CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH

Transcription

1 CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH These notes are designed to be used in conjunction with the core training PowerPoint slides. The purpose of the session is to provide induction level training in information governance for individual involved in routine access to personal healthcare information and records. The content of the slides relates to the general information that all employees should be presented with. However, the differing organisational requirements across institutions may mean that some slides will need to be adapted to reflect local information. How you choose to present this information is up to you you know your own training style and have better insight into what your audience wants and needs. If you have the time, feel free to add exercises, games, video clips, etc. Further training may be required by individual organisations. In keeping with the guidance offered in the Core Skills Framework, it is anticipated that this session should last for 45mins to 1hour. IG Trainer Notes March 2014 Page 1 of 29

2 SLIDE 1: Information Governance This is an opportunity for you to introduce yourself and explain how you intend to run the session. This will depend on your own training style, but you should consider: when and how you will take questions? e.g. - Do you want these as you proceed through the presentation or at the end? what activities will you use? In addition to presentation, will you have exercises, activities, assessment, etc.? what happens next? e.g. -. how will their attendance and any subsequent assessment be recorded? Please remember to update this slide to reflect local information. IG Trainer Notes March 2014 Page 2 of 29

3 SLIDE 2: What you will learn in this session This relates to both the National and Local learning outcomes that have been defined as part of the Core Skills project. To make this more user-friendly, these are articulated as what participants will learn and also mapped against the Core Skills Framework learning outcomes as indicated overleaf: IG Trainer Notes March 2014 Page 3 of 29

4 What participants will learn Core skills framework learning outcome Level 1: Learning Outcomes for all staff working in healthcare organisations Principles of Information Governance and Understand the principles of Information their application to healthcare Governance and how they apply in every day organisations working environments How to practice and promote a confidential service Understand within the context of their specific role how to provide a confidential service to patients and service users in line with the duty of confidentiality Know how to ensure and maintain good record keeping. Principles of ensuring and maintaining good Level client 1a: Additional records Learning Outcomes for staff/students involved in routine access to information Protection of individuals confidentiality and Understand fundamentals of data protection, the Caldicott principles confidentiality and the Caldicott Principles Healthcare organisation s responsibilities Recognising & responding to Freedom of Information requests **Principles of ensuring and maintaining good client records Keeping Information Secure Information Governance resources including national legislation, guidance and local policies & procedures Understand the responsibilities of healthcare organisations under the Freedom of Information Act 2000 Understand individual responsibilities in responding to a Freedom of Information request Understand the principles of good record keeping. Understand, within the context of their role, how they can apply and maintain information security guidelines. Know where they can gain local access to policies, procedures and further information on Information Governance. IG Trainer Notes March 2014 Page 4 of 29

5 SLIDE 3: What is Information Governance Explain how Information Governance refers to how both employees and organisations handle information. Provide lots of different examples of the type of information this may include. Explain how good information governance practice will hopefully ensure the necessary safeguards for, and appropriate use of patient and service user s personal and sensitive information as well as the health and social care organisations records. This is a good opportunity to introduce the idea that there has to be an appropriate balance between the protection of the patient/ service users personal and particularly sensitive information and the obvious need for appropriate sharing of information to ensure high quality care delivery. Begin to introduce the principle of confidentiality. IG Trainer Notes March 2014 Page 5 of 29

6 SLIDE 4: What is Information Governance? This is similar to the above but allows you to expand on the principle of a framework. The Information Governance Framework for health and social care is formed by those elements of law and policy from which applicable information governance standards are derived, and the activities and roles which individually and collectively ensure that these standards are clearly defined and met. NHS Connecting for Health (2013). The central focus of information governance is how personal and sensitive information about patients and service users is managed from conception to destruction. Remember to inform participants that information governance applies tocorporate/organisations governance information. Discuss that it applies to information and the processing of information. The principles and framework for information governance are applied in the same way to: NHS Trusts (Acute, Paediatric, Mental Health Community) Foundation Trusts Independent sector NHS providers (through contractual arrangements) IG Trainer Notes March 2014 Page 6 of 29

7 SLIDE 5: What is Information? This slide if fairly self explanatory. Ask participants to provide further examples. Discuss where the information can be found. Ask participants for examples Health records, case notes, doctors, nurse, paramedic notes. Prescriptions. Databases, post it notes. It is important to introduce here that organisations are also responsible for their employee s personal data. What about HR files? Interview notes. Disciplinary procedures and notes. Corporate or organisation may include details of estates contracts, minutes of meetings. Notes that people take down at meetings in the wrong hands could be very damaging. IG Trainer Notes March 2014 Page 7 of 29

