Clare Sanderson
Executive Director of Information Governance
The NHS Information Centre for health and social care
Agenda
- The NHS Information Centre for Health and Social Care: who we are, what we do
- Protecting Patient Confidentiality
- Information Governance Controls
- What
Who we are
Established in 2005, The NHS Information Centre is the central authoritative source of health and social care information, acting as a ‘hub’ for high-quality, national and local, comparative data for all ‘secondary uses’.
Our products and services
The NHS Information Centre provides a wealth of products and services to help commissioners and providers improve patient and client care within the following areas:
- Workforce
- Finance and performance
- Social care
- Commissioning
- Clinical
- Public Health
What we do for Research: Medical Research Information Service
- Current status
- Long term follow up
- List Cleaning
Studies include:
- The Million Women Study
- Mortality of Gulf War Veterans
- Avon Longitudinal Study of Parents and Children (ALSPAC!!!)
What we do for Research: Trusted Data Linkage Service
Data Linkage Services:
- Linkage to Hospital Episode Statistics & ONS Death data
- Pseudonymisation Services
Data linkage studies include:
- Linking data on road traffic accidents to HES
- Linking hospital prescribing data to HES
- Linking GP data to HES & ONS
Patient Confidentiality – why bother?
- Confidentiality is fundamental to medical practice
- Enshrined in the Hippocratic oath and international laws
- The patient/health care professional relationship is based on trust
Headlines that worry the public
- 'Unacceptable' level of data loss – NHS ‘worst offenders’ says Information Commissioner
- Prime Minister Gordon Brown has said he "profoundly regrets" the loss of 25 million child benefit records
- Over twenty years' worth of personal information relating to workers at Queen Mary's Hospital in Sidcup has gone missing.
- A hospital trust in Cambridgeshire has been ordered to tighten security after a memory stick with medical treatment details of 741 patients went missing.
- The information commissioner has told the NHS to improve its data security, after breaches involving the loss of thousands of personal medical records
The ‘Confidentiality Continuum’ (from Patient Identifiable Data to Effectively Anonymised Data)
- Patient Identifiable Data – Explicit Patient Consent / Section 251 support
- De-identified / Pseudonymised / technology protected data – Terms and conditions to protect & control use
- Effectively Anonymised Data – Publicly available
Section 251 Support – for NHS data in England
Allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for medical purposes where it is not possible to use anonymised information and where seeking individual consent is not practicable.
Requirements for Section 251 Support
- Details of the Organisation
- Details of the data required, what is to be done with it and for what purpose
- Justification for using patient identifiable data
- How the proposed use of the data will improve patient care or serve the wider public interest
- Justification for not obtaining patient consent
- Involvement of other stakeholders
- Details of security and audit measures used to secure access to, and limit use of, patient identifiable information
- Details of system security
- Details of the exit strategy !
Legal Compliance in England
- Common Law Duty of Confidentiality
- National Health Service Act 2006
- Data Protection Act 1998
- The Human Rights Act 1998
- Freedom of Information Act 2000 ???
- Copyright Designs and Patents Act 1988
- Re-Use of Public Sector Information Regulations 2005
What is Information Governance?
“the structures, policies and practice of the DH, the NHS and its suppliers to ensure the confidentiality and security of all records, and especially patient records, and to enable the ethical use of them for the benefit of individual patients and the public good”.
Information Governance Framework
In collaboration with the Research Capability Programme
IG Framework Themes
- Organisational – standards that provide assurance that the organisations have good and reliable internal processes
- Security – standards that apply to processing, storing, reporting and transmitting information
- Service – standards that apply to key processes such as linkage and pseudonymisation
- Developmental – progress toward compliance with internationally recognised standards
Organisational Theme
- Annually reviewed, board approved IG policies
- Appropriate job specific IG training
- Documented process for serious security incidents
- Assigned responsibility for DPA
- Processes to support confidential service
- Caldicott Guardian and resourced Caldicott function
- Contracts include IG requirements and staff understand
- Access to PID controlled, monitored and audited
- Appropriate disaster recovery plans
- Business continuity plans for business critical systems
Evidence required: IGT 112 Level 3, 113 Level 3, 509 Level 3 and/or:
- Training programme and attendance lists
- Measures to evaluate training effectiveness
- Reviews and update of materials
- Appropriate training for information quality and records management staff
- Quality system training for all staff
- Confidentiality and security training for all staff
IG Toolkit v9
- Includes a new organisation type – Hosted Secondary Use Team
- Total of 14 requirements for this type
- For each requirement: identifies the requirement, describes the background, provides a knowledge base for achieving the target
- Three levels of achievement
- Overall achievement measured through % score
Hosted Secondary Use Team
- Responsibility for IG assigned to an appropriate member of staff
- IG policy for overall requirements of IG
- All contracts clearly identify IG responsibilities
- All staff trained appropriately on IG
- PID only used lawfully & dissent treated appropriately
- Confidentiality audit monitors access to PID
- PID outside UK complies with the DPA & DH policy
- Transfer of PID & sensitive information is secure
- Security of mobile computing & teleworking
- Availability of information asset register
- Security of premises, equipment, records & assets
- Incident management & reporting
- Pseudonymisation & anonymisation used where appropriate
- Presence of Safe Haven
Worked example of one requirement (IG training): Ensure that appropriate IG training is made available to all staff, including temps, locums and volunteers. There should be a clearly documented and communicated process for making all staff aware of the availability and importance of training. The NHS IG Training Tool provides a valuable base. It comprises a structured e-learning programme with Introductory, Foundation and Practitioner level modules covering all aspects of IG. Exemplar materials include guidance available for use in training – e.g. Information Security – NHS Code of Practice. Training scenarios are provided for local adoption / adaptation.
Achievement levels:
- Level 0 – no evidence
- Level 1 – appropriate training provided, including induction for starters
- Level 2 – all staff have completed IG training & training needs are regularly reviewed
- Level 3 – staff understanding of IG tested & support provided where needs are identified; training provision is regularly reviewed
What is the Alternative?
Use of ‘Honest Broker’ Services including:
- Anonymisation Services
- Pseudonymisation Services
- De-pseudonymisation Services
- Derivation services
- Cohort management
- s 251 Application Support (where applicable)
- Data linkage services – deterministic / probabilistic
- Data sets management and expertise……..
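The pseudonymisation, de-pseudonymisation and deterministic linkage services listed on this slide (and the HES to ONS death data linkage on the earlier Trusted Data Linkage Service slide) can be shown working together in a few lines. The Python below is an added example written for this transcript, not code from The NHS Information Centre or its services: the broker key, the two record layouts and the 10-digit identifiers are constructed placeholders (not real NHS numbers), and the keyed-hash scheme is one common way to build a pseudonym, not a description of the Centre's actual implementation.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed placeholder key. In a real honest-broker service the key lives only
# with the broker (ideally in a key-management service or HSM), never beside the
# pseudonymised extracts it protects.
BROKER_KEY = b"placeholder-linkage-key-not-for-real-use"

# Constructed sample extracts. The identifiers are dummy 10-digit strings, not real
# NHS numbers; their differing formatting is deliberate, to show why normalisation
# must happen before hashing.
HOSPITAL_EPISODES = [
    {"nhs_number": "000 000 0001", "admission": "2008-03-02", "diagnosis": "I21"},
    {"nhs_number": "000 000 0002", "admission": "2008-05-19", "diagnosis": "J18"},
    {"nhs_number": "000 000 0003", "admission": "2008-07-01", "diagnosis": "S72"},
]
DEATH_REGISTRATIONS = [
    {"nhs_number": "0000000001", "date_of_death": "2008-04-11", "cause": "I21"},
    {"nhs_number": "000-000-0009", "date_of_death": "2008-09-30", "cause": "C34"},
]


def normalise_identifier(identifier: str) -> str:
    """Keep digits only, so one person yields the same pseudonym in every extract."""
    return "".join(ch for ch in identifier if ch.isdigit())


def pseudonymise(identifier: str, key: bytes = BROKER_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the normalised identifier.

    A plain, unkeyed hash of a 10-digit number offers little protection: the whole
    identifier space is small enough to hash exhaustively. The secret key is what
    makes the pseudonym unrecoverable by anyone who does not hold it.
    """
    msg = normalise_identifier(identifier).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class HonestBroker:
    """Holds the key and the pseudonym -> identifier mapping.

    Only pseudonymised rows leave the broker; every de-pseudonymisation request is
    recorded so that access to PID is controlled, monitored and audited.
    """

    def __init__(self, key: bytes = BROKER_KEY) -> None:
        self._key = key
        self._mapping: Dict[str, str] = {}
        self.audit_log: List[Dict[str, str]] = []

    def pseudonymise_extract(self, rows: List[Dict[str, str]], id_field: str) -> List[Dict[str, str]]:
        released = []
        for row in rows:
            out = dict(row)
            raw = out.pop(id_field)  # the direct identifier stays with the broker
            pseudo = pseudonymise(raw, self._key)
            self._mapping[pseudo] = normalise_identifier(raw)
            out["pseudo_id"] = pseudo
            released.append(out)
        return released

    def depseudonymise(self, pseudo_id: str, requester: str, justification: str) -> str:
        """Controlled re-identification; the request is logged before it is answered."""
        self.audit_log.append(
            {"pseudo_id": pseudo_id, "requester": requester, "justification": justification}
        )
        if pseudo_id not in self._mapping:
            raise KeyError("unknown pseudonym")
        return self._mapping[pseudo_id]


def link_deterministic(left: List[Dict[str, str]], right: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], Dict[str, str]]]:
    """Exact match on pseudo_id: the deterministic linkage named on the slide."""
    index: Dict[str, List[Dict[str, str]]] = {}
    for row in right:
        index.setdefault(row["pseudo_id"], []).append(row)
    return [(lrow, rrow) for lrow in left for rrow in index.get(lrow["pseudo_id"], [])]


def run_example() -> Tuple[int, int, str]:
    """Pseudonymise both extracts, link them, then perform one audited re-identification."""
    broker = HonestBroker()
    hes = broker.pseudonymise_extract(HOSPITAL_EPISODES, "nhs_number")
    ons = broker.pseudonymise_extract(DEATH_REGISTRATIONS, "nhs_number")
    assert all("nhs_number" not in row for row in hes + ons)  # researcher side holds no PID
    linked = link_deterministic(hes, ons)
    reidentified = broker.depseudonymise(
        linked[0][0]["pseudo_id"], "data-quality team", "verify linkage sample"
    )
    return len(linked), len(broker.audit_log), reidentified


if __name__ == "__main__":
    print(run_example())
```

Two points from the continuum slide carry over directly. The linked output is pseudonymised, not anonymised: the broker can still reverse it, so it sits in the middle tier of the continuum and must be released under terms and conditions rather than published. And the protection depends entirely on key separation; if the key (or the broker's mapping table) travels with the extract, the pseudonyms are no better than the original identifiers.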
Security Theme
- Ability to detect and remove malicious code
- Secure operation of communications networks
- Secure and structured implementation of new assets
- Secure mobile working
- Controlled, audited access to PID
- New processes comply with confidentiality and DPA requirements
Security Theme (continued)
- Independently audited Information Risk assessment & management
- Formal Information Risk hierarchy
- Documented data flows for PID
- Safe Haven procedures implemented
- Effective management & control of software assets
- Effective encryption of PID
- Appropriate asset access control with regular reviews
Service Theme
- Confidentiality of PID protected through de-identification techniques
- Appropriate standard of data linkage adopted
- Documented records management processes
- Board consideration of ethics and validity of research question
- Robust legal basis for processing
- IG included in contractual arrangements
- Board agreed protocol for sharing PID
- ALL PID processed outside the EU complies with DPA, DH etc.
- Documented and available FOI process
Developmental Theme
Organisational commitment to achieving:
- ISO 27001 – Information Security Management
- Highest standards of business continuity and disaster recovery
- ISO 20000-1 – IT service management, Part 1
- ISO 9000 – Quality Management
- Code of Practice
- Development of new standards when required