Information Governance in Commissioning Mental Health Commissioners Collaborative

Introduction David Stone Head of Information Governance Apira Limited

2011/12 Standard Terms and Conditions for Mental Health and Learning Disability Services Context Law/Contract Regulation Risk/Liability Contract compliance/Assurance Incidents/Breaches Patient Identifiable Data/Secondary Use

Dear colleague Gateway Ref: We want to call your attention again to a significant change that came into force on 6 April 2010, which enables the ICO to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act Obviously we are all hoping that it will not be necessary for the enhanced powers to be exercised, but at present a significant percentage of all data breaches reported to the ICO relate to NHS organisations. The purpose of this letter is to outline the actions that we jointly recommend to ensure your systems and practices deliver adequate information governance and that commissioning criteria adequately reflect its importance. Nicholson, NHS CEO and Graeme, IC to all NHS CEOs, 05/09/11

Law/Contract Data Controller/Data Processor –The Commissioner is a Data Controller in law (27.3) –The Commissioner may be Data Controller Jointly or In-common, but remains legally liable, even after the end of the contract (for the data) –The Information Commissioner will pursue the Data Controller in the event of a breach Service Level Agreements are not valid in law (unless bound in contract) –The Data Protection Act (1998) trumps the NHS & Communities Act (1990)

Case Study In February 2011, London Boroughs of Hounslow and Ealing were fined £70,000 and £80,000 respectively under the Data Protection Act 1998 (DPA). The Monetary Penalty Notice (MPN) arose from the theft of two unencrypted laptops from an employee of Ealing Council. The laptops contained the personal data of approximately 1,000 Ealing service users and approximately 700 Hounslow service users. Hounslow were found to be in breach of the DPA because they had failed to have a valid legally contract in place with Ealing and because they had not monitored Ealing’s operational compliance of their commissioned service.

Regulation Monitor –“Monitor would look to commissioners, the Information Centre and Information Commissioner to lead on policing IG at FTs and it is not our role to otherwise interpret information requirements. Only where other bodies have exhausted their powers would Monitor generally consider acting in the absence of other breaches of the authorisation.” ( response 04/08/2011)

Regulation CQC –The Commission uses the information from the Information Governance Toolkit in our Quality and Risk Profiles. –Quality and Risk Profiles are an essential tool for providers, commissioners and our own staff in monitoring compliance with the essential standards of quality and safety. –They help in assessing where risks lie and can play a key role in providers’ own internal monitoring as well as informing the commissioning of services. ( response 10/08/2011)

Regulation Department of Health –The IGT is not a required central return as the Department of Health is just one, and not the main, interested party. The Department expects commissioners to drive improvements in provider information governance and to insist that their contractual requirement to publish an IGT assessment continues to be met.

Contract Compliance 27.2 Data Protection –The Provider shall achieve a minimum level 2 performance against all requirements in the relevant NHS Information Governance Toolkit relevant to it. Where the Provider has not achieved level 2 performance by the Service Commencement Date, the co-ordinating Commissioner may, in its sole discretion, agree a plan with the Provider to enable the Provider to achieve level 2 performance within a reasonable time.

Risk/Liability Red = Unsatisfactory in IGT

Consent 9.1 Consent –The Provider shall operate a Service User consent policy to comply with Good Clinical Practice, good Health and/or Social Care Practice and the Law NHS Care Record Guarantee Commitment 4 –Legally, no-one else can make decisions on your behalf about sharing health information that identifies you. European WP29 –Consent is recognised as an essential aspect of the fundamental right to the protection of personal data

Person Identifiable Information All health data is ‘sensitive’ under the Data Protection Act SUS is only legal for limited use (S251) –18 weeks, PBr, planning care provision Contested payments/Challenges New Safe Haven operation Pseudonymisation/secondary use

Not Applicable Contract Clauses The following clauses do not apply to data that comes with the scope of the Data Protection Act (1998) –15.5: Incident reporting –29, especially 29.9: require information Note: the contract cannot require the Provider to break the law –There may be others in the schedules

Assurance Schedule 5 –Independent audit of IGT self-assessment scores and information risk must be shared with the commissioner –Information incident reporting (or as Schedule 7) in compliance with Gateway –Information Lifecycle: what happens to the data at termination? (35/36) –Clarification of the right to disclose confidential information (39.1.4) –Transport of data using N3 –Use of NHSmail

Conclusion The Commissioner is a Data Controller in law and legally liable for what happens to the data, even after the end of the contract A legally binding contract is required by law for every commissioned service The standard commissioning contract does not meet all legal requirements without additions in Schedule 5 The standard contract is not always correct when applied to information covered by the Data Protection Act All but one MHT in London failed to meet the standard required in contract