Information Governance for Practice Staff. Introduction Confidentiality; including Caldicott Data...
-
Upload
darrion-powers -
Category
Documents
-
view
215 -
download
0
Transcript of Information Governance for Practice Staff. Introduction Confidentiality; including Caldicott Data...
Information Governance for Practice Staff
Information Governance for Practice Staff
Information Governance for Practice Staff
Introduction
• Confidentiality; including Caldicott• Data Protection• Information Sharing• Freedom of Information• Records Management• IM&T Security
Information Governance for Practice Staff
The consequences of not considering Information Governance in GP surgeries 2007 April: Patient info found in skip behind building
when GP branch being renovated November: Patient Data losses at GP surgery –
3000 2008 Jan: Dictaphone holding patient identifiable
information stolen from GP practice room. June: GPs laptop stolen from home containing
11000 patient records July: Back up Tape lost from GP surgery
containing 11,000 records
Information Governance for Practice Staff
ICO research into social concerns
– Environmental issues– Preventing crime– Improving education– The National Health Service – Equal rights– National security– Protecting personal information– Protecting freedom of speech– Unemployment– Access to information held by public authorities
Information Governance for Practice Staff
ICO research into social concerns
– Preventing crime 94%– Protecting personal information 92%– The National Health Service 91%– Equal rights 89%– National security 89%– Improving education 88%– Protecting freedom of speech 86%– Environmental issues 86%– Unemployment 80%– Access to information held by public authorities 79%
Information Governance for Practice Staff
Information Governance for Practice Staff
Confidentiality
A duty of confidence arises when one person discloses information to another;
for example - patient to clinician or carer to social worker
in circumstances where it is reasonable
to expect that the information will be protected and held in confidence.
Information Governance for Practice Staff
The Duty of Confidentiality continues after the
death of a patient
TRUE or FALSE
Information Governance for Practice Staff
TRUE
Any information provided in confidence, for example,
within a health record, must remain confidential following
a patient’s death
Information Governance for Practice Staff
Confidentiality - Mail
• Envelopes – Marked Private & Confidential, For Addressee Only
• Royal Mail - Special Delivery
• Courier – Trusted, Tracked, with a Signed Confirmation
• Delivery Confirmation• Mail Opening Process
Information Governance for Practice Staff
Confidentiality – Fax
• Could it go by safer means• Use Safe Haven or Secure fax number• Mark as Private and Confidential to a
named person• Confirm recipients fax number• Transmit in 2 parts -
– Confirm receipt of first faxed sheet– Confirm receipt of remaining sheets
Information Governance for Practice Staff
Confidentiality – EmailISMS Section 6
• PII must only be sent in a password protected or encrypted file
• DO NOT send PII in the ‘subject’ or content of Email
• Sent High Priority and Confidential• If possible use NHS Number • Use Safe Haven Email addresses• Confirm receipt
Information Governance for Practice Staff
Confidentiality - Telephone• Avoid exchanging sensitive PII unless it is a
matter of life and death• Only exchange PII in a closed (Safe Haven)
room• If you cannot prevent someone from giving
you PII over the telephone:– Take the callers full details– Verify who the caller is– Record the PII carefully– Read back to confirm the details– Ask for written confirmation using agreed
anonymised identifier
Information Governance for Practice Staff
Confidentiality – Public Areas
Always be aware who is in the vicinity• Who can listen to telephone calls• Who can listen to conversations• Who can see personal identifiable
information on desks• Who can see personal identifiable
information on monitors• Respect the privacy of individuals
Information Governance for Practice Staff
Obtaining consent for treatment or for the disclosure of personal information;
Consent is specific to the uses defined in the information process;
3 types of consent - Implied, Informed and Explicit;
Some laws override the need for consent, e.g. Children’s Act, Vulnerable Adults, Tax and Benefits; Crime and Disorder Act s115.
Consent & ConfidentialityISMS Section 3
Information Governance for Practice Staff
ConsentISMS Section 3
• Consent is voluntary and even if it is signed it can be withdrawn at any time;
• Consent must be revisited regularly;
• Consent must be gained for any new use of personal information
Information Governance for Practice Staff
Information Governance for Practice Staff
You always need consent before doing anything with
personal information
TRUE or FALSE
Information Governance for Practice Staff
FALSE
There are various conditions (other than consent) in the
Data Protection Act which allow you to process personal
information.
Information Governance for Practice Staff
Balance
Healthcare employees are entrusted with patients’ confidence and have a
legal obligation to protect their privacy.
The need for confidentiality must be balanced against the need for NHS
staff to have access to patient information.
Information Governance for Practice Staff
What is Caldicott?
ISMS Section 3
A set of principles and recommendations put forward by the Caldicott Committee in 1997 which
apply to Health and Social Care Organisations to ensure Patient Identifiable information remains
confidential and secure
Information Governance for Practice Staff
Caldicott PrinciplesISMS Section 3
• Justify the purpose• Use Patient Identifiable Information only if
absolutely necessary• Only use the minimum amount necessary• Access only on a strictly need to know basis• Know your responsibilities• Understand and comply with the law
Information Governance for Practice Staff
Key Requirements of CaldicottISMS Section 3
• Appoint a Caldicott Guardian or Lead (should be a Senior Clinician)
• Definition of Guardian ‘one who protects’
• Abide by Caldicott principles• Ensure Polices and Procedures to
protect PII are in place and adhered to
Information Governance for Practice Staff
The best person to undertake the role of
Caldicott Guardian in my GP surgery is the Practice
Manager
TRUE or FALSE
Information Governance for Practice Staff
FALSE
The best person to undertake the role of Caldicott Guardian would be a senior clinician as
they would be expected to advise on individual cases where there are concerns about patient information
Information Governance for Practice Staff
ICO’s Video‘The lights are on’
Information Governance for Practice Staff
Activity (takes around 15 minutes to complete):
Split in to 2 groups
Read the Data Protection Act 1998 principles handout
Match the principles with scenarios A to H on the following slides. There is only one scenario considered to be correct in this exercise but you may find that more than one principle may apply.
Comply with the LawISMS Section 3
Data Protection Act 1998 – It is your responsibility to understand the principles in relation to your role and your organisation
Information Governance for Practice Staff
Scenario AMr X receives a call from Wrexham hospital to tell him that his pregnant wife has been admitted. Mr X was shocked as they have been divorced for 10 years and his ex-wife remarried with his best friend. Mr X informed the hospital that he is no longer her Next of Kin.
Scenario B
Activity Which Principle does the scenario breach relate to?
A Mother asks to see her 16 year old daughter’s School Nurse reports as she suspects her daughter is sexually active. The School Nurse says no problem, asks for the request to be in writing and she will provide a copy of recent notes within 21 working Days.
Information Governance for Practice Staff
Scenario CA health records assistant has been tasked with checking 100 random health records to see whether they are labelled with the correct NHS Number. She decides that there is not enough space in her department to do this task comfortably, so she finds a quiet meeting room in the Post Grad Centre to do this. She pops out for lunch for 1hr leaving the notes unattended and room unlocked.
Scenario D
Activity Which Principle does the scenario breach relate to?
Mrs Y moves from Mold to Swansea and registers herself with a new GP in Swansea. The GP goes through her records to get familiar with his new Patient’s health history. He finds abbreviations such as HT and NLW in the notes. When he asks the previous GP to explain – he laughs and says oh that means ‘Hot Totty’ and ‘Nice Looking Woman’.
Information Governance for Practice Staff
Scenario ENurse Hughes is approached by PC Jones asking how his Brother (also a Police Officer) is doing after having been shot in the line of duty. Nurse Hughes mentions that he is stable in terms of the gun wound, but they have found that his cancer has spread. When the Brother regained consciousness he was surprised to find that his Brother (PC Jones) knew about the cancer. Only his wife knew until now.
Scenario F
ActivityWhich Principle does the scenario breach relate to?
HR were approached by the their Trusts communications team asking for all staff home addresses to do a mail shot regarding the benefits for staff and training opportunities available when the implementation of the new National Programme for IT is complete at their Trust. HR agree to email the staff database to the communications team a.s.a.p.
Information Governance for Practice Staff
Scenario GA USA Social Services team heard that a UK Social Care team were using new and successful techniques to handle manic depressive young teenagers. USA team ask for a report on the methodology supported by real life case reports so that they can learn from UK findings. UK send case notes and reports via email to the USA team.
Scenario H
Activity Which Principle does the scenario breach relate to?
A Finance Assistant is tasked with disposing of any old requisitions filed. Her colleague tells her to get rid of any cleared requisitions which are more than 18 months old. The assistant found 50+ requisitions nearly 3yrs old which exceeds the recommended retention period in the DH Records Management NHS: Code of Practice
Information Governance for Practice Staff
Subject Access RequestsISMS Section 3
• Gives patients and staff the right to know what personal information the organisation holds on them
• Requests must be in writing
• The requester may not and need not quote the DPA
• The organisation must respond within 40 days.The clock starts as soon as the request is received by the organisation
Information Governance for Practice Staff
Sharing Personal InformationISMS Section 3
Sharing information about an individual within and between partner agencies is vital to the provision of co-ordinated and seamless care to that individual.
This care includes:– Improving the health and social care of people;– Arranging and delivering services;– Supporting the people in need;– Investigating complaints.
Information Governance for Practice Staff
Sharing Personal InformationISMS Section 3
The principles underpinning the sharing of person identifiable information are governed by legislation, including:– Data Protection Act 1998– Access to Health Records Act 1990– Human Rights Act 1998– Freedom of Information Act 2000– Children’s Act 1989– Computer Misuse Act 1990– Human Fertilisation and Embryology Act 1990– Health and Social Care Act 2001– NHS Venereal Diseases Regulation 2000– Abortion Act 1967, regulations 1991
Information Governance for Practice Staff
Examples of Information Sharing
• For health care purposes- With NHS staff involved in the provision of care- Parents and Guardians (generally children under 16)• For purposes other than direct health care- Social care- Researchers - Bodies with statutory Investigative Powers – GMC,
audit commission • Non health care purposes- Police (with a valid request)- Solicitors (with explicit consent from the patient)
Information Governance for Practice Staff
Information Sharing Protocols– what are they?
ISMS Section 3
A written agreement, between parties, i.e. different groups of people who are involved in sharing patient information, that:
• Documents how information should be shared;• Ensures information is shared consistently,
appropriately and lawfully;• Clearly defines individuals’ responsibilities when
sharing information to uphold patient confidentiality.
Information Governance for Practice Staff
Information Sharing Protocols– the benefits?
ISMS Section 3
Protocols go a long way in reducing the risks of breaches because:
• They provide clear guidelines on how muchand what way and to whom informationshould be shared;
• They allow individuals to make informed,confident and timely decisions about sharing information, to allow better patient care.
Information Governance for Practice Staff
The organisation I work for has signed up to a local information sharing protocol therefore I can share personal information with any organisation that has also
signed the protocol
TRUE or FALSE
Information Governance for Practice Staff
FALSE
You still need to ensure all the legal requirements have been
met before sharing information
Information Governance for Practice Staff
When should Information Sharing Protocols not be used?
If there are concerns relating to child or adult protection issues, they should refer to the relevant documents:• All Wales Child Protection Procedures; • The Multi-agency Inter-agency Information Sharing
Protocol for the Assessment of Children in Need and in Need of Protection;
• Policy and procedures for responding to the alleged or confirmed abuse of vulnerable adults.
Information Governance for Practice Staff
A Policewoman turns up at reception and demands a copy
of Mr A’s medical notes immediately for an investigation.
TRUE or FALSE
The Police have that power.
Information Governance for Practice Staff
FALSE
Unless you are provided with a copy of a court order for release, the police must provide a written request
under a relevant act which should be considered by the
practice prior to release
Information Governance for Practice Staff
• They can request records under DPA S.29 or under S.115 of the Crime & disorder Act 1998.
• They must provide an official written request signed by the S.I.O. (DCI or above).
• You only need to disclose what is ‘Minimum and Relevant’ and get a signed receipt.
• You may have to make an immediate release if they have a dated Court Order – you must obey a Court Order to the letter so read it carefully.
• If their case or a Court Order requires you to release the original records, you MUST make a numbered ‘best’ copy of the records to retain.
Requests from the PoliceISMS Section 3
Information Governance for Practice Staff
Thought………
Treat other people’s information as you would like your own to be treated – with respect and
confidentiality
Information Governance for Practice Staff
Break
Information Governance for Practice Staff
Freedom of Information Act 2000ISMS Section 4
• Gives individuals the right to access information
• Have you got it? May I see it?• NON Personal Identifiable Information (PII)• The Act does not have to be quoted when
making a request• 20 working days to process• Exemptions apply
Information Governance for Practice Staff
ICO's ‘Tick Tock’ Video
Information Governance for Practice Staff
GP Publication SchemesISMS Section 4
• Under the FOI Act it is the duty of every public body to adopt and maintain a publication scheme
• Demonstrate a commitment to openness• A new model publication scheme developed
specifically for GP practices Jan 09 (Guide to Information)
• The new guide contains details on how information can be obtained and what the costs are
• Visit www.ico.gov.uk for more information
Information Governance for Practice Staff
The contents of an email can be disclosed under the Data Protection Act and Freedom of
Information Act?
TRUE or FALSE
Information Governance for Practice Staff
TRUE
Emails are corporate records of an organisation and therefore they may be disclosable by
any public body
Information Governance for Practice Staff
Why do we need Records Management
ISMS Section 4
• Meeting legal/statutory requirements • Supporting administrative and
managerial decision-making• Efficiency within the surgery• Promoting professional image
Information Governance for Practice Staff
Definition: RecordISMS Section 4
Recorded information regardless of media or format, created or received
in the course of individual or organisational activity, which
provides reliable evidence of policy, actions and decisions.
Information Governance for Practice Staff
Types of RecordsISMS Section 4
• Health records• Administrative records• Photographs• Microfilm• Audio (telephone conversations)• tapes, cassettes, CD-ROM• Video, CCTV• Diaries• Emails, Text messages
Information Governance for Practice Staff
Record Quality InformationISMS Section 4
• All staff have a legal and professional obligation to be responsible for any records which they create or use in the performance of their duties
• Users must ensure that records are: Secure; Accurate; Up to date; Complete; Quick and easy to find; Free from duplication; Free from fragmentation.
Information Governance for Practice Staff
Determine whether
records are worthy of
permanent archival
preservation
Record Lifecycle
Creation Using Retention
Create & log Quality information
Use/handle in accordance with Data Protection
Act
Keep/maintain in line with
NHS recommended
Retention Schedule
Dispose appropriately according to
policy
Appraisal DisposalC
lose R
ecord
Record Lifecycle
Information Governance for Practice Staff
Return of the Patient Medical Record
ISMS Section 3
• The LHBs are the Data Controllers for Patient Records no longer registered with a practice
• Records must be returned to the BSC via Courier Bags
• Complete record must be returned including clinical system prints
• Checklist on ISMS website to aid process• BSC can provide copies for medical reports• Solicitors and Insurance requests are dealt with
by the BSC
Information Governance for Practice Staff
Simple things we can all do...
Computer Systems - Clear Screen Regime• Apply the screen lockdown when you are going away
from your desk – CTRL+ALT+DEL and click on Lock Computer in the Computer Security Dialog Box
• Log out if you’ll be away from your desk for a significant time - also at the end of the day
• Ensure PII is saved to the practice network- not desktop or C drive
Manual Records - Clear Desk Regime• Lock PII files or papers away when you leave for the
day, or if you’ll be from your desk for a significant period.
Information Governance for Practice Staff
Removing or Transporting of Patient or Person Identifiable Information
ISMS Section 7
• Inform the your Caldicott Guardian and Information Security Officer or Practice Manager
• Risk Assessment undertaken• Authorisation must be obtained prior to removal
off site• Records removed must be logged
DON’T REMOVE SENSITIVE INFORMATION FROM SITE UNLESS ABSOLUTELY NECESSARY
Information Governance for Practice Staff
• Entry control systems to buildings/corridors• Lockable filing cabinets etc• A Safe Haven Room with fax and phone• A confidential waste paper service• A confidentiality culture• A visitor monitoring process• A ‘key/card security’ process• An ‘exit’ process for leavers
Physical InfrastructureISMS Section 7
Information Governance for Practice Staff
Laptop SecurityISMS Section 7
• Ensure laptops, memory sticks and patient notes are locked in the boot of your car when being transported; and must be removed when the car is left unattended
• Do not allow family members and friends to access any laptop belonging to the surgery
• Ensure no PII is saved to the ‘C’ drive or desktop of laptop (or PC) unless encrypted
• Ensure the laptop is regularly connected to the network for back up purposes
• Laptops must only be used by the staff they were issued to
Information Governance for Practice Staff
• PII must only be stored on encrypted devices
• Encrypted sticks must not be used for long term storage of PII
• PII must be transferred from devices onto the practice clinical system regularly
• If sending PII on portable devices –only send the minimum necessary
• Media devices containing PII must only be sent by Government MailDON’T SAVE SENSITIVE INFORMATION ONTO PORTABLE DEVICES OR MEDIA UNLESS ABSOLUTELY NECESSARY
Portable Media Devices
Information Governance for Practice Staff
The IG Confidentiality
eLearning Toolkit
Information Governance for Practice Staff
The eLearning Toolkit covers a range of key topics including:
• Data Protection Act• Human Rights Act• Information Security• Disclosing and Sharing Information• Duty of Confidence• Caldicott
Information Governance for Practice Staff
Further Information
ISMS Website http://howis.wales.nhs.uk/sites3/home.cfm?orgid=542
• ISMS Procedures, Policies & Toolkit• FAQs• Training Materials• Leaflets & Posters• Forum• News, Events and Hot Topics
Information Governance for Practice Staff
Any Questions?