Information Governance
A refresher for all staff who have previously gone through the full course

Agenda (revision course)
- NHS Information Governance Standards
- Confidentiality
- UK law
- Records Management and quality records
- Security
NHS Information Governance Standards
January 2010: first progress report of the UK Government data handling review. Seven areas improved in the NHS:
- performance management
- renegotiated contracts with organisations to protect confidentiality and security
- new, more secure computer systems
- a national contract for over 1 million encryption devices
- all portable devices encrypted
- 1 million staff trained in IG online
- a clearer IG governance framework
NHS operating framework 2010/11, key themes:
- organisations must meet all IG requirements set out by the DoH
- all staff must receive annual basic IG training
- reporting on the management of information risks
Confidentiality
- Personal information: information by which you can identify someone
- Sensitive personal information: information that refers to particular matters of a living or deceased patient
- Confidential information (health and staff): information it is reasonable to expect should be held in confidence
Personal or sensitive information can be confidential when:
- it is private about a person
- it is used by a person with a duty of confidence
- it is expected to be used in confidence
Three criteria for disclosing information (one or more must apply):
- the person has given consent, and/or
- there is a legal basis permitting it, and/or
- there are exceptional circumstances in the overriding public interest

Confidentiality (patient welfare)
The duty of confidence does not prevent adequate welfare arrangements being made, as long as the patient is happy for this to happen: check with them.

Confidentiality: role of the Caldicott Guardian / IG lead
The 1997 Report on the review of patient-identifiable information recommended that a senior clinician be nominated in each Trust to act as the Trust's conscience on the use of patient information. They are known as the "Caldicott Guardian".
The seven Caldicott principles:
- Justify the purpose for using confidential information
- Use it only when absolutely necessary
- Use the minimum required
- Access on a strict 'need to know' basis
- Everyone must understand their responsibilities
- Everyone must understand and comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality
Q. Who is our Caldicott Guardian?
A. John Sykes

Confidentiality: NHS care record guarantee
- Reviewed yearly by the National Information Governance Board
- All NHS staff, and all organisations working for them, must comply
- The 2005 NHS care record guarantee set out how patient information is used in the NHS, including:
  - people's access to their own records
  - controls on, monitoring of, and policing of staff access to patient files
  - the options patients have to limit access
  - access in an emergency
  - what happens when someone cannot make decisions for themselves
- Social care record guarantee for England: explains to service users how the information they give to social care staff is used, and what control they have over it
The NHS Constitution
- First published 21st January 2009
- Updated after public consultation in March 2010
- One of the key rights: 'You can expect the NHS to keep your confidential information safe and secure'
- The NHS Constitution will be renewed every 10 years
UK Law: Data Protection Act 1998
- Governs how organisations such as the NHS may use personal, sensitive and confidential information about living people
- Under the Act the NHS Trust must register with the ICO as a Data Controller
- The ICO investigates any complaints made in relation to DPA breaches
- Covers the lawful sharing and disclosure of information
- Subject Access Requests: every person has the right to access their own records
- Information Governance Toolkit: handling, storage and transfer of records
- If you have any queries, the Records Management Department can help
UK Law: Freedom of Information Act 2000
- The FoI Act deals with requests for corporate information, but some information may be rightfully withheld under the Act's exemptions
- All FoI requests are managed by Corporate Affairs at the Ashbourne Centre
- Public authorities (including the NHS) have 20 working days to formally respond to a request
- The ICO is the independent regulator for this
Records Management and Quality Records
Records Management
- The 'Records Management: NHS Code of Practice' sets out guidelines on how long to keep documents relating to NHS patients and NHS organisations
Records Management & Information Quality
Public bodies (including ourselves in the NHS) are subject to the following legislation:
- Personal information: the Data Protection Act 1998 legally obliges us to ensure that
  - data is accurate
  - data is kept no longer than necessary
  - only the information needed for the intended, lawful purpose is obtained
- Public records: the Public Records Act 1958 provides a process whereby there is a public right of access to records over 20 years old
Records Management and Quality Records
Information quality
It's not just about accuracy: information must be available in the right place at the right time, and must be of high quality to ensure patient care, funding and our good reputation (CARAT):
- Complete: to ensure the correct record for the correct patient
- Accurate: to ensure the information is correct and clear
- Relevant: to ensure safe, appropriate care
- Accessible: to staff and patients
- Timely: recorded contemporaneously and kept up to date
- Sufficient for the primary purpose of patient care, or anonymised for planning
Records and information: additional guidance
- A Clinician's Guide to Record Standards, produced by the Royal College of Physicians in partnership with NHS Connecting for Health: this will improve patient safety by standardising the information held on patients throughout their stay in hospital
- Policy: Minimum Standards for Health Records
- Recording Care training
Security
Three types of security measures:
- physical measures
- people measures
- electronic measures
The key principle is to 'overlap' security measures, e.g. a locked door (physical) overlapped with a staff member routinely checking that it is locked (people), so that no single failure leaves information unprotected.
Organisational responsibility: to ensure we follow the security policies in our place of work.
Security is everybody's responsibility:
- report security incidents and security weaknesses
- manage information risks through the Senior Information Risk Owner (SIRO)
Security: data security breaches and measures to reduce them
- The major cause of the 1,007 breaches reported to the ICO since late 2007 has been stolen data/hardware
- Of the 1,007, 305 were reported by NHS organisations: 116 due to stolen data/hardware and 87 due to lost data/hardware
Basic measures we can take to reduce breaches:
- encrypt data and keep passwords secure
- report incidents and security weaknesses
- confirm that you are sending information to the correct recipient, whether by email, mail, fax or telephone
Security: additional training for NHS staff
Online training is available in the following areas at no extra cost:
- Business continuity management
- Information security management
- Secure handling of confidential information
- Short message service (SMS texting)
- Maintenance and secure disposal of digital printers, copiers and multifunction devices
- NHS information governance: guidance on blogging and social networking