Confidentiality Audit Procedure - NHS Greenwich CCG · Confidentiality Audit Procedure Page 4 of 25...

Confidentiality Audit Procedure of 25

Confidentiality Audit Procedure

Author(s)

Andrew Thomas

Version

1.0

Version Date

09 September 2013

Implementation/approval Date

11 September 2013

Review Date

September 2014

Review Body Information Governance Steering Group

Policy Reference Number

024

Version Author Date Reason for review

0.0 Andrew Thomas July 2013

0.1 Neil Taylor September2013

Formatting Adjustments to match CCG Policy on Polices

1.0 September2013

Final


Contents Page

1.0 Introduction ....................................................................................................... 3

2.0 Monitoring Confidential Information .................................................................. 3

3.0 Auditing Access to Confidential Information ..................................................... 4

4.0 Audit Method .................................................................................................... 4

5.0 Frequency ........................................................................................................ 4

6.0 Choosing Appropriate Auditors ......................................................................... 5

7.0 Pre-Audit Questionnaires ................................................................................. 5

8.0 Pre-Audit Meeting ............................................................................................. 5

9.0 Audit Checklist .................................................................................................. 6

10.0 Conducting the Audit ..................................................................................... 6

10.01 Questioning Techniques ............................................................................ 6 10.02 Staff Awareness Interviews ........................................................................ 6

11.0 Reporting ...................................................................................................... 7

11.01 Non-Compliance ........................................................................................ 7

11.02 Concerns Observed ................................................................................... 8

12.0 Audit Report .................................................................................................. 8

13.0 Closing Meeting ............................................................................................ 8

14.0 Audit Follow Up ............................................................................................. 8

15.0 Audit Closure ................................................................................................. 8

16.0 Review .......................................................................................................... 9

17.0 Monitoring Compliance with this Procedure .................................................. 9

17.01 Monitoring of compliance ........................................................................... 9 17.02 Non Compliance ........................................................................................ 9

18.0 Implementation and dissemination of document ......................................... 10

19.0 Training Requirements ................................................................................ 10

20.0 Latest Version ............................................................................................. 10

21.0 Associated Documents ............................................................................... 10

22.0 Appendices ................................................................................................. 11

Appendix 1 Equality & Equity Impact Assessment Checklist ............................ 12 Appendix 2 Consultation History ....................................................................... 13

Appendix 3 Compliance Audit Template ........................................................... 14 Appendix 4 Audit Programme ........................................................................... 18 Appendix 5 Pre Audit Questionnaire ................................................................. 19

Appendix 6 Audit Checklist ............................................................................... 20 Appendix 7 Interview Record Sheet .................................................................. 21 Appendix 8 Non-Compliance Observation Sheet .............................................. 22 Appendix 9 Recommendation Sheet ................................................................. 23

Appendix 10 Audit Report ................................................................................... 24


1.0 Introduction

With advances in the electronic management of both health and employment information within the NHS brought about by the advent of the NHS Care Record Service, Electronic Prescribing, Choose and Book and the Electronic Staff Record, the requirement to monitor access to such confidential information has become increasingly important. With the large number of staff using these systems, it is imperative that access is strictly monitored and controlled. Furthermore, with the increased use of electronic communications, the movement of confidential information via these methods poses the threat of information falling into the hands of individuals who do not have a legitimate right of access to it. Failure to ensure that adequate controls to manage and safeguard confidentiality are implemented and fulfil their intended purposes may result in a breach of that confidentiality, therefore contravening the requirements of:

Caldicott

Data Protection Act 1998

Human Rights Act 1998

Common Law Duty of Confidentiality

These procedures provide an assurance mechanism by which the effectiveness of controls implemented within the CCG are audited, areas for improvement and concern highlighted and recommendations for improved control and management of confidentiality within the CCG are made. GP and Dental practices within the CCG catchment area are encouraged to implement their own procedure and they are free to model their procedure on this if they wish. In this case NHS Greenwich CCG will waive their copyright on this procedure.

