Delegate pack (PDF 2.43Mb) - Systems
Transcription
63658 NHS Digital Policy - 1-53 5/2/09 11:28 Page 1

Connecting for Health
Digital Information Policy
Setting the direction for Information Governance
Delegate Pack

Contents
(Page numbers refer to the printed pack.)

Introduction 4
Speaker Biographies 6
The UK Council of Caldicott Guardians 12
The National Information Governance Agenda 14
  Cabinet Office: Data handling review 14
  The Information Commissioner’s Office 15
  The NHS Information Governance Assurance Programme 16
  • Communications from David Nicholson and Matthew Swindells 16
  • The NHS IG Assurance Programme closure report 18
  • The Chief Information Officer for Health 19
  • The Department of Health: Digital Information Policy team 19
  • The National Information Governance Board 20
  • The Ethics and Confidentiality Committee of the NIGB 22
  • The Electronic Social Care Records Implementation Board 22
The NHS Information Governance Assurance Framework 24
  • What is the NHS IG Assurance Framework? 24
  • The NHS Operating Framework for 2009/10 24
  • Responsibilities for all NHS Providers (including the PCT provider function and general practice) 25
  • Responsibilities for PCT Commissioners 26
  • Responsibilities for Strategic Health Authorities 26
  • The Information Governance Toolkit 26
  • The NHS Connecting for Health IG Statement of Compliance 27
  • The NHS Care Record Guarantee 27
  • IG Education, Training and Development 28
  • The IG Training Tool 28
  • Other IG qualifications - Foundation Degree 32
  • Experiences on the IG Masters course 35
Information Sharing 37
  • Richard Thomas and Mark Walport: Data sharing review 37
  • Ministry of Justice: Response to data sharing review 41
  • Case studies: Queries responded to by the UK Council of Caldicott Guardians 44
Links and Contacts 47
  • Departments and Bodies 47
  • Products and Services 47
  • Publications 48
  • Helpdesk contacts 49
Appendices 51
Appendix A: The UK Council of Caldicott Guardians 53
  1. Constitution 55
  2. Strategic work-plan 59
Appendix B: The National Information Governance agenda 69
  1. Cabinet Office: Data handling review 71
  2. David Nicholson's letter 4 December 2007 115
  3. David Nicholson's letter 15 January 2008 119
  4. Matthew Swindells' letter 30 January 2008 123
  5. Matthew Swindells' letter 29 February 2008 125
  6. David Nicholson's letter 20 May 2008 133
  7. David Nicholson's letter September 2008 139
  8. Information Governance Assurance Programme: Closure Report 145
  9. Ministry of Justice consultation on the Information Commissioner’s inspection powers and funding arrangements under the Data Protection Act 1998 205
Appendix C: The NHS Information Governance Assurance Framework 237
  1. The NHS Operating Framework for 2009/10 239
  2. Informatics Planning 2009/10 291
  3. The NHS Care Record Guarantee 321
  4. IG Serious Untoward Incident Checklist 341
Appendix D: Information Sharing 357
  1. Richard Thomas and Mark Walport: Data sharing review 359
  2. Ministry of Justice: Response to data sharing review 551
Appendix E: Separate publications 579
  1. Caldicott Guardian Manual 2006
  2. Confidentiality: NHS Code of Practice 2003
  3. The National Information Governance Board: Annual report

Introduction

We have great pleasure in welcoming you to the National Information Governance Conference 2009. The conference is a key delivery area from the strategic work-plan of the UK Council of Caldicott Guardians; it follows training needs analyses carried out for Caldicott Guardians and IG leads during 2007, in which a national conference was one of the preferred methods of training delivery.

The title of the conference is “Setting the Direction for Information Governance”. As we all know, the profile of Information Governance has risen exponentially over the past 18 months; the overall aims of the conference are therefore to:

• Raise awareness of the evolving role of the Caldicott Guardian and how Caldicott Guardianship fits into the wider Information Governance agenda.
• Inform delegates of national developments in Information Governance Assurance and the effect on NHS and social care organisations.
• Ensure delegates recognise the impact and applicability of the National Programme for IT to their role.
• Assist delegates to identify sources of support and advice.

Many of you will be experienced Caldicott Guardians and IG professionals working at the sharp end of implementation, with a deeper insight into what works and what is achievable and sustainable.
Therefore, this conference is also an opportunity for you to ensure that your views are heard at a national level, to network with like-minded colleagues and to help ensure that we are all heading in the correct direction at an achievable and sustainable pace.

There is a range of excellent speakers on today’s programme and the Council would like to thank all of them for taking time out of their busy schedules to participate in the conference. In view of its name and purpose, the Council is especially pleased to welcome Dame Fiona Caldicott, Principal at Somerville College, University of Oxford.

The conference will be chaired by Stephen Hinde, outgoing Chair of the UK Council of Caldicott Guardians. The keynote address is being delivered by the new Chief Information Officer for Health, Christine Connelly. Our other morning speakers are the Information Commissioner, Richard Thomas; David Johnstone, Chair of the Electronic Social Care Records Implementation Board; Harry Cayton, Chair of the National IG Board for Health and Social Care; and Phil Walker, Head of Digital Information Policy, Department of Health.

The afternoon comprises a series of workshops/seminars covering topical matters such as information risk management, implementing information governance in social care and the secondary use of personal data; the latter will be facilitated by Professor Dame Joan Higgins, Chair of the Ethics and Confidentiality Committee of the NIGB.

An evening seminar titled “Information Governance as a profession” will take the form of a discussion on developing and promoting information governance as a professional discipline. Topic areas will include the practical evolution of IG, the career progression framework and the creation of a professional body for IG staff.
We hope that you enjoy the conference and that you leave with ideas and methods that you can apply to your own practice, and with contacts and sources of advice that will be of assistance as you continue in your IG role.

UK Council of Caldicott Guardians
Digital Information Policy team

Speaker Biographies

Stephen Hinde
Group Information Protection Manager & Caldicott Guardian, Bupa Group

Stephen Hinde is Chairman of the UK Council of Caldicott Guardians, which he represents on the National Information Governance Board for Health & Social Care. He represents Caldicott Guardians on the Scottish Information Governance Managed Knowledge Network Steering Group. Stephen is Chairman of the Data Protection Panel of the Association of British Insurers, Chairman of the Confidentiality Working Group of the Independent Healthcare Advisory Service, and Chairman of the Private Medical Insurance Companies Confidentiality Forum. He is ex officio a member of the Financial Crime Committee of the Association of British Insurers.

He has been involved in Data Protection since the early 1980s, and has lectured and written extensively on Data Protection, Business Resumption Planning, Computer Security, Computer Audit and Internal Audit. Stephen is the Group Information Protection Manager & Caldicott Guardian for the Bupa Group, with responsibility to protect all parts of the Bupa Group from misuse or misappropriation of patient, member or client confidential information. He also chairs Bupa’s Information Governance Committee.
Stephen is Chairman of the Professional Education and Qualification Committee of the Faculty of Information Technology, Institute of Chartered Accountants in England and Wales (ICAEW); Past President, Institute of Internal Auditors - UK and Ireland (IIA-UK); Founding Editor, Computer Audit Update and Information Systems Auditor; Computer Audit Editor, Computers and Security Journal; and was a regular contributor to Computer Fraud & Security. He has also chaired, or been a member of, various education, training and research committees of ICAEW, IIA-UK, IIA Inc., and the European Confederation of Institutes of Internal Auditing. He is an examiner in advanced computer audit for IIA-UK, and was an examiner for the Advanced Case Study for ICAEW. Stephen is a member of BSI Technical Committee IST-35 - Health Informatics. He has held senior audit positions with various international accounting firms and multinationals in a range of industries including consumer electronics, food, leisure and health care.

Dame Fiona Caldicott
Principal of Somerville College, Oxford

In the University of Oxford, Dame Fiona is a Pro-Vice-Chancellor with specific responsibility for Personnel and Equality, a member of Council, and Chairman of the Personnel Committee. She was Chairman of the Conference of Colleges from 2003 - 2005. She is an Honorary Consultant Psychiatrist, having been Consultant and Senior Clinical Lecturer in Psychotherapy for the South Birmingham Mental Health NHS Trust. She has worked as a Unit General Manager, and as Clinical and Medical Director in that Trust. She is the Acting Chairman and a Non-Executive Director of the Oxford Radcliffe Hospitals NHS Trust. She was a Trustee of the Nuffield Trust from 1999-2008 and is currently a Trustee of the Daphne Jackson Trust.
She has recently completed a term as President of the British Association for Counselling and Psychotherapy. As President of the Royal College of Psychiatrists (1993-1996), she was also Chairman of the Academy of Medical Royal Colleges (1995-1996). From 1996-1997 she chaired the Caldicott Committee on patient identifiable data for the National Health Service Executive, the recommendations of which have been implemented. Also from 1996-1998, she chaired a working group of the Nuffield Council on Bioethics that produced a report on Genetics and Mental Disorder.

Christine Connelly
Chief Information Officer, Department of Health

Christine Connelly is the first Chief Information Officer for Health and will focus on developing and delivering the Department’s overall information strategy and integrating leadership across the NHS. She took up post in September 2008. Christine was CIO at Cadbury Schweppes from May 2004 to September 2007. Prior to joining Cadbury Schweppes, Christine worked in various global roles at BP. Her career included the senior IT position for both the Exploration & Production and Refining & Marketing businesses as well as leadership roles in Business Simplification, Technology, Innovation, Internal Audit and General Management. Her last position in the company was as Chief of Staff for the Gas, Power & Renewables business. Christine was born in Scotland and has a degree in Computer Science from Aberdeen University.

Harry Cayton
Chair of the National Information Governance Board for Health and Social Care

Harry Cayton has been chief executive of the Council for Healthcare Regulatory Excellence since August 2007. He was formerly National Director for Patients & the Public at the Department of Health. From 1992 to 2003 he was chief executive of the Alzheimer’s Society and from 1981 to 1992 Director of the National Deaf Children’s Society.
He is chair of the National Information Governance Board for Health and Social Care, Co-Chair of National Voices, an advisor to The Health Foundation and to Macmillan Cancer Support, and a trustee of Comic Relief. Harry has written many articles and book chapters, and his co-authored book for carers and people with dementia has been published in eight languages. He is a regular speaker at national and international conferences. He was awarded the OBE in 2001 for services to people with dementia. He received the Alzheimer Europe Award in 2004, and was Distinguished Graduate of the University of Ulster in 2005. In 2007 he received a Lifetime Achievement Award from the Royal College of Psychiatrists and a Fellowship through Distinction from the Faculty of Public Health.

