Introduction to Information Governance (IG) IG Policy Team NHS Connecting for Health
Key Learning Points What is Information Governance? What do YOU need To Do to make this work? Follow the Caldicott Guidelines Provide a confidential service Comply with the Law Understand the Data Protection Act Principles Recognise a Freedom of Information Act request Follow the Records Management NHS Code Keep Information Secure Input Quality Information
What is IG? IG is to do with how NHS/Social Care organisations and individuals handle information
Information means: Personal Sensitive Corporate E.g. Name, Date of Birth, Home address Sensitive E.g. ethnicity, disease, medical condition, sexual life Corporate E.g. Contracts for suppliers, minutes of meetings, finance details
Handling information means Holding it securely and confidentially Obtaining it fairly and efficiently Recording it accurately and reliably Using it effectively and ethically Sharing it appropriately and lawfully
What is IG? IG is to do with how NHS/Social Care organisations and individuals handle information IG is a series of best practice guidelines and principles of the Law to be followed by NHS/Social Care organisations and individuals
Core elements of IG Data Protection Act 1998 Freedom of Information Act 2000 Information Security Standards – ISO/IEC 17799: 2005 and IS Management NHS Code of Practice The NHS Confidentiality Code of Practice The Records Management NHS Code of Practice Information Quality Assurance
IG Toolkit Organisation Self Assessment against national set of standards. Annual submission. Adopted by NHS, Social Care, GP and Commercial Third Parties. Online Tool Process may be subject to internal and external audit Past reports available online For further information on the IG Toolkit go to: www.igt.connectingforhealth.nhs.uk
What is IG? IG is to do with how NHS/Social Care organisations and individuals handle information IG is a series of best practice guidelines and principles of the Law to be followed by NHS/Social Care organisations and individuals IG is the core foundation for high quality healthcare using good quality information
IG is the responsibility of every employee! What do YOU need To Do to make this work?
Confidentiality Do not share without consent The Caldicott Guardian 1997 Caldicott Report
Follow the Confidentiality Caldicott Guidelines Justify the purpose of using confidential information Only use it when absolutely necessary Use the minimum required Allow access on a strict need-to-know basis Understand your responsibility Understand and comply with the law
CDDFT Key Information Governance Staff Caldicott Guardian – Dr Alan McCulloch Senior Information Risk Owner – Sue Jacques (Chief Operating Officer and Director of Finance) Data Protection Officer – Lisa Wilson (Head of Information Governance & IT Security) FOI Lead – Joanna Tyrell (nee Jenkins)
If you are not sure, don’t disclose and seek further advice from your line Manager or Caldicott Guardian
Provide a Confidential Service Protect individual’s information by recording relevant data, accurately, consistently, keeping it secure and confidential. Inform a patient how their information is used and when it may be disclosed Provide choice to patients to decide whether their information can be disclosed Always look to Improve the way you/the organisation protects, informs and provides choice to the patient/clients/employees. Improve Protect Inform Provide Choice Personal information shared in confidence should not be used or disclosed further without the consent of the individual (Common Law Duty of Confidence)
Comply with the Law Data Protection Act 1998 – It is your responsibility to understand the principles in relation to your role and your organisation The Data Protection Principles Personal data must be: Processed fairly and lawfully Processed for specified purposes Adequate, relevant and not excessive Accurate and up-to-date Not kept for longer than necessary Processed in accordance with the rights of data subjects Protected by appropriate security (practical and organisational) Not transferred outside the EEA without adequate protection
Comply with the Law Can you recognise a Freedom of Information (FOI) Act Request? Dear FOI Lead I have recently undergone an operation on my hip at your Trust and would like to see all the notes in my Health Record regarding this period of care. Please give me an indication of when this information can be provided to me. Yours sincerely Betty Boo I would like to know how much the Trust is spending on the refurbishment of the A&E ward, due to be completed in March 2007. Dear Sir/Madam I would like a list of the new medical and non medical equipment being purchased for this ward. Yours sincerely Mickey Mouse A B Which of A or B is an FOI request?
What you need to know about FOI Gives the public the right to access/view all non-personal public authority information upon request Requests must be in writing All staff must know who their FOI Lead is and be able to access/refer to their contact details. The requester may not and need not quote the FOI Act The organisation must respond within 20 working days Exemptions may apply for non disclosure – FOI Lead will determine this.
What you need to know about FOI Penalties for non compliance with or breach of the Act applies to the: Organisation Chief Executive Possibly Individual staff
Follow the Records Management NHS Code of Practice Best Practice guidance states: All Staff have a legal and professional obligation to be responsible for any records which they create or use in the performance of their duties. Any record created by an individual, up to the end of its retention period, is a public record and subject to Information requests (FOI and Subject Access). Subject Access Request?
Record Lifecycle Record Lifecycle Creation Using Retention Appraisal Close Record Retention Appraisal Disposal Create & log Quality information Keep/maintain in line with NHS recommended Retention Schedule Use/handle in accordance with Data Protection Act Determine whether records are worthy of permanent archival preservation Dispose appropriately according to policy
Record Quality Information } Keep all types of information: Accurate Up to date Complete – Including NHS Number Quick and easy to find Free from duplication Free from fragmentation Better Healthcare
Keep Information Secure It is your responsibility to keep all personal and sensitive information secure Follow Organisation Policies Protect Information Physically Practice Password Management Transfer Information Securely Report Breaches of Security to Management
Information Governance is the responsibility of every employee, so keep up the good work and aim to be 100% compliant.
Further Guidance and useful links DH: Confidentiality NHS Code of Practice DH: Records Management NHS Code of Practice The Data Protection Act 1998 The Freedom of Information Act 2000 The IG Policy Team website The Department of Health website Information Commissioners Office website (more information and guidance on FOI and DPA)