2.0 Monitoring Confidential Information

In order to provide assurance that access to confidential information is gained only by those individuals that have a legitimate right of access, it is necessary to ensure appropriate monitoring is undertaken on a regular basis. Monitoring should be carried out by the Information Governance Team in order that irregularities regarding access to confidential information can be identified and reported to the Caldicott Guardian and action taken to address the situation, either through disciplinary action, the implementation of additional controls or other remedial action as necessary. Actual or potential breaches of confidentiality should be reported using the CCG’s reporting system (refer to the Serious Incident Policy)


3.0 Auditing Access to Confidential Information

The Caldicott Guardian will ensure that audits of security and access arrangements within each area are conducted on a regular basis. Areas to be audited include:

Security applied to manual files e.g. storage in locked cabinets / locked rooms

Arrangements for recording access to manual files e.g. tracking cards, access requests by solicitors, police, data subjects etc.

Evidence that checks have been carried out to ensure that the person requesting access has a legitimate right to do so

The existence and location of whiteboards containing confidential information

The use of and disposal arrangements for post it notes, notebooks, other temporary recording material

Retention and disposal arrangements

The location of fax machines and answer phones which receive confidential information – are they designated safe haven faxes?

Confidential information sent or received via email, security applied and email system used

Information removed from the workplace – has authorisation been gained either for long term or short term removal?

Security arrangements applied i.e. transportation in secure containers

The understanding of staff within the department of their responsibilities with regard to confidentiality and restrictions on access to confidential information

Security applied to laptops, compliance with the CCG’s Remote Working Policy

Evidence of shared encrypted memory sticks

Verbal conversations with personal data exchange

passwords being used within the area being audited

4.0 Audit Method

The audit should be carried out through a series of interviews with Directors, Associate Directors or Team managers. The interview should be both informal and relaxed this will encourage the interviewee to be more open with answering questions. Interviews can be conducted either on a one to one basis, as a focus group, or a mixture of the two. During the interview, or focus group meeting, the interviewer should take brief notes which can be written up following the meeting. It is important that the individuals involved in the interview process do not feel intimidated as this could impact on the efficacy of the audit. As a last resort the audit could be carried out using questionnaires / observations (appendix 3); however this method is unlikely to yield the quality of response which could be gained through the use of interview method.

5.0 Frequency

Prior to commencing the audit process it will be necessary to decide how frequently audits will be carried out. It is recommended that each area is audited at least once a year. A programme of audits (appendix 4) should be produced detailing the date on


which each departmental audit will be conducted and the intended frequency in order to ensure the CCG has a systematic approach to the auditing process. Each audit should have a reference number which can be used on all documentation collated and used within the exercise. Once the audit programme has been produced it should be submitted to the Greenwich executive for approval prior to implementation. Once approval has been granted, the audit programme should be shared with all Directors, Associate Directors or Team managers affected to ensure that they are aware of when the audits are due to be carried out within their area.

6.0 Choosing Appropriate Auditors

Audits should be conducted by individuals who have no connection with the work function being audited in order that an objective view can be achieved. Auditors should have the ability to express concerns and ideas effectively in verbal and written form. It is recommended that individuals selected as Auditors receive appropriate training prior to commencing the audit process; however, this is not a mandatory requirement. It is recommended that the individuals selected have a good knowledge of the requirements of the Data Protection Act 1998, Caldicott Principles etc. Individuals conducting audits should:

Demonstrate an objective and responsible approach

Process sound judgment, excellent analytical skills and tenacity

Demonstrate a rational approach in diverse situations

Demonstrate the ability to understand complex processes

Demonstrate the ability to understand the role of the area being audited in the CCG as a whole

7.0 Pre-Audit Questionnaires

It will assist the audit process for the area to be audited to complete a pre-audit questionnaire (appendix 5) which will enable the auditor to gain an understanding of the function of the department and the processes carried out relating to confidential information, this will allow the auditor to ask informed questions when conducting the audit. The pre-audit questionnaire should be annotated with the name of the department or area, a contact name and number should be returned to the auditor in advance of the scheduled audit date.

