Logging, tracking, movement and storage of manual records in the health sector
Wednesday 15 March, 1:30 pm

David Murphy, Communications Group Manager
Claire Chadwick, Team Manager
Michael Thewlis, Lead Auditor

Audit Outcomes
• RM Framework
• Compliance & Reporting
• Storage, maintenance & destruction

• How do you identify information assets?
• Who should be responsible for them?
• How do you keep track of them?
• How should it all work in practice?

Real life scenario – Member of the public finds sensitive Care Home records in derelict garage…
A member of the public found several boxes of documents left unsecured in a derelict garage; they then reported the matter to the Police and a local newspaper. The Police attended the garage and seized the documentation. The documentation related to a Care Home and included staff details, bank account information, details of home visits, medication and other personal and sensitive personal data. The records dated back to 2004.

Key issues…
The company was unaware that this information was being stored in the garage, and there were no storage or retention policies in place at the Home to provide guidance to staff on how to store records securely. The Home did not have a record or register of the records it held, where they were stored or who was responsible for them. It had also not risk assessed its storage facilities.

Root causes
• Lack of resources and understanding of how to set up an IAR
• Lack of resources and understanding of what an IAO is
• Lack of appropriate IAO training
• No buy-in from senior management

Information Assets
What is an Information Asset?
“A body of information, defined and managed as a single unit, so that it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.” (National Archives)

Identifying your information assets
• Talk to representatives from across the organisation
  – What information enters the organisation?
  – Where does it flow internally?
  – Where does it leave and where does it go?
• Identify existing documentation to help you
  – Previous records audits
  – Management databases
  – Asset lists
• Categorise the data
  – Broad definitions / categories
  – Department / local level
  – Process / task

Confirming it meets the definition of an ‘information asset’
• Is it of value to the organisation?
• Is there a risk associated with it?
• Does it have a manageable lifecycle?
• Do you know what the information is and what it is for?

Information Asset Registers
What is an Information Asset Register?
“A mechanism for understanding and managing an organisation’s assets and the risks to them; including the links between the information assets, their business requirements and technical dependencies.” (National Archives)

Information Asset Registers
What does an IAR look like? One example entry:
Asset number / ID: IG 001
Description of Asset: Complaint Files for 2014/15. Complaints from members of the public in relation to Subject Access Requests.
Location (physical or electronic): Paper files in IGO’s office. Electronic copies on shared drive: d: IGDPComplaints 1415
Owner: Head of Information Governance
Volume: 60 files
Personal Data?: Yes, including sensitive
Access Controls?: Restricted to IG Team
Shared?: Shared with ICO where necessary
Format: Paper case files; Excel spreadsheets, PDFs, copy emails
Published?: No
Retention: 3 years from conclusion of complaint – Business Requirement
Risks / Impact:
• Loss of confidentiality: privacy impact, reputational damage
• Loss of availability: ability to respond to queries, compromised trend analysis
• Loss of integrity: see above

Information Asset Registers
What do we look for during our audits?
• Is there an identified owner?
• Is it connected to Retention Schedules and Risk Registers?
• Is it reviewed and updated regularly?
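The three audit questions above can be run mechanically over a register once it is held as structured data. The following is an added example, not the ICO's or The National Archives' own tooling: the register rows, the field names, the schedule and risk-register references and the 12-month review period are all assumptions made for this illustration.

```python
# Added example (not the ICO's or The National Archives' own tooling): run the
# three IAR audit questions over a small Information Asset Register.
# The register rows, field names and the 12-month review period are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REVIEW_PERIOD = timedelta(days=365)   # assumed: every entry is re-reviewed yearly
AUDIT_DATE = date(2017, 3, 15)        # date of the audit in the sample run


@dataclass
class IARAsset:
    asset_id: str
    description: str
    location: str
    owner: Optional[str]                   # named Information Asset Owner, if any
    personal_data: bool
    retention_schedule_ref: Optional[str]  # reference into the retention schedule
    risk_register_ref: Optional[str]       # reference into the risk register
    last_reviewed: Optional[date]


def audit_asset(asset: IARAsset, today: date) -> List[str]:
    """Return one finding for each audit question the register entry fails."""
    findings: List[str] = []
    if not asset.owner:
        findings.append("no identified owner")
    if not asset.retention_schedule_ref:
        findings.append("not linked to a retention schedule")
    if not asset.risk_register_ref:
        findings.append("not linked to the risk register")
    if asset.last_reviewed is None:
        findings.append("never reviewed")
    elif today - asset.last_reviewed > REVIEW_PERIOD:
        findings.append(f"review overdue (last reviewed {asset.last_reviewed.isoformat()})")
    return findings


def audit_register(register: List[IARAsset], today: date) -> Dict[str, List[str]]:
    """Map asset ID -> findings, listing only entries with at least one finding."""
    report: Dict[str, List[str]] = {}
    for asset in register:
        findings = audit_asset(asset, today)
        if findings:
            report[asset.asset_id] = findings
    return report


# Constructed register: the slide's IG 001 entry (with assumed schedule and
# risk-register references) plus two deficient entries modelled on the scenarios.
SAMPLE_REGISTER = [
    IARAsset("IG 001", "Complaint Files for 2014/15", "Paper files in IGO's office",
             "Head of Information Governance", True, "RS-IG-03", "RR-012", date(2016, 9, 1)),
    IARAsset("CH 017", "Care Home staff and resident records, 2004 onwards",
             "Boxes; storage location not recorded", None, True, None, None, None),
    IARAsset("HR 004", "Staff personnel files", "HR filing room, cabinet 2",
             "HR Manager", True, "RS-HR-01", None, date(2015, 6, 1)),
]


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed register as at AUDIT_DATE."""
    return audit_register(SAMPLE_REGISTER, AUDIT_DATE)


if __name__ == "__main__":
    for asset_id, findings in run_sample().items():
        print(asset_id)
        for finding in findings:
            print("  -", finding)
```

The entry that passes all three questions produces no finding; the care-home style entry with no owner, no schedule link and no review date produces one finding per question, which is the shape an auditor's exception report takes.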

Information Asset Owners
What is an Information Asset Owner?
• The owner of an Information Asset is responsible for ensuring that the asset is managed appropriately, to meet the requirements of the organisation, and that risks and opportunities are monitored.

Information Asset Owners
What do we look for during our audits?
• Role descriptions, clear reporting lines, specialist training, support of senior management
• Day to day asset management: risk assessment, asset review, managing incidents
• Culture: training, raising awareness
• The importance of networking

Information Asset Owners and Risk
An IAO should understand:
• The risks associated with their asset
• The consequences of those risks materialising
• What steps are required to manage those risks

Information Assets and Risk
• Confidentiality
• Integrity
• Availability

Tracking & movement of records

Root causes
• Training & awareness
• Staff oversight or errors
• Ineffective tracking systems
• Failure to identify ‘lost’ records

Scenario – Social worker loses sensitive records
A folder belonging to a social worker employed by a local NHS Trust was left in a café. The folder contained confidential and sensitive patient information. The social worker was transporting excessive information, as the lost folder contained personal data which was not relevant to the meetings the individual had scheduled that day. The incident was contained promptly as the information was returned immediately by the café owner and was not further disseminated.

The key issues…
• The social worker had not received any RM training, particularly about the secure movement of records.
• The Trust did not have any remote working procedures in place covering manual records.
• There were no tracking mechanisms for the movement of manual records off-site.
• The Trust had not provided any secure means of transporting sensitive records whilst off-site.

More practical tips…
• When sending out records or files from storage, set a 'return by' date.
• Monitor return dates and follow up any that exceed the deadline.
• Complete compliance checks to make sure the complete record has been returned.
• Conduct regular reconciliation checks across all records stored.
• Raise awareness on what is classed as an information security event and how to report one.
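The tips above describe one tracking procedure: a 'return by' date on every issue from storage, follow-up of overdue returns, a completeness check on return, and periodic reconciliation of what is physically on the shelf against the register. The following is an added example that is not the Trust's or the ICO's own system; the record IDs, names, dates and the 14-day loan period are constructed for the illustration.

```python
# Added example (not the Trust's or the ICO's own system): a movement log for
# manual records that applies the tips above: a 'return by' date on every
# check-out, overdue follow-up, a completeness check on return and a
# reconciliation of a physical shelf count against the register.
# Record IDs, names, dates and the 14-day loan period are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

DEFAULT_LOAN = timedelta(days=14)   # assumed standard 'return by' period


@dataclass
class Movement:
    record_id: str
    borrower: str
    destination: str
    items_out: int                      # number of parts/folders sent out
    taken_out: date
    return_by: date
    returned_on: Optional[date] = None
    items_returned: Optional[int] = None


class TrackingLog:
    def __init__(self, stored_records: Set[str]):
        self.stored_records = set(stored_records)   # record IDs storage should hold
        self.movements: List[Movement] = []

    def open_movement(self, record_id: str) -> Optional[Movement]:
        """The current unreturned movement for a record, if any."""
        for m in self.movements:
            if m.record_id == record_id and m.returned_on is None:
                return m
        return None

    def check_out(self, record_id: str, borrower: str, destination: str,
                  on: date, items: int = 1, loan: timedelta = DEFAULT_LOAN) -> Movement:
        if record_id not in self.stored_records:
            raise KeyError(f"{record_id} is not held in this store")
        if self.open_movement(record_id) is not None:
            raise ValueError(f"{record_id} is already out")
        m = Movement(record_id, borrower, destination, items, on, on + loan)
        self.movements.append(m)
        return m

    def check_in(self, record_id: str, on: date, items_returned: int) -> Movement:
        m = self.open_movement(record_id)
        if m is None:
            raise ValueError(f"{record_id} has no open movement")
        m.returned_on, m.items_returned = on, items_returned
        return m

    def overdue(self, today: date) -> List[Movement]:
        """Open movements whose 'return by' date has passed: chase these."""
        return [m for m in self.movements if m.returned_on is None and m.return_by < today]

    def incomplete_returns(self) -> List[Movement]:
        """Returned movements where fewer parts came back than went out."""
        return [m for m in self.movements
                if m.returned_on is not None and m.items_returned != m.items_out]

    def reconcile(self, shelf_count: Set[str]) -> Dict[str, List[str]]:
        """Compare a physical shelf count with what storage should hold.
        A record missing from the shelf with no open movement is unaccounted
        for and should be treated as a potential information security event."""
        out = {m.record_id for m in self.movements if m.returned_on is None}
        expected_on_shelf = self.stored_records - out
        return {
            "unaccounted_for": sorted(expected_on_shelf - shelf_count),
            "unexpected_on_shelf": sorted(shelf_count - expected_on_shelf),
        }


def run_sample() -> Dict[str, List[str]]:
    """Constructed walk-through: two issues, one partial return, one shelf count."""
    log = TrackingLog({"SW-1021", "SW-1022", "SW-1030", "CH-0004"})
    log.check_out("SW-1021", "J. Bloggs", "home visits", date(2017, 3, 1))
    log.check_out("SW-1022", "A. Khan", "case conference", date(2017, 3, 10), items=3)
    log.check_in("SW-1022", date(2017, 3, 13), items_returned=2)
    today = date(2017, 3, 20)
    shelf = {"SW-1022", "CH-0004", "XX-9999"}   # what the clerk actually found
    report = {
        "overdue": [m.record_id for m in log.overdue(today)],
        "incomplete_returns": [m.record_id for m in log.incomplete_returns()],
    }
    report.update(log.reconcile(shelf))
    return report


if __name__ == "__main__":
    for key, ids in run_sample().items():
        print(f"{key}: {', '.join(ids) or 'none'}")
```

The reconciliation deliberately reports both directions: a record that should be on the shelf but is neither there nor signed out is the "lost record" the root-causes slide warns about, while an ID on the shelf that the register does not know is a record that entered storage without being registered.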

Further guidance
• http://www.nationalarchives.gov.uk
• ico.org.uk/healthresources

Any Questions?
Helpline: 0303 123 1113
Live chat: ico.org.uk/livechat
Keep in touch by subscribing to our e-newsletter at www.ico.org.uk or find us on…
• www.twitter.com/iconews