Information Governance: The Refresher Module (Revision and Update)

Introduction

This is a printable copy of the Training Tracker e-learning refresher module on Information Governance. It is aimed at all staff who have completed one of the modules listed below:

- Information Governance - The Beginner's Guide
- Introduction to Information Governance
- Introduction to IG for General Practice
- Information Governance for NHS CFH Staff
- Information Governance for Pharmacy Staff
- Information Governance for Dental Practices
- Information Governance for Medical Secretaries

If you have not completed one of these modules you should do so and leave this refresher module for the following year. The refresher module should be completed every year to keep you updated with Information Governance best practice and to satisfy any requirements to undertake mandatory IG training annually.

The purpose of the refresher module is to:

- update you on changes that have taken place since the original modules were created
- revise some key learning points from the original modules
- indicate any topics which you need to fully review again (by completing whichever of the original modules mentioned above is appropriate for you).

Navigation point

The material in the course covers a number of important points. As you go through the course the topic heading will tell you whether it is revision or an update.

The areas covered are:

- NHS IG Standards
- Confidentiality
- Care Record Guarantees and the NHS Constitution
- UK Law: Data Protection Act 1998
- UK Law: Freedom of Information Act 2000
- Records Management and Quality
- Security

NHS IG Standards (Revision)

After serious losses of personal information, including the loss in 2007 of computer disks containing the names, addresses and bank details of 25 million child benefit claimants, the Government conducted a Data Handling Review (June 2008). This sets out mandatory measures for public bodies on protecting personal data, such as staff training, and committed the Government to publicly reporting progress on putting these measures into place. In the next section we'll look at the progress of this review.

NHS IG Standards (Update)

The first progress report of the UK Government's Data Handling Review was published in January 2010 and noted the NHS's progress in improving the following standards of information handling:

- Performance management to push improvements.
- Contracts with organisations being renegotiated to make sure confidentiality and security protections are in place.
- Older computer systems being replaced with modern systems that have state of the art security.
- Nearly one million encryption licences were in use under a nationally negotiated contract.
- Encryption had been mandated for all patient data held on portable devices (e.g. memory sticks, laptops).
- Online training was available to over one million staff (e.g. this module).

- The information governance framework and guidance had been further developed so that NHS organisations were clear about expected standards.

The NHS Operating Framework (Update)

The Department of Health (DH) published an Operating Framework which set out objectives for the NHS. Key themes for 2010/11 included:

- Organisations must meet all Information Governance requirements set out by DH by 31st March 2011 (the level of compliance is then reported to DH and the Care Quality Commission).
- Ensuring that all staff receive annual basic IG training (through the online NHS IG Training Tool).
- Reporting on the management of information risks.
- Publishing security breaches in annual reports.

A link to further reading is available in Read more about it at the end of this workbook.

Confidentiality (Revision)

It is important to understand what is meant by confidential information.

Personal Information

Information about an individual is personal information when it enables the individual to be identified. It is non-personal when it doesn't. This isn't always straightforward, e.g. a person's name and address are clearly personal information when presented together, but an unusual surname may by itself enable someone to be identified. This is an important distinction in law.

Sensitive Personal Information

Personal information is legally classed as sensitive when it makes reference to particular matters of an identifiable person, such as his/her health, ethnicity, religion, criminal record or sexual life. These are also listed in the Data Protection Act 1998.

Other details, e.g. a person's bank account details, DNA or fingerprints, are not listed in the Data Protection Act 1998 but are still regarded as sensitive because of the damage and distress that could be caused if they were not properly protected.

The rules set out in the Data Protection Act only apply to information about living individuals, not the deceased. This differs from the common law duty of confidentiality, which continues after the death of the patient.

Confidential Information: Health and Staff Information

Personal and sensitive personal information is classed as confidential if it was provided in circumstances where an individual could reasonably expect that it would be held in confidence, e.g. between a healthcare professional and a patient. This applies to staff working on behalf of the health professional, such as pharmacy, dental and eye care staff. Confidentiality is accepted to extend after the death of the patient.

Personal or Sensitive Personal Information CAN be Confidential Information

Whether it is confidential or not depends on the circumstances under which it was provided. If it is:

- private information about a person, and
- given to someone who has a duty of confidence, and
- expected to be used in confidence,

then it is confidential.

Confidentiality: Disclosing Information (Revision)

Confidential information should not normally be used (which includes sharing and disclosing) unless one of the following criteria is met.

