Confidentiality Audit Procedure - Wolverhampton



Page 1 of 19 [PROTECT: DRAFT]

Confidentiality Audit Procedure

Document references

Version 1.0

Date April 2014

Author Anna Zollino-Biscotti, Information Governance Officer

Change History

Version Date Description

1.0 Draft

With Thanks to:

Wolverhampton City Council acknowledges the work undertaken by Greenwich Clinical Commissioning Group, on which this document is based.


Contents Page

2.0 Monitoring Confidential Information ..... 3
3.0 Auditing Access to Confidential Information ..... 4
4.0 Audit Method ..... 4
5.0 Frequency ..... 4
6.0 Pre-Audit Questionnaires ..... 5
7.0 Pre-Audit Meeting ..... 5
8.0 Audit Checklist ..... 5
9.0 Conducting the Audit ..... 6
9.2 Staff Awareness Interviews ..... 6
10.0 Reporting ..... 7
10.1 Non-Compliance ..... 7
11.0 Audit Report ..... 8
12.0 Closing Meeting ..... 8
13.0 Audit Follow Up ..... 8
14.0 Audit Closure ..... 8
18.0 Associated documents and related policies ..... 9
19.0 Appendices ..... 10
Appendix 1 Pre Audit Questionnaire ..... 11
Appendix 2 Compliance Audit Template ..... 12
Appendix 3 Noncompliance Action Plan ..... 17
Appendix 4 Audit Report ..... 18


1.0 Introduction

With advances in the electronic management of health and social care information, such as the electronic social care record and similar information management systems, the requirement to monitor access to such confidential information has become increasingly important.

With the large number of staff using these systems, it is imperative that access is strictly monitored and controlled. Furthermore, with the increased use of electronic communications, the movement of confidential information via these methods poses the threat of information falling into the hands of individuals who do not have a legitimate right of access to it.

Failure to implement adequate controls to manage and safeguard confidentiality may result in a breach of that confidentiality, therefore contravening the requirements of the following:

Caldicott Principles

Data Protection Act 1998

Human Rights Act 1998

Common Law Duty of Confidentiality

These procedures provide an assurance mechanism by which the effectiveness of the controls implemented within the local authority is audited; areas for improvement and concern are highlighted, and recommendations are made for improved control and management of confidentiality within the Community Directorate of Wolverhampton City Council.

2.0 Monitoring Confidential Information

In order to provide assurance that access to confidential information is gained only by those individuals that have a legitimate right of access, it is necessary to ensure appropriate monitoring is undertaken on a regular basis. Monitoring will be carried out by the Information Governance Team in order that irregularities regarding access to confidential information can be identified and reported to the Caldicott Guardian and Information Governance Board and action taken to address the situation, either through the implementation of additional controls, disciplinary action, or other remedial action as necessary. Any breach or suspected breach involving confidentiality, integrity or availability of information (hardcopy or digital) must be reported using the corporate information incident contact point. Please refer to the corporate Information Incident Policy.


3.0 Auditing Access to Confidential Information

The Caldicott Guardian will ensure that audits of security and access arrangements within each area are conducted on a regular basis; as a minimum these should be carried out once a year. Areas to be audited are to include:

Security applied to manual files e.g. storage in locked cabinets / locked rooms

Arrangements for recording access to manual files e.g. access requests by solicitors, police, data subjects etc.

Evidence that checks have been carried out to ensure that the person requesting access has a legitimate right to do so

Retention and disposal arrangements

The location of fax machines and answer phones which receive confidential information – are they designated safe haven faxes?

Confidential information sent or received via email, security applied and email system used

Information removed from the workplace – has authorisation from the appropriate person been gained either for long term or short term removal?

Security arrangements applied i.e. transportation in secure containers

The understanding of staff within the department of their responsibilities with regard to confidentiality and restrictions on access to confidential information

Security applied to laptops, compliance with the local authority’s IT Security Policy.

