Information Sharing Protocol
South Central PCTs, General Practices and Tribal Consulting Limited
Commissioning Enablement Service (Analytics)
Document Control

Date | Version | Author | Comment
08/02/10 | 0.1 | A. Bonfield | Initial Draft
17/02/10 | 0.2 | A. Bonfield | Inclusion of comments from Jon Fistein & Wally Gowing (Tribal)
10/03/10 | 0.3 | A. Bonfield | Inclusion of comments from Simon Hay, CES Team
16/03/10 | 0.4 | A. Bonfield |
19/03/10 | 0.5 | A. Bonfield | Inclusion of comments from NHS Oxfordshire & Beechcrofts; Update following further feedback from Tribal
23/03/10 | 0.6 | A. Bonfield | Rationalised version
24/03/10 | 0.7 | A. Bonfield |
25/03/10 | 1.0 | A. Bonfield | Final
15/09/10 | 1.1 | A. Bonfield | Oxford & Tribal final comments included; Updated to include General Practices

SCPCTA ISP001 Information Sharing Protocol v1.1
Table of Contents

1. Introduction & Background
2. Purpose of the Protocol
3. Information covered by this Protocol
4. Key Principles
5. The Legal Framework
6. Procedure for Sharing Information
7. Responsibilities
8. Governance and Compliance
9. CES Analytics Toolset & Tribal's obligations
Appendix 1 ISP Agreement Signature Page
Appendix 2 Template Subject Specific Information Sharing Agreement (SSISA)
1. Introduction & Background

South Central PCT Alliance ("SCPCT Alliance") are working in collaboration with Tribal Consulting Limited ("Tribal") to develop a service that provides the world class information, tools and skills required to optimise patient care and reduce costs over the next four years. As part of this programme of work, Tribal will deliver a Commissioning Enablement Service (CES) that will enable South Central PCTs and General Practices to:

- analyse the quality and effectiveness of clinical services across South Central
- ensure that patients receive treatment in the best possible setting (e.g. at home, in their communities or in hospital)
- manage contracts and financial systems more effectively across the PCTs by avoiding duplicated effort, and
- understand the health profile of people in South Central, predict their future healthcare needs and plan for the resources that might be required.

These improvements will help the PCTs, General Practitioners and clinicians to provide better care by identifying the patients who most need care, making sure they receive it at the right time and ensuring that the health service plans for the future. By working in this way, PCTs and General Practices can make sure they reduce waste and inefficiency at the same time as increasing standards of care. At the heart of the service is the principle that poor quality care wastes money.

To facilitate the required analyses, it is imperative that there is access to good quality information from across the South Central area that can be interrogated and manipulated by the CES Analytics Service (initially a Tribal based team). Therefore there is a requirement to have a co-ordinated approach to information sharing between the PCTs, General Practices and Tribal to ensure that a consistent process is in place and managed appropriately.
This Protocol, therefore, is an overarching framework that identifies the guidelines and principles under which sharing of information between the signatories will be undertaken to ensure that data is managed according to currently available best practice guidance on the protection and use of confidential information.

This Protocol will be supported by Subject Specific Information Sharing Agreements (SSISAs), which will detail by dataset the items to be shared and the associated controls around their use and management.

This document has been developed to be read in its entirety; it should be a publicly available document, accessible from each organisation's web site.
2. Purpose of the Protocol

The purpose of this Protocol is:

- To identify the categories of information that are covered by this agreement;
- To set out the principles which underpin the sharing of information;
- To confirm the legal framework obligations for the secure sharing of confidential information;
- To identify the process for initiating the sharing of datasets;
- To set out the responsibilities of all parties involved in this programme;
- To identify the governance arrangements in place to manage and maintain this Protocol.

3. Information covered by this Protocol

This Protocol refers to all information, in whatever form, that is shared between the SCPCT Alliance, General Practices and Tribal in support of the CES Analytics Service.

Data provided would constitute use under the Healthcare Medical and Non-Healthcare Medical purposes as defined by the Connecting for Health document NPFIT-FNT-TO-BPR-0023.01, Pseudonymisation Implementation Project (PIP) Reference Paper 1, Guidance on Terminology dated 20/11/2009 (see Table 1 below).

