IP-PGN-14 Part of NTW(O)05 Incident Policy

Transcription

1 Incident Policy Practice Guidance Note Information Governance Incident Reporting Management V01 Date Issued Planned Review PGN No: Issue 1 October 2014 October 2017 IP-PGN-14 Part of NTW(O)05 Incident Policy Author / Designation Responsible Officer / Designation Information Governance Risk and Compliance Manager Executive Director of Performance and Assurance Contents Section Description Page No. 1 Introduction 1 2 Identifying Information Governance Incidents 1 3 Flowchart showing Information Governance Incident Reporting and Review Process during Normal Working 2 Hours 4 Reporting of Information Governance Incidents 3 5 Information Governance Incidents where further Investigation is required 4 6 Incident Management Group 6 7 Rating of Information Governance Serious Incidents 7 8 Information Governance Incidents rated Level 2 and above 8 9 Information Governance incidents rated Level 1 and below 8 Appendices listed separate to PGN Appendix 1 Appendix 2 Appendix 3 Appendix 4 Appendix 5 Appendix 6 Appendix 7 Serious Incidents Requiring Investigation Breach Types Defined Guidance Notes for Completing IR1 Form Template for Non-clinical Incidents Serious Incident Review Report Proforma Template for Assessing the Severity of IG Incidents Serious Incident Review Action Plan Template Table 1 Template Level 2 IG SIRI s Annual Report Table 2 Template Level 1 IG SIRI s Annual Report

2 1 Introduction 1.1 All Health, Public Health and Adult Social Care services must ensure that all Information Governance Serious Incidents Requiring Investigation (IG SIRI s) are reported and handled effectively. 1.2 From 1st June, 2013 the organisations which process health and adult social care personal data are required to grade all IG SIRI s using the criteria implemented by the HSCIC. All IG SIRI s graded Level 2 and above must be reported through the IG Toolkit Incident Reporting Tool. This information will then be accessed by Department of Health, Information Commissioners Office (ICO) and other regulators. 1.3 To assist and support organisations with this process, guidance has been issued by the Health and Social Care Information Centre (HSCIC). 1.4 The content of this Practice Guidance Note reflects the guidance issued by the HSCIC and the purpose of this Practice Guidance Note is to inform Trust staff on how all Information Governance Incidents should be reported and handled within the new framework. 2 Identifying Information Governance Incidents 2.1 There is no simple definition of an Information Governance (IG) Incident. IG Incidents will involve service user / carer / staff or third party information held on various media such as paper, computers, digital recordings and images. Serious IG Incidents may clearly be identifiable from the outset because of the type of breach, but the severity of some incidents may not be fully established until further investigation work has been carried out. 2.2 As a guide, an IG Incident can be: Any incident which involves actual or potential failure to meet the requirements of the Data Protection Act 1998 and / or the Common Law of Confidentiality; This includes an unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data, information security breaches and inappropriate invasion of people s privacy; Such personal data breaches which could lead to identity fraud or have other significant impact on individuals; Applies irrespective of the media involved and includes both electronic media and paper records. 2.3 A full list of breach types and examples can be found as Appendix 1 in this Practice Guidance Note. If staff need any assistance in identifying a IG breach they should contact the IG or the Caldicott Teams for advice. 2.4 However if a breach occurs and there is uncertainty that it is an IG Incident, the service should contact the IG Team / Caldicott and Legal Affairs Team for advice and support. 1

3 3 The following Flowchart shows the Reporting and Review Process for Information Governance Incidents during Normal Working Hours Reporting of Information Governance Incidents. 4 Reporting of Information Governance Incidents 4.1 Once an incident has occurred and the situation stabilised, the incident should be reported in line with the IP-PGN-01 Incident Reporting and Management by the Service where it occurred. The Service / Directorate 2

