Information Governance Policy


1.0       INTRODUCTION

  • Information Governance concerns the way Care Services process or handle information. It covers personal information, i.e. that relating to service users and employees, and corporate information, e.g. financial and accounting records.
  • Information Governance allows our Service and individuals to ensure that personal information is handled legally, securely, efficiently and effectively, in order to deliver the best possible care.
  • In addition, it enables our Service to put in place policies and processes for their corporate information that supports the efficient location and retrieval of corporate records where and when needed, in particular to meet requests for information and assist compliance with Corporate Governance standards.
  • Information Governance provides a consistent way for staff to deal with the many different information handling requirements, including the requirements of the following legislation:
      ◦ Digital Economy Act 2017.
      ◦ The Data Protection Act 2018.
      ◦ UK GDPR 2021.
      ◦ Human Rights Act 1993.
      ◦ The Freedom of Information Act 2000.
      ◦ The Access to Medical Records Act 1990.
      ◦ The Health and Social Care Act 2008.
      ◦ Common law Duty of Confidentiality.

2.0       POLICY

2.1       To ensure that our Service is consistent in the way it handles personal and corporate information, and that it always seeks to improve the way it handles information in compliance with information governance legislation and best practice.

3.0       UK GENERAL DATA PROTECTION REGULATION (UKGDPR) 2021 TAILORED TO MEET THE DATA PROTECTION ACT 2018

3.1       Article 5 of the UK GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security).
  • Accountability.

3.2       All organisations that collect or use personal data must comply with the UK GDPR. Our service must:

  • Process the least possible amount of personal data.
  • Only keep it for as long as we need to.
  • Carry out assessments to make sure we process personal data in a lawful way.
  • Take the right steps to protect data and identify risks to privacy.
  • Consider whether the person whose data we want to collect needs to give their consent.
  • Understand and respect the rights of the person whose data we are collecting.
  • Decide whether we need to appoint a data protection officer.
  • Be transparent and open about the processing of personal data.
  • Report any security breaches.

3.3       The full guide to GDPR is available on the ICO website.

3.4       We will use information in accordance with law and best practice.

3.5       We will use information between partner organisations to support the care of Service Users.

3.6       We will maintain policies and procedures to ensure compliance and good governance.

3.7       Our Service will follow a programme of continuous improvement around data management and protection.

4.0 THE NATIONAL DATA GUARDIAN’S STANDARDS

4.1       Our Service will follow the requirements of The National Data Guardian’s 10 standards to protect confidential personal data and handle it securely. They include:

  • Only sharing data for ‘lawful and appropriate’ reasons.
  • Making sure your staff get regular training in data security.
  • Only letting people have access to personal information if they need it for their job.
  • Having a plan for what to do if there’s a threat to data security.
  • Not using older software that’s unsupported – this means it no longer gets technical support from the manufacturer.
  • Having a strategy for protecting your IT systems – you must base this on a proven framework like Cyber Essentials.
  • Having contracts with IT suppliers that hold them to account for the way they handle your information and making sure they meet the National Data Guardian’s standards.

It’s important for the manager to understand the full set of standards. They’re set out in the National Data Guardian’s review of data security, consent and opt-outs.

5.0       DATA PROTECTION TOOLKITS

5.1       The NHS Data Security and Protection Toolkit is an online self-assessment tool that enables our service to measure and publish our performance against the National Data Guardian’s ten data security standards.

5.2       The new incident reporting tool reflects the new reporting requirements of the UK General Data Protection Regulation (UKGDPR), and for relevant organisations the Networks and Information System (NIS) Regulations.

5.3       The NHS Data Security and Protection Toolkit is accessible through the NHS Digital website.

5.4       The Information Commissioner’s Office has produced a data protection self-assessment toolkit. The toolkit provides checklists that enable the manager to assess compliance with data protection law and find out what needs to be done to make sure our service is keeping people’s personal data secure.

5.5       Following completion of the checklists a short report can be generated suggesting practical actions to improve data protection compliance.

