Information Governance Assurance Framework - PowerPoint PPT Presentation

About This Presentation
Title:

Information Governance Assurance Framework

Description:

'This is not the way I would have planned to organise my departure from HMRC. ... Apologetic PM orders data security review. What was happening in Government? ... – PowerPoint PPT presentation

Slides: 19
Provided by: sube5

Transcript and Presenter's Notes

1
Information Governance Assurance Framework
  • Phil Walker
  • Digital Information Policy

2
The First of Many
Breach of Confidentiality
3
Accountability and Responsibility
  • "This is not the way I would have planned to
    organise my departure from HMRC."
  • Quote from Mr Paul Gray's resignation letter

4
National Impact
  • "We will do everything in our power to ensure
    data is safe," the Prime Minister pledged.

Apologetic PM orders data security review
5
What was happening in Government?
  • Cabinet Office led Data Handling Review
  • Stronger Accountability
  • Mandated Security Standards
  • Culture Change
  • Greater Scrutiny
  • Information risks to be managed throughout the
    Department's delivery chain

6
What did this mean for the NHS?
  • Data loss incidents under the spotlight
  • Letters to CEOs from David Nicholson
  • IG in Statements of Internal Controls
  • Encryption
  • Data Flow Mapping
  • Accountability for managing information risk
  • IG Assurance Programme

7
NHS Data Loss Incidents reported to the ICO, Nov 07 - Jan 09
8
Letters from David Nicholson
  • SHAs have SRO responsibilities for developing IG
    accountabilities and capabilities
  • PCTs have SRO responsibilities for local
    delivery, working with provider bodies
  • A hierarchy of responsible CEOs securing robust
    IG across the NHS
  • Assurances should be sought from all
    organisations from which care is commissioned

9
Stronger Accountability
  • Accounting officers to cover information risks in
    Statements of Internal Controls from 08/09
  • Mandating key aspects of Senior Information Risk
    Owner (SIRO) role
  • Introducing information asset owners to improve
    management arrangements
  • Annual assessment of compliance with mandated
    security standards

10
Mandated Security Standards
  • Encryption to become the norm
  • Secure disposal of data and hardware
  • Penetration testing on significant systems
  • Tighter arrangements for data held overseas
  • Strong access controls in new systems
  • Security accreditation of new systems
  • Standard contract clauses

11
Culture Change
  • Privacy Impact Assessments for new projects
  • Plans to enhance culture
  • Mandated training for all users of personal data
    and for those in key roles
  • HR processes to ensure appropriate disciplinary
    action is taken
  • Improved training and career progression for key
    assurance staff

12
Greater Scrutiny
  • Coverage of information risks in annual reports
  • All Departments to issue an information charter
  • Reporting process for serious incidents

13
The Department's delivery chain
  • SHAs
  • PCTs
  • Acute Trusts
  • Mental Health Trusts
  • Ambulance Trusts
  • IS Providers
  • Foundation Trusts
  • GPs
  • Dentists
  • Opticians
  • Pharmacists
  • Walk in Centres
  • Arm's Length Bodies
  • HSC IC
  • Business Services
  • Blood & Transplant
  • many more
  • Funded bodies
  • e.g. screening programmes
  • Social Care & other Business partners

14
Information Governance Framework
National Information Governance Board
  • Central components
  • Central Information Governance subject matter
    experts
  • The Information Governance standard
  • IG Toolkit
  • IG Training provision
  • IG Compliance mechanisms
  • Assessment through the IGT
  • Information Governance Statement of Compliance
  • Audit processes
  • Local components
  • IG Management Structures
  • Board Responsibility
  • IG Steering Group
  • Caldicott Guardian
  • IG subject matter experts
  • Information Risk Management
  • SIRO & IAOs
  • Statement of Internal Controls and Annual Reports
  • Incident Reporting

15
Information Governance Framework Standard
  • Defines what is meant by Information Governance
  • Management Accountability
  • Process
  • People
  • Assessment & Audit
  • Covers legal compliance, security risk, plus
    records management & quality

16
Assessment against the standard
  • NHS Operating Framework
  • National contracts for acute, ambulance etc
    services
  • Guidance for Board Members
  • Information Governance Toolkit
  • Internal Audit
  • Care Quality Commission

17
IG Assurance Forward Look
  • Rolling out the IG Framework across the DH
    delivery chain
  • Reviewing national contracts for the independent
    contractors (GPs etc)
  • Improving guidance and training provision
  • Professionalisation of IG roles & careers
  • Addressing capability & capacity gaps

18
Questions?
Any Questions?