Contents
1 Introduction
It is vitally important that all colleagues are made aware of Rotherham, Doncaster and South Humber NHS Foundation Trust’s (hereafter referred to as ‘the trust’) information governance (IG) requirements at the earliest opportunity and clear guidance is given about their own individual responsibilities for compliance. Particular emphasis must be placed on how IG requirements affect their day-to-day work practices. It is equally imperative that IG remains embedded with each individual throughout their daily working practices.
This board-level starters, movers and leavers policy aims to ensure that all colleagues, suppliers and third parties (hereafter collectively referred to as ‘colleagues’) of the trust:
- have appropriate access to the information needed to deliver patient care and the trust’s objectives.
- understand their responsibilities in safeguarding the trust’s physical and digital information assets.
- ensure the appropriate confidentiality, integrity and availability of those assets at all times.
- understand this as a personal, as well as professional, commitment.
This policy underpins the trust’s IG policy and management framework, information risk management policy and relevant HR policies.
2 Purpose
The purpose of this document is to set out the trust’s policy on onboarding and off-boarding employees, and how this also applies to colleagues moving internally within the trust. It looks to outline how the trust ensures that information management is not disrupted at any point during the staff lifecycle. As well as this, it ensures that starters, movers and leavers understand their collective responsibilities towards safeguarding the trust’s information assets.
3 Scope
This policy details the amount of acceptable information risk the trust is willing to take in relation to all starters, movers and leavers with access to the trust’s information assets. This policy covers access to all types of information: patient, employee, financial, corporate and other, which may be created, handled, shared, stored, and disposed of, in all types of media. This includes:
- IT systems
- phone
- paper
- voice conversations
- photographs
- CCTV footage
The scope applies to the trust’s information assets wherever and whenever they are used, including out-of-working hours and remotely.
This policy shall be reviewed every two years or in response to significant changes due to security incidents, variations of law and/or changes to organisational or technical infrastructure.
4 Responsibilities, accountabilities and duties
This document applies to and is relevant across the following services or departments or care groups:
- starters, all colleagues joining the trust who require access to the trust’s information which may include a user account on and access to the trust’s information technology (IT) and electronic communications system(s)
- movers, colleagues who are already part of the trust who are transferring to a different role within organisation
- leavers, colleagues who are leaving the trust and no longer require access to the trust’s information and or IT system(s)
It also includes subcontractors and third party colleagues who may be authorised to access the trust’s IT systems and information in the course of their work.
5 Procedure or implementation
The head of department and the head of workforce information and transactional services are responsible for implementing and overseeing compliance to this policy.
Line managers and information asset owners (IAOs) are accountable for ensuring this policy is implemented, managed, maintained and improved within their respective areas of business responsibility.
5.1 Core responsibilities starters
It is vital that colleagues joining have appropriate access to the information needed to deliver patient care and the trust’s objectives.
5.1.1 HR services shall
- Ensure the appropriate pre-employment checks and screening are undertaken. Where access to more sensitive information or information systems is required, further vetting processes against standards shall be required.
- Ensure that colleagues commence employment only with the appropriate paperwork and checks completed and received.
- Ensure that colleagues security risks are effectively managed through robust security processes to ensure actions are in accordance with the trust’s legal obligations.
- Provide a legally binding contract of employment. The contract of employment shall explicitly state all applicable roles, benefits and responsibilities bestowed on the colleagues by the trust. From an information security perspective, it shall include the expected staff code of conduct, confidentiality clauses, required compliance to legal requirements, policies and procedures, and the consequences of non-compliance and subsequent information breaches.
- Ensure that prior to recruitment the security responsibilities are outlined to the candidates. This includes embedding these responsibilities appropriately into each job description.
5.1.2 Recruiting line managers shall
- Follow the trust’s recruitment and screening processes at all times;
- Ensure they understand the needs of the starter and what is expected of them, including all relevant policies.
- Ensure the starter shall not have access to the trust’s IT systems until they have read and signed the information governance staff code of conduct.
- Identify at the outset what IT assets, systems, access and general training the post holder(s) shall require.
- Prepare and implement a comprehensive induction programme covering the role, the responsibilities assigned to the individual, the trust’s IG policy and management framework and associated policies, the assets associated with the role and the access permissions granted.
- Identify relevant training for the individual, including Information security training.
- Ensure the employee member is familiar with all relevant information security policies, including the incident management policy.
- Provide the employee with an overview of information handling within the department, including electronic and paper.
- in the event of non-compliance report to the relevant IAO.