6.0       NHS DIGITAL CODE OF PRACTICE

6.1       We will comply with the NHS Digital set of codes that include:

  • Records management: this tells us how long we should keep different types of health and social care records.
  • Confidential information.

6.2       Our service must ‘have regard’ to these two codes. This means we must follow them unless we have a good reason not to, for example if we have a different way of handling these things that is just as effective.

7.0       INFORMATION GOVERNANCE FRAMEWORK

7.1       Information governance provides a framework for our service to bring together all of the requirements, standards and best practice that apply to the handling of information, allowing:

  • Implementation of central advice and guidance.
  • Compliance with the law.
  • Year on year improvement plans.

7.2       At its heart, Information Governance is about setting information handling standards and giving us the tools to achieve those standards. The ultimate goal is to ensure our service and Staff are consistent in the way they handle personal and corporate information and avoid duplication of effort, leading to improvements in:

  • Information handling activities.
  • Service User confidence in care providers.
  • Staff training and development.

7.3       The goal of information governance within our organisation is to apply a holistic approach whilst making information available to those who need it, reducing costs where possible and ensuring compliance of data storage and security.

7.4       It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management within our service.

7.5       We recognise the principles of Caldicott and the regulations outlined in the Data Protection and Freedom of Information Acts and a need for an appropriate balance between openness and confidentiality in the management and use of information.

8.0       IMPLEMENTATION OF THE ACCESSIBLE INFORMATION STANDARD

8.1       The aim of the accessible information standard is to make sure that people who have a disability, impairment or sensory loss get information that they can access and understand, and any communication support that they need.

8.2       The standard requires our service to make sure that service users, and their carers, can access and understand the information they are given. This includes making sure that people get information in different formats if they need it, for example in large print, braille, easy read or via email.

8.3       The accessible information standard also requires our service to make sure that people get any support with communication that they need, for example support from a British Sign Language (BSL) interpreter, deafblind manual interpreter or an advocate.

9.0       RESPONSIBILITIES OF STAFF

9.1       Managers and staff should demonstrate a commitment to the principles of Information Governance and the General Data Protection Regulation (see policy: Compliance with General Data Protection Regulation, Ref: UKGDPR).

9.2       The manager (data controller) is responsible for ensuring that all personal data is processed in line with the legal requirements of (UKGDPR).

9.3       The manager will nominate a senior member of staff to be responsible for the implementation, oversight and maintenance of our Service’s obligations under the UK GDPR.

9.4       The manager will ensure that all staff are trained to understand their responsibilities for data protection including (UKGDPR).

9.5       The manager is responsible for ensuring that data protection policies are effectively monitored by a person who does not have responsibilities for the policy in order to maintain independence.

9.6       All staff must ensure at all times that high standards of data quality, data protection, integrity, confidentiality and records management are met in compliance with the relevant legislation. It is the responsibility of the manager to ensure that all staff familiarise themselves with this policy and adhere to its principles.

9.7       All staff should:

  • Foster a culture that values, protects and uses information responsibly and ultimately for the benefit of Service Users.
  • Adhere to the regulations related to information governance and (UKGDPR);
  • Attend mandatory training related to information governance and (UKGDPR) at least annually;
  • Be open and honest in informing their line manager of any inadvertent failure to conform with (UKGDPR) and this Information Governance Policy.

10.0     INFORMATION SHARING

10.1     We will obtain Service Users’ consent and explain to them when we are required to receive personal data from, or share it with, other organisations. This can include inter-agency meetings where multi-agency care plans are discussed and put in place for Service Users.

10.2     Where we are required to implement formal data sharing arrangements we will:

  • Stipulate when information can be shared;
  • Specify what security measures need to be in place;
  • Specify who is allowed to authorise data sharing;
  • Require records of sharing to be maintained; and
  • Ensure requirements for dealing with subject access requests or, where applicable, freedom of information requests are specified.

