Transferring Confidential Information
and Procedures
Version: V8
Ratified by: Finance & Risk Committee
Date ratified: 26/01/2022
Job Title of author: Information Governance Manager
Reviewed by Committee or Expert Group: Technology Programme Board
Equality Impact Assessed by: Information Governance Manager
Related procedural documents
IGPOL53 Information Security Policy
IGPOL88 Internet, Email and Instant Messaging Policy
IGSOP02 Emailing Patients/ Clients and Families/ Carers Procedures
Review date: 26/1/2025
It is the responsibility of users to ensure that they are using the most up to date document template – i.e. obtained via the intranet.
In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version Date Author Status Comment
V1 Jan 2011 Information Governance Coordinator
V2 July 2012 Information Governance Coordinator
V3 January 2014 Information Governance Manager
V4 July 15 Information Governance Manager
Approved Reviewed in line with organisational changes.
Ratified reviewed to take into account of technological and organisational changes
Changes to use of Special and Recorded Delivery in line with recommendations from Information Mapping Review. Clearer guidelines for sending of information by Post and Fax. Inclusion of Postal Summary. Changes in line with functional changes to NHS Mail.
Changes made to Email procedures to reflect approval of the new NHS Mail Encryption Functionality to non-secure accounts. Removal of transporting information, taking info home and transferring out of UK –covered elsewhere in policy. Inclusion of definition of a “Health Record”. Amendment of the Postal section to simplify in line with Serious Incident Review.
V5 August 2017 Information Governance Manager
Reviewed and amended email section in line with Emailing Patients Procedures. Renamed to “Transferring Information Policy and Procedures” in line with recommendations from ISO27001 recommendations. Scope also extended to business sensitive information. Removal of “Faxing” and replacement with “Rightfax”. Amendments from the Technology programme board have been incorporated. Includes reference to New Data Protection Act (GDPR)
V6 August 2018
Section Transfer of Confidential Information by Hand added as per identified action from the Serious Incident Review Group. Addition to Section 6 to include Dictation cassettes in scope and the prohibition of sending cassettes by post – use of digital dictation only. Updated onto new template
V7 May 2020 Reviewed and amended the secure email addresses in line with the new NHS Guidelines, inclusive of Appendixes which refer to Removal of the RightFax as the system was closed down across the organisation. Synertec has been added as a method of communication via post. The content of the policy was transferred on the new template
V8 October 2021 Information Governance Manager 2-year review. Updated guidance on sending personal information by post, transferring information to a private individual by telephone and reference to Egress Outlook Standard function added.
1. Introduction
2. Purpose
3. Definitions
4. Risks in Transferring personal Information
5. Safe Haven Procedures
6. Transfer of Confidential Information
7. Incident Reporting
Appendix 1 - Flow Charts for sending information by Phone, Email, Post and Transporting of Information
Appendix 2: NHS Mail Encryption Function for Non Secure Accounts
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:
1. Introduction
Every person working for, or on behalf of Provide (the organisation) must ensure that confidential information is only made available to those who have been authorised to receive it. Every effort must be made to ensure that any information being shared or transferred electronically or manually is done so securely. Additionally, under the terms of the Data Protection Act 2018 and specifically when sending personal or sensitive personal information the organisation has a duty to ensure that sufficient security controls have been used to protect the information.
Transferring confidential information may be on an individual basis or as a bulk transfer. Examples of confidential information transfers include:
• Where internal post is used to send correspondence about a patient
• Transfer of a patient’s record by a member of staff
• A number of paper patient records sent in one envelope from one building to another building, by internal post, external post, courier etc
• Several hundred electronic records sent via e-mail to somebody outside of the organisation
• 50 electronic staff records copied onto removable media and taken out of the building to another location, e.g. to be uploaded to another computer
• Emailing a sensitive bid document
2. Purpose
The aim of this policy is to provide employees with a comprehensive framework through which confidential information is transferred.
The policy details required practice for those who work within or under contract to the organisation concerning maintaining confidentiality for all personally identifiable information and corporate business information. Whilst directed at Provide staff it is also relevant to anyone working in and around the organisation to include contractors, agency staff, students and volunteers.
