Information Sharing Policy

REFERENCE NUMBER: IG 010 / 0v3 February 2013
VERSION: V1.0
APPROVING COMMITTEE & DATE: Clinical Executive Committee 5.2.13
REVIEW DUE DATE: February 2016
West Lancashire CCG is committed to ensuring that, as far as it is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on the basis of their age, disability, gender, race, religion/belief or sexual orientation. Should a member of staff or any other person require access to this policy in another language or format (such as Braille or large print) they can do so by contacting the West Lancashire CCG, who will do its utmost to support and develop equitable access to all policies.

Senior managers within the CCG have a responsibility for ensuring that a system is in place for their area of responsibility that keeps staff up to date with new policy changes. It is the responsibility of all staff employed directly or indirectly by the CCG to make themselves aware of the policies and procedures of that CCG.
CONTENTS (PAGE)

1 PURPOSE (4)
2 SCOPE (4)
3 GUIDANCE (4)
3.1 Information and Data Sharing (4)
3.2 Tier Zero Information Sharing Agreements (6)
3.2.1 Tier Zero (6)
3.2.2 Tier One (6)
3.2.3 Tier Two (6)
4 REFERENCES AND BIBLIOGRAPHY (7)
5 ASSOCIATED DOCUMENTS (8)
5.1 Other Associated Documents (8)
6 APPENDICES (9)
Appendix 1 Data Protection/Caldicott Principles (9)
Appendix 2 Tier 2 Checklist (10)
Appendix 3 Tier 2 Template (15)
1.0 PURPOSE

The purpose of this policy is to define clear rules (and associated authorisation governance processes) about what information (data) may and may not be shared, with whom, and for what purposes. There are also explicit requirements around data handling that ensure data is handled in a secure and confidential manner.

This document seeks to provide all NHS West Lancashire Clinical Commissioning Group (CCG) personnel who use patient data with guidance to safeguard the confidentiality of the patient when the data is used for purposes other than direct patient healthcare. This policy is concerned with the security of patient information when used for purposes other than direct patient care. This policy is in line with the NHS Operating Framework and the Information Commissioner's statutory Code of Practice.

2.0 SCOPE

This policy applies to all staff employed by or working on behalf of NHS West Lancashire CCG, including contracted, non-contracted, temporary, honorary, secondments, bank, agency, students, volunteers or locums.

3.0 GUIDANCE

3.1 INFORMATION AND DATA SHARING

Information sharing is essential to support patient care and to facilitate operational processes. Before developing an information sharing agreement it is recommended that a Privacy Impact Assessment is completed. This will provide a guide to ensuring that all aspects of privacy have been addressed and considered. Contact your Information Governance lead for a copy of the Privacy Impact template and to register your Privacy Impact Assessment.

When sharing information it is important to remember that, where possible, anonymised information should be used. Sharing information should comply with the Data Protection Act 1998, which breaks down the requirements into eight Principles to make it easier to follow. The principles are listed in Appendix 1 at the rear of this document.
In addition the Caldicott Principles must also be considered, to ensure that the information is used in the best interests of patients. The Caldicott Principles can be found in Appendix 1 of this document.

The following points define the NHS West Lancashire CCG approach for the sharing of information and data:

- Information / data use and sharing will meet legal requirements.
- All patient identifiable data flows to NHS West Lancashire CCG will be securely managed via the New Safe Haven (as required under pseudonymisation).
- Patient identifiable data will only be used for authorised primary use (direct patient care related) purposes. For secondary use purposes, national pseudonymisation rules will be implemented.
- Access to patient identifiable data will be:
  - to use the minimum amount of information required;
  - on a need to know basis;
  - within a secure system (technical and organisational).
- Person identifiable data will not be shared or otherwise released unless appropriately authorised.
- All information sharing must have agreed processes for authorising the use of patient identifiable data. Where there is no approved process already in place, the Caldicott Guardian holds responsibility for authorising (or not) the release of patient identifiable data.
- Any patient level data sharing with other organisations outside NHS West Lancashire CCG will be documented and reflected in authorised data sharing agreements and processes.
- Individual consent to sharing information will be sought where appropriate/possible (for example within approved Research Projects).
- Transfer of data will be via approved secure processes (technical and organisational) to prevent loss or unauthorised access.
- Publication rules will be adopted to ensure confidentiality issues, data sources, data quality and audit trails are sufficiently addressed / documented in published information.
- Aggregate data will usually be available to the public unless falling under Freedom of Information Act exemptions.
- Methods of transferring data will be secure and encrypted. Nhs.net to nhs.net using the Secure File Transfer is the preferred NHS West Lancashire CCG method of transferring data electronically.

