Document Title IT Procurement Policy · 2020-02-11 · All approved projects will be managed using...


CNTW(O)63

Document Title: IT Procurement Policy

Reference Number: CNTW(O)63

Lead Officer: Darren McKenna, Director of Informatics

Author(s) (name and designation): John Gair, Head of Informatics - Infrastructure

Ratified by: Business Delivery Group

Date ratified: Nov 2017

Implementation Date: Nov 2017

Date of full implementation: Nov 2017

Review Date: Nov 2020

Version number: V05.1

Review and Amendment Log

Version | Type of Change | Date | Description of Change
V05 | Review | Nov 17 | Minor changes - Clinical Transformation - change of author
V05.1 | Review | Oct 19 | Governance changes

This policy supersedes:

Document Number | Title
CNTW(O)63 – V05 | IT Procurement Policy


IT Procurement Policy

Section Contents

1 Introduction

2 Purpose

3 Duties, Accountability and Responsibilities

4 Definition of Terms

5 Procedure / Process

6 Policy Administrative Process

7 Communication and Consultation with Stakeholders

8 Approval and Review of Document

9 Training

10 Implementation

11 Monitoring Compliance

12 Equality and Diversity

13 Fair Blame

14 Fraud, Bribery and Corruption

15 Associated Documents

16 References

Standard Appendices – attached to Policy

A Equality and Diversity Screening Toolkit

B Training Checklist and Training Needs Analysis

C Audit Monitoring Tool

D Policy Notification Record Sheet

Practice Guidance Note – listed separate to Policy

Document No: Description

ITP-PGN-01 IT Procurement Guidelines


Cumbria Northumberland, Tyne and Wear NHS Foundation Trust CNTW(O)63 IT Procurement Policy – V05.1 Oct 19

1 Introduction

1.1 Cumbria Northumberland Tyne and Wear NHS Foundation Trust (the Trust/CNTW) has agreed standards in place for desktop software, operating systems, computer networks and computer hardware and peripherals. This standardisation is essential as it allows the Trust’s Informatics Department to provide a quality service.

1.2 The Trust has agreed standards in place for:-

PC

Laptop

Blackberry

Peripherals - printers, scanners

Software

Software maintenance and support contracts

Telephones

Camera, Camcorder and Audio device

USB Memory Stick

1.3 The main benefit areas are:

Informatics Support Staff are familiar with hardware and peripherals, thus speeding up fault finding

The Informatics Department is able to stock standard spares in order to reduce down time

Network installations are planned and coordinated centrally by experienced network engineers

Informatics staff with relevant skills are recruited

1.4 This policy documents the standards and controls which must be in place to achieve these benefits and to ensure the purchase, delivery and installation of IT equipment is coordinated successfully.

2 Purpose

2.1 The purpose of this policy is to provide a framework for the procurement of IT hardware and software within the Trust, and to assist in the management and control of IT expenditure across all areas of CNTW.

3 Duties, Accountability and Responsibilities

3.1 Responsibility for implementation of and compliance with this Policy lies with the Chief Executive.

3.2 Associate Directors must ensure ownership for implementation throughout their respective Locality Care Groups.

3.3 It is the responsibility of the Director of Informatics to ensure that IT hardware or software is purchased in accordance with this policy only.

3.4 All purchasers of computer hardware and software have a responsibility to ensure that this policy is adhered to.

3.5 It is the responsibility of the Informatics Service Helpdesk in conjunction with the Procurement Team to ensure that all IT purchases are dealt with in accordance with this Policy and in a timely manner.

4 Definition of Terms

4.1 ISO/IEC 27002:2005 International Standard for Information Security.

5 Procedure / Process

5.1 Procurement:

5.1.1 The Informatics Department is the sole authority for submitting requisitions for IT equipment on behalf of any Ward or Department that has had approval for obtaining such equipment. The Director of Informatics retains the right to question any request for IT equipment, to ensure that purchases offer value for money etc.

5.1.2 All IT related hardware and software will be specified by the Director of Informatics. Hardware and software cannot be purchased without a completed Online User Request. This needs to be approved by the department’s Cost Centre Manager.

5.1.3 The Informatics Department will ensure that all of the Trust’s Informatics policies and procedures are followed when setting up software and hardware.

