Trust Board Meeting: Wednesday 13 May 2015
TB2015.64
Title
Information Governance Annual Update
Status
For information
History
This report forms part of the Trust’s annual cycle of business, and
was considered by the Trust Management Executive at its
meeting on 23 April 2015
Board Lead(s)
Mr Andrew Stevens, Director of Planning & Information
Key purpose
Strategy
Assurance
Policy
Performance
Oxford University Hospitals
Executive Summary
1. This report aims to provide assurance on the key issues and risks relating to
information governance and data quality.
2. The Trust’s performance measured in the Information Governance Toolkit return at the
end of March 2015 was significantly improved from the previous year, increasing from
86% to 91% and maintaining the top level rating of satisfactory. The Trust remains at
Level 2.
3. The staffing of the team managing Information Governance in support of the Senior
Information Risk Officer and Caldicott Guardian has recently been strengthened by the
appointment of new staff.
4. The number of Serious Incidents Requiring Investigation (SIRIs) remains low and
management of action plans to remedy the issues reported is designed to achieve
closure as soon as is practicable.
5. Requests for information under the Freedom of Information Act have increased
significantly over the last year and a review of the Trust Publication Scheme has
commenced with a view to placing more information in the public domain.
6. This report was considered by the Trust Management Executive [TME] at its meeting
on 23 April 2015. TME supported submission of the Annual Update to the Trust Board.
7. Recommendation
The Trust Board is asked to note and consider this report.
Information Governance Annual Update
1. Purpose
1.1 The Information Governance updates are provided on a six-monthly basis. The
purpose is to provide assurance on risks and issues relating to information
governance and data quality.
2. Background
2.1 The Information Governance Group and the Data Quality Group merged in May
2013 to form the Information Governance & Data Quality Group (IGDQG). The
joint work programme covers the actions required to improve compliance with
the annual information governance assessment (the Information Governance
toolkit), the recommendations arising from internal audit reports, and any other
issues that the group considers necessary. The annual work programme is
reviewed at the six-weekly meetings of the IGDQG.
3. Key issues
3.1. Information Governance Self-Assessment.
3.1.1 The Trust’s overall attainment level in the Information Governance
Toolkit continues to improve.
2011/12 – 71%, Not Satisfactory
2012/13 – 81%, Not Satisfactory
2013/14 – 86%, Satisfactory
2014/15 – 91%, Satisfactory
3.1.2 To achieve the higher rating of ‘Satisfactory’, all 45 requirements must
meet Level 2 criteria; in addition, the Trust has reached the top
Level 3 rating in 33 requirements.
3.1.3 Attachment 2 details the achieved level for each requirement. 12
requirements remain at Level 2; this is an improvement, with 5
requirements at Level 2 during 2013-14 raised to Level 3.
3.1.4 The Information Governance Toolkit submission is subject to review by
the Trust’s internal auditors. The audit published in April 2015 provided
a rating of significant assurance with minor improvement opportunities.
3.1.5 The content of the IG induction training has been reviewed and updated
and is also now a more interactive session.
3.1.6 Version 13 of the IG Toolkit assessment for 2015-16 is likely to be
released in June and may contain potential changes from the previous
version that will need to be reviewed.
3.1.7 The IGDQG will continue to monitor progress against the work
programme at its regular meetings.
3.2. Supporting the Senior Information Risk Officer (SIRO)
3.2.1 The SIRO (Mr Andrew Stevens) and the Caldicott Guardian (Dr Chris
Bunch) continue to be supported by the Information Governance
Manager, Information Governance Officer and Freedom of Information
(FOI) Officer. Additional IG support is provided by the Director of IM&T
and Head of Medical Records and their teams. All Divisions and
relevant corporate Directorates are represented at the IGDQG.
3.2.2 Each of the Divisions has its own Information Governance and Data
Quality structures supported by the central team.
3.2.3 The IG work programme aims to ensure the SIRO is fully informed on
all information risks and breaches in confidentiality.
