Information Governance Policy Framework
1.1 This document sets out the Imperial College London Information Governance Policy Framework. It lists the policies, codes of practice and guidelines that constitute the Framework, describes the governance arrangements that support them, and sets out the commitment to training and awareness needed to promote these documents across the staff and student communities.
1.2 It pulls together all of the requirements for information governance so that all College information is processed legally, securely, efficiently and effectively. Information plays a key part in the corporate governance of the College: the quality of its services, planning, performance measurement, assurance and financial management relies upon accurate and available information. Robust information governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. This Framework addresses the requirements, standards and best practice that apply to the handling of information. It encompasses efficient ways of handling records and information, risk management and compliance.
1.3 Information governance is a key responsibility of every member of staff, every student and every third party at Imperial. Everyone has a part to play in implementing and embedding our policies and codes of conduct into everyday working practices at the College.
1.4 This framework helps the College deliver:
- Our legal (legislation and common law), regulatory and contractual requirements
- Robust corporate governance
- High quality service delivery
- Value for money and protection of public funds
- Appropriate business continuity requirements
- Continuous improvement in the way we handle, utilise and protect our information
1.5 The College holds and processes huge volumes of standard and sensitive data (as defined in the framework) that is necessary for service provision, commercial engagement, research and the safeguarding of everyone across the College estate.
2.1 The scope of information governance, taken at its widest, includes the management of information in all locations and in all media. It includes:
- Corporate records such as finance, HR and legal
- Student records such as fees and course details
- Research across all departments
- Structured information (e.g. databases) and unstructured information (e.g. paper and electronic documents)
- Internet, intranet and e-mail communications and information
- Transient documents, work in progress and telephone notes
- Information shared with third parties
- Blogs, wikis and discussion threads in social media
- Vital records essential for the continuation of College business and long-term records that must be preserved through many generations
2.2 The framework applies to:
- All staff and students
- All third parties engaged with the College
- All information used by the organisation
- All information systems managed or used by Imperial
- Any individual using information ‘owned’ by the College
The framework is split into two parts – an overarching Information Governance strategy and the Information Governance roles and responsibilities, policies and training.
3. INFORMATION GOVERNANCE STRATEGY
3.1 Purpose of the Strategy
3.1.1 This strategy recognises the high standards expected of the College, as well as the ongoing task of maintaining appropriate standards of security so that a security culture is fully embedded throughout the College.
3.1.2 The aim of this strategy is for Imperial College to meet its information management and security responsibilities so that customers, businesses, partners and suppliers have the confidence that information is handled and stored with due regard to its value and risk. Individuals must understand the importance of using it correctly, sharing it lawfully and protecting it from improper use.
3.2 Statement of intent
The intention of this strategy is to enable Imperial College London to meet its legal and ethical obligations in terms of:
• The use and security of personal identifiable information
• Appropriate disclosure of information when required
• Regulatory frameworks for the management of information
• Professional codes of conduct for consent to the recording, sharing and uses of information
• Operating procedures and codes of practice adopted by the College
• Information exchanged with third parties
3.3 Strategic objectives
These are the overarching Information Governance objectives of Imperial College London. We want:
• The Information Governance Framework to act as an enabler to College strategies and business transformation programmes, with Information Assurance practices embedded within the design and implementation of those strategies and programmes
• The infrastructure and processes for service delivery to provide the right information to the right people at the right time for the right purpose and promote the provision of high quality services by promoting the ethical, legal, effective and appropriate use of information
• To provide innovative solutions to Information Governance issues with a view to transforming business processes
• To promote information governance, ensuring that it is embedded throughout the organisation, and to direct organisation-wide cultural change so that information is regarded as a key asset
• To build into staff competencies and job descriptions specific requirements around the governance of information
• To encourage staff to work closely together, preventing duplication of effort and enabling more efficient use of resources.
• To work to achieve required standards to comply with legislative, regulatory and contractual obligations and relevant policies
• To identify and support effective practice in the management of information across all business areas, including preventing duplication of effort and enabling efficient use of resources
• To identify and manage information assets corporately and introduce an information risk management regime that balances risks with opportunities
• To implement and operate proportionate controls that apply best practice standards to protect information assets and give confidence to all interested parties
• To provide adequate training and awareness to all staff and key partners and embed a culture of care and responsibility in handling of all information throughout the College.
