Offshore and Internet Connection Addendum to the. Data Sharing Agreement. Version 1.3

Transcription

1 Offshore and Internet Connection Addendum to the Data Sharing Agreement Version 1.3

2 Document Control Owners IEP User Group Author Steve Jessop Document Preparation Date Version Author Comment 11/01/ Initial Draft 21/03/ IEP User Group First Issue 17/04/ Sally Jasper Updated to Include Internet Connectivity 12/06/ Stephen Updated to reflect Burnbank s role as data Jessop processor following feedback from IEP UEG 14/04/ Stephen Jessop Added transferring organisation signature field Document Review Date Version Reviewer Role Status 14/03/12 V0.1 IEP User Group 21/03/12 V1.0 IEP User Group 17/04/12 V1.1 IEP User Group 12/06/12 V1.2 IEP User Group 14/04/13 IEP User Group IEP User Group First Issue First Issue Documents Approval Date Version Approver Role Status 14/03/12 V0.1 Draft for Review 21/03/12 V1.0 IEP User Group First Issue 17/04/12 V1.1 IEP User Group 12/06/13 V1.2 IEP User Group 14/04/13 IEP User Group Related Documents Document Document Title Approved Version Page 2 of 10

3 reference number IEPUGDS A1 IEP Data Sharing Agreement Data Sharing Agreement Guidance Current Current Glossary of Terms/Acronyms Term Acronym Definition Offshore A location outside of the borders of England without access to the NHS N3 network Page 3 of 10

4

5 Contents 1.1. Introduction Audience Review and monitoring of this Offshore Addendum to the Data Sharing Agreement Key Contacts Signatory Organisations utilising the IEP for sending data offshore Responsibilities of Signatory Organisations Offshore Organisation Details Technical Solution Service Levels and Performance...10 Page 5 of 10

6 1.1. Introduction: This document must be read in conjunction with The IEP Data Sharing Protocol (IEPDSA) (ref IEPUGDSA1) and outlines the approach followed by the signatory organisations engaged in utilising the Image Exchange Portal for sending data offshore or outside of the N3 network. The Offshore Addendum to the Data Sharing Agreement aims to ensure that the signatory organisations are aware of their responsibility for protection of Patient Identifiable Data (PID) when transferring data offshore or outside of the N3 network. All existing members of the IEP Healthcare Community will be made aware of all connections permitted to the IEP for organisations operating from or sending to countries outside of England via (nww.iepservice.nhs.uk) or outside of the N3 network so that if required their own end to end risk assessments can be carried out. Organisations within the existing IEP Healthcare Community will not automatically have access (send or receive) to offshore organisations or organisations outside of the N3 network. Access to the specific offshore organisation/organisation outside of the N3 network named in this Addendum will be restricted to the signatory organisation. The NHS CFH Information Assurance Working Group (IAWG) having reviewed the design of the additional architecture required within the IEP to enable offshore connectivity and have confirmed that there were no implications that they need to investigate from a governance perspective. The IEP is designed to ensure the data is secure and in compliance with the Data Protection Act 1998 only during the data transfer, It is the responsibility of the referring organisation to ensure that it has obtained the relevant patient consent and to ensure that the recipient organisation complies with the Data Protection Act Audience This Addendum to the Data Sharing Agreement should be made available to all personnel across the IEP Healthcare Community who are stakeholders in the data-sharing mechanisms and processes defined within this document. It is recommended that as a minimum this should include: - Chief s - Senior Responsible Officer (SRO) - Senior Information Risk Owners (SIRO) - Caldicott Guardian - NHS Information Governance Leads - PACS Clinical Leads - IM&T Manager/Director - PACS Project Manager - PACS/RIS Manager - PACS Technical Lead - Systems Providers - System Users 1.3. Review and monitoring of this Offshore Addendum to the Data Sharing Agreement This Addendum shall be reviewed on a 12 monthly basis in conjunction with the IEPDSA, by the IEP User Group to ensure its continued adherence to relevant NHS CFH/DH Policy and Legislation. Page 6 of 10

7 The IG Leads within each participating organisation shall periodically monitor the data-sharing activity covered by the Offshore Addendum in conjunction with the IEPDSA, including a review of: - Organisations engaged in utilising the Image Exchange Portal for sending data offshore - Processes and procedures to ensure they are being adhered to. - The technology implemented to ensure it is working as documented. - The access controls and audit logs to ensure the system is being used in accordance with this protocol. All findings will be documented and made available to all participating organisations and any non-conformance will be reported to the Caldicott Guardians and Chief s for action. Page 7 of 10

8 2. Key Contacts Role Contact Telephone Chief Radiology Contact IEP Administrator Caldicott Guardian Information Governance contact Risk Management contact PACS Manager / Administrator PACS Manager / Administrator Out of Hours contact The content of the above table is available from Burnbank for use by any participating organisation in such that any participating organisations are able to find contacts for all participating organisations Page 8 of 10

9 3. Signatory Organisations utilising the IEP for sending data offshore. Details of the organisations utilising the IEP for sending data offshore or outside of the N3 will be made available upon request. 4. Responsibilities of Signatory Organisations. Prior to an organisation utilising the IEP for sending images and/or reports containing Patient Identifiable Data offshore or outside of the N3 network, they must: Undertake a full risk assessment ensuring mitigating controls are put in place. The risk assessment must include verifying that the offshore organisation has appropriate security arrangements in place (it is recommended that these are independently verified). The clinical requirement to share images and/or reports with an offshore organisation must be authorised on an individual user and user case basis by the Caldicott Guardian or a delegated representative of the Signatory Organisation Ensure the Data Protection Act and relevant DH guidance is adhered to. Complete Section 5 (Offshore Organisation details) of this Document and ensure a process is in place to notify Burnbank of any changes to the contact details within this section. Put processes in place to ensure that any changes undertaken by the offshore organisation/organisation outside of the N3 network which may alter any of the above are notified to the Signatory Organisation for action as appropriate. 5. Offshore Organisation Details. Organisation Name Address PDR, Cardiff Metropolitan University 200 Western Avenue, Llandaff Cardiff, UK CF5 2YB Role Contact Telephone Senior Contact with Antony Chapman the organisation Clinical Contact Dominic Eggbeer IEP Administrator Deryck Jones Information Governance contact PACS Manager / Administrator Out of Hours contact John Cappock N/A N/A 6. Technical Solution Page 9 of 10

10 The NHS CFH Information Assurance Working Group (IAWG) technical specialists reviewed the design of the additional technical architecture required to add an Internet connection to the Image Exchange Portal (required for offshore connectivity and organisations to connect outside of N3) and found it acceptable. In addition IAWG confirmed that there were no implications regarding offshore connectivity/connections outside of the N3 network that they needed to investigate from a governance perspective. 7. Service Levels and Performance By signing up to this protocol each organisation recognises that the transfer times to and from IEP are dependent upon the bandwidth availability on the Internet. As a consequence, and in line with all image transfer solutions using the Internet, although the performance of the IEP will be monitored by the service provider (Burbank), and Burnbank s Internet connection capacity reviewed accordingly, the response and delivery times cannot be guaranteed. It is the responsibility of the National IEP User Group to review services levels and report to the IEP users. Page 10 of 10