8.0 Pre-Audit Meeting

The auditor should arrange a brief pre-audit meeting with the Director, Associate Director or Team manager with the aim of discussing who will be involved in the audit, how long the audit is likely to take, what documentation will be required, what facilities will be required e.g. workspace, photocopiers etc. and what feedback will be provided to


the Director. The required documentation should be forwarded to the auditor prior to the audit commencing, this could include local procedures which are in place.

9.0 Audit Checklist

An audit checklist (appendix 6) should be produced which will enable the auditor to track the progress of the audit.

10.0 Conducting the Audit

10.01 Questioning Techniques Initially ask the question to establish the fact, listen to the interviewee’s answer then verify that you have understood the response correctly. Confirm that the information you have been given corresponds with the documented procedures, then check records and logs to ensure they demonstrate that procedures have been followed. Also check that the records and logs are up to date. It may be necessary to change the order of questioning to encourage better flow of information from the interviewee. Brief notes should be made on the audit checklist (appendix 6):

Column B should be used to record evidence put forward to support the responses to questions asked. Where documents form the evidence provided, the unique reference number of the document(s) should be included for ease of reference

Column C should be used to record the auditor’s assessment as to how the evidence demonstrates compliance with the requirement of the Data Protection Act 1998, the procedures and the Caldicott Principles

Column D should be used to record the auditor’s grading of the response to each

question. The following codes should be used when grading responses: o COM –

evidence demonstrates fully compliance o MAJ – evidence demonstrates major non-compliance o MIN – evidence demonstrates minor non-compliance o OBS – no evidence of non-compliance was found, but an observation was

made that there was the potential for problems to occur and improvements which could be made

10.02 Staff Awareness Interviews Staff awareness interviews give an opportunity for the auditor to assess the level of awareness of confidentiality issues. Interviews can be conducted either on a one to one basis or as a focus group the duration of which should be between 15 and 30 minutes. The interview will be conducted using directed questioning techniques, whereby the auditor opens with a broad question relating to a specific topic, this is then followed up with further questions which gradually narrow the scope of the question until finally the member or members of staff give a specific answer to the question posed.


Pre set questions should be used to establish:

Roles and responsibilities

Awareness of general confidentiality issues

Understanding of Data Protection Principles directly relating to their job

Understanding the requirements of policies, protocols and procedures relating to confidentiality

Training received The auditor’s questions and the interviewee(s) responses should be recorded on the Interview Record Sheet (appendix 7). During the interview process all observations should be recorded and should not be restricted to recording only negative observations, this will enable the final report to provide a more balanced view.

11.0 Reporting

A formal report should be provided to the area being audited, detailing the outcome of the audit. This can be valuable to the department or area being audited, as it provides information as to their compliance with confidentiality requirements including functions or processes which comply, functions or processes which do not comply and an improvement programme to ensure that the department or area fulfils all requirements.

11.01 Non-Compliance Where non-compliance is observed, this should be recorded as soon as possible, be sufficiently detailed, including all the facts and referring to any relevant evidence. The non-compliance should be recorded on the Non-Compliance Observation Sheet (appendix 8). The detail recorded should include an outline of what was observed, where it was observed, who was involved, the date of the observation and why it was considered to be non-compliant. Each non-compliance observed should have an associated recommendation which should be discussed and agreed with the Director, Associate Director or Team manager. Each recommendation should also include a target date for completion and a named individual who will be responsible for ensuring that the recommendation is implemented. Once the follow up meeting has taken place the auditor will complete the bottom section of the form (appendix 8), indicating implementation of recommendations and effectiveness of those recommendations. When the auditor is satisfied that the non-compliance has been resolved the auditor will sign the Non-Compliance Observation Sheet (appendix 8). Non-compliance can fall into one of two categories:

Major Non-Compliance: this would indicate that the non-compliance has occurred on a regular basis and could potentially have serious consequence

Minor Non-Compliance: these could include one off occurrences of non-compliance, there is little risk of the non-compliance causing more than a minor


irritation Where a number of minor instances of non-compliance are observed in the same functional area or department, this may indicate a more serious problem within that area. If this is the case, these instances of non-compliance should be combined into a major non-compliance.

