Senior Information Risk Owner (SIRO)
Information is a valuable resource: its loss can damage services and reputations, and its misuse can damage individuals and organisations. Managing information risks is something organisations need to do, and be seen to do, well. The NHS information governance framework mandates the appointment of two senior roles, typically at Board or Governing Body level within each organisation. These are the Caldicott Guardian and the Senior Information Risk Owner.
These are distinct but complementary roles. Whilst Caldicott Guardians were introduced to the NHS in 1998 and to social services in 2002, the SIRO role was not mandated for the NHS until June 2008 and local authorities were required to appoint a SIRO later that year. Caldicott Guardians are primarily responsible for maintaining the confidentiality of personal information; SIROs have responsibility for understanding how the strategic business goals of the organisation may be impacted by any information risks, and for taking steps to mitigate them.
Caldicott Guardians’ activities are particularly concerned with the seven Caldicott principles and the common law duty of confidentiality, whilst the SIRO is mainly involved in ensuring compliance with the Data Protection Act and other relevant legislation. It is important to stress however that these are not absolute distinctions: there is much overlap and close working and partnership between the two is essential.
Information governance is a broad framework for ensuring and assuring that information is managed legally and safely. It may encompass information risk management, knowledge management, records management, freedom of information and access to information legislation.
Caldicott Guardians are an integral part of organisations’ arrangements for information governance: their primary concern is who should be able to access personal information.
In addition to the SIRO, information governance within an organisation may fall to several individuals or roles, for example information governance manager, data protection officer, freedom of information (FOI) officer. Caldicott Guardians need to work closely with their IG team and vice versa.
Many organisations will also have information asset owners (IAOs) — usually senior individuals responsible for ‘information assets’, which may include information systems, databases etc. Caldicott Guardians should be aware of any information assets that store or use person-identifiable information and their owners and, with the SIRO, ensure that the arrangements for their secure use are satisfactory.
Dame Fiona Caldicott has often remarked that information governance and clinical governance are or should be closely-related functions, but historically more often than not they are managed separately with IG being closer to corporate governance. An important role for the Caldicott Guardian is to bridge any gaps between information governance and clinical governance.
Information management and technology (IM&T)
Information technology is a universal aspect of our lives and central to the smooth running of any modern organisation. In many hospital Trusts IM&T is provided in house (though some aspects may be outsourced) but in others — for example local authorities, Clinical Commissioning Groups (CCGs) and GP practices— it is typically managed by a third party. Either way, the governance arrangements for IM&T are critical and should be integrated into the organisation’s IG arrangements.
Information protection is a core function for both IG and Caldicott Guardians, and close working relationships with IM&T providers are essential. For example, Information Governance, with input from the Caldicott Guardian for aspects that affect the use of personal information, will need to ensure that information protection and security policies are fit for purpose, and that system procurement and data processing contracts are robust and include privacy impact assessments.
Caldicott Guardians are increasingly involved in their organisations’ partnership with external agencies and ideally will have good lines of communication with relevant contacts. The Government has encouraged joined up solutions to many problems, including better support for vulnerable children and adults. It is important for Caldicott Guardians to facilitate this and to ensure that information is shared appropriately, and is proportionate and handled securely. This may require privacy impact assessments, information sharing agreements & protocols, systems for consent and the like but, important though these are, they must not impede the underlying aim to promote positive outcomes for vulnerable individuals.
Ill-informed decisions in child protection domestic violence assessments have historically led to neglect, injury and even death. The Caldicott Guardian’s ethical view on the primacy of human life and welfare can ensure the correct balance between guarding and sharing such sensitive data.
Effective collaboration may be impeded by:
- misunderstandings about what specific data can be shared;
- uncertainty about mental capacity and consent to share;
- fear of the consequences of sharing overshadowing the need to share;
- cultural differences leading to professional mistrust of other agencies' staff.
The ideal is a balance between sharing where there is good cause to do so, and withholding when there is not. This would enable an effective, joined-up outcome with a low risk of data breach. Further considerations for safe and effective sharing are given on page 21.
The protection of children and adults from abuse and harm is a major social priority. Effective safeguarding requires the judicious sharing of information about those at risk between the agencies involved, and is a good example of multi-agency collaboration. In some but not all situations sharing information for safeguarding is now mandated by law, and in all instances, appropriate sharing agreements and policies need to be in place. Caldicott Guardians should ensure that these afford appropriate protection for the shared information, and that sharing is proportionate. They may also be asked and should be prepared to advise or adjudicate in specific cases.
Most health and social care organisations will have persons responsible for safeguarding. Caldicott Guardians should be aware who they are and work closely with and support them.