3.2 Tier Zero Information Sharing Agreements

When information cannot be shared in an anonymised format with partner agencies, it becomes necessary for personal identifiable data to be shared between partners. In order to ensure the information being supplied is restricted to within necessary bounds, an Information Sharing Framework needs to be used. NHS West Lancashire CCG, along with many other NHS and local authorities, has signed the Tier Zero Information Sharing process in order to produce clarity and transparency, in addition to simplifying information sharing for staff and partner organisations.

3.2.1 Tier Zero

The Tier Zero is a simple two page overarching agreement signed once by the accountable officer of each partner organisation. Once signed this document is held by the agreed custodian and added to the matrix of partners, which should be displayed on NHS West Lancashire CCG's internet site for transparency. A copy of Tier Zero can be obtained from the Information Governance Lead.

3.2.2 Tier One

Tier One is the legislative part and the guidance that staff must follow, which has been assimilated into one document to support the writing and compliance of the actual information sharing document. A copy of the agreed Tier One is available from the information governance team at the commissioning support unit (CSU). This document is reviewed every two years or when new or additional legislation is introduced.

3.2.3 Tier Two

The Tier Two part of the information sharing agreement relates to the actual mechanics of:

- The reason for sharing information
- What information is to be shared
- By whom
- To whom
- In what format
- What frequency
- How it will be transferred
- Security arrangements
- Retention arrangements

To this end a checklist for completing the Tier Two has been produced and can be found at Appendix 2. Tier Two documents should be completed and agreed by the practitioners involved using the Tier Two document, which can be found at Appendix 2 and 3. Once agreed, the Tier Two should be signed by the Caldicott Guardian once they are satisfied that the arrangements are suitable and guidance has been followed. A copy of a fully signed Tier Two should be given to all parties for safe keeping.

4.0 REFERENCES AND BIBLIOGRAPHY

There are several acts and national guidance by which Information Governance abides. These include but are not limited to:

- Data Protection Act 1998, available from www.opsi.gov.uk
- Access to Health Records Act 1990, available from www.opsi.gov.uk
- Human Rights Act 1998, available from www.opsi.gov.uk
- Freedom of Information, available from www.opsi.gov.uk
- Record Management, available from: http://www.nationalarchives.gov.uk/recordsmanagement
- Common Law of Confidentiality
- NHS Confidentiality: Code of Practice, available from: http://www.dh.gov.uk/en/publicationsandstatistics/publications/publicationspolicyandguidance/dh_4069253
- Caldicott Report, available from: http://www.dh.gov.uk/en/publicationsandstatistics/lettersandcirculars/healthservicecirculars/dh_4004793
- NHS For the Record, available from: http://www.dh.gov.uk/en/managingyourorganisation/informationpolicy/recordsmanagement/index.htm
- The Abortion Regulations Act 1991, available from: http://www.opsi.gov.uk/si/si1991/uksi_19910499_en_1.htm
- The Computer Misuse Act 1990, available from: http://www.opsi.gov.uk/acts/acts1990/ukpga_19900018_en_1.htm
- The Census (Confidentiality) Act 1991: http://www.opsi.gov.uk/acts/acts1991/ukpga_19910006_en_1.htm
- The Civil Evidence Act 1995: http://www.opsi.gov.uk/acts/acts1995/ukpga_19950038_en_1.htm
- The Electronic Communications Act 2000: http://www.opsi.gov.uk/acts/acts2000/20000007.htm
- The Public Interest Disclosure Act 1998: http://www.opsi.gov.uk/acts/acts1998/19980023.htm
- Crime and Disorder Act 1998: http://www.opsi.gov.uk/acts/acts1998/19980023.htm
- NHS Retention of Records, available from: http://www.dh.gov.uk/en/publicationsandstatistics/publications/publicationspolicyandguidance/dh_4131747

