Information Governance Strategy

Portsmouth Hospitals NHS Trust
Information Governance Strategy
2015 – 2017
Version: 5
Name of responsible (ratifying) committee: Information Governance Steering Group
Date ratified: 11 March 2015
Document Manager (job title): Information Governance Manager
Date issued: 01 June 2015
Review date: 01 January 2018
Related Procedural Documents: Confidentiality Code of Conduct, ICT Security Policy, Information Governance Policy, Data Protection Policy, Records Management Strategy, Safe Haven Policy, Email Policy
Key Words (to aid with searching): Information Governance, Confidentiality, Information Security, Data Protection, Information Sharing, Encryption, Records Management, Freedom of Information
Portsmouth Hospitals NHS Trust – Information Governance Strategy 2015-2017
Page 1 of 10
1. Introduction
1.1. Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources throughout the Trust. It plays a key part in clinical governance, service planning and performance management.
1.2. It is therefore of paramount importance that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management to assure and demonstrate the proactive use of information as determined by legislative acts, statutes, regulatory requirements and best practice.
1.3. Information Governance is a “framework for handling information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service”. It brings together within a singular cohesive framework, the interdependent requirements and standards of practice.
1.4. Information Governance is not simply a matter of good corporate housekeeping. Good Information Governance can undoubtedly lead to efficiency gains and make for more effective management.
1.5. The Trust is required to have effective arrangements in place to govern the uses of information and information systems, as set out in the Information Governance Toolkit, the CQC Essential Standards of Quality and Safety (to be replaced by new “Fundamental Standards” from April 2015) and the NHS Litigation Authority Risk Management Standards.
1.6. This strategy sets out the approach to be taken within the Trust to ensure legal and regulatory compliance for the management of information.
1.7. The principles cover all aspects of information handling within the Trust, including patient / service user information, staff related information and Trust corporate / business information. The principles cover all aspects of handling information, including structured record systems (paper & electronic).
1.8. The Information Governance agenda encompasses the following areas:
• Caldicott
• NHS Confidentiality Code of Practice
• Data Protection Act (1998)
• Freedom of Information Act (2000)
• Records Management (Personal and Corporate Records)
• Information Security
• Information Quality
• Confidentiality
• Openness
• Legal Compliance
2. Aims and Objectives
2.1. There are four fundamental aims of this Strategy:
• To support the provision of high quality care by promoting the effective and appropriate use of information
• To encourage responsible staff to work closely together, prevent duplication of effort and enable efficient use of resources
• To develop support arrangements and provide staff with appropriate tools and support to enable them to carry out their responsibilities to consistently high standards
• To enable the Trust to understand its own performance, manage improvement in a systematic and effective manner and reduce risk
2.2. Effective information governance can be demonstrated within the Trust by:
• Complying with all relevant legislation
• Establishing, implementing and maintaining policies for the effective management of information
• Recognising the need for an appropriate balance between openness and confidentiality in the management and use of information
• Ensuring all Trust staff follow and promote best practice
• Ensuring maintenance or year on year improvement with the Information Governance Toolkit assessment
• Developing an Information Governance culture throughout the Trust
• Helping staff to manage personal information for the benefit of patient care
• Reducing duplication and looking at new ways of working effectively and efficiently
• Minimising the risk of breaches of personal data
• Minimising inappropriate uses of personal data
2.3. The Trust must satisfy the NHS Constitution regarding people’s rights, which states “You can expect the NHS to keep your confidential information safe and secure.”