5.1.4 Installation of replacement equipment will be given priority over new equipment in order to maintain continuity in the existing service.

5.1.5 The following general principles will be applied to all IT purchases:

The Standing Financial Instructions which govern all procurement of goods and services across CNTW

All purchases will be suitable for purpose

All purchases will be of an acceptable quality


All purchases will have technical approval and financial approval from both the budget holder and the Director of Informatics

Request for replacement of equipment must be identified as faulty by the IT Team or fall outside the replacement criteria for the age of equipment

All purchases will be on the approved products list unless authorisation has been obtained from the Director of Informatics to purchase non-approved products

All solutions purchased to comply with the Trust Information Security Policy CNTW(O)35

All approved projects will be managed using PRINCE2 methodology

5.2 Procurement Policy:

5.2.1 Staff who wish to purchase IT equipment will:

Consider value for money

Identify maintenance requirements

Identify training requirements

5.3 The Purchaser or Line Manager will:

Ensure that the Online Order is completed, and approved by the budget holder

5.4 The Budget Holder will:

Ensure that all relevant paperwork is complete and give authority to proceed after approval by the Informatics Department.

5.5 The IT Department will:

Ensure that all purchase requests are dealt with in a timely manner

Ensure equipment is checked against delivery receipt and asset tagged

Ensure that all IT equipment is configured appropriately by a trained member of staff

Used only in an approved environment

Maintained in a safe and reliable way

Replaced in accordance with statutory requirements, guidelines and changes in technology

Ensure that all software licences are checked for quantity and held securely

Decommissioned and disposed of in line with the Trust secure disposal guidelines

5.6 The Procurement Team will:

Accept Procurement (Oracle) requisitions from the Informatics Service Helpdesk and deal with these in a timely manner

Ensure that adequate information has been provided to complete the procurement

Raise a Purchase Order for the equipment, and forward this to the supplier

Will make reference to standardised list of products

Existing catalogues and contracts to be used by supplies where appropriate

Informatics will liaise with Procurement in order to determine source of supply for commonly used products

Supplies will use the Commercial Support Unit (formerly PRONE) for the supply of PCs and Laptops

6 Policy Administrative Process

6.1 The development, consultation and dissemination of this policy has been undertaken in accordance with the Trust’s Policy CNTW(O)01, Development and Management of Procedural Documents and in conjunction with the policy administration process.

6.2 It has been circulated within the Trust CEO Bulletin and is available on the Trust Intranet site and also from policy administration.

6.3 Archiving of this policy will be in accordance with the Trust’s Policy, CNTW(O)01, Development and Management of Procedural Documents.

7 Communication and Consultation with Stakeholders

7.1 This is an existing policy which has only minor changes that do not relate to operational and / or clinical practice therefore did not require a full consultation process

North Locality Care Group

Central Locality Care Group

South Locality Care Group

North Cumbria Locality Care Group

Corporate Decision Team

Business Delivery Group

Safer Care Group

Communications, Finance, IM&T

Commissioning and Quality Assurance

Workforce and Organisational Development

NTW Solutions

Local Negotiating Committee

Medical Directorate

Staff Side

Internal Audit

8 Approval and Review of Document

8.1 This document has been approved by the Corporate Decision Team and will be reviewed 1 year from date of issue, unless by exception, i.e. due to change in legislation or standards.

9 Training

9.1 Training for this policy is incorporated into the annual Information Governance Training mandated to all staff.

9.2 The Corporate Decision Team (CDT) has:

Given full consideration to any training needs that have been identified during the development of a policy

Ensured that a full Trust wide training needs analysis has been undertaken

Identified who this will affect and what level of training is required

How often training should be undertaken

Any resource implication


9.3 Where additional training is required it is the responsibility of both managers and staff to ensure that this is undertaken and that attendance is verified and recorded.

10 Implementation

10.1 Taking into consideration all the implications associated with this policy, it is considered that a target date of May, 2014 is achievable for the contents to be implemented across the Trust.

10.2 This will be monitored by the CDT during the review process. If at any stage there is an indication that the target date cannot be met, then the Group will consider the implementation of an action plan.

11 Monitoring Compliance

11.1 Responsibility for monitoring compliance with this policy locally lies with Associate Directors and Line Managers.

11.2 The Information Governance Team will monitor compliance with this policy through observation, spot checks and through incident management in line with the Trust Incident reporting process.

