Information Governance for Practice Staff

Introduction
• Confidentiality; including Caldicott
• Data Protection
• Information Sharing
• Freedom of Information
• Records Management
• IM&T Security
The consequences of not considering Information Governance in GP surgeries
• 2007
– April: Patient info found in skip behind building when GP branch being renovated
– November: Patient Data losses at GP surgery – 3000
• 2008
– Jan: Dictaphone holding patient identifiable information stolen from GP practice room.
– June: GP's laptop stolen from home containing 11000 patient records
– July: Back up Tape lost from GP surgery containing 11,000 records
ICO research into social concerns
– Environmental issues
– Preventing crime
– Improving education
– The National Health Service
– Equal rights
– National security
– Protecting personal information
– Protecting freedom of speech
– Unemployment
– Access to information held by public authorities
ICO research into social concerns
– Preventing crime 94%
– Protecting personal information 92%
– The National Health Service 91%
– Equal rights 89%
– National security 89%
– Improving education 88%
– Protecting freedom of speech 86%
– Environmental issues 86%
– Unemployment 80%
– Access to information held by public authorities 79%
Confidentiality
A duty of confidence arises when one
person discloses information to another;
for example - patient to clinician or
carer to social worker
in circumstances where it is reasonable
to expect that the information will be
protected and held in confidence.
The Duty of Confidentiality
continues after the
death of a patient
TRUE or FALSE
TRUE
Any information provided in
confidence, for example,
within a health record, must
remain confidential following
a patient’s death
Confidentiality - Mail
• Envelopes – Marked Private & Confidential, For Addressee Only
• Royal Mail - Special Delivery
• Courier – Trusted, Tracked, with a Signed Confirmation
• Delivery Confirmation
• Mail Opening Process
Confidentiality – Fax
• Could it go by safer means
• Use Safe Haven or Secure fax number
• Mark as Private and Confidential to a
named person
• Confirm recipient's fax number
• Transmit in 2 parts
– Confirm receipt of first faxed sheet
– Confirm receipt of remaining sheets
Confidentiality – Email
ISMS Section 6
• PII must only be sent in a password
protected or encrypted file
• DO NOT send PII in the ‘subject’ or content
of Email
• Send as High Priority and Confidential
• If possible use NHS Number
• Use Safe Haven Email addresses
• Confirm receipt
Confidentiality - Telephone
• Avoid exchanging sensitive PII unless it is a
matter of life and death
• Only exchange PII in a closed (Safe Haven)
room
• If you cannot prevent someone from giving you PII over the telephone:
– Take the caller's full details
– Verify who the caller is
– Record the PII carefully
– Read back to confirm the details
– Ask for written confirmation using agreed anonymised identifier
Confidentiality – Public Areas
Always be aware who is in the vicinity
• Who can listen to telephone calls
• Who can listen to conversations
• Who can see personal identifiable
information on desks
• Who can see personal identifiable
information on monitors
• Respect the privacy of individuals
Consent & Confidentiality
ISMS Section 3
Obtaining consent for treatment or for the disclosure
of personal information;
Consent is specific to the uses defined in the
information process;
3 types of consent - Implied, Informed and Explicit;
Some laws override the need for consent, e.g.
Children’s Act, Vulnerable Adults, Tax and Benefits;
Crime and Disorder Act s115.
Consent
ISMS Section 3
• Consent is voluntary and even if it is
signed it can be withdrawn at any time;
• Consent must be revisited regularly;
• Consent must be gained for any new use
of personal information
Information Leaflets/Posters
• Right of patients to have access to Health records
• What information is held on Patient?
• Who Information will be shared with?
• Why information is collected?
• Information given by patient will be recorded
• Records treated with respect and confidentiality
• Use of record for local clinical/performance audits
You always need consent
before doing anything with
personal information
TRUE or FALSE
FALSE
There are various conditions
(other than consent) in the
Data Protection Act which
allow you to process personal
information.
Balance
Healthcare employees are entrusted
with patients’ confidence and have a
legal obligation to protect their
privacy.
The need for confidentiality must be
balanced against the need for NHS
staff to have access to patient
information.
What is Caldicott?
