OPERATIONAL DIRECTIVE. Data Stewardship and Custodianship Policy. Superseded By:

Transcription

1 OPERATIONAL DIRECTIVE Enquiries to: Ruth Alberts OD number: OD0321/11 Performance Directorate Phone number: Date: February 2011 Supersedes: OD 0107/08 File No: F-AA Subject: Data Stewardship and Custodianship Policy In the course of its operations, WA Health collects, stores, uses and discloses a large volume of data. The data is an important resource used for the clinical care of patients, for funding, management, planning, monitoring, improvement, research and evaluation of health and health services in the state. The State of WA is the owner of all data collected by and within WA Health. The responsibility for its security, management and (legitimate) disclosure are delegated to the Director General of the Department of Health (DG). Through the various instruments of delegation, the DG delegates a number of these responsibilities to senior officers to administer and/or manage. Data Stewards have delegated responsibility for setting the overall strategic direction of data collections to ensure the collection is developed, maintained and utilised in accordance with the strategic goals of WA Health. Data Stewards are also responsible for authorising the access, use and disclosure of data from data collections for clearly defined purposes that comply with WA Health s statutory obligations. Data Custodians have delegated responsibility for the ongoing development, data collection maintenance and review of data collections. They are responsible for the quality of the data, its security, timeliness and adherence to standards. Data Custodians are nominated and endorsed by the Data Stewards. This policy documents the appointment of Data Stewards and Data Custodians and their associated roles and responsibilities. Kim Snowball DIRECTOR GENERAL DEPARTMENT OF HEALTH WA This information is available in alternative formats upon a request from a person with a disability. 1

2 Data Stewardship and Custodianship Policy Data Custodian Policy 1. BACKGROUND In the course of its operations, WA Health collects, stores, uses and discloses a large volume of data. The data is an important resource used for the clinical care of patients, for funding, management, planning, monitoring, improvement, research and evaluation of health and health services in the state, including accountability to the Minister for Health and Parliament. The State of Western Australia (WA) is the owner of all data collected by and within WA Health irrespective of the method of storage or size of the collection. The data is a valuable corporate asset that is managed to support the business of WA Health for the benefit of all Western Australians. WA Health data also includes highly sensitive business and personal information which needs to managed to ensure that confidentiality and privacy are maintained in compliance with the common law and all applicable legislation. 2. SCOPE This policy applies to all data collections, including those provided for by statute, held by or within WA Health. It includes collections of patient, corporate, financial and workforce information. The scope of this policy includes both paper-based and electronic data. For the purpose of this policy, a data collection includes both operational data collections and data repositories. 3. PURPOSE The purpose of the Data Stewardship and Custodianship Policy is to ensure that data is collected for a legitimate purpose, managed appropriately and only disclosed for an approved purpose. This is achieved through the allocation of accountability and responsibility for all data collections in WA Health by documenting how Data Stewards and Custodians are appointed and their roles and responsibilities. 4. POLICY A Data Steward and Custodian will be formally assigned to all data collections, regardless of size, where one or more of the following conditions are met: The data collection is used to meet business, operational or legislative requirements; The State of WA has a strategic need for the data; The data collection contains personal information; The data collection is used for reporting at a state level, national level or external to the health service where the data collection resides; or The data collection is used across multiple health services. Page 1 of 10

3 5. DELEGATED AUTHORITIES The State of WA is the legal owner of all data collected by and within WA Health. The responsibility for its security, management and (legitimate) disclosure are delegated to the Chief Executive Officer of the various government agencies. Within WA Health, the Director General of the Department of Health (DG) is the delegated owner of all data and information collected, stored, used and disclosed within the various entities. Through the various instruments of delegation, the DG delegates a number of these responsibilities to senior officers to administer and/or manage. Data Stewards have delegated responsibility for setting the overall strategic direction of the specific data collection to ensure the collection is developed, maintained and utilised in accordance with the strategic goals of WA Health. Data Stewards are also responsible for authorising the access, use and disclosure of data from the data collection for clearly defined purposes that comply with WA Health s statutory obligations. Data Custodians have delegated responsibility for the ongoing development, data collection, maintenance and review of the collection. Data Custodians are responsible for the quality of the data, its security, timeliness and adherence to standards. Data Custodians must be nominated and endorsed by the Data Stewards. The data collections within WA Health are stored in enterprise systems and local systems. 5.1 Enterprise Systems Enterprise systems are large-scale, integrated information systems which support processes, information flows, reporting and data analytics across WA Health. Typically enterprise systems are classed as tier 1 applications requiring 24 hour, 7 day per week availability and technical support. Enterprise systems for WA Health include EDIS, TOPAS, HCARe, icm, Psolis, TMS, AIMS/Clinical Incident Management System, Stork, ipharmacy, icm, Oracle Financials, Alesco and Objective. The Executive Director, Performance Activity and Quality Division (PAQ), is the Data Steward for enterprise systems. 5.2 Local Systems Local systems are small to medium scale information systems which support processes, information flows, reporting and data analytics within a local area. Typically local systems are classed as tier 2 and 3 applications requiring availability and technical support during business hours only. Data collections/information systems used within individual areas such as the Hospital Morbidity Data Collection, Finance Data Warehouse and Vehicle Booking Systems are considered to be local systems under this policy. Page 2 of 10

