Presentation on theme: "Data Share London Train-the-TrainerBest Practice in Information Sharing London Councils and Private Public Ltd would like to thank NIGB who allowed us."— Presentation transcript:
Data Share London Train-the-TrainerBest Practice in Information Sharing London Councils and Private Public Ltd would like to thank NIGB who allowed us to include their materials into this workshop
Why are we here today? To share key resources about data sharing To share tools and materials that will support you in training your staff To meet colleagues and exchange experience To exchange and generate ideas about good practice and the way forward
Training Session Plan Introduction Warm-up session: Group Exercise Presentation: Key Training Areas & Training Tips Coffee Forum Feedback forms
Warm-up: Group Exercise Choose 1 of the 3 scenarios on the table As instructed by your facilitator each person takes a card Beginning with the oldest date each person decides who they would or would not share the information with, they then read the card to the group Debate in your groups whether or not having all of the information would change any decisions made You have 30 minutes to complete this exercise
Outcomes of Your Training Session By the end of the session, you expect your trainees to be... Familiar with the principles of data sharing Aware of resources and support materials Able to ask and answer the key questions More confident about sharing data Understand key processes better Other?
What are we trying to achieve? Excellent Customer Service Compliance with law, local agreements and practice Confidence & Engagement of Staff Data Protection SafeguardingEfficiency and Productivity Other outcomes?
Partners: With whom do we share information? Movement of homeless household to a new temporary accommodation Revenues and customs send info to the Department for Work and Pensions Sharing data about children subject to Child Protection Plans Children's Services send case information to the police Child Abuse Investigation Team Examples of multi-agency provision of public services – Inside and outside government networks Local Authorities Central Government Health Police
Exchange of Child Protection Plans with probation and other agencies Information exchange relating to a common assessment of a young person Children's Services placing a child in a care home and communicating sensitive care assessment details Examples of multi-agency provision of public services – Inside and outside government networks Partners: With whom do we share information? Criminal Justice Schools Private / Third Sector
Partners: Mapping out the interactions Take a typical service user for your area, and describe a map of the relevant data sharing interactions, by answering the following questions: Why information is to be shared What information to share What consent exists to share information Who information is to be sent to How to securely share information What to do with the information
Principles Judgement of frontline professionals Pre-designed routine Ad-hoc data sharing Pre-planned / regular data sharing
Principles Not legally required But can help in a complex legal environment Sign up to rules and processes But there is a wide agreement on the key questions and issues – and these form the basis of the best information sharing agreements Information Sharing Protocols & Agreements Partners
Guidelines and Procedures HM Government Government departments & public sector organisations Individual protocols and agreements Most effectively, various guidance documents can be used if selected and combined for your particular organisation. These guidelines are usually not legally binding but they outline key procedures and help share data confidently. They can be used to help trainees better understand: How and why specific information is being shared Key processes and procedures for routine or exceptional situations Roles and structures supporting data exchange Legal issues and how compliance with the Data Protection Act is established Security procedures to mitigate risks and ensure confidentiality. E.g., Purpose / Subject / Situation Specific Information Sharing Agreement E.g., Department for Education, NHS, local councils etc
Guidelines and Procedures A protocol is not intended to be a substitute for the professional judgement which an experienced practitioner will use in those cases and should not be used instead of that judgement The ICO It is important to be confident in sharing data where necessary in order to safeguard an individual. HM GovernmentPublic sector organisations Individual protocols and agreements Individual Judgement
Some Key Concepts Informed Consent Gillick Competency and Fraser Guidelines The Six Caldicott Principles Social Care and NHS Care Record Guarantees Pseudonymisation and de-identification
Informed Consent What constitutes consent? How to seek consent? How to explain information sharing? How to ensure that consent is informed? How to decide whose consent to seek? When and how to share information without consent?
Informed Consent Consent is an agreement to an action based on the knowledge of what the action involves and its likely consequences. To be valid, consent should be informed and freely given. Informed consent means that the person giving consent understands why information needs to be shared, who may see their information, what it will be used for and the implications of not sharing that information.
