General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or if national policy or legislative changes are made.

1. FUNCTION

NHS Fife and the Health and Social Care Partnership relies increasingly upon Information Technology and Digital Services to deliver patient care. The interdependencies between the elements of the IT infrastructure are complex and the results of changes made to one element may have serious consequences for the others.

The uncontrolled implementation of changes to NHS Fife's digital systems and IT infrastructure utilised to perform its core business functions presents a significant risk to NHS Fife and the Health and Social Care Partnership. Changing system requirements, resolution of known issues, implementation of new services and routine maintenance all require appropriate Change Management.

Change Management is an operational function that ensures the stability of systems and IT infrastructure by; the identification and mitigation of associated implementation risks and the minimisation of disruption to NHS Fife's operations, consequently improving the services and service levels provided to the organisation.

Change management also acts as an enabler by supporting and facilitating the implementation and delivery of projects with IT dependencies driven by any NHS Fife delivery programme.

NHS Fife has adopted a change management policy following the industry best-practice standards of ITIL – the IT Infrastructure Library, with a risk-based approach.

This policy outlines the IT Change Management process, including its roles and accountabilities. The policy covers all IT based systems or services regardless of department. Breaches of policy will be recorded as a Datix Incident and reported to the Information Governance & Security (IG&S) Steering Group.

2. LOCATION

This policy includes all IT related infrastructure, applications, or systems upon which any department or service within NHS Fife relies upon in order to perform their normal duties, including the Health and Social Care Partnership. The Digital and Information (D&I) department is the custodian of IT Change Management, but Information Technology is a function which spans the entire organisation, and any area could introduce IT related change.

All changes to any of NHS Fife's IT related systems are required to follow the established “IT Change Management Process”, to ensure the mitigation of associated risks and minimise disruption to business-critical services.

3. RESPONSIBILITY

3.1 SIRO (Senior Information Risk Owner)

The SIRO takes ownership of the organisational risks associated to Information Assets and acts as an advocate for information risks to the Board, providing advice to the Chief Executive as Accountable Officer. The SIRO is ultimately responsible to the Board for Information Asset Risk and the corresponding information asset policies, management, and governance. Information Asset changes, which in the context of this policy may be subject to SIRO interest, are as follows:
- Changes to the availability of information outside of the organisation.
- Changes which pose significant risk to the availability of information within the organisation.
- Fundamental changes to the logical or physical security of information assets.
- Fundamental changes to the business continuity capability, or changes which pose significant risk to the organisation’s ability to invoke the disaster recovery of information assets.

3.2 Associate Director of Digital & Information

The Associate Director of Digital & information is responsible for the provision of formal assurance concerning the Information Assets managed by the Digital & Information (D&I) department, directly or via subcontractors.

3.3 Change Owner (Project Manager or Senior Stakeholder)

The change owner, normally the change requester, is accountable for the request for change (RFC) and managing the delivery of the change as a project, whilst minimising associated risks.

The change owner may also be the senior stakeholder involved in purchasing the system or solution who must fully engage with the Change Management Procedure before placing any order for IT equipment, or equipment which requires IT infrastructure or services to function.

The change owner must ensure projects under the IT delivery programme follows this policy in relation to any changes associated with its implementation. They must follow the IT Change Management Procedure and related best practices.

The change owner must arrange the resources required for the change to happen and ensure successful delivery of the project by covering; planning, scheduling, risk analysis, implementing, communicating, testing, training, and user acceptance, amongst other project management duties.

From the Business Management perspective, the change owner is responsible for ensuring adequate allocation and management of the budget required to deliver a particular change or series of changes, and to provide visibility of financial risks associated with changes.

It is the responsibility of the change owner to ensure the information asset is not in use, including any new processing of information, until the legal basis for such processing is identified by the Data Protection Office as part of the initial asset registration process or any following updates as needed according to the RFC.

It is also the responsibility of the change owner to ensure that the Information Asset Register (IAR) is updated correctly following any changes or additions.