4 The Data Stewards for local systems are: Chief Executives (Tier 1b) for Metropolitan Area Health Services (AHS) Chief Executive (Tier 1b) for the WA Country Health Service (WACHS) Executive Directors (Tier 2) for the Department of Health (DOH) The diagram below illustrates the delegations of authority. Ownership State of WA Responsibilities Delegated Director General Data Steward Enterprise Systems: Executive Director PAQ Local Systems: Tier 2 (DOH) Tier 1b (AHS) Tier 1b (WACHS) Data Custodian Nominated and Approved by Data Steward 6. ROLES AND RESPONSIBILITIES OF DATA STEWARDS Data Stewards are responsible for: Setting the strategic direction for the data collection; Ensuring that information and communications technology (ICT) and information management investment for the data collection is aligned to the strategic goals of WA Health; Ensuring that projects and initiatives are aligned and coordinated to deliver the best value; Ensuring the use, disclosure and access to data meets legislative responsibilities and other arrangements entered into by the State; Developing a role based Access Control model which specifies the types of users that can access the data collection and the level of access permitted; Developing an Information Disclosure model which specifies the level of approval required prior to releasing information from the data collection based on the granularity and sensitivity of the information requested; and Nominating a Data Custodian for the day-to-day management, operation and support of each data collection. Page 3 of 10

5 7. ASSIGNMENT OF DATA CUSTODIANS Data Custodians are responsible for the day-to-day management of data from a business perspective. The Data Custodian aims to improve the accuracy, usability and accessibility of data with the data collection. For enterprise systems, Data Custodians must be nominated and endorsed by the Data Steward. For local systems, Data Custodians must be nominated and endorsed by the Data Steward following recommendation from the relevant Executive Team(s) within AHS, WACHS and DOH. Data Custodians are accountable to the nominated Data Steward for the data collection. The nominated Data Custodian for the data collection must complete the proforma in Attachment A, providing a summary of the data collection. The completed proforma must be endorsed by the Data Steward and submitted to the Information Development and Management (IDM) branch within the PAQ Division. IDM will submit relevant details on behalf of the Data Steward to the SHEF Performance Reporting and Governance Sub Committee for noting. 7.1 New Data Collections Prior to establishing a new data collection, a Data Custodian must be appointed for the data collection. All proposals for new data collections must designate a Data Custodian in accordance with this policy. 7.2 Existing Data Collections Data Stewards are responsible for coordinating the assignment of Data Custodians to existing data collections. This includes: Identifying data collections within the scope of this policy; Identifying the appropriate Data Custodian for each data collection by applying the criteria for selection specified in this policy in consultation with stakeholders; and Notifying the Data Custodian of their responsibilities. 7.3 Criteria for selecting Data Custodians The criteria for selecting the appropriate Data Custodian include: Competence, skills and authority to discharge the custodianship responsibilities; Understanding of the relevant legislation and policies; and Understanding of business needs of all users. Custodianship responsibilities for data collections may be allocated to an office or position but not to a named person. Page 4 of 10

6 7.4 Assignment of Custodianship Where powers and responsibilities for collection of data are assigned by statute they will be held and exercised in accordance with the relevant legislation and may only be delegated in accordance with the relevant legislation. Where custodianship responsibilities for data collections are not assigned by statute then the Data Steward must endorse the assignment of custodianship of the data collection. The assignment of custodianship will be in writing specifying details of the relevant data collection and the responsibilities allocated. Attachment A provides a template which needs to be completed. A list of officers assigned custodianship responsibilities will be published on the web to provide potential users of the data with a point of contact to discuss their requirements. 8. ROLES AND RESPONSIBILITIES OF DATA CUSTODIANS Data Custodians are responsible for the day-to-day management of data on behalf of the State of WA. This encompasses a range of responsibilities. Data Custodian s responsibilities include, but are not limited to, the following: (a) Data Collection Planning The responsibilities include ensuring that the design of the information system in which the data is stored, the implementation of changes to existing systems and the development of new systems, meets business needs. This includes: Identifying the information requirements including identifying and consulting with key stakeholders and users of the information system; Identifying the data items needed to meet the requirements; Identifying existing or overlapping sources of information; Identifying relevant standards, policies and guidelines; Identifying requirements to meet legislative responsibilities and other arrangements entered into by the State; Adhering to organisational metadata standards; Adhering to organisational data quality standards; Adhering to organisational data security standards; and Developing and maintaining system metadata. (b) Data Collection Management and Production Responsibilities include the day-to-day management and production of the data. This includes: Establishing data collection procedures; Ensuring data meets data quality standards; Ensuring data security; Ensuring data is not misused; Ensuring data is not misrepresented; Page 5 of 10

