Information Governance and IT Security in the NHS - NECS Role and Responsibilities

Learn about information governance, IT security, and the role of North of England Commissioning Support (NECS) in supporting NHS organizations. Discover their objectives, role in data protection, and the importance of adhering to regulatory principles for safeguarding sensitive information.

  • Information Governance
  • IT Security
  • NHS
  • NECS
  • Data Protection


Presentation Transcript


  1. Information Governance & IT Security in the NHS
     Ian Davison, Director of Business Information Services
     Alison Emslie, IT Security Manager and IG Specialist Advisor
     Partners in improving local health (Slide 1)

  2. Objectives
     • To inform VONNE members on IG and IT security, in particular on:
       • Data Protection / Caldicott Principles
       • IG Toolkit
       • IT Security (including encryption)
     • To explain NECS's role in IG and IT security
     • To offer a Q&A opportunity for VONNE members

  3. NECS: our role and our path
     • North of England Commissioning Support (NECS) is an NHS Commissioning Support Unit (CSU)
     • Hosted by NHSE, employed by NHS Business Services Authority (BSA)
     • Formed in 2013 following the new Health and Social Care Act, which saw the creation of CCGs and CSUs and the demise of PCTs and SHAs
     • On a path to autonomy since 2013, with the expectation of being fully autonomous in 16-17
     • Funded from contracts and SLAs with CCGs, NHSE, FTs, LAs, AQPs, etc.

  4. NECS: our role and path (cont.)
     • Commercial approach being monitored and assessed; competing with the private sector
     • Increasingly, our contracts are won via bidding processes on procurement frameworks
     • Our role in IG and IT is to deliver services and projects to our customers, to advise, and to protect and keep safe
     • We serve all NE & Cumbria CCGs, all 400 GP practices in the NE, and several FTs and LAs
     • We have one IT system and network to which all customers are connected

  5. Data Protection Registration
     • The DP Act requires every data controller (e.g. an organisation) that is processing personal information to register with the ICO
     • Appropriate DP registration for NHS business, including FOI
     • Transfers outside the EEA
     • Public Register of Data Controllers

  6. Data Protection Principles
     Under the Data Protection Act, you must:
     • only collect information that you need for a specific purpose
     • keep it secure
     • ensure it is relevant and up to date
     • only hold as much as you need, and only for as long as you need it
     • allow the subject of the information to see it on request

  7. DP Requests: requests for personal information (DP)
     • Patients have rights to see their personal information. They can make a subject access request to see the personal information you hold about them.
     • Subject access code of practice
     • Access Aware toolkit for health

  8. Caldicott Principles
     These apply to the handling of patient-identifiable information:
     • justify the purpose(s) of every proposed use or transfer
     • don't use it unless it is absolutely necessary
     • use the minimum necessary
     • access to it should be on a strict need-to-know basis
     • everyone with access to it should be aware of their responsibilities
     • understand and comply with the law
     • the duty to share information can be as important as the duty to protect confidentiality

  9. FOI Requests: requests for non-confidential information (FOI)
     The Freedom of Information Act means that you must disclose official (NHS) information when people ask for it, and reply within 20 working days.

  10. NHS Standard Contract GC21: Patient Confidentiality, Data Protection, Freedom of Information and Transparency
     Information Governance General Responsibilities
     21.1 The Parties acknowledge their respective obligations arising under FOIA, DPA and HRA, and under the common law duty of confidentiality, and must assist each other as necessary to enable each other to comply with these obligations.
     21.2 The Provider must complete and publish an annual information governance assessment using the NHS Information Governance Toolkit and must achieve a minimum level 2 performance against all requirements in the relevant Toolkit.
     21.3 The Provider must:
       21.3.1 nominate an Information Governance Lead;
       21.3.2 nominate a Caldicott Guardian and Senior Information Risk Owner, each of whom must be a member of the Provider's Governing Body;
       21.3.3 ensure that the Co-ordinating Commissioner is kept informed at all times of the identities and contact details of the Information Governance Lead, Caldicott Guardian and the Senior Information Risk Owner; and
       21.3.4 ensure that NHS England and HSCIC are kept informed at all times of the identities and contact details of the Information Governance Lead, Caldicott Guardian and the Senior Information Risk Owner via the NHS Information Governance Toolkit.

  11. IG Toolkit - Overview
     • Comprehensive IG self-assessment (including IT Security)
     • Different versions for different types of organisation
     • Levels of compliance:
       • Level 1 = policy in place
       • Level 2 = policy implemented
       • Level 3 = implementation of policy audited
     • All requirements at level 2 (66%) = satisfactory

  12. IGT Requirement Format
     • Requirement
     • Description
     • Guidance
     • Attainment Levels
     • Knowledge Base
     • Resources
     • Training
     • Requirement Origins

  13. IGT Requirement Screenshot 1

  14. IGT Requirement Screenshot 2

  15. IGT IT Security Requirements
     • 13-304: Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use
     • 13-316: There is an information asset register that includes all key information, software, hardware and services
     • 13-317: Unauthorised access to the premises, equipment, records and other assets is prevented
     • 13-318: The use of mobile computing systems is controlled, monitored and audited to ensure their correct operation and to prevent unauthorised access
     • 13-319: There are documented plans and procedures to support business continuity in the event of power failures, system failures, natural disasters and other disruptions
     • 13-320: There are documented incident management and reporting procedures
     • 13-321: There are appropriate procedures in place to manage access to computer-based information systems
     • 13-325: Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely

  16. IGT Requirement 321
     Level 1 - There is a documented procedure for allocating and managing access to computer-based information systems.
     • A: A procedure has been documented that sets out how access to computer-based information systems will be allocated and managed.
       Evidence required: documented procedure.
     • B: Responsibility for allocating and removing access rights to the system has been assigned.
       Evidence required: a named individual's job description, or a signed and dated note or e-mail assigning responsibility.
     • C: The procedure has been approved by a senior member of staff.
       Evidence required: minutes of meetings, or a document or email, or a personal endorsement in writing from an appropriately senior manager.

  17. Encryption
     • In transit:
       • NHS Mail
       • Encrypted attachment
       • Encrypted USB stick/mobile device
     • At rest:
       • Encrypted laptops/PCs in public areas

  18. Useful Links
     • IG Toolkit: https://nww.igt.hscic.gov.uk/
     • Information Commissioner's Office (for Data Protection & FOI): https://ico.org.uk/
     • Data Protection Public Register: https://ico.org.uk/esdwebpages/search
     • NHS Guide to Caldicott & DP: https://www.google.co.uk/?gfe_rd=ssl&ei=Z5TpVqfcDcGBaMm-pIgD#q=caldicott+principles
     • Encryption guidance:
       • NHS use of: http://systems.hscic.gov.uk/infogov/security/encryptionguide.pdf
       • Implementation in the NHS: http://systems.hscic.gov.uk/infogov/security/infrasec/iststatements/dataenc_html

  19. Useful Links - continued
     • NHS Code of Practice on Information Security: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_074142
     • NHS Mail guidance on sending encrypted email to non-secure addresses: http://systems.hscic.gov.uk/nhsmail/secure/senders.pdf
     • Online IG Training: https://www.igtt.hscic.gov.uk/
     • NHS contract (for IGT compliance statement): https://www.england.nhs.uk/nhs-standard-contract/

  20. Questions