3.3. Information Governance Risks
3.3.1 The top risks related to information governance are registered on
Health Assure and are reviewed by the IGDQG. No new risks have
been identified or added to the register.
3.3.2 The review of fax machines as highlighted in the previous report is still
underway with an initial scoping exercise complete.
3.3.3 A risk assessment of the Trust’s use of mobile devices was reviewed
and accepted by the Information Governance and Data Quality Group.
The suggested level of risk and the existing mitigations were
acknowledged and it was agreed that the management of mobile
devices did not need to be added to the risk register as a new item as it
was already covered.
3.4. Information Governance Training
3.4.1 Information Governance (IG) training is mandatory for all staff. The
Information Governance toolkit requires that all staff undergo training
and is an indicator on the Foundation Trust self-certification returns.
3.4.2 Information governance (IG) training is mandatory for all staff.
3.4.3 Training is delivered primarily via the Trust’s e-Learning Management
System (eLMS); training materials have been approved by NHS
Connecting for Health and include an online competency assessment.
Staff have 3 attempts to pass before being asked to complete either the
paper-based workbook or assessment or attend a face to face training
session.
3.4.4 In addition to this, the IG Team have held a number of drop-in sessions
from January – March 2015 in order:
• To improve the Trust’s overall IG training target
• To provide more one-to-one training to improve staff knowledge
3.4.5 The IG induction training has been redeveloped to update the content
provided and to develop a more interactive session with new starters.
3.5. Work Plan
3.5.1 The main area of work planned for 2015/16 will focus on reviewing
the Information Asset Register. The Trust currently holds and regularly
maintains the register throughout the year; however, it is recognised that
improvements could be made to this. It is envisaged that the register
will be updated to an SQL database, or similar, to provide improved
access to Information Asset Owners. The data flows of the assets will
also be explored with the option of this being included in the register to
secure better management of both assets and flows.
3.5.2 Another piece of work will be reviewing the training currently being
provided. Training now needs to be delivered to more targeted groups,
focusing on individuals who work closely with Personal Confidential
Data (PCD). Training methods were reviewed a couple of years ago
and it is recognised that these may need to be updated.
3.6. Information Incidents
3.6.1 IGDQG receives monthly incident reports relating to breaches in
confidentiality and information security.
Serious Incidents Requiring Investigation (SIRIs) – There have been no
reportable incidents this year.
Complaints – There were four complaints from patients and staff, which
involved an element of information governance.
3.7. Freedom of Information
3.7.1 In 2014/15 the Trust received 618 Freedom of Information requests
which was an 8% increase on requests in the previous year. In the past
six months 74% of these requests were answered within the 20 day
statutory limit. This is a 16% increase in responsiveness in comparison
to 2013/14. The vast majority of requests continue to come from
journalists and private companies with significant additional requests
coming from researchers both inside and outside the NHS. It should be
noted that the FOI 20 day response rate has increased alongside
changes to the way responses are produced which has ensured
responses comply fully with the FOI legislation but has meant an
increase in workload on each request. In addition, requests for a review
of responses by requestors are extremely low with only two across the
whole year (0.3% of requests).
3.7.2 Over the past six months, work has continued in reviewing and updating
the Freedom of Information systems and processes, with a new
Standard Operating Procedure agreed and implemented through the
Trust as well as ensuring a dedicated Freedom of Information Officer is
working on answering requests. Additional checks have been
implemented to ensure correct information is provided in accordance
with the legislation and executive oversight has been increased so
relevant issues or limitations of the data held are acknowledged.
3.7.3 In relation to our requirement to maintain a publication scheme, the
Trust has reviewed the existing arrangements and ensured it meets the
recommended requirements as set out by the regulator. Following the
publication of new guidance for healthcare providers in relation to FOI
publication schemes, the information released and required
under this framework is under review.
3.8 Data Quality Assurance Framework
3.8.1 At the heart of the Trust’s data quality approach is the data quality
assurance framework. Under this framework the data underpinning all
of the key performance indicators included in the Integrated
Performance Framework are given a two component rating by the
Information Governance and Data Quality Group. The first component
of the rating is a ranking on a scale of 1-5 to reflect the level of
assurance that is available around the data quality. The second
component comprises a traffic light rating to indicate the level of data
quality that the assurance mechanisms have found.