11.3 Compliance with this policy will be routinely monitored through Internal and External Audit.

11.4 Any compliance issues will be reported to the line managers concerned and may be handled through staff disciplinary processes or contractual arrangements.

11.5 Incident Reporting

11.5.1 All incidents involving the loss of data whether encrypted or unencrypted must be reported immediately to the Information Governance department and dealt with in accordance with the Trust incident reporting procedure (See Trust Policy, CNTW(O)05 Incident Reporting and Procedures).

12 Equality and Diversity Assessment

12.1 In conjunction with the Trust’s Equality and Diversity Officer this policy has undergone an Equality and Diversity Impact Assessment which has taken into account all human rights in relation to disability, ethnicity, age and gender. The Trust undertakes to improve the working experience of staff and to ensure everyone is treated in a fair and consistent manner.

13 Fair Blame

13.1 The Trust is committed to developing an open learning culture. It has endorsed the view that, wherever possible, disciplinary action will not be taken against members of staff who report near misses and adverse incidents, although there may be clearly defined occasions where disciplinary action will be taken.

14 Fraud, Bribery and Corruption

14.1 The Fraud Act 2006 represents an entirely new way of investigating fraud. It is no longer necessary to prove that a person has been deceived. The focus is now on the dishonest behaviour of the suspect and their intent to make a gain or cause a loss.

14.2 The Trust is committed to taking all necessary steps to counter fraud and corruption. To meet its objectives, it has adopted the seven-stage approach developed by NHS Protect:

The creation of an anti-fraud and corruption culture

Maximum deterrence of fraud and corruption

Successful prevention of fraud and corruption which cannot be deterred

Prompt detection of fraud and corruption which cannot be prevented

Professional investigation of detected fraud and corruption

Effective sanctions, including appropriate legal action against people committing fraud and corruption, and

Effective methods of seeking redress in respect of money defrauded.

15 Associated Documents

CNTW(O)05 - Incident Policy, (including the management of Serious Untoward Incidents and associated practice guidance notes (PGNs))

CNTW(O)33 - Risk Management Policy

CNTW(O)35 - Information Security Policy

CNTW(O)36 - Data Protection Policy

CNTW(O)44 - Visual Imaging and Audio Policy (and associated PGN)

CNTW(O)55 - Information Risk Policy

CNTW(O)62 - Information Sharing Policy

CNTW(O)58 - Issue and Use of Mobile Communication Devices Policy

16 References

ISO/IEC 27002:2005

Standard Financial Instructions


Appendix A

Equality and Diversity Impact Assessment Screening Tool

Equality Analysis Screening Toolkit

Names of Individuals involved in Review: J Gair

Date of Initial Screening: V05 - Nov 17

Review Date: November 2020

Service Area / Locality: Informatics

Policy to be analysed: CNTW(O)63 - IT Procurement Policy

Is this policy new or existing? Existing

What are the intended outcomes of this work? Include outline of objectives and function aims

To regulate the procurement of IT equipment across the Trust, and to ensure secure use of IT equipment

Who will be affected? e.g. staff, service users, carers, wider public etc

Staff

Protected Characteristics under the Equality Act 2010. The following characteristics have protection under the Act and therefore require further analysis of the potential impact that the policy may have upon them

Disability N/A

Sex N/A

Race N/A

Age N/A

Gender reassignment (including transgender) N/A

Sexual orientation N/A

Religion or belief N/A

Marriage and Civil Partnership N/A

Pregnancy and maternity N/A

Carers N/A

Other identified groups N/A


How have you engaged stakeholders in gathering evidence or testing the evidence available?

Through standard policy consultation mechanisms

How have you engaged stakeholders in testing the policy or programme proposals?

Through standard policy consultation mechanisms

For each engagement activity, please state who was involved, how and when they were engaged, and the key outputs:

Through standard policy consultation mechanisms

Summary of Analysis Considering the evidence and engagement activity you listed above, please summarise the impact of your work. Consider whether the evidence shows potential for differential impact, if so state whether adverse or positive and for which groups. How you will mitigate any negative impacts. How you will include certain protected groups in services or expand their participation in public life.