2.4. Strategic Objectives 2015 – 2017
Objective | Requirement / Plan | Monitoring / Assessment | Lead / Target Date
Continue to achieve ‘Satisfactory’ compliance with the NHS Information Governance Toolkit | Overarching and individual action and improvement plans are set out on the Trust intranet | Submissions using the Information Governance Toolkit / Internal Audit | Information Governance Manager; March 2015; March 2016
Promote responsible, patient-centred information sharing in line with the principal recommendations of the Caldicott 2: Information Governance Review | Central monitoring being undertaken by the Information Governance Alliance (IGA) | Quarterly submissions to the IGA | Information Governance Manager; July 2015 (for initial targets)
Identify and reduce Information Risks and reduce the potential impact of Information Governance incidents | Many risk mitigation activities as part of the Information Risk Management agenda, which requires regular reporting from Information Asset Owners to Senior Information Risk Owner and on to Trust Board | Dedicated Information Risk Assurance reports to the Senior Information Risk Owner / Information Risk Annual Report to Trust Board; Regular analysis of Information Governance incidents / Bi-annual report on incidents to the Information Governance Steering Group | Senior Information Risk Owner / Information Governance Manager; Ongoing work programme
Promote a culture of openness and transparency in line with the spirit of the Freedom of Information Act and the Government’s Transparency Agenda | Achieve and maintain compliance with informal and formal Freedom of Information requirements; Proactively publish information and datasets in line with matters of public interest and the Government’s Transparency Agenda | Bi-annual report on Freedom of Information compliance to the Information Governance Steering Group; Transparency Agenda expectations reported to relevant staff on an ad hoc basis | Information Governance Manager; Ongoing work programme
Understand the implications and prepare for the impact of changes to EU Data Protection legislation | Maintain awareness of the EU Data Protection Directive proposals and ensure appropriate staff in the Trust are briefed; Develop plans to ensure compliance as requirements become formalised at EU level | Reporting to Information Governance Steering Group as required in order to promote awareness or raise issues for decisions | Information Governance Manager; To be determined by legislative timelines (expected to be during 2016)
Promote the principles of Privacy by Design and embed a culture that understands the value of early privacy assessment in the project / change cycle | Promotion of the use of Privacy Impact Assessments | Presentation of Privacy Impact Assessments to the Information Governance Steering Group as necessary; Bi-Annual completion of Information Governance Compliance Monitoring Tools assessing awareness of Privacy Impact Assessments | Information Governance Manager; Ongoing work programme
3. Strategy Implementation
3.1. This strategy is underpinned through development, monitoring and enhancement of the following measures:
3.1.3. Information Governance Management Framework
Senior Roles
Role | Filled By | Details
Accountable Officer | Chief Executive Officer | Overall responsibility for all aspects of Information Governance
Information Governance Lead | Information Governance Manager | Responsibility for assessing, monitoring and reporting compliance with, and emerging issues in, Information Governance
Senior Information Risk Owner (SIRO) | Company Secretary | Implement and lead the Information Governance risk assessment and management process
Caldicott Guardian | Medical Director | Responsibility for safeguarding the confidentiality of, and access to, patient information
Information Governance Incident Management | Head of Patient Safety; Senior Information Risk Owner; Information Governance Manager | Responsibility for the incident management process / chairing incident panels / investigations and investigation subject matter expertise
Data Protection and Freedom of Information Lead | Information Governance Manager | Responsibility for assessing and monitoring compliance with Data Protection and Freedom of Information legislative requirements
Information Quality Lead | Business Intelligence Manager | Responsibility for promoting awareness of the importance of Data Quality within the Trust
Health Records Lead | Operational Manager – Health Records Library | Management of the Trust’s Health Records Library function
Records Management Lead | Information Governance Manager | Advice on, and monitoring compliance with, legal and best practice in records management
3.1.4. Information Governance Policies
Key Policies
All policies are distributed to CSC General Managers and to all CSCs and Corporate Functions via their IGSG (or other approving body) representative.
