North West Core Skills Programme. Information Governance Implications

Transcription

1 North West Core Skills Programme Information Governance Implications Version number: 0.3 Author: Mike Farrell, North West Core Skills Programme Effective from: October 2012 Due for review on: October 2013

2 1. Purpose of Paper This paper considers the potential Information Governance issues and management implications generated by the implementation of the North West Core Skills Framework. 2. Background Healthcare organisations as part of their statutory and compliance responsibilities need to ensure that their staff have received training in core areas such as fire awareness, health and safety and conflict management. Typically, delivery of this type of training is undertaken on commencement of employment, with the need for organisations to also ensure arrangements for providing training updates on these subjects. The induction of new staff, including healthcare students on clinical and work placements, represents a significant organisational investment in terms of staff time (salary), logistics and resources. Given the movement of staff and students within the NHS and wider healthcare sector, evidence suggests that there is frequent duplication of learning and considerable variance in induction and updating arrangements, this has an adverse cost for organisations and impairs learner impact (PASA 2009). There is widespread interest in exploring how such training could be rationalised and from a learning perspective more effective. If this is achieved it is envisaged that a significant cost-benefit will also be realised. One of the ways these issues are being addressed is through the development of an agreed Core Skills Framework. There is a programme of work to implement such a framework across the North West which sets out guidelines in relation to expected learning outcomes and standards for delivery of a defined range of statutory and mandatory subjects. Details about the programme of work can be found at If the expected benefits of the Core Skills framework are to be realised there is a specific need to ensure that particular data related to a learners record of Core Skills Training, including elements of personal identifiable data, is collected and processed. To assist in collecting, managing and enable the appropriate sharing of learner data by authorised organisations/persons in relation to the use of the Core Skills framework across the North West a database tool called the Core Skills Register will be used. It is envisaged that those organisations involved in developing the healthcare workforce, such as education providers, post graduate deaneries and healthcare organisations involved in the delivery of mandatory training will utilise the Core Skills Register to submit, update or review learner data. It is anticipated that the use of the Core Skills Register will have potential Information Governance implications and this paper seeks to identify these implications and indicate how these will be managed.

3 3. Information Governance Implications 3.1 Why is the Core Skills Register needed? Many organisations can contribute to the delivery of Core Skills type training, however for some key groups of learners, most particularly healthcare students and doctors in training, they can be required to undertake and duplicate Core Skills training across a number of healthcare organisations. While these learner groups will be required to undertake such training as part of local organisational compliance needs, the lack of a centrally accessed record of learning in relation to Core Skills prevents the system-wide ability to know and recognise what Core Skills have been undertaken and achieved and when they need to be updated. Therefore, with the prime aim of preventing duplication of learning for both the benefit of learners and organisations involved in the delivery of Core Skills training, the Core Skills Register seeks to and enable easy, sufficient but robust recording of the Core Skills learning undertaken for the identified key learner groups. enable healthcare organisations to use the data to focus on planning training developments. For example, a healthcare student leaving university on completion of their healthcare programme may have undertaken all elements of the Core Skills framework and if this is captured and a record of this is then shared with their prospective employer, it is anticipated that the receiving organisation will accept this as evidence and adjust their induction programme so that they can avoid any duplication of learning. It is also envisaged that this record would also indicate when refresher training is required and thus aid logistical organisational planning and reporting. 3.2 How is Core Skills Training Information currently collected and shared? Currently, there is no standard way in which Core Skills type training is recorded. In part this is because of a lack of a consistent collecting and naming conventions for the recording of this type of learning activity. NHS organisations will collect Core Skills training type information and record this on their training management data systems. For most organisations, the Electronic Staff Record- Oracle Learning Management functionality will be used for this purpose. However, this information will only be collected for those staff directly employed by the NHS organisation. Education Providers are involved in supporting the delivery of some types of Core Skills training as part of their requirements to prepare learners undertaking healthcare programmes for safe clinical practice. Education Providers will record evidence of Core Skills type learning for students in a variety of ways, for example, through activity recorded on Learning Management Systems and attendance registers. This information may then be