Verbal conversations in which personal data is exchanged

Passwords being used within the area being audited

4.0 Audit Method

The audit should be carried out through a series of interviews with Heads of Service/Team Managers and staff, and can be conducted on a one to one basis or as a focus group. Questionnaires and observations can also be used to assist and supplement the audit. It is important to note that some audits may be undertaken out of normal office hours and may be unannounced; therefore the use of questionnaires may not always be required.

5.0 Frequency

Prior to commencing the audit process it will be necessary to decide how frequently this audit will be carried out. It is recommended that each area is audited at least once a year.


6.0 Pre-Audit Questionnaires

It will assist the audit process for the area being audited to complete a pre-audit questionnaire (Appendix 1), which will enable the auditor to gain an understanding of the function of the department and the processes carried out relating to confidential information. This will allow the auditor to ask informed questions when conducting the audit, and the questionnaire can be referenced in the Audit Checklist (Appendix 2).

The pre-audit questionnaire should include the name of the department or area and a contact name and number, and should be returned to the auditor in advance of the scheduled audit date. The questions asked in the pre-audit questionnaire should assist the auditor in setting the context for the audit and should include:

Roles and responsibilities within the team

The types of information that the team deal with

The data flows in and out of the team

Awareness of general confidentiality issues within the team

Understanding of Data Protection Principles directly relating to jobs/roles within the team

Understanding the requirements of policies, protocols and procedures relating to confidentiality

Training received within the team

7.0 Pre-Audit Meeting

The auditor should arrange a brief pre-audit meeting with the Head of Service/Team Manager with the aim of discussing who will be involved in the audit, how long the audit is likely to take, what documentation will be required, what facilities will be required and what feedback will be provided to them. The required documentation should be forwarded to the auditor prior to the audit commencing, along with any local procedures which are in place that are of relevance.

8.0 Audit Checklist

An audit checklist (see appendix 2 for template) should be comprised of specific questions relating to the department/team being audited and will enable the auditor to ensure that all aspects of the audit are covered, to track progress of the audit, and to record and evidence the responses to the questions. The audit checklist should be linked to the pre-audit questionnaire.


9.0 Conducting the Audit

9.1 Completion of Audit Checklist

The audit checklist (Appendix 2) should be completed as part of the interview:

Column A – question/check

This should list the sub-questions relevant to the pre-audit questionnaire and as a minimum should cover the examples outlined in section 3.0.

Column B – documentary evidence

This should be used to record evidence put forward to support the responses to questions asked. Where documents form the evidence provided, the unique reference number of the document(s) should be included for ease of reference.

Column C – findings and observations

This should be used to record the auditor’s assessment as to how the evidence demonstrates compliance with the requirement/question and the link with the Data Protection Act 1998, the Caldicott Principles, the Common Law Duty of Confidentiality and similar legislation.

Column D – result

This should be used to record the auditor’s grading of the response to each question.

The following RAG rating codes should be used when grading responses:

RED – evidence demonstrates major non-compliance

AMBER – evidence demonstrates minor non-compliance

GREEN – evidence demonstrates full compliance

OBS – no evidence of non-compliance was found, but an observation was made that there was the potential for problems to occur and for improvements to be made.

9.2 Staff Awareness Interviews

Staff awareness interviews give the auditor an opportunity to assess the level of awareness of confidentiality issues. Interviews can be conducted either on a one to one basis or as a focus group, the duration of which should be between 15 and 30 minutes.

The interview will be conducted using directed questioning techniques, whereby the auditor opens with a broad question relating to a specific topic; this is then followed up with further questions which gradually narrow the scope of the question until finally the member or members of staff give a specific answer to the question posed.

The auditor’s questions and the interviewee(s) responses should be recorded separately and should be linked to the audit checklist.


10.0 Reporting

A formal report should be provided to the area being audited, detailing the outcome of the audit. This can be valuable to the department or area being audited, as it provides information as to their compliance with confidentiality requirements, and should include:

details about functions or processes which comply,

details about functions or processes which do not comply and an improvement programme to ensure that the department or area fulfills all requirements.

