Information Asset Management

Author: Marvin McCoy
Information Asset Management Policy

Document Summary: This policy supports the identification, implementation and management of all information assets within the Trust.

POLICY NUMBER: POL/002/076

DATE RATIFIED: 1 November 2015

DATE IMPLEMENTED: November 2015

NEXT REVIEW DATE: November 2018

ACCOUNTABLE DIRECTOR: Director of Strategy and Support Services

POLICY AUTHOR: Information Asset Management Officer

Important Note: The Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as “uncontrolled” and, as such, may not necessarily contain the latest updates and amendments.

Information Asset Management Policy August 2015

Contents

1. Scope
2. Introduction
3. Statement of Intent
4. Definitions
5. Duties
6. Arrangements/Detail
7. Training
8. Monitoring compliance with this policy
9. References/Bibliography
10. Related Trust Policy/Procedures
11. Appendices

1. Scope

The scope of this document is to outline the Trust’s approach and methodology for Information Asset Management. This policy applies to all staff and services within the Cumbria Partnership NHS Foundation Trust, including private contractors, volunteers and temporary staff, and to those organisations where we provide commissioned services, e.g. the CCG.

2. Introduction

The management of information assets is crucial in achieving a secure information handling and management structure within the organisation. Information is an invaluable resource to Cumbria Partnership NHS Foundation Trust (CPFT): its loss can damage the Trust’s reputation and service delivery, and its misuse can harm both the organisation and individuals. CPFT has a legal obligation to comply with all appropriate legislation in respect of data, information and IT security. It also has a duty to comply with guidance issued by the Department of Health, the Information Commissioner’s Office, the Health and Social Care Information Centre (HSCIC), and other advisory groups and professional bodies that provide guidance to staff. This document should be read in conjunction with all Trust information governance, risk and information security policies, which are available on the intranet.

3. Statement of Intent

The Trust has a commitment to ensure that information assets are managed in accordance with all relevant regulations and guidance. This policy supports the identification, implementation and management of all information assets within the Trust.

4. Definitions

4.1 Information Asset

An information asset can be defined as a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively (for examples see appendix 11.1). The Information Governance Toolkit categorises information assets as:

• Information: databases, system documents and procedures, archive media/data, paper records etc.
• Software: application programs, system software, development tools and utilities.
• Physical: infrastructure, equipment, furniture and accommodation used for data processing.
• Services: computing and communications, heating, lighting, power and air conditioning used for data processing.
• People: their qualifications, skills and experience in the use of information systems.
• Intangibles: for example, public confidence in the organisation’s ability to ensure the Confidentiality, Integrity and Availability of personal data.

An asset can be a single significant document or a set of related data, documents or files; it can be shared or be confined to a specified purpose or organisational unit. It will have recognisable and manageable value, risk, content and lifecycle. The Trust has hundreds of such systems, both electronic and paper, that hold information relating to service users and staff. To assess whether a body of information should be considered an information asset, the questions below should be asked:

• Does the information have a value to the organisation?
• Does the group of information have a specific content?
• Does the information have a manageable lifecycle?
• Is there a risk associated with the information?
• Does the information have a purpose?
• Does the information have a disposal schedule?

4.2 Critical Information Asset

A critical information asset is one which the organisation is reliant on and cannot operate without. The information asset being unavailable for up to 24 hours will disrupt and have an effect on patient care, quality of service and the operations of the organisation. All critical assets must have a Privacy Impact Assessment (PIA), a System Level Security Policy (SLSP) and a business continuity plan in place.

5. Duties

Senior roles within the organisation supporting the Information Asset Management process are held by the organisation’s Senior Information Risk Owner (SIRO), the Caldicott Guardian and the Head of Information Governance; all are supported by the IG Team. For further information on the roles below, see the Information Governance Toolkit.

5.1 Accountable Officer

The Trust’s Accountable Officer is the Chief Executive, who has overall accountability and responsibility for Information Governance. The Accountable Officer is required to provide assurance, through the Statement of Internal Control, that all risks to the organisation, including those relating to information, are effectively managed and mitigated to an acceptable level. The Accountable Officer is required to sign the Statement of Internal Control annually. For further information on the role of the Accountable Officer see requirement 307 of the Information Governance Toolkit.

