Information Security For Starters Movers And Leavers Policy


INFORMATION SECURITY FOR STARTERS, MOVERS AND LEAVERS POLICY

FEBRUARY 2020

This Policy supersedes all previous policies for Data Protection

Policy title: Information Security for Starters, Movers and Leavers Policy
Policy reference: COR73
Policy category: Corporate Policies
Relevant to: All Staff
Date published: February 2020
Implementation date:
Date last reviewed:
Next review date: February 2023
Policy lead: Mahwish Noor, Information Governance Manager
Contact details: Email: r; Telephone: 020 3317 7100
Approved by (Group): Information Governance Steering Group
Approved by (Committee): Audit and Risk
Document history:
Membership of the Policy development/review team: Jeffrey Boateng, Director of Clinical Information Management; Sally Quinn, Director of HR and OD; Information Governance Manager
Consultation: Members of the Information Governance Steering Group

Summary
1. The Trust’s Policy on onboarding and offboarding Employees, and how this also applies to Employees moving internally within the Trust.
2. How the Trust ensures that information management is not disrupted at any point during the Employee lifecycle.
3. To ensure that starters, movers and leavers understand their collective responsibilities towards safeguarding the Trust’s Information Assets.

DO NOT AMEND THIS DOCUMENT
Further copies of this document can be found on the Foundation Trust Intranet.

SUMMARY: INFORMATION SECURITY FOR STARTERS, MOVERS AND LEAVERS POLICY

Purpose of this policy
This policy underpins the Trust’s Information Governance Policy, Information Risk Management Policy and relevant HR policies and aims to ensure that all individuals working at or on behalf of the Trust have appropriate access to the information needed to deliver patient care and the Trust’s objectives.

Who it applies to
Starters: All persons joining the Trust who require access to the Trust’s information, which may include a user account and access on the Trust’s Information Communication Technology (IT) system(s).
Movers: Persons who are already part of the Trust who are transferring to a different role within the organisation.
Leavers: Someone who is leaving the Trust and no longer requires access to the Trust’s information and/or IT system(s).
It also includes subcontractors and Third Parties who may be authorised to access Trust IT systems and information in the course of their work.

What it includes in detail
All Trust workers (at or on behalf of the Trust) should understand their responsibilities in safeguarding the Trust’s physical and digital information assets; ensure the appropriate confidentiality, integrity and availability of those assets at all times; and understand this as a personal, as well as professional, commitment.

Important points for all staff
It is vital that Employees joining have appropriate access to the information needed to deliver patient care and the Trust’s objectives. HR services shall:
- ensure that the appropriate pre-employment checks and screening are undertaken. Where access to more sensitive information or information systems is required, further vetting processes against standards shall be required;
- ensure that employee security risks are effectively managed through robust security processes, to ensure actions are in accordance with the Trust’s legal obligations;
- provide a legally binding contract of employment. The contract of employment shall explicitly state all applicable roles, benefits and responsibilities bestowed on the employee by the Trust.

Appendix includes
C&I Equality Impact Analysis guidance.

Contents
1. Purpose
2. Scope
3. Applicability
4. Terminology
5. Policy
   Roles and Responsibilities
   Core Responsibilities: Starters
   Core Responsibilities: Movers
   Core Responsibilities: Leavers
   Training and Awareness
   Non-Compliance
6. Monitoring and Evaluation
7. Related Policies

1. Purpose

1.1. This Starters, Movers and Leavers Policy aims to ensure that all individuals working at or on behalf of Camden and Islington NHS Foundation Trust (hereafter referred to as “the Trust”):
- have appropriate access to the information needed to deliver patient care and the Trust’s objectives;
- understand their responsibilities in safeguarding the Trust’s physical and digital information assets;
- ensure the appropriate confidentiality, integrity and availability of those assets at all times;
- understand this as a personal, as well as professional, commitment.

1.2. This Policy underpins the Trust’s Information Governance Policy, Information Risk Management Policy and relevant HR policies.

