1. A Strategic Information Governance Approach
Health Identifiers
A Strategic Information Governance Approach

2. Health Identifiers: The Strategic Information Governance Perspective
Health Identifiers: The Strategic Information Governance Perspective. Issues, Implications, and Opportunities?
Information Governance in the Irish Healthcare Sector: An overview
HIQA public consultation process: Key Themes, Messages, and Requirements
The Health Identifiers Act: Data Driven or Data Drudgery? Key legal and process requirements.
Putting Health Identifiers Information Governance in a Strategic context: One diagram to draw
Opportunities and Risks

3. The Legal Background: Legislative Framework
Health Identifiers Act 2014
Legislation for the creation and governance of health identifiers for individuals and health services providers.
Part 2, Section 8 of the Health Act 2007
HIQA is responsible for setting standards for all aspects of health information and monitoring compliance with those standards
Data Protection Acts 1988 and 2003,
“Health Identifiers Operator” is a Data Controller and must follow the 8 rules of Data Protection

4. The Health Identifiers Act 2014

5. Not an Easy Act to Read…
Why a Child of 5 could understand this
(fetch me a 5 year old child)
In this Act, a Signature is an “other identifying particular” for an individual, unless it is a signature which falls within a class of signatures to which this paragraph does not apply

6. Section 13 – Electronic Commerce Act 2000
Not an Easy Act to Read…
13.—(1) If by law or otherwise the signature of a person or public body is required (whether the requirement is in the form of an obligation or consequences flow from there being no signature) or permitted, then, subject to subsection (2), an electronic signature may be used.
(2) An electronic signature may be used as provided in subsection (1) only—
(a) where the signature is required or permitted to be given to a public body or to a person acting on behalf of a public body and the public body consents to the use of an electronic signature but requires that it be in accordance with particular information technology and procedural requirements (including that it be an advanced electronic signature, that it be based on a qualified certificate, that it be issued by an accredited certification service provider or that it be created by a secure signature creation device)— if the public body’s requirements have been met and those requirements have been made public and are objective, transparent, proportionate and non-discriminatory, and
(b) where the signature is required or permitted to be given to a person who is neither a public body nor acting on behalf of a public body— if the person to whom the signature is required or permitted to be given consents to the use of an electronic signature
Section 13 – Electronic Commerce Act 2000
Might the Registers need to hold PGP keys as digital signatures for patients/providers?

7. Section 13 – A “Baked in” Data Quality Risk
Section 13(4) requires that an identifier be assigned to certain classes of health care provider that indicates that class of health practitioner the provider falls in..
This is “courageous”.
It is not good practice in data modelling, and will lead to data quality issues.

8. Data Protection Law The 8 Principles of Data Protection
Personal Data must be obtained and processed fairly;
1. Fair Obtaining
It must be obtained only for one or more specified, explicit and legitimate purposes;
2. Purpose Specification
It must not be further processed in a manner incompatible with that specified purpose or purposes
3. Purpose Limitation
It must be stored safely and securely
4. Security
It must be accurate, complete and up to date
5. Accuracy
It must be adequate for the purpose, relevant and not excessive
6. Adequacy
It should not be kept longer than is necessary for the specified purpose or purposes.
7. Retention
Data Subjects have right of access.
8. Access
Castlebridge Associates | Invent Centre | Dublin City University, Dublin 9 |

9. “Voice of the Customer”
Prior Consultation
Guidance notes and advice
Case Studies
Media comments

10. Other Relevant Legislation pending:?
EU Data Protection Regulation
Legal Recognition of Gender Bill
Data Governance and Sharing Bill

11. We await final standards from the consultation process
INFORMATION GOVERNANCE & MANAGEMENT STANDARDS FOR HEALTH IDENTIFIERS: THE HIQA CONSULTATION
We await final standards from the consultation process

12. National Standards from HIQA: 5 Main Themes for Standards
Theme 1: Person-centred Support
Theme 2: Leadership, Governance and Management
Theme 3: Use of Information
Theme 4: Use of Resources
Theme 5: Workforce

13. Theme 1
Theme 3
Theme 2
Theme 4
Theme 5

14. We await final standards from the consultation process
HIQA expectations
We await final standards from the consultation process

15. Key Points for Health Information Governance Structures:
Quality of Information
Communication
The service user and health care provider/practitioner must be kept front and centre in the planning and execution of the Registers.
Effective governance training and skills.
Privacy of data is a key quality characteristic.
Privacy Impact Assessments will need to be ongoing.
Everything should be evidence based, with clear auditability of controls

16. A Strategic Data Governance Approach
A Person-Centred focus on Outcomes

17. Patient Outcome Focus: The 11 Box model
Business
Strategy & Governance
Information
Strategy & Governance IT
Strategy & Governance
Strategic
Business Architecture
& Planning
Information Architecture
& Planning
IT Architecture& Planning
Tactical
Management & Execution Business Processes
Management & Usage Information Services
Management &
Exploitation
IT Services
Operational
Customer
Process Outcome
Information Outcome

18. Information Stewardship and Communication
The D3C Model™ © 2013 Castlebridge Associates
Information Stewardship and Communication
Roles are defined in context of relationship to data at a level in the organisation, not traditional “Business” and “IT” role types
Strategic
Doers 
Definers
Deciders
Co-ordinators
Tactical
The generic Governance roles can exist at different levels in the organisation.
Strategic: this is Senior management level, Business Unit Directors and Heads of Function.
Defining: At this level the focus is on the high level defining of the Information strategy and mission critical policies and procedures to do with information management.
Deciding: The Strategic level is where key decisions are taken about data, business rules, acceptability of information risks, etc. that cannot be resolved at the “Tactical” level. Decisions relating to changes in strategy, organisation models, etc. would be taken at this level.
Co-ordinating: the Strategic level of Information Stewardship ensures that other Governance frameworks in the organisation (e.g. Project Management models, Risk Management, Software Development life cycles, Procurement etc. ) Where changes to Information Governance are required, they will cascade from here, and likewise, where Information Governance requires changes to other frameworks to address an issue or weakness the need for the change will be communicated across the organisation from this level.
Tactical: This is the “day to day” line management of the organisation. As such all of the “generic” roles can be found here to a greater or lesser degree.
Doing: The “day to day” management of the business requires reports to be generated, data logged, or data analysed. This may be done by line managers or team leaders.
Defining: Line managers working as part of the “Information Strategy and Governance Working Group” are directly involved in the process of defining things – whether processes, data definitions, business rules etc. Often they co-ordinate the definition activity, with “Operational” level “definers” and “doers” contributing to the process.
Deciding: Line management are the first real layer of decision making. Whether it is in the form of decisions being taken in the Information Strategy & Governance Working Group or the decisions they take day to day based on information that is provided to them, they are responsible for ensuring that correct procedures and policies are followed and may be accountable for the outcomes of their decisions.
Co-ordinating: The line management function is key to ensuring effective co-ordination of Information Governance activities. Whether it is ensuring that updated policies, processes, and procedures are communicated to their direct reports, or ensuring that they ensure engagement with other stakeholders on the definition and operation of new processes, policies, or the design of new products or services, or assessing the impact of changes to reference data on other areas of the organisation, the “Tactical” co-ordinator plays a key role in ensuring that the right things are done at the right time in the right way .
Operational: The “Operational” level is the front-line of the organisation. At this level, we would expect to see stewards engaged in “Doing”, “Defining”, and “Co- ordinating” roles. “Deciding” actions are less likely unless explicitly delegated down by “Tactical” managers as part of a project or other initiative.
Doing: Operational level staff input data, extract data, generate reports, record issues, or they develop the technology solutions and methods that allow this processing to happen. They are the “front-line” of data creation and application. In this context they have direct experience of issues, problems, common short cuts, or common areas of misunderstanding about data.
Defining: Operational stewards are involved in defining data, processes, work arounds etc. in a variety of contexts. It may be the product propositions developer who defines a new process and new uses for data, or new values for reference data, as part of the roll out of a new product or service. Or it could be the call centre agent who gets involved in defining an improved work flow for selling to or serving the customer, or a Retail store staff member who defines a new way of capturing key information from customers at the point of sale.
Co-ordinating: Operational level stewards co-ordinate the feedback of issues and opportunities for improvement up the organisation. They also co- ordinate the communication of changes and updates to policies and procedures around the organisation. Crucially they play a key role in helping to co-ordinate responses to issues that might arise in a “crisis” context. In this way they are the “fire marshals” for Information in the organisation.
Operational

19. INFORMATION QUALITY AND OUTCOME RISKS

20. Implementation Lessons that Can be Learned:
The Primary Online Database

21. Lessons Learned:
Identify and engage with the correct stakeholders.
Put the person at the centre.
Ensure clear basis for processing of currently proposed and future data.
Engage with concerns; don’t dismiss them. Privacy Impact Assessments!

22. Castlebridge Associates
Thank you
Katherine O’Keefe
Changing how people think about information
Castlebridge Associates
Data Governance Strategy
Consulting
In-house training
Coaching
Privacy Impact Assessments