INFORMATION GOVERNANCE


INFORMATION GOVERNANCE
Presented by Joyce Green and Helen Williams

What is Information Governance?
The way that information is used, kept secure and overseen is known as Information Governance (IG). It is the term used to describe the principles, processes and legal and ethical responsibilities for managing and handling information. It sets the requirements and standards that need to be achieved in order to ensure that personal information is handled legally, securely, efficiently and effectively.
Responsibilities under Information Governance:
Provision of a confidential service to both patients and staff
Recording of information accurately
Respecting the rights of individuals

CQC and Information Governance
Information Governance is to be included in CQC inspections; IG issues can be indicative of broader organisational issues.
Improved understanding of how Information Governance issues impact on the quality and safety of care.
Final-submission Information Governance Toolkit assessment scores are accessed by CQC and used as evidence.

Core Legislation
Legislation covering personal information:
Data Protection Act 1998 (DPA)
The Common Law Duty of Confidentiality
Human Rights Act 1998
Plus other standards and initiatives

How the DPA works
The Data Protection Act 1998 was passed by Parliament to control the way information is handled and to give legal rights to people who have information stored about them. Basically it works by:
setting up rules that people have to follow
having an Information Commissioner to enforce the rules
It does not stop organisations storing and using information about people. It just makes them follow rules.

The Data Protection Act has two aspects:
Giving people the 'right to know' what information organisations hold about them;
Providing a framework for organisations handling personal data.
The primary purpose of data protection legislation is to protect individuals against possible misuse of personal information about them held by others. The Act is underpinned by eight straightforward, common-sense principles.

DPA Principle 1
Personal information must be processed (used) fairly and lawfully. There should be no surprises: inform the public why you are collecting their personal information, what you are going to do with it and who you may share it with. Be open, honest and clear.

DPA Principles 2, 3 and 4
2. Processed for specified purposes only: used for the purpose it was collected for.
3. Personal information must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
4. Personal information must be accurate and, where necessary, kept up to date (for example the details used for letters and telephone calls).

DPA Principle 5
Personal information must not be kept for longer than necessary for the purpose it was collected for.

Good Record Keeping Record keeping is an integral part of professional practice; Demonstrates high standards of care; Ensures openness and transparency for patients; Decisions taken can be justified if challenged; Promotes better communication and sharing of information between members of the Care team; The quality of the record is a direct reflection of the standard of working practice; Incomplete record keeping will create a poor representation of work practice.

Poor Record Keeping Undermines patient care; Makes you vulnerable to legal and professional problems; Difficulty in responding to complaints; Generates questions when patients/carers/relatives/solicitors request a copy; Increases your workload.

DPA Principle 6
Personal information must be processed in accordance with the rights of data subjects: patients and staff have the right to view, or obtain a copy of, any information that an organisation holds about them. Be aware that people have a right to know what information is held about them and why.
Timeliness: only 40 calendar days to respond to a subject access request.

Fine for GP surgery that failed to protect a patient's personal data
A GP practice that revealed confidential details about a woman and her family to her estranged ex-partner has been fined £40,000 by the Information Commissioner. The GP practice, in Hertfordshire, gave out the information despite express warnings from the woman that staff should take particular care to protect her details. The information was provided after the ex-partner made a subject access request for the medical records of the former couple's son. Staff at the GP practice responded with 62 pages of information that included the woman's contact details as well as those of her parents and of an older child the man was not related to.

DPA Principle 7
Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal information.
Ctrl, Alt, Delete: lock your screen (Ctrl+Alt+Delete then Lock, or Windows key + L) whenever you step away from your computer.

DPA Principle 8
Personal information must not be transferred outside the European Economic Area without adequate protection. Check where your information is going, e.g. where are your suppliers based and where do they host their systems?

You need to remember these points
Do not leave personal information visible;
Lock filing cabinets and cupboards (and know where the key is kept);
Do not leave computers logged on and unattended;
Never send anything by fax or e-mail that you would not put on the back of a postcard;
Do not disclose any personal information without the data subject's consent;
Sending a letter? Check whose information is enclosed before it goes in the envelope;
Sending information via e-mail? How do you secure it? Remember that encrypting an e-mail normally protects only the body and attachments: the sender, recipients and subject line still travel in the clear, so keep identifying details out of the subject and check the recipient address before sending. What else do you need to think about?

Enforcement of the Act
The Information Commissioner's Office has specific responsibilities set out in the Data Protection Act 1998 and the Freedom of Information Act 2000.
Monetary penalties: currently as much as £500,000; under the EU data protection regulation then being negotiated, this was proposed to rise to €1 million or, for a business, 2% of annual worldwide turnover.
Audits and visits: the ICO can visit to inspect the organisation's management of personal information.

When can the ICO issue a fine?
A monetary penalty can be imposed for a serious breach that was likely to cause substantial damage or substantial distress, where either:
the breach was deliberate; or
you knew, or should have known, that there was a risk of a breach and you failed to take reasonable steps to prevent it.

September 2015: findings from the Advisory Visit by the Information Commissioner
There was little if any formal training for data protection and associated issues such as security of personal data and records management;
The use of shared generic accounts to gain access to IT systems was widespread (shared accounts mean no action can be attributed to an individual, so there is no usable audit trail);
Where system access was password protected, the passwords were seldom complex and were not changed regularly;
Encryption of personal data held on portable devices was often not implemented;
There was little in the way of formal policies and procedures in place for data protection, and even less for data sharing specifically.

September 2015: findings from the Advisory Visit by the Information Commissioner (continued)
Retention schedules were seldom in place and often applied only to manual records;
Adequate information for individuals about how the organisations were going to process their personal data was not always supplied;
There were instances where the processing information had been written down but was not communicated to residents as well as it could have been.

Training for staff: face-to-face sessions, delivered annually.

How can you demonstrate that you recognise the value of the personal information you are responsible for?

Nursing home fined, August 2016
A nursing home has been fined £15,000 for breaking the law by not looking after the sensitive personal details in its care. An investigation by the Information Commissioner's Office (ICO) found widespread systemic failings in data protection at Whitehead Nursing Home at the time of a data breach. The ICO said: "Our investigation revealed major flaws in the nursing home's approach to data protection." The breach came when a member of staff took an unencrypted work laptop home, and it was stolen during a burglary overnight. The laptop contained sensitive personal details relating to 46 staff, including reasons for sickness absence and information about disciplinary matters. It also held details about 29 residents, including their dates of birth, mental and physical health and 'do not resuscitate' status.

Information Governance Toolkit
Care and residential homes are to complete it in 2016/17.
A performance tool which provides the basis for assuring information handling in accordance with the law, guidance and best practice.
A set of mandatory requirements, within four initiatives, submitted annually:
Information Governance Management
Confidentiality and Data Protection Assurance
Information Security Assurance
Clinical Information Assurance

Information Governance Toolkit requirements
14-114 Responsibility for Information Governance has been assigned to an appropriate member, or members, of staff
14-115 There is an information governance policy that addresses the overall requirements of information governance
14-116 All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities
14-117 All staff members are provided with appropriate training on information governance requirements

Information Governance Toolkit
Access to the IGT via the web link: https://www.igt.hscic.gov.uk