5.2 The Caldicott Guardian

The Caldicott Guardian ensures CPFT satisfies the highest practical standards for handling patient-identifiable information. Acting as the ‘conscience’ of the organisation, the Caldicott Guardian actively supports work to facilitate and enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information as required. The Caldicott Guardian also has a strategic role, which involves representing and championing confidentiality and information sharing requirements and issues at senior management level and, where appropriate, at a range of levels within the organisation’s overall governance framework. This role is particularly important in relation to the implementation of national systems. The Caldicott Guardian also holds the position of Medical Director and is a member of the Information Governance Board. For further information on the role of the Caldicott Guardian see requirement 200 of the Information Governance Toolkit.

5.3 Senior Information Risk Owner (SIRO)

The SIRO is an executive board member with allocated lead responsibility for the Trust’s information risks and provides a focus for the management of information risk at board level. The SIRO takes ownership of the Trust’s information risk policy, acts as an advocate for information risk on the board and provides written advice to the accounting officer on the content of their statement of internal control in regard to information risk. The SIRO chairs the Information Governance Board. The Information Governance Toolkit defines that every organisation must have a SIRO. For further information on the SIRO role see the Information Governance Toolkit requirement 307. The role of the SIRO is to:

• Be accountable for approving all information assets;
• Foster a culture for protecting and using data;
• Provide a focal point for managing information risk and incidents, and for the resolution and/or discussion of information risk issues;
• Be concerned with the management of all information assets;
• Ensure that all care systems information assets have an assigned Information Asset Owner;
• Ensure the organisation has a plan to achieve and monitor the right Information Governance culture, across the organisation and with its business partners;
• Approve all information asset business continuity plans;
• Document a plan for information security assurance that identifies the support necessary to ensure work related to information security management is appropriately carried out;
• Oversee the development of an Information Risk Policy, and a strategy for implementing the policy within the existing Information Governance Framework;
• Review and agree action in respect of identified information risks.

5.4 Information Asset Owners (IAO)

IAOs must ensure that any information assets they are responsible for are properly protected and that their value to the organisation is fully recognised. IAOs have responsibility for the day-to-day management of the information risk for their asset. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. The IAO provides an understanding of what information they hold, how important it is, how sensitive it is, how accurate it is, how reliant they are on it, and who is responsible for it. The IAO of an information asset should be linked to a post, rather than a named individual, to ensure that responsibilities for the asset are passed on should the individual leave the organisation or change jobs within it. For further information see the Information Governance Toolkit requirement 307. The role of the IAO is to:

• Be directly accountable to the SIRO and provide assurance that information risk is being managed effectively for their assigned information assets;
• Ensure their team and those interacting with the asset understand information security and are confident in their handling of information;
• Lead and foster a culture that values, protects and uses information for the public good;
• Know who has access and why, and ensure that their use of the asset is monitored;
• Understand and address risks to the asset, provide assurance to the SIRO, and ensure any data loss incidents are reported and appropriately managed;
• Ensure any new information assets have a completed Privacy Impact Assessment and are entered on the Information Asset Register;
• Ensure any changes to an information asset are documented on the Information Asset Register and follow the correct change control process;
• Put procedures and controls in place to ensure the integrity and availability of their information assets;
• Put in place a business continuity plan for any key information assets;
• Be aware of what information is held, and of the nature of and justification for information flows to and from the assets for which they are responsible;
• Ensure there is a good understanding of the hardware and software composition of their assigned assets to ensure their continuing operational effectiveness. This includes establishing and maintaining asset records that will help predict when asset configuration changes may be necessary;
• Assign Information Asset Administrators (IAA) to their information assets;
• Review their information assets on an annual basis at a minimum;
• Provide a report on the status of the asset to the IG Board on a yearly basis.

