INFORMATION GOVERNANCE Awareness for Acute Services Staff
WHAT IS INFORMATION GOVERNANCE? Caldicott Confidentiality Data Protection Data Quality Freedom of Information Information Security Records Management
OBJECTIVES Refresher on data protection and confidentiality Legal obligations Keeping information safe Reporting Breaches NHSGG&C policies and procedures
WHAT IS DATA PROTECTION? “DATA PROTECTION IS CONCERNED WITH THE SAFEGUARDING / PROTECTING OF PERSONAL IDENTIFIABLE DATA, WHETHER IT RELATES TO PATIENTS, STAFF OR OTHERS”
RESPONSIBILITY FOR DATA PROTECTION The Information Commissioner’s Office is responsible for ensuring organisations comply with the Act. They can: Impose monetary fines of up to £500,000 Audit health boards – inspect and confiscate files Interview staff Prosecute and/or fine individuals Impose other sanctions
8 PRINCIPLES
Principle 6: What Can People Access? Health / Occupational Records Personnel File Payroll Information Complaint / Grievance Files Datix Reports Emails Witness Statements
QUIZ Your Aunt phones and asks if you can check when her appointment is due. You check Trak and tell her. Is this appropriate? You are worried about a recent hospital appointment you attended and when you are back at work you have a look at Clinical Portal to check your information. Is this appropriate? Can you use unencrypted USB memory sticks within the Health Board?
WHO IS RESPONSIBLE? Everyone! Legal Obligation Terms of Employment NHS Scotland Code of Practice Policies and Procedures
HOW DO BREACHES HAPPEN? Faxing/Emailing information to the wrong recipient Theft/Loss of files, notes or papers Theft/Loss of IT equipment Posting information about patients on social networking sites Inappropriate access to information (e.g. your own, family, etc.)
BREACHES A breach of confidentiality can have serious consequences for: The Individual The Organisation The staff member responsible
INFORMATION COMMISSIONER Over 50 organisations have been fined between £1,000 - £325,000 Ministry of Justice fined £180,000 Crown Prosecution Service fined £200,000 Glasgow City Council fined £150,000 Belfast Health & Social Care Trust fined £225,000 Pharmacist fined for unlawfully accessing family, colleagues' and friends' health records. Dismissed from her post Total money received in penalties over £5.5 million
NHSGGC Breaches Two letters to GP sent to one of the patients with same surname as GP Two referrals from another HB sent to one of the patients in error – contained sensitive clinical history Letter to GP re patient and fertility treatment sent to Dentist in error Doctor left patient files at bus stop – handed into RAH by member of the public Nurse left 15 patient files in car boot over weekend – car stolen and files never retrieved Patient letters found in hospital grounds from burst bag
SCENARIO In the course of your working duty, you see someone who is known to you attending an outpatient clinic. You then go home and discuss this with family/friends. Have you breached your duty of confidence?
REPORTING BREACHES All ACTUAL, SUSPECTED or POTENTIAL breaches should be reported using the Datix system as soon as possible. This should be done as soon as the breach occurs Inform your line manager If IT equipment is missing/stolen – report to Police and IT Service Desk If appropriate, also inform the Information Governance Department Further guidance available in Data Breach Policy
POLICIES AND GUIDELINES Search for Information Governance Framework on Staff Net
CONTACT DETAILS Simone Rattray, Data Protection Advisor Email: simone.rattray@ggc.scot.nhs.uk Tel: 0141 355 2059 Isobel Brown, Information Governance Manager Email: Isobel.Brown@ggc.scot.nhs.uk Tel: 0141 355 2020 Or: dataprotection@ggc.scot.nhs.uk