5.0 ASSOCIATED DOCUMENTS

- Report on the review of patient-identifiable information (the Caldicott report), Dame Fiona Caldicott, 1997. Provided a set of rules and regulations concerning the use of patient data by the NHS. (http://www.dh.gov.uk/en/publicationsandstatistics/publications/publicationspolicyandguidance/dh_4068403)
- Data Protection Act 1998. Legislation governing the use of information about living individuals. (http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1)
- NHS Connecting for Health guidance on information mapping and data flows of Personal Identifiable Data (PID). (https://www.igt.connectingforhealth.nhs.uk/whatsnewdocuments/information%20mapping%20guidance%20document%2007%2001%2008.doc)

5.1 OTHER ASSOCIATED DOCUMENTS

Document Title:
- Information Governance Policy
- Email And Internet Usage Policy
- Pseudonymisation Policy
- Information Security Policy
6.0 APPENDICES

6.1 Appendix 1 Data Protection/Caldicott Principles

DATA PROTECTION ACT 1998 PRINCIPLES AND PRACTICES TO ENSURE COMPLIANCE

Principle 1: Personal data shall be processed fairly and lawfully.
Principle 2: Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Principle 3: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Principle 4: Personal data shall be accurate and, where necessary, kept up to date.
Principle 5: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Principle 6: Personal data shall be processed in accordance with the rights of data subjects under this Act.
Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Principle 8: Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

CALDICOTT PRINCIPLES for handling patient-identifiable information

Principle 1: Justify the purpose(s).
Principle 2: Don't use patient identifiable information unless absolutely necessary.
Principle 3: Use the minimum necessary patient identifiable information.
Principle 4: Access to patient identifiable information should be on a need to know basis.
Principle 5: Everyone should be aware of their responsibilities.
Principle 6: Understand and comply with the law.
6.2 APPENDIX 2 Tier Two Checklist

Columns of the checklist: Paragraph number; Question; Answer (left blank for completion).

3a Who are the organisations who are party to the agreement?
3b Why do you want to share? What is the purpose of information sharing? Does the purpose comply with the Data Protection Act and other key legislation listed in Tier 1?
3c What will the benefits of sharing be?
3e Are there statutory duties to share this information? Is it a partnership as a direct result of legislation or a government initiative? Are there any restrictions on sharing this information (legal, commercial)?
3f What information do you need to share? Is confidential or sensitive information to be shared? List specifically what data is intended to be shared.
3g Are there any alternatives to sharing personal information? Can the information be anonymised?
3h What are the consequences of not sharing information?
3i Who will be affected by the agreement? e.g. children, older people, people living in a particular area, specific groups. What are the risks in sharing the information? Is any individual likely to be damaged or harmed by information being shared? Is any individual likely to object?
3j What new processes or procedures will be required to enable information to be shared? Will new or changed authentication checks be required that could be intrusive? i.e. how will the information be obtained, who will access it, when is access necessary, audit trails, physical security and system security. How will staff be trained in using the new process/procedure? The procedures could be attached to the completed Tier 2 document or reference made to where they will be held.
3k Are outside contractors to be used? Contracts need to include a confidentiality clause re Information Governance security requirements.

4 How will the public be informed that their information will be shared? The public need to be told:
4a What information will be shared?
4b Who with? Which staff/organisation will see it?
4c When will information be shared?
4d Is a Fair Processing Notice required?
4e How will you distribute the fair processing information?
4f Do the public know who to contact for enquiries?
4g How will consent be obtained to share the information?
4h What procedures will be in place to allow sharing without consent? Include risk assessments and documentation of the decision.

5a What quality assurance checks are in place to ensure recorded information is of an acceptable quality?
5b When will information be recorded, and who will record the information?
5c Is the information collected relevant? Will all the information be needed?
5d How will the quality of the information be reviewed?
5e Who will be the data controller?

6a What retention period has been agreed for the information?
6b What is the review period for the retention policy?
6c What are the legal requirements to retain or delete information?
6d Will the information be archived or deleted when no longer required? How will this be done?
6e Who will be responsible for holding the information? (The Information Asset Owner for the information)
6f Who will be responsible for ensuring each organisation complies with the agreed retention policy, and how will this be done?

