Risk management

Protecting your information, health, and safety

Risk Management

Our Governing Body has formally adopted a Risk Management Strategy that sets out our strategic direction for risk management  including:

  • the definition of risk
  • risk management objectives,
  • roles and responsibilities
  • the process,
  • risk appetite,
  • training, communication and monitoring

Key elements of the strategy are the Board Assurance Framework (BAF) which outlines systems in place to manage our strategic objectives and control the risks to these objectives, and the Risk Register that allows risks to be explored, prioritised for treatment and management actions to be programmed and monitored.  Every two months the BAF and the high level risk register is presented at our Governing Body meeting.

Health and safety

We have a statutory responsibility to protect the health, safety and welfare of anyone who could be affected by our work, including our staff. As part of our commitment to health and safety, we:

  • Identify and manage health and safety risks to meet legislative requirements and achieve the standards of best practice
  • Do everything we can to ensure people are not exposed to unacceptable risk
  • Implement a safety management system that supports people to manage identified or potential health and safety risks
  • Clearly define our expectations and standards for health and safety and ensure we document our local arrangements
  • Ensure our staff and managers have the guidance, understanding and opportunities to maintain and improve their welfare, safe working environment and safe working practices
  • Ensure our staff and managers are clear on their responsibilities around health and safety
  • Work with NHS Property Services and the other occupiers of Southgate House to ensure our health and safety are maintained

Information Governance

Information Governance provides a framework to bring together all the legal rules, guidance and best practice that apply to the handling and safeguarding of information to ensure it is:

  • Held securely and confidentially
  • Obtained fairly and efficiently
  • Recorded accurately and reliably
  • Used effectively and ethically
  • Shared appropriately and lawfully

As part of our information governance, we must comply with the following legislation:

  • Data Protection Act 2018
  • General Data Protection Regulations 2016
  • Access to Health Records Act 1990
  • Caldicott Principles (updated 2013)
  • Freedom of Information Act 2000
  • Environmental Information Regulations

At its core, our Information Governance is about setting a high standard for storing/handling information, and having the tools, systems and processes in place to achieve that standard.

How we manage information governance

Our information governance is managed through our Information Governance Group, which is attended by our Data Protection Officer (DPO) and Caldicott Guardian (CG), and chaired by our Senior Information Risk Owner (SIRO).

  • The SIRO is responsible for information risk across the CCG. They ensure everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately. They also ensure our Governing Body and the Accountable Officer are kept up-to-date on all information risk issues. Our SIRO is Steve Perkins, Chief Financial Officer.
  • The Caldicott Guardian is responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. They ensure there is a balance between maintaining confidentiality and the delivery of appropriate care as well as advising our Governing Body on any major issues that may arise. Our Caldicott Guardian is Dina McAlpine, Director of Nursing and Quality/Registered Nurse.
  • The DPO is responsible for tasks as defined in Article 39 of the General Data Protection Regulations (GDPR). These tasks include informing the CCG and its staff about obligations to apply with GDPR and monitoring compliance, cooperating with the ICO and being the first point of contact for the ICO and individuals whose data is processed by the CCG. Our DPO is John Dudgeon, Associate Director, Information.

Our SIRO, Caldicott Guardian or DPO can be emailed at communications.wiltshireccg@nhs.net.

To ensure our staff demonstrate information governance best practice, we provide them with training which is provided by NHS Digital. We also have a number of policies to support good information governance:

Keeping information confidential

Everyone working in/for the NHS is responsible for ensuring the personal data of patients and staff is kept secure and confidential. Personal data is information about any living person which can lead to them being identified. Examples of personal data are:

  • Name
  • Address
  • Email address
  • Date of birth
  • Medical records

We may hold personal data manually or electronically, for example in filing cabinets or on computer disks. The use of personal data is controlled by the seven Caldicott Principles and the Data Protection Act Principles.

Subject Access Requests

Under the Data Protection Act 1998, all living individuals or ‘Data Subjects’ have a right to be informed about:

  • if and/or what personal data we hold, store or process about them
  • about the purpose and source of their personal data
  • who we may disclose the data to

Individuals also have a right to request a copy of any personal data we hold about them. These requests are known as Subject Access Requests (SARs).

Any CCG staff member may receive a SAR, however all our SARs are managed by the South Central and West Commissioning Support Unit. If you would like to make a SAR, please submit it in writing (paper or email) to:

Governance & Risk Manager
Wiltshire Clinical Commissioning Group
Southgate House, Pans Lane
Devizes, SN10 5EQ

In line with the Access to Health Records Act 1990, personal data about deceased individuals can be requested. These requests will be treated in the same way as SARs.

There will not normally be a charge for a right to access request (SAR).

Freedom of Information

To be open and transparent, and in line with the Freedom of Information (FOI) Act 2000, we publish records of our management and decision-making processes. To find out more, including how to submit an FOI request, visit our Freedom of Information webpage.