3.4.1 Information Governance and Assurance is integrated into all aspects of College operations. In delivering information governance services, four key elements of College operations will be considered:
3.4.2 All information governance, improvement and assurance activities will consider how these factors need to operate in combination to achieve our strategic objectives.
3.4.3 The delivery of our information governance strategic objectives will be through a range of business projects and a dedicated Information Governance Improvement Programme. The Improvement Programme will define each information governance project, and these will be implemented and monitored in accordance with the stated governance arrangements and the approach detailed within the Information Governance Policy.
3.5 Business Benefits
The following benefits do not constitute an exhaustive list, but they provide an overview of the main benefits that should be derived through the delivery of this strategy:
• Consistent and effective management of information across the College
• Increased understanding of, and compliance with, relevant legislation
• Reduced number of information security incidents
• Reduced staff time and effort
• Improved data quality
• Clear responsibilities in relation to Information Governance and Assurance
• Effective management of information risks
• Greater confidence that information risks are effectively managed
• Better management of research data, with protection of intellectual property
Achieving maturity towards the strategic objectives will enable the College to generate greater trust in its information systems and processes. The success of this strategy will be determined by improvement in maturity as measured using the criteria contained within the NHS Information Governance Toolkit and the Information Assurance Maturity Model – and the business benefits this brings.
3.6 Strategy governance
The College Secretary and Registrar (who is also the Senior Information Risk Owner, SIRO) is responsible for this strategy, and the Information Governance Steering Group is responsible for monitoring and reporting progress on the improvement programme throughout the year.
The Information Governance Strategy will be implemented through the agreed policies, improvement programme and through wider agreed business change projects.
Annually, the Information Governance Steering Group will agree the Improvement Programme for the coming year, based on agreed priorities and available resources. The SIRO will annually ratify the improvement programme agreed by IGSG.
4. INFORMATION GOVERNANCE POLICY
4.1.1 This Policy will act as a single reference point for the principles and practices that will govern information management. This will mean that College information is:
• Fit for purpose
• Legally admissible as appropriate
4.1.2 The development and implementation of this Policy should mean:
• That the College has the necessary resources and expertise to create, publish, share, store and retrieve information to maintain and support its business processes
• That information is governed by the appropriate standards, rules and guidelines
• That the College has the appropriate knowledge and management information to support effective decision making
• That information is used to support the most effective ways of working, to leverage efficiencies and to reduce cost and risk
• That the College can respond to new initiatives
• That information systems and information technologies are used to realise their maximum value to the operation of the College.
4.2 Key Roles and Responsibilities
4.2.1 College Secretary & Senior Information Risk Owner (SIRO)
The College’s Accountable Officer is the College Secretary & Registrar, who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks are handled in a similar manner to other risks, such as financial, legal and reputational risks. The SIRO has overall responsibility for disseminating policy and awareness to all who need to know.
4.2.2 Chief Information Officer
The Chief Information Officer (CIO) provides a critical interface between the business and ICT. The CIO, with the operational support of ICT, works to align ICT capability with the overarching College strategy.
4.2.3 Heads of Department
Heads of Department are responsible for considering the IG implications across their department and when working with partners.
4.2.4 Trust Caldicott Guardian
The Caldicott Guardian is the senior person responsible for protecting the confidentiality of patients whose data might be used for research purposes. The Caldicott Guardian acts as the conscience of an organisation and carries out an advisory role. They are the focal point for patient confidentiality and responsible for overseeing completion of the Information Governance Toolkit.
The Caldicott Guardian for Imperial College Healthcare NHS Trust is Sanjay Gautama. He plays a key role in ensuring that the College abides by the highest standards for handling patient data and adheres to the Caldicott principles.
4.2.5 Information Asset Owners (IAO)
IAOs are senior/responsible individuals working in a relevant business area. Their role is to understand what information is held within their business area, what is added and what is removed, how information is moved, who has access and why. As a result they are able to understand and address risks to the information, ensure that information is used within the law for the public good, and provide written input to the SIRO annually on the security and use of their assets.
An IAO will be responsible for an information asset in terms of:
• Identifying risks associated with the information asset
• Managing and operating the asset in compliance with policies and standards; and
• Ensuring controls implemented manage all risks appropriately.
