Page 41 Agenda Item 7 HEALTH AND WELL BEING SCRUTINY COMMITTEE 9 JULY 2009 Sharing Data with and Connecting to the NHS Overview 1 Background 1.1 This briefing paper explores the options we have in order to improve how we can share data with and connect to the NHS. 1.2 This briefing paper covers four issues: i) Information sharing agreements ii) Access to shared and secure email iii) Connecting to the NHS Network and accessing NHS systems iv) Data Integration between NHS systems and Council systems 2 Current Position 2.1 The current position is that we have established both information sharing agreements and have facilities in use to allow us to send and receive email by secure email channels. 2.2 We have not been in a position to submit a request to connect to the NHS network because our network security was not acceptable. However following the successful achievement of the Government Connect secure connection we have upgraded our network security. There will be a requirement for additional security firewalls, but the work now required on the technical side is much reduced. We have not undertaken any detailed work to consider how we may approach data integration (imports and exports) between NHS and Social care systems. 3 Information Sharing Agreements 3.1 A number of information sharing agreements have been made between the Council (and is some cases shared with other councils) and different parts of the NHS. These cover both the Primary Care Trust and the Mental Health Trust. 3.2 These agreements govern the policies and procedures within which we can share data with the NHS and cover information shared both electronically (by email, memory stick) or in paper format. 3.3 These agreements are not however sufficient as a basis for connecting to the National NHS Network. In order to do that we need to follow the requirements of the Connecting to Health Information Governance Toolkit (see section 5 below).
Agenda Item 7 Page 42 4 Access to shared and secure email 4.1 We already have both the facilities in place and a number of council staff who have access to send and receive email via secure email channels. 4.2 There are now three different ways this can be achieved: i) Via the Criminal Justice Secure email gateway ii) By staff signing up for an NHS email account iii) Via the Government Connect secure email gateway. 4.3 A number of staff are using the Criminal Justice Secure email gateway, this is a simple procedure where all the employee has to do is add a different suffix to emails they send; and ask NHS staff to send emails to the council addressed with a different suffix. A guidance note has been issued and is available on the Intranet. 4.4 Council staff can apply for an NHS email account, which if the NHS agree will result in them being issued with a remote access token and a web address. This allows then to log on to an NHS extranet to collect and receive emails. 4.5 As from April this year staff can send secure emails through the government connect gateway. This follows the same procedure as the criminal justice email. We have not rolled this out as one of the prerequisites is that all staff complete mandatory on line information security training. 4.6 During 2010/2011 we will need to migrate our secure email channel to use the government connect gateway as the criminal justice secure email gateway will become part of the government secure intranet. 5 Connecting to the NHS Network and Accessing NHS Systems 5.1 The NHS do permit both NHS and non NHS bodies to connect to the national NHS network. There is a four step process to follow in order to achieve such a connection. 5.2 The four steps are: i) We need to complete the NHS Information Governance Toolkit providing both a compliance statement and an action plan against 51 controls that apply to social care organisations. ii) We need a letter from an NHS organisation which can be the Sutton and Merton PCT to sponsor our application for an NHS connection. iii) The Councils Chief Executive must submit a formal application requesting access to the NHS network, called a statement of compliance
Page 43 Agenda Item 7 iv) We need to submit a Logical Connection Architecture document, which unlike the Information Governance Toolkit is primarily the technical information such as network configuration diagram, security firewalls, and intrusion detection and prevention systems 5.3 It is estimated that this process will take between 3 and 6 months to complete, with the biggest hurdle being completion of the Information Governance Toolkit. Most of the work we undertook for the government connect submission can be edited and resubmitted for the statement of compliance. 5.4 Completing the Information Governance Toolkit will mainly involve managers within the social care function and needs to be led by what the NHS title a Senior Information Risk Officer (SIRO), the advice is this needs to be a Board level manager (the PCT SIRO is Dr Martyn Wake (Joint Medical Director). 5.5 The Primary Care Trust have 3 years experience of working with the toolkit and are willing to provide advice and guidance to the Council. They already share with us model polices adopted within the PCT and it should be possible to use these reduce the amount of work we need to undertake. 5.6 We can also engage security consultants to assist us with both the toolkit and the statement of compliance. Hytec who assisted us with the government connect submission, also provide similar services to both Councils and to other parties and are recognised by the NHS as approved security consultants. The cost for government connect work was 18,000 and was invaluable in achieving the required compliance. 5.7 We are now advertising for an Information Security Officer as a new post, their role will include working on the annual submissions required for both Government Connect and NHS connect. 5.8 If we connect to the NHS network this will allow council staff to access NHS email accounts (without having to send email through separate gateways) and subject to the application rules to access a number of NHS business applications. Such access could be limited to specific data or on a read only basis. 5.9 It would not allow the NHS to connect to the council systems, however there is a way we could permit this once the NHS N3 network is fully connected to the Government Secure Intranet. However in order to do that the PCT may have to complete a Government Secure Intranet code of compliance in the same way we have to complete the NHS IG Toolkit and submit a Logical Connection Architecture document.
Agenda Item 7 Page 44 6 Data Integration Between NHS and Council Systems 6.1 In theory we could progress such data integration before achieving the NHS connection; however in practice it is unlikely this would be permitted. 6.2 The main issue involved with resolving data integration issues is not the connectivity but is the format or records and fields in which the data is held. The NHS use the NHS number and other referencing systems and the way data such as name and address is held may be different. 6.3 In order to resolve this we would need to analyse what data it is we want to share, and how this is held in the different databases. This would result in a data mapping and data transformation diagram which could be used to develop either one or two way interfaces from the NHS to the council (and back). 6.4 The council has some experience in providing such interfaces as we have done this for a number of projects including linking our streetscene and customer relationship management systems and transferring data from the Paris social care application to both our ledger and to the local Contact Point database. 6.5 We also have tools that allow us to match data for example matching J Smith on one system to Jane Smith on another. This uses a combination of common data fields and setting rules that say if more than x % of data is common we believe the record is the same person, if that threshold is not met then further work is required before we can copy data from one system to another. 6.6 It is not possible to estimate how much such data integration may cost without having a clearer understanding of the requirements as this will involve a number of different parties including the suppliers of the respective NHS and council IT systems. 6.7 Using our own internal experience of data integration the street-scene to CRM system has been a success because the annual volumes of transactions exceed 50,000 in each direction. We have not however progressed integration from many of our web forms because the volume of transactions has not reached a high enough number to justify the cost of integration. 6.8 Thus in order to develop a business case for data integration we would need to understand the volume of data to be transferred, the current costs of duplicating data entry or the opportunity cost of not having access to the data. 6.9 We would also need to check if the respective IT system suppliers already had interfaces or integration adaptors provided for other
Page 45 Agenda Item 7 customers; or if not if other customers were also seeking to develop such. This could significantly reduce any supplier costs. The fact we are one of a small number of council s using the Paris social care system means this is less likely. 6.10 If required we can develop a business case for such data integration. 6.11 Currently there is a social services IT programme board chaired by Adi Cooper with the remit of dealing with Adult and Childrens Social services IT improvements. This board was set up in response to a previous scrutiny investigation. The business case for data integration between the NHS and London Borough of Sutton will be considered by this board. Nick O'Reilly Head of IT - Resources Group Email: nick.oreilly@sutton.gov.uk Tel.: 5839, FAX: 6323
Page 46 This page is intentionally left blank