11.02 Concerns Observed There may be instances where the auditor is concerned by what has been observed, but the instances are not actual non-compliances. In this case the auditor can make recommendations for improvements to be made to practice in order that potential problems do not occur. In this instance a Recommendation Sheet should be completed (appendix 9).

12.0 Audit Report

This should be produced once the audit has been completed, regardless of the fact that any non-compliance or concerns have been observed. This will include a summary of the findings of the audit, together with observations of non-compliance. Recommendations which have been made should also be included. Any follow up required and date of follow up should also be included in the report. The audit report should include an indication as to the scope. Please see appendix 10 for the report template.

13.0 Closing Meeting

This meeting will allow the auditor to present the findings from the audit. The audit summary will be presented along with detailed findings, as should recommendations for improvement and timescales within which those improvements should be made. Finally, agreement should be gained from the Director, Associate Director or Team manager concerned, with the non-compliance observations made. Any comments expressing disagreement should also be noted on the audit documentation.

14.0 Audit Follow Up

Once the audit process is complete, arrangements should be made for follow-up where non-compliance has been observed, this will allow the auditor to confirm that the recommended corrective action has been implemented. Where non-compliance relates to problems with documentation, the revised version should be checked as part of the follow up process.

15.0 Audit Closure

Once corrective action has been checked and agreed as compliant by the auditor, the audit can be formally closed.


16.0 Review

Review will take place of the 1st anniversary of adoption and subsequently every three years until rescinded or superseded.

17.0 Monitoring Compliance with this Procedure

17.01 Monitoring of compliance

Measurable Procedure Objective

Monitoring/Audit

Frequency of monitoring

Responsibility for performing the monitoring

Monitoring reported to which groups/committees, including responsibility for reviewing action plans

Audits are carried out on each CCG team/directorate

Completed Procedure Audit

Bi Yearly Compliance Manager

Information Governance Steering Group

Individuals are complying with requirements to keep PCD secure

Spot Checks

Bi Yearly Information Governance Lead


Individuals are complying with requirements to keep PCD secure

Completion of Staff Questionnaires



The organisation is mature in its understanding of Information Governance and reports breaches in an open an transparent way

Incidents Reported



17.02 Non Compliance Noncompliance with this Procedure by staff will be brought to the attention of the Information Governance Steering Group.

Failure to comply with the standards and appropriate governance of information as detailed in this procedure and supporting documents can result in disciplinary action. All staff are reminded that this procedure covers several aspects of legal compliance that as individuals they are responsible for.

Failure to maintain these standards can result in criminal proceedings against the individual.


18.0 Implementation and dissemination of document

The Procedure, once approved by the CCG’s governing body, or delegated group, will be shared with all staff through the all staff email, updated on the intranet, and shared with the CCG’s Management Board. A team briefing will be provided to support this dissemination.

19.0 Training Requirements

Training will be carried out for this procedure in line with the Information Governance Training Needs Assessment.

20.0 Latest Version

The audience of this document should be aware that a physical copy may not be the latest version. The latest version, which supersedes all previous versions, is available on the CCG Internet and Intranet.

