Add to collection(s) Add to saved
  1. Science
  2. Health Science

Acceptable Use of Personally Identifiable Information (PID) Policy

advertisement 
Acceptable Use of
Personally Identifiable
Information (PID) Policy
North Cumbria University Hospitals NHS Trust
Acceptable Use of Personally Identifiable Information (PID) Policy
Publication Date: 28/02/2013
Author/Contact
Version 1.0
DOCUMENT CONTROL
Deputy Director of IM&T
Tel: 01228 814080
Email: paul.wiggins@ncuh.nhs.uk
Equality Impact Assessed
N/A
Version
1.0
Status
Approved
Publication Date
28/02/2013
Review Date
28/02/2016
Approved by: Information Governance Group
Date: 21/01/2013
Trust Policy Group
Date: 19/02/2013
Governance & Quality Committee (for noting)
Date: 12/02/2013
Please note that the Intranet version of this document is the only version that is
maintained.
Any printed copies should therefore be viewed as “uncontrolled” and as such, may not
necessarily contain the latest updates and amendments.
Approved documents related to this policy
Name Policy
Document Reference / Hyperlink
Safe Haven Procedure (ISMS 1018)
Statement of changes made
Version
Date
Changes / comments received from
0.01
19/11/2010 Initial draft in policy format – IG Support Officer
0.02
26/11/2010 Policy name changed to differentiate this policy from the
existing Safe Haven policy
0.03
08/12/2010 Rewording of document to differentiate between existing
Safe Haven terminology and new secure environment
0.04
13/12/2010 Further rewording
0.05
11/01/2011 Minor changes to document, including reference hyperlinks
0.06
12/01/2011 Reviewed prior to presentation to Project Board
0.07
02/03/2011 Minor amendments from Caldicott Guardian
0.08
09/03/2011 Minor amendments from Information Systems Manager
(Clinical)
0.09
15/03/2011 Minor amendments from Data Protection Officer
0.10
21/03/2011 Addition of definitions table
0.11
21/03/2011 Minor amendments to wording in definitions section.
Page 2 of 11
North Cumbria University Hospitals NHS Trust
Acceptable Use of Personally Identifiable Information (PID) Policy
Publication Date: 28/02/2013
Version 1.0
List of Stakeholders who have reviewed the document
Name
Graham Putnam
Paul Wiggins
Fiona Armstrong
Title
Caldicott Guardian
Data Protection Officer / Deputy Director
IM&T
Information Systems Manager (Clinical)
SUMMARY
The Department of Health has mandated NHS organisations via its Operating
Framework to ensure that where patient data is used for secondary purposes (i.e. other
than direct patient treatment or administration) it should be either completely
anonymised or pseudonymised. The latter phrase denotes a privacy enhancing
technique which allows an identity to be converted into a format which can’t be directly
seen by the user but can be converted back to clear if there is a valid reason for doing
so. It is recognised that these concepts may be difficult for staff to understand and
apply in the correct context.
This policy defines the means of managing access to authorised users to identifiable
data for the technical functions relating to processing for secondary purposes and for
supporting the de-identification of identifiable data. In addition some users may be
allowed to continue to process identifiable patient data where Regulations are in place
and a system needs to be put in place to authorise this.
All patient information systems and data bases must be within a secure environment
where access is limited and password controlled for each authorised user
The new process will be defined in terms of
a) a role given to identified members of staff approved for purposes conforming
with this policy by the Caldicott Guardian, and;
b) the processes required to both set this up and embed it in day to day working
practice.
Page 3 of 11
North Cumbria University Hospitals NHS Trust
Acceptable Use of Personally Identifiable Information (PID) Policy
Publication Date: 28/02/2013
Version 1.0
TABLE OF CONTENTS
SUMMARY .................................................................................................................. 3
1.
INTRODUCTION .............................................................................................. 5
2.
PURPOSE OF THE DOCUMENT .................................................................... 5
3.
