Contents
1 Introduction
This information risk management policy can be seen as an articulation of threats to its information, and the legal and contractual requirements for all other detailed information assurance and security policies. This policy provides the framework to allow an information risk appetite for different information assets to be defined and is the starting point that dictates how to protect and safely exploit information.
Rotherham, Doncaster and South Humber NHS Foundation Trust’s (hereafter referred to as ‘the trust’) approach to Information risk management aims to be forward looking, innovative and comprehensive; to make the effective management of information risk an integral and business-enabling part of everyday practice. It also aims to support a culture which encourages continuous improvement and development and a focus on proactive rather than reactive information risk management, supporting well informed decision-making.
2 Purpose
The aim of the trust is to provide high quality, effective and safe services which improve the health, wellbeing and independence of the population it serves. The board recognises information risk is inherent in the provision of healthcare and its services. Therefore, a defined approach is necessary to identify the information risk context, ensuring that the trust understands and is aware of the risks it is prepared to accept to its information, in the pursuit of the delivery of the trust’s aims and objectives. Understanding and working within the trust’s information risk appetite is at the core of protecting the information which drives and supports its business.
3 Scope
Policy sets out the trust’s approach to risk as it relates to all information obtained and processed within the trust held in electronic, paper-based and other formats, whether stored in automated or manual systems, relating (but not limited) to:
- patient, client, or service user information
- employees and personnel information
- organisational, business, commercial and operational information
- research, audit and reporting information
This policy shall be reviewed every two years or in response to significant changes due to security incidents, variations of law and, or changes to organisational or technical infrastructure.
In the event of a national health emergency such as the COVID-19 pandemic, this policy still applies, unless it is superseded by specific clauses mandated by the trust’s business continuity policy.
4 Responsibilities, accountabilities and duties
The management of information risk is an integral part of management and clinical practice. Every individual within the trust is therefore responsible for identifying and managing risk. The following individuals have specific risk management responsibilities, accountability and authority, as part of their existing roles.
The senior information risk owner (SIRO) is accountable for information risk across the trust. This includes ensuring that key risks are appropriately logged on the corporate risk register. Processes shall also be in place for the monitoring of reported Information security incidents.
The information asset owners (IAOs) are responsible for the information assets within their operational or business area.
The head of information governance or deputy SIRO (HOIG) or (DSIRO) is responsible for the day-to-day operational monitoring of information governance (IG) and information handling. Roles and responsibilities are described in more detail in the IG policy and management framework.
The board shares collective responsibility for the success of the trust, including the effective management of risk and compliance with relevant legislation. The board provides the strategic direction and leadership to the trust including:
- protecting the reputation of the trust
- providing leadership on the management of risk and ensuring the approach to risk management is consistently applied
- determining the information risk appetite for the trust
- ensuring that assurances demonstrate that risk has been identified, assessed and all reasonable steps taken to manage it effectively and appropriately
- endorsing risk related disclosure documents
The trust’s board shall require the SIRO, supported by the IAOs, HOIG or DSIRO and relevant teams, to fully monitor and report on compliance activities required to provide assurance that its information risk management and cybersecurity activities are in accordance with the standards set out in the Caldicott review, recommendations from the national data guardian, the data security and protection toolkit developed by NHS digital and all relevant legislation.
4.1 Terminology
Term | Definition |
---|---|
Shall | This term is used to state a mandatory requirement of this policy |
Should | This term is used to state a recommended requirement of this policy |
May | This term is used to state an operational requirement of this policy |
A failure to follow the requirements of this policy may result in investigation and management action being taken as considered appropriate. This may include formal action in line with the trust’s disciplinary or capability procedures for trust staff; and other action in relation to other workers, which may result in the termination of an assignment, placement, secondment, honorary arrangement or contract for services. Additionally, failure to follow the requirements of the Policy may result in a breach of the law or a criminal offence.
5 Procedure or implementation
5.1 Threat background
In order to give context to the information risk management process, the key types of threats to the trust are summarised below. These threats are not hypothetical examples; in common with all UK government entities, the NHS and its constituent bodies have been subject to a growing number of each of these attacks each year. Similar threats also apply to commercial entities processing or holding information on behalf of the trust.
Threats can be categorised as either external or internal. Although the mechanisms of these threats are different, both are equally capable of causing damage to the trust, its patients, its partners and employees.