David Johnstone
Chair of the Electronic Social Care Record Implementation Board

David Johnstone is Executive Director of Adult & Community Services in Devon and is a member of the Executive Council of the Association of Directors of Adult Social Services. He is extensively involved in the development of electronic care records in health and social care, as a board member of the National Programme for IT and co-chairperson of the Electronic Social Care Record Implementation Board. He has recently been appointed to the NHS Clinical Advisory Team.

Phil Walker
Head of Digital Information Policy, NHS Connecting for Health

Phil Walker supported the Caldicott Committee during 1996/97 and was responsible for implementing the recommendations of the Committee, including the introduction of Caldicott Guardians into the NHS and Social Care providers. Phil was also the principal author of the Department of Health’s strategy for protecting and using patient information, published in 2001. This strategy established the concept of information governance in the NHS and is the basis for the confidentiality architecture for the NHS that is now being implemented through the National Programme for IT.
Phil currently heads a policy team that develops policy across the broad information governance agenda and is leading work to deliver an information governance assurance framework for all parts of the NHS and its business partners.

Richard Thomas
The Information Commissioner

Richard Thomas has been the Information Commissioner since November 2002. His term of office has been extended until June 2009. He is appointed by HM the Queen and has independent status, reporting directly to Parliament, with a range of responsibilities under the Freedom of Information Act 2000, the Data Protection Act 1998 and related laws. The functions of the Information Commissioner’s Office (ICO) include promoting good practice, ruling on complaints and taking regulatory action.

Richard's previous career has included:

• Director of Public Policy at Clifford Chance;
• Director of Consumer Affairs at the Office of Fair Trading;
• Head of Public Affairs and Legal Officer at the National Consumer Council;
• Solicitor with the Citizens Advice Bureau Service and Freshfields Bruckhaus Deringer.

He has also previously held various public appointments, including membership of the Lord Chancellor’s Civil Justice Review Advisory Committee and the Board of the Financial Ombudsman Service. Richard has been awarded an honorary Doctor of Laws degree by the University of Southampton and is a visiting Professor at the University of Northumbria. He has been married to Julia since 1974 and they have three adult children.

Alistair Donaldson
NHS Information Security Policy Manager, NHS Connecting for Health

Alistair Donaldson is the Department of Health official responsible for NHS Digital Information Security and Risk Management Policy.
He is a member of the Digital Health and Information Policy Directorate within NHS Connecting for Health, providing support to Ministers, management and strategic advisory groups. In addition, he regularly chairs both the UK E-health Information Security Liaison Group, involving NHS England, Scotland, Wales, NI, Isle of Man Govt and Ministry of Defence, and the NHS CFH Information Security Management Forum, involving key commercial services providers and systems integrators to the NHS National Programme for IT. Alistair is a member of several UK government information security and assurance committees, working closely with Cabinet Office, the Centre for the Protection of the National Infrastructure, CESG and others, representing the NHS on a range of information assurance topics.

James Wood
Head of IT Security, NHS Connecting for Health

James Wood is the Head of IT Security within the NHS Connecting for Health (CFH) Technology Office. His main focus is Infrastructure and Information Security Assurance, and he leads a team of security subject matter experts focussed on the delivery of security into the National Programme for IT and the NHS. James is managing the development of the NHS Public Key Infrastructure (PKI) and is chairperson of the Policy Management Authority which oversees its ongoing operation and management. In addition, James represents NHS CFH on a number of pan-Government working groups including Secure File Transfer, Vulnerability Assessment and cross-government networking, and he also provides advice and direction to the CREST Industry Advisory Panel.

Professor Dame Joan Higgins
Chair of the Ethics and Confidentiality Committee of the NIGB

Professor Dame Joan Higgins has held the positions of Professor Emerita of Health Policy, University of Manchester and Professor of Social Policy at the University of Southampton.
She has chaired the national Patient Information Advisory Group, now the Ethics and Confidentiality Committee of the NIGB, since it began. Joan has been a non-executive director in the NHS for over 20 years and was Chair of the Christie NHS Trust from 2002 until 2007. Joan was appointed as Chair of the NHS Litigation Authority (NHSLA) in January 2007.

Ben Heal
UK Council of Caldicott Guardians

Ben Heal is a founder member of the UK Council of Caldicott Guardians, on which he represents the Social Care sector. He is the Caldicott Guardian for Adults and Children’s Services at Sefton Council in the Health and Social Care Department. He has been Caldicott Guardian for 5 years and is also the lead welfare emergency planner for the Council.

David Riley
UK Council of Caldicott Guardians

David Riley is one of the Social Care representatives on the UK Council of Caldicott Guardians. He is the Information Governance Manager and Caldicott Guardian for the London Borough of Greenwich, and has been Caldicott Guardian since February 2002. David is actively engaged in the Council ESCR Project, eSAP, CAF and other IT-supported projects dealing with sensitive personal information for both Adults and Children. David has worked for Greenwich Social Services Department for 15 years, starting as Head of Strategic & Management Support Services. He has managed a range of functions including: Information & Advice Services, Research & Planning, Press & Public Relations, Information Management & Performance Review, Community Care Finance, Protection of Property, and administration and management support. He previously worked for Lewisham Council for 15 years, where he was a founder of the Policy & Performance Review Network (now the Policy Network), and chaired the Steering Group during its transition to a Ltd Company and Registered Charity.
The UK Council of Caldicott Guardians

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. The Guardian plays a key role in ensuring that the NHS, Councils with Social Services Responsibilities and partner organisations satisfy the highest practical standards for handling patient identifiable information. Acting as the 'conscience' of an organisation, the Guardian actively supports work to facilitate and enable information sharing and advises on options for lawful and ethical processing of information as required. The Caldicott Guardian also has a strategic role, which involves representing and championing Information Governance requirements and issues at Board or management team level and, where appropriate, at a range of levels within the organisation's overall governance framework.

The UK Council of Caldicott Guardians is an elected body made up of Caldicott Guardians from health and social care. It was established in 2005 following work carried out by Janine Brooks, Caldicott Guardian of the former NHS Information Authority. The Council meets four times per year.

The Council has formal terms of reference which include the following objectives:

• To be the national body for Caldicott Guardians.
• To promote the roles and activities of Caldicott Guardians within the United Kingdom.
• To be a forum for the exchange of information, views and experience amongst all Caldicott Guardians.
• To seek, consider and represent the views of Caldicott Guardians on matters of policy relating to the organisation and delivery of Information Governance.
• To be a channel of communication upon Caldicott matters with national organisations concerned with the NHS, the independent health sector, local government and health and social care professionals.
• To act as a resource centre, provide support and arrange learning opportunities for Caldicott Guardians, both current and of the future.

The full terms of reference are available in the Council's Constitution document (see Appendix A).

Members of the Council demonstrate a commitment to Caldicott Guardianship and to protecting and appropriately sharing personal information, and are prepared to develop and maintain links with their constituent sector and with other national organisations to ensure that the work of the Council is broadly disseminated.

The Council has committed to a work plan (see Appendix A) which includes education and training development, improving and developing communications to raise the profile of Caldicott Guardians, and providing access to advice and guidance. The work to date has encompassed reviewing papers, training materials and consultations, preparing responses for Caldicott queries (see page 44), submitting articles for the Caldicott Guardian newsletter and representing the Council on the National IG Board and at external events.

The Council’s website contains all its published materials, which can be viewed at: http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/caldicott

At the time of writing, elections are being held for new Council members. The current members of the Council are:

• Chairman: Mr Stephen Hinde, Group Information Protection Manager, Bupa
• Vice Chair: Dr Stephen Watkins, Director of Public Health, Stockport PCT
• Dr Stella Clarke, Association of Medical Directors, Fife NHS
• Dr Tom Dening, Medical Director, Cambridgeshire & Peterborough Mental Health Partnership NHS Trust
• Ms Stephanie Ellis, Chair of Camden and Islington Community NHS Local Research Ethics Committee
• Dr Elizabeth Fellow-Smith, Medical Director, West London Mental Health NHS Trust
• Mr Ben Heal, Caldicott Guardian, Sefton Social Services
• Professor Dame Joan Higgins, Chair of the Ethics and Confidentiality Committee of the NIGB
• Dr Alex Horne, Medical Director, North East London NHS Foundation Trust
• Dr Emyr Wyn Jones, Consultant Physician and Medical Director, Doncaster & Bassetlaw Hospitals NHS Foundation Trust
• Dr Alison McCallum, Director of Public Health and Health Policy, NHS Lothian
• Dr Lorna Ramsay, Associate Specialist PHM (Health Informatics), ISD Clinical Lead for eHealth, National Clinical Dataset Development Programme (NCDDP), & NHS Scotland Information Governance Programme
• Mr David Riley, Information Governance Manager and Caldicott Guardian, London Borough of Greenwich
• Dr Guy Turner, Consultant Anaesthetist / Caldicott Guardian, Royal West Sussex NHS Trust
• Mr Phil Walker, Deputy Head of Digital and Health Information Policy, NHS Connecting for Health

The National Information Governance Agenda

Since late 2007 a series of Government initiatives to obtain assurances around public sector information has greatly raised the profile of Information Governance.

Cabinet Office: data handling review

Following the data loss reported by Her Majesty’s Revenue and Customs in November 2007, the Prime Minister asked the Cabinet Secretary to work with security experts to ensure that all Government departments and their agencies checked their procedures for the storage and use of personal data and provided formal assurance on personal information for themselves, their agencies and any organisations they were responsible for. Consequently, the NHS Chief Executive, David Nicholson, initiated an urgent Information Governance Assurance Programme for the NHS (see The NHS Information Governance Assurance Programme below).
The Interim Report by the Cabinet Office, published on 17 December, summarised action taken across Government and set out initial directions of reform to strengthen the Government's arrangements. The final report, published in June 2008, summarised the work conducted in Departments to improve data handling and set out how the Government was improving information security by putting in place:

• core measures to protect personal data and other information across Government.
• a culture that properly values, protects and uses information.
• stronger accountability mechanisms within Departments, and
• stronger scrutiny of performance.