3.4 Head of Digital Operations

The Head of Digital Operations is responsible for the management of the actual implementation of changes in the IT Infrastructure and any subsequent incidents and problems associated with the IT infrastructure, particularly in the production environment. The Head of Digital Operations is also responsible for ensuring that all NHS Fife staff are aware of the Change Management Policy and Procedures and that Change Management Process is followed.

The Head of Digital Operations must ensure changes are implemented according to this policy considering the NHSS Information Security Policy Framework where applicable.

3.5 Information Security Manager

The Information Security Manager acts on behalf of the Data Protection Officer in, providing advice, monitoring, and auditing the security and governance of information assets.

The Information Security Manager is representing the Data Protection Officer, who is by law in a position to perform their duties and tasks in an independent manner, including:
- Monitors completion of information risk assessments and the registration of information assets, ensuring they are documented.
- Informs and advises the organisation on how to carry out the change in compliance the regulations and legislation, with regards to information assets.
- Cooperates with supervisory authorities in the event information assets are not compliant or breach current legislation (e.g. implemented changes breach data protection act in terms or privacy or insufficient security controls).
- Ensures that compliance with the Network and Information Systems (NIS) Directive and the UK General Data Protection Regulation (GDPR) is achieved and that a Data Protection Impact Assessment can be completed if required.

3.6 IT Change Manager

The Change Manager is accountable for the overall process operation, including monitoring the process to identify and rectify issues and remove bottlenecks. The Change Manager also chairs Change Advisory Board (CAB) meetings, manages CAB approvals, and performs the tasks related to updating the RFC records, categorisation and reporting of change metrics.

Where the Change Manager becomes aware of a deviation to this policy a Datix incident will be logged.

The appointed Change Manager is the owner of the Change Management process and primary contact. When unavailable, the Head of Digital Operations or their deputy would take responsibility over the role or designate another member of the D&I Operations team.

3.7 Digital Change & Transition Specialist

The Digital Change & Transition Specialist is responsible for the day to day running and execution of the Change Management Process. This includes, but is not limited to:
• Organising and administering the Change Advisory Board.
• Supporting the Change Manager with matters relating to ensuring smooth and safe change and transition.
• Advising and supporting change owners to enable correct navigation of the process.
• Maintaining all documentation and records regarding the consistent management of change and transition.

3.8 Infrastructure Lead(s) / System Manager(s) / Technical Owners

For each element of the IT infrastructure (e.g., system, network) within the scope of this process, Infrastructure Lead(s) / System Manager(s) are accountable for continued operation in the live environment.

The Infrastructure Lead(s) / System Manager(s) are required to take part in the assessment of all RFC’s affecting any service and will also be accountable for authorisation of those RFC’s when required.

Where an Infrastructure Lead(s) / System Manager(s) is sponsoring an RFC, they may be part of the approval process but not approve without oversight from a peer or the CAB.

Infrastructure Lead(s) / System Managers(s) must contribute to the risk assessment by identifying the technical threats, vulnerabilities and controls associated to the asset(s) affected by the change.

Infrastructure Lead(s) / System Managers(s) are responsible for providing the necessary technical description of the asset required for the registration of the asset.

3.9 Change Advisory Board (CAB)

The Change Advisory Board reviews all significant changes in regard to their planned implementation (as detailed in the IT Change Management Procedure) and provides a rigorous assessment of the proposed change. The CAB considers business and technical risks, the compliance with existing policies and procedures, the impact on the live environment, and the benefits associated with the RFC amongst other criteria. The CAB also provides feedback as per the Forward Schedule of Changes (FSC), ensuring resources are available and allocated, coordinating the change window to minimise disruption to services.

3.9.1 Based on the aforementioned assessment, CAB members advise the IT Change Manager whether the change should be approved or, they will recommend modifications to the proposed plans in order to meet organisational requirements.

