INFORMATION GOVERNANCE PRESENTATION


1 INFORMATION GOVERNANCE PRESENTATION
Gemma Kerr, Information Governance Co-ordinator, on behalf of Essex CCGs. Version 0.3, March 2015

Notes: Introductions. Explain that this training is instead of the Refresher Module; anyone who has not done the e-learning before must complete the Introduction to IG module on the IG Training Tool (IGTT). Warn that some slides are wordy. Questions at the end, but feel free to ask throughout; if there are too many we will defer them to the end. We will take a break in an hour's time. No fire alarm tests are planned, so if the alarm sounds leave by the nearest exit.

2 Purpose of Training
- IG Toolkit requirement (NHS Digital): IG Statement of Compliance (IGSoC) and the N3 connection
- The NHS holds some of the most sensitive information there is, in one place; staff need to be educated and the public reassured (trust)
- To ensure that you are aware of your responsibilities

Notes: Why do this training? The NHS holds millions of patient records, all containing sensitive and highly confidential information. NHS staff are trusted to handle that information appropriately, so you need to understand your responsibilities and why compliance is as much in your own interest as in the patients'. One reason it is in your best interest: individuals can be fined or criminally prosecuted for non-compliance with NHS IG legislation. In the CCG world you currently have very limited, if any, access to patient information, but it is not impossible that you will come into contact with it at some point, and this training also applies to staff information. Training is a requirement for reaching level 2 of the NHS Digital IG Toolkit. It protects you as well as the information and systems you work with (ICO fines etc.). This face-to-face training is an alternative to the e-learning; you may do one or the other.

3 IG Toolkit - What's it all about?
A performance tool produced by HSCIC (now NHS Digital) for the Department of Health. It draws together legal rules and central guidance and presents them in one place as a set of IG requirements. Organisations are required to carry out self-assessments of their compliance against the IG requirements. There are different sets of IG requirements for different organisational types, but all organisations have to assess themselves against requirements for:
- Management structures and responsibilities;
- Confidentiality and data protection; and
- Information security.
The IG Toolkit is an online self-assessment for which evidence must be provided annually.

Notes: The Information Governance Toolkit draws together the legal rules and central guidance set out by DH policy and presents them in a single standard as a set of information governance requirements. CCGs and other NHS organisations are required to carry out self-assessments of their compliance against the IG requirements every year. Evidence is uploaded and reviewed annually to support each level of each requirement. Each requirement has three levels. CCGs have 28 requirements and must reach a minimum of level 2 for each one. Some examples of requirements we need to evidence: 95% of staff have completed mandatory IG training and passed the relevant assessment; data flow mapping to identify and risk-assess how information flows in and out of the organisation; an Information Asset Register to identify and risk-assess all information assets held; IG policies and procedures in place, accessible and understood by staff (this is where the IG Resource Guide comes in: a staff handbook and declaration form which all staff must sign). It is a requirement of the IG Statement of Compliance that we achieve a minimum of level 2 for all requirements; if we fail to do so we could lose our N3 connection, which we need in order to operate. The public have access to all IG Toolkit scores.
Organisations bidding to provide a new service will not be considered without passing the IG Toolkit.

4 Information Governance - The Core Elements
- Better healthcare: a confidential service
- Law
- NHS Codes of Practice and guidelines
IG is a framework for the NHS to handle all information about patients and employees legally, securely, efficiently and effectively.

Notes: So why do we need Information Governance, and what is it? The purpose of information governance in the NHS is to ensure a confidential service is provided in order to deliver better healthcare. We need to provide the confidential service the public expect while sharing the right information with the right people at the point of need, so that care is safe and efficient. Information Governance gives employees a consistent way to deal with the many different rules about how information is handled or processed. Within the NHS there are several guidance documents and codes of practice to abide by when using information, such as the Confidentiality Code of Practice, the Records Management Code of Practice and the Information Security Code of Practice. The codes and guidance exist to help us comply with information law such as the Data Protection Act 1998, the common law duty of confidentiality and the Health and Social Care Act. We will look at these in more detail on the next slide.

5 IG Acts, Legislation, Guidance and Codes of Practice
Acts and legislation:
- The Data Protection Act 1998
- The common law duty of confidentiality
- The international information security standard ISO/IEC 27001
- The Freedom of Information Act 2000
- The Human Rights Act, Article 8
Guidance and codes of practice:
- Caldicott Review and Principles
- The Confidentiality NHS Code of Practice
- The NHS Care Record Guarantee for England
- The Social Care Record Guarantee for England
- The Information Security NHS Code of Practice
- The Records Management NHS Code of Practice
- The Code of Practice for the Management of Confidential Information (to be published in 2013)
Processing/handling information is defined as: obtaining it fairly, recording it accurately, using it effectively and ethically, storing it securely, sharing it appropriately and destroying it in a timely manner.

Notes: This slide shows the key Acts (blue font on the slide) and the codes and guidelines (black font) relevant to IG. The DPA covers the processing of personal and sensitive personal information about living individuals (revisited later). The common law of confidentiality is not a written statute; it derives from case law, but it stands in a court of law. ISO/IEC 27001 is the specification for an information security management system (a framework of policies and procedures covering the legal, physical and technical controls involved in an organisation's information risk management). You have probably heard of the Freedom of Information Act (FOI); it was used to uncover the MPs' expenses scandal a few years ago. FOI gives the public access to information held by public bodies, since they are paid for with public funds. It does not give access to the requester's own personal information; requests for that are made under the DPA (subject access).
Article 8 of the Human Rights Act says everyone is entitled to respect for their private and family life; there are exemptions, such as where someone is at risk of harm, for the prevention and detection of crime and fraud, and in the public interest. Article 10 (freedom of expression) often conflicts with Article 8. Caldicott relates to the sharing of information: originally there were six good-practice principles, the Caldicott 2 review added principle 7 (the duty to share), and more recently the National Data Guardian review updated the guidance again, introducing three leadership obligations and ten data security standards to consider when handling and sharing information. We will look at the key Acts and guidance in more detail later.
All of the above cover the processing/handling of information, which means:
- Obtain it fairly (have the relevant consent in place and tell the subject how it will be used)
- Record it accurately (keep it up to date and correct)
- Use it effectively and ethically (make it available at the point of need to those with a legitimate reason to access it, and use it only for the stated purpose(s))
- Store it securely (restrict access to those authorised to see it; lock it away when not in use or store it on a restricted-access, encrypted server)
- Share it appropriately (only with those who have a legitimate right to it, when appropriate, seeking consent where necessary)
- Destroy it in a timely manner (check the Records Management Code of Practice retention schedules for the recommended retention period, appraise the record, and if it is no longer required destroy it by cross-cut shredding, pulping or incineration; hardware should be securely destroyed by IT)

6 Why Comply?
- Fulfil our legal obligations
- We promise a confidential service in the NHS
- ICO enforcement; fines of up to £500,000
- Reputation and patient/service user trust
- To protect yourself and the organisation you work for

Notes: So why comply with information law and the guidance available to us? The most important point is that all of these laws, codes, guidance documents, policies and this training exist to protect you just as much as the information you work with. Fines of up to half a million pounds can be issued to organisations for breaches, and individuals can be prosecuted where a breach was deliberate or negligent. Disciplinary action, and dismissal if serious enough, can also apply.
Legal obligations: DPA, common law duty of confidentiality, Human Rights Act, FOI Act, Health and Social Care Act. Confidential service: patients expect us to protect their information and treat it confidentially; we also have the common law duty of confidentiality and the NHS Confidentiality Code of Practice to comply with. The Information Commissioner's Office (ICO) is the information regulator: it receives complaints and reports of serious incidents, conducts audits and investigations, and can take enforcement action, which could be an enforcement notice requiring certain measures, a fine of up to £500,000, or a criminal prosecution of individuals who have deliberately or negligently caused a breach. Loss of patient trust would be a disaster for the NHS: relationships between patients and clinicians would be harmed, there could be implications for care, negative media coverage, and the organisation could be scrutinised or investigated, lose funding or be closed.
Failing just one of the 28 requirements means the IG Toolkit is failed. Scores are public, so you could lose public trust; other organisations may stop sharing information you need in order to function; and if you bid to provide a new service you will not be considered without a passed IG Toolkit.

7 Types of Information
Confidential:
- Private information about you
- Information given to someone who has a duty of confidence
- You expect it to be used in confidence
- UK law says health information is confidential
Personal:
- Name
- Address / postcode
- Date of birth
- Phone numbers
- Other: bank details, salary etc.
- Essentially anything that can identify someone
Sensitive personal:
- Racial/ethnic origin
- Political/religious beliefs
- Criminal record
- Medical records
- Anything that could cause harm to a person or their reputation
Anonymous:
- No references or identifiers
- Postcode
- Cannot be matched to anyone
- Statistics rather than detail

Notes: Briefly: confidential information is private or restricted information intended to be kept secret. If information is given in circumstances where a duty of confidence is expected to apply, it cannot normally be disclosed without the individual's consent. In practice this means all patient information, whether held on paper, on computer, in visual or audio recordings or in the memory of the professional, must not normally be disclosed without the patient's consent. The patient's age or state of mental health is irrelevant. Personal information is data that relates to a living individual who can be identified from the data, or from the data together with other information in, or likely to come into, the possession of the data controller; it includes any expression of opinion about the individual. Sensitive personal data is a specific set of categories defined by the DPA 1998 (racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, and offences or alleged offences); it is information whose release could cause distress, harm or damage to reputation. Anonymous information is information from which identifying particulars have been removed so that it can be used for statistical or other purposes without any individual being identified. Pseudonymised information has identifiers removed and replaced with unique codes; only those authorised to know the data subject's identity hold the key that maps codes back to identifiable data. Pseudonymised data is still personal data in the hands of anyone who holds, or can obtain, that key, so the key must be stored and access-controlled separately from the dataset.
Version 0.1
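The pseudonymisation described above, as an added example that is not part of the original presentation. It shows the point practitioners most often get wrong: the "key" that allows authorised staff to map codes back to people must be a secret held separately from the dataset, because a plain hash of an identifier such as an NHS number is not a pseudonym at all (the identifier space is small enough to enumerate and the hash can be reversed by trial). The records, NHS numbers and key are constructed for the example; the NHS numbers are made up.

```python
"""Keyed pseudonymisation of identifiable records, with a demonstration of
why an unkeyed hash does not count as pseudonymisation.

Added example; the records, NHS numbers and key below are constructed for
illustration and are not real data.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample extract: identifiers plus one sensitive field.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"nhs_number": "9434765919", "name": "A. Example", "postcode": "CM1 1AA", "condition": "asthma"},
    {"nhs_number": "9434765870", "name": "B. Example", "postcode": "CM2 2BB", "condition": "asthma"},
    {"nhs_number": "9434765900", "name": "C. Example", "postcode": "SS1 1CC", "condition": "COPD"},
]

# Fields that identify a person; they must not leave with the dataset.
IDENTIFIERS = ("nhs_number", "name", "postcode")


def pseudonym(identifier: str, key: bytes) -> str:
    """Derive a pseudonym from an identifier with HMAC-SHA256.

    The same identifier and key always give the same token, so one patient's
    records can still be linked across extracts, but without the key a token
    cannot be recomputed from a guessed identifier.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict[str, str]], key: bytes):
    """Replace identifiers with a pseudonym.

    Returns (pseudonymised records, key table). The key table and the key
    itself are the re-identification secret: store and access-control them
    separately from the pseudonymised dataset.
    """
    pseudonymised = []
    key_table: Dict[str, str] = {}
    for record in records:
        token = pseudonym(record["nhs_number"], key)
        key_table[token] = record["nhs_number"]
        stripped = {field: value for field, value in record.items() if field not in IDENTIFIERS}
        pseudonymised.append({"pseudo_id": token, **stripped})
    return pseudonymised, key_table


def reidentify(token: str, key_table: Dict[str, str]) -> Optional[str]:
    """Map a pseudonym back to the NHS number; only key-table holders can do this."""
    return key_table.get(token)


def unkeyed_hash(identifier: str) -> str:
    """The weak approach: a plain hash with no secret."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


def reverse_by_enumeration(target: str, candidates: List[str], hash_fn) -> Optional[str]:
    """Dictionary attack: hash every candidate identifier and look for a match.

    NHS numbers are ten digits with a check digit, so the whole space is
    enumerable offline; a constructed candidate list stands in for that sweep.
    """
    for candidate in candidates:
        if hash_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    demo_key = b"\x00" * 32  # constructed demo key; generate a random one in practice
    data, table = pseudonymise(SAMPLE_RECORDS, demo_key)
    print(data)
    candidates = [r["nhs_number"] for r in SAMPLE_RECORDS]
    # Unkeyed hash: the attacker recovers the NHS number without any secret.
    print(reverse_by_enumeration(unkeyed_hash("9434765919"), candidates, unkeyed_hash))
    # Keyed pseudonym: the same attack fails without the key.
    print(reverse_by_enumeration(data[0]["pseudo_id"], candidates, unkeyed_hash))
```

Whoever holds the key (or the key table) can re-identify every record, so the dataset handed to analysts and the key held by the authorised few are two assets with different owners and different access controls on the Information Asset Register.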

8 Scenarios
1) Mr Smith orders some new car mats on eBay. At the checkout he is prompted to enter his name, contact number, address and card details for payment. Which TWO categories would this come under?
2) A GP receives a survey to fill out for Public Health England. The survey asks how many patients on the surgery's asthma register are smokers and how many of those smokers have been issued smoking cessation packs. Which category would this come under?

Notes: Split into groups of two or three and assign each group a number between 1 and 4. Go back to the Types of Information slide and give a few minutes for them to decide which type of information each scenario falls under. Ask for answers.

9 Scenarios (continued)
3) Care House Nursing Home submits an invoice to Essex CCG containing the invoice number, date, description of the item being invoiced ('2 weeks respite care'), the amount due and a unique reference code. A select few people within the CCG who have access to the secure inbox the invoice is sent to will match the unique code against the relevant contract to identify the patient whose care is being invoiced. Which category would this come under?
4) Mrs Mitchell attends her GP appointment to obtain her routine prescriptions. While there, she makes general conversation with the doctor and, amongst other things, tells him that she is feeling very down at the moment because she is concerned for her daughter, who is having marriage problems. Which category would this come under?

10 Patient right to object to processing / opt-out
Patients have the right to opt out (via their GP) of their information being shared or used for purposes beyond their direct care. There are two types of opt-out:
- Type 1: the patient does not want their identifiable information shared outside their GP practice for purposes beyond direct care (other than where required by law).
- Type 2: NHS Digital collects information from a range of places where people receive care. A type 2 opt-out is used when the patient does not want NHS Digital to share their identifiable information with others for purposes beyond their direct care. This is also recorded by the GP.

Notes: Read the slide. You must re-obtain consent each time you wish to use or share identifiable information for a purpose other than the one it was originally collected or shared for. Parent/guardian consent is required for the use of PID relating to minors.

11 Information Asset Registers & Data Flow Mapping
Data Flow Mapping
Purpose: all transfers of hard-copy and digital personal and sensitive information must be identified, mapped and risk-assessed, and technical and organisational measures adequate to secure these transfers must be implemented. Only routine flows of information need to be mapped, i.e. those that occur on a regular basis. There are four elements to consider for every transfer:
- Data: what information is being transferred
- Format: hard copy, electronic file, email, CD etc.
- Transfer method: post, fax, etc.
- Location: GP surgery, commissioners, hospital
Information Asset Registers
Purpose: organisations must ensure that all of their information assets that hold or process personal data are protected by technical and organisational measures appropriate to the nature of the asset and the sensitivity of the data.
Assets: paper records, electronic records, reports, audits, audio, images, scans, complaints, computing hardware, emails, mobile devices and removable media, databases, backup and archive data, staff members.
Who completes them? Information Asset Owners, with the assistance of Information Asset Administrators.

Notes: Both of these are requirements of the IG Toolkit and are completed/updated annually. Once we have your updated versions, the IG team risk-assesses the information you provide; if further information is required or security needs to be improved, we will be in touch to discuss. It is important to know what information flows in and out of the organisation, and to mitigate any risks, because we must be transparent with the public about what information we hold, the purposes it is used for and who it is shared with.

12 Key IG Roles & Responsibilities
- Caldicott Guardian: protects patient information; a clinician at Board level; the 'conscience of the organisation'; information sharing, access to records requests, data mapping, ensuring all staff are trained.
- Senior Information Risk Owner (SIRO): Board level; risk management; providing the Board with assurance; incidents; sign-off of the Information Asset Register.
- Information Asset Owner (IAO): owns an asset (or assets) and the associated risk; responsible for testing and monitoring the asset and providing assurance to the SIRO.
- Information Asset Administrator (IAA): assists the IAO; operational staff with day-to-day responsibility for the asset.
- Corporate/Records Manager: file management, archiving, secure disposal of records, secure transfer of information.
- Data Quality Lead: ensures the quality of data across all systems, identifies regular or consistent errors and identifies training needs.

Notes: We have touched on different roles with IG responsibilities; this slide defines them. All of us are responsible for handling information appropriately and in accordance with the law and NHS policies and procedures. Within each CCG the key IG roles above also apply. Ask whether they know who holds each role (Caldicott Guardian, SIRO). Information assets are systems, programmes, databases, hardware, software, information or personal expertise; the heads of department responsible for the assets within their department are the Information Asset Owners. The IAOs for your CCG were identified during creation of the CCG's Information Asset Register, which is a requirement of the CCG's IG Toolkit. The Information Asset Administrators were also identified during development of the IAR; these are the staff who work with the asset day to day. The Records Manager should be the first point of contact for staff queries about storage, filing, archiving, retention periods, secure disposal of information etc.
The Data Quality Lead is responsible for ensuring that the highest quality of information is used across all systems. If any data quality concerns are noticed or brought to the Data Quality Lead's attention, they should work closely with the owner of the asset/system concerned and, if necessary, the SIRO to advise of any risks identified; further training should also be provided to the people concerned. Other roles: IG Champion, FOI Liaison. There is a handout in your pack stating who holds each of these roles within your CCG.

13 Data Protection Act 1998 - What's it all about?
An Act of Parliament which defines UK law on the processing of data about identifiable living individuals. The eight data protection principles are that personal data must be:
1. Processed fairly and lawfully
2. Obtained and used only for specified purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than necessary
6. Processed in accordance with the rights of the data subject
7. Protected by appropriate security
8. Not transferred outside the EEA without adequate protection

Notes: The eight principles to follow when processing/handling information about living individuals:
1) Fairly and lawfully: you must have legitimate grounds for collecting and using personal information; not use it in ways that have unjustified adverse effects on individuals; provide privacy notices explaining how and why you use information; handle it in ways people would reasonably expect; and do nothing unlawful with it.
2) Specified purposes: be clear from the outset why you need the information and what you intend to do with it; provide privacy notices; comply with the notification requirements (the Act requires notification, sometimes called registration, with the ICO; the register is public and records what information organisations process and why). This principle also covers consent, which must be obtained if you intend to use the information for any purpose other than the one originally stated, including sharing it with others.
3) Adequate, relevant and not excessive: hold information sufficient for the purpose and use the minimum necessary.
4) Accurate and up to date: ensure the information is accurate, clear and current.
5) Not kept longer than necessary: review how long you keep data, decide retention using the Records Management Code of Practice schedules (which give suggested retention periods), and securely delete or destroy out-of-date information and information no longer required.
6) Processed in accordance with the rights of the data subject. Data subjects have the right:
- to access their information;
- to object to processing likely to cause damage or distress;
- to prevent processing for direct marketing;
- to object to decisions taken by automated means;
- to have inaccurate information corrected or erased;
- to claim compensation for damage caused by breaches of the Act.
7) Protected by appropriate security: assign someone in the organisation responsibility for information security; put the right physical and technical security in place; embed policies and procedures; train staff and raise awareness; and be ready to respond to any security breach swiftly and effectively.
8) Not transferred outside the EEA without adequate protection, unless an adequate level of protection for the rights and freedoms of data subjects can be demonstrated in relation to the processing.

14 The GDPR replaces the Data Protection Act 1998 (DPA) in the UK
The GDPR replaces the Data Protection Act 1998 (DPA) in the UK. It is a European Regulation and applies not only to organisations in the EU but to the processing of personal data about individuals in the EU wherever that processing takes place, inside or outside the EU. It is very similar to the DPA, but provides more detail and adds a new accountability requirement: we must be able to demonstrate how we comply with its principles. Some areas have also been strengthened; for example, individuals have more rights in relation to their personal information. It applies from 25 May 2018. Brexit does not affect the GDPR.

15 Some of the key differences between the DPA and GDPR:
- Fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is greater (DPA: up to £500,000).
- Applies to organisations outside the EU that process the data of individuals in the EU. The previous Data Protection Directive was implemented separately by each EU country, with great variation between local versions; transfers to the US formerly relied on Safe Harbor.
- Personal data is defined broadly as anything relating to an identifiable person, including genetic, mental, cultural, economic and social identity (formerly just the obvious identifiers such as name, address and date of birth).
- Consent now requires a clear affirmative action; pre-ticked boxes and opt-outs can no longer be used.
- The right to be forgotten (erasure) is a new additional right (with exemptions, such as medical records and where the law requires information to be kept).
- Individuals may request a copy of their personal data in a portable, machine-readable format (the DPA only requires that they be given access, without stating the form).
- Parental consent is required where consent is relied on to offer online services to children under 16 (member states may lower this age to 13).

16 Key differences (continued)
- Organisations whose core activities involve large-scale processing of personal data, and all public authorities, will be required to appoint a Data Protection Officer.
- Controllers must report breaches that are likely to result in a risk to individuals' rights to the supervisory authority within 72 hours of becoming aware of them; where the risk is high, the affected individuals must also be told.
- Data Protection Impact Assessments (the GDPR name for Privacy Impact Assessments) will be required for processing where privacy risks are high.
- Privacy by design and by default is introduced, covering all new products, systems and processes at the design and development stages.
- Data controllers must ensure adequate contracts are in place to govern data processors.
- Data processors can now be held directly accountable for the security of personal data (under the DPA the controller was responsible).
- Controllers need a lawful basis for collecting and processing personal data. Public authorities such as CCGs can no longer rely on 'legitimate interests' for processing carried out in the performance of their public tasks (it remains available to other organisations).
- An organisation operating in several member states deals with one lead supervisory authority, in the member state of its main establishment, which coordinates with the other national authorities. Each member state (including the UK) keeps its own supervisory authority (in the UK, the ICO).

Notes: Privacy impact assessments will be required by law for all new projects where privacy may be affected; currently they are just good practice.

17 Privacy Impact Assessments
A process which helps assess the privacy risks to individuals in the collection, use and disclosure of personal information. Projects that involve using personal information or intrusive technologies give rise to privacy issues and concerns. To enable an organisation to address these concerns and risks, a technique referred to as a Privacy Impact Assessment (PIA) must be used. Risks identified through this process can then be managed by gathering and sharing information with key stakeholders (for example Governing Bodies, Audit Committees, patients/service users and staff themselves). Systems can then be designed to avoid unnecessary intrusion into people's privacy where possible, with privacy features built in from the outset, reducing the likelihood of privacy intrusion.

18 How to Comply: Common Law Duty of Confidentiality
- Only access staff, patient or service user information if you have their consent or a legal basis to do so.
- Only access commercially sensitive information if you have consent or a legal basis to do so.
- Do not pass on any information for personal or commercial gain.
- Do not leave working papers lying around the office or leave confidential items exposed in in-trays; remove documents from photocopiers and fax machines as soon as possible after use; always lock your screen when you leave your desk.
The common law duty of confidentiality is not a written Act, but it still stands in a court of law. It is based on case law: "Personal information shared in confidence should not be used or disclosed further without the consent of the individual or another legitimate reason to do so."

Notes: As mentioned earlier, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges, hence also called 'judge-made' or case law. Read the slide. We all have an expected duty of confidence in the NHS; we can come into contact with highly sensitive information; consent is required to share unless an exemption applies under the DPA (e.g. the public interest). This leads us on to Caldicott. Seek advice from your SIRO or Caldicott Guardian.

19 How to Comply: Caldicott
Dame Fiona Caldicott was commissioned by the Chief Medical Officer for England in 1997, owing to increasing concern about the ways in which patient information was being used in the NHS and the need to ensure that confidentiality was not undermined. Six good-practice information sharing principles were published as a result of the review. In 2013 Dame Fiona published a follow-up report (the Caldicott 2 review) which introduced a seventh principle focusing on the duty to share information, which can be just as important as the duty to protect patient confidentiality. In her new role as National Data Guardian, she published the Review of Data Security, Consent and Opt-Outs in July 2016. Because of the need for strong leadership in data security, the review introduces three leadership obligations and ten data security standards.
The 7 Caldicott Principles:
1. Justify the purpose
2. Don't use identifiable information unless it is necessary
3. Use the minimum necessary
4. Access should be on a strict need-to-know basis
5. Everyone with access to PID should be aware of their responsibilities
6. Understand and comply with the law
7. The duty to share information can be as important as the duty to protect confidentiality
The 3 Leadership Obligations:
- People: ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
- Process: ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
- Technology: ensure technology is secure and up to date.
The 10 Data Security Standards:
1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
2. All staff understand their responsibilities under the National Data Guardian's Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
3. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit.
4. Personal confidential data is only accessible to staff who need it for their current role, and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
5. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
6. Cyber-attacks against services are identified and resisted, and CareCERT security advice is responded to. Action is taken immediately following a data breach or near miss, with a report made to senior management within 12 hours of detection.
7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested at least once a year, with a report to senior management.
8. No unsupported operating systems, software or internet browsers are used within the IT estate.
9. A strategy is in place for protecting IT systems from cyber threats, based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and for meeting the National Data Guardian's Data Security Standards.

20 Records Management
The NHS has two categories of records, which can be held in paper (manual) or electronic form:
- Health records: patient health records (for all specialties, including private patients, x-ray and imaging reports etc.)
- Corporate records: administrative records (e.g. personnel, financial, and notes associated with complaints)
Both categories of records must be complete, accurate, relevant, accessible and timely.

Notes: The NHS Records Management Code of Practice (Parts 1 and 2) has been reviewed and updated by the Information Governance Alliance on behalf of the Department of Health. It provides best-practice guidance on the retention and disposal of information. If records are not kept appropriately this can delay clinical care and responses to requests under the Freedom of Information Act. Information must be readily available in an accurate and complete form so that delays are avoided. The NHS Records Management Code of Practice, the Freedom of Information Act, the Data Protection Act, the Public Records Act and the relevant CCG policies, such as the Access to Information Policy and the Information Lifecycle Management Policy, are documents that help us all hold and process information appropriately.

21 Records Lifecycle & what makes a good quality record
Records Lifecycle:
Creation - Create & log quality information
Using - Process in accordance with legal & policy requirements
Close Record
Retention - Keep/maintain in line with the NHS recommended Retention Schedule
Appraisal - Determine whether records are worthy of permanent archival preservation
Disposal - Dispose appropriately according to policy
Record Quality Information
You should always ensure that you record quality information; keep all types of information:
Accurate
Up to date
Complete
Quick and easy to find (ensure your filing systems are easy to use)
Free from duplication
Free from fragmentation (stored together rather than in individual files)
Secure and only accessible to those authorised to access it
A record's life begins when it is created/obtained- this should be done using good quality and accurate information.
The second step of the information lifecycle is using the record, also known as processing/handling- this should be done in accordance with legal and policy responsibilities.
Once the record has been closed, it needs to be retained- this should be done in accordance with the suggested retention periods set out in the Records Management Code of Practice.
At the end of the retention period the record should be appraised- this determines whether records need to be kept for longer- you must be able to provide valid reasons for keeping the information for longer.
Finally, once it has been determined the record is no longer needed it can be disposed of- this must be done in a secure method appropriate to the record type- paper cross cut shredded, pulped or incinerated; hardware destroyed and disposed of by IT.

22 The public has the right to know!
Provides public access to all types of corporate information
FOI requests must be in writing
No need to quote FOI
Send requests to the IG department
Respond within 20 working days
Exemptions for non-disclosure (PID, commercially sensitive etc)
Penalties for non-compliance
Freedom of Information Act 2000
The FOIA came into force at the beginning of 2005 and gives individuals or organisations rights of access to information held by public bodies. The Act also places an obligation on public authorities to proactively publish information within a publication scheme. The Act covers all recorded information held by a public authority. It is not limited to official documents and it covers, for example, drafts, emails, notes, recordings of telephone conversations and CCTV recordings. Nor is it limited to information you create, so it also covers, for example, letters you receive from members of the public, although there may be a good reason not to release them.

23 Examples FOI Requests Good use of FOI Act
Cancer drug "postcode lottery" - A postcode lottery in cancer care was revealed yesterday in returns under the Freedom of Information Act showing where in England patients are most likely to be refused innovative drugs that could extend their lives.
MP Expenses - The Commons authorities had long resisted attempts to reveal the details but were ordered to publish by the High Court, under the Freedom of Information Act.
Questionable, yet valid, use of FOI Act:
How many drawing pins are in the building and what percentage are currently stuck in a pin board?
How many holes in privacy walls between toilet cubicles have been found in public lavatories and within the CCG building?
How much money has been paid to exorcists over the past 12 months?
Read slide

24 Access Requests
Subject Access Requests – The DPA provides a right to request access to information about you. Requests must be made in writing and dealt with within 20 working days.
Access to Health Records Act – Covers records of the deceased. The executor of the estate or anyone who has a claim arising from the death of the individual can apply to access the medical records.
Section 29 Request of Data Protection Act – Information can be disclosed to relevant authorities for: detection and prevention of serious crime/fraud, preventing serious risk of harm to individuals, or when it is in the public interest. The decision of whether to disclose has to be weighed up against the duty of confidentiality owed to the individual and the seriousness of the alleged crime committed/risk of harm to the individual or public.
There are several other requests to access information that you could receive and need to be able to identify, to ensure they are passed to the correct person. Read slide.
What to do if you receive a request:
FOI- Do not attempt to supply the information yourself; refer the request to Iain (FOI mailboxes for each CCG). Iain will contact the relevant people/teams within the CCG to source the information and once collated he will respond to the request.
SAR- As above.
AHRA- Direct to GP practice or NHS England.
Section 29- Never supply information to the Police/Social workers etc- refer them to Iain. The police know the procedures to request information (in writing, section 29 request) so should not even be asking you for information. They may try to put pressure on you to release.
Remember when sending emails, writing notes, letters, updating systems, minuting meetings etc that they are disclosable under a SAR or FOI request.
Explain public interest- for a murder we can disclose, but even then they need strong evidence that the suspect was involved; stealing off the neighbour is not sufficient to breach confidentiality.
Version 0.3

25 Type of Request and Your Decision?
Sarah-Jane contacts the HR department to request a copy of her personnel records; she doesn't give them a reason for wanting them.
Simpsons Solicitors are acting on behalf of Mrs Butcher in her negligence claim arising from the death of her husband; they write to request a copy of Mr Butcher's medical records for the period he was treated by the hospital (with Mrs Butcher's consent).
The Echo newspaper wish to know how much the organisation has spent on company cars in the past year.
Split into groups again, read the statements and decide 1) what type of request it is and 2) if you were deciding whether to release the information or not, would you? 5 minutes. Go through answers as a group.

26 Essex Police request the last known address for a suspect they believe was involved in an antisocial behaviour incident whereby a car wing mirror was damaged.
PC Taylor hand delivers a signed request for access to a patient's records. The patient is a suspect in a manslaughter investigation.
Joe Bloggs submits a request asking for a list of full names of all the administrators employed by the CCG, together with details of how much they are paid.

27 Break 15 mins

28 Information Security Physical Electronic People
Examples of current security measures used in the NHS (from the slide):
Physical: Lockable storage, CCTV/Alarms, Secure door entry, Limited/restricted access
Electronic: Encryption, Passwords, Secure drives, NHSmail, Secure networks, Encrypted devices, Passphrases
People: Education & training, Vetting/background checks, Policies and procedures
Information Security is made up of three aspects which all link together. Read slide. Some examples in the yellow box of current security measures we use in the NHS- explain all, especially encryption and passphrases. Version 0.3

29 However, Incidents Happen…
The NHS reports the most data related incidents to the Information Commissioner's Office (ICO) in the UK. This is not necessarily a bad thing; it simply means that there are more robust procedures for incident reporting and the NHS is more transparent than some other organisations. However, we cannot mitigate against all information incidents; incidents and near misses do happen. We are responsible for logging and investigating all information incidents and near misses. This is done via the IG Toolkit: incidents are scored and given a level based on a set of criteria, and any level 2 incidents must be reported to the ICO. Of course other organisations and individuals are also able to report us to the ICO if they become aware of any breaches. Read slide and graph. 'Other principle 7 failures' are security incidents that cannot be categorised as one of the other types. Examples include failure to password protect emails containing personal information and processing personal data relating to work on a non-business computer. The largest fine issued by the ICO to an NHS organisation for breach of the DPA is £325,000. Data taken from 2015/16, ICO.

30 What constitutes an Incident?
Emails containing PID sent to an incorrect recipient or unsecure mailbox (without password protection)
Loss or theft of paperwork/devices (especially if unencrypted)
Insecure website (inc. hacking)
Inappropriate verbal disclosure
Sharing of passwords/unauthorised access
Insecure disposal of paperwork
Failure to redact
Sharing without consent (in certain circumstances)
Data posted or faxed to incorrect recipient
Sharing more information than is necessary for the purpose, or using information for another purpose without consent
PID being left on printer/photocopier or in public areas
And so on……
The slide provides a list of just some examples of what we would class as an IG incident. To give some further examples, recent incidents and near misses reported include:
A member of staff opening another staff member's payslip in error
A blank template form was saved over with PID in it, allowing others who had access to the form to view information they were not entitled to see
Invoices containing PID from CCG suppliers submitted to SBS and copies sent to the CCG (not entitled to that information)
Lockable shredding box full, so someone attached a Royal Mail post sack to the shredding box and filled it with confidential waste to be shredded

31 Manager to inform IG Champion within 24 hours
Incident Reporting
All staff have responsibilities to identify and report any IG incidents, including near misses, immediately to their IAOs, line managers and the IG Champion. Incidents and near misses give us the opportunity to learn and better our working processes for the future.
Inform a manager ASAP
Manager to inform IG Champion within 24 hours
Once the IG Team have been made aware of the incident, it will be logged and an initial investigation to determine the facts will be conducted. Dependent on the severity of the incident the IG team will report the incident via the NHS Digital IG Toolkit incident reporting tool; the incident may then be reported to your organisation's SIRO/CG/Service Manager or IAO. Serious Incidents will be reported by the IG lead to the ICO, DoH, NHS Digital, NHS England and professional and regulatory bodies as appropriate. An incident response plan will be developed by the IG team. We may require staff to undertake additional training, there may be new procedures introduced or technological remedies put in place in order to prevent the risk of recurrence of the incident.

32 Industrial Competitors & Foreign Intelligence Services Hackers
Cyber Security
Cyber Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide.
Many types of people/groups pose a risk to business information assets:
Cyber Criminals
Industrial Competitors & Foreign Intelligence Services
Hackers
Hacktivists
Employees
Another type of security incident on the rise relates to 'Cyber Security'. Read slide.
Cyber Criminals- interested in making money through fraud or from the sale of valuable information
Industrial Competitors & Foreign Intelligence Services- interested in gaining an economic advantage for their own companies or countries
Hackers- who find interfering with computer systems an enjoyable challenge (linked to Cyber Criminals where they hack to make a gain)
Hacktivists- who wish to attack companies for political and ideological motives- usually to expose the weaknesses in organisations' security
Employees- or those with legitimate access- either by accident or deliberate misuse (again link to cyber criminals)

33 Cyber Threats
Malware: Viruses, Worms, Spyware/Adware, Trojans, DDOS (Distributed Denial of Service), Ransomware
Attack Vectors: Phishing, Pharming, Drive by, MITM, Social Engineering
Malware means malicious software.
Viruses- a small piece of software that can replicate itself and spread from one computer to another by attaching itself to another computer file
Worms- self replicating and do not require a program to attach themselves to. Worms continually look for vulnerabilities and report back to the worm author when weaknesses are discovered
Spyware/Adware- by opening attachments, clicking on links or downloading infected software, spyware/adware is installed on your computer
Trojans- a software program appears to perform one function (e.g. virus removal) but actually acts as something else
DDOS- Distributed Denial of Service- bombarding a server with emails to take the server down, affecting operations because of the increased traffic- example: NHS test email sent to 1.2 million users in error
Attack Vectors- these allow cyber criminals to infect computers with malware or to harvest stolen data
Phishing- an attempt to acquire users' information by masquerading as a legitimate entity (spoof emails and websites)
Pharming- an attack to redirect a website's traffic to a different fake website where the individual's information is then compromised
Drive by- opportunistic attacks against specific weaknesses within a system
MITM- Man in the middle attack- where a middleman impersonates each endpoint and is thus able to manipulate both victims
Social Engineering- exploiting the weakness of an individual by making them click malicious links or by physically gaining access to a computer through deception- pharming and phishing are examples of this
Ransomware- a type of malicious software designed to block access to a computer system until a sum of money is paid

34 Some Impersonations are easy to spot…
Phishing
…But can you spot a Phish?
Delete spam immediately without opening it
Be cautious when clicking on unknown links
Never send your password or personal information in response to an email
Learn how to recognise email and internet scams
Phishing and Ransomware are two common rising threats to cyber security.
Examples of Phishing:
- Email addressed to you from someone you do not know asking for help- usually financial (requesting your bank details)
- Email which looks like it's come from your bank, PayPal, Apple or a shop you have an account with, requesting you to log in to view your account or resolve an issue (encouraging you to click on a link or enter your log in credentials)
- Email stating you have won something (encouraging you to click a link or enter your personal details in order to claim your prize)
- Link on the internet when you are trying to view something else- 'you've won'- anywhere you click on the pop up will redirect you to their page and request personal info
- Emails with attachments- open the attachment which contains a virus
Just recently I was sent a suspicious email- luckily I noticed something wasn't quite right before opening it. I had contacted a supplier in relation to an invoice- there was no need for them to respond to my email. I received an email from someone who worked at this particular supplier- I had never dealt with this person before- their email was addressed to me personally and the subject was very similar to my recent emails; the grammar and English in the body of the email was very poor, which rang alarm bells. The email contained a pdf attachment (also relating to the discussions I'd had with this guy's colleagues in the past)- I decided to email my usual contact at the supplier to ask if this guy was known and if his email to me was genuine- the sender turned out to be the Manager of the supplier and it transpired his account had been hacked the week before!
This was investigated by a Cyber Security trained engineer who advised that the pdf attachment contained a malicious link! If I had clicked on it I would almost certainly have put my computer and possibly the whole network at risk. This has been reported and investigated by IT.

35 Spam/phishing emails- delete
Emails containing links etc that you have clicked- inform IT immediately
Ransomware- inform IT immediately and disconnect your network cable
Anything else raising suspicions- contact IT
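The warning signs listed on the phishing slide and the "what to do" steps above can be turned into a simple triage routine. The Python below is an added example written for this page; it is not a tool used by the CCGs or NHS Digital, and the sender domains, contact addresses and three sample messages in it are constructed for illustration. Each check corresponds to one sign from the slides: an unfamiliar or lookalike sender domain, a display name showing a different address from the real sender, a request to log in or hand over credentials, urgency or prize bait, and unexpected links or attachments. The third sample reproduces the situation in the anecdote above (a genuine supplier domain, an unknown individual, a clean-looking PDF), where the only signal is "first email from this address", and the right action is to confirm with a known contact rather than open the attachment.

```python
"""Phishing triage heuristics run over constructed sample emails (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed: domains and individual addresses this team routinely deals with.
KNOWN_SENDER_DOMAINS = {"nhs.net", "example-supplier.co.uk"}
KNOWN_CONTACTS = {"accounts@example-supplier.co.uk"}

CREDENTIAL_WORDS = ("password", "log in", "login", "verify your account",
                    "bank details", "account suspended")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "final notice",
                 "you have won")
# Attachment types that can run code or carry a script. A PDF from a known
# domain is not flagged on its own; that is the gap the anecdote describes.
RISKY_EXTENSIONS = {"exe", "js", "scr", "zip", "docm", "xlsm", "html", "htm"}


@dataclass
class Email:
    display_name: str
    address: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)
    links: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain within one edit of a known domain, but not equal to it."""
    return any(domain != k and edit_distance(domain, k) <= 1
               for k in KNOWN_SENDER_DOMAINS)


def _host(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def phishing_indicators(mail: Email) -> List[str]:
    """Return the warning signs present in the message, one string per sign."""
    hits = []
    domain = mail.address.rsplit("@", 1)[-1].lower()
    if domain not in KNOWN_SENDER_DOMAINS:
        hits.append("sender domain is not one we normally deal with")
    if is_lookalike(domain):
        hits.append("sender domain looks like a known domain but is not")
    if mail.address.lower() not in KNOWN_CONTACTS:
        hits.append("first email from this address")
    shown = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", mail.display_name)
    if shown and shown.group(1).lower() != domain:
        hits.append("display name shows a different address from the real sender")
    text = f"{mail.subject} {mail.body}".lower()
    if any(w in text for w in CREDENTIAL_WORDS):
        hits.append("asks you to log in, or for a password or bank details")
    if any(w in text for w in URGENCY_WORDS):
        hits.append("uses urgency or a prize to push you into acting")
    for name in mail.attachments:
        ext = name.lower().rsplit(".", 1)[-1]
        if ext in RISKY_EXTENSIONS or domain not in KNOWN_SENDER_DOMAINS:
            hits.append(f"unexpected attachment: {name}")
    for url in mail.links:
        host = _host(url)
        if host not in KNOWN_SENDER_DOMAINS and not any(
                host.endswith("." + k) for k in KNOWN_SENDER_DOMAINS):
            hits.append(f"link goes to an unfamiliar site: {host}")
    return hits


def triage(mail: Email) -> str:
    """Map the number of indicators onto the actions the slides recommend."""
    n = len(phishing_indicators(mail))
    if n == 0:
        return "no indicators found"
    if n == 1:
        return "verify with a known contact before opening"
    return "do not open links or attachments; report to IT"


# Constructed sample messages.
GENUINE = Email("Accounts Team", "accounts@example-supplier.co.uk",
                "Re: invoice 1234 query",
                "Thanks for your query; the corrected invoice is attached.",
                attachments=["invoice-1234.pdf"])
PHISH = Email("Payroll Team <payroll@nhs.net>", "payroll@nh5.net",
              "Urgent: verify your account",
              "Your payslip is on hold. Log in within 24 hours to verify your account.",
              links=["http://nhs-payslips.example/login"])
# Genuine domain, unknown individual, plain PDF: the compromised-account case.
COMPROMISED = Email("M Manager", "m.manager@example-supplier.co.uk",
                    "invoice document",
                    "Please to see attach document regarding invoice we discuss.",
                    attachments=["invoice-update.pdf"])

if __name__ == "__main__":
    for label, mail in (("genuine", GENUINE), ("phish", PHISH), ("compromised", COMPROMISED)):
        print(f"{label}: {triage(mail)}")
        for hit in phishing_indicators(mail):
            print("  -", hit)
```

Running the block prints no indicators for the genuine message, seven for the spoofed payroll message, and a single "first email from this address" for the compromised-account message. That last result is the point: wording checks cannot tell a hacked genuine account from a real one, so a message that passes every other test still deserves a phone call or a separate email to a contact you already know before the attachment is opened.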

36 Ransomware
This is an example of Ransomware- upon logging into your computer you will see a message similar to the one above. Ransomware typically prevents you from accessing any of your files (documents, photos, databases etc); you will be notified that your files have been encrypted and will be held for a certain amount of time or until you pay the ransom. The ransom amount will often be in bitcoins rather than in money- bitcoins can be purchased on the internet. It is a form of digital currency, created and held electronically; no one controls it. The Bitcoin payment system does have legitimate uses, however it has been exploited by cybercriminals seeking new ways to extort money- it is a popular choice among cyber criminals as it is secure and often untraceable.

37 To round up…

38 Your Responsibilities
Information Governance is the responsibility of every one of us, so keep up the good work and aim to be 100% compliant.
Follow organisation policies
Comply with the law
Protect information physically
Practise good password management
Transfer information securely
Report breaches of security to management
To summarise: policies are there to protect you as well as the information you are working with; if you familiarise yourself with the policies and comply with them you are unlikely to be involved in a breach, be investigated/fined by the ICO, face disciplinary action or criminal prosecution.
Physically protect information- clear desk, lock information away, lock your computer screen, lock away equipment, collect printing promptly.
Password management- don't write them down- use a hint instead; don't make them obvious; don't share them; change them regularly; use a strong password. Suggest a passphrase: My dogs name is Ruby she is 9 – MdniRsi9
Transfer securely- NHS.net to NHS.net, password protected (password in a separate email), shared drive- restricted folder if possible, encrypted memory device, safe-haven fax, car boot/indoors.
Incidents and near misses- report promptly; lessons learnt lead to improved working.
Version 0.3

39 How to Comply: Policies & Procedures
IG Framework
IG Policy
Confidentiality & Data Protection Act Policy
Information Sharing Policy
Safe Haven Policy
Information Lifecycle Management Policy
Information Risk Policy
Forensic Readiness Policy
Privacy Impact Assessment Policy
Access to Information Policy
Acceptable use of Electronic Devices and Communications Policy
Information and Cyber Security Policy
So we've looked at the Acts, legislation, best practice and codes; we have IG Policies and Procedures in place which take all of that legislation and make it relevant to your organisation's circumstances. Above are the current IG Policies and Procedures in place for your CCG. It is the responsibility of all staff 1) to be aware that they exist and how to access them, and 2) to understand your responsibilities set out in them. The CCG is required to demonstrate that points 1 and 2 are met by each and every staff member for their IG Toolkit (and if there was ever a serious incident); this is why you are asked to sign the IG Resource Guide declaration form. The IG Resource Guide summarises IG legislation and key IG Policies and should be issued to all staff when they start. Also this training is proof that you have been informed of your responsibilities. Version 0.3

40 IG Awareness IG Resource Guide IG Intranet Section E-learning
IG Newsletters
IG Posters
Training Presentations
You can keep up to date with everything covered in this presentation and more in a variety of ways:
Intranet/Shared drive (links to policies and procedures, the IG Resource Guide which summarises law, codes of practice and policies, links to online training, newsletters, posters and other materials we have sent out; an update on the GDPR to come soon)
IG Posters sent to all CCG IG Champions to display
IG Newsletters (bringing to your attention current news and hot topics including local and national breaches, news stories, updates on the GDPR and key projects, and dates when the IG team will be at your CCG)
IG Resource Guide (as mentioned above)
IG Training- this is the basic presentation providing an overview; the IG Training Tool provides a short refresher module as well as several other modules focusing on other IG subjects such as information sharing, security, risk and so on. We also have specialist presentations focused on incidents, asset owners etc.

41 Getting it Right!!!
Only access staff, patient or service user's information if you have their consent or a legal basis to do so
Always keep confidential papers locked away when not in use, and keep electronic information safe by saving it in secure restricted drives/folders and locking your screen when you leave your desk
Follow the organisation's IG policies, procedures and guidance

42 Getting it Wrong!!!
Posting confidential information about staff, patients or service users on social networks
Holding confidential conversations where you may be overheard in a public place
Not wearing your identity badge at all times

43 QUESTIONS?? Any questions?
Quiz & Feedback Form- complete, hand in, then you can leave

