Informaon Governance eassessment FACT SHEET

Transcription

1 Based on the Core Skills Framework Informaon Governance eassessment FACT SHEET Wrien by Developed in collaboraon with Information Governance and Health Records Audit and Compliance Manager Data protecon Freedom of Informaon Act 2000 Informaon security RUH golden rules Contact details eassessment Produced by: Learning & Development Page 1 Please note: there are only 2 a empts at the eassessment.

2 Introducon This fact sheet will give you key guidance on Informaon Governance. It aims to provide you with an update on the importance of maintaining data confidenality and security. Further informaon can be found on the Trust intranet site or by compleng one of the 3 elearning programmes on ESR. You might like to refresh your training with this factsheet if you are about to aempt the online eassessment. Learning Objecves The following learning outcomes reflect a minimum standard understand the principles of Informaon Governance and how they apply in every day working environments understand within the context of their specific role how to provide a confidenal service to pa- ents and service users in line with the duty of confidenality know how to ensure and maintain good record keeping. understand fundamentals of data protecon, confidenality and the Caldico Principles understand the responsibilies of healthcare organisaons under the Freedom of Informaon Act 2000 understand individual responsibilies in responding to a Freedom of Informaon request understand the principles of good record keeping. understand, within the context of their role, how they can apply and maintain informaon security guidelines. know where they can gain local access to policies, procedures and further informaon on Informaon Governance. Training Protect yourself by ge8ng trained. Staff who have been trained have not been prosecuted when making accidental breaches. Below is a list of the elearning available on ESR: 000 Introducon to Informaon Governance Staff with access to paent and/or staff informaon. 000 The Beginners Guide to Informaon Governance Staff with no access to paent and/or staff informaon 000 Informaon Governance The Refresher Module All staff who have already done the elearning before. Page 2

3 Secon 1: Data Protecon Act (DPA) UK law in the form of the Data Protection Act 1998 governs how organisations may use personal information (about living people), including how they acquire, store, share or dispose of it. The Information Commissioners Office (ICO) is the UK s independent regulator set up to uphold the public s information rights by promoting data privacy for individuals (and openness by public bodies). The ICO investigates complaints made by the public and provides guidance for the public and organisations. Under the Act, organisations that process personal information must notify the ICO (unless they are exempt). The organisations details are entered on a public register (available on the internet). Failure to notify is a criminal offence. The DPA concerns any data that is idenfiable, e.g. name, postcode, address, dates of birth, about living individuals. We must comply with 8 principles of the act: 1. Fair and lawful processing (consent must be provided). 2. Specified purpose. 3. Adequate and not excessive. 4. Accurate and kept up to date (data quality). 5. Should not be kept longer than necessary. 6. Rights of access. 7. Should be kept secure. 8. Should not be transferred to a country outside the EEA, without adequate protecon. Strengthening the ICO Powers In April 2010, the ICO was given new powers. It can now fine organisaons (including Government Departments) and individuals 500,000 for serious data security breaches such as deliberately or recklessly breaking the data protecon principles. I could be fined 500,000! The new powers also permit the ICO to carry out spot checks on the data protecon pracces of Government departments without their permission and without prior noce. Page 3

4 Secon 2: Freedom of Informaon Public Authories (including NHS Trusts, Local Authories, Densts, Doctors, Eye Care Services and Pharmacists), are subject to the legal obligaons of the Freedom of Informaon (FOI) Act Public Authories have only 20 working days to respond to wrien informaon requests. This is the limit set out by law. Speak to the Informaon Governance Manager if you are unsure about the trusts procedures for dealing with FOI requests. The Informaon Commissioners Office (ICO) is the independent regulator (for FOI in England and Wales) set up to uphold people s informaon rights by promong openness for public bodies (and data privacy for individuals). The ICO invesgates complaints made by the public and provides guidance for the public and organisaons. Some sensive informaon might not be made available to members of the public. Trusts can turn down a freedom of informaon request if they think it will cost more than 450 to deal with. Secon 3: Sharing data outside of the NHS Paent or staff confidenal informaon should not normally be used (which includes sharing and disclosing) unless one of the following criteria are met. 1. The person has given consent for the disclosure. For paents: Consent may be implied for care purposes and related purposes that support or check the quality of care provided. For other purposes consent should be explicit and obtained in wring, e.g. for a surgical procedure. 2. There is a legal basis which permits or requires disclosure of confidenal informaon, e.g. Childrens Act 3. There are exceponal circumstances (e.g. invesgaon or prevenon of serious crime) where the overriding public interest outweighs the duty of confidenality. What to do if you get a request If there is a request or business need to share informaon outside of the NHS, then you should obtain authorisaon from your Informaon Asset owner or the Informaon Governance Manager as there are some legal implicaons to consider (such as the Data Protecon Act). To find out who the Informaon Asset Owner for your department or area is, contact the Informaon Governance Manager on ext 5556 who can advise, or check the list of IAO s published on the Intranet under Staff Resources, About Governance, Informaon Governance. Page 4