Table 1 Terminology

Term | Description
Healthcare Medical Purpose | Includes the uses which directly contribute to the diagnosis, care and treatment of an individual and the Audit/Assurance of the quality of healthcare provided. In these cases person identifiable data can be used, but only the minimum amount of data should be used, and appropriate safeguards should be in place.
Non-Healthcare Medical Purpose | Includes the Management of Health Care Services (PbR, World Class Commissioning). In these cases generally effectively anonymised data should be used, unless consent has been gained from the patient or there are special circumstances, such as an overriding public interest, or a route such as via Section 251 of the NHS Act 2006 or the Health Service (Control of Patient Information) Regulations 2002.
Effectively Anonymised | Data from which the recipient is unable to infer the identity of an individual without the application of unreasonable effort.
4. Key Principles

The parties recognise the importance of sharing information with each other in line with this Protocol and the law and agree to co-operate fully with each other in that respect.

The parties agree to share information in accordance with the Data Protection Act 1998 and the Caldicott guidelines on the protection and use of patient information. The obligations of both parties are given in the External Support Services Agreement (ESSA). For ease of reference, these are summarised below:

The Data Protection Act 1998 provides that data should be:

- fairly and lawfully processed;
- processed for limited purposes;
- sufficient and relevant;
- accurate;
- not stored for longer than is necessary;
- processed in line with the relevant individuals' rights;
- secure; and
- transferred only to countries with adequate security.

The Caldicott guidelines reflect those key principles:

- Justify the purpose(s) of using person-identifiable and confidential information;
- Only use it when absolutely necessary;
- Use the minimum that is required;
- Access should be on a strict need-to-know basis;
- Everyone must understand his or her responsibilities; and
- Understand and comply with the law.

In compliance with these principles and the ESSA agreement in place between the SCPCT Alliance, General Practices and Tribal, the parties will ensure that:

- Data will only be shared where a SSISA has been signed by the relevant signatories.
- Data will only be used for the purpose detailed within the relevant SSISA.
- Data will be transmitted between parties via secure means in line with the requirements laid down in the SSISA, NHS Information Governance standards and ISO27002.
- Data will be held by Tribal in a secure data centre at McKesson Information Solutions UK Ltd, European Headquarters, Warwick Technology Park, Warwick, CV34 6NZ and the CES office in Reading and appropriately protected in line with NHS Information Governance and ISO27002 guidance.
- No data will at any time be processed or transferred outside of the data centre other than for back-up / disaster recovery purposes, in which case such data will be held in another McKesson secure Data Centre at Benfield Road, Newcastle upon Tyne, NE6 4PZ. To support the analytical programme, subsets of data will also be held at Tribal's secure site at Premier House, 60 Caversham Road, Reading, RG1 7EB. The prior written consent of the SCPCT Alliance is required for any arrangements other than those described in this paragraph; such consent may be granted by way of a fully executed SSISA which describes the alternative arrangements.
- Robust procedures will be developed by Tribal (and shared with the SCPCT Alliance) to manage the access and use of data when within the Tribal managed environment.
- The data lifecycle will be managed as per the SSISA.
- Data sharing will operate within existing ethical and legal frameworks to ensure that the rights of the individual are protected.

The information governance manager at NHS Oxfordshire (the "Information Governance Manager") will review and ensure compliance with these key principles and the parties are required to co-operate with the Information Governance Manager in that respect.

5. The Legal Framework

Each signatory to this Protocol undertakes that it will adhere to the legal principles outlined in the ESSA when considering the sharing of information. These are listed here for convenience:

- Human Rights Act 1998
- Data Protection Act 1998
- Access to Health Records Act 1990
- The Freedom of Information Act 2000
- The Environmental Information Regulations 2004
- Caldicott Guardian Manual 2006
- Confidentiality NHS Code of Practice 2003
- The Common Law Duty of Confidentiality
- The NHS Information Governance Toolkit

It should be noted that Tribal will be undertaking the processing of data for which the individual PCTs and General Practices are the Data Controllers. Organisations must amend their Data Protection Act registrations to record the fact that Tribal will be acting as Data Processors for them.