4.2.6 Information Asset Administrators (IAA)
IAAs work on a day-to-day basis with the information contained in an information asset. They have day-to-day responsibility for the asset, make sure that policies and procedures are applied and adhered to by staff, and are able to recognise actual or potential security incidents. They are responsible for reporting such incidents to their IAO and consulting the IAO on incident management. The role is flexible and will usually be performed in addition to existing duties.
4.2.7 Compliance and Information Governance Manager (CIGM)
The CIGM is responsible for ensuring the organisation meets its statutory and corporate responsibilities and engenders trust from the staff and student communities in the management of all data. They are responsible for ensuring effective management, accountability, compliance and assurance for all aspects of IG. The key tasks include:
• Responsibility for delivering a high quality IG service to the College
• To provide strategic direction, planning and guidance to evidence compliance with information governance legislation and the national agenda
• Evaluate working practices and provide support through the development of appropriate policy and procedures across the organisation
4.2.8 Information Governance Steering Group (IGSG)
IGSG will oversee this information governance policy framework and the policies within it, as well as the Information Governance Improvement Programme. The group comprises the following:
John Neilson, College Secretary and Registrar (JN) [Chair]
David Ashton, Academic Registrar (DA)
Alan Boobis, Professor Department of Medicine (AB)
Nigel Buck, Faculty Operating Officer (Medicine) (NB)
Lynne Cox, Director of the Research Office (LC)
Malcolm Edwards, Director of Strategic Planning (ME)
Paul Elliot, Chair in Epidemiology and Public Health Medicine (PE)
Jon Hancock, Head of Central Secretariat (JH)
Desmond Johnston, Clinical Consul for the Faculty of Medicine (DJ)
Okan Kibaroglu, Head of Governance (OK)
Mike Russell, Chief Information Officer (ICT) (MR)
Josephine Sutcliffe, Senior IP Executive, Research Office (JS)
Jon Tucker, Faculty Operating Officer (Business School) (JT)
4.2.9 Information Security Steering Group (ISSG)
This group is responsible for keeping the College Information Security and Data Protection Policies and Codes of Practice under review, with a view to striking a balance between access to and security of information held in the College whilst ensuring compliance with current legislation, and for formulating such additional policies, codes of practice and guidelines as may be required to meet future changes in the legislation.
ISSG is also required to review the implementation of, and compliance with, the current College Information Security Policies and Codes of Practice in light of the annual reports received from Departments, Divisions and Centres and any reported breaches of information security.
The group also needs to consider the information security implications of any proposed changes to the College's Information Strategy, or of the introduction of new technology.
4.2.10 All College Staff and Students
All College staff, students and academics as well as anyone else working for the organisation (agency staff, honorary contracts, management consultants etc.) who use and have access to College information must understand their personal responsibilities for Information Governance and comply with UK law. All staff must comply with College policies, procedures and guidance and attend relevant education and training events in relation to IG.
4.3 Policy Development
4.3.1 The Information Governance Steering Group approves all information governance policies. All policies are made available to staff via the internet and are communicated via regular updates to staff.
4.3.2 Existing policies are updated and new policies introduced in line with requirements, with policies reviewed on an annual basis. These policies must be read in conjunction with staff employment contracts or student regulations as appropriate.
4.3.3 Policies outline scope and intent and provide staff, students and academics with a robust IG framework whilst setting out their responsibilities. The College is committed to ensuring that all staff and those working with it are familiar with the organisation’s objectives and what is expected in order for these to be achieved. Policies and procedures are one of the key means the College uses to communicate these expectations with staff and students.
4.4 Policy Framework
The Information Governance Policy Framework is divided into policies and codes of practice.
Type of document | Reference | Title
Policy | IS_0 | Information Security Policy
Policy | DP_0 | Data Protection Policy
Code of Practice | DP_C01 | Handling Personal Data
Code of Practice | IS_C01 | Information Security Risk Assessment
Code of Practice | IS_C02 | Connecting to College Network
Code of Practice | IS_C03 | Electronic Messaging
Code of Practice | IS_C04 | Inspection of Electronic Communications and Data
Code of Practice | IS_C05 | Passwords
4.5 Policies at a glance
4.5.1 Information Security Policy
Information Security and its management covers all aspects of information, whether spoken, written, printed, electronic or any other medium, regardless of whether it is being created, viewed, transported, stored or destroyed. This is contrasted with IT security, which is concerned with security of information within the boundaries of the technical domain, usually in a custodial capacity.
