Executive Summary
This policy sets out the technical and organisational
measures required to protect the Trust's information
assets, including systems and networks, patient records
and other corporate information, from all threats to their
security, integrity and availability.
3 Policy Statement
4 Equality analysis
5 Accountability
6 Consultation, Assurance and Approval Process
7 Review and Revision Arrangements
8 Dissemination and Implementation
9 Document Control including Archiving
10 Monitoring Compliance and Effectiveness
10.1 Process for Monitoring Compliance and Effectiveness
13 External References
14 Appendices
3 Policy Statement
3.1 Principles
3.1.4 The Foundation Trust will develop, maintain and use its
information resources in the interests of high quality,
seamless patient care. To this end, it will actively
promote the appropriate sharing of information between
providers, whilst ensuring the proper protection of that
information.
3.2 Practice
3.2.1 The Foundation Trust will establish and maintain a
comprehensive Information Security Management System
(ISMS). This will be based on the NHS Information
Governance Toolkit, underpinned by British and
International Standards for information security (BS
ISO/IEC 27001/2:2005, BS 7799-1/2:2005, etc.). The ISMS
will be developed in accordance with successive versions
of the Toolkit.
5 Accountability
5.1 Chief Executive
5.9 Auditors
a. Information Security Standards within Information Governance Toolkit
   1. In-year reviews and evidence collection
   Director of Systems & Network Services and SNS IG Standards Group
   Ongoing via regular Standards Group meetings
   Information Governance Group
   Director of Systems & Network Services and SNS IG Standards Group
   Information Governance Group; Corporate Risk Management Group; Executive Board; Trust Board
11 Training
Training requirements should be identified during the
development stage.
Any training requirements identified within this policy that are
of a Corporate Statutory or Mandatory nature will be outlined
in the Statutory/Mandatory Training Brochure. This can be
accessed via the link on Staff Room (the Trust Intranet), on
the network at Q:\York Hospital Trust\Mandatory Training or
the Learning Hub (the organisation's online learning
platform).
If this training is deemed to be Statutory or Mandatory and is
not identified within the Statutory/Mandatory Training
Brochure then application must be made by the Policy
Author to the Corporate Learning and Development Team to
have it added.
These training requirements are used to develop the
customised profiles that can be viewed by learners when
they access their personal online learning account. It is then
the learner's responsibility to undertake this learning with the
support of their line manager, and the line manager's
responsibility to review this at the annual KSF appraisal.
The Corporate Statutory and Mandatory Training
Identification Policy and Procedure document describes the
processes relating to the identification, review, delivery and
monitoring of statutory and mandatory training, including non-attendance.
12 Trust Associated Documentation
Information Governance Policy and Strategy
Data Protection Policy
Acceptable Use of Internet and E-Mail
User Access Protocol
Data Quality Policy
Records Management Policy
Risk Management Policy and Procedure
AIRS Policy
Serious Incident Policy
Information Governance Staff Guide Series
13 External References
Health and Social Care Information Centre Information
Security:
http://systems.hscic.gov.uk/infogov/security
Information Governance Toolkit:
https://nww.igt.hscic.gov.uk/
Information Commissioner: www.ico.gov.uk/
14 Appendices
g Religion or Belief
This policy is inclusive and does not differentiate between people
on the basis of this characteristic.
i Carers
This policy is inclusive and does not differentiate between people
on the basis of this characteristic.
j Other Identified Groups
None
4. Engagement and Involvement
a. Was this work subject to consultation? Yes
b. How have you engaged stakeholders in constructing the policy? Via consultation with the Information Governance Group
c. If so, how have you engaged stakeholders in constructing the policy? As above
d. For each engagement activity, please state who was involved, how they were engaged and key outputs:
Medical Director / Caldicott Guardian, Senior Information Risk Owner and representatives of Departments and Directorates on the Information Governance Group
Outputs = review, approval, systems for training and compliance
5. Consultation Outcome
Now consider and detail below how the proposals impact on the elimination of discrimination, harassment and victimisation, advance equality of opportunity and promote good relations between groups.
a Eliminate discrimination, harassment and victimisation: Makes information rights available to all
b Advance Equality of Opportunity: Makes information rights available to all
Title of document being reviewed: | Yes/No/Unsure | Comments
1 Development and Management of Policies
Is the title clear and unambiguous? Yes
Is it clear whether the document is a guideline, policy, protocol or procedure? Yes
2 Rationale
Are reasons for development of the document stated? Yes
3 Development Process
Is the method described in brief? Yes
Are individuals involved in the development identified? Yes
Do you feel a reasonable attempt has been made to ensure relevant expertise has been used? Yes
Is there evidence of consultation with stakeholders and users? Yes
Has an operational, manpower and financial resource assessment been undertaken? Yes
4 Content
Is the document linked to a strategy? Yes
Is the objective of the document clear? Yes
Is the target population clear and unambiguous? Yes
Are the intended outcomes described? Yes
6 Approval
Does the document identify which committee/group will approve it? Yes
If appropriate, have the staff side committee (or equivalent) approved the document? Yes
7 Dissemination and Implementation
Is there an outline/plan to identify how this will be done? Yes
Does the plan include the necessary training/support to ensure compliance? Yes
8 Document Control
Does the document identify where it will be held? Yes
Have archiving arrangements for superseded documents been addressed? Yes
Individual Approval
If you are happy to approve this document, please sign and date it and forward it to the chair of the committee/group where it will receive final approval.
Name: Sue Rushbrook    Date: May 2014
Signature: Sue Rushbrook
Committee Approval
If the committee is happy to approve this document, please sign and date it and forward copies to the person with responsibility for disseminating and implementing the document and the person who is responsible for maintaining the organisation's database of approved documents.
Name / Signature: Approved by the Chair of the Information Governance Group    Date: June 2014
Dissemination Grid
To be disseminated to: Notice of update to all staff with summary of requirements
Method of dissemination: Induction; Mandatory Training Programme; Staff Room
Who will do it? Systems and Network Services Team; IG Team
And when? Next available
Format (i.e. paper or electronic): Electronic
Dissemination Record
Date put on register / library: On Approval
Review date: Unknown
Disseminated to: All staff via Staff Room
Format (i.e. paper or electronic): Electronic
Date Disseminated:
No. of Copies Sent: N/A
Contact Details / Comments: No substantial change to communicate. Supporting IG Staff Guides set out detailed requirements.