Information Governance

1. Overview

IVW Medical Services maintains a comprehensive Information Governance framework to ensure the confidentiality, integrity, and availability of all information assets, particularly patient health records. Our policies comply with NHS England information governance standards and the Data Security and Protection Toolkit (DSPT) requirements.

2. Data Protection and Confidentiality

We are committed to protecting the confidentiality and security of personal data in accordance with:

• UK General Data Protection Regulation (GDPR)
• Data Protection Act 2018
• NHS Information Governance standards
• Common Law Duty of Confidence

3. Patient Records Management

Patient records are maintained securely with restricted access to authorised clinical and administrative staff only. All records are:

• Stored in secure, access-controlled systems
• Encrypted both in transit and at rest
• Maintained in accordance with the NHS Records Management Code of Practice
• Retained in accordance with the Records Management Standard (RM Standard) guidelines
• Regularly backed up to prevent loss

4. Access Controls and Audit Trails

All access to patient information is logged and monitored. We maintain:

• Role-based access controls (RBAC)
• Comprehensive audit trails of all data access
• Regular reviews of user access permissions
• Multi-factor authentication for system access

5. Data Breach Response

In the event of a suspected data breach, we will:

• Investigate the breach immediately
• Notify affected individuals and regulatory authorities within 72 hours (or as required)
• Document all findings and remedial actions
• Implement preventative measures to avoid recurrence

6. Staff Training and Responsibilities

All staff members are required to:

• Complete annual information governance and data protection training
• Sign a confidentiality agreement
• Adhere to acceptable use policies
• Report any suspected breaches or security incidents immediately

7. Third Party Management

All third-party service providers are required to:

• Sign Data Processing Agreements (DPA)
• Demonstrate equivalent security and governance standards
• Undergo security assessments prior to engagement
• Comply with NHS information governance standards

8. Incident Reporting

We maintain a formal incident reporting and management process. All information security incidents are:

• Reported to our Information Governance Team
• Assessed for risk and impact
• Escalated as required to regulatory bodies
• Documented and reviewed for lessons learned

9. Compliance and Audit

IVW Medical Services maintains compliance through:

• Annual Data Security and Protection Toolkit (DSPT) assessment
• Regular internal and external audits
• CQC compliance with Standard 17 (Secure and confidential care)
• Regular reviews of policies and procedures

10. Subject Access Requests

Individuals have the right to access their personal data held by IVW Medical Services. Requests are:

• Processed within 30 calendar days
• Provided at no charge (usually)
• Supplied in a clear, intelligible format
• Assessed for exemptions where applicable

To submit a Subject Access Request, contact: info@ivwmedical.co.uk

11. Policy Review

This Information Governance Policy is reviewed annually and updated as required to reflect changes in legislation, regulatory requirements, and best practice.