Information Governance in Commissioning
Mental Health Commissioners Collaborative

Introduction
David Stone, Head of Information Governance, Apira Limited
david.stone@apira.co.uk
07947 052704

2011/12 Standard Terms and Conditions for Mental Health and Learning Disability Services

Context
– Law/Contract
– Regulation
– Risk/Liability
– Contract compliance/Assurance
– Incidents/Breaches
– Patient Identifiable Data/Secondary Use

Dear colleague
Gateway Ref: 16607
We want to call your attention again to a significant change that came into force on 6 April 2010, which enables the ICO to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act 1998. Obviously we are all hoping that it will not be necessary for the enhanced powers to be exercised, but at present a significant percentage of all data breaches reported to the ICO relate to NHS organisations. The purpose of this letter is to outline the actions that we jointly recommend to ensure your systems and practices deliver adequate information governance and that commissioning criteria adequately reflect its importance.
Nicholson, NHS CEO and Graeme, IC, to all NHS CEOs, 05/09/11

Law/Contract
Data Controller/Data Processor
– The Commissioner is a Data Controller in law (27.3)
– The Commissioner may be Data Controller Jointly or In-common, but remains legally liable for the data, even after the end of the contract
– The Information Commissioner will pursue the Data Controller in the event of a breach
Service Level Agreements are not valid in law (unless bound in contract)
– The Data Protection Act (1998) trumps the NHS & Communities Act (1990)

Case Study
In February 2011, the London Boroughs of Hounslow and Ealing were fined £70,000 and £80,000 respectively under the Data Protection Act 1998 (DPA). The Monetary Penalty Notice (MPN) arose from the theft of two unencrypted laptops from an employee of Ealing Council. The laptops contained the personal data of approximately 1,000 Ealing service users and approximately 700 Hounslow service users. Hounslow were found to be in breach of the DPA because they had failed to have a valid, legally binding contract in place with Ealing and because they had not monitored Ealing's operational compliance in delivering the commissioned service.

Regulation
Monitor
– "Monitor would look to commissioners, the Information Centre and Information Commissioner to lead on policing IG at FTs and it is not our role to otherwise interpret information requirements. Only where other bodies have exhausted their powers would Monitor generally consider acting in the absence of other breaches of the authorisation." (email response 04/08/2011)

Regulation
CQC
– The Commission uses the information from the Information Governance Toolkit in our Quality and Risk Profiles.
– Quality and Risk Profiles are an essential tool for providers, commissioners and our own staff in monitoring compliance with the essential standards of quality and safety.
– They help in assessing where risks lie and can play a key role in providers' own internal monitoring as well as informing the commissioning of services. (email response 10/08/2011)

Regulation
Department of Health
– The IGT is not a required central return, as the Department of Health is just one, and not the main, interested party. The Department expects commissioners to drive improvements in provider information governance and to insist that their contractual requirement to publish an IGT assessment continues to be met.

Contract Compliance
27.2 Data Protection
– The Provider shall achieve a minimum level 2 performance against all requirements in the relevant NHS Information Governance Toolkit relevant to it. Where the Provider has not achieved level 2 performance by the Service Commencement Date, the co-ordinating Commissioner may, in its sole discretion, agree a plan with the Provider to enable the Provider to achieve level 2 performance within a reasonable time.

Risk/Liability
[Chart: IGT v8 scores for nine providers: 89%, 75%, 68%, 70%, 68%, 67%, 58%, 53%, 39%. Legend: Red = Unsatisfactory in IGT. 80% is marked on the chart.]

Consent
9.1 Consent
– The Provider shall operate a Service User consent policy to comply with Good Clinical Practice, good Health and/or Social Care Practice and the Law
NHS Care Record Guarantee Commitment 4
– Legally, no-one else can make decisions on your behalf about sharing health information that identifies you.
European WP29
– Consent is recognised as an essential aspect of the fundamental right to the protection of personal data

Person Identifiable Information
– All health data is 'sensitive' under the Data Protection Act
– SUS is only legal for limited use (S251): 18 weeks, PbR, planning care provision
– Contested payments/Challenges
– New Safe Haven operation
– Pseudonymisation/secondary use

Not Applicable Contract Clauses
The following clauses do not apply to data that comes within the scope of the Data Protection Act (1998):
– 15.5: Incident reporting
– 29, especially 29.9: require information
• Note: the contract cannot require the Provider to break the law
– There may be others in the schedules

Assurance
Schedule 5
– Independent audit of IGT self-assessment scores and information risk must be shared with the commissioner
– Information incident reporting (or as Schedule 7) in compliance with Gateway 13177
– Information Lifecycle: what happens to the data at termination? (35/36)
– Clarification of the right to disclose confidential information (39.1.4)
– Transport of data using N3
– Use of NHSmail

Conclusion
– The Commissioner is a Data Controller in law and legally liable for what happens to the data, even after the end of the contract
– A legally binding contract is required by law for every commissioned service
– The standard commissioning contract does not meet all legal requirements without additions in Schedule 5
– The standard contract is not always correct when applied to information covered by the Data Protection Act
– All but one MHT in London failed to meet the standard required in contract