NHS WOLVERHAMPTON CITY CLINICAL COMMISSIONING GROUP

Transcription

1 NHS WOLVERHAMPTON CITY CLINICAL COMMISSIONING GROUP INFORMATION ASSET RISK ASSESSMENT PROCEDURE 1

2 Document Description Document Type Procedure Service NHS Wolverhampton CCG (Wolverhampton CCG) Application Version 0.1 Ratification date Review Date March 2013 Name Paul Couldrey Andy Thompson Lead Author(s) Position within the Organisation Head of Information Governance Information Governance Senior Officer Presented for discussion, approval and ratification to Change History Version Date Comments Localised for WCCCG Links to CCG Values 2

3 SUMMARY SHEET The purpose of this policy is to provide the NHS Wolverhampton CCG (Wolverhampton CCG) staff with a framework in regards to Information Asset Risk Assessment. This procedure is for all Information Asset Owners to follow when conducting a risk assessment of the information assets within their area. The Wolverhampton CCG is committed to ensuring the confidentiality and security of Personal Identifiable Data and ensures that the records management is of a high quality. This can be verified and maintained through annual risk assessments of the Wolverhampton CCG s information assets. Related Organisational Documents Risk Management Strategy Pseudonymisation Policy Confidentiality Code of Conduct Data Protection Policy Information Governance Policy Retention/Destruction Procedure Related Legislation and Guidance Data Protection Act 1998 Caldicott: Report on the Review of Patient Identifiable Information 1997 Department of Health: Information Risk Management Good Practice Guidance. This procedure will be reviewed annually by the Information Governance Team in line with the Information Governance Toolkit and any new guidance or changes within procedure. Distribution This procedure will be available for all staff to view on the Wolverhampton CCG s Intranet. Managers of staff without direct access to the Wolverhampton CCG s Intranet must provide access to an up to date paper copy of the procedure within the Department. 3

4 Contents Item Page 1.0 Introduction Responsibilities Information Assets Risk Assessment Abnormal Occurrences Appendix 1 Risk Assessment 7 4

5 1.0 Introduction 1.1 Information and information systems are important assets to the Wolverhampton CCG and they can be essential for the corporate identity of the Wolverhampton CCG and for patient care. This procedure ensures that information risk is managed in a robust way within the Wolverhampton CCG. 1.2 Risk is the threat that an event or action will adversely affect the Wolverhampton CCG s information assets. This procedure outlines the process regarding information assets to identify risks, analyse the likelihood and impact of their occurrence and then decide what action to take to prevent, minimise, accept or transfer these risks. 1.3 All CSU s are required to: Regularly assess the risk of all information assets Monitor access to all information assets Provide assurance to the Senior Information Risk Officer (SIRO) and Accountable Officer 1.4 The Wolverhampton CCG must also monitor the use of personal identifiable data (PID) for secondary uses. The Wolverhampton CCG must ensure that the information assets used for secondary uses are in line with the Organisation s Pseudonymisation Policy. As part of the risk assessment process the pseudonymisation solution must also be checked to ensure that the data is fully pseudonymised. 2.0 Responsibilities 2.1 Accountable Officer The Accountable Officer for the Wolverhampton CCG is the Chief Executive. The Accountable Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. 2.2 SIRO The SIRO for the Wolverhampton CCG is the Assistant Chief Executive (Board Secretary). The SIRO is the advocate for information risk within the Wolverhampton CCG. 2.3 Information Asset Owner (IAO) Information Asset Owners are senior individuals, usually Directors or Heads of Services. Their role is to understand and address risks for the information assets they own and to provide assurance to the SIRO. 2.4 Information Asset Administrator (IAA) 5

6 2.4.1 Information Asset Administrators are the deputies for the IAOs and are usually Department Managers. The IAA ensures that staff adhere to policies and procedures. The IAA must consult their IAO on any potential or actual risks to the asset and ensure that information asset registers are accurate and up to date. 3.0 Information Assets 3.1 Information Assets can be an arrangement of forms and documents. The below is a list of what may be an asset, please note that this list is not exhaustive: 4.0 Risk Assessment Databases (including excel and access files) Data files Paper records Back-up and archive data Applications System software Policies and procedures Audit information Encrypted data 4.1 The risk assessment for the assets must be standardised across the Wolverhampton CCG. Appendix 1 provides a standard checklist for which information assets must be assessed for. 4.2 The grading and scoring of the risk must be in line with the Wolverhampton CCG s Risk Management Policy which is available via the following link; All risk assessments undertaken will be sent to the Governance Department to be entered on to the Risk Register. The reports will be reported to the SIRO via the Quality and Safety Committee. 5.0 Abnormal Occurrences 5.1 If a member of staff has been made aware of an immediate risk due to an unusual occurrence, for example virus threat, they must inform the IAA or IAO who must take all reasonable steps to avert the risk/threat. Following this a risk assessment must be completed showing the risk and actions taken and the likelihood of a reoccurrence. 6

7 6.0 Appendix 1 Risk Assessment Threat Unauthorised use of Application Risk Possibility L S LxS Comments Actions Outcome Mis-use of Asset Communications Interception Network Failure Server Failure Storage Capacity Pseudonymisation Technical Failure Data Quality User Error Other risks identified 7