5 Secon 4: Informaon security Transmission & Storage Check What does trust policy say? Important Faxing Could this informaon be sent via NHS mail instead? Ensure the correct number before sending a fax. Google must not be used to look up fax numbers. Is it encrypted and Only use NHS.net Some hospital secure? accounts. Only these accounts are not encrypted accounts are encrypted e.g. mary.smith@glos.nhs.uk and secure. Disk, CD, Is it encrypted? Only use encrypted When destroying or archiv- Memory sck memory scks for paent and staff data ing use the Trust destrucon template. Paper Who can see it? No handover, ward or theatre lists to go off site When destroying or archiving use the Trust destrucon template Telephone Do you know who you are talking to? Validate by calling back? Security Quesons for GP surgeries/nhs Bodies Validate: The paent s Medical Records number (RUH Number) or NHS Number, who their GP is, and the paent s full name. Mobile Phone Do you know who you are talking to? Validate by calling back? No paent idenfiable informaon saved on personal equipment Security Quesons for GP surgeries/nhs Bodies Validate: The paent s Medical Records number (RUH Number) or NHS Number. Who their GP is. The paents full name. Computer Only share paetnt Don t save to the C drive Do not put any paent iden- idenfiable data with Don t share passwords/ fiable data or images on those who need to smartcards social networking sites. know. Who can see my screen? Only access paents records if you have a legimate relaonship Ensure paent data is not lem visible on screen to others who don t need to see it. Laptop Is it encrypted? Only use encrypted laptops for paent and staff data. No paent idenfiable informaon saved on personal equipment. Don t save to the laptop desktop use a memory sck for paent idenfiable data. Page 5

6 Sharing very large files outside of the Trust is subject to size limits and is not always the most suitable way of sending large files larger than 5 MB. Another method is to use what is called the Secure File Transfer Service. This allows those with NHS.net accounts to transfer large amounts of data, avoiding having to send an . Informaon on this if required is available from the website hps://nww.sm.nhs.uk/sm/upload1. Secon 5: NHS Constuon The NHS Constuon was first published on 21 January 2009 and was updated amer public consultaon in March It describes the principles of the NHS in England and the rights and responsibilies of paents, public and staff. One such right is that paents can expect the NHS to keep their confidenal informaon safe and secure. All NHS bodies and private and third sector providers supplying NHS services are required by law to take account of the NHS Constuon in their decisions and acons. The NHS Constuon will be renewed every ten years. Other reasons why we should work hard on maintaining confidenality are: 1. For paents to disclose confidenal informaon to us they have to trust that we will keep it secure 2. Paents have a right to a private life (European Convenon of Human Rights and Human Rights Act 1998) 3. NHS Contracts of employment require confidenality 4. We are a public service 5. Damage to reputaon 6. Legal imperave we could be fined 7. Hippocrac oath for physicians Secon 6: Caldico Principles (1997) In 1997 a review was carried out into the use of paent idenfiable informaon in the NHS. This was carried out because there were concerns about how paent informaon was being handled and transferred. Dame Fiona Caldico chaired the Caldico Review. The report set out principles and recommendaons for the security of paent informaon. An important recommendaon was that a senior clinician should be nominated in each NHS Trust to act as the Trust s conscience for the uses of paent idenfiable informaon. These senior clinicians are known as Caldico Guardians. At the RUH the role of Caldico Guardian is held by the Medical Director. Page 6

