BCS ASSIST s response to the Information Governance Review

Transcription

1 BCS ASSIST s response to the Information Governance Review A response from Informatics professionals and Information Governance specialists BCS ASSIST September 2012 BCS First Floor, Block D North Star House North Star Avenue Swindon SN2 1FA About BCS ASSIST BCS ASSIST, a professional association for those working in informatics in health and social care, is a member group within BCS (The Chartered Institute for IT). BCS ASSIST's key objectives are to: provide a network for the exchange of information, good practice and to address current issues provide a forum for activities and events at branch and national levels influence policy at national and local levels, and offer advice on health and social care informatics issues promote, raise and maintain professional standards in informatics. The Association is run by an elected national council, and consists of a network of regional branches that run educational and informative events throughout the year. This programme of events is supported by a national annual conference and AGM. National Council would particularly like to thank Wally Gowing and David Stone for pulling together this response to the review and facilitating the workshops that led to the content of this report. Questions regarding this response should be addressed to adam.drury@bcs.org Visit our webpage for further information BCS ASSIST s response to the Information Governance Review Page 1 of 10

2 1. Introduction BCS ASSIST welcomes the opportunity to input into this review on Information Governance (IG) and to provide a perspective from the viewpoints of informatics professionals and IG specialists that are members of the association. The Power of Information indicates the role that information must play in developing and delivering patient centric healthcare. In turn, this means that IG becomes crucial to enable effective information sharing within and between organisations to be achieved whilst protecting the confidentiality of users of health and social care services. BCS ASSIST members have had concerns about many aspects of IG for some time and the roles played by them in the operation of IG. These concerns led to a set of workshops to air and discuss IG issues in April / May The evidence gathered from these workshops also forms the basis for the development of this submission by BCS ASSIST to the Information Governance Review that we trust the review panel will find useful. BCS ASSIST welcomes the opportunity to discuss our submission in more detail should the opportunity arise. 2. Background Following discussions within BCS ASSIST concerning the state of NHS IG in December 2011, BCS ASSIST National Council commissioned a set of workshops entitled NHS IG Vision and Practice. The aim of the workshops was to enable BCS ASSIST members working in or affected by IG to reflect on the current state of IG in the context of the imminent Information Revolution, and to discuss the gap between current practice and future vision for IG. This in turn would be expected to identify major issues and problems, some of which may be solved within the workshops. However, the state of play in IG and the more knotty matters raised would help form the basis of a BCS ASSIST thought piece on the state of IG as perceived by practitioners. Three workshops were held for BCS ASSIST members in the North West, Yorkshire & Northern and London & South East Branches in April and May Approximately 120 people attended the three sessions representing some 80 NHS organisations that utilise patient data in their operations. The delegates were a mix of IG practitioners, senior IG managers, some Trust directors, senior managers from other allied disciplines as well as users of data and external consultants working in IG. The format of the workshops was a presentation about the purpose of IG and aspects of the implementation and operation within the NHS in England. This was followed for the larger part of each workshop with facilitated discussion of points raised by attendees, with Chatham House rules being applied. The timing of the workshops coincided with the announcement of the IG Review, giving an added impetus to the workshops for potentially developing a BCS ASSIST submission to the Review. A report 1 set out the main issues and findings arising in the lively workshops. This identified a set of themes and associated problems to which possible solutions were derived, leading to a set of conclusions. The content of the report forms the basis of this submission. 1 See BCS ASSIST s response to the Information Governance Review Page 2 of 10

