Information Governance

Presentation transcript:

Information Governance Practice Manager’s Meeting – Thursday 14th June 2018 Paul Cook – CCG IG Lead – paul.cook14@nhs.net

Key Changes since April 2018
- Data Security and Protection Toolkit
- General Data Protection Regulation (GDPR)
- Data Protection Act 2018
- National Data Opt-out Programme (NHS Digital)
- Your Data Matters (ICO)

Data Security and Protection Toolkit
The Data Security and Protection Toolkit replaces the previous Information Governance toolkit from April 2018. It's an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian's ten data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

Data Security and Protection Toolkit
The new Data Security and Protection Toolkit can be found at: https://www.dsptoolkit.nhs.uk/
- If you completed version 14.1 IG Toolkit by 31st March 2018, NHS Digital have recently sent you an email to register your practice for the new toolkit.
- Still only one submission – 31st March 2019 / Annually 31st March
- NHS Digital are running some webinars for GP Practices on the new toolkit – 28 June at 12.30pm, 24th July at 12.30pm, 30th August at 12.30pm
- For more event details, please visit https://www.dsptoolkit.nhs.uk/news

Data Security and Protection Toolkit
Evidence Text - GP / Tool tips - GP / Required to meet standard (mandatory) - GP
STANDARD 1 - handling, storage and transmission of personal confidential data
- Name of Caldicott Guardian. A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people's health and care information and making sure it is used properly. This can be the same person as other roles highlighted. Yes
- Who are your staff with responsibility for data protection and/or security? Record names and job titles only for staff who have a specialised role.
- Name of Appointed Data Protection Officer. A Data Protection Officer (DPO) is a role mandated for public bodies, for organisations carrying out regular and systematic monitoring of data subjects on a large scale, and for organisations carrying out large scale processing of special categories (e.g. health and social care) data or criminal convictions data. The DPO advises the organisation on data protection matters, monitors compliance and is a point of contact on data protection for the public and the ICO. If not relevant for your organisation mark N/A.
52 Requirements / not scored in levels - 0, 1, 2, or 3 / Evidence based
CQC has now included Information Governance / Data Security Standards in their inspections

General Data Protection Regulation (GDPR)
What are the key changes for GP Practices?
GDPR came into force on 25th May 2018
- All public authorities must appoint a Data Protection Officer (DPO)
- Who can be a DPO? A Practice Manager, or one of their colleagues, can be appointed as DPO in addition to their existing roles as long as they have some data protection experience and are not the final decision taker about data use in the organisation (which would be seen as a conflict of interest). The current ICO advice about an employee being a DPO is that this is acceptable; “… as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests”.
- Who has appointed one?

General Data Protection Regulation (GDPR)
The principal tasks of the DPO from the GDPR are:
- to provide advice to the organisation and its employees on compliance obligations
- to advise on when data protection impact assessments are required and to monitor their performance
- to monitor compliance with the GDPR and organisational policies, including staff awareness and provisions for training
- to co-operate with, and be the first point of contact for, the Information Commissioner
- to be the first point of contact within the organisation(s) for all data protection matters
- to be available to be contacted directly by data subjects – the contact details of the data protection officer will be published in the organisation’s privacy notice
- to take into account information risk when performing the above.

General Data Protection Regulation (GDPR)
- Update Privacy Notice / Fair Processing Notice
- Data Protection Impact Assessments (DPIA): A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. It has been best practice, but it is now a legal requirement under GDPR / Data Protection Act 2018 to carry one out when processing data that is high risk to individuals (Health Data).
- Subject Access Requests (SAR)
- No charge for copies of records
- Make use of Patient On-line
- 30 Day Compliance / not 40 days as previous

Data Protection Act 2018
The Data Protection Act 2018 replaces the Data Protection Act 1998
Came into force 25th May 2018 following royal assent
It has brought the UK Data Protection laws in line with the EU GDPR.
The old 8 Data Protection Principles have been replaced with 6 new principles:
- processing be lawful, fair and transparent
- the purposes of processing be specified, explicit and legitimate
- personal data be adequate, relevant and not excessive
- personal data be accurate and kept up to date
- personal data be kept for no longer than is necessary
- personal data be processed in a secure manner

National Data Opt-out Programme
https://digital.nhs.uk/services/national-data-opt-out-programme
Launched on 25th May 2018
It's a new service that allows people to opt out of their confidential patient information being used for research and planning. It's in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.
All health and care organisations are required, by March 2020, to have applied these preferences in all research and planning situations in which confidential patient information is used.

National Data Opt-out Programme
The national data opt-out will replace the previous ‘type 2’ opt-out, which required NHS Digital to refrain from sharing a patient’s confidential patient information for purposes beyond their direct care. Any person with an existing type 2 opt-out will have it automatically converted to a national data opt-out from 25 May 2018 and will shortly receive a letter giving them more information and a leaflet explaining the new national data opt-out.
Patients are asked to set the preference at https://www.nhs.uk/your-nhs-data-matters/
Does not replace the Summary Care Record / SCR Additional Information

Your Data Matters (ICO)
https://ico.org.uk/your-data-matters/
Your Data Matters is a national campaign run by the Information Commissioner's Office (ICO)
Launched 25th May 2018

CCG GP IG Support
- NHS England have had the responsibility for IG with GP Practices
- A new GP IT Operating Model to be launched
- NHS England have made the decision to devolve responsibility for IG support for GP Practices to CCGs.
- The CCG will be recruiting a new role as GP IG Lead to support Practices with their IG queries etc., once the detail around what is required is released by NHS England.

Any Questions? Paul Cook Information Governance Lead / Data Protection officer NHS Ipswich and East Suffolk CCG NHS West Suffolk CCG Email: paul.cook14@nhs.net