NHS Information Governance Risk Management
Introduction
– Information risk to be managed in a robust manner
– Assurance to be provided in a consistent manner
– A structured approach is necessary:
  – Identify Information Assets (IA)
  – Assign ownership of those IA
  – Formalise and standardise information risk management
– Builds upon existing NHS Information Governance frameworks

Three New NHS Roles
In common with other government and public service bodies, NHS organisations should in future establish three new roles to aid the structured management of their information risk:
– Senior Information Risk Owner (SIRO)
– Information Asset Owners (IAO)
– Information Asset Administrators (IAA)

Ownership and Responsibilities
– The organisation’s management Board or equivalent ‘owns’ the information risk policy and its implementation
– The organisation’s SIRO is responsible for ensuring that the Information Risk Policy is developed, implemented and reviewed, and that its effect is monitored
– The Information Risk Policy should be available and communicated to all staff as part of their induction, training and ongoing personal development arrangements

Information Risk Management (IRM) Structural Model

Structural Model      | NHS Trust                                                        | General Practice
----------------------|------------------------------------------------------------------|---------------------
Accounting Officer    | Chief Executive                                                  | PCT Chief Executive
SIRO                  | Board level SIRO                                                 | PCT SIRO
1+ senior IAOs        | Department Heads                                                 | Senior Partner
0+ IAAs for each IAO  | Operational staff responsible for one or more information assets | Practice Manager

Key Local IRM Considerations
– Maximise existing lines of authority and responsibility where these are fit for purpose
– Associate tasks at appropriate management levels
– Avoid adverse impacts on day to day business
– Ensure information risk management arrangements are efficient, effective, accountable and transparent

Roles: Accounting Officer
The Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risks.

Roles: SIRO
The SIRO is an executive who is familiar with information risks and their mitigations, including information risk assessment methodology. The SIRO provides the focus for the assessment and management of information risk at Board level, providing briefings and reports on matters of performance, assurance and cultural impact.

Aspect of SIRO Role (1)
Aspect of Role: Lead and foster a culture that values, protects and uses information for the success of the organisation and benefit of its patients
Supporting Actions:
– ensures the Organisation has a plan to achieve and monitor the right NHS IG culture, across the Organisation and with its business partners;
– takes visible steps to support and participate in that plan (including completing own training);
– ensures the Organisation has appointed Information Asset Owners (IAOs) who are skilled, focussed on the issues, and supported, plus the information risk management specialists that it needs

Aspect of SIRO Role (2)
Aspect of Role: Own the organisation’s overall information risk policy and risk assessment process, test its outcome, and ensure it is used
Supporting Actions:
– ensures that the organisation’s information risk policy is complete, covering how the organisation implements NHS Information Governance risk management in its own services and activities and those of its delivery partners, and how compliance will be monitored;
– ensures that information asset risk reviews are completed each quarter, taking account of extant NHS Information Governance guidance (available from the Department of Health and NHS Connecting for Health);
– based on the information risk assessment, understands what information risks there are to the organisation and its business partners through its delivery chain, and ensures that they are addressed and that they inform investment decisions, including the risk considerations of outsourcing;
– ensures that the information risk assessment and the mitigating actions taken benefit from an adequate level of independent scrutiny

Aspect of SIRO Role (3)
Aspect of Role: Advise the Chief Executive or relevant Accounting Officer on the information risk aspects of his/her Statement of Internal Control
Supporting Actions:
– receives an annual assessment of performance, including material from the IAOs and specialists, covering NHS Information Governance reporting requirements as well as local actions planned for the organisation’s own circumstances;
– provides advice to the Chief Executive or relevant Accounting Officer on the information risk parts of their Statement of Internal Control;
– shares the assessment and supporting material with the Department of Health and NHS Connecting for Health, to support pan-NHS IG work in this area.

Aspect of SIRO Role (4)
Aspect of Role: Own the organisation’s information incident management framework
Supporting Actions:
– ensures that the organisation has implemented an effective information incident management and response capability that allows learning and sharing of experience from events throughout the organisation, and the prevention of similar events elsewhere.

Roles: IAO
Information Asset Owners are senior individuals involved in running the relevant business. Small organisations may have a single IAO, whereas larger ones are likely to have several. The IAO’s role is to:
– understand and address risks to the information assets they ‘own’; and
– provide assurance to the SIRO on the security and use of these assets.

