The Information Governance (IG) Policy (the Policy) sets out the Royal College of Obstetricians and Gynaecologists' (RCOG) cross-College IG framework to ensure that our records, information and intellectual property are effectively managed and properly protected.
IG provides a framework for bringing together all the legislative and regulatory requirements, standards and best practices in relation to the following areas:
- information asset and records management, including data quality
- information rights compliance (such as GDPR, FOIA, and PECR)
- information risk assurance and management, and
- information security (IM&T).
The Policy applies to:
- all staff (employed and contracted), officers, trainees, members, College representatives and suppliers who handle and use our information (where we’re the 'Controller' for the personal data being processed), whether we hold it on our systems (manual and automated) or if others hold it on their systems for us
- all personal data processing we carry out for others (where we’re the 'Processor' for the personal data being processed)
- all formats, e.g. printed and digital information, text and images, documents and records, data and audio recordings.
The Policy’s overarching objective is to ensure the College is creating, managing, using, sharing and disposing of its records and information efficiently, appropriately and lawfully. In particular, the Policy is intended to:
- comply with information rights legislation, e.g. the GDPR 2016 and the DPA 2018, the Freedom of Information Act 2000 (when working in partnership with public authorities) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
- protect the rights of our staff, officers, trainees, members, College representatives, suppliers, clients, customers and public users, e.g. through procedures governing the handling of Individual Rights requests
- assess, mitigate and monitor information risks faced by the College, e.g. by encrypting special category personal data
- assist the College in protecting its intellectual property.
Information Governance:
- encompasses the multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an organisational level
- supports the College’s immediate and future regulatory, legal, risk, environmental and operational requirements
- determines the balance point between two potentially divergent organisational goals: extracting value from information and reducing the risk that information presents
- defines the roles and responsibilities of all stakeholders involved in handling and managing College information.
Information is a key asset for the RCOG. It is central to the College’s business processes, decision making and service delivery, and provides evidence and accountability concerning RCOG actions and performance. It is crucial that information is managed efficiently and effectively to maximise its value for the RCOG and its stakeholders, and to stop it becoming a liability and a risk.
Please see Appendix 1 below for a glossary of terms.
Roles and responsibilities
The College has defined its IG roles and responsibilities as follows:
- Trainees, members, College representatives and suppliers must follow all the IG requirements in their respective role descriptions, contracts, terms and conditions and/or Code of Conduct.
- Staff are responsible for managing the College’s records and information effectively and appropriately.
- Line managers and Officers must ensure their line reports are familiar with relevant IG policies, procedures and guidance, and with the ways of working needed to comply with legislative and regulatory requirements.
- Information Asset Ownership (IAO) across the College has been delegated to Directors, who are responsible for enabling effective IG within their respective areas and teams, such as making decisions about how information is processed, e.g. what is collected, how it is used, who it is shared with, when it is deleted, and whether information risks are mitigated further or accepted by the College. They must
- understand what information assets their team(s) process(es)
- understand its value to the College and the related approach, appetite and capacity for risks and opportunities in conjunction with the College’s risk management standards
- make sure the information is managed according to this and all relevant IG, Data Security and Protection Policies
- nominate a local Information Governance Lead (IG Lead)
- provide senior management support to IG Lead in discharging their role, and
- identify, oversee and support the work of information asset administrators within their areas of responsibility.
- Information Asset Administrators (IAAs) are individuals nominated by Information Asset Owners to assist with the operational responsibility for information asset management within their respective service areas. This involves the:
- application of IG rules
- identification of information assets to the IG Team, and
- updating of RCOG records and information to ensure data integrity and quality.
In some departments, the IG Lead is also the IAA.
- Information Governance (IG) Leads are staff who have been nominated by the Information Asset Owners and must
- champion IG, including data protection and records management, within their departments
- be the first point of contact on all IG-related matters within their departments, including data protection and records management
- raise and monitor awareness of good IG practice within their departments, especially the processing of personal data
- contribute to the annual DSPT audit, submission and improvement plan
- act as the contact point with the Information Governance Officer (IGO) concerning the retention, disposal and transfer of records
- assess the records management procedures as they relate to each function, and
- assist staff with team records management procedures.
- The Information Governance Officer (IGO) is part of the IG Team in Research and Information Services, reports to the Deputy SIRO and must
- provide day-to-day management of IG and data protection compliance across the College
- provide advice and support to the IG Leads, Information Asset Owners and the wider organisation
- act as Administrator for the Data Security and Protection Toolkit (DSPT)
- implement records management best practice
- investigate security incidents and breaches, and
- coordinate Individual Rights requests, e.g. Subject Access Requests (SARs).