2. Scope

2.1. This Policy covers all Starters, Movers and Leavers with access to the Trust’s information assets. Information assets include all types of information – patient; employee; financial; corporate and other – which may be created, handled, shared, stored, and disposed of, in all types of media. This includes, but is not limited to, ICT systems, telephone, paper and voice conversations, photographs and CCTV footage.

2.2. The scope applies to the Trust’s assets wherever and whenever they are used, including out-of-working hours and remotely.

3. Applicability

3.1. This Policy applies to:
- Starters: All persons joining the Trust who require access to the Trust’s information, which may include a user account and access on the Trust’s Information Communication Technology (ICT) system(s).
- Movers: Persons who are already part of the Trust who are transferring to a different role within the organisation.
- Leavers: Someone who is leaving the Trust and no longer requires access to the Trust’s information and/or ICT system(s).

3.2. It also includes subcontractors and Third Parties who may be authorised to access Trust ICT systems and information in the course of their work.

4. Terminology

Term: SHALL – Meaning / Application: This term is used to state a mandatory requirement of this Policy
Term: SHOULD – Meaning / Application: This term is used to state a recommended requirement of this Policy
Term: MAY – Meaning / Application: This term is used to state an operational requirement of this Policy

5. Policy

Roles and Responsibilities

5.1. The Head of Department and the Deputy Director of HR and OD are responsible for implementing and overseeing compliance with this policy.

5.2. Managers and Information Asset Owners (IAO) are accountable, within their respective areas of business responsibility, for ensuring this Policy is implemented, managed, maintained and improved.

Core Responsibilities: Starters

5.3. It is vital that Employees joining have appropriate access to the information needed to deliver patient care and the Trust’s objectives.

5.4. HR services shall (in adherence with the Recruitments Policy):
5.4.1. Ensure that the appropriate pre-employment checks and screening are undertaken. Where access to more sensitive information or information systems is required, further vetting processes against standards shall be required;
5.4.2. Ensure that Employees commence employment with the appropriate paperwork, and that checks are completed and received;
5.4.3. Ensure that Employee security risks are effectively managed through robust security processes, to ensure actions are in accordance with the Trust’s legal obligations;
5.4.4. Provide a legally binding contract of employment. The contract of employment shall explicitly state all applicable roles, benefits and responsibilities bestowed on the employee by the Trust. From an information security perspective, it shall include the expected Employee Code of Conduct, confidentiality clauses, required compliance with legal requirements, policies and procedures, and the consequences of non-compliance and subsequent information breaches;
5.4.5. Ensure that prior to recruitment the security responsibilities are outlined to the candidates. This includes embedding these responsibilities appropriately into each job description.

The Recruiting Line Manager shall:
5.4.6. Follow the Trust’s recruitment and screening processes at all times;

5.4.7. Ensure they understand the needs of the Starter and what is expected of them, including all relevant policies;
5.4.8. Ensure the Starter shall not have access to the Trust’s ICT systems until they have read and signed the Acceptable Use Policy;
5.4.9. Identify at the outset what ICT assets, systems, access and general training the post holder(s) shall require;
5.4.10. Prepare a comprehensive induction programme covering: the role, the responsibilities assigned to the individual, the Trust’s Information Governance Policy and associated policies, the assets associated with the role, and the access permissions granted;
5.4.11. Identify relevant training for the individual, including Information Security Training;
5.4.12. Ensure the employee is familiar with all relevant information security policies, including the Information Security Incident Reporting and Management Policy;
5.4.13. Provide the Starter with an overview of information handling within the department, including electronic and paper; and
5.4.14. In the event of non-compliance, report to the relevant IAO.

Employees shall:
5.4.15. Read and sign the Acceptable Use Policy before accessing Trust ICT assets and systems;
5.4.16. Read all policies relevant to their role, including Information Governance Policies;
5.4.17. Ensure they understand their continued responsibilities under the appropriate governing laws, including the Caldicott Principles and the Data Protection Act (DPA) 2018;
5.4.18. Complete the Information Governance and Information Security training within a timely manner of their start date;
5.4.19. Be aware of appropriate channels for reporting breaches in keeping with the Information Security Incident Management Policy;
5.4.20. Should there be any dispute concerning the contract of employment, the Employee should contact their Line Manager and the HR function.

