Information Governance Policy

Why we need an Information Governance Policy:

The practice handles ever-increasing amounts of information. Timely and accurate information is crucial both for clinical decision-making and for the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management. It is therefore of paramount importance that information is efficiently managed in Seymour Medical Centre and that we have appropriate policies and procedures to provide a robust framework for information management.

Seymour Medical Centre recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The practice supports the principles of corporate governance and recognises its public accountability, but equally places importance on confidentiality and the security of personal information about patients and staff. The practice also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

The reasons for sharing information may include:

  • example data sharing agreements between organisations, reviewed in the IG meeting)
  • Assuring and improving the quality of care, treatment and advice
  • Monitoring and protecting public health, safety and well-being
  • Risk Management
  • To avoid duplication of information gathering
  • Investigating complaints or actual/potential legal claims
  • Teaching/staff development
  • To safeguard children and vulnerable adults (refer to Policy for Safeguarding for details of relevant information sharing requirements)

The practice has assigned responsibility for information governance to a team which consists of:

  • Caldicott Guardian: Dr Amish Patel
  • Information governance lead: Mrs Janice Phillips

The practice believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to ensure the quality of information available in the organisation and to make best use of that information in decision-making.

There are 4 key interlinked strands to the information governance policy:

1. Openness
2. Legal compliance
3. Information security
4. Quality assurance

1. Openness

There will always be conflict between what is considered to be confidential information and the need to be open to facilitate the smooth management of care and treatment of patients and to maintain the safety of staff. Staff should give careful consideration to how information/data is handled and ensure that any information that is produced, or given to a third party, is not in breach of the Data Protection Act.

  • Non-confidential information on the practice and its services is available to the public through the practice website and via NHS England
  • The practice has established and maintains a policy to ensure compliance with the Freedom of Information Act
  • Patients are able to request access to their medical records
  • The practice has arrangements in place for liaison with the press and broadcasting media
  • The practice has written procedures and arrangements for handling queries and complaints from patients and the public
  • Our statement on confidentiality and freedom of information, with regard to how it affects patients, is displayed on our website and included in the new patient registration pack
  • Our Freedom of Information Act statement is also on the website

2. Legal Compliance

  • The practice regards all identifiable personal information relating to patients as confidential
  • The practice regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise
  • The practice has established and maintains policies to ensure compliance with the Data Protection Act, Human Rights Act and the common law on confidentiality
  • The practice has established and maintains policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act)

3. Information Security

Seymour Medical Centre ensures that all personal information is kept in a secure environment, where access is controlled, and security measures are in place. This includes electronic capture and storage and manual paper records.

  • The practice has established and maintains policies for the effective and secure management of its information assets and resources
  • The practice promotes confidentiality and data security to its staff through policies, procedures and training
  • The practice has established and maintains a Significant Event reporting procedure and monitors and investigates all reported instances of actual or potential breaches of confidentiality and security

4. Information Quality Assurance

The practice has established and maintains a policy for information quality assurance and the effective management of records. This includes clear protocols for processing, scanning and coding clinical data coming into the practice.

  • Managers are expected to take ownership of, and seek to improve, the quality of information within their services
  • Wherever possible, information quality is assured at the point of collection
  • The practice promotes information quality and effective records management through policies, procedures, staff induction and staff training

Principles in the use of Confidential Information – Caldicott Guidelines.

The purpose of this section is to outline a local code of conduct on the use of confidential information to ensure that patient or personal identifiable data is used and disclosed in an adequate manner according to the Caldicott Principles, the Data Protection Act and the Freedom of Information Act.

The Practice has appointed a Caldicott Guardian.

All Practice Staff, both clinical and non-clinical, must adhere to all Policies and Procedures concerning Information Governance and Confidentiality.

Confidentiality Policy

The practice has a comprehensive confidentiality policy which is mandatory reading for new employees and on the staff reading list.

This policy covers all aspects of communication, including verbal, email, written documents, faxing (both incoming and outgoing) and post.

It also covers issues relating to working away from the office, and the principles of maintaining confidentiality and management of confidential waste, internet use and maintenance and security of passwords.

The policy refers to relevant legal tools and the practice’s right to monitor use of the internet.

The policy gives staff information on how to report breaches of confidentiality or information governance.

The policy covers use of email, including etiquette, offensive emails and confidentiality.

Firewall and Virus Protection

The Firewall and Virus Protection of the computer system is the responsibility of Saxon Enterprises Ltd (commissioned by Waltham Forest Clinical Commissioning Group) who maintain the Practice IT systems.

AntiVirus

The Internet is a major source of computer viruses, the effects of which can range from a minor irritant to a major disaster, and all have costs involved in their eradication.

Although the IT network has background antivirus defences, it is still essential for users to specifically check files and mail prior to opening. In the event that a user suspects a virus infestation, they must stop using that machine and contact the IT Help Desk.

Training

All staff will be given training on information governance and confidentiality at induction and as part of the ongoing training schedule. If a member of staff requires further training, they will discuss this with the practice manager.

Security Breaches

An Information Security incident is defined as any event which has resulted, or could result, in:

1. the disclosure of confidential information to any unauthorised individual
2. the integrity of the system or data being put at risk
3. the availability of the system or information being put at risk
4. an adverse impact, for example: embarrassment to the NHS; threat to personal safety or privacy; legal obligation or penalty; financial loss; disruption of activities

Types of incidents that should be recorded include:

1. computer misuse
2. computer virus activity
3. confidentiality breach
4. records related incident
5. theft or loss of records
6. system abuse or infiltration

This list is not exhaustive.