INFORMATION GOVERNANCE - Induction Package 2012-13

SEPT - MANDATORY TRAINING
How to Find Your Way Around…
1. You can play the PowerPoint, and find the Test here.
2. You can minimise this column and make the main page bigger by clicking this icon. Click it again to bring it back.
3. Always click this ‘Home’ icon to save your progress and log off. This is very important!
Information Governance
Introduction
Taken in its widest context, Information Governance is the framework, structures and processes that ensure the security, confidentiality and integrity of the Trust’s data and information about its patients / clients and employees, in particular personal sensitive information, including corporate information.

Information Governance is a framework for handling information in a confidential and secure manner, to appropriate ethical and quality standards, in a modern health service Trust.

It allows the Trust and individuals to:
• Ensure that personal information is dealt with legally, securely, efficiently and effectively;
• Provide a framework to bring together all of the requirements, standards and best practices that apply to the handling of all information;
• Focus on setting standards and giving the Trust the tools to achieve these standards;
• Achieve the goal of being consistent in the way it handles personal / corporate information;
• Lead improvements in information handling, patient confidence in the Trust and employee training and development.
Information Governance
Working with Others
Information Governance also helps employees to work with others outside of their own areas. It depends on teamwork and good communication among all staff to encourage:
• Sharing of good practice ideas across directorates and departments;
• Joint initiatives between other health care organisations;
• Avoidance of duplication through shared efforts.

Will learning about information governance assist me to follow best practice guidelines and manage personal information more effectively?

Information Governance helps ensure that all Trust employees follow best practice guidelines on information handling.
Information Governance helps all employees to manage personal information for the benefit of the patient, service user or employee.
Patients, service users and staff will know that their records will not be disclosed inappropriately, which will:
• Give them greater trust in our working practices;
• Encourage them to be more open to sharing important personal information;
• Ensure they receive the best quality care.
Information Governance
Framework
Information Governance provides a consistent way for Trust staff to deal with the main information handling requirements.
The foundation of the IG framework is provided by legislation as well as NHS guidance. These include:
• Data accreditation and quality;
• Caldicott sharing of patient identifiable information;
• Consent to sharing of personal information;
• ISO 27000 Series - Information security management;
• Common law of confidentiality;
• The Data Protection Act 1998;
• The Freedom of Information Act 2000;
• Environmental Information Regulations 2004;
• Records Management.
Information Handling Standards
The Department of Health has developed clear standards of information handling to ensure that information is:
• Held securely and confidentially;
• Obtained fairly and efficiently;
• Recorded accurately and reliably;
• Used effectively and ethically;
• Shared appropriately and lawfully.
The information standards assist the Trust to ensure that:
• Appropriate management structures and personnel are in place to oversee the IG arrangements;
• Information within computerised and paper-based systems is held securely, is accurate and available when and where required;
• Processes and procedures for information and records are efficient and effective;
• Employees are provided with guidance and appropriate, effective mandatory training;
• Information Governance assessments are performed annually by the Trust to help identify good practice and highlight areas that can be improved.
Duty of Confidentiality
All employees of the Trust who record, handle, store or otherwise come across information have a personal common law duty of confidence to patients and staff.
Health professionals have, by virtue of professional regulation, an ethical ‘duty of confidence’, which, when considering whether information should be disclosed, includes paying special regard to the health needs of the patient and to their wishes.
Remember:
• Keep personal information private (i.e. avoid gossip and inappropriate venues for discussion of patient care / employee information);
• Ensure confidential information is not unlawfully or inappropriately accessed (e.g. leave answerphone messages with no PID);
• Report any breaches in confidentiality to your line manager and to the Information Governance Team;
• Ensure you know who you are communicating with before disclosing confidential information (i.e. on the telephone);
• Comply with the Trust’s computer safety / information security procedures;
• Do not leave manual records unattended;
• Lock rooms and cupboards where confidential information is stored;
• Dispose of confidential information in an appropriate manner.
This applies equally to those, such as students or trainees, on temporary placements.
Information Security
Information security is the protection of information from loss, corruption or misuse. It means providing safeguards for personal information about patients and staff as well as personal and commercially sensitive information, such as patient information, business plans and activity data. It is concerned with:
• Confidentiality – only staff who are authorised to process information can access it;
• Reliability – personal information should be accurate and suitable for the processing purpose;
• Availability – authorised information users should be able to access the information if they need it for specific purposes.
