Information Governance for Registration Authorities

Post on 19-Jun-2015


Registration Authority and the IG Toolkit

More than just 303 and 304

Alex Beisser, IG and RA Manager

Some questions

• How many of you have heard about the IG Toolkit (IGT)?
• Have you been asked to provide evidence for the IGT?
• Were you questioned about the evidence that you provided?
• What level of compliance have you achieved in the RA Standards?

Introduction to IGT

• A best practice framework around confidentiality and data protection, based on the ISO 27001/2 model, for the NHS and its partners
• Now in its 10th version
• 24 different sets of standards for organisations
• 45 standards for an acute organisation, split into:
  Information Governance Management – 5 Standards
  Confidentiality and Data Protection Assurance – 9 Standards
  Information Security Assurance – 15 Standards
  Clinical Information Assurance – 5 Standards
  Secondary Use Assurance – 8 Standards
  Corporate Information Assurance – 3 Standards

Not all the same

• Pharmacies – IGT 10-304
• General Practice – IGT 10-304
• Prison Health – IGT 10-304 and 10-305
• Lucky you...

Other providers

• What standards are affected for:
  Acute Trusts
  Mental Health Trusts
  Community Health Trusts
  Any Qualified Provider – Clinical Services
  Commissioning Organisations
  Ambulance Service

Have a look

• IGT 10-101
• IGT 10-105
• IGT 10-110
• IGT 10-111
• IGT 10-112
• IGT 10-200
• IGT 10-206
• IGT 10-300
• IGT 10-301
• IGT 10-302
• IGT 10-303
• IGT 10-304
• IGT 10-305
• IGT 10-308
• IGT 10-309
• IGT 10-400
• IGT 10-601

17 Standards affected

The details

101: There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda.

Required evidence:

• RA Manager or representative should sit on the IG Steering Committee or Group (ToR)

The details

105: There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans.

Required evidence:

• Up-to-date and reviewed RA policy and accompanying procedures (i.e. UIM, ESR, IIM)

The details

110: Formal contractual arrangements that include compliance with information governance requirements are in place with all contractors and support organisations.

Required evidence:

• Service Level Agreements if you provide RA services to other organisations

The details

111: Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation.

Required evidence:

• Employment contracts and Job Descriptions for RA Staff
• CRB and staff vetting procedures (recent changes) and recording of them in ESR (eGIF flag)
• Identifying smartcard use within Job Descriptions

The details

112: Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained.

Required evidence:

• Is RA mentioned in your IG Training?
• End user smartcard usage training

The details

200: The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs.

Required evidence:

• Have your RA staff been trained appropriately?
• RA Staff’s Job Description
• RA procedures and guidance material

The details

206: There are appropriate confidentiality audit procedures to monitor access to confidential personal information.

Required evidence:

• RA access control audits

The details

300: The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs.

Required evidence:

• Does the RA Manager have the required knowledge and expertise to run and manage RA?
• RA Manager’s Job Description
• RA staff are key to the organisation’s IG agenda
• Is the RA function represented in the IG Steering Group?

The details

301: A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed.

Required evidence:

• Risk Assessment of RA function (including software, hardware and staff)

The details

302: There are documented information security incident / event reporting and management procedures that are accessible to all staff.

Required evidence:

• Reported smartcard incidents (sharing cards, loss, theft, misuse etc.)
• Procedure for dealing with RA breaches
• Incident Policy should refer to RA function
• RA audit logs

The details

303: There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority.

Required evidence:

• Your RA framework

The details

304: Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use.

Required evidence:

• RA Monitoring plan (how will you do it?)
• Responsible officer (who will do it?)
• Procedure for dealing with smartcard breaches (links to 302)
• Improvement and action plan
• Improvement and action plan has been audited (spot checks)

The details

305: Operating and application information systems (under the organisation’s control) support appropriate access control functionality, and documented and managed access rights are in place for all users of these systems.

Required evidence:

• PBAC access control documentation (incl. reviews undertaken in 2012/13)
• UIM / IIM Procedures
• Smartcard request procedures
• RA Structure (Sponsors): “... ensured that there are approved access controls in place for each key information asset under their control”
• Samples of access requests

The details

308: All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers.

Required evidence:

• Service Level Agreements if you provide RA services to other organisations (links to 110)

The details

309: Business Continuity Plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place.

Required evidence:

• RA Business Continuity Plan

The details

400: The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience.

Required evidence:

• Are your access levels appropriate for staff accessing clinical systems (RiO, EMIS web, Cerner, SCR, etc.)?
• Can the staff do their day job without a smartcard?
• Gateway documents for RiO R1.1

The last one

601: Documented and implemented procedures are in place for the effective management of corporate records.

Required evidence:

• Old RA forms (including from predecessor organisations)
• RA request forms, emails, notes etc.

If you don’t have enough...

604: As part of the information lifecycle management strategy, an audit of corporate records has been undertaken.

Required evidence:

• Audit of RA forms and requests

Are you happy, worried or confused?

• Organisational structures change all the time
• I have been through all this twice and will soon go through it for a third time
• https://nww.igt.connectingforhealth.nhs.uk/