Information Governance, to the HRA, is a framework for handling not only personal and sensitive information but all information in a robust and transparent manner, applying confidentiality and security where appropriate and operating to high ethical and quality standards. It is therefore about:
- holding information securely and confidentially
- obtaining information fairly and efficiently
- recording information accurately and reliably
- using information effectively and ethically
- sharing information appropriately and lawfully.
To do this requires:
- striking an appropriate balance between openness and confidentiality in the management and use of information;
- fully acknowledging its public accountability, but equally placing an importance on the confidentiality of personal information and commercially sensitive information;
- recognising the need to share information with other organisations in a controlled manner consistent with the interests of research and, in some circumstances, the public interest.
Our HRA Confidentiality Policy sets out the standards that you can expect from us.
Accountability
To help maintain the highest standards we have the following management structure:
- the Deputy Director of Approvals is the Caldicott Guardian;
- the Deputy Chief Executive & Director of Resources is the Senior Information Risk Owner (SIRO);
- the Company Secretary is the Data Protection Officer and can be contacted at data@hra.nhs.uk
- an Information Governance Steering Group meets regularly to discuss current issues and monitor actions;
- it has a suite of policies in place to ensure information is processed properly by all staff;
- an established incident reporting procedure is in place that ensures all security information incidents are reported; and
- it produces an annual information governance report reviewed by the HRA's Audit & Risk Committee.
Relevant laws
The main codes, standards and laws which apply are:
- Data Protection Act 2018
- Freedom of Information Act 2001
- The Caldicott Principles
- Security policy framework
- Data Quality and Records Management (NHS Code of Practice 2006 Parts 1 and 2)
Information Asset Register
All information assets and associated systems are identified and included in an Information Asset Register and are subject to annual information asset assessments. The principal information assets managed by the HRA are:
- Integrated Research Application System: a web-based utility for researchers to make applications;
- The HRA Assessment Review Portal (HARP): an application that supports the administration of Research Ethics Committees;
- Business Services Authority (BSA) Human Resources (HR) division use the NHS Electronic Staff Records (ESR) system to store staff records;
- Shared Business Services (SBS) finance and payroll also make use of ESR;
- Electronic business information is stored on SharePoint
- The website;
- The training booking and management system;
Caldicott Guardian
A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly.
All NHS organisations and local authorities which provide social services must have a Caldicott Guardian.
The HRA’s Caldicott Guardian is Jonathan Fennelly-Barnwell, Deputy Director of Approvals. We use The Caldicott Principles to ensure that we keep people’s information confidential and use it properly.
For more information please email caldicott.guardian@hra.nhs.uk.