- The Deputy SIRO is the Head of Research and Information Services and is responsible for the strategic improvement, day-to-day operation and delivery of IG within the RCOG. This includes, but is not limited to:
- supporting the SIRO and Caldicott Guardian
- leading on the following IG areas: information rights compliance, information asset and records management, and information risk assurance and management
- managing the handling of requests for information (RFIs) under information rights and copyright legislation
- co-ordinating, maintaining and developing the information asset register (IAR), including information sharing protocols and agreements
- reporting data security and protection incidents
- maintaining the information risk register and ensuring remedial actions have been undertaken
- leading on the annual Data Security and Protection (formerly IG) Toolkit submission to NHS Digital and the College’s subsequent improvement plan
- developing and overseeing the College’s IG strategy and associated work programmes, providing specialist advice and assistance to staff where required on areas of information governance legislation, keeping specialist knowledge up to date and ensuring that changes in legislation or national and local policy are communicated effectively to staff at all levels of the organisation
- establishing, developing and delivering both mandatory and discretionary staff training
- establishing, developing and delivering IG policies, procedures, guidance notes and ways of working
- preserving and providing access to the RCOG’s Archives
- leading liaison with external regulators, such as the Information Commissioner’s Office (ICO)
- creating, analysing and presenting performance indicators, such as a quarterly IG Dashboard
- providing a public frontline information rights handling and enquiries service
- delivering a functioning records management service for the College’s structured and unstructured records
- maintaining the RCOG Retention Schedule
- advising the SIRO and Executive Committee on potentially reportable data security and protection incidents/breaches, and
- deputising for the SIRO, as required.
The current Deputy SIRO is the Head of Information and Governance, Ciara Shimidzu.
- The Information Governance Management Group (IGMG) is chaired by the SIRO and has delegated responsibility from the Executive Committee for the development and delivery of effective IG throughout the RCOG, including data protection. In particular, it
- provides the ownership and advocacy required to support, co-ordinate, promote, monitor and assure IG compliance, and
- reports to the Audit and Risk Committee via the Deputy SIRO and SIRO.
It is made up of representatives that are suitably senior and/or possess the necessary professional and technical expertise. The terms of reference for IGMG are in Appendix 2.
- The Senior Information Risk Officer (SIRO) is nominated by the Executive Committee and has delegated authority for information risk and mitigation, including responsibility for implementing and leading on IG risk assessment and management processes within the College, and must
- lead and foster a culture that values, protects and uses records and information for the success of the organisation and the benefit of its members, trainees, staff and other stakeholders
- own the RCOG’s overall information risk assessment processes and ensure they are implemented consistently
- ensure the Board of Trustees, Officers and the Executive Committee are adequately briefed on IG issues and associated risks
- lead on the handling of security incidents and data protection breaches
- own the College’s Data Security and Protection Incident Handling policy and procedures
- provide the final point of resolution for any IG risk issues, and
- chair the IGMG (IG Management Group).
The current SIRO is the Executive Director of Finance and Resources, Ian Hill.
- The Caldicott Guardian is primarily responsible for the protection of confidential personal information and for ensuring it is used in line with the Caldicott Principles. They are responsible for:
- protecting the confidentiality of patient information
- enabling appropriate information-sharing
- ensuring the College satisfies the highest practical standards for handling patient identifiable information
- acting as the 'conscience' of the organisation
- actively supporting work to enable information sharing where it is appropriate to share, and
- advising on options for lawful and ethical processing of information.
The current Caldicott Guardian is the Director of Clinical Quality, Dan Wolstenholme.
- Executive Directors sitting on the Executive Committee have overall responsibility for IG, which involves:
- providing high-level support to ensure each directorate applies the relevant policies and controls, e.g. mandatory training requirements
- facilitating the development and implementation of IG practices, e.g. Executive Directors will nominate/confirm individuals to sit on relevant groups and to carry out specific responsibilities
- escalating issues in line with IG priorities.
The College commits to maintaining and developing the following ways of working as per the roles and responsibilities outlined above to ensure ongoing legal compliance and IG best practice.
Information Asset Register (IAR)
The Information Asset Register is reviewed in the annual DSPT audit by the IG Team and updated by the IAOs and the IAAs, supported by the IG Leads, in readiness for the annual DSPT submission at the end of March.