DEFINITION OF TERMS USED / ABBREVIATIONS ....................................... 5
4.
SCOPE ............................................................................................................. 7
5.
DUTIES (ROLES & RESPONSIBILITIES) ....................................................... 7
5.1
The Chief Executive ......................................................................................... 7
5.2
The Senior Information Risk Owner (SIRO) ..................................................... 7
5.3
The Caldicott Guardian .................................................................................... 8
5.4
The Deputy Director of IM&T and Data Protection Officer ............................... 8
5.5
The Head of Information through the Data Quality/Information Management
Team ................................................................................................................ 8
5.6
All Trust Staff .................................................................................................... 8
5.7
Information Governance Group ........................................................................ 8
6.
POLICY ............................................................................................................ 8
6.1
Principles .......................................................................................................... 8
6.2
Data Flows........................................................................................................ 9
6.3
Acceptable Use Processing.............................................................................. 9
6.4
Technical processes ......................................................................................... 9
6.5
Secondary use of patient data business processes ....................................... 10
7.
IMPLEMENTATION AND TRAINING REQUIREMENTS ............................... 10
8.
PROCESS FOR MONITORING COMPLIANCE WITH POLICY .................... 10
9.
REFERENCES ............................................................................................... 10
Page 4 of 11
North Cumbria University Hospitals NHS Trust
Acceptable Use of Personally Identifiable Information (PID) Policy
Publication Date: 28/02/2013
1.
Version 1.0
INTRODUCTION
Pseudonymisation is a privacy enhancing technique now being implemented in
the NHS in the context of secondary use of patient identifiable information
The NHS has used the principle of information Safe Havens for over 20 years to
ensure appropriate measures are in place for handling of confidential patient
identifiable information. It was first defined to ensure security when fax
machines were widely used to transmit patient data. In that case a physical
location of a locked room was used to restrict access to fax machines and hence
to patient identifiable information. Later safe haven principles defined secure
conditions necessary for the handling of personally identifiable data in a wider
context. These are defined in an existing Trust Procedure (Isms1018 ‘Safe
Haven Procedure’).
In 2009 the NHS Connecting for Heath pseudonymisation Project defined NEW
Safe Haven principles which include the concept of restricting access to
identifiable data which is required to support the process of de-identifying or
pseudonymising records when required for secondary purposes. This approach
applies to the processing of patient information to achieve these new
requirements and to avoid confusion is hereafter referred to as Acceptable Use
of Patient Identifiable Data. Some secondary processing is exempted by
Regulation but controls still need to be put in place.
These requirements do not replace existing safe haven arrangements. There are
however very specific requirements for managing the transformation of data from
primary sources (patient records) into de-identified data for secondary purposes.
This also applies where controlled access to personally identifiable data is
permitted by law.
The objective of this policy is to define the necessary supporting processes
within North Cumbria University Hospitals Trust (NCUHT).
2.
PURPOSE OF THE DOCUMENT
This document defines the policy of North Cumbria University Hospitals NHS
Trust to implement the new requirements to manage Exempted, De-indentified
or Pseudonymised processes for the secondary use of patient identifiable
information.
3.
DEFINITION OF TERMS USED / ABBREVIATIONS
Term
Anonymisation
Definition
Where data has been de-identified so that individuals cannot
be identified from the data in the record. Anonymised data
cannot be re-identified.
Page 5 of 11
North Cumbria University Hospitals NHS Trust
Acceptable Use of Personally Identifiable Information (PID) Policy
Publication Date: 28/02/2013
Term
Data Provider
New Safe Haven
De-identification
Healthcare
Medical Purposes
Non-Healthcare
Medical Purposes
Patient Identifiable
Data (PID)
Primary
Data
Use
of
Pseudonymisation
Pseudonymisation
Implementation
Project (PIP)
Re-identification
Secondary Use of
Data
Transition Process
Version 1.0
Definition
An organisation or individual that provides electronic data to
users from an electronic store of data. Where the electronic
data store contains PID the Data Provider is by definition a
New Safe Haven
An organisation or individual that has been approved as a
Safe Haven for receiving, supplying, handling and storage of
PID
The process of removing or obscuring PID from datasets
Primary uses of data which directly contribute to the
diagnosis, care and treatment of an individual; or the
audit/assurance of the quality of the healthcare provided.
