2. Reporting The national clinical audit is on the list of mandatory national audits for inclusion in Trust s Quality Accounts.

Transcription

1 National clinical audit of rheumatoid and early inflammatory arthritis Information for Caldicott Guardians 1. Overview The national clinical audit of rheumatoid and early inflammatory arthritis is part of the National Clinical Audit and Patient Outcomes Programme (NCAPOP), overseen by the Healthcare Quality Improvement Partnership (HQIP). NCAPOP is a closely linked set of centrally-funded national clinical audit projects that collect data on compliance with evidence based standards and provide local Trusts with benchmarked reports on compliance and performance. They also measure and report patient outcomes. Following the award of a three-year contract to develop a national clinical audit for inflammatory arthritis as part of the National Clinical Audit and Patient Outcomes Programme (NCAPOP), the data collection for the BSR national clinical audit for inflammatory and rheumatoid arthritis will commence on: 1 st February The HQIP funded project will provide a national comparative audit of the assessment, management and outcomes of adults presenting with rheumatoid and early inflammatory arthritis in all NHS secondary care settings in England and Wales where the service is provided. The audit is being designed so that results help clinicians improve the quality of care for patients and control their joint inflammation. For patients the aim is that they will be more aware of their care and more able to take control of their personal health. 2. Reporting The national clinical audit is on the list of mandatory national audits for inclusion in Trust s Quality Accounts. We will publish an annual report from October 2015 that will include key outcome data, with a lay version published from November In addition, we will produce quarterly reports at named hospital level. There will be also be a reporting functionality within the audit tool for hospitals/trusts to access data outside of the standard reporting timeframe. 3. Governance Formal oversight of the national clinical audit is provided by a Project Steering Committee consisting of key national stakeholders. A Project Working Group meets quarterly and the project is delivered operationally by a core project team. National clinical audit - project structure an 1 Funded by:

2 4. Data collection 4.1 Clinician derived HQIP - clinician derived baseline data HQIP - clinician derived follow up data 4.2 Patient derived HQIP - patient data collection form - at rec HQIP - patient data collection form - at rec HQIP - patient data collection form - follow 4.3 Organisational (annual) HQIP - organisational data collection form Time period for data collection Data collection commences on 1 st February 2014 and runs continuously for 3 years. Data for each individual patient is collected over a 3 month timeframe: Clinician derived: Patient derived: baseline and at each subsequent follow up appointment up to and including 3 months baseline and nearest appointment to 3 months Organisational: Annual, with the first collection due to be submitted online no later than 28 February The period of data collection may be subject to an extension should the contract be amended/updated. 5. Patient participation Patients will be informed about the audit via posters in rheumatology department waiting rooms and via patient organisation websites, such as the National Rheumatoid Arthritis Society (NRAS). Patients will be requested to provide verbal consent to participation in the audit and their consent will be noted on the clinician derived baseline form. 6. Data transfer Data will be extracted from the web based tool monthly by Northgate Public Services (Peoplebuilding 2, Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire, HP2 4NW Tel: ) 2 Funded by:

3 Following extraction, data will be aggregated and anonymised. Data will then be electronically transferred via a secure N3 link to the MRC Lifecourse Epidemiology Unit at the University of Southampton for statistical analysis. Patient identifiable data will not be transferred, not will be it used for analysis and reporting purposes. 7. Data security The application is available on the N3 network only and uses a Secure Socket Layer (SSL) Certificate to ensure data is encrypted between the users web browser and the Audit Tool web server. The complete infrastructure is monitored on a 24x7 basis by specialist network and security systems that are in place to cover all hosted Northgate and customer systems. 8. Data in Transit Where required, as per the Audit contract, any datasets created by Northgate with patient identifiers are submitted over the N3 network using Connecting for Health s approved SFT (Secure File Transfer) client. Alternatively, where the recipient does not have N3 access, the data will be sent via Secure File Transfer Protocol (SFTP) and the data will be encrypted to AES 256bit as per NHS/CfH requirements. All data is backed up nightly and the data tapes moved to a secure off-site storage facility. The data is encrypted and moved by specialist couriers. 9. Data access The requirements for access to, and the use of Northgate systems are covered in corporate security and ICT policies. All systems and data are hosted within Northgate's ISO27001 accredited data centre which ensures access is highly restricted using both physical and procedural means. The full identifiable dataset will be retained in its original form within Northgate's ISO27001 accredited data centre. The project team, project working group and Steering Committee will not have access to the full identifiable dataset. Personal identifiers on the database are protected by two layers of encryption. Individual sensitive fields within the database are encrypted using AES 256bit field-level encryption. In addition, industry-standard encryption applies to the entire database. The encryption conforms to the relevant e-government Strategy Framework Policy and NHS/CfH Guidelines Each registered Trust will be able to access data for all of its registered hospitals. Hospitals will have access to their own hospital data only. Individual users who work across a number of hospital sites will have access to data for each hospital site for which they have been registered, through a separate log-in per hospital. Members of the project teams employed by the NHS will be subject to standard NHS confidentiality agreements. Non-NHS members of the project teams are aware of their responsibilities and obligations to respect patient confidentiality. It is a condition of employment that all employees abide by their organisation s Data Protection Policy and confidentiality clause within their contract of employment. 3 Funded by:

