Information Governance Strategy
Includes ‘Information risk’ & incident management methodology
Version 3.0

Approved by: Quality Assurance Group
Ratification date: February 2017
Review date: January 2019

Document Status

Version: 5.0
Document Author(s): Kate Tregale
Document Owner: Chief Financial Officer & Caldicott Guardian
Client: Clinical Commissioning Group
File Reference:
Date Issued: February 2017
Approved by and date of approval: QAG February 2017 via exceptional reporting

Revision History

South, Central & West Commissioning Support Unit
Document status: current

Version | Date | Comments
1.0 | 17th December 2004 | First draft for comment & PCT specific tailoring
1.1 | 28th January 2005 | Minor amendments following team comment
1.2 | 04 May 2005 | Made current following PCT board approvals – included one amendment relating to scope including support for independent contractors.
1.3 | January 2006 | Minor update in line with revised Information Governance Policy and to reflect upcoming PCT structure changes.
1.4 | October 2008 | Review and update to reflect organisational and sector developments, particularly the role of Senior Information Risk Owner
1.5 | November 2010 | Review and update to reflect changes in IG toolkit and to set out as suitable for future planned organisational structures – no fundamental changes, but improved throughout
1.6 | Jan 2012 | Reference BNSSG Cluster and Information Risk Group
1.7 | Jan 2013 | Prepared and altered for Clinical Commissioning Groups
1.8 | June 2013 | Amended to reflect changes to incident reporting via IG toolkit.
2.0 | February 2014 | Annual update – including Caldicott 2 recommendations
3.0 | January 2015 | Review in relation to audits of IG Toolkit and v12
4.0 | January 2016 | Annual review.
5.0 | February 2017 | In year review

Contents

Information Governance Strategy ... 1
1 Purpose ... 1
2 Background ... 1
3 Scope ... 1
4 Strategic approach & objectives/deliverables ... 2
5 Accountability ... 4
6 Key Policy Framework ... 5
7 Management of work plan and compliance assessment ... 5
8 South Central & West Commissioning Support Unit & Resources ... 6
9 Monitoring providers ... 6
10 Risk, Incident and Query Management ... 6
10.1 Risk Management methodology ... 6
10.2 Incident reporting, management & investigation ... 8
11 Access control & data transfer principles ... 9
12 New developments – ensuring compliance ... 9
13 Education Strategy ... 9
14 Development, approval and implementation of guidance ... 11
15 Communication with patients and how their information is used ... 12
16 Review of Strategy, policy & guidance ... 15
1 Purpose

The organisation is required to have effective arrangements in place to govern the uses of information and information systems in the organisation. This Strategy sets out the scope and approach that the organisation will operate to ensure legal and regulatory compliance and, where practical, that best practice in handling information is achieved.

2 Background

Information Governance has developed a programme of work to encompass all aspects of handling information and compliance with legislation, including the Data Protection Act (1998) and the Freedom of Information Act (2000), and meeting regulatory standards for records management, information security and data quality. It recognises the significant overlap in activities, knowledge and skills required for these areas and aims to ensure consistency and efficiency of approach to deal with related matters.

NHS Digital (formerly Health & Social Care Information Centre) has set standards and a measure of compliance within the ‘Information Governance’ toolkit. Performance of organisations relates to a number of core standards set by the Care Quality Commission. It is also an intrinsic part of processes such as CCG authorisation and commissioner/provider contracts.

In the wider context, organisations are now subject to significant monetary penalties if they are found to have failed in their responsibilities under the Data Protection Act 1998. Numerous large fines have been imposed by the Information Commissioner’s Office. As a result organisations are required to report any Serious Incidents Requiring Investigation (SIRI) and provide assurance of compliance with information governance standards in the annual report.

In 2013, the Information Governance Review ‘To share or not to share’ (Caldicott 2) was published. This strategy has been revised in light of the recommendations accepted by the Government response.
A third report by Dame Fiona Caldicott was published in July 2016 reviewing Data Security, Consent and Opt-Outs. This report made a number of recommendations, along with a report by the Care Quality Commission (CQC) into how data is safely and securely managed in the NHS. Although these recommendations are being considered and are not yet implemented, the organisation is mindful of possible future changes, will prepare as far as possible and will review this policy when further information is known.

The UK Data Protection Act will be replaced by the General Data Protection Regulation or similar legislation during the next couple of years. Information Governance activities and practices will be mindful of the requirements of this new approach to Data Protection, and action plans will be created to ensure compliance.

It is also recognised that effective governance of information is a key supporting element to making best use of, and gaining real benefit from, the information resources.

3 Scope

Information Governance is an ‘umbrella’ term for a number of linked initiatives which are categorised in the Information Governance toolkit as follows:

- Confidentiality & Data Protection – staff responsibilities and patients’ rights
- Corporate information – Freedom of information and records management
- Clinical information – Health records management
- Information Governance Management – operational framework
- Secondary Uses of information – appropriateness and quality
- Information Security – technical and organisational security processes

The scope is clearly wide, with some impact on every member of staff. For an organisation to ensure an appropriate level of compliance, many individuals and groups across the organisation are required to have specified responsibilities. The groups and staff are identified later and responsibilities are detailed in the Information Governance Policy (IGMS).
The scope of this strategy is to set out the structure for Information Governance Management and activity, ensuring that the organisation addresses all areas effectively.

4 Strategic approach & objectives/deliverables

The fundamental objective for the strategy is to promote positive compliance with legislation and standards and, by consequence, reduce risk, with risk being identified in a number of categories:

- Loss of public trust/confidence in the organisation (due in particular to losses/inappropriate disclosures)
- Contribution to, or cause of, clinical or corporate negligence (due to unavailable, inaccurate, incomplete or out of date information)
- Legal action, including fines, for non-compliance with Data Protection, Common Law, Human Rights and Freedom of Information legislation

So in assessing activities to comply, the Information Governance lead and other staff will evaluate requirements from a risk management perspective, utilising where possible existing risk assessment methods (CRAMM) and standards (ISO27000 series).

A ‘whole systems’ approach is fundamental to an effective Information Governance framework. To this extent the work of the Information Governance team will incorporate the following core work streams, directed towards ensuring implementation of the IG policy and requirements of compliance with the IG toolkit:

- Information Governance Management System – ensuring that the approaches and methods for handling information are clearly documented and evidenced. This will include oversight of information governance work by the appropriate committee.
  o Deliverables – a robust framework of policy and guidance that is approved, owned and promoted by the organisation, incorporating work plans to maintain and improve compliance.
- Education and awareness programme – of staff, partners, contractors and patients, achieved via formal and informal education and awareness programmes and a process to review and ensure compliance for all new uses of information, both in terms of information systems and development of healthcare services. This stream is guided by the IG Education Strategy and Communication with patients and how their information is used.
  o Deliverables – a programme of educational activities that provides core education to all staff, assesses staff knowledge and provides further support as required. Additional educational activities are delivered to staff that need them via periodic organisation wide training needs analysis.
- Technical security solutions – establishing where technical solutions can aid the reduction of risk around handling data, but do not put unnecessary burdens on staff working practices. This is overseen by the Information Governance Group and managed on a day to day basis by an integrated programme between IG and IT services, linked to audits and risk assessment activities to identify requirements.
  o Deliverables – any technical solution to improve security will be part of a defined business case (if needing funding) and project plan. Deliverables will be specifically defined within these.
- Information risk assessment programme (including security) – relating to compliance with policy and process and effectiveness of technical solutions, and covering all aspects of related work, including system use, facilities, corporate records etc. This area includes specific local and internal audit programmes. This has a specific focus on knowing what information is held (information assets), where it comes from and where it goes (information flows) and managing times when it is unavailable (business continuity).
  o Deliverables – regular risk reviews of systems and processes as part of the annual assurance and improvement work plan for information governance.
Annual reviews of the security of key information assets and information flows will be undertaken to ensure security is achieved and maintained as far as possible. Confidentiality & system usage audits will also be undertaken.

There are also significant work programmes in other areas that support Information Governance compliance, namely:

- Data Quality work – linked to performance, contract monitoring and secondary uses of data extracted from the patient record. This also incorporates work to ensure that the use of Personal Confidential Data (PCD) is controlled appropriately within the framework of ‘Accredited Safe Havens’ and ‘Controlled Environment for Finance (CEfF)’. (This service is provided by South, Central & West Commissioning Support Unit to NS CCG.)

An annual work plan for assurance and improvement will be established as part of the end of year IG toolkit compliance assessment – see section 6 for more detail.

Compliance objectives:

April 2015 – Sept 2016 (achieved):
- Enhanced IG Strategy, integrated with overall CCG strategic aims
- Ensured 95% of staff achieved a pass in core IG knowledge assessment. CCG moved from locally provided online IG training compliance assessment to the Skills for Health training tool via ConsultOD
- Moved activities to regular review, including information asset and data flow risk reviews stating the legitimate purpose for processing personal confidential data (PCD). Established rolling programme of detailed risk assessments for key assets.
- Maintain strong, robust IG approach supporting requirements such as DSCRO, ASH and CEfF

September 2016 onwards:
- Maintenance of level 2 or greater compliance with IG toolkit
- Implementation of recommendations from the National Data Guardian and CQC information security reviews when finalised.
- Implementation as required of policy and procedural changes required for compliance with General Data Protection Regulations or the new UK equivalent
- Compliance with NHS Digital’s data sharing framework contract and data sharing agreements

5 Accountability

Accountable officer: As required by the ‘statement of internal controls’, the accountable officer is the Chief Financial Officer. Support is provided by the following roles:

Senior Information Risk Owner (SIRO): The role currently resides with the Chief Financial Officer and is required to be an executive board member. The role is to act as an advocate for ‘information risks’ and will provide the statement of internal control. The role will lead the identification and management of information risks that will affect the strategic direction of the organisation, as well as being responsible for the management of serious incidents.

Caldicott Guardian: The guardian should ideally be a board member and a registered clinical professional. The focus of the role remains the use of patient data and, in terms of the work areas within information governance, the role will focus on confidentiality/data protection, clinical information and secondary uses of patient data.

The roles of SIRO and Caldicott Guardian are vital components within the organisation’s framework for handling information appropriately; however, as they have limited time for this area of work, there is also an operational and developmental support structure in place to develop, maintain and check the required areas of compliance.

Information Governance (IG) Lead: The IG Lead for the CCG is the Senior Information Governance Manager. The Senior IG Manager will operate the IG Framework, in order to maintain, check and improve the required areas of compliance. They also act as the Information Security Manager, in conjunction with key roles in IT services.
The table below illustrates the work areas, the key operational lead and the committees in place to oversee the required operational and development activities:

Assurance Area (from NHS Digital IG toolkit) | Overseeing committee | Lead staff
Confidentiality & Data Protection | Quality & Assurance Group | Caldicott Guardian / Senior Information Governance Manager
Clinical Information | Quality & Assurance Group | Caldicott Guardian / Senior Information Governance Manager
Information Governance Management | Quality & Assurance Group | SIRO / Senior Information Governance Manager
Secondary Uses | Quality & Assurance Group | SIRO / Senior Information Governance Manager & Head of Business Intelligence
Information Security | Quality & Assurance Group | SIRO / Senior Information Governance Manager; responsibilities as allocated in the IT Services – IG responsibilities matrix

6 Key Policy Framework

The Information Governance Management System comprises the overarching IG Policy, the Information Security Policy and the Data Protection & Confidentiality Policies. These are supported by the guidance set produced and managed by the Information Governance team: www.protectinginfo.nhs.uk/Staff_Guidance.asp

7 Management of work plan and compliance assessment

An information governance work plan will be developed and maintained. It will be monitored by regular reports to the Quality & Assurance Group (QAG). Reporting will enable QAG to:

- Monitor and direct activities to improve compliance with requirements
- Review and agree policies, processes and guidance
- Ensure operational support for queries, education, service development and audit/assurance is in place and effective.

The work plan will be managed by the Senior Information Governance Manager (SWCSU). It will be overseen by the Senior Information Risk Owner and Caldicott Guardian.

Improvements will generally be measured by an increase in scores within the IG toolkit, unless a specific goal is linked to a particular activity. The programme will identify the resources required and responsibilities within the CCG and SWCSU to deliver the programme. It will also identify timescales by which activities are intended to be completed.

The SWCSU Information Governance team will undertake the annual assessment required by the IG toolkit and will submit the results within the time frame dictated by NHS Digital; this is currently the end of the financial year. In addition, any mandated ‘mid-year’ assessments will also be undertaken. Improvement and update of the scoring will be undertaken throughout the year, so that the audit is not left until the last month or two of the financial year. Approval of the score to be submitted will be gathered from the SIRO, Caldicott Guardian and Quality & Assurance Group.

8 South Central & West Commissioning Support Unit & Resources

SCW CSU will be undertaking a number of key activities on behalf of the CCG. The CCG will therefore require assurance from SCW CSU that the processing of personal data that it undertakes on behalf of the CCG is done in an appropriate and secure manner. SCW CSU is required to undertake regular assessment of compliance with information governance and improvement action where required. The Service Level Agreement and/or Information Sharing Agreement will include the core purposes for processing data, as well as key principles and methods compliant with Caldicott principles: to only use personal data when necessary and to use the minimum amount of personal confidential data.

A lead individual in the Information Governance team will be identified to fulfil the role of ‘Information Governance Manager’ for the organisation. In order to maintain a quality service of ‘accessible expertise’, staff within the IG team who fulfil the role of ‘Information Governance Manager’ will have access to expertise and ISEB qualified data protection practitioners (or equivalent).

The IG team will provide support in both pro-active and reactive ways:

- Education – pro-actively through an ongoing programme of mandatory sessions, and re-actively to incident reports and queries
- Audit – to meet requirements placed on the organisation by NHS Digital and any local audit procedure, and to continually develop and maintain a programme of pro-active compliance audit with policy and procedure within the information risk management programme.
- Expert support – to service and system development programmes

9 Monitoring providers

As a commissioner of services, the CCG will establish a monitoring process to identify compliance levels within their commissioned providers. This will be via the IG toolkit and, where required, further discussion and investigation of provider compliance. This will also include ensuring providers are investigating, managing, reporting and publishing details on incidents appropriately. Any monitoring activity will link to and utilise NICE Quality Standard 15 (Patient experience statements in adult NHS services), in particular statement 12 related to information exchange.

10 Risk, Incident and Query Management

10.1 Risk Management methodology

It is important to define the difference between a risk and an incident. In terms of this methodology, a risk is where a problem has been identified that could lead to an incident. Defining a problem as a ‘risk’ allows for either corrective action, or documented acceptance of that risk, to be in place prior to any potential incident and, where possible, the probability of or impact from an incident to be reduced. The methodology applied is consistent with the general approach to risk management within the organisation.
Identification of risks:

There are several ways in which a risk will be identified:

- Query raised by staff member
- Assessment of new service or system by information governance team
- Compliance audit by information governance team
- Investigation of an incident/near miss that identifies where risk remains

Assessment of risks:

Where an information governance risk has been identified in any of the above situations, assessment of the risk will be undertaken by information governance support. The level of documentation on these assessments will vary depending on the situation where the ‘risk’ has been identified. Risks will be assessed on the ‘5 x 5’ matrix of probability and impact, defined in the organisation risk management policy and utilising the following guidance on potential impacts:

Level 1 | Minor non compliance with standards
Level 2 | Non compliance with standards
Level 3 | Non compliance with core standards
Level 4 | Enforcement action or fine. Major or repeated non compliance with core standards
Level 5 | Prosecution/severe fine. Severely critical report

- Query – in many cases the advice provided in response to a query will mitigate the risk either entirely or to a reasonable degree. Responses to queries other than those that can be easily answered will be logged by the IG team. Should any real risk remain following the response, this will be included in the log and a risk assessment entered as a ‘compliance’ risk on the risk register.
- Assessment of new service or system – as with queries, advice provided should mitigate risk entirely or as far as reasonably possible. Should risk remain, it will be assessed and where necessary highlighted in either the project risk log or the overall risk register.
- Compliance audit – any audit activity will produce a report that will highlight risks if necessary and potential action to reduce risk. Where the audit activity is part of formal internal or external audit, the formal audit processes will monitor activity to reduce risk and will liaise about appropriate entry in risk registers. Where audit has been undertaken by the information governance team, a report will be produced and any risks included on the risk register until they have been reduced.
- Investigation of an incident or near miss – as with the process to manage incidents, the risk will be assessed and reduction actions planned. The process will see the risk reported to the Risk Manager for inclusion in the risk register.

Reporting of risks:

The majority of risks raised to the information governance team to assess will come from the department that will ‘own’ the risk and will be seeking ‘expert’ assessment. Therefore inclusion in the relevant risk register is the responsibility of the staff member reporting the risk. This will be reiterated by the information governance team when assessing the risk. Where the information governance team identify, potentially through pro-active audit activity, risks that otherwise might not be identified, they will ensure that the relevant manager in the department is made aware of the risk, in order that it can be included in departmental or corporate risk registers where appropriate.

Reporting to the SIRO:

Any risk scoring over 8 will be reported to the Senior Information Risk Owner (SIRO). Risks scoring over 15 should be reported immediately to the SIRO, Risk Manager and Head of Information Governance (SCWCSU). Any risk scoring 25 will be reported immediately, via the SIRO, to the Chief Executive, or direct in the absence of the SIRO. Risks scoring less than 8 will not be routinely reported.

10.2 Incident reporting, management & investigation

Incident reporting:

The reporting of incidents relating to issues about information is part of the organisation’s general ‘incident reporting’ procedure.
Regular information governance education informs all staff to report issues relating to information via the organisation incident reporting process.

Incident management:

Management of any incident will require collaboration between the risk manager and the information governance team. Each incident is specific and will require its own management plan; however, there are some forms of incident where swift action is necessary and the information governance team may assume a lead role in management.

Allegation or suspected misuse of systems: It can be vital that potential evidence is preserved. If a case of potential misuse is brought to the attention of the information governance team, they will assess and determine if action is necessary to prevent further user access to system(s) and for IT equipment to be removed from further use for potential forensic examination. As expertise to undertake a forensic examination is limited, the engagement of professional services (NHS Forensic Computing Unit) will be considered. The decision will be taken by the Head of Information Governance and/or Senior Information Governance Manager or, in their absence, by either the Head of IT Services, Head of SCW CSU or Chief Officer of the CCG. This is most likely in cases of email, internet or office systems misuse. If a member of staff may potentially be suspended from duty, discussion will take place with HR to determine if access should be temporarily halted, prior to discussion about suspension. Once suspension is confirmed, access must be halted to all systems immediately.

Data loss: Where an issue relating to data is reported, the Information Governance team will undertake an immediate assessment and determine any potential containment actions. Following all efforts to contain an incident, an initial classification in relation to the published ‘Serious Incident Requiring Investigation’ scale will be determined. Any incidents with an initial classification of 1 or more will be notified to the Senior Information Risk Owner immediately. Where classification is difficult due to a lack of facts about a case, a ‘worst case scenario’ will be established and scored and, if appropriate (i.e. level 1 or greater), the SIRO will be informed. The SIRO will determine if the incident should be reported or whether further time will be allowed to establish facts. Reporting will be done via the IG Incident reporting tool in the IG toolkit. The Information Governance team will endeavour to establish a realistic score within one working day, depending on the availability of staff involved to answer questions relating to the loss.

Informing individuals affected: Where an incident has either a potential or direct impact on individuals, the individuals will be informed. An explanation and apology will be provided. Where possible each person will be contacted individually, unless this will put a significant undue burden on resources and other methods (i.e. via press release/local media) can be used. Individuals will be contacted by default unless there is a robust reason where informing will cause more harm and distress.

Incident investigation: The Information Governance team will utilise the ‘Information Security incident’ investigation procedure. In addition to scoring on a level as per the risk assessment, the investigation procedure will categorise the impact in relation to the category set in the CRAMM (Computerised Risk Assessment and Management Methodology) tool.

Incident publication: Any incident classed as level 2 will be logged on the IG toolkit incident reporting tool. When concluded these will be closed and therefore open to publication by NHS Digital. In addition, a statement on incidents will be included in the annual CCG statement of control.
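As an added worked example (not the CCG's or SCW CSU's own tooling), the Python below encodes the 5 x 5 scoring and SIRO escalation thresholds from 10.1 and applies the ‘worst case scenario’ scoring step from 10.2 to the same matrix, so that the routing of a register entry can be checked mechanically. The sample register entries, the strict reading of ‘over 8’ and ‘over 15’, and the handling of a score of exactly 8 are this example's assumptions.

```python
"""Added example (not the CCG's own methodology text or tooling): encodes the
risk scoring and escalation rules of section 10.1 and the 'worst case scenario'
step of 10.2 so the routing of a register entry can be checked mechanically."""
from dataclasses import dataclass
from itertools import product

# Impact guidance for the 5 x 5 matrix, levels 1..5, as tabulated in 10.1.
IMPACT_LEVELS = {
    1: "Minor non compliance with standards",
    2: "Non compliance with standards",
    3: "Non compliance with core standards",
    4: "Enforcement action or fine; major or repeated non compliance with core standards",
    5: "Prosecution/severe fine; severely critical report",
}


@dataclass(frozen=True)
class Risk:
    """One risk register entry. 'source' is the identification route from 10.1."""
    description: str
    probability: int  # 1..5 on the organisation's matrix
    impact: int       # 1..5, see IMPACT_LEVELS
    source: str       # "query", "new service", "compliance audit" or "incident"

    def __post_init__(self):
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact must both be on the 1..5 scale")

    @property
    def score(self) -> int:
        return self.probability * self.impact


def escalation(score: int) -> list:
    """Recipients required by 'Reporting to the SIRO' in 10.1.

    'Over 8' and 'over 15' are read strictly: on a 5 x 5 matrix the reachable
    scores are 1,2,3,4,5,6,8,9,10,12,15,16,20,25, so the tiers begin at 9 and 16.
    A score of exactly 8 sits between the page's 'over 8' and 'less than 8'
    rules; treating it as routine is this example's assumption.
    """
    if score == 25:
        # via the SIRO to the Chief Executive (direct if the SIRO is absent)
        return ["SIRO", "Risk Manager", "Head of Information Governance", "Chief Executive"]
    if score > 15:
        return ["SIRO", "Risk Manager", "Head of Information Governance"]
    if score > 8:
        return ["SIRO"]
    return []  # not routinely reported; stays on the departmental register


def worst_case(description: str, probabilities: range, impacts: range, source: str) -> Risk:
    """10.2's rule applied to the matrix: when the facts are not yet known, score
    the worst plausible combination of probability and impact and route on that."""
    worst = max(product(probabilities, impacts), key=lambda pi: pi[0] * pi[1])
    return Risk(description, worst[0], worst[1], source)


def triage(register: list) -> list:
    """Return (description, score, recipients) for every entry that must be
    reported, highest score first, so the SIRO's list can be reconciled."""
    rows = [(r.description, r.score, escalation(r.score)) for r in register]
    return sorted((row for row in rows if row[2]), key=lambda row: -row[1])


# Constructed sample register (illustrative entries, not real CCG risks).
SAMPLE_REGISTER = [
    Risk("Unencrypted laptop used for home working", 3, 4, "compliance audit"),
    Risk("Shared login on a clinical system", 2, 3, "query"),
    # recipient count unknown: probability 2..4 and impact 3..5 are still plausible
    worst_case("Mis-sent email, recipient count unknown", range(2, 5), range(3, 6), "incident"),
    Risk("Fax still used for referrals", 4, 2, "new service"),
]

if __name__ == "__main__":
    for description, score, recipients in triage(SAMPLE_REGISTER):
        print(f"{score:>2}  {description}: report to {', '.join(recipients)}")
```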
11 Access control & data transfer principles

The fundamental risks to data are the risks of inappropriate disclosure or unavailability (temporary or permanent). If either of these risks occurs, public confidence in organisations can be severely damaged, as witnessed since significant ‘losses’ of data became front page headlines from November 2007. The following strategic approaches to accessing and transferring data are promoted:

- Access on a ‘need to know’ basis, determined where possible by job role, location, organisational structure and, where appropriate, a care or service relationship with the patient or individual. These are to be determined by the Information Asset Owner.
- Access control systems to support audit of accesses made.
- Storage of data to be on central servers accessed by a network of connected devices, to reduce the need to copy data ‘off network’.
- Data taken ‘off network’ to be encrypted if it contains personal identifiable data or is classed as organisationally sensitive.
- Technical controls over removal of data from the network, including restriction to organisation owned devices and authorisation of copying to CD/DVD.
- Secure methods of transfer, including NHSmail, encryption and secure file transfer tools, to be used.
- Assessment of paper based transfers such as fax and post via information flow mapping reviews.

12 New developments – ensuring compliance

The organisation will ensure that all service development plans (including service redesign), system development plans and other activities that may use personal data will be reviewed to ensure compliance with relevant legislation. This will include both new activities and new ways of working. The organisation will operate a process, in line with the ‘Privacy Impact Assessment’ from the Information Commissioner’s Office, to assess and advise on how information should be obtained, stored, used, retained and disposed of in the lifecycle of any activity.
It will be a formal requirement of any project to ensure consultation has taken place with Information Governance staff.

13 Education Strategy

Background and Current Position

The headline data losses that occurred in 2007/08 resulted in a number of central government and ombudsman reports requiring organisations to:

- ‘review and enhance the training that they give to their staff’ (ICO report July 08)
- ‘roll out basic level of mandatory training to all users of personal data, to be completed on appointment and annually’ (O’Donnell report June 08)

Responsibility for education programme

The Information Governance Team is responsible for the design, implementation and integration of the education items described in this strategy. This is linked to the workforce development leads within the organisation. The IG toolkit assessment requirements will be used to monitor the implementation of education activities.

Induction

Upon employment all staff will receive an ‘acceptable use’ email and will undertake the ‘online assessment’ on core information governance responsibilities. This will be used to raise awareness and measure their current level of knowledge. Staff will receive an induction session as soon as possible after starting employment. This will run 15 minutes in length. The intended outcomes are to ensure staff:

- Are aware of the importance of handling information appropriately
- Are aware how support and guidance can be accessed
- Are aware of the key policy statements they must comply with

This will be by a facilitated presentation, supported by effective hand out materials.

Annual Requirement

All directives, whether they come from government investigatory reports or the IG toolkit, make a strong case to provide IG education on an annual basis. Furthermore, there are growing requirements to evidence that the education is inclusive, effective, tailored and regularly reviewed. Below is the revised programme to be provided.
Assessment and self-directed improvement

The minimum requirement for each member of staff is to undertake an annual assessment to prove they have a minimum level of knowledge. This is via the ‘Online assessment’ set up on ConsultOD, which links to the online ‘code of conduct’. Staff are expected to achieve a minimum score of 70% to pass the module. Re-takes are allowed, and staff are advised to use online materials to self-direct their learning if they are struggling. New starters are expected to achieve this within one month of starting; therefore checks on levels of compliance will exclude staff starting within the last month.

Further educational support

Other items, including those below, will be available on request:

- Face to face ‘Core Information Governance’ – as required for those unable to take online training
- Patient access requests & information rights – if applicable to those CCG staff members who handle personal confidential data
- Information Assets, data flows & risk assessment (can be delivered as a group or by 1-1 facilitated work with the information asset owner)
- Specific team briefs – covering topics such as new processing and uses of data, records management and Freedom of Information

Face to face Core Information Governance

These sessions will run for approximately 2 hours and will be provided when there is identified demand. Attendance will be for 20 staff (overbooked to 25 in case of drop off). Below is a list of topics; these can be tweaked if a session is being specifically delivered for patient facing or non-patient facing roles. All sessions will be interactive and guided by the requirements of the attendees, therefore tailored to their requirements ‘on the go’.
Topics covered include:

- Definitions – confidentiality, personal, sensitive
- Legal fundamentals – data protection, freedom of information & other legislation
- Key principles – informing, protecting, sharing, necessity, proportionality
- Consent, public interest, legal duties – in relation to sharing information
- Individual rights
- The fundamentals and benefits/impacts of quality and accuracy
- Key checks on accuracy, managing errors
- The spectrum of uses of data in the service
- Why information needs to be secured, the perils of information loss/unavailability
- The balancing act when protecting information
- Key security requirements – re mobile working, media, storage, acceptable use, phones, faxes, emails, physical security
- Monitoring, personal use
- Passwords and PINs
- What is a record?
- Record legislation including Freedom of Information
- Access to records – personal and organisational (incl. Subject Access (if applicable) & Freedom of Information)
- Filing and maintaining effective records
- Retention and destruction

There is a requirement in the IG toolkit to provide education tailored to staff groups. This will be met, as it is already, by ensuring all sessions are facilitated education sessions, rather than formal training sessions with rigid content. The facilitators will ensure that the discussion and group work is angled to the roles of the staff present as much as possible and will invite specific participation.

Other education activities

As well as the above facilitated sessions, the following activities will support staff education:

- All user emails on specific topics, authored by key Directors/Managers
- Publicity materials for items such as memory sticks, printing, faxes etc.
- Screensavers
- Sessions at team/department meetings on request (or as a result of incident resolution)
- Use of products such as the NHS Digital National IG training tool that provide online learning opportunities.
It is noted that the current modules may well be suitable for staff who have specific additional responsibilities, such as the Caldicott Guardian, Senior Information Risk Owner and the Information Asset Owners.

14 Development, approval and implementation of guidance

In order to support education programmes and staff queries, the IG team produce a number of guidance documents related to handling information. The following is the core process for development, approval and implementation:

- Guidance will be developed by the team following identification of a significant need. It will draw from sources available at the time, including the Information Commissioner’s Office, Ministry of Justice and British Standards Institute.
- Following the initial draft, key stakeholders across the organisation will be invited to comment.
- Final drafts will be put to the SIRO and Caldicott Guardian to determine if they need formal approval by the Quality & Assurance Group.
- Awareness will be raised via management channels, as appropriate to the subject and any degree of urgency. Methods will include induction and mandatory education sessions and ‘all staff’ communications.
- If required, a specific awareness/implementation programme will be established; the need will be determined by the SIRO, Caldicott Guardian and Senior IG Manager (who constitute the CCG’s Information Governance Group).

15 Communication with patients and how their information is used

Background

Whilst it is a requirement of the Data Protection Act 1998 to inform patients of the uses of information, it is also a requirement of compliance with the ‘common law of confidentiality’. Common law requires consent to process information, unless there is a legal duty, or a substantial public/vital interest, to use or share information. Many of the communication activities (both those in place and proposed) will suit implicit and explicit consent under common law requirements.
Using information for the provision of care

Where information is recorded, used and shared directly for the care of a patient, the basis of consent will be ‘informed implied consent’, in line with the strategy of the Department of Health. This will be achieved as follows:

- Face to face communication with the patient – As part of general communication with patients, staff should ensure, in all appropriate circumstances, that when they record or share information the patient is aware, and that they explain their actions, including informing the patient who will see the information and why. There is evidence that patients are more concerned about who information is to be shared with, or accessed by, than the purposes it is used for, although each patient will have their own individual concerns.
- Clear ‘data collection’ forms – Where patients are required to complete a form, the provision of ‘explanatory text’ must be considered. This should not be lengthy, but should ensure that any information the form asks for, where the purpose is not immediately clear to the patient, is explained. If this isn’t practical, then forms should have a note stating ‘Please ask a member of staff if you want help completing or understanding this form’.
- Copying information to patients proactively – If a health professional considers that communication with the patient will be improved by making a copy of information (mainly letters, but also other items), then this should be actively considered, as it by default improves a patient’s knowledge of what information is recorded and shared about them.
- Provision of information leaflets, posters and website links (using previously supplied SCW CSU materials entitled ‘How we handle your information’*) – These should be made generally available in patient facing areas, and where a patient has raised a concern about information/confidentiality or a professional feels there will be benefit, patient information leaflets should be provided. These must not be seen as a substitute for discussion with the patient, but as a complement that may help provide a consistent message to patients.

  *SCW CSU ‘How we handle your information’ is available for use electronically but no longer in hard copy format. Organisations who wish to use hard copy material are required to produce their own versions.

- The NHS Care Records Guarantee – This is available to patients nationally, but where there are queries from patients it will be used as a source of information and advice.

Uses of information other than for the care of patients

There are many uses of information in the NHS that are critical to the provision of the service which are not directly related to the care of the patient, such as audit, research, education and service management. As dictated by ‘Caldicott’ principles and legal requirements, such uses should remove as much ‘identifying’ information as possible before using the data. However, the laws and regulations do recognise there are situations where removing identifying data is not practical or, sometimes for specific reasons, not possible.

This strategy is not a detailed explanation and analysis of such situations, as each use of information should be considered in detail to determine the legal basis for using information. In many instances the legal basis will be a form of consent. In principle such consent should be explicit where this is practical, for example in the majority of research studies.
However, there will be numerous situations where the scale of information use or other factors will mean that explicit consent is not practical. Implied consent is possible, but Information Governance advice should be sought prior to the use of information.

However, for such uses, whether the basis of consent is implicit or explicit is not the focus of this strategy. The strategy is concerned with making sure any such consent is valid because there has been effective communication with patients. There must be a base level of information made available to all patients. Specific one-off uses of information should determine if further details should be provided.

- Regular operational activities (within the organisation) such as clinical or administrative audit should be able to rely on the general provision of information to patients about uses of data in the form of leaflets, correspondence and discussion. Where there are similar activities but there may be involvement from third party agencies (NHS or other), careful consideration must be given to the legal basis for using information.
- One-off uses of information – These may be specific projects or service developments, both within and across organisations, and may well require additional detail to be provided to patients. This might be specific leaflets/mailings that inform patients or request explicit consent if deemed a requirement.
- Use of information for research initiatives – All manner of factors can influence the approach to using information, including the need to use data on all available cases of a condition regardless of the wishes of the patient. Each research study is subject to the controls of the Research Governance Framework. The ethics approval form must detail the approach to recruiting subjects and using information. Each ethics application is reviewed individually for compliance with Data Protection and common law requirements.

  There are provisions in the Health & Social Care Act (section 251) for patient information to be used without consent. A study wishing to use these provisions does have to make a formal documented application to the national Patient Information Advisory Group.

Actions to comply with section 15 of this strategy

For both direct care and other purposes, there is a clear requirement to make information available to patients about general uses of their records and data by the organisation. Materials to achieve this are already in use, but their distribution must be improved and regularly reviewed. Rather than waiting for patients to ask, there must be a pro-active distribution of materials.

- Integration with regular communications with patients – Rather than set up specific, costly, one-off distribution to patients, materials detailing the use of patient information must be integrated with existing communications. If insertion of the leaflet in communications is not practical, then consideration should be given to using information as a standard paragraph at the foot of each letter, or printed on the reverse side of the letter. The following text could be used:

  ‘Your health record contains facts about your health, treatment and the professional opinions of the staff caring for you. All staff receive training and regular updates about how to handle your information. They are all bound by a legal duty to keep information confidential. If you wish to know more about the use of your information please speak to the person in charge of your care or the Patient Advice and Liaison Service for your area’.

- Providing information in other languages and media – To ensure accessibility, the materials will be available on request (or where discussion with patients leads to provision as a course of action) in any other format. Due to cost constraints, translations or other media will not be developed until there is a request (in line with other literature). Requests for other languages or media are being handled by the relevant Patient Advice & Liaison Service. Current materials are available in the following languages and formats: Mandarin, Polish, Romanian, Somali and Braille.

  All of the above materials will be subject to regular review and update, always including checks for readability and suitability with a selection of organisations representing patients and minority groups.

- Staff awareness – Whilst distribution of the materials will generate a degree of staff awareness, it is not enough. The importance of communicating with patients, both for patient facing staff and those that do not see patients, is included in education programmes. In addition, staff guidance on handling information (code of conduct) will be distributed to all staff, and other useful material is available via www.protectinginfo.nhs.uk. This includes key principles about keeping patients informed, offering them choice and how to share information.

Support for patients and staff with queries about the use of information

Whilst all members of staff have a responsibility to inform patients about the use of their information, they are not expected to handle all queries that patients may raise. They may also have their own questions relating to the use of information. If a member of staff is unsure how to respond to a patient query, they should direct the patient to the local Patient Advice and Liaison Service (PALS). PALS will engage other staff, particularly Information Governance leads where required, to ensure a full and timely response is given to patients and staff. Staff are informed that queries can be directed via PALS and Information Governance during core Information Governance training.
The staff code of conduct leaflet informs staff with queries about handling information to talk to their line manager in the first instance, as things may be dealt with there and then. If not, line managers should know, again via core training, of the support facilities available to them in PALS and IG.

Acceptance and monitoring

The patient materials will be put to patient representative groups when updated to ensure that they are understandable and acceptable to as many patients as possible. The Information Governance team will continually work with the organisation to ensure that distribution channels are maintained and developed.

16 Review of Strategy, policy & guidance

The Strategy is to be reviewed every two years to align itself with the review periods of the information governance policy set (Information Governance Management System) and the guidance documents (‘information governance reference pack’ contents). Individual items may be reviewed before this, due to changes in standards, methods or interpretation.

Kate Tregale
Senior Information Governance Manager
February 2017