Transcript INTRODUCTION - NHS eLearning Repository

How to Find Your Way Around…
EXAMPLE COURSE
1. You can play the PowerPoint, and find
the Test here
EXAMPLE COURSE
2. You can minimise this column and make
the main page bigger by clicking this icon.
Click it again to bring it back.
3. Always click this ‘Home’ icon to
save your progress and log off.
EXAMPLE COURSE
This is very important!
4. To progress through the slides please
left click on your mouse
INTRODUCTION
Information Governance, Data Protection Act,
Freedom Of Information Act & Records
Management Training
Information Governance
COURSE OBJECTIVES
On completion of the Information Governance
module, you will understand:
•
•
•
•
•
•
•
Duty of Confidentiality
Data Handling & Security
Best Practice Guidelines
Information Governance Toolkit
Confidential/sensitive/corporate Information
Information Sharing & Privacy Impact
Assessments
Consent
Information Governance is the framework
structures and processes that ensure the
security, confidentiality and integrity of the
Trust’s data information about it’s patients
and employees, in particular personal
sensitive and corporate information.
It allows the Trust and individuals to:
• Ensure that personal information is dealt
with legally, securely, efficiently and
effectively
• Provides a framework to bring together all
requirements, standards and best practices
that apply to the handling of all information
• Focus on settling standards and giving the
Trust tools to achieve them
• To be consistent in the way we handle
personal/corporate information
• Lead improvements in information
handling, patient / public confidence in the
Trust and employee training and
development
Duty Of Confidentiality…
Is the responsibility of every employee
All employees of the Trust who record, handle, store or otherwise come across
information, have a common law duty of confidence to patients and staff. We need
to remember:
• Keep personal information private.
• Ensure confidential information is not unlawfully or inappropriately accessed.
• Any confidentiality breaches need to be reported to your line manger and Information
Governance.
• Before disclosing information ensure you know who you are communicating with.
• Comply with policies and procedures.
• Do not leave manual records unattended.
• Dispose of confidential information in the appropriate manner.
• Ensure confidential information is held, stored and transported securely.
Please note – this applies equally to those such as student and trainees, bank, agency and
contracting staff, on temporary placements
Information Governance helps all employees to manage person identifiable information so
that all patients and staff know their records will not be disclosed inappropriately, which will:
• Give individuals greater trust in our working practices.
• Encourage individuals to be more open in sharing important personal details.
• Ensure they will receive the best quality care.
Person Identifiable/Sensitive & Corporate Information
Confidential Information Includes…
Person Identifiable
Information:
• Name
• Address
• Postcode
• DOB
• NHS number
• NI number
Sensitive Information:
• Ethnic backgrounds
• Political views
• Sexual preferences
• Gender
• Criminal offences
• Medical conditions
Corporate Information:
Information that is not staff or patient
related but could cause harm or
damage to the organisation, this could
be:
• Set of minutes
• Financial information
• Tenders being agreed
• Reports
• Upcoming consultations
Transferring Confidential Information Offsite – Paper
• Confidential information should only be transferred, if absolutely necessary and with managers
authorisation
• Minimal amounts of data required
• Where possible should be anonymised
• Lockable carriers must be used when carrying confidential documentation (bus, walking, train,
cycling etc)
• Sealed medical records bags can also be used to transfer confidential information
• Throughout transportation all information must be placed in the boot of the car and removed to
a place of security at destination
For further guidance please refer to the Records Management Procedure – Transportation of
Records - Section 6.3
Transferring Confidential Information Offsite – Electronic
• Confidential information should only be transferred, if absolutely necessary
• Minimal amount of data required
• All devices must be encrypted and password protected
• USBs, CDs, DVDs, mobile phones, laptops, digital Dictaphones etc should NOT be used to store
any confidential information, only to transfer information if necessary and authorised
• Once data has been transferred please ensure it is deleted and wiped as, per Trust policy states
Data Handling, Security
& Best Practice Guidelines
Best Practice Guidelines – Confidential Waste
• All confidential waste should be disposed either using a cross cut shredder or placing in the blue
confidential waste bins
• Never put confidential information in black refuse bags/recycling bins
• Confidential waste paper should not be used as scrap paper
• If you do not have the facility to dispose of confidential information securely at home, please
bring back into the office for appropriate disposal.