Policy Name | Responsible Manager | Ratifying Body
Access to Personal Records Policy | Information Governance Manager | Information Governance Steering Group
Adverse Incidents and Near Misses Policy | Head of Patient Safety | Patient Safety Working Committee
Clinical Records Management Policy | Information Governance Manager | Information Governance Steering Group
Confidentiality Code of Conduct | Information Governance Manager | Information Governance Steering Group
Data Protection Policy | Information Governance Manager | Information Governance Steering Group
Data Quality Policy | Business Intelligence Manager | Information Governance Steering Group
Disclosure of Information to the Police Policy | Information Governance Manager | Information Governance Steering Group
E-mail Policy | Head of ICT Operations | ICT Strategy Group
Freedom of Information Policy | Information Governance Manager | Information Governance Steering Group
Freedom of Information Request Handling Policy | Information Governance Manager | Information Governance Steering Group
ICT Security Policy | ICT Security Lead | Information Governance Steering Group
Information Risk Policy | Information Governance Manager | Information Governance Steering Group
Photographic Imaging, Consent and Confidentiality Policy | Information Governance Manager | Information Governance Steering Group
Pseudonymisation Policy | Information Governance Manager | Information Governance Steering Group
Records Management Strategy | Information Governance Manager | Information Governance Steering Group
Information Governance Policy | Information Governance Manager | Information Governance Steering Group
Information Governance Strategy | Information Governance Manager | Information Governance Steering Group
Investigation of Incidents, Complaints and Claims Policy | Head of Patient Safety | Patient Safety Working Group
Non Clinical Records Management Policy | Information Governance Manager | Information Governance Steering Group
Portable Computing Devices Policy | Director of ICT | ICT Steering Group
Records Retention and Disposal Policy | Information Governance Manager | Information Governance Steering Group
Safe Haven Policy | Information Governance Manager | Information Governance Steering Group
Serious Incidents Requiring Investigation Management Policy | Head of Patient Safety | Serious Incident Review Group
3.1.5. Information Governance Training and Assessment Programme
Training and Guidance
Training Type | Details | Frequency
Induction | All staff receive Information Governance training as part of their corporate induction | One time only
Essential Skills Handbook (ESH) and e-assessment via the Electronic Staff Record (ESR) | All staff to read through ESH and then access and complete the e-assessment on ESR | Annual – Mandatory Training Requirement
Information Governance Training and Assessment Booklet | A hard copy training and assessment booklet – to be used only as an alternative training option where the ESH and ESR assessment are impractical | Annual – Mandatory Training Requirement
Specialist Information Governance modules | Particular staff groups identified to undertake specialist IG training (provided by Connecting for Health IGTT) | Frequency determined by the specific modules
3.1.6. Governance Bodies
Key Governance Bodies
Group / Committee | Accountability | Responsibility
Information Governance Steering Group | Governance and Quality Committee | Promote effective Information Governance, maintain a framework to ensure legal compliance, promote local-level responsibility and accountability
Governance and Quality Committee | Trust Board | Implementation and monitoring of the Governance and Quality Strategy / national standards and requirements
Local Governance Meetings | Governance and Quality Committee | Localised compliance monitoring and reporting
Information Risk Management Group | No direct accountability | The identification, planning and implementation of the Information Risk Management Agenda
3.1.7. Major Information Governance Work Programmes
Aspects
Work Programmes
Lead(s)
Requirement
Employee Resourcing Manager
Staff contracts
Information Governance Manager
Contracts with third parties
Information Governance Manager
Information Asset Owners
Senior Information Risk Owner
Information Assets
Information Governance Manager
Information Asset Owners
Information Asset Owners
Data Flow Mapping
Information Governance Manager
Freedom of Information Requests Performance
Information Governance Manager
Freedom of Information Publication Scheme
Information Governance Manager
Health Records Quality Audit
Assessment of compliance with Information Governance requirements, such as Data Protection and Freedom of Information clauses
Identification of all information assets
Risk assessment of information assets and training for staff with responsibilities
Review of flow of Person Identifiable Data into and out of the Trust
Assessment of risk and mitigating action / risk reporting where necessary
To respond to at least 85% of requests within 20 working days (currently an unofficial national target). Internally, to respond to requests within 10 working days.