3 3. Outline of perceived problems The problems in the world of NHS IG as perceived by BCS ASSIST members can be grouped into a set of themes, namely labelled as: A. Culture B. Organisational change C. IG expertise and staff D. Specific issues. A. Culture Evidence of poor IG culture and operation Widespread lack of senior management engagement except in a limited number of organisations, mainly where breaches have occurred, fines been imposed or have been narrowly averted Lack of leadership from the top of the NHS, evidenced by the expected annual threatening letters from the NHS CEO In some organisations, IG is marginalised as a silo activity within the organisation with Senior Information Risk Owners (SIROs) and Caldicott Guardians (CGs) who have more pressing core roles IG is stereotyped in parts of the NHS as IG says NO and is considered in terms of absolutely no risks instead of risk management to be assessed on a case by case basis Abuse of identifiable data, with lip service paid to IG rules and with arm twisting of IG staff to enable inappropriate access to identifiable data Technical jargon preventing intelligent discussion within organisations The IG Toolkit (IGT) for assessing the state of implementation of IG within an organisation has become a tick-box exercise and is often not completed honestly within the spirit that it was intended Lack of clarity in understanding, implementing and operating IG it is not always clear to IG practitioners on the ground which is the most important item of legislation or policy to apply; clinical staff have guidance produced by Royal Colleges that may be at odds with NHS policy guidance; different rules on a specific subject may be operated in neighbouring organisations. There was also citing of some variation in the knowledge and skills of practitioners Lack of authoritative guidance when seeking to resolve unfamiliar issues, the lack of clarity above leads to confusion as there is a Department of Health Informatics Directorate (DHID) policy body, the IGT, National Information Governance Board (NIGB), Ethics and Confidentiality Committee (ECC) and Information Commissioner s Office (ICO) for seeking guidance related to approving developments (such as research applications within an organisation), but there is not a single body that NHS staff can turn to for authoritative guidance Inconsistent implementation across the NHS as evidenced by the range of IGT scores and anecdotes concerning the variation in how issues have been resolved in different organisations. BCS ASSIST s response to the Information Governance Review Page 3 of 10

4 B. Organisational Change Evidence of shortfall Awareness of organisational changes taking place is high, but only superficially of the resulting impact on IG. Previous experience of organisational change indicates that major changes to NHS organisations or operating practices affect the sharing of data and related IG without the ramifications being thought through. These changes need clarity and leadership with authoritative good practice guidance to enable accurate and smooth transition The policy of Any Qualified Provider (AQP) is expected to cause further problems with contracting and having appropriate IG expertise in the commissioning function (i.e. Clinical Commissioning Groups (CCG)) and data processing organisations (i.e. Commissioning Support Units (CSU)) going forward to make sure that the various legislation and good practice is adhered to Major changes to NHS organisations and operating practices where effective guidance and support is required include o Health & Social Care integration o Multi-agency working o AQPs o The transition process from PCTs to sub-clusters to NHS Commissioning Board (NHS CB) Clusters with CCGs and CSUs Information lifecycle previously has not been a significant issue, but situations are arising for which guidance and experience are lacking, such as o Ending of contracts through exit or bankruptcy o Organisations ceasing to exist, e.g. PCTs commissioning arms, providers and SHAs. Legal issues abound, such as o Data Controller and Data Processors impact on CCGs, e.g. not legal entities yet o Information sharing and contracts o Identifiable data requested for commissioning purposes by CCGs. C. IG expertise and staff Evidence of shortfall As raised under Theme A, the use of jargon by IG staff, i.e. technical terms that may not be clear to other health service staff Attitude of other staff to data subject privacy, e.g. response of IG says NO, arm twisting of IG staff to enable inappropriate access to identifiable data Difficulty in knowing where to turn to gain advice which indicates lack of expertise locally, lack of recognisable source of expertise and lack of effective communications and networks in IG across the NHS Individual staff seem to be expected to master the full range of IG issues, whereas the reality is that IG needs input from a range of people with different skills and background, e.g. IG policy, legal, technical, clinical, managerial Significant variation can be seen between NHS organisations in the numbers of IG staff, their grading and status Observed reduction in staff numbers in IG during the reorganisation, especially in commissioning organisations. BCS ASSIST s response to the Information Governance Review Page 4 of 10