5

5.5 Information Asset Administrators (IAA)

IAAs work with an information asset on a day-to-day basis. They have day-to-day responsibility, ensure that policies and procedures are followed by staff, recognise actual or potential security incidents, and consult their IAO on incident management. The role of the IAA is to:

• Understand and be familiar with information risks in their area or department;
• Implement the organisation’s information risk policy and risk assessment process for those information assets they support, and provide assurance reports to the relevant Information Asset Owner as necessary;
• Ensure the data quality of their information asset and report areas of concern to the IAO;
• Ensure that personal information is not unlawfully exploited, under the direction of the IAO;
• Recognise potential or actual security incidents and consult the IAO;
• Under the direction of their IAO, ensure that information is securely destroyed when there is no further requirement for it;
• Ensure compliance with data sharing agreements within the local area;
• Ensure that local information handling constraints (e.g. limits on who can have access to the assets) are applied, referring any difficulties to the relevant IAO;
• Report to the relevant IAO on the current state of local information handling.

5.6 Information Governance Lead

The Information Governance (IG) Lead is the Head of Information Governance. The Head of Information Governance is responsible for ensuring the organisation meets its statutory and corporate responsibilities and engenders trust from the public in the management of their personal information. The Head of Information Governance is the designated Data Protection Officer and Data Privacy Officer and is accountable for ensuring effective management, accountability, compliance and assurance for all aspects of IG. The key tasks include:

• Responsibility for delivering a high quality specialist Information Governance service to the Trust and its customers (i.e. Cumbria Clinical Commissioning Group);
• Providing strategic direction, planning and guidance to ensure compliance with information governance legislation and the national agenda;
• Ensuring work practices are evaluated and supported through the development of appropriate policy and procedures across the organisation;
• Acting as Data Controller for the Trust.


5.7 Information Governance Team

The Information Governance team are responsible for providing support and guidance to staff with regard to the management of their information assets. The IG team will:

• Promote information asset awareness throughout the Trust by organising training and awareness campaigns and providing written procedures/guidance that are widely disseminated and available to staff;
• Assist with investigations into breaches of confidentiality or loss of personal and sensitive information;
• Co-ordinate the notification of such breaches to the Information Commissioner’s Office (ICO) and our commissioners;
• Develop and maintain the Information Asset Register, working with Information Asset Owners;
• Work with the IAO to help mitigate risks to their information assets.

5.8 Registration Authority

The Registration Authority (RA) team are responsible for the registration process by which users of Smartcard-enabled IT applications are authenticated (proven to be who they say they are beyond reasonable doubt) and authorised (enabled to have particular levels of access to particular patient data). The Registration Authority is the governance framework within which the Trust can register individuals as users to access the NHS Smartcard-enabled system(s), maintaining the confidentiality and security of patient information at all times. The RA’s common and rigorous approach to how users are registered and given access to the national services, and other services, is an integral part of protecting the confidentiality and security of every patient’s personal and health care details.

5.9 Applications

The Applications team are responsible for the implementation and, to some extent, the administration of all applications. The Applications team will be consulted to check that the details within the accreditation documents are accurate, within the scope of their expertise.

5.10 All Trust Employees

All Trust employees and anyone else working for the organisation (e.g. agency staff, honorary contracts, management consultants etc.) who use and have access to Trust information and/or ICT systems must understand their personal responsibilities for information asset management. All staff must comply with Trust policies and are responsible for information security and the correct use of the information asset. Staff must be aware that confidentiality and security of information includes all information relating to patients, service users, carers and employees. Such information may relate to staff or patient/client records, electronic databases or methods of communication containing personal identifiable information. Staff will be expected to:

• Adhere to the Data Protection Act Policy and any associated procedure and/or guidelines;
• Attend all mandatory training and awareness programmes;
• Ensure that all personal identifiable information is accurate, relevant, up-to-date and used appropriately on both electronic and manual records and devices;
• Share information on a ‘need to know’ basis only;
• Ensure that all personal identifiable information is kept safe and secure at all times;
• Report any incidents and/or events that could have an impact on the information asset.