7a Who will be responsible for security of the system holding the information? Who will monitor access to the system and report breaches/incidents? What process is in place to deal with incidents/breaches or staff non-compliance with procedures?
7b Who will be responsible for technical security? (user access, issue of passwords, system restrictions, backup procedures for the system)
7c Is there organisational security in place to prevent access to offices, fax machines, computers or areas where personal information may be seen by the public?
7d Who is the data controller for the information? Need to agree the responsibilities of each organisation and document them.

8 Who will process Subject Access Requests and how will this be done? Subject Access Request = where service users have requested to see their personal information, i.e. which organisation will process Subject Access Requests? Do the public know how they can access their information?

9 What review period has been agreed for the Information Sharing Protocol? Need to check that the sharing of information is still achieving its objectives, is still appropriate and the safeguards still meet the risks. Who will undertake the review?

10 What is the process for dealing with complaints from service users? Who will process them? How will they be reported to partner organisations?

11 Detail the process for resolution of a dispute between partner organisations: nominated officers for dealing with the dispute, investigations, findings, remedial action, consequences, notification of affected service users and organisations.

12 Include a list of lead officers involved in agreeing this Information Sharing Protocol. Obtain signatures from lead officers when they have agreed, and ensure copies of the signed Information Sharing Protocol are given to all parties including the Information Governance Team for the organisation.
6.3 APPENDIX 3 Tier 2 Template

NORTH WEST AND PARTNERS INFORMATION SHARING CODE OF PRACTICE
Template for Information Sharing Code of Practice
Operational Guidance for Staff (Tier 2)
2011
1. Tiered Framework of the Information Sharing Code of Practice

This Overarching Standard for Information Sharing is designed to be used in conjunction with a set of documents within a Tiered Structure. The structure is designed to provide a framework for the secure and confidential sharing of information between the partner organisations that contribute to the wellbeing of residents, and to ensure disclosure is in line with statutory requirements. Information may be stored in many different formats, such as physical, electronic, audio or video.

There are 3 main tiers to the structure:

Tier Zero - This is a document signed by a Chief Executive of an organisation agreeing in principle to share information responsibly. The names of all agencies in agreement are listed and can be added to as more agencies become involved. Organisations should, if possible, place copies of Tier 0 and Tier 1, and a list of partner organisations, on their internet sites to reassure the public of their commitment to sharing responsibly. If not this Tier 0 document, a document similar to a Tier 0 document must be signed by the Chief Executive of all organisations wishing to take part. Only one Tier 0 document need be signed by the Chief Executive for any number of Tier 2 documents agreed beneath it.

Tier One - This is an overarching standard outlining the agreed procedures for sharing information. It is this document which sets the standards for obtaining, recording, holding, using and sharing of information. It outlines the supporting legislation, guidelines and documents which govern information sharing between partner organisations.

Tier Two - This gives guidance to operational practitioners on the production of a protocol for the safe sharing of information. These protocols should show what information should be shared, and how, under what circumstances and by whom, and should be tailored to individual partnerships. This document will require authorisation of the participating partnership organisations. A copy of this document should be lodged with the Information Governance section. Guidance would suggest that the following are included:

- Fair processing notices
- Consent leaflets
- Social Care Record Guarantee
- Confidentiality statement
- Subject access
- Privacy Impact Assessment

This Code of Practice is designed to simplify and strengthen the sharing of information between partner organisations in the North West, along with other partners which border the geographical area and with whom we may share information.
Tier 2 Information Sharing Code of Practice Guidance

2. Introduction

The Government understands that it is most important that people remain confident that their personal information is kept safe and secure, and that practitioners maintain the privacy of the individual whilst sharing information to deliver better services. It is therefore important that practitioners can share information appropriately as part of their day-to-day practice, and do so confidently. The Data Protection Act 1998 is not a barrier to sharing information but provides a framework to ensure that personal information is shared appropriately.

SOLACE (Society of Local Authority Chief Executives) advise:

- Keep information safe and accurate - prevent leakages, respect the citizen's preferences for how it is used and retain sound and appropriate records.
- Share and exploit information - exploit for better services, adopt new practices, share information with partners, gain value for money and continuous improvements against targets.

