INFORMATION GOVERNANCE STAFF HANDBOOK

Transcription

1 INFORMATION GOVERNANCE STAFF HANDBOOK

2 Contents Why do YOU need to know about Information Governance (IG)?... 2 Keeping Information Safe... 2 Confidentiality... 2 Deciding to Communicate Important Information... 3 Information Sharing... 3 Internet... 3 Protecting Important Information Stored on Computers... 4 Usernames and Passwords (including Smartcards - Registration Authority)... 4 Why we need to get it right... 5 Information Quality Assurance... 5 Records... 5 What happens when something goes wrong?... 6 Incident reporting... 6 We are all accountable... 6 Data Protection... 6 Freedom of Information... 6 Information Commissioner... 7 Where do I get help?... 8 Glossary of IG Terms... 9 Information Governance Policies IG Handbook E SCHNHST V9 September 2014 MASTER.doc 1

3 Why do YOU need to know about Information Governance (IG)? Everyone who works in healthcare must be aware of: The importance of the information we hold which may be confidential or sensitive and relate to patients, staff or the Trust What legislation, best practice and guidelines there are for looking after such important information Why you must take responsibility for how you obtain, record, use, keep and share information All staff, whether permanent, temporary or contracted, are responsible for making themselves aware of Shropshire Community Health Trust s IG requirements and complying with them on a day to day basis. Managers are also responsible for promoting Information Governance standards and ensuring compliance by their team members. Information Governance is EVERYONE S responsibility. Use this IG Handbook as a reference to signpost you to the Trust s IG policies, procedures and guidance Keeping Information Safe Confidentiality Confidentiality is defined as the right of the patient to know that information given is not shared freely either within the organisation where there is no need, or between agencies. Generally information can only be shared when there is consent. We work in complex areas in a community trust often closely with other agencies, so we all have to be very careful when we share information e.g. through notes, s telephone calls and just in talking to others. There are principles governing when information can be shared and these are the Caldicott principles. As a general principle be thoughtful and cautious and always seek advice if asked for information. If the situation appears very difficult seek advice from the Caldicott Guardian, Steve Gregory steve.gregory@shropcom.nhs.uk or initial advice can be sought from the Records Manager, Alan Ferguson, alan.ferguson@shropcom.nhs.uk, in his role as Caldicott support. IG Handbook E SCHNHST V9 September 2014 MASTER.doc 2

4 Deciding to Communicate Important Information Care and consideration should be given when deciding to communicate or transfer information. Consider if you actually need to send the information at all, or can it be accessed securely by other means and kept safe where it already is. Think about the most appropriate method of communication , USB memory stick, telephone call, fax or letter and how you can make sure the right person receives it. Information Sharing The Trust keeps records about the healthcare of patients to help ensure they receive the best possible care and we have a legal duty to keep this information confidential and secure. This information sometimes needs to be shared with other NHS organisations, social care or third parties. It can only ever be shared with the consent of the patient or under the terms of the Fair Processing notices we display and publish. These are posters or leaflets that explain to patients why we hold their information and why we may need to share it. The Trust must also comply with the NHS Care Record Guarantee which sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It is based on professional guidelines, best practice and the law and applies to both paper and electronic records. Internet The Internet is used a lot more in our day to day life and key risks to be aware of are: Phishing - a way of attempting to acquire confidential and sensitive information such as usernames, passwords and credit card details by websites masquerading as legitimate organisations. Malware/Virus - malicious computer programs designed to gather information that leads to loss of privacy or exploitation and gain unauthorised access to computer systems. Social Networking placing inappropriate information on social networking sites or other public forums such as Facebook. IG Handbook E SCHNHST V9 September 2014 MASTER.doc 3

5 Protecting Important Information Stored on Computers When you communicate using computer equipment, for example by , you must always ensure you protect it by encryption. The Trust s systems have the facility to do this; but it is your responsibility to understand how this should be used. The Trust s laptops and USB memory sticks are always protected by encryption. You should only use the Trust s computer equipment and systems to store, transfer or look at Trust Information. Refer to the Trust s Information Security Policy for more advice. Just as you would not leave important papers lying around, you must not leave your computer system vulnerable to others. So, when you move away from your computer e.g. for a coffee-break, meeting or to go home you should always leave the system safe. That could mean logging out, removing your smartcard, removing your USB memory stick, or switching off the equipment. Usernames and Passwords (including Smartcards - Registration Authority) In order to use the Trust computer systems you and your manager may need to apply for access. This may result in you being given a Smartcard, electronic token, username(s), initial password(s) and passcode depending upon the number and type of computer systems you need to access. Your password(s) and passcode are specific and identifiable to you and should be treated in the same way as a bank card PIN, for example, not shared with other people. Think where you keep a note of your password, e.g. it s pointless if you keep it in the case with your laptop or stuck to the side of your PC. You will need a Smartcard to access NHS Systems such as Lorenzo/iPM, Electronic Staff Records (ESR), Summary Care Records (SCR), (the Trust s main information systems). Smartcards are similar to a chip and PIN credit or debit card but they are more secure than a credit or debit card. A user s Smartcard is printed with their name, photograph and unique user identity number (UUID). The PIN is regarded as a digital signature and is auditable, so activity can be tracked back to an individual. It is not an identity card For further information contact your RA Team on or ra.admin@shropcom.nhs.uk or ra.admin@nhs.net IG Handbook E SCHNHST V9 September 2014 MASTER.doc 4