1. The person has given consent for the disclosure. For patients: consent may be implied for care purposes and related purposes that support or check the quality of care provided. For other purposes consent should be specifically sought.
2. There is a legal basis which permits or requires disclosure of confidential information.
3. There are exceptional circumstances (e.g. investigation or prevention of serious crime) where the overriding public interest outweighs the duty of confidentiality.

Confidentiality: Patient Welfare (Revision)

The duty of confidence does not prevent adequate welfare arrangements being made with, for example, a patient's partner, carer, friend or support agency, as long as the patient is happy for this to happen. It is sensible to check with the patient if there is any doubt about what the patient's expectations and wishes are. Detailed guidance is available in Confidentiality: NHS Code of Practice. This can be found in the Read more about it section on the menu.

Confidentiality: Caldicott Guardian/IG Lead (Revision)

In 1997 a review was carried out into the use of patient identifiable information in the NHS. This was carried out because there were concerns about how patient information was being handled and transferred. Dame Fiona Caldicott chaired the Caldicott Review. The report set out principles and recommendations for the security of patient information. An important recommendation was that a senior clinician should be nominated in each NHS Trust to act as the Trust's conscience for the uses of patient identifiable information. These senior clinicians are known as Caldicott Guardians.

In independent contractor organisations such as General Practice, Pharmacy, Dental Practice and Eye Care Services, a person, normally the practice manager, will act as the Information Governance Lead and coordinate Information Governance issues, including the Caldicott principles and recommendations.

Confidentiality: Six Caldicott Principles (Revision)

The six Caldicott principles published in the report support the confidentiality and security controls on using patient information. The principles should be used whenever a use of confidential information is being considered, and in particular when there is an intention to transfer confidential information to another organisation:

1. Justify the purpose for using confidential information.
2. Only use it when absolutely necessary.
3. Use the minimum required.
4. Access should be on a strict need-to-know basis.
5. Everyone must understand their responsibilities.
6. Everyone must understand and comply with the law.

If you do not know who the Caldicott Guardian or Information Governance Lead is in your organisation, then you should find out. Detailed guidance about Caldicott Guardians is available in Read more about it.

Confidentiality: NHS Care Record Guarantee (Revision)

The National Information Governance Board is a statutory body which champions the confidentiality and security of health and social care services records, especially records containing clinical and care information. The Board published the NHS Care Record Guarantee in 2005. The Guarantee sets out rules that govern how patient information is used in the NHS. This includes:

- people's access to their own records
- controls, monitoring and policing of staff access to patient files

- options that patients have to limit access
- access in an emergency
- what happens when someone cannot make decisions for themselves.

Confidentiality: Care Record Guarantees (Update)

The Guarantees set out rules governing how patient and service user information can be used.

NHS Care Record Guarantee

An annual review of the NHS Care Record Guarantee for England is carried out by the National Information Governance Board. Everyone who works for the NHS, or for organisations delivering services under contract to the NHS, has to comply with this guarantee as far as they possibly can. A link to further reading is available in Read more about it at the end of this workbook.

Social Care Record Guarantee for England

In addition to the NHS Guarantee, in 2009 the National Information Governance Board published the Social Care Record Guarantee for England. The Guarantee explains to service users how the information they provide to social care staff is used and what control they can have over this. It complements the NHS Care Record Guarantee for England. A link to further reading is available in Read more about it at the end of this workbook.

Confidentiality: The NHS Constitution (Update)

The NHS Constitution was first published on 21 January 2009 and was updated after public consultation in March 2010. It describes the principles of the NHS in England and the rights and responsibilities of patients, public and staff.

One such right is that patients can expect the NHS to keep their confidential information safe and secure. All NHS bodies and private and third sector providers supplying NHS services are required by law to take account of the NHS Constitution in their decisions and actions. The NHS Constitution will be renewed every ten years. A link to further reading is available in Read more about it at the end of this workbook.

A new training module for medical students and junior doctors is being developed for release soon. It will cover the secure handling of confidential information.

UK Law: The Data Protection Act 1998 (Revision)

UK law in the form of the Data Protection Act 1998 governs how organisations may use personal information (about living people), including how they acquire, store, share or dispose of it. The Information Commissioner's Office (ICO) is the UK's independent regulator, set up to uphold the public's information rights by promoting data privacy for individuals (and openness by public bodies). The ICO investigates complaints made by the public and provides guidance for the public and organisations.