This template contains general guidance and descriptions of what an Information Sharing Protocol needs to contain. There are 10 areas which need to be covered. You can either cover each topic individually, or you may find that with your particular document you are able to cover more than one topic in each section. You may also find that there are issues which you want to include but which are not specified in this document, in which case you should go ahead and include anything which you feel is relevant and lawful. Some examples of suitable text are given, although it is not possible to do this for the major part of the document as each new protocol is individual and specific to the project.

It is advised that you look at the other tiers in the framework before embarking on the creation of your Information Sharing Protocol, as a substantial amount of information is included in the other documents and time can be saved by not repeating any of the text but by referring to the other tiers.

Prior to implementing any joint working arrangement it may be appropriate to perform a short Privacy Impact Assessment (PIA). If you need further information regarding this, you can obtain it from your Information Governance Group.
Your Information Sharing Tier 2 document should relate to the following:

3. Introduction

You should begin your Tier 2 document with a general explanation of why you need to share information for your specific purpose / project. This explanation should include:

a. Who are the organisations who are party to the agreement?
b. Why do you want to share? Purpose of Information Sharing
c. What will the benefits of sharing be?
d. What information do you need to share?
e. Statutory duties to share, restrictions on sharing - is this partnership a direct result of legislation or a government initiative?
f. Whether confidential or sensitive information is to be shared - list specifically what data is intended to be shared
g. Alternatives to sharing personal information
h. What are the consequences of not sharing information?
i. You should include who will be affected by the agreement. Will it be children, older people, people living in a particular area, people with specific needs etc?
j. Processes and procedures relating to the practicalities of the particular project can be included in this section of the document or can be added as an appendix. Alternatively the document can refer to a training document or specific available guidance.
k. Are outside contractors to be used? Contracts need to include a confidentiality clause re Information Governance security requirements.

4. Fairness and transparency

The protocol should say what steps will be taken to tell the public:

a. what type of information about them may be shared,
b. who it may be shared with and
c. the likely consequences of sharing.

This can be done by:

d. Drafting fair processing notices
e. Distributing fair processing information - you will need to decide how you are going to do this and ensure that you provide informative, up to date notices (samples available in Appendices to Framework)
f. Providing further information / dealing with enquiries
g. How will consent be obtained to share the information?
h. Providing details regarding circumstances when it may be necessary to share without people's knowledge or consent

Example of suitable text to use:

4. Commitments to the public given through the Code of Practice

The Code of Practice is a sign of commitment and a demonstration to the public about how information is used. When at all possible the public will be informed at first contact of the purpose of collecting information and how it will be stored, used and shared. Consent to share should also be gained at the first suitable opportunity.
The partnership organisations will:

- Ask for permission to collect and share the public's information.
- Explain why they are using the public's information, and will only use it for those purposes.
- Explain who will see it and limit access to the citizen's information only to persons who need it.
- Collect minimum personal and sensitive information to meet the identified needs of the citizen and not ask for information which is not relevant.
- Record and share citizens' needs with partner organisations as appropriate.
- Keep information about citizens as accurate and up-to-date as possible with the citizen's help.
- Respect citizens' rights under the Data Protection Act 1998, including the citizen's right to see the information which has been recorded about them.
- Protect citizens' information with the highest standards of security and confidentiality.
- Tell citizens how they can get more information, including:
  - how they safeguard their personal information;
  - how citizens can check and correct any information they hold;
  - how to raise a query or a complaint.
- Only keep the information for as long as needed or as required by statute.

There may be occasions when information is shared without consent. In these cases the Data Protection Act 1998 will apply.

The protocol should document how you intend to inform the service users at first contact - leaflets, how often the information should be given to them, etc. You may also want to include procedures to be followed should it be decided to share information without consent - risk assessments, documentation of the decision, etc.

5. Information Standards

It is important that a partnership makes a commitment to maintaining quality information. The following should be considered when producing your protocol:

a. Information Quality - quality assurance checks
b. Recording Information - where, under what circumstances, by whom
c. Relevance
d. Reviewing information quality
e. Who will be the data controller

6. Retention of shared information

The Data Protection Act 1998 states that information should only be kept for as long as necessary, so the following will need to be considered and documented:

a. Retention periods
b. Reviewing a retention policy
c. Legal requirements to retain or delete
d. Deletion and archiving
e. Retaining information supplied by another organisation
f. Compliance with each individual organisation's policies
Specify how long data will be retained. Explain that if joint records are being created using the shared information, the retention period must be the longer of the retention periods required by the legislation governing each agency. If individual organisations already have retention and destruction policies, mention them.