Secondary uses of data such as preventative medicine,
medical research, financial audit and the management of
health [and social] care services
Personally Identifiable Data or PID is used to describe the
data item(s) that could be used to identify an individual in a
set of data. This could be one piece of data, for example a
person’s name, or a collection of information such as name,
address, and date of birth. In the context of this policy this
acronym equally applies to Patient Identifiable Data as
defined in S.251 of the NHS Act 2006.
Purposes that directly contribute to the safe care of patients
are classified as primary uses and include diagnosis, referral
and treatment processes and the administration thereof.
A technique for achieving ‘Effective Anonymisation’. Where
data has been de-identified so that individuals cannot be
identified from the data in the record. Pseudonymised data
can be re-identified by the Data Provider. De-identification
can be achieved by removing patient identifiers, using
alternatives such as value ranges or by the use of a
pseudonym which can be “reversed” to “reconstruct” the
original identifier if required for a legitimate reason.
The pseudonymisation Implementation Project (PIP) is
concerned with enabling the NHS to undertake secondary
use of patient data in a legal, safe and secure manner
The process of linking pseudonymised data to an identified
source individual
Secondary use takes place where PID is used for non health
care purposes, which are not related to the direct delivery of
care.
The process of de-identifying PID into pseudonymised or
anonymised data, or re-identifying the source patient from
pseudonymised data.
Further explanation of ‘Secondary use of data’
There is an important distinction between the primary and secondary use of
data. Secondary use takes place where PID is used for non health care
Page 6 of 11
North Cumbria University Hospitals NHS Trust
Acceptable Use of Personally Identifiable Information (PID) Policy
Publication Date: 28/02/2013
Version 1.0
purposes, which are not related to the direct delivery of care. In these
circumstances the PID must be effectively anonymised or de-identified unless
the patient has given consent or the processing is covered by law, for example
given approval under S.251 of the NHS Act 2006 by the National Information
Governance Board (NIGB) Ethics and Confidentiality Committee or its successor
body under the Care and Quality Commission.
A
Register
of
section
251
approvals
can
be
found
at
http://www.nigb.nhs.uk/s251/registerapp/s251register.xls. It is expected that this
will include general purposes such as undertaking data quality work and indeed
the processing required producing pseudonymised output for secondary use.
Local information sharing for local audit which will feed back into quality assuring
care does not require section 251 approval and may be processed using PID.
However if the data is to be submitted in identifiable format to a National audit
then section 251 should be in place.
Examples of secondary use of data include performance management,
commissioning and contract management.
A Primary Targeting List (PTL) for Waiting list patients is an example of primary
use where it is used to identify offer of admission dates to patients but if it is also
used to manage performance this would be a secondary use. If this latter
purpose is met by staff given “Access to PID” status circulating only a “Pivot
Table” excluding the personally identifiable data, the law has been complied
without having to apply peudonymisation techniques.
4.
SCOPE
This policy is concerned with the security of patient information when used for
purposes other than direct patient care and is in line with the NHS Connecting
for Health Guidance on business processes and New Safe Havens (November
2009). It applies to all staff who are involved in handling such data or are
responsible for managing services which require to access de-identified
information.
5.
DUTIES (ROLES & RESPONSIBILITIES)
5.1
The Chief Executive has ultimate responsibility for ensuring that the appropriate
systems and processes are in place to protect the collection, recording, retention
and use of patient identifiable data or information.
5.2
The Senior Information Risk Owner (SIRO) is responsible to the Chief
Executive and the Board of Directors for the development and implementation of
the information risk policy and risk assessment, act as an advocate for
information risk on the board and in internal discussions, and provide written
advice to the Chief Executive on the content of the Statement of Internal Control
relating to information risk.
