Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Governance in Commissioning Mental Health Commissioners Collaborative.

Published byLauren Reynolds Modified over 8 years ago

Similar presentations

Presentation on theme: "Information Governance in Commissioning Mental Health Commissioners Collaborative."— Presentation transcript:

1 Information Governance in Commissioning Mental Health Commissioners Collaborative

2 Introduction David Stone Head of Information Governance Apira Limited david.stone@apira.co.uk 07947 052704

3 2011/12 Standard Terms and Conditions for Mental Health and Learning Disability Services Context Law/Contract Regulation Risk/Liability Contract compliance/Assurance Incidents/Breaches Patient Identifiable Data/Secondary Use

4 Dear colleague Gateway Ref: 16607 We want to call your attention again to a significant change that came into force on 6 April 2010, which enables the ICO to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act 1998. Obviously we are all hoping that it will not be necessary for the enhanced powers to be exercised, but at present a significant percentage of all data breaches reported to the ICO relate to NHS organisations. The purpose of this letter is to outline the actions that we jointly recommend to ensure your systems and practices deliver adequate information governance and that commissioning criteria adequately reflect its importance. Nicholson, NHS CEO and Graeme, IC to all NHS CEOs, 05/09/11

5 Law/Contract Data Controller/Data Processor –The Commissioner is a Data Controller in law (27.3) –The Commissioner may be Data Controller Jointly or In-common, but remains legally liable, even after the end of the contract (for the data) –The Information Commissioner will pursue the Data Controller in the event of a breach Service Level Agreements are not valid in law (unless bound in contract) –The Data Protection Act (1998) trumps the NHS & Communities Act (1990)

6 Case Study In February 2011, London Boroughs of Hounslow and Ealing were fined £70,000 and £80,000 respectively under the Data Protection Act 1998 (DPA). The Monetary Penalty Notice (MPN) arose from the theft of two unencrypted laptops from an employee of Ealing Council. The laptops contained the personal data of approximately 1,000 Ealing service users and approximately 700 Hounslow service users. Hounslow were found to be in breach of the DPA because they had failed to have a valid legally contract in place with Ealing and because they had not monitored Ealing’s operational compliance of their commissioned service.

7 Regulation Monitor –“Monitor would look to commissioners, the Information Centre and Information Commissioner to lead on policing IG at FTs and it is not our role to otherwise interpret information requirements. Only where other bodies have exhausted their powers would Monitor generally consider acting in the absence of other breaches of the authorisation.” (email response 04/08/2011)

8 Regulation CQC –The Commission uses the information from the Information Governance Toolkit in our Quality and Risk Profiles. –Quality and Risk Profiles are an essential tool for providers, commissioners and our own staff in monitoring compliance with the essential standards of quality and safety. –They help in assessing where risks lie and can play a key role in providers’ own internal monitoring as well as informing the commissioning of services. (email response 10/08/2011)

9 Regulation Department of Health –The IGT is not a required central return as the Department of Health is just one, and not the main, interested party. The Department expects commissioners to drive improvements in provider information governance and to insist that their contractual requirement to publish an IGT assessment continues to be met.

10 Contract Compliance 27.2 Data Protection –The Provider shall achieve a minimum level 2 performance against all requirements in the relevant NHS Information Governance Toolkit relevant to it. Where the Provider has not achieved level 2 performance by the Service Commencement Date, the co-ordinating Commissioner may, in its sole discretion, agree a plan with the Provider to enable the Provider to achieve level 2 performance within a reasonable time.