Core Responsibilities: Movers

5.5. The process starts following the agreement of a change in role for a current Employee. This could be due to service redesign, change in business requirement, end of project, secondment, acting-up, promotion or a complete change in role.

Existing and New Line Manager shall:
5.5.1. Ensure they understand the needs of the Mover and what is expected of them, and ensure compliance with the Trust’s Information Security Policy;
5.5.2. Action all elements of the Movers’ process in a timely manner;
5.5.3. Document what assets and access rights the individual currently has and what the requirements of the new role are;
5.5.4. Work together to develop and implement a joint action plan to ensure that the Employee does not have access rights to any assets that are not needed for the new role;
5.5.5. Inform the IAO to revoke any information access that is no longer required for the former role, and ensure all ICT assets no longer required are returned;
5.5.6. Make arrangements with the relevant IAO for the Mover to receive the appropriate ICT assets and access levels associated with the new role;
5.5.7. The new Line Manager should ensure the Mover understands their continued responsibilities under the appropriate governing laws, including the Caldicott Principles, the General Data Protection Regulation (GDPR) 2018 and the Data Protection Act (DPA) 2018; and
5.5.8. Ensure that the Mover receives information security training relevant to their new role, including reading all relevant policies.

Employees shall:
5.5.9. Ensure they understand the process and what is expected of them;
5.5.10. Ensure they understand their continued responsibilities under the appropriate governing laws, including the Caldicott Principles, GDPR 2018 and DPA 2018; and
5.5.11. Comply with all elements of the Mover process and return all the organisational assets that are no longer required in the new role to their existing Line Manager.

Core Responsibilities: Leavers

5.6. To ensure that Employees exit the Trust in an orderly manner in line with the Trust’s relevant policies, leavers exiting from the Trust shall be managed, all assets assigned to the individual shall be returned, and all access rights removed in a timely manner.

HR Services shall:
5.6.1. Facilitate the Leaver process with the Line Manager in a timely manner. This shall include notification of other relevant functions such as payroll, and conducting of an exit interview.

Line Managers shall:
5.6.2. Explain the Leaver process to the Employee and clarify any questions they may have;
5.6.3. Initiate the Leaver process and action all elements of the Leaver process in a timely manner;
5.6.4. Remind the Leaver of their Terms and Conditions of employment, including Information Governance obligations – namely, that they must not leave with the Trust’s information in any format. In addition, they shall respect confidentiality agreements and personal information requirements;
5.6.5. Ensure that the Employee understands their post-termination responsibilities under the appropriate governing laws, including the GDPR 2018, the DPA 2018 etc.;
5.6.6. Identify the Trust’s assets to which the Leaver has, or has had, access, and ensure these are all returned, and access removed, prior to, or on, the leave date;
5.6.7. Ensure that a robust handover is completed, and contact lists are updated, recorded and communicated to appropriate areas;
5.6.8. Return the completed termination checklist to HR Support, confirming that all stages of the process have been actioned and ensuring that an exit interview is carried out;
5.6.9. Ensure, with the IAO, that the Systems Administrator has been informed that the Employee is no longer entitled to access ICT or equipment or Trust data and information; and
5.6.10. Report any non-compliance with the Policy to the relevant IAO.

Employees shall:
5.6.11. Ensure that they understand the process and what is expected of them;

5.6.12. Ensure they understand their responsibilities under the appropriate governing laws, including the GDPR 2018 and DPA 2018;
5.6.13. Comply with all elements of the Leavers process and return all the organisational assets before leaving the Trust.

Training and Awareness

5.7. The Board is committed to leading and fostering a strong culture of information security awareness throughout the Trust and shall support the Senior Information Risk Owner (SIRO) in managing associated risks.

5.8. Information Governance, and associated requirements and responsibilities, shall be included throughout the employee lifecycle from Starters, to Movers, to Leavers, and during post.