21.0 Associated Documents

As a new organisation, the CCG is still developing a broad range of policies, protocols and procedures, which will be subject to further updates and additions. Related CCG policies, protocols and procedures currently include:

Consent to use PCD Policy

E-mail Policy

Information Governance Policy

Internet Policy

Mobile Device Policy

Records Management Policy

Acceptable Use Protocol

Confidentiality Code of Conduct Protocol

Freedom of Information Protocol

Information Sharing Protocol

Information Lifecycle Protocol

Pseudonymisation Protocol

Safe Haven Protocol

Confidentiality Audit Procedure

Subject Access to Health Records Procedure Supporting documentation also includes:

Information Governance Management Framework

Information Communication and Technology Framework

Information Governance Strategy

Information Governance Acronyms Document

Information Governance Roles & Responsibilities Document


Information Governance Steering Group Terms of Reference

Information Governance Training Needs Assessment

22.0 Appendices

Appendix 1 Equality Impact Assessment Checklist Appendix 2 Consultation history Appendix 3 Compliance Audit Template Appendix 4 Audit Programme Template Appendix 5 Pre Audit Questionnaire Template Appendix 6 Audit Checklist Template Appendix 7 Interview Record Sheet Template Appendix 8 Non-Compliance Observation Sheet Template Appendix 9 Recommendation Template Appendix 10 Audit Report Template


Appendix 1 Equality & Equity Impact Assessment Checklist

This is a checklist to ensure relevant equality and equity aspects of proposals have been addressed either in the main body of the document or in a separate equality & equity impact assessment (EEIA)/ equality analysis. It is not a substitute for an EEIA which is required unless it can be shown that a proposal has no capacity to influence equality. The checklist is to enable the policy lead and the relevant committee to see whether an EEIA is required and to give assurance that the proposals will be legal, fair and equitable.

The word proposal is a generic term for any policy, procedure or strategy that requires assessment.

Challenge questions Yes/No What positive or negative impact do you assess there

may be?

1. Does the proposal affect one group more or less favourably than another on the basis of:

Race No

Pregnancy and Maternity No

Sex No

Gender and Gender Re-Assignment No

Marriage or Civil Partnership No

Religion or belief No

Sexual orientation (including lesbian, gay bisexual and transgender people)

No

Age No

Disability (including learning disabilities, physical disability, sensory impairment and mental health problems)

No

2. Will the proposal have an impact on lifestyle?

(e.g. diet and nutrition, exercise, physical activity, substance use, risk taking behaviour, education and learning)

No

3. Will the proposal have an impact on social environment?

(e.g. social status, employment (whether paid or not), social/family support, stress, income)

No

4. Will the proposal have an impact on physical environment?

(e.g. living conditions, working conditions, pollution or climate change, accidental injury, public safety, transmission of infectious disease)

No

5. Will the proposal affect access to or experience of services?

(e.g. Health Care, Transport, Social Services, Housing Services, Education)

No

Document Author 14.8.13

Signature:

Equalities Lead (Carol Berry) 16.8.13

Signature:


Appendix 2 Consultation History

Stakeholders Name

Area of expertise

Date sent Date received Comments Changes made


Appendix 3 Compliance Audit Template

Records Management/Information Governance Compliance Audit

Site Location Directorate Date:

Aspect Records Management and Information Governance

Auditor

Section: ICT Security Documents Referenced

Comments Result

How many PC’s within the area?

How many PCs are within a public area?

How many are secured against theft?

How are they secured against inappropriate access?

Are any covered by CCTV or infra red security sensor?

Check to see if any are logged in and left unattended – observation

Is the screen viewable by the public?

Are all PCs linked to the network?

Random check of C drives for confidential information – observation

Random check of keyboards and draws to find passwords written down – observation

Is the equipment security marked?

Is the equipment protected against malicious software or code?

Is virus software up-to-date?


Section: Communications Documents Referenced

Comments Result

Where are the main calls to the dept routed to?

Is this the main reception area?

Is there facility for calls to be taken in privacy?

Check to see if calls can be heard from the public area – observation

Is there an answer phone in the public area?

Is this listened to whilst the public are present?

Where is the fax machine located?

Is this in a public area?

Is there a safe haven poster situated by the fax machine?

Check to see if any confidential information is on the machine – observation

Is it possible to reach across and remove a fax from the public area?