5 D. Specific Issues Evidence of issues There are a number of major issues arising from policy and legal changes, which will affect IG and its operation in all NHS related organisations. Currently IG staff are aware of the issues, but wish to be involved in understanding and making input to how the policy will be implemented or issues will be resolved, as well as gaining understanding in time to implement effectively. The issues include: Major developments with drive for patients access o How to give patients access to their data o Better understanding the risks and issues associated with patient access. Dissent and consent o In short term, managing dissent and in future consent o Impact of Draft EU Regulation with its emphasis on explicit consent. Cultural change in society regarding use of data and privacy rights. In addition there are specific subject matters where help/guidance was sought. These include: Privacy audits De-identification. 4. Improving IG from a practitioner s perspective The workshop attendees proposed ways of addressing the issues raised and a set of proposals for addressing the evident problems were developed. These are set out below against the same theme headings. A. Culture Undertake investigation of return on investment (RoI) to make the business case for operating IG appropriately in order that senior management can understand the need for investment in staff and processes to protect and utilise data. This has been brought sharply into focus with the ICO now being able to levy financial penalties. However, a firm and clear understanding of the purpose behind IG is necessary so that any RoI is not reduced to mitigating financial and reputational risk. It is important that IG is considered for any intrinsic value it may have, as opposed to the value attached by organisations covering their backs Ensure that Data and Information Management is a mandatory part of risk reporting at Boards of all NHS organisations (including the NHS Commissioning Board) and supplier organisations (via the standard commissioning contract if necessary). This could be summed up as an organisation wouldn t let the staff walk out, it wouldn t let its buildings fall down, so why would it leave valuable information vulnerable? Ensure that a board director that has direct responsibility for risk management (SIRO) has sufficient training and access to expert resource to undertake the role in a credible manner Everyone working in the NHS and providing NHS commissioned services should have a basic understanding of IG issues as part of their training and induction and their professional accreditation to enable information to be managed properly and patient privacy to be protected Decisions in IG on the use of identifiable data become context dependent in relation to the circumstances in which particular data are requested, for what purpose and for use by whom. Many such situations (possibly following the 80:20 rule) can probably be dealt BCS ASSIST s response to the Information Governance Review Page 5 of 10

6 within a straightforward framework. However, the remainder need to be seen in the perspective of the risks posed to the data subjects and the organisation and judgements undertaken by trained staff, the equivalent of the SIRO, CG and senior IG staff member IG definition develop a simpler and smarter all encompassing definition of IG to enable better understanding of purpose and to aid senior management and wider cultural engagement, in effect seek to simplify the language of IG. Shift the emphasis of IG to being about enabling use of sensitive personal data whilst properly respecting the privacy of the individual. An example slogan type statement that arose was protecting patient privacy while lawfully sharing data Modify the IGT to become a benchmark for a model of organisational IG maturity with independent auditing over a number of years. Require organisations to be audited and enable the development of sufficient accredited registered independent IG auditors NHS Commissioning Board to emphasise need for IG and to mount a suitable proactive publicity campaign within the NHS including some myth busters. This could build on some of the excellent work undertaken by NHS East Midlands in marketing Information Governance to NHS staff through simple key messages in 2009/10 A common or single version of the truth is required to avoid reinvention of the wheel and to ensure clarity across and between organisations (NB: this may already be being addressed by the NHS IG Code of Practice being developed by the Health and Social Care Information Centre (HSCIC) under section 263 of the Health and Social Care Act 2012) In addition to the Code of Practice, there is a need for a respected authoritative source of IG guidance. Whilst it is recognised that there may be legal implications associated with the provision of such guidance, ultimately provision of guidance on decision-making must be feasible ahead of an inappropriate decision that subsequently involves the ICO in punitive action. This may be the role of the NIGC (formerly NIGB) under CQC from April 2013 Improvements in sharing best practice are needed to promote the single version of the truth. Collaboration could be supported by appropriate collaboration tools and dedicated resources to support these steps. Ideally the latter would be led by a designated national authoritative source with the tools used to enable open discussions with experts to speedily generate relevant advice IG culture could be enhanced by utilising systems that facilitate the easier implementation of IG rules when implementing new solutions. For example it must be feasible for a small number of approved secure data warehouses to become the only sources of data, managing security and appropriate access to data, such as for Open Data Platform and the Data Management Integration Centres and Commissioning Support Units. Further, organisations should also be required to use these approved data sources, as in effect the data could be marked as from verified IG sources. Such data warehouses/systems would have to be supported with appropriate expert IG input. A formal professional standard of practice, possibly based on existing ISEB qualifications, structured specifically to meet health and social care needs. B. Organisational Change Transition guidance is needed with ongoing support as indicated in A above Clarity and leadership on change and associated IG facets is needed from the top Involvement of operational IG staff in resolving issues, so that learning and knowledge transfer takes place BCS ASSIST s response to the Information Governance Review Page 6 of 10

