NHS Information Governance Risk Management
Introduction
• Information risk to be managed in a robust manner
• Assurance to be provided in a consistent manner
• A structured approach is necessary
• Identify Information Assets (IA)
• Assign ownership of those IA
• Formalise and standardise information risk management
• Builds upon existing NHS Information Governance frameworks
Three New NHS Roles
• In common with other government and public service bodies, NHS organisations should in future establish three new roles to aid the structured management of their information risk:
• Senior Information Risk Owner (SIRO)
• Information Asset Owners (IAO)
• Information Asset Administrators (IAA)
Ownership and Responsibilities
• The organisation’s management Board or equivalent ‘owns’ the information risk policy and its implementation
• The organisation’s SIRO is responsible for ensuring the Information Risk Policy is developed, implemented and reviewed, and that its effect is monitored
• The Information Risk Policy should be available and communicated to all staff as part of their induction, training and ongoing personal development arrangements
Key Local IRM Considerations
• Maximise existing lines of authority and responsibility where these are fit for purpose
• Associate tasks with the appropriate management levels
• Avoid adverse impacts on day-to-day business
• Ensure information risk management arrangements are efficient, effective, accountable and transparent
Roles: Accounting Officer
• The Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level
• Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risks
Roles: SIRO
• The SIRO is an executive who is familiar with information risks and their mitigations, including information risk assessment methodology
• The SIRO provides the focus for the assessment and management of information risk at Board level, providing briefings and reports on matters of performance, assurance and cultural impact
Roles: IAO
• Information Asset Owners are senior individuals involved in running the relevant business
• Small organisations may have a single IAO, whereas larger ones are likely to have several
• The IAO’s role is to:
• understand and address risks to the information assets they ‘own’; and
• provide assurance to the SIRO on the security and use of these assets
Roles: IAA
• Information Asset Administrators provide support to their IAO; they:
• ensure that policies and procedures are followed;
• recognise potential or actual security incidents;
• consult their IAO on incident management;
• ensure that information asset registers are accurate and maintained up to date
Candidate IAA Tasks
• Maintaining Information Asset Registers;
• Ensuring compliance with data sharing agreements within the local area;
• Ensuring information handling procedures are fit for purpose and are properly applied;
• Under the direction of their IAO, ensuring that personal information is not unlawfully exploited;
• Recognising new information handling requirements (e.g. a new type of information arises) and ensuring that the relevant IAO is consulted over appropriate procedures;
• Recognising potential or actual security incidents and consulting the IAO;
• Reporting to the relevant IAO on the current state of local information handling;
• Ensuring that local information handling constraints (e.g. limits on who can have access to the assets) are applied, referring any difficulties to the relevant IAO;
• Acting as first port of call for local managers and staff seeking advice on the handling of information;
• Under the direction of their IAO, ensuring that information is securely destroyed when there is no further requirement for it
NHS Information Assets 1
• Information assets come in many shapes and forms, and the following list can only be illustrative
• It is generally sensible to group information assets in a logical manner, e.g. where they all relate to the same information system or business process
Information Risk Management Policy
• All NHS organisations need a clear IRM policy
• IRM should be a fundamental component of the organisation’s overall business risk management framework
• Some organisations, e.g. PCTs, should develop policies that cover their smaller business partners, e.g. local independent contractors
Information Risk Management Policy 2
• Key aspects of an IRM policy:
• Provide support for the organisation’s business aims and objectives
• Define how the organisation and its delivery partners will manage information risk
• Identify how IRM effectiveness will be assessed and measured
• Define IRM escalation points and mechanisms