10.3     We will establish formal agreements with organisations where we are required to share information. We will determine how the information will be processed over its lifecycle, including how it is disposed of.

10.4     We will review these agreements regularly and ensure they continue to meet the Service’s requirements.

11.0     INFORMATION RISKS

11.1     We will manage information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

11.2     We will use our risk management procedures to manage information risk.

11.3     The nominated senior person for data protection will be responsible for managing information risks, coordinating the procedures put in place to mitigate them, and for logging and risk-assessing information.

11.4     Where information risks are identified the manager will put in place action plans to address them. Records should be kept of the actions taken.

12.0     DATA PROTECTION IMPACT ASSESSMENTS

12.1     Prior to the introduction of any new technology that may have an impact on the processing of the data subject’s personal information, the manager will carry out a data protection impact assessment to ensure that any risks to the information are addressed and controls put in place.

13.0     RECORDS

13.1     We shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:

  • The name and details of our Service, and the senior person responsible for data protection;
  • The purposes for which we collect, hold, and process personal data;
  • Details of the categories of personal data collected, held, and processed;
  • Details of how long personal data will be retained (please refer to the Data Retention Policy); and
  • Detailed descriptions of all technical and organisational measures taken to ensure the security of personal data.

14.0     DATA BREACH

14.1     A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This means that a breach is more than just losing personal data.

14.2     We are required to notify the Information Commissioner’s Office (ICO) of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

14.3     We will assess any data breach on an individual basis to establish the seriousness of the incident. Where the breach is considered serious, for example the theft or loss of a Service User’s personal information, we will notify the Information Commissioner’s Office (ICO) of the loss.

Notifying Service Users

14.4     Where a breach is likely to result in a high risk to the rights and freedoms of Service Users, Staff or volunteers, we must notify those concerned directly.

14.5     ‘High risk’ means that the threshold for notifying individuals is higher than the threshold for notifying the Information Commissioner’s Office (ICO).

What information must a breach notification contain?

14.6     A breach notification must describe the nature of the personal data breach, including, where possible:

  • The categories and approximate number of individuals concerned; and the categories and approximate number of personal data records concerned;
  • The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

How do I notify a breach?

14.7     A notifiable breach has to be reported to the Information Commissioner’s Office (ICO) within 72 hours of our Service becoming aware of it. The UK GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows the information to be provided in phases.

Response and Evaluation of the breach

14.8     Following a data breach we will investigate the causes of the breach and evaluate the effectiveness of our response to it.

14.9     We will take steps to prevent any further data breach incidents, including:

  • Making sure that we are fully aware of what personal data is held and where and how it is stored;
  • Establishing where the biggest risks lie, for example how much sensitive personal data we hold;
  • Giving consideration to the risks that arise when sharing with or disclosing to others;
  • Ensuring the method of transmission is secure and only sharing or disclosing the minimum amount of data necessary, so that even if a breach occurs the risks are reduced;
  • Identifying weak points in our existing security measures, such as the use of portable storage devices or access to public networks;
  • Monitoring staff awareness of security issues and looking to fill any gaps through training or tailored advice;
  • Considering whether we need to establish a group of technical and non-technical staff who discuss ‘what if’ scenarios – this would highlight risks and weaknesses as well as giving staff at different levels the opportunity to suggest solutions;
  • Where a Business Continuity Plan for dealing with serious incidents is in place, considering implementing a similar plan for data security breaches;
  • Identifying a group of people responsible for reacting to reported breaches of security.

15.0     MONITORING AND COMPLIANCE

15.1     We recognise that having data protection policies and procedures in place is not enough. We need to ensure through monitoring and review that they are working as intended in practice.

15.2     We will continually monitor and audit how information is handled and processed as part of the management review process of our Service.

15.3     This policy will be reviewed annually to ensure it continues to meet UK GDPR and information governance requirements.

Mercia Homecare Limited’s Data Controller is David Deuchar and he can be contacted at david@merciahomecare.co.uk or by phone on 0333 772 1161