7. Security of shared Information

It should be made clear that all party organisations should have sufficient levels of security in place, and the following should be considered:

a. All levels of security, monitoring access to records
b. Technical security arrangements - passwords, system restrictions
c. Organisational security arrangements - making sure the public do not have access to fax machines, cannot see notice boards, confidentiality standards, CRB checks
d. You should consider who is the data controller and the associated responsibilities

Security standards are covered in the Tier 1 document, which can be referred to in this section.

8. Access to personal Information

People should be informed how they can gain access to their information; your protocol should state how you are going to do this. Consideration should be given to:

a. Helping people get access to their information
b. Other ways of giving access
c. Providing all the information - who will be responsible for editing and providing this?

Example of suitable text:

8. Data Subjects are entitled to know what information we hold about them. If any of their details are wrong, they should tell us and we will correct them. If data subjects would like access to their information they should apply in writing. Applications should be sent to:

The Data Protection Officer (Please insert your own lead)
PO Box 100
County Hall
Preston
PR1 0LD

The relevant organisation is obliged to reply to the request within 40 days.

9. Review

Outline arrangements for who will review the document and how regularly the document should be reviewed should be included in the protocol.

Example of suitable text:

"9. Review and Monitoring of the Tier 2 document

The Parties will formally review the Information Sharing Protocol Tier 2 document 3 months, 6 months and 12 months after the commencement of this protocol, and thereafter at least once a year or earlier if requested in writing by either party."

A template for listing lead officers can be found in the Appendices to the Tiered framework.

10. Complaints

There should be guidance on how each organisation is to handle complaints which may be against members of a partner agency. There should be a standard approach to handling such complaints. Named contacts for complaints advice in each agency should be included in this section.

Example of suitable text:

"Each Partner Organisation will deal with complaints in accordance with their own procedures, which will ensure that:
- service users are aware that they can complain and of how to go about it;
- complaints are resolved at first contact if possible;
- complaints are acknowledged promptly in writing;
- the complaint is investigated fairly and thoroughly;
- service-users are given an appropriate written response;
- if appropriate, the appeals procedures are explained to the service-user."

11. Non Compliance and Partner Disagreement

In the rare event that a dispute arises it should be clear what action should be taken.

Example of suitable text:

"In the event of a suspected failure within their organisation to comply with this Agreement, Partner Organisations will ensure that an adequate investigation is carried out and recorded. If the Partner Organisation finds there has been a failure it will ensure that:
- necessary remedial action is taken promptly;
- service-users affected by the failure are notified of it, the likely consequences, and any remedial action;
- Partner Organisations affected by the failure are notified of it, the likely consequences, and any remedial action.

If one Partner Organisation believes another has failed to comply with this Agreement it should notify the other Partner Organisation in writing giving full details. The other Partner Organisation should then investigate the alleged failure. If it finds there was a failure, it should take the steps set out above. If it finds there was no failure it should notify the first Partner Organisation in writing giving its reasons.

Partner Organisations will make every effort to resolve disagreements between them about personal information use and sharing. When doing so they should refer to the Tiered Agreements and Associated Documents. However, they recognise that ultimately each organisation must exercise its own discretion in interpreting and applying this Agreement in line with guidance from the Information Commissioner.

Nominated representatives should ensure they are notified at an early stage of any suspected or alleged failures in compliance or partner disagreements relating to their Partner Organisation."

12. Appendices

A list of lead officers involved in agreeing this protocol should be included.

13. Signatures

Explain that by signing this, partners are signing to the whole of the Information Sharing Protocol, including the other tiers, and must agree to the principles.

Example of suitable text:

Signed for and on behalf of Organisation a (this should be the Information Governance Lead) ..........
Name ..........
Position ..........
Date ..........

Signed for and on behalf of Organisation b ..........
Name ..........
Position ..........
Date ..........