5.1.3 Employees shall
- Read and signed the information governance staff code of conduct before accessing the trust’s IT assets and systems.
- Read all policies relevant to their role, including IG policies.
- Ensure they understand their continued responsibilities under the appropriate governing laws, including the Caldicott principles and the Data Protection Act (DPA) 2018.
- Complete the data security awareness (IG) training within 4 weeks of their start date.
- Be aware of appropriate channels for reporting breaches in keeping with the incident management policy.
- Contact their line manager and the HR function should there be any dispute concerning the contract of employment.
5.2 Core responsibilities movers
The process starts following the agreement of a change in role for a current employee. This could be due to service redesign, change in business requirement, end of project, secondment, acting up, promotion or a complete change in role.
5.2.1 Existing and new line manager shall
- Ensure they understand the needs of the mover and what is expected of them and ensure compliance with the trust’s IG policies.
- Action all elements of the movers’ process in a timely manner.
- Document what assets and access rights the individual currently has and what the requirements of the new role are.
- Work together to develop and implement a joint action plan to ensure that the employee does not have access rights to any assets that are not needed for their new role.
- Inform the IAO to revoke any information access that is no longer required for the former role, and ensure all IT assets which are no longer required are returned.
- Make arrangements with the relevant IAO for the mover to receive the appropriate IT assets and access levels associated with the new role.
- Ensure the mover understands their continued responsibilities under the appropriate governing laws, including the Caldicott principles; the UK General Data Protection Regulation (GDPR) and the DPA 2018.
- Ensure that the mover receives information security training relevant to their new role, including reading all relevant policies.
5.2.2 Employees shall
- Ensure they understand the process and what is expected of them.
- Ensure they understand their continued responsibilities under the appropriate governing laws, including the Caldicott principles, the GDPR 2018 and DPA 2018.
- Comply with all elements of the mover process and return all of the organisational assets that are no longer required in their new role to their existing line manager.
5.3 Core responsibilities leavers
To ensure that colleagues exit the trust in an orderly manner in line with the trust’s relevant policies, leavers exiting from the trust shall be managed. All assets assigned to the individual shall be returned, and all access rights removed in a timely manner.
5.3.1 HR services shall
Support the leaver process with the line manager in a timely manner. This shall include notification of other relevant functions such as payroll and conducting of an exit interview.
5.3.2 Line managers shall
- Explain the leaver process to the employee and clarify any questions they may have.
- Initiate the leaver process and action all elements of the Leaver process in a timely manner.
- Remind the leaver of their terms and conditions of employment, including IG obligations, namely, that they must not leave with the trust’s information in any format. In addition, they shall respect confidentiality agreements and personal information requirements.
- Ensure the Leaver is aware that their OneDrive for business account will be deleted upon leaving the organisation and therefore all information saved in their OneDrive account will require deleting or transferring elsewhere. The dos and don’ts for OneDrive for business can be found at appendix A.
- Ensure the employee understands their post termination responsibilities under the appropriate governing laws, including the DPA 2018 and other relevant laws and regulations.
- Identify the trust’s assets to which the Leaver has, or has had access, and ensure that these are all returned, and access removed prior to, or on, the leave date.
- Ensure a robust handover is completed, and contact lists are updated, recorded and communicated to appropriate areas.
- Return the completed termination checklist to HR services confirming that all stages of the process have been actioned and ensure that an exit interview is carried out.
- Ensure, with the IAO, that the systems administrator has been informed that the employee is no longer entitled to access IT or equipment or the trust’s data and information.
- Report any non-compliance of the policy to the relevant IAO.
5.3.3 Employees shall
- Ensure they understand the process and what is expected of them.
- Ensure they understand their responsibilities under the appropriate governing laws, including the UK GDPR and DPA 2018.
- Comply with all elements of the leaver process and return all the organisational assets before leaving the trust.
5.4 Non-Compliance
Any circumstances requiring exemptions to this policy shall be referred to the relevant IAO. Where the risk sits outside their delegated authority, the IAO shall inform the senior information risk owner (SIRO) for consideration and approval.
5.4.1 HR services or line managers shall
- Manage the disciplinary process of any employee who, (after fact-finding), has been found to have breached security or violated this policy in a serious, wilful or repeated way.
- If there are reasonable grounds for suspecting misuse of IT assets, access may be suspended by the system manager in consultation with line manager or HR, pending further investigation.