All employees are obliged to keep any personal identifiable information e.g. service user and employee information and any corporate information, strictly confidential. All corporate information should be treated as confidential unless specifically placed in the public domain.
This policy has been produced to protect employees by making them aware of the correct procedures so that they do not inadvertently breach any of these requirements. Breach of confidentiality of information gained, either directly or indirectly in the course of duty is a disciplinary offence that could result in dismissal. Breaches of confidentiality should be recorded as an incident and the ‘data subject’ e.g. patient, staff member etc, made aware of any breach of their information as appropriate.
This policy forms part of the organisation’s Information Security Management System (ISMS) as part of its commitment to adhering to the standards under ISO27001. It also aims to ensure that suitable technical and organisational controls are in place to ensure the security of information in transit, as is required under the Data Protection Act 2018.
3. Definitions
Confidential Information
Confidential information is commonly thought of as health information; however, it can also include information that is private and not public knowledge or information that an individual would not expect to be shared. It can take many forms including patient level health information, employee records, occupational health records, etc. It also includes Provide confidential business information.
Personal Information
This is also referred to as, ‘person-identifiable information (PID)’ and relates to information about a person which would enable that person’s identity to be established by one means or another. This might be fairly explicit such as an unusual surname or isolated postcode or bits of different information which, if taken together, could allow the person to be identified. All information that relates to an attribute of an individual should be considered as potentially capable of identifying them to a greater or lesser extent.
Person-identifiable data can relate to information held about any individual, not just patients. It may, therefore, include information about staff, contractors, visitors and members of the public.
Sensitive Personal Information
This is information where loss, misdirection or loss of integrity could impact adversely on individuals, the organisation or on the wider community. These are defined under the Data Protection Act as:
• Health or physical condition;
• Sexual orientation;
• Ethnic origin;
• Religious beliefs;
• Political views;
• Criminal convictions; or
• Membership of a Trade Union
• Biometric data where processed to uniquely identify a person (UK GDPR)
• Genetic data (UK GDPR)
In addition to personal and clinical information, financial and security information is also likely to be deemed ‘sensitive’.
For sensitive personal information even more stringent measures should be employed to ensure that the data remains secure.
This Policy has been written to meet the requirements of:
• UK GDPR Data Protection Act 2018
• The Human Rights Act 1998;
• Telecommunications Regulations (2000);
• The Computer Misuse Act 1990;
• The Copyright Designs and Patents Act;
• The NHS Code of Practice on Confidentiality 2003; and
• The Caldicott Report.
Patient Health Record
A single record with a unique identifier containing information relating to the physical or mental health of a given patient which can be identified from that information and which has been recorded by, or on behalf of, a health professional, in connection with the care of that patient. This may comprise text, sound, image and/ or paper and must contain sufficient information to support the diagnosis, justify the treatment and facilitate the ongoing care of the patient to whom it refers.
Sensitive Business or Corporate Information
Privileged or proprietary information which, if compromised through alteration, corruption, loss, misuse, or unauthorised disclosure, could cause serious harm to the organisation. e.g. trade secrets, profit margins or new ideas.
4. Risks in Transferring personal Information
There are a number of risks associated with transferring confidential information. Without adequate security processes to protect confidential information in transit there will always be risks to that information. The severity and type of these risks will vary depending on the method of transfer. Examples of such risks include:
• Information being lost, damaged or intercepted in transit e.g. stolen laptops, lost memory sticks, opened envelopes;
• Delivery service delivering mail incorrectly;
• Information being sent to the wrong address via e-mail, post or fax;
• Information received by the organisation but not delivered to the correct person;
• Confidential conversations being overheard;
• Confidential information not being disposed of appropriately.
5. Safe Haven Procedures
All NHS organisations and providers of NHS Services require procedures to maintain the privacy and confidentiality of all service users, staff and organisational information. The implementation of these procedures facilitates compliance with the legal requirements placed upon the organisation.
