Transcript Document
Information Governance Recent Headlines What is a breach of confidentiality? Confidentiality Breaches • Accessing records you have no legitimate reason to see, for example your own, your relatives and friends health records, even with their consent (unless it is within your job role to deal with such requests) • Displaying or leaving records open, unattended or insecure • Giving out information over the telephone, by fax or email to inappropriate people • Holding conversations about individuals where others are likely to overhear Reporting and Accountability The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals The Information Commissioner governs the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000. The ICO has the power to serve monetary penalties of up to £500,000 on data controllers (such as Barts Health) Potential Penalties • Penalty fines issued for: Brighton and Sussex University Hospitals NHS Trust: 10,000s of highly sensitive personal patients and staff found on hard drives bought off the Internet in Autumn 2010 - £325,000 Belfast Health and Social Care Trust: serious breach of 1000s of patients’ and staff sensitive personal data being compromised. Failure to report the incident to the ICO £225,000 Stockport Primary Care Trust: new purchaser found 1000 highly sensitive records regarding 200 patients left in decommissioned NHS building - £100,000 • Deliberate actions – staff disciplined • Loss of patient trust and public confidence Information Governance Incident and Risk Reporting • Please immediately report Information Governance incidents to your Line Manager/senior person on duty and the Information Governance Team, and enter the incident on Datix. • If you identify an Information Governance risk please discuss this with your Line Manager and risk assess if appropriate. Senior Information Risk Owner (SIRO) Barts Health NHS Trust SIRO: Ian Walker, Director of Corporate Affairs and Trust Secretary • Oversees all aspects of Information Governance, promoting a culture that fosters good values in protecting and using information • Reviews and agrees action plans in respect of identified information risks • Ensures that the Trust’s approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff • Provides a focal point for the resolution and/or discussion of information risk issues • Ensures the Board is adequately briefed on information risk issues Caldicott Confidentiality Guidelines 1. 2. 3. 4. 5. 6. 7. Justify the purpose of Only use it when absolutely necessary Use the minimum required Allow access only on a strict need-to-know basis Understand your responsibility Understand and comply with the law The duty to share may be as important as the duty to protect confidentiality (NEW) Caldicott Guardian and Confidentiality Barts Health NHS Trust Caldicott Guardian: Dr Steve Ryan, Medical Director • Responsible for protecting the confidentiality of patient and service user information • Enabling appropriate information sharing • Ensuring high standards when handling patient identifiable information Data Protection Act 1998 Legal obligations • Inform people how we use information • Comply with individuals rights – Subject Access • How data is used and shared Practical obligations • Accurate • Up to date • Not kept longer than necessary • Keep secure Data Protection Act 1998 “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes” What is your justification or reason for using personal data? Where are you getting the data from? Have you sought informed consent? Freedom of Information Act 2000 Freedom of Information (FoI) requests: • Can be made to any member of staff; all staff have a legal duty to assist individuals to obtain information • Can require the release of emails • Do not need to refer to or mention the FoI Act • Must be made in writing giving a name and address The Trust must respond within 20 working days If you receive an FoI request, please immediately contact the FOI Coordinator Information Security Issues Data disclosed to the wrong people Check entitlement and identity. If unsure, neither confirm or deny and take callers contact details Staff accessing data about their relatives, colleagues or friends There must be a work-related justification Data/files/equipment not disposed of correctly Follow the Records Retention and Disposal Policy Information Governance spot checks ICT Related Information Security Issues Unauthorised access to confidential data Lock unattended computers and keep passwords private Personal Identifiable Data (PID) discovered on personal devices (home PC or mobile phone) Only use Trust encrypted laptops, VPN or USB drives for opening or storing patient data Risks of Transferring Information Loss of data/files/equipment while travelling between sites Keep information on your person within a marked envelope in inconspicuous and secure bag Transport information by secure email, courier, Safe Haven FAX, post or internal mail Emails/faxed documents sent to the wrong place Send securely, minimise, password protect, encrypt and check recipient details. Use email rather than fax and Secure File Transfer Records Management Ensure that records are: Clearly titled and given logical names Stored in secure structured manual or electronic central filing systems Secured and easy to locate (tracked) The Trust’s Records Retention and Disposal Policy provides record management guidance and states the length of time records must be kept. The Corporate Records Team can advise on general record management issues. The Trust’s Corporate Records Centre provides storage for some types of corporate/administrative records. Further Information • Information Governance Code of Conduct • Information Governance Email Guidance • Barts Health Intranet Sites: • Information Governance • Records Management • Freedom of Information Act Your Information Governance Team Information Governance Corporate Records Matthew Hall Daniel Scott-Davies Information Governance Manager Corporate Records Manager Martyn Steers Laura Hynds Deputy Information Governance Manager Assistant Corporate Records Manager James Cook Pam Wood Information Governance Officer Freedom of Information Coordinator