3.8.2 The ratings for all indicators are reviewed informally by the indicator
owners on a quarterly basis. Any proposed changes have to be
approved by the IGDQG. In addition, the ratings of all indicators are
formally considered on an annual rolling basis by the IGDQG. At these
formal reviews, the indicator owners are required to present the
evidence supporting the proposed rating for the data underpinning each
indicator to the IGDQG. The IGDQG then considers the evidence and
rates it against the framework.
3.8.3 During 2014/15, significant progress was made in ensuring that the
evidence supporting each rating is held on the Health Assure assurance
tool.
3.8.4 The Data Quality Assurance Framework is underpinned by a
programme of data quality audits undertaken by services themselves as
well as by the Trust’s own internal auditors and other external bodies.
The results of these audits and the associated action plans are
monitored at each meeting of the IGDQG.
3.8.5 The Trust also benchmarks its data quality performance using the
Secondary User Service Data Quality Dashboard. The Trust performs
strongly against both national benchmarks and local peer organisations.
3.9 False & Misleading Information (FOMI)
3.9.1 In early February, the Department of Health announced the results of a
consultation held in mid-2014 on proposed new legislation. The new
legislation would make it a criminal offence for an NHS body to
intentionally or negligently provide false or misleading information that
they must report as part of their statutory duties.
3.9.2 The offence forms part of the Government’s overall drive to improve
openness and transparency in the provision of health services, by
making clear that a sanction exists for failing to provide or publish
accurate or honest information about the performance of services. The
FOMI offence should act as a driver to improve the integrity of both data
requests made to NHS providers and also the data received. This
should, in turn, improve the overall quality of data.
3.9.3 The datasets included in this proposed legislation have been provided and
have been reviewed and compared to those in the Integrated
Performance Report (IPF) to identify any data sets that are not covered
by the Data Quality Assurance Framework (DQAF). The DQAF, which
is primarily focused on the Integrated Performance Framework (IPF), sets
out an established methodology to ensure the accuracy of the data
underpinning the indicators in the IPF.
3.9.4 All but two of the datasets that fall under this new legislation are already
captured by the Trust within the IPF; however, the new legislation adds
additional emphasis to ensuring that data collection, validation and
reporting are given the resources and tools required to provide due
diligence.
3.9.5 The Trust is looking to apply the Data Quality Assurance Framework to
the datasets not already covered.
3.10 Cyber Security
3.10.1 Cyber security represents an increasing risk to all organisations. In
recognition of this the Audit Committee received a presentation on cyber
security issues from its internal auditors at its meeting in February 2014.
Following this, the Trust commissioned an audit of its cyber security
maturity from its internal auditors. This audit and the associated
recommendations were reported to the Audit Committee at its meeting in
September 2014.
3.10.1 The audit report and its recommendations have formed the basis of a
cyber security action plan.
3.10.2 An update on cyber security issues was considered by the Audit
Committee at its meeting on 27 April 2015. The report:
• Provided an update on progress against the actions within the cyber
security action plan.
• Identified key cyber security issues and the Trust’s response.
• Set out future priorities/next steps.
4. Conclusion
4.1. The Information Governance and Data Quality Group continue to monitor the
Trust’s activities that manage confidentiality and data quality and to review
significant issues as these arise. This report summarises the key issues from
the last twelve months.