All agreed actions are then implemented as part of the DSPT improvement plan completed in the six months after submission.
Records Management (RM)
The RCOG Records Management Policy is to be reviewed annually, with accompanying procedures and protocols, such as the Retention Schedule, to be reviewed and updated every two years unless the overarching RM policy alters substantially. College-wide data cleansing exercises are to be undertaken annually by the IAOs and the IAAs, supported by the IG Leads, implementing ongoing changes made to the Retention Schedule.
Intellectual Property Register
The Intellectual Property Register enables the College to evaluate and assure compliance with IG policies and processes as well as intellectual property legislation, recording and highlighting risk as appropriate.
Information Governance Risk Register
The IG Team maintain an IG Risk Register for the College which is aligned to the Corporate Risk Register and includes all information risks generated from:
- DSP incidents and breaches
- waivers to DSP policies
- privacy risks accepted following DPIA
- risks highlighted during the annual IAR review and update.
The register is reviewed routinely by IGMG, who ensure these risks are actively controlled, assessed and managed. The SIRO or Deputy SIRO then presents these risks to the Executive Committee and the RCOG Audit and Risk Committee.
Data Security and Protection (DSP) Incident and Breach Reporting
The IG Team maintains a log of all DSP incidents and breaches which is regularly reviewed by IGMG. All staff must comply with the DSP Incident Handling Policy and Procedures. All “HIGH” risk incidents and breaches are assessed by the Deputy SIRO using NHS Digital and ICO assessment tools to generate a report for the SIRO on whether the incident/breach needs to be reported to the ICO, the Charity Commission and the Data Subjects affected. Where a personal data breach is notifiable under the GDPR, the ICO must be informed without undue delay and, where feasible, within 72 hours of the College becoming aware of it, so this assessment must not wait for the next scheduled review. The DSP incident reporting process is to be aligned to the College’s Incident Handling framework.
Annual Audit, DSPT Submission and Improvement Plan
The Deputy SIRO leads an annual IG Audit based on the latest DSPT each October. The audit informs the annual DSPT submission to NHS Digital by 31 March and the six-month improvement plan from 01 April. The DSPT Submission and Improvement Plan is reviewed by IGMG, approved by the Executive Committee and presented to the RCOG Audit and Risk Committee, both of whom receive quarterly reports on progress. In support of this cycle:
- The IAOs must maintain the accuracy of the IAR and the information flows, with at least annual updates, to ensure an up-to-date version can be submitted as evidence in the annual DSPT submission
- All staff to participate in regular, College-wide data cleansing exercises led by the IAOs and IAAs, facilitated by the IG Team
- All staff to comply with the framework of IG (including Data Security and Protection) policies, e.g. Data Protection, Privacy, Records Management, and Data Security and Protection Incident Handling
- All relevant staff to assist the Deputy SIRO in the annual DSPT audit and submission.
For further advice concerning any aspect of this policy, please contact the Information Governance (IG) Team by email at email@example.com or by calling +44 20 7772 6200.
Appendix 1: Glossary of Information Governance Terms
Archives: are the records which are retained permanently because of their continuing business, evidential, historical or informational value to the RCOG.
Business Information Systems: are databases, or other software, that create or capture information in relation to RCOG business. They are primarily used for reference but can be used for workflow or data sharing. Systems that hold information the RCOG would rely on as evidence should be able to manage their content as records and be Record Keeping Systems.
Data: is the raw input from which information of value is derived.
Data Controller: an individual or organisation who:
- decides to collect or process personal data
- decides what the purpose or outcome of processing is to be
- decides what personal data should be collected
- decides which individuals to collect personal data about
- obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller
- processes personal data as a result of a contract between us and the data subject
- whose data subjects are the employees
- makes decisions about the individuals concerned as part of or as a result of the processing
- exercises professional judgement in the processing of the personal data
- has a direct relationship with the data subjects
- has complete autonomy as to how the personal data is processed
- has appointed processors to process the personal data on our behalf.
Joint Data Controllers: two or more individuals or organisations who:
- have a common objective regarding the processing
- process the personal data for the same purpose as another controller
- use the same set of personal data (e.g. one database) for this processing as another controller
- design the processing with another controller
- have common information management rules with another controller.
