Data Controller Issues in context of shared records – revised guidance Information Governance Alliance Webinar:- Wednesday 6 July 2016 Chair Suzanne Lea.


2 Data Controller Issues in context of shared records – revised guidance Information Governance Alliance Webinar:- Wednesday 6 July 2016 Chair Suzanne Lea

3 Agenda
1. How to take part in this webinar
2. Information Governance Alliance – what we are and the purpose of this session
3. IGA Short Guide – Data Controller Issues (context of shared records)
4. Questions
5. Future webinars

4
- Leadership, professionalism and culture
- Information sharing and integration
- Building and sustaining public trust
- Being the authoritative source of good practice
IGA working together to share information, knowledge and expertise
IGA focus for 2015 Focus 2016 / 17

5 IGA focus for 2015 Publication schedule
Preparing for publication:
- Records Management Code of Practice
Consultation finished:
- Limits of Implied Consent
- Introduction to information governance
- Information governance summary for all staff
- Guidance on fair processing and informing service users
- Disclosure of personal information to police
In development – not yet ready for consultation:
- IG Glossary
- Anonymisation guidance
- Many other short guides

6 IGA focus for 2015 Networks of professionals
If you would like support in starting or further developing a local group, please email us

| Professional group | Network status |
|---|---|
| IG leads | well established regional groups with a regular national meeting |
| Caldicott Guardians | a few regional groups |
| SIROs | just starting |
| Records Managers | just starting |

7 Data Controller Issues in context of shared records Phil Walker

8 Motivation of Guide:
- Growing significance for care system of chronic and multiple conditions and the emphasis of placing service users / patients at the centre of care
- Local investment and significance of shared records
Purpose of Guide:
- Provide support for decisions on Data Controllers
- Identify key issues and present methods of addressing these
IG Background for Guide:
- Data Protection Act
- Common Law Duty of Care and associated Confidentiality
- Management of liabilities
- Proposed governance arrangements
- Providing operational services in support of shared records
Data Controller Issues (context of shared records)

9 Data Controller and flow of information

| Different relationships in the care landscape relevant to flow of data and responsibilities | Notes |
|---|---|
| Data Controller to Data Processor to Data Controller | Contractual relationship e.g. Southend, Waltham Forest East London and the City local Digital Care Records |
| Data Controller to Data Controller | e.g. referral, discharge summary |
| Data Controller to Data Controller to Data Controller | e.g. Summary Care Record, Leeds, Bristol local Digital Care Records |
| Data Controller in Common | e.g. North West London local Digital Care Records |
| Joint Data Controller | Unusual circumstance |

10 Detail of Guide
- Who is a Data Controller?
- Joint or Common Data Controllers?
- Data Processors
- Who are the Data Controllers for NHS Patient Data?
- What does this mean in practice?
- Checklist of Key Issues for Inclusion in Local Framework Agreement or MoU
Data Controller Issues (context of shared records)

11 Trade off between:
- Securing local buy in and
- KISS
Hard to see how multiple unengaged ‘data controllers’ are actually data controllers
Pros and Cons

12 Getting Data Processor arrangements right

| No. | Data Controller Responsibilities | Data Processor & System Requirements |
|---|---|---|
| 01 | To ensure that data subjects have access to fair processing information that tells them: who their personal data will be shared with; the purposes that their personal data will be used for; the choices they have and how to exercise those choices | Data Processor to provide all data controllers with details of the third parties with which personal data has been disclosed |
| 02 | To decide whether or not to collect personal data | System must support authorised data collection and prevent unauthorised collection |
| 03 | To ensure there is a lawful basis for collecting the data | N/A (Data Controller responsibility) |
| 04 | To decide which items of personal data to collect | System must support data controllers to enable all necessary data to be recorded in appropriate formats |
| 05 | To decide which individuals to collect data about | System must support authorised data collection |
| 06 | To decide whether subject access and other individual rights apply | System must support data controllers to consider and meet individual rights e.g. subject access |
| 07 | To determine the purpose(s) that the data will be used for | System must enable the data controller to undertake activities specified in the data processor contract and prevent personal data being processed for other purposes |
| 08 | To decide whether to disclose personal data | System must not permit personal data to be disclosed without the data controller's authorisation, but must facilitate authorisation process where appropriate |
| 09 | To decide who to disclose personal data to | System must enable the data controller to choose whether or not to disclose personal data to any particular recipient and to select one recipient but not another |
| 10 | To decide what personal data to disclose – proportionality, necessity, granularity | System must enable the data controller to determine which data items should be disclosed to each recipient or potential recipient. Data controllers may elect to utilise a consistent data specification if one is available e.g. which data items to share with a care home |

13

| No. | Data Controller Responsibilities | Data Processor & System Requirements |
|---|---|---|
| 11 | To share personal data when required by statute e.g. the duty to share introduced by the Health & Social Care (Safety & Quality) Act 2015 and the requirement to include the NHS Number also introduced by that Act | To enable required personal data to be shared when authorised by the data controller with any third party where this is required by law (and to be developing any necessary functionality where this currently does not exist) |
| 12 | To ensure there is a lawful basis for disclosing personal data with the data processor and with other data controllers | N/A (Data Controller responsibility) |
| 13 | To determine how long personal data should be retained | System must support national minimum retention requirements and facilitate compliance with the 20 year rule |
| 14 | To authorise any amendments to the personal data held | System must not permit any amendments to personal data that have not been specifically authorised by the data controller and should facilitate data to data controller contact and joint resolution where there is record confusion or duplication |
| 15 | To choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out | Data Processor must provide reasonable assurances as specified in the data processor contract |
| 16 | To take reasonable steps to ensure data processor compliance with those security measures | Data Processor must facilitate an audit of security measures by the data controller or an appointed agent and must make the results of such audits available to all data controllers using the system |
| 17 | To restrict access to confidential personal data on a need to know basis and to system functionality on a role/position basis | Where data processors are also the system suppliers for the data controller’s IT system they must ensure that the available controls facilitate the data controller meeting relevant requirements |
| 18 | To ensure that data processing is carried out under a contract— (i) which is made or evidenced in writing, and (ii) under which the data processor is to act only on instructions from the data controller | Data Processor to provide assurance as specified in the data processor contract that all processing of a data controller’s personal data has complied with this requirement and that no processing has been undertaken without instruction |

14 Feedback:
- Is this Guide useful?
- Is this correct?
- Is this sufficient?
- How can this be improved?
Data Controller Issues (context of shared records)

15 Questions Poll Email: iga@nhs.net www.hscic.gov.uk/iga

16 Webinars summer 2016

| Date | Title |
|---|---|
| 06 July | Updated IGA guidance for data controllers for shared records |
| 20 July | National Data Guardian review of consent and security |
| 03 August | The new European Union General Data Protection Regulations |

We are seeking suggestions for future webinars in the autumn

17 Email: iga@nhs.net www.hscic.gov.uk/iga