The term ‘Safe Haven’ describes an agreed set of administrative procedures to ensure the safety and secure handling of confidential information. It can also be considered to be a location within the organisation where confidential information is both received and stored in a secure manner.
Safe haven procedures should be in place in any location where confidential information is being received, held or communicated, especially where information is of a sensitive nature.
6. Transfer of Confidential Information
Confidential information may be shared or transferred via telephone, e-mail, removable media, post (Royal Mail, courier or internal mail) or by hand.
Telephone
The following best practice guidelines are to be used when transferring confidential information via telephone:
Transferring to an organisation
• Establish the types of information that may be received over the telephone (refer to line manager or Information Governance team if in doubt);
• Always confirm the identity of the other party by asking for their name, department and organisation;
• Confirm the reason for the information request is appropriate;
• Take a contact telephone number. In order to check the identity of the other person call back on published main switchboard numbers and ask for the person;
• With regard to conversations about patients, ensure that the correct patient has been identified using at least two pieces of identifying information, such as their NHS number (preferable) or name and date of birth;
• Ensure that the information requested can be provided. If in doubt, check first and call the person back;
• Provide the information only to the person who has requested it (and in the case of patient information do not leave messages with patient identifiable information); and
• Ensure that you record your name, date and the time of disclosure, the reason for it and who authorised it. Also record the recipient’s name, job title, organisation and telephone number.
See Appendix 1 for poster/aide memoire.
Transferring to a private individual
Upon receipt of a telephone call
• Confirm the caller’s identity by asking the following verification questions that you have recorded on the clinical system/record: full name, DOB, 1st line / full address and relationship to the patient (if third party request). When verifying information such as address, telephone, DOB, etc., please do not read out what is currently recorded on the clinical system/record. Ask the caller to provide that information for you and never disclose details if different. Review icons and any reminders on the clinical system/patient record which could indicate that the information should not be disclosed.
• If there is any uncertainty when verifying identity or during the call, advise of the need for further clarification before handling the enquiry further. Seek advice and arrange a call back.
Making a call out
• Advise on a generic reason for the call, (e.g., I am calling to book your physiotherapy appointment). Before you proceed further, please verify caller’s identity: full name, DOB, 1st line / full address and relationship to the patient (if third party request).
• When verifying information such as address, telephone, DOB, etc., do not read out what is currently recorded on the clinical system/record. Ask the caller to provide that information for you and never disclose details if different. Review icons and any reminders on the clinical system/patient record which could indicate that the information should not be disclosed.
• If the caller declines to identify themselves, suggest that they call back after looking up our details online.
Fax
The use of physical fax machines or other faxing services is prohibited.
When sending data about individuals by e-mail, the data must be properly protected if the data is detailed enough that the individual(s) could be identified from it (i.e. if it is person-identifiable data).
It is Provide’s, as well as national, policy that all electronic transfer of patient identifiable data must be encrypted.
Staff must only send patient identifiable information via a securely encrypted email account.
NHSmail (*.nhs.net)
NHSmail is a secure, encrypted national email service which enables the safe and secure exchange of sensitive and patient identifiable information within the NHS and with local/central government.
Using NHSmail ensures the message is readable by authorised recipients, does not require any special software and removes the need to manually encrypt or password protect attachments.
Provide has implemented NHS Mail as its sole Email system due to the benefits it provides.
NHSmail is available at no cost to every NHS organisation (and in some cases, organisations providing NHS Services) in England and Scotland, providing easy access to patient data across the NHS without the need to encrypt any content between NHSmail users.
Information is secure so long as it is sent from one NHS.NET account to another.
Using NHSmail to email central and local government
The following email addresses are also classed as “Secure” when emailed from NHS Mail.