Is the fax machine sited correctly? i.e. away from windows, away from counter etc


Section: Physical Security Documents Referenced

Comments Result

Is access to staff only areas restricted by a security device?

Is the device used or is the door left open or ajar?

Are there any public areas which are closed for any period i.e. lunch?

Is the area secured against entry during these periods?

Is there any CCTV coverage of the area?

If CCTV used is appropriate sign present?

Are Security staff present in the area?

Are there environmental controls to avoid damage via flooding, environmental issues?

Section: Security of Confidential Information

Documents Referenced

Comments Result

Is confidential information used in a public area?

What security is used to protect this information?

Are locked cabinets available?

Check the reception area, walls and desks to see if confidential information is clearly on view – observation

Within staff only areas, is confidential information kept secure?

Can confidential information be seen from outside of the area?

Any Other Observations?


Section: Records Security Documents Referenced

Comments Result

How are the records stored?

Where are supplementary records stored?

How do you archive your records?

Section: Disposal of Confidential Information


Comments Result

Do you use Confi Bags?

Do you use Confi Bins?

Do you use Shredder?

Section: Disposal of Confidential Information


Comments Result

Do you require training in any areas that we have covered today?

If answered yes to the question above, what areas of training would you require?

Additional information

KEY: = Issue addressed adequately ? = Issue not addressed adequately = No reference found to issue in documentation


Appendix 4 Audit Programme

Directorate/ Team

Audit Frequency

April May June July August September October November December January February March


Appendix 5 Pre Audit Questionnaire

Pre Audit Questionnaire Directorate/Team:

Audit Reference:

Location:

Contact Name:

Position

Telephone Number:

Summary of Directorate/Team Functions:

Number of Full Time Staff:

Number of Part Time Staff:

Number of Temporary Staff:

Data Protection Questions:

Question 1 (enter question here)







Appendix 6 Audit Checklist

Audit Checklist

Department:

Interviewee: Pg:

Process:

Auditor: Ref: Date:

Question or Check (A) Documentary Evidence (B) Findings and Observations (C) Result (D)


Appendix 7 Interview Record Sheet

Interview Record Sheet Directorate/Team:

Audit Date:

Audit Reference:

Page No:

Attendees

Name Position Time in CCG

Details of Interview:








Appendix 8 Non-Compliance Observation Sheet

Non-Compliance Observation Sheet Directorate/Team:

Audit Date:

Audit Reference:

Observation Reference

Details of Non-Compliance:

Extent of Non-Compliance (Tick as appropriate):

Auditor Name:

Date of Observation:

Major Minor Signature:

Recommendations:

Follow Up

Follow Up Date:

Additional Comments:

Follow Up:

Compliance Assessment (Tick as apporopriate):

Auditor Name: Date Re-Assessed:

COM Signature:

MIN

MAJ


Appendix 9 Recommendation Sheet

Recommendation Sheet Directorate/Team:

Audit Date:

Audit Reference:


Details of Observed:

Auditor Name:

Date of Observation:

Signature:

Recommendations:

Follow Up

Follow Up Date:


Follow Up:

Auditor Name:

Date Re-Assessed:

Signature:


Appendix 10 Audit Report

Audit Report Directorate/Team:

Audit Date:

Audit Reference:

Page No: 1 of 2

Audit Summary:

Auditor Name:

Date Closed:

Signature:


Directorate/Team:

Audit Date:

Audit Reference:

Page No: 2 of 2

Observation Summary


Details of Observation

Summary of Agreed Actions

Non-Compliance Reference

Action By Corrective Action to be Taken Date

Agreed Audit Follow up:

Auditor Name:

Date Closed:

Signature:

Audit Closed

Auditor Name:

Date Closed:

Signature:


Confidentiality Audit Procedure - NHS Greenwich CCG · Confidentiality Audit Procedure Page 4 of 25...

Documents

Transcript of Confidentiality Audit Procedure - NHS Greenwich CCG · Confidentiality Audit Procedure Page 4 of 25...