1 Information Governance (For Dental Practices) Norman Pottinger Information Governance Manager NHS Suffolk.

Presentation transcript:

1 Information Governance (For Dental Practices) Norman Pottinger Information Governance Manager NHS Suffolk

2 Objectives
Explain what Information Governance is
Introduce you to the I.G. Toolkit
Give some pointers to completing the toolkit
Answer any questions you may have

3 A Definition
Wikipedia defines Information Governance as: “a set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information on all media in such a way that it supports an organisation's immediate and future regulatory, legal, risk, environmental and operational requirements”

4 So What?
Legal requirement
  – Supported by significant fines
  – Evolving case law
Protection of reputation
  – Breach of trust between patient and Dentist
  – Toolkit scores available to all
Protection of patients
  – Sensitive data “in the wild”
  – Potential harm/distress
  – Identity theft

5 For Example
Information Commissioner now has the power to issue fines of up to £500,000
Hertfordshire County Council fined £100,000 for misdirected fax
A4C fined £60,000 for loss of unencrypted laptop

6 There’s More!
USB memory stick lost containing details of 200 mental health patients
Unencrypted laptop stolen from home - Doctor suspended
Over 17,000 USB memory sticks left at dry cleaners during 2010

7 Information Governance
Data Protection Act 1998
Freedom of Information Act 2000
Confidentiality Code of Practice
Records Management
Information Quality Assurance
Information Security (ISO27001)
Information Governance Management

8 Dental Defence Union Advice
Avoid storing identifiable personal data on mobile devices
Have an Information Security Policy in place & ensure staff are aware of it
Never store patient data on staff home computers or laptops
Be aware of relevant ethical & legal guidance specifically from the GDC & the NHS
Prevent unauthorised access to confidential information, for example using password protection & providing members of staff, including locums, with unique passwords.

9 More…..
Ensure electronic means of communication such as fax & are secure before sending information
Report any loss of data straightaway to the nominated senior person in the Practice, so that action can be taken to prevent further breaches & the ICO can be informed, if appropriate
Take advice from IT specialists on ensuring the security of any patient information which is held electronically & this extends to sharing data & disposing of it securely when it is no longer needed.
Ensure you have a written contract, outlining confidentiality requirements, with third party suppliers such as the company that repairs & maintains your computer.

10 Manual Data
Everyone concentrates on computers - manual data is also vulnerable
  – Card indexes
  – Patient Files
  – X-ray images
  – Correspondence

11 The I.G. Toolkit
An opportunity to easily provide assurance to Commissioners and Patients
Clear expectations, understandable requirements
A “compliance check” on legal requirements
Source of exemplar documents
Source of key guidance
Robust Governance processes

12 The I.G. Toolkit
Self assessment which is auditable
Applies to all organisations who provide into the NHS
16 evidence focused requirements
  – Scored between 0 and 3
    Level 0 - Nothing done
    Level 1 - Have a plan, some preparation
    Level 2 - Have completed the plan, it works
    Level 3 - Review, monitor & update the process.

13 The Requirements (1)
Information Governance Management
Responsibility for Information Governance has been assigned to an appropriate member, or members, of staff
There is an information governance policy that addresses the overall requirements of information governance
All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities
All staff members are provided with appropriate training on information governance requirements

14 The Requirements (2)
Confidentiality and Data Protection Assurance
All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
Consent is appropriately sought before personal information is used in ways that do not directly contribute to the delivery of care services and objections to the disclosure of confidential personal information are appropriately respected
There is a publicly available and easy to understand information leaflet that informs patients/service users how their information is used, who may have access to that information, and their own rights to see and obtain copies of their records
There is a confidentiality code of conduct that provides staff with clear guidance on the disclosure of personal information

15 The Requirements (3)
Information Security Assurance
Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use
There is an information asset register that includes all key information, software, hardware and services
Unauthorised access to the premises, equipment, records and other assets is prevented
The use of mobile computing systems is controlled, monitored and audited to ensure their correct operation and to prevent unauthorised access
There are documented plans and procedures to support business continuity in the event of power failures, system failures, natural disasters and other disruptions
There are documented incident management and reporting procedures
There are appropriate procedures in place to manage access to computer-based information systems
All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers

16 Quick Wins
All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use

17

18 What you need to do
Register your practice with the toolkit
  – The I.G. lead or an “appointed administrator” needs to register first
You will need
  – Your Organisation Code (ODS Code)
  – A “work” address
Administrators can
  – Set up other users
  – Approve and submit your toolkit return

19