3.9.2 The fixed membership of the CAB includes:
• IT Change Manager
• Deputy Head of Digital Operations
• Change & Transition Specialist
• Infrastructure Manager (Core)
• Infrastructure Manager (Endpoint)
• Infrastructure Manager (Network & Telephony)
• Application Services Manager
• Application Support Manager
• Application Development Manager
• Application Delivery Manager
• Digital Resilience Manager
• Service Delivery Manager
• Cyber Security Manager
• Corporate Records Manager
• Information Security Manager
• Information Governance Manager

3.9.3 The non-permanent membership of the CAB includes the following, dependent on the type of change in question:
• Change Owner
• Programme /Project manager
• Support Team Leader(s)
• Primary Care IM&T Advisor
• Information Asset Owner
• IG Assurance Manager
• Infrastructure Lead(s) / System Manager(s) / Section Managers
• Labs / Radiology IT Managers
• Other Managers / Key users
• Technical Consultants / Engineers (internal or external)

3.9.4 To conduct and complete a CAB meeting or consultation, and in the event of fixed members being unavailable, their respective line managers can make a decision on their behalf. The members required to make a CAB decision are subject to the discretion of the IT Change Manager, and there is a minimum quorum that should be contemplated of at least three members.

3.10 Emergency Change Advisory Board (ECAB)

When urgent significant changes arise (as per the IT Change Procedure) there may not be time to convene the full CAB. This includes positive indication that the change falls into one or more of the 3 criteria listed in the Change Management Procedure as requiring the emergency change process to be invoked:
a. Delaying action will seriously affect the delivery of an essential service.
b. There will be a serious impact on the business unless the change is made.
c. There is a serious disruption to essential services and a change is needed to restore service.

In these cases, an Emergency Change Advisory Board (ECAB) can be assembled by the IT Change Manager or the CAB deputy chair or Change & Transition Specialist.

Members of the ECAB should be identified, with the authority to make emergency decisions; and these may vary depending upon the different criteria related to the change in question.

The members required to make an ECAB decision are subject to the discretion of the IT Change Manager where possible. During normal working hours a minimum quorum should be contemplated of at least three members. Out of hours, the duty on-call Manager will authorise emergency changes.
If the risks associated to the proposed emergency change are high, or the impact of its implementation is deemed to be of magnitude, the Associate Director of Digital & Information or appointed deputy should be engaged in the authorisation of emergency changes.

The CAB agenda prompts the review of emergency changes including the reasons for changes that have been processed as such but do not meet the criteria for invoking the emergency change procedure, analysis of these reasons and a conclusion regarding what needs to be done to avoid inappropriate use of the emergency change process in future.

3.11 Service Stakeholders

For each service within the scope of this process, the key stakeholders should be identified with help from the Change Owner. This allows those stakeholders the opportunity to provide an assessment of any risks or impact from their perspective, and any other relevant feedback. The process should ensure these stakeholders are notified of any changes which may affect key services NHS Fife provides (e.g., system outage, service disruptions, hardware/software upgrades, etc.).

3.12 Urgent approvals

In the event that a CAB/eCAB cannot be assembled within reasonable notice or the change is urgent, the Head of Digital IT Operations or deputy (on call for D&I is deputising out of hours) in consultation with any appropriate peers can deal with urgent change approvals, or delegate that responsibility as explained in the CAB section. The Associate Director of Digital & Information or deputy can also deal with urgent requests. The ultimate responsibility for Information Assets lies with the SIRO, who should be advised of urgent approvals if risk and impact on Information Assets is considered high.

4. OPERATIONAL SYSTEM

The operational system and application of this policy is detailed in the IT Change Management Procedure for normal non-emergency changes and is formalised in a separate document. The latest version of which can be located on the D&I document repository and available on NHS Fife’s website.
In turn, the operational system for urgent/emergency changes is formalised in the Emergency Change Procedure.

The IT Change Management Process provides assurance that standardised methods and procedures are used for efficient and prompt handling of all changes. A formal process of recording, assessment, authorisation, scheduling, and comprehensive communications is in place for all changes. This is done to minimise the impact of change-related Incidents upon service quality, and consequently to improve the day-to-day operations of the IT services that NHS Fife provides.