Additional legislation may need to be referenced when sharing specific information; this will be set out in the relevant SSISAs as required.

6. Procedure for Sharing Information

In so far as possible, information will be deidentified before it is processed and care should be taken to ensure that deidentified data, whether alone or when read together with any other information in the possession of the recipient, does not identify an individual either directly or indirectly (i.e. to ensure that it is "effectively anonymised").
Where it is not possible to use effectively anonymised information, consent from service users may be required. The parties acknowledge that any disclosure without consent will need to be fully considered to ensure compliance with the law.

In order to facilitate the sharing of a specific dataset, a Subject Specific Information Sharing Agreement (SSISA) must be completed and signed by the nominated individuals from the relevant parties (see Appendix 2). This document will identify the data items to be shared and the controls that will be in place to ensure the security and confidentiality of those data items.

Once a SSISA has been signed, it must be forwarded to the Information Governance Manager at NHS Oxfordshire (via the CES Data Governance Lead), where it will be formally logged and filed. The Information Governance Manager will then facilitate the undertaking of the SSISA with colleagues within the SCPCT Alliance in accordance with the principles set out within this document and the requirements of the SSISA.

After the data has been provided to Tribal, the Information Governance Manager will monitor the adherence of the details of the SSISA in relation to the use and lifecycle arrangements for the dataset.

It should be noted that no data will be shared unless a signed SSISA has been received by the NHS Oxfordshire Information Governance Manager.

7. Responsibilities

South Central PCTs and General Practices

- Confirm that the Caldicott Guardian will be the lead in respect of this Protocol.
- Ensure that Executive IG Leads, Caldicott Guardians, Practice Staff, Information Managers and Information Governance Managers are aware of this Protocol and the organisation's responsibilities.
- Ensure that there is a local procedure in place to expedite approval of requests for information sharing under this Protocol.
- Ensure that where required, queries relating to requests under this Protocol are identified and raised with the NHS Oxfordshire Information Governance Manager within 3 days of receipt of the request.
- Ensure that appropriate training and information is provided to the relevant members of their staff to ensure their compliance with this Protocol and that compliance is effectively monitored.
- Ensure that standards and procedures are in place for ensuring that, where required, consent to disclose personal data constitutes informed consent and is given freely.
  A written record should be kept of service users' consent given or withdrawn.
- Ensure efficient and effective procedures to address complaints relating to the disclosure or use of personal data are in place.

Tribal

- Ensure that requests for information are raised through the Information Governance Manager in line with the procedure identified in this Protocol and the relevant SSISA.
- Ensure that data transmission is via N3 or other secure means (agreed in advance by all parties in the SSISA or otherwise in writing).
- Provide details of local procedures implemented to ensure the security and confidentiality of data residing within the Tribal environment.
- Provide details of the access controls processes in place to allow appropriate access to data for Tribal based staff.
- Undertake annual IG Toolkit assessments.
- Ensure that appropriate training and information is provided to the relevant members of its staff to ensure their compliance with this Protocol and that compliance is effectively monitored.
- Ensure that procedures are in place so that information is only accessed by those members of its staff that have a reasonable need to know such information, are aware of and are required to act in strict compliance with this Protocol. Appropriate audit controls should be in place to record who has accessed the data, what has been accessed, when such access took place and why.
- Notify the Information Governance Manager of any breach of confidentiality or incident involving a risk or breach of the security of information as soon as it has been identified and co-operate fully with the Information Governance Manager in that respect.
- Comply with its obligations under Paragraph 9 of this Protocol.

SCPCT Alliance Information Governance Group

- Ensure that this Protocol is ratified and signed by all parties.
- Ensure that procedures are in place to review this Protocol.
- Ensure that procedures are in place to monitor compliance with this Protocol.