4 maintained at faculty/programme level and/or included as part of any system used by the education provider to record overall details of student learning activity. Educational providers are asked to verify that students have undertaken any required core skill type training before commencing their clinical placements. However, given different Educational Provider processes and methods the way in which this information is shared with and received by healthcare organisations can be variable. This then impairs consistent monitoring. Key staff within healthcare organisations might then have to instigate their own data collection methods and systems in order to capture this type of activity. This creates the risk for further additional data collection activities which might then not be needed and which can then be inconsistent in terms of transparency and quality. The Deaneries within the North West collect data related to junior doctors learning activity in respect of Core Skills type training activity. This data, which typically reflects induction training undertaken by e-learning, is captured in the Deaneries learning management systems. Given that both Deaneries in the North West have a learning infrastructure in place to support doctors in training, some medical education support staff based in healthcare organisations can review and report on the data held in these learning management systems. Currently, the ways in which Core Skills type learning is recorded and shared between stakeholders who need to be aware and know what training has been undertaken is inconsistent and inefficient. Utilising a data collection system which captures and enables sharing of learning activity undertaken by key target groups and presents this information in a consistent way should have organisational and learner benefits in terms of promoting quality and consistency of information. This should also aid efficiency and data transparency. The following sections identify particular information governance issues 4. Data Collection 4.1 Who are the Key Data Target Groups? These will be those learners undertaking healthcare education/training programmes commissioned by NHS North West (and its successor bodies), where as part of any programme of study these learners will need to undertake any of the Core Skills training identified in the North West Core Skills Framework (and/or any national framework to which the North West Core Skills Framework is aligned). 4.2 What information will be captured? Learner Identifiable Data. Appendix 1 identifies the data items to be collected. Much of this information will already be collected and processed by the bodies identified in section 3.2.

5 4.3 Does it include any Person Identifiable Data? Personal Identifiable data, including Date of Birth, related to the learner will need to be collected. No patient identifiable information is needed or will be collected. Only the required data to ensure the correct identity of the learner will be collected. 4.4 Will it include contact information? Contact information will be collected however this will be collected for purpose of aiding identity rather than as a means for maintaining contact with learners (and sharing contact details with third parties). This contact information will include the: Learners full name and address Learners place of work or place of education study if undertaking a healthcare programme. 4.5 Will it include clinical / medical information (E.g. symptoms, medications)? The Core Skills Register will not contain any clinical or personal medical information. In addition no other sensitive personal information (i.e. Ethnicity, political opinions, religious beliefs, trade union membership, physical or mental health etc.) will be collected or shared. 4.5 How is the information submitted? To a secure database system, called the Core Skills Register, which will be managed through a website internet interface. 4.6 How will it be stored, kept up to date and disposed of when no longer required? The data will be electronically stored on a secure database. The data will be retained in line with training retention periods as identified in the NHS Records of Management - Code of Practice. 5. Information System Security 5.1 Who is responsible for data security? Skills for Health as the provider for the database functionality. 5.2 Is it through a log-in?

6 Access to the Core Skills Register database will only be allowed once an authenticated login identity has been established. 5.3 Is there an active audit log of access or access attempts? All Core Skills Register database connection attempts and all network accesses will be logged and retained for a fixed period of time. NHS North West have the ability to complete an audit report on all elements of the system (this has been recently added to the register at TGs request) 5.4 How are user identity details transmitted (encrypted?) and stored (encrypted, secure etc.)? SSL encryption will be used between browser and server and between servers in the data centre. User data in the database will be encrypted. 5.5 How will the information be stored? Learner data will be stored in a Moodle learning management system which has been engineered to utilise only the database functionality that this platform offers. The Moodle based database will be held on a dedicated server. 5.6 Are the servers physically secure (i.e. locked room etc.)? Physical servers upon which the Core Skills Register will be held are located in a purpose built data centre with controlled physical access. The data centre is ISO27001 certified. 5.7 Is the information encrypted? Data on the file system will be encrypted at the block level and decrypted when the server is booted. Data in the database is strongly encrypted using a shared key stored on the web server. 5.8 Is the information backed up (and are back-up media stored securely)? Learner data on the file system and encrypted data in the database will be backed up over an encrypted network tunnel, stored at a secure site, every 24 hours. 5.9 Are the servers subject to routine penetration testing?

7 The server and the application will be subject to penetration testing via a 3rd party, using tools such as Web Application Attack and Audit Framework Are the servers dedicated/separate or used to store other datasets? The virtual machines are dedicated to their respective purposes however they may reside on a physical server which hosts other services. 6. Access and usage of the Data 6.1 Who could access the data? Technical support staff from Skills for Health who will be hosting the database will be able to access the data as part of their role of responding to any technical issues related to data management or providing a support service to users of the database i.e. nominated users. Authorised persons, in roles supporting the development of the workforce and who will need to access the database to either update or review training data, will be able to access the data. Dependent upon their role and the type of organisation that they undertake work for persons will be able to access, review and update data based upon the following role profiles NHS North West System Administrator Healthcare Organisation Administrator Deanery Administrator/Medical Education Administrator Education Provider Administrator Reviewer 6.2 What vetting / written agreements & policies are in place for personnel who could access the data? Only nominated staff identified by the organisations involved in and supporting the delivery of the Core Skills Framework will be allocated the relevant database user profile permission. Those nominated staff will be issued with guidelines which will set out the purpose and expected responsibilities that they will need to maintain to ensure appropriate, secure and effective use of the database. These nominated staff will need to complete a confidentiality agreement. To ensure that organisations supporting the use of the Core Skills Register are aware of the purpose, scope and implementation implications of the Core Skills Register they will be given an action plan and asked to sign off on agreeing to and understanding the Information

