
Information Governance & IM&T Steering Committee (IG & IM&T SC) Executive Summary & IG Annual Report – 2016-17

Information Governance Annual Report 2016-17 g:\board secretariat\meetings\board\meetings\2017-18\06.06.17\annex 4.7 board 06.06.17 - information governance annual report 2016-17 part 2.docx Page 1 of 30

Information Governance Annual Report 2016/17

This report describes the progress of work undertaken by the Information Governance Team, new developments and themes, items to note and highlight areas of concern.

VERSION HISTORY

Version: 1.0
Date Issued: 24.04.2017
Brief Summary of Change: No changes
Owner’s Name: Dhiraj Tailor

For more information on the status of this document, contact:

Dhiraj Tailor

Date of Issue 24.04.2017

Reference

CONTENTS

VERSION HISTORY

1. Purpose

2. Definition and Background

3. Information Governance Management

4. IG Performance in 2016-17

5. Conclusion & Next Steps

1. Purpose

1.1. The purpose of this report is to provide the Committee with my annual report, as the Head of Information Governance and Data Controller for the Trust, on our compliance and performance in respect of the varied portfolio of work undertaken across the Trust.

2. Definition and Background

2.1. Definition

Information Governance (IG) is the way in which the NHS handles all information, in particular personal and sensitive information relating to patients, service users and employees. It provides a framework to ensure that personal information is handled legally, securely, efficiently and effectively in order to deliver the best possible care. Information Governance provides a way for our employees to deal consistently with the many different rules about how information is handled.

2.2. Background

The importance of IG is best described by Dame Fiona Caldicott: https://www.youtube.com/watch?v=wv3ZyJaUOn4

Effective IG is critical, as the loss or inappropriate disclosure of personal information can cause significant distress to patients and staff, undermine trust in the organisation and lead to fines of up to £500,000, which would be better spent on patient care. Several measures have been implemented within public bodies to strengthen controls around information security. In NHS organisations, this includes the establishment of two key roles:

Senior Information Risk Owner (SIRO): The role of the SIRO is to take ownership of the organisation's information risk policy, act as an advocate for information risk on the Board and provide written advice to the Accounting Officer on the content of their Statement of Internal Control in regard to information risk. The SIRO should be an Executive or Senior Manager on the Board who is familiar with information risks and the organisation’s response to risk.

The SIRO is expected to understand how the strategic business goals of the organisation, and those of other NHS organisations, may be impacted by information risks, and how those risks may be managed. The SIRO will implement and lead the NHS IG risk assessment and management processes within the Trust and advise the Board on the effectiveness of information risk management across the Trust. The Trust-appointed SIRO left the Trust in August 2016; however, the Chief Executive took on the role as an interim measure, until such time as a Director of Finance and Performance is appointed.

Caldicott Guardian (CG): A Caldicott Guardian is a senior person who makes sure that the personal information about those who use our services is used legally, ethically and appropriately, and that confidentiality is maintained. The CG should provide leadership and informed guidance on complex matters involving confidentiality and information sharing. The CG should play a key role in ensuring the Trust satisfies the highest practical standards for handling person identifiable information relating to patients, service users and their care, but the need for confidentiality extends to others, including relatives and staff. The CG is responsible for applying the seven Caldicott principles wisely, using common sense and an understanding of the law. The CG should be compassionate, recognising that their decisions will affect real people. The importance of the CG acting as ‘the conscience of the Trust’ remains central to trusting the impartiality and independence of their advice. Therefore the skill of a CG is to apply wise judgement to the precise circumstance of each case. The Guardian plays a key role in ensuring that the Trust and partner organisations satisfy the highest practicable standards for handling PID. The main role is to give advice when there is any uncertainty in the transfer of patient and service user information, seeking to clarify the purpose of the transfer and that it is justified; absolutely necessary; transferring only the minimum required; on a need-to-know basis; and complying with the Data Protection Act 1998 principles.

Senior Management Awareness: Senior levels of management and key personnel should receive periodic assurance that management and accountability arrangements are adequate, and be informed in a timely manner of future changes in the IG agenda (including awareness that the law is changing to the General Data Protection Regulations (GDPR)). All senior management and key personnel in the Trust need to appreciate the impact of GDPR on their respective directorates and specialities, and identify areas which could cause compliance problems.

The Information Commissioner’s Office (ICO): The ICO is the regulator for the Data Protection Act and works with NHS Trusts and other bodies to help ensure that the confidentiality of patient and staff identifiable data is respected in line with legal requirements and NHS standards. https://ico.org.uk/

The Information Governance Alliance (IGA): The IGA was set up in July 2014 in response to a request from Dame Fiona Caldicott that there should be a single authoritative source of information governance guidance for the health and care sector. http://systems.hscic.gov.uk/infogov/iga https://understandingpatientdata.org.uk/

Care Quality Commission (CQC): The CQC is an independent regulator for health and social care in England. The CQC monitors, inspects and regulates services to make sure they meet fundamental standards of quality and safety. Findings are published, including performance ratings. The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, Regulation 17, states that the intention is to make sure providers have systems and processes that ensure they are able to meet other requirements, in particular effective governance, assurance, auditing and safety of services provided. In addition, providers must securely maintain accurate, complete and detailed records in respect of each person using the service, and records relating to the employment of staff and the overall management of the regulated activity. http://www.cqc.org.uk/content/hospitals-mental-health-and-community-health-services

NHS Digital: Formerly known as the Health and Social Care Information Centre (HSCIC), it was set up in April 2013. NHS Digital exists to help patients, clinicians, commissioners, analysts and researchers. Their goal is to improve health and social care in England by making better use of technology, data and information. https://digital.nhs.uk/

3. Information Governance Management

3.1. The Trust’s approach to the management of IG is via the IG & IM&T Steering Committee. During 2016-17 the Trust underwent a series of reviews of its Committee structures. The committee chair (Andy Robinson) left the Trust in August 2016, with the Chief Executive taking responsibility; however, initial chairmanship was delegated to the interim Director of Finance & Performance. Further to a review of the Committee, the CE appointed the Director of IM&T as the chair on an interim basis, until such time as a Director of Finance & Performance is appointed.

3.2. The frequency of the Committee was also reviewed, and in late 2016 it was decided that all future meetings (post April 2017) will be held on a quarterly basis. Towards the end of 2016 the Clinical Services Executive Committee (CSEC) was also disbanded.

4. IG Performance in 2016-17

4.1. In assessing our performance during 2016-17 we identified distinct domains relevant to our responsibilities. These were:

- NHS Digital IG Toolkit (version 14)
- EU General Data Protection Regulations (GDPR)
- National Data Guardian (NDG) – Review of Data Security, Consent and Opt-Outs – Caldicott3 and Care Quality Commission Report
- Subject Access Requests
- Freedom of Information (FOI)
- IG Training
- Incidents – Datix and Cyber Security
- Information Asset Register
- TCS – Due Diligence

4.2. NHS Digital - IG Toolkit

The IG Toolkit is a Department of Health (DH) policy delivery vehicle that NHS Digital is commissioned to develop and maintain. It draws together the legal rules and central guidance set out by DH policy and presents them in a single standard as a set of IG requirements. The Trust is required to carry out self-assessments of its compliance against the IG requirements. The purpose of the assessment is to enable the Trust to measure compliance against the law and central guidance, and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction. The ultimate aim is to demonstrate that the Trust can be trusted to maintain the confidentiality and security of personal information. This in turn increases public confidence that ‘the NHS’ and its partners can be trusted with personal data. The toolkit can be accessed by members of the public to view participating organisations’ assessments.

Acute trusts must provide evidence for 45 requirements covering management responsibilities, confidentiality, data protection, information security and assurance about how information is processed for clinical, corporate and secondary use. Each requirement is scored from 0 to 3, and for the final submission at the end of March the Trust must attain at least level 2 for each requirement to achieve a ‘satisfactory’ score. The IG Toolkit sets standards and provides tools for meeting these requirements and provides assurance across six key areas:

- IG Management
- Confidentiality/Data Protection Assurance
- Information Security Assurance
- Clinical Information Assurance
- Secondary Use Assurance
- Corporate Information Assurance

IG Toolkit v14 – Final submission March 2017

Appendix 1 provides details of the levels achieved for all 45 requirements. The overall score was 81% ‘Satisfactory’. Prior to final submission the toolkit was audited by Audit South West. They looked at 14 requirements and concluded by stating that the Trust has in place an established and well attended Information Governance group which is supported by a dedicated IG Manager. The Trust’s compliance with the IG Toolkit has improved year on year, with a number of level 3 scores being reported.

Audit