Secure email domains in Central Government:
• *.gov.uk (for local and central government)
• *.cjsm.net (for Police/Criminal Justice)
• *.pnn.police.uk (for Police/Criminal Justice)
• *.mod.uk (for Ministry of Defence)
• *.parliament.uk (for Parliament)
Secure email domains in Health and Social Care
Locally run email services that meet the secure email standard need no additional action or protection apart from ensuring you have the correct recipient:
• *.secure.nhs.uk
• *providewellbeing.co.uk
• For a full updated list of the organisations which meet the secure email standard please go to: https://digital.nhs.uk/services/nhsmail/the-secureemail-standard
Emailing to non-accredited or non-secure email services
NHSmail includes an encryption feature that allows users to exchange information securely with users of non-accredited or non-secure email services.
If users need to exchange information securely outside of the above secure email boundary, they must do so by using the NHSmail encryption feature (Please refer to Appendix 2 for further details). Please also refer to IGSOP02 with regards to emailing patients.
Non-secure email accounts include local NHS and Local Government email services such as those ending in .nhs.uk, as well as the usual .co.uk, .com and .org.uk addresses. Please note that this list is not exhaustive.
Emailed Referrals
Where services are receiving referrals from health professionals outside of Provide, staff must be aware that on occasion these may not have been sent by an encrypted and secure email account. In such cases the guidance in Appendix 1 – ‘Responding to referrals by email’ must be followed when responding.
General Email Guidelines
It is not acceptable to:
• Exchange PID to a non-secure email account unless using the NHSmail encryption feature described above or other approved encryption service;
• Protect PID simply within a password-protected file (e.g. a Word document or an Excel workbook). Such protection is weak and can be circumvented relatively easily using software tools; or
• Protect PID within a WinZip file using the standard Zip 2.0 encryption. This too is known to be relatively weak. (N.B. Certain versions of WinZip and 7Zip software can encrypt to 256-bit AES encryption. Please check with the IT or IG department.)
Before sending any confidential information ensure you understand the limitations of the service (contact the Information Governance team for further information).
See Appendix 1 – ‘Guidance for emailing person identifiable information’ for poster/aide memoire.
Sending Personal Information by Post
Provide adopts a ‘Digital first approach’ by using secure email when transferring information. Secure email should be used as the preferred method of transferring ALL information. Please refer to the Guidance for emailing information.
In cases where posting the information is the only option available, you must:
• Check that there are no unprocessed changes to recipient’s address (e.g. change of address tasks and high priority reminders on SystmOne)
• Confirm the name and address of the recipient if you are speaking to the recipient and update the record if necessary. All staff have a responsibility to ensure that records and details on electronic patient records (e.g. SystmOne), including next of kin within the Groups and Relationships section, are up to date and correct. Managers are responsible for ensuring staff are competent, aware and trained to maintain up to date and correct patient records.
• Addresses on clinical systems are verified via PDS or previous service/organisation where information has come from another health or social care organisation. Working with other NHS/Local Authority electronic patient records systems, i.e. Inform, staff can check PDS directly with a smartcard (relevant rights required). ESR allows staff to maintain their own data.
• An annual exercise to update demographic details should take place
The decision on how to send Personal information by Post needs to be based on the following factors:
• The required delivery timescale
• The costs of sending the item
• If there is a need to prove the item was sent
• If there is a need to confirm receipt
• If the item is of value or importance or contains sensitive information and there will be repercussions if lost
Normal Post/Synertec - if practical, always adopt the ‘Digital first approach’.
Suitable for small items, such as appointment letters, immunisation letters, test results and general correspondence between health professionals and with patients. This may be a large number of items sent regularly but separately. Suitable for where proof of posting or receipt is not needed. Not suitable for sending occasional items about more sensitive subjects or for sending patient health records.
Synertec should be the preferred option over the normal post. Not only does it improve the efficiency of the department by allowing staff to concentrate on their primary role it also reduces postal costs incurred and also offers a higher grade of security by reducing the risk of misdirected post and giving full auditability of sent items.
Royal Mail Signed For 1st or 2nd Class – if practical, always adopt the ‘Digital first approach’.
Suitable for large items about one (or a few) individuals, such as a request by a patient for a copy of their patient health record. Signed for delivery is also suitable for sending individual items (such as reports, correspondence, care plans) of a more sensitive nature. It is not suitable for the sending of Sensitive Patient Health Records (see definition in section 3.3).
