| Req No | Description | Action |
|---|---|---|
| Information Governance Management | | |
| 14.1-101 | There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda | |
| 14.1-105 | There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans | |
| 14.1-110 | Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations | |
| 14.1-111 | Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation | |
| 14.1-112 | Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained | |
| Confidentiality and Data Protection Assurance | | |
| 14.1-200 | The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs | |
| 14.1-201 | The organisation ensures that arrangements are in place to support and promote information sharing for coordinated and integrated care, and staff are provided with clear guidance on sharing information for care in an effective, secure and safe manner | |
| 14.1-202 | Confidential personal information is only shared and used in a lawful manner and objections to the disclosure or use of this information are appropriately respected | |
| 14.1-203 | Patients, service users and the public understand how personal information is used and shared for both direct and non-direct care, and are fully informed of their rights in relation to such use | |
| 14.1-205 | There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data | |
| 14.1-206 | Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request | |
| 14.1-209 | All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines | |
| 14.1-210 | All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements | |
| Information Security Assurance | | |
| 14.1-300 | The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs | |
| 14.1-301 | A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed | |
| 14.1-302 | There are documented information security incident / event reporting and management procedures that are accessible to all staff | |
| 14.1-303 | There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority | |
| 14.1-304 | Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use | |
| 14.1-305 | Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems | |
| 14.1-307 | An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy | |
| 14.1-308 | All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers | |
| 14.1-309 | Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place | |
| 14.1-313 | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely | |
| 14.1-314 | Policy and procedures ensure that mobile computing and teleworking are secure | |
| 14.1-323 | All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures | |
| 14.1-324 | The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate | |
| Clinical Information Assurance | | |
| 14.1-400 | The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience | |
| 14.1-401 | There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements | |
| 14.1-402 | Procedures are in place to ensure the accuracy of service user information on all systems and/or records that support the provision of care | |