The ICO's take on Information Sharing in the NHS
FairWarning Ready Executive Webinar Series
27 June 2013

Today's Panel
- Dawn Monaghan, Group Manager Strategic Liaison, ICO UK, Dawn.Monaghan@ico.org.uk
- Tim Dunn, General Manager, FairWarning Software Limited, Tim.Dunn@FairWarning.com

Major Change in Healthcare Markets - in UK and Internationally
- The Patient has more power - where they go for treatment, who can see their records
- Commercial viability and competitive strength are a reality for federal run healthcare systems, as well as private sector markets
- Electronic (paperless?) records are critical to effective 21st century healthcare
- Privacy and Data Protection Regulations increasing and being enforced more robustly

What's next for the NHS?
- Is the NHS ready to become best in class globally for Health Service Delivery?
- How can the NHS offer patients an integrated National Service?
- What role will Information Governance play in the evolution of the NHS (and where should it sit in the priorities)?
- What impact will Caldicott2 and The Francis report have on Information Governance?

Webinar: The ICO's take on Information Sharing in the NHS
Dawn Monaghan, Group Manager, Strategic Liaison, ICO UK

Myths and Legends of Data Sharing
- Data Protection Act is a barrier
- The default position should be to withhold information
- A Data Sharing Agreement provides legal indemnity
- If you share data you are more likely to receive a CMP
- You must have consent to share
- Informing is the same as consent!

An Enabler not a Barrier!
- The Data Protection Act should not be perceived as an obstruction to change, data sharing or other business processes
- The aim of the legislation is to allow data to be processed and shared without risk to privacy
- Consider the Information Governance impacts of new procedures, processes and systems when they are first conceived
- Identify the risks and associated impacts to mitigate and manage those risks
- Share when it is safe, secure and sensible to do so

The default position should be to share non-identifiable data!
- Sharing information can facilitate protection, aid service and reduce anxiety and bureaucracy
- Often the information required is not personal data
- The sharing of the data can be done in a safe, secure and sensible manner
- Know not only what you are sharing and how you are sharing it but WHY you are sharing it

A Data Sharing Agreement is a common set of rules
- The ICO expect a data sharing agreement to be in place
- Consult the Data sharing code of practice Chapter 14
- It is not; a Service Level Agreement a contract which will ensure you don't need to worry about fines!
- It will;
  - Provide you with an assurance that you have considered the relationship to the data of your organisation and others
  - Assist you in identifying risks and mitigating them
  - Enable you to demonstrate your approach to the sharing if asked to do so

What a Data Sharing Agreement should include
- Purpose of the data sharing
- The organisations involved in the sharing
- Data items to be shared
- Basis for sharing
- Access to rights
- Information Governance processes and procedures

CMPs are issued for Breaches of one or more of the DPA Principles
- To date CMPs have generally been served on NHS organisations for insecure practice
- The breach has generally occurred through a lack of preparation, understanding, and/or monitoring of a process which has resulted in a breach of Principle 7
- Providing when sharing you follow policies, procedures and process which enable you to identify risk and mitigate it, it is unlikely you will breach the DPA

You must have consent to share
- To meet the requirements of the DPA you do not always require consent to share
- You must satisfy a schedule 2 and schedule 3 condition
- NHS professionals sometimes become confused about their obligations under DPA and the obligations of the Common law of confidentiality
- You may require consent if there is an expectation that the information will be kept confidential

Individuals should be informed
- There is a legal obligation under DPA to inform individuals about what you are doing with their data
- You must notify with the ICO
- You must also have privacy notices in place
- Individuals should be able to easily access their rights such as Subject Access and the s10 right to object
- You will not always require consent; you will always need to inform

Reducing the risks
- Personal data is an asset and Information Governance is a key business process
- Consider then;
  - Why do you need to share (purpose/s)
  - What do you need to share to facilitate that process
  - Can it be anonymised data
  - If not what are the risks
  - How can they be minimised
  - Who will the data be shared with - relationships to the data
  - How will the data be shared
  - Data Sharing agreements
  - Fair processing
  - Constant monitoring of need, understanding and process

How the ICO and others can help
- Guidance on the website
- Code of Practice Data Sharing
- Privacy Impact assessment handbook
- Press releases enforcement cases
- E newsletter
- Code of Practice on Confidentiality
- Information Governance Review report
- Caldicott Principles

Whose guidance should I follow?
- It is helpful to have a variety of sources for information and assistance
- ICO are generally involved in development of guidance and other initiatives
- There can be confusion over which principles to follow
- The 8 DPA principles are a legal requirement and must be met
- Compliance with them will enable you to meet other requirements; equally, following Caldicott principles and the principles of the Code of Practice of confidentiality will assist you in meeting your legal obligations

Questions
- Other data sharing issues?
- What happens if a breach occurs?
- ICO involvement in the Information Governance Review?
- Anything else?

Keep in touch
Subscribe to our e-newsletter at www.ico.gov.uk or find us on www.twitter.com/iconews

Contact Information
- Dawn Monaghan, Group Manager Strategic Liaison, ICO UK, Dawn.Monaghan@ico.org.uk
- Tim Dunn, General Manager, FairWarning Software Limited, Tim.Dunn@FairWarning.com