8 Governance implications as offered here. They will also be required to agree to and support a data sharing protocol. 6.3 With whom is the information intended to be shared? Learners Healthcare organisations (Learning and Development/ Student Support services). Education Providers There is no expectation that information collected will be shared outside the European Economic Area. 6.4 Who owns the data? The organisations generating the data (Education Providers/ Healthcare Organisations) will be the owners of the information. 6.5 Who control the data? The Core Skills Register will be developed as a tool to support the delivery of the North West Core Skills Programme. This programme of work is overseen by a management board which comprises representatives from NHS North West Healthcare Organisations Education Providers North West Deaneries As the system manager, the data will be controlled by NHS North West (and or its successor body). 6.5 Who has authority to share it? The data owners will be asked to share the data for entry to the Core Skills register. It will be the role of the Data Controller to then enable sharing of data between stakeholders. Sharing of any data will be directed through the use of data sharing protocol. 6.6 Who is responsible for its accuracy? The data owners and those submitting entries to the Core Skills Register will need to ensure the accuracy of the data.

9 7. Fair Collection and Privacy Notice Given that most of the information identified in section 4.2 will already be collected by the bodies identified and for existing purpose it is envisaged that amendment of the bodies Fair Collection/Privacy notice should be sufficient to indicate that sharing of the learners data will also be allowed for the purpose of Core Skills. Those supporting learners in practice should ensure that details of the Fair Collection Notice related to the Core Skills Register are included in any handbooks or induction information and are shared with subjects whose details might be shared through the Core Skills Register. Appendix 1 identifies the suggested Fair Collection/Privacy Notice.

10 North West Core Skills Training Privacy Notice This notice has been developed to tell you about the need to share personal information about training you have undertaken with healthcare organisations who might be involved in supporting your training programme. Why is information about a specific aspect of my training being collected and shared? Healthcare organisations have to ensure that their staff and those undertaking training, work placements receive periodic mandatory training in order to ensure compliance with national quality and risk management standards. This type of training covers topics such as Health and Safety, Fire safety etc. Presently, there is significant duplication of mandatory training due to the rotational training systems in place, where a junior doctor and other healthcare students move for a training placement from one healthcare to another, may have to repeat training undertaken. One of the ways this issue is being addressed is through the development of an agreed Skills Framework, called the Core Skills Framework which is part of The North West Core Skills Programme. This programme of work is being supported by NHS North West which is one of the bodies responsible for the commissioning of healthcare training programmes. The aim through the use of the Core Skills Framework by healthcare organisations and Education Providers delivering healthcare training programmes is to prevent the duplication of mandatory training. This will be achieved by standardising the content of mandatory training and indicating expected refresher periods. Healthcare organisations and Education Providers within the North West are presently adopting the North West Core Skills Programme by ensuring their mandatory training is delivered to the standards defined in the Core Skills Framework. Further information regarding the programme please visit our website:- What and how will my information be shared? In order to prevent duplication there is a need to ensure training records related to those Core Skills training subjects that you have undertaken are accessible across healthcare Organisations. One of the ways this is being supported is through the development of a secured web-based application called the Core Skills Register. The Core Skills Register is designed to store records of Core Skills training undertaken and contains a small amount of personal identifiable information. This information will include, first name, surname, date of birth, , Registration Number (i.e. Student number, GMC/NMC Number), course name completion date. This type of data is required to ensure that the correct identity of individuals The ability to share your Core Skills training record and the agreed small amount of personal identifiable information will enable healthcare organisations/ education providers to review your mandatory training experience and have confidence you are trained to the appropriate level prior to a new placement and/or identify any specific updates that you might need. Only authorised personnel will be allowed to access these applications and view your record. The sharing of data between healthcare organisation/education providers will promote the efficient organisation and management of induction training, but also improve your own experience by not needlessly repeating mandatory training. A data sharing agreement/protocol has been developed that provides further information about the duties of those organisations involved. This is available from How can I get a copy of the record/information held? You will be able to obtain a copy of your record and information held via the authorised administrator within your employing healthcare organisation or education provider. What if I do not want my Core Skills Training Record to be shared?

11 Employer organisations and other bodies are required to carry out duties that may necessitate the sharing of your core skill training record. The rationale and agreement to share this data is set out in a data sharing protocol/agreement that is available online at If you do not wish to have your Core Skills Training Information shared via the Core Skills Register please notify enquiries@cmtpct.nhs.uk Further Information about the Core Skills Framework For further information regarding the Core Skills programme please contact enquiries@cmtpct.nhs.uk