A failure to follow the requirements of this policy may result in investigation and management action being taken as considered appropriate. This may include formal action in line with the trust’s disciplinary or capability procedures for the trust’s employee; and other action in relation to other workers, which may result in the termination of an assignment, placement, secondment, honorary arrangement or contract for services. Additionally, failure to follow the requirements of the policy may result in a breach of the law or a criminal offence.
6 Training implications
6.1 Managers
- How often should this be undertaken: Introduction of the policy document and on revision of the policy or new appointment/ promotion.
- Delivery method: Team meetings.
- Training delivered by whom: HR department through the communications department and via managers for promotions and newly appointed employees.
- Where are the records of attendance held: Not applicable.
6.2 Existing employees
- How often should this be undertaken: Introduction of the policy document and on revision of the policy or new appointment or promotion.
- Delivery method: Local induction and team meetings.
- Training delivered by whom: Managers.
- Where are the records of attendance held: Not applicable.
6.3 All employees DSA
- How often should this be undertaken: Upon commencement of employment and annually thereafter.
- Length of training: 1 and a half hours.
- Delivery method: E-learning or face to face.
- Training delivered by whom: IG or NHS Digital e-learning package.
- Where are the records of attendance held: ESR.
7 Monitoring arrangements
7.1 Policy
- How: Review of best practice against the policy will be undertaken annually through auditing.
- Who by: Head of information governance.
- Reported to: Information governance group and health informatics group.
- Frequency: Annually.
8 Equality impact assessment screening
To access the equality impact assessment for this policy, please see the overarching equality impact assessment.
8.1 Privacy, dignity and respect
The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’. As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).
8.1.1 How this will be met
No issues have been identified in relation to this policy.
8.2 Mental Capacity Act 2005
Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals’ capacity to participate in the decision-making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.
Therefore, the trust is required to make sure that all staff working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005) to ensure that the rights of individual are protected and they are supported to make their own decisions where possible and that any decisions made on their behalf when they lack capacity are made in their best interests and least restrictive of their rights and freedoms.
8.2.1 How this will be met
All individuals involved in the implementation of this policy should do so in accordance with the principles of the Mental Capacity Act (2005).
9 Links to any associated documents
- Appointment of staff policy
- Registration Authority (smart card) policy and procedure
- HR Policies
- Information governance policy and management framework (includes data protection policy content)
- Information risk management policy
- Data security and protection breaches or information governance incident reporting policy
10 References
- NHS employment checks standards
- National registration authority policy
- Caldicott principles
- GDPR 2018
- DPA 2018
11 Appendices
11.1 Appendix A Dos and don’ts for OneDrive
OneDrive is the Microsoft cloud service that can be used for storing personal files; like your RDaSH U drive.
It lets you store and protect your files, share them with others and access them from anywhere, on all your RDaSH provided devices.
OneDrive is not for work that needs to be accessed by other team members or for documents usually stored on the L Drive
Your OneDrive for business will be deleted on leaving the trust’s employment.
When you use OneDrive with an account provided by RDaSH, it’s called OneDrive for business (ODFB).
11.1.1 Do
Do
- avoid duplication between personal storage options. (U drive or OneDrive)
- save to the correct folder, creating folders first in your OneDrive for business will help you control the correct document type for the relevant location
- create folders for example, personal, expenses, training etc. to store private and personal files
- use adequate controls in sharing information with external organisations (for example, university work). If you are not sure, ask your manager
11.1.2 Do not
Don't
- do not log onto your own home computer with your NHS mail account and use OneDrive, this increases risks for breaches of security on confidential documents
- do not sync your personal OneDrive with your NHS OneDrive
OneDrive should only be accessed from trust provided devices.
Deliberate misuse of an RDaSH information system is an offence under the Data Protection Act 2018 and the Computer Misuse Act 1990, which could lead to criminal charges being brought against staff members and may also lead to trust disciplinary action.
All staff, on signing the staff code of conduct and RDaSH contract of employment, are agreeing to follow and adhere to all trust policies and procedures, including the Information security for starters, movers and leavers policy.
Staff should be aware that the contents stored within OneDrive for business may be subject to freedom of information and individual rights requests.
Document control
- Version: 3.1.
- Unique reference number: 616.
- Date approved: 15 January 2024.
- Approved by: Corporate policy approval group.
- Name of originator or author: Data protection officer or head of IG.
- Name of responsible individual: Director of health informatics or SIRO.
- Date issued: 16 January 2024.
- Review date: 31 December 2026.
- Target audience: Audience: All staff.
Page last reviewed: October 29, 2024
Next review due: October 29, 2025
Problem with this page?
Please tell us about any problems you have found with this web page.
Report a problem