NHS Information Governance

Risk Management
Introduction
• Information risk to be managed in a robust manner
• Assurance to be provided in a consistent manner
• Structured approach is necessary
– Identify Information Assets (IA)
– Assign ownership of those IA
– Formalise and standardise information risk management
• Builds upon existing NHS Information Governance frameworks
Three New NHS Roles
• In common with other government and public service bodies, NHS organisations should in future establish three new roles to aid the structured management of their information risk:
– Senior Information Risk Owner (SIRO)
– Information Asset Owners (IAO)
– Information Asset Administrators (IAA)
Ownership and Responsibilities
• The organisation’s management Board or equivalent ‘owns’ the information risk policy and its implementation
• The organisation’s SIRO is responsible for ensuring Information Risk Policy is developed, implemented, reviewed and its effect monitored
• Information Risk Policy should be available and communicated to all staff as part of their induction, training and ongoing personal development arrangements.
Information Risk Management (IRM) Structural Model

Role                  | NHS Trust                                                        | General Practice
Accounting Officer    | Chief Executive                                                  | PCT Chief Executive
SIRO                  | Board level SIRO                                                 | PCT SIRO
1+ senior IAOs        | Department Heads                                                 | Senior Partner
0+ IAAs for each IAO  | Operational staff responsible for one or more information assets | Practice Manager
Key Local IRM Considerations
• Maximise existing lines of authority and responsibility where these are fit for purpose
• Associate tasks at appropriate management levels
• Avoid adverse impacts on day to day business
• Ensure information risk management arrangements are efficient, effective, accountable and transparent
Roles: Accounting Officer
• The Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level.
• Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risks.
Roles: SIRO
• The SIRO is an executive who is familiar with information risks and their mitigations, including information risk assessment methodology.
• The SIRO provides the focus for the assessment and management of information risk at Board level, providing briefings and reports on matters of performance, assurance and cultural impact.
Aspect of SIRO Role (1)
Aspect of Role: Lead and foster a culture that values, protects and uses information for the success of the organisation and benefit of its patients
Supporting Actions:
• ensures the Organisation has a plan to achieve and monitor the right NHS IG culture, across the Organisation and with its business partners;
• takes visible steps to support and participate in that plan (including completing own training);
• ensures the Organisation has appointed Information Asset Owners (IAOs) who are skilled, focussed on the issues, and supported, plus the information risk management specialists that it needs
Aspect of SIRO Role (2)
Aspect of Role: Own the organisation’s overall information risk policy and risk assessment process, test its outcome, and ensure it is used
Supporting Actions:
• ensures that the organisation information risk policy is complete – covering how the organisation implements NHS Information Governance risk management in its own services and activities and those of its delivery partners, and how compliance will be monitored
• ensures that information asset risk reviews are completed each quarter taking account of extant NHS Information Governance guidance (available from Department of Health and NHS Connecting for Health)
• based on the information risk assessment, understands what information risks there are to the organisation and its business partners through its delivery chain, and ensures that they are addressed, and that they inform investment decisions including the risk considerations of outsourcing
• ensures that information risk assessment and mitigating actions taken benefit from an adequate level of independent scrutiny
Aspect of SIRO Role (3)
Aspect of Role: Advise the Chief Executive or relevant Accounting Officer on the information risk aspects of his/her Statement of Internal Control
Supporting Actions:
• receives annual assessment of performance, including material from the IAOs and specialists, covering NHS Information Governance reporting requirements as well as local actions planned for the organisation’s own circumstances;
• provides advice to the Chief Executive or relevant Accounting Officer on the information risk parts of their Statement of Internal Control;
• shares assessment and supporting material with the Department of Health and NHS Connecting for Health, to support pan-NHS IG work in this area.
Aspect of SIRO Role (4)
Aspect of Role: Own the organisation’s information incident management framework
Supporting Actions:
• ensures that the organisation has implemented an effective information incident management and response capability that allows learning and sharing of experience from events throughout the organisation and for the prevention of similar events elsewhere.
Roles: IAO
• Information Asset Owners are senior individuals involved in running the relevant business.
• Small organisations may have a single IAO, whereas larger ones are likely to have several.