The Period of Consent The period of consent is not the same as the period during which the shared information is kept by the receiving organisation. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Data Protection Act 1998, Principle 5 The period of consent lasts for as long as the service(s) is (are) provided. However, service users can withdraw consent at any time and should be advised how to do that.
Implied vs Explicit Consent Consent does not need to be written, though a signed consent form, as evidence of consent, is good practice. Consent can also be expressed orally, or can be inferred from circumstances in which the information was given (implied consent). Reliance on implied consent is particularly common in the healthcare context. Implied consent is defined as consent which is inferred from a persons conduct in the light of facts and matters which they are aware of, or ought reasonably to be aware of, including the option of saying no (DoH Information Policy Unit, January 2001). However, if consent is relied on to meet the Data Protection Act schedule 3 condition to share sensitive personal data that consent must be explicit.
When is Consent not Required? There are circumstances under which information can be shared without consent. These include: where the subject does not have mental capacity and it is in their best interest to share information to prevent or assist in the detection of crime to protect the vital interest of the person concerned or another person, such as a life and death situation to comply with a court order. For more details see: Data Protection Act 1998 and exemptions from the DPA The Assessment of Mental Capacity Audit Tool Mental Capacity Act 2005: Deprivation of liberty safeguards - Code of Practice to supplement the main Mental Capacity Act 2005Deprivation of liberty safeguards - Code of Practice to supplement the main Mental Capacity Act 2005
Golden Rule for Data Sharing Share with consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgement, that lack of consent can be overridden in the public interest. You will need to base your judgement on the facts of the case.*
Gillick Competency-Fraser Guidelines Children and Informed Consent When deciding whether a child is mature enough to make decisions, people often talk about whether a child is 'Gillick competent' or whether they meet the 'Fraser guidelines'. For detailed guidance on children and informed consent see: Confidentiality and information sharing: children and young people (PDF, 143KB) In: NSPCC Practice Guidance. London: NSPCC, 2010NSPCC Practice Guidance. London: NSPCC, 2010 London Child Protection Procedures. London Safeguarding Children Board, 2010London Safeguarding Children Board, 2010 Unaccompanied Children Seeking Asylum: Privacy, Consent and Data Protection. ARCH, 2010Privacy, Consent and Data Protection. ARCH, 2010
Six Caldicott Principles In the NHS and Social Care services, the Caldicott principles have been adopted to guide the use of personal information. 1.Justify the purpose(s) of using confidential information 2.Don't use patient identifiable information unless it is absolutely necessary 3.Use the minimum necessary patient-identifiable information 4.Access to patient identifiable information should be on a strict need- to-know basis 5.Everyone with access to patient identifiable information should be aware of their responsibilities 6.Understand and comply with the law Each NHS Trust and local council has designated a Caldicott Guardian, who is responsible for adherence to the Caldicott principles and who can be asked for advice.
Social & NHS Care Record Guarantee The Social Care Record Guarantee (SCRG) The SCRG for England explains in a clear and concise manner how personal information is used in social care and what controls an individual has over it. It applies to both electronic and paper social care records for both Adults and Children's Services in England. The NHS Care Record Guarantee The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It also applies to both paper and electronic records. Whilst not a legal document, the Guarantee could be used as the basis for a complaint.
Pseudonymisation Pseudonymisation is concerned with enabling the NHS to undertake secondary (non-medical) use of patient data in a legal, safe and secure manner. The overall aim of implementing pseudonymisation is to facilitate: The legal and secure use of patient data for secondary purposes by the NHS (and other organisations involved in the commissioning and provision of NHS-commissioned care) NHS business to no longer use identifiable data in its non-direct care related work wherever possible NHS business processes to continue to be effective in supporting the day-to-date operation of the NHS. The implementation of pseudonymisation is based on each local organisation undertaking its own pseudonymisation as appropriate.
