IGPOL53 Information Security Policy V13.1



Information

Version: V13.1

Ratified by: Finance & Risk Committee

Date ratified: 06/12/2023

Job Title of author: Information Governance Manager

Reviewed by Committee or Expert Group: Technology Programme Board

Equality Impact Assessed by: Information Governance Manager

Related procedural documents

IGPOL62 – Information Governance Policy

IGPOL88 - Internet, Email, Instant Messaging and Social Media Policy

IGPOL65 – Transferring Personal Information Policy

IGPOL67 – Mobile Computing Devices Policy

IGPOL31 Data Protection Policy

Review date: 06/12/2026

It is the responsibility of users to ensure that they are using the most up to date version of this document, i.e. the copy obtained via the intranet.

In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.

Version Control Sheet

Version | Date | Author | Status / Comment
MEIM&T 01 | – | – | Information Security Policy. As of July 2010 IGPOL53 replaces MEIM&T 01.
V5 (IGPOL53) | March 2011 | Information Governance Co-ordinator | Reviewed in line with transition to CECS CIC.
V6 | March 2013 | Information Governance Manager | Reviewed.
V6.1 | August 2013 | Information Governance Manager | Updated in line with organisation and policy changes; approved September 2013. Inclusion of statement within Information Security Compliance Statement re Personal Mobile Devices Policy, Email and Internet Policies. Update details of SIRO role.
V7 | February 2015 | Information Governance Manager | 2 year review. Review in line with ICO Risk Review recommendations.
V7.1 | May 2016 | Information Governance Manager | Annual review in compliance with Cyber Essentials accreditation. Inclusion of statement re Intellectual Property Rights. Minor amendments. Reviewed and approved by Technology Programme Board June 2016.
V8 | February 2017 | Information Governance and IT Projects Manager | Yearly review. Minor changes. Change to a formal 1 year review from V8.
V8.1 | November 2017 | IG and IT Projects Coordinator | Appendix 3 added.
V9 | June 2018 | IG and IT Projects Manager | Annual review.
V10 | February 2019 | IG and IT Projects Manager | Mid term review. No change to current final review date of February 2020.
V11 | December 2019 | IG and IT Projects Manager | Security Policy Compliance Statement added for 3rd parties.
V12 | January 2021 | IG and IT Projects Manager | Yearly review. Section 8: inclusion of prohibition of transporting printed patient visit lists. Section 10: removal of the requirement for mobile equipment to be security marked, as per action from 2018/19 ISO27001 Internal Audit Action Plan.
(undated) | – | – | Yearly review in line with requirements of ISO27001. Changes to backups documented, responsibilities around password management and DPO details.
V13 | June 2022 | IG and IT Projects Manager | Mid term review. Reference to the Data Protection Policy added.
V13.1 | November 2023 | IG and IT Projects Manager | Mid term review. New staff/staff to send signed documents to the HR Recruitment team via email, not by post and not to the IG team. Addition of Fraud section.

1. Introduction

Provide is dependent on reliable, secure information systems to support the delivery of healthcare. All healthcare organisations have a responsibility for the safe operation and management of their information systems, to ensure they are appropriately protected from security breaches. Whilst security is an integral part of risk management and is continually assessed, it is vital that staff are fully aware of all aspects of information security and are supported by appropriate guidelines and policies.

Applying this policy to working practice will greatly reduce the risk of loss, damage or misuse of information.

The underlying principles of this policy have been written in accordance with national guidance, local policy and UK Law surrounding Information Security.

2. Aim of Information Security

The fundamental aim of information security is to protect the:

• Confidentiality of information – protecting information from unauthorised disclosure or interception.

• Integrity of information – safeguarding the accuracy and completeness of information.

• Availability of information – ensuring that information is available to authorised users.

3. Purpose

The purpose of this policy is to provide a framework of control to ensure the Confidentiality, Integrity and Availability of information and IT systems used within Provide is maintained by:

• Striving to ensure that all Provide personnel are aware of, and are fully compliant with the relevant legislation as described in this and other policies

• Introducing a consistent approach to information security, and ensuring that all members of staff fully understand their own responsibilities in relation to this; and

• Identifying and introducing controls to protect assets under the control of the organisation.

This policy forms part of the organisation’s ISO27001 Information Security Management System (ISMS).

4. Scope

This policy applies to all information, information systems, networks, applications, locations and users within Provide, and will overarch specific policy and procedure related to these assets.

Whilst directed at Provide staff, it is also relevant to anyone working in and around the organisation, including contractors, agency staff, students and volunteers.

5. Policy Compliance

Contravention of this policy and its associated procedures by staff will be considered a serious matter and will be dealt with through Provide’s formal disciplinary process.

Breaches of information security by third parties / contractors will be dealt with under the terms of their contract with the organisation and/or by criminal prosecution where applicable.

6. Responsibilities

Chief Executive

The Chief Executive of the Organisation has ultimate accountability for security of information in the organisation.

Senior Information Risk Owner (SIRO)

Through designation from the Chief Executive, the Senior Information Risk Owner (SIRO), responsible for enforcement of the Policy, is the Group Chief Finance Officer.

Director of IT & Transformation

The Director of IT & Transformation is responsible for the ‘day to day’ IT Security element of information security systems i.e.:

• Ensuring that efficient and effective IT services are available at all times, and that Technology staff are provided with the appropriate skills, knowledge and tools to maintain the efficiency of the service

• Developing protocols for disaster recovery / contingency plans, and for implementing programmes of security improvements; and

• Ensuring that, where required, training is provided to users of information systems, either through in-house courses or via third party agreements.

The Director of IT & Transformation is also responsible (either directly or via any outsourced Provider) for:

• Providing effective and efficient IT and information services, and for ensuring necessary controls are in place for the protection of IT systems.

• Granting appropriate access to approved users as authorised by the appropriate organisation line managers

• Maintaining a register of all computers, other hardware and network assets

• Regular audits of computers to ensure that antivirus software is installed and is up to date; to ensure that unauthorised software is not installed and in the case of mobile computers, that they are encrypted to the required level.

• Regular back-up procedures and maintaining efficient storage of information.

• Responding to potential security risks, e.g. virus threats, and notifying and advising staff as appropriate.

Technology Operations Manager

• Following appropriate procedures for the specification of equipment and subsequent installation of any IT equipment; and

• Maintaining a log of internet access and producing reports on this for the organisation.

Information Governance and IT Projects Manager

The organisation’s Information Governance and IT Projects Manager will have a sound knowledge of Information Security and Data Protection Legislation requirements and will also be responsible for communicating security requirements to the organisation, providing advice in respect of the protection of patient, personal and confidential information.

Provide Managers

Provide Managers are individually responsible for the security of their own physical environments. They are responsible for ensuring that all of their staff (including temporary workers, third parties and contractors) understand the principles set out within this policy. Managers will ensure that their staff attend appropriate training courses on the use of information systems.

Provide managers must also be aware of the procedures for reporting breaches of information security, and must act appropriately and quickly on any suspected or actual security breaches.

All Staff

All staff (including third parties and contractors) must be aware of their responsibilities when using information, and must ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.

7. Personnel Security

Employed Staff

Security requirements are addressed at the recruitment stage, and are included in job descriptions and in contracts of employment. Terms and conditions of employment include the employees’ responsibility for information security.

Staff are expected to formally agree to this policy and to the IGPOL31 Data Protection Policy through MetaEngage. Those staff who do not have regular access to a computer must instead complete the compliance statement in Appendix 2.

Permanent and Temporary Contract Staff

Permanent and temporary contract staff are expected to formally agree to adhere to this policy, to their responsibilities for information security and to the IGPOL31 Data Protection Policy by signing the Compliance Statement (see Appendix 2). They must be given instructions on how to access advice on security matters through an appropriate line manager.

Contracts with external contractors who access the organisation’s information systems will be formally agreed before access is allowed. Any agreement to exchange data with third parties / external contractors will contain a reference to the obligation to adhere to policy.

Where third party maintenance agreements are in force, the third parties are expected to comply with this policy, Data Protection Policy and Provide’s confidentiality code of conduct Policy as well as any other local policies in place. Maintenance and repairs will only be made on approval by designated technology Staff.

All contracts with third parties under which data is to be hosted off site must bind the third party to the terms of the Information Security Policy and the Data Protection Policy.

Information Security Awareness

The Director of IT and Transformation will assist the Information Governance Manager in raising awareness of Information Security throughout Provide.

The Learning and Development team supported by the Information Governance and IT Projects Manager will establish an on-going training programme, to ensure that staff awareness is refreshed and updated as necessary. All new starters will attend Corporate Induction, which will include advice on the security and confidentiality of information. Temporary staff and contractors must also be made aware of security guidelines.

All staff must complete Information Governance training appropriate to their role, as referenced in the Information Governance Policy and Strategy (IGPOL62). This training contains information security guidelines. All staff are required to complete the refresher module annually.

The Technology team will provide additional training on computer systems where any specific needs or gaps are identified.

8. Security of Information on Paper

Most paper records will contain sensitive or confidential information. It is therefore essential that security and confidentiality be safeguarded at all times.

Storage of Paper Records

Staff located at the Provide Headquarters are expected to comply with the clear desk Policy in place. Where practicable, other departments should adopt a clear desk policy for paper and any removable storage media. As a minimum sensitive or business critical information must be locked away in an appropriate secure area when it is not in use, and should not be left on public view.

Paper records should only be maintained in exceptional circumstances. They must be appropriately filed, in accordance with the Provide Records Management Policy.

Transportation of Paper Records

Staff are responsible for ensuring that paper records are kept confidential while in their possession or in transit. Staff must follow the procedures laid out in the organisation’s Transferring Personal Information Policy (IGPOL65).

The transportation of printed patient visit lists for use during a visit schedule is prohibited. The only exceptions are documents and/or plans of care that must be included in patient-held notes, documents requiring a signature, or other information required to aid the delivery of care. If such documents are to be transported, staff must be fully aware of Provide Policy IGPOL65 – Transferring Personal Information Policy and Procedures.

Disposal of Paper Records

All employees should be aware of how easy it is to breach confidentiality by incorrect disposal of records containing sensitive and confidential information.

Staff must dispose of confidential waste products by shredding, or putting information into confidential waste bins. This includes patient, staff and business sensitive information.

All confidential information, regardless of the way in which it is held or stored, will be governed by procedures for the retention of records. Staff should refer to Provide Records Retention Policy for further guidance.

9. Security of Electronic Information Systems and Electronic Records

Staff are advised that the intentional or unintentional act of disclosing usernames and passwords to allow unauthorised access to, and processing of, data may constitute an offence under the Computer Misuse Act (1990). The disclosure of usernames and passwords will also be treated as a breach of this policy, which may lead to disciplinary action.

Computer system users must:

• Keep their passwords secret and never disclose them to colleagues

• Not allow colleagues or third parties to access patient or staff record systems under their own login details

• Not attempt to circumvent computer security controls in order to gain unauthorised access to computer systems. This includes, but is not limited to, using someone else’s username and password and modifying user access rights without appropriate authorisation

• Ensure that Smartcards are locked away or kept on their person when not in use

• Not share Smartcards or Smartcard PINs

• Not leave computers unattended without locking or logging out of the system to a level that requires a password to regain access (Ctrl+Alt+Delete then ‘Lock’, or press the Windows key and ‘L’ together)

• Ensure that computerised data is stored in the appropriate files and folders on the organisation’s network so that it is securely backed up

• Ensure that sensitive and confidential data of any kind is not saved on the computer’s internal hard drive (C: drive). Data stored there is not backed up and will be lost if the computer’s hard disk fails; and

• Not relocate computing equipment; this should always be carried out by appropriate Technology staff

• Not use USB sticks that have not been issued by Provide

User Access Controls

In accordance with Data Protection Legislation and Computer Misuse Act (1990), access to the organisation’s computer network and associated patient and staff data is controlled and restricted to authorised users only.

Formal procedures are to be followed by Provide staff and any outsourced IT service providers to ensure that access to systems is secure. Access to Network utilities (including remote access, Internet and email) will only be granted to users with strict approval from line managers, and in line with the current access control procedures. The Provide Technology Service Desk must be informed of any new starters, leavers and movers, in order to ensure only authorised users have access.

All computer systems and clinical information systems will, wherever possible, be secured by two-factor authentication using a smartcard and its associated PIN. Other systems will be secured by unique user logins and passwords. The Technology Department will follow documented procedures for the distribution, disclosure, resetting and maintenance of passwords. Systems enforce password expiry so that users change passwords at regular intervals. Users can also change their passwords themselves and must do so whenever there is concern that their login details may have been compromised.

Staff using Provide Systems must be properly trained and made aware of their responsibilities before being given access to a live system.

For further details see – ITPOL11 – Access Control Policy

Laptops and Portable Devices

Staff should avoid storing Confidential Information on laptops and portable devices (including smart phones) due to risk of theft or hardware failure.

All Laptops, tablets, mobile phones or any mobile computing device, which holds person-identifiable data, must be encrypted to Department of Health recommended standards.

Laptops and tablet devices must have ‘full hard disk’ encryption software installed. This encrypts the entire local hard disk drive, so that if the device is lost or stolen the data on it cannot be recovered without the staff member’s password or PIN, which unlocks the encryption key. Note that this protects data only while the device is powered off or locked: a laptop left logged in and unlocked exposes its data regardless of encryption, which is why the screen-locking requirement in section 9 applies equally to encrypted devices.

All new laptops are issued with the encryption software installed on them as standard and regular audits will be undertaken to ensure that encryption is deployed and operational.
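As an added example (not part of the Provide policy, nor a script of its Technology department), this is the kind of check such an audit would run on a Windows laptop. It assumes BitLocker is the full-disk encryption product in use (the policy does not name one) and takes this section’s “AES-256 or equivalent” wording for contractor devices and removable media as the bar; the cipher names it accepts and the requirement for an escrowed recovery password are the author’s assumptions. It needs the BitLocker PowerShell module and an elevated prompt.

```powershell
# Added example, not from the Provide policy: audit a laptop's full-disk
# encryption state. Assumes BitLocker; the policy names no product.
$RequiredMethods = @('XtsAes256', 'Aes256')   # assumption: what counts as AES-256 here

function Test-DiskEncryptionCompliance {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # 'FullyEncrypted' alone is not enough: ProtectionStatus 'Off' means the
    # volume key is stored in the clear (e.g. BitLocker suspended for an update),
    # so a thief could read the disk without the user's password or PIN.
    $result = [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        EncryptionMethod = $vol.EncryptionMethod   # e.g. XtsAes256, XtsAes128, Aes128
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ',')
        Compliant        = $false
        Reason           = ''
    }

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $result.Reason = "volume is $($vol.VolumeStatus)"
    } elseif ($vol.ProtectionStatus -ne 'On') {
        $result.Reason = 'protection suspended (clear key present)'
    } elseif ($RequiredMethods -notcontains "$($vol.EncryptionMethod)") {
        $result.Reason = "cipher $($vol.EncryptionMethod) is below the required AES-256"
    } elseif ($vol.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
        # Assumed audit rule: without an escrowed recovery password, a forgotten
        # PIN or a TPM fault loses the data for good.
        $result.Reason = 'no recovery password protector'
    } else {
        $result.Compliant = $true
        $result.Reason = 'ok'
    }
    return $result
}

# A central audit would collect these objects from each laptop (e.g. via
# Invoke-Command) rather than relying on the user to run it.
Test-DiskEncryptionCompliance | Format-List
```

The check deliberately fails a disk whose protection is suspended even though it reports as fully encrypted, because that state is indistinguishable from “unencrypted” to a thief; an audit that only looks at the encryption flag would miss it.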

Any contractors working with Provide must ensure that, where they are authorised to hold Provide data on their own laptops or mobile computing equipment, that data is encrypted to AES-256 or an equivalent standard. Failure to comply with this section, and the use by staff of unapproved or unencrypted laptops and portable devices, will be treated as a serious breach of this policy and may lead to disciplinary action or sanctions.

Provide complies with Department of Health policy, and specifically that ALL removable media must be encrypted to the AES-256 standard or equivalent. To comply with this the organisation has implemented the following.

Staff must:

• Only save/write data to encrypted USB sticks that have been issued by Provide. Staff must not use personal memory sticks.

• Not connect any other removable storage devices to the IT network without prior agreement and approval from the Provide Technology Team

Where transferring information to removable media such as CD–ROM, DVD or USB memory stick, staff must ensure that:

• The media selected is suitable to carry the data, so no data can be lost due to media malfunction. If in doubt staff should contact the Technology Service desk for advice

• Data, which has not been previously saved to a networked drive, is backed up to the network as soon as possible

• Once data is no longer required on the device it is deleted (once having been copied to a network location if necessary)

• Removable media containing sensitive or confidential data is disposed of securely when no longer required

Staff must not use Removable media devices as a way of backing up business critical data including patient information. Requirements should be discussed with the Technology team in the first instance.

Emailing Patient Identifiable and Sensitive Information

Emails containing patient-identifiable information must be encrypted to AES-256 or an equivalent standard. For further information see IGPOL65 – Transferring Personal Information Policy and Procedures.

Instant Message Systems

Provide’s approved and supported instant messaging software for communicating confidential information is MS Teams, Cisco Webex, Pando, Telegram, Cisco Jabber and SystmOne Instant Messaging. Users are prohibited from using any other instant messaging software not approved by the organisation to communicate confidential (patient, staff or business) information.

Users must not circumvent, cause to circumvent, or use tools to circumvent established security and controls applied to instant Messaging Software.

The organisation reserves the right to monitor staff’s use of approved instant messaging systems (including SystmOne Instant Messaging, MS Teams and Airmid) to ensure compliance with this Policy.

10. Physical Security Measures

In order to minimise loss of, or damage to, Provide assets, equipment, wherever possible and practical, must be physically protected from security threats and environmental hazards. All IT equipment will be asset tagged.

Equipment Location and Protection

Computing equipment and Information processing/storage facilities must be positioned to reduce risk from environmental threats and from unauthorised access.

Where equipment must be positioned in public areas, it must be placed to reduce the chance of unauthorised staff or patients seeing the display screen: the screen must be positioned to avoid unauthorised viewing or, where this is not possible, fitted with a screen privacy filter. IT equipment must be physically secured in reception areas and in vulnerable or open areas wherever possible.

Laptops and tablets must not be left on docking stations or desks in plain sight where they can easily be removed or stolen unless they have been secured with an approved security lock.

Physical Entry Controls

In order to minimise the potential loss or theft of information, secure or sensitive areas must be protected by appropriate entry controls.

All staff are required to wear identification at all times.

Only authorised personnel are to be given access to restricted areas. These include wiring closets, data centres and server rooms. Visitors to secure areas must be escorted by authorised Provide personnel and must be supervised.

Security of Offsite Information and Equipment

All staff are advised that they are personally responsible for the security and confidentiality of information entrusted to their care.

Sensitive information held offsite includes any patient, staff or corporate information held outside the organisation, office or department in which it is normally based, and refers to information in manual or electronic format.

Information is considered held offsite in the following circumstances (this list is not exhaustive):

• Working at home

• Information held in briefcases etc.

• Information or documents needed for a meeting and being transported between different sites

• Information held on a Provide owned PC/laptop/tablet etc.; and

• Information held on other types of electronic equipment (e.g. Smart Phone, USB memory sticks, CD-ROM etc.)

Please refer to the Mobile Computing Devices Policy (IGPOL67) for further information.

11. Administration of Computer Systems

The management of access to computers, networks and associated systems will be controlled by standards that are followed by the Head of IT and Data and any authorised outsourced IT service providers in line with their Service Level Agreement.

Changes to information systems, applications or networks must be reviewed and approved by the Head of IT and Data or designated staff. Systems will only be purchased, installed, repaired and operated by authorised competent or qualified IT personnel.

The Provide Technology Department will make every effort to ensure computer equipment is installed within safe and secure environments as provided by the organisation and required under the requirements of the Health & Safety at Work Act (1974).

Intellectual Property Rights

The organisation shall ensure that all information products are properly licensed and approved by authorised Technology Staff. Users shall not install software on the organisation’s property without permission from the Technology Department. It is a disciplinary offence for staff to install unauthorised or unlicensed software.

Installing, Removing and Procurement of Software

Any requests for installation and removal of software must be directed to the Technology Service desk in the first instance. Once installed it must not be altered, copied or modified.

All requests for procurement of software must be submitted to the Provide Technology Service Desk. This includes the procurement of physical software media, software licences and electronic software downloads. Departments must not procure any software independently. This is to ensure compatibility with other organisation systems, compliance with relevant licensing law (such as the Copyright, Designs and Patents Act 1988) and so that the organisation receives value for money (VFM) on all software purchases.

Malicious Software

Computer systems are continually at risk from virus infection. A computer virus infection can cause serious disruption to services, loss of data and can be difficult to remove. Viruses can be received via a number of sources, including email attachments, macros within documents, downloaded documents from the Internet and from external media such as USB memory sticks or CD/ DVDs. The following preventative controls will be taken by the organisation’s Technology Department:

• Ensure the latest anti-virus software is installed on all computers and is regularly updated

• Carry out regular audits of computer systems and software

All staff must be vigilant and inform the Technology Service Desk immediately of any suspicion that a computer has been ‘infected’ by a virus.
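As an added example (not part of the Provide policy, nor a script of its Technology department), this is the check the “regular audits” bullet above implies on a Windows endpoint. It assumes Microsoft Defender Antivirus is the product in place (the policy names none), and the three-day signature age limit is an assumed audit threshold.

```powershell
# Added example, not from the Provide policy: check that anti-virus is
# installed, active and up to date. Assumes Microsoft Defender Antivirus.
function Test-AntivirusCompliance {
    param([int]$MaxSignatureAgeDays = 3)   # assumption: audit threshold

    $status   = Get-MpComputerStatus -ErrorAction Stop
    $findings = @()

    if (-not $status.AntivirusEnabled)          { $findings += 'antivirus engine disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'real-time protection off' }

    # Passive mode means another AV product has registered as the active
    # scanner; the audit should then check that product rather than Defender.
    if ($status.AMRunningMode -ne 'Normal') {
        $findings += "running mode is '$($status.AMRunningMode)'"
    }

    if ($null -eq $status.AntivirusSignatureLastUpdated) {
        $findings += 'no signature update recorded'
    } else {
        $signatureAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
        if ($signatureAge.TotalDays -gt $MaxSignatureAgeDays) {
            $findings += ('signatures are {0:N0} days old' -f $signatureAge.TotalDays)
        }
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        LastFullScanEndTime  = $status.FullScanEndTime
        Compliant            = ($findings.Count -eq 0)
        Findings             = ($findings -join '; ')
    }
}

Test-AntivirusCompliance | Format-List
```

A signature that is “installed” but days out of date fails the check just as a disabled engine does, since the policy’s wording is “installed and is up to date”, and the two conditions are tested separately so the audit report says which one was missed.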

Information Data Backups and Retrieval

It is the responsibility of the Technology Department to ensure that regular backups are taken of server-based file systems, and that these backups are monitored, logged and tested for reliability at regular intervals.

All back-ups taken will be replicated into a secure storage account within Provide CIC’s Cloud infrastructure hosted in Microsoft’s Azure platform. The storage account will be hosted within the UK.

Staff must adhere to the appropriate locally agreed procedures when carrying out backups. The Provide Technology Service Desk should be contacted where clarification is required.

Requests to retrieve information from archived backup media should be made through the Provide Technology Service Desk.

Cabling Security

All business critical and major power, telecommunications and network cabling, carrying data or supporting information services, must be protected from interception or damage from theft, fire, water, electrical surges and power cuts.

Underground telecommunications lines are to be used where possible.

Where it is necessary for cables to terminate at a junction box or cabinet located in a public area, the junction box or cabinet must be treated as a sensitive area and must be kept locked at all times.

Power Supplies

Critical computer and telecommunications equipment is protected by uninterruptible power supplies (UPS). Disaster Recovery and Business Continuity plans cover the action to be taken on failure of a UPS. UPS equipment is to be tested regularly to ensure serviceability and capacity.

Multiple redundant power supplies will be installed into critical computer equipment (e.g. Servers), to avoid a single point of failure.

Secure disposal or re-use of hardware

Hardware and computer equipment that is no longer required must be properly disposed of in accordance with local procedures and national guidance for the destruction of electronic equipment.

The disposal and removal of computer hardware, and data on removable media, can only be authorised by the Provide Technology Department.

The organisation has a contract in place for the secure destruction of Computer Hardware and removable media. Other companies or contractors must not be used without prior authorisation from the Head of Technology and Data and without a written Data Processing Contract in place.

IT personnel must ensure that data on transportable media is purged of sensitive data before disposal or re-use, or ensure that it is otherwise securely destroyed.

12. Information Security Risk Management

Risk management involves identifying, selecting and adopting appropriate and cost-justified security and contingency ‘countermeasures’ to reduce risks to an acceptable level. Risks may include loss, theft, damage or destruction of information and information systems, and may arise from deliberate acts of sabotage or be purely accidental.

To ensure that effective security countermeasures are introduced to prevent and reduce risk, the following mechanisms have been put in place.

Monitoring and Audit

Regular internal audit will be carried out on all information systems and assets, to ensure compliance with national legislation and requirements and the terms of this policy. External audit will be carried out as required.

An audit trail of system access and use will be maintained and reviewed on a regular basis where possible with existing systems. Any new system introduced must be capable of audit.

Assets Inventory

An up-to-date register of current information, software and hardware assets is maintained, to ensure that effective protection is applied to all Provide assets, and to guarantee there is effective asset management. Staff must comply with any audits that are undertaken from time to time and ensure that the equipment issued to them is made available to Technology Engineers during such time.

Business Continuity Planning and Disaster Recovery

The Director of IT and Transformation will ensure that disaster recovery plans are developed for all critical applications, systems and networks. Service leads must ensure that Business Continuity plans are in place for their business-critical processes.

Further information can be found in the organisation’s Business Continuity and Service Recovery Policy (HSPOL13)

Reporting Incidents

All staff are required to be aware of the potential threats to the security of information and information systems, and report any suspected/actual incidences of breaches in security to their line manager.

Security incidents will be reported and managed in line with Provide Incident Reporting Policy and procedures.

13. Monitoring and Review

All staff are responsible for monitoring their own compliance with the principles and procedures detailed within this policy; line managers and supervisors should also monitor compliance on a regular basis.

This policy will be reviewed every year by the Information Governance Manager. Earlier review may be required in response to exceptional circumstances, organisational change, or relevant changes in legislation.

14. Fraud

The organisation will implement strong access controls to detect and prevent fraud by limiting access to sensitive data and by protecting data from unauthorised access, disclosure, alteration or destruction. Systems and data will also be monitored for suspicious activity to help detect and prevent fraud. Types of fraud relevant to this policy include, but are not limited to:

• Making false or misleading statements about the organisation’s financial condition or performance.

• Misusing the organisation’s funds or assets.

• Obtaining or using sensitive information for personal gain.

• Engaging in any other activity that is intended to deceive or defraud the organisation.

Any suspected fraud should be reported to the organisation’s Local Counter Fraud Specialist or to the NHS Counter Fraud Authority on 0800 028 40 60. Please refer to the Anti-Crime Policy for further information.

Appendix 1: Information Security Roles and Responsibilities

The purpose of this document is to describe the information security roles in the organisation and name the people who fulfil these roles.

Role: Senior Information Risk Owner (SIRO)
Responsibility: Has overall responsibility for the management of Information Security.
Name: Philip Richards, Group Chief Finance Officer
Contact details: 07534 408769, Philip.Richards1@nhs.net

Role: Information Governance Manager
Responsibility: Is responsible for ensuring the organisation complies with Data Protection legislation, in particular with regard to Information Security. Responsible for communicating security requirements to the organisation and providing advice on the protection of patient, personal and confidential information.
Name: Petra Lastivkova, Information Governance Manager
Contact details: 07970 682870, p.lastivkova@nhs.net

Role: Director of IT & Transformation
Responsibility: Responsible for the ‘day to day’ IT Security element of information security systems.
Name: Chris Wright
Contact details: 07837 571416, christopherwright1@nhs.net

Role: Caldicott Guardian
Responsibility: Is responsible for guarding the confidentiality of patient information.
Name: Dr Paul Spowage, Medical Director
Contact details: paul.spowage@nhs.net

Role: Data Protection Officer
Responsibility: Oversight of data protection strategy and acting in an advisory capacity to ensure compliance with Data Protection requirements.
Name: John Adegoke
Contact details: john.adegoke@nhs.net

Appendix 2: Information Security Policy Compliance Statement

Provide Staff, Agency Staff, Work Experience Students and Volunteers

I, (please print name)

Based at

• Confirm that I have read and understand the Information Security Policy;

• Have read and understood the associated Data Protection Policy, Email Policy and Procedures, Internet Policy, Mobile Computing Devices Policy and Transferring of Personal Information Policy;

• Understand that the use of Provide IT Systems is audited for the purposes of detecting inappropriate and/ or unauthorised access to systems;

• Understand that mobile devices, e.g. memory sticks, laptops, tablets etc., are at high risk of loss or theft and that I must take all precautions to ensure their security;

• Will only use encrypted Provide approved memory sticks for Provide business and not use personally owned ones;

• Will ensure that appropriate approval has been given for the holding of any confidential, sensitive or person-identifiable data on any mobile computing device and that the device/data is encrypted to the latest Department of Health’s recommendations;

• Understand that any username, password or PIN issued to access Provide systems is for my use only and that I will not disclose these details to others, either deliberately or through careless behaviour;

• Will use any mobile computing devices in line with legislation e.g. Data Protection Act 2018 and the Seven Caldicott Principles ensuring that no information is kept for longer than is necessary;

• Agree to return any equipment to the organisation when it is no longer needed, or when I leave Provide;

• Agree to comply with the Information Security Policies as amended from time to time, and understand that it is my responsibility to appraise myself of any changes to the policies, when notified;

• Undertake when working within other partner organisations to comply with that organisation’s Information Security Policies;

• Understand that any failure to comply with this agreement (which I have signed) could result in disciplinary action which may ultimately lead to dismissal or criminal prosecution.

Signed: …………………………………….……. Date:

A signed copy of this declaration should be forwarded to: provide.recruitment1@nhs.net

*Where staff have regular access to a Provide computer then this agreement will be signed electronically via MetaCompliance.

Appendix 3: Information Security Policy Compliance Statement

For Third Parties handling/processing Provide’s Information or accessing Provide’s systems

I confirm that I have read and understood the Information Security Policy and the Data Protection Policy;

I confirm that I understand and agree to comply with the Provide Information Security Policy and the Data Protection Policy;

Signed:

Date: ………………………………………………………………….

A signed copy of this declaration should be forwarded to: provide.recruitment1@nhs.net

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

IGPOL53 Information Security Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

Information security

Project/Policy Manager: Petra Lastivkova

Date: 17/08/2023

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability – or whether it is “equality neutral” (i.e. has no effect, either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”, i.e. will have no particular effect on any group?

N/A

Q2. Is there likely to be an adverse impact on one or more minority/underrepresented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

N/A

Q3. Is the impact of the initiative – whether positive or negative – significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

N/A

Guidelines: Things to consider

Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old), race and ethnicity, gender, disability, religion and faith, and sexual orientation.

The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.

Where there is a positive impact on particular groups, does this mean there could be an adverse impact on others, and if so can this be justified? E.g. are there other existing or planned initiatives which redress this?

It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where particular problems are identified in the screening stage, it is envisaged that the approach will be amended at that stage, and/or a monitoring/evaluation system will be set up to review the policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the screening phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

N/A

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

N/A

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

N/A

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

N/A

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

N/A

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

N/A

Guidelines: Things to consider

An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.

It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.

The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.

If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful websites:

• www.equalityhumanrights.com – Website for the new Equality agency

• www.employers-forum.co.uk – Employers forum on disability

• www.efa.org.uk – Employers forum on age

© MDA 2007