Data Processor: an individual or organisation who:
- follows instructions from someone else regarding the processing of personal data
- is given the personal data by a customer or similar third party, or told what data to collect
- does not decide whether to collect personal data from individuals
- does not decide what personal data should be collected from individuals
- does not decide the lawful basis for the use of that data
- does not decide what purpose or purposes the data will be used for
- does not decide whether to disclose the data, or to whom
- does not decide how long to retain the data
- makes some decisions on how data is processed, but implements these decisions under a contract with someone else
- is not interested in the end result of the processing.
Data Protection Act 2018: is an Act of Parliament which supplements the GDPR 2016 in UK law and establishes UK-only derogations and exemptions.
Data quality: is a recognition that the accuracy, coverage, timeliness and completeness of data can significantly impact on the value of its use.
Data subject: a living individual who can be identified from the personal data or from additional information held, or obtained, by the RCOG. For example, a CCTV image which can identify someone when linked to building access control codes.
File Plan: is a governance tool that classifies RCOG records in terms of function and activity; it acts as the baseline to connect this policy, and its related guidance and procedures, to the business processes that create, manage, use and dispose of College records.
Freedom of Information Act 2000: provides the public with a general right of access to all information held by, or on behalf of, public authorities. Any individual or organisation may request any information held by a public authority. The public authority must tell the applicant (normally within 20 working days) whether it holds the information. If it does, it must supply it, unless an exemption applies. The RCOG, as an independent charity, is not a public authority, and is not directly subject to the Act. However, the College may hold information ‘on behalf of’ a public authority since it performs work for them under contract. Information relating to these activities may be caught by the Act.
General Data Protection Regulation (EU) 2016/679 (GDPR): sets out the data protection and privacy rights of all individuals within the European Union. It also applies to the transfer (export) of personal data outside the EU, and to the personal data of non-EU individuals processed by controllers or processors based within the EU. The GDPR applies from 25 May 2018.
Information Asset: a body of information defined and managed as a single unit or aggregate so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.
Information Asset Register: a governance tool that lists the RCOG’s key information assets.
Information Commissioner or ICO: is responsible for the regulation of the GDPR 2016 and DPA 2018 throughout the UK. The Information Commissioner is appointed by the Queen and is independent of the UK Government.
Information governance compliance: ensures compliance with all statutory requirements governing the management of information, including rights of access under Freedom of Information and Data Protection legislation.
Information Governance Framework: is a suite of policies, procedures, guidance and standards covering the following areas;
- information asset and records management, including data quality
- information rights compliance (such as GDPR, FOIA, and PECR)
- information risk assurance and management, and
- information security (IM&T).
Information Notice: can be issued by the Information Commissioner and requires a data controller to provide the Commissioner’s office with information that it requires to carry out its functions. Failure to comply with an Information Notice can result in enforcement action and a penalty, and knowingly or recklessly making a false statement in response to one is a criminal offence.
Information security: ensures that RCOG information is not compromised by unauthorised access, modification, disclosure or loss.
Information sharing: ensures that RCOG information is shared in a compliant, controlled and transparent manner.
Notification: under the Data Protection Act 1998 the RCOG was required to notify the Information Commissioner annually about the categories of personal information it processes and the purposes for which it is processed, and failure to notify was a criminal offence. Since 25 May 2018 notification has been replaced by an annual data protection fee payable to the Information Commissioner, with a fixed penalty for non-payment. The Information Commissioner maintains, and publishes, a register of fee payers (formerly the Register of Data Controllers).
Open data: data that is accessible (usually via the internet), in a machine readable form, free of restriction on use. It supports transparency and accountability, effective services and economic growth.
Payment Card Industry Data Security Standard (PCI DSS): a set of minimum security requirements, produced by the major payment card brands (Visa, Mastercard, American Express, Discover and JCB) through the PCI Security Standards Council, to be applied by anyone who stores, processes or transmits credit and debit card data in order to protect payment card transactions.
Personal data: is all information that relates to an identifiable living person who can be identified from that information or from additional information held, or obtained, by the RCOG. Examples of personal data are contained in paper files, electronic records and visual and audio recordings.
Processing: is all actions relating to personal data. Gathering, recording, analysing, amending, using, sharing, disclosing, storing and destroying personal data are all covered by this definition.
RCOG Records: are defined as;
- recorded information in any format (including paper, microform, electronic and audio-visual formats);
- which are created, collected, processed, and/or used by RCOG staff, Trustees, Council, Officers, FMTs and other stakeholders when undertaking RCOG business, predecessor bodies (e.g. Velindre NHS Trust, RC Psych) or contractors performing an RCOG function or service; and
- are then kept as evidence of that business.
