Our policies and procedures
- Statement of Purpose Document (61KB)
- Policies and procedures relating to human resources (including Race, Disability, Age and Gender, Equal Opportunities)
- Standing financial procedures
Complaints and other customer service policies and procedures
What is Information Governance?
Information Governance provides a strategic framework for the management of all information (clinical and non-clinical). It ensures accessibility, confidentiality and integrity of all our information.
Information is a vital asset both in terms of the clinical management of patients and the efficient management of services and resources. We ensure that information is efficiently managed and that appropriate policies, procedures and structures provide a robust governance framework.
Information Governance provides necessary safeguards for appropriate use of personal identifiable information (relating to patients and staff).
What is Personal Identifiable Information?
Personally Identifiable Information (PII) refers to information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify an individual. Examples of PII include name, address, NHS number and e-mail address.
How do we Safeguard Information?
We apply the following legal requirements and standards:-
- Confidentiality: NHS Code of Practice
- BS7799 / ISO 17799 Information Security Management
- Data Protection Act 1998*
- Records Management - HSC 1999/053 For the Record
- Information Quality Assurance - Data Accreditation
- Freedom of Information Act 2001
- Controls Assurance - IM&T and Records Management
The following standards are drawn together from the core Information Governance initiative:-
- Holding information securely and confidentially
- Obtaining information fairly and efficiently
- Recording information accurately and reliably
- Using information effectively and ethically
- Sharing information appropriately and lawfully
Code of Conduct for Handling Personal Information
Confidentiality is written into the contracts of all of the staff working for the Trust. The Trust also has a code of conduct for staff handling confidential information. This covers the confidentiality of personal identifiable information. A signature of acceptance is included in the employment contract.
This privacy notice sets out how The Countess of Chester Hospital NHS Foundation Trust (The Trust) uses and protects any information that you provide to us.
A review was commissioned in 1997 by the Chief Medical Officer of England "owing to increasing concern about the ways in which patient information is being used in the NHS in England and Wales and the need to ensure that confidentiality is not undermined. Such concern was largely due to the development of information technology in the service, and its capacity to disseminate information about patients rapidly and extensively".
A committee was established under the chairmanship of Dame Fiona Caldicott, Principal of Somerville College, Oxford, and previously President of the Royal College of Psychiatrists. Its findings were published in December 1997 and the report highlighted six key principles:-
- Principle 1 - Justify the purpose(s) - Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate guardian.
- Principle 2 - Don't use patient-identifiable information unless it is absolutely necessary. Patient-identifiable information items should not be used unless there is no alternative.
- Principle 3 - Use the minimum necessary patient-identifiable information. Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.
- Principle 4 - Access to patient-identifiable information should be on a strict need to know basis. Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see.
- Principle 5 - Everyone should be aware of their responsibilities. Action should be taken to ensure that those handling patient-identifiable information, both clinical and non-clinical staff, are aware of their responsibilities and obligations to respect patient confidentiality.
- Principle 6 - Understand and comply with the law. Every use of patient-identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements.
The Trust's Caldicott Guardian is responsible for overseeing access to patient information.
*Data Protection and the Data Protection Act 1998
The Data Protection Act is based on an EU Directive and protects personal information about living individuals (collection, storage & use).
It covers information that has the capability to identify an individual and includes:-
- Paper records (health records, personnel records)
- Electronic files, databases, spreadsheets & email
- Photographs (Consent issues)
The Data Protection Act is enforced by the Information Commissioner.
Anyone processing personal data must comply with the eight enforceable principles of good practice.
- Processed fairly and lawfully with a legitimate basis
- Processed only for specified lawful purposes
- Adequate, relevant and not excessive
- Accurate and kept up-to-date
- Not kept for longer than is necessary
- Processed in accordance with data subjects' rights
- Protected by appropriate security
- Not transferred outside the European Economic Area (EEA) without adequate protection
Everyone in the NHS has a responsibility to understand the implications of dealing with personal data. No data, whether held electronically or on paper, is completely secure; however, following best practice guidance, procedures and policies can hugely reduce risk. It is accepted that, given the nature of the service, some risks may never be totally eliminated. It is, however, essential that NHS Trusts have in place Information Governance management systems which eliminate risk wherever possible and reduce the impact of those risks that cannot be eliminated to an 'acceptable level'.