6. Arrangements/Detail

6.1 General

The Information Asset Management Process is managed by the Information Governance Team within the Trust. In order to give assurance that an asset is not going to be a major risk for the Trust, a process of accreditation has been developed in line with national requirements, so that assurance can be given that the Trust is ensuring the highest level of security and mitigating risk as far as is possible. For information on how this fits into the strategic direction of the IG department, see 5.1 of the Information Governance Strategic Management Framework.

6.1.1 Information Asset Register

An Information Asset Register (IAR) is a mechanism for understanding and managing an organisation’s assets and the risks to them, including the links between the information assets, their business requirements and technical dependencies. The Trust uses the Alloy system to record assets. The purpose of the Information Asset Register is to obtain information about the information assets within the Trust: what their purpose is, where they are, what type of information is stored and who has access to them. It is a requirement of the Information Governance Toolkit that a record of all information assets that the Trust holds, together with details of the Information Asset Owner and Administrator, is held within an Information Asset Register.

6.1.2 Removing Assets from the Register

An information asset may be superseded by other work, or have come to the end of its lifecycle. The IAO will need to determine whether the information asset still needs to be kept and, if so, will need to update the IAR. Alternatively, it could be removed from the IAR because there is no longer a business need for it or it has been destroyed. IAOs need to ensure they gain the appropriate authority before any assets are removed. For assets that are archived, the IAO remains in place and retains responsibility for that asset.

6.1.3 Accredited for Use

The process detailed in 6.2 is vital in achieving the strategic aim of the Trust of ensuring data is secure and safe. Once the process is followed, all information is analysed and assessed for risks that need to be brought to the attention of the Senior Information Risk Owner (SIRO). The SIRO is presented with the information at the IG Board, assesses it and signs the information asset off as ‘accredited for use’.

6.1.4 Risk Management

IAOs should familiarise themselves with the risk management practices of their organisation, specifically how to identify, understand, manage, report and record risks. Understanding your organisation’s risk appetite is also important, as it will help you to align any risk-based decisions you make regarding assets for which you are responsible with the wider organisational approach. An IAO’s role is a key element in an organisation’s efforts to manage information risk. SIROs will look to IAOs for the day-to-day management of information risk and to highlight systemic risks which the organisation may need to address. The IG department follows the Trust’s scoring rationale. For your purposes, risk appetite can be defined as a threshold, set by your organisation, relating to the level of risk it considers acceptable and which should not be exceeded unless approved by your SIRO.

6.1.5 Change Control

Any major changes to information assets must be agreed by the Change Advisory Board (CAB); this includes new and/or replacement software, system updates and installations, removal or archiving of an information asset, and the creation of a new information asset. Any new projects will be managed through the Programme Management Office (PMO) methodology. A Privacy Impact Assessment (PIA) should be carried out whenever a new process or information asset is likely to involve a new use of personal data or significantly change the way in which personal data is handled. A change control form must be completed and submitted to the CAB.


All installations or updates must be communicated to the IT, Networks, Applications and Information Governance team and carried out by the appropriate team.

6.2 Information Asset Management Stages

There are 8 stages in the process:

1. Identification of Asset
2. Identification of IAO/IAA
3. IG Assessment
4. SLSP
5. Business Continuity
6. Data Mapping
7. Information Sharing Agreement
8. Review/Audit

6.2.1 Identification of Asset – Stage 1

The first stage in the process is the identification of the assets and the need for them to be accredited for use. The IG team will register the assets in Alloy, the current register for all Trust assets. Identification of information assets, and moving forward as a Trust with the accreditation process, will continue to help reduce the risks within the Trust and provide a mechanism for effectively identifying, mitigating and managing risks in relation to identified information assets.

6.2.2 IAO/IAA Identification – Stage 2

When an asset needs a review of its accreditation, or a new asset is to be accredited, the Information Governance Team will assign a lead to help with the process. The first step is to establish responsibility: assigning an Information Asset Owner and an Information Asset Administrator is essential. The IAO and IAA roles are defined in sections 5.4 and 5.5.