This service does not track an item between it being sent and received. Use where proof of posting and receipt is important, but damage from loss is relatively small.
Items sent by signed for delivery can be tracked via the Royal Mail’s Track and Trace Service once the item has been signed for at the point of delivery.
Special Delivery – if practical, adopt the ‘Digital first approach’.
Suitable for larger amounts of data on individuals, where proof of posting, tracking during transfer and confirmation of receipt is required. This method is to be used to send patient health records of a higher sensitivity such as safeguarding records. It must also be used for the transfer of 5 or more patient health records (regardless of their sensitivity).
Whilst loss is still possible the risk is reduced as far as possible and the potential to narrow down the area of loss is present. The impact of loss could be high, but using this method reduces probability as far as possible.
Items sent by special delivery can be tracked via the Royal Mail’s Track and Trace Service at all stages in the mail network.
Internal Mail Facilities - if practical, adopt the ‘Digital first approach’.
Internal mail facilities, such as those provided by Mid Essex Hospital (MEHT) and Colchester Hospitals University Foundation Trust (CHUFT), provide a higher level of protection than external mail facilities and should be used to transfer information between Provide services/ locations and other external services on the Internal Mail Run (e.g. MEHT, CHUFT, CCG, G.P Practices). It is permissible to send patient records through the internal mail facilities so long as the below guidelines are observed. It is not permissible to send bulk records (over 50 records) via the internal mail facilities.
Courier – if practical, adopt the ‘Digital first approach’.
Much the same as special delivery, however can be faster and carry larger items. Couriers other than Royal Mail must be under contract approved by the Information Governance Manager and the Contracts team.
Bulk Transfers – Where bulk transfer of patient notes and other confidential information is required e.g. moving of notes due to premises move etc., then suitable arrangements must be made. (N.B A bulk transfer is defined as more than 50 records or items being transferred/ sent at once) Bulk transfers of notes must be arranged with an approved transportation company under contract.
Movement of Archived Records – The organisation has a contract in place with PDM for the archiving of records which includes the secure transportation of confidential records and files to and from the archive store. Services must not utilise other methods of transporting these records and files either between the archive store and Provide sites without the prior authorisation of the Information Governance Manager.
Regardless of the method used, the following must be observed for all mail items:
• Before any information is sent confirm the details of the recipient e.g. name, job title, department, address, postcode etc.
• Packaging is to be sufficient to protect the contents from any physical damage likely to arise during transit such as exposure to heat or moisture i.e. an envelope for letters, a jiffy bag for larger records, a secure box or transit bag for larger packages etc.
• Where patient notes are being transferred by internal mail, protective mail bags must be utilised
• It is NOT permissible to send bulk transfers of patient notes by internal mail or by normal Royal Mail post
• Mark the envelope/package with the details of the person to whom the letter/package is being sent
• Include return address details where this will not compromise confidentiality
• Mark with ‘Private and Confidential’
• For sensitive records, request confirmation of receipt
Postal Summary
The below table details different types of Information and ways in which they should be sent:
Adopt the ‘Digital first approach’ by using secure email when transferring information. Secure email should be used as the preferred method of transferring ALL information. Please refer to the Guidance for emailing information.
Delivery Methods
• Normal Post/ Offsite Post (Synertec, Paragon)
• Internal Mail
• Signed for Delivered (where practicable, adopt the ‘Digital first approach’)
• Special Delivery (where practicable, adopt the ‘Digital first approach’)
• Other Courier (Under Contract)
Postal Item
• Individual Items** such as appointment Letters, Booking Letters, Test results, Screening letters, Referrals, general correspondence with or without inserts (Non-Sensitive)
• Reports, Referrals, Correspondence, Staff Occupational Health Information etc. (Higher Sensitivity*)
• Patient Health Records (Non-Sensitive - up to 5 Records)
• Patient Health Records (Non-Sensitive - over 5 records)
• Patient Health Records (Higher Sensitivity*)
• Bulk Transfer of Patient Health Records (over 50 Records)
• Transportation of Archived Patient Health Records
* Higher Sensitivity items are defined as any information that is likely to cause significant harm or distress to an individual in the case of an information loss or breach of confidentiality (Examples are Safeguarding or Child Protection Information, Information about Looked after Children, Mental Health Information and Sexual Health Information).
