Jodie Stutely, Primary Care Information Governance Manager
Previously worked as the IG Manager at Colchester Hospital
By law you need to get your DPO to sign off new processes/systems (and therefore your DPIAs), to report data breaches, etc.
Advisory role – templates, training, support and guidance
Link into projects coming from the CCG
Working with care homes to complete the DSPT to get nhs.net = no more faxing!
Can provide extra training on GDPR/SARs/DSPT
Happy to visit any practice, or attend PM meetings
Projects
I am working with each of the projects below to ensure compliance with data protection:
Population Health
Health Intelligence – Diabetic Eye Screening
Social Prescribing
Care Home Local Enhanced Service
Diabetes Complete/Eclipse
Dementia – Meds Management “at risk” register
High Intensity User Group
Julian project
MyCOPD
ACE Health Checks
Biobank
Training
I am happy to provide training sessions on any of the following:
Subject Access Requests
Data Security and Protection Toolkit
Data Protection Act / GDPR
Data Protection for Medical Secretaries
Data Protection for Practice Managers
Freedom of Information
Let me know if there is any other related training you would like…
Factsheets
I have created the following factsheets:
Access to Systems
Caldicott Guardian
Clear Desk Policy
Confidential Waste
Consent
Data Protection by Design and Default
Data Protection Impact Assessments
Data Protection Officers
Dementia – Meds Management
Due diligence questionnaire for software suppliers
Faxes
How to password protect a document
Location and Environment
Passwords
Physical Security
Types of information
USB
What to include in a Data Protection policy
What to include in a spot check
Email me to make a request
2019 Plan
Future plan for the next version of the DSPT: multiple dates and bi-monthly workshops, broken down into bite-size sections
Will also be planning a Subject Access Request training session
Organising Caldicott Guardian and SIRO training
Continue adding documents to the East CCG website GP members-only area
Attending GP events at Trinity Park
Regular articles/messages in the weekly Inbox newsletter
Data Security and Protection Toolkit Deadline: 31st March 2019
Information Governance Toolkit vs. Data Security and Protection Toolkit
Developed in response to the National Data Guardian review – the ‘Review of Data Security, Consent and Opt-Outs’ published in July 2016 – which is why it is now split into the 10 data security standards; the online guidance for the Toolkit is split into these same 10 standards
Also takes into account GDPR and new cyber security threats
Terminology: the Information Governance Toolkit has become the Data Security and Protection Toolkit, and “requirements” are now called “assertions”
Text options/tick boxes rather than having to upload documents for everything – don’t forget that you must still have this information collated in a folder ready for any CQC visit, as the CQC well-led inspections will include data security
The old toolkit hadn’t changed in a long time – the new system is more intuitive
Less duplication, which means fewer “assertions” – 52 assertions – they are trying to give you more time to implement the standards than is spent on the toolkit itself
Instead of meeting levels 1, 2 or 3, it is now just compliance with the mandatory evidence items
Option to see mandatory-only assertions
Be aware that the non-mandatory questions may become mandatory next year – so have a look at them and think about how you could incorporate these into your work
Deadline is the same: 31st March to submit
My Guidance Documents that were linked in the newsletter…
Spreadsheet
Quick Checklist
Example from Data Security Standard 1 Breakdown
IT related assertions

Assertion | Requirement | Notes on when you will still need to take action
1.4.4 | Provide a list of all systems/information assets holding or sharing personal information. | But you will need to do a list of any that you are using separately
1.4.5 | List of systems which do not support individual login, with the risks outlined and what compensating measures are in place. | This is from the above
1.6.3 | There are technical controls that prevent information from being inappropriately copied or downloaded. | CCG can say what controls their systems have in place, but you still need to say what your practice does, e.g. port control on the computers if you have it
4.3.1 | All system administrators have signed an agreement which holds them accountable to the highest standards of use. | If you are a system administrator for any system then you will need to do this
6.3.1 | Name of anti-virus product. | Unless you have your own one…
6.3.2 | Number of alerts recorded by the AV tool in the last three months. |
6.3.4 | Number of spam emails blocked per month. |
8.3.1 | Provide your strategy for security updates. |
8.3.2 | How regularly do you apply security updates to desktop infrastructure. |
9.1.1 | The Head of IT at your IT Supplier confirms all networking components have had their default passwords changed. |
10.1.1 | The organisation has a list of its suppliers that handle personal information, the products and services they deliver, their contact details and the contract duration. | You need to do this for any suppliers that you have, e.g. confidential waste
10.2.1 | Basic due diligence has been undertaken against each supplier according to ICO guidance. | You need to do due diligence on any supplier that you have, e.g. confidential waste