Information security is vital if the South Essex Partnership University NHS Foundation Trust (the “Trust”) is to provide partnership services in Bedfordshire, Essex and Luton.
Maintaining Confidentiality
Everyone involved in the collection and use of health information in the NHS has a legal duty of confidence, both towards patients and towards their employer. This is documented in all Trust employees’ contracts of employment and in the Trust’s disciplinary procedures.
The general rule is that information provided in confidence should not be used or passed on except as originally understood by the confider, unless they have given their express permission (consent).
Patient Information
You must always make sure you are using information for legitimate purposes and sharing it only with people who have an authorised need to know. Legitimate purposes will include, apart from the primary purpose of delivering patient care:
• Necessary healthcare administration;
• Clinical audit;
• Monitoring and protecting public health.
Patient information will routinely be seen and used by a number of medical and administrative staff in the course of their duties, including staff based in hospitals, GP practices, health centres and health authorities, according to their job role and permitted levels of access.
It may occasionally be necessary to pass information to a third party for purposes which are not routine, or not reasonably foreseeable by the patient. Such disclosures should normally be made on the decision of the clinician responsible for the patient’s care, who can demonstrate proper legal and ethical justification, and wherever practicable with the prior knowledge and consent of the patient.
Be aware of Trust protocols for sharing patient information, and ensure you comply with them.
Avoid disclosing the identity of individual patients if the recipient can use anonymised data. In every case where information about patients is shared, keep identifying details to the minimum.
Finally, you should never seek out information for your own curiosity, or at anyone else’s request if they do not have a legitimate professional reason for asking. Obtaining or passing on information in these circumstances can cause distress to the patient and harm the good reputation of the Trust. Deliberate breaches will be treated as a disciplinary matter and may result in dismissal, or prosecution for a criminal offence.
Data Quality
‘Data quality’ is the umbrella term we use for the reliability of recorded information in all its forms. High quality data is accurate, complete, recorded in a timely manner and readily available to those who need to use it. The Trust recognises that the efficiency and effectiveness of its healthcare services depend on high quality data.
If you collect or record any information, especially if it relates to individual people, take care to ensure its accuracy and completeness. This is normally best achieved by capturing data as close as possible to the event, preferably involving the clinician or person themselves. It also means knowing and applying any documented standards and procedures that relate to the particular systems or data. If you think something looks wrong, deal with it there and then, or refer it to your line manager or the data protection officer.
Computer Security
Most employees now use computers as part of their job role and therefore have specific responsibilities for information security. Access to Trust computers and networks is conditional on your agreement to abide by the ten essential security rules, which represent a minimum standard of good practice:
• Always work under your own user name and password.
• Choose a password that is not obvious to anyone and change it if you have any reason to suspect it has become compromised.
• Never allow anyone else to work under your user name.
• Always lock your screen, log out or disconnect your session on a Windows Terminal before leaving your PC.
• Keep sensitive information out of sight. Position screens carefully and file confidential papers safely when not in use.
• Understand how to save your work onto the network in your secure folders so that it is secure, available to those who need it, and backed up appropriately. Never save your work to ‘My Documents’ or the C: drive etc.
• Do not attempt to access any information which you are not authorised to see.
• Do not use the Trust’s equipment, software or data for any purpose other than official business.
• Do not introduce games, or any software, unless it is formally authorised and licensed for use on Trust premises.
• If you suspect a security weakness, virus infection or breach of any of these rules, report it immediately to your manager.
Passwords
Would you tell a stranger your credit card PIN number?
• Never disclose your passwords to anyone, not even your closest colleagues. If you suspect someone may know it, change it immediately, and:
• Change your password regularly;
• Add some numbers and special characters, such as - £ $ & @ #, to further increase security;
• Choose a password that cannot be guessed;
• Always ensure no one is watching as you enter your password;
• Never share your password;
• Never attempt to gain access to a system using someone else’s password.
Laptops & Mobiles
The Trust now has a large number of portable, hand-held and laptop computers, which are used throughout its premises. These are valuable items, especially attractive to thieves, and extra precautions are called for:
• Do not leave the computer unattended at any time;
• Particular care should be taken in public areas or when travelling between locations. Never leave the computer visible in your car (keep it in the boot);
• Data should never be stored on the hard drive of any mobile device;
• Ensure floppy, compact and flash disks are held securely away from the computer;
• If files contain sensitive or personal information they should be password protected;
• Should loss or theft occur, in the first instance report the incident to the Police, obtain a crime reference number and report it via Datix to the ITT Department and the Information Governance Team.
