Information governance strategy
Our Information Governance Framework 2021-2023.
This strategy describes the continuing development, implementation and embedding of a robust Information Governance (IG) framework required for the effective management and protection of NHS Counter Fraud Authority (NHSCFA) information.
IG describes the approach within which accountability, standards, policies and procedures are developed and implemented, to ensure that all information created, obtained or received by the organisation is held and used appropriately.
The strategy confirms NHSCFA’s commitment to compliance with information rights legislation and confirms our commitment to good practice. It sets out an approach that will deliver all of the essential compliance elements, in a way that also actively enables and supports the delivery of the organisation’s corporate objectives and allows it to exploit new and emerging opportunities.
NHSCFA has a responsibility to manage and protect a wide range of information to ensure that it remains confidential and that its integrity and availability are preserved. Such information includes:
This approach will allow NHSCFA to further its corporate objectives by being open and transparent about what it does and to be accountable for the actions it takes. It will give confidence to those who provide or share person identifiable information with us, that their information will be handled and managed appropriately.
This strategy is applicable to all NHSCFA staff and business units, information systems and records and other information assets of the organisation and includes within its scope:
This strategy excludes NHSCFA’s obligations in relation to the handling of information requests made to the organisation under the General Data Protection Regulation (GDPR) 2016, the Data Protection Act 2018 and the Freedom of Information Act 2000.
In NHSCFA’s plan, as part of its strategic goal to develop and use its intelligence function, to analyse the crime risks across the NHS and wider health group, it is also committed to pursuing the following objectives:
If we are to achieve these objectives, NHSCFA must create an environment which ensures that:
This information governance strategy is a clear statement of NHSCFA’s commitment to high quality information management and to technical and physical information security good practice. It recognises that investment in information governance supports and contributes to both our corporate objectives and our regulatory responsibilities.
NHSCFA as a data controller will be subject to a legal framework, including but not limited to the:
Other related legislative and common law provisions:
Related guidance and codes of good practice:
There are three elements to NHSCFA’s information governance landscape; information security, data protection and records management. Each element requires policy, process and defined standards. While there are overlaps between the elements, each has its primary focus and together they form a complete information governance discipline. NHSCFA’s information governance aims are described below encompassing all of these elements and other important considerations. The achievement of these aims will not only help to deliver essential compliance requirements, but will also enable and support the organisation’s core business functions.
We have implemented a comprehensive information security management system (ISMS) aligned to the international best practice standard ISO 27001. This will ensure that NHSCFA has robust, proportionate and compliant information security measures in place so that the organisation is protected against threats from unauthorised or unintended access, destruction, disclosure or tampering.
All business units will work to ensure that information security policies are aligned with operational requirements and find solutions appropriate to NHSCFA’s risk appetite. NHSCFA will support its staff by ensuring that information security policies and processes are clear and easy to understand, that help and guidance are available when needed, and by providing appropriate training to minimise the risk of error. NHSCFA will provide an assurance function that sets clear security standards against which all technology developments will be measured.
The General Data Protection Regulation (GDPR) 2016 and the Data Protection Act 2018 set out the requirements and safeguards which must be applied to personal data, to ensure the rights and freedoms of living individuals are not compromised. It is NHSCFA’s obligation as a Data Controller to comply with the Regulation and the Act.
We will ensure that staff competency in records management is developed and supported by appropriate processes and technologies, to achieve the following benefits:
It is essential not only that all information is used, communicated, transferred and stored in a manner that complies with the broader information management and security framework of the NHSCFA, but also that disposal of records is undertaken in accordance with legislation, key guidance and the organisation’s Data Handling, Storage Retention & Records Management policy and accompanying data retention schedule.
Management and staff should be undertaking regular reviews, every 6 to 12 months, of the data they hold, to help guard against exposing the organisation to unnecessary and avoidable risk. Any data no longer required for the purposes for which it was obtained should, with the authority of the Information Asset Owner and/or the SIRO, be deleted.
NHSCFA will ensure that its information governance policies are embedded in the day to day operations of the organisation, that they are compliant with relevant legislation, standards and codes of practice, to demonstrate good practice and meet the public interest. The policies are based on a risk management approach that recognises that information has significant value, is commensurate with our stated risk appetite and is aligned with business requirements.
NHSCFA will aim to embed a high level of staff and stakeholder awareness of the organisation’s governance policy and processes, to help achieve compliance and reduce the risk of avoidable incidents and breaches through error. It will foster a culture of personal responsibility, ownership and commitment to the highest standards of information handling to support and enable our business functions.
NHSCFA will ensure that there are processes in place to check whether information governance policies are being adhered to and to measure their effectiveness. The Governance and Assurance team will work with business unit leads and Information Asset Owners (IAOs) to gain feedback about the practical operation of policies and practice.
NHSCFA will act on this feedback and make appropriate changes where necessary. Governance and Assurance, Information Governance and IAOs will work together to share experience and maximise the opportunities to learn from examples of good practice, both internal and external.
We have appropriate structures in place to ensure that there are clear delegated duties, responsibilities, decision-making powers and processes embedded within NHSCFA’s operational processes. Roles and responsibilities are described in brief below.
Richard Hampton is the NHSCFA’s SIRO and is a member of the Senior Management Team (SMT). His role is to take ownership of the organisation's information risks, act as an advocate for the management of information risk to the SMT and provide written advice having considered the annual governance and assurance report/statement in respect of information risk.
The SIRO has overall responsibility for understanding how the strategic business goals of the organisation may be impacted by information risks and helping to promote information governance policy across the organisation.
NHSCFA’s Chief Executive Officer is the Caldicott Guardian and is supported, in their absence, by the Head of Operations. The Guardian plays a key role in ensuring that NHSCFA and stakeholder organisations satisfy the highest practical standards for handling person identifiable information, acting as the ‘conscience’ of the organisation.
The Caldicott Guardian also has a strategic role alongside the SIRO, to champion information governance requirements and issues across all of the business units as part of the organisation’s overall governance framework.
The Information Governance and Risk Management Lead is responsible for the provision of subject matter expertise to the organisation, in respect of legislative compliance and adhering to best practice in Information Rights, Records/Content Management and Information Security.
IAOs are accountable for the quality of and access to information created, received or obtained by their business area. Additionally, IAOs are responsible for identifying, assessing and managing the risk associated with their information assets.
All NHSCFA staff have a personal responsibility to understand and adhere to the organisation’s information governance policies and procedures, applicable to their specific role and business area.
NHSCFA will have independent, internal and external assurance arrangements in place to ensure compliance with information governance and information security legislation, regulations and good practice.
The implementation of the Information Governance strategy, policy and procedures will ensure that information is more effectively managed within NHSCFA.
This document will be reviewed at least biennially and an action plan developed against the IG toolkit to identify key areas for continuous improvement.