Page 7 of 11
North Cumbria University Hospitals NHS Trust
Acceptable Use of Personally Identifiable Information (PID) Policy
Publication Date: 28/02/2013
Version 1.0
5.3
The Caldicott Guardian: is appointed by the Board of directors to oversee the
safe and secure use and sharing of patient information. In the context of this
Policy, the Caldicott Guardian will approve requests for staff to have Access to
PID roles.
5.4
The Deputy Director of IM&T and Data Protection Officer is responsible to the
SIRO for the operational management of data protection, the confidentiality code
of conduct, and information security and for generally ensuring that the Trust
complies with all legal requirements in respect of its processing of Personally
Identifiable Data (PID). This will also include a register of staff approved to work
within the secure environment.
5.5
The Head of Information through the Data Quality/Information Management
Team is responsible for managing the new safe haven processes and applying
the rules of de-identification, pseudonymisation or anonymisation to data within
individual patient information systems or the data warehouse. Other staff will be
approved by the Caldicott Guardian to undertake these processes on a case by
case or exception basis.
5.6
All Trust Staff involved in the processing of person identifiable information and
Managers who have responsibilities for those staff must ensure the information
remains secure and confidential at all times.
5.7
Information Governance Group
The Information Governance Group is responsible to the Governance
Committee for the effective monitoring of this policy in the context of ensuring
compliance with the relevant Information Governance Requirement (IG 324).
6.
POLICY
6.1
Principles
All patient information systems and data bases must be within an electronic
environment whereby access is limited and password controlled for each
authorised user
When a patient record is used for primary (clinical) purposes the user must
be able to identify both the patient and clinical information in an effective and
safe manner to ensure appropriate delivery of care. All primary purposes
therefore require identifiable patient information to ensure patient safety
Before data is used for additional or secondary purposes not defined as
having a clinical purpose then identifiers should be removed unless an
exemption applies
The transformation of data into a suitable state for a secondary purpose is
considered to be an additional purpose and as such constitutes a secondary use
Page 8 of 11
North Cumbria University Hospitals NHS Trust
Acceptable Use of Personally Identifiable Information (PID) Policy
Publication Date: 28/02/2013
6.2
Version 1.0
Data Flows
Data flows within NCUHT were defined following a survey undertaken in October
2010. Information Asset Owners and Administrators must make the Information
Governance lead aware of new data flows which potentially impact on
pseudonymisation so that S.251 compliance can be confirmed.
The Trust is not responsible for secondary use of data within an organisation to
whom data is transferred but must ensure that its own processing of PID is
compliant prior to data transfer.
6.3
Acceptable Use Processing
With pseudonymisation comes the need to restrict access to those staff who
are either authorised to directly work with patient identifiable data for
secondary use (e.g. processing for national audits or checking data quality)
or who need to convert them into an acceptable format for wider use i.e.
facilities can only be used by a small number of authorised staff sufficient to
carry out the functions of de-identification of PID and provide cover and back
up to ensure continuity of service
Authorisation of the staff performing roles defined in this policy. Use of
Patient Identifiable Data should be through the Caldicott Guardian and will
be modelled on the local Registration Authority processes for accessing
spine based applications in terms of the definition of positions, roles and
permitted activities.
The systems used for the data de-identification processes should have
appropriate access control mechanisms to restrict access to authorised users
for the specific purpose of supporting de-identification processes
If there are paper based flows which involve patient identifiable data being
transferred then postal delivery and equipment such as fax machines should
be operated in secure areas in order to function effectively
Access to physical safe haven areas should be restricted and equipment must
have a coded password and be turned off during out of office hours. .
