IG Overview Workshop 1 st October 2009 CAF Demonstrator Information Governance Model Jan Hoogewerf Projects Manager, Health & Social Care Integration Programme.

Slides:



Advertisements
Similar presentations
Identifying Data Protection Issues Developing Lifelong Learner Record Systems and ePortfolios in FE and HE: Planning for, and Coping with, Legal Issues.
Advertisements

Good Medical Practice Evidence to use for Appraisal Good Medical Practice 2006.
GP2GP Electronic health record transfer 1. What is GP2GP? GP2GP is a software application that can be used to transfer a patient’s electronic health record.
Health Records Management Practitioner
EMIS Web Sorting out RBAC.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Environmental Management System (EMS)
The situation The requirements The benefits What’s needed to make it work How to move forward.
National Update: The information revolution and the 2012 Caldicott Review Simon Richardson – Information Rights Manager.
GCP compliance for GenISIS  This presentation is intended for clinical staff involved in recruiting patients to the GenISIS (Genetics of Influenza Susceptibility.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Information Security Policies and Standards
Computer Security: Principles and Practice
OHSAS 18001: Occupational health and safety management systems - Specification Karen Lawrence.
Promoting Excellence in Family Medicine Enabling Patients to Access Electronic Health Records Guidance for Health Professionals.
Session 3 – Information Security Policies
Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Network security policy: best practices
Moving Forwards with HealthSpace Gillian Braunold Clinical Director Summary Care Record & HealthSpace.
Data Protection Recruitment Process
NHS England Interoperability Programme Workshop Information Governance 16 th December 2014.
Safeguarding Adults The Care Act 2014 Jo Wilkins Team Manager, Safeguarding Adults Team Reading Borough Council.
Release & Deployment ITIL Version 3
Implementation of Security and Confidentiality in GP Practices.
Topic 4 How organisations promote quality care Codes of Practice
Introduction to the Summary Care Record (SCR)
NHS Connecting for Health A National Framework For Implementing Electronic SAP Summary of Recommendations.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
OPEN UP! Introduction to handling Freedom of Information requests.
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
Shaping Solihull – Everything We Do, Everyone’s Business Meeting Core Objectives for Information, Advice, Advocacy and Support Services in Solihull Partners'
Community Pharmacy Summary Care Record (SCR) Privacy Officer End-user.
Data protection—training materials [Name and details of speaker]
1 Information Governance (For Dental Practices) Norman Pottinger Information Governance Manager NHS Suffolk.
AssessPlanDo Review QuestionYesNo? Do I know what I want to evaluate and why? Consider drivers and audience Do I already know the answer to my evaluation.
Information Sharing for Integrated Care A 5 Step Blueprint.
1 Consultation: Framework Contract for Home Support and Care Homes with/out nursing 1 June 2011.
Sharing Personal Information Programme Wales Accord on the Sharing of Personal Information (WASPI) for organisations involved in the protection, safety,
Revised Quality Assurance Arrangements for Registered Training Organisations Strengthening our commitment to quality - COAG February 2006 September 2006.
A Common Assessment Framework for Adults – Development 12 February 2008 Carl Evans Social Care, Local Government and Care Services Directorate Department.
Department of Health Strategic Improving Information Programme Personalisation a change in Social Care Alan Allman & Penny Hill Adult Social Care Leads.
The Common Assessment Framework (CAF) & Lead Professional (LP)
Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Understanding Privacy An Overview of our Responsibilities.
Improving Compliance with ISAs Presenters: Al Johnson & Pat Hayle.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
AUDIT STAFF TRAINING WORKSHOP 13 TH – 14 TH NOVEMBER 2014, HILTON HOTEL NAIROBI AUDIT PLANNING 1.
Records without boundaries? Penny Hill. Objectives of the session To identify the issues around managing record boundaries and how the CRDB is addressing.
Understanding Privacy An Overview of our Responsibilities.
Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.
ETHICAL ISSUES IN HEALTH AND NURSING PRACTICE CODE OF ETHICS, STANDARDS OF CONDUCT, PERFORMANCE AND ETHICS FOR NURSES AND MIDWIVES.
Information Governance A refresher for all staff who have previously gone through the full course.
General Data Protection Regulation (EU 2016/679)
Designing Effective Accommodation Plans in Clinical Placement & Internship Settings
Information Sharing for Integrated care A 5 Step Blueprint
General Data Protection Regulation
GDPR Overview Gydeline – October 2017
GDPR Overview Gydeline – October 2017
GENERAL DATA PROTECTION REGULATION (GDPR)
6 Principles of the GDPR and SQL Provision
G.D.P.R General Data Protection Regulations
General Data Protection Regulation
Data Protection What’s new about The General Data Protection Regulation (GDPR) May 2018? Call Kerry on Or .
How we use Your Health Records
Confidentiality Policy
Safeguarding Adults local procedures
Welcome IITA Inbound Insider Webinar: An Introduction to GDPR
Neopay Practical Guides #2 PSD2 (Should I be worried?)
Evidence to use for Appraisal Good Medical Practice 2006
Presentation transcript:

IG Overview Workshop 1 st October 2009 CAF Demonstrator Information Governance Model Jan Hoogewerf Projects Manager, Health & Social Care Integration Programme

CAF Consultation From responses to the consultation it was clear that: Vast majority want assessment and care and support plan information to be shared between health and social care providing conditions are met: Only those directly involved in care Information relevant to care being provided (e.g. NHS don’t need to know about individual’s finances) Training for staff in confidentiality, consent, etc. Comparable IG standards across agencies

CAF Consultation Differing views on wider community services: Need similar conditions to health/social care information sharing Concerns about staff skills and adequacy of security Only sharing essential information, e.g. support plan More concerns about sharing with financial/ employment services, and need for further investigation?

Status Of CAF IG Model IG model for CAF developed with CAF demonstrators and influenced by CAF consultation Provides a model for the way in which information will be shared using NHS CFH services Comprises general information sharing principles and how they will be implemented using existing NHS CFH technology Model taken to National IG Board (NIGB) on 10th September NIGB approved approach, with requirement for progress reports and evaluation. Particular interest in training, guidance and lessons learned in implementing the approach

CAF IG requirements NHS Care Record Guarantee Social Care Record Guarantee Standard IG framework (policies, procedures, tools) - IG Statement of Compliance Standard set of IG controls (NHS CFH) Individual explicit consent

Consent Sharing between health & social care subject to: Informed consent, i.e. what information shared with whom for what purposes and knowledge of the implications of different choices What: health & social care assessments and integrated care and support plans With whom: NHS and social care organisations involved with an individual in assessing and arranging care and support What purposes: integrated assessment and care and support planning process Consent obtained and recorded as part of assessment & care planning process, where need to share information

What Information? Specific information set: Demographics Contact/initial assessments Holistic/overview assessments Outcomes of specialist assessments Integrated care and support plans Delayed discharge notifications Continuing care assessments Need to review in light of personalisation and new assessment types, e.g. SAQs Individual can place limitations on explicit consent: Time limits, e.g. review at each assessment Sensitive information – what and with whom it is shared And regular review of consent is good practice

With Whom? Only individuals with: Direct care relationship with individual (e.g. part of team involved in assessment and care planning or emergency service) Role requiring recording and access to clinical and care information Registered users, authenticated, using smartcards to access Responsibilities in contract and/or code of practice regarding data handling practice Adequate IG controls in place on systems

Training & Guidance Training and guidance for staff in explaining and seeking consent and in regular review of consent, e.g. The need to seek consent and consequences of not doing so When and how to seek consent, what information will be shared, for what purposes, with whom What to do if a person lacks capacity and who is able to take a decision on behalf of another person The procedures for recording and storing consent to share information The procedures for recording limitations of consent to share and procedures to be followed when consent is limited The circumstances under which information may be disclosed without consent, who can authorise this and what records must be kept Communications for public, explaining the above Need to be developed early to test out practicalities Do once and share?

Information Sharing Statement Clear statement of information sharing needs to be developed, e.g.: Are you happy for me to see your health and social care assessments and care plans on the NHS Summary Care Record? This means not the whole record, just those documents that you have agreed social care can see. You can time limit this if you would like to do so. Options are: just this once, until your next assessment/review, until you no longer need social care or you can leave it open- ended? Are you happy for me to add the record of this health and social care assessment or care plan to the NHS Summary Care Record? Needs developing early to test whether people understand Do once and share?

Information Sharing Protocols Existing protocols may need updating 3 tier model, and examples of good practice available Contents include, e.g.: Principles for sharing and handling information confidentially and effectively Governance arrangements for managing protocol Purposes for which information will be shared Processes by which information will be shared: what information, how it will be shared and how the sharing will be managed Agencies signed up to protocol Do once and share?

Areas For Further Investigation 3 rd party information (i.e. information provided by 3 rd party and individual providing information about 3 rd party). How to obtain and record consent, what to do if consent cannot be obtained or if 3 rd party dissents Individual access to own records: registration, authentication, access controls, delegating access to others. Healthspace model may provide basis? Mental capacity: recording MC assessments, seeking consent from others (IMCA, power of attorney, etc.) and sharing information in best interests. Record retention policies: differences in length of time social care and health records are held. NIGB working group may be set up to review.

Questions From Networking Survey How do we preserve ownership of and accountability for information as it is shared between systems through messaging? Answer: The assessment or care plan message will identify the author of the assessment or care plan. When the message is received into another organisation, that organisation becomes accountable for the handling of the message and the data in their system.

Questions From Networking Survey Why is there an additional layer of consent for Social Care applications accessing the PDS? Answer: Original requirement from NIGB that consent should be sought before accessing any NHS Care Record Service, incl. PDS. Practical issues around recording consent prior to accessing PDS were taken to NIGB. NIGB agreed that consent does not need to be sought prior to social care accessing PDS, providing only demographic data is obtained.

