Information Governance for Registration Authorities




  1. Registration Authority and the IG Toolkit: more than just 303 and 304. Alex Beisser, IG and RA Manager
  2. Some questions
     • How many of you have heard about the IG Toolkit (IGT)?
     • Have you been asked to provide evidence for the IGT?
     • Were you questioned about the evidence that you provided?
     • What level of compliance have you achieved in the RA standards?
  3. Introduction to the IGT
     • A best-practice framework around confidentiality and data protection, based on the ISO 27001/2 model, for the NHS and its partners
     • Now in its 10th version
     • 24 different sets of standards for organisations
     • 45 standards for an acute organisation, split into:
       ◦ Information Governance Management – 5 standards
       ◦ Confidentiality and Data Protection Assurance – 9 standards
       ◦ Information Security Assurance – 15 standards
       ◦ Clinical Information Assurance – 5 standards
       ◦ Secondary Use Assurance – 8 standards
       ◦ Corporate Information Assurance – 3 standards
  4. Not all the same
     • Pharmacies – IGT 10-304
     • General Practice – IGT 10-304
     • Prison Health – IGT 10-304 and 10-305
     • Lucky you...
  5. Other providers: what standards are affected for
     ◦ Acute Trusts
     ◦ Mental Health Trusts
     ◦ Community Health Trusts
     ◦ Any Qualified Provider – Clinical Services
     ◦ Commissioning Organisations
     ◦ Ambulance Service
  6. Have a look: 17 standards affected
     • IGT 10-101
     • IGT 10-105
     • IGT 10-110
     • IGT 10-111
     • IGT 10-112
     • IGT 10-200
     • IGT 10-206
     • IGT 10-300
     • IGT 10-301
     • IGT 10-302
     • IGT 10-303
     • IGT 10-304
     • IGT 10-305
     • IGT 10-308
     • IGT 10-309
     • IGT 10-400
     • IGT 10-601
  7. The details: 101. There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda. Required evidence:
     • RA Manager or representative should sit on the IG Steering Committee or Group (ToR)
  8. The details: 105. There are approved and comprehensive Information Governance policies with associated strategies and/or improvement plans. Required evidence:
     • Up-to-date and reviewed RA policy and accompanying procedures (i.e. UIM, ESR, IIM)
  9. The details: 110. Formal contractual arrangements that include compliance with information governance requirements are in place with all contractors and support organisations. Required evidence:
     • Service Level Agreements if you provide RA services to other organisations
  10. The details: 111. Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation. Required evidence:
     • Employment contracts and job descriptions for RA staff
     • CRB and staff vetting procedures (recent changes) and recording of them in ESR (eGIF flag)
     • Identifying smartcard use within job descriptions
  11. The details: 112. Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained. Required evidence:
     • Is RA mentioned in your IG training?
     • End-user smartcard usage training
  12. The details: 200. The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation's assessed needs. Required evidence:
     • Have your RA staff been trained appropriately?
     • RA staff's job descriptions
     • RA procedures and guidance material
  13. The details: 206. There are appropriate confidentiality audit procedures to monitor access to confidential personal information. Required evidence:
     • RA access control audits
  14. The details: 300. The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation's assessed needs. Required evidence:
     • Does the RA Manager have the required knowledge and expertise to run and manage RA?
     • RA Manager's job description
     • RA staff are key to the organisation's IG agenda
     • Is the RA function represented in the IG Steering Group?
  15. The details: 301. A formal information security risk assessment and management programme for key information assets has been documented, implemented and reviewed. Required evidence:
     • Risk assessment of the RA function (including software, hardware and staff)
  16. The details: 302. There are documented information security incident/event reporting and management procedures that are accessible to all staff. Required evidence:
     • Reported smartcard incidents (sharing cards, loss, theft, misuse etc.)
     • Procedure for dealing with RA breaches
     • Incident policy should refer to the RA function
     • RA audit logs
  17. The details: 303. There are established business processes and procedures that satisfy the organisation's obligations as a Registration Authority. Required evidence:
     • Your RA framework
  18. The details: 304. Monitoring and enforcement processes are in place to ensure NHS national application smartcard users comply with the terms and conditions of use. Required evidence:
     • RA monitoring plan (how will you do it?)
     • Responsible officer (who will do it?)
     • Procedure for dealing with smartcard breaches (links to 302)
     • Improvement and action plan
     • Improvement and action plan has been audited (spot checks)
  19. The details: 305. Operating and application information systems (under the organisation's control) support appropriate access control functionality, and documented and managed access rights are in place for all users of these systems. Required evidence:
     • PBAC access control documentation (incl. reviews undertaken in 2012/13)
     • UIM/IIM procedures
     • Smartcard request procedures
     • RA structure (Sponsors): "... ensured that there are approved access controls in place for each key information asset under their control"
     • Samples of access requests
  20. The details: 308. All transfers of hardcopy and digital person-identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers. Required evidence:
     • Service Level Agreements if you provide RA services to other organisations (links to 110)
  21. The details: 309. Business Continuity Plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place. Required evidence:
     • RA Business Continuity Plan
  22. The details: 400. The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience. Required evidence:
     • Are your access levels appropriate for staff accessing clinical systems (RiO, EMIS Web, Cerner, SCR, etc.)?
     • Can the staff do their day job without a smartcard?
     • Gateway documents for RiO R1.1
  23. The last one: 601. Documented and implemented procedures are in place for the effective management of corporate records. Required evidence:
     • Old RA forms (including from predecessor organisations)
     • RA request forms, emails, notes etc.
  24. If you don't have enough... 604. As part of the information lifecycle management strategy, an audit of corporate records has been undertaken. Required evidence:
     • Audit of RA forms and requests
  25. Are you happy, worried or confused?
     • Organisational structures change all the time
     • I have been through all this twice and will soon go through it for a third time