7 Establishing procedures to permit and review access to information as required by relevant legislation and in accordance with the requirements of the Data Steward; Ensuring data continues to meet business requirements; Ensuring access to and disclosure of data is in accordance with the Access Control model and Information Disclosure model as specified by the Data Steward; Extracting data for authorised uses; Providing data to authorised recipients; and Ensuring the retention, storage and disposal of data is in accordance with relevant legislation and organisational policies. Data Custodians may assign day-to-day tasks associated with their responsibilities to directly supervised staff. 9. RESPONSIBILITIES OF USERS All those who contribute to or use data collections within WA Health have responsibilities to other users, Data Stewards, Data Custodians, the DG and the State of WA. These responsibilities include: Maintaining agreed standards when collecting and submitting information to data collections; Using the data in an appropriate manner consistent with accompanying metadata; Citing the source and currency of information they use; Advising Data Custodians of any changes to their information requirements; Advising the Data Custodian of any errors or omissions in the data sets or information products they receive; and Maintaining confidentiality and security of the information in accordance with conditions of use and relevant legislation. Users who breach confidentiality and security may be subject to disciplinary action and other remedies available through legislative provision such as the Public Service Regulations and the Criminal Code. Unauthorised access, use and disclosure of confidential information is misconduct pursuant to the WA Health Code of Conduct and suspected cases may be reported to the Corruption and Crime Commission (refer to Information Security Policy). 10. DEFINITIONS A Data Collection is a systematic gathering of data for a particular purpose from various sources, including manual entry into an application system, questionnaires, interviews, observation, existing records and electronic devices. This includes both operational data collections and data repositories. A Data Repository includes data that is collected from various sources, including operational data collections for the primary purpose of monitoring, evaluation, reporting and research. Examples of data repositories include data held within the Hospital Morbidity Data Collection, Finance Data Warehouse and the Emergency Department Data Collection (EDDC). Page 6 of 10

8 An Operational Data Collection includes data that is collected as part of the day-today activities of an area for the primary purpose of tracking and managing the operational aspects of the area. The operational data collection is typically a transaction-based system which contains detailed data elements to represent the activities of the area. Examples of operational data collections include data held within Patient Administration Systems, TRIM, Financial Systems and Human Resource Management Systems. Personal information means information about an individual whose identity is apparent or can reasonably be ascertained. It includes both information of a sensitive nature (e.g. name, address, age, salary) and health information (e.g. diagnosis, treatment). WA Health incorporates the legal entities of the Metropolitan Health Service, WA Country Health Service, Department of Health and the administrative entities of North Metropolitan Area Health Service and South Metropolitan Area Health Service. 11. RELEVANT POLICIES Database Administration Standard Data Management Policy Information Security Policy Information Classification Policy Acceptable Use Standard Computing and communications facilities 12. RELEVANT LEGISLATION Hospitals and Health Services Act 1927 Health Legislation Administration Act 1984 Health Act 1911 Human Reproductive Technology Act 1991 Freedom of Information Act 1992 State Records Act 2000 WA Mental Health Act 1996 Financial Management Act 2006 Public Sector Management Act SUPPORTING DOCUMENT NSW Health Process for Approval of New or Modified Data Collections. NSW: NSW Health. (accessed on 17 January 2010) Page 7 of 10

9 Assignment of Data Custodian Please complete the questions below: Q1. Name of Data Collection Q2. Brief description and purpose of Data Collection Q3. The Data Collection is classified as: An Enterprise System A Local System Q4. Data Custodian (Include Name and Role or Position - names only are not acceptable) Name: Position/ Role: Q5. Do the data items that are being collected exist in another data collection? Yes If yes, specify the collection and the reasons it is not utilised No Health Data Collections Templates

10 Assignment of Data Custodian Q6. Impact of data collection on WA Health (e.g. supports reform initiatives; supports mandatory National requirements; required by legislation) Q7. Issues associated with data collection and how they will be resolved Q8. Estimated cost to establish and maintain data collection (if known) Health Data Collections Templates

11 Data Steward and Custodian Sign-Off Data Custodian Sign Off Name and Position or Role: HE Number/Signature: Date: Contact Details: Data Steward Sign Off Name and Position HE Number/Signature: Date: Contact Details: Name: Position/ Role Phone: Name: Position: Phone: Please submit completed template to the Senior Policy Officer (Ruth Alberts) within the Performance Activity and Quality Division. Ruth Alberts can be contacted on (08) if you require any assistance in completing the attached template. Health Data Collections Templates