Introduction
- Confidentiality, including Caldicott
- Data Protection
- Information Sharing
- Freedom of Information
- Records Management
- IM&T Security
The consequences of not considering Information Governance in GP surgeries
2007
- April: Patient information found in a skip behind the building while a GP branch was being renovated
- November: Patient data losses at a GP surgery – 3000 records
2008
- January: Dictaphone holding patient identifiable information stolen from a GP practice room
- June: GP's laptop containing patient records stolen from home
- July: Back-up tape containing 11,000 records lost from a GP surgery
ICO research into social concerns (percentage of respondents concerned about each issue)
- Preventing crime: 94%
- Protecting personal information: 92%
- The National Health Service: 91%
- Equal rights: 89%
- National security: 89%
- Improving education: 88%
- Protecting freedom of speech: 86%
- Environmental issues: 86%
- Unemployment: 80%
- Access to information held by public authorities: 79%
Confidentiality
A duty of confidence arises when one person discloses information to another (for example, patient to clinician, or carer to social worker) in circumstances where it is reasonable to expect that the information will be protected and held in confidence.
TRUE or FALSE: The duty of confidentiality continues after the death of a patient.
TRUE. Any information provided in confidence, for example within a health record, must remain confidential following a patient's death.
Confidentiality – Mail
- Envelopes marked 'Private & Confidential, For Addressee Only'
- Royal Mail Special Delivery
- Courier: trusted, tracked, with signed confirmation
- Delivery confirmation
- Mail opening process
Confidentiality – Fax
- First ask: could it go by a safer means?
- Use a Safe Haven or secure fax number
- Mark as Private and Confidential to a named person
- Confirm the recipient's fax number before sending
- Transmit in two parts: send the first sheet and confirm receipt with the recipient, then send the remaining sheets and confirm receipt of those too
Confidentiality – Email (ISMS Section 6)
- PII must only be sent in a password-protected or encrypted file; pass the password to the recipient by a separate channel (for example by telephone), never in the same email
- Do not put PII in the 'subject' line or in the body of the email
- Send as High Priority and mark as Confidential
- If possible use the NHS Number rather than the patient's name
- Use Safe Haven addresses
- Confirm receipt
Confidentiality – Telephone
- Avoid exchanging sensitive PII by telephone unless it is a matter of life and death
- Only exchange PII in a closed (Safe Haven) room
- If you cannot prevent someone from giving you PII over the telephone:
  - Take the caller's full details
  - Verify who the caller is (if in doubt, call them back on a number you have looked up yourself, not one the caller gives you)
  - Record the PII carefully
  - Read it back to confirm the details
  - Ask for written confirmation using an agreed anonymised identifier
Confidentiality – Public Areas
Always be aware of who is in the vicinity:
- Who can listen to telephone calls
- Who can listen to conversations
- Who can see personal identifiable information on desks
- Who can see personal identifiable information on monitors
Respect the privacy of individuals.
Consent & Confidentiality (ISMS Section 3)
- Consent is obtained for treatment or for the disclosure of personal information
- Consent is specific to the uses defined in the information process
- 3 types of consent: Implied, Informed and Explicit
- Some laws override the need for consent, e.g. the Children Act, vulnerable adults legislation, tax and benefits legislation, and the Crime and Disorder Act 1998 s.115
Consent (ISMS Section 3)
- Consent is voluntary and, even if it is signed, it can be withdrawn at any time
- Consent must be revisited regularly
- Consent must be gained for any new use of personal information
TRUE or FALSE: You always need consent before doing anything with personal information.
FALSE. There are various conditions (other than consent) in the Data Protection Act which allow you to process personal information.
Balance
Healthcare employees are entrusted with patients' confidence and have a legal obligation to protect their privacy. The need for confidentiality must be balanced against the need for NHS staff to have access to patient information.
What is Caldicott? (ISMS Section 3)
A set of principles and recommendations put forward by the Caldicott Committee in 1997 which apply to health and social care organisations to ensure that patient identifiable information remains confidential and secure.
Caldicott Principles (ISMS Section 3)
1. Justify the purpose
2. Use patient identifiable information only if absolutely necessary
3. Only use the minimum amount necessary
4. Access only on a strictly need-to-know basis
5. Know your responsibilities
6. Understand and comply with the law
Key Requirements of Caldicott (ISMS Section 3)
- Appoint a Caldicott Guardian or Lead (should be a senior clinician); definition of Guardian: 'one who protects'
- Abide by the Caldicott principles
- Ensure policies and procedures to protect PII are in place and adhered to
TRUE or FALSE: The best person to undertake the role of Caldicott Guardian in my GP surgery is the Practice Manager.
FALSE. The best person to undertake the role of Caldicott Guardian would be a senior clinician, as they would be expected to advise on individual cases where there are concerns about patient information.
Comply with the Law (ISMS Section 3)
Data Protection Act 1998 – it is your responsibility to understand the principles in relation to your role and your organisation.
Activity (takes around 15 minutes to complete):
- Split into 2 groups
- Read the Data Protection Act 1998 principles handout
- Match the principles with scenarios A to H on the following slides. For each scenario there is only one principle considered to be the correct answer in this exercise, but you may find that more than one principle could apply.
Activity: Which principle does the breach in each scenario relate to?
Scenario A: Mr X receives a call from Wrexham hospital to tell him that his pregnant wife has been admitted. Mr X was shocked, as they have been divorced for 10 years and his ex-wife has remarried his best friend. Mr X informed the hospital that he is no longer her next of kin.
Scenario B: A mother asks to see her 16-year-old daughter's School Nurse reports, as she suspects her daughter is sexually active. The School Nurse says "no problem", asks for the request to be put in writing and says she will provide a copy of the recent notes within 21 working days.
Scenario C: A health records assistant has been tasked with checking 100 random health records to see whether they are labelled with the correct NHS Number. She decides that there is not enough space in her department to do this task comfortably, so she finds a quiet meeting room in the Post Grad Centre to do it. She pops out for lunch for an hour, leaving the notes unattended and the room unlocked.
Scenario D: Mrs Y moves from Mold to Swansea and registers with a new GP in Swansea. The GP goes through her records to get familiar with his new patient's health history. He finds abbreviations such as HT and NLW in the notes. When he asks the previous GP to explain, the previous GP laughs and says "oh, that means 'Hot Totty' and 'Nice Looking Woman'".
Scenario E: Nurse Hughes is approached by PC Jones asking how his brother (also a police officer) is doing after having been shot in the line of duty. Nurse Hughes mentions that he is stable in terms of the gunshot wound, but that they have found his cancer has spread. When the brother regained consciousness he was surprised to find that PC Jones knew about the cancer; until now only his wife had known.
Scenario F: HR were approached by their Trust's communications team asking for all staff home addresses to do a mail shot about the staff benefits and training opportunities that will be available once the implementation of the new National Programme for IT is complete at their Trust. HR agree to hand the staff database to the communications team a.s.a.p.
Scenario H: A Finance Assistant is tasked with disposing of old filed requisitions. Her colleague tells her to get rid of any cleared requisitions which are more than 18 months old. The assistant found 50+ requisitions nearly 3 years old, which exceeds the recommended retention period in the DH Records Management NHS Code of Practice.
Scenario G: A USA Social Services team heard that a UK Social Care team were using new and successful techniques to handle manic depressive young teenagers. The USA team ask for a report on the methodology, supported by real-life case reports, so that they can learn from the UK findings. The UK team send the case notes and reports to the USA team.
Subject Access Requests (ISMS Section 3)
- Give patients and staff the right to know what personal information the organisation holds on them
- Requests must be in writing
- The requester need not quote the DPA (and often will not)
- The organisation must respond within 40 days; the clock starts as soon as the request is received by the organisation
Sharing Personal Information (ISMS Section 3)
Sharing information about an individual within and between partner agencies is vital to the provision of co-ordinated and seamless care to that individual. This care includes:
- Improving the health and social care of people
- Arranging and delivering services
- Supporting people in need
- Investigating complaints
Sharing Personal Information (ISMS Section 3)
The principles underpinning the sharing of person identifiable information are governed by legislation, including:
- Data Protection Act 1998
- Access to Health Records Act 1990
- Human Rights Act 1998
- Freedom of Information Act 2000
- Children Act 1989
- Computer Misuse Act 1990
- Human Fertilisation and Embryology Act 1990
- Health and Social Care Act 2001
- NHS Venereal Diseases Regulations 2000
- Abortion Act 1967 and Abortion Regulations 1991
Examples of Information Sharing
For health care purposes:
- With NHS staff involved in the provision of care
- Parents and guardians (generally for children under 16)
For purposes other than direct health care:
- Social care
- Researchers
- Bodies with statutory investigative powers, e.g. GMC, Audit Commission
For non-health-care purposes:
- Police (with a valid request)
- Solicitors (with explicit consent from the patient)
Information Sharing Protocols – what are they? (ISMS Section 3)
A written agreement between parties (i.e. the different groups of people who are involved in sharing patient information) that:
- Documents how information should be shared
- Ensures information is shared consistently, appropriately and lawfully
- Clearly defines individuals' responsibilities when sharing information, to uphold patient confidentiality
Information Sharing Protocols – the benefits (ISMS Section 3)
Protocols go a long way towards reducing the risk of breaches because:
- They provide clear guidelines on how much information should be shared, in what way, and with whom
- They allow individuals to make informed, confident and timely decisions about sharing information, allowing better patient care
TRUE or FALSE: The organisation I work for has signed up to a local information sharing protocol, therefore I can share personal information with any organisation that has also signed the protocol.
FALSE. You still need to ensure that all the legal requirements have been met before sharing information.
When should Information Sharing Protocols not be used?
If there are concerns relating to child or adult protection issues, staff should refer instead to the relevant documents:
- All Wales Child Protection Procedures
- The Multi-agency Inter-agency Information Sharing Protocol for the Assessment of Children in Need and in Need of Protection
- Policy and procedures for responding to the alleged or confirmed abuse of vulnerable adults
TRUE or FALSE: A policewoman turns up at reception and demands a copy of Mr A's medical notes immediately for an investigation. The Police have that power.
FALSE. Unless you are provided with a copy of a court order for release, the police must provide a written request under a relevant act, which should be considered by the practice before anything is released.
Requests from the Police (ISMS Section 3)
- They can request records under s.29 of the DPA or under s.115 of the Crime & Disorder Act 1998
- They must provide an official written request signed by the S.I.O. (DCI or above); if in doubt, verify the request with the force through a number you have looked up yourself
- You only need to disclose what is 'minimum and relevant', and you should get a signed receipt
- You may have to make an immediate release if they have a dated court order; you must obey a court order to the letter, so read it carefully
- If their case or a court order requires you to release the original records, you MUST make a numbered 'best' copy of the records to retain
Thought
Treat other people's information as you would like your own to be treated – with respect and confidentiality.
Freedom of Information Act 2000 (ISMS Section 4)
- Gives anyone the right to access information held by public authorities: "Have you got it? May I see it?"
- Covers NON personal identifiable information (PII); requests for a person's own PII are handled under the Data Protection Act instead
- The Act does not have to be quoted when making a request
- 20 working days to process
- Exemptions apply
GP Publication Schemes (ISMS Section 4)
- Under the FOI Act it is the duty of every public body to adopt and maintain a publication scheme
- This demonstrates a commitment to openness
- A new model publication scheme was developed specifically for GP practices in January 2009 (the Guide to Information)
- The new guide contains details of how information can be obtained and what the costs are
- Visit for more information
TRUE or FALSE: The contents of an can be disclosed under the Data Protection Act and the Freedom of Information Act.
TRUE. They are corporate records of an organisation and therefore may be disclosable by any public body.
Why do we need Records Management? (ISMS Section 4)
- Meeting legal/statutory requirements
- Supporting administrative and managerial decision-making
- Efficiency within the surgery
- Promoting a professional image
Definition: Record (ISMS Section 4)
Recorded information, regardless of media or format, created or received in the course of individual or organisational activity, which provides reliable evidence of policy, actions and decisions.
Types of Records (ISMS Section 4)
- Health records
- Administrative records
- Photographs
- Microfilm
- Audio (telephone conversations): tapes, cassettes, CD-ROM
- Video, CCTV
- Diaries
- Text messages
Record Quality (ISMS Section 4)
All staff have a legal and professional obligation to be responsible for any records which they create or use in the performance of their duties. Users must ensure that records are:
- Secure
- Accurate
- Up to date
- Complete
- Quick and easy to find
- Free from duplication
- Free from fragmentation
Record Lifecycle
- Creation: create and log quality information
- Using: use/handle in accordance with the Data Protection Act
- Close record and retain: keep/maintain in line with the NHS recommended retention schedule
- Appraisal: determine whether the records are worthy of permanent archival preservation
- Disposal: dispose appropriately according to policy
Return of the Patient Medical Record (ISMS Section 3)
- The LHBs are the Data Controllers for the records of patients no longer registered with a practice
- Records must be returned to the BSC via courier bags
- The complete record must be returned, including clinical system prints
- A checklist on the ISMS website is available to aid the process
- The BSC can provide copies for medical reports
- Solicitors' and insurance requests are dealt with by the BSC
Simple things we can all do...
Computer systems – Clear Screen Regime:
- Apply the screen lock when you are going away from your desk: press CTRL+ALT+DEL and click 'Lock Computer' in the Windows Security dialog box (Windows key + L does the same)
- Log out if you will be away from your desk for a significant time, and at the end of the day
- Ensure PII is saved to the practice network, not to the desktop or the C: drive
Manual records – Clear Desk Regime:
- Lock PII files or papers away when you leave for the day, or if you will be away from your desk for a significant period
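Locking the screen by hand depends on every member of staff remembering to do it. The PowerShell below is an added example (it is not part of this training deck or of the ISMS) showing how a practice can enforce the clear screen regime on a Windows PC and check that it is in place: it sets a password-protected screen saver for the current user, sets the machine-wide inactivity limit that applies to every account, and reports any setting that is missing or too loose. It assumes a Windows 10/11 workstation, PowerShell 5.1 or later, administrator rights for the machine-wide (HKLM) setting, and a 10-minute (600 second) timeout, which is this example's choice rather than a figure from the deck.

```powershell
# Added example (not from the training deck): enforce and audit the
# "clear screen" regime on a Windows workstation.
# Assumptions: Windows 10/11, PowerShell 5.1+, run as administrator for
# the HKLM setting; the 600 s timeout is this example's choice.

$TimeoutSeconds = 600

function Set-ClearScreenPolicy {
    param([int]$Seconds = $TimeoutSeconds)

    # Per-user screen saver that asks for the password on resume (current user only).
    $desktop = 'HKCU:\Control Panel\Desktop'
    Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value "$Seconds"
    Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr"

    # Machine-wide limit ("Interactive logon: Machine inactivity limit"):
    # applies to every account on the PC, so a user cannot just switch it off.
    $system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-ItemProperty -Path $system -Name 'InactivityTimeoutSecs' `
        -PropertyType DWord -Value $Seconds -Force | Out-Null
}

function Test-ClearScreenPolicy {
    param([int]$MaxSeconds = $TimeoutSeconds)

    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $system  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue

    # Collect every setting that is absent or weaker than the practice standard.
    $findings = @()
    if ($desktop.ScreenSaveActive -ne '1')    { $findings += 'Screen saver is not active' }
    if ($desktop.ScreenSaverIsSecure -ne '1') { $findings += 'Screen saver does not require a password on resume' }
    if (-not $desktop.ScreenSaveTimeOut -or [int]$desktop.ScreenSaveTimeOut -gt $MaxSeconds) {
        $findings += "Screen saver timeout is missing or longer than $MaxSeconds s"
    }
    if (-not $system.InactivityTimeoutSecs -or [int]$system.InactivityTimeoutSecs -gt $MaxSeconds) {
        $findings += "Machine inactivity limit is missing or longer than $MaxSeconds s"
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        User      = $env:USERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Lock the workstation immediately: the same effect as CTRL+ALT+DEL > Lock
# (or Windows key + L), usable from a script or a scheduled task.
function Lock-Workstation {
    rundll32.exe user32.dll,LockWorkStation
}

Set-ClearScreenPolicy
Test-ClearScreenPolicy | Format-List
```

Test-ClearScreenPolicy can be run on its own, without administrator rights, as a quick audit of a PC before it is signed off for use in the surgery; a result of Compliant = False lists exactly which setting to fix. The HKCU values only cover the account that ran the script, so on a domain the equivalent Group Policy setting should be used to cover all users; the HKLM inactivity limit is the safety net that still applies when a user changes their own screen saver settings.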
Removing or Transporting Patient or Person Identifiable Information (ISMS Section 7)
DON'T REMOVE SENSITIVE INFORMATION FROM SITE UNLESS ABSOLUTELY NECESSARY
If it is necessary:
- Inform your Caldicott Guardian and Information Security Officer or Practice Manager
- A risk assessment must be undertaken
- Authorisation must be obtained prior to removal off site
- Records removed must be logged
Physical Infrastructure (ISMS Section 7)
- Entry control systems to buildings/corridors
- Lockable filing cabinets etc.
- A Safe Haven room with fax and phone
- A confidential waste paper service
- A confidentiality culture
- A visitor monitoring process
- A 'key/card security' process
- An 'exit' process for leavers
Laptop Security (ISMS Section 7)
- Ensure laptops, memory sticks and patient notes are locked in the boot of your car when being transported, and are removed when the car is left unattended
- Do not allow family members or friends to access any laptop belonging to the surgery
- Ensure no PII is saved to the C: drive or desktop of a laptop (or PC) unless it is encrypted
- Ensure the laptop is regularly connected to the network for back-up purposes
- Laptops must only be used by the staff they were issued to
Portable Media Devices
DON'T SAVE SENSITIVE INFORMATION ONTO PORTABLE DEVICES OR MEDIA UNLESS ABSOLUTELY NECESSARY
- PII must only be stored on encrypted devices
- Encrypted sticks must not be used for long-term storage of PII
- PII must be transferred from devices onto the practice clinical system regularly
- If sending PII on portable devices, only send the minimum necessary
- Media devices containing PII must only be sent by Government Mail