External threats may include:
- state-sponsored cyber activities: disruption, denial of service, malware attack, etc
- serious organised crime
- online political activists (sometimes referred to as “hacktivists”)
- environmental (extreme weather events)
- industrial espionage and competitor threats, including commercial interests
Internal threats may include:
- malicious insiders
- non-malicious insiders, caused by:
- inadequate IT design
- lack of physical or IT controls
- lack of procedural controls, training and or awareness
It should be noted that internal threats can arise as a result of wide-ranging individual and or workplace factors. Mitigation of internal threats should therefore take into account the trust’s HR policies regarding workplace culture and duty of care towards employees, as well as any related disciplinary procedures.
5.2 Information assets
Information assets may be held electronically, in hard copy, and in a range of formats such as X-rays, CDs, video and audio. Information assets of particular importance to the trust include:
- patient records and data
- employee records and data, such as HR information and payroll for colleagues, contractors and sub-contractors
- commercial, procurement, or supplier information
- corporate information, for example, procurement strategy, financial plans etc
- intellectual property, such as information relating to any clinical or research programmes undertaken by, or in partnership with the trust
- communications information, information generated, collected and stored for internal or external communications purposes
- bulk information, any information, particularly personal data, that is held or stored in bulk
5.3 Business critical information assets
A holistic approach should be taken when assessing information risk within and across the trust’s activities. This means that all information assets should have proportionate controls in place that allow information assets to be fully exploited whilst managing the risks.
In order to ensure that the information risk management process is focused on assets that are most critical to the business, the trust shall ensure that all business critical information assets are individually identified, recorded and monitored in accordance with this policy.
A business critical information asset is defined as follows:
- a body of knowledge or information that, if access to it were denied (lost, unavailable, compromised or stolen) the business would cease to function, operate, or realise its business outcomes for a period of time
- an information asset that would seriously undermine the ability of the trust to fulfil its obligations as part of UK critical national infrastructure, if a third party organisation were to obtain it
In determining its business critical information assets, the trust, led by the board, shall consider:
- if the relevant colleague does not have access to the information asset when it is needed, they will not be able to perform their duties in support of a healthcare or other business outcomes, if yes, it is a critical asset
- if the information has been compromised such that it has lost its integrity and it cannot be used when needed, the relevant Staff will not be able to perform their duties in support of a healthcare or other business outcome, if yes, it is a critical asset
- if the asset is lost or stolen, could it compromise national security? if yes, it is a critical asset
- if the asset is lost or stolen, could it give competitors or commercially interested parties advantage over the trust? if yes, it is a critical asset
It should be noted that, in addition to those assets that are business critical, some assets will require sensitive handling for reasons of legal compliance, notably, personal data. While not necessarily critical to the day-to-day functioning of the trust, the impact of their loss could be considerable, such as the imposition of heavy financial penalties, and the impact on institutional reputation. In addition, there may be information assets that are critical to the workings of the trust, but which are not held or owned by the trust itself.
5.4 Information risk appetite
Information risk appetite provides an organisation with defined acceptable boundaries, using the same terms as those in which the risk is expressed. Risk appetite is best expressed as a series of boundaries, appropriately authorised by senior management, which give each level of the organisation clear guidance on the limits of risk which they can take, whether their consideration is of a threat and the cost of control, or of an opportunity and the costs of trying to exploit it.
The concept of Information risk appetite may be looked at in different ways depending on whether the risk being considered is a threat or an opportunity. The concept of risk appetite embraces the level of exposure which is considered tolerable and justifiable should it be realised. It is about comparing the cost (financial or otherwise) of constraining the risk, with the cost of the exposure should the exposure become a reality, then finding an acceptable balance.
When considering opportunities, the concept embraces consideration of how much one is prepared to actively put at risk in order to obtain the benefits of the opportunity. In this sense it is about comparing the value, financial or otherwise, of potential benefits with the losses that might be incurred (note that some losses may be incurred with or without realising the benefits).