HR Services, including the Learning and Development team, shall:
5.8.1. Ensure that all Employees receive relevant training regarding this Policy and the associated processes;
5.8.2. Make such training available not only at key points such as starting and moving but also throughout the entire employee lifecycle;
5.8.3. Provide appropriate support to managers through the process, if required;
5.8.4. Monitor compliance with the Policy and facilitate general and role-specific training to support this;
5.8.5. Ensure that best practice and lessons learnt are promulgated to foster a mature information security culture, in liaison with the SIRO;
5.8.6. Ensure that organisational training records are kept, secured and updated.

Line Managers / IAOs shall:
5.8.7. Allow Employees appropriate time to attend any required information security training / awareness sessions throughout their tenure in post;
5.8.8. Review and check completion of training requirements to support effective information handling and governance, and include this in the performance appraisal process;
5.8.9. Have in place an appropriate level of ongoing Employee security management;
5.8.10. Ensure regular formal reviews of access rights for their direct reports;
5.8.11. Ensure that all staff are familiar with the Information Security Incident Reporting and Management Policy;

5.8.12. Ensure that Employees only have authorised access to information assets required to undertake their jobs, and that they follow the Trust’s policies and procedures;
5.8.13. Ensure that ICT access, activity and monitoring will take place in line with Trust Policy and good practice as set out by the Regulator and in applicable laws;
5.8.14. Remind employees on an annual basis of the circumstances in which the Trust may access user information or monitor usage.

Employees shall:
5.8.15. Comply with all elements of the Starter, Mover and Leaver process, including ongoing training while in post;
5.8.16. Take responsibility to comply with all elements of this Policy and attend any required training, throughout the duration of their employment with the Trust;
5.8.17. Comply with Trust policies and procedures, including relevant legal requirements.

Non-Compliance

5.9. Any circumstances requiring exemptions to this Policy shall be referred to the relevant IAO. Where the risk sits outside their delegated authority, the IAO shall complete a Risk Balance Case and forward it to the SIRO for approval.

5.10. If there are reasonable grounds for suspecting misuse of IT assets, access may be suspended by the system manager in consultation with the Line Manager / HR, pending further investigation. Please refer to the Acceptable Use Policy for further information.

6. Monitoring and Evaluation

6.1. This Policy shall be reviewed every two years or in response to significant changes due to security incidents, variations of law and/or changes to organisational or technical infrastructure.

6.2. This Policy is written and maintained by the HR Director, in consultation with the SIRO on behalf of the Board. Questions relating to its content or application should be addressed through the Information Governance Structure (see the Information Governance Policy for more details) to the SIRO, who is responsible for facilitating communication of this Policy throughout the organisation.

6.3. Breach of this Policy may be dealt with according to disciplinary procedures set out in the Employees’ contracts.

7. Related Policies

7.1. Related policies referenced in this document are available on the intranet or by request to the Employee’s Line Manager, and should be read in conjunction with this Policy.

8. Appendix 1 - C&I Equality Impact Analysis Guidance Document

1. Please indicate the expected impact of your proposal on people with protected characteristics

Impact scale: Significant +ve / Some +ve / Neutral / Some -ve / Significant -ve
Age: X
Disability: X
Ethnicity: X
Gender re-assignment: X
Religion/Belief: X
Sex (male or female): X
Sexual Orientation: X
Marriage and civil partnership: X
Pregnancy and maternity: X

The Trust is also concerned about key disadvantaged groups even though they are not protected by law
Substance mis-users: X
Homeless people: X
Unemployed people: X
Part-time staff: X

Please remember just because a policy or initiative applies to all, does not mean it will have an equal impact on all.