8 SLIDE 6: Why is Information Governance so important It s important both ethically and legally. There are many laws, principles, policies and procedures that have been developed in order to protect individuals including patients, service users and employees. However if followed correctly these will also guide and protect public organisations. IG Trainer Notes March 2014 Page 8 of 29

9 SLIDE 7: Why is Information Governance so important? It s important both ethically and legally. There are many laws, principles, policies and procedures that have been developed in order to protect individuals including patients, service users and employees. However if these are followed correctly it will also guide and protect public organisations. IG Trainer Notes March 2014 Page 9 of 29

10 SLIDE 8: Why is Information Governance so important? It s important both ethically and legally. There are many laws, principles, policies and procedures that have been developed in order to protect individuals including patients, service users and employees. However if followed correctly these will also guide and protect public organisations. The NHS Chief Executive has made it clear that ultimate responsibility for information governance in the NHS rests with the board of each NHS organisation (for staff new to the NHS you may need to explain who the board is and also their role). Each organisation is required to have a board-level Senior Information Risk Owner (SIRO) and a senior Information Asset Owner should be designated for every separate database or other major information asset. The SIRO Is accountable Fosters a culture for protecting and using data Provides a focal point for managing information risks and incidents Is concerned with the management of all information assets The SIRO s role is different to the Caldicott guardian (see below for role of the Caldicott Guardian). IG Trainer Notes March 2014 Page 10 of 29

11 The SIRO however does have to closely with the Caldicott Guardian and consult him/her where appropriate when conducting information risk reviews for assets which comprise or contain patient information. SLIDE 9: Information Governance requirements for health & social care organisations This slide is about how information is handled which is the key element of Information Governance. Introduce here the HORUS model developed by the Department of Health for managing information. IG Trainer Notes March 2014 Page 11 of 29

12 SLIDE 10: The Law and Information Governance Firstly discuss the differences between Common law and legislation (Acts of Parliament). Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judgemade' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent. Introduce each point separately. Common Law of Confidentiality: Taken from Department of Health 2013 The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent. In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies. Three circumstances making disclosure of confidential information lawful are: where the individual to whom the information relates has consented; where disclosure is in the public interest; and where there is a legal duty to do so, for example a court order. IG Trainer Notes March 2014 Page 12 of 29

13 Computer Misuse Act: It is an offence to access or attempt to access computer information without appropriate authorisation. Data Protection Act: The Data Protection Act controls how an individual s personal information is used by organisations including health and social care organisations. Everyone who is responsible for using data has to follow strict rules called data protection principles. They must make sure the information is: used fairly and lawfully used for limited, specifically stated purposes used in a way that is adequate, relevant and not excessive accurate kept for no longer than is absolutely necessary handled according to people s data protection rights kept safe and secure not transferred outside the UK without adequate protection There is stronger legal protection for more sensitive information, such as: ethnic background political opinions religious beliefs health sexual health criminal records The Human Rights Act: The Human Rights Act 1998 (also known as the Act or the HRA) came into force in the United Kingdom in October It is composed of a series of sections that have the effect of codifying the protections in the European Convention on Human Rights into UK law. All public bodies (such as courts, police, local governments, hospitals, publicly funded schools, and others) and other bodies carrying out public functions have to comply with the Convention rights. This means, among other things, those individuals can take human rights cases in domestic courts; they no longer have to go to Strasbourg to argue their case in the European Court of Human Rights. The Act sets out the fundamental rights and freedoms that individuals in the UK have access to. Freedom of Information Act: IG Trainer Notes March 2014 Page 13 of 29

14 The Freedom of Information Act gives individual the right to ask any public sector organisations including health and social care organisations for all the recorded information they have on any subject. Anyone can make a request for information there are no restrictions on your age, nationality or where you live. A request will be handled under the Data Protection Act if they ask for information about themselves. SLIDE 11: Standards, Policies & Codes of Practice IG Trainer Notes March 2014 Page 14 of 29

15 SLIDE 12: Always follow the Caldicott The Caldicott Principles are legal and must be applied. IG Trainer Notes March 2014 Page 15 of 29

16 SLIDE 13: Caldicott Guardians The Caldicott Guardian Is advisory Is the conscience of the organisation Provides a focal point for patient confidentiality & information sharing issues Is concerned with the management of patient information IG Trainer Notes March 2014 Page 16 of 29

