1. Summary
Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.
It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.
This Policy should also be considered alongside the Confidentiality Policy.
2. Relevant CQC Fundamental Standard/H+SC Act Regulation (2014)
Regulation 15: “Premises and Equipment”.
3. Principles
The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.
The organisation fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information.
The organisation also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
The organisation believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such, it is the responsibility of everyone in the organisation to ensure and promote the quality of information and to actively use information in decision-making processes.
There are four key interlinked strands to the Information Governance Policy:
– Non-confidential information about the organisation and its services will be available to the public through a variety of media, in line with the organisation’s code of openness.
– The organisation will establish and maintain policies to ensure compliance with the Freedom of Information Act.
– The organisation will undertake or commission reviews of its policies and arrangements for openness.
– Patients will have ready access to information relating to their own health care, their options for treatment and their rights as patients.
– The organisation will have clear procedures and arrangements for liaison with the press and broadcasting media.
– The organisation will have clear procedures and arrangements for handling queries from patients and the public.
Legal Compliance
Information Security
Information Quality Assurance
4. Responsibilities
It is the role of the CQC Registered Manager to define the organisation’s policy in respect of Information Governance, taking into account legal and NHS requirements.
The CQC Registered Manager is also responsible for ensuring that sufficient resources are available to support the requirements of the policy.
The CQC Registered Manager is the designated Information Governance Lead in the organisation and is responsible for:
All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they remain aware of the requirements incumbent upon them for ensuring compliance on a day-to-day basis.
5. Policy Approval
The organisation acknowledges that information is a valuable asset; it is therefore wholly in its interest to ensure that the information it holds, in whatever form, is appropriately governed, protecting the interests of all of its stakeholders.
The organisation will, therefore, ensure that all staff, contractors and other relevant parties observe this policy, in order to ensure compliance with Information Governance and contribute to the achievement of the primary care objectives and delivery of effective healthcare to the local population.
6. Caldicott Guardian
6.1.
A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Each NHS organisation is required to have a Caldicott Guardian; it shall be the duty of the Board to designate a Caldicott Guardian for the Company.
6.2.
Person identifiable information takes many forms. It can be stored on computers, transmitted across networks, printed or stored on paper, spoken or recorded. The organisation must safeguard the integrity, confidentiality, and availability of sensitive information.
6.3.
No one from the organisation (this includes staff employed by commercial partners and volunteer groups) is allowed to share any person identifiable information unless it has been authorised by the organisation’s Caldicott Guardian. It is unlikely that this authorisation will be granted unless the access is on a need-to-know basis and justifiable against the Caldicott principles.
6.4.
The Caldicott standard is based around six principles:
Every proposed use or transfer of person identifiable information within or from an organisation should be clearly defined and scrutinised with continuing uses regularly reviewed by the Caldicott Guardian.
Person identifiable information items shall not be used unless there is no alternative.
Where use of person identifiable information is considered to be essential, each individual item of person information should be justified with the aim of reducing identity.
Only those individuals who need access to person identifiable information should have access to it and they should only have access to the personal information items that they need to see.
Actions should be taken to ensure that all staff who handle person identifiable information are aware of their responsibilities and obligations to respect confidentiality.
Every use of person identifiable information must be lawful. Individuals have a right to believe that personal information given in confidence will be used for the purposes for which it was originally given, and not released to others without their informed consent.
7. Confidential Waste Management
7.1.
Confidential Waste is defined as ‘waste containing personally-identifiable information or waste which is business sensitive’. Below is a specific list of material classed as ‘confidential’ that would require secure disposal:
7.2.
Legally, the Organisation is obliged under the provisions of the Data Protection Act 1998 to protect all personally-identifiable information and the seventh principle states that ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
7.3.
The Organisation therefore recognises it has a duty of care to ensure all personally-identifiable and confidential information relating to the Organisation’s business activities is protected from the public domain and has an obligation to dispose of all clinical and non-clinical information under secure and confidential conditions. Through the proper control of the destruction of records, vulnerability to legal challenge or financial loss is minimised.
7.4.
It is the responsibility of all Organisation staff to ensure confidential information they are handling is destroyed effectively, securely and in accordance with this policy and procedure. Whether clinical or administrative, anyone who creates, receives and uses records has records management responsibilities, which include the disposal of all documents.
7.5.
Any breach of confidentiality should be classed as a security incident and reported in accordance with the Organisation’s Incident Reporting Policy.
7.6.
In order to ensure the Organisation is meeting its legal requirements, it must ensure all records are appropriately retained for the maximum amount of time. All manual records that have reached the end of their lifecycle, in accordance with the Department of Health Records Management: NHS Code of Practice.
7.7.
It is the responsibility of all staff to ensure information they are handling is destroyed effectively, securely and in accordance with this policy and procedure. All manual records that have reached the end of their lifecycle should be destroyed using one of the following methods:
Internal Shredding: Cross Cut Shredder
Paper records should be destroyed using a shredding device designed to cross cut material to ensure the shredded material cannot be reconstructed. Staff shredding their own records are responsible for ensuring records are destroyed adequately and in such a way that protects the security of the information contained within them.
Use of External Confidential Waste Disposal Company
A confidential waste disposal company will be used if necessary, subject to confirmation that it meets all relevant statutory and other standards.
All queries with regard to the destruction of IT equipment and electronic media must be referred to the IM&T Lead.