• The IAO’s role is to:
– understand and address risks to the information assets they ‘own’; and
– provide assurance to the SIRO on the security and use of these assets.
Aspects of IAO Role (1)
Aspect of Role: Lead and foster a culture that values, protects and uses information for the success of the organisation and benefit of its patients
Supporting Actions:
• understands the Organisation’s plans to achieve and monitor the right NHS IG culture, across the Organisation and with its business partners;
• takes visible steps to support and participate in that plan (including completing own training)
Aspect of Role: Knows what information the Asset holds, and what enters and leaves it and why
Supporting Actions:
• maintains understanding of ‘owned’ assets and how they are used up to date;
• approves and minimises information transfers while achieving business purposes;
• approves arrangements so that information put onto portable or removable media like laptops and CD-ROM is minimised and is effectively protected to NHS IG standards;
• approves and oversees the disposal mechanisms for information of the asset when no longer needed
Aspects of IAO Role (2)
Aspect of Role: Knows who has access and why, and ensures their use is monitored and compliant with policy
Supporting Actions:
• understands the organisation’s policy on access to and use of information;
• checks that access provided is the minimum necessary to satisfy business objectives;
• receives records of checks on use and assures self that effective checking is conducted regularly
Aspect of Role: Understands and addresses risks to the asset, and provides assurance to the SIRO
Supporting Actions:
• conducts quarterly reviews of information risk in relation to ‘owned’ assets;
• makes the case where necessary for new investment or action to secure ‘owned’ assets;
• provides an annual written risk assessment to the SIRO for all assets ‘owned’ by them
Aspects of IAO Role (3)
Aspect of Role: Ensures the asset is fully used for the benefit of the organisation and its patients, including responding to requests for access from others
Supporting Actions:
• considers whether better use of the information is possible or where information is no longer required;
• receives, logs and controls requests from others for access;
• ensures decisions on access are taken in accordance with NHS IG standards of good practice and the policy of the organisation.
Roles: IAA
• Information Asset Administrators will provide support to their IAO
– ensure that policies and procedures are followed;
– recognise potential or actual security incidents;
– consult their IAO on incident management;
– ensure that information asset registers are accurate and maintained up to date.
Candidate IAA Tasks
• Maintenance of Information Asset Registers;
• Ensuring compliance with data sharing agreements within the local area;
• Ensuring information handling procedures are fit for purpose and are properly applied;
• Under the direction of their IAO, ensuring that personal information is not unlawfully exploited;
• Recognising new information handling requirements (e.g. a new type of information arises) and that the relevant IAO is consulted over appropriate procedures;
• Recognising potential or actual security incidents and consulting the IAO;
• Reporting to the relevant IAO on current state of local information handling;
• Ensuring that local information handling constraints (e.g. limits on who can have access to the assets) are applied, referring any difficulties to the relevant IAO;
• Acting as first port of call for local managers and staff seeking advice on the handling of information;
• Under the direction of their IAO, ensuring that information is securely destroyed when there is no further requirement for it.
NHS Information Assets 1
• Information assets come in many shapes and forms, and the following list can only be illustrative.
• It is generally sensible to group information assets in a logical manner, e.g. where they all relate to the same information system or business process.
NHS Information Assets 2
Personal/Other Information
– Databases and data files
– Back-up and archive data
– Audit data
– Paper records and reports
Software
– Applications and System Software
– Data encryption utilities
– Development and Maintenance tools
System/Process Documentation
– System information and documentation
– Operations and support procedures
– Manuals and training materials
– Contracts and agreements
– Business continuity plans
Hardware
– Computing hardware including PCs, Laptops, PDA, communications devices e.g. BlackBerry, and removable media
Miscellaneous
– Environmental services e.g. power and air-conditioning
– People skills and experience
Information Risk Management Policy
• All NHS organisations need a clear IRM policy
• IRM should be a fundamental component of the organisation’s overall business risk management framework
• Some organisations, e.g. PCTs, should develop policies that cover their smaller business partners, e.g. local independent contractors
Information Risk Management Policy 2
• Key aspects of an IRM policy:
– Provide support for the organisation’s business aims and objectives
– Define how the organisation and its delivery partners will manage its information risk
– Identify how risk management effectiveness will be assessed and measured
– Define IRM escalation points and mechanisms