Caldicott Guardian NHS Oxfordshire

- Act as the lead signatory on behalf of the SCPCT Alliance.
- Ensure that appropriate Information Governance assurances are undertaken on behalf of the SCPCT Alliance, to include:
  o Annual Tribal IG Toolkit Assessment
  o External Audit of Tribal IG infrastructure

Information Governance Manager NHS Oxfordshire

- Act as the link between Tribal and the SCPCT Alliance in relation to all SSISA requests.
- Ensure requests received are logged and monitoring arrangements put in place.
- Co-ordinate SCPCT Alliance SSISA sign-off.
- Monitor the completion of IG Toolkit submission, external audit by Tribal.

8. Governance and Compliance

This Protocol will be reviewed regularly by the Information Governance Group and will include consultation with SCPCT Alliance Caldicott Guardians.
The first review will take place 6 months after implementation and annually thereafter. It will also be reviewed in line with updated or newly released legislation. Any of the signatories can request a review outside of this agreed time frame if they think it necessary and reasons are provided.

NHS Oxfordshire will undertake to assess Tribal's compliance with the Information Governance Toolkit on behalf of the SCPCT Alliance annually or as reasonably required (including for instances where any breach of confidentiality has occurred in relation to service users' personal data).
9. CES Analytics Toolset & Tribal's obligations

Table 2 Description of CES Tools

Tool | Purpose | Use
InterQual | Service Utilisation, Service Redesign, Performance Management | Healthcare Medical
InvComm | Acute Invoice Validation (AIV) | Healthcare Non-Medical
Sollis Clarity | Contract Management | Healthcare Non-Medical
HBI | Performance Analytics, Business Intelligence, Dashboards | Healthcare Non-Medical
StratComm | Geographical Analysis | Healthcare Non-Medical
ACGS | Evidence Based Support for Risk Profiling, Predictive Modelling, Resource Allocation, Planning | Healthcare Non-Medical & Healthcare Medical

Technical and organisation measures and procedures

Tribal is required to ensure that at all times:

- it has appropriate technical and organisational measures against accidental and unlawful destruction of data and loss, alteration, unauthorised or unlawful disclosure or access to data;
- it has adequate security programmes and procedures in place to prevent unauthorised access or processing of data; and
- it provides the Information Governance Manager with a written description of these measures and procedures on request.

The Information Governance Manager can on request, and exercised in line with Section 26 and Schedule 26 of the ESSA, access and audit such measures and procedures and Tribal's own audit logs to monitor whether they are sufficient to ensure that PCTs remain compliant with the law (including the Data Protection Act 1998).
Appendix 1 ISP Agreement Signature Page

Please complete this form to indicate your acceptance of this Information Sharing Protocol on behalf of your organisation.

ISP Reference: SCPCTA-ISP001

Information Sharing Protocol between the members of the South Central PCT Alliance, General Practices & Tribal Consulting Limited for the supply of data to support the CES Analytics Service

Organisation:
Address:
Phone:
Email Address:
Designation:
Signature:
Date:

Once completed, please return a copy of this page to: Alan Bonfield, CES Data Governance, South Central PCT Alliance, Mid Hampshire Office, Unit Three Tidbury Farm, Bullington Cross, Sutton Scotney, Hants SO21 3QQ

Or email a scanned image of this page to: cesig@hampshire.nhs.uk
Appendix 2 Template Subject Specific Information Sharing Agreement (SSISA)

EXAMPLE

Subject Specific Information Sharing Agreement
[Dataset Name]
[Organisation] and Tribal Consulting Limited

SCPCTA SSISA999 [Dataset Name]
Document Reference: SCPCTA-SSISA999
Linked To: SCPCTA-ISP001

Document Control

Date | Version | Author | Review Date | Comment
Table of Contents

1. Introduction & Background
2. Purpose for sharing the Information
3. Justification of purpose
4. Legislation
5. Nominated Senior Professional
6. Specific Instructions
7. Access / Storage / Destruction Details
8. Tribal Staff roles
9. SC PCT Alliance contact details for compliance, advice and arbitration issues concerning this SSISA
10. Data Transfer Procedure
11. Audit trail details for this SSISA
12. Agreed guidance for staff
13. Any other Information
Appendix 1: [Dataset Field Layout]
Appendix 2: SSISA Agreement Signature Page
1. Introduction & Background