N/A

Now consider and detail below how the proposals impact on elimination of discrimination, harassment and victimisation, advance the equality of opportunity and promote good relations between groups. Where there is evidence, address each protected characteristic

Eliminate discrimination, harassment and victimisation

N/A

Advance equality of opportunity N/A

Promote good relations between groups N/A

What is the overall impact?

N/A

Addressing the impact on equalities N/A

From the outcome of this Screening, have negative impacts been identified for any protected characteristics as defined by the Equality Act 2010? NO

If yes, has a Full Impact Assessment been recommended? If not, why not?

Manager’s signature: John Gair Date: November 2017


Appendix B

Communication and Training Check List for Policies

Key Questions for the accountable committees designing, reviewing or agreeing a new Trust policy

Is this a new policy with new training requirements or a change to an existing policy?

No this is an existing policy.

If it is a change to an existing policy are there changes to the existing model of training delivery? If yes specify below.

N/A

Are the awareness/training needs required to deliver the changes by law, national or local standards or best practice?

Please give specific evidence that identifies the training need, e.g. National Guidance, CQC, NHS Resolutions etc.

Please identify the risks if training does not occur.

In order to comply with Data Protection Legislation, and to adhere to Standing Financial instructions and Trust Policy.

Please specify which staff groups need to undertake this awareness/training. Please be specific. It may well be the case that certain groups will require different levels e.g. staff group A requires awareness and staff group B requires training.

Trustwide. All staff should have an awareness of the policy and staff who may purchase IT equipment should have more thorough training.

Is there a staff group that should be prioritised for this training / awareness?

All staff who purchase IT equipment.

Please outline how the training will be delivered. Include who will deliver it and by what method. The following may be useful to consider:

Team brief/e bulletin of summary

Management cascade

Newsletter/leaflets/payslip attachment

Focus groups for those concerned

Local Induction Training

Awareness sessions for those affected by the new policy

Local demonstrations of techniques/equipment with reference documentation

Staff Handbook Summary for easy reference

Taught Session

E Learning

Team brief, CEO Bulletin, Intranet, face to face training, E learning, IT Security handbook

Please identify a link person who will liaise with the training department to arrange details for the Trust Training Prospectus, Administration needs etc.

Head of Information Governance and Medico Legal.


Appendix B – continued

Training Needs Analysis

Staff/Professional Group | Type of training | Duration of Training | Frequency of Training
All staff | Awareness | 1 hour | Annually
Staff who purchase IT equipment | Use of system | 1 hour | Ad Hoc

Should any advice be required, please contact: 0191 24 56770 - Option 1 (Internal 56770 - Option 1)


Appendix C Monitoring Tool

Statement The Trust is working towards effective clinical governance and governance systems. To demonstrate effective care delivery and compliance, policy authors are required to include how monitoring of this policy is linked to auditable standards / key performance indicators will be undertaken using this framework.

CNTW(O)63 – IT Procurement Policy - Monitoring Framework

Auditable Standard / Key Performance Indicators | Frequency / Method / Person Responsible | Where results and any associated Action Plan will be reported to, implemented and monitored (this will usually be via the relevant Governance Group)
1. All IT procurement to be authorised by appropriate manager. | Annual / Informatics Department / Monitoring for IG Toolkit submission. Report to CHIG. | Caldicott & Health Informatics Group
2. Request for replacement of equipment must be identified as faulty by the IT Team or fall outside the replacement criteria for the age of equipment. | Annual / Informatics Department / Monitoring for IG Toolkit submission. Report to CHIG. | Caldicott & Health Informatics Group
3. All purchases will be on the approved products list unless authorisation has been obtained from the Director of Informatics to purchase non-approved products. | Annual / Informatics Department / Monitoring for IG Toolkit submission. Report to CHIG. | Caldicott & Health Informatics Group
4. Ensure that all software licences are checked for quantity and held securely. | Annual / Informatics Department / Monitoring for IG Toolkit submission. Report to CHIG. | Caldicott & Health Informatics Group
5. Decommissioned and disposed of in line with the Trust secure disposal guidelines | Annual / Informatics Department / Monitoring for IG Toolkit submission. Report to CHIG. | Caldicott & Health Informatics Group

The Author(s) of each policy is required to complete this monitoring template and ensure that these results are taken to the appropriate reporting governance group as above in line with the frequency set out. front of policy files.