| Req No | Description | Action |
|---|---|---|
| Information Governance Management | | |
| 14.1-130 | There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda | |
| 14.1-131 | There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans | |
| 14.1-132 | Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations | |
| 14.1-133 | Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation | |
| 14.1-134 | Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained | |
| Confidentiality and Data Protection Assurance | | |
| 14.1-230 | The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs | |
| 14.1-231 | Staff are provided with clear guidance on keeping personal information secure, on respecting the confidentiality of service users, and on the duty to share information for care purposes | |
| 14.1-232 | Confidential personal information is only shared and used in a lawful manner and objections to the disclosure or use of this information are appropriately respected | |
| 14.1-234 | There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data | |
| 14.1-235 | Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request | |
| 14.1-236 | All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines | |
| 14.1-237 | All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements | |
| 14.1-250 | Individuals are informed about the proposed uses of their personal information | |
| Information Security Assurance | | |
| 14.1-340 | The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs | |
| 14.1-341 | A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed | |
| 14.1-342 | There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority | |
| 14.1-343 | Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use | |
| 14.1-344 | Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems | |
| 14.1-345 | An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy | |
| 14.1-346 | Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place | |
| 14.1-347 | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely | |
| 14.1-348 | Policy and procedures ensure that mobile computing and teleworking are secure | |
| 14.1-349 | There are documented incident management and reporting procedures | |
| 14.1-350 | All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers | |
| 14.1-351 | All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures | |
| 14.1-352 | The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate | |
| Clinical Information Assurance | | |
| 14.1-420 | The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience | |
| 14.1-421 | There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements | |