Presentation on theme: "Data Share London Train-the-Trainer “Best Practice in Information Sharing” London Councils and Private Public Ltd would like to thank NIGB who allowed."— Presentation transcript:
1 Data Share London Train-the-Trainer “Best Practice in Information Sharing” London Councils and Private Public Ltd would like to thank NIGB who allowed us to include their materials into this workshop
2 Why are we here today? To share key resources about data sharing To share tools and materials that will support you in training your staffTo meet colleagues and exchange experienceTo exchange and generate ideas about good practice and the way forward
3 Training Session Plan Introduction Warm-up session: Group Exercise Presentation: Key Training Areas & Training TipsCoffeeForumFeedback forms
4 You have 30 minutes to complete this exercise Warm-up: Group ExerciseChoose 1 of the 3 scenarios on the tableAs instructed by your facilitator each person takes a cardBeginning with the oldest date each person decides who they would or would not share the information with, they then read the card to the groupDebate in your groups whether or not having all of the information would change any decisions madeYou have 30 minutes to complete this exercise
5 Outcomes of Your Training Session By the end of the session, you expect your trainees to be...Familiar with the principles of data sharingAware of resources and support materialsAble to ask and answer the key questionsMore confident about sharing dataUnderstand key processes betterOther?
6 What are we trying to achieve? Excellent Customer ServiceData ProtectionCompliance with law, local agreements and practiceConfidence & Engagement of StaffSafeguardingEfficiency and ProductivityOther outcomes?
7 Partners: With whom do we share information? Examples of multi-agency provision of public services –Inside and outside government networksLocal AuthoritiesMovement of homeless household to a new temporary accommodationRevenues and customs send info to the Department for Work and PensionsSharing data about children subject to Child Protection PlansChildren's Services send case information to the police Child Abuse Investigation TeamCentral GovernmentHealthPolice
8 Partners: With whom do we share information? Examples of multi-agency provision of public services – Inside and outside government networksCriminal JusticeExchange of Child Protection Plans with probation and other agenciesInformation exchange relating to a common assessment of a young personChildren's Services placing a child in a care home and communicating sensitive care assessment detailsSchoolsPrivate / Third Sector
9 Partners: Mapping out the interactions Take a typical service user for your area, and describe a map of the relevant data sharing interactions, by answering the following questions:Why information is to be sharedWhat information to shareWhat consent exists to share informationWho information is to be sent toHow to securely share informationWhat to do with the information
10 Judgement of frontline professionals PrinciplesAd-hoc data sharingJudgement of frontline professionalsPre-planned / regulardata sharingPre-designed routinemark brangwyn 18/10/2010see cut
11 Information Sharing Protocols & Agreements PrinciplesInformation Sharing Protocols & AgreementsNot legally requiredBut can help in a complex legal environmentPartnersSign up to rules and processesBut there is a wide agreement on the key questions and issues – and these form the basis of the best information sharing agreements
12 Guidelines and Procedures Most effectively, various guidance documents can be used if selected and combined for your particular organisation. These guidelines are usually not legally binding but they outline key procedures and help share data confidently. They can be used to help trainees better understand:How and why specific information is being sharedKey processes and procedures for routine or exceptional situationsRoles and structures supporting data exchangeLegal issues and how compliance with the Data Protection Act is establishedSecurity procedures to mitigate risks and ensure confidentiality.HM GovernmentGovernment departments & public sector organisationsIndividual protocols and agreementsE.g., Department for Education, NHS, local councils etcE.g., Purpose / Subject / Situation Specific Information Sharing Agreement
13 Public sector organisations Individual protocols and agreements Guidelines and ProceduresA protocol is “not intended to be a substitute for the professional judgement which an experienced practitioner will use in those cases and should not be used instead of that judgement” The ICOIt is important to be confident in sharing data where necessary in order to safeguard an individual.HM GovernmentPublic sector organisationsIndividual protocols and agreementsIndividual Judgement
14 Some Key Concepts Informed Consent Gillick Competency and Fraser GuidelinesThe Six Caldicott PrinciplesSocial Care and NHS Care Record GuaranteesPseudonymisation and de-identification
15 Informed Consent What constitutes consent? How to seek consent? How to explain information sharing?How to ensure that consent is informed?How to decide whose consent to seek?When and how to share information without consent?
16 Informed ConsentConsent is an agreement to an action based on the knowledge of what the action involves and its likely consequences. To be valid, consent should be informed and freely given.Informed consent means that the person giving consent understandswhy information needs to be shared,who may see their information,what it will be used for andthe implications of not sharing that information.
17 The Period of ConsentThe period of consent is not the same as the period during which the shared information is kept by the receiving organisation.“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”Data Protection Act 1998, Principle 5The period of consent lasts for as long as the service(s) is (are) provided. However, service users can withdraw consent at any time and should be advised how to do that.
18 Implied vs Explicit Consent Consent does not need to be written, though a signed consent form, as evidence of consent, is good practice.Consent can also be expressed orally, or can be inferred from circumstances in which the information was given (implied consent).Reliance on implied consent is particularly common in the healthcare context. Implied consent is defined as ‘consent which is inferred from a persons’ conduct in the light of facts and matters which they are aware of, or ought reasonably to be aware of, including the option of saying ‘no’ (DoH Information Policy Unit, January 2001).However, if consent is relied on to meet the Data Protection Act schedule 3 condition to share sensitive personal data that consent must be explicit.
19 When is Consent not Required? There are circumstances under which information can be shared without consent. These include:where the subject does not have mental capacity and it is in their best interest to share informationto prevent or assist in the detection of crimeto protect the vital interest of the person concerned or another person, such as a life and death situationto comply with a court order.For more details see:Data Protection Act 1998 and exemptions from the DPAThe Assessment of Mental Capacity Audit ToolMental Capacity Act 2005: Deprivation of liberty safeguards - Code of Practice to supplement the main Mental Capacity Act 2005
20 Golden Rule for Data Sharing Share with consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information.You may still share information without consent if, in your judgement, that lack of consent can be overridden in the public interest. You will need to base your judgement on the facts of the case.*
21 Gillick Competency-Fraser Guidelines Children and Informed ConsentWhen deciding whether a child is mature enough to make decisions, people often talk about whether a child is 'Gillick competent' or whether they meet the 'Fraser guidelines'. For detailed guidance on children and informed consent see:Confidentiality and information sharing: children and young people (PDF, 143KB) In: NSPCC Practice Guidance. London: NSPCC, 2010London Child Protection Procedures. London Safeguarding Children Board, 2010Unaccompanied Children Seeking Asylum: Privacy, Consent and Data Protection. ARCH, 2010
22 Six Caldicott Principles In the NHS and Social Care services, the Caldicott principles have been adopted to guide the use of personal information.Justify the purpose(s) of using confidential informationDon't use patient identifiable information unless it is absolutely necessaryUse the minimum necessary patient-identifiable informationAccess to patient identifiable information should be on a strict need-to-know basisEveryone with access to patient identifiable information should be aware of their responsibilitiesUnderstand and comply with the lawEach NHS Trust and local council has designated a Caldicott Guardian, who is responsible for adherence to the Caldicott principles and who can be asked for advice.
23 Social & NHS Care Record Guarantee The Social Care Record Guarantee (SCRG)The SCRG for England explains in a clear and concise manner how personal information is used in social care and what controls an individual has over it. It applies to both electronic and paper social care records for both Adults and Children's Services in England.The NHS Care Record GuaranteeThe NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It also applies to both paper and electronic records. Whilst not a legal document, the Guarantee could be used as the basis for a complaint.
24 PseudonymisationPseudonymisation is concerned with enabling the NHS to undertake secondary (non-medical) use of patient data in a legal, safe and secure manner. The overall aim of implementing pseudonymisation is to facilitate:The legal and secure use of patient data for secondary purposes by the NHS (and other organisations involved in the commissioning and provision of NHS-commissioned care)NHS business to no longer use identifiable data in its non-direct care related work wherever possibleNHS business processes to continue to be effective in supporting the day-to-date operation of the NHS.The implementation of pseudonymisation is based on each local organisation undertaking its own pseudonymisation as appropriate.
25 Pseudonymisation techniques There is no universal technique of effective pseudonymisationRather, combinations of techniques applied to the data and controls on the recipient will need to be chosen as appropriate for the given circumstances to ensure the recipient cannot infer identities from the data.Example techniques include: stripping out / not displaying person identifiers; replacing person identifiers with other values; aggregating data; using derivations (displaying values that reflect the character of the source data); using synthetic data (mixing up elements of a dataset) etc.Reversible or irreversible pseudonymisationThere may be a need to see identifiers, e.g. to check data quality issues (which are masked once data has been pseudonymised).
26 Pseudonymisation: Key Challenges Organisation and ProcessesCulture & SkillsTechnologySelecting techniquesEnsuring lawful outcomeVolume of data flowsData qualityPseudonymisation facilitiesSafe Havens to store identifiable dataOther?
27 Process Flow: What do I do? Obtain ConsentDecide on data, recipient and timeDecide on data share methodSend data securely
28 Process Flow: What do I do? Obtain ConsentDecide on data, recipient and timeDecide on data share methodSend data securelyInformDisplay posters and / or leafletsExplain to the individual concernedEnsure info is understood (provide interpreter etc if needed)Seek consentIdentify if individual is able to give consentIdentify if the situation is covered by ‘direct continuing care’Check whether law requires data share irrespective of consentRecordRecord consent / refusal in individual’s record dated and time stampedRefer to the form in Appendix 1 Section 9.0 in LO ISPHow and when to complete form – App. 1 Section & 11.00
29 Decide on data, recipient and time Process Flow: What do I do?Obtain ConsentDecide on data, recipient and timeDecide on data share methodSend data securelyDataEstablish the required content and format of the data to shareIdentify the necessary minimum information to meet the purposeEnsure confidentiality unless there is a robust public interest or a legal justification in disclosureWhat?RecipientDecide on the recipient. See example in LO ISP Appendix 1Verify the identity of the person making requestRecord their name, position, organisation and contact detailsWho?TimeAd hoc or regular?If regular, how often?KPIs in your organisation? (E.g., How quickly should you respond to a data share request?)When?
30 Decide on data share method Process Flow: What do I do?Obtain ConsentDecide on data, recipient and timeDecide on data share methodSend data securelyAssess securityAssess the risk and potential impact of security breachUse your organisation’s Info security policies etcEstablish the legal gateway to share this dataRisks?Decide on risk controlsFor example see Wandsworth Borough Council ISFDecide on level of risk that is relevant to the caseControls?Decide on technologyAcross government networksOutside government networksGCmail, CJSM etc - See Data Share London websiteSolutions?
31 Store and dispose of data Process Flow: What do I do?Obtain ConsentDecide on data, recipient and timeDecide on data share methodSend data securelyTransfer dataTrack the data transferObtain assurances from partners about their security controlsEnsure secure levels of password / data encryptionEnsure secure premises and containersUse approved waste disposal company / cross cut shredder (paper)Ensure securely overwritten / physical destruction (electronic)Store and dispose of dataRecordRecord your decision, how you made and what data was sharedRecord why you decided to override the requirement to seek consentReport security breaches
32 Process Flow: What do I do? Request & Receive dataUse & Store dataDispose of dataRequest & Receive dataDecide on the required content and format of data to be requestedDecide on technology / means of data transferEnsure secure levels of password / data encryptionEnsure secure premises and containersSafe HavensCheck organisational rules and proceduresUse & Store dataDispose of dataEnsure securely overwritten / physical destructionUse approved waste disposal company etcCheck organisational rules and procedures
33 Infrastructure Across government networks Outside government networks The first choice if availableJointly accessible online application or databaseThird party encryption toolsSecure web spaces or extranetsClearly branded LA solutionGCmailSecure faxLow cost & wide usage but Criminal Justice focusCJSMAnything else?Applying for accounts with partnersPartner system, e.g. NHSmail, GSIFor more details:
34 Training Tips: Warm-up Brainstorming PartnersInformation typesPlease name your top three...Organisations you share data with most oftenThe sort of data you share most oftenIssuesTechnical termsProblems you encounter when sharing dataTerminology useful to know
35 Training Tips: Group Work Group work is a very effective training tool and should be included in all training sessions.Group work can focus on collective problem solving and discussion of selected issues, using various “cases of failure” scenarios.Productive discussions can be designed around process flow, collaborative working, ambiguous situations.
