Information Governance (IG) is a set of multi-disciplinary structures, policies, procedures, processes and controls, implemented to manage information at an organisational level.

Information Governance supports Woodcock Road Surgery’s immediate and future regulatory, legal, risk, environmental and operational requirements. Information is a vital asset, both in terms of commercial development and the efficient management of services and resources. It plays a key part in governance, service planning, and performance management.

It is therefore of critical importance to ensure that information is appropriately managed, and that policies, procedures and management accountability and structures provide a robust governance framework for information management.

Woodcock Road Surgery recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. Woodcock Road Surgery fully supports the principles of clinical and corporate governance and recognises the power of public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients, the public and staff and commercially sensitive information. Woodcock Road Surgery also recognises the need to share information with commissioners, partners and other third parties in a controlled manner consistent with the established lawful basis.

This overarching Information Governance Policy and the associated protocols sets out Woodcock Road Surgery’s policy concerning the governance of:

• Privacy
• Information and cybersecurity
• Data quality and records management

Statutory Mandatory Framework

This policy serves to support Woodcock Road Surgery to navigate and comply with the complex framework within which Information Governance operates.

This framework includes but is not limited to:

• NHS Act 2006
• Health and Social Care Act 2012
• Data Protection Act 2018
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Computer Misuse Act 1990
• General Data Protection Regulations (EU) (2016/679)
• Mental Health Capacity Act 2005
• Children Act 1989
• DH Records Management Code of Practice
• DH Information Security Code of Practice
• DH Confidentiality Code of Practice

Accountable Parties

Dr D Ling has overall responsibility for Information Governance at Woodcock Road Surgery.

As the senior accountable officer, he is responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to provide the necessary assurance to internal and external stakeholders.

Dr D Ling has a particular responsibility for ensuring that Woodcock Road Surgery meets its corporate legal responsibilities, and for the adoption of internal and external governance requirements.

Senior Information Risk Owner (SIRO)

The SIRO:

• Leads and fosters a culture that values, protects and uses information for the success of the organisation and benefit of its customers.
• Owns the organisation’s overall information risk policy and risk assessment
  processes and ensuring they are implemented consistently by Information Asset Owners / Administrators.
• Owns the organisation’s information incident management framework

Information Asset Owners (IAOs)

The IAO will hold local responsibility for information risk management, devolved to the relevant directors, department leads by the SIRO. Business function leads within Woodcock Road Surgery have overall responsibility for the management of risks generated by their information assets and are supported on a daily basis by Information Asset Administrators.

Caldicott Guardian Function

The Caldicott guardian will:

• Produce procedures, guidelines and protocols to support staff in the appropriate management of patient information.
• Provide a point of escalation and specialist advice for staff with respect to information sharing, acting as the conscience of the organisation.
• Bring to the attention of the relevant manager any occasion where the appropriate procedures, guidelines and protocols may have not been followed and raise concerns about any inappropriate uses made of patient information where necessary.

Data Protection Officer (DPO)

The DPO will:

• Inform and advise the organisation and its employees about their obligations to comply with the data protection legislation.
• Monitor compliance with the data protection legislation, including managing internal data protection activities, advice on data protection impact assessments; train staff and conduct internal audits.
• Be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, patients etc).

All Staff

All staff, whether clinical or administrative, who create, receive and use data have information governance responsibilities. Employees have a contractual and legal obligation to read and comply with all company policies and to attend mandatory training to support the appropriate management of information.

Openness

Non-confidential information related to Woodcock Road Surgery and its services will be available to the public through a variety of media, in line with Woodcock Road Surgery’s overall commitment to transparency.

Woodcock Road Surgery will adopt and maintain clear procedures and arrangements for liaison with the press and broadcasting media. It will adopt and maintain an information right and access protocol and a Freedom of Information protocol to provide guidance for handling queries from data subjects and the public.

Privacy and Information Rights

• Woodcock Road Surgery is committed to the privacy of its patients, staff and the public. Woodcock Road Surgery will undertake or commission annual assessments and audits of its compliance with privacy legislation and will adopt and maintain a protocol for completion of data protection impact assessments.
• Woodcock Road Surgery regards all Personal Data relating to staff as confidential except where national policy on accountability and openness requires otherwise.
• Woodcock Road Surgery will adopt and maintain protocols to ensure compliance with the Data Protection Act, General Data Protection Regulations, Human Rights Act and the common law confidentiality.
• Woodcock Road Surgery will establish and maintain protocols for the controlled and appropriate sharing of personal information with other agencies, taking account of relevant legislation (e.g. Data Protection Act, Human Rights Act).
• Woodcock Road Surgery will ensure that contractual or best practice documents are in place for routine sharing of information between sharing partners.

Information Security

• Woodcock Road Surgery will adopt and maintain protocols for the effective and secure management of its information assets and resources.
• Woodcock Road Surgery will undertake or commission annual assessments and audits of its information and IT security arrangements.
• Woodcock Road Surgery will promote effective information and cybersecurity practice to its staff through policies, procedures and training.
• Woodcock Road Surgery will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of information and cybersecurity.

Information Quality and Records Management

• Woodcock Road Surgery will establish and maintain protocols and procedures for information quality assurance and the effective management of records.
• Woodcock Road Surgery will undertake or commission annual assessments and audits of its information quality and records management arrangements. Managers will be expected to take ownership of, and seek to improve, the quality of information within their services. Wherever possible, information quality will be assured at the point of collection.
• Data standards will be set through a clear and consistent definition of data items, in accordance with national standards.
• Woodcock Road Surgery will promote information quality and effective records management through protocols, procedures/user manuals and training.