Smartcards
Smartcards are required to access national information systems (e.g. NHS Care Records Service, Electronic Staff Record, SystmOne, etc.).
They are used in conjunction with a PIN number, providing an additional layer of security to help prevent unauthorised access to the systems and the information held within them.
You are personally responsible for ensuring that patient / staff information is protected and only used for specific and lawful purposes.
Smartcards are issued to individual members of staff and must only be used by the person whose name is on the card.
USB Memory Sticks
They have many names, including USB pens, USB keys, mini-USB drives, Flash drives etc.
They use ‘flash’ memory to store data; this is a form of memory that keeps its content even when unplugged and power is removed.
USB memory sticks are a very convenient method for carrying information and data around with you. However, the risks associated with these are great because they are very small and weigh next to nothing, so can easily be lost.
These devices should only be used for transferring information and not for storage, and only Trust issued devices should be used as these are protected by encryption.
Please refer back to Trust policy and guidance before requesting a device.
Faxing
Safe Haven is an agreed set of administrative and physical security procedures for minimising the risk of breach of confidentiality when sending information via fax. Do not fax personal or confidential information unless it is absolutely necessary. If it is necessary, ensure that you fax the information to a ‘Safe Haven’ / secure fax.
If faxing personal or confidential information:
• Double check the fax number;
• Send a front cover sheet only and ask the recipient to confirm receipt of the fax;
• Ensure you mark the fax header “Private and Confidential”;
• Use the redial button to ensure the fax goes to the same place;
• Save the transmission slip with the fax in the appropriate record;
• Personal details (e.g. name & address) should be faxed separately from clinical details, which must be accompanied by the relevant patient identification number.
E-mail
An e-mail is the term given to an electronic message that is sent via a computer over a network to another user, who will read it in much the same way as a letter. Unfortunately e-mails can be intercepted by the wrong people. For this reason, it is essential to ensure that:
• The body of any e-mail text does not contain patient/staff identifiable/sensitive or corporately sensitive information.
• NHS Mail (nhs.net accounts) is a secure, encrypted, approved method of sending such sensitive information. When sending from nhs.net to nhs.net (or other secure networks – please see Trust policy) password protection is not required.
• If using Outlook (@sept.nhs.uk) then password protected attachments MUST be used for such sensitive information and no information is to be held in the body or the header of the email which could identify a person.
• When using password protection, best practice is to telephone or text through the password – where this is not possible ensure that a suitable time delay lapses before any password is sent in a separate
Remember the Dos
• Ensure all patient/staff identifiable information is password protected;
• Use Trust purchased devices only;
• Ensure any portable media (i.e. Laptops, USB keys, PDA, Mobile phones, Discs, etc) is access protected by password;
• Send equipment (Computers, USB keys, Discs, etc) to the IT&T Department for secure disposal;
• Read the Trust policies and procedures to ensure you are aware of your responsibilities in keeping information confidential and secure;
• Keep smartcards in a safe and secure place at all times;
• Lock screens or log off when not using any computer;
• Always use Safe Haven procedures when sending/receiving patient/staff identifiable information;
• Ensure that anything sent in an e-mail is either password protected or sent by NHS.net;
• Change passwords regularly, adding some numbers and special characters.
Remember the Don'ts
• Use personal USB memory sticks;
• Never store patient/staff identifiable information on any USB key, organiser/electronic diary, laptop or Tough book; only use them for transfer;
• Never leave portable media (i.e. USB memory sticks, Laptops, Tough books, Discs, etc) in view in a car or overnight;
• Never leave patient/staff identifiable information on an ‘open’ PC screen when the office is unattended;
• Never share passwords;
• Use another staff member’s smartcard to gain access to computer systems;
• Leave smartcards inserted into the keyboard when not in use;
• Send patient/staff identifiable/sensitive information across the e-mail unless absolutely unavoidable;
• Send/store passwords in the same ‘file’ as the data;
• Use someone else’s password;
• Leave the keys in lockable cupboards / drawers.
Data Protection Act 1998
The Data Protection Act (the “Act”) protects an individual’s personal information (known in the Act as ‘personal data’), gives rights of access to such information, and establishes a supervisory body to enforce the law.
The Act applies to the ‘processing’ of personal information held on computer and to ‘structured’ paper records, together with images recorded on CCTV surveillance equipment.