The measures put in place, which represented a new set of minimum mandatory standards for Departments, include:

• introducing new rules on the use of protective measures, such as encryption and penetration testing of systems.
• standardising and enhancing the processes by which Departments understand and manage their information risk, identifying the key individuals responsible for information assets and setting out their responsibilities.
• requiring quarterly risk assessment within each Department of the confidentiality, integrity and availability of information.
• introducing mandatory training for all staff involved in handling personal data, with training taking place on appointment and reinforced on an annual basis.
• requiring the use of Privacy Impact Assessments when introducing new policy or processes that involve the use of personal data.
• introducing greater scrutiny and monitoring through the inclusion of information risk in Statements on Internal Control, which are scrutinised by the National Audit Office, and through spot checks by the Information Commissioner.
• further enhancing transparency of arrangements, through annual reporting to Parliament on progress and the use of Information Charters which provide clarity to citizens about the use and handling of personal data, and
• a range of other measures to improve information security across Government.

The report concluded by saying that:

“Effective public services depend on information about the people they serve. But in order to command public confidence, that information needs to be safely stored and protected. The Government is determined to take the necessary steps to improve data security. The measures outlined [today] are an important part of that process.”

The Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the UK's independent public body set up to protect personal information and promote access to official information. It is sponsored by the Ministry of Justice. The ICO enforces and oversees the Data Protection Act, the Freedom of Information Act, the Environmental Information Regulations, and the Privacy and Electronic Communications Regulations. Its main functions are:

• educating and influencing - promotion of good practice and giving information and advice.
• resolving problems - resolution of eligible complaints from people who think their rights have been breached.
• enforcing - use of legal sanctions against those who ignore or refuse to accept their obligations.
• undertaking research - gaining a deeper understanding of policy and how it affects individuals.

The powers of and sanctions available to the ICO have been considered in two recent consultations:

• The Thomas/Walport Data Sharing consultation (see Appendix B).
• The Ministry of Justice consultation on the ICO’s inspection powers and funding arrangements under the Data Protection Act 1998 (see Appendix B).
Additionally, following the publication of the Data handling review (DHR), it is mandatory for Government departments, including NHS organisations, to share details of significant actual or potential losses of personal data with the ICO.

The NHS Information Governance Assurance Programme

In line with the Government directive of November 2007 (before the interim Cabinet Office report), the NHS Chief Executive, David Nicholson, initiated an urgent Information Governance Assurance Programme for the NHS. Its remit was firstly to provide assurances regarding the current processing of person identifiable information in line with the requirements of the DHR, secondly to produce an Information Governance Assurance Framework (see page 24) for the healthcare sector, and thirdly to provide continuing assurance that sensitive person identifiable information is managed securely and confidentially.

The Programme recognised that NHS organisations were already providing some forms of assurance through their submission of the Information Governance Toolkit assessment to the Department of Health. This also included reporting to the Healthcare Commission on standards C9 and C13 of the Standards for Better Health. In order to clarify new and existing requirements, a series of communications was issued to NHS organisations setting out the organisations' responsibilities for information governance and for providing additional assurances on information governance to each Strategic Health Authority (SHA), or to Monitor, the Independent Regulator of NHS Foundation Trusts. The communications are reproduced in Appendix B.
David Nicholson letters: December 2007 and January 2008

The first of these communications was a letter from David Nicholson, sent to all Chief Executives in the NHS (and copied to Monitor), which restated the responsibility and accountability framework already in place for securing effective information governance, and the actions already required of organisations as part of the assurance process. The letter also set out specific requirements for securing data in transfer. Page three of the letter made reference to a checklist of immediate actions to be taken for securing personal data in transit. The checklist was published by NHS Connecting for Health (NHS CFH) in the form of Good Practice Guidelines, which cover the transfer of batched person identifiable data by means of portable electronic media, including:

• tapes
• floppy discs
• removable hard discs
• laptop & handheld computers
• optical discs - DVD & CD-ROM
• solid state memory cards, memory sticks and pen drives

David Nicholson followed his initial communication with a letter to SHA Chief Executives asking them to take immediate actions to ensure patient data was protected across their patch. The letter clarified the specific requirements for ensuring personal data was protected in transit, including the suspension of all courier and postal transfers of unencrypted patient data unless the transfer was essential to patient care. Interim information was provided on the reporting of data losses and security breaches as serious untoward incidents, and on the measures being taken centrally to support the NHS.

Matthew Swindells letters: January and February 2008

In late January 2008 Matthew Swindells, the Department of Health's interim Chief Information Officer, wrote a letter to SHA Chief Information Officers (CIOs).
The letter formally confirmed that the movement of unencrypted person identifiable data held in electronic format is not permitted in the NHS unless preventing the movement would adversely affect patient care. Additionally, if an organisation decides to store or transfer such data without encryption, a risk assessment must be carried out. The letter also informed CIOs that technical guidance on encryption was being prepared by NHS Connecting for Health.

At the end of February 2008, Chief Executives and SHA CIOs received a further letter from Matthew Swindells regarding the definition and reporting of serious untoward incidents. The letter contains a document setting out the reporting arrangements and describing the actions that need to be taken, in terms of communication and follow-up, when a serious untoward incident occurs.

David Nicholson letters: May and September 2008

In May 2008 David Nicholson wrote to Chief Executives and SHA CIOs, with copies to Directors of Finance and Monitor. The letter set out further actions for SHAs regarding the review of IG Toolkit scores for PCTs and Trusts, and required that SHAs have access to information governance subject matter experts. All NHS organisations were required to include information on serious untoward incidents in their annual reports; to appoint a board-level Senior Information Risk Owner; and to include information assurance in their Statements on Internal Control. Organisations were informed of future actions regarding staff training and potential disciplinary measures for breaches of confidentiality. Annex A of the letter contains information about the reporting of personal data related incidents within annual reports, and Annex B provides guidance on describing, within the Statement on Internal Control (SIC), how risks to information are managed and controlled.

A further letter (September 2008) from David Nicholson was written to Chief Executives and copied to SHA CIOs and Monitor.
The letter instructed organisations to conduct a review to ensure that the policy of encrypting all data held on removable media had been fully implemented. The letter draws readers' attention to the report of the Cabinet Office Data Handling Review and asks them to review their internal processes against the recommendations in the report; the recommendations are reproduced in Annex 1 of the letter. It also highlights the data sharing review carried out by Richard Thomas (the Information Commissioner) and Mark Walport (the Director of the Wellcome Trust). Importantly, the letter sets out a number of actions to be carried out by general practices, and makes PCTs responsible for ensuring that the actions are performed. Other areas covered are encryption, serious untoward incidents and the secure destruction of optical media, including Write Once (e.g. CD-ROM, DVD-R) and Write Many (e.g. CD-RW, DVD-RW) media.

The NHS IG Assurance Programme: Closure report

As the programme had broadly achieved its objectives and reached a natural conclusion, it was decided to close it, to ensure that Information Governance returned to a 'business as usual' activity and did not rely upon the existence of a transient programme of work. The closure document makes a number of recommendations to facilitate the transition to 'business as usual' and to ensure that an appropriate focus on Information Governance is maintained. The report sets out all the actions and activities that have taken place, allowing the programme to close, and contains recommendations for the Department of Health, where the programme team and the programme board feel these are appropriate, to ensure that the Department and its constituent organisations can continue to deal effectively with Information Governance issues.
The outcomes of the Information Governance Assurance Programme can be summarised as:
• The main components of an Information Governance Assurance Framework have been established (see page 24).
• The existing NHS policy framework has been strengthened and clarified to reflect the Cabinet Office Data Handling Review. This has been translated into a clear set of IG requirements applicable to all organisations.
• The IG Toolkit has been developed as the principal mechanism by which IG policy is synthesised into measurable IG requirements. It demonstrates how organisations can be assessed in terms of performance. Its output will be used to inform not only those concerned with policy, e.g. the NIGB, but also those concerned with assessing performance, including Monitor and SHAs.
• The critical importance of compliance with the IG requirements has been firmly established on the agendas of Boards, Audit Committees, and executive and non-executive Directors.
• The requirement for internal audit of IG has been formally established by including IG performance in the Statements on Internal Control, and the potential has been established to further enhance assurance via external audit.
• The principal regulatory bodies have included IG assurance on their performance assessment and management agendas; most notably the Healthcare Commission, but also Monitor in respect of Foundation Trusts.
• The management of information risk has been strengthened by new requirements for Senior Information Risk Owners, and a clarified role for a supporting framework of Information Asset Owners within each major organisation.
• A substantial start has been made on the task of building capability and capacity by launching important training initiatives, which have been very well received.
This has been done by ensuring that IG is included in the advisory and support material available to Board members. The closure report recognised that capacity and capability is a limiting factor across all organisations in respect of Information Governance.

The Chief Information Officer for Health

Many of the recommendations in the IG Assurance Programme closure document are now "owned" by the first Chief Information Officer (CIO) for Health, Christine Connelly. Her remit is to focus on developing and delivering the Department of Health's (DH) overall information strategy and to provide integrated leadership to the key informatics organisations inside and outside DH, including NHS Connecting for Health, the Information Centre and DH Information Services. The post includes responsibility for information governance and assurance and for managing key external stakeholder relationships. The CIO is a member of the NHS Leadership Team and of the DH Corporate Management Board, and reports directly to David Nicholson (the Chief Executive of the NHS).

The Department of Health: Digital Information Policy Team

The Digital Information Policy team is part of the Digital & Health Information Policy Directorate of the Department of Health. Based within NHS Connecting for Health, it comprises civil servants and NHS staff members. The team's role is to set policy for the NHS and adult social care in relation to the use of personal and corporate information. This includes the provision of advice, guidance and codes of practice to NHS and adult social care organisations to help them implement the Information Governance agenda. The team is involved in cross-Government work, particularly in ensuring that appropriate confidentiality and security standards are in place when information sharing is being considered. Advice is also provided to members of the public on information governance issues.
The team has developed a number of tools and processes to help organisations understand the concepts and requirements of Information Governance and to help them assess and improve compliance. These include the IG Toolkit, the IG Training Tool, attendance at workshops and IG network meetings, and helpdesks.