2. Consideration of available data, research and information

Please list any monitoring, demographic or service data or other information you have used to help you analyse whether you are delivering a fair and equitable service. Social factors are significant determinants of health or employment outcomes. Monitoring data and other information should be used to help you analyse whether you are delivering a fair and equitable service. Social factors are significant determinants of health outcomes. Please consult these types of potential sources as appropriate. There are links on the Trust website:
- Joint strategic needs analysis (JSNA) for each borough
- Demographic data and other statistics, including census findings
- Recent research findings (local and national)
- Results from consultation or engagement you have undertaken
- Service user monitoring data (including age, disability, ethnicity, gender, religion/belief, sexual orientation and)
- Information from relevant groups or agencies, for example trade unions and voluntary/community organisations
- Analysis of records of enquiries about your service, or complaints or compliments about them
- Recommendations of external inspections or audit reports

Key questions (supports EDS Goals) and Your Response

2.1 What evidence, data or information have you considered to determine how this policy/development contributes to delivering better health outcomes for all?
Response: Equality Act 2010, GDPR and Data Protection Act 2018

2.2 What evidence, data or information have you considered to determine how this policy/development contributes to improving patient access and experience?
Response: As above

2.3 What evidence, data or information have you considered to determine how this development/policy contributes to delivering a representative and well supported workforce?
Response: This policy encourages staff to protect their assets as part of cyber security and to handle information securely.

2.4 What evidence, data or information have you considered to determine how this policy/development contributes to inclusive leadership and governance?
Response: This meets objective EDS2 4.1 Inclusive leadership. Board and senior leaders routinely demonstrate their commitment to promoting equality within and beyond the organisation. Cyber security consists of technologies, processes and controls designed to protect the Trust’s information assets such as systems, networks, programs, devices and data from cyber-attacks. Effective cyber security reduces the risk of cyber attacks, effectively manages information risks and protects against the unauthorised exploitation of the Trust’s information assets, resulting in better patient care. The Senior Information Risk Owner is responsible for cyber security, with delegated responsibility to the Information Asset Owners across the Trust. This has been explained in the roles and responsibilities section.

3. It is Trust policy that you explain your proposed development or change to people who might be affected by it, or their representatives. Please outline how you plan to do this.

Group: Staff
Methods of engagement: The policy will be published on the intranet and updates provided at divisional leadership meetings, as well as cascaded by the Information Asset Owners across the Trust.

Group: IG Steering Group
Methods of engagement: The policy has been reviewed by HR, Comms, Caldicott Guardian, SIRO, ICT.

4. Equality Impact Analysis Improvement Plan

If your analysis indicates some negative impacts, please list actions that you plan to take as a result of this analysis to reduce those impacts, or rebalance opportunities. These actions should be based upon the analysis of data and engagement, any gaps in the data you have identified, and any steps you will be taking to address any negative impacts or remove barriers. The actions need to be built into your service planning framework. Actions/targets should be measurable, achievable, realistic and time framed.

Negative impact identified: Staff do not read or complete relevant training in cyber security
Actions planned: These policies will be available on the intranet and a comms plan will be in place to ensure staff are aware where to access the cyber security policies
By who: IG Steering Group

Negative impact identified: Race
Actions planned: The application of this policy is both fair and consistent regardless of race, ethnicity or nationality. However, it is recognised there is a risk to any member of staff whose first language is not English, and support will be offered to ensure the policy is translated to the required language.
By who: EDI Lead

Negative impact identified: Disability
Actions planned: The application of this policy is both fair and consistent regardless of disability and therefore does not impact on this protected characteristic. This policy can be made available in another format, on request.
By who: EDI Lead

5. Sign off and publishing

Once you have completed this form, it needs to be ‘approved’ by a Service Director, Clinical Director or an Executive Director or their nominated deputy. If this Equality Impact Analysis relates to a policy, procedure or protocol, please attach it to the policy and process it through the normal approval process. Following this sign off by the Sub Policy Group, your policy and the associated EqIA will be published by the Trust’s Policy Lead on the website.

If your EqIA relates to a service development or business/financial plan or strategy, once your Director or the relevant committee has approved it please send a copy to the Equality and Diversity Lead (equalityanddivesity@candi.nhs.uk), who will publish it on the Trust’s website. Keep a copy for your own records.

I have conducted this Equality Impact Analysis in line with Trust guidance
Your name: Mahwish Noor
Position: Information Governance Manager
Signed: Mahwish Noor
Date: December 2020

Approved by: Equality and Diversity Lead
Your name: Debra Hall
Position: Equality and Diversity Lead
Sign:
Date: 13/01/2020