Under the Act, organisations that process personal information must notify the ICO (unless they are exempt). The organisation's details are entered on a public register (available on the internet). Failure to notify is a criminal offence.

UK Law: The Data Protection Act 1998 (Update)

There have been some recent changes to enforcement of the Act, and public awareness of the Act is growing.

Strengthening the ICO's Powers

In April 2010, the ICO was given new powers. It can now fine organisations (including Government Departments) and individuals £500,000 for serious data security breaches, such as deliberately or recklessly breaking the data protection principles. The new powers also permit the ICO to carry out spot checks on the data protection practices of Government departments without their permission and without prior notice.

Changes to the Notification Fee

From 1st October 2009 a two-tiered fee structure was introduced. The fee for any organisation with fewer than 250 staff remains at £35. A higher fee of £500 is payable by large organisations. All organisations must notify the Information Commissioner when they propose to process personal data.

The ICO Annual Report

The annual report for 2009/2010 included survey findings about data protection which showed:

- Public awareness. Individuals' awareness of the right to see information held about them is at its highest level ever. 91% of people are now aware of this right.
- Complaints - Health Sector. Of the total complaints received by the ICO on Data Protection matters, the Health sector comprised only 7%.
- Common Complaint. The most common complaints made to the ICO were from people having problems getting copies of information about them from organisations (these are called Subject Access Requests).

A link to the ICO website is available at the end of this document.

Additional Guidance

Guidance for Access to Health Records Requests was published on 19th February 2010. This assists NHS organisations in England through the process of dealing with an access request in accordance with UK law (the common law duty of confidence, the Data Protection Act 1998 and the Access to Health Records Act 1990).

A link to the guidance is available in Read more about it at the end of this workbook.

UK Law: The Freedom of Information Act 2000 (Revision)

Public Authorities (including NHS Trusts, Local Authorities, Dentists, Doctors, Eye Care Services and Pharmacists) are subject to the legal obligations of the Freedom of Information (FOI) Act 2000. Public Authorities have only 20 working days to respond to written information requests. This is the limit set out by law. Speak to your Line Manager if you are unsure about your organisation's procedure for dealing with FOI requests.

The Information Commissioner's Office (ICO) is the independent regulator (for FOI in England and Wales) set up to uphold people's information rights by promoting openness for public bodies (and data privacy for individuals). The ICO investigates complaints made by the public and provides guidance for the public and organisations. The Read All About It section contains a link to the Information Commissioner's Office, which publishes public guidance on how the Act works.

What can be asked for using the FOI Act? (Revision)

People have a right to ask for any information at all - but some information might be withheld to protect various interests which are allowed for by the Act (such as confidential health and social care case notes). If this is the case, the public authority must tell the person who requested the information why it has been withheld. If a person asks for information about him/herself, then the request will be handled under the Data Protection Act instead of the Freedom of Information Act, because the Data Protection Act governs the disclosure of personal information.

FOI Act: The ICO Annual Report (Update)

The ICO's Annual Report for 2009/2010 included survey findings about the Freedom of Information Act which showed:

- Awareness: People's awareness of the Freedom of Information right to request information rose from 75% in 2008 to 85% in 2009. This is shown in the bar chart.
- Reasons for complaints: The sector generating most complaints from the public to the ICO is Local Government. The Health sector comprised only 7% of complaints, while Private Companies comprised 1% (but the Act only applies to a very small number of private companies).

Records Management and Information Quality (Revision)

Public bodies, including the NHS, are subject to legislation covering subjects such as:

- Personal Information. The Data Protection Act 1998, which sets out legal obligations for using personal information, such as making sure it is accurate, kept for no longer than is necessary, and that only the information needed for the intended legal purpose is obtained.
- Public Records. The Public Records Act 1958, which set out a process for preserving public records and giving a public right of access to these records after 50 years (later reduced to 30, then to 20 years). The Freedom of Information Act (covered earlier in this module) replaced those parts of the Public Records Act relating to accessing all records (both current and archived).

Records Management (Revision)

There are also codes of practice supporting these Acts which have been produced by the Department of Health (DH). In 2005 the DH published Records Management: NHS Code of Practice. If you need to find guidelines on the length of time to keep documents relating to NHS patients and NHS organisations, then this is where you will find them. The Code applies to NHS records (hard copy and electronic). The Read more about it section contains a link to the Records Management: NHS Code of Practice.

