Req No | Description

Information Governance Management
14.1-101 | There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda
14.1-105 | There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans
14.1-110 | Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations
14.1-111 | Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation
14.1-112 | Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained

Confidentiality and Data Protection Assurance
14.1-200 | The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs
14.1-201 | The organisation ensures that arrangements are in place to support and promote information sharing for coordinated and integrated care, and staff are provided with clear guidance on sharing information for care in an effective, secure and safe manner
14.1-202 | Confidential personal information is only shared and used in a lawful manner and objections to the disclosure or use of this information are appropriately respected
14.1-203 | Patients, service users and the public understand how personal information is used and shared for both direct and non-direct care, and are fully informed of their rights in relation to such use
14.1-205 | There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data
14.1-206 | Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request
14.1-207 | Where required, protocols governing the routine sharing of personal information have been agreed with other organisations
14.1-209 | All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
14.1-210 | All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements

Information Security Assurance
14.1-300 | The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs
14.1-301 | A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed
14.1-302 | There are documented information security incident / event reporting and management procedures that are accessible to all staff
14.1-303 | There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority
14.1-304 | Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use
14.1-305 | Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems
14.1-307 | An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy
14.1-308 | All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
14.1-309 | Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place
14.1-310 | Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error
14.1-311 | Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code
14.1-313 | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
14.1-314 | Policy and procedures ensure that mobile computing and teleworking are secure
14.1-323 | All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures
14.1-324 | The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate

Clinical Information Assurance
14.1-400 | The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience
14.1-401 | There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements
14.1-402 | Procedures are in place to ensure the accuracy of service user information on all systems and/or records that support the provision of care
14.1-404 | A multi-professional audit of clinical records across all specialties has been undertaken
14.1-406 | Procedures are in place for monitoring the availability of paper health/care records and tracing missing records

Secondary Use Assurance
14.1-501 | National data definitions, standards, values and data quality checks are incorporated within key systems and local documentation is updated as standards develop
14.1-502 | External data quality reports are used for monitoring and improving data quality
14.1-504 | Documented procedures are in place for using both local and national benchmarking to identify data quality issues and analyse trends in information over time, ensuring that large changes are investigated and explained
14.1-505 | An audit of clinical coding, based on national standards, has been undertaken by a Clinical Classifications Service (CCS) approved clinical coding auditor within the last 12 months
14.1-506 | A documented procedure and a regular audit cycle for accuracy checks on service user data is in place
14.1-507 | The secondary uses data quality assurance checks have been completed
14.1-508 | Clinical/care staff are involved in quality checking information derived from the recording of clinical/care activity
14.1-510 | Training programmes for clinical coding staff entering coded clinical data are comprehensive and conform to national clinical coding standards

Corporate Information Assurance
14.1-601 | Documented and implemented procedures are in place for the effective management of corporate records
14.1-603 | Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000
14.1-604 | As part of the information lifecycle management strategy, an audit of corporate records has been undertaken