Information Governance

Transcription

1 Attach 8 Information Governance CCG Accredited Safe Haven Application Information Governance CCG Accredited Safe Haven Application 1

2 1. Introduction 1.1. From the 1st April 2013 new information governance regulations were introduced by the Health and Social Care Act (HSCA)2012 about how patient confidential data (PCD) should flow within NHS commissioning organisations. The changes in regulation have brought challenges in the CCG ability to monitor and evaluate some of its commissioning activities This paper builds on information that has previously been presented at Management Team in relation to Patient Confidential Data flows and provides a proposal for the CCG formally applying to become a Commissioning Organisation Accredited Safe Haven (ASH) describing some of the benefits, risks, and current position. 2. Background 2.1 Prior to 1 st April 2013, commissioning organisations received data with one identifier (NHS number only) to which they would pseudonymise and utilise to carry out commissioning functions. However, CCGs were not automatically allowed this access even though they were still carrying out the majority of the commissioning responsibilities. The HSCA (2012) granted use of data for commissioning purposes to the Health and Social Care Information Centre (HSCIC) only. 2.2 The gap in HSCA (2012) legislation was acknowledged nationally and the need for a solution. NHS England made an application for legal provisions and exemptions to be made under section 251 of the NHS act These provisions allowed commissioning organisations to be able to access data with limited identifier for commissioning. However, before commissioning organisations were allowed to access data under these provisions, they were required to formally apply to be an ASH. 2.3 Currently South London CSU (SLCSU) has temporary access to data under the section 251 provisions to which it utilises to provide the core business intelligence support for the CCG. Not all CCG functions sit with the CSU. The CCG has mapped the information requirements for functions that currently sit in-house to which it has used to determine the need for the CCG to become an ASH so as to enable these functions to work properly. 3. What is an Accredited Safe Haven (ASH)? 3.1 An ASH is an accredited organisation, or a designated part of an organisation, which is contractually and legally bound to process data in ways that prevent the identity of individuals for commissioning purposes. It will be allowed to receive data with NHS numbers as the only identifier to which it will pseudonymised before use. This processing will be carried out in a strictly controlled environment with limited access. 3.2 Becoming an ASH does not mean the CCG will have free flowing data. It only allows access to data with NHS number only within the controlled environment for the purposes allowed in the section 251 permissions under strict conditions for limited number of staff. Information Governance CCG Accredited Safe Haven Application 2

3 . 4. Benefits to the CCG 4.1 If the CCG s application to become an ASH is approved, it will enable the CCG to receive data and utilise current resources to support monitoring and evaluation of a range of commissioning initiatives such as: The Quality Innovation Productivity and Prevention programme becoming an ASH will enable CCG to utilise existing resources to manage this function. Transformation Projects (Out of Hospital Strategy) Existing CCG resources will be utilised to undertake this work. Service Redesign Programmes Becoming an ASH will enable current analytics resources to be utilised to their maximum potential in order to reduce cost per case basis procurement from external bodies 4.2 The CCG will have more flexibility in how it plans for any future projects with the added options of in-house working or collaborative working with agencies such as SLCSU 4.3 There is also a potential for collaborative working with other CCG s and supporting future programmes 4.4 The Health and Social Care Information Centre (HSCIC) has provided a small window for allowing CCG s to become and ASH, it is expected that this chance will no longer be available in the future. 5 Options if CCG does not pursue becoming an ASH 5.1 Procure for routing of data flows via SLCSU - the SLCSU are applying to become an ASH, if successful CCG could route the required data flows through their safe haven for pseudonymisation. However this may have greater financial implications as we are not yet aware of their future pricing model (e.g. activity based charge) and will potentially limit flexibility to support other future programmes, such as integration. 5.2 Procure for routing of data flows via another CCG - The CCG could procure this service from another CCG that would have been approved as an ASH, however only a limited number of CCG s will be granted ASH status Information Governance CCG Accredited Safe Haven Application 3

4 6 Risks 6.1 It should be noted that there is a greater risk for CCG not going for ASH application as no NHS organisation has been granted permanent ASH status 6.2 A gap analysis carried out on the current list of requirements show the following areas as still requiring attention; All staff Information Governance Training Implementation of a pseudonymisation technical solution 6.3 ASH status can be withdrawn if CCG does not continue to maintain the requirements year on year 6.4 There may be additional risks when the requirements for the rest of the ASH application process become available 7 Costs 7.1 The CCG currently has an in-house analytics team to carry out the data processing requirements as an ASH. However, estimated additional costs identified to fully meet the requirements for stage 1 process include; Procure a software licence for pseudonymisation Approx. 30K (recurrent) Technical setup - Approx. 35K ( recurrent) Information Governance independent Audit- Approx. 5K (recurrent) 8. Current Position 8.1 The HSCIC has acknowledged the CCG expression of interest to become an ASH. The CCG has provided Information Governance (IG) evidence on the 30 th September 2013 to meet some of the stage 1 requirements. The CCG is awaiting further guidance on the next stages 8.2 It is expected that when all the stages are completed, the HSCIC will pass application for Approval/ or Not. If the CCGs application is approved, the CCG will sign a Data Sharing Contract (DSC) with the HSCIC. 8.3 If approved, continuous compliance with accreditation conditions such as year on year maintenance of level 2 (and above) of the Information Governance toolkit assurances and undertaking an annual audit of Information Governance assurances. A breach of these conditions will result in the ASH status being revoked 8.4 The CCG Information Governance Steering Group and Informatics & IMT Steering Group are currently working on an action plan for the tasks needed to fully achieve the current known requirements. The groups will also be assessing the controls that are required to manage the risks. Information Governance CCG Accredited Safe Haven Application 4

5 8.5 In addition to the CCG existing Information Governance risk management processes, the CCG will create an ASH specific Safe Haven Model which will be utilised if approved. This will detail data to be routed to the Safe Haven, pseudonymisation techniques, access controls, approval process for receipt and release of data, audit/monitoring and review process. 9. Conclusion 9.1 The CCG has undertaken a review of its commissioning functions, data access requirements and the need to manage the continuously evolving health intelligence requirements. This review was utilised to determine the need for CCG becoming an ASH. 10. Recommendation The Board is asked to; Approve the CCG ASH application subject to further guidance and final sign off to be via chairs action. Information Governance CCG Accredited Safe Haven Application 5