11 Risk/Liability Red = Unsatisfactory in IGT

12 Consent 9.1 Consent –The Provider shall operate a Service User consent policy to comply with Good Clinical Practice, good Health and/or Social Care Practice and the Law NHS Care Record Guarantee Commitment 4 –Legally, no-one else can make decisions on your behalf about sharing health information that identifies you. European WP29 –Consent is recognised as an essential aspect of the fundamental right to the protection of personal data

13 Person Identifiable Information All health data is ‘sensitive’ under the Data Protection Act SUS is only legal for limited use (S251) –18 weeks, PBr, planning care provision Contested payments/Challenges New Safe Haven operation Pseudonymisation/secondary use

14 Not Applicable Contract Clauses The following clauses do not apply to data that comes with the scope of the Data Protection Act (1998) –15.5: Incident reporting –29, especially 29.9: require information Note: the contract cannot require the Provider to break the law –There may be others in the schedules

15 Assurance Schedule 5 –Independent audit of IGT self-assessment scores and information risk must be shared with the commissioner –Information incident reporting (or as Schedule 7) in compliance with Gateway 13177 –Information Lifecycle: what happens to the data at termination? (35/36) –Clarification of the right to disclose confidential information (39.1.4) –Transport of data using N3 –Use of NHSmail

16 Conclusion The Commissioner is a Data Controller in law and legally liable for what happens to the data, even after the end of the contract A legally binding contract is required by law for every commissioned service The standard commissioning contract does not meet all legal requirements without additions in Schedule 5 The standard contract is not always correct when applied to information covered by the Data Protection Act All but one MHT in London failed to meet the standard required in contract

17

Download ppt "Information Governance in Commissioning Mental Health Commissioners Collaborative."

Similar presentations

NATIONAL INFORMATION GOVERNANCE BOARD

NATIONAL INFORMATION GOVERNANCE BOARD
The Mental Capacity Act and Deprivation of Liberty Safeguards Implications for Commissioners and Care Providers Bruce Bradshaw Patient Experience Manager.

The Mental Capacity Act and Deprivation of Liberty Safeguards Implications for Commissioners and Care Providers Bruce Bradshaw Patient Experience Manager.
Introduction to Information Governance (IG)

Introduction to Information Governance (IG)
Document management Rev. Description Author Date 0.0 First draft

Document management Rev. Description Author Date 0.0 First draft
Rev.DescriptionAuthorDate 0.0First draftDavid Stone14/07/10 0.1ReviewPhil Walker Magi Nwoli Tony Heap Vanessa Kaliapermall 15/07/10 1.0FinalDavid Stone18/07/10.

Rev.DescriptionAuthorDate 0.0First draftDavid Stone14/07/10 0.1ReviewPhil Walker Magi Nwoli Tony Heap Vanessa Kaliapermall 15/07/10 1.0FinalDavid Stone18/07/10.
Equality Act 2010 The Public Sector Equality Duty - how will it affect the third sector? Overview of where we are with legislation that came into force.

Equality Act 2010 The Public Sector Equality Duty - how will it affect the third sector? Overview of where we are with legislation that came into force.
What CQC do CQC are the health and social care regulator for England CQC register and monitor all health and social care providers in the country to ensure.

What CQC do CQC are the health and social care regulator for England CQC register and monitor all health and social care providers in the country to ensure.
Confidentiality & Records Management. What is Information Governance? What is Records Management?

Confidentiality & Records Management. What is Information Governance? What is Records Management?
Workshop 501 and 505 Review barriers to communication

Workshop 501 and 505 Review barriers to communication
“Reform of the Child Care System: Taking Stock and Accelerating Action” South East Europe 3 – 6 July 2007, Sofia.

“Reform of the Child Care System: Taking Stock and Accelerating Action” South East Europe 3 – 6 July 2007, Sofia.
National Update: The information revolution and the 2012 Caldicott Review Simon Richardson – Information Rights Manager.

National Update: The information revolution and the 2012 Caldicott Review Simon Richardson – Information Rights Manager.
About CQC Sarah Seaholme Ram Sooriah 1 1.

About CQC Sarah Seaholme Ram Sooriah 1 1.
MCA DoLS a view from the CQC. The Mental Capacity Act is the essential framework for balancing FREEDOM (wherever possible) with PROTECTION (when essential,

MCA DoLS a view from the CQC. The Mental Capacity Act is the essential framework for balancing FREEDOM (wherever possible) with PROTECTION (when essential,
Information Governance

Information Governance
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
Health and Safety.

Health and Safety.
Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Information Law Report.

National Smartcard Project Work Package 8 – Information Law Report.
Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.

Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview

Similar presentations

Ads by Google