It regulates the use of personal information that, on its own or in conjunction with other information, enables a living person to be identified. This includes name, address, age, race, religion, and physical, mental or sexual health.
For the purposes of the Act, the Trust is a ‘Data Controller’, which means that we hold and use patient / staff information.
Personal Data
Personal data is information relating to a living person, and includes any expression of opinion about the person.
For the Trust, all of the information held about patients and staff, whether electronically or on paper, falls within the definition of data prescribed by the Act.
Act Principles
The Act is based on eight protection principles, or rules for good information handling. In summary, the information must be:
• Processed fairly and lawfully;
• Processed only for specified and lawful purposes;
• Adequate, relevant and not excessive;
• Accurate and kept up-to-date;
• Not kept longer than necessary;
• Respectful of Data Subjects’ rights;
• Kept secure by technical/organisational means;
• Transferred outside the EEA only if privacy is respected.
Your Role
Does the Act affect you?
Yes! The Act applies to anyone who handles or has access to information about any individual.
The Act ensures that information held on computers and in paper-based systems is managed properly. You must ensure that you protect personal information by following the eight principles of good practice.
Access Rights
The Data Protection Act gives an individual several rights in relation to the information held about them. This is known as the right of subject access and includes:
• The right to seek access to their records held by the Trust;
• The right to obtain a copy of the record in permanent form or to view a record without obtaining a copy;
• The right to rectification, blocking, erasure and destruction of information: the individual may apply to a court to order the Trust to rectify, block or destroy personal details if they are inaccurate or contain expressions of opinion based on inaccurate information;
• The right to ask the Information Commissioner to assess whether the Act has been contravened.
When an access request is made there are two circumstances under which access may be denied or restricted:
• If the record contains third party information, where that third party has not consented to their information being disclosed;
• If access to all or part of the record will seriously harm the physical or mental wellbeing of the individual, or any other person. If possible the individual should be provided with access to that part of the record that does not pose the risk of serious harm.
Exempt Information
The Trust (as the data controller) can withhold certain kinds of ‘exempt’ information, including:
• Personal information about someone else (third party);
• Information that would identify someone who has supplied information about the data subject;
• References – a confidential reference from the person / body which gave it;
• Adoption records and reports;
• Information that could cause harm / distress to an individual/s.
Disclosure Rules
If you, or the Trust, disclose personal data to somebody who is not entitled to have it you can be prosecuted; it is a criminal offence.
Here are two golden rules to remember:
1. Make sure you know who you are dealing with. Checking and verifying the identity of the person making a data request will help to protect against disclosing data to people who are not authorised to have it.
2. Never make assumptions! Always check and, if in doubt, refuse to supply the data. As long as you are polite, those who are making legitimate data requests will understand that you are acting in their best interests and protecting their confidentiality. If in doubt contact your line manager or the Data Protection Officer.
Best Practice Guidelines - Telephone
• Be careful about leaving messages on answerphones;
• Be careful when taking messages off answerphones and ensure that messages cannot be overheard whilst being played back.
When receiving calls requesting personal information:
• Verify the identity of the caller;
• Ask for a reason for the request;
• If in doubt as to whether information should be disclosed, tell the caller you will call them back. Seek advice from your line manager or the data protection officer;
• Call back to the main switchboard or known and trusted numbers only – not direct lines you do not recognise or mobile telephones.
Best Practice Guidelines - Faxing
Do not fax personal or confidential information unless it is absolutely necessary. If it is necessary, ensure that you fax the information to a ‘Safe Haven’ / secure fax.
Safe Haven is an agreed set of administrative and physical security procedures for minimising the risk of breach of confidentiality when sending information via fax. If faxing personal or confidential information:
• Double check the fax number;
• Ask the recipient to confirm receipt of the fax;
• Ensure you mark the fax header “Private and Confidential”;
• Personal details (e.g. name & address) should be faxed separately from clinical details, which must be accompanied by the relevant patient identification number.
Best Practice Guidelines - E-mail
An e-mail is the term given to an electronic message that is sent via a computer over a network to another user, who will read it in much the same way as a letter. Unfortunately e-mails can be intercepted by the wrong people. For this reason, it is essential to ensure that:
• The body of any e-mail text does not contain patient/staff identifiable/sensitive information. Any such information that needs to be sent via e-mail must always be sent as an encrypted (password) attached file, with the password being sent under the cover of a separate e-mail;
• Always treat attachments on emails from outside the Trust with caution.