Best Practice Guidelines – Clear Desk Policy
Operate a clear desk policy by ensuring all person identifiable/ sensitive/confidential information is
locked away as appropriate, especially important when hot desking or working in an open plan
office.
Data Handling, Security
& Best Practice Guidelines
Best Practice Guidelines – Photocopying
• Do not make excessive copies of confidential information;
• Do not leave confidential information on the photocopying machine;
• Regularly check/update your distribution list to ensure copies are not sent to staff who have left
the Trust.
Best Practice Guidelines – Post
• PO box return labels to be displayed on external post
• Ensure marked ‘Private & Confidential’
• Double check full postal address of recipient
• Choose secure method of sending confidential information through
external post (recorded delivery or private courier)
• When necessary ask recipient to confirm receipt
• Ensure incoming confidential post is handled appropriately.
Best Practice Guidelines – Person
Ensure you hold confidential conversations in an appropriate place. Inappropriate areas include: corridors, open
plan offices etc
Gain patient consent before sharing their personal information with relatives/friends.
Best Practice Guidelines – Email
• No person identifiable/sensitive/ confidential information is to be detailed in the body or subject
heading of the email
• Confidential information is to be sent as a password protected attachment or transferred via
NHS.net to NHS.net
• Passwords to be sent by text or phone (wherever possible) or in a separate email (leave suitable
time between emails)
Best Practice Guidelines – Faxing
Do not fax personal or confidential information unless absolutely necessary and ensure the Safe
Haven Fax procedure is followed.
• Call individual to make them aware you are sending a fax
• Send cover sheet
• Confirm this has been received
• Continue to fax the information by pressing redial
• Ask individual to confirm receipt once received.
Best Practice Guidelines – Voicemails for Clients
• Only state forename and number
• Do not state full name, team, service or organisation unless agreed
• Consent needs to be obtained before leaving a voicemail
Best Practice Guidelines – Telephone
When receiving calls requesting personal information:
• Verify the identity of the caller
• Ask reason for request
• If in doubt, call the individual back and seek advice from your line manager or
the Information Governance Team / Data Protection Officer
Best Practice Guidelines – Office
• Remember to lock and secure the office when left unattended and at the end of the day
• Close and lock all windows
• Close any blinds/curtains
• Set the intruder alarm system (if fitted)
• Remember to wear your ID badge
• Ensure clear desk policy is followed
• Lock computer screens when left unattended (Ctrl,Alt,Delete)
• Remove smartcard from keyboard when leaving work station unattended and ensure it is kept
secure at all times.
Information Sharing
And Consent
Any confidential information that is going to be transferred needs to be shared in line with the Data
Protection Act 1998 and Caldicott Principles as outlined below:
Data Protection Act 1998 Principles:
1) Processed fairly and lawfully
2) Processed for specified purposes
3) Adequate, relevant and not excessive
4) Accurate and up to date
5) Not kept for longer than necessary
6) Processed in accordance with the rights of the data
subject
7) Protected by appropriate security
8) Not transferred outside the EEA without adequate
protection
9) The right to be forgotten (still being considered by
the Government – seek guidance from the IG Team
Caldicott Principles:
1) Justify the purpose of using confidential
information
2) Only use it when absolutely necessary
3) Use the minimum required
4) Allow access on a strict need to know
basis
5) Understand your responsibility
6) Understand and comply with the law
7) Duty of confidentiality – in the best
interest of the patient
Information Sharing Agreements
Where you are considering sharing information or are involved in arranging information sharing
agreements you must include the Information Governance Team at the earliest opportunity, and
an Information Sharing Agreement (ISA) will be distributed for completion.