ISMS Section 3
A set of principles and
recommendations put forward by the
Caldicott Committee in 1997 which
apply to Health and Social Care
Organisations to ensure Patient
Identifiable information remains
confidential and secure
Caldicott Principles
ISMS Section 3
• Justify the purpose
• Use Patient Identifiable Information only if
absolutely necessary
• Only use the minimum amount necessary
• Access only on a strictly need to know basis
• Know your responsibilities
• Understand and comply with the law
Key Requirements of Caldicott
ISMS Section 3
• Appoint a Caldicott Guardian or Lead
(should be a Senior Clinician)
• Definition of Guardian ‘one who
protects’
• Abide by Caldicott principles
• Ensure Policies and Procedures to
protect PII are in place and adhered to
The best person to
undertake the role of
Caldicott Guardian in my
GP surgery is the Practice
Manager
TRUE or FALSE
FALSE
The best person to undertake
the role of Caldicott Guardian
would be a senior clinician as
they would be expected to
advise on individual cases
where there are concerns
about patient information
ICO’s Video
‘The lights are on’
Comply with the Law
ISMS Section 3
Data Protection Act 1998 – It is your
responsibility to understand the principles in
relation to your role and your organisation
Activity (takes around 15 minutes to complete):
Split into 2 groups
Read the Data Protection Act 1998 principles
handout
Match the principles with scenarios A to H on the
following slides. There is only one scenario
considered to be correct in this exercise but you
may find that more than one principle may apply.
Activity
Which Principle does the scenario breach relate to?
Scenario A
Mr X receives a call from
Wrexham hospital to tell him
that his pregnant wife has
been admitted. Mr X was
shocked as they have been
divorced for 10 years and his
ex-wife remarried with his
best friend. Mr X informed
the hospital that he is no
longer her Next of Kin.
Scenario B
A Mother asks to see her 16
year old daughter’s School
Nurse reports as she suspects
her daughter is sexually
active. The School Nurse
says no problem, asks for the
request to be in writing and
she will provide a copy of
recent notes within 21
working Days.
Activity
Which Principle does the scenario breach relate to?
Scenario C
A health records assistant has
been tasked with checking 100
random health records to see
whether they are labelled with
the correct NHS Number. She
decides that there is not
enough space in her
department to do this task
comfortably, so she finds a
quiet meeting room in the Post
Grad Centre to do this. She
pops out for lunch for 1hr
leaving the notes unattended
and room unlocked.
Scenario D
Mrs Y moves from Mold to
Swansea and registers herself
with a new GP in Swansea.
The GP goes through her
records to get familiar with his
new Patient’s health history.
He finds abbreviations such as
HT and NLW in the notes.
When he asks the previous GP
to explain – he laughs and says
oh that means ‘Hot Totty’ and
‘Nice Looking Woman’.
Activity
Which Principle does the scenario breach relate to?
Scenario E
Nurse Hughes is approached
by PC Jones asking how his
Brother (also a Police Officer)
is doing after having been
shot in the line of duty.
Nurse Hughes mentions that
he is stable in terms of the
gun wound, but they have
found that his cancer has
spread. When the Brother
regained consciousness he
was surprised to find that his
Brother (PC Jones) knew
about the cancer. Only his
wife knew until now.
Scenario F
HR were approached by
their Trust's communications
team asking for all staff
home addresses to do a mail
shot regarding the benefits
for staff and training
opportunities available when
the implementation of the
new National Programme for
IT is complete at their Trust.
HR agree to email the staff
database to the
communications team
a.s.a.p.
Activity
Which Principle does the scenario breach relate to?
Scenario G
A USA Social Services team
heard that a UK Social Care
team were using new and
successful techniques to
handle manic depressive
young teenagers. USA team
ask for a report on the
methodology supported by
real life case reports so that
they can learn from UK
findings. UK send case notes
and reports via email to the
USA team.
Scenario H
A Finance Assistant is tasked
with disposing of any old
requisitions filed. Her
colleague tells her to get rid
of any cleared requisitions
which are more than 18
months old. The assistant
found 50+ requisitions
nearly 3yrs old which
exceeds the recommended
retention period in the DH
Records Management NHS:
Code of Practice
Subject Access Requests
ISMS Section 3
• Gives patients and staff the right to know what
personal information the organisation holds on
them
• Requests must be in writing
• The requester may not and need not quote the DPA
• The organisation must respond within 40 days.