** This also refers to a large number of items sent individually e.g. a large number of appointment letters going out to different addresses.
Text
Due to increased use of mobile phones, transfer of information, especially individual information, is now being considered as a way of staff communicating with patient/service users and other staff.
If a service is considering using text messaging as a way of communicating with patients or between staff, it is essential to seek guidance on any potential security, confidentiality and records management implications from the IG team and where necessary have this agreed by the Caldicott Guardian.
When communicating with patients by text, the following points should be adhered to:
General
• Obtain the patient/service user’s consent to be contacted in this way
• Coded messages should be considered
• All messages should be documented immediately and should then be treated as any other patient/service user documentation
• It should be recognised that communicating to patients via text message is inherently insecure as they could be intercepted or sent to the wrong recipient and must not be used for conveying sensitive information.
Texting from/to mobile phone
• A dedicated work phone must be used for the purpose of transferring this personal information
• Named staff should be responsible for the dedicated phone/s to maximise confidentiality
• The mobile phone must be secured when not in use
• The mobile phone should have a passcode known only to the named staff members with responsibility for that phone
• All received and sent messages must be deleted immediately from the dedicated phone after documentation
• In the event of loss or theft of the mobile phone all precautions should be taken to protect the confidentiality of the patient/service user and the theft/loss should be reported through the incident reporting process and to the police where appropriate.
Further guidance may be available from professional bodies in relation to the use of text messaging services e.g. RCN Use of text message services guidance for nurses working with children and young people.
Removable Media
Removable media relates to:
• Data CDs or DVDs
• USB memory sticks/pens
• Zip Drives and portable hard drives
• MP3 players e.g. iPod etc
• PDA/Palm Top computers
• Mobile phones
• Digital cameras
• Secure Digital Card (SD card)/ Compact Flash (CF) and other types of memory Card
• Dictation Cassettes
This list is not exhaustive and will continue to reflect emerging technologies as they become available.
What is acceptable:
Encrypted removable media devices provided by the organisation provided there is a legitimate business reason, which in some cases may require agreement from the Caldicott Guardian;
What is not acceptable:
Use removable media for bulk transfer of data without the agreement of the Information Governance team and/ or the IT department; and
Use removable media as a permanent or indefinite storage device. Data must be transferred as soon as possible to a secure network drive and removed from the device.
Sending of Dictation Cassettes by post is prohibited. This includes internal post as well as Royal Mail and courier delivery. Services should use digital dictation services only, where the recordings are securely transferred electronically.
Cloud Computing
Cloud Computing is a relatively new technology which refers to the delivery of computing and storage capacity over the internet. As such it allows for the easy sharing of electronic documents and files.
Cloud Computing introduces a number of security and privacy threats and vulnerabilities and there are complications with regards to the storage of information outside of the UK or EEA and the Data Protection requirements around this. As such it is not permissible to utilise Cloud computing solutions for the storage or transmission of information without the prior permission of the Information Governance Manager and the Caldicott Guardian where appropriate.
It is not permissible to utilise public Cloud computing solutions (e.g. Dropbox, Apple iCloud, Google Drive, Mediafire etc) for storage and transmission of confidential information.
The storage or transmission of information to non-endorsed or non-approved systems will be treated as a Serious Breach of Policy.
Transfer of Confidential Information – By Hand
There may be situations when hand delivering confidential information is required for services that temporarily have no access to clinical systems upon joining the organisation.
When transporting or hand delivering confidential information staff must ensure that it is kept on their person at all times or in a secure location.
Staff must minimise the amount of confidential information that is taken out of Provide premises. If staff have to carry confidential information around during the day they must consider their travel plans, for example calling into shops or petrol stations when they are least likely to be carrying patient records.
