Information Governance Policy
Care service name: Jasmine Care South East Ltd
Introduction and Policy Aims
Information governance represents the systems, policies, procedures and processes adopted by the care service to ensure that data is always:
⦁ obtained fairly and lawfully
⦁ held securely and confidentially
⦁ recorded accurately and reliably
⦁ used effectively and ethically
⦁ shared and disclosed appropriately and lawfully
⦁ disposed of safely to the standards required, when no longer needed.
The policy describes how this care provider manages any data, which it keeps and to which it has access, so that the information is always held safely and securely, and is lawfully used. In carrying on its business of providing care and treatment, the care service will obtain and use the personal data of different groups of people: its service users and others relevant to them, its employees and others, such as contractors and suppliers of goods and services. The care service is bound by law and its registration requirements to achieve established standards in its handling and management of information.
The information governance framework includes several interrelated policies and procedures that contribute to its effectiveness. They include:
⦁ access to employees' data
⦁ applications for access to a deceased service user's care records
⦁ Caldicott principles
⦁ computer systems and internet: acceptable use
⦁ confidentiality of service users' information
⦁ data protection
⦁ internet use: staff
internet use: service users
⦁ IT disposal
⦁ the use of mobile telephones
⦁ quality assurance: monitoring and reviewing the service provision
⦁ record keeping
⦁ sharing information with other providers
⦁ social media.
The care service recognises that information governance requirements have developed from a raft of legislation and statutory guidance, including:
⦁ Data Protection Act 1998
⦁ the Common Law duty of confidentiality as applied, for example, in the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014
⦁ Freedom of Information Act 2000
⦁ Human Rights Act 1998
⦁ the Caldicott Report and Principles (and their application under the Office of the National Data Guardian)
⦁ Health and Social Care Act 2008 (and regulations)
⦁ Health and Social Care Act 2012
⦁ Information Governance Alliance: Records Management Code of Practice for Health and Social Care 2016.
It also acknowledges the importance of complying with Regulation 17: "Good Governance" of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, which requires registered care providers to have effective systems and processes for, among other aspects of administration, keeping records on every service user, maintaining records and striving for continuous improvements to their systems (see regulations 17(c), (d), and (f)).
The care service recognises that it must also comply with the Information Governance Alliance: Records Management Code of Practice for Health and Social Care 2016 (referred to here as the Records Management Code of Practice), if, as an adult social care provider, its care records are integrated and used with service users’ NHS records. This will be the situation of nursing agencies and domiciliary care services with contracts with local Clinical Commissioning Groups, which expect the services they commission to apply the Records Management Code of Practice.
Included in a contract could be a requirement that the care service will achieve the information governance quality standards as set out in the Code of Practice, by regularly completing the Information Governance Toolkit (IGT], an online self-assessment framework that has become standard for NHS bodies and partner organisations to use.
The Information Governance Framework
The information governance framework for this care service covers all records used for or with the care and treatment of its service users, staff records and administrative records likely to contain confidential information. All such records will be handled and kept safely, securely and lawfully to the same standards established by the Records Management Code of Practice regardless of their formats, including written records, forms, photographs, audio-visual, CCTV records, computer and smart device electronic records.
The Component Parts
The care service recognises that it must achieve agreed standards for each aspect of its information governance system, which, following the Records Management Code of Practice, requires attention to the following.
Records system design
Each set of records and record keeping arrangements are designed so that they are always fit for purpose (including using an appropriate format] and can be correctly handled and maintained. All features of the record keeping arrangements are kept under constant review, regularly audited and changed or replaced if they become unfit for purpose and fail to achieve the required standards.
Records handling and use
The care service has put into place effective procedures to ensure that records storage, arrangements for authorised access, information sharing, transfer of records, and quality of recording are all maintained to the required standard as per the respective policies referred to in the Introduction.
Audit, review and retention
All records are regularly audited and reviewed for their current purpose and quality in line with the care service’s auditing schedules. Records that are no longer needed will be stored or archived safely and securely for the retention periods set out in the Records Management Code of Practice (Appendix 3).