The National Information Governance Board for Health and Social Care

The National Information Governance Board for Health and Social Care (NIGB) is a statutory body formally established by the Health and Social Care Act 2008. The Board's aim is to provide leadership and promote consistent standards for information governance across health and social care. It will also tackle the ethical and legal interpretation and application of these policies and give advice on matters at national level. The Board reports annually to the Secretary of State for Health and publishes the NHS Care Record Guarantee for England. Members of the Board are either members of the public appointed by the Appointments Commission or represent stakeholders in health and social care information governance. The Chair, Harry Cayton, was appointed by the Secretary of State for Health and is the Chief Executive of the Council for Healthcare Regulatory Excellence.

Overall, the role of the NIGB is to support improvements to information governance practice in health and social care. Its full terms of reference are to:
• provide leadership and promote consistent standards for information governance across health and social care, to enable ethical, legal and policy issues to be dealt with appropriately.
• monitor information governance trends and issues through analysis of annual information governance returns from all bodies using or holding NHS or social care information.
• arbitrate on the interpretation and application of information governance policy and give advice.
• have oversight of, and advise on, the confidentiality management and access control frameworks implemented through the National Programme for IT.
• own and review the NHS Care Record Guarantee for England annually.
• advise the Secretary of State on any matters of information governance that should be brought to their attention, and produce an annual report to the Secretary of State.
• deal with such other matters as required by the Secretary of State and other appropriate bodies, and
• work with appropriate bodies, including those in the home countries, on issues within its remit.

The NIGB's remit covers all organisations that gather information as part of the delivery of NHS and adult social care in England. The Board provides both assurance information and advice to the Secretary of State and others on the state of IG practice in the NHS and adult social care. It can provide advice to anyone using personal information gathered for the delivery of NHS and adult social care, and can additionally advise NHS and adult social care organisations even where advice has not been sought. NHS and social care organisations must give due regard to any advice issued, as the NIGB can ask for evidence of any compliance steps taken.

The NIGB fulfils its remit by providing:
• Leadership - The stakeholder organisations represented on the NIGB include both health and social care organisations, and with and through these the NIGB provides leadership and promotes consistent standards for information governance across both health and social care.
• Giving patients and the public a voice - Half of the members of the NIGB are members of the public, appointed by the independent Appointments Commission after a public recruitment campaign.
The public members ensure that the perspective of patients and the public is taken into account when the Board discusses or provides advice or guidance on governance matters.
• Advice to care professionals - The NIGB provides advice on the interpretation of policies, guidelines and legislation relating to information governance. The NIGB provides a forum where Caldicott Guardians and information governance boards or committees can seek guidance on the interpretation of legislation, policies and guidelines in situations where they feel unable to decide on the correct action.
• Advice to service users and the public - The NIGB owns and reviews the NHS Care Record Guarantee for England.
• Monitoring and oversight
  • NHS organisations are required to assess their information governance performance annually using the Information Governance Toolkit. The NIGB oversees the content of the Toolkit and uses the annual returns to monitor information governance trends and issues in the NHS, social care and the independent sector. The NIGB is supporting work to increase the use of the Toolkit within social care.
  • New IT systems are being implemented in all NHS organisations in England as part of the National Programme for IT. The NIGB maintains oversight of, and provides advice on, the confidentiality management and access control frameworks which the National Programme for IT uses.
• Links with other countries - The devolution of government has led to differences in the way that healthcare and social care services are delivered across the UK. The NIGB works closely with similar boards in Wales and Scotland.

The Board has agreed a set of principles that it will use to promote a consistent approach to its decision making and the provision of advice and guidance.
The Ethics and Confidentiality Committee of the NIGB

On 1 January 2009, the NIGB became responsible for providing advice on issues of national significance involving the use of patient information and for overseeing arrangements created under Section 251 of the NHS Act 2006 (originally enacted under Section 60 of the Health and Social Care Act 2001). These responsibilities were previously administered by the Patient Information Advisory Group (PIAG), and will now be carried out by the Ethics and Confidentiality Committee, whose members are primarily drawn from PIAG. Professor Dame Joan Higgins will continue as the Chair of the Committee.

Section 251 permits the common law duty of confidentiality to be set aside in specific circumstances for medical purposes. It provides a power to ensure that patient identifiable information needed to support essential NHS activity can be used without the consent of patients. The power can only be used to support medical purposes that are in the interests of patients or the wider public, where consent is not a practicable alternative and where anonymised information will not suffice.

The Electronic Social Care Records Implementation Board

The ESCR Implementation Board is sponsored by David Behan, Director General for Social Care, and jointly chaired by Glen Mason for the Department of Health and David Johnstone for the Association of Directors of Adult Social Services. The Board functions as a sub-group of the national Care Records Service Board. The overall purpose of the ESCR Implementation Board is to:
• Develop the Electronic Social Care Record as the national record for social care.
• Oversee development and implementation of the Electronic Social Care Record (ESCR), ensuring appropriate links are made with the NHS Connecting for Health Programme and with the Department for Children, Schools and Families (in respect of the children's social care component of the ESCR).
• Contribute to Communities and Local Government's information strategy for local government.

The remit of the Board is to:
• Oversee the national implementation of the Electronic Social Care Record.
• Ensure consistent implementation of the ESCR by Councils with Social Services Responsibilities (CSSRs).
• Coordinate further developments in support of the national ESCR implementation programme, (a) between CSSRs; (b) between Government Departments and the NHS.
• Provide a forum for the discussion of policy issues, and resolve problems or, where necessary, make recommendations for action through the NHS National Care Records Service Board.
• Ensure that the ethical principles established for the NPfIT are interpreted and applied to the ESCR.
• Progress the ESCR development programme within the context of the national development programme for health and social care.
• Identify links with other Local Authority information initiatives and advise on development opportunities and potential conflicts arising from them.
• Establish a national framework training programme for all users, to encourage consistency in understanding and in the implementation of standards for the collection, recording and sharing of information.
• Identify and disseminate good practice in social care.
• Review ESCR guidance and targets, including:
  • A review of implementation timescales.
  • Identification of further developments, given the range of new initiatives since the publication of 'Information for Social Care'.
The ESCR Implementation Board has the following responsibilities in relation to standards:
• Establish national standards for the electronic exchange of information between health, children's and adult services in support of the implementation of the ESCR and other electronic care records, and recommend these to the Department of Health.
• Propose Information Governance standards for the ESCR according to the direction of the National Information Governance Board (for England), consistent with the Care Record Guarantee, including the use of common data coding, retention and archiving, role based access and legitimate relationships.
• Ensure that the standards for CSSRs are consistent with those for the NHS by working with the Information Standards Board for Health and Social Care.
• In partnership with the Information Standards Board for Health and Social Care, promote information standards and definitions in social care.

The NHS Information Governance Assurance Framework

What is the NHS Information Governance Assurance Framework?

The NHS Information Governance Assurance Framework is "the mechanism by which:
• IG policies and standards are set.
• regulators can check an organisation's compliance, and
• an organisation can be performance managed."
(The Information Governance Assurance Programme: Closure report, page 6)

The Framework therefore includes annual assessment using the Information Governance Toolkit, completion of the NHS CFH IG Statement of Compliance, organisational compliance with the commitments in the NHS Care Record Guarantee, performance monitoring (by the National IG Board, the Healthcare Commission and Monitor) and internal and, in the future, external audit of the IG standards.

In undertaking its work, the NHS Information Governance Assurance Programme developed a number of principles to support Information Governance work going forward.
These principles are as follows:
• All NHS organisations, NHS provider organisations, the broader "family" of NHS organisations, and the DH and its ALBs should be, as far as possible, part of the same Information Governance Assurance Framework.
• Information Governance should be integrated as far as possible into the broader governance of an organisation, and regarded in organisational culture as being as important as financial and clinical governance.
• The Framework will provide assurance to the several audiences interested in the safe custody and use of sensitive person identifiable information in healthcare. This involves greater transparency in organisational business processes around Information Governance.
• The requirements of the Cabinet Office Data Handling Review will be implemented in DH and its ALBs and should, as far as possible, be applied to all NHS organisations.

The NHS Operating Framework for 2009/10

The NHS Operating Framework for 2009/10 sets out key priority areas for the service for 2009/10, including the need to focus on the overriding long-term goal of systematically improving quality across the NHS. It restates the requirements set out in the Information Governance Assurance Programme closure report. The use of informatics to support quality is discussed from paragraph 50 on page 30 of the Framework document. The Framework reaffirms the role of robust information governance in maintaining public and patient confidence in the way that the NHS handles all health information, and recognises the progress that has been made in strengthening requirements in relation to secure storage and transfer of patient identifiable data.
The importance of data quality is not overlooked, with the recognition that consistent and effective use of NHS numbers and the Personal Demographics Service will reduce the number of mis-associated records and will support the appropriate sharing of patient information with partners in the delivery of patient care. A number of requirements are placed on the NHS, for example:
• All NHS organisations will need to demonstrate compliance with information governance standards through the achievement of a minimum of Level 2 performance against key requirements in the Information Governance Toolkit.
• NHS accounting officers are required to report on the management of information risks in Statements on Internal Control from 2008/09, and to include details of data loss and confidentiality breach incidents in annual reports.
• Information governance performance, controls and reporting will be subject to audit.

Quality and safety of patient care will be improved through better data quality. Data quality metrics for the NHS number, patient demographics, secondary uses and other key priority areas will be routinely published and monitored.

Guidance and more detailed expectations are provided in Informatics Planning 2009/10, published alongside the NHS Operating Framework. The supplementary document includes a link to supporting tools for Chief Executives and other key stakeholders, and contains national expectations that should be used by all NHS organisations to refresh and re-focus their informatics plans. The section of the document concerned with Information Governance requires that all bodies that provide or support the provision of NHS services work within the NHS Information Governance Assurance Framework and demonstrate compliance with all key information governance requirements. Expectations are set out separately for:
• All NHS providers, including the provider side of PCTs.
• PCTs and Care Trusts in their role as commissioners ("PCT Commissioners").
• Strategic Health Authorities.

Responsibilities for all NHS Providers (including the PCT provider function and general practice)

All NHS providers should:
• achieve a minimum of Level 2 performance against key requirements published through the NHS Information Governance Toolkit.
• actively manage information risks and take all reasonable steps to keep personal information secure.
• continue to meet the standards for handling patients' personal information set out in the NHS Care Record Guarantee, ensuring that access to information is effectively controlled and that the transfer, use and disclosure of information are subject to effective authorisation procedures.
• support staff through the provision of clear guidance on expected working practices (including cross-sector working, e.g. the use of ContactPoint for children's services) and through annual information governance training.

Responsibilities for PCT Commissioners

PCT Commissioners should ensure that all organisations from which care is commissioned, including independent contractors and the third sector, are brought within the NHS Information Governance Assurance Framework.

Responsibilities for Strategic Health Authorities

SHAs should ensure patch-wide compliance with the requirements of the NHS Information Governance Assurance Framework.

The Information Governance Toolkit

Legal and regulatory requirements relating to information handling will always be core to the national IG agenda. The Information Governance Toolkit provides a mechanism that allows organisations to measure and ensure compliance with these requirements through a process of annual assessment. The requirements include the:
• Data Protection Act 1998.
• Confidentiality: NHS Code of Practice.
• International Security Standard ISO/IEC 27002:2005.
• Information Security Management: NHS Code of Practice.
• Records Management: NHS Code of Practice.
• Freedom of Information Act 2000.

The standards relating to each of the above also support and affect other performance and quality initiatives in the NHS, including ISO/IEC standards, the NHS Care Record Guarantee (CRG) and the IG Statement of Compliance. The Toolkit is therefore a key component of the IG Assurance Framework. It is a performance tool mandated by the Department of Health (DH), which requires NHS organisations, including Foundation Trusts, to complete and submit an annual return by 31 March each year. Each annual return is mandated under a Gateway number and a Review of Central Returns (ROCR) reference number. Year-end assessment scores reported by organisations are used by the Healthcare Commission as a cross-check for compliance with core standard C9 of Standards for Better Health.

Version 6 of the IG Toolkit was released on 30 June 2008 and, as a direct result of the Cabinet Office review and the Information Governance Assurance Programme discussed above, it included three new requirements: one relating to the establishment of the Senior Information Risk Owner role and two relating to Registration Authority responsibilities. Version 6 also introduced specific assessment sets for completion by NHS Business Partners, Independent Treatment Centres and Arm's Length Bodies, and developmental requirements for Dentists and Pharmacies. The Digital Information Policy team is responsible for maintaining and updating the IG Toolkit, and for providing assessment sets for new organisation types as they are brought within the IG Assurance Framework.

The NHS Connecting for Health IG Statement of Compliance

NHS Connecting for Health (NHS CFH) is supporting the NHS to deliver better, safer care for patients by introducing new information technology systems and services which improve the way information is stored and shared in the NHS.
The new information technology systems and services are together known as the National Programme for IT (NPfIT). NHS CFH is also responsible for existing business-critical national NHS IT systems and for legislative and digital policy advice on information systems for the NHS.

All organisations wishing to access and use NHS CFH systems and services, including the N3 network, must meet the terms and conditions in the IG Statement of Compliance (IGSoC). The IGSoC is the agreement between NHS CFH and Approved Service Recipients that sets out the information governance policy and the terms and conditions for use of NHS CFH services. The IGSoC contains a number of obligations which aim to preserve the integrity of these services. The IGSoC requires:
• that no patient identifiable data or other sensitive data is stored or processed offshore, where the location is deemed non-compliant with the NHS CFH Offshore Policy.
• the right of audit by NHS CFH or nominated third parties.
• Change Control Notification procedures and approvals processes.
• organisations to achieve, or be working towards, ISO/IEC 27001.
• organisations to report security events and incidents.

The IGSoC process is supported by annual completion of the IG Toolkit with a minimum of Level 2 performance against key requirements.

The NHS Care Record Guarantee

The NHS Care Record Guarantee sets out the rules that govern information held in the NHS Care Records Service. It is reviewed at least every twelve months by the National Information Governance Board for Health and Social Care (NIGB). It was developed by the NIGB's predecessor organisation, the Care Record Development Board (CRDB). The Guarantee covers:
• people's access to their own records.
• controls on others' access.
• how access will be monitored and policed.
• options people have to further limit access.
• access in an emergency, and
• the procedure when someone cannot make decisions for themselves.
The Guarantee was first published in 2005 and revised in 2006 and 2007. The 2007 version of the Care Record Guarantee emphasised and strengthened the clear commitment to the confidentiality and security of patients' information. There are several minor changes, including the introduction of standardised terms to reduce ambiguity and improve clarity. The implementation of the Mental Capacity Act 2005 is referred to, and there are several new sections regarding:
• the Summary Care Record, introducing the Summary Care Record and indicating that patients have the choice not to have one at all.
• information for parents and young people, emphasising the importance of parents and healthcare professionals in supporting and encouraging children to make decisions for themselves.
• an extra section that clearly outlines the processes involved in keeping patients' electronic records secure and confidential, and
• a 'how to complain' section, which directs patients to their local PALS office if they feel the commitments of the Care Record Guarantee are not being upheld.

IG Education, Training and Development

The Information Governance Training Tool (IGTT)

The IG Training Tool is an online tool focusing on all aspects of Information Governance (IG) learning. It has been designed by the NHS Connecting for Health Digital Information Policy team in conjunction with Epic (e-learning design and development specialists). The aim of the tool is to develop and improve staff knowledge and skills regarding information governance, to support the provision of high-quality health and social care. The materials are available to any interested individual through the 'Guest tour' view, but an organisation that wishes to make full use of the e-learning user management and reporting tools must be registered.
In addition to the IG e-learning modules, the site includes a suite of introductory IG training materials that can be used as online training or as face-to-face, classroom-based training. The tool provides best practice guidelines to ensure confidential and secure processing of personal information. The aim of the tool is to improve IG standards through education and awareness. The IGTT enables NHS organisations to train all their staff in IG principles and to truly embed IG in an organisation.

The initial release provides introductory materials relevant to all staff, but over the next two years it will expand to provide a structured e-learning programme with Introductory, Foundation and Practitioner level modules. Introductory materials are aimed at all staff members. Foundation materials build on the introductory modules and are relevant to all those who routinely process personal information as part of their role; they will also be relevant for those with supervisory responsibilities. Practitioner materials will be primarily for those engaged in, or intending to take on, specialist IG roles.

The IGTT is an excellent example of a successful deployment of IT in support of real business needs. For many years, NHS organisations have spent a lot of money on private training providers. The IGTT is free to NHS users and therefore allows organisations to redirect those resources. Furthermore, as it is a web-based resource, there is no need to release several staff at once to attend face-to-face training. Staff can undertake the training at their own pace and have the opportunity to take an assessment and obtain a certificate on successful completion. Work is also underway on the development of an accredited certificate with the British Computer Society. Locum, contract and agency staff can easily be directed to undertake the training.
The reporting function allows organisation administrators to monitor and review user training performance and progress. Further developments are being made to improve the user management and reporting functionality.

Development and design of the tool

The NHS has been making steady progress towards improving its information governance over the last few years. The HM Revenue and Customs loss of two discs containing personal data has, however, had a major impact, markedly raising the profile of IG and generating a need for assurances of IG processes. As set out in other areas of this delegate pack, David Nicholson, Chief Executive of the NHS, issued a series of letters containing specific actions that NHS organisations should take to provide IG assurances, including induction and training. The Digital Information Policy team was already developing the IGTT to support the existing IG Toolkit.

The content of the tool has been driven by the training needs analyses carried out in 2007 for Caldicott Guardians and IG leads, and by the requirement for NHS organisations to provide IG assurances, including induction and mandatory IG training for their staff. The content of some of the modules within the tool has been reviewed by IG Leads and their feedback incorporated; additionally, introductory materials have been piloted in general practice and PCT workshops.

Future developments

Over the coming two to three years several improvements are planned for the IGTT, some of which have been proposed by users.

Development of 40 hours' worth of new e-learning modules: these will include a combination of IG topic areas at Foundation and Practitioner level. Some materials currently under development and due for release in 2009 are:

• Information risk management at Introductory and Foundation level.
• The roles of the Senior Information Risk Owner and Information Asset Owners.
• The role of the Caldicott Guardian in an NHS trust.
• Dealing with consent and confidentiality issues.
• A series of records management modules covering both corporate and health records.
• Laying the foundations for good medical practice - medical record keeping.
• Information security management and business continuity.

Creation of a formally accredited qualification: this is being developed in conjunction with the British Computer Society (BCS). In time, staff will be able to use the IGTT as course material in preparation for the BCS computer centre based exam and obtain formal IG qualifications at Introductory, Foundation and Practitioner levels. The examination question bank and process will be piloted during May 2009, with a view to launching the formal qualification soon after.

New administration permissions: the first will allow Organisation Administrators to set up Support Administrators, who will have similar user rights and access. The second will allow Superusers to set up an IG training lead as the Organisation Administrator for more than one organisation, allowing the Administrator to manage and access reporting for more than one organisation.

Widening the criteria for registered access: currently registration on the IGTT is restricted to those with NHS, Social Care or Government email addresses. Users who work on behalf of, or closely with, these organisations but do not have permitted email addresses can now apply for registration access through the IGTT helpdesk and, if appropriate, the team will arrange registration.

Bulk uploads of users: this will allow Organisation Administrators to upload a CSV file of data to add all staff employed within their organisation onto the IGTT. This will automatically register staff and hence give Administrators a holistic view of IG training engagement and progress.
Reporting tool improvements: these will enable Organisation Administrators for SHAs and PCTs to run in-depth reports, for example:

• SHA leads will be able to obtain summary and detailed reports for organisation and user engagement with the IGTT for all NHS Trusts and PCTs within the SHA region.
• PCT leads will be able to obtain summary and detailed reports for Practice and user engagement with the IGTT for all Practices within the PCT area.
• The Digital Information Policy team will have an enhanced reporting tool covering all organisations and users registered on the IGTT.

New Department field: Organisation Administrators will be able to set up a drop-down list of all departments or directorates they would like to report by. Once activated by the Administrator, all their staff will be able to select the appropriate department they work for upon registration or within ‘Your profile’ when logged in. This additional field was requested by Administrators to assist performance monitoring.

Newsletter and prompting absent user functions: the newsletter tool will provide Organisation Administrators with the ability to communicate via email with all the users registered under their Organisation’s National Administrative Code. The prompt function will be set by the DIP team for modules deemed to be mandatory/essential for users to complete. This means that the tool will automatically email users who have registered on the tool but have not completed the module or passed the module assessment within a certain period of time.

Link with the Electronic Staff Record (ESR): work is underway to link the IGTT to ESR through the National Learning Management System. This is at a very early stage of development and, due to the complexity of the products concerned, it will take some time until the migration or implementation of such a relationship.
Other IG qualifications - Foundation Degree

There have been several major changes within the NHS, all impacting on Information Governance (IG), particularly for SHAs and PCTs, which have been assigned additional responsibilities following the Data Handling Review. These two organisation types are already the least mature in their IG capability and so are not well prepared for extra responsibility. The IG resourcing project carried out by the Digital Information Policy team identified a skills shortage and recruitment and retention problems within the field of IG, particularly within these organisation types. Recruiting an IG manager who can meet all requirements has proved to be extremely difficult in many areas of the country. One of the alternative approaches put forward is to assign someone at associate director level to oversee IG issues (perhaps one day a week) and develop a more junior person into the IG lead role.

To facilitate the progression of staff from IG assistant or other junior informatics roles into IG officer roles, and the sideways movement of practitioner level staff from non-IG roles, it is proposed to create a Foundation Degree in Information Governance, which will be developed in accordance with the guidance contained within Skills for Health: Foundation Degree Framework for the Health Sector.

The aims of the Foundation Degree in Information Governance are to:

• Assist NHS organisations to begin to address the identified recruitment and retention difficulties.
• Assist students to pursue or develop a career in IG by providing:
  • In-depth knowledge of Information Governance principles and concepts.
  • Professional accreditation and a qualification in Information Governance.
  • A firm preparatory base for those students wishing to continue their studies to full degree level and beyond.
The learning outcomes of the Foundation Degree in Information Governance will comprise three levels:

• Core learning outcomes.
• General learning outcomes.
• Subject specific learning outcomes.

An overview of each level is reproduced below.

Core learning outcomes: overview

These will be based on National Occupational Standards (NOS) and incorporate the core learning common to all foundation degrees. Recognising that students may come from a range of educational backgrounds, each student will have the opportunity to develop the following individual skills:

• study skills – academic and work-based
• personal and professional development planning/portfolio building
• literacy, numeracy, communication
• interpersonal skills and team-working
• research and evidence appraisal skills

Students will also be required to demonstrate that they have obtained IG skills in relation to:

• health and social care context
• service users' rights, equality and diversity
• codes of conduct, ethics and the law
• user-centred service
• health and safety
• risk assessment

General learning outcomes: overview

The Foundation Degree in Information Governance will have two types of general learning outcomes:

• NHS Knowledge and Skills Framework Core dimensions - there are 6 core dimensions, relevant to every post in the NHS, which will be embedded at the levels below within the Foundation degree and clearly mapped:
  • C1 - Communication, Level 3: Develop and maintain communication with people about difficult matters and/or in difficult situations
  • C2 - Personal and people development, Level 3: Develop oneself and contribute to the development of others
  • C3 - Health, safety and security, Level 3: Promote, monitor and maintain best practice in health, safety and security
  • C4 - Service improvement, Level 2: Contribute to the improvement of services
  • C5 - Quality, Level 3: Contribute to improving quality
  • C6 - Equality and diversity, Level 2: Support equality and value diversity.
• Quality Assurance Agency for Higher Education (QAA) level descriptors - the Foundation degree is an intermediate qualification within the QAA Framework for Higher Education Qualifications. This requires that students will have developed a sound understanding of the principles in their field of study, and will have learned to apply those principles more widely. Through this, they will have learned to evaluate the appropriateness of different approaches to solving problems. Their studies will have a vocational orientation, enabling them to perform effectively in their chosen field. They will have the qualities necessary for employment in situations requiring the exercise of personal responsibility and decision-making. The detailed QAA descriptors will be taken into account during the design and delivery of the Foundation degree; see: www.qaa.ac.uk/academicinfrastructure/fheq/ewni08/#p4.2

Subject specific learning outcomes

Subject specific learning outcomes will be drawn from a number of areas:

• QAA subject benchmarks - the health and social care benchmark statements available are not relevant to the field of IG. Additionally, there are no intermediate (i.e. Foundation degree) level statements; therefore consideration will be given to drawing information from the benchmark statements for “librarianship and information management” and tailoring it to an intermediate level course. See: www.qaa.ac.uk/academicinfrastructure/benchmark/statements/Librarianship07.asp
• Health Informatics Career Framework - the Framework contains the job roles of Information Governance Officer, set at career framework level 6, and Information Governance Assistant, set at career framework level 4.
  It is intended that students will achieve competences, skills and qualifications somewhere between these two levels once they have completed the Foundation Degree. This will provide a progressive and achievable route for staff already working at level 4, whether within or outside of IG roles. Therefore, initial work has commenced on the development of a new job role (i.e. junior Information Governance Officer) with linked competences etc. at career framework level 5. As with existing HICF job roles, the new job role will include National Occupational Standards linked to KSF dimensions (in addition to those set out under general learning outcomes), which will be used to form subject specific learning outcomes. Current job roles are available on the Health Informatics Career Framework website at: www.hicf.org.uk/ and relevant National Occupational Standards are at: http://www.hinos.org.uk/
• The IG Toolkit - the course forms part of the IG Training Strategy for the NHS and therefore it will be closely aligned to the standards within the NHS Connecting for Health IG Toolkit. See: www.igt.connectingforhealth.nhs.uk
• Professional standards - learning outcomes will also be drawn from the United Kingdom Council for Health Informatics Professions (UKCHIP) level 2. See: www.ukchip.org.uk Level 2 is for people who are establishing their career in HI and have a significant degree of autonomy in their post. A minimum of 2 years' experience and a qualification of at least NQ level 3 (e.g. A levels or first degree) is required.

At the most basic level, on completion of the course, a student should be able to:

• Understand and explain each of the component parts of Information Governance, including how to:
  • Set up and maintain an IG framework.
  • Ensure compliance with the legal aspects of IG.
  • Improve and maintain good records management within their organisation.
• Evidence how to resolve and reduce the occurrence of confidentiality and security incidents.
• Demonstrate an awareness of current issues affecting IG, e.g. the systems and services being delivered by the National Programme for IT.
• Demonstrate an ability to address, through relevant implementation, an improvement to existing IG practice within their organisation.

Anyone interested in assisting the development of the Foundation Degree in Information Governance should contact the project lead at: [email protected]

Experiences on the IG Masters course - Qualifications in Healthcare Information Governance (HIG)

The University of Bath School for Health introduced a range of qualifications in HIG in 2006. At the time this was the only post-graduate course in the UK specifically about information governance for healthcare professionals. The programme was developed by the university with The Royal College of Surgeons of Edinburgh, and offered PG Certificate, PG Diploma and MSc qualifications, of one, two and three years' duration respectively. The first students started in October 2006, and I enrolled with the first cohort, most of whom were from Scotland. I am now in the third, research project, year.

Having submitted my CV and application form in a moment of bravado I was delighted, but also a little frightened, to be accepted. As something of a technophobe, my worst fear was having to use MOODLE (the university’s virtual learning environment - VLE); this is an interactive website with a number of features and activities designed to “engage learners and promote collaborative student-centred learning”. Within a few weeks I was attending a face-to-face induction day in Edinburgh at the Royal College of Surgeons. This was a great day: I’ve always loved Edinburgh, and meeting the other participants in such prestigious surroundings was an amazing bonus.
The first unit covered Confidentiality and Data Protection in the NHS, within the context of the wider UK and EU legislation, and the next, Freedom of Information and Records Management, was a really useful module. The last unit of the first year was Information Security surrounding the EPR.

In the second year we tackled Clinical Systems, in two parts. The first was learning about system development methods. At the time these seemed very difficult and it wasn’t until later that I understood and appreciated why they were part of the course. Because system development is a large part of Information Management, and destined to be a much greater part, understanding how systems are developed, and being able to see why they may not work as well as they could, is a key skill for anyone using them. It also enables IT and IG people to talk to one another in the same language – as a result I feel much better able to get IG principles incorporated into IT.

The course has also included several “residentials” at Edinburgh and Bath, and at these we have had lectures from various professionals on subjects as diverse as: Communication; leadership and the organisation of change; IT security and governance; and Knowledge and Information Management. My chosen Diploma-level (second year) units covered leadership and the management of organisational change. These are topical and divergent, especially in workplaces like public authorities, which are notoriously resistant to change. I found the distinction between leadership and management a very interesting exercise.

The HIG-in-practice portfolio part of the course, running alongside the other units, involved various milestone exercises in the workplace, including shadowing a member of staff in a different work area, to identify the present and potential impacts of the requirements of the Information Governance Assurance Framework.
I thought I knew all about information flows, having worked in Medical Records, Coding and Data Quality before accepting the HIG lead role, but the extent to which HIG principles permeate every part of the hospital still came as something of a surprise.

For the dissertation year, all the third year MSc students at the Bath University School for Health came together for lectures and advice on their choice of subject and guidance about getting started. Much of the early effort is writing a protocol for the dissertation and getting that accepted by the University as suitable as a Master’s level project. I found meeting doctors (medical ones) and Health Informatics students very interesting, and was reassured that we all shared many of the same concerns and anxieties.

If anyone is contemplating embarking on this or a similar course of study they should be sure they have the time and support from their employers for the considerable commitment necessary. I have not yet completed the course, but have already found what I have learned beneficial in my current job, though it has been, I must admit, extremely hard work.

For further details of entry requirements, the current syllabus, etc., and to apply, contact the University at www.bath.ac.uk/health/programmes/hig

Jill Stretton
Healthcare Information Governance Manager
Shrewsbury and Telford Hospital NHS Trust

Information sharing

Richard Thomas and Mark Walport: Data sharing review

On 25 October 2007 the Prime Minister asked Dr Mark Walport of the Wellcome Trust and the Information Commissioner, Richard Thomas, to independently review the framework for the use of personal information in the public and private sectors. The terms of reference of the review were to:

• consider whether there should be any changes to the way the Data Protection Act 1998 operates in the UK and the options for implementing any such changes.
• provide recommendations on the powers and sanctions available to the regulator and courts in the legislation governing data sharing and data protection.
• provide recommendations on how data-sharing policy should be developed in a way that ensures proper transparency, scrutiny and accountability.

The review's final report concluded that:

• there is a lack of transparency and accountability in the way organisations deal with personal information.
• there is confusion surrounding the Data Protection Act, particularly the way it interacts with other strands of law.
• greater use could be made of the ability to share personal data safely, particularly in the field of research and statistical analysis.
• the Information Commissioner needs more effective powers, and the resources to allow him to use them properly.

The report made a series of recommendations aimed at transforming the personal and organisational culture of those who collect, manage and share information. The recommendations are grouped under the headings of developing culture, the legal framework, the regulatory body, research and statistical analysis, and safeguarding and protecting publicly available information:

Developing culture

• Recommendation 1: All organisations handling or sharing significant amounts of personal information should clarify in their corporate governance arrangements where ownership and accountability lie for the handling of personal information.
• Recommendation 2: Companies should review at least annually their systems of internal controls over using and sharing personal information; and they should report to shareholders that they have done so.
• Recommendation 3: Organisations should take the following good-practice steps to increase transparency:
  • Fair Processing Notices should be much more prominent in organisations’ literature, both printed and online, and be written in plain English. The term ‘Fair Processing Notice’ is itself obscure and unhelpful, and we recommend that it is changed to ‘Privacy Policy’.
  • Privacy Policies should state what personal information organisations hold, why they hold it, how they use it, who can access it, with whom they share it, and for how long they retain it.
  • Public bodies should publish and maintain details of their data-sharing practices and schemes, and should record their commitment to do this within the publication schemes that they are required to publish under the Freedom of Information Act.
  • Organisations should publish and regularly update a list of those organisations with which they share, exchange, or to which they sell, personal information, including selected third parties.
  • Organisations should use clear language when asking people to opt in or out of agreements to share their personal information by ticking boxes on forms.
  • Organisations should do all they can (including making better use of technology) to enable people to inspect, correct and update their own information – whether online or otherwise.
• Recommendation 4: All organisations routinely using and sharing personal information should review and enhance the training that they give to their staff on how they should handle such information.
• Recommendation 5: Organisations should wherever possible use authenticating credentials as a means of providing services and in doing so avoid collecting unnecessary personal information.

The legal framework

• Recommendation 6: Any changes to the EU Directive will eventually require changes to the UK’s Data Protection Act. We recognise that this may still be some years away, but we nonetheless recommend strongly that the Government participates actively and constructively in current and prospective European Directive reviews, and assumes a leadership role in promoting reform of European data law.
• Recommendation 7(a): New primary legislation should place a statutory duty on the Information Commissioner to publish (after consultation) and periodically update a data-sharing code of practice. This should set the benchmark for guidance standards.
• Recommendation 7(b): The new legislation should also provide for the Commissioner to endorse context-specific guidance that elaborates the general code in a consistent way.
• Recommendation 8(a): Where there is a genuine case for removing or modifying an existing legal barrier to data sharing, a new statutory fast-track procedure should be created. Primary legislation should provide the Secretary of State, in precisely defined circumstances, with a power by Order, subject to the affirmative resolution procedure in both Houses, to remove or modify any legal barrier to data sharing by:
  • repealing or amending other primary legislation;
  • changing any other rule of law (for example, the application of the common law of confidentiality to defined circumstances); or
  • creating a new power to share information where that power is currently absent.
• Recommendation 8(b): Before the Secretary of State lays any draft Order before each House of Parliament, it should be necessary to obtain an opinion from the Information Commissioner as to the compatibility of the proposed sharing arrangement with data protection requirements.
The regulatory body

• Recommendation 9: The regulations under section 55A of the Data Protection Act setting out the maximum level of penalties should mirror the existing sanctions available to the Financial Services Authority, setting high, but proportionate, maxima related to turnover.
• Recommendation 10: The Government should bring the new fine provisions fully into force within six months of Royal Assent of the Criminal Justice & Immigration Act, that is, by 8 November 2008.
• Recommendation 11: Organisations should notify the Information Commissioner when a significant data breach occurs. We do not propose this as a mandatory requirement, but in cases involving the likelihood of substantial damage or distress, we recommend the Commissioner should take into account any failure to notify when deciding what, if any, penalties to set for a data breach.
• Recommendation 12: The Information Commissioner should have a statutory power to gain entry to relevant premises to carry out an inspection, with a corresponding duty on the organisation to co-operate and supply any necessary information. Where entry or co-operation is refused, the Commissioner should be required to seek a court order.
• Recommendation 13: Changes should be made to the notification fee through the introduction of a multi-tiered system to ensure that the regulator receives a significantly higher level of funding to carry out his statutory data-protection duties.
• Recommendation 14: The regulatory body should be re-constituted as a multi-member Information Commission, to reinforce its status as a corporate body.
Research and statistical analysis

• Recommendation 15: ‘Safe havens’ should be developed as an environment for population-based research and statistical analysis in which the risk of identifying individuals is minimised; and furthermore we recommend that a system of approving or accrediting researchers who meet the relevant criteria to work within those safe havens is established. We think that implementation of this recommendation will require legislation, following the precedent of the Statistics and Registration Service Act 2007. This will ensure that researchers working in ‘safe havens’ are bound by a strict code, preventing disclosure of any personally identifying information, and providing criminal sanctions in case of breach of confidentiality.
• Recommendation 16: Government departments and others wishing to develop, share and hold datasets for research and statistical purposes should work with academic and other partners to set up safe havens.
• Recommendation 17: The NHS should develop a system to allow approved researchers to work with healthcare providers to identify potential patients, who may then be approached to take part in clinical studies for which consent is needed.

Safeguarding and protecting publicly available information

• Recommendation 18: The Government should commission a specific enquiry into on-line services that aggregate personal information, considering their scope, their implications and their regulation.
• Recommendation 19: The Government should remove the provision allowing the sale of the edited electoral register. The edited register would therefore no longer serve any purpose and so should be abolished. This would not affect the sale of the full register to political parties or to credit reference agencies.
Ministry of Justice: Response to data sharing review

The response recognised that several of the recommendations within the Thomas/Walport report complemented the recommendations of the Cabinet Office data handling review (DHR). The report committed Government to implementing the key recommendations of both reviews to improve data management. The report provided a response to each of the recommendations, a summary of which follows:

• Recommendation 1: corporate governance arrangements, and
• Recommendation 2: annual review of internal controls
It was highlighted that Government departments had made significant progress implementing the requirements of the DHR. In particular, in relation to:
  • Publication of information regarding data losses;
  • Appointment of Senior Information Risk Owners (SIROs); and
  • Ensuring that those in their delivery chain, including public and private sector organisations, are aware of their responsibilities in relation to the new data handling measures.

• Recommendation 3: good-practice steps to increase transparency
The response agreed with the main thrust of the recommendations but felt it was for the organisations to determine the most appropriate terminology for their business area in relation to fair processing notices.

• Recommendation 4: review and enhance training given to staff on handling information
Training and awareness of good data security practice within Government departments was discussed in the DHR. All Government departments are already addressing core measures to provide data security training for all staff accessing protected personal data.

• Recommendation 5: use authenticating credentials to provide services and avoid collecting unnecessary personal information
Several authentication services were outlined, with the Employee Authentication Service (EAS) singled out as showing Government commitment to such services.
Initiatives that will streamline services and avoid unnecessary collection of personal information include ‘Tell Us Once’, which looks at the feasibility of a service where citizens can report a birth, death or change of address to Government only once, ensuring Government responds in a co-ordinated manner.

• Recommendation 6: the Government should actively participate in reviews of the European Directive and promote reform of European data law
The Government has committed to working to ensure that UK and European law remains properly equipped to deal with challenges brought by technological and social change.

• Recommendation 7(a): a duty on the IC to publish a data-sharing code of practice
The ICO will be asked to draft a code which will:
  • provide practical guidance to the public, particularly data controllers and data processors, about how to share personal data in accordance with the requirements of the DPA; and
  • promote good practice in the sharing of personal data.
A breach of, or compliance with, the Code will be taken into account by the courts, the Information Tribunal and the ICO whenever it is relevant to a question arising in legal or enforcement proceedings.

• Recommendation 7(b): a provision for the IC to endorse context-specific guidance that elaborates the general code
Where sector-specific guidance is required, the ICO should consult with business and those organisations that represent business in that sector to ensure the guidance is as useful and relevant as possible.

• Recommendation 8(a): fast-track procedure for removing or modifying an existing legal barrier to data sharing
Government will legislate to create a gateway for data sharing powers, which will be subject to the Parliamentary Affirmative Resolution procedure.
This will create a more streamlined process, retaining the element of parliamentary scrutiny to ensure transparency in data sharing policy and ensuring such power is proportionate. We intend to bring forward legislation to confer upon the Secretary of State a power to permit or require the sharing of personal information between particular persons or bodies, so long as a robust case can be made to use that power. The power will also be used to simplify the data protection framework and remove any unnecessary obstacles to data sharing.

• Recommendation 8(b): Government to obtain opinion from the IC as to the compatibility of any proposed sharing arrangements with data protection requirements
The ICO should provide independent oversight of proposals being taken forward via this process.

• Recommendation 9: mirror the existing sanctions available to the Financial Services Authority
The implementation of a model similar to that operated by the Financial Services Authority is under consideration.

• Recommendation 10: bring the new fine provisions fully into force
It was hoped to bring the new fine provisions into force shortly.

• Recommendation 11: notification of significant data breaches to the IC
Following the publication of the DHR it is mandatory for Government departments to share details of significant actual or potential losses of personal data with the ICO. A mandate will be given to the ICO to publish guidance for organisations on when to notify breaches of the data protection principles.