Privacy Impact Assessments
Where a new system/process or change to an existing system/process has been identified it is
necessary the Information Governance Team are informed to ensure a Privacy Impact
Assessment has been completed. This will then allow the Information Governance Team to
determine if there are any confidentiality, consent, privacy, security or data protection issues
related to the new/changed/system/process.
Patients need to be informed how their information will be used and shared. It is therefore
important consent is gained and understood.
Consent for Children & Young People
Children and young people must be assessed as Fraser or Gillick competent.
When Consent Doesn’t Need to be Gained
• Public interest
• Court order
Human Rights Act & Computer Misuse Act
Human Rights Act:
• Came into force in the UK in October 2000
• All public bodies (police, courts, hospitals, local governments) and others carrying out public
functions have to comply with the convention rights.
We work with article 8 of the Human Rights Act ‘Respect for your private and family life, home and
correspondence’.
Computer Misuse Act:
Prior to 1990 there were no legislations in place to tackle the problems
caused by hacking. Although it was known to be wrong and should be
against the law, there was no framework in place to support this.
As the problem grew, it became apparent that specific legislation was
needed to enable individuals to be prosecuted under the law.
So in 1990 the Computer Misuse Act was passed and recognised the
following new offences.
•
•
•
•
Unauthorised access to computer systems
Unauthorised access with intent to commit or facilitate a crime
Unauthorised modification of computer material
Making, supplying or obtaining anything which can be used in computer
misuse offences.
The Information Governance Toolkit
To help improve Information Governance / Security arrangements across the NHS, the Department
of Health introduced a set of key standards called the IG Toolkit.
•
•
•
•
•
45 mandatory requirements for NHS organisations
Annual report stating improvements to Department of Health
Provides assurance all processes and procedures meet national requirements
Annual reports contribute to the Care Quality Commission audits
Audits can be reviewed on public-facing websites (Health & Social Care Information Centre
[HSCIS])
The Information Governance Team is responsible for the management of
the toolkit and works closely with key staff to ensure compliance and
collation of evidences to support the annual assessment. All staff need to
be involved to improve Trust performance levels. This is can be achieved
by:
•
•
•
•
•
Implementing guidance
Completing required training
Reporting incidents/breaches
Complete Data Flow Mapping
Assist with Information Governance spot check audits
Legal Services
Data Protection Act (Subject Access Requests) & Freedom Of Information
Data Subject Access Requests
Subject Access Requests:
The Data Protection Act 1998 gives an individual several rights in relation to the information held
about them:
• The right to seek access to their records held by the Trust
• The right to obtain a copy of the record in permanent form or to view a record
without obtaining a copy
• The right to rectification, blocking, erasure (under very strict regulations) and destruction of
information
• For all staff related requests, access to records / information is required within 40 calendar days
under the DPA Act
• For all patient related access to health/medical records the Trust has to respond within 40
calendar days, unless the individual has been seen within 21days in which case the information
must be provided within 21 days of receipt of the application.
When a request is made… there are two circumstances in which access can be denied and therefore
the requestor may have the right to ask the Information Commissioner to assess:
• If the record contains third party information and they have not consented to their information
being disclosed
• If access to all /part of the record will cause serious harm to the physical or mental wellbeing of
the individual, or any other person.
Publication Scheme
The Publication Scheme is a guide to the information the Trust holds, and must be published on its website. It gives
people access to some information without them having to make specific requests.
The current publication scheme maybe found on the Trust’s internet site (www.sept.co.uk)
Freedom Of Information Act 2000
The Act allows any member of the public the right to view / receive copies of corporate information held by
public bodies – it does not cover health or personal information. All such requests for information are
managed by the Legal Department and should not be handled by teams locally. If you receive an external
request for information you MUST ensure it is forwarded to the Legal Department immediately.
REMEMBER: The Law requires that FOI requests are responded to strictly within 20 working days of receipt
within the Trust.