7 Workshops and updating relevant websites to disseminate good practice as developments occur. C. IG expertise and staff As indicated in Theme A, there is a need to simplify the language of IG in terms of definitions and couch in simpler terms concerning privacy Develop clear short statements of policy concerning access to identifiable data for use in all NHS organisations and those commissioned by the NHS to provide services Enable provision of education and training for IG staff, such as using business language instead of IG Speak ; dealing with real world issues by ensuring they partake in front-line work as part of their development; this has been described as bringing IG staff out of the back office Provision of education and training for IG staff should enable them to be proactive about management of data and associated risks that, with engagement by senior management, would enable proactive dialogue with staff Improve the education, training and development facilities available for IG experts Improve access to pooled expertise and IG networks, such as enabling the continuation of the existing SHA IG Groups and encourage wider membership Delivering appropriate IG services within an organisation needs to be seen to require a range of skills and knowledge, as indicated above (i.e. IG policy, legal, technical, clinical, managerial etc) Develop professional leadership and professional development of IG specialists (a task in which BCS ASSIST could provide help and support) IG staff are limited (as are many NHS staff working in Informatics) by the implementation of Agenda for Change. The base-lining of IG posts at Band 7 means that staff cannot seem to progress or suitable staff are not attracted to IG roles as a result of this seemingly arbitrary grading. The grading appears to be based on the view that IG is a purely technical subject, whereas elements are definitely strategic in nature especially in senior IG specialist roles. Whilst employment of IG staff will obviously be the subject of the same financial regime as other staff, there needs to be sufficient expertise available to NHS and NHS commissioned organisations to enable their legal obligations to be met. Guidance should be provided by the DH in the form of a minimum level of skills and knowledge required by organisations, whether employed directly or not, to meet their IG obligations. D. Specific Issues It is assumed that these issues could be addressed directly or indirectly through the improvements suggested in the above proposals for themes A to C, and the pro-active involvement of suitable on the ground IG staff in developing solutions and guidance. 5. Conclusions The IG practitioner and IG manager delegates at the BCS ASSIST workshops were open about the issues and the difficulties that they face in their work. The overall picture is that there is a large gap between the Practice of IG in the NHS compared with the previous and future Visions for IG ; this gap and how to close it are examined further below. Current state of play of IG and how to improve the implementation of IG - In the course of the workshops, it was evident from delegates, as set out above, that all is not well in the practice and operation of IG across the NHS and within NHS organisations. BCS ASSIST s response to the Information Governance Review Page 7 of 10

8 Given that patient information can be seen as the lifeblood of the effective operation of the NHS, there is clear evidence that the place of IG in the culture of the NHS is not what it should and needs to be. Examples are that patient privacy is not comprehensively well respected and IG is often treated as a side issue by management except where penalties may be incurred. Unfortunately, barriers have been created around IG seemingly because it has been treated as a niche specialist subject, often dealt with as a subset of Information and IT departments, coupled with the jargon and complex language used in IG policy documents and by IG practitioners. These elements are then compounded by the lack of clarity and leadership within the IG world, where authoritative and clear guidance is often lacking, leading to inconsistencies in implementation and further weakening the effective operation of well-intentioned IG policies. Further, IG needs to be seen as an integral component of the risks that organisations manage and be treated as such by senior management, instead of it being kept in a silo with the expectation of simple black and white answers. In addition to the context above, major organisational change is being undertaken and requires aspects of IG implementation and operation to be accurate (e.g. which organisations are Data Controllers) and effective (e.g. who has the right in new organisations to see identifiable data). The changes also bring with them the movement and, seemingly, a loss of IG staff at a time when there is more IG work to be undertaken than ever before. Fortunately, this reorganisation is being accompanied by a greater realisation of the importance of IG and of getting the IG right when making changes although there is a long way to go yet to get things right. This may have been aided by the recent announcements by the Information Commissioner s Office (ICO) of significant financial penalties in respect of other organisational change projects where IG developments have fallen short of basic standards. One benefit of the ICO s involvement is to heighten the awareness of the value of effective IG. The awareness could be considerably strengthened at senior management level by undertaking the suggested Return on Investment exercise. However, a major plank in achieving the aim of protecting patient privacy while lawfully sharing data lies with the proper training and education of staff in the NHS and NHS commissioned services about the elements of IG that are relevant to their work. If staff awareness about patient data and the related legal obligations is not changed, then it is difficult to see that the overall situation on IG can change. IG Toolkit - The IG Toolkit appears to be a good thing in providing a list of the things that need doing in IG and providing a means of tracking an organisation s progress in implementing and operating IG. On the other hand, feedback from practitioners has suggested that it has become a tick-box exercise that is gamed to provide a suitable status for the organisation through its use as a self-assessment mechanism. Whilst the IGT provides a knowledge base, it does not provide a framework to support, enable and assist organisations with their IG implementation and operations. It is suggested that such a framework be developed and that independent audit of IG progress (using the IGT where relevant) is undertaken at a sufficient scale to be effective (e.g. enough organisations each year over a three year cycle to ensure that all organisations are paying enough attention to IG). It may be appropriate that the independent audit is operated through a subscription service, especially as organisations can be expected to want to prove their IG worthiness. BCS ASSIST s response to the Information Governance Review Page 8 of 10