7 The Caldico Principles are: 1. Jus fy the purpose of using confiden al informa on 2. Only use it when absolutely necessary 3. Use the minimum required 4. Allow access on a strict need-to-know basis 5. Understand your responsibility 6. Understand and comply with the law 7. The duty to share informa on can be as important as the need to protect pa ent confiden ality. The duty to share informa on can be as important as the need to protect pa ent confiden ality Caldico 2 report 26th April 2013 Sec on 7: Informa on Quality Accuracy is just one quality that we expect in records. But other quali es are also needed for the informa on to be useful, e.g. it would be pointless having informa on which was 100% accurate but wasn t available in me for it to be used. Informa on is used to make decisions throughout the health sector each day in all sorts of situa ons. Some mes this informa on needs to be extremely high quality, such as quick and accurate test results to help decide a pa ent s urgent condi on and treatment. Other informa on may be less urgent or the level of accuracy may be less vital, such as an annual na onal comparison of flu injec ons for forward planning. Whatever the situa on, the right informa on should be in the right place at the right me - and that needs to be achieved every me. Poor quality informa on is bad for pa ent care, bad for funding and bad for reputa on, e.g.: Incomplete, inadequately analysed data can lead to serious failures in service. Poor demographic data results in duplicate and confused entries on pa ent record systems. Confused pa ent iden ty numbers can lead to the wrong pa ent being treated. Inadequate records lead to poorly planned care. Poor data results in poor: commissioning monitoring planning and financing of services. The NHS takes Informa on Quality very seriously because the consequences can be vital to pa ent outcomes or, in the case of planning, result in too much or not enough service provision. Page 7

8 High quality means: C A R A T Complete Accurate Relevant Accessible Timely Secon 8: RUH 8 Golden Rules 1. Don t save to the C drive 2. Don t share passwords/smartcards 3. Don t save paent idenfiable data on personal equipment 4. Do ensure handover, ward or theatre lists don t go off site 5. Do access paents records only if you have a legimate relaonship 6. Do use encrypted memory scks and laptops 7. Do share paent idenfiable data with those who need to know 8. Do use the Trust destrucon template when destroying or archiving. Secon 9: Responding to verbal requests Security Quesons for GP surgeries/nhs Bodies: The paents Medical Records number (RUH Number) or NHS Number Who their GP is The paents full name. Page 8

9 Secon 10: Fines and breaches Informaon Commissioners Office (ICO) have levied a number of fines on trusts. Below are some examples. Date What happened Trust Fine 1 st June 2012 Hard drives sold on Ebay, amer supplier Brighton and Sussex 325K engaged without contract NHS Trust 19 th June 2012 Thousands of records lem at disused sites Belfast Health and Social Care 225K 12 th July leers sent to an old address St George s Healthcare NHS Trust 60K 15 th Feb 2013 Fined for sending un-ecrypted discs for serious case review to hotel discs never arrived. Nursing Midwifery Council (NMC) 150K Recent accidental breaches Breaches must be reported to the NHS Commissioning Board. Below are some recent breaches. Fortunately, the staff involved had all been trained in Informaon Governance and the breaches were accidental. Date Incident 19/6/13 Diary with details of 8 paents lem in car park 10/7/13 Request for consultant s opinion about a 73 year paent found outside Waitrose in Bath 22/7/13 Oncology leer sent to wrong paent (same name) 2/8/13 Endocrine and Breast surgery handover sheet found in PAW corridor 27/8/13 A paent received their leer plus 15 more leers about other paents 150K thanks Page 9

10 Secon 11: Contacts Trust Lead Job Title Contact details Simon Edwards Informaon Governance Lead 5556 Dr Tim CraM Trust Caldico Guardian 6192 David Davis Chief Informaon Officer 6250 IT Service Desk 5444 Sarah Truelove Finance Director 4308 File Locaon: \\Tatooine\educaon\Shared Folders\10 \02 )\11 \01 \10 Informaon Governance Date of Publicaon : December 2013 Royal United Hospital Bath NHS Trust Page 10