The clock starts as soon as the request is received
by the organisation
Sharing Personal Information
ISMS Section 3
Sharing information about an individual
within and between partner agencies is
vital to the provision of co-ordinated and
seamless care to that individual.
This care includes:
– Improving the health and social care of people;
– Arranging and delivering services;
– Supporting the people in need;
– Investigating complaints.
Sharing Personal Information
ISMS Section 3
The principles underpinning the sharing of
person identifiable information are governed
by legislation, including:
– Data Protection Act 1998
– Access to Health Records Act 1990
– Human Rights Act 1998
– Freedom of Information Act 2000
– Children’s Act 1989
– Computer Misuse Act 1990
– Human Fertilisation and Embryology Act 1990
– Health and Social Care Act 2001
– NHS Venereal Diseases Regulation 2000
– Abortion Act 1967, regulations 1991
Examples of Information Sharing
• For health care purposes
- With NHS staff involved in the provision of care
- Parents and Guardians (generally children under 16)
• For purposes other than direct health care
- Social care
- Researchers
- Bodies with statutory Investigative Powers – GMC, audit commission
• Non health care purposes
- Police (with a valid request)
- Solicitors (with explicit consent from the patient)
Information Sharing Protocols
– what are they?
ISMS Section 3
A written agreement, between parties, i.e.
different groups of people who are involved in
sharing patient information, that:
• Documents how information should be shared;
• Ensures information is shared consistently,
appropriately and lawfully;
• Clearly defines individuals’ responsibilities when
sharing information to uphold patient confidentiality.
Information Sharing Protocols
– the benefits?
ISMS Section 3
Protocols go a long way in reducing the
risks of breaches because:
• They provide clear guidelines on how much
and what way and to whom information
should be shared;
• They allow individuals to make informed,
confident and timely decisions about sharing
information, to allow better patient care.
The organisation I work for has
signed up to a local information
sharing protocol therefore I can
share personal information with
any organisation that has also
signed the protocol
TRUE or FALSE
FALSE
You still need to ensure all the
legal requirements have been
met before sharing
information
When should Information Sharing
Protocols not be used?
If there are concerns relating to child or
adult protection issues, they should refer to
the relevant documents:
• All Wales Child Protection Procedures;
• The Multi-agency Inter-agency Information
Sharing Protocol for the Assessment
of Children in Need and in Need of Protection;
• Policy and procedures for responding to the
alleged or confirmed abuse of vulnerable adults.
A Policewoman turns up at
reception and demands a copy
of Mr A’s medical notes
immediately for an investigation.
The Police have that power.
TRUE or FALSE
FALSE
Unless you are provided with
a copy of a court order for
release, the police must
provide a written request
under a relevant act which
should be considered by the
practice prior to release
Requests from the Police
ISMS Section 3
• They can request records under DPA S.29 or under
S.115 of the Crime & Disorder Act 1998.
• They must provide an official written request signed
by the S.I.O. (DCI or above).
• You only need to disclose what is ‘Minimum and
Relevant’ and get a signed receipt.
• You may have to make an immediate release if they
have a dated Court Order – you must obey a Court
Order to the letter so read it carefully.
• If their case or a Court Order requires you to release
the original records, you MUST make a numbered
‘best’ copy of the records to retain.
Thought………
Treat other people’s information
as you would like your own to
be treated – with respect and
confidentiality
Break
Freedom of Information Act 2000
ISMS Section 4
• Gives individuals the right to access
information
• Have you got it? May I see it?
• NON Personal Identifiable Information (PII)
• The Act does not have to be quoted when
making a request
• 20 working days to process
• Exemptions apply
ICO's ‘Tick Tock’ Video
GP Publication Schemes
ISMS Section 4
• Under the FOI Act it is the duty of every public body
to adopt and maintain a publication scheme
• Demonstrate a commitment to openness
• A new model publication scheme developed
specifically for GP practices Jan 09 (Guide to
Information)
• The new guide contains details on how information
can be obtained and what the costs are
• Visit www.ico.gov.uk for more information
The contents of an email can be
disclosed under the
Data Protection Act and
Freedom of Information Act?