Questions From Networking Survey How do demonstrators propose to deal with patients who do not wish their information to be shared electronically? Answer: Need to print out and share on paper. Record in messages who information is being copied to and whether electronic or paper.

Information Governance Specification for Social Care Systems Danny Solomon Technical Architect

Objectives Recap relationship between system requirements and organisational requirements Provide clarity on IG requirements Across the board, but focussing on C Given NIGB position Re-jigging of requirement baselines Response to specific questions raised “It depends”

Ensuring the provenance, confidentiality, integrity and availability of sensitive personal information Driven by The Law (Data Protection Act and others) The Care Record Guarantee – hence patients’ expectations The need to deliver a service that is secure, useful, and usable -Management of Risk

A balancing act… Law Security Confidentiality Patient empowerment Individual autonomy Informed care Clinical safety Public interest Cost NHS efficiency Simplicity Pragmatism Public confidence Clinical acceptance

Threats and vulnerabilities Mr A.N. Other 15 Acacia Avenue Sometown DOB: … NHS No: Allergies: … Medications: … History: … HIV status: … Application Tier OS Web Tier Hardware Building Internet N3 Infrastructure Support Application Support

Organisational vs. System Organisations need to operate appropriately IG Statement of Compliance (IGSoC) NHS orgs, LAs, Software suppliers NHS CFH procured/assured systems Subject to specific IG requirements Verified as part of CAP through NIC assurance process

Policy and Principles Requirements SoftwareImplementation Law / DIPU NHS CFH IG Team ISV LA / CSSR

Overview of ESP IG Requirements Protect, Detect, Respond Controls limiting access Application level – who gets access, who can do what? Controls protecting against attack Infrastructure and process Monitoring What’s happening, what’s happened?

IGSoC System Requirements Registration Authentication RBAC Consent Legitimate Rel. Sealed Envelopes Content Commitment Network Access Workstation Access Secure Comms Secure Storage Security/Pen Testing Audit Alerts

This is me Registration Users are issued with Smartcards eGif Level 3 Registration with “role profiles” that define the posts that they occupy this is a process – no system requirements

I am using this system Registration Authentication Systems integrate with Spine Security Broker (SSB) Identity Agent software deployed at client workstations

Authentication Architecture Identity Agent (IA) SPINE Spine User Directory (SUD) LOCAL SYSTEM Registration Authentication RBAC Spine Security Broker (SSB) Client app Application server User URP 1 URP 2 Smartcard is inserted Session is created on SSB, IA has token ID Application starts – requests token ID from IA Token validity verified with SSB User information retrieved as a SAML assertion Register a Token Listener Use SAML assertion to define application rights … session SAML URP 1 URP 2

Controls which system functions a user can access not “which records a user can see” Driven by user information set up at registration Suppliers need to map a national standard model of role and activities to local access rights What can I do? Registration Authentication RBAC

RBAC Architecture Activity + Local system rights/permissions NRD Activities Baseline Policy from NRD Activity Job Role Area of Work Additional Activities Id Organisation Workgroups(s) URP Job Role Area of Work Additional Activities

Whose records can I see? Registration Authentication RBAC Consent Legitimate Rel. Given access to a particular system function, which specific records can be accessed Only permit access to records if there’s a business reason for doing so

Extra protection Registration Authentication RBAC Consent Legitimate Rel. Sealed Envelopes Allow patient control over who sees particular parts of their record

Consent It can be confusing, so how to ensure that informed consent is gained? Needs to be explainable, and explained Backed up by other comms mechanisms Goes hand in hand with reasonable expectations One Big Question Smaller Q Smaller Question

Consent-to-share Registration Authentication RBAC Consent Patient can express whether information can be shared across organisational boundaries within the NHS outside of normal clinical communications 1 2 3

SCR preference Registration Authentication RBAC Consent Patient can choose not to have a Summary Care Record upload under implied consent after a public consultation default is “ask-before-view” 1 2 3

Social Care consent Registration Authentication RBAC Consent Express consent is required from Social Care settings prior to access to any NHS information services Other than demographic info Consent needed prior to sending individual documents outside an organisation 1 3 2

Local System 4 3 “Consent-to-share” across (legal) organisational boundaries within the NHS SCR consent choice Local consent to access NHS information sources for non-demographic data Per-message consent Spine PDS ACF PSIS / SCR 1 2 Local System 4 3 Local GP System 2 !

Where is it documented? Previously, as part of the IG Baseline Specifically, section 3.16 of the ESP IG Requirements Now, part of HSCI Requirements Catalogue

IT Security Health Check (ITSHC) Content Commitment Network Access Workstation Access Secure Comms Secure Storage Security/Pen Testing Specific Deployment Shared Infrastructure Application Application is secure Shared components are securely deployed Deployment is secure: under contractual obligations and/or IGSoC

ITSHC (“penetration testing”) Testing performed by an approved third-party, at supplier cost NHS CFH involved at two stages: Testing scope Agreement of any work-off plan It’s not a “pass” or “fail” Understand the environment, managing any risk

Check your inputs!

Contact

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.