The information held by the NHS Counter Fraud Authority (NHSCFA) represents one of its most valuable assets. Without ‘information’ the NHSCFA could not undertake its functions and therefore it is essential that all information and information systems at NHSCFA's sites, are protected against the many threats which may affect its integrity and confidentiality as well as its overall service provision. Such threats can range from accidental damage to deliberate disclosure of sensitive information.
Information security is the responsibility of every member of NHSCFA staff. The information systems currently in use employ technical processes to help in maintaining the confidentiality, integrity and availability of the information they hold. However, these security measures can be weakened through carelessness such as writing down or sharing a password.
The scope of this Information Governance (IG) policy is to support the protection, control and management of NHSCFA’s information assets. The policy is concerned with all information systems, electronic and non-electronic and will apply to all business units and sites within NHSCFA, as well as to any contractors or third-party service providers. It will cover all information within the NHSCFA, which could include data and information that is:
- stored on computers
- transmitted across internal and public networks such as email or intranet/internet
- stored within databases
- printed or handwritten on paper, white boards etc.
- sent by any other electronic communications method
- stored on removable media such as CD-ROMs, hard disks, memory sticks, tapes and other similar media
- held on film or microfiche
- presented on slides, overhead projectors or other visual and audio media
- spoken during telephone calls, in meetings or conveyed by any other method.
The NHSCFA is committed to properly protecting the information that it holds. This policy and associated practices and procedures have been agreed by the Board.
This document defines the IG policy for the NHSCFA.
The IG policy applies to all information obtained and processed by the NHSCFA and its staff.
- sets out the NHSCFA’s policy for the protection of all information obtained and processed; and
- establishes the responsibilities for IG.
There are four key interlinked strands to this policy:
- legal compliance
- information security
- quality assurance
- The NHSCFA recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.
- Information will be defined and where appropriate kept confidential, underpinning the principles of Caldicott and the regulations outlined in the General Data Protection Regulations (GDPR) 2016 and the Data Protection Act 2018. Non-confidential information about the NHSCFA and its services will be available to the public through a variety of means, one of which will be the provisions of the Freedom of Information Act (FOIA) 2000.
- There are clear procedures and arrangements in place for handling queries from members of the public.
- The NHSCFA, will through its Organisational Development Unit’s Standard Operating Practices (SOPs), have clear procedures and arrangements for liaison with the press and broadcast media.
- Integrity of information will be developed, monitored and maintained to ensure that it is appropriate for its intended purposes.
- Availability of information for operational purposes will be maintained within set parameters relating to its importance via appropriate procedures and computer system resilience.
- The NHSCFA regards all identifiable personal information relating to members of the public as confidential, compliance with legal and regulatory frameworks will be achieved, monitored and maintained.
- The NHSCFA regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness otherwise requires.
- Awareness and understanding of all staff, with regard to their responsibilities, will be routinely assessed, recorded and appropriate training and awareness provided.
- Risk assessment(s) in conjunction with overall priority planning of NHSCFA activity by the Board, will be undertaken to determine appropriate, cost-effective IG controls are in place.
- The NHSCFA regards all identifiable personal information relating to members of the public as confidential except where national policy on accountability and openness requires otherwise
- The NHSCFA will undertake annual internal and external assessments and audits of its compliance against legal requirements. This will be agreed by the Board through an approved Governance and Assurance exercise or through the commission of an external audit
- The NHSCFA regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise
- The NHSCFA will establish and maintain organisational policies and procedures to ensure compliance with the GDPR, DPA FOIA, Human Rights Act (HRA) 1998 and the common law duty of confidentiality
- The NHSCFA will establish and maintain Information Sharing Agreements (ISAs) and policies for the controlled and appropriate sharing of person and/or patient identifiable information with other agencies, taking into account relevant legislative provisions.
- The NHSCFA will establish and maintain policies for the effective and secure management of its information assets and resources.
- Internal and/or external audits will be undertaken to assess information and IT security arrangements.
- The NHSCFA’s incident reporting systems will be used to report, monitor and investigate all breaches of information and information and security.
Information quality assurance:
- The NHSCFA will establish and maintain policies for information quality assurance and the effective management of records.
- Board approved audits will be undertaken or commissioned of the NHSCFA’s quality of data and records management arrangements.
- Unit Leads will be expected to take ownership of and seek to improve, the quality of data within their business units, within cost effective resource parameters
- Wherever possible, information quality will be assured at the point of collection.
- The NHSCFA will promote data quality through ISAs, policies, procedures and training.
This policy and any associated procedures will be reviewed at biennially by the Information Governance Lead. Where review is necessary due to legislative changes this will take place immediately.
This policy covers all forms of information held by the NHSCFA, including but not limited to:
- information about members of the public
- staff and personnel information
- organisational, business and operational information
This policy applies to all aspects of information handling, including but not limited to:
- structured record systems (paper and electronic)
- information recording and processing systems whether paper, electronic, video or audio records
- information transmission systems, such as internet portals, e-mail, portable media, post and telephone.
This policy covers all information systems purchased, developed and managed by or on behalf of, the NHSCFA and any individual directly employed or otherwise by the organisation.
IG is a function of corporate governance that helps ensure the confidentiality, integrity and availability of NHSCFA’s information assets. It is concerned with the facilitation of delivering accurate contextual information to those who require it for a recognised purpose, whilst complying with legal and regulatory frameworks.
An Information Governance System (IGS) which comprises associated policies, procedures, protocols & guidelines and their on-going monitoring, ensures that the risks to such information assets are identified, assessed and adequately controlled in compliance with:
- the current legislative framework
- applicable NHS codes of practice and regulations
- recognised best practice for information handling and information security; and
- information governance requirements
Developing an overall IGS will include:
- defining an IG policy and strategy
- identifying (auditing of) all existing information assets and its documentation thereof, in an appropriate information asset register
- completion of a formal risk assessment, identifying threats and vulnerabilities to assets and systems and the potential associated impacts on delivery that each risk could eventually cause
- assessment, costing, selection and implementation of appropriate controls and the development of procedure and process-related documentation
- production of and the combining of documentation to allow where desired formal accreditation to the adopted standard of information security (e.g. ISO 27001)
- the on-going monitoring of the effectiveness of the IGS and review of controls accordingly
- compliance with the NHS Digital IG toolkit standards
Information Governance responsibilities
It is the role of the NHSCFA Information Governance Team, with the approval of the Board to define NHSCFA policy in respect of IG, taking into account legal and NHS requirements. The Board is responsible for ensuring that sufficient resources are provided to support the requirements of this policy.
The Board, whilst retaining their legal responsibilities, have delegated IG compliance to the Director of Finance who heads the Finance & Corporate Governance Unit.
The Information Governance Team is responsible for overseeing day-to-day IG issues; developing and maintaining policies, standards, procedures and guidance, coordinating IG in the NHSCFA and together with the Organisational Development Unit raise awareness and adopt best practices.
Unit Leads within the NHSCFA are responsible for ensuring that this policy and its supporting guidance documents are built into their (SOPs), to facilitate on-going compliance.
All staff whether permanent, temporary or contracted are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring their compliance in accordance with organisational training.
Validity of this policy
This policy will be reviewed biennially under the authority of the Board.
Associated IG standards will be subject to periodic on-going development and review.