17 SLIDE 14: Subject Access Requests This is a request from an individual l who wants to view the personal information that is held about them. Patients and service users may request to see their health and social care records Employees may request to see their HR records. There is a formal process which organisations should have in place to provide this information. IG Trainer Notes March 2014 Page 17 of 29

18 SLIDE 15: What is a Freedom of Information Request? Appropriate to emphasise here the difference between the Data Protection Act principles and Freedom of Information Act. Individuals have the right of access to information about them ('personal data'), which is held on computer, and in some paper files, under the Data Protection Act The Freedom of Information Act extended this right to allow the public to access to all other types of information held. That is non- personal public authority information. Provide more examples that might cause a stir! E.g. work s, handover notes, off duty rotas. The Act does, however, set out some exemptions to this right and it also places a number of obligations on public authorities about the way in which they provide information. Subject to the exemptions anyone making a request has the right to be told whether information exists and the right to receive the information. In general, a response must be provided within 20 working days. There is also a duty on public authorities to provide advice or assistance to anyone seeking information (for example in order to explain what is readily available or to clarify what is wanted). Summarise that the Act gives individual s the right to access/view all non-personal public authority information upon request; Emphasise that requests must be in writing. IG Trainer Notes March 2014 Page 18 of 29

19 Ask the group who their FOI Lead is. If they don t know discuss how they could find out. Provide some possible examples of exemptions. FOI Lead will decide. This could be made more real and interesting by demonstrating how participants have rights regards to information that may affect them and how they can access non personal information that may be affecting their personal lives. Organisations could face financial penalties if they don t comply or if they are in breech of the Act Slide 16: Can you recognise a Freedom of Information Request? IG Trainer Notes March 2014 Page 19 of 29

20 SLIDE 17: Your duty of Confidence The emphasis here is on ensuring participants understand they have a legal duty of confidence. This is a common law and statutory legal duty as well as a professional duty. IG Trainer Notes March 2014 Page 20 of 29

21 SLIDE 18: Duty of Confidence IG Trainer Notes March 2014 Page 21 of 29

22 SLIDE 19: Good Quality Record Keeping The emphasis here must be on the importance of producing good quality information and records. Talk about the principles applying to both records that are hand written and electronically produced. Emphasis with examples should be placed on how poor quality record keeping can place patients & service users, employees and organisations at risk. Poor quality records or inaccurate information put patients/service users at risk. Emphasis on factual information that is clearly written, concise, complete as well as legible. Have personal details changed? Highlight risks with duplicated records. One set may not be up to date. Crucial information could be missed. Refer students to Professional Standards of Practice and NHS guidance. Good record keeping is also essential in case of requests under the Data Protection Act or the Freedom of Information Act. IG Trainer Notes March 2014 Page 22 of 29

23 SLIDE 20: Good Quality Record Keeping IG Trainer Notes March 2014 Page 23 of 29

24 SLIDE 21: Information Security Information security is a very contemporary topic. Concerns about public sector data protection have resulted in the Government directing a range of standards for managing information risk, an important element of information governance. These standards are reflected within the NHS Information Governance Toolkit which can be accessed from There have been some significant breeches by high profile public figures. Provide some examples of recent breeches participants may have heard of. Discuss how they could have been avoided. What errors were behind these breeches? Simple actions can keep information secure and confidential. Some discussion here about local records management arrangements, and local processes such as your Safe Haven process. Discuss again the Department of Health, Records Management NHS Code of Practice guidance. Remember simple actions will keep information secure and confidential. However, it is also simple and thoughtless actions which often result in breeches of confidentiality. IG Trainer Notes March 2014 Page 24 of 29

25 SLIDE 22: Information Security A serious matter You should particularly highlight that the organisations may use surveillance methods to check that the use of any information and systems are being appropriately used. Learners need to appreciate that they have a legal responsibility to ensure the appropriate access and use of information and systems, and any failure by them could result in disciplinary and legal action So information Security is a serious matter. IG Trainer Notes March 2014 Page 25 of 29

26 SLIDE 23: Your responsibilities IG Trainer Notes March 2014 Page 26 of 29

27 SLIDE 24: Useful sources of information SLIDE 25: Acknowledgements IG Trainer Notes March 2014 Page 27 of 29

28 SLIDE 26: Thank you and any Questions Remember to leave some time at the end for questions and answers. Use this as an opportunity to remind them who you are and where they can go for extra information. IG Trainer Notes March 2014 Page 28 of 29

29 IG Trainer Notes March 2014 Page 29 of 29