Health Identifiers: A Strategic Information Governance Approach
Health Identifiers: The Strategic Information Governance Perspective. Issues, Implications, and Opportunities?
Information Governance in the Irish Healthcare Sector: An overview
HIQA public consultation process: Key Themes, Messages, and Requirements
The Health Identifiers Act: Data Driven or Data Drudgery? Key legal and process requirements.
Putting Health Identifiers Information Governance in a Strategic context: One diagram to draw
Opportunities and Risks
The Legal Background: Legislative Framework
Health Identifiers Act 2014: Legislation for the creation and governance of health identifiers for individuals and health services providers.
Part 2, Section 8 of the Health Act 2007: HIQA is responsible for setting standards for all aspects of health information and monitoring compliance with those standards.
Data Protection Acts 1988 and 2003: the “Health Identifiers Operator” is a Data Controller and must follow the 8 rules of Data Protection.
The Health Identifiers Act 2014
Not an Easy Act to Read…
Why a Child of 5 could understand this (fetch me a 5 year old child)
In this Act, a Signature is an “other identifying particular” for an individual, unless it is a signature which falls within a class of signatures to which this paragraph does not apply.
Section 13 – Electronic Commerce Act 2000
13.—(1) If by law or otherwise the signature of a person or public body is required (whether the requirement is in the form of an obligation or consequences flow from there being no signature) or permitted, then, subject to subsection (2), an electronic signature may be used.
(2) An electronic signature may be used as provided in subsection (1) only—
(a) where the signature is required or permitted to be given to a public body or to a person acting on behalf of a public body and the public body consents to the use of an electronic signature but requires that it be in accordance with particular information technology and procedural requirements (including that it be an advanced electronic signature, that it be based on a qualified certificate, that it be issued by an accredited certification service provider or that it be created by a secure signature creation device)— if the public body’s requirements have been met and those requirements have been made public and are objective, transparent, proportionate and non-discriminatory, and
(b) where the signature is required or permitted to be given to a person who is neither a public body nor acting on behalf of a public body— if the person to whom the signature is required or permitted to be given consents to the use of an electronic signature
Might the Registers need to hold PGP keys as digital signatures for patients/providers?
Section 13 – A “Baked in” Data Quality Risk
Section 13(4) requires that an identifier be assigned to certain classes of health care provider that indicates the class of health practitioner the provider falls in. This is “courageous”. It is not good practice in data modelling, and will lead to data quality issues.
Data Protection Law: The 8 Principles of Data Protection
1. Fair Obtaining: Personal Data must be obtained and processed fairly.
2. Purpose Specification: It must be obtained only for one or more specified, explicit and legitimate purposes.
3. Purpose Limitation: It must not be further processed in a manner incompatible with that specified purpose or purposes.
4. Security: It must be stored safely and securely.
5. Accuracy: It must be accurate, complete and up to date.
6. Adequacy: It must be adequate for the purpose, relevant and not excessive.
7. Retention: It should not be kept longer than is necessary for the specified purpose or purposes.
8. Access: Data Subjects have right of access.
Castlebridge Associates | Invent Centre | Dublin City University, Dublin 9 | www.Castlebridge.ie
“Voice of the Customer”
Prior Consultation
Guidance notes and advice
Case Studies
Media comments
Other Relevant Legislation pending:
EU Data Protection Regulation
Legal Recognition of Gender Bill
Data Governance and Sharing Bill
INFORMATION GOVERNANCE & MANAGEMENT STANDARDS FOR HEALTH IDENTIFIERS: THE HIQA CONSULTATION
We await final standards from the consultation process
National Standards from HIQA: 5 Main Themes for Standards
Theme 1: Person-centred Support
Theme 2: Leadership, Governance and Management
Theme 3: Use of Information
Theme 4: Use of Resources
Theme 5: Workforce
HIQA expectations
We await final standards from the consultation process
Key Points for Health Information Governance Structures: Quality of Information Communication
The service user and health care provider/practitioner must be kept front and centre in the planning and execution of the Registers.
Effective governance training and skills.
Privacy of data is a key quality characteristic.
Privacy Impact Assessments will need to be ongoing.
Everything should be evidence based, with clear auditability of controls.
A Strategic Data Governance Approach: A Person-Centred focus on Outcomes
Patient Outcome Focus: The 11 Box model
Strategic: Business Strategy & Governance | Information Strategy & Governance | IT Strategy & Governance
Tactical: Business Architecture & Planning | Information Architecture & Planning | IT Architecture & Planning
Operational: Management & Execution Business Processes | Management & Usage Information Services | Management & Exploitation IT Services
Customer: Process Outcome | Information Outcome
Information Stewardship and Communication: The D3C Model™ © 2013 Castlebridge Associates
Roles are defined in context of relationship to data at a level in the organisation, not traditional “Business” and “IT” role types.
Levels: Strategic, Tactical, Operational
Roles: Doers, Definers, Deciders, Co-ordinators

The generic Governance roles can exist at different levels in the organisation.