TRUE or FALSE
TRUE
Emails are corporate records of
an organisation and therefore
they may be disclosable by
any public body
Why do we need
Records Management
ISMS Section 4
• Meeting legal/statutory requirements
• Supporting administrative and
managerial decision-making
• Efficiency within the surgery
• Promoting professional image
Definition: Record
ISMS Section 4
Recorded information regardless of
media or format, created or received
in the course of individual or
organisational activity, which
provides reliable evidence of policy,
actions and decisions.
Types of Records
ISMS Section 4
• Health records
• Administrative records
• Photographs
• Microfilm
• Audio (telephone conversations)
• tapes, cassettes, CD-ROM
• Video, CCTV
• Diaries
• Emails, Text messages
Record Quality Information
ISMS Section 4
• All staff have a legal and professional obligation
to be responsible for any records which they
create or use in the performance of their duties
• Users must ensure that records are:
– Secure;
– Accurate;
– Up to date;
– Complete;
– Quick and easy to find;
– Free from duplication;
– Free from fragmentation.
Record Lifecycle
• Creation – Create & log Quality information
• Using – Use/handle in accordance with Data Protection Act
• Close Record
• Retention – Keep/maintain in line with NHS recommended Retention Schedule
• Appraisal – Determine whether records are worthy of permanent archival preservation
• Disposal – Dispose appropriately according to policy
Return of the
Patient Medical Record
ISMS Section 3
• The LHBs are the Data Controllers for Patient
Records no longer registered with a practice
• Records must be returned to the BSC via Courier
Bags
• Complete record must be returned including
clinical system prints
• Checklist on ISMS website to aid process
• BSC can provide copies for medical reports
• Solicitors and Insurance requests are dealt with
by the BSC
Simple things we can all do...
Manual Records - Clear Desk Regime
• Lock PII files or papers away when you leave for the
day, or if you’ll be away from your desk for a significant
period.
Computer Systems - Clear Screen Regime
• Apply the screen lockdown when you are going away
from your desk – CTRL+ALT+DEL and click on Lock
Computer in the Computer Security Dialog Box
• Log out if you’ll be away from your desk for a
significant time - also at the end of the day
• Ensure PII is saved to the practice network- not
desktop or C drive
Removing or Transporting of Patient
or Person Identifiable Information
ISMS Section 7
• Inform your Caldicott Guardian and
Information Security Officer or Practice Manager
• Risk Assessment undertaken
• Authorisation must be obtained prior to removal
off site
• Records removed must be logged
DON’T REMOVE SENSITIVE INFORMATION FROM SITE
UNLESS ABSOLUTELY NECESSARY
Physical Infrastructure
ISMS Section 7
• Entry control systems to buildings/corridors
• Lockable filing cabinets etc
• A Safe Haven Room with fax and phone
• A confidential waste paper service
• A confidentiality culture
• A visitor monitoring process
• A ‘key/card security’ process
• An ‘exit’ process for leavers
Laptop Security
ISMS Section 7
• Ensure laptops, memory sticks and patient notes
are locked in the boot of your car when being
transported; and must be removed when the car is
left unattended
• Do not allow family members and friends to access
any laptop belonging to the surgery
• Ensure no PII is saved to the ‘C’ drive or desktop of
laptop (or PC) unless encrypted
• Ensure the laptop is regularly connected to the
network for back up purposes
• Laptops must only be used by the staff they were
issued to
Portable Media Devices
• PII must only be stored on encrypted devices
• Encrypted sticks must not be used for long term
storage of PII
• PII must be transferred from devices onto the
practice clinical system regularly
• If sending PII on portable devices – only send the
minimum necessary
• Media devices containing PII must only be sent by
Government Mail
DON’T SAVE SENSITIVE INFORMATION ONTO PORTABLE DEVICES
OR MEDIA UNLESS ABSOLUTELY NECESSARY
The IG
Confidentiality
eLearning Toolkit
The eLearning Toolkit covers a
range of key topics including:
• Data Protection Act
• Human Rights Act
• Information Security
• Disclosing and Sharing Information
• Duty of Confidence
• Caldicott
Further Information
ISMS Website
http://howis.wales.nhs.uk/sites3/home.cfm?orgid=542
• ISMS Procedures, Policies & Toolkit
• FAQs
• Training Materials
• Leaflets & Posters
• Forum
• News, Events and Hot Topics
Any Questions?