
Protecting your client’s/clients’ information
James Partridge, CEO and Interim Head of the Skin Camouflage Service, Changing Faces
Based on guidance from the IG Policy Team, NHS Connecting for Health

Key Learning Points
- What is Information Governance?
- What do YOU need to do to make this work?
1. Follow the Caldicott Guidelines to provide a confidential service
2. Comply with the Law
Activity
- Understand the Data Protection Act Principles
Activity
- Recognise a Freedom of Information Act request
3. Keep good records
4. Keep information secure
Activity
- Assessment questions
Activity

What is IG?
IG is to do with how NHS/Social Care organisations and individuals handle information.

Information means:
- Personal: e.g. name, date of birth, home address
- Sensitive: e.g. ethnicity, disease, medical condition, sexual life
- Corporate: e.g. contracts for suppliers, minutes of meetings, finance details

Handling information well means:
- Holding it securely and confidentially
- Obtaining it fairly and efficiently
- Recording it accurately and reliably
- Using it effectively and ethically
- Sharing it appropriately and lawfully

What is IG?
IG is to do with how NHS/Social Care organisations and individuals handle information.
IG is a series of best practice guidelines and principles of the Law to be followed by NHS/Social Care organisations and individuals.

Core elements of IG
- Data Protection Act 1998
- Freedom of Information Act 2000
- Information Security Standards – ISO/IEC 17799:2005 and IS Management NHS Code of Practice
- The NHS Confidentiality Code of Practice
- The Records Management NHS Code of Practice
- Information Quality Assurance

IG Toolkit
- Organisation Self Assessment against national set of standards. Annual submission.
- Adopted by NHS, Social Care, GP and Commercial Third Parties.
- Online Tool
- Process may be subject to internal and external audit
- Past reports available online
- For further information on the IG Toolkit go to:

What is IG?
IG is to do with how NHS/Social Care organisations and individuals handle information.
IG is a series of best practice guidelines and principles of the Law to be followed by NHS/Social Care organisations and individuals.
IG is the core foundation for high quality healthcare using good quality information.

IG is the responsibility of everyone at Changing Faces! What do YOU need to do to make this work?

1. Confidentiality
Do not share without consent
- 1997 Caldicott Report
- The Caldicott Guardian

Follow the Caldicott Principles to ensure Patient/Client Confidentiality
1. Justify the purpose of disclosing confidential information
2. Only disclose it when absolutely necessary
3. Use the minimum info required
4. Allow access to it on a strict need-to-know basis
5. Understand your responsibility to client confidentiality
6. Understand and comply with the law

Scenario ‘A famous celebrity is taken ill while performing at a local theatre. Appendicitis is diagnosed and the celebrity requires emergency surgery. The anaesthetic practitioner recognises the celebrity and following the surgery rings a friend to tell them about this surgery and other information of this celebrity’s past healthcare history. The following day the newspaper publishes details of the surgery and other health issues the celebrity has.’

If you are not sure, don’t disclose and seek further advice from the Operational Delivery Team (if you are a volunteer) or the Caldicott Guardian (if you are a member of staff)

Providing a Confidential Service in practice
- Protect an individual’s information by recording relevant data accurately, consistently, keeping it secure and confidential.
- Inform a client how their information is used and when it may be disclosed.
- Provide choice to clients to decide whether their information can be disclosed.
- Always look to Improve the way you/the charity protects, informs and provides choice to its clients (volunteers, employees and supporters).
Diagram labels: Protect, Inform, Provide Choice, Improve
Personal information shared in confidence should not be used or disclosed further without the consent of the individual (Common Law Duty of Confidence).

2. Comply with the Law
Data Protection Act 1998 – It is your responsibility to understand the principles in relation to your role in Changing Faces.
Activity (takes minutes to complete):
- Read the ‘Quick reference to Caldicott & the Data Protection Act 1998 principles’ booklet – specifically pages 4 to 14
- Match the breaches of the Data Protection Act’s principles with scenarios A to H on the following slides.
DP and Confidentiality Principles Quick Reference March 06.pdf
Produced by the Surrey Health Informatics Service IG Team on behalf of the Surrey Health Community

Activity (takes 5 minutes to complete): Which Principle/s do these scenarios relate to/breach?
Scenario A
Mr Peters receives a call from Changing Faces asking to speak to the parent/guardian of six-year-old Grace Hill regarding her Skin Camouflage appointment. Mr Peters is shocked to receive this call as he and Mrs Hill have been divorced for 10 years. He was aware his wife remarried his best friend (John Hill) but was unaware they had had a child together. Mr Peters informed the charity that they were no longer married nor living at the same address.
Scenario B
A Practitioner leaves a voicemail for a 17-year-old client on the family landline. The mother picks up the message, which contains details of a Skin Camouflage appointment for her daughter’s self-harm scars. The daughter calls the Practitioner in tears because she had not told her Mum about the scars nor the appointment and wished it to stay that way.

