Information Governance for Registration Authorities


Transcript of Information Governance for Registration Authorities

Page 1: Information Governance for Registration Authorities

Registration Authority and the IG Toolkit

More than just 303 and 304

Alex Beisser, IG and RA Manager

1

Page 2

Some questions

• How many of you have heard about the IG Toolkit (IGT)?
• Have you been asked to provide evidence for the IGT?
• Were you questioned about the evidence that you provided?
• What level of compliance have you achieved in the RA Standards?

Page 3

Introduction to IGT

• A best practice framework around confidentiality and data protection, based on the ISO 27001/2 model, for the NHS and its partners
• Now in its 10th version
• 24 different sets of standards for organisations
• 45 standards for an acute organisation, split into:
  Information Governance Management – 5 Standards
  Confidentiality and Data Protection Assurance – 9 Standards
  Information Security Assurance – 15 Standards
  Clinical Information Assurance – 5 Standards
  Secondary Use Assurance – 8 Standards
  Corporate Information Assurance – 3 Standards

Page 4

Not all the same

• Pharmacies – IGT 10-304
• General Practice – IGT 10-304
• Prison Health – IGT 10-304 and 10-305
• Lucky you...

Page 5

Other providers

• What standards are affected for:
  Acute Trusts
  Mental Health Trusts
  Community Health Trusts
  Any Qualified Provider – Clinical Services
  Commissioning Organisations
  Ambulance Service

Page 6

Have a look

• IGT 10-101
• IGT 10-105
• IGT 10-110
• IGT 10-111
• IGT 10-112
• IGT 10-200
• IGT 10-206
• IGT 10-300
• IGT 10-301
• IGT 10-302
• IGT 10-303
• IGT 10-304
• IGT 10-305
• IGT 10-308
• IGT 10-309
• IGT 10-400
• IGT 10-601

17 Standards affected

Page 7

The details

101: There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda.

Required evidence:

• RA Manager or a representative should sit on the IG Steering Committee or Group (ToR)

Page 8

The details

105: There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans.

Required evidence:

• Up-to-date and reviewed RA policy and accompanying procedures (e.g. UIM, ESR, IIM)

Page 9

The details

110: Formal contractual arrangements that include compliance with information governance requirements are in place with all contractors and support organisations.

Required evidence:

• Service Level Agreements if you provide RA services to other organisations

Page 10

The details

111: Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation.

Required evidence:

• Employment contracts and Job Descriptions for RA staff
• CRB and staff vetting procedures (recent changes) and recording of them in ESR (eGIF flag)
• Identifying smartcard use within Job Descriptions

Page 11

The details

112: Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained.

Required evidence:

• Is RA mentioned in your IG Training?
• End user smartcard usage training

Page 12

The details

200: The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs.

Required evidence:

• Have your RA staff been trained appropriately?
• RA staff’s Job Description
• RA procedures and guidance material

Page 13

The details

206: There are appropriate confidentiality audit procedures to monitor access to confidential personal information.

Required evidence:

• RA access control audits

Page 14

The details

300: The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs.

Required evidence:

• Does the RA Manager have the required knowledge and expertise to run and manage RA?
• RA Manager’s Job Description
• RA staff are key to the organisation’s IG agenda
• Is the RA function represented in the IG Steering Group?

Page 15

The details

301: A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed.

Required evidence:

• Risk Assessment of the RA function (including software, hardware and staff)

Page 16

The details

302: There are documented information security incident / event reporting and management procedures that are accessible to all staff.

Required evidence:

• Reported smartcard incidents (sharing cards, loss, theft, misuse etc.)
• Procedure for dealing with RA breaches
• Incident Policy should refer to the RA function
• RA audit logs

Page 17

The details

303: There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority.

Required evidence:

• Your RA framework

Page 18

The details

304: Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use.

Required evidence:

• RA Monitoring plan (how will you do it?)
• Responsible officer (who will do it?)
• Procedure for dealing with smartcard breaches (links to 302)
• Improvement and action plan
• Improvement and action plan has been audited (spot checks)

Page 19

The details

305: Operating and application information systems (under the organisation’s control) support appropriate access control functionality, and documented and managed access rights are in place for all users of these systems.

Required evidence:

• PBAC access control documentation (incl. reviews undertaken in 2012/13)
• UIM / IIM Procedures
• Smartcard request procedures
• RA Structure (Sponsors): “... ensured that there are approved access controls in place for each key information asset under their control”
• Samples of access requests

Page 20

The details

308: All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers.

Required evidence:

• Service Level Agreements if you provide RA services to other organisations (links to 110)

Page 21

The details

309: Business Continuity Plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place.

Required evidence:

• RA Business Continuity Plan

Page 22

The details

400: The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience.

Required evidence:

• Are your access levels appropriate for staff accessing clinical systems (RiO, EMIS Web, Cerner, SCR, etc.)?
• Can the staff do their day job without a smartcard?
• Gateway documents for RiO R1.1

Page 23

The last one

601: Documented and implemented procedures are in place for the effective management of corporate records.

Required evidence:

• Old RA forms (including from predecessor organisations)
• RA request forms, emails, notes etc.

Page 24

If you don’t have enough...

604: As part of the information lifecycle management strategy, an audit of corporate records has been undertaken.

Required evidence:

• Audit of RA forms and requests

Page 25

Are you happy, worried or confused?

• Organisational structures change all the time
• I have been through all this twice and will soon go through it for a third time
• https://nww.igt.connectingforhealth.nhs.uk/