Information Quality (Revision)

It may seem obvious that information and records must be accurate, but it's not just accuracy that matters.

Right information, Right place, Right time

Accuracy is just one quality that we expect in records. But other qualities are also needed for the information to be useful, e.g. it would be pointless having information which was 100% accurate but wasn't available in time for it to be used. Information is used to make decisions throughout the health sector each day in all sorts of situations. Sometimes this information needs to be extremely high quality, such as quick and accurate test results to help decide a patient's urgent condition and treatment. Other information may be less urgent or the level of accuracy may be less vital, such as an annual national comparison of flu injections for forward planning. Whatever the situation, the right information should be in the right place at the right time - and that needs to be achieved every time.

Poor quality information

Poor quality information is bad for patient care, bad for funding and bad for reputation, e.g.

- Incomplete, inadequately analysed data can lead to serious failures in service.
- Poor demographic data results in duplicate and confused entries on patient record systems.
- Confused patient identity numbers can lead to the wrong patient being treated.

- Inadequate records lead to poorly planned care.
- Poor data results in poor commissioning, monitoring, planning and financing of services.

High quality information

The NHS takes Information Quality very seriously because the consequences can be vital to patient outcomes or, in the case of planning, result in too much or not enough service provision. High quality means:

- Complete
- Accurate
- Relevant
- Accessible
- Timely

A link to the Records Management: NHS Code of Practice is available in Read more about it at the end of this workbook.

Records and Information: NHS Quality, Innovation, Productivity and Prevention (Update)

Investment in the NHS in England in 2010/11 is planned at £102 billion. Roughly £1 of every £13 produced by the UK economy is spent on healthcare, a level that matches most other European countries. Quality information is needed to support the NHS Quality, Innovation, Productivity and Prevention Programme. To meet the increasing demands of an ageing population and increasing costs, the NHS needs to concentrate on improving productivity and eliminating waste while focusing relentlessly on clinical quality and patient safety. So whenever we record information we need to make sure it is of sufficient quality for the primary purpose, e.g. patient care. If it will also be used in an anonymous form for planning, then it must also be of sufficient quality for that too.

Records and Information: Additional Guidance (Update)

A Clinicians' Guide to Record Standards. The Royal College of Physicians (in partnership with NHS Connecting for Health) has developed standards for hospital patient records, approved by the Academy of Medical Royal Colleges. The new standards (accompanied by a two-part clinicians' guide) will improve patient safety by standardising the information held on patients throughout their stay in hospital, reducing the likelihood of mistakes and missing information at admission, handover and discharge. The standards are available from the Royal College of Physicians website in Read more about it at the end of this workbook.

Security (Revision)

Security supports the ability of the organisation to provide a reliable service.

Security Measures

Security measures protect business assets (staff, buildings, equipment and information) against dangers (such as physical attacks, floods and fires, theft or failure of equipment). If the level of danger is not acceptable to the organisation, then measures need to be put in place to reduce the danger - or reduce the impact that it would cause to the organisation. The measures can be grouped into three types:

- Physical Measures
- People Measures
- Electronic Measures

Key Principle

A key principle is to overlap security measures whenever possible, to avoid situations where only one measure protects against the danger.

Overlapping is good practice as it avoids total reliance upon a single measure that may fail, e.g. an outside security door (a physical measure) may be left open by staff, but security staff carrying out routine checks (a people measure) at the end of the day discover the open door and secure it before anything is stolen. The open door needs to be reported as a security incident or it may happen again, and next time the security staff may not notice it.

Organisational Responsibility

The security measures in your work area are part of the overall plan to ensure adequate security is in place. Your organisation may spend lots of money ensuring computers can be locked by pressing a few buttons on the keyboard and that a password is needed to log back in, but these measures have no effect if passwords are written down and left in the desk drawer, or an encrypted memory stick holding sensitive information has the password taped to the stick.

Security Is Everyone's Responsibility

Security is not the sole responsibility of a duty manager, security staff or a cleaner who may be left to lock up on his/her own. Employees are each responsible for their own actions and for complying with the security measures put in place by their employer; failure to do so can lead to disciplinary measures and legal action. We all need to make sure that we take security seriously, such as making sure:

- we discuss confidential information out of earshot of others
- if we need to send or take confidential information to another place, then we do so securely
- we consider the security risks in our work area and what measures are in place, or could be in place, to reduce those risks.

