Table 1

The management audit organisational profile

| Title | Level 0 | Level 1 | Level 2 |
|---|---|---|---|
| 1. Information for patients/clients on the proposed uses of information about them | No information provided, or limited to simple posters and leaflets in waiting rooms | An active information campaign is in place to promote patient understanding of NHS information requirements | An active information campaign is supported by comprehensive arrangements for patients with special/different needs |
| 2. Staff code of conduct in respect of confidentiality | No code exists, or staff not generally aware of it | Code of conduct exists and all staff aware of it | Code regularly reviewed and updated as required |
| 3. Staff induction procedures | No mention of confidentiality and security requirements in induction for most staff | Basic requirements outlined as part of induction process | Comprehensive awareness raising exercise undertaken and comprehension checked |
| 4. Confidentiality and security training needs assessment | Training needs not assessed systematically for most staff | Training needs only considered as a consequence of organisational or systems changes | Systematic assessment of staff training needs and evaluation of training that has occurred |
| 5. Training provisions (confidentiality and security) | No training available to the majority of staff | Training opportunities broadcast with take up left to line management discretion | In-house training provided for staff, for example comparable to health and safety training provision |
| 6. Staff contracts | No reference to confidentiality requirements in staff contracts | Confidentiality requirements included in contracts for some staff | Confidentiality requirements included in all staff contracts |
| 7. Contracts placed with other organisations | No confidentiality requirements included | Basic agreements of undertaking are signed by contractors | Formal contractual arrangements exist with all contractors and support organisations |
| 8. Reviewing information flows containing patient-identifiable information | Information flows have not been comprehensively mapped | Information flows have been mapped and senior management has been informed | Procedures are in place to regularly review information flows and justify purposes |
| 9. Internal information/data “ownership” established | Information flows have not been comprehensively mapped | “Ownership” established for all information/data sets and register established | All “owners” justifying purposes and agreeing staff access restrictions with the guardian |
| 10. Safe Haven procedures in place to safeguard information flowing to and from the organisation | No Safe Haven procedures used | Safe Haven procedures used for some information flows | Safe Haven procedures in place for all patient-identifiable information |
| 11. Protocols governing the sharing of patient-identifiable information with other organisations locally agreed | No locally agreed protocols in place | Partner organisations clearly identified and information requirements understood | Agreed protocols in place to govern the sharing and use of confidential information |
| 12. Security policy document | No security policy available | Security policy exists but not reviewed within the last 12 months | Security policy reviewed annually and reissued if appropriate |
| 13. Security responsibilities | No information security officer appointed, or existing officer is not appropriately trained | An appropriately trained information security officer is in post | Responsibility for information security identified in various staff roles, coordinated by security officer |
| 14. Risk assessment and management | No programme of information risk management exists | A risk management programme is underway and reports are available | A formal programme exists with regular reviews, outcome reports, and recommendations provided for senior management |
| 15. Security incidents | No incident control or investigation procedures exist | The security officer handles incidents as they arise | Procedures are documented and accessible to staff to ensure incidents are reported and investigated promptly |
| 16. Security monitoring | No monitoring or reporting of security effectiveness or incidents takes place | Basic reporting of major incidents or problem areas only | Regular reports are made to senior management on the effectiveness of information security |
| 17. User responsibilities | No guidance issued to staff for password management | Users encouraged to change passwords regularly, but this is at their discretion | Password changes are enforced on a regular basis |
| 18. Controlling access to confidential patient information | Staff vigilance and/or an “honour” system control access. Some physical controls (lockable rooms etc) may exist | Access for many staff controlled by “all or nothing” systems. Staff groups requiring access identified and agreed with the guardian | All staff have defined and documented access rights agreed by the guardian. Access is controlled, monitored, and audited |