Active Records are about ongoing RCOG business and are regularly (at least once a month) added to, referenced or updated. Semi-Active (semi-current) Records are about RCOG business that has concluded and are no longer updated but are kept for reasons of reference or evidence and accessed less than approximately ten times a year. For Archived records, see Archives definition above.
Records management: processes and practices that ensure RCOG records are systematically controlled and maintained, covering the creation, storage, management, access, and disposal of records, in compliance with best practice, legal obligations and policy requirements.
Record Series: also known as a Primary, is a collection of records with a connection that are grouped together to be accessed and managed as a single item.
Special Categories of personal data: include data revealing:
- race or ethnicity
- political opinions
- religious or philosophical beliefs
- trade union membership
- a person’s health
- sex life or sexual orientation
- genetic or biometric data.
Subject Access Request: the right given by Data Protection legislation to an individual to ask for a copy of the personal data being processed by the College. The information must be supplied in an intelligible and permanent form unless this involves a disproportionate effort or the individual agrees otherwise. The RCOG may have to consider the requirements of the Equality Act 2010 (which replaced the Disability Discrimination Act) when providing personal data to an individual who may require the information in a particular format to take a special need into account. Individuals have a right to access the information we hold on them and to correct inaccuracies in that information. This includes information in searchable electronic format (shared drives, Integra, Exchequer, Exchange server etc.) AND information held on paper in a structured format that can be searched. Individuals also have the right to ask for the information we hold about them to be deleted.
Following a request, the College must search for and collate this information and return it within 40 days. Once the GDPR applies from 25 May 2018 this deadline becomes one month, extendable by a further two months where requests are complex or numerous. The IG Manager currently deals with Subject Access Requests.
Universal Serial Bus (USB) is an industry standard that defines the cables, connectors and communications protocols used in a communication system for connection, communication, and power supply between computers and electronic devices.
Appendix 2: Information Governance Management Group Terms of Reference
- To provide strategic leadership for information governance and information risk management throughout the College, reporting into the Executive Committee, Officers (as appropriate) and Audit and Risk Committee with Director representation from key departments, namely those handling large volumes or high risk personal data, such as Clinical Quality, Membership, Education, Exams and People.
- To support, monitor and authorise the development of the Information Governance Framework and its implementation, including all accompanying policies, guidance and tools.
- To support the College’s Information Governance network of IG Leads.
- To oversee the College’s annual Data Security and Protection Toolkit Submission (formerly known as the IG Toolkit).
- To agree, support and monitor the annual Data Security and Protection Improvement plan to drive change, including plan revision and realignment to mitigate risk.
- To take ownership of the information risk management approach, including monitoring compliance with the Information Governance Framework, reporting and escalating information risks as appropriate, taking corrective actions where necessary, and maintaining the IG Risk Register.
- To receive and consider reports into breaches of confidentiality and security and, where appropriate, undertake or recommend remedial action.
- To develop solutions and implementation programmes (including training and raising awareness) to ensure that the RCOG complies with developing information governance requirements.
- To ensure that each directorate fulfils its responsibilities and applies relevant information governance policies and controls.
- To support directors and managers with the implementation of information governance standards and policies, the management of information risks, and in promoting awareness throughout their areas.
- To support audit and assessment arrangements for information governance (internal and external).
- To ensure that the College’s approach to information governance and information risk is effective in terms of resource, commitment and execution, and that it is communicated to all staff.
- To liaise with boards, committees and other working groups to ensure compliance with the College’s Information Governance Framework.
- To provide a focal point for the resolution and/or discussion of information governance and risk issues.
Appendix 3: Information Governance Management Group Forward Plan
The remit of the IGMG is broad and requires detailed monitoring of information risk. As such, the following forward plan is in place to ensure there is sufficient time to complete this work and to assist with the IGMG meeting agenda.
The following “standing items” to be included in the agenda for every meeting:
- Data Security and Protection (DSP) Submission and Improvement Plan – quarterly progress report
- IG Dashboard
- DSP Incident Register – review and escalation
The following “standing items” will be included only in the agendas of the quarterly meetings:
- Review and sign-off the revised DSP policy and procedures framework
- Review and sign-off the revised DSP ways of working, staff training and communications framework
- Review the Information Risk Register
- Review and sign-off updates to the Information Asset Register
- Review and approve the proposed DSP Toolkit Submission and Improvement Plan for the next year.