5. Recommendation
5.1 The Trust Board is asked to note and consider this report.
Mr Andrew Stevens
Director of Planning and Information
May 2015
Report prepared by
Francine Tanner - Data Quality Programme Manager
Rebecca Hough - Information Governance Officer
Tom Mansfield - Freedom of Information Officer
Appendix 1
Version 12 (2014-2015) Assessment
Requirements List
Req No | Description | Status | Attainment Level

Information Governance Management
12101 | There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda | Confirmed Complete | Level 3
12105 | There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans | Confirmed Complete | Level 3
12110 | Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations | Confirmed Complete | Level 3
12111 | Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation | Confirmed Complete | Level 3
12112 | Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained | Confirmed Complete | Level 2

Confidentiality and Data Protection Assurance
12200 | The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs | Confirmed Complete | Level 3
12201 | Staff are provided with clear guidance on keeping personal information secure, on respecting the confidentiality of service users, and on the duty to share information for care purposes | Confirmed Complete | Level 3
12202 | Personal information is shared for care but is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected | Confirmed Complete | Level 3
12203 | Individuals are informed about the proposed uses of their personal information | Confirmed Complete | Level 3
12205 | There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data | Confirmed Complete | Level 3
12206 | There are appropriate confidentiality audit procedures to monitor access to confidential personal information | Confirmed Complete | Level 3
12207 | Where required, protocols governing the routine sharing of personal information have been agreed with other organisations | Confirmed Complete | Level 3
12209 | All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines | Confirmed Complete | Level 3
12210 | All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements | Confirmed Complete | Level 3

Information Security Assurance
12300 | The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs | Confirmed Complete | Level 2
12301 | A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed | Confirmed Complete | Level 2
12302 | There are documented information security incident / event reporting and management procedures that are accessible to all staff | Confirmed Complete | Level 3
12303 | There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority | Confirmed Complete | Level 3
12304 | Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use | Confirmed Complete | Level 3
12305 | Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems | Confirmed Complete | Level 3
12307 | An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy | Confirmed Complete | Level 3
12308 | All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers | Confirmed Complete | Level 2
12309 | Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place | Confirmed Complete | Level 2
12310 | Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error | Confirmed Complete | Level 2
12311 | Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code | Confirmed Complete | Level 2
12313 | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely | Confirmed Complete | Level 3
12314 | Policy and procedures ensure that mobile computing and teleworking are secure | Confirmed Complete | Level 2
12323 | All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures | Confirmed Complete | Level 3
12324 | The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate | Confirmed Complete | Level 2

Clinical Information Assurance
12400 | The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience | Confirmed Complete | Level 3
12401 | There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements | Confirmed Complete | Level 3
12402 | Procedures are in place to ensure the accuracy of service user information on all systems and/or records that support the provision of care | Confirmed Complete | Level 3
12404 | A multi-professional audit of clinical records across all specialties has been undertaken | Confirmed Complete | Level 3
12406 | Procedures are in place for monitoring the availability of paper health/care records and tracing missing records | Confirmed Complete | Level 3

Secondary Use Assurance
12501 | National data definitions, standards, values and validation programmes are incorporated within key systems and local documentation is updated as standards develop | Confirmed Complete | Level 3
12502 | External data quality reports are used for monitoring and improving data quality | Confirmed Complete | Level 3
12504 | Documented procedures are in place for using both local and national benchmarking to identify data quality issues and analyse trends in information over time, ensuring that large changes are investigated and explained | Confirmed Complete | Level 3
12505 | An audit of clinical coding, based on national standards, has been undertaken by a Clinical Classifications Service (CCS) approved clinical coding auditor within the last 12 months | Confirmed Complete | Level 3
12506 | A documented procedure and a regular audit cycle for accuracy checks on service user data is in place | Confirmed Complete | Level 3
12507 | The Completeness and Validity check for data has been completed and passed | Confirmed Complete | Level 3
12508 | Clinical/care staff are involved in validating information derived from the recording of clinical/care activity | Confirmed Complete | Level 3
12510 | Training programmes for clinical coding staff entering coded clinical data are comprehensive and conform to national clinical coding standards | Confirmed Complete | Level 2

Corporate Information Assurance
12601 | Documented and implemented procedures are in place for the effective management of corporate records | Confirmed Complete | Level 2
12603 | Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000 | Confirmed Complete | Level 3
12604 | As part of the information lifecycle management strategy, an audit of corporate records has been undertaken | Confirmed Complete | Level 2