36 Sample Group Work One Understanding the process flow What actions do I need to take and when?What concepts do I need to be familiar with at each stage?
37 Sample Group Work One Sample Scenarios A pharmaceutical company contacts you and requests contact details of patients with a certain condition to invite them to a drug trial.A parent of a 14 year old calls the GP to confirm the time of their son’s drugs related appointment.An insurance company asks for medical records of one of your patients.Discuss a recent case when you had to share data. What did you do?
38 Sample Group Work OneTogether with your team, put these actions (rectangles) in the right order and link concepts (ovals) to relevant actionsRecord data share eventSeek authorisationIdentify the minimum info requiredRecord consentEvaluate individual’s capacityRisk controlsEstablish if disclosure is legally requiredRobust public interestEnsure individual understands the leafletsOther?Consult a Caldicott GuardianGive a copy of consent form to individualDirect continuing careBest interestCapacityPurpose specific info sharing agreementOther?
39 Group Work One: Instructions Together with your team, put the actions (rectangles) in the right order, using the provided scenariosLink the concepts (ovals) to the relevant actionsDiscuss in your group which actions or concepts have been left out and need to be added to the listDiscuss differences in process for different scenariosYou have 20 minutes to complete this exercise
40 Sample Group Work Two Raising the issues What Will Happen if we Do Share Information?What Could Happen if we Don’t Share Information?
41 Group Work Two: Instructions Choose 1 of the 3 scenarios on the tableAs instructed by your facilitator each person takes a cardBeginning with the oldest date each person decides who they would or would not share the information with, they then read the card to the groupDebate in your groups whether or not having all of the information would change any decisions madeYou have 30 minutes to complete this exercise
42 Sample Group Work Three Deciding What to ShareWould We?Could We?Should We?
43 Group Work Three: Instructions Pick a scenario card, work through as many scenarios as you have time forDiscuss and decide if you would share the informationDiscuss and decide if you could share the informationDiscuss and decide if you should share the informationYou have 30 minutes to complete this exercise
44 Training Tips: Effective Signposting What is Data Share London?“...promotes good practice in data sharing and helps people ensure that data sharing is completed legally and fairly...”Long history of collaboration – roots in attempts to devise a London-wide info sharing protocolJointly funded by Capital Ambition and the NHSAdvisory board with members from across Local Government and health
45 Training Tips: Effective Signposting Useful ResourcesLondon Data Share:Information Sharing: Guidance for practitioners and managers (HM Government, 2008)Department for EducationInformation Sharing: How to judge capacity to give consent. DfE, 2011NHS Services and Children’s Centres - how to share information appropriately with children’s centre staff. DfE and DH, 2010Information Sharing: How to seek Consent? Department for Education, 2011Health careConfidentiality: Guidance for doctors. General Medical Council, 2009Confidentiality: Nursing and Midwifery Council, 2009Confidentiality: NHS Code of Practice. 2003The Care record guarantee. NHS, 2011Record keeping: Guidance for nurses and midwives. Nursing and Midwifery Council, 2009 (to be reviewed in 2012)Confidentiality and Information Sharing. NHS National Treatment Agency for Substance Misuse, 2003
46 Training Tips: Effective Signposting Useful ResourcesOther departments & non-governmental organisationsInformation sharing for community safety: Guidance and practice advice. Home Office, 2010Sharing Information on Children and Young People at Risk of Offending. Youth Justice Board, 2005The Social care record guarantee. NIGB, 2009Requesting amendments to health and social care records: Guidance for patients, service users and professionals. NIGB, 2010More information on consent and information sharing practice
47 Forum: Questions for discussion Have you encountered any issues with XX in your organisation?What are the main roots of the problems?Which solutions work well for you?Which technical tools work well / do not work for you?What are the key five things you would explain to a new member of staff involved in data sharing / about XX?Which area raises most questions from your staff?Which areas need collaborative pan-London working the most?How do you see the future of XX (data sharing)?