NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Building information governance for personal health information Karen Thomson Information Governance Lead 19 March 2010 BCS ISSG Conference NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB • Role of the NIGB • Definitions • What are the issues with building Information Governance for personal health information NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB The role of the NIGB • To support improvements in information governance in health and social care • To advise on the use of powers under section 251 of the NHS Act 2006 NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB The NIGB as a Statutory Body • The NIGB is an Advisory Non-departmental Public body • Reports to the Secretary of State and of Health • Its Statutory powers support it in delivering its terms of reference NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB The Care Record Guarantees NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB The NIGB has provided advice and guidance on: • Information governance during the swine flu pandemic • The implications of the Coroners and Justice Bill • Parental controls on information sharing for children • Access to clinical information by social workers • The use of third parties to support collaborative care NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB The NIGB Ethics and Confidentiality Committee • Provides a legal basis for the use of information in medical research and other NHS activities without consent • Administers applications for support from section 251 of the NHS Act 2006 and advises on its use NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB What is information governance? ‘Information governance describes the structures, policies and practices which are used to ensure the confidentiality and security of records of patients and service users. Correctly developed and implemented it enables the appropriate and ethical use of information for the benefit of individuals and the public good’. NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB What is personal health information? DPA definition of “Personal data” “Data which relate to a living individual who can be identified – a) From those data, or b) From those data and other information, which is in the possession of, or is likely to come into the possession of the data controller…” NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB DPA definition of “Sensitive personal data” “Personal data consisting of information as to – (e) His physical or mental health or condition” Or racial or ethnic origin, political opinions, religious or other beliefs, membership of a trade union, sexual life, the commission of any offence or court proceedings related to any offence. NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB NHS Act 2006 definition of “Patient information” S251(10)(a)“Information (however recorded) which relates to the physical or mental health or condition of an individual, to the diagnosis of his condition or to his care or treatment, and (b) Information (however recorded) which is to any extent derived from, directly or indirectly, from such information, whether or not the identity of the individual in question is ascertainable from the information.” NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Definition of “Confidential patient information” S251(11) “Patient information wherea) The identity of the individual in question is ascertainable – i. From that information, or ii. From that information and other information which is in the possession of, or likely to come into the possession of, the person processing the information, and b) That information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.” NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB • Personal = Identifiability • Health Information in broadest terms includes derived data & could just be demographic information • Two sets of definitions whilst subtly different do reflect one another. • Information governance – how to use and handle data appropriately to keep it confidential and secure. NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Information Governance might be divided into a number of areas: • Data Protection & Confidentiality • Information security & risk management • Records management & information quality NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Confidentiality & Data Protection Policies & procedures to cover: – Consent for use & disclosure – De-identification processes – Information sharing protocols – Fair & lawful processing & DP notification – SARs & other DP requirements – Offshore processing – Confidentiality Code of Conduct & demonstrate compliance with the Confidentiality Code of Practice & NHS Care Record Guarantee NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Legal requirements Legal requirements for processing confidential personal data Common law duty of Confidentiality Data Protection Act 1998 Human Rights Act 1998 NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE Common Law of Confidentiality NIGB • Information must be confidential in nature • Information that is communicated as part of a relationship where there is an expectation of confidentiality • May be limited by the circumstances – Consent – Statute/Court order – Public interest favours disclosure Legal and DH policy requirements are set out in The NHS Confidentiality Code of Practice NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE Human Rights Act 1998 NIGB • Right to freedom from interference by the State in one’s privacy (Article 8) • BUT breaches may be justified provided they are “necessary [for]…public safety… [and] the protection of health” • Disclosures must be proportionate based on the particular circumstances of individuals • 3 tests – has there been interference with privacy? is there justification? is the justification proportionate to the breach? NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE Data Protection Act - 8 principles NIGB 1) Fairly and lawfully; 2) Obtained for specific purposes and only used for compatible purposes; 3) Adequate, relevant & not excessive; 4) Accurate NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE Data Protection Act - 8 principles NIGB 5) Only kept for as long as necessary for the agreed purpose; 6) In accordance with the rights of the subject; 7) Kept securely; 8) Only transferred outside EEA with equivalent protections. NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Information security & risk management Policies & procedures to cover: – Business continuity & disaster recovery – Physical & Network security – Remote working & secure data transfer – Access controls & management – Data & media destruction – Local data warehousing – Cross boundary information sharing To demonstrate compliance with the IS CoP NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Records Management & Information quality Policies & procedures to cover: – Record management – Data flow mapping – Retention & archiving – Data quality including NHS number implementation – Freedom of Information Act – Environmental Information Regulations – Re-use of public sector information regulations. NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Building information governance for personal health information • Reliable information available at the point of care is essential to supporting quality care • Information governance is about making it available where and when it is needed to support care whilst also protecting patient and service user’s confidentiality and privacy NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB • Information security is not really the problem • Most of the data losses and breaches due to carelessness, stupidity or wrongdoing of people, not weaknesses in systems • IG is about helping humans to use systems effectively and efficiently • Technology supporting people NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB • Technology becomes a problem when “clunky” or where changes to business processes are necessary but not supported through training, encourages workarounds • Technology supporting people • Staff supported through training – Every level – Specialist capacity to provide advice – IG managers, SIROs, IAO. NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Technology can support people • Allowing or preventing access & managing where uncertain • Prompts – do you need to access? why do you need to access? • Audit trails – not just where made changes but where viewed • Alerts – direct reports & unusual patterns analysis NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Supporting secondary uses of data • De-identification tools - Data derivation - Pseudonymisation • Electronic recording of consents & dissents NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Key Messages • IG - Making personal health information available where it is appropriate & necessary • Preventing inappropriate access • Transforming personal health information into de-identified information for secondary uses or recording consent to allow its use in identifiable form • Technology supporting people NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Contact details • • • • www.nigb.nhs.uk Phone us – 0207 633 7052 Email us – nigb@nhs.net Write to us: NIGB, Floor 7, New King’s Beam House 22 Upper Ground London SW1 9BW NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE NIGB Questions?