Change Management also aims to provide NHS Fife with the ability to rapidly adapt to NHS Fife's requirements as they change, increasing its ability to ensure a customer focused operation is maintained at all times, while minimising disruption to key D&I systems and services.

5. RISK MANAGEMENT

5.1 The NHS Fife approach to Change Management relies on a Risk and Impact Management based approach. To comply with that, all changes must:
• Be properly documented as per the IT Change Management Procedure
• Be submitted for approval following the IT Change Management Procedure.
• Meet an agreed business need or fulfil a business case
• Be assessed for impact, risk and priority.
• Risks associated with Information Assets should be considered in line with the

NHSS Information Security Policy Framework for risk assessments. Advice should be sought from the SIRO or the Information Security Manager where appropriate.
• A back out plan should be produced, in case the change implementation has unforeseen consequences
• Where possible and proportionate be tested in advance
• Require approval in advance of implementation into the live environment
• Follow a communications protocol as per the IT Change Management Procedure.
• Have the supporting documentation updated to reflect the change (this includes end-user guidelines, technical documentation, service desk scripts and escalation protocols, service level agreements, and any other relevant service support documentation)
• Once implementation is complete, a review must be carried out

5.2 Only in exceptional circumstances may urgent/emergency changes be fully recorded and documented in retrospect as per the IT Emergency Change Procedure.

With regard to the relationship between NHS Fife and the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the effectiveness of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with:
• Legislation that affects NHS Fife;
• Implements its policies, procedures and guidelines with respect to access, use or disclosure of its information.

6. RELATED DOCUMENTS

• Appendix 1 - Service Now - Change Process and user Guide for Raising CRs
• Appendix 2 - Change Crib Sheet
• GP/I6 IT Change Management Procedure
• NHSS Information Security Policy Framework
• GP/I5 Information Security Policy

7. REFERENCES & GLOSSARY

IT: is an abbreviation for Information Technology and is used as a collective term to describe all systems and services associated with computers and data networks.

ICT: is an abbreviation for Information and Communications Technology, an umbrella term that includes any communication device or application, encompassing; phones, computer and network hardware and software, as well as the various services and applications associated with them, such as videoconferencing and distance learning.

ITIL: The IT Infrastructure Library is a collection of internationally recognised best-practices for delivering IT Services, covering all aspects of service provision, quality assurance, and providing a framework which allows customisation of internal processes.

Change Management: One discipline within the ITIL process framework which has the aim of ensuring appropriate controls are placed around changes to IT Systems and Services to mitigate risks, ensure stability, provide responsiveness to changing organisational requirements and minimise service disruption.
CAB: The Change Advisory Board. As can be inferred from the name, this body has no governance role, but is tasked with advising the IT Change Manager and Service Stakeholder of the perceived impact of a requested change. This body is made up of fixed and resident members representing all major core ICT Services and teams. The CAB incorporates other required stakeholders depending on the nature of the RFC being assessed.

ECAB: When urgent/emergency significant changes arise there may not be time to convene the full CAB. For these cases an Emergency Change Advisory Board (ECAB) should be assembled and provided with the authority to make emergency decisions. Membership of the ECAB may vary, depending upon the different criteria relating to changes.

RFC: Request for Change – is a paper or electronic form which contains all the required information for the process to be started, initiating the Change Management process.

GDPR: The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).

NIS: Network & Information Systems (NIS) the Security of Network & Information Systems Regulations 2018 (aka NIS Regulations or Directive) provide legal measures to boost the level of security (both cyber & physical resilience) of network and information systems for the provision of essential services and digital services.

Civil Contingencies Act 2004: Is an Act of the Parliament of the United Kingdom that establishes a coherent framework for emergency planning and response ranging from local to national level. It also replaces former Civil Defence and Emergency Powers legislation of the 20th century.