Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.
It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.
This Policy should also be considered alongside the Confidentiality Policy.
2. Relevant CQC Fundamental Standard/H+SC Act Regulation (2014)
Regulation 15: “Premises and Equipment”.
The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.
The organisation fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information.
The organisation also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
The organisation believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such, it is the responsibility of everyone in the organisation to ensure and promote the quality of information and to actively use information in decision-making processes.
There are four key interlinked strands to the Information Governance Policy:
- Legal compliance
- Information security
- Quality assurance
It is the role of the CQC Registered Manager to define the organisation’s policy in respect of Information Governance, taking into account legal and NHS requirements.
The CQC Registered Manager is also responsible for ensuring that sufficient resources are available to support the requirements of the policy.
The CQC Registered Manager is the designated Information Governance Lead in the organisation and is responsible for:
- Overseeing day-to-day Information Governance issues;
- Developing and maintaining policies, standards, procedures and guidance;
- Coordinating Information Governance in the organisation;
- Raising awareness of Information Governance; and
- Ensuring that there is on-going compliance with the policy and its supporting standards and guidelines.
All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they remain aware of the requirements incumbent upon them for ensuring compliance on a day-to-day basis.
5. Policy Approval
The organisation acknowledges that information is a valuable asset; it is therefore wholly in its interest to ensure that the information it holds, in whatever form, is appropriately governed, protecting the interests of all of its stakeholders.
The organisation will, therefore, ensure that all staff, contractors and other relevant parties observe this policy, in order to ensure compliance with Information Governance and contribute to the achievement of the primary care objectives and delivery of effective healthcare to the local population.
6. Caldicott Guardian
A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Each NHS organisation is required to have a Caldicott Guardian; it shall be the duty of the Board to designate a Caldicott Guardian for the Company.
Person identifiable information takes many forms. It can be stored on computers, transmitted across networks, printed or stored on paper, spoken or recorded. The organisation must safeguard the integrity, confidentiality, and availability of sensitive information.
No one from the organisation (this includes staff employed by commercial partners and volunteer groups) is allowed to share any person identifiable information unless it has been authorised by the organisation’s Caldicott Guardian. It is unlikely that this authorisation will be granted unless the access is on a need-to-know basis and justifiable against the Caldicott principles.
The Caldicott standard is based around six principles:
7. Confidential Waste Management
Confidential Waste is defined as ‘waste containing personally-identifiable information or waste which is business sensitive’. Below is a specific list of material classed as ‘confidential’ that would require secure disposal:
- data relating to future activities of the Organisation;
- payroll and pension data;
- sensitive personal data, as defined by the Data Protection Act 1998, covering racial or ethnic origin, political opinions, religious beliefs, Trade Union activities, physical or mental health, sexual life, or details of criminal offences;
- higher level personal data, such as information relating to staff disciplinary proceedings or harassment;
- clinical records;
- records of a commercially sensitive nature, such as contracts, tenders, purchasing and maintenance records, or legal documents; and
- records containing sensitive information such as video, DVD, photographs and other multi-media formats.
Legally, the Organisation is obliged under the provisions of the Data Protection Act 1998 to protect all personally-identifiable information and the seventh principle states that ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
The Organisation therefore recognises it has a duty of care to ensure all personally-identifiable and confidential information relating to the Organisation’s business activities is protected from the public domain and has an obligation to dispose of all clinical and non-clinical information under secure and confidential conditions. Through the proper control of the destruction of records, vulnerability to legal challenge or financial loss is minimised.
It is the responsibility of all Organisation staff to ensure confidential information they are handling is destroyed effectively, securely and in accordance with this policy and procedure. Whether clinical or administrative, anyone who creates, receives and uses records has records management responsibilities, which include the disposal of all documents.
Any breach of confidentiality should be classed as a security incident and reported in accordance with the Organisation’s Incident Reporting Policy.
In order to ensure the Organisation is meeting its legal requirements, it must ensure all records are appropriately retained for the maximum amount of time. All manual records that have reached the end of their lifecycle, in accordance with the Department of Health Records Management: NHS Code of Practice.
It is the responsibility of all staff to ensure information they are handling is destroyed effectively, securely and in accordance with this policy and procedure. All manual records that have reached the end of their lifecycle should be destroyed using one of the following methods: