ITPOL07 IT Disaster Recovery Policy



Version: 5.0

Ratified By: Finance & Risk Committee

Date ratified: 05/09/2023

Job Title of Author: Assistant Director – IT & Systems

Reviewed by Sub Group or Expert Group: Technology Programme Board

Equality Impact Assessed by: Assistant Director – IT & Systems

Related Procedural Documents: ITSOP002 Technology Disaster Recovery Plan

Review Date: 05/09/2026

It is the responsibility of users to ensure that they are using the most up-to-date document template – i.e. obtained via the intranet.

In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.

Version Control Sheet

Version Date Author Status Comment

Final v2 11/01/2015 Head of IT & Data Awaiting approval by TPB Adjusted to include comments from MP and AC

Final v2.1 15/01/2015 Head of IT & Data Approved by TPB

3.0 17/01/2017 Head of IT & Data Updated Approved by TPB

3.1 20/06/2017 Head of IT & Data Updated following a Major Incident

4.0 02/01/2020 Assistant Director – IT & Systems Approved by TPB on 14/01/2020 Minor updates

5.0 01/07/2023 Acting Assistant Director of IT, Systems & Development Approved by FIC 05/09/23 Minor updates and personnel changes.

1. Introduction

Provide's services are increasingly reliant on its technology systems, and this reliance will continue to grow as services increase their use of systems and data.

This policy is in place so that all reasonable steps are taken to ensure that, in the event of IT Service Disruption, we will be able to restore the IT services as soon as possible in the circumstances prevailing at the time.

2. Scope

This policy applies to all technology systems including telephony systems and infrastructure that is currently owned by, managed by, being procured by or being disposed of by Provide.

The disaster recovery of hosted systems will remain the responsibility of the host. These include:

• SystmOne Community

• SystmOne Child Health

• SystmOne Community Hospitals

• SystmOne Mobile

• Electronic Referral System

• Summary Care record

• Patient Demographic Service

• Secondary User Services

• Northgate

3. Principles

This policy sets out principles, guidance and requirements with the aim of ensuring that:

➢ Critical technology systems can be restored in an efficient manner following any major failure, adverse event, disaster or loss of technology systems.

➢ Appropriate business continuity and disaster recovery plans are in place.

➢ Critical technology systems are identified.

➢ Risks to technology systems are continually being reviewed and avoided or reduced.

➢ Full documentation, including test plans, is in place.

➢ All major failures, adverse events and incidents are fully investigated and lessons learnt.

4. Implementation of Disaster Recovery

The Provide Technology Team will maintain a Disaster Recovery Plan to ensure that all critical technology systems are identified and can be restored in an efficient manner with the least disruption to essential services in the event of a disaster.

The Disaster Recovery Plan can be invoked following agreement by the majority of the Technology Major Incident Team (TMIT), which can be convened by any member of the TMIT. Examples of when this may occur are:

1. Critical data corruption

2. Deliberate external or internal attacks

3. Theft of essential network equipment

4. Essential component failure

5. Major power outage

6. Physical damage to essential hardware

7. Loss of access to essential equipment

Disaster Recovery (DR) should only be invoked if a prolonged outage to the systems or system is envisaged following an incident; this may be following a period of operation of the Business Continuity Plan. For example, a failure of a critical component that is under contract to be replaced within 4 working hours should not necessitate the DR being invoked. If the component is not available and likely to take 2 days to be replaced, then DR may be invoked.

Members of the TMIT will need to be familiar with Provide’s Major Incident Plan, as the loss of critical IT systems may lead to the organisation declaring a Major Incident, and a non-technology-related Major Incident, such as a large fire, could cause a Technology Major Incident.

5. Preventative Measures

Regular risk assessments should be undertaken by the Provide Technology Team to identify risks and actions to be taken to significantly reduce or avoid the risks that could lead to a disaster. These should include:

• Automated Fire Suppression fitted to major server rooms

• Electronic access control systems fitted to all server rooms

• Environmental monitoring systems fitted to all server rooms

• Dual Inter-linked air conditioning units fitted to all major server rooms

• Uninterrupted Power Supplies (UPS) fitted within all server rooms

• UPS connected to all critical IT equipment

• Backup generator power supply to all major server rooms

• Regular inspection of critical equipment

• Disaggregated systems to be used where feasible

6. Testing

Where the Disaster Recovery Plan has not been used and reviewed in the previous year, the Provide Technology Team will undertake a yearly disaster recovery test to:

• Ensure recovery times are minimised.

• Validate recovery process, ensuring smooth restoration in the event of a real disaster.

• Test resources required during a recovery such as power supplies.

• Confirm current systems will support a full and effective recovery.

• Ensure staff are familiar with their roles and responsibilities.

• Ensure documentation of this procedure is kept up to date.

• Ensure the process of returning to normal operational state after DR is effective and fully understood.

7. Roles and Responsibilities

To enable the successful management of Disaster Recovery plans and procedures, all staff should be aware of their roles and responsibilities:

7.1 Executive Directors

• Responsible for ensuring procedures are in place within their directorates that ensure staff are aware of their responsibilities contained within this policy and that these responsibilities are adhered to.

7.2 Director of IT & Transformation

▪ Ensuring there are appropriate plans in place to restore technology systems in the event of a disaster.

▪ Ensuring all critical applications and hardware have support contracts in place

▪ Ensuring that technology systems are designed for resilience.

▪ Ensuring that up to date documentation exists for all key technology processes.

7.3 Acting Assistant Director of IT, Systems & Development

▪ Ensuring computer systems including applications and servers are appropriately backed up.

▪ Ensuring all backup tapes are stored off-site.

▪ Ensuring that there are UPS units connected to all critical equipment in case of power failure.

7.4 Service Managers

▪ Responsible for ensuring they have their own Business Continuity Plan in place should technology systems be unavailable.

▪ Ensuring data for their service is saved in appropriate locations where it will be backed up and not on local devices.

▪ Ensuring that all incidents relating to data security are reported using DATIX.

▪ Ensuring their staff have read and understood this policy.

▪ Ensuring a hard copy of names and contact details for their team is kept.

7.5 All Staff

▪ Must ensure all desktops, laptops and tablets issued to them are regularly connected to the Provide network.

▪ Responsible for contacting the Technology Service Desk to report problems and any damage caused or discovered to IT equipment contemporaneously.

▪ Ensure that their data is saved in appropriate locations where it will be backed up and not on local devices.

▪ Ensuring IT equipment is used in an appropriate manner and only for work purposes.

▪ Comply with the terms of the Information Security Policy

7.6 Technology Team

▪ Ensuring own familiarity with DR procedures and plans.

▪ Ensuring planned tests are carried out and results documented.

▪ Ensuring changes to hardware and software are documented.

8. Monitoring

The effectiveness of this policy will be assessed after each DR test or real-life event; the policy will be reviewed every 3 years or after implementation of new technology.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”): Disaster Recovery Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

Project/Policy Manager: Assistant Director – IT & Systems Date: 01/09/2023

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

Neutral

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

Neutral

Q3. Is the impact of the initiative – whether positive or negative – significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

No further action required, will be reviewed again should there be any major changes to the policy.

Guidelines: Things to consider

Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old), race and ethnicity, gender, disability, religion and faith, and sexual orientation.

The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan. Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?

It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the ‘screening’ phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

Guidelines: Things to consider

An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.

It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.

The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.

If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful Websites

www.equalityhumanrights.com – Website for new Equality agency

www.employers-forum.co.uk – Employers forum on disability

www.disabilitynow.org.uk – online disability related newspaper

www.efa.org.uk – Employers forum on age

© MDA 2007 EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage One: ‘Screening’
