Information governance


In NHS Scotland, making sure we have the right information, in the right place and at the right time, and that information is shared and/or protected appropriately, is vital to patient care, effective service delivery and accountability. The policies, procedures and behaviours we need to achieve this are described together as Information Governance.

The outcome from the review is a series of commendations and recommendations for consideration by the directorate. An account of the review, including the commendations and recommendations, is prepared for submission to the NES Executive Team and Educational & Research Governance Committee for final approval. The approved report is published on the NES intranet and external website.

Potentially any written request (including email or social media) received from outwith NES could be an FOI request.

If you think you may have received one, contact Frank Rankin or Nick Cowan immediately at foidp@nes.scot.nhs.uk

NES directorates are individually responsible for collating the information required to respond to a request, but all responses should be issued by the Information Governance team to ensure consistency and that we are fully complying with the Act.

For background information see the website of the Scottish Information Commissioner.

For advice, contact the IG team at foidp@nes.scot.nhs.uk

In deciding what documents you and your colleagues should keep as records, you should consider issues such as:

  • Is there a legal, audit, procedural or best practice requirement for me to keep this document?
  • Does the document tell us something important about what NES has done or how a decision was arrived at?
  • Is the information likely to be of any future value to NES?
  • Is this the only or most important copy of this document?

Most records held electronically should be stored within the appropriate site and folder in Alfresco and, where this has been agreed as the process, declared as a record at the appropriate time.

Some non-standard record types may be held elsewhere – for example, in a line of business system or on network folders.

Paper records may be stored off-site when no longer required for current business.

For advice, contact the IG team at foidp@nes.scot.nhs.uk

NES has a corporate records retention schedule which details how long we keep records to meet our statutory, regulatory and audit obligations and our business requirements.

Documents declared as records in Alfresco will be subject to automated retention and disposal periods.

For advice, contact the IG team at foidp@nes.scot.nhs.uk

Everyone in NES is responsible for ensuring that personal data about individuals is only held when truly necessary for our business requirements, is protected from inappropriate disclosure or sharing, and is not held any longer than necessary. NES has a Data Protection Procedure related to the Information Governance policy with which all NES employees must comply.

For advice, contact the IG team at foidp@nes.scot.nhs.uk

If you suspect a potential or actual breach of security, or have identified a risk to information security, please contact the IG team immediately (in confidence, if necessary) at foidp@nes.scot.nhs.uk

All NES staff are responsible for ensuring that the business information they work with is protected from inappropriate access, tampering, damage or loss, by complying with the NES Information Security Policy and with the related guidance.

This includes:

  • Protecting your system passwords;
  • Locking workstations when away from your desk;
  • Keeping files and papers locked away when not in use;
  • Encrypting any mobile devices or media you have to use;
  • Using official NES email (not personal email accounts) for communication and transferring data;
  • Taking particular care when using laptops, flash drives, PDAs or any other mobile computing devices.

NES is also subject to the NHS Information Security Code of Practice and the NHS Scotland Information Security policy.

Information Governance Factsheets

A new Information Security Acceptable Use Policy is now in effect. This policy applies to all users who undertake work for NES or use any part of NES’s digital infrastructure. This includes employees, trainees, contractors, partner agencies, external consultants and third-party suppliers. 

Its overall purpose is to:

  • Outline the information security requirements that staff must follow to protect the information assets owned and used by NES from threats, whether internal or external, deliberate or accidental.
  • Empower staff to make appropriate use of information assets.

The policy applies to information in any format or medium held on NES premises, equipment and infrastructure, on cloud and/or other hosted environments. This policy covers the following: 

  • Incident Management;
  • Physical Security;
  • Clear Desk and Clear Screen;
  • Secure Disposal;
  • Passwords and Pass Codes;
  • Malware (Virus);
  • Mobile Devices and Bring Your Own Device (BYOD) and Remote Working;
  • E-Mail and Internet Acceptable Use;
  • Social Media Use.

By implementing and maintaining effective Information Security procedures and behaviours we can ensure that: 

  • NES meets all regulatory and legislative requirements;
  • All information assets are protected against unauthorised access and disclosure;
  • Confidentiality of information is assured;
  • Integrity of information is maintained;
  • Business requirements for availability of information are met;
  • Breaches of security both actual and suspected are reported and investigated;
  • Ownership of information assets is identified and recorded.

What you should do: