Information Governance - Shropshire Community Health NHS Trust

WHY DO YOU NEED TO KNOW ABOUT INFORMATION GOVERNANCE (IG)?
Everyone who works in healthcare must be aware of:
• The importance of the information we hold which may be confidential or sensitive and relate to patients, staff or the Trust
• What legislation, best practice and guidelines there are for looking after such important information
• Why you must take responsibility for how you obtain, record, use, keep and share information
• All staff, whether permanent, temporary or contracted, are responsible for making themselves aware of Shropshire Community Health Trust’s IG requirements and complying with them on a day to day basis. Managers are also responsible for promoting Information Governance standards and ensuring compliance by their team members.
Information Governance is everyone’s responsibility
Please use this Information Governance Handbook to support your learning, as a source of
reference and also to signpost you to the Trust’s key contacts, policies and procedures:
www.shropscommunityhealth.nhs.uk/policies
KEEPING INFORMATION SAFE
Confidentiality
Confidentiality is defined as the right of the patient to know that information given is not
shared freely either within the organisation where there is no need, or between agencies.
Generally information can only be shared when there is consent.
We work in complex areas in a community trust, often closely with other agencies, so we
all have to be very careful when we share information, e.g. through notes, e-mails,
telephone calls and just in talking to others.
There are seven principles governing when information can be shared and these are
called the Caldicott principles. As a general principle be thoughtful and cautious and
always seek advice if asked for information.
If the situation appears very difficult seek advice from the Caldicott Guardian, Steve
Gregory [email protected] or initial advice can be sought from the
Records Manager, Alan Ferguson, [email protected], in his role as
Caldicott support.
THE 7 CALDICOTT PRINCIPLES
DECIDING TO COMMUNICATE PERSONAL INFORMATION
Care and consideration should be given when deciding to communicate or transfer
information.
Consider if you actually need to send the information at all, or can it be accessed
securely by other means and kept safe where it already is.
Think about the most appropriate method of communicating securely and confidentially.
A range of help guides is available on the Trust website to support you.
Make sure the right person receives the information.
The Trust’s website has some useful IG resources.
INFORMATION SHARING
The Trust keeps records about the healthcare of patients to help ensure they
receive the best possible care and we have a legal duty to keep this
information confidential and secure. This information sometimes needs to
be shared with other NHS organisations, social care or third parties.
Staff must keep patients informed of how their information is used and
shared and the Trust’s leaflet explains this – please see “Your Information
What you need to know”.
The Trust must also comply with the NHS Care Record Guarantee which sets
out the rules that govern how patient information is used in the NHS and
what control the patient can have over this. It is based on professional
guidelines, best practice and the law and applies to both paper and
electronic records.
The Health and Social Care Information Centre (HSCIC) has produced a
guide describing the 5 rules of confidentiality that people are entitled to
expect to be followed in care settings run by the NHS or publicly funded
adult social care services.
For non-direct care a Data Sharing agreement may be required. This is
usually linked to contract arrangements and staff should seek advice.
‘A guide to confidentiality in Health and Social Care: Treating confidential information with respect’
published in September 2013.
http://www.hscic.gov.uk/media/12822/Guide-to-confidentiality-in-health-and-socialcare/pdf/HSCIC-guide-toconfidentiality.pdf
INTERNET
The Internet is used a lot more in our day to day life and NHS staff must be aware of the associated
risks such as:
Phishing - a way of attempting to acquire confidential and sensitive information such as usernames,
passwords and credit card details by websites masquerading as legitimate organisations.
Malware/Virus - malicious computer programs designed to gather information that leads to loss of
privacy or exploitation and gain unauthorised access to computer systems.
Social Networking – placing inappropriate information on social -the Trust Policies on
Information Security and Social Media Principles
PROTECTING IMPORTANT INFORMATION STORED ON COMPUTERS
When you communicate using computer equipment, for example by email, you must always ensure the
information is protected by encryption. The Trust’s Email systems have the facility to do this, but it is your
responsibility to understand how this should be used. The Trust’s laptops, mobile phones and USB memory
sticks are always protected by encryption.
You should only use the Trust’s computer equipment and systems to store, transfer or look at Trust
Information. Refer to the Trust’s Information Security Policy for more advice.
Just as you would not leave important papers lying around, you must not leave your computer system
vulnerable to others. So, when you move away from your computer e.g. for a coffee-break, meeting or to go
home you should always leave the system safe. That could mean logging out, removing your smartcard,
removing your USB memory stick, or switching off the equipment.
USERNAMES AND PASSWORDS INCLUDING SMARTCARDS
To use some NHS or Trust computer systems you will
need a Smartcard – for example the IPM/Lorenzo or the
new Electronic Patient Record (EPR), Summary Care
Record, Electronic Staff Record (ESR).
Your password(s) and passcode are specific and
identifiable to you and should be treated in the same way
as a bank card PIN, for example, not shared with other
people.
Smartcards are similar to a chip and PIN credit or debit
card and are more secure than a credit or debit card.
The PIN is regarded as a digital signature and is auditable,
so activity can be tracked back to an individual.
For further information contact your RA Team on
01743 871967 Email: [email protected]
WHY WE NEED TO GET IT RIGHT
Data quality is crucial to patient safety and the availability of complete, accurate and timely data
is important in supporting patient care, clinical governance and management and service
agreements for healthcare planning and accountability. For example risk issues may arise if we
are unable to uniquely identify patients or send correspondence to the incorrect address; this is
why using the NHS number is so important.
The Trust recognises the importance of reliable information as a fundamental requirement for
the speedy and effective treatment of patients; therefore good data quality is not an optional
extra, it is a fundamental basis for the business of the Trust.
All staff who record information, whether on paper or by electronic means, have a responsibility
to take care to ensure that the data is accurate and as complete as possible. The data needs to
be present at the time that processes require it, for both service delivery and reporting
purposes so key staff must be aware of relevant deadlines.
Individual staff members are responsible for the data they enter onto any system. We have to
keep personal and public information accurate and up-to-date to comply with the Data
Protection Act 1998 so if you see any inaccuracies or errors in paper or electronic records
please report these to an appropriate person for correction.
The Trust has a responsibility
for collecting data
RECORDS
Records are important to any organisation; they are the means of providing evidence and information about
that organisation. In simple terms without them there is no way to know who has done what.
Records Management is the term used to cover the processes the Trust has in order to meet its legal and
regulatory requirements. This covers any record generated whether paper or electronic and includes staff,
corporate and health related records. Record keeping is also a requirement of professional practice e.g.
General Medical Council and Nursing and Midwifery Council.
Good record keeping practices ensure we have accurate and up to date records and that staff can work
efficiently and don’t waste time searching for documents. It is important that records management
processes are documented and are included in new staff inductions and as part of their continued personal
development.
Records management covers the full lifecycle of a record from creation through to disposal. Whether it is a
policy, contract, personnel or health record there must be an efficient means of finding it when required. Old
records must be retained for set periods of time and then destroyed under appropriate confidential
conditions.
Good record keeping is the responsibility of all staff
WHAT HAPPENS WHEN SOMETHING GOES WRONG?
Incident reporting
You have a responsibility to identify and report any information security risks in order for the Trust to
investigate and learn from them, e.g. you find a copy of patient notes in a photocopier, you see unattended
computers in an area where they can be viewed by the public showing patient records or logged into a trust
system. All IG serious incidents should be reported immediately to your line manager and on the incident
reporting system, Datix.
If applicable it should also be reported to the police and the IT Service Desk e.g. stolen laptop. Your line
manager is responsible for confirming that all relevant people within the Trust have been informed.
Datix Incident Reporting can be accessed through the Trust website or via your PC desktop.
WE ARE ALL ACCOUNTABLE
Data Protection
The Trust needs to collect and use information about people in order to operate. These
include current, past and prospective patients, staff and suppliers. There are legal
safeguards to ensure this in the Data Protection Act 1998. The Trust also has a Data Protection
Policy which provides more detail on the legislation and the allocation of responsibilities.
Under the Data Protection Act 1998 anyone has the right to see and have a copy of
information which is held by the Trust about them. Ask your line manager to tell you who is
the nominated Data Protection Liaison Officer for your service. This person will be trained to
deal with requests for information and will know when information should not be released. A
request under the Data Protection Act is known as a Subject Access Request (SAR).
For further advice you can contact Gill Richards, Information Governance Manager.
[email protected]
The Trust has a legal obligation to process and respond to SARs in 40 days
Guide to Data Protection
Find out what the Trust’s obligations are under the Data Protection Act.
https://ico.org.uk/for-organisations/
FREEDOM OF INFORMATION
The Freedom of Information (FOI) Act 2000 gives members of the public the right to access
information held by, or on behalf of, a public authority that does not relate to personal
information (this would be where the Data Protection Act applies).
As a general principle the Freedom of Information Act is applicant and motive blind. In
other words it does not matter who the requestor is or why they want the information,
they don’t have to give a reason.
For a request to be valid under the Freedom of Information Act it must simply be in
writing, stating the name and address of the requestor and describing the information
requested; the Trust then has to respond within 20 working days.
The request can be made to anybody in the Trust but we all need to know what to do with
it. We will also have to respond to any request on the environment, such as air, water, soil
and land, under the Environmental Information Regulations 2004 (EIR) in the same way
as we would deal with FOI requests made to the Trust.
Please pass on any request to Soma Moulik, FOI Manager, [email protected]
The 20 working days begins as soon as a request is received in the Trust.
Freedom of Information
As a public authority we have a legal obligation to make official information available under the Freedom of Information Act.
https://ico.org.uk/for-organisations/guide-to-freedom-of-information/
INFORMATION COMMISSIONER’S OFFICE (ICO)
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to
uphold information rights in the public interest, promoting openness by public bodies and
data privacy for individuals.
The Information Commissioner can prosecute an organisation for failing to follow the IG
rules for handling information. The ICO has the power to fine a data controller (that would
be the Trust) or individuals as well if found personally responsible for a breach.
https://ico.org.uk/for-organisations/
WHERE DO I GET HELP AND TRAINING?
You can contact the Information Governance Manager for advice and guidance, details at the back of
this document.
The Training Programme is outlined in the Trust’s Information Governance Policy which is available on
the Trust Website Staff Zone and for most staff the e-Learning modules must be completed. All
e-learning is accessible through the Trust’s learning management system, Oracle Learning
Management (OLM). The user guide ‘How to access e-learning in ESR/OLM 825’ is available on the
Trust’s website in the Staff Zone.
Alternative training methods, such as DVDs and assessment packs, are available on the Trust website
staff zone under Information Governance. For some staff groups, such as Students, Agency Staff,
Hotel Services, Volunteers and non-Executive Directors, these methods of delivery may be more helpful
and suited to their needs. Staff should seek advice from their line manager to identify and agree
what training to undertake.
The Trust also provides Specialist Information Governance Workshops to cover specific topics such as
Subject Access Requests, Data Sharing and Freedom of Information. Details will be advertised as they
become available.
Please contact the Information Governance Manager if you need further details
The ICO have produced a training film to help
answer questions about the Data Protection
Act, its impact on the working environment and
how to handle and protect people's information.
INFORMATION GOVERNANCE CONTACT LIST
IG Role | Name | Contact Details
Chief Executive Officer and Accounting Officer for Information | Jan Ditheridge | William Farr House 01743 277500, [email protected]
Director of Finance and SIRO (Senior Information Risk Owner) | Ros Francké | William Farr House 01743 277500, [email protected]
Director of Nursing and Operations and Caldicott Guardian | Steve Gregory | William Farr House 01743 277500, [email protected]
Records Management and Caldicott Support | Alan Ferguson | William Farr House 01743 277617, [email protected]
Information Governance Manager (including Data Protection) | Gill Richards | William Farr House 01743 871998, [email protected]
Freedom of Information | Soma Moulik | William Farr House 01743 277500, [email protected]
Information Security | Paul Stokes | William Farr House 01743 871951, [email protected]
Information Quality Assurance | Steve Price | William Farr House 01743 871992, [email protected]
Corporate Risk Manager / Assistant Risk Manager | Peter Foord / Anita Bishop | William Farr House 01743 277662, [email protected], [email protected]
IG Mandatory Training | Simon Savage / Sylvia Jones | NHS Training Centre, Oxon 01743 276670, [email protected], [email protected]
Registration Authority Manager (Smartcards) | Gill Richards | William Farr House 01743 871998, [email protected]
Media Enquiries | Andy Rogers | William Farr House 01743 277662, [email protected]
Local Counter Fraud Specialist | Terry Feltus | William Farr House 01743 277894, Mobile: 07818 421404, [email protected]
GLOSSARY OF IG TERMS
Term / Abbreviation: Explanation / Definition
Caldicott Guardian: A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.
Care Record Guarantee: The NHS Care Record Guarantee includes information on:
• people's access to their own records,
• how access to an individual's healthcare record will be monitored and policed and what controls are in place to prevent unauthorised access,
• options people have to further limit access,
• access in an emergency,
• what happens when someone is unable to make decisions for themselves.
DATIX: This is the system used by the Trust for healthcare risk management, incident reporting and adverse event reporting.
e-Referral: This is a tool to manage NHS referral services electronically.
e-learning: Learning through electronic media.
Encryption: The process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a “key”. All Trust Laptops and USB Memory Sticks are protected by encryption.
EIR: Environmental Information Regulations 2004
EPS: Electronic Prescribing Service
ESR: Electronic Staff Record
Fair Processing: Fair Processing is the conditions which have to be met for any activity involving personal data to be lawful and ensure compliance with the Data Protection Act 1998.
FOI: Freedom of Information
ICO: Information Commissioner’s Office
IM&T: Information Management and Technology
IG: Information Governance
IGT: Information Governance Toolkit
IGTT: Information Governance Training Tool
IT: Information Technology
NCRS: NHS Care Record Service
OLM: Oracle Learning Management
Pseudonymisation: A method which disguises the identity of patients by creating a pseudonym for each patient identifiable data item.
SIRO: Senior Information Risk Owner
Universal Serial Bus (USB): Universal Serial Bus (USB) is a specification for transferring data to and from electronic devices; in this case the electronic device is a memory stick which is used to store or transfer information. All Trust USB Memory Sticks are protected by encryption.
VISIT THE TRUST WEBSITE FOR POLICIES
To view the set of Information Governance Policies enter in the search criteria ‘Policy’ and
‘Information Governance and Records Management’.
http://www.shropscommunityhealth.nhs.uk/policies