Details of the full Act and further information for the public can be found on the Information Commissioner's website, www.ico.gov.uk
Targets for Action
The Trust is required to complete and submit an Information Governance Toolkit Return to NHS Connecting for Health. The Toolkit encompasses all of the legal requirements the Trust is required to meet and addresses the following work areas:-
- Information Governance Management
- Confidentiality and Data Protection Assurance
- Information Security Assurance
- Clinical Information Assurance
- Secondary Use Assurance
- Corporate Information Assurance
The Toolkit enables the Trust to understand its performance and manage improvements in a systematic and effective manner.
Further information and details of the requirements for Trusts can be found on the Connecting for Health website, www.connectingforhealth.nhs.uk
The Trust is also required to complete and submit a return to the Care Quality Commission which also incorporates Information Governance.
Further information and details of the requirements for Trusts can be found on the Care Quality Commission website, www.cqc.org.uk
The Trust is committed to a programme of internal monitoring and review of Information Governance incorporating Caldicott and Data Protection.
The Trust strives for excellence in the Care Quality Commission and Connecting for Health Annual Health Check by meeting national Standards and targets.
DESIGNATED ROLES AND RESPONSIBILITIES
The Chief Executive carries ultimate responsibility for ensuring the implementation of Information Governance. The Deputy Chief Executive/Senior Information Risk Owner (SIRO) has delegated responsibility for this.
Alison Kelly - Director of Nursing and Quality/Senior Information Risk Owner (SIRO)
Senior Information Risk Owner (SIRO)
What is the role of a SIRO?
- Is accountable and takes ownership of the Trust's information security
- Acts as an advocate for information risk on the Board
- Fosters a culture for protecting and using data
- Provides a focal point for managing information risks and incidents
- Is concerned with the management of all information assets
Every Trust must have a SIRO.
Ian Harvey - Medical Director/Caldicott Guardian
What is the role of a Caldicott Guardian?
The Caldicott Guardian
- Is advisory and oversees access to patient identifiable information
- Ensures that high standards of patient and personal information security and confidentiality are implemented throughout the Trust
- Is the conscience of the Trust and ensures that confidentiality is a Trust priority and relevant issues are represented at the Board
- Provides a focal point for patient confidentiality and information sharing issues and makes sure that where confidential information is shared that it is done properly, legally, and ethically
- Is concerned with the management of patient information
Every Trust must have a Caldicott Guardian.
Robert Howorth - Assistant Director of Information Services
Contact Number 01244 366100
Rob is the Assistant Director of Information Services and has management responsibility for Information Services, Coding and Health Records. Rob is also the Trust's Information Security Officer.
Cora Suckley - Information Governance Manager
Contact Number 01244 362113
Cora works across the Trust to ensure the Trust meets its objectives and obligations towards the delivery of effective Information Governance.
This work includes the promotion of Information Governance, identification and establishment of training & education programmes and working with the Divisions to manage Information Governance risks and incidents.
Information Governance Risk
Information Governance Risk is a confidentiality breach or loss/chance of loss of confidential information/data or an unapproved disclosure of confidential information.
As with any organisation, the National Health Service (NHS) carries a number of Information Governance risks which, if not properly managed and controlled, have the potential to result in a loss or a breach of confidentiality of personal data.
Open reporting of potential and actual risks, mistakes or breaches is encouraged. This ensures that lessons are learnt from those mistakes and measures to prevent reoccurrence are promptly applied.
Information Governance Contact Details
To contact Information Governance for the Countess of Chester Hospital NHS Foundation Trust:-
- Phone Rob Howorth, Assistant Director of Information Services on 01244 366100 or Ext. 6100 if you are phoning from within the hospital.
- Email: firstname.lastname@example.org
- Phone Cora Suckley, Information Governance Manager on 01244 366676 or Ext. 2113 if you are phoning from within the hospital.
- Email: email@example.com
- Or write to: Cora Suckley, Information Governance, IM&T Department, Countess of Chester Hospital NHS Foundation Trust, Chester CH2 1UL
The Information Governance Service focuses on the Trust wide protection and use of patient information, physical security of personally identifiable or sensitive data and confidentiality.