6 Why we need to get it right Information Quality Assurance Data quality is crucial to patient safety and the availability of complete, accurate and timely data is important in supporting patient care, clinical governance and management and service agreements for healthcare planning and accountability. For example risk issues may arise if we are unable to uniquely identify patients or send correspondence to the incorrect address; this is why using the NHS number is so important. The Trust recognises the importance of reliable information as a fundamental requirement for the speedy and effective treatment of patients; therefore Good data quality is not an optional extra it is a fundamental basis for the business of the Trust. All staff who record information, whether on paper or by electronic means, have a responsibility to take care to ensure that the data is accurate and as complete as possible. The data needs to be present at the time that processes require it, for both service delivery and reporting purposes so key staff must be aware of relevant deadlines. Individual staff members are responsible for the data they enter onto any system. We have to keep personal and public information accurate and up-to-date to comply with the Data Protection Act 1998 so if you see any inaccuracies or errors in paper or electronic records please report these to an appropriate person for correction. Records Records are important to any organisation; they are the means of providing evidence and information about that organisation. In simple terms without them there is no way to know who has done what. Records Management is the term used to cover the processes the Trust has in order to meet its legal and regulatory requirements. This covers any record generated whether paper or electronic and includes staff, corporate and health related records. Record keeping is also a requirement of professional practice e.g. e.g. General Medical Council and Nursing and Midwifery Council. Good record keeping practices ensures we have accurate and up to date records and that staff can work efficiently and don t waste time searching for documents. It is important that records management processes are documented and are included in new staff inductions and as part of their continued personal development. Records management covers the full lifecycle of a record from creation through to disposal. Whether it is a policy, contract, personnel or health record there must be an efficient means of finding it when required. Old records must be retained for set periods of time and then destroyed under appropriate confidential conditions. Good record keeping is the responsibility of all staff. IG Handbook E SCHNHST V9 September 2014 MASTER.doc 5

7 What happens when something goes wrong? Incident reporting You have a responsibility to identify and report any information security risks in order for the Trust to investigate and learn from them, e.g. you find a copy of patient notes in a photocopier, you see unattended computers in an area where they can be viewed by the public showing patient records or logged into a trust system. All IG serious incidents should be reported immediately to your line manager and on the incident reporting system, Datix. If applicable it should also be reported to the police and the IT Service Desk e.g. stolen laptop. Your line manager is responsible for confirming that all relevant people within the Trust have been informed. We are all accountable Data Protection The Trust needs to collect and use information about people in order to operate. These include current, past and prospective patients, staff and suppliers. There are legal safeguards to ensure this in the Data Protection Act 1998 and the Trust s Data Protection Policy provides more detail on the Act and the allocation of responsibilities. Under the Data Protection Act 1998 anyone has the right to see and have a copy of information which is held by the Trust about them. Ask your line manager to tell you who is the nominated Data Protection Liaison Officer for your service. This person will be trained to deal with requests for information and will know when information should not be released. For all other Data Protection enquiries please contact Gill Richards, Project Manager Information Services gill.richards@shropcom.nhs.uk Freedom of Information The Freedom of Information (FOI) 2000 gives members of the public the right to access information held by, or on behalf of, a public authority that does not relate to personal information (this would be where the Data Protection Act applies) As a general principle the Freedom of Information Act is applicant and motive blind. In other words it does not matter who the requestor is or why they want the information, they don t have to give a reason. For a request to be valid under the Freedom of Information Act it must simply be in writing stating the name and address of the requestor and describing the information requested then the Trust has to respond within 20 working days. IG Handbook E SCHNHST V9 September 2014 MASTER.doc 6

8 The request can be made to anybody in the Trust but we all need to know what to do with it. We will also have to respond to any request on environment such as air, water, soil and land under the Environmental Information Regulations 2004 (EIR) in the same way as we would deal with FOI requests made to the Trust. Please pass on any request to the Soma Moulik, FOI Manager, without any delay as the 20 working days limit begins as soon as a request is received in the Trust. Information Commissioner The Information Commissioner s Office (ICO) is the UK s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Information Commissioner can prosecute an organisation for failing to follow the IG rules for handling information. The ICO has the power to fine a data controller (that would be the Trust) or individuals as well if found personally responsible for a breach. Examples of recent fines and undertaking by the ICO: A fine of 120,000 was issued to Surrey County Council for a serious breach of the Data Protection Act after sensitive personal information was ed to the wrong recipients on three separate occasions A fine of 80,000 was issued to Ealing Council following the loss of an unencrypted laptop which contained personal information. Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies. An undertaking has been signed by Dartford and Gravesham NHS Trust following the accidental destruction of 10,000 archived records. The records which should have been kept in a dedicated storage area were put in a disposal room due to lack of space. An undertaking has also been signed by Poole Hospital NHS Foundation Trust after two diaries containing information relating to the care of 240 midwifery patients - were stolen from a nurse s car. The diaries included patients names, addresses and details of previous visits and were used by the nurse during out of hours duty. IG Handbook E SCHNHST V9 September 2014 MASTER.doc 7

