BCS ASSIST Health and Safety NHS IG: Vision and Practice – Exploring (or mind) the gap
NHS IG: Vision and Practice – Exploring (or mind) the gap

Health and Safety
• Fire exits, fire alarms and assembly points
• Catering
• Smoking
• Mobile phones

Introductions
Wally Gowing, Associate Consultant, Capita Limited, [email protected]
Local Branch Chair
David Stone, Managing Consultant, Apira Limited, [email protected]

Introductions
Who are you?

Aims
• Opportunity to reflect
• Look at IG at a time of transition
• Explore the gap ‐ examine issues and themes
• What can BCS ASSIST do to help?
• To publish ….. a report on state of IG, issues and how to improve

Structure
• What is IG? ‐ Wally
• How is IG viewed? – David
• Structured approach to implementing IG ‐ David
• The Gap ‐ Issues, problems & sharing good practice ‐ All
• Emerging themes ‐ Wally
• What should BCS ASSIST do to help? ‐ All
• Summing up – Local Branch Chair

What is IG?
• ‘IG ensures necessary safeguards for, and appropriate use of, patient and personal information’ ‐ CFH
• IG ‐ principles, processes, legal and ethical responsibilities for managing and handling information ‐ NIGB
• IG ‐ lawful & ethical use of patient information both for the benefit of the individual to whom the information relates & for the public good ‐ NIGB

Vision?
• Enabling use of personal information
• Public good
• Protecting privacy
• Lawful & ethical constraints
• Trying to keep everyone happy?

Compliance

Reality?
• Too complicated
• Mountains out of molehills
• Tick box exercise
• Another Health & Safety type industry
• IG says NO
• Barrier ‐ something to be got round

[Diagram labels: Information Rights Advocacy Information Security Health Informatics Information Risk]

Managing risk in the gap

Liberating the NHS: the information Revolution

IG in the abstract
[Diagram labels: Integrated Information Vision Security Data Quality Information Strategy Governance]

Identifying Information Risks (in transit)
[Diagram labels: 308 202 209 324 207]

Information Assets (ISO27005)
Primary assets
• Business processes & activities
  – Information in transit
• Information
  – Information at rest
Secondary assets
• Hardware
• Software
• Network
• Personnel
• Site
• Organization’s structure
  – Risks and mitigations
[Diagram labels: 110 Primary Assets = Secondary Assets Primary Assets + ‐]

Managing Information Assets (IAs)
Managing Information Assets (IA)
IA registration, characteristics and risk assessment
• 301: Risk assessment programme
• 307: Risk register
• 323: Risk assessment
• 303/304/305: Access control
• 309/310: Business Continuity and Disaster Recovery
• 311: Virus protection
• 313: Network security
• 314: Mobile, home and remote working security

Secondary Assets
• Is the data personal, sensitive or corporate?
• What is the retention schedule?
• Who is accountable?
• Who is responsible?
• Who has access?
• How much is the risk inherited from the secondary assets?
• What controls mitigate the risk?

• Hardware
• Software
• Network
• Environment

Obtaining consent and respecting dissent

Audit of IAs
• 206: Confidentiality Audit
• 404: Multi‐professional records audit
• 406: Availability of records audit
• 505: Internal and external coding audit
• 506: Coding audit programme
• 507: Completeness and Validity Audit
• 604: Information lifecycle audit

[Diagram labels: Content People Controls Organisational Controls]

Issues
Sharing problems & good practice

BREAK

Emerging Themes

What can BCS ASSIST do to help?

Summing Up
Local Branch Chair

END