Reporting Incidents and Security Weaknesses

An important element of security is the reporting of incidents and weaknesses. We all can and must report problems that we see. You are the expert in your work area in noticing potential problems, such as doors or windows that don't lock properly or confidential waste put in office waste baskets instead of being properly disposed of. We all have an obligation to act responsibly and to know what our local policy is and the procedures for reporting. Early intervention will help minimise impacts and ensure corrective actions are taken swiftly.

Managing Information Risks

In large organisations like an NHS Trust, each important information system that the organisation relies upon is 'owned' by a senior manager called an 'Information Asset Owner'. The system (or asset) may be a computer system, an MRI scanner or even an operating theatre. The asset owner is responsible for making sure the asset is protected against threats. Asset owners report to a Board level member (known as the Senior Information Risk Owner) who has been appointed in each Trust to be accountable for, lead and co-ordinate the management of 'Information Risks'. Issues of concern should be reported to ensure that these individuals are made aware of possible weaknesses and can do something about them. A link to the NHS Information Risk Management web pages is available in Read more about it at the end of this workbook.

Security: Data Security Breaches (Update)

On 28 May 2010, the UK Information Commissioner's Office published details of the 1007 data security breaches since late 2007. Can you guess which category was the major cause of breaches?

- Information disclosed in error
- Lost data/hardware
- Information lost in transit
- Stolen data or hardware
- A technical or procedural failure
- Breach arising from non-secure disposal

The highest number of breaches involves stolen equipment, for example laptops and memory sticks. Another common reason is where information has been disclosed in error, which often happens when automated machinery is incorrectly used and letters are sent to the wrong addresses. Stolen data/hardware, Lost data/hardware and Disclosed in error feature highly across several sectors, including the private sector, local government, the NHS and other public sector bodies.

Security: NHS Data Security Breaches (Update)

Of the 1007 security breaches reported to the ICO, 305 were reported by NHS organisations. The NHS is the UK's largest employer, with over 1 million staff. NHS rules require that all serious breaches be reported to the ICO; other sectors have no such requirement, so the actual number of breaches in other sectors may be significantly higher than the number reported. You can see that:

- the stolen data/hardware column shows 116 breaches;
- the lost data/hardware column shows 87 breaches.

Together, the loss and theft of data/hardware accounted for 203 breaches, which is 67% of the 305 NHS security breaches reported since 2007.

Security: Everyone's Responsibility (Update)

All employees have a duty to maintain confidentiality and security. Basic measures we can take to reduce breaches are:

Encryption - Ensure patient and other sensitive data is encrypted if held on portable computing devices such as laptops or memory sticks (this is a mandatory NHS measure).

Secure passwords - Use the security measures that are in place to protect information, such as encrypted memory sticks, your computer login and PIN numbers for door locks. Avoid using passwords which are easily guessed or known to others.

Reporting incidents and security weaknesses - Every organisation needs to be aware of and learn from incidents so that steps can be taken to prevent them happening again. The same applies to reporting security weaknesses: we do not need to wait until an incident happens. Early reporting can avoid the incident happening in the first place.

Eavesdropping - Be careful that your conversations are not overheard by people who do not need to know.

Check automated mailing - Ensure that mail merge and automated mailing machinery is used correctly and that quality controls identify problems before letters are sent out.

Email - Ensure you know who you are sending information to before you press send. Check the address if you are unsure.

Mail - Ensure you are using the most up-to-date and confirmed address details.

Fax - Confirm the number, and that someone is there to receive the fax, before pressing send.

Telephone security - Confirm the identity of the caller and justify the need to disclose confidential information to them before doing so.

Training - Make sure that you and your colleagues are aware of information governance. Always consider the dangers in your work area and what measures are in place, or should be in place, to reduce those dangers.

Security: Additional Training

The NHS has its own online training, which is available to over one million NHS staff at no cost to individuals or their organisations. If your colleagues are not aware of it, let them know! There is more training and guidance available for you, covering a number of issues.

Business Continuity Management (BCM) - This is a foundation-level module designed to provide staff awareness of business continuity, focusing on ways to address the continuity of information assets as a core component of an organisation's overall approach to business.

Information Security Management - Robust information security management arrangements are needed for the protection of patient records and information services generally. This new foundation module is aimed at newly appointed staff and those needing to know a little more about the role of ISM.