Identification of information suitable for publication on Trust website
Regular review and update
Information Governance Manager
Specialty Audit Leads
Information Governance Compliance Monitoring and spot checks
Review and assessment of staff Information Governance clauses to ensure they remain compliant with regulatory and legal requirements
Review and update of all contracts relevant to Information Governance
Information Asset Owners
Information Governance Manager
Data Protection – Patient Surveys
Information Governance Manager
Information Risk Management Programme
Senior Information Risk Officer
Information Governance Manager
Annual Trust wide audit of clinical record keeping standards
Monitoring compliance with various legal and regulatory practices (as identified in the Information Governance Toolkit)
Routine assessment of patient satisfaction with Data Protection processes in support of patient awareness, consent and satisfaction
Development and maintenance of Information Risk Management Action Log and annual report to the Trust Board
3.1.8. Information Governance Incident Management
Incident Management
Incident Type | Staff | Role
Information Governance (SIRI) | SIRO and Information Governance Manager | Part of initial and full incident panel / investigation teams
All Information Governance SIRIs | Head of Patient Safety | Reporting all SIRIs to the SHA / Commissioners
SIRI – Level 2+ | Information Governance Manager | Reporting all Level 2+ incidents to the Information Commissioner
3.1.9. Information Governance Resources
Area
Resources
Roles
The Information Governance Manager assumes the roles of Information Governance Lead, Data Protection Lead, Freedom of Information Lead and Records Management Lead
Information Governance
Corporate and Clinical Governance responsibilities and resources sit within local Governance functions
Freedom of Information
The Trust’s Data Quality Lead is a Business Intelligence Manager
Governance Administrator responsible for Freedom of Information request administration
Information Risk Management
Senior Information Risk Owner and Information Asset Owners (and Administrators)
Information Governance Toolkit
Standards Leads are responsible for action planning, implementation, monitoring and reporting compliance with relevant Toolkit standards
Resources
The Information Governance Manager has no dedicated budget or identified in-year expenditure
The Trust relies heavily on its embedded Governance framework, Information Asset Owner structure and bespoke structures for Information Governance programmes in order to deliver the Information Governance Agenda
No specific resource. Workload determined by volume and frequency of requests
A network of approximately 22 Information Asset Owners and 125 Administrators to manage this agenda
No specific resource. May be required to co-opt additional staff for specific requirements
4. Conclusion
4.1. The successful implementation of this Strategy’s objectives and the supporting policies and action plans will ensure that information is legally, effectively and efficiently managed within the Trust.
5. Monitoring the Strategy
5.1. The Information Governance Steering Group will monitor the implementation of this Strategy through specific reports relating to the Strategic Objectives and reports associated with other Information Governance initiatives.
6. References and Associated Documentation
Access to Health Records Act (1990)
http://www.opsi.gov.uk/acts/acts1990/ukpga_19900023_en_1
Caldicott Review of Patient Identifiable Information (1997)
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4068403
Confidentiality: NHS Code of Practice (2003)
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/codes/confcode.pdf
Data Protection Act (1998)
http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1
Department of Health Information Strategy – The Power of Information (2012)
http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_134205.pdf
Department of Health – NHS Informatics Planning 2010/11
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/links/informaticsplanning2010-2011.pdf
Freedom of Information Act (2000)
http://www.opsi.gov.uk/Acts/acts2000/ukpga_20000036_en_1
Human Rights Act (1998)
http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980042_en_1
Information Security Management: NHS Code of Practice (2007)
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/codes/securitycode.pdf
NHS Care Record Guarantee (2011)
http://www.nigb.nhs.uk/pubs/nhscrg.pdf
NHS Information Governance Toolkit (Connecting for Health)
https://nww.igt.connectingforhealth.nhs.uk/
Records Management: NHS Code of Practice (2006)
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747