10.1 Non-Compliance

Where non-compliance is observed this should be recorded and referenced in the confidentiality audit action plan (see Appendix 3 for template). The action plan should detail the following:

ID/ref – linked to the audit checklist

Description of non-compliance and area of risk

Recommendation/action required (long term and short term as necessary)

Responsible owner

Proposed deadline

Completion date

Each area of non-compliance observed should have an associated recommendation which should be discussed and agreed with the Head of Service or Team manager. Each recommendation should also include a target date for completion and a named individual who will be responsible for ensuring that the recommendation is implemented. A follow up meeting or completion date should be agreed between the auditor and Head of Service/Manager to ensure that the action is completed and full compliance has been achieved. Recommendations will be tracked and managed by the IG Board. Non-compliance can fall into one of two categories:

RED: this would indicate that the non-compliance has occurred on a regular basis, or is an area where no measures or controls are in place, which could potentially expose the business area to serious risk/consequence.

AMBER: these could include one-off occurrences of non-compliance, where there is little risk of the non-compliance causing more than a minor irritation.

Where a number of minor instances of non-compliance (AMBER) are observed in the same functional area or department, this may indicate a more serious problem within that area. If this is the case, these instances of non-compliance should be combined into a major non-compliance (RED).


11.0 Audit Report

This should be produced once the audit has been completed, regardless of whether any non-compliance or concerns have been observed. It will include a summary of the findings of the audit, together with observations of non-compliance. Recommendations which have been made should also be included, and the action plan should be provided as supporting documentation. Any follow up required and the date of follow up should also be included in the report. The audit report should include an indication of its scope. Please see Appendix 4 for the report template.

12.0 Closing Meeting

This meeting will allow the auditor to present the findings from the audit. The audit summary will be presented along with detailed findings, as should recommendations for improvement and timescales within which those improvements should be made. Finally, agreement should be gained from the Head of Service concerned, with the non-compliance observations made. Any comments expressing disagreement should also be noted on the audit documentation. Where there is disagreement with a recommendation, these should be escalated to the Caldicott or IG Board (as applicable) for a solution.

13.0 Audit Follow Up

Once the audit process is complete, arrangements should be made for follow-up where non-compliance has been observed, as per the action plan which will allow the auditor to confirm that the recommended corrective action has been implemented.

14.0 Audit Closure

Once corrective action has been checked and agreed as compliant by the auditor, the audit can be formally closed.

15.0 Review

A review of this procedure will be undertaken 12 months following implementation and subsequently every 2 years until withdrawn or superseded.

16.0 Non-compliance

Non-compliance with this procedure by staff will be brought to the attention of the Caldicott Guardians and Information Governance Board.


17.0 Implementation and dissemination of document

The Procedure, once approved by the Information Governance Board, will be shared with all staff via email or via the intranet. A team briefing will be provided to support this dissemination.

18.0 Associated documents and related policies

Please refer to Wolverhampton City Council’s Information Governance policies and procedures:

Information Governance Policies and Procedures: http://www.wolverhampton.gov.uk/igov

Other relevant procedures

ICT Security Policy


19.0 Appendices

Appendix 1 Pre Audit Questionnaire

Appendix 2 Compliance Audit Template

Appendix 3 Non Compliance Action Plan

Appendix 4 Audit Report Template


Appendix 1 Pre Audit Questionnaire

Pre Audit Questionnaire

Directorate/Team: Audit Reference:

Location:

Contact Name:

Position:

Telephone Number:

Summary of Directorate/Team Functions:

Number of Full Time Staff:

Number of Part Time Staff:

Number of Temporary Staff:

Data Protection Questions:

Question 1 (enter question here)

Question 2 (enter question here)

Question 3 (enter question here)

Question 4 (enter question here)

Question 5 (enter question here)

Question 6 (enter question here)


Appendix 2 Compliance Audit Template

Confidentiality Audit Procedure/IG Compliance Audit

Site Location Directorate Date:

Aspect: Confidentiality Audit & Information Governance

Auditor

Section: ICT Security

Columns: Question/check (A), Documents Referenced (B), Comments (C), Result (D)

How many laptops/desktops are there within the area?

How many laptops/desktops are within a public area?