Application Requests:
• All requests must be in writing
(email/post/fax)
• State clearly what information is required
• State name of the applicant and address
• Applicants do not need to mention the FOIA
• Applicants do not have to give a reason for
wanting the information
• You are NOT allowed to ask the applicant
their reasons for requesting.
Applicants can choose to receive information in different
formats:
• Permanent form (hard copies) – paper or electronic
• Summary form
• Permission to inspect records containing the requested
information
Examples of Information that can be requested:
• Executive Team reports
• Emails
• Handwritten notes on file
• Financial information
How should I respond to a request for information?
EVERYONE is responsible for following these simple rules:
• You should NOT respond directly to the applicant – other
than to advise you have passed their request to the Legal
Department
• Send to the Legal Department FOI Lead ([email protected])
immediately on receipt
• Don’t forget ‘20’ day rule
Records Management
Record Lifecycle
All individuals who work for an NHS organisation are responsible for the security of the information
they handle or use in the performance of their duties and should keep all types of information:
•
•
•
•
•
•
Accurate
Up to date
Complete – including NHS number
Quick and easy to find
Free from duplication
Free from fragmentation
Any record created by an individual, up to its disposal, is a public record and subject to Information
requests.
Patients have to right to access their health records under the Data Protection Act/Access to Records
(deceased)
Create
Be aware
Use
Retention
Monitor
Appraisal
Disposal
Control
Record Management & Keeping
Records Disposal:
The Trusts’ corporate procedural guideline CPG9(g) Storage, Retention and Destruction of Records will tell
you which records should be kept for how long, prior to disposal.
• Please ensure records are destroyed in a secure way. Either in blue confidential waste bags or shed using
a cross cut shredder. Do not place patient/staff identifiable information in waste paper bins.
• Make note of how, when and where the record(s) were destroyed, together with any reference numbers.
• If an applicant wants to see a record that is due to be destroyed, you must not destroy the record until
the request has been answered or any complaint and appeals process has finished.
• Destruction of all records should be completed in liaison with the Trusts’ Records Management Team.
Records Management:
Managing records effectively is essential for making access to
information possible. Records management covers all aspects of
a records life and should be:
•
•
•
•
•
Factual and correct
Relevant and useful
Clear and concise
Up to date
Complete
They should not contain:
• Unnecessary jargon
• Personal opinions
• Offensive language
Record Types:
Records can be in physical or technical formats, including:
• In paper record keeping system
• On computer, including emails
• On film records, such as CCTV
Also covers:
• Information located in confidential waste
• Information on computers
• Information stored on computer internal drives, USB sticks, CD
and disks.
1) Create – Use appropriate Trust folders and formats
2) Use – Enter information, use of templates, filing, discharge summaries, clinical coding
processes
3) Track – Log the location/pathway
4) Missing – Report to the manager
5) Retain – Look after, manage multiple volumes, hold until not required
6) Disposal Methods – confidentiality using Trust procedures
Key Contacts:
Overall responsibility for the Information Governance Agenda – Director of ITT (Senior
Information Risk Owner)
responsibility for public and non-health requests for information – Executive Director Corporate
Affairs & Customer Services (Freedom of Information/ Data Subject Access Requests)
Confidentiality / sharing of patient information – Executive Director Clinical Governance &
Quality / Caldicott Guardian
responsibility for the quality/accuracy of information – Assistant Director Systems
Implementation & Data Quality (Community)
Responsibility for the quality/accuracy of information, managing the IG agenda including the
Toolkit and DPA – Assistant Director Systems Implementation & Data Quality (Mental Health)
Responsibility for the implementation/security of records management and subject access
requests (health) –
Head of Records Management/Team
Responsibility for legal processes (Data Subject Access Requests (non-health) / Freedom of
Information Requests) and general advice and guidance – Legal Department
Now You need to take the Test.
Please click
the ‘Test’ icon
in the left
column, and
then click for
Questions.
Remember to click the
‘Home’ icon when you
finish the Test to save
your results