Aspects of IAO Role (1)
Aspect of Role: Lead and foster a culture that values, protects and uses information for the success of the organisation and benefit of its patients
Supporting Actions:
– understands the Organisation’s plans to achieve and monitor the right NHS IG culture, across the Organisation and with its business partners;
– takes visible steps to support and participate in that plan (including completing own training)

Aspect of Role: Knows what information the Asset holds, and what enters and leaves it and why
Supporting Actions:
– maintains an up to date understanding of ‘owned’ assets and how they are used;
– approves and minimises information transfers while achieving business purposes;
– approves arrangements so that information put onto portable or removable media such as laptops and CD-ROMs is minimised and is effectively protected to NHS IG standards;
– approves and oversees the disposal mechanisms for information of the asset when no longer needed

Aspects of IAO Role (2)
Aspect of Role: Knows who has access and why, and ensures their use is monitored and compliant with policy
Supporting Actions:
– understands the organisation’s policy on access to and use of information;
– checks that access provided is the minimum necessary to satisfy business objectives;
– receives records of checks on use and assures self that effective checking is conducted regularly

Aspect of Role: Understands and addresses risks to the asset, and provides assurance to the SIRO
Supporting Actions:
– conducts quarterly reviews of information risk in relation to ‘owned’ assets;
– makes the case where necessary for new investment or action to secure ‘owned’ assets;
– provides an annual written risk assessment to the SIRO for all assets ‘owned’ by them

Aspects of IAO Role (3)
Aspect of Role: Ensures the asset is fully used for the benefit of the organisation and its patients, including responding to requests for access from others
Supporting Actions:
– considers whether better use of the information is possible or where information is no longer required;
– receives, logs and controls requests from others for access;
– ensures decisions on access are taken in accordance with NHS IG standards of good practice and the policy of the organisation.

Roles: IAA
Information Asset Administrators will provide support to their IAO:
– ensure that policies and procedures are followed;
– recognise potential or actual security incidents;
– consult their IAO on incident management;
– ensure that information asset registers are accurate and maintained up to date.

Candidate IAA Tasks
– Maintenance of Information Asset Registers;
– Ensuring compliance with data sharing agreements within the local area;
– Ensuring information handling procedures are fit for purpose and are properly applied;
– Under the direction of their IAO, ensuring that personal information is not unlawfully exploited;
– Recognising new information handling requirements (e.g. a new type of information arises) and ensuring that the relevant IAO is consulted over appropriate procedures;
– Recognising potential or actual security incidents and consulting the IAO;
– Reporting to the relevant IAO on the current state of local information handling;
– Ensuring that local information handling constraints (e.g. limits on who can have access to the assets) are applied, referring any difficulties to the relevant IAO;
– Acting as first port of call for local managers and staff seeking advice on the handling of information;
– Under the direction of their IAO, ensuring that information is securely destroyed when there is no further requirement for it.

NHS Information Assets 1
Information assets come in many shapes and forms, and the following list can only be illustrative. It is generally sensible to group information assets in a logical manner, e.g. where they all relate to the same information system or business process.

NHS Information Assets 2

Personal/Other Information
– Databases and data files
– Back-up and archive data
– Audit data
– Paper records and reports

Software
– Applications and System Software
– Data encryption utilities
– Development and Maintenance tools

System/Process Documentation
– System information and documentation
– Operations and support procedures
– Manuals and training materials
– Contracts and agreements
– Business continuity plans

Hardware
– Computing hardware including PCs, laptops, PDAs, communications devices (e.g. BlackBerry) and removable media

Miscellaneous
– Environmental services, e.g. power and air-conditioning
– People skills and experience

Information Risk Management Policy
– All NHS organisations need a clear IRM policy
– IRM should be a fundamental component of the organisation’s overall business risk management framework
– Some organisations, e.g. PCTs, should develop policies that cover their smaller business partners, e.g. local independent contractors

Information Risk Management 2
Key aspects of an IRM policy:
– Provide support for the organisation’s business aims and objectives
– Define how the organisation and its delivery partners will manage its information risk
– Identify how risk management effectiveness will be assessed and measured
– Define IRM escalation points and mechanisms