Strategic: This is Senior management level, Business Unit Directors and Heads of Function.
Defining: At this level the focus is on the high level defining of the Information strategy and mission critical policies and procedures to do with information management.
Deciding: The Strategic level is where key decisions are taken about data, business rules, acceptability of information risks, etc. that cannot be resolved at the “Tactical” level. Decisions relating to changes in strategy, organisation models, etc. would be taken at this level.
Co-ordinating: the Strategic level of Information Stewardship ensures that other Governance frameworks in the organisation (e.g. Project Management models, Risk Management, Software Development life cycles, Procurement etc.) Where changes to Information Governance are required, they will cascade from here, and likewise, where Information Governance requires changes to other frameworks to address an issue or weakness, the need for the change will be communicated across the organisation from this level.

Tactical: This is the “day to day” line management of the organisation. As such all of the “generic” roles can be found here to a greater or lesser degree.
Doing: The “day to day” management of the business requires reports to be generated, data logged, or data analysed. This may be done by line managers or team leaders.
Defining: Line managers working as part of the “Information Strategy and Governance Working Group” are directly involved in the process of defining things, whether processes, data definitions, business rules etc. Often they co-ordinate the definition activity, with “Operational” level “definers” and “doers” contributing to the process.
Deciding: Line management are the first real layer of decision making. Whether it is in the form of decisions being taken in the Information Strategy & Governance Working Group or the decisions they take day to day based on information that is provided to them, they are responsible for ensuring that correct procedures and policies are followed and may be accountable for the outcomes of their decisions.
Co-ordinating: The line management function is key to ensuring effective co-ordination of Information Governance activities. Whether it is ensuring that updated policies, processes, and procedures are communicated to their direct reports, ensuring engagement with other stakeholders on the definition and operation of new processes, policies, or the design of new products or services, or assessing the impact of changes to reference data on other areas of the organisation, the “Tactical” co-ordinator plays a key role in ensuring that the right things are done at the right time in the right way.

Operational: The “Operational” level is the front-line of the organisation. At this level, we would expect to see stewards engaged in “Doing”, “Defining”, and “Co-ordinating” roles. “Deciding” actions are less likely unless explicitly delegated down by “Tactical” managers as part of a project or other initiative.
Doing: Operational level staff input data, extract data, generate reports, record issues, or they develop the technology solutions and methods that allow this processing to happen. They are the “front-line” of data creation and application. In this context they have direct experience of issues, problems, common short cuts, or common areas of misunderstanding about data.
Defining: Operational stewards are involved in defining data, processes, workarounds etc. in a variety of contexts. It may be the product propositions developer who defines a new process and new uses for data, or new values for reference data, as part of the roll out of a new product or service. Or it could be the call centre agent who gets involved in defining an improved work flow for selling to or serving the customer, or a Retail store staff member who defines a new way of capturing key information from customers at the point of sale.
Co-ordinating: Operational level stewards co-ordinate the feedback of issues and opportunities for improvement up the organisation. They also co-ordinate the communication of changes and updates to policies and procedures around the organisation. Crucially they play a key role in helping to co-ordinate responses to issues that might arise in a “crisis” context. In this way they are the “fire marshals” for Information in the organisation.
INFORMATION QUALITY AND OUTCOME RISKS
Implementation Lessons that Can be Learned: The Primary Online Database
Lessons Learned:
Identify and engage with the correct stakeholders.
Put the person at the centre.
Ensure clear basis for processing of currently proposed and future data.
Engage with concerns; don’t dismiss them.
Privacy Impact Assessments!
Thank you
Katherine O’Keefe, Katherine@Castlebridge.ie
Castlebridge Associates: Changing how people think about information
Data Governance Strategy | Consulting | In-house training | Coaching | Privacy Impact Assessments
www.castlebridge.ie