At the minimum retention date, records will be appraised to identify if they will be required further, and if not, they will be safely disposed of. Where service users' health and social care records have been integrated (as they might in an NHS owned or commissioned facility or joint health and care community service] the care service will
jasmine care south east
comply with the retention period stated in Appendix 3 of the Records Management Code of Practice.
The care service will safely dispose of all records that have passed their minimum retention period and are no longer needed. The methods of safe disposal will depend on the type of record. Paper records will always be confidentially shredded and records kept of the means and date. Electronic records stored on computers, smartphones or other such devices will be disposed of using approved methods and IT expertise.
The service has designated people for information governance in each of its locations and at organisational level. [The exact arrangements will depend on the organisational structure.] This includes the designation of people to be responsible for the coordination and completion of the IGT self-assessment work.
Where responsibilities are delegated to someone other than the registered manager, the person(s) will be responsible to the registered manager, who will be responsible to the registered provider (or service lead for information governance).
Every person with information governance responsibilities has clearly defined roles for ensuring the safe, secure and lawful use of the records for which they are responsible, for oversight of any or all stages of the lifecycle of the salient records from design to disposal (see above), and for maintaining standards.
Anyone with information governance responsibilities will be suitably inducted and trained to fulfil the requirements of their role and will be required to make regular reports to their line manager so that there is a clearly defined reporting process operating throughout and to the top of the organisation.
Achieving, Maintaining and Improving Information Governance Standards
The care service is committed to ensuring that all personal data that it creates, uses, handles and manages, achieves and maintains the highest standards of information governance possible. It recognises that the current benchmarks are provided by the IGT, which is the responsibility of NHS Digital (formerly the Health and Social Care Information Centre).
The care service might be required by its commissioning authority to make active use of the IGT. Without specific requirements, the care service considers that it is good practice to benchmark their information governance achievements against the ITG and to develop improvement plans from the results.
The care service considers that it will achieve the IGT standards (at level 1/2) by, for example:
jasmine care south east
⦁ having designated staff, who are suitably trained in the role, to be information governance leads for their respective record management duties
⦁ having an information governance management framework based on this policy that covers all aspects of information governance
⦁ ensuring that all care, nursing, non-care staff and contractors supplying goods and services understand how to keep confidential any personal information they receive, and in line with data protection requirements
⦁ ensuring that staff receive suitable training from induction onwards in the care service's policies and procedures for safe handling and using information
⦁ ensuring that all related policies and procedures on record keeping, confidentiality, consent, data protection are always adhered to by all staff, partners and stakeholders
⦁ ensuring that all personal data in any form is kept safe and secure
⦁ stating its commitment to continuously improving its information governance through its improvement plan.
Losses and Breaches of Information Safety and Security
The care service will act quickly to repair and mitigate any damage or harm caused by accidental or deliberate loss of sensitive data or breaches of the established policies and procedures in the handling of the data, especially if the events are harmful or potentially harmful to its service users.
The care service will always investigate thoroughly any loss of information or breaches in the handling of sensitive information and will fully co-operate with other organisations that might be involved in the loss or damage, including police if there is evidence that criminal acts have been committed.
Employees who fail in their duty of care to protect sensitive information will be subject to the service's disciplinary proceedings. If the service receives a complaint about the mishandling or loss of personal data, it will investigate the matter through its complaints procedures, which might also entail working with other organisations with whom the data is shared.
The care service will also take suitable action against any third parties with access to sensitive information, who have not followed the required policies and procedures over confidentiality, etc.
New care staff are trained in the care service's policies and procedures for record keeping, consent and confidentiality, etc as part of their induction training, which follows the Care Certificate Standards framework.
All staff can expect to receive instruction and dedicated training as needed in the service's record keeping policies and procedures.
Staff with specific roles and responsibilities for information governance at any level in the organisation can expect to receive the relevant training to achieve required information governance standards.
Signed: Jolanta Crampton
Policy review date: 05/07/2 018
©2017 Jasmine Care South East Ltd. All rights reserved.