• Recommendation 12: statutory power for IC to gain entry to relevant premises
The response to this recommendation is outlined in the package of measures set out in the response to the Ministry of Justice consultation on the Information Commissioner’s inspection powers and funding arrangements under the Data Protection Act 1998. See Appendix B.
• Recommendation 13: make changes to the notification fee
The response to this recommendation is outlined in the package of measures set out in the response to the Ministry of Justice consultation on the Information Commissioner’s inspection powers and funding arrangements under the Data Protection Act 1998. See Appendix B.

• Recommendation 14: re-constitute the Information Commission
Further work will be undertaken to consider the case for reconstituting the Office of the Information Commissioner.

• Recommendations 15 and 16: development of safe havens
Through the Research Capability Programme, established via NHS Connecting for Health in 2007, the Department of Health is working with the Information Centre for Health and Social Care to develop safe havens. They will be designed to enable appropriate processing, for health research purposes, of patient information and other data derived from patient information.

• Recommendation 17: allow approved researchers to work with healthcare providers to identify potential patients
The Department of Health will develop a system to allow approved researchers to work with healthcare providers for this purpose, under a duty of confidentiality equivalent to the duty owed by health professionals. The Department will develop mechanisms to help healthcare providers operate the system consistently, and will ensure they work with the employers of the approved staff to deal effectively with any breaches of confidentiality. The independent National Information Governance Board will monitor the operation of the system.

• Recommendation 18: a specific enquiry into on-line services that aggregate personal information
This recommendation was said to merit further consideration.

• Recommendation 19: remove the provision allowing the sale of the edited electoral register
A public consultation will be held on this recommendation.
Case studies: the UK Council of Caldicott Guardians

These case studies are from queries raised by the wider Caldicott community and discussed by the UK Council of Caldicott Guardians. The responses expressed do not constitute legal advice; they are the considered opinion of the Council. If you require legal advice you should consult your organisation’s legal advisors. The Council welcomes any queries that promote similar discussion, so please see this as your opportunity to raise issues, obtain a response and assist the Council to build up a body of frequently asked questions and answers and develop expertise across the community. Queries should be sent to: [email protected]

Proactive disclosure of information to the police

A day surgery unit is reviewing its policy on discharge. It advises patients beforehand that they should not drive after having a general anaesthetic. Occasionally, a patient recovers and then wishes to drive themselves. The unit is proposing to provide the following statement to these patients: "We will inform the police if you state that you intend to drive yourself home after recovering from a general anaesthetic". Would this disclosure be classified as satisfying the "robust public interest justification"?

Considerations

In reaching its decision the Council considered:
• The common law duty of confidence.
• The length of time that impairment of driving ability is likely to last in a person recovering from day case surgery under general anaesthetic.

Confidentiality considerations

The Confidentiality: NHS Code of Practice and the General Medical Council guidance "Confidentiality: Protecting and Providing Information" set out the circumstances under which a disclosure of confidential information without consent is permitted if it is in the substantial public interest to disclose.
The discloser must decide whether the public good that would be achieved by the disclosure outweighs both the obligation of confidentiality to the individual patient concerned and the broader public interest in the provision of a confidential service. One example of where disclosure of personal information without consent may be justified in the public interest is where failure to disclose may expose the patient or others to risk of death or serious harm. Clinicians also have a duty of care to people other than the patient, i.e. there are times when the safety of others must take precedence. If the discloser is of the view that disclosure is necessary to protect a third party from death or serious harm, the information should be promptly reported to an appropriate person or authority.

Anaesthetic considerations

Before disclosing, staff must consider how long the impairment of driving ability lasts in a person recovering from day case surgery under general anaesthetic. According to the Royal College of Anaesthetists, impairment will vary (generally lasting between 24 and 48 hours) depending on the type of surgery, the length of time the patient is anaesthetised, and other patient-specific factors. However, it is accepted practice that patients must be informed that they should not drive on the same day that they have received a general anaesthetic. Patients should also be aware that their insurance is likely to be invalid if they do so.

The Council’s decision

If a circumstance arises where a patient insists on driving despite there being clear evidence that he/she is likely to be a danger and to pose a significant "risk of death or harm" to themselves or to others then, in the Council’s view, there is a public interest duty of disclosure which over-rides the duty of confidentiality.
The disclosure should be made in line with the Confidentiality: NHS Code of Practice and the GMC's guidance listed above. The Council also suggested the following text would be more appropriate: “We will inform the police if we believe you are still significantly affected by general anaesthetic and you ignore our advice not to drive.”

Retention of investigation information relating to staff

The query was made following the enactment of the new legislation for the safe use and management of controlled drugs. An Accountable Officer has responsibility for ensuring that appropriate systems are in place for reporting suspected criminal activity involving controlled drugs to the police. Whilst developing a written protocol to meet this requirement, there was uncertainty about what should be done with investigation information collected in relation to the following scenarios:
• When a concern or suspicion is raised about a member of staff but the person reporting the concern has no supporting physical evidence.
• When a concern or suspicion results in a police investigation into an individual’s actions but the individual is not charged.
• When an individual is charged by the police but is not convicted.

The scenarios raised several queries, including:
• Should the information be retained if the individual is not convicted?
• If the information is retained, how long should it be kept?
• What are the implications if the information is destroyed and subsequent concerns or suspicions are raised about the same individual, resulting in a conviction?

Considerations

In reaching its decision the Council considered:
• Whether the information should be retained at all.
• If it was retained, whether there should be a short retention period.
• Accessibility, i.e. who is able to gain access to the information.
Decision

Integral to the retention of information is that it is held in accordance with the organisation’s overall information governance policy, with due consideration for security and confidentiality. The information gathered is extremely sensitive and requires robust access controls so that only those with a genuine need to know the information are able to access it. Although all the scenarios relate to unsubstantiated or unproven allegations, organisations need to be aware that such information could later add up and identify provable criminal activity. Additionally, organisations should make sure that individuals are aware of their rights under the Data Protection Act, and that redacted or complete information might have to be supplied about an allegation.

1. When a concern or suspicion is raised about a member of staff but the person reporting the concern has no supporting physical evidence:
It is important to take into account that an unsubstantiated 'concern' could be malicious. However, the concern will still need to be investigated and it would be appropriate to hold a summary referring to any investigation carried out and the fact that there was no evidence to support the allegation.

2. When a concern or suspicion results in an investigation into an individual’s actions but the individual is not charged:
Information about the investigation, the evidence gathered and referral to the police should be retained. It should be held as part of that person's record even if they were exonerated.

3. When an individual is charged but is not convicted:
Information about the investigation, the evidence gathered and referral to the police should be retained. It should be held as part of that person's record even though they have not been convicted.
Links and contacts

Departments and Bodies
Association of Directors of Adult Social Services http://www.adss.org.uk/
Department of Health http://www.dh.gov.uk/
Information Commissioner’s Office http://www.ico.gov.uk/
National Information Governance Board for Health and Social Care http://www.nigb.nhs.uk/
NIGB: Ethics and Confidentiality Committee http://www.nigb.nhs.uk/ecc
NHS Connecting for Health http://www.connectingforhealth.nhs.uk/
UK Council of Caldicott Guardians http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/caldicott

Products and Services
Department of Health: Information Policy http://www.dh.gov.uk/en/Managingyourorganisation/Informationpolicy/index.htm
Information Governance http://www.connectingforhealth.nhs.uk/systemsandservices/infogov
IG Toolkit https://www.igt.connectingforhealth.nhs.uk/
IG Training Tool http://www.igte-learning.connectingforhealth.nhs.uk/igte/index.cfm
IG Statement of Compliance http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/igsoc
Ministry of Justice: Data sharing and protection http://www.justice.gov.uk/guidance/datasharing.htm
NHS CFH: Information Security http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/security
NHS CFH: Infrastructure Security (N3 connection required) http://nww.connectingforhealth.nhs.uk/infrasec
The NHS Records Management Roadmap http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/records

Publications
Caldicott Guardian Manual 2006 http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/caldicott/caldresources/guidance
Confidentiality: NHS Code of Practice http://www.dh.gov.uk/en/Managingyourorganisation/Informationpolicy/Patientconfidentialityandcaldicottguardians/DH_4100550
Information Security Management: NHS Code of Practice
http://www.dh.gov.uk/en/Managingyourorganisation/Informationpolicy/Informationsecurity/index.htm
NHS Care Record Guarantee http://www.nigb.nhs.uk/guarantee
NHS information governance: Guidance on legal and professional obligations http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_079616
NIGB Annual Report 2008 http://www.nigb.nhs.uk/about/publications/NIGB_Annual_Report_2008.pdf
Records Management: NHS Code of Practice http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747

Helpdesk contacts

The Department of Health and NHS Connecting for Health - Digital Information Policy Team helpdesk services:
• IG Toolkit Helpdesk – [email protected]
• IG Training Tool – [email protected]
• Records Management – [email protected]
• Information security – [email protected]

Department of Health: Contact page: http://www.dh.gov.uk/en/ContactUs/index.htm

UK Council of Caldicott Guardians: [email protected]

General Medical Council: Standards & Ethics enquiries
• Tel: 020 7189 5404
• Fax: 020 7189 5401
• Email: [email protected]
• Web: http://www.gmc-uk.org/about/contacts/

Nursing and Midwifery Council: Standards
• Tel: 020 7333 6547
• Email: [email protected] / Individual contact details
• Web: http://www.nmc-uk.org/aArticle.aspx?ArticleID=1587

Medical Defence Union: Medico/dento-legal queries and claims
• 24-hour freephone: UK medical 0800 716 646; UK dental 0800 374 626; Ireland 1800 535 935
• Fax: 020 7902 5900
• Email: [email protected]
• Web: http://www.the-mdu.com/topnav_contact_us_0/index.asp

Information Commissioner’s Office: Contact page https://www.ico.gov.uk/Global/contact_us.aspx

Appendices

Appendix A: The UK Council of Caldicott Guardians
Appendix B: The National Information Governance agenda
Appendix C: The NHS Information Governance Assurance Framework
Appendix D: Information Sharing