4 Manager should contact the Information Governance (IG) Team or the Caldicott and Legal Affairs Team for advice and support. 4.2 The Service / Directorate Manager should complete an IR1 Form and submit it to the Safety Team for inputting into the Safeguard Risk Management System. The IR1 should contain all following information: Details of the person affected; Nature of the incident; Nature of information involved. (i.e. Clinical appointment letter etc.); Number of persons potentially affected. (i.e. Service Users / carers / Staff, etc.); What remedial action has been taken?; If a document / letter has been sent to the incorrect recipient what steps have been taken to retrieve it? 4.3 The IR1 should also describe what remedial action was taken to reduce the impact of the breach and what action will be taken to ensure it does not occur again. The IR1 should contain all following information: Steps taken to notify persons potentially affected. (i.e. Apology given); Details of any after action review whether informal or formal; What procedures have been put in place to ensure type of incident does not reoccur; How has this action been communicated to the relevant people?; Is there an HR process being instigated / implemented?, 4.4 It is of vital importance that the correct information is completed on the IR1 Form as it is the basis of the investigation work carried out by the IG Team and may impact on the rating of the incident under the HSCIC Guidance. Please refer to Appendix 2, Guidance for the Completion of the IR1 Form. 4.5 If the breach has resulted in person identifiable information being sent to the wrong individual, then all efforts must be taken by the Service / Directorate to ensure that the information is retrieved. 4.6 In all incidents where personal information has been breached then the person affected, should be contacted by the Service / Directorate, informing them of the breach, an apology given and provided with details of how to make a complaint through the Trust s complaints process. 3

5 4.7 If, however, the disclosure of the breach would have an adverse effect on the person concerned, then a clinical decision to withhold the information may be taken. However, this should be documented clearly in the patient s records and clear justification must be given for the patient not being informed. 4.8 Once the incident has been reported it is assigned an incident number from the Safeguard Risk Management System and any further information collected should be entered onto that system. The incident will then appear on the Information Governance Weekly Report Open Cases and the Information Governance Detailed Daily Report. 4.9 The IG Team will go into the Safeguard Risk Management System and add in any additional information about the incident they have collected. Based on the information provided, the Team will then provide an initial grading of the impact of the incident following the rating process identified in the HSCIC Guidance to the IG Incident Management Group. (Under Section 7). 5 Information Governance (IG) Incidents where further Investigation is required 5.1 All IG Incidents will be categorised depending on their severity on what level of investigation is required. 5.2 The categories of investigation are as follows: Full Serious Incident Investigation; Formal After Action Review; Team After Action Review. 5.3 All IG Incidents should have either an informal (Team / Department) or formal review of the circumstances around the issue and what steps should be taken to reduce the risk of reoccurrence. 5.4 Some reviews will take the format of an after action review (AAR) and others will have the corrective actions recorded on the IR1. This depends on the severity of the IG Incident. The process entails discussing an IG Incident and recording what actions should be taken by looking at the following: What happened?; Why did it happen?; What went well?; What needs improvement?; What lessons can be learned from the experience. 4

6 5.5 Full Serious Incident Investigation. (Information Governance Incidents) Where a serious IG Incident has occurred then the process for serious incidents should be followed. There are differences to the documents completed due to the nature of IG Incidents but overall the process is the same The Medical Director (Caldicott) and the Executive Director of Performance and Assurance (SIRO) will assign an Investigating Officer to look into the circumstances around the IG Incident. The Investigating Officer should ensure that the investigation is completed within 30 working days The Investigating Officer will also be responsible for collecting witness statements, facilitating the After Action Review (within 10 days) and summarising all the information received into the final Report. The template for the Report is attached as Appendix The completed Serious Incident Review Report should be forwarded to the Directorate Manager and Safety Team for quality checking and signature prior to submission to Incident and Claims Department for the Incident Review Panel. An electronic copy of all the information gathered should be forwarded to the Incident and Claims Department to be attached to the Electronic Incident Record. If this is not possible, Incident and Claims will scan the documents, when they receive them from the Investigating Officer The Incident and Claims Department will construct a Serious Incident Investigation Electronic File for the office and send an electronic pack to the appointed Investigating Officer and relevant people involved in the investigation. The Investigating Officer will be notified of the date of the Serious Incident Review Panel and when papers are due with Incident and Claims The Incident and Claims Department will report the incident on the Strategic Executive Information System (STEIS) to inform the Commissioners / Clinical Commissioning Groups. 5.6 Serious Incident Review Panel In the case of Serious Incidents (SI s) Review Panel for an IG Incident the panel should include members with an Information Governance background as well as clinical and operational representation Therefore the Panel should contain at least three members of the IG Incident Management Group The Panel will consider the Investigating Officers Report and ask questions where issues need clarification. The Panel will also agree the actions recommended by the Investigating Officer on their Report and if necessary add additional actions. 5