An Information asset will have a different information risk appetite applied to it, depending on the sensitivity or value of that asset. The six categories the trust aligns to are outlined below:
Classification | Description |
---|---|
Avoid | Avoidance of risk and uncertainty is a key organisational objective |
Minimal (as little as reasonably possible) | Preference for ultra-safe delivery options that have a low degree of inherent risk and only for limited reward potential |
Cautious | Preference for safe delivery options that have a low degree of inherent risk and may only have limited potential for reward |
Open | Willing to consider all potential delivery options and choose the one that is most likely to result in successful delivery while also providing an acceptable reward (and value for money etc.) |
Seek | Eager to be innovative and to choose options offering potentially higher business rewards (despite greater inherent risk) |
Mature | Confident in setting high levels of risk appetite because controls, forward scanning and responsiveness systems are robust |
5.5 Risk ranking
The trust’s information risk appetite will have a direct relationship with the severity of the impact. A financial measure can also be allocated to each ranking. For the purposes of the trust’s decision-making, this should include factors such as applicable fines for data breaches or other non-compliance with the Data Protection Act 2018 and other applicable legislation and regulations. Guidance for risk likelihood is shown in figure 2 below:
Risk ranking | Impact description |
---|---|
Catastrophic | The impact of the risk materialising would have a disastrous impact on the organisation’s reputation and business continuity. Comprehensive action is required immediately to mitigate the risk |
Major | The consequences of the risk materializing would be severe but not disastrous. Some immediate action is required to mitigate the risk, plus the development of a comprehensive action plan |
Moderate | The consequences of the risk materialising would have a moderate impact on day-to-day delivery. Some immediate action might be necessary to address risk impact, plus the development of an action plan. Status of the risk should be monitored regularly |
Minor | The consequences of the risk materializing would have a minor impact. No immediate action is required, but an action plan should be actively considered. Status of the risk should be monitored periodically |
Negligible | The organisation accepts this risk or impact of risk would be insignificant. Status of the risk should be reviewed occasionally |
Likelihood score | Descriptor | Frequency | Probability or chance of occurrence |
---|---|---|---|
1 | Rare | This will probably never happen or recur | 0 to 5% extremely unlikely or virtually impossible |
2 | Unlikely | Do not expect it to happen or recur but it is possible it may do so | 6% to 20% low but not impossible |
3 | Possible | Might happen or recur occasionally | 21% to 50% fairly likely to occur |
4 | Likely | Will probably happen or recur, but it is not a persisting issue or circumstance | 51% to 80% more likely to occur than not |
5 | Almost certain | Will undoubtedly happen or recur, possibly frequently | 81% to 100% almost certainly will occur |
Risk category | Inherent risk ranking |
---|---|
Personal data, major | A breach in personal data of patients and or employees will incur fines and carry reputational impact. There is a need to also consider potential impact on the organisation regarding exposure of employee data, depending on: where the employee member works, what Information Assets they have access to, should others seek to exploit that personal data |
Sensitive personal data | Catastrophic, breach likely to incur fines and significant damage to reputation |
Public or citizen data | Major, breach likely to incur fines and significant damage to reputation |
Commercial or procurement or supplier information | Major, losing information about bid processes and supplier arrangements could have a major impact on contract negotiations and costs |
Client information | Moderate to major, losing any client information will not only damage client relationships, but lower trust in the organisation, impacting future pipeline and partnerships |
Corporate information, financial, strategy etc. | Moderate to major, much strategic and financial information is in the public domain including the annual report, but the impact may vary if, for example, the organisation is involved in sale or development of land or other assets. |
Intellectual property | Moderate to major, where the organisation is in partnership with a research body, there may be an impact to that research in the event of data loss or data corruption |
Project information | Moderate to catastrophic, depending on the project |
Marketing and comms | Negligible, this material is meant for wide, often public consumption |
Bulk information | Moderate to major, data aggregation must be considered when storing, or circulating large information sets, irrespective of media |
5.6 Risk appetite statement
The trust’s SIRO shall utilise the information risk appetite framework to agree and set risk tolerances with the IAOs of each business area. If for any reason operational requirements require a specific unit or business area to reduce the agreed level of information risk appetite, then a risk balance case shall be presented to the SIRO or, where applicable, the board for formal approval, and the decision recorded.
Likewise, if the impact of a risk has the potential to extend beyond the unit or business area across the trust more widely (for example, reputational), IAOs must consult with the trust SIRO to determine the way ahead.
Each Department will have different Information risk appetites depending on the scale of organisational impact and types of business.
5.6.1 Human resources
- Personal data: Avoid.
- Sensitive personal data: Avoid.
- Public data: Cautious.
- Commercial information: Cautious.
- Other sensitive information: Avoid.
- Corporate information: Minimal.
- Intellectual property: Avoid.
- Project information: Avoid.
- Marketing and comms: Seek.
- Bulk information: Minimal.
5.6.2 Finance
- Personal data: Avoid.
- Sensitive personal data: Avoid.
- Public data: Cautious.
- Commercial information: Cautious.
- Other sensitive information: Avoid.
- Corporate information: Minimal.
- Intellectual property: Avoid.
- Project information: Avoid.
- Marketing and comms: Seek.
- Bulk information: Minimal.
5.6.3 Research
- Personal data: Avoid.
- Sensitive personal data: Avoid.
- Public data: Cautious.