The transportation of printed patient visit lists for use during a visit schedule is prohibited. The only exceptions to this are documents and/or plans of care that require inclusion in patient held notes, signatory responsibilities or other information required to aid the delivery of care.
Where a printed copy of electronic information is taken out of Provide premises or staff’s usual place of work (for example for a meeting, patient visit etc.), it must be disposed of in confidential waste facilities as soon as possible when no longer required, as per the requirements stipulated in IGPOL53 – Information Security Policy.
If staff do need to carry confidential information they must ensure the following are considered and remember that there is personal liability under the Data Protection legislation and their contract of employment for breach of these requirements:
• Ensure any personal information is in a suitable container prior to it being taken out of Provide buildings.
• Make sure it is put in the boot of the car or carried on their person while being transported.
7. Incident Reporting
Upon an incident occurring in relation to loss, damage or unauthorised access to personal information, a Datix form must be completed and a formal investigation launched. The incident must be reported immediately to the relevant line manager.
Appendix 1 - Flow Charts for sending information by Phone, Email, Post and Transporting of Information
Appendix 2: NHS Mail Encryption Function for Non-Secure Accounts
NHS Mail now has a facility to send securely to non-secure email accounts.
To “trigger” the encryption to non-secure accounts, it is important to follow these steps:
1. The first really important bit: for the encryption to “trigger”, the email subject line must contain [secure]. This is not case sensitive – either [secure] or [SECURE] will work just fine. You must use square brackets [ ].
2. The second really important bit: the recipient must sign up for the encryption service to be able to read the secure emails. If necessary email them the full instructions for recipients (link below). Please ensure that you are certain of the recipient’s identity and entitlement to the confidential information you propose to email, and double check email address spellings.
3. If you are sending to a recipient for the first time using this service, send a test email with no confidential information from your NHS Mail account, for example:
[secure] Confirmation
Thank you for signing up to the NHS secure email service. Please confirm receipt by responding to this message without editing the subject line (the Re: that the email system puts in front of your reply is OK). Thank you.
4. Wait for the recipient’s response that they can access the secure system.
5. Email the recipient with the information needed – remember [secure] in the subject line, and please double check for ‘typos’ in address and subject line. Attachments can be included. Some file formats are not allowed: Word documents, Excel documents and image files are all fine. Ask the recipient to reply and confirm receipt.
6. Do not assume that information has been received unless you have a response (not just a read receipt). If relevant, please save the confirmation to the relevant patient record on SystmOne (please print and black out any irrelevant information included in the email first if required, then scan and save.)
7. This service is for users of insecure email systems only. If you include the [secure] subject line, however, secure recipients will still receive the email in the usual way without needing to sign up to the service. See section 7.3.3 for a list of secure email addresses. The most commonly used ones are NHS.NET for health colleagues and .gov for social care colleagues.
8. Alternatively, you can install an Egress Outlook Standard function on your Outlook. Please refer to the installation and how-to guide, which can be found on the intranet.
For emailing patients, please see IGSOP02 – Emailing Patients/ Clients and Families/ Carers Procedure.
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’
Name of project/policy/strategy (hereafter referred to as “initiative”):
Provide a brief summary (bullet points) of the aims of the initiative and main activities:
Project/Policy Manager:
Date:
This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. has no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.
Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.
Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?
Q3. Is the impact of the initiative – whether positive or negative – significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.
Guidelines: Things to consider
Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old), race and ethnicity, gender, disability, religion and faith, and sexual orientation.
The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.
Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.
Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.
Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?
It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.
It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or a monitoring/evaluation system will be set up to review a policy’s impact over time.
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:
(To be used where the ‘screening’ phase has identified a substantial problem/concern)
This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.
Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?
Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?
Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?
Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.
Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?
Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.
Guidelines: Things to consider
An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised. It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative. The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action. If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.
Further information:
Useful Websites
• www.equalityhumanrights.com – Website for new Equality agency
• www.employers-forum.co.uk – Employers forum on disability
• www.disabilitynow.org.uk – online disability related newspaper
• www.efa.org.uk – Employers forum on age
© MDA 2007