7 5.6.4 The Action Plan should be finalised at the Serious Incident Review Meeting and timescales set against the actions for completion. The template for the Action Plan is attached as Appendix 4. 6 Information Governance (IG) Incident Management Group 6.1 The IG Incident Management Group Members include but are not limited to the following: Executive Director of Performance and Assurance (Chair); Director of Informatics; Head of Safety / Patient Experience; Caldicott and Legal Affairs Lead; IG Risk and Compliance Manager; Representative from Human Resources. 6.2 The Information Governance Incident Management Group meets on a fortnightly basis to look at all IG Incidents and update on what actions have been taken to resolve those incidents. 6.3 The Group will also discuss Action Plans from Serious Incident Reviews and map progress of open actions. Clinical Group IG Incident Action Plans will be signed off by the clinical Q and P Group. IG Incidents which do not report to a Q and P Group will be signed off by the appropriate Senior Manager. (For example, Medical, Finance, Performance, Workforce). 6

8 6.4 Once an action has been completed the Incidents and Claims Department will update the Action Plan. Once all actions have been completed it will be signed off by the appropriate group / Senior Manager and the IG Incident will be closed by the IG Incident Management Group. 6.5 The Group receive a weekly report which shows the IG Incidents which have occurred and are still open. Each Incident is discussed and where necessary a Case Manager is assigned from the Group to investigate further the circumstances surrounding the IG Incident. 6.6 The Case Manager will feedback any further information in relation to the IG Incident to the Group. The Group will then decide if any further action needs to be taken or to close the incident. 6.7 The Incident Group will also use the above information provided by the Case Manager to re-evaluate the rating of each IG Incident initially scored by the IG Team. (Under 4.9). 6.8 Once the final ratings of the IG Incidents has been agreed by the Incident Management Group, it will be then sent to the next Senior Management Team (SMT) Meeting for approval. 6.9 Further information in relation to IG Incidents rated Level 2 and above will be provided to SMT for approval prior to submission on the Information Governance Toolkit by the IG Team Once the final ratings have been ratified by the SMT, the Level 2 and above Incidents will be uploaded onto the Information Governance Toolkit under the Incident Reporting Tool by the IG Team All IG incidents rated Level 1 will be reported in the Trust s Annual Report. 7 Rating of Information Governance Serious Incidents Requiring Investigation (IG SIRI) 7.1 The IG SIRI category is determined by the context, scale and sensitivity of the Incident. Every Incident can be categorised as: Level 1 Confirmed IG SIRI but no need to report to ICO, DH and other central bodies; Level 2 Confirmed IG SIRI that must be reported to ICO, DH and other central bodies. 7.2 A further category of IG SIRI is also possible and should be used in Incident Closure where it is determined that it was a near miss or the Incident is found to have been mistakenly reported: Level 0 Near miss / non-event. 7.3 Where an IG SIRI has found not to have occurred or severity is reduced due to fortunate events which were not part of pre-planned controls this 7

9 should be recorded as a near miss to enable lessons learned activities to take place and appropriate recording of the event. 7.4 The initial grading of the incident may change once all the facts of the incident have been established. 7.5 The Checklist Template to produce the appropriate rating for each incident is attached to this document as Appendix Guidance on how complete the grading can be found by clicking on the following link: g%20tool%20publication%20statement_final_v2%200.pdf 8 Information Governance Incidents (IG SIRI) rated Level 2 and above 8.1 Once an IG SIRI rating has been assessed and approved as level 2 or above by the Senior Management Team, the IG team will then upload the information on to the IG Incident Reporting Tool through the IG Toolkit. 8.2 Guidance on how to upload the information on to the IG Incident Reporting tool can be found by clicking on the following link: ool%20user%20guide.pdf 8.3 Detailed definitions and examples of breach types are attached as Appendix The HSCIC guidance also states that Incidents classified at an IG SIRI severity Level 2 need to be detailed individually in the annual report in the format provided as Table 1 attached as Appendix All reported incidents relating to the period in question should be reported, whether they are open or closed incidents. 9 Information Governance Incidents (IG SIRI) rated Level 1 and below 9.1 If an IG SIRI rating has been assessed and approved as Level 1 or below, this does not have to be reported through the IG Toolkit. 9.2 IG SIRI s rated Level 1 and below would be reported using Table 2 in Appendix 7 within the Trust s Annual Report. 8