9 Where do I get help and training? If you re new to the Trust please make sure, as an absolute priority, that you complete the IG training Mandatory Introductory Module (e-learning), which may be followed by a short face-to-face session. Every year you will need to update your IG knowledge via an e-learning Mandatory Refresher Module or workshop as required by your line manager or the IG Operational Group. If you are involved in an IG incident you will be required to undertake the face-to-face session. Specialist Information Governance training is available to those groups working within specific areas of expertise e.g. Records Management, Caldicott etc. All e-learning is accessible through the Trust s learning management system, Oracle Learning Management (OLM). The user guide How to access e-learning in ESR/OLM 825 is available on the Trust s website in the Staff Zone. Information Governance Contact List for Shropshire Community Health NHS Trust IG Role Name Contact Details Chief Executive Officer and Accounting Officer for Information Director of Finance and SIRO (Senior Information Risk Owner) Director of Nursing and Operations and Caldicott Guardian Records Management and Caldicott Support Data Protection and Information Governance Lead and Support Freedom of Information Information Security Information Quality Assurance Corporate Risk Manager Assistant Risk Manager IG Mandatory Training Registration Authority (RA) Smartcards Media Enquiries Local Counter Fraud Specialist Jan Ditheridge Trish Donovan Steve Gregory Alan Ferguson Gill Richards Sarah Hirst Soma Moulik Paul Stokes Lee Osborne Peter Foord Anita Bishop Deborah Hammond Sylvia Jones Gill Richards Andy Rogers Terry Feltus William Farr House jan.ditheridge@shropcom.nhs.uk William Farr House trish.donovan@shropcom.nhs.uk William Farr House steve.gregory@shropcom.nhs.uk William Farr House alan.ferguson@shropcom.nhs.uk William Farr House gill.richards@shropcom.nhs.uk sarah.hirst@shropcom.nhs.uk William Farr House soma.moulik@shropcom.nhs.uk William Farr House paul.stokes@shropcom.nhs.uk William Farr House lee.osborne@shropcom.nhs.uk William Farr House peter.foord@shropcom.nhs.uk anita.bishop@shropcom.nhs.uk Mercian House IT Training Centre, Oxon deborah.hammond@shropcom.nhs.uk sylvia.jones@shropcom.nhs.uk William Farr House gill.richards@shropcom.nhs.uk William Farr House andy.rogers@shropcom.nhs.uk William Farr House Mobile: terry.feltus@shropcom.nhs.uk IG Handbook E SCHNHST V9 September 2014 MASTER.doc 8

10 Glossary of IG Terms Term / Abbreviation Caldicott Guardian Care Record Guarantee Choose and Book (CAB) DATIX e-learning Encryption Explanation / Definition A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing The NHS Care Record Guarantee includes information on: people's access to their own records, how access to an individual's healthcare record will be monitored and policed and what controls are in place to prevent unauthorised access, options people have to further limit access, access in an emergency, what happens when someone is unable to make decisions for themselves. A national electronic referral service which gives patients a choice of place, date and time for their first outpatient appointment in a hospital or clinic. This is the system used by the Trust for healthcare risk management, incident reporting and adverse event reporting. Learning through electronic media The process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. All Trust Laptops and USB Memory Sticks are protected by encryption EIR Environmental Information Regulations 2004 EPS ESR Fair Processing FOI ICO IM&T IG IGT IGTT IT NCRS OLM Pseudonymisation SIRO Universal Serial Bus (USB) Electronic Prescribing Service Electronic Staff Record Fair Processing is the conditions which have to be met for any activity involving personal data to be lawful and ensure compliance with the Data Protection Act Freedom of Information Information Commissioner s Office Information Management and Technology Information Governance Information Governance Toolkit Information Governance Training Tool Information Technology NHS Care Record Service Oracle Learning Management A method which disguises the identity of patients by creating a pseudonym for each patient identifiable data item. Senior Information Risk Owner Universal Serial Bus (USB) is a specification for transferring data to and from electronic devices; in this case the electronic device is a memory stick which is used to store or transfer information. All Trust USB Memory Sticks are protected by encryption. IG Handbook E SCHNHST V9 September 2014 MASTER.doc 9

11 Information Governance Policies Confidentiality Code of Practice Data Protection Freedom of Information Information Governance Policy Information Quality Assurance Information Security Pseudonymisation Records Management IG Handbook E SCHNHST V9 September 2014 MASTER.doc 10