Practice for Health and Social Care in Wales. All staff have an obligation of confidentiality regardless of their role and are required to respect the personal data and privacy of others.

Staff must not access information about any individuals who they are not providing care, treatment or administration services to in a professional capacity. Rights to access information are provided for staff to undertake their professional role and are for work related purposes only. It is only acceptable for staff to access their own record where self-service access has been granted.

Appropriate information will be shared securely with other NHS and partner organisations in the interests of patient, donor care and service management. (See section 5.6 on Information Sharing for further details).

5.5.2 Caldicott

NHS Wales will uphold the following Caldicott Principles in relation to patient information.

Each organisation must appoint a Caldicott Guardian whose role is to safeguard the processing of patient information.

5.6 Sharing Personal Data

5.6.1 Wales Accord for the Sharing of Personal Information (WASPI)

The WASPI Framework provides good practice to assist organisations to share personal data effectively and lawfully. WASPI is utilised by organisations directly concerned with the health, education, safety, crime prevention and social wellbeing of people in Wales.

NHS Wales organisations will use the WASPI Framework for any situation that requires the regular sharing of information outside of NHS Wales wherever appropriate. Advice must be sought from the information governance department in such circumstances.

5.6.2 One-off Disclosures of Personal Data

Formal Information Sharing Protocols (ISPs) or other agreements must be used when sharing information between external organisations, partner organisations, and external providers. ISPs provide a framework for the secure and confidential obtaining, holding, recording, storing and sharing of information. Advice must be sought from the information governance department in such circumstances.

Personal data may need to be shared externally on a one-off basis, where an ISP or equivalent sharing document does not exist. It is important that this sharing follows all the principles of good information governance and that local arrangements are made and followed to ensure suitable processes are followed.

5.7 Welsh Control Standard for Electronic Health and Care Records

5.7.1 The Control Standard

The Wales Control Standard for Electronic Health and Care Records describes the principles and common standards that apply to shared electronic health and care records in Wales, and provides the mechanism through which organisations commit to them. NHS Wales organisations have committed to abide by the Control Standard. The Control Standard will be underpinned by local level policies and procedures to ensure electronic records are accessed and used appropriately.

5.7.2 The Register for Information Sharing Systems

A register of core national systems is maintained by the NHS Wales Informatics Service and sets out how shared electronic health and care records are held. NHS Wales organisations may include ‘local’ systems in the register. Cooperation must be maintained between organisations and the NHS Wales Informatics Service in order to ensure that the information is accurate and up to date.

5.8 Data Quality

NHS Wales organisations process large amounts of data and information as part of their everyday business. For data and information to be of value they must be of a suitable standard.

Poor quality data and information can undermine the organisation’s efforts to deliver its objectives and for this reason, the NHS in Wales is committed to ensuring that the data and information it holds and processes is of the highest quality reasonably practicable under the circumstances. All staff have a duty to ensure that any information or data that they create or process is accurate, up to date and fit for purpose. NHS Wales organisations will implement procedures where necessary to support staff in producing high quality data and information.

6. Training and Awareness


Information governance is everyone’s responsibility. Training is mandatory for NHS staff and must be completed at commencement of employment and at least every two years subsequently. Non NHS employees must have appropriate information governance training in line with the requirements of their role.

Staff who need support in understanding the legal, professional and ethical obligations that apply to them should contact their local information governance department.

7. Monitoring and compliance

NHS Wales trusts its workforce; however, it reserves the right to monitor work processes to ensure the effectiveness of the service. This will mean that any personal activities that the employee undertakes in work may come under scrutiny. NHS Wales organisations respect the privacy of their employees and do not want to interfere in their personal lives, but monitoring of work processes is a legitimate business interest.

Staff should be reassured that NHS Wales organisations take a considered approach to monitoring; however, they reserve the right to adopt different monitoring patterns as required. Monitoring is normally conducted where a breach of either policy or legislation is suspected. Furthermore, when deciding whether such analysis is appropriate in any given circumstances, full consideration is given to the rights of the employee.

Managers are expected to speak to staff about their concerns should any minor issues arise. If breaches are detected an investigation may take place. Where this or another policy is found to have been breached, disciplinary procedures will be followed. Concerns about possible fraud and/or corruption should be reported to the counter fraud department.

In order for the NHS Wales organisations to achieve good information governance practice staff must be encouraged to recognise the importance of good governance and report any breaches to enable lessons learned. They must be provided with the necessary tools, support, knowledge and training to help them deliver their services in compliance with legislation. Ultimately a skilled workforce will have the confidence to challenge bad information governance practice, and understand how to use information legally in the right place and at the right time. This should minimise the risk of incidents occurring or recurring.

8. Review

This policy will be reviewed every two years or more frequently where the contents are affected by major internal or external changes such as:

• Changes in legislation;

• Practice change or change in system/technology; or

• Changing methodology.


9. Equality Impact Assessment

This policy has been subject to an equality assessment. Following assessment, this policy was not felt to be discriminatory or detrimental in any way with regard to the protected characteristics, the Welsh Language or carers.


Annex: Policy Development - Version Control

Revision History

Date | Version | Author | Revision Summary

05/10/2017 | V0.1 | Andrew Fletcher (on behalf of the IGMAG policy sub group) | IG Leads in sub group first draft.

08/12/2017 | V0.2 | Andrew Fletcher (on behalf of the IGMAG policy sub group) | Comments from IG Leads in sub group applied to policy.

07/02/2018 | V0.3 | Andrew Fletcher (on behalf of the IGMAG policy sub group) | Comments from all IG Leads in IGMAG applied.

08/03/2018 | V0.4 | Andrew Fletcher (on behalf of IGMAG) | Version control information updated.

08/05/2018 | V0.5 | Andrew Fletcher (on behalf of IGMAG) | Changes following Equality Impact Assessment.

Reviewers

This document requires the following reviews:

Date | Version | Name | Position

07/02/2018 | V0.3 | Internet and Email policy sub group | Sub group of the Information Governance Management and Advisory Group

08/03/2018 | V0.4 | Information Governance Management Advisory Group | All Wales Information Governance Leads

30/04/2018 | V0.4 | Welsh Partnership Forum | All Wales workforce leads and trade unions

08/05/2018 | V0.4 | Equality Impact Assessment |

26/06/2018 | V0.5 | Wales Information Governance Board (For Approval) | Advisory Board to the Minister for Health and Social Care (Welsh Government)

Approvers

This document requires the following approvals:

Date | Version | Name | Position

07/06/2018 | V0.5 | Information Governance Management and Advisory Group | All Wales Information Governance Leads

26/06/2018 | V2 | Wales Information Governance Board | Advisory Board to the Minister for Health and Social Care (Welsh Government)


Annex 2: Equality Impact Assessment

Equality Impact Assessment (EQIA) Form

Ref no: POL/IGMAG/IG/v1

Name of the policy, service, scheme or project: NHS Wales Information Governance Policy

Service Area: Information Governance

Preparation

Aims and Brief Description

The policy is a new All Wales Information Governance Policy. The policy will replace all local policies in this area.

Which Director is responsible for this policy/service/scheme etc

All Wales policy developed in conjunction with Health Boards/Trusts

Who is involved in undertaking the EQIA

Andrew Fletcher and EQIA group

Have you consulted with stakeholders in the development of this policy?

Yes. A sub group has developed this policy with a membership consisting of information governance leads and an OSSMB representative. IM&T leads and the Wales Partnership Forum have been consulted. The NHS Wales Information Governance Management and Advisory Group have approved the text of this Policy. The policy will be approved by the Wales Information Governance Board.

Does the policy assist services or staff in meeting their most basic needs such as; Improved Health, fair recruitment etc

Yes. The policy will provide consistency throughout NHS Wales in having a single policy. This will ensure that staff who work across boundaries have a consistent standard to work to, hence strengthening the governance framework. A key driver during the process was the need to recognise that organisations needed to trust their staff.

Who and how many (if known) may be affected by the policy?

All NHS Wales staff within the Health Boards and NHS Trusts.

What guidance have you used in the development of this service, policy etc?

The policy is based on good practice and legal obligations as set out by the Information Commissioners Office and in the legislation. The policy has also been constructed from existing agreed principles and the corporate knowledge of its stakeholders.


Equality Duties

The Policy/service/project or scheme aims to meet the specific duties set out in equality legislation.

Protected Characteristics (one column per characteristic, in this order): Race | Sex/Gender | Disability | Sexual orientation | Religion and Belief | Age | Gender reassignment | Pregnancy and Maternity | Marriage & civil Partnerships | Welsh Language | Carers

To eliminate discrimination and harassment | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓

Promote equality of opportunity | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓

Promote good relations and positive attitudes | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓

Encourage participation in public life | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓

In relation to disability only, should the policy / service / project or scheme take account of difference, even if involves treating some individuals more favourably?

Human Rights Based Approach – Issues of Dignity & Respect

The Human Rights Act contains 15 rights, in respect of all of which NHS organisations have a duty. The 7 rights that are relevant to healthcare are listed below.

Consider: is the policy/service/project or scheme relevant to the following (Yes / No / N/A)?

Article 2: The right to life X

Article 3: The right not to be tortured or treated in an inhumane or degrading way X

Article 5: The right to liberty X

Article 6: The right to a fair trial X

Article 8: The right to respect for private and family life X

Article 9: Freedom of thought, conscience and religion X

Article 14: Prohibition of discrimination X

Key

✓ Yes

x No

- Neutral


Measuring the Impact

What operational impact does this policy, service, scheme or project have with regard to the Protected Characteristics? Please cross reference with equality duties.

Impact – operational & financial

Race This is an all Wales high level framework approach which aims to achieve the values under the policy, it is the protection of everybody’s information and gives clear guidelines. The policy details how the organization protects someone’s data and security without prohibiting access to services and providing adequate access to data to meet individual needs and the appropriate sharing of data.

Sex/gender

Disability

Sexual orientation

Religion belief and non belief

Age

Gender reassignment

Pregnancy and maternity

Marriage and civil partnership

Other areas

Welsh language

Carers

Outcome report

Equality Impact Assessment: Recommendations

Please list below any recommendations for action that you plan to take as a result of this impact assessment.

Recommendation | Action Required | Lead Officer | Time-scale | Resource implications | Comments

1 Communication of the changes | Make sure staff aware of the changes | AF | ASAP | Time |

2 Updated EQIA statement | Inclusion of reference to protected characteristics | AF | ASAP | Time |

Recommendation Likelihood Impact Risk Grading

1 2 2 4

2 2 2 4

Risk Assessment based on above recommendations | Outcome

Reputation and compromise position: It is providing security and reassurance to stakeholders that the information we hold is used appropriately and any breach may lead to fines and reputational damage. | To ensure that information is used and protected appropriately and a framework in place to ensure that happens.

Training and dissemination of policy | More training and dissemination in Health Boards on this policy.

Is the policy etc lawful? Yes / No

Does the EQIA group support the policy being adopted? Yes / No

Review date: 3 years


Signed on behalf of NWIS Equal Impact Assessment Group

S Brooks Lead Officer

Date: 8 May 2018 Date: 8 May 2018

Impact descriptors (Statutory duty)

1 Negligible: No or minimal impact or breach of guidance / statutory duty; potential for public concern; informal complaint; risk of claim remote.

2 Minor: Breach of statutory legislation; formal complaint; local media coverage – short term reduction in public confidence; failure to meet internal standards; claims less than £10,000; elements of public expectations not being met.

3 Moderate: Single breach in statutory duty; challenging external recommendations; local media interest; claims between £10,000 and £100,000; formal complaint expected; impacts on small number of the population.

4 Major: Multiple breaches in statutory duty; legal action certain between £100,000 and £1million; multiple complaints expected; national media interest.

5 Catastrophic: Multiple breaches in statutory duty; legal action certain amounting to over £1million; national media interest; zero compliance with legislation; impacts on large percentage of the population; gross failure to meet national standards.

Risk Grading Descriptors

LIKELIHOOD | DESCRIPTION

5 Almost Certain | Likely to occur, on many occasions

4 Likely | Will probably occur, but is not a persistent issue

3 Possible | May occur occasionally

2 Unlikely | Not expected it to happen, but may do

1 Rare | Can’t believe that this will ever happen

1 IGI18.12.2 All Wales Information Security Policy v1.docx

Author: IGMAG Policy Sub Group P a g e | 1 Version: 1

NHS Wales Information Security Policy

Author: Information Governance Management Advisory Group Policy Sub Group

Approved by: Information Governance Management Advisory Group Approved by: Wales Information Governance Board

Version: 1 Date: 26/06/2018

Review date: 26/06/2018


Contents

1. Introduction ..................................................................................................... 4

2. Purpose ............................................................................................................ 4

3. Scope ............................................................................................................... 4

4. Roles and responsibilities .............................................................................. 4

5. Policy ............................................................................................................... 5

5.1 User Access Controls ........................................................................................................... 5

5.1.1 Physical Access Controls .................................................................................................. 5

5.1.2 Passwords .......................................................................................................................... 5

5.1.3 Remote Working ................................................................................................................. 6

5.1.4 Staff Leavers and Movers .................................................................................................. 6

5.1.5 Third Party Access to Systems ......................................................................................... 6

5.2 Storage of Information .......................................................................................................... 6

5.3 Portable Devices and Removable Media ............................................................................. 7

5.4 Secure Disposal..................................................................................................................... 7

5.4.1 Paper ................................................................................................................................... 7

5.4.2 Electronic ............................................................................................................................ 7

5.4.3 Other Items ......................................................................................................................... 7

5.5 Transporting and relocation of information ........................................................................ 8

5.5.1 Transporting Information ................................................................................................... 8

5.5.2 Relocating information ....................................................................................................... 8

6. Training and Awareness ................................................................................. 8

7. Monitoring and compliance ............................................................................ 8

8. Review .............................................................................................................. 9

9. Equality Impact Assessment .......................................................................... 9

Annex: Policy Development - Version Control ...................................................... 10

Annex 2: Equality Impact Assessment ................................................................... 11


1. Introduction

This document is issued under the All Wales Information Governance Policy Framework and maintained by the NHS Wales Informatics Service (NWIS) on behalf of all NHS Wales organisations.

2. Purpose

The purpose of the Policy is to set out the responsibilities of NHS Wales organisations in relation to the security of the information they process. Processing broadly means collecting, using, disclosing, sharing, retaining or disposing of personal data or information. These responsibilities include, but are not restricted to, ensuring that:

• All systems are properly assessed for security;

• The confidentiality, integrity, availability and suitability of information is maintained;

• All individuals as referenced within the scope of this policy are aware of their obligations.

This policy must be read in conjunction with relevant organisational procedures. Information must only be shared where there is a defined purpose to do so. Nothing in this policy will restrict any organisation from sharing or disclosing any information provided they have an appropriate legal basis for doing so. Any information sharing which involves Personal Data or business sensitive information must be transferred securely.

3. Scope

This policy applies to the workforce of all NHS Wales organisations including staff, students, trainees, secondees, volunteers, contracted third parties and any persons undertaking duties on behalf of NHS Wales. For the purpose of this policy ‘NHS Wales Organisations’ includes all Health Boards and NHS Trusts.

It applies to all forms of information processed by NHS Wales organisations; and covers all business functions and the information, information systems, networks, physical environment and relevant people who support those business functions.

4. Roles and responsibilities

The Chief Executive is responsible for ensuring the highest level of organisational commitment to the policy and the availability of resources to support its implementation and any associated legal requirements. Specific responsibilities will be delegated to the Data Protection Officer, Senior Information Risk Owner and the Caldicott Guardian or an Executive Director as appropriate.

Managers are responsible for the implementation of this policy within their department/directorate. In addition, they must ensure that their staff are aware of this policy, understand their responsibilities in complying with the policy requirements and are up to date with mandatory information governance training. Breaches of the policy must be reported via local incident reporting processes and dealt with in line with the All Wales Disciplinary Policy where appropriate.

The workforce must familiarise themselves with the policy content and ensure the policy requirements are implemented and followed within their own work area. Mandatory information governance training must be undertaken at least every two years. Breaches of this policy must be reported via local incident reporting processes.

5. Policy

5.1 User Access Controls

Access to information will be controlled on the basis of business requirements. System Managers will ensure that appropriate security controls and data validation processes, including audit trails, will be designed into application systems that store any information, especially personal data. The workforce has a responsibility to access only the information which they need to know in order to carry out their duties. Examples of inappropriate access include but are not restricted to:

• Accessing your own health record;

• Accessing any record of colleagues, family, friends, neighbours etc., even if you have their consent, except where this forms part of your legitimate duties;

• Accessing the record of any individual without a legitimate business requirement.

5.1.1 Physical Access Controls

All organisations are responsible for determining the security measures required based on local risk assessment. Maintaining confidentiality in clinical areas can be challenging and the need to preserve confidentiality must be carefully balanced with the appropriate care, treatment and safety of the patient. Where physical security measures exist it must be ensured that they are employed at all times (e.g. filing cabinets must be locked, security doors and windows must be closed securely, blinds to secure areas closed). Access cards, PIN codes, keycodes, etc. must be kept secure and regularly changed as required. The workforce must ensure a clear desk and clear screen when away from their work area, ensuring that confidential information, in any format, is secure and not visible to anyone who is not authorised to access it. All central file servers and central network equipment will be located in secure areas with access restricted to designated staff as required by their job function.

5.1.2 Passwords

The workforce are responsible for the security of their own passwords, which must be developed in line with NHS guidance ensuring they are regularly changed. Passwords must not be disclosed to anyone, and users must not allow anyone to access any work using their log-in details. In the absence of evidence to the contrary, any inappropriate access to a system will be deemed as the action of the user. If a user believes that any of their passwords have been compromised they must change them immediately.

5.1.3 Remote Working

NHS Wales recognises that there is a need for a flexible approach to where, when and how our workforce undertake their duties or roles. Handling confidential information outside of your normal working environment brings risks that must be managed. Examples of remote working include, but are not restricted to:

• Working from home

• Working whilst travelling on public/shared transport

• Working from public venues (e.g. coffee shops, hotels etc.)

• Working at other organisations (e.g. NHS, local authority or academic establishments etc.)

• Working abroad

As a control measure to mitigate risks involved in remote working, no member of the workforce will work remotely unless they have been authorised to do so. Remote working must not be authorised for anyone who is not up to date with mandatory training in information governance.

5.1.4 Staff Leavers and Movers

Managers will be responsible for ensuring that local leaving procedures are followed when any member of the workforce leaves or changes roles, to ensure that user accounts are revoked / amended as required and any equipment and/or files are returned. Confidential, patient or staff information must not be transferred to a new role unless authorised by the relevant heads of service. A leaver’s checklist should be completed in all cases.

5.1.5 Third Party Access to Systems

Any third party access to systems must have prior authorisation from the IT Department, and where personal data is involved, authorisation must also be sought from the Information Governance Department.

5.2 Storage of Information

All information stored on or within NHS Wales organisations is the property of that organisation. All software, information and programmes developed for NHS Wales organisations by the workforce during the course of their employment will remain the property of the organisation. Information in an electronic format should be stored on a dedicated network drive or be securely protected by encryption. Copying or storing of anything that is not work related onto organisational devices is a breach of this policy. Users are not permitted to use their personal devices for the purposes of NHS Wales business unless they have been explicitly authorised to do so.

All systems supported by NHS Wales organisations will be backed up as part of their backup regime. Unless specifically told otherwise this will not include information held on local hard drives, portable devices or removable media. Users must not store information on local drives (usually referred to as the C Drive). Exceptions to this may be for legitimate work purposes to a device that is encrypted.

5.3 Portable Devices and Removable Media

Whilst it is recognised that both portable devices and removable media are widely used throughout NHS Wales, unless they are used appropriately they pose a security risk to the organisation. Portable devices include, but are not limited to, laptops, tablets, Dictaphones®, mobile phones and cameras. All portable devices must either be encrypted, or access the network via NHS Wales approved applications (e.g. Mobile Device Management Software). Users must not attach any personal (i.e. privately owned) portable devices to any NHS organisational network without prior authorisation. Removable media includes, but is not limited to, USB ‘sticks’ (memory sticks), memory cards, external hard drives, CDs / DVDs and tapes. Appropriate controls must be in place to ensure any information copied to removable media is encrypted. All removable media such as CDs must be encrypted if used to transport confidential information and should only be used if no other secure method of transfer is available. Users must not send details of how to decrypt the information together with the removable media.

5.4 Secure Disposal

For the purposes of this policy, confidential waste is any paper, electronic or other waste of any other format which contains personal data or business sensitive information.

5.4.1 Paper

All confidential paper waste must be stored securely and disposed of in a timely manner in the designated confidential waste bins or bags; or shredded on site as appropriate. This must be carried out in line with local retention and destruction arrangements.

5.4.2 Electronic

Any IT equipment or other electronic waste must be disposed of securely in accordance with local disposal arrangements. For further information, please contact your IT Department.

5.4.3 Other Items

Any other items containing confidential information which cannot be classed as paper or electronic records, e.g. film x-rays, orthodontic casts, carbon fax/printer rolls etc, must be destroyed under special conditions. For further information, please contact your information governance team.

5.5 Transporting and relocation of information

5.5.1 Transporting Information

When information is to be transported from one location to another location, local procedures must be formulated and followed to ensure the security of that information.

5.5.2 Relocating information

When information is to be relocated to another location, local procedures must be formulated and followed to ensure no information is left at the original location.

6. Training and Awareness

Information governance is everyone’s responsibility. Training is mandatory for NHS staff and must be completed at commencement of employment and at least every two years subsequently. Non NHS employees must have appropriate information governance training in line with the requirements of their role. Staff who need support in understanding the legal, professional and ethical obligations that apply to them should contact their local Information Governance Department.

7. Monitoring and compliance

NHS Wales trusts its workforce; however, it reserves the right to monitor work processes to ensure the effectiveness of the service. This will mean that any personal activities that the employee practices in work may come under scrutiny. NHS Wales organisations respect the privacy of their employees and do not want to interfere in their personal lives, but monitoring of work processes is a legitimate business interest. Staff should be reassured that NHS Wales organisations take a considered approach to monitoring; however, they reserve the right to adopt different monitoring patterns as required. Monitoring is normally conducted where it is suspected that there is a breach of either policy or legislation. Furthermore, on deciding whether such analysis is appropriate in any given circumstances, full consideration is given to the rights of the employee. Managers are expected to speak to staff about their concerns should any minor issues arise. If breaches are detected an investigation may take place. Where this or another policy is found to have been breached, disciplinary procedures will be followed. Concerns about possible fraud and/or corruption should be reported to the Counter Fraud team. In order for NHS organisations to achieve good information governance practice, staff must be encouraged to recognise the importance of good governance and report any breaches to enable lessons to be learned. They must be provided with the necessary tools, support, knowledge and training to help them deliver their services in compliance with legislation. Ultimately a skilled workforce will have the confidence to challenge bad information governance practices, and understand how to use information legally in the right place and at the right time. This should minimise the risk of incidents occurring or recurring.

8. Review

This policy will be reviewed every two years or more frequently where the contents are affected by major internal or external changes such as:

• Changes in legislation;

• Practice change or change in system/technology; or

• Changing methodology.

9. Equality Impact Assessment

This policy has been subject to an equality assessment. Following assessment, this policy was not felt to be discriminatory or detrimental in any way with regard to the protected characteristics, the Welsh Language or carers.


Annex: Policy Development - Version Control

Revision History

Date | Version | Author | Revision Summary

05/10/2017 | V0.1 | Andrew Fletcher (Chair of the IGMAG policy sub group) | IG Leads in sub group first draft.

08/12/2017 | V0.2 | Andrew Fletcher (Chair of the IGMAG policy sub group) | Comments from IG Leads in sub group applied to policy.

07/02/2018 | V0.3 | Andrew Fletcher (Chair of the IGMAG policy sub group) | Comments from all IG Leads in IGMAG applied.

08/03/2018 | V0.4 | Andrew Fletcher (Chair of the IGMAG policy sub group) | Version control information updated.

08/05/2018 | V0.5 | Andrew Fletcher (Chair of the IGMAG policy sub group) | Changes following Equality Impact Assessment.

26/06/2018 | V1 | Andrew Fletcher (Chair of the IGMAG policy sub group) | Minor amendment by Wales Information Governance Board incorporated.

Reviewers

This document requires the following reviews:

Date | Version | Name | Position

07/02/2018 | V0.3 | Internet and Email policy sub group | Sub group of the Information Governance Management and Advisory Group

08/03/2018 | V0.4 | Information Governance Management Advisory Group | All Wales Information Governance Leads

30/04/2018 | V0.4 | Welsh Partnership Forum | All Wales workforce leads and trade unions

08/05/2018 | V0.4 | Equality Impact Assessment | NWIS Equality Impact Assessment Group

26/06/2018 | V0.5 (For Approval) | Wales Information Governance Board | Advisory Board to the Minister for Health and Social Care (Welsh Government)

Approvers

This document requires the following approvals:

Date | Version | Name | Position

07/06/2018 | V0.5 | Information Governance Management and Advisory Group | All Wales Information Governance Leads

26/6/2018 | V1 | Wales Information Governance Board | Advisory Board to the Minister for Health and Social Care (Welsh Government)


Annex 2: Equality Impact Assessment

Equality Impact Assessment (EQIA) Form

Ref no: POL/IGMAG/IS/v1

Name of the policy, service, scheme or project: NHS Wales Information Security Policy

Service Area: Information Governance

Preparation

Aims and Brief Description

The policy is a new All Wales Information Security Policy. The policy will replace all local policies in this area.

Which Director is responsible for this policy/service/scheme etc

All Wales policy developed in conjunction with Health Boards/Trusts

Who is involved in undertaking the EQIA

Andrew Fletcher and EQIA group

Have you consulted with stakeholders in the development of this policy?

Yes. A sub group has developed this policy with a membership consisting of information governance leads and an OSSMB representative. IM&T leads and the Wales Partnership Forum have been consulted. The NHS Wales Information Governance Management and Advisory Group have approved the text of this Policy. The policy will be approved by the Wales Information Governance Board.

Does the policy assist services or staff in meeting their most basic needs such as; Improved Health, fair recruitment etc

Yes. The policy will provide consistency throughout NHS Wales in having a single policy. This will ensure that staff who work across boundaries have a consistent standard to work to, hence strengthening the governance framework. A key driver during the process was the need to recognise that organisations needed to trust their staff.

Who and how many (if known) may be affected by the policy?

All NHS Wales staff within the Health Boards and NHS Trusts.

What guidance have you used in the development of this service, policy etc?

The policy is based on good practice and legal obligations as set out by the Information Commissioners Office and in the legislation. The policy has also been constructed from existing agreed principles and the corporate knowledge of its stakeholders.


Equality Duties

The Policy/service/project or scheme aims to meet the specific duties set out in equality legislation.

Protected Characteristics: Race | Sex/Gender | Disability | Sexual orientation | Religion and Belief | Age | Gender reassignment | Pregnancy and Maternity | Marriage & civil Partnerships | Welsh Language | Carers

To eliminate discrimination and harassment: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Promote equality of opportunity: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Promote good relations and positive attitudes: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Encourage participation in public life: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

In relation to disability only, should the policy / service / project or scheme take account of difference, even if involves treating some individuals more favourably?

Human Rights Based Approach – Issues of Dignity & Respect

The Human Rights Act contains 15 rights, all of which NHS organisations have a duty to uphold. The 7 rights that are relevant to healthcare are listed below.

Consider: is the policy/service/project or scheme relevant to: Yes | No | N/A

Article 2: The Right to Life X

Article 3: the right not to be tortured or treated in an inhumane or degrading way X

Article 5: The right to liberty X

Article 6: the right to a fair trial X

Article 8: the right to respect for private and family life X

Article 9: Freedom of thought, conscience and religion X

Article 14: prohibition of discrimination X

Measuring the Impact

Key

✓ Yes

x No

- Neutral


What operational impact does this policy, service, scheme or project, have with regard to the Protected Characteristics. Please cross reference with equality duties

Impact – operational & financial

Race The revised policy is high level and focused on the security of information and the operational service management boards need to consider the detail around cyber security and procedures. It is about protecting information around the protected characteristics so it is used appropriately.

Sex/gender

Disability

Sexual orientation

Religion belief and non belief

Age

Gender reassignment

Pregnancy and maternity

Marriage and civil partnership

Other areas

Welsh language

Carers

Outcome report

Equality Impact Assessment: Recommendations

Please list below any recommendations for action that you plan to take as a result of this impact assessment.

Recommendation | Action Required | Lead Officer | Time-scale | Resource implications | Comments

1 Updated statement in policy | Inclusion of reference to protected characteristics rather than homophobic, bi-phobic, racist etc so inclusive of all in the statement | AF | ASAP | Time |

2 Communication of the changes | Make sure staff aware of the changes | AF | ASAP | Time |

3 Updated EQIA statement | Inclusion of reference to protected characteristics | AF | ASAP | Time |

Recommendation Likelihood Impact Risk Grading

1 2 2 4

2 2 2 4

3 2 2 4

Risk Assessment based on above recommendations

Reputation and compromise position | Outcome

It is providing security and reassurance to stakeholders that the information we hold is used appropriately and any breach may lead to fines and reputational damage. | To ensure that information is used and protected appropriately and a framework in place to ensure that happens.

Training and dissemination of policy | More training and dissemination in Health Boards on this policy.

Is the policy etc lawful? Yes / No

Does the EQIA group support the policy being adopted? Yes / No

Review date: 3 years

Signed on behalf of NWIS Equal Impact Assessment Group: S Brooks (Date: 8 May 2018) | Lead Officer (Date: 8 May 2018)

Impact (statutory duty):

1 Negligible: No or minimal impact or breach of guidance / statutory duty; potential for public concern; informal complaint; risk of claim remote.

2 Minor: Breach of statutory legislation; formal complaint; local media coverage, short term reduction in public confidence; failure to meet internal standards; claims less than £10,000; elements of public expectations not being met.

3 Moderate: Single breach in statutory duty; challenging external recommendations; local media interest; claims between £10,000 and £100,000; formal complaint expected; impacts on small number of the population.

4 Major: Multiple breaches in statutory duty; legal action certain between £100,000 and £1million; multiple complaints expected; national media interest.

5 Catastrophic: Multiple breaches in statutory duty; legal action certain amounting to over £1million; national media interest; zero compliance with legislation; impacts on large percentage of the population; gross failure to meet national standards.

Risk Grading Descriptors

LIKELIHOOD DESCRIPTION

5 Almost Certain: Likely to occur, on many occasions

4 Likely: Will probably occur, but is not a persistent issue

3 Possible: May occur occasionally

2 Unlikely: Not expected to happen, but may do

1 Rare: Can’t believe that this will ever happen

IGI18.12.3 All Wales Email Use Policy v2.docx

Author: IGMAG Policy Sub Group P a g e | 1 Version: 2

NHS Wales

Email Use Policy

Author: Information Governance Management Advisory Group Policy Sub Group

Approved by: Information Governance Management Advisory Group Approved by: Wales Information Governance Board

Version: 2 Date: 26/06/2018

Review date: 26/06/2018


NHS Wales All Wales Email Use Policy


Contents

1. Introduction 4

2. Purpose 4

3. Scope 4

4. Roles and responsibilities 4

5. Policy 5

5.1 Inappropriate emails 5

5.2 Personal Data and Business Sensitive Information: Filtering and Misdirection 5

5.3 Personal Use 5

5.4 Access to Information requests 6

6. Training and Awareness 6

7. Monitoring and compliance 6

8. Review 7

9. Equality Impact Assessment 7

Appendix A - Inappropriate use 8

Annex 1: Policy Development - Version Control 9

Annex 2: Equality Impact Assessment


1. Introduction

This document is issued under the All Wales Information Governance Policy Framework and maintained by the NHS Wales Informatics Service (NWIS) on behalf of all NHS Wales organisations.

2. Purpose

This policy provides assurance that the NHS Wales email facilities are being used appropriately to assist in delivering services. The policy also sets out the responsibilities of all users when using NHS Wales email services. These responsibilities include, but are not restricted to, ensuring that:

• The confidentiality, integrity, availability and suitability of information and NHS computer systems are maintained by ensuring use of email services is governed appropriately;

• All individuals as referenced within the scope of this policy are aware of their obligations. This policy must be read in conjunction with relevant organisational procedures.

3. Scope

This policy applies to the workforce of all NHS Wales organisations including staff, students, trainees, secondees, volunteers, contracted third parties and any persons undertaking duties on behalf of NHS Wales. For the purpose of this policy ‘NHS Wales Organisations’ will include all NHS Wales organisations including all Health Boards and NHS Trusts. This policy applies to all those making use of the NHS email services by any means regardless of the location from which accessed and the type of equipment used, for example corporate equipment, devices owned by a third party organisation or personal devices operated under a Bring Your Own Device Scheme.

4. Roles and responsibilities

The Chief Executive is responsible for ensuring the highest level of organisational commitment to the policy and the availability of resources to support its implementation and any associated legal requirements. Specific responsibilities will be delegated to the Data Protection Officer, Senior Information Risk Officer and the Caldicott Guardian or an Executive Director as appropriate. Managers are responsible for the implementation of this policy within their department/directorate. In addition, they must ensure that their staff are aware of this policy, understand their responsibilities in complying with the policy requirements and are up to date with mandatory information governance training. Breaches of the policy must be reported via local incident reporting processes and dealt with in line with the All Wales Disciplinary Policy where appropriate. The workforce must familiarise themselves with the policy content and ensure the policy requirements are implemented and followed within their own work area. Mandatory information governance training must be undertaken at least every two years. Breaches of this policy must be reported via local incident reporting processes.

5. Policy

5.1 Inappropriate emails

Inappropriate content and material must not be sent by email. Inappropriate content including prohibited language in emails may be blocked. Subject matter considered inappropriate is detailed in appendix A. Regardless of where accessed, users must not use the NHS Wales email system to participate in any activity, to create, transmit or store material that is likely to bring NHS Wales into disrepute or incur liability on the part of NHS Wales organisations. Some users may need to receive and send potentially offensive material as part of their role (for example, child protection). Arrangements must be authorised to facilitate this requirement.

5.2 Personal Data and Business Sensitive Information: Filtering and Misdirection

The NHS Wales network is considered to be secure for the transfer of any information including Personal Data and business sensitive information within NHS Wales. This includes all email addresses in the NHS email directory which include those email addresses that end in “wales.nhs.uk” which are hosted on the NHS Wales email service. However, to mitigate against the risk of misdirection users should consider the use of encryption or other security measures when transferring Personal Data or business sensitive information. Transfer of Personal Data or business sensitive information to any email address not ending in “wales.nhs.uk” is not currently considered secure. Where this type of information needs to be sent, appropriate security measures must be implemented, for example, the secure file sharing portal, secure mail systems or encryption. Users must be vigilant in ensuring that all emails are sent to the correct recipient and to use the NHS address book to check that the correct email address or addresses have been selected. Misdirected emails should be reported via local incident reporting processes.
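As an added illustration of the misdirection control described above (this is example code written for this page, not part of the policy and not NHS Wales or NWIS code), the following Python shows how a pre-send check could apply the rule: recipients whose address is not on the NHS Wales email service are treated as external, and a message carrying Personal Data or business sensitive information is held unless an additional security measure has been applied. The internal domain list, the `Message` fields and the sample addresses are assumptions; the policy names only the “wales.nhs.uk” suffix. The check deliberately tests for a domain-label boundary rather than a bare string suffix, so that a look-alike such as `evilwales.nhs.uk` is not mistaken for an internal address.

```python
"""Pre-send recipient check for the email misdirection rule (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed: domains hosted on the NHS Wales email service. The policy names the
# "wales.nhs.uk" suffix; sub-domains of it are also treated as internal here.
INTERNAL_DOMAINS = ("wales.nhs.uk",)

# Minimal address syntax: local-part@domain with at least one dot in the domain.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def recipient_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if it is malformed.

    Display-name forms such as 'Jane Doe <jane@example>' are reduced to the
    bare address first, because the domain check must run on what the mail
    system will actually deliver to, not on the friendly name.
    """
    addr = address.strip()
    bracketed = re.search(r"<([^<>]+)>\s*$", addr)
    if bracketed:
        addr = bracketed.group(1).strip()
    m = _ADDR_RE.match(addr)
    return m.group(1).lower() if m else None


def is_internal(address: str) -> bool:
    """True only when the domain is an internal domain or a sub-domain of one.

    A plain ``endswith("wales.nhs.uk")`` would also accept ``evilwales.nhs.uk``;
    requiring either an exact match or a '.' before the suffix closes that gap.
    Malformed addresses are never internal.
    """
    dom = recipient_domain(address)
    if dom is None:
        return False
    return any(dom == d or dom.endswith("." + d) for d in INTERNAL_DOMAINS)


@dataclass
class Message:
    """Assumed message shape: recipients plus two classification flags."""
    recipients: List[str]
    sensitive: bool          # carries Personal Data or business sensitive information
    secured: bool = False    # sent via a secure portal, secure mail system or encryption


def check_message(msg: Message) -> Dict[str, object]:
    """Apply the rule: sensitive content to any external recipient needs an
    additional security measure. Returns a report the sending client can act on."""
    external = [r for r in msg.recipients if not is_internal(r)]
    malformed = [r for r in msg.recipients if recipient_domain(r) is None]
    hold = msg.sensitive and bool(external) and not msg.secured
    return {"external": external, "malformed": malformed, "hold": hold}


if __name__ == "__main__":
    # Constructed sample: one internal and one external recipient.
    sample = Message(["jane.doe@wales.nhs.uk", "friend@example.com"], sensitive=True)
    print(check_message(sample))
```

The report's `hold` flag is the enforcement point; `external` and `malformed` are what an operator would want logged alongside the user and timestamp the monitoring section already describes, since a held message with a mistyped recipient is the misdirection case the rule exists to catch.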

5.3 Personal Use

NHS email accounts must not be used as a personal private email account. Private use of email is permitted in the following circumstances:

• Emails to occupational health

• Email for Health and Wellbeing

• Communications connected with approved personal development / training

• Communications with Trade Unions and Professional Bodies

• Emergency emails


Users must not subscribe to or provide any NHS email address to any third party organisation for personal use. Please note: where local organisations have provided patients and staff with access to public Wi-Fi services, staff may use these to access personal email accounts on their own device in their own time.

5.4 Access to Information requests

Information held on computers, including that held in email accounts, may be subject to requests for information under relevant legislation and regulation. All staff should be mindful that it may be necessary to conduct a search for information and this may take place with or without the author’s knowledge or consent.

5.5 Records Management

The email system must not be used as a storage facility.

• All emails should either be deleted or saved securely to the appropriate record (e.g. to a clinical / business record or network drive).

• Any emails that are retained within the email system should be automatically archived by the email system. This data should not be retained for any period of time greater than 6 years.

6. Training and Awareness

Information governance is everyone’s responsibility. Training is mandatory for NHS staff and must be completed at commencement of employment and at least every two years subsequently. Non NHS employees must have appropriate information governance training in line with the requirements of their role. Staff who need support in understanding the legal, professional and ethical obligations that apply to them should contact their local information governance department. The NHS Wales workforce should become competent in using email services to the level required of their role in order to be efficient and effective in their day-to-day activities.

7. Monitoring and compliance

NHS Wales trusts its workforce; however, it reserves the right to monitor work processes to ensure the effectiveness of the service. This will mean that any personal activities that the employee practices in work may come under scrutiny. NHS Wales organisations respect the privacy of their employees and do not want to interfere in their personal lives, but monitoring of work processes is a legitimate business interest. NHS Wales uses software to scan emails for inappropriate content and filters are in place to detect this. Where an email is blocked, emails may be checked for compliance when a user requests an email to be released. All email use will be logged to display date, time, username, email content; and the address to which the message is being sent.


Staff should be reassured that NHS Wales organisations take a considered approach to monitoring, however it reserves the right to adopt different monitoring patterns as required. Monitoring is normally conducted where it is suspected that there is a breach of either policy or legislation. Furthermore, on deciding whether such analysis is appropriate in any given circumstances, full consideration is given to the rights of the employee. Managers are expected to speak to staff of their concerns should any minor issues arise. If breaches are detected an investigation may take place. Where this or another policy is found to have been breached, disciplinary procedures will be followed. Concerns about possible fraud and or corruption should be reported to the counter fraud team. In order for the NHS organisations to achieve good information governance practice staff must be encouraged to recognise the importance of good governance and report any breaches to enable lessons learned. They must be provided with the necessary tools, support, knowledge and training to help them deliver their services in compliance with legislation. Ultimately a skilled workforce will have the confidence to challenge bad information governance practice, and understand how to use information legally in the right place and at the right time. This should minimise the risk of incidents occurring or re-occurring.

8. Review This policy will be reviewed every two years or more frequently where the contents are affected by major internal or external changes such as:

• Changes in legislation;

• Practice change or change in system/technology; or

• Changing methodology.

9. Equality Impact Assessment This policy has been subject to an equality assessment. Following assessment, this policy was not felt to be discriminatory or detrimental in any way with regard to the protected characteristics, the Welsh Language or carers.


Appendix A - Inappropriate use

For the avoidance of doubt, NHS Wales will generally consider any of the following inappropriate use:

• Knowingly using another person’s NHS Wales email account and its functions, or allowing their email account to be used by another person without the relevant permission. Note: If an email is required to be sent on another person’s behalf then this must be performed using delegated permissions functionality and must be approved for use beforehand;

• Allowing access to NHS Wales email services by anyone not authorised to access the services, such as by a friend or family member;

• Communicating or disclosing confidential or sensitive information unless appropriate security measures and authorisation are in place;

• Communicating or saving any information or images which are unlawful, or could be regarded as defamatory, offensive, abusive, obscene, hateful, pornographic, violent, terrorist, indecent, being discriminatory in relation to the protected characteristics, or using the email system to inflict bullying or harassment on any person;

• Knowingly breaching copyright or Intellectual Property Rights (IPR);

• ‘Hacking’ into others’ accounts or unauthorised areas;

• Obtaining or distributing unlicensed or illegal software by email;

• Deliberately attempting to circumvent security systems protecting the integrity of the NHS Wales network;

• Any purpose that denies service to other users (for example, deliberate or reckless overloading of access links or switching equipment);

• Deliberately disabling or overloading any ICT system or network, or attempting to disable or circumvent any system intended to protect the privacy or security of employees, patients or others;

• Intentionally introducing malicious software such as Viruses, Worms, and Trojans into the NHS Wales network;

• Expressing personal views that may bring NHS Wales into disrepute;

• Distributing unsolicited commercial or advertising materials;

• Communicating unsolicited personal views on political, social, or religious matters with the intention of imposing that view on any other person. This does not preclude Trade Union officials from communicating with staff on Trade Union related matters;

• Installing additional email related software, or changing the configuration of existing software without appropriate permission;

• Sending unlicensed or illegal software or data including executable software, such as shareware, public domain and commercial software without correct authorisation;

• Forwarding chain email or spam (unsolicited mail) within the organisation or to other organisations;

• Subscribing to a third party email notification using a NHS Wales email account for reasons not connected to work, membership of a professional body or trade union;

• Sending personal photos or videos;

• Registering a NHS Wales e-mail address with any third party company for personal use (e.g. department store accounts; online grocery shopping accounts);

• Access to internet based e-mail providers including services such as Hotmail, Freeserve, Tiscali etc is prohibited for reasons of security with the exception of:

o Access to email services provided by a recognised professional body or a trade union recognised by the employer;

o Any UK university hosted e-mail account (accounts ending in .ac.uk);

o Any email account hosted by a body which the employee contributes to in conjunction with their NHS role, such as a local authority or tertiary organisation.


Annex 1: Policy Development - Version Control Revision History

Date Version Author Revision Summary

01/2017 V1 Andrew Fletcher (on behalf of the Internet and Email policy sub group)

Original policy as approved January 2017

12/09/2017 V1.1 Andrew Fletcher (on behalf of the IGMAG policy sub group)

Policy text applied to new template. Duplicate and substitute statements replaced with template text except insofar as they were not covered by these statements.

05/10/2017 V1.2 Andrew Fletcher (on behalf of the IGMAG policy sub group)

Comments from IG Leads in sub group applied to the policy.

04/12/2017 V1.3 Andrew Fletcher (on behalf of the IGMAG policy sub group)

Comments from IM&T Leads applied to the policy.

10/01/2018 V1.4 Andrew Fletcher (on behalf of the IGMAG policy sub group)

IGMAG Policy Sub Group changes applied to the policy.

07/02/2018 V1.5 Andrew Fletcher (on behalf of the IGMAG policy sub group)

Comments from all IG Leads applied. Draft for approval

08/03/2018 V1.6 Andrew Fletcher (on behalf of IGMAG)

Version control information updated

30/04/2018 V1.7 Andrew Fletcher (on behalf of IGMAG)

Version control information updated – No changes following Welsh Partnership Forum Consultation.

08/05/2018 V1.8 Andrew Fletcher (on behalf of IGMAG)

Changes following Equality Impact Assessment. Completed equality impact assessment added.

Reviewers This document requires the following reviews:

Date Version Name Position

07/02/2018 V1.4 IGMAG Policy sub group Sub group of the Information Governance Management and Advisory Group

08/03/2018 V1.5 Information Governance Management and Advisory Group All Wales Information Governance Leads

30/04/2018 V1.6 Welsh Partnership Forum All Wales workforce leads and trade unions

08/05/2018 V1.7 Equality Impact Assessment NWIS Equality Impact Assessment Group

07/06/2018 V1.8 Information Governance Management and Advisory Group All Wales Information Governance Leads

26/06/2018 V1.8 for approval Wales Information Governance Board Advisory Board to the Minister for Health and Social Care (Welsh Government)

Approvers This document requires the following approvals:

Date Version Name Position

07/06/2018 V1.8 Information Governance Management and Advisory Group All Wales Information Governance Leads

26/06/2018 V2 Wales Information Governance Board Advisory Board to the Minister for Health and Social Care (Welsh Government)


Annex 2: Equality Impact Assessment

Equality Impact Assessment (EQIA) Form

Ref no: POL/IGMAG/Email Use/v2

Name of the policy, service, scheme or project:

Service Area

NHS Wales Email Use Policy

Information Governance

Preparation

Aims and Brief Description

The policy maintains the aim of having a single Email Use Policy for all NHS Wales organisations, to promote the same principles and values across all NHS Wales organisations and their workforce.

Which Director is responsible for this policy/service/scheme etc

n/a All Wales policy developed in conjunction with Health Boards/Trusts

Who is involved in undertaking the EQIA

Andrew Fletcher and EQIA Group

Have you consulted with stakeholders in the development of this policy?

Yes. A sub group has developed this policy with a membership consisting of information governance leads and an OSSMB representative. IM&T leads and the Wales Partnership Forum have been consulted. The NHS Wales Information Governance Management and Advisory Group have approved the text of this Policy. The policy will be approved by the Wales Information Governance Board.

Does the policy assist services or staff in meeting their most basic needs, such as improved health, fair recruitment etc?

Yes. The policy will stand as a single email use policy for NHS Wales. As per the original all-Wales Policy, it removes many of the restrictions which were in place in some organisations, while strengthening the governance framework. A key driver during the process was the need to recognise that organisations needed to trust their staff.

Who and how many (if known) may be affected by the policy?

All users of the NHS Wales Email service within the Health Boards and NHS Trusts.

What guidance have you used in the development of this service, policy etc?

The policy is based on good practice and legal obligations as set out by the Information Commissioner's Office and in the legislation. The policy has also been constructed from existing agreed principles and the corporate knowledge of its stakeholders.


Equality Duties

The Policy/service/project or scheme aims to meet the specific duties set out in equality legislation.

Protected Characteristics (columns): Race; Sex/Gender; Disability; Sexual orientation; Religion and Belief; Age; Gender reassignment; Pregnancy and Maternity; Marriage & civil Partnerships; Welsh Language; Carers

To eliminate discrimination and harassment: ✓ for all eleven characteristics

Promote equality of opportunity: ✓ for all eleven characteristics

Promote good relations and positive attitudes: ✓ for all eleven characteristics

Encourage participation in public life: ✓ for all eleven characteristics

In relation to disability only, should the policy / service / project or scheme take account of difference, even if it involves treating some individuals more favourably?

Human Rights Based Approach – Issues of Dignity & Respect

The Human Rights Act contains 15 rights, and NHS organisations have a duty in respect of all of them. The 7 rights that are relevant to healthcare are listed below.

Consider: is the policy/service/project or scheme relevant to the following? (Yes / No / N/A)

Article 2: The Right to Life X

Article 3: the right not to be tortured or treated in an inhumane or degrading way X

Article 5: The right to liberty X

Article 6: the right to a fair trial X

Article 8: the right to respect for private and family life X

Article 9: Freedom of thought, conscience and religion X

Article 14: prohibition of discrimination X

Measuring the Impact

Key

✓ Yes

x No

- Neutral


What operational impact does this policy, service, scheme or project have with regard to the Protected Characteristics? Please cross reference with equality duties.

Impact – operational & financial

Race There is a consistent approach to IT policies across NHS Wales; this is an extension of the approach to put clear boundaries in place for staff, a revision of restrictions and identifying the need to respect and trust our staff. There is a clear statement around behaviours, making it explicit that hateful and discriminatory language will not be accepted. There needs to be a wider understanding and context of trigger words. Dignity and respect of those using the email policy, as individuals and staff, and clear instructions so staff know what is applicable to them.

Sex/gender

Disability

Sexual orientation

Religion belief and non belief

Age

Gender reassignment

Pregnancy and maternity

Marriage and civil partnership

Other areas

Welsh language

Carers

Outcome report

Equality Impact Assessment: Recommendations. Please list below any recommendations for action that you plan to take as a result of this impact assessment.

Recommendation Action Required Lead Officer Time-scale Resource implications Comments

1 Communication of the changes

Make sure staff are aware of the changes

AF ASAP Time

2 Updated EQIA statement

Inclusion of reference to protected characteristics

AF ASAP Time

Recommendation Likelihood Impact Risk Grading

1 2 2 4

2 2 2 4

Risk Assessment based on above recommendations

Reputation and compromise position Outcome

The policy is clear so that all staff are aware of their responsibilities and therefore the reputation of the organisation is preserved.

A clear understanding of the policy and responsibilities of staff in the use of IT in the workplace. Training and dissemination of policy

The policy is clear so that all staff are aware of their responsibilities and therefore the reputation of the organisation is preserved.

Is the policy etc lawful? Yes No Review date

Does the EQIA group support the policy being adopted?

Yes No 3 years


Signed on behalf of NWIS Equal Impact Assessment Group

S Brooks Lead Officer

Date: 8 May 2018 Date: 8 May 2018

Impact scale: 1 Negligible; 2 Minor; 3 Moderate; 4 Major; 5 Catastrophic

Statutory duty:

1 Negligible: No or minimal impact or breach of guidance / statutory duty; potential for public concern; informal complaint; risk of claim remote

2 Minor: Breach of statutory legislation; formal complaint; local media coverage – short term reduction in public confidence; failure to meet internal standards; claims less than £10,000; elements of public expectations not being met

3 Moderate: Single breach in statutory duty; challenging external recommendations; local media interest; claims between £10,000 and £100,000; formal complaint expected; impacts on small number of the population

4 Major: Multiple breaches in statutory duty; legal action certain, between £100,000 and £1 million; multiple complaints expected; national media interest

5 Catastrophic: Multiple breaches in statutory duty; legal action certain, amounting to over £1 million; national media interest; zero compliance with legislation; impacts on large percentage of the population; gross failure to meet national standards

Risk Grading Descriptors

LIKELIHOOD DESCRIPTION

5 Almost Certain Likely to occur, on many occasions

4 Likely Will probably occur, but is not a persistent issue

3 Possible May occur occasionally

2 Unlikely Not expected it to happen, but may do

1 Rare Can’t believe that this will ever happen

1 IGI18.12.4 All Wales Internet Use Policy v2.docx

Author: IGMAG Policy Sub Group P a g e | 1 Version: 2

NHS Wales

Internet Use Policy

Author: Information Governance Management Advisory Group Policy Sub Group

Approved by: Information Governance Management Advisory Group Approved by: Wales Information Governance Board

Version: 2 Date: 26/06/2018

Review date: 26/06/2018

NHS Wales All Wales Internet Use Policy


Contents

1. Introduction ..................................................................................................... 4

2. Purpose ............................................................................................................ 4

3. Scope ............................................................................................................... 4

4. Roles and responsibilities .............................................................................. 4

5. Policy ............................................................................................................... 5

5.1 Position Statement ................................................................................................................ 5

5.2 Conditions & Restrictions .................................................................................................... 5

5.3 Personal Use .......................................................................................................................... 6

6. Training and Awareness ................................................................................. 6

7. Monitoring and compliance ............................................................................ 6

8. Review .............................................................................................................. 7

9. Equality Impact Assessment .......................................................................... 7

Appendix A - Inappropriate use ................................................................................ 8

Annex: Policy Development - Version Control ...................................................... 10

Annex 2: Equality Impact Assessment


1. Introduction This document is issued under the All Wales Information Governance Policy Framework and maintained by the NHS Wales Informatics Service (NWIS) on behalf of all NHS Wales organisations.

2. Purpose This policy provides assurance that NHS Wales internet facilities are being used appropriately to assist in delivering services. The policy also sets out the responsibilities of all users when using the internet. These responsibilities include, but are not restricted to, ensuring that:

• The confidentiality, integrity, availability and suitability of information and NHS computer systems are maintained by ensuring use of internet services is governed appropriately;

• All individuals as referenced within the scope of this policy are aware of their obligations. This policy must be read in conjunction with relevant organisational procedures.

3. Scope This policy applies to the workforce of all NHS Wales organisations, including staff, students, trainees, secondees, volunteers, contracted third parties and any persons undertaking duties on behalf of NHS Wales. For the purpose of this policy, ‘NHS Wales Organisations’ will include all NHS Wales organisations, including all Health Boards and NHS Trusts. The policy describes the principles which must be adhered to by all in the use of the internet, the NHS Wales Network (which is defined as a corporate Intranet) and other affiliated sites. The terms “internet access” or “internet use” encompass any use of any resources of the internet, including social media / social networking, browsing, streaming, downloading, uploading, posting, “blogging”, “tweeting”, chat and email. The NHS Wales Social Media Policy provides information on the appropriate use of social media. This policy applies to all staff who make use of the NHS network infrastructure and / or NHS equipment to access internet services, regardless of the location from which they access them and the type of equipment that is used, including corporate equipment, third party and personal devices.

4. Roles and responsibilities The Chief Executive is responsible for ensuring the highest level of organisational commitment to the policy and the availability of resources to support its implementation and any associated legal requirements. Specific responsibilities will be delegated to the Data Protection Officer, Senior Information Risk Officer and the Caldicott Guardian or an Executive Director as appropriate.


Managers are responsible for the implementation of this policy within their department/directorate. In addition, they must ensure that their staff are aware of this policy, understand their responsibilities in complying with the policy requirements and are up to date with mandatory information governance training. Breaches of the policy must be reported via local incident reporting processes and dealt with in line with the All Wales Disciplinary Policy where appropriate. The workforce must familiarise themselves with the policy content and ensure the policy requirements are implemented and followed within their own work area. Mandatory information governance training must be undertaken at least every two years. Breaches of this policy must be reported via local incident reporting processes.

5. Policy

5.1 Position Statement

Internet access is provided to staff to assist them in the performance of their duties and the provision of these facilities represents a major commitment on the part of NHS Wales in terms of investment and resources. The NHS Wales workforce should become competent in using internet services to the level required for their role in order to be more efficient and effective in their day-to-day activities. NHS Wales will support its workforce in understanding how to safely use internet services and it is important that users understand the legal, professional and ethical obligations that apply to its use. If used correctly, the internet can increase efficiency and safety within patient care.

5.2 Conditions & Restrictions To avoid inadvertent breaches of this policy, inappropriate content will be blocked by default where possible. Inappropriate material must not be accessed. Exceptions may be authorised for certain staff where access to particular web pages is a requirement of the role. Subject matter considered inappropriate is detailed in Appendix A. Some sites may be blocked by default due to their general impact on network resources; access to these for work purposes can be requested by contacting the Local IT Service Desk. Regardless of where the internet is accessed, users must not participate in any online activity, or create, transmit or store material, that is likely to bring the organisation into disrepute or incur liability on the part of NHS Wales. Business Sensitive Information or Personal Data (which includes photographs and video recordings) of any patient, member of the public, or member of staff taken on NHS Wales premises must not be uploaded to any form of non-NHS-approved online storage, media sharing sites, social media, blogs, chat rooms or similar, without both the authorisation of a head of service and the consent of the individual who is the Data Subject of that recording. The NHS Wales Social Media Policy provides information on the appropriate use of social media. It is each user’s responsibility to ensure that their internet facilities are used appropriately. Managers are reminded that, as an NHS Wales resource, the internet is in many ways similar to the telephone system and should be managed accordingly.


5.3 Personal Use NHS Wales organisations allow staff reasonable personal use of internet services, providing this is within the bounds of the law and decency and complies with policy. Personal use should be incidental and reasonable. As a threshold, NHS Wales defines this as a maximum of thirty minutes in one calendar day, before or after normal working hours or during agreed break times. These limitations are also necessary due to network demands, and therefore local restrictions may apply depending on the duration of access and the capacity of resources available. In addition, users must not stream or download large volumes of data (e.g. streaming audio or video, multimedia content, software packages), as these may have a negative impact on network resources. Where local organisations have provided patients and staff with access to public Wi-Fi services, employees are encouraged to use these facilities by default on personally-owned devices instead of using NHS equipment. Local agreements will be in place for the use and availability of these facilities. Staff who use NHS equipment outside NHS Wales premises (for example, in a home environment) are permitted to connect to the internet. Use of the internet under these circumstances must be through the secure VPN connection provided by the NHS Wales organisation. Use of the equipment for such purposes is still subject to the same conditions as laid out in this policy. All personal use of the internet is carried out at the user’s own risk. NHS Wales does not accept responsibility or liability for any loss caused by, or liability arising from, personal use of the internet. Internet access facilities must not be used to run or support any kind of paid or unpaid personal business venture outside work, whether or not it is conducted in a user’s own time. At no time should access to the internet be used by any individual for personal financial gain (e.g. using eBay or any other auction sites).

6. Training and Awareness Information governance is everyone’s responsibility. Training is mandatory for NHS staff and must be completed at commencement of employment and at least every two years subsequently. Non NHS employees must have appropriate information governance training in line with the requirements of their role. Staff who need support in understanding the legal, professional and ethical obligations that apply to them should contact their local information governance department. The NHS Wales workforce should become competent in using internet services to the level required of their role in order to be efficient and effective in their day-to-day activities.

7. Monitoring and compliance NHS Wales trusts its workforce. NHS Wales reserves the right to monitor work processes to ensure the effectiveness of the service. This means that any personal activities that an employee carries out at work may come under scrutiny. NHS Wales organisations respect the privacy of their employees and do not want to interfere in their personal lives, but monitoring of work processes is a legitimate business interest. NHS Wales uses software to automatically and continually record the amount of time spent by staff accessing the internet and the type of websites visited by staff. Attempts to access prohibited websites which are blocked are also recorded. Staff should be reassured that NHS Wales organisations take a considered approach to monitoring; however, they reserve the right to adopt different monitoring patterns as required. Monitoring is normally conducted where it is suspected that there has been a breach of either policy or legislation, or when a manager has concerns about an employee's performance (e.g. excessive internet usage). Furthermore, in deciding whether such analysis is appropriate in any given circumstances, full consideration is given to the rights of the employee. Managers are expected to speak to staff about their concerns should any minor issues arise. If breaches are detected, an investigation may take place. Where this or another policy is found to have been breached, disciplinary procedures will be followed. Concerns about possible fraud and/or corruption should be reported to the counter fraud team. In order for NHS organisations to achieve good information governance practice, staff must be encouraged to recognise the importance of good governance and to report any breaches so that lessons can be learned. They must be provided with the necessary tools, support, knowledge and training to help them deliver their services in compliance with legislation. Ultimately a skilled workforce will have the confidence to challenge bad IG practice, and will understand how to use information legally in the right place and at the right time. This should minimise the risk of incidents occurring or recurring.

8. Review This policy will be reviewed every two years or more frequently where the contents are affected by major internal or external changes such as:

• Changes in legislation;

• Practice change or change in system/technology; or

• Changing methodology.

9. Equality Impact Assessment This policy has been subject to an equality assessment. Following assessment, this policy was not felt to be discriminatory or detrimental in any way with regard to the protected characteristics, the Welsh Language or carers.


Appendix A - Inappropriate use For the avoidance of doubt, NHS Wales organisations will generally consider any of the following inappropriate use:

• Excessive personal use.

• Allowing access to NHS Wales internet services by anyone not authorised to access the services, such as by a friend or family member.

• Communicating or disclosing confidential or sensitive information via the internet without authorisation or without the appropriate security measures being in place.

• Downloading or communicating any information or images which are unlawful, or could be regarded as defamatory, offensive, abusive, obscene, hateful, pornographic, violent, terrorist, indecent, being discriminatory in relation to the protected characteristics; or using the email system to inflict bullying or harassment on any person.

• Downloading, uploading, transmitting, viewing, publishing, storing or distributing defamatory material or intentionally publishing false information about NHS Wales or its staff, clients or patients.

• Knowingly accessing, or attempting to access internet sites that contain obscene, hateful, pornographic, violent, terrorist, racist or otherwise illegal material. This will include such pages on social media sites.

• Knowingly and without authority viewing, uploading, or downloading material that may bring NHS Wales into disrepute, or material that could cause offence to others.

• Sending or saving information or images which could be considered defamatory, obscene, hateful, pornographic, violent, terrorist, racist or otherwise illegal material.

• Downloading or installing or distributing unlicensed or illegal software.

• Downloading software without authorisation or changing the configuration of existing software using the internet without the appropriate permissions.

• Breaching copyright or Intellectual Property Rights (IPR).

• ‘Hacking’ into others’ accounts or unauthorised areas.

• Deliberately attempting to circumvent security systems protecting the integrity of the NHS Wales network.

• Any purpose that denies service to other users (for example, deliberate or reckless overloading of access links or switching equipment).

• Intentionally introducing malicious software such as Viruses, Worms, and Trojans into the NHS Wales network.

• Accessing sites with the intention of making a personal gain (for example, running a business).

• Access to internet based e-mail providers such as Hotmail, Freeserve, Tiscali etc is prohibited for reasons of security with the exception of:

o Access to email services provided by a recognised professional body or a trade union recognised by the employer;

o Any UK university hosted e-mail account (accounts ending in .ac.uk);

o Any email account hosted by a body which the employee contributes to in conjunction with their NHS role, such as a local authority or tertiary organisation.


• Altering any of the system settings on a NHS Wales owned PC or trying to change the access server in an attempt to avoid the restriction imposed by the filtering software. This will be deemed as a breach of this policy and will be dealt with under the All Wales Disciplinary Policy.


Annex 1: Policy Development - Version Control Revision History

Date / Version / Author: Revision Summary

01/2017 V1 Andrew Fletcher (on behalf of the Internet and Email policy sub group): Original policy as approved January 2017

12/09/2017 V1.1 Andrew Fletcher (on behalf of the IGMAG policy sub group): Policy text applied to new template. Duplicate and substitute statements replaced with template text except insofar as they were not covered by these statements.

05/10/2017 V1.2 Andrew Fletcher (on behalf of the IGMAG policy sub group): Comments from IG Leads in sub group applied to the policy.

04/12/2017 V1.3 Andrew Fletcher (on behalf of the IGMAG policy sub group): Comments from IM&T Leads applied to the policy.

10/01/2018 V1.4 Andrew Fletcher (on behalf of the IGMAG policy sub group): IGMAG Policy Sub Group changes applied to the policy.

07/02/2018 V1.5 Andrew Fletcher (on behalf of the IGMAG policy sub group): Comments from all IG Leads applied. Draft for approval.

08/03/2018 V1.6 Andrew Fletcher (on behalf of IGMAG): Version control information updated.

30/04/2018 V1.7 Andrew Fletcher (on behalf of IGMAG): Version control information updated. No changes following Welsh Partnership Forum consultation.

08/05/2018 V1.8 Andrew Fletcher (on behalf of IGMAG): Changes following Equality Impact Assessment. Completed equality impact assessment added.

Reviewers

This document requires the following reviews:

Date / Version / Name (Position)

07/02/2018 V1.4 IGMAG Policy sub group (Sub group of the Information Governance Management and Advisory Group)

08/03/2018 V1.5 Information Governance Management and Advisory Group (All Wales Information Governance Leads)

30/04/2018 V1.6 Welsh Partnership Forum (All Wales workforce leads and trade unions)

08/05/2018 V1.7 Equality Impact Assessment (NWIS Equality Impact Assessment Group)

07/06/2018 V1.8 Information Governance Management and Advisory Group (All Wales Information Governance Leads)

26/06/2018 V1.8 for approval: Wales Information Governance Board (Advisory Board to the Minister for Health and Social Care, Welsh Government)

Approvers

This document requires the following approvals:

Date / Version / Name (Position)

07/06/2018 V1.8 Information Governance Management and Advisory Group (All Wales Information Governance Leads)

26/06/2018 V2 Wales Information Governance Board (Advisory Board to the Minister for Health and Social Care, Welsh Government)


Annex 2: Equality Impact Assessment

Equality Impact Assessment (EQIA) Form

Ref no: POL/IGMAG/Internet Use/v1

Name of the policy, service, scheme or project: NHS Wales Internet Use Policy

Service Area: Information Governance

Preparation

Aims and Brief Description

The policy is the product of the review of the All Wales Internet Use Policy.

Which Director is responsible for this policy/service/scheme etc

All Wales policy developed in conjunction with Health Boards/Trusts

Who is involved in undertaking the EQIA

Andrew Fletcher and EQIA group

Have you consulted with stakeholders in the development of this policy?

Yes. A sub group has developed this policy with a membership consisting of information governance leads and an OSSMB representative. IM&T leads and the Wales Partnership Forum have been consulted. The NHS Wales Information Governance Management and Advisory Group have approved the text of this Policy. The policy will be approved by the Wales Information Governance Board.

Does the policy assist services or staff in meeting their most basic needs, such as improved health, fair recruitment etc.?

Yes. The policy will stand as a single internet use policy for NHS Wales. As per the original all-Wales Policy, it removes many of the restrictions which were in place in some organisations, while strengthening the governance framework. A key driver during the process was the need to recognise that organisations needed to trust their staff.

Who and how many (if known) may be affected by the policy?

All users of the NHS Wales internet service within the Health Boards and NHS Trusts.

What guidance have you used in the development of this service, policy etc?

The policy is based on good practice and legal obligations as set out by the Information Commissioner's Office and in the legislation. The policy has also been constructed from existing agreed principles and the corporate knowledge of its stakeholders.


Equality Duties

The Policy/service/project or scheme aims to meet the specific duties set out in equality legislation.

Protected Characteristics (columns): Race; Sex/Gender; Disability; Sexual orientation; Religion and Belief; Age; Gender reassignment; Pregnancy and Maternity; Marriage & civil Partnerships; Welsh Language; Carers

To eliminate discrimination and harassment: ✓ for all 11 characteristics

Promote equality of opportunity: ✓ for all 11 characteristics

Promote good relations and positive attitudes: ✓ for all 11 characteristics

Encourage participation in public life: ✓ for all 11 characteristics

In relation to disability only, should the policy / service / project or scheme take account of difference, even if involves treating some individuals more favourably?

Human Rights Based Approach – Issues of Dignity & Respect

The Human Rights Act contains 15 rights, all of which NHS organisations have a duty to uphold. The 7 rights that are relevant to healthcare are listed below.

Consider: is the policy/service/project or scheme relevant to the following? (Yes / No / N/A)

Article 2: The Right to Life X

Article 3: the right not to be tortured or treated in an inhumane or degrading way X

Article 5: The right to liberty X

Article 6: the right to a fair trial X

Article 8: the right to respect for private and family life X

Article 9: Freedom of thought, conscience and religion X

Article 14: prohibition of discrimination X

Measuring the Impact

Key

✓ Yes

x No

- Neutral


What operational impact does this policy, service, scheme or project, have with regard to the Protected Characteristics. Please cross reference with equality duties

Impact – operational & financial

Race: There is a consistent approach to IT policies across NHS Wales; this is an extension of the approach to put clear boundaries in place for staff, a revision of restrictions and identifying the need to respect and trust our staff. There is a clear statement around behaviours making it explicit that hateful and discriminatory language will not be accepted. There needs to be a wider understanding and context of trigger words. Dignity and respect of those using the Internet policy as individuals and staff, and clear instructions so staff know what is applicable to them.

Sex/gender

Disability

Sexual orientation

Religion belief and non belief

Age

Gender reassignment

Pregnancy and maternity

Marriage and civil partnership

Other areas

Welsh language

Carers

Outcome report

Equality Impact Assessment: Recommendations Please list below any recommendations for action that you plan to take as a result of this impact assessment

Recommendation 1: Communication of the changes. Action Required: Make sure staff are aware of the changes. Lead Officer: AF. Time-scale: ASAP. Resource implications: Time.

Recommendation 2: Updated EQIA statement. Action Required: Inclusion of reference to protected characteristics. Lead Officer: AF. Time-scale: ASAP. Resource implications: Time.

Risk grading of recommendations (Likelihood, Impact, Risk Grading):

Recommendation 1: Likelihood 2, Impact 2, Risk Grading 4

Recommendation 2: Likelihood 2, Impact 2, Risk Grading 4

Risk Assessment based on above recommendations

Reputation and compromise position: The policy is clear so that all staff are aware of their responsibilities and therefore the reputation of the organisation is preserved.

Outcome: A clear understanding of the policy and the responsibilities of staff in the use of IT in the workplace. Training and dissemination of policy.

Is the policy etc lawful? Yes / No

Does the EQIA group support the policy being adopted? Yes / No

Review date: 3 years


Signed on behalf of NWIS Equality Impact Assessment Group: S Brooks, Date: 8 May 2018

Lead Officer, Date: 8 May 2018

Impact descriptors (statutory duty, complaints, media and claims)

1 Negligible: No or minimal impact or breach of guidance / statutory duty; potential for public concern; informal complaint; risk of claim remote.

2 Minor: Breach of statutory legislation; formal complaint; local media coverage with short-term reduction in public confidence; failure to meet internal standards; claims less than £10,000; elements of public expectations not being met.

3 Moderate: Single breach in statutory duty; challenging external recommendations; local media interest; claims between £10,000 and £100,000; formal complaint expected; impacts on a small number of the population.

4 Major: Multiple breaches in statutory duty; legal action certain, between £100,000 and £1 million; multiple complaints expected; national media interest.

5 Catastrophic: Multiple breaches in statutory duty; legal action certain amounting to over £1 million; national media interest; zero compliance with legislation; impacts on a large percentage of the population; gross failure to meet national standards.

Risk Grading Descriptors

Likelihood: Description

5 Almost Certain: Likely to occur, on many occasions

4 Likely: Will probably occur, but is not a persistent issue

3 Possible: May occur occasionally

2 Unlikely: Not expected to happen, but may do

1 Rare: Can’t believe that this will ever happen

10.3 IG18/13 Information Governance Annual report 2017/18

IGI18.13a Information Governance Annual Report Coversheet.docx

Information Governance and Informatics Committee 13.11.18

To improve health and provide excellent care

Report Title: Information Governance Annual Report 2017/18

Report Author: Wendy Hardman, Head of Information Governance; Justine Parry, Assistant Director: Information Governance and Assurance

Responsible Director: Grace Lewis-Parry, Board Secretary

Public or In Committee: Public

Purpose of Report: BCUHB has a responsibility to ensure robust information governance systems and processes are in place to protect patient, personal and corporate information. This report provides assurance across the key areas of information governance including, but not limited to, confidentiality, data protection, requests for information, information security and training.

Approval / Scrutiny Route Prior to Presentation: Information Governance Group. Approved for submission by the Board Secretary.

Governance issues / risks:

It is a statutory requirement to comply with data protection legislation. Non-compliance can lead to penalties, including significant fines imposed by the Information Commissioner, and to loss of public confidence in the Health Board's ability to protect the privacy of their information.

Financial Implications: Not applicable

Recommendation: The Committee is asked to:

• note the contents of the report and the improvements regarding compliance with information governance practice;

• endorse the Information Governance Annual Report 2017/18

Health Board’s Well-being Objectives (indicate how this paper proposes alignment with the Health Board’s Well Being objectives. Tick all that apply and expand within main report)

1. To improve physical, emotional and mental health and well-being for all

2. To target our resources to those with the greatest needs and reduce inequalities

3. To support children to have the best start in life

4. To work in partnership to support people – individuals, families, carers, communities - to achieve their own well-being

5. To improve the safety and quality of all services

6. To respect people and their dignity

7. To listen to people and learn from their experiences

√ WFGA Sustainable Development Principle (Indicate how the paper/proposal has embedded and prioritised the sustainable development principle in its development. Describe how within the main body of the report or if not indicate the reasons for this.)

1. Balancing short term need with long term planning for the future

2. Working together with other partners to deliver objectives

3. Involving those with an interest and seeking their views

4. Putting resources into preventing problems occurring or getting worse

√ 5. Considering impact on all well-being goals together and on other bodies

Special Measures Improvement Framework Theme/Expectation addressed by this paper Not applicable

Equality Impact Assessment Not applicable

Disclosure:

Betsi Cadwaladr University Health Board is the operational name of Betsi Cadwaladr University Local Health Board

Board/Committee Coversheet v10.0

IGI18.13b Information Governance Annual Report 2017_18 v1 Final.doc

Betsi Cadwaladr University Health Board

Information Governance Annual Report

2017/18

Information Governance Annual Report 2017/18 Author: Wendy Hardman, Head of Information Governance

Version v1 final Page 2 of 26

Contents (page)

Background 3

1. Purpose 3

2. Accountability/Responsibilities 4

3. Information Governance Operational Plan 5

4. Caldicott and Confidentiality 7

• Caldicott C-PIP Self Assessment

• Improvement Plan 2018/19

5. Audits 9

• Internal Audit Report

• Compliance Spot Checks

6. Senior Information Risk Owner Section 9

• Information Security

• Information Governance Incident Reporting

• Information Governance Incidents

• Identified incident improvement actions

• Information Governance Risk Register

7. Information Sharing 13

• WASPI

8. Caldicott Guardian Decisions / Authorisations 14

9. Policies and Procedures 15

10. Data Quality 16

11. Requests for Information 16

• Freedom of Information Act/Environmental Information Regulations Requests

• Internal Review

o Complaints to the Information Commissioners Office

• Data Protection Act 1998 Subject Access Requests

o Complaints to the Information Commissioners Office

• Access to Health Records Requests

12. Complaints/Concerns and Outcomes 20

13. Training 20

14. Information Governance within Primary Care 21

15. Achievements 23

16. Conclusions 24

17. Looking forward 25


Background

The term ‘Information Governance’ is used to describe how organisations manage the way information is handled. It covers the requirements and standards that Betsi Cadwaladr University Health Board (BCUHB) needs to achieve to fulfil its obligation that information is handled legally, securely, efficiently, effectively and in a manner which maintains public trust. Information Governance strikes the balance between privacy and the sharing of personal confidential data and is therefore fundamental to the health care system, both providing the necessary safeguards to protect personal information and an effective framework to guide those working in health to decide when to share, or not to share.

There is a comprehensive and complex range of national guidance and legislation within which BCUHB must operate, including compliance with:

• Data Protection Act

• General Data Protection Regulation

• Freedom of Information Act 2000

• Environmental Information Regulations 2004

• Public Records Act 1958

• Access to Health Records Act 1990

• Computer Misuse Act 1990

• Caldicott Principles in Practice (C-PIP)

• Common Law duty of confidentiality

• Wales Accord to Share Personal Information (WASPI)

• Data quality

• Information Security assurance - ISO 27001:2005 & 2013 Information security management (formerly BS7799)

• Records Management NHS Code of Practice

• Information Commissioner's Codes of Practice

An Information Governance Framework has been put in place to provide assurance against these, which is monitored and administered via the Information Governance Team. This annual report details the work that has been carried out over the last year to provide this assurance.

1.0 Purpose

BCUHB has a responsibility to ensure robust information governance systems and processes are in place to protect personal and corporate information. The purpose of this report is to provide assurance across the key areas of information governance including, but not limited to, confidentiality, data protection, requests for information and information security. The main aims of this report are:

1.1 To inform BCUHB and key stakeholders about our compliance with legislation and standards, to provide a summary of our activities in relation to Information Governance during 2017/18, and to describe the achievements relating to Information Governance within BCUHB during the previous 12 months.

1.2 To provide assurance to our key stakeholders that our information governance systems and processes are appropriate and effective.

1.3 To outline the Information Governance operational plan achievements during 2017/18 and to identify our priorities for 2018/19.

2.0 Accountability and Responsibilities

2.1 Chief Executive has overall responsibility for Data Protection and Confidentiality within BCUHB. As accountable officer they are responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity. Ensuring adherence to data protection law and its principles is key to this, as it will ensure appropriate, safe, secure and legal processing of, and access to, personal data held by the Health Board.

2.2 Senior Information Risk Owner (SIRO) - The Board Secretary has delegated responsibility for ensuring that the Board corporately meets its legal responsibilities, and for the adoption of internal and external information governance requirements. They act as the conscience for information governance on the Board and advise on the effectiveness of information governance management across the organisation. They are also the identified Senior Information Risk Owner (SIRO) and take ownership of information risk; this is a key factor in successfully raising the profile of information risks and embedding information risk management into the Health Board’s culture.

2.3 Caldicott Guardian - The Deputy Medical Director has been nominated as the Board's Caldicott Guardian and is responsible for protecting confidentiality and reflecting patients’ interests regarding the use of patient identifiable information. They are responsible for ensuring patient identifiable information is shared in an appropriate, ethical and secure manner. The Caldicott Guardian is the Chair of the Information Governance Group.

2.4 Data Protection Officer (DPO) – The Assistant Director of Information Governance and Assurance has responsibility for keeping the Board updated about data protection responsibilities, risks and issues. They will ensure that all data protection procedures and related policies are reviewed as appropriate and that training and advice is provided to all staff. They will also ensure that Data Protection Impact Assessments are carried out for all new projects and services and that contracts and agreements are checked with third parties who may have access to the Health Board's personal data.


2.5 Chief Information Officer (Deputy SIRO) has overall responsibility for the technical infrastructure to ensure the security and data quality of the information assets and systems held within the Board.

2.6 Executive Directors are responsible for the governance of information retained and processed within their Clinical or Corporate Divisions.

2.7 Head of Information Governance (Deputy DPO) is responsible for the development, communication and monitoring of Information Governance policies, procedures, action plans and the IG Training Strategy, ensuring the Health Board adopts best practice and standards with support from the Information Governance Team.

2.8 Finance & Performance (F&P) Committee is responsible for providing assurance to the Board that the Information Governance Framework is implemented, that compliance against legislative requirements is monitored, and that information governance systems and processes are developed, co-ordinated and monitored.

2.9 Operational Information Governance Group (IGG) provides evidence-based and timely advice to the F&P Committee to assist it in discharging its functions and meeting its responsibilities with regards to Freedom of Information, Data Protection, Confidentiality, Caldicott, Information management and security, and appropriate access to and use of patient, personal or business sensitive information. This includes providing assurance in relation to the Health Board’s arrangements for creating, collecting, storing, safeguarding, disseminating, sharing, using and disposing of records in accordance with its stated objectives and legislative responsibilities.

2.10 Information Governance Leads, with support from the Information Governance Team, ensure compliance with local policies, procedures and standards and with national guidance, standards and legislation, and promote best practice across the organisation within their Divisions.
2.11 All staff are responsible for any records or data they create and what they do with the information they use. They must adhere to all information governance policies, procedures and standards which are written into the terms and conditions of their contracts of employment and the organisation’s Staff Code of Conduct and attend mandatory IG training every two years.

3.0 Information Governance Operational Plan

The Information Governance Team is responsible for all elements of Information Governance (excluding Health Records) across BCUHB. The Information Governance agenda is wide and varied and therefore there is a necessity to have a planned and phased approach to help deliver this agenda.


The Information Governance Operational Plan was originally developed in 2011 and was built on the requirements detailed within the Caldicott Principles in Practice (C-PiP) Assessment. The plan has continued to be developed to incorporate the English IG Toolkit requirements and audit recommendations, so that it outlines the activities and main actions of the Information Governance Team across the information governance agenda. The IGG is responsible for monitoring the plan; regular updates are also submitted to the F&P Committee to provide assurance to the Board.

The plan details 5 information governance objectives for the health board as below:

• Objective 1: Information Governance Management;

• Objective 2: Confidentiality and Data Protection Assurance;

• Objective 3: Information Security Assurance;

• Objective 4: Clinical Information Assurance;

• Objective 5: Corporate Information Assurance.

The General Data Protection Regulation (GDPR), which was approved in 2016 and comes into force on 25 May 2018, will be directly applicable as law in the UK. This will replace the Directive that is the basis of the Data Protection Act 1998. Although in general the principles of data protection remain the same, there is greater focus on evidence-based compliance with specified requirements for transparency, more extensive rights for data subjects and considerably harsher penalties for non-compliance. As a Health Board we have been required to develop and implement an action plan to achieve compliance against this regulation, and this is reflected within the Information Governance Operational Plan for 2018/19, which will incorporate:

• all outstanding actions from 2017/18;

• review and update the IG Strategy to align with the new requirements within the forthcoming GDPR;

• continue to implement the project plan and communication plan for the GDPR Transition Programme;

• review and update all policies and procedures to comply with GDPR;

• review and amend the IG training package to incorporate GDPR and update the 3 year IG training plan;

• carry out an information asset audit which will capture retention, storage, information flows, identify information asset owners and will inform the Health Boards information asset register;

• carry out a system asset audit which will capture the lifecycle of the asset, identifying cyber security compliance, contracts and system owners;

• further development of the IG Portal and Servicedesk as a central tool for support, advice and performance monitoring, and to collect information and system assets and maintain the information asset register;

• develop comprehensive guidance for staff on the use of the Data Protection Impact Assessments ensuring they are actively promoted in readiness for the mandatory requirement as part of GDPR;

• continuing with the active monitoring and escalation of notifications from the National Intelligent Integrated Auditing Solution (NIIAS) as it is aligned to more national clinical systems;

• review all fair processing information to ensure that staff and patients are effectively informed with regards to the sharing of their information:

o Develop a process for fair processing;

o Ensure that fair processing notices are accessible, understandable and freely available;

• review all information sharing arrangements and contract agreements with 3rd parties to comply with GDPR and cyber-security requirements.

4.0 Caldicott and Confidentiality

In 1997, the review of the uses of patient-identifiable information, chaired by Dame Fiona Caldicott, devised 6 principles for information governance that could be used by all organisations with access to patient information. Those principles were:

1. Justify the purpose(s) of using confidential information

2. Only use it when absolutely necessary

3. Use the minimum that is required

4. Access should be on a strict need-to-know basis

5. Everyone must understand his or her responsibilities

6. Understand and comply with the law

This placed a requirement on each organisation to develop a work programme to assess their compliance with the Caldicott Principles on an annual basis. The Health Board carried out its first baseline assessment in January 2010. Since then improvement plans have been developed and implemented into the IG operational plan. Progress with this plan has been monitored by the Information Governance Group and Team. During 2013 a further review of the Caldicott Principles and their relevance to the modern health and social care system was carried out; this was known as Caldicott2. The recommendation from this was that a seventh principle be adopted: The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

4.1 Caldicott: Principles into Practice (C-PIP)

The Caldicott Foundation Manual: Principles into Practice (C-PIP) provides Caldicott Guardians and their support staff with updated knowledge about the legal background to their duties and aspects of Information Governance. The manual sets out what organisations need to do and the arrangements that need to be in place to ensure patient information is handled appropriately. Requirements are set into 41 self-assessment standards which have been grouped into 6 sections. Against each question there is a hierarchy of answers and a score is automatically generated depending on which option the Health Board is compliant against. Each organisation must then annually assess their compliance with the Caldicott Principles and produce a programme of work to ensure there is continual improvement. The Health Board has completed the seventh year of the online toolkit and has slightly increased its score to 89% this year, retaining the Class 4 Star Rating.

4.2 Caldicott Improvement Plan 2018/19

The improvement plan has been updated to reflect the work that still needs to be carried out to enable the Health Board to become more compliant with the standard requirements. The Information Governance Operational Plan for 2018/19 incorporates the outstanding requirements identified in the Caldicott Improvement Plan. This is regularly monitored and reviewed by the Information Governance Team and is escalated to the IGG and F&P Committee. The areas for prioritisation next year will be:

• Continue to develop and implement a robust information governance assurance programme – Welsh IG Toolkit;

• Develop and implement guidance and provide awareness training for staff on the use of Data Protection Impact Assessments ;

• Increase the compliance level of IG Training;

• Improve the security and privacy of patient information by risk assessing data processing activity;

• Implement an information asset register and commence risk assessments;

• Map information flows and identify and or/ implement appropriate information sharing arrangements as required;

• Monitor and provide assurance to the Board with regards to the Health Board’s compliance with GDPR.

The Health Board also continues to ensure that it provides patients and the public with information about how their information might be used via privacy notices which are published on the Health Boards website.


5.0 Audits

It is necessary for the Health Board to evaluate and assess compliance with legislation and standards and to be able to demonstrate continued improvements with regards to information governance practice. In addition to the completion of the Caldicott self-assessment audit, information governance practices have also been audited by IG compliance spot checks across the Health Board.

5.1 Compliance Spot Checks

This is the fifth year the Health Board has conducted Information Governance Compliance Spot Checks. These checks support the Information Governance Framework by demonstrating compliance against legislation and national and local standards, and are an essential monitoring mechanism to provide assurance that information is being safeguarded. Action plans are shared with the areas and are regularly reviewed for updates by the Information Governance Team. Any areas of good practice are also collated by the Information Governance Team and disseminated across the Health Board as part of the quarterly IG key performance indicator reports and the IG Bulletin. During 2017/18, 25 Information Governance compliance spot checks were undertaken: 7 within the Mental Health service, 2 GP Managed Practices, 1 Ysbyty Glan Clwyd ward, 2 Wrexham Maelor hospital wards, 3 Ysbyty Gwynedd wards, 2 Flying Start services and 8 community hospital sites.

6.0 Senior Information Risk Owner Section

The role of the Senior Information Risk Owner (SIRO) is to take ownership of the Health Board’s information risk process and to act as an advocate for information risk on the Board. On an annual basis, and in addition to the section included within the annual governance statement, the following dedicated section is provided as part of the overarching IG Annual Report.

6.1 Information Security

During 2017/18 there has continued to be high media interest with regards to information security. The NHS continues to face increased challenges and pressures in ensuring appropriate information security is in place, as well as the growing cyber-security threat that has been prevalent over the last year. The Health Board continues to ensure that resilient processes and procedures are in place across the Health Board. Key activities and audits are on-going within Clinical / Corporate divisions to ensure that good information security practice is maintained.


6.2 Information Governance Incident Reporting The Health Board manages the reporting of information governance incidents (including those relating to personal data) through the Incident Reporting System (Datix), and considers that any incident involving the actual or potential loss or inappropriate disclosure of personal information which could potentially lead to identity fraud, or have other significant impacts on individuals should be classed as serious. This applies to all types of device or media involved, and includes the loss or inappropriate access of both electronic and paper records. 6.3 Information Governance Incidents During 2017/18 the Health Board recorded 241 incidents which were categorised and reported as information governance incidents. The Health Board continued to use the Department of Health’s Digital Information Policy – Checklist for Reporting, Managing and Investigating Information Governance Serious Incidents to classify these risks, in terms of severity. This guidance assists in categorising incidents according to the likely consequences of harm. If the categorisation reaches a score of 2 or above this is classed as notifiable to the Information Commissioners Office. The number of incidents categorised 0 to 1 or 2 are broken down below:

Category 0 or 1    Category 2 – reportable to the ICO
239                2

The Health Board uses this guidance to ensure that:

• there is a consistent approach to evaluating serious IG incidents;

• early reports of serious IG incidents are made so that sufficient time is given if notification is required. Under new data protection legislation there will be a requirement to notify within 72 hours;

• appropriate action is taken to prevent harm or damage to patients, staff and the reputation of the Health Board;

• all aspects of the serious incident are fully explored and ‘lessons learned’ are identified and communicated; and

• appropriate corrective action is taken to prevent recurrence.

These incidents are reported to the IGG and the F&P Committee on a quarterly basis. These are broken down into 3 category areas:

• Non-compliance with IG policies and procedures;


• Breaches of confidentiality (which could include personal data transmitted/sent to the wrong person, personal data found in a public area, inappropriate access to a system);

• Information Management and Technology Security issues.

6.4 Serious information governance incidents

All serious incidents categorised as Level 2 and above are reported to the ICO and Welsh Government. There were 2 incidents this year that required reporting to WG and the ICO:

1. Loss of nursing notes from an independent Residential Home after they were accidentally taken away by a removal man. This information was not retrieved and the residents affected were informed of the loss of their information. The ICO took no further action as they were satisfied that the Health Board had taken the appropriate remedial action.

2. Maternity care notes which went missing from a locked office in a community building. As a result of this incident, the door code to the office was changed and all patient information will be stored in a locked cabinet within the office. The patients affected were informed of the breach. To date, the Health Board is still awaiting the outcome of the ICO findings.

6.5 Identified Incident Improvement Actions

Examples of the types of action undertaken as part of incident investigations include:

• IG Compliance audits undertaken where appropriate to highlight any areas requiring action;

• Awareness raising amongst team or wider organisation of IG policies and procedures;

• Advice and guidance frequently issued to staff on issues such as confidential waste, bogus callers, USB sticks, emailing confidential information, inappropriate recording or taking pictures of staff / patients, transporting / disclosing confidential information, labelling of internal & external mail, inappropriate access;


• Regular reminders to staff with regards to inappropriate access to health information and the use of NIIAS;

• Advice and guidance issued to staff in relation to the use of secure printing following a series of incidents.

6.6 Auditing of our systems

To ensure a more robust and efficient way of monitoring and auditing access to the electronic clinical record, processes have been put in place to enable the Health Board to actively manage notifications generated by the National Intelligent Integrated Auditing System (NIIAS). The objective of the system is to automatically pick up suspected unauthorised access to patient information by staff, along with inappropriate access to their own health information. All notifications are investigated by the Line Manager of the staff member and, if the access is found to be inappropriate, action is taken using the Health Board’s Disciplinary Procedures. During 2017/18 NIIAS generated 312 notifications of alleged inappropriate access to family records or own health records. This is a decrease on last year, as per the table below:

Year      Accessing own record   Accessing family member   False positive   Total
2016/17   290                    93                        4                387
2017/18   204                    104                       4                312

6.7 Information Governance Risk Register

During 2017/18 the IG Departmental risk register continued to be updated, with the main information governance risks identified as:

• Failure to meet our requirements under GDPR with regards to patient and corporate records with regards to locating, accessing, storage and retention;

• Resource constraints affecting the handling of requests for information via Freedom of Information Act and Data Protection (subject access requests) leading to low compliance on timescales and complaints to the ICO;

• Data Protection Impact Assessment procedure is not embedded within the Health Board therefore new systems and processes are not always effectively being assessed for any data protection impacts;

• Fair processing information is not always readily available or accessible to the public regarding our information sharing activities;

Existing controls included:


• Development, implementation, review and dissemination of appropriate policies, procedures and guidance;

• Appointment to appropriate posts and identification of leads, e.g. Caldicott Guardian, SIRO, Data Protection Officer and Clinical/Corporate Division Information Governance Leads;

• Appropriate Committees and supporting groups established to be responsible for the IG Framework;

• Development, implementation and review of the IG Operational Plan;

• Reporting of incidents via the Incident Reporting System;

• Develop and implement a robust corporate records management system;

• Provision of Good Record Keeping training;

• Case note tracking systems are in place for Health Records to ensure that the current location is known;

• Case note availability for outpatient clinics has been assigned as a lead area of work to increase focus and remove barriers to availability;

• Provision of additional storage space to alleviate storage issues, and minimise the risk to staff safety (through the management of records in an inadequate space);

• Regular key performance indicator compliance monitoring for information governance and Health Records in place which is reported to appropriate Board Committees;

• Continued improvement and delivery of comprehensive mandatory IG training programme and 3 year IG Training Strategy and plan;

• Continued management of the National Intelligent Integrated Auditing Solution;

• The NHS Wales Informatics Services (NWIS) facilitates and provides expert advice and support on the delivery of the GP IG Toolkit to GP Practices.

One risk has been escalated to the Tier 2 Office of the Board Secretary Risk Register:

• Failure to implement all of the requirements of the GDPR by 25th May 2018.

A GDPR Transition Programme has been put in place with project streams to carry out work around accountability, staff awareness, audit the information we hold, map information flows and review information sharing contracts with 3rd parties.

7.0 Information Sharing

BCUHB may share information with other organisations in order to provide safe, high quality health care for patients. These organisations include the Welsh Government, Local Authorities, Voluntary Organisations and the Police. However, it is essential that patients can trust the Health Board and its partner organisations to share this information in a relevant, secure and confidential manner, thus protecting the patient’s privacy at all times.

7.1 Wales Accord on the Sharing of Personal Information

The Wales Accord on the Sharing of Personal Information (WASPI) has been endorsed by the Welsh Government as the ‘single’ information sharing framework for Wales. The purpose of the framework is to enable service-providing organisations directly concerned with the health, welfare, safeguarding, and protection of individuals and the public to share personal information between them in a lawful, safe and informed way. Using the WASPI framework will aid the sharing of personal information where there are often perceived barriers between partner organisations, and will reduce the fragmentation of services, ensuring that the rights of all those involved in the process are protected. The framework consists of two elements: the Wales Accord on the Sharing of Personal Information and supporting local Information Sharing Protocols (ISPs). A range of guidance documents and template ISPs have been developed to assist partner organisations in implementing the framework. Within the Health Board, regular reports on newly approved ISPs and other information sharing agreements are provided quarterly to the Information Governance Group.

8.0 Caldicott Guardian Authorisations

As part of the role of the Caldicott Guardian (CG) there is a requirement for operational decisions or, as the delegated officer, to authorise information sharing on behalf of the Board where services or systems involve patient or information. There are several ways in which to share information appropriately and within legislation:

• Data Processing Agreement (DPA) provides a framework for the secure and confidential obtaining, holding, recording, storing and sharing of information between participating partner agencies or organisations. The Health Board approved 15 DPAs.

• An Information Sharing Agreement (ISA) is a signed ratified document between a partner (third party) and the Health Board that sets out what information is going to be shared, what powers in law give the ability to share information, how the information is going to be shared, who the partners to the agreement are and any necessary security requirements. The Health Board approved 4 ISAs.


• Data Disclosure Agreement (DDA) is the routine sharing of data sets between organisations for an agreed purpose. The Health Board approved 1 DDA.

• During the last year we have also carried out 3 audits and 1 case for exceptionality:

1. National Paediatric Diabetes Audit – National audit

2. National Audit of Cardiac Rehabilitation (NACR) – Audit of patients who have had stents or bypass surgery (this is anonymised) in order to inform improvement in cardiac services across the Country

3. EPIC – Mersey, Cheshire and Wales Status Epilepticus audit

A case for exceptionality was put forward to work outside the requirements of the Email Procedure, which states that personal data should not be emailed outside of NHS Wales:

1. In line with the Social Services and Well-being (Wales) Act 2014 everyone has a duty to report abuse. This should be reported to the statutory leads of the Local Authority where the alleged abuse occurred as quickly as possible; given that operational staff do not have access to MOVEit, all referrals are e-mailed direct to the safeguarding department; this is creating risks in relation to delay and ‘ownership’ by the referring clinician.

a. The referrals are only processed during the normal working week and therefore delays can occur out of hours; this is a significant risk.

Agreement: It was agreed by IG and approved by the Caldicott Guardian that emails for this particular workflow could be sent via email as long as they were password protected.

9.0 Policies and Procedures

During 2017/18 the majority of Information Governance policies and procedures were reviewed in line with the new General Data Protection Regulation (GDPR):

• Procedure for storage and transportation of personal data or sensitive information

• Procedure for Compliance with Freedom of Information Act and Environmental Info Regulations 2004

• Internet Access Procedure

• Procedure for Dealing with Subject Access Requests under the Data Protection Act

• IM&T Security Policy & Procedure

• Notification of Information Security Breach Procedure


• Permitted Persons Restricted Control Procedures

• Privacy Impact Assessment Procedure and SOP

• Information Governance Strategy

• Data Protection Act

• Subject Access Request Procedure

• Confidential Waste Procedure

• NIIAS Management of Notifications Procedure

• Process for the requesting, approval and review of Information accessed by an employee

• Guidance on disclosing personal information

• Software Patch Policy Procedure

The Data Protection Registration Notification was also updated in September 2017. Policies and procedures will continue to be developed or updated during 2018/19 to further support the Information Governance Framework. Particular attention will be given to our Access to Information Policy and Procedures and Records Management Policy and Procedures to ensure they comply with the new requirements within the GDPR.

10.0 Data Quality

Data Quality is managed and monitored by the Informatics Department and will be reported through progress reports on delivery of the Informatics Operational Plan. The Information Governance Team will provide advice and support when necessary to ensure a consistent approach across the Health Board.

11.0 Requests for Information

The BCUHB Access to Information Policy incorporates requests for information under the Freedom of Information Act, Environmental Information Regulations, Data Protection Act and Access to Health Records Act.

11.1 Freedom of Information Act 2000/Environmental Information Regulations 2004 Requests

The Freedom of Information Act 2000 (FOIA) came into force on 1st January 2005 and gives anyone the right of access to information held by public authorities. Responses should be provided within 20 working days; they are co-ordinated and processed by the Information Governance Team and receive Board Level Director and/or Chief Executive approval before release. BCUHB has a robust system in place for dealing with FOIA requests. The number of requests has slightly decreased this year; however, the number of questions has increased, and the complexity of these requests presents a greater challenge to remaining compliant with statutory deadlines. Nevertheless, the Health Board managed to increase compliance to 77%. Failure to meet statutory requirements in this area is monitored by the Information Commissioner’s Office (ICO), which is the UK’s independent authority set up to uphold information rights. Performance across BCUHB is monitored on a quarterly basis and reports are submitted to the IGG and, via issues of significance, to the F&P Committee. During 2017/18 BCUHB received and processed the following FOIA requests:

YEAR      No. of requests   No. of questions   Responded to within 20 days
2016/17   631               2,569              70%
2017/18   625               2,770              77%

A comparable 4 year breakdown of applicant types has been categorised into the chart below.

The main themes of information requested were in relation to:

• Use of Agency staff and spend

• Drugs and Medication

• Staff related (salaries, redundancies, sickness absence, vacancies)

• Mental health services (CAMHS, adult services, out of area placements, spend)

• Health Services (including service reviews, estates/facilities, ward closures etc.)

• Statistics (including waiting times, admissions, cancelled operations, delayed transfer of care, bed numbers etc.)

• Complaints, claims and incidents (including assaults on patients and staff)

• Copies of reports, guidelines, policy, procedures, audits, emails

• Financial Expenditure

• Individual patient funding requests and Continuing Health Care


The following chart details the requests received per Division / Corporate Service:

Requests are normally responded to in full; however, there are some circumstances whereby the information is not provided. Reasons why a request may not be fully responded to include:

• Information not held by the Health Board

• Request withdrawn by the applicant

• Request clarification not received from the applicant

• Request transferred to another public authority

• Section 12 – Fee Limit was exceeded

• Exemption 21 – Information accessible by other means

• Exemption 22 – Information intended for future public release

• Exemption 31 – Law enforcement

• Exemption 38 – Health and Safety

• Exemption 40 – Personal Information

• Exemption 43 – Commercial interests


In the spirit of openness and transparency all finalised responses are published anonymously on the BCUHB Internet site under the FOIA Disclosure log.

11.2 Requests for Internal Reviews

If an applicant is dissatisfied with the response they receive, they can request that an internal review be carried out by the Health Board. Seven requests for an internal review were received during 2017/18 compared to 3 in 2016/17. The internal reviews upheld 4 of the Health Board’s original responses; 2 reviews overturned the Health Board’s original decision and therefore the information initially requested was provided; and 1 review partially overturned the Health Board’s original decision and therefore part of the information initially requested was provided.

11.3 Complaints to the Information Commissioner’s Office (ICO)

If an applicant remains dissatisfied with the result of the internal review they have a right of appeal to the ICO for an independent review. During 2017/18 the Health Board received 3 complaints from the ICO, and following the Health Board’s comprehensive response, no further action was taken.

11.4 Data Protection Subject Access Requests (DPA SAR)

Requests for information under the DPA SAR can be made by anyone who wishes to view or receive a copy of personal information about themselves; this could be a copy of their health records, a copy of a personnel file or any other record that may hold personal information about them. BCUHB has a legal obligation to respond to these requests unless an exemption applies and, upon receipt of the appropriate authority, responses to requests for non-clinical information are processed and co-ordinated by the Information Governance Team. During 2017/18 requests increased; however, the Health Board improved its compliance rate to 85% compared to 75% in the previous year:


Year      No. of requests   No. replied to within 40 days
2016/17   33                75%
2017/18   38                85%

11.5 Complaints to the Information Commissioner’s Office (ICO)

An applicant can complain directly to the ICO in relation to how the Health Board has dealt with a request under the Data Protection Act. During 2017/18 the ICO received 3 complaints: 2 related to a concern that the Health Board had not provided all the information requested, and the other related to the Health Board not releasing the names of individual staff who had accessed a health record. The Health Board was able to provide a positive response to these complaints and no further action was taken by the ICO. The ICO also upheld our decision not to name individual staff.

11.6 The Access to Health Records Procedure

This is managed and monitored by the Health Records Department, which sits within the Informatics Division, and therefore statistics and compliance are reported via the Health Records performance reports. However, for the last 2 quarters of 2017/18 statistical data has been reported via the overarching quarterly IG KPI report, which is reported to the Information Governance Group. The Information Governance Team continues to provide advice and support when necessary to ensure a consistent approach is used across the Health Board.

12.0 Complaints/Concerns & Outcomes

During 2017/18 BCUHB received 26 complaints involving:

• Alleged confidentiality breach (internal)

• Alleged data loss

• Breaches in confidentiality such as:

  ▪ Correspondence sent to incorrect address or recipient

  ▪ Inappropriate access to information

  ▪ Information left / found in a public place

All complaints were fully investigated and where evidence of a confidentiality breach was found immediate actions were identified and implemented including:

• Informing and apologising to patients whose information had been breached;

• completion of compliance spot checks;

• ensuring any training needs fulfilled;

• raising staff awareness of current policies and procedures;

• changing processes to avoid future similar incidents.


Any lessons learned were disseminated throughout the Health Board via alerts and the IG Bulletin, and also used as examples within the mandatory IG training.

14.0 Training

Information Governance training covers all aspects of Information Governance, including information security, data protection and confidentiality, and is provided via a number of sources:

• IG training (as part of the UK Core Skills for Health) is mandatory for all staff every 2 years and is embedded into the Workforce & Organisational Development & Clinical mandatory training days;

• Staff have access to the all Wales e-learning package which has additional local content;

• Formal training sessions are available to all staff across the organisation;

• Ad-hoc sessions to individual departments/teams to coincide with their training days / staff meetings etc. at a time and place convenient to them;

• Workbook available for facilities staff without supervisory responsibilities, who are unable to access IT facilities;

• Regular awareness raising and sharing lessons learnt via corporate newsletters, emails, security alerts;

• Regular distribution of guidance and updated policies and procedures.

During 2017/18 there were 39 face to face Information Governance training sessions held, with a total of 1,885 staff in attendance. From these we received 756 completed evaluation forms, whose feedback demonstrates that the majority of staff found the sessions useful and were happy with the venues and timing of the sessions; overall, 94% of staff rated the sessions good to excellent.


In addition to the face to face training 5,445 staff undertook the e-learning package, and from January 2018 we have been delivering IG sessions at all Orientation weeks. The overall compliance for staff attaining their mandatory IG training was 78%.

15.0 Information Governance with Primary Care

The NHS Wales Informatics Services (NWIS), on behalf of the Primary Care Informatics Programme (PCIP) and in conjunction with the Health Board, have been tasked with facilitating and providing expert advice and support on the delivery of the Information Security Management System (ISMS) within General Medical Practices and Community Pharmacy.

The purpose of the Project is to provide General Medical Practices and Pharmacies with the tools to be able to evidence a level of Information and IT Security that will allow them to safely contribute to any systems implemented by the NHS Wales Informatics Service (NWIS) Programme and to be able to demonstrate compliance with the NHS Wales Information Security and Acceptable Use Policy and current legislation.

During 2017/18 NWIS have offered support to practices to address areas identified for improvement. The first annual submission of the GP IG Toolkit was carried out and 92 of 102 (90%) GP Practices completed their submission. The table below breaks this down by GP Cluster:

Cluster                          Number of Practices   Submitted    Started but not submitted   Not Started
Anglesey                         11                    9 (82%)      1 (9%)                      1 (9%)
Arfon                            10                    10 (100%)    0 (0%)                      0 (0%)
Central and South Denbighshire   6                     5 (83%)      1 (17%)                     0 (0%)
Conwy East                       4                     3 (75%)      1 (25%)                     0 (0%)
Conwy West                       12                    11 (92%)     1 (8%)                      0 (0%)
Deeside, Hawarden and Saltney    7                     7 (100%)     0 (0%)                      0 (0%)
Dwyfor                           5                     5 (100%)     0 (0%)                      0 (0%)
Holywell and Flint               7                     6 (86%)      1 (14%)                     0 (0%)
Meirionydd                       6                     6 (100%)     0 (0%)                      0 (0%)
Mold, Buckley and Caergwle       7                     5 (71%)      2 (29%)                     0 (0%)
North Denbighshire               6                     5 (83%)      1 (17%)                     0 (0%)
South Wrexham                    8                     7 (87.5%)    1 (12.5%)                   0 (0%)
West and North Wrexham           6                     6 (100%)     0 (0%)                      0 (0%)
Wrexham Town                     7                     7 (100%)     0 (0%)                      0 (0%)

Random validation of the submissions of one practice per GP cluster will be carried out by NWIS and a report provided to the Health Boards once this has been completed.

Awareness sessions and support were provided to GP Practices around their readiness for GDPR. These sessions were provided by the ICO, NWIS and the Health Board. A readiness checklist was also provided, and Policies and Procedures are being developed nationally which GP Practices will be asked to adopt. GP Practices also have access to the All Wales IG e-learning package, which has been updated to reflect the changes to data protection legislation.

GP Cluster Project Support

Sixty four primary care clusters have been established in Wales, tasked with ensuring that the health and social care needs of their local population are met. In order for the potential of the clusters to be maximised, a multidisciplinary leadership team is being established within each cluster, ensuring better communication and sharing of information and resources between healthcare professionals in the network locality.

A project was set up to enable integration of the services across the cluster. Each of the 8 practices included in the South Wrexham GP Cluster agreed ‘in principle’ to open up their patient records so that they may be accessed and updated across the cluster for the benefit of their collective patients. The long term goal is to open up these records outside of the GP cluster so that they can become a fully integrated record that can be updated by any health and social care professionals directly caring for the patient/service user. The IG Team carried out a privacy impact assessment around the project requirements to ensure that the Data Protection Act would not be breached by this sharing of patient records and that any processing was carried out in a fair and lawful way.

Through this work we were able to provide support and guidance and produce template documentation to enable the GP Cluster to carry out this new way of integrated working. This consisted of data controller in common agreements, communication plans, training and awareness packages and fair processing information for patients. This way of working has been demonstrated as good practice and the template documentation has been adopted nationally across Wales.

16.0 Achievements

16.1 The Operational Information Governance Group (IGG) meets on a quarterly basis. The IGG is chaired by the Health Board’s Caldicott Guardian and is attended by the DPO, Head of ICT, Head of Health Records, the Information Governance Team and representatives from Clinical and Corporate Divisions. Any issues of significance from this group are reported to the F&P Committee alongside appropriate assurance reports. The IGG’s terms of reference are to:

• Prepare for implementation of the General Data Protection Regulation (GDPR) and receive quarterly highlight reports.

• Ensure that the Health Board has effective policies and management arrangements covering all aspects of Information Governance in line with the Health Boards overarching Information Governance Strategy

• Ensure that the Health Board undertakes annual assessments and audits of its Information Governance policies and arrangements via its assurance framework.

• Establish an annual Information Governance Workplan, secure the necessary implementation resources, and monitor the implementation of that plan.

• Review operational information governance risks and health records risks that are assigned to the Group and advise the appropriate Director on any risks requiring escalation.

• Monitor quarterly IG KPI reports which will include performance data relating to access to health records.

• Receive and consider reports into breaches of confidentiality and security and where appropriate undertake or recommend remedial action.

• Receive the Chair’s assurance report from the Patient Records Group and the ICT Security & Governance Group.

• Report and provide assurance to the F&P Committee on a quarterly basis.

• Liaise with other Health Board committees, Management Teams, and Project Boards in order to promote Information Governance issues.

17.0 Conclusions

2017/18 continued to be a challenging year in respect of Information Governance. There has been a rise in demand on the Information Governance Team with regards to:


• More complex requests for information via Data Protection – subject access requests and Freedom of Information requests;

• Requests for Information Sharing development – requiring facilitation and implementation;

• Increase in reported incidents – requiring support with investigations;

• Increase in allegations of breaches of confidentiality – requiring investigation and reporting;

• Increase in the delivery of IG Training sessions;

• Increase in requests for support and guidance to staff;

• Implementation of national and local systems;

• Support with national and local projects;

• Preparing the organisation in readiness for the General Data Protection Regulation;

• Continued coordination of the National FOIA collection and reporting;

• Continued coordination of the National GDPR position reporting for all NHS Organisations.

The Information Governance Framework for BCUHB continued to be progressed across the organisation to ensure that efficient and secure practice was maintained. Training and guidance continued to be delivered by the Information Governance Team, with awareness also raised through various routes including mandatory and ad-hoc staff training, induction, newsletters, bulletins and email alerts. A GDPR Transition Programme was put in place to enable the organisation’s readiness for GDPR, and regular updates and reports were presented to the IGG and F&P Committee. The Information Governance Team will continue to provide an effective service and aim for continuous improvement throughout 2018/19 and beyond to meet the needs of all services across BCUHB.

18. Looking forward

18.1 The main emphasis for the year 2018/19 will be ensuring the Health Board can comply with the new and enhanced requirements within GDPR. To enable this, the GDPR Transition Programme will merge into the normal work of the IG Team to increase and strengthen resources and arrangements, with continuation of the following work packages:

• Continue with staff awareness sessions, one to one and team support;

• Carry out information asset audits on all information the health board holds including corporate and clinical;

• Identify information asset owners and implement an information asset register with programme of review;


• Carry out an audit of all electronic systems that collect data and carry out risk assessments around their compliance with information security, cyber security and data protection;

• Map information flows both internal and external ensuring any sharing with 3rd parties complies with standards and data protection requirements and that robust levels of security certification and contracts are in place;

• Develop a corporate records business classification structure and system which incorporates retention and disposal requirements;

• Provide awareness and training for staff on the use of the asset register and records management system;

• Further develop the Information Asset Register to capture the whole lifecycle of a record or system which will include data protection impact assessments; 3rd party assurance; information flows; contract review and retention and destruction alerts.

18.2 Participate in a Data Protection Audit with the Information Commissioner’s Office and implement the findings from this review.

18.3 Actively participate in and present assurance to the appropriate Board Committee.

18.4 Continue to roll out the 3 year IG Training Strategy and Plan.

18.5 Continue to manage NIIAS as it is further rolled out across the National systems.

18.6 Develop and implement training and awareness packages for staff who are responsible for the following roles:

• Information Asset Owner

• Information Asset Administrator

• System Owner

• Records management

18.7 Introduce an IG walkabout programme.

18.8 Continue to maintain and improve on the Caldicott C-PiP compliance rate.