What is Information Governance?

Information Governance
What you will learn in this session?
1. Principles of Information Governance and their application to health and social care organisations
2. Accessing Information Governance resources including national legislation, guidance and local policies & procedures
3. Health and social care organisations’ responsibilities
4. Protection of an individual’s confidentiality and the Caldicott Principles
5. How to practise and promote a confidential service
6. Principles of ensuring and maintaining good client records
7. Recognising / responding to Freedom of Information requests
8. Keeping Information Secure
What is Information Governance?
Information Governance is about how health and social care organisations and their employees must handle sensitive information.
IG is to do with how NHS/Social Care organisations and individuals handle information.
• How organisations & individuals handle personal & sensitive information
• A framework of legal and ethical principles that apply when sensitive information is collected, processed and shared
• Principles of Law and best practice
• Excellent Care is built on a Foundation of confidence & trust
Different Data Sets:
• Personal & Sensitive (Healthcare records)
• Person based & anonymous (Research data)
• Corporate (Trust Financial Accounts)
What is Information?
Examples
• Personal: Name, Address, Date of Birth, Next of Kin
• Sensitive: Ethnicity, Diagnosis, Illness & Disorders, Sexual Orientation
• Corporate: Minutes of Meetings, Employee Details, Financial Information
Why is Information Governance so important?
For patients and service users
• Information is critical for safe, timely and effective care
• Information is sensitive
• Excellent healthcare is built on a foundation of confidence & trust
For an employee
• Sensitive information
• Ethical and legal responsibility of every employee
• Information must be: accessed, used & shared appropriately
For a health or social care organisation
• Ethical and legal responsibility of every organisation
• Breaches of confidentiality cost money and reputation
Information Governance requirements for health & social care organisations
policies, guidelines and procedures
All Trust information must be:
• Held securely and confidentially
• Obtained fairly and efficiently
• Recorded accurately and reliably
• Used effectively and ethically
• Shared appropriately and lawfully
The Law and Information Governance
• Common Law Duty of Confidentiality: People have legal rights through common law to confidentiality
• Computer Misuse Act 1990: It is an offence to access / attempt to access computer systems without appropriate authorisation
• Data Protection Act 1998: States legal obligations for the collection, use, sharing and disclosure of personal information
• The Human Rights Act 1998: Enshrines a basic human right for all to have the right to privacy
• The Freedom of Information Act 2000: Allows the public to request information held by Public Authorities
Standards, Policies & Codes of Practice
• Information Security Standards – ISO/IEC 17799:2005 and IS Management NHS Code of Practice
• The NHS Confidentiality Code of Practice
• The Records Management NHS Code of Practice
• Information Quality Assurance
Always follow the Caldicott Principles
The Caldicott principles must be used when accessing and using Patient Identifiable Information (PID) or confidential information, and must be maintained by all healthcare organisations.
• Justify the purpose of using confidential information
• Only use it when absolutely necessary
• Use the minimum information required
• Allow access on a strict need-to-know basis
• Always understand your responsibility
• Understand and comply with the law
• The duty to share information can be as important as the duty to protect patient confidentiality
Caldicott Guardians
Q. Who is a Caldicott Guardian?
A. A senior person in the organisation responsible for ensuring the Caldicott principles are applied and maintained
Q. Are you unsure whether to disclose?
A. Don’t disclose. Ask your manager or the Caldicott Guardian
Subject Access Requests
Individuals have the right to access sensitive information including paper, computer records and other related information
• Patients can request access to their medical record
• Employees can request access to their personal records
What is a Freedom of Information (FOI) Request?
• A request for official information held by Public Bodies such as hospital trusts
• Public have a right to access/view all non-personal, public authority information
• Purpose is to promote openness & accountability
• Requests must be made in writing
• There are Exemptions
• Law requires that any FOI request must receive a response within 20 days
Direct Freedom of Information requests to the Lead in your Organisation
Can you recognise a Freedom of Information (FOI) Request?

Dear Sir/Madam,
I would like to know how much the Trust is spending on the new A&E unit due to be completed in March 2014.
I would like a list of the new medical and non medical equipment being purchased for this unit.
Please give me an indication of when this information can be provided to me.
Yours sincerely
Daniel Radcliffe MP

Dear FOI Lead,
I have recently undergone an operation on my hip at your Trust and would like to see all the notes in my health record regarding this period of care.
Yours sincerely
Mrs A Smith

Duty of Confidence
You have a legal duty to protect and maintain confidentiality
• There’s a confidentiality clause in your contract of employment
• You have a professional duty of confidence. It’s in your Code of Professional Conduct
Be careful and cautious when answering the telephone:
• Callers request information under false pretences
• Requests for information need to be verified
• If possible, always obtain requests in writing
Are you unsure? Don’t disclose
Ask your manager or the Caldicott Guardian who’s responsible for ensuring confidentiality
Good Quality Record Keeping
• Does a record already exist?
• Records must be clear, factual, accurate & complete
• Can everybody else read them?
• Complete them quickly!
• Make sure they are dated, timed and signed
• Keep information up-to-date
• Store them safely
• Read them, check them, then check again!
• Check the minimum period records have to be retained
• Are you deleting records? If so check the organisation’s Disposal of Records Policy and Procedures
Information Security
Information security is about ensuring information is:
• Protected and secure
• Reliable
• Available to authorised users only
Any breaches of data security, no matter how small, must be reported
Your responsibilities are to ensure:
• Records are correctly stored
• Passwords are kept secure
• Report inappropriate disclosures
• Safe Haven processes when faxing are used
• Delete spam mail without opening
• You don’t download unauthorised software
• You use IT equipment correctly
Information Security – A serious matter
Organisations have systems in place to monitor the access, use of systems and information by staff
Failure to comply with legal obligations or organisational policy & guidelines could mean disciplinary and legal action being taken
Your Responsibilities
DO
• Protect an individual’s information
• Be aware of national & local information, Policy & Procedures
• Inform patients how information is used and when it may be disclosed
• Help to improve the way the organisation protects information
• Report any suspected or actual breaches of information security
• Seek advice from the appropriate leads if you have any Information Governance concerns
DON’T
• Send confidential, person-identifiable data without applying the required encryption/security measures
• Store Personal/Sensitive information on unencrypted and unauthorised portable devices
• Disclose confidential information to unauthorised people
• Leave person-identifiable data (PID) unattended or in vehicles
• Access inappropriate websites
• Use an organisation's equipment or information to promote private business or for financial gain
Useful sources of Information and links
Further advice
Contact your local Information Governance Manager or Lead
Useful Links
• Information Commissioner's Office: www.ico.org.uk/
• Connecting for Health Toolkit: www.igt.hscic.gov.uk/
Thank you for the support
in developing these materials

Michael Abbotts
St Helens and Knowsley NHS Hospitals Trust

Jonathan Mayes
Information Risk Manager
Pennine Care NHS Foundation Trust

Trish Noon

Barbara Smart
Data Protection Liaison Officer
Royal Liverpool and Broadgreen University Hospitals NHS Trust

Cora Suckley
Information Governance Project Coordinator
The Clatterbridge Cancer Centre NHS Foundation Trust

Menna Harland
Academic Lead for Practice Learning
Liverpool John Moores University

Nick Moseley
Moseley Multimedia Ltd
Information Governance Manager
Pennine Acute Hospitals NHS Trust
Trish’s original presentation was used as the basis for these materials
THANK YOU
Any Questions?
Insert trainer’s name, telephone number and email here