Imperial College London is committed to achieving six key outcomes in terms of information security:
• Strategic alignment: aligning information security management to the College’s strategy and in support of its organisational objectives
• Risk Management: executing appropriate measures to mitigate risk and reduce potential impacts on information resources to an acceptable level
• Value delivery: maximising investment in information security in support of the College’s business objectives
• Resource optimisation: using information security knowledge and infrastructure efficiently and effectively.
• Performance measurement: monitoring and reporting on information security processes to determine whether objectives have been achieved
• Integration: integrating all relevant assurance factors so that processes operate as intended from end to end.
Information security is clearly a key consideration in terms of delivering any new project or capability within the College, as well as the more day-to-day protection of sensitive data. It is important with any initiative that colleagues across the three related areas of ICT, the Data Protection function within Legal Services and the Archives and Corporate Records Unit are engaged (where appropriate) at the earliest opportunity.
The Policy sits above codes of practice and guidelines – these should be considered as a cohesive policy set. It links to the Data Protection Policy and Retention Schedule (incorporating the Records Management Policy Statement).
The policy defines responsibilities for everyone in - and working with – the College. It discusses the College’s information asset register and information security risk assessments – a key mechanism for managing all information across the organisation. It discusses the obligation on all staff and students to report information security incidents, and the obligation on the College to provide training to, amongst other things, prevent such incidents occurring. It discusses the category of sensitive data (which includes personal and commercial data). It also contains the acceptable use requirements of College ICT systems, including discussion on using own devices, and the need for secure disposal of information assets at the end of their lifecycle.
4.5.2 Data Protection Policy
This Policy discusses the College's obligations regarding the personal data held and accessed by staff and students. It uses the definition of personal data in the Data Protection Act 1998, and discusses security, retention and access. It outlines specific responsibilities for key stakeholders, and discusses the particular issues around patient data.
4.6 Codes of Practice
4.6.1 Handling Personal Data
This Code of Practice discusses the College’s Data Protection Notification, including the obligation for people to notify the Data Protection Officer of any processing they undertake over and above our registration with the Information Commissioner’s Office. It discusses collection and processing of personal data, and includes a checklist for recording and retaining data.
4.6.2 Inspection of Electronic Communications and Data
This discusses the College's approach to monitoring electronic communications and the inspection of electronic communications against a changing legal framework. It discusses the need for any such activity to have appropriate authorisation, though it will require updating once the Investigatory Powers (IP) Bill has received Royal Assent later in the summer.
4.6.3 Passwords
This document instructs staff to select a strong password and outlines the need to protect and change passwords.
4.7 Codes of Practice
4.7.1 Information Security Risk Assessment
This document gives guidance on the Information Security Risk Assessment, a tool to review the security of information assets, and raise awareness of risk management with all staff across the College. Information Asset Owners need to undertake these assessments when the information asset is created and on an annual basis thereafter. The document also outlines the structure of the information asset register.
4.7.2 Information Asset Register Template
This sets out the IAR structure and what information is required to complete the record for each information asset.
4.7.3 Connecting to College Network
The code of practice sets out the requirements for connecting to the College network, and the College's right to disconnect devices that disrupt its smooth operation.
4.7.4 Electronic Messaging
This code of practice discusses communications within and outside the College. Principally the focus is on email, but the document also covers Skype and Yammer. It identifies security requirements and the need for encryption where appropriate, provides advice on archiving and retention, and discusses when it is appropriate to forward emails.
4.8 Training and Development
4.8.1 Information Governance training and development is essential for the development and improvement of staff knowledge and skills relating to Information Governance across the College.
4.8.2 IG training must extend beyond basic confidentiality and security awareness in order to develop and follow best practice. Staff must understand the value of information and their responsibility for it, which includes data quality, information security, records management, confidentiality and so on.
4.8.3 Information Governance training should be a mandatory requirement for all staff and students. The College uses the following methods to deliver information governance training:
• E-Learning through Blackboard
• BeSecure awareness campaign
• Code of Conduct and Student Regulations
• Records Management taught courses
• Records Management e-Learning course
• Freedom of Information and Data Protection e-Learning course
5. MONITORING COMPLIANCE WITH THIS FRAMEWORK
The Framework and each individual policy outline the College's approach to monitoring. IGSG retains overall responsibility for monitoring and reviewing each policy. Internal Audit is expected to validate the policies and compliance with them through its programme of work.