Activity: Which Principle/s do these scenarios relate to/breach?
Scenario C
A Practitioner is holding a clinic in a side room of a busy hospital. She spreads her paperwork out on the desk ready for her clinic. After seeing the first two clients she pops out for lunch, leaving the door open and the paperwork on the desk. After an hour she returns to continue with her clinic.
Scenario D
Mr Y moves from London to Leeds. He has previously had a Skin Camouflage appointment in London but wishes to have a re-match in Leeds. The Leeds Practitioner goes through the referral notes and finds abbreviations such as HT and NLM. When she calls the dermatologist who referred Mr Y to enquire what these mean, they laugh and say “Oh that means ‘Hot Totty’ and ‘Nice Looking Man’”.

Activity: Which Principle/s do these scenarios relate to/breach?
Scenario E
A Practitioner is approached by the brother of a client enquiring how the appointment went for his brother’s vitiligo cover creams. The Practitioner mentions that the colour match was successful but asks why his brother had stopped using his Topical Corticosteroids to help manage his vitiligo, which the client mentioned to her during his appointment. The client is later surprised to discover his brother is aware he stopped using the steroid cream, which he had only told his wife and the Practitioner about.
Scenario F
Kathryn is approached by ‘XYZ Derma’ who wanted to distribute new kit items to the Practitioners. The company’s rep asks for the home addresses of all the Practitioners currently volunteering for Changing Faces. Assuming the Practitioners would like this information, Kathryn provides the names and addresses without asking the Practitioners or giving them the option to opt out first. Later Kathryn receives calls from unhappy Practitioners complaining that their details were given to a third party.

Activity: Which Principle/s do these scenarios relate to/breach?
Scenario G
A Practitioner is approached by a fast-growing US charity which wants to offer a Skin Camouflage Service similar to Changing Faces’ in the USA. The US charity asks the Practitioner for a report about what a standard appointment involves and some real-life case studies to show the success of her methods. Wanting to help, the Practitioner sends the account and some case studies based on her recent clients to the charity via email.
Scenario H
A Practitioner holds a clinic and returns all the Client Service Record Cards to the Changing Faces office by post. But she decides to keep the referral information in a locked case at her home in case one of the clients wants to come back for a rematch at a later date.

Freedom of Information Act
Can you recognise a Freedom of Information (FOI) Act Request?
Dear Sir/Madam
I would like to know how much the Trust is spending on the refurbishment of the A&E ward, due to be completed in March. I would like a list of the new medical and non medical equipment being purchased for this ward.
Yours sincerely
Mickey Mouse
Dear FOI Lead
I have recently undergone an operation on my hip at your Trust and would like to see all the notes in my Health Record regarding this period of care. Please give me an indication of when this information can be provided to me.
Yours sincerely
Betty Boo
Which of A or B is an FOI request?

What you need to know about FOI
- Gives the public the right to access/view all non-personal public authority information upon request
- Requests must be in writing
- All staff must know who their FOI Lead is and be able to access/refer to their contact details
- The requester may not and need not quote the FOI Act
- The organisation must respond within 20 working days
- Exemptions may apply for non disclosure – FOI Lead will determine this

What you need to know about FOI
Penalties for non compliance with or breach of the Act apply to the:
- Organisation
- Chief Executive
- Possibly individual staff

3. Keep good records
Best Practice guidance states:
- All staff and volunteers have a legal and professional obligation to be responsible for any records which they create or use in the performance of their duties.
- Any record created by an individual, up to the end of its retention period, is a public record and subject to Information requests (FOI and Subject Access).

Record Lifecycle
- Creation: Create & log quality information
- Using: Use/handle in accordance with Data Protection Act
- Retention: Keep/maintain in line with Changing Faces’ Retention Schedule
- Appraisal: Determine whether records are worthy of permanent archival preservation
- Disposal: Dispose appropriately according to policy
- Close Record

4. Keep Information Secure
- Follow Organisation Policies
- Protect Information Physically
- Practice Password Management
- Transfer Information Securely
- Report Breaches of Security to Management
It is your responsibility to keep all personal and sensitive information secure.

Information Governance is the responsibility of everyone at Changing Faces, so keep up the good work and aim to be 100% compliant. THANK YOU VERY MUCH!

Further Guidance and useful links
- DH: Confidentiality NHS Code of Practice
- DH: Records Management NHS Code of Practice
- The Data Protection Act 1998
- The Freedom of Information Act 2000
- The IG Policy Team website
- The Department of Health website
- Information Commissioner’s Office website (more information and guidance on FOI and DPA)

WELL DONE! THANK YOU VERY MUCH!