SEPT - MANDATORY TRAINING

How to Find Your Way Around…
1. You can play the PowerPoint, and find the Test here.
2. You can minimise this column and make the main page bigger by clicking this icon. Click it again to bring it back.
3. Always click this ‘Home’ icon to save your progress and log off. This is very important!

Information Governance

Introduction
Taken in its widest context, Information Governance is the framework, structures and processes that ensure the security, confidentiality and integrity of the Trust’s data and information about its patients / clients and employees, in particular personal sensitive information, including corporate information.

Information Governance is a framework for handling information in a confidential and secure manner, to appropriate ethical and quality standards, in a modern health service Trust.

It allows the Trust and individuals to:
• Ensure that personal information is dealt with legally, securely, efficiently and effectively;
• Provide a framework to bring together all of the requirements, standards and best practices that apply to the handling of all information;
• Focus on setting standards and giving the Trust the tools to achieve these standards;
• Achieve the goal to be consistent in the way it handles personal / corporate information;
• Lead improvements in information handling, patient confidence in the Trust and employee training and development.

Working with Others
Information Governance also helps employees to work with others outside of their own areas. It depends on teamwork and good communication among all staff to encourage:
• Sharing of good practice ideas across directorates and departments;
• Joint initiatives between other health care organisations;
• Avoidance of duplication through shared efforts.

Will learning about information governance assist me to follow best practice guidelines and manage personal information more effectively?

Information Governance helps ensure that all Trust employees follow best practice guidelines on information handling. Information Governance helps all employees to manage personal information for the benefit of the patient, service user or employee. Patients, service users and staff will know that their records will not be disclosed inappropriately, which will:
• Give them greater trust in our working practices;
• Encourage them to be more open to sharing important personal information;
• Ensure they receive the best quality care.

Information Governance Framework
Information Governance provides a consistent way for Trust staff to deal with the main information handling requirements. The foundation of the IG framework is provided by legislation as well as NHS guidance. These include:
• Data accreditation and quality;
• Caldicott sharing of patient identifiable information;
• Consent to sharing of personal information;
• ISO 27000 series - Information security management;
• Common law of confidentiality;
• The Data Protection Act 1998;
• The Freedom of Information Act 2000;
• Environmental Information Regulations 2004;
• Records Management.

Information Handling Standards
The Department of Health has developed clear standards of information handling to ensure that information is:
• Held securely and confidentially;
• Obtained fairly and efficiently;
• Recorded accurately and reliably;
• Used effectively and ethically;
• Shared appropriately and lawfully.

The information standards assist the Trust to ensure that:
• Appropriate management structures and personnel are in place to oversee the IG arrangements;
• Information within computerised and paper-based systems is held securely, is accurate and is available when and where required;
• Processes and procedures for information and records are efficient and effective;
• Employees are provided with guidance and appropriate, effective mandatory training;
• Information Governance assessments are performed annually by the Trust to help identify good practice and highlight areas that can be improved.

Duty of Confidentiality
All employees of the Trust who record, handle, store or otherwise come across information have a personal common law duty of confidence to patients and staff. Health professionals have, by virtue of professional regulation, an ethical ‘duty of confidence’ which, when considering whether information should be disclosed, includes paying special regard to the health needs of the patient and to their wishes.

Remember:
• Keep personal information private (i.e. avoid gossip and inappropriate venues for discussion of patient care / employee information);
• Ensure confidential information is not unlawfully or inappropriately accessed (leaving answerphone messages with no PID);
• Report any breaches in confidentiality to your line manager and to the Information Governance Team;
• Ensure you know who you are communicating with before disclosing confidential information (i.e. on the telephone);
• Comply with the Trust’s computer safety / information security procedures;
• Do not leave manual records unattended;
• Lock rooms and cupboards where confidential information is stored;
• Dispose of confidential information in an appropriate manner.

This applies equally to those, such as students or trainees, on temporary placements.
Information Security
Information security is the protection of information from loss, corruption or misuse. It means providing safeguards for personal information about patients and staff as well as personal and commercially sensitive information, such as patient information, business plans and activity data. It is concerned with:
• Confidentiality – only staff who are authorised to process information can access it;
• Reliability – personal information should be accurate and suitable for the processing purpose;
• Availability – authorised information users should be able to access the information if they need it for specific purposes.

Information security is vital if the South Essex Partnership University NHS Foundation Trust (the “Trust”) is to provide partnership services in Bedfordshire, Essex and Luton.

Maintaining Confidentiality
• Everyone involved in the collection and use of health information in the NHS has a legal duty of confidence, both towards patients and towards their employer. This is documented in all Trust employees’ contracts of employment and in the Trust’s disciplinary procedures.
• The general rule is that information provided in confidence should not be used or passed on except as originally understood by the confider, unless they have given their express permission (consent).

Patient Information
You must always make sure you are using information for legitimate purposes and sharing it only with people who have an authorised need to know. Legitimate purposes will include, apart from the primary purpose of delivering patient care:
• Necessary healthcare administration;
• Clinical audit;
• Monitoring and protecting public health.

Patient information will routinely be seen and used by a number of medical and administrative staff in the course of their duties, including staff based in hospitals, GP practices, health centres and health authorities, according to their job role and permitted levels of access.

It may occasionally be necessary to pass information to a third party for purposes which are not routine, or not reasonably foreseeable by the patient. Such disclosures should normally be made on the decision of the clinician responsible for the patient’s care, who can demonstrate proper legal and ethical justification, and wherever practicable with the prior knowledge and consent of the patient.

Patient Information
Be aware of Trust protocols for sharing patient information, and ensure you comply with them. Avoid disclosing the identity of individual patients if the recipient can use anonymised data. And in every case where information about patients is shared, keep identifying details to the minimum.

Finally, you should never seek out information for your own curiosity, or at anyone else’s request if they do not have a legitimate professional reason for asking. Obtaining or passing on information in these circumstances can cause distress to the patient and harm the good reputation of the Trust. Deliberate breaches will be treated as a disciplinary matter and may result in dismissal, or prosecution for a criminal offence.

Data Quality
• ‘Data quality’ is the umbrella term we use for the reliability of recorded information in all its forms. High quality data is accurate, complete, recorded in a timely manner and readily available to those who need to use it. The Trust recognises that the efficiency and effectiveness of its healthcare services depend on high quality data.
• If you collect or record any information, especially if it relates to individual people, take care to ensure its accuracy and completeness. This is normally best achieved by capturing data as close as possible to the event, preferably involving the clinician or the person themselves. It also means knowing and applying any documented standards and procedures that relate to the particular systems or data. If you think something looks wrong, deal with it there and then, or refer it to your line manager or the data protection officer.

Computer Security
Most employees now use computers as part of their job role and therefore have specific responsibilities for information security. Access to Trust computers and networks is conditional on your agreement to abide by the ten essential security rules, which represent a minimum standard of good practice:
• Always work under your own user name and password.
• Choose a password that is not obvious to anyone and change it if you have any reason to suspect it has become compromised.
• Never allow anyone else to work under your user name.
• Always lock your screen, log out or disconnect your session on a Windows Terminal before leaving your PC.
• Keep sensitive information out of sight. Position screens carefully and file confidential papers safely when not in use.
• Understand how to save your work onto the network in your secure folders so that it is secure, available to those who need it, and backed up appropriately. Never save your work to ‘My Documents’ or the C: drive etc.
• Do not attempt to access any information which you are not authorised to see.
• Do not use the Trust’s equipment, software or data for any purpose other than official business.
• Do not introduce games, or any software, unless it is formally authorised and licensed for use on Trust premises.
• If you suspect a security weakness, virus infection or breach of any of these rules, report it immediately to your manager.
Passwords
Would you tell a stranger your credit card PIN number?
• Never disclose your passwords to anyone, not even your closest colleagues. If you suspect someone may know it, change it immediately.
And:
• Change your password regularly;
• Add some numbers and special characters, such as - £ $ & @ #, to further increase security;
• Choose a password that cannot be guessed;
• Always ensure no one is watching as you enter your password;
• Never share your password;
• Never attempt to gain access to a system using someone else’s password.

Laptops & Mobiles
The Trust now has a large number of portable, hand-held and laptop computers, which are used throughout its premises. These are valuable items, especially attractive to thieves, and extra precautions are called for:
• Do not leave the computer unattended at any time;
• Particular care should be taken in public areas or when travelling between locations. Never leave the computer visible in your car (keep it in the boot);
• Data should never be stored on the hard drive of any mobile device;
• Ensure floppy, compact and flash disks are held securely away from the computer;
• If files contain sensitive or personal information they should be password protected;
• Should loss or theft occur, in the first instance report the incident to the Police, obtain a crime reference number and report it via Datix to the IT&T Department and the Information Governance Team.

Smartcards
Smartcards are required to access national information systems (e.g. NHS Care Records Service, Electronic Staff Record, SystmOne, etc.). They are used in conjunction with a PIN number, providing an additional layer of security to help prevent unauthorised access to the systems and the information held within them. You are personally responsible for ensuring that patient / staff information is protected and only used for specific and lawful purposes. Smartcards are issued to individual members of staff and must only be used by the person whose name is on the card.

USB Memory Sticks
They have many names, including USB pens, USB keys, mini-USB drives, flash drives etc. They use ‘flash’ memory to store data; this is a form of memory that keeps its content even when unplugged and power is removed. USB memory sticks are a very convenient method for carrying information and data around with you. However, the risks associated with these are great because they are very small and weigh next to nothing, so can easily be lost. These devices should only be used for transferring information and not for storage, and only Trust issued devices should be used as these are protected by encryption. Please refer back to Trust policy and guidance before requesting a device.

Faxing
Safe Haven is an agreed set of administrative and physical security procedures for minimising the risk of breach of confidentiality when sending information via fax. Do not fax personal or confidential information unless it is absolutely necessary. If it is necessary, ensure that you fax the information to a ‘Safe Haven’ / secure fax. If faxing personal or confidential information:
• Double check the fax number;
• Send a front cover sheet only and ask the recipient to confirm receipt of the fax;
• Ensure you mark the fax header “Private and Confidential”;
• Use the redial button to ensure the fax goes to the same place;
• Save the transmission slip with the fax in the appropriate record;
• Personal details (e.g. name & address) should be faxed separately from clinical details, which must be accompanied by the relevant patient identification number.

E-mail
An e-mail is the term given to an electronic message that is sent via a computer over a network to another user, who will read it in much the same way as a letter. Unfortunately e-mails can be intercepted by the wrong people.
For this reason, it is essential to ensure that:
• The body of any e-mail text does not contain patient/staff identifiable/sensitive or corporately sensitive information.
• NHS Mail (nhs.net accounts) is a secure, encrypted, approved method of sending such sensitive information. When sending from nhs.net to nhs.net (or other secure networks – please see Trust policy) password protection is not required.
• If using Outlook (@sept.nhs.uk) then password protected attachments MUST be used for such sensitive information, and no information is to be held in the body or the header of the e-mail which could identify a person.
• When using password protection, best practice is to telephone or text through the password – where this is not possible, ensure that a suitable time delay lapses before any password is sent in a separate

Remember the Dos
• Ensure all patient/staff identifiable information is password protected;
• Use Trust purchased devices only;
• Ensure any portable media (i.e. laptops, USB keys, PDAs, mobile phones, discs, etc.) is access protected by password;
• Send equipment (computers, USB keys, discs, etc.) to the IT&T Department for secure disposal;
• Read the Trust policies and procedures to ensure you are aware of your responsibilities in keeping information confidential and secure;
• Keep smartcards in a safe and secure place at all times;
• Lock screens or log off when not using any computer;
• Always use Safe Haven procedures when sending/receiving patient/staff identifiable information;
• Ensure that anything sent in an e-mail is either password protected or sent by NHS.net;
• Change passwords regularly, adding some numbers and special characters.

Remember the Don'ts
• Use personal USB memory sticks;
• Never store patient/staff identifiable information on any USB key, organiser/electronic diary, laptop or Toughbook – only use them for transfer;
• Never leave portable media (i.e. USB memory sticks, laptops, Toughbooks, discs, etc.) in view in a car or overnight;
• Never leave patient/staff identifiable information on an ‘open’ PC screen when the office is unattended;
• Never share passwords;
• Use another staff member’s smartcard to gain access to computer systems;
• Leave smartcards inserted into the keyboard when not in use;
• Send patient/staff identifiable/sensitive information across e-mail unless absolutely unavoidable;
• Send/store passwords in the same ‘file’ as the data;
• Use someone else’s password;
• Leave the keys in lockable cupboards / drawers.

Data Protection Act 1998
• The Data Protection Act (the “Act”) protects an individual’s personal information (known in the Act as ‘personal data’), gives rights of access to such information, and establishes a supervisory body to enforce the law.
• The Act applies to the ‘processing’ of personal information held on computer and to ‘structured’ paper records, together with images recorded on CCTV surveillance equipment.
• It regulates the use of personal information that, on its own or in conjunction with other information, enables a living person to be identified. This includes name, address, age, race, religion, and physical, mental or sexual health.
• For the purposes of the Act, the Trust is a ‘Data Controller’, which means that we hold and use patient / staff information.

Personal Data
Personal data is information relating to a living person, and includes any expression of opinion about the person. For the Trust, all of the information held about patients and staff, whether electronically or on paper, falls within the definition of data prescribed by the Act.

Act Principles
The Act is based on eight protection principles, or rules for good information handling.
In summary, the information must be:
• Processed fairly and lawfully;
• Processed only for specified and lawful purposes;
• Adequate, relevant and not excessive;
• Accurate and kept up to date;
• Not kept longer than necessary;
• Respectful of Data Subjects’ rights;
• Kept secure by technical/organisational means;
• Transferred outside the EEA only if privacy is respected.

Your Role
Does the Act affect you? Yes! The Act applies to anyone who handles or has access to information about any individual. The Act ensures that information held on computers and in paper-based systems is managed properly. You must ensure that you protect personal information by following the eight principles of good practice.

Access Rights
The Data Protection Act gives an individual several rights in relation to the information held about them. This is known as the right of subject access and includes:
• The right to seek access to their records held by the Trust;
• The right to obtain a copy of the record in permanent form or to view a record without obtaining a copy;
• The right to rectification, blocking, erasure and destruction of information: to apply to a court to order the Trust to rectify, block or destroy personal details if they are inaccurate or contain expressions of opinion based on inaccurate information;
• The right to ask the Information Commissioner to assess whether the Act has been contravened.

When an access request is made there are two circumstances under which access may be denied or restricted:
• If the record contains third party information, where that third party has not consented to their information being disclosed;
• If access to all or part of the record will seriously harm the physical or mental wellbeing of the individual, or any other person. If possible the individual should be provided with access to that part of the record that does not pose the risk of serious harm.

Exempt Information
The Trust (as the data controller) can withhold certain kinds of ‘exempt’ information, including:
• Personal information about someone else (third party);
• Information that would identify someone who has supplied information about the data subject;
• References – a confidential reference from the person / body which gave it;
• Adoption records and reports;
• Information that could cause harm / distress to an individual/s.

Disclosure Rules
If you, or the Trust, disclose personal data to somebody who is not entitled to have it you can be prosecuted - it is a criminal offence. Here are two golden rules to remember:
1. Make sure you know who you are dealing with. Checking and verifying the identity of the person making a data request will help to protect against disclosing data to people who are not authorised to have it.
2. Never make assumptions! Always check and, if in doubt, refuse to supply the data. As long as you are polite, those who are making legitimate data requests will understand that you are acting in their best interests and protecting their confidentiality.
If in doubt contact your line manager or the Data Protection Officer.

Best Practice Guidelines - Telephone
• Be careful about leaving messages on answerphones;
• Be careful when taking messages off answerphones and ensure that messages cannot be overheard whilst being played back.
When receiving calls requesting personal information:
• Verify the identity of the caller;
• Ask for a reason for the request;
• If in doubt as to whether information should be disclosed, tell the caller you will call them back. Seek advice from your line manager or the data protection officer;
• Call back to the main switchboard or known and trusted numbers only – not direct lines you do not recognise or mobile telephones.

Best Practice Guidelines - Faxing
Do not fax personal or confidential information unless it is absolutely necessary. If it is necessary, ensure that you fax the information to a ‘Safe Haven’ / secure fax. Safe Haven is an agreed set of administrative and physical security procedures for minimising the risk of breach of confidentiality when sending information via fax. If faxing personal or confidential information:
• Double check the fax number;
• Ask the recipient to confirm receipt of the fax;
• Ensure you mark the fax header “Private and Confidential”;
• Personal details (e.g. name & address) should be faxed separately from clinical details, which must be accompanied by the relevant patient identification number.

Best Practice Guidelines - E-mail
An e-mail is the term given to an electronic message that is sent via a computer over a network to another user, who will read it in much the same way as a letter. Unfortunately e-mails can be intercepted by the wrong people. For this reason, it is essential to ensure that:
• the body of any e-mail text does not contain patient/staff identifiable/sensitive information. Any such information that needs to be sent via e-mail must always be sent as an encrypted (password) attached file, with the password being sent under the cover of a separate e-mail;
• you always treat attachments on e-mails from outside the Trust with caution.

Best Practice Guidelines - Post
• Ensure envelopes are marked “Private and Confidential”;
• Double check the full postal address of the recipient;
• Choose a secure method of sending confidential information through the external post (e.g. recorded delivery or private courier);
• When necessary ask the recipient to confirm receipt;
• Ensure that incoming confidential post is handled appropriately.
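As an added example, not code from the Trust or its training, the following Python check applies the e-mail rules set out in the E-mail section and the Best Practice Guidelines - E-mail section to constructed sample messages: an nhs.net-to-nhs.net route needs no password protection, any other route (such as @sept.nhs.uk) requires password-protected attachments with nothing identifying in the subject or body, and the password must never travel in the same message as the data. The keyword list, addresses and message contents are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# The training names nhs.net to nhs.net as the secure route; other approved
# secure networks would be added here per Trust policy (assumption).
SECURE_DOMAINS = {"nhs.net"}

# Constructed marker patterns standing in for patient/staff identifiable or
# clinical content; a real deployment would use the Trust's own definitions.
SENSITIVE_PATTERNS = {
    "NHS number": r"\bnhs number\b",
    "date of birth": r"\bdate of birth\b",
    "diagnosis": r"\bdiagnosis\b",
    "home address": r"\bhome address\b",
    "medication": r"\bmedication\b",
}
# A password written into the same message as the data it protects.
PASSWORD_IN_BODY = re.compile(r"\bpassword\s*(?:is|:)\s*\S+", re.IGNORECASE)


@dataclass
class Attachment:
    name: str
    password_protected: bool


@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def route_is_secure(mail: Email) -> bool:
    """True only when the sender and every recipient are on a secure network."""
    return domain_of(mail.sender) in SECURE_DOMAINS and all(
        domain_of(r) in SECURE_DOMAINS for r in mail.recipients)


def sensitive_terms(text: str) -> list:
    """Labels of the constructed markers found in the text."""
    return [label for label, pattern in SENSITIVE_PATTERNS.items()
            if re.search(pattern, text, re.IGNORECASE)]


def check_email(mail: Email) -> list:
    """Return the policy violations; an empty list means the message may be sent."""
    violations = []
    # Rule 1: subject (header) and body never carry identifiable/sensitive information.
    hits = sensitive_terms(mail.subject + "\n" + mail.body)
    if hits:
        violations.append("identifiable/sensitive content in subject or body: " + ", ".join(hits))
    # Rule 2: outside nhs.net-to-nhs.net, data travels only in password-protected attachments.
    if not route_is_secure(mail):
        for att in mail.attachments:
            if not att.password_protected:
                violations.append(f"attachment '{att.name}' is not password protected on a non-nhs.net route")
    # Rule 3: the password goes by phone/text or a separate later e-mail, never with the data.
    if mail.attachments and PASSWORD_IN_BODY.search(mail.body):
        violations.append("password sent in the same e-mail as the attachment")
    return violations


# Constructed sample messages (addresses and contents are illustrative only).
SAMPLE_SECURE = Email(
    sender="nurse@nhs.net", recipients=["consultant@nhs.net"],
    subject="Clinic letter", body="Attached as discussed; please confirm receipt.",
    attachments=[Attachment("clinic_letter.pdf", password_protected=False)])

SAMPLE_UNPROTECTED = Email(
    sender="admin@sept.nhs.uk", recipients=["practice@example-gp.invalid"],
    subject="Referral", body="Please see the attached referral form.",
    attachments=[Attachment("referral.docx", password_protected=False)])

SAMPLE_LEAKY = Email(
    sender="clinician@sept.nhs.uk", recipients=["practice@example-gp.invalid"],
    subject="Referral", body="Jane's diagnosis is in the attached letter. The password is Summer24",
    attachments=[Attachment("letter.docx", password_protected=True)])

if __name__ == "__main__":
    for name, mail in (("secure", SAMPLE_SECURE), ("unprotected", SAMPLE_UNPROTECTED),
                       ("leaky", SAMPLE_LEAKY)):
        print(name, check_email(mail) or "OK")
```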
Best Practice Guidelines - Photocopying
• Do not make excessive copies of confidential information;
• Do not leave confidential information on the photocopying machine;
• Regularly check/update your distribution list to ensure copies are not sent to staff who have left the Trust.

Best Practice Guidelines - Waste Bin
• Be sure that you dispose of confidential information appropriately;
• All personal information is confidential and should either be shredded or placed in ‘blue’ confidential waste bags. NEVER put confidential information in black refuse bags or recycling bins;
• Confidential waste paper must not be used as scrap paper for messages, notes etc.;
• LEARN – what is a rubbish bin vs a recycling bin vs a confidential waste bin!!

Best Practice Guidelines - Filing Cabinet
• Ensure that filing cabinets containing confidential information are always kept locked when not in immediate use – REMOVE the keys;
• Ensure filing cabinets are not sited in areas which are accessible to members of the public/visitors;
• Ensure regular housekeeping of your files;
• When destroying information ensure you comply with NHS retention guidelines.

Best Practice Guidelines - Office
• Remember to lock and secure the office when it is unattended and at the end of the day;
• Close and lock all windows / close the blinds or curtains;
• Set the intruder alarm system, if fitted;
• Remember to wear your identity badge.

Best Practice Guidelines - Desk
• Operate a clear desk policy, especially when ‘hot desking’ or working in an open plan office;
• Do not leave confidential information unattended or out overnight, which is particularly important when hot desking or working in an open plan office.

Best Practice Guidelines - Person
• Ensure you hold confidential conversations in an appropriate place. Inappropriate places include corridors, open plan offices, and at the photocopier;
• Gain the patient’s consent before sharing their personal information with relatives.

Freedom of Information Act 2000
• It is a law giving people the general right to see recorded information held by public authorities, from central government departments to much smaller bodies such as health trusts, parish councils and schools etc.
• The Act helps people get a better understanding of how public authorities carry out their duties, make decisions and spend public money.
• Access is to be granted without significant formality, without inquiry into the motives of the applicant and at a subsidised cost.

Publication Scheme
• The publication scheme is a guide to the information the Trust holds, and must be published. It gives people access to some information without them having to make specific requests.
• The current publication scheme may be found on the Trust’s internet site.

Requesting Information
• Anyone has a right to request information held by the Trust.
• Any person making a request for information to the Trust is entitled:
  • To be informed in writing whether it holds the information;
  • If so, to have that information communicated to them;
  • This is known as the ‘duty to confirm or deny’ (unless the information is exempt).
• Some of the records requested might contain exempt information, which does not have to be provided when responding to a request.
• There are 23 exemptions from the general rights of access. For example: certain information relating to national security, commercially sensitive or personal confidential information.
• Exemptions that do not have a public interest test are known as ‘absolute exemptions’.
• Some of the exemptions require the Trust to consider whether it is in the public interest to withhold information. These are known as ‘qualified exemptions’.
• The Trust generally has 20 working days in which to respond to a request.

Records Management
Managing records effectively is essential for making access to information possible. Records management covers all aspects of a record’s life, from creating it to maintaining it, and then its disposal (either through storage in an archive or destroying it).

Good records should be:
• Factual, accurate;
• Relevant and useful;
• Clear and concise;
• Up to date;
• Complete.
NOT:
• Unnecessary jargon;
• Personal opinions;
• Offensive language.

Record Types
Records can be in physical or technical formats, including:
• In a paper record-keeping system;
• On computer, including e-mails;
• On film records, such as CCTV (subject access through the DPA).
ALSO COVERS:
• Information located in ‘confidential’ waste;
• Information on computers;
• Information stored on computer internal drives, USB memory sticks and CD disks.

Records Disposal
The Trust’s Corporate Procedural Guideline CPG9 (g) Storage, Retention and Destruction of Records will tell you which records should be kept and for how long, prior to disposal. Destroy records in a secure way. Place securely in blue ‘confidential waste’ bags or shred. Do not place patient/staff identifiable information in ‘waste paper bins’. Make a note of how, when and where the record(s) were destroyed, together with any reference numbers.

Now you need to take the Test. Please click the ‘Test’ icon in the left column, and then click for Questions. Remember to click the ‘Home’ icon when you finish the Test to save your results.