South Central PCT Alliance ("SCPCT Alliance") are working in collaboration with Tribal Consulting Limited ("Tribal") to develop a service that provides the world class information, tools and skills required to optimise patient care and reduce costs over the next four years. As part of this programme of work, Tribal will deliver a Commissioning Enablement Service (CES) that will enable South Central PCTs and General Practices to:

- analyse the quality and effectiveness of clinical services across South Central
- ensure that patients receive treatment in the best possible setting (e.g. at home, in their communities or in hospital)
- manage contracts and financial systems more effectively across the PCTs by avoiding duplicated effort, and
- understand the health profile of people in South Central, predict their future healthcare needs and plan for the resources that might be required.

These improvements will help the PCTs, General Practitioners and clinicians to provide better care by identifying the patients who most need care, making sure they receive it at the right time and ensuring that the health service plans for the future. By working in this way, PCTs and General Practices can make sure they reduce waste and inefficiency at the same time as increasing standards of care. At the heart of the service is the principle that poor quality care wastes money.

An over-arching Information Sharing Protocol (ISP), document reference SCPCTA-ISP001, has been implemented to facilitate the co-ordinated approach to managing information between South Central PCTs, General Practices and Tribal. The ISP sets out the operational framework for sharing of information and the required Information Governance controls/responsibilities.

The ISP is supported by detailed Subject Specific Information Sharing Agreements (SSISAs) in relation to dataset requirements. This SSISA must be read in conjunction with the original ISP.
2. Purpose for sharing the Information

3. Justification of purpose

4. Legislation

Please refer to section 5, The Legal Framework, within the Information Sharing Protocol SCPCTA-ISP001.

5. Nominated Senior Professional

The Nominated Senior Professional for the CES Service is the Caldicott Guardian for NHS Oxfordshire.

The Nominated Senior Professional is responsible for ensuring that documented agreement has been approved and received by all signatory organisations prior to any release of data.

The Nominated Senior Professional in conjunction with the GP Practices and PCT's nominated Caldicott Guardians will receive reports of any information incident in relation to this SSISA and will monitor compliance with this agreement to confirm that the necessary actions are taken to keep patient information secure at all times.

6. Specific Instructions
7. Access / Storage / Destruction Details

8. Tribal Staff roles

Name of Party | Role | Contact details

9. SC PCT Alliance contact details for compliance, advice and arbitration issues concerning this SSISA

Name of party | Job title of staff | Contact details
10. Data Transfer Procedure

11. Audit trail details for this SSISA

Both sending and receiving parties will keep an audit trail of their actions. The audit trail will include:

- Job role or Name of staff member accessing, collecting or sharing the information
- Organisation name
- Action [send/receive]
- Date sent or received
- Date of confirmation of receipt
- Identification of information shared
- Confirmation of secure disposal of fax
- How long the information is to be kept
- Secure disposal procedures
12. Agreed guidance for staff

13. Any other Information
Appendix 1: [Dataset Field Layout]

[Dataset] Data Items | Format | Format (Identifiable / Pseudonymised / Aggregate) after load into Tribal system
Appendix 2: SSISA Agreement Signature Page

By signing this document, I hereby give approval for the data detailed within the SSISA referenced to be released to Tribal in conjunction with the controls / restrictions set out within the SSISA and the Information Sharing Protocol (Reference: ISP001)

SSISA Reference: SCPCTA-SSISA999
Dataset(s):
Organisation:
Address:
Phone:
Email Address:
Designation:
Signature:
Date:

Tribal Signature:
Signature | Name | Date

Once completed, please return this page only to: Alan Bonfield, CES Data Governance, South Central PCT Alliance, Mid Hampshire Office, Unit Three Tidbury Farm, Bullington Cross, Sutton Scotney, Hants SO21 3QQ

Or email a scanned image of this page to: cesig@hampshire.nhs.uk