- Commercial information: Cautious.
- Other sensitive information: Avoid.
- Corporate information: Minimal.
- Intellectual property: Avoid.
- Project information: Avoid.
- Marketing and comms: Open.
- Bulk information: Minimal.
5.6.4 ICT
- Personal data: Avoid.
- Sensitive personal data: Avoid.
- Public data: Cautious.
- Commercial information: Cautious.
- Other sensitive information: Avoid.
- Corporate information: Minimal.
- Intellectual property: Avoid.
- Project information: Avoid.
- Marketing and comms: Seek.
- Bulk information: Minimal.
5.6.5 Risk management services
- Personal data: Avoid.
- Sensitive personal data: Avoid.
- Public data: Cautious.
- Commercial information: Cautious.
- Other sensitive information: Avoid.
- Corporate information: Minimal.
- Intellectual property: Avoid.
- Project information: Avoid.
- Marketing and comms: Seek.
- Bulk information: Minimal.
5.6.6 Public interface (helpdesk)
- Personal data: Avoid.
- Sensitive personal data: Avoid.
- Public data: Cautious.
- Commercial information: Cautious.
- Other sensitive information: Avoid.
- Corporate information: Minimal.
- Intellectual property: Avoid.
- Project information: Minimal.
- Marketing and comms: Seek.
- Bulk information: Minimal.
Example information risk appetite by department.
5.7 Controls
Controls are mechanisms to mitigate the risk or address any vulnerabilities. These may be procedural or physical as well as technical. Relevant policies may include:
- information handling and classification policy
- removable media policy
- security policy
- information technology (IT) security policy
Information assets towards which the trust has an adverse information risk appetite will require much stricter controls than those where an open or hungry information risk appetite is allocated.
6 Training implications
6.1 Managers
- How often should this be undertaken: Introduction of the policy document and on revision of the policy or new appointment or promotion.
- Length of training: Not applicable.
- Delivery method: Team meetings.
- Training delivered by whom: HR department through the communications department and via managers for promotions and newly appointed colleagues.
- Where are the records of attendance held: Not applicable.
6.2 Existing employees
- How often should this be undertaken: Introduction of the policy document and on revision of the policy or new appointment or promotion.
- Length of training: Not applicable.
- Delivery method: Local induction and team meetings.
- Training delivered by whom: Managers.
- Where are the records of attendance held: Not applicable.
The governance and risk management e-Learning and e-assessment module is mandatory for all colleagues. Employees that are unable to achieve the required level of e-assessment competency will be identified through the trust electronic training monitoring system, with face-to-face training provided regularly in response to employee need. Attendance will be recorded, monitored and appropriate follow up will occur in line with the trust’s organisational policy.
7 Monitoring arrangements
7.1 Policy
- How: Review of best practice against the policy will be undertaken annually through auditing.
- Who by: Head of information governance.
- Reported to: Information governance group and health informatics group.
- Frequency: Annually.
8 Equality impact assessment screening
To access the equality impact assessment for this policy, please email rdash.equalityanddiversity@nhs.net to request the document.
8.1 Privacy, dignity and respect
The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.
As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).
8.1.1 How this will be met
No issues have been identified in relation to this policy.
8.2 Mental Capacity Act 2005
Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals’ capacity to participate in the decision-making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.
Therefore, the trust is required to make sure that all colleagues working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005) to ensure that the rights of individual are protected and they are supported to make their own decisions where possible and that any decisions made on their behalf when they lack capacity are made in their best interests and least restrictive of their rights and freedoms.
8.2.1 How this will be met
All individuals involved in the implementation of this policy should do so in accordance with the principles of the Mental Capacity Act (2005).
9 Links to any associated documents
- Information governance policy and management framework (includes data protection policy content)
- Information handling and classification policy
- Removable media policy
- Security policy
10 References
- Caldicott Principles.
- UK GDPR 2018.
- DPA 2018.
- HMT Orange Book.
- The Caldicott review: information governance in the Health and Care System.
- National Data Guardian website.
- NHS Digital portal to the Data Security and Protection Toolkit (DSPT).
Document control
- Version: 2.1.
- Unique reference number: 613.
- Date approved: 15 January 2024.
- Approved by: Corporate policy approval group.
- Name of originator or author: Head of IG or DPO.
- Name of responsible individual: Director of health informatics or SIRO.
- Date issued: 16 January 2024.
- Review date: 31 August 2026.
- Target audience: Audience: All employees.
Page last reviewed: October 29, 2024
Next review due: October 29, 2025
Problem with this page?
Please tell us about any problems you have found with this web page.