6.4
Technical processes
The processes that are involved in transforming the data into an acceptable
format for secondary use purposes include but may not be confined to-:
Data quality checks: ensuring that the data contained within the record is
accurate such as ensuring the patient’s NHS number, PCT code and GP
practice are correct
Undertaking derivations of identifiable data items: for example deriving age at
the start or end of an episode of care which relies on the patient’s date of
birth
Page 9 of 11
North Cumbria University Hospitals NHS Trust
Acceptable Use of Personally Identifiable Information (PID) Policy
Publication Date: 28/02/2013
Version 1.0
Undertaking record linkage: an example is to link records from different data
sets or over time usually based on NHS number and cross checking dates of
birth corroboration
Applying de-identification processes such as the production of reports from
the Trust “Data Warehouse” where patient identities and numbers are
converted into a non recognisable or pseudonymised format
6.5
Secondary use of patient data business processes
If business processes are not involved in the direct care of patients then they
must be undertaken with de-identified data. Existing processes must be
changed if they are currently undertaken using patient identifiable data
Examples of processes that must be undertaken only using de-identified data
are
Analysis and conversion into report format of waiting lists such as
numbers waiting by varying time periods
Monitoring of referral to treatment times such as number so patients
waiting by weeks
Financial management of contracts
Out of area treatments
7.
IMPLEMENTATION AND TRAINING REQUIREMENTS
The Trust’s in–house Information Governance (IG) Training (supplemented by
future developments of national IG e-learning when available) will address basic
staff awareness of pseudonymisation and the acceptable use of PID. Other user
specific training will be provided as part of the roll out to users of the Data
Warehouse.
8.
PROCESS FOR MONITORING COMPLIANCE WITH POLICY
Compliance with this policy will be assessed as part of the regular review by
Information Governance of compliance with Information Governance
Requirement 324.
9.
REFERENCES
The key legislation and policy guidance is set out below:
The Data Protection Act 1998 – Principle 7 “Appropriate technical and
Organisational measures shall be taken to make personal data secure”.
http://www.legislation.gov.uk/ukpga/1998/29/contents?view=plain
NHS Act 2006, section 251 - Control of patient information
http://www.legislation.gov.uk/ukpga/2006/41/contents?view=plain
Page 10 of 11
North Cumbria University Hospitals NHS Trust
Acceptable Use of Personally Identifiable Information (PID) Policy
Publication Date: 28/02/2013
Version 1.0
The NHS Code of Practice: Confidentiality 2003 - Annex A1 Protect patient
Information “Care must be taken, particularly with confidential clinical
Information, to ensure that the means of transferring from one location to
another is secure as they can be”.
http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/docu
ments/digitalasset/dh_4069254.pdf
The Information Commissioner’s Office (ICO) - This is the regulatory body
with responsibility for monitoring compliance with the Data Protection Act. The
Trust is required to register with the ICO to define what personal data it
processes and for what purpose
http://www.ico.gov.uk/
NHS Connecting for Health Pseudonymisation Implementation Project Reference Paper 2 – Guidance on Business Processes and new safe havens
http://www.connectingforhealth.nhs.uk/systemsandservices/sus/delivery/pseudo/
ref2busprosh.pdf
NHS Connecting for Health Information Governance Toolkit Requirement
324 (annually revised)
https://nww.igt.connectingforhealth.nhs.uk/RequirementQuestionNew.aspx?tk=4
06215495687531&lnv=4&cb=fc982fae-7dc7-4a90-bf40c30e724252f1&sViewOrgType=2&reqid=2014
Page 11 of 11
Related documents
Rubric
Rubric
National Honor Society 20142015 Essay Prompt (Pick one) 1. What
National Honor Society 20142015 Essay Prompt (Pick one) 1. What
The Open Pseudonymisation project
The Open Pseudonymisation project
Overview of Openpseudonymiser project
Overview of Openpseudonymiser project
Breast feeding rates by age (weeks): children born in 2003
Breast feeding rates by age (weeks): children born in 2003
Innovation Hub Presentation
Innovation Hub Presentation
Negative Space
Negative Space
Download
advertisement