6.2.3 IG Assessment – Stage 3

6.2.3.1 Privacy Impact Assessment

The Privacy Impact Assessment is a form of risk assessment required for new systems, or changes to systems, dealing with personal identifiable/sensitive data. A PIA is mandatory for all information assets or project processes that involve personal data, but the level of PIA can be proportionate. Please see the IG Assessment Policy, which includes a section on Privacy Impact Assessments.

6.2.3.2 Patient Safety Assessment

A form of risk assessment required for assets dealing with patient information. IAOs/IAAs are required to consider and answer a set of questions to ensure the asset is not a risk to the safety of patients or to the data we hold and/or process about them. A Patient Safety Assessment is only for clinical systems that hold patient information.

6.2.3.3 Contractor Requirements

It is essential to ensure that, when an asset is accredited for use, the correct checks are carried out on any contractors to reduce the risk to the Trust, by ensuring the contractor is fit for purpose and can meet statutory and regulatory standards. The IG team will work to ensure the contractors meet the required IG standards (i.e. IG Toolkit requirement 110). The checks are:

• ICO register of data controllers;
• Information Governance Toolkit (requirement 110) for compliance with policy and standards;
• Companies House for company details.

See section 5.4 of the IG Framework and the IG Standards in Relation to Third Party Suppliers and Contractors for more information.

6.2.4 System Level Security Policy – Stage 4

In order to further reduce and/or be able to manage risk within the accreditation process, a System Level Security Policy (SLSP) is completed to ensure that all aspects of security are considered. The SLSP template can be requested from the Information Governance Team via email: [email protected]

A risk assessment is also carried out, linked to the information recorded in the SLSP: each aspect of security is considered and, if issues arise, they are recorded as part of the risk assessment. All are presented to the SIRO to ensure the risks are acceptable risks for the Trust.

6.2.5 Business Continuity – Stage 5

Each IAO is required to provide a Business Continuity Plan, which helps the accreditation process to mitigate risks within the Trust. We can be confident that a service has thought about service provision if a system becomes unavailable. Business continuity is a core component of corporate risk management and emergency planning. Its purpose is to counteract or minimise interruptions to an organisation’s business activities from the effects of major failures or disruption to its information assets (e.g. data, data processing facilities and communications). Approved Business Continuity Plans must be in place for all critical information assets, and all staff must be aware of their roles and responsibilities.


Information Asset Owners must implement approved procedures and controls for their information assets and effectively inform all relevant staff. Business continuity plans, and system-specific procedures and control measures, are regularly reviewed and, where necessary, tested to assess their ability to meet their business objectives. All business continuity plans are to be completed by the IAO and signed off for approval by the SIRO.

6.2.6 Data Mapping – Stage 6

The IG Team are responsible for ensuring that all transfers of hard copy and digital person identifiable and sensitive information have been identified, data mapped and risk assessed. It is a legal responsibility of an organisation to ensure that transfers of personal information for which it is responsible (as Data Controller) are secure at all stages; as an outcome of this process, technical and organisational measures can be put in place to secure these transfers.

6.2.7 Information Sharing Agreements – Stage 7

The information sharing gateway provides a tool for IG professionals to work electronically, with the ability to register recipient organisations, and provides a level of assurance against their compliance (i.e. IG Toolkit, PSN etc.). It also signs the organisations up to a common information sharing agreement framework. The solution then allows data mapping to take place, capturing the frequency of data transfer and why, when and how it is being transferred. This enables a risk assessment rating so that, as Data Controller, we can confirm that flows are lawfully and fairly processed. The information sharing gateway provides details on where flows of data are coming from (i.e. which information asset) and complements the work being done on information asset management. Any information sharing agreements in place should be signed and logged on the portal.

6.2.8 Review/Audit – Stage 8

The IG team will undertake yearly reviews of assets. The critical assets will be a priority.


The IG team will conduct regular audits and spot checks on the Trust’s assets to ensure compliance. The IG team use the ICO Guide to Data Protection Audits as a guide. The focus of the audit approach will be to determine whether the organisation’s policies and procedures are being followed operationally by staff, in order to reinforce and educate, to regulate the processing of personal data, and to ensure that processing is carried out in accordance with such policies and procedures. When an organisation complies with its requirements, it is effectively identifying and controlling risks to prevent breaching the DPA. An audit will typically assess the organisation’s procedures, systems, records and activities in order to:

• ensure the appropriate policies and procedures are in place;
• verify that those policies and procedures are being followed;
• test the adequacy of the controls in place;
• detect breaches or potential breaches of compliance; and
• recommend any indicated changes in control, policy and procedure.

