IG Information Risk

BrisDoc Governance Team

Purpose

The purpose of this policy is to set out how the organisation identifies, assesses, manages, and mitigates information risks to ensure the confidentiality, integrity, and availability of the information it holds. It ensures compliance with statutory, regulatory, and contractual obligations including:

  • Data Protection Act 2018 / UK GDPR
  • NHS Data Security and Protection Toolkit (DSPT)
  • NCSC Cyber Assessment Framework (CAF)
  • Caldicott Principles

Scope

This policy applies to all employees, contractors, temporary staff, and third parties who access, process, store, or manage organisational information, regardless of format or location.

Policy Statement

BrisDoc is committed to managing information risk effectively and proportionately as part of our overall governance framework. We aim to maintain the trust of patients, staff, partners, and the public by embedding a culture of responsible information stewardship.

Roles and Responsibilities

Board

  • Overall responsibility and accountability for information risk

CEO

  • The SIRO is accountable to the CEO and is responsible for day-to-day assurance

Senior Information Risk Owner (SIRO)

  • Leads the organisation’s information risk management programme
  • Provides assurance to the Board on the effectiveness of controls
  • Chairs the Information Governance Board
  • Produces the annual assurance report

Caldicott Guardian

  • Ensures patient confidentiality and compliance with the Caldicott Principles
  • Works with the SIRO on risks involving patient and staff identifiable information

Information Governance (IG) Leads

  • Supports the implementation of risk management controls
  • Co-ordinates and maintains the Information Asset Register (IAR) with Information Asset Owners
  • Coordinates IG training and awareness

Information Asset Owners (IAOs)

  • Accountable for the protection of information assets within their domain
  • Conduct regular risk assessments and report incidents
  • Maintain Information Asset Registers

All Staff

  • Must comply with policies and report suspected information risks or breaches
  • Complete mandatory IG and cybersecurity training annually

Risk Identification and Assessment

Information risks are identified through a combination of:

  • Risk assessments by IAOs and the IG Lead/SIRO
  • Reviews of incidents, near misses, and audit findings
  • Change management processes (e.g. new systems or suppliers)
  • Threat intelligence from sources including NCSC and NHS England

Identified information risks are logged on the corporate risk register and reviewed by the IG Board and the Senior Leadership Team (SLT).

Risk Appetite

BrisDoc’s risk appetite reflects our commitment to patient safety, compliance, and innovation. The following categories define our tolerance levels:

  • Patient Safety
    • Appetite Level: None
    • No tolerance for risks that could harm patients or compromise clinical care.
  • Legal & Regulatory Compliance
    • Appetite Level: None
    • No tolerance for breaches of UK GDPR, Data Protection Act, or NHS DSPT requirements.
  • Confidentiality & Privacy
    • Appetite Level: Very Low
    • Minimal tolerance for risks that could lead to unauthorised disclosure of personal data.
  • Operational Continuity
    • Appetite Level: Low
    • Limited tolerance for minor disruptions if mitigated and recovery plans exist.
  • Innovation & Digital Transformation
    • Appetite Level: Moderate
    • Controlled tolerance for risks that enable innovation, provided safeguards are in place.
  • Financial Impact
    • Appetite Level: Low
    • Limited tolerance for risks causing minor financial loss; none for significant penalties.
  • Reputational Impact
    • Appetite Level: Very Low
    • Minimal tolerance for risks that could damage public trust or organisational reputation.

Third-Party & Supplier Risk

BrisDoc recognises that third-party suppliers and partners play a critical role in delivering services and managing information. To ensure the confidentiality, integrity, and availability of organisational data, we will:

  • Due Diligence
    • Conduct a risk assessment of every supplier that will handle sensitive or personal information as part of onboarding, before engagement, to verify compliance with relevant standards such as UK GDPR, NHS DSPT and Cyber Essentials.
  • Contractual Controls
    • Include clear information governance and security clauses in all contracts, covering data protection, breach notification, and audit rights.
  • Ongoing Assurance
    • Monitor supplier compliance through regular reviews, audits, and DSPT submissions where appropriate.
  • Incident Management
    • Ensure suppliers have robust incident response processes and agree to notify BrisDoc within defined timeframes for any data breach or security incident.
  • Termination & Exit
    • Implement secure data return or destruction processes at contract end to prevent unauthorised retention or disclosure.

Risk Reporting and Assurance

  • IAOs review information risks at least annually
  • The SIRO reports information risk quarterly to the Board or Audit Committee
  • The DSPT is used to benchmark and monitor progress
  • Internal and external audits provide independent assurance

Incident Management

All information risk incidents must be reported via the Learning Events Portal and assessed for:

  • Impact to individuals, services, or systems
  • Notifiability to the Information Commissioner’s Office (ICO) or NHS England
  • Root cause and required remedial action

Serious incidents are reviewed by the SIRO and the Caldicott Guardian, and details are logged in the Learning Events Portal where required.

Training and Awareness

  • Mandatory IG and cyber training is required annually for all staff
  • SIRO/CG receive enhanced training on risk ownership and mitigation
  • Lessons from incidents are shared with staff to improve awareness and are used to enhance the training content
  • The IG Board monitors staff completion of mandatory training quarterly

Monitoring and Review

This policy will be reviewed annually or following:

  • Major changes in legislation or guidance
  • Significant security or information incidents
  • Organisational restructure or IT transformation

The policy will be shared with the IG Board membership and via BrisDoc’s intranet ‘radar’.

Related Policies and Guidance

  • Privacy by Design Policy
  • Data Protection and Confidentiality Policy
  • Cyber Security Policy
  • Information Governance Framework
  • Acceptable Use Policy
  • Business Continuity and Disaster Recovery Plan

Version Control

Date      Version  Author  Change Details
14/07/25  1.0      DL      First draft policy produced as a result of SIRO training and discussion with the DPO


All Rights Reserved | BrisDoc Healthcare Services