9 It is important that one focus of the audits would need to be to raise awareness and improve the situation (i.e. fix the problems) rather than be punitive though this may be the only way to make change (e.g. ICO fines). Learning from the ICO could also be applied in the approach of giving sensible timeframes for fixing problems before imposing fines or other restrictions. IG Staff - The implementation and operation of effective IG depends on access to relevant expertise and knowledge by NHS organisations and commissioned external health care service suppliers. The expertise is delivered through SIROs, Caldicott Guardians and IG staff. In some organisations, these arrangements do not appear to be wholly effective. This situation can be aggravated by the status and position of the IG staff within an organisation and their need to have sufficient expertise, knowledge and experience to handle and manage the wide range of issues thrown up within IG. Appropriate development opportunities and professional standards are needed to prepare IG staff to enable them to function effectively to ensure that their organisations operate legally and effectively whilst protecting patients rights. One means of developing staff is through setting up staff rotation schemes, such that IG staff have to job-swap a set number of times in a period to gain wider experience as part of their formal training. This could be supported by a link into collaboration tools (mentioned above), as staff would need to support each other. This approach would need to be considered in terms of cost and effectiveness compared to more traditional training, but appears to offer greater breadth than currently is the case for IG practitioners. The standing and status of IG staff needs improving (especially senior, specialist staff), or at least achieving a reduction in the seemingly haphazard variation across areas. The suggested approach of improved Collaboration and networking could support relevant Continuing Professional Development (CPD), and IG professionals could reaccredit their skills. Senior IG staff need to be employed at appropriate grades with the higher-level and strategic nature of their roles in areas such as risk management and dealing with interpretation of law, policy and regulations recognised appropriately in the Agenda for Change mechanism. It is important that such posts do not lead to another silo of expertise and are recognised for their worth to the organisation, whether employed directly or through a service mechanism. This should be feasible in a future context of all NHS and NHS commissioned services staff having a basic understanding of IG as part of their training or induction and professional accreditation. The NHS delivers its services through the use of professional staff that are registered and regulated, both in clinical areas and support services (such as finance and human resources). The requirement for this degree of professionalism has not been extended to informatics in general, let alone IG in particular. However, the nature of the role IG staff could play in the NHS may be sufficient for serious consideration to be given to such a significant and costly step being undertaken for relevant IG staff. This move may be viewed as a good thing in its own right, but also in part on the basis that the Draft EU Regulation on Data Protection would require organisations (employing more than 250 persons) to have a Data Protection Officer (DPO). Whilst a DPO post may be more of a legalistic role, having professional IG staff could form a vital part of ensuring that NHS organisations could meet their legal obligations. BCS ASSIST s response to the Information Governance Review Page 9 of 10

10 In conclusion The workshop based exercise by BCS ASSIST identified a set of issues and barriers to effective practice and working of IG in NHS England and ways are proposed for attempting to tackle the resultant problems. BCS ASSIST offers the evidence and learning gained from their members to the IG Review to aid improvements in the effectiveness of IG and of their members contributions. As a professional association, BCS ASSIST is willing to be involved in on-going discussions and future developments relating to the professional development of staff working in IG in health and social care, and would welcome an on-going dialogue with the review panel on this matter. BCS ASSIST s response to the Information Governance Review Page 10 of 10