How many are secured against theft?

How are they secured against inappropriate access?

Are any covered by CCTV or infra-red security sensor?

Check to see if any are logged in and left unattended – observation

Is the screen viewable by the public?

Random check of C drives for confidential information – observation

Random check of keyboards and drawers to find passwords written down – observation

Is the equipment security marked?


Section: Communications

Columns: Question/check, Documents Referenced, Comments, Result

Is there facility for calls to be taken in privacy?

Check to see if calls can be heard from the public area – observation

Is there an answer phone in the public area?

Is this listened to whilst the public are present?

Where is the fax machine located?

Is this in a public area?

Is there a safe haven poster situated by the fax machine?

Check to see if any confidential information is on the machine – observation

Is it possible to reach across and remove a fax from the public area?

Is the fax machine sited correctly? i.e. away from windows, away from counter etc.

Are staff using the appropriate method of email communication?

Check to see if WCC secure messenger facility is being used appropriately and correctly.

Do staff have gcsx email accounts?

Check to see if staff are using GCSX email appropriately and correctly.


Section: Physical Security

Columns: Question/check, Documents Referenced, Comments, Result

Is access to staff only areas restricted by a security device?

Is the device used or is the door left open or ajar?

Are there any public areas which are closed for any period i.e. lunch?

Is the area secured against entry during these periods?

Is there any CCTV coverage of the area?

If CCTV is used, is an appropriate sign present?

Are Security staff present in the area?

Are there environmental controls to avoid damage via flooding, environmental issues?

Check to see if a clear desk policy is being followed by staff.

Section: Security of Confidential Information

Columns: Question/check, Documents Referenced, Comments, Result

Is confidential information used in a public area?

What security is used to protect this information?

Are locked cabinets available?

Check the reception area, walls and desks to see if confidential information is clearly on view – observation

Within staff only areas, is confidential information kept secure?

Can confidential information be seen from outside of the area?

Any Other Observations?


Is there a secure print facility available?

Check to see if staff are using the secure print facility where appropriate.

Are there any procedures in place regarding the disclosure of information?

Check to see how these processes are being followed (e.g. are disclosures being validated? Are they being recorded?)

Are there any procedures in place relating to the process of pseudonymisation of information?

Check to see if pseudonymisation is being undertaken appropriately and correctly.

How is data being captured? Check to see if data capture is relevant, accurate and not excessive.

What type of information is being recorded in work diaries? Check to see if PID is being recorded in these diaries.

Section: Records Security

Columns: Question/check, Documents Referenced, Comments, Result

How are the records stored?

Where are supplementary records stored?

How do you archive your records?

Are records given a retention period?

Check to see if records are being retained in accordance with their retention period.


Section: Disposal of Confidential Information

Columns: Question/check, Documents Referenced, Comments, Result

How is information being disposed of?

Check to see if confidential waste bins/bags are located within the area.

Check to see if PID is being disposed of using the correct waste bins/bags

Is there a shredder in the area?

Section: Disposal of Confidential Information

Columns: Question/check, Documents Referenced, Comments, Result

Do you require training in any areas that we have covered today?

If answered yes to the question above, what areas of training would you require?

Additional information

KEY:

= Issue addressed adequately

? = Issue not addressed adequately

= No reference found to issue in documentation


Appendix 3 Noncompliance Action Plan

Columns: ID, Description of Risk/noncompliance, Recommendations & Actions Required, By Who, When, Completion date

Recommendation:

Action:


Appendix 4 Audit Report

Audit Report

Directorate/Team:

Audit Date:

Audit Reference:

Page No: 1 of 2

Audit Summary:

Auditor Name:

Date Closed:

Signature:


Directorate/Team:

Audit Date:

Audit Reference:

Page No: 2 of 2

Observation Summary

Observation Reference

Details of Observation

Summary of Agreed Actions

Non-Compliance Reference

Action By

Corrective Action to be Taken

Date

Agreed Audit Follow up:

Auditor Name:

Date Closed:

Signature:

Audit Closed

Auditor Name:

Date Closed:

Signature:

Additional Comments: