Information Sharing and Future of data sharing

Andy Evans
Programme Director, Connected Nottinghamshire
Information sharing – the complete picture
Content
• Why share?
• How can we share? Technology Roadmap
• “To share or not to share” – Information Governance
• Results so far
• A balance of risk
• Questions
Why share?
• There is a legal and professional duty to do so:
– Health and Social Care (Safety and Quality) Act 2015
– Caldicott Principle 7: “The duty to share information can be as important as the duty to protect patient confidentiality”
– Health and Social Care Act 2012 (direct care, not the secondary uses element!)
Why share?
Feedback from the pilot areas in Nottinghamshire:
• Nobody thought that it wasted more time than it saved in using it.
• 92% of clinicians thought that the MIG had enabled them to improve their overall care for patients.
• 60% thought that it had saved approx. 2 minutes out of a 15 minute appointment slot
• One clinician estimated that the sharing had helped him prevent at least one hospital admission a month since the service started
• Reduced the number of calls/faxes
• Improves the quality of 7 day week working (the information is always there)
How can we share? Technology Roadmap
• There isn’t a single or perfect solution (at the minute)
• The abilities come through the NHSE Commissioned GP Systems of Choice Contract (for now at least)
• You already receive several “feeds” from providers
• More information will flow in to GP systems over time
• It is a developing landscape
How can we share? Technology Roadmap
• Local Roadmap:
– Medical Interoperability Gateway
– GP System shares e.g. eDSM (TPP)
– “Portal” – technologies
– Data flowing in as well as out of GP Systems
– Priority pathway data sets: Comprehensive Geriatric Assessment, EPaCCS, Urgent & Emergency Care
How can we share? Technology Roadmap
• NHS England is looking at changes to the GPSoC Contract to make it simpler/more effective for sharing
• HSCIC is creating a set of new standards for messaging and information exchange
• Social Care now have access to NHS numbers (it is in law now that they should have a “share identifier”)
• Personalised records are going to be at the heart of the changes
“To share or not to share”
Information Governance has been made complicated!
“To share or not to share”
..but it doesn’t need to be that difficult.
• There is lots of guidance – possibly too much
• Historically we have done a great job in frightening people into not sharing (since the original Caldicott review 1997)
• If you lose a memory stick or laptop with accessible data on it then you will attract the attention of the Information Commissioner
• If you share information with other care professionals for direct care in accordance with the ICO data sharing checklist then you will be fine
• If you don’t share there is a risk of significant penalties
• Trust your judgement – you do it already every day
“To share or not to share”
What is the risk of sharing?
Examples of Information Commissioner’s Office actions up to December 2014
• June 2013. A monetary penalty (£55,000) notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
• July 2013. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved, outstanding issues are now being dealt with by the Department of Health.
• In January 2012, a former health worker was prosecuted and pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.
• In December 2011, a receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking was found guilty of an offence under section 55 of the Data Protection Act.
• In June 2012, a personal injury claims company employee was prosecuted for illegally obtaining NHS patients’ information.
• In August 2012, a monetary penalty of £175,000 was issued to Torbay Care Trust after personal confidential data relating to 1,373 employees was published on the Trust’s website.
• In May 2012, a monetary penalty notice for £90,000 was served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when personal confidential data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data.
• In April 2012, an undertaking to comply with the seventh data protection principle was signed by Leicestershire County Council, following the theft of a briefcase containing personal confidential data from a social worker’s home.
• In February 2012, a monetary penalty of £100,000 was issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.
“To share or not to share”
“The ICO told the Review Panel that no civil
monetary penalties have been served for a breach
of the Data Protection Act due to formal data
sharing between data controllers in any
organisation for any purpose. It says breaches of
the Data Protection Act are usually the result of lack
of due consideration. Yet it finds that organisations
frequently shy away from data sharing and cite data
protection as a reason. The data sharing code
produced by the ICO in May 2011 helps
organisations to share data in a secure and proper
way. They should use it.” Dame Caldicott, 2013
“To share or not to share”
“In the absence of evidence to the contrary,
patients are normally considered to have given
implied consent for the use of their information
by health professionals for the purpose of the
care they receive.”
British Medical Association, Confidentiality
Toolkit 2015
“To share or not to share”
British Medical Association Guidance
Patient agreement can also be implied, signalled by the behaviour of an informed
patient. Implied consent is not a lesser form of consent but in order for it to be valid it
is important that patients are made aware that information about them will be
shared, with whom it will be shared, and of their right to refuse. Health professionals
bear responsibility for the disclosures they make, so when consent is taken to be
implied, they must be able to demonstrate that the assumption of consent was made
in good faith and based on good information. If not, it is no consent at all and some
other justification will be needed for its disclosure. In addition to information provided face to
face in the course of a consultation, leaflets, posters and information included with an
appointment letter from a hospital or clinic can play a part in conveying to patients the
reality and necessity of information sharing. Clearly, a combination of methods
provides greater security that patients have understood. It should be noted that the
more sensitive and detailed the data, the more likely it is that explicit consent will be
required, eg sexual health information.
“To share or not to share”
• In the foreword to the ICO data sharing code of practice, the
Information Commissioner said: “Organisations that don’t
understand what can and cannot be done legally are as likely to
disadvantage their clients through excessive caution as they are by
carelessness.”
• The Review Panel concludes that individuals should not be
discouraged from sharing simply through fear of doing this
incorrectly. With the help of the ICO’s data sharing code, and tools
such as privacy impact assessments, data sharing can be achieved,
where appropriate, in a secure and proper way.
• “Just because something is private, does not mean young people are
not willing to share the information with particular groups, provided
the information is not disseminated more widely.”
“To share or not to share”
• The Review Panel is clear that the remit for the
Data Protection Act remains with the Information
Commissioner, but individual breaches or failures
to share information by registered and regulated
health and social care professionals may be a
failure of professional duty.
• The Review Panel concluded that the professional
regulators should be involved more often in both
serious breaches and instances of poor
information sharing when it is clear it has
hampered direct care.
“To share or not to share”
ICO Data sharing checklist – systematic data sharing
Is the sharing justified?
• Have you assessed the potential benefits and risks to individuals and/or society of sharing or not sharing?
Do you have the power to share?
• Any legal obligation to share information (for example a statutory requirement or a court order).
• YES – a legal and Professional Duty for Direct Care
If you decide to share
• What information needs to be shared.
• The organisations that will be involved.
• What you need to tell people about the data sharing and how you will communicate that information.
• Measures to ensure adequate security is in place to protect the data.
• What arrangements need to be in place to provide individuals with access to their personal data if they request it.
• Agreed common retention periods for the data.
• Processes to ensure secure deletion takes place.
“To share or not to share”
What is happening to safeguard sharing?
• Records and Information Group have produced a set of agreed
principles to form the Nottinghamshire Consent Model (especially with
things like eDSM)
• eDSM and MIG are the starting point to support sharing and have been
reviewed by the RIG (and other groups locally and nationally)
• Privacy Impact Assessment(s) have been completed on your behalf
• Information Sharing Agreements have been created where required
• Information Access Agreements are in place with the users of the
shared data/records
• A legal Contract is in place with software service providers (Healthcare
Gateway/TPP GPSoC)
• Audit processes are in place
• The Nottinghamshire Consent Model is an Explicit consent model for
anyone accessing the information (but we all have to make the records
available)
• For MIG it is only Coded Data (no free text or letters)
• The Data STAYS WHERE IT IS (it is not stored anywhere else)
Feedback so far
Local Evidence on sharing
• In one organisation ~3,000 records have been made available and 0
patients have dissented when presented with a consent choice (eDSM)
• In another organisation 27,000+ consultations and 9 patients said they
didn’t want their GP record to be viewed
• 92 % of Clinicians thought that the MIG had enabled them to improve
their overall care for patients.
• 67% thought that they had been able to clinically assess patients more
quickly than before they had MIG access (the remainder neither agreed nor
disagreed)
• 92% were satisfied with the amount of information that they had available
to them via the MIG to treat patients out of hours.
• 75% perceived that MIG access had helped with prescribing decisions
• 75% perceived that MIG access had helped them to make better informed
decisions around referring and planning patients’ care
• 50% thought that the access had prevented new or review appointments.
• 33.3% thought that it had prevented new or review appointments
• 50% thought that MIG access had reduced the time for Medicines
reconciliation.
Feedback so far
Local Evidence on sharing
• Practice federations accessing each other’s records (TPP eDSM)
• Sherwood Hospitals – now using the records more and more (TPP eDSM)
• CNCS starting to access records (MIG)
Feedback so far
• Scenario A: Patient had been referred to the Out of Hours
service. The patient presented with bad back pain and
requested strong pain killer (Tramadol) noting that he had
run out of his current medication. This was not a regular
prescribed drug or acute prescription according to his
medication history. The Nurse Practitioner was able to
establish from viewing the elements of the record that the
patient had been prescribed the Tramadol from an
outpatient appointment until the patient could attend for
an operation. (Previous prescribing from the GP had been
at a Paracetamol and Ibuprofen level). The operation had
been cancelled – therefore the medication had run out.
Hence the requested OOH appointment.
Feedback so far
• Scenario B: Child with ear problems. Parents came with
a child who had an ear infection. On viewing the record and
history of the patient, Liz was able to see this was not an
isolated visit. It appeared the child had been prescribed
antibiotics on numerous occasions and therefore, after
consulting a colleague, she tasked the GP and recommended
referral to ENT for full assessment.
• Scenario C: Care home called regarding a resident and, as
the GP was able to view the patient’s medical record via
the MIG, they were able to prescribe the relevant
medication. In doing so this prevented the patient being
admitted to hospital.
Feedback so far
Number of incidents to date:
Zero
A Balance of risk
A patient not understanding your sharing and taking offence/incur upset and distress
Patient suffering preventable harm, injury or death through not making the information available
Data protection act breach
Coroners notice
Caldicott principles (1-6)
CQC inspections
Legal/Professional Duty to share
Professional body investigation
Caldicott 7th principle
Questions?
http://www.hscic.gov.uk/media/12822/Guide-to-confidentiality-in-health-and-socialcare/pdf/HSCIC-guide-to-confidentiality.pdf
https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf
http://bma.org.uk/practical-support-at-work/ethics/confidentiality-and-healthrecords/confidentiality-tool-kit
To Share or Not To Share The Future of Data Sharing
Michael Wright
July 2015
Contents
• Where are we going?
• LMC/GP Engagement
• GMC Good Medical Practice
• 8 Principles of the Data Protection Act (DPA)
• Rights of Data Subjects under DPA
• Right to object to processing that is likely to cause or is causing damage or distress
• Can you defend a claim for compensation?
• Points to consider
Where are we going?
• Inevitability of full data sharing and access to records
• Drip feed of initiatives to move towards this
• Contractual levers making this happen
• Culture of openness and interconnectivity
• Whose record is it anyway?
LMC/GP Engagement
• LMC representation on Patient Online Access Project
• LMC representation on MIG Project Board
• LMC representation on GPRCC (GP Repository for
Clinical Care)
• LMC representation on eDSM Project Board
• GP leadership (Dr Mike O’Neil) on MIG and GPRCC
• Guidance on the future landscape for General Practice
regarding use of patient data
GMC Good Medical Practice
Circumstances in which patients may give implied consent to disclosure
Sharing information within the healthcare team or with others providing care
• 25. Most patients understand and accept that information must be shared within the healthcare team in order to provide their care. You should make sure information is readily available to patients explaining that, unless they object, personal information about them will be shared within the healthcare team, including administrative and other staff who support the provision of their care.
• 26. This information can be provided in leaflets, posters, on websites, and face to face and should be tailored to patients’ identified needs as far as practicable.
8 Principles DPA
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
6. Rights of Data Subjects under DPA
• a right of access to a copy of the information comprised in their personal data;
• a right to object to processing that is likely to cause or is causing damage or distress;
• a right to prevent processing for direct marketing;
• a right to object to decisions being taken by automated means;
• a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
• a right to claim compensation for damages caused by a breach of the Act
Right to object to processing that is likely to cause or is causing damage or distress
What is meant by “damage or distress”?
The Act does not define what is meant by unwarranted and substantial damage or distress. However, in most cases:
• substantial damage would be financial loss or physical harm; and
• substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.
Can you defend a claim for
compensation
You can obviously defend a claim if you have not breached the Act. If
there has been a breach, you can still defend a claim for
compensation, but only if you can show that you took such care as
was reasonably required in the circumstances to comply with the Act.
What you will have to prove will depend on the nature of the breach
in question. What is reasonable will depend on the circumstances.
In data protection terms, this means that you have looked at the way
you process and protect personal data and that you put in place
appropriate checks to prevent any problems occurring. Your defence
may rely on describing these checks. Some form of positive action is
often necessary and, if a reasonable step or precaution has not been
taken, then the defence is likely to fail.
Points to Consider
• What is our belief on data sharing in our Practice as data controllers?
• Is it right/desirable to share patient data with other healthcare providers?
• Should we ask our Medical Indemnity Organisations?
• How far can we consider Pragmatism versus legal repercussions?
• Should we look at different ways of collecting explicit consent? Are we pushing for explicit consent?
• What is the likelihood of us being sued by a patient? Case law???
• LMC are here to support you!
Any Questions?