Pseudonymisation techniques There is no universal technique of effective pseudonymisation Rather, combinations of techniques applied to the data and controls on the recipient will need to be chosen as appropriate for the given circumstances to ensure the recipient cannot infer identities from the data. Example techniques include: stripping out / not displaying person identifiers; replacing person identifiers with other values; aggregating data; using derivations (displaying values that reflect the character of the source data); using synthetic data (mixing up elements of a dataset) etc. Reversible or irreversible pseudonymisation There may be a need to see identifiers, e.g. to check data quality issues (which are masked once data has been pseudonymised).
Pseudonymisation: Key Challenges Organisation and Processes TechnologyCulture & Skills Selecting techniques Ensuring lawful outcome Volume of data flows Data quality Pseudonymisation facilities Other? Safe Havens to store identifiable data
Process Flow: What do I do? Obtain Consent Decide on data, recipient and time Decide on data share method Send data securely
Display posters and / or leaflets Explain to the individual concerned Ensure info is understood (provide interpreter etc if needed) Identify if individual is able to give consent Identify if the situation is covered by direct continuing care Check whether law requires data share irrespective of consent Record consent / refusal in individuals record dated and time stamped Refer to the form in Appendix 1 Section 9.0 in LO ISP How and when to complete form – App. 1 Section & Inform Seek consent Record Obtain Consent Decide on data, recipient and time Decide on data share method Send data securely Process Flow: What do I do?
Establish the required content and format of the data to share Identify the necessary minimum information to meet the purpose Ensure confidentiality unless there is a robust public interest or a legal justification in disclosure Decide on the recipient. See example in LO ISP Appendix 1 Verify the identity of the person making request Record their name, position, organisation and contact details Ad hoc or regular? If regular, how often? KPIs in your organisation? (E.g., How quickly should you respond to a data share request?) What? Who? When? Data Recipient Time Obtain Consent Decide on data, recipient and time Decide on data share method Send data securely Process Flow: What do I do?
Assess the risk and potential impact of security breach Use your organisations Info security policies etc Establish the legal gateway to share this data For example see Wandsworth Borough Council ISF Decide on level of risk that is relevant to the case Across government networks Outside government networks GCmail, CJSM etc - See Data Share London website Risks? Controls? Solutions? Assess security Decide on risk controls Decide on technology Obtain Consent Decide on data, recipient and time Decide on data share method Send data securely Process Flow: What do I do?
Track the data transfer Obtain assurances from partners about their security controls Ensure secure levels of password / data encryption Ensure secure premises and containers Use approved waste disposal company / cross cut shredder (paper) Ensure securely overwritten / physical destruction (electronic) Record your decision, how you made and what data was shared Record why you decided to override the requirement to seek consent Report security breaches Process Flow: What do I do? Transfer data Store and dispose of data Record Obtain Consent Decide on data, recipient and time Decide on data share method Send data securely
Decide on the required content and format of data to be requested Decide on technology / means of data transfer Ensure secure levels of password / data encryption Ensure secure premises and containers Safe Havens Check organisational rules and procedures Ensure securely overwritten / physical destruction Use approved waste disposal company etc Check organisational rules and procedures Process Flow: What do I do? Request & Receive data Use & Store data Dispose of data Request & Receive data Use & Store data Dispose of data
Infrastructure Jointly accessible online application or database Third party encryption tools Secure web spaces or extranets GCmail CJSM Partner system, e.g. NHSmail, GSI Secure fax Anything else? For more details: The first choice if available Clearly branded LA solution Low cost & wide usage but Criminal Justice focus Applying for accounts with partners Across government networksOutside government networks
Training Tips: Warm-up Brainstorming Please name your top three... Organisations you share data with most often The sort of data you share most often Problems you encounter when sharing data Terminology useful to know Partners Information types Issues Technical terms
Training Tips: Group Work Group work is a very effective training tool and should be included in all training sessions. Group work can focus on collective problem solving and discussion of selected issues, using various cases of failure scenarios. Productive discussions can be designed around process flow, collaborative working, ambiguous situations.
Sample Group Work One Understanding the process flow What actions do I need to take and when? What concepts do I need to be familiar with at each stage?
Sample Group Work One Sample Scenarios 1.A pharmaceutical company contacts you and requests contact details of patients with a certain condition to invite them to a drug trial. 2.A parent of a 14 year old calls the GP to confirm the time of their sons drugs related appointment. 3.An insurance company asks for medical records of one of your patients. 4.Discuss a recent case when you had to share data. What did you do?
Sample Group Work One Give a copy of consent form to individual Establish if disclosure is legally required Ensure individual understands the leaflets Record consent Evaluate individuals capacity Seek authorisation Identify the minimum info required Record data share event Consult a Caldicott Guardian Other? Risk controls Best interest Robust public interest Capacity Direct continuing care Purpose specific info sharing agreement Together with your team, put these actions (rectangles) in the right order and link concepts (ovals) to relevant actions Other?
Group Work One: Instructions Together with your team, put the actions (rectangles) in the right order, using the provided scenarios Link the concepts (ovals) to the relevant actions Discuss in your group which actions or concepts have been left out and need to be added to the list Discuss differences in process for different scenarios You have 20 minutes to complete this exercise
Sample Group Work Two Raising the issues What Will Happen if we Do Share Information? What Could Happen if we Dont Share Information?
Group Work Two: Instructions Choose 1 of the 3 scenarios on the table As instructed by your facilitator each person takes a card Beginning with the oldest date each person decides who they would or would not share the information with, they then read the card to the group Debate in your groups whether or not having all of the information would change any decisions made You have 30 minutes to complete this exercise
Sample Group Work Three Deciding What to Share Would We? Could We? Should We?
Group Work Three: Instructions Pick a scenario card, work through as many scenarios as you have time for Discuss and decide if you would share the information Discuss and decide if you could share the information Discuss and decide if you should share the information You have 30 minutes to complete this exercise
Training Tips: Effective Signposting What is Data Share London?...promotes good practice in data sharing and helps people ensure that data sharing is completed legally and fairly... Long history of collaboration – roots in attempts to devise a London-wide info sharing protocol Jointly funded by Capital Ambition and the NHS Advisory board with members from across Local Government and health
Training Tips: Effective Signposting Useful Resources London Data Share: Information Sharing: Guidance for practitioners and managers (HM Government, 2008) Department for Education Information Sharing: How to judge capacity to give consent. DfE, 2011 NHS Services and Childrens Centres - how to share information appropriately with childrens centre staff. DfE and DH, 2010 Information Sharing: How to seek Consent? Department for Education, 2011 Health care Confidentiality: Guidance for doctors. General Medical Council, 2009 Confidentiality: Nursing and Midwifery Council, 2009 Confidentiality: NHS Code of Practice The Care record guarantee. NHS, 2011 Record keeping: Guidance for nurses and midwives. Nursing and Midwifery Council, 2009 (to be reviewed in 2012) Confidentiality and Information Sharing. NHS National Treatment Agency for Substance Misuse, 2003
Training Tips: Effective Signposting Useful Resources Other departments & non-governmental organisations Information sharing for community safety: Guidance and practice advice. Home Office, 2010 Sharing Information on Children and Young People at Risk of Offending. Youth Justice Board, 2005 The Social care record guarantee. NIGB, 2009 Requesting amendments to health and social care records: Guidance for patients, service users and professionals. NIGB, 2010 More information on consent and information sharing practice Other departments & non-governmental organisations Information sharing for community safety: Guidance and practice advice. Home Office, 2010 Sharing Information on Children and Young People at Risk of Offending. Youth Justice Board, 2005 The Social care record guarantee. NIGB, 2009 Requesting amendments to health and social care records: Guidance for patients, service users and professionals. NIGB, 2010 More information on consent and information sharing practice
Forum: Questions for discussion Have you encountered any issues with XX in your organisation? What are the main roots of the problems? Which solutions work well for you? Which technical tools work well / do not work for you? What are the key five things you would explain to a new member of staff involved in data sharing / about XX? Which area raises most questions from your staff? Which areas need collaborative pan-London working the most? How do you see the future of XX (data sharing)?