4 10. Data storage The audit is contracted to collect patient data for a 3 year period from 1 February 2014, with the potential to extend for a further 2 years. Data collected during this time period will be stored on a server hosted by Northgate Public Services in a secure data centre. 11. Data disposal Data will be overwritten or destroyed in line with NHS approved information destruction/deletion standards. 12. Caldicott Principles Principle 1 - Justify the purpose(s) Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian. The national clinical audit of rheumatoid and early inflammatory arthritis is collecting data to improve the quality of care delivered to patients seen within rheumatology outpatient departments. It will collect only that data required for the published process and outcome measures. These have been specifically linked to evidence based published standards of care. It will also collect sufficient data to risk adjust cases in order to produce meaningful comparisons between hospitals. Documents will be produced that explain the explicit links between the data being collected and the process and outcome measures, and published standards of care. These documents will be in the public domain via the British Society for Rheumatology website ( All process and outcome measures, and related data, have been subject to peer review by a Project Steering Committee that meets quarterly, consisting of key stakeholders including patient representation. The dataset will be analysed at least annually by the project team to ensure that it remains fit for purpose. Principle 2 - Don't use personal confidential data unless it is absolutely necessary Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s). In order to successfully link data collected as part of the audit with other databases in the future, personal confidential data is required. The only personal confidential data being requested is patient NHS numbers. Identifiable data will not however be analysed or reported on. For analyses purposes the NHS number will be replaced by a unique Audit patient identifier. Potential future linkage will be made with additional databases such as: Hospital Episode Statistics (HES) for data validation Patient Episode Database for Wales (PEDW) for data validation 4 Funded by:

5 Principle 3 - Use the minimum necessary personal confidential data Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out. Each individual item within the dataset has been peer reviewed by the Project Steering Committee, and the minimum data necessary to draw adequate conclusions about the care provided is being collected. The dataset has been informed by evidence based documentation, including the NICE Quality Standards (QS33) for Rheumatoid Arthritis. In order to successfully link with the relevant databases listed above, personal confidential data is required. The only personal confidential data being requested is the minimum required in order to successfully link with these databases. Principle 4 - Access to personal confidential data should be on a strictly need-to-know basis Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes. Access to the audit tool will be via unique usernames and passwords issued to each registered user. This will ensure that only users who have a legitimate reason to use the data collection tool will be granted access. A database of users will be maintained by the project team. Local hospital users will only have access to their own hospital s data. Principle 5 - Everyone with access to personal confidential data should be aware of their responsibilities Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality. Members of the project team employed by the NHS will have completed Information Governance training in accordance with their own Trusts requirements. Non-NHS members of the project team are aware of their responsibilities and obligations to respect patient confidentiality. It is a condition of employment that all employees abide by their organisation s Data Protection Policy and confidentiality clause within their contract of employment. Clinical and non-clinical staff entering data will be reminded of their obligations surrounding the use of confidential data when registering to use the data collection tool and when signing in. These obligations will also be explicitly stated on a separate area of the data collection website. Principle 6 - Comply with the law Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements. Users submitting data will be subject to Information Governance training in accordance with their own Trusts requirements, which will set out their legal responsibilities and requirements. 5 Funded by:

6 Each hospital has been asked to nominate a designated lead from the Clinical Audit Department who will be familiar with the legal requirements due to the nature of their role within an NHS Clinical Audit Department. Members of the project team are aware of their obligations and legal requirements regarding personal confidential data. It is a condition of employment that all employees abide by their organisation s Data Protection Policy and confidentiality clause within their contract of employment. Northgate Public Services are the Data Controller for this audit. Principle 7 The duty to share information can be as important as the duty to protect patient confidentiality Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies. All NHS employees are appropriately supported in this way. Medical staff will be aware of their responsibilities as part of the General Medical Council s guidance on Good Medical Practice and Duties of a Doctor. This will be augmented by specific Trust policies. Other health care professionals will also be supported by their respective professional bodies (eg Nursing and Midwifery Council) and Trust policies. Other non-nhs staff are aware of their responsibilities as set out in their respective organisation s Data Protection Policies 12. Further information For further information please contact Paula Beare, Project Director: pbeare@rheumatology.org.uk 6 Funded by: