Information Revolution NIGB October 2011

NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE
NIGB
NIGB IG Collaborative Workshops
The Reality of Delivering the Information Revolution
Break out Sessions
Commissioners/
Transition
#NIGB
#HSCIG
Leeds – Birmingham - London
Transition from
Integration and Closure
Debbie Terry
Information Governance Lead
NIGB Workshops
Wednesday 27 – 29 June 2012
• Where are we now? From clustering & closure
• To what next?
• NIGB Transition guidance
• ICO workshops on IG in transition
• H & SC Act 2012
• NHS CB, CCGs, CSSs, DMICs
• Risks and Issues
• What can you do?
• What can NIGB / the centre do?
Background
• NIGB Transition Guidance last autumn – supplementary
guidance May 2012
• Headlines - 14 action points, 6 recommendations
• Legal compliance - data controller & data processor roles,
appropriate contractual arrangements, legal status of CCGs &
CSSs
• Organisational requirements – health records management,
CCGs and clusters adherence to IG reqs
• Engaging with patients and the public about the changes
• Secondary uses & managing conflicts of interest
ICO Transition Workshops
• ICO recognised the difficulties in maintaining good IG
given the scale and speed of the changes - 2 seminars
looking at IG in transition - Headlines:
• Moving goalposts in relation to mapping data flows;
• Ownership of data control in relation to data held in
shared warehousing
• Lack of clarity about data controllership
• Record Management of “non-live” records – all need
cataloguing and a decision made about retention – who
responsible for records that need to be retained for
medico-legal reasons? Applies to paper & EHRs, but
also corporate records – Public Records Acts etc
Health and Social Care Act 2012
• New powers for the Information Centre to obtain
information including confidential patient information
BUT only mandatory where request from CQC, Monitor,
NICE, or already required or permitted to disclose –
Part 9, S256
• Act includes NHS CB & CCGs but not Commissioning
Support Services (CSSs) or Data Management &
Integration Centres (DMICs) – so what is legal basis for
them processing confidential patient information and
other personal data?
CSSs & DMICs
• Current intention – c. 25 CSSs, up to 10 of which may
become DMICs – but CCGs free to choose AQP –
implication many more CSSs and proliferation of data
stores – instead of addressing IG risk, increases it and
for CCGs and GPs as Data Controllers – increased
responsibilities for governance of AQPs
CSSs & DMICs
• Commissioned by CCGs, contractual arrangements
therefore will need to be with CCGs and as GPs are
DCs with them directly – need for standardised
contracting arrangements with minimal local variation –
how will oversight be maintained?
• What is required level of pre contract due diligence and
post contract performance management?
• Many new bodies needing to develop relationships and
contracts with other new organisations – new risks
CSSs & DMICs
• NHS CB leading on evaluating prospective DMICs
against criteria – application process already under way
– to what extent does IG feature in these criteria?
• Definition of safe havens and honest brokers and the
IG requirements to be applied to them become critical
• In an increasingly fragmented system – how do we
continue to maintain contact with and support one
another
• How do we provide assurance to patients and the
public in relation to the confidentiality of their
information going forward? And what do we tell them to
meet fair processing requirements?
Where are we now?
• We have looked at issues here and now and I
recognise the continued need to focus on what’s
needed here and now and with winding organisations
up safely
• There is also a need to look to the future – how do we
embed IG in the emerging structures – opportunity here
to get it right from the beginning but signs that IG may
not be being integrated – many of you will be engaged
in trying to do this already
• How do we get privacy by design?
• How do we do this in an environment which is
increasingly hostile to IG as “bureaucratic red tape”
What next?
• Identifying the Data controller – making sure the
organisation know they are the data controller and what
that means
• Contracting arrangements with processors and
agreements between DCs for shared records and
warehousing arrangements – getting them in place for
1 April 2013.
An example - EoLCC
• End of Life Co-ordinated Care Registers
• Nationally agreed data set (approved by ISB)
• Includes Care Plans and Advanced Directives - Do not
resuscitate instructions – important for care
• Shared across primary, secondary, ambulance and
community care services
• Clarity about data controllership vitally important for the
integrity of the record – significant implications for care
• Contrast with another example of pooled data – TPP
SystmOne – how ensure the integrity of the record
where multiple contributing bodies?
• What else do you want from NIGB?
• What from other central bodies?
• Other comments / questions?
Information Governance Collaborative
Workshops
Secondary Use – What is it?
Clare Sanderson
Agenda
• Who am I?
• What is the HSCIC and what do we do?
• What is secondary use and what are the issues?
• Implications of the Health and Social Care Act?
Who am I?
• Director of Information Governance
• Senior Information Risk Owner
• Work closely with Dr Mark Davies – Caldicott
Guardian
• Responsible for the Medical Research
Information Service
Background to the HSCIC
• HSCIC is the central authoritative source of
health and social care information, acting as a
‘hub’ for high-quality, national and local,
comparative data for all ‘secondary uses’
including
– public accountability (e.g. National Statistics and
Parliamentary Questions)
– patient choice
– improvements in health and social care services
– research
Key Functions of the HSCIC
[Diagram. Labels: National Data Repository; Data Collection & Quality; Data collection hub / repository; Data Quality assurance; Reducing Burden; Information for service planning; Information for policy makers; PQs; National & Official Statistics; Custodian of national methodologies; Indicators; Providing linkage services & rules; Better Access; Open Data; Access, syndication and sharing of data]
What is a Secondary Use or Purpose?
The processing of patient information for
secondary purposes
Similarly applies for adult social care information
Processing?
Processing includes
– the recording and holding of information;
– the retrieval, alignment and combination of
information;
– the organisation, adaption or alteration of
information;
– the blocking, erasure and destruction of
information.
Patient Information?
Patient information relates to the physical or
mental health condition of an individual and is
“confidential patient information” where the
identity of the individual can be ascertained and
as was obtained by a person who owed an
obligation of confidence to that individual.
Secondary Purpose?
Secondary purposes refer to medical purposes
other than determining the care and treatment
given to a particular individual.
Commitments to patients
• Care Record Guarantee
– We will only use your information in ways which respect
your rights and contribute to your health and well being
• NHS Constitution
– You have the right to privacy and confidentiality and to
expect the NHS to keep your confidential information safe
and secure
Legal Considerations
• Data Protection Act
• The Common Law Duty of Confidentiality
• Article 8 – Human Rights Act
Using confidential information for secondary purposes
• Supports
– the management of health and social care
– medical research
– preventative medicine
– the monitoring and audit of health/health related care provision
– the surveillance and analysis of health and disease delivery of safe high quality care for patients
– assessment of the health and social care needs of local and national populations
– public choice
– accountability
– commissioning
Do you need identifiable data?
Consider the purpose
• Confirm the quality and integrity of data
• Linking data from multiple sources?
• Managing cohorts of patients
What is the alternative:
• use de-identified data – e.g. pseudonymisation
What is the legal basis for using identifiable data?
• Informed and explicit patient consent
• Other legislative basis e.g.
– The Health Service (Control of Patient Information)
Regulations 2002 (Statutory Instrument 2002:1948)
regulations
– Health Service Act 2012 (from 1 April 2013)
• Section 251 support from the ECC
Looking to the future
• Health and Social Care Act
• IG Review
• Consultation on the NHS Constitution
Commissioning Landscape….
[Diagram. Labels: Health and Social Care Information Centre; Commissioning Board; DMIC; Health and Social Care Providers; Commissioning Support Services (×2); CCG (×6)]
The Health and Social Care Act
• Grants HSCIC new powers and responsibilities to
collect, analyse and publish information
• Requires those seeking data collections to first consult
the HSCIC
• Identifies HSCIC role to undertake Data Quality
Assurance
• Requires HSCIC to undertake assessment of Burden of
data collections
• Requires HSCIC to develop a Code of Practice for
Confidential Information
Establishing information systems in HSCIC
[Diagram. Labels: Secretary of State; Commissioning Board; Other Body (inc CCG’s & devolved authorities); NICE / Monitor / CQC; Health and Social Care Information Centre; Health & Social Care Providers; Code of Practice for confidential information; Direct to collect or analyse information; Request to collect or analyse information; Request; Require; Mandatory; consult (×4)]
De-identification Standard
• Methodology for de-identifying data
• Recognise that identifiability is context driven so there is
a ‘grey area’ where data is not identifiable but cannot
be published
• Accompanying guidance provides advice on how to
manage data release from the ‘grey area’
• Methodology currently being reviewed by Information
Standards Board
Code of Practice for Confidential Information
• Section 263 of the HSC Act states:
The Information Centre must prepare and publish a
code in respect of the practice to be followed in
relation to the collection, analysis, publication and
other dissemination of confidential information
concerning, or connected with, the provision of health
services or of adult social care in England.
Terms of Section 263
• The IC must consult
– the Secretary of State,
– the Board, and
– such other persons as the Centre considers appropriate.
• The code must be approved by Secretary of State and
Commissioning Board
• The IC must publish the code
• The code will apply to all health and social care bodies
and any person commissioned to provide health
services or adult social care in England when
processing confidential information
Approach
• Steering group of stakeholders to advise on
development of the code
• Aim to provide draft code in Autumn for wider
consultation
• Recognise potential impact of IG review and
consultation on NHS Constitution
Thank you
Any Questions?
Consent, Privacy Notices and
what is fair processing
David Evans, Senior Policy Officer
Consent – what it is and what isn’t
consent
Not defined in the DPA but European Data Protection
Directive states that consent is:
“…any freely given specific and informed indication of his
wishes by which the data subject signifies his agreement to
personal data relating to him being processed”.
Sensitive personal data – consent must be explicit
“Consent” obtained under duress or on the basis of
misleading information does not work
More consent
One condition for processing personal data
Other conditions;
• The processing is necessary:
- in relation to a contract which the individual has entered into; or
- because the individual has asked for something to be done so they can
enter into a contract.
• The processing is necessary because of a legal obligation that applies
(except an obligation imposed by a contract).
• The processing is necessary to protect the individual’s “vital interests”. This
condition only applies in cases of life or death, such as where an
individual’s medical history is disclosed to a hospital’s A&E department
treating them after a serious road accident.
• The processing is necessary for administering justice, or for exercising
statutory, governmental, or other public functions.
• The processing is in accordance with the “legitimate interests” condition.
Even more consent
Conditions for processing sensitive personal data;
• The individual who the sensitive personal data is about has given explicit consent to the processing.
• The processing is necessary so that you can comply with employment law.
• The processing is necessary to protect the vital interests of:
- the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or
- another person (in a case where the individual’s consent has been unreasonably withheld).
• The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents.
• The individual has deliberately made the information public.
• The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
• The processing is necessary for administering justice, or for exercising statutory or governmental functions.
• The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
• The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
The last consent slide
More conditions for processing sensitive personal data
Data Protection (Processing of Sensitive Personal Data)
Order 2000
These regulations permit the processing of sensitive personal
data for a range of other purposes – typically those that are
in the substantial public interest, and which must
necessarily be carried out without the explicit consent of the
individual.
Fair processing
Fairness generally requires you to be
transparent – clear and open with
individuals about how their
information will be used
More fair processing
Fairness requires you to:
• be open and honest about your identity
• tell people how you intend to use any personal data you
collect about them (unless this is obvious)
• usually handle their personal data only in ways they would
reasonably expect
• not use their information in ways that unjustifiably have a
negative effect on them
Privacy notices
• The duty to give a privacy notice is strongest when the
information is likely to be used in an unexpected,
objectionable or controversial way, or when the information
is confidential or particularly sensitive.
• There is no point telling people the obvious when it is
already clear what their information will be used for.
Privacy Notices – key points
All about “how we use your information”
• Do they already know who is collecting the information and
what it will be used for?
• Is there anything they would find deceptive, misleading,
unexpected or objectionable?
• Are the consequences of providing the information, or not
providing it, clear to them?
How to and how not to
More examples
Keep in touch
Subscribe to our e-newsletter at www.ico.gov.uk
or find us on…
www.twitter.com/iconews