Secure Handling of Confidential Information - A new module covering this topic is in development, suitable for Medical Students and Junior Doctors (due for release in 2011).

You can link to the IG Training Tool website from the Read More About It section, but you should register first to be able to log on and view these modules. If you are already logged on, you just need to return to the learning tool page.

Short Message Service (SMS) & Texting - Guidance was published in May 2010 and provides NHS organisations with a general awareness of the risks associated with Short Message Service (SMS) and texting that could affect the effectiveness of local services. You can find a link to this guidance in the Read More About It section.

Maintenance and Secure Disposal of Digital Printers, Copiers and Multifunction Devices - Guidance was published in July 2010 to provide NHS organisations with a general awareness of the risks associated with the maintenance and disposal of digital printers, copiers and multifunction devices (such devices commonly retain copies of scanned and printed documents on internal storage, which must be wiped before the device leaves your control). You can find a link to this guidance in the Read More About It section.

NHS Information Governance: Guidance on Blogging and Social Networking - Guidance was published in December 2009. You can find a link to this guidance in the Read More About It section.

Summary

Information Governance Standards

The Data Handling Review set out measures across Government to improve the protection of personal information. The NHS Operating Framework demonstrates the NHS's commitment to improving awareness and best practice around information governance. The measures include:

- improving the security of information by strengthening the management framework;
- using encryption to protect data;
- making training mandatory for all NHS staff.

Confidentiality

The NHS deals with vast amounts of confidential information, which needs to be protected but also easily available to authorised staff. Balancing security and availability is difficult, but it can be made easier if all staff understand what information is confidential and how it must be handled in care settings. 'Confidential' information is defined in law, NHS regulations and professional ethics. The Caldicott Review sets out 6 principles for the use of patient identifiable information. The NHS Care Record Guarantee sets out the rules that govern how patient information is used. The NHS Constitution records that patients have the right to expect the NHS to keep their confidential information safe and secure.

UK Law - The Data Protection Act 1998

The Information Commissioner is the regulator charged with making sure that personal information is used lawfully. From April 2010, the Information Commissioner's Office has the power to fine individuals and organisations up to £500,000 for serious breaches of data protection. The Commissioner's annual report shows that the health sector is responsible for about 7% of the complaints it receives. These complaints include difficulties in getting copies of health records, inaccurate information and improper disclosure of information.

UK Law - The Freedom of Information Act 2000

The health sector is subject to the legal obligations of the Freedom of Information Act 2000, which applies to all Public Authorities. This law gives anyone the right to ask an NHS organisation for any recorded information it holds (subject to the Act's exemptions), and every request must be responded to within 20 working days. Public awareness of this right has now reached 85% of the population, so requests for information are likely to continue increasing. NHS organisations must have processes in place to deal with requests within the legal time limits.

Records Management and Quality Records

Decisions affecting care must be based on high quality information. This applies to the direct care of patients as well as to information used to support service management and planning. Information has enormous value in care, but only if it has the right qualities: the Right information in the Right place at the Right time. High quality information is:

- Complete
- Accurate
- Relevant
- Accessible
- Timely

Security

Security measures protect business assets from dangers such as assaults against staff and theft of equipment. A key practice is to mix and overlap the types of measures:

- Physical measures
- People measures
- Electronic measures

Security is everyone's responsibility. We all have a part to play in maintaining good security and in reporting incidents and weaknesses. Lost and stolen computers are the major causes of security breaches in the NHS. Encryption prevents compromise of confidential information, but only as long as the password or key that unlocks the encryption is kept safe: a strong passphrase that is not written down, not stored with the device and not shared with others.

Read More About It

The following resources give more information:

- Revision to the NHS Operating Framework for 2010/11
- The NHS Constitution for England
- NHS Care Records Guarantee
- Social Care Record Guarantee for England
- Confidentiality: NHS Code of Practice
- NHS Caldicott Guardians
- Guidance for Access to Health Records Requests
- Data Protection Act 1998
- Information Commissioner's Office
- Freedom of Information Act
- The Records Management NHS Code of Practice
- Royal College of Physicians (RCP)
- Information Security Management: NHS Code of Practice
- NHS Information Risk Management
- NHS Connecting for Health Information Governance Website
- Short Message Service (SMS) and Texting
- Maintenance and Secure Disposal of Digital Printers, Copiers and Multi Function Devices
- NHS Information Governance: Guidance on Blogging and Social Networks