7. Training

Information Governance training is mandatory (set by the DoH) for all staff on induction and on a yearly basis. The Information Governance Team will work with the Learning Network team and managers to ensure that appropriate additional training is available to support staff. The Information Governance team will work with the Senior Information Risk Owner, Information Asset Owners and other appropriate managers and teams to maintain continued awareness of confidentiality and security issues for both the organisation and staff through staff emails, newsletters, the intranet etc.

SIRO, IAO and IAA Training

Information Asset training is compulsory for the SIRO, Information Asset Owners and Information Asset Administrators and is to be completed every three years. The training for the SIRO, IAO and IAA will be more in depth and relevant to their role; IG will be required to undertake a separate training needs analysis, in line with IG Toolkit standards. The SIRO, IAOs and IAAs should complete NHS Information Risk Management and Secure Transfer of Personal Data training on a three-year basis. The Risk Management training will assist staff whose roles involve responsibility for the confidentiality, security and availability of information assets. The Secure Transfer of Personal Data training will train staff on how to protect sensitive data from unauthorised access and accidental loss, damage or destruction during transfer, and how to dispose of sensitive data when it is no longer needed. The IAOs will also receive the National Archives Information Asset Owner handbook.

8. Monitoring compliance with this policy

The table below outlines the Trust’s monitoring arrangements for this policy/document. The Trust reserves the right to commission additional work or change the monitoring arrangements to meet organisational needs. For each aspect of compliance or effectiveness being monitored, the table records the monitoring method, the individual responsible for the monitoring, the frequency of the monitoring activity, the group/committee which will receive the findings/monitoring report, and the group/committee/individual responsible for ensuring that the actions are completed.

Aspect monitored: Initial review of all information assets and annual review of information assets following the introduction of the new system.
Monitoring method: Quarterly report.
Individual responsible for the monitoring: Information Asset Officer.
Frequency: Quarterly.
Group/committee receiving the findings: IG Board.
Responsible for ensuring actions are completed: Senior Information Risk Owner (SIRO).

Aspect monitored: Quality check on assets to comply with policy.
Monitoring method: Audit methodology.
Individual responsible for the monitoring: IG Performance Manager.
Frequency: Annually.
Group/committee receiving the findings: Performance Group.
Responsible for ensuring actions are completed: Head of IG.

Aspect monitored: Information Governance training; SIRO and IAO training.
Monitoring method: Training will be monitored in line with the Learning and Development Policy. Training will be the HSCIC Information Governance Training Tool modules: NHS Information Risk Management for SIROs and IAOs, NHS Information Risk Management, and Secure Transfers of Personal Data. IAOs will also be trained using the National Archives Information Asset Owner handbook.


9. References/Bibliography

• The NHS Information Governance Toolkit
• Data Protection Act 1998
• Freedom of Information Act 2000
• Access to Health Records Act 1990
• Human Rights Act 1998
• Information Security Management – ISO 27001
• The Common Law Duty of Confidentiality
• The Caldicott Principles
• Records Management: NHS Code of Practice
• Information Security Management: NHS Code of Practice
• Confidentiality: NHS Code of Practice

10. Related Trust Policy/Procedures

1. Information Governance Strategic Management Framework
2. Information Governance Standards in Relation to Third Party Suppliers and Contractors
3. Information Risk Policy
4. IG Assessment Policy

For all related IG policies see the IG section on the policy page.

11. Appendices

11.1 Appendix 1

Information Asset: an information-holding asset, e.g. clinical system, S drive folder.

Asset: non-information-holding, but has a functional value, e.g. IT infrastructure, mobile devices.

Project Process: a system of work or a project that requires an assessment of IG implications but is not in the above two categories, e.g. an operational request for a contractor.