Best Practice Guidelines - Post
• Ensure envelopes are marked “Private and Confidential”;
• Double check the full postal address of the recipient;
• Choose a secure method of sending confidential information through the external post (e.g. recorded delivery or private courier);
• When necessary ask the recipient to confirm receipt;
• Ensure that incoming confidential post is handled appropriately.
Best Practice Guidelines - Photocopying
• Do not make excessive copies of confidential information;
• Do not leave confidential information on the photocopying machine;
• Regularly check/update your distribution list to ensure copies are not sent to staff who have left the Trust.
Best Practice Guidelines - Waste Bin
• Be sure that you dispose of confidential information appropriately;
• All personal information is confidential and should either be shredded or placed in ‘blue’ confidential waste bags. NEVER put confidential information in black refuse bags or recycling bins;
• Confidential waste paper must not be used as scrap paper for messages, notes etc.
• LEARN – what is a rubbish bin vs a recycling bin vs a confidential waste bin!!
Best Practice Guidelines - Office
• Remember to lock and secure the office when it is unattended and at the end of the day;
• Close and lock all windows / close the blinds or curtains;
• Set the intruder alarm system, if fitted;
• Remember to wear your identity badge.
Best Practice Guidelines - Filing Cabinet
• Ensure that filing cabinets containing confidential information are always kept locked when not in immediate use – REMOVE the keys;
• Ensure filing cabinets are not sited in areas which are accessible to members of the public/visitors;
• Ensure regular housekeeping of your files;
• When destroying information ensure you comply with NHS retention guidelines.
Best Practice Guidelines - Desk
• Operate a clear desk policy, especially when ‘hot desking’ or working in an open plan office;
• Do not leave confidential information unattended or out overnight, which is particularly important when hot desking or working in an open plan office.
Best Practice Guidelines - Person
• Ensure you hold confidential conversations in an appropriate place. Inappropriate places include corridors, open plan offices, and at the photocopier;
• Gain the patient’s consent before sharing their personal information with relatives.
Freedom of Information Act 2000
It is a law giving people the general right to see recorded information held by public authorities, from central government departments to much smaller bodies such as health trusts, parish councils and schools.
The Act helps people get a better understanding of how public authorities carry out their duties, make decisions and spend public money.
Access is to be granted without significant formality, without inquiry into the motives of the applicant and at a subsidised cost.
Publication Scheme
The publication scheme is a guide to the information the Trust holds, and must be published. It gives people access to some information without them having to make specific requests.
The current publication scheme may be found on the Trust’s internet site.
Requesting Information
Anyone has a right to request information held by the Trust.
Any person making a request for information to the Trust is entitled:
• To be informed in writing whether it holds the information;
• If so, to have that information communicated to them.
This is known as the ‘duty to confirm or deny’ (unless the information is exempt).
Some of the records requested might contain exempt information, which does not have to be provided when responding to a request.
There are 23 exemptions from the general rights of access, for example certain information relating to national security, commercially sensitive or personal confidential information.
Exemptions that do not have a public interest test are known as ‘absolute exemptions’.
Some of the exemptions require the Trust to consider whether it is in the public interest to withhold information. These are known as ‘qualified exemptions’.
The Trust generally has 20 working days in which to respond to a request.
Records Management
Managing records effectively is essential for making access to information possible. Records management covers all aspects of a record’s life, from creating it to maintaining it, and then its disposal (either through storage in an archive or destroying it). Good records should be:
• Factual, accurate;
• Relevant and useful;
• Clear and concise;
• Up to date;
• Complete.
NOT:
• Unnecessary jargon;
• Personal opinions;
• Offensive language.
Record Types
Records can be in physical or technical formats, including:
• In a paper record-keeping system;
• On computer, including emails;
• On film records, such as CCTV (Subject Access through DPA).
ALSO COVERS:
• Information located in ‘confidential’ waste;
• Information on computers;
• Information stored on computer internal drives, USB memory sticks and CD disks.
Records Disposal
The Trust’s Corporate Procedural Guideline CPG9 (g) Storage, Retention and Destruction of Records will tell you which records should be kept and for how long, prior to disposal.
Destroy records in a secure way. Place securely in blue ‘confidential waste’ bags or shred. Do not place patient/staff identifiable information in ‘waste paper bins’.
Make a note of how, when and where the record(s) were destroyed, together with any reference numbers.
Now you need to take the Test.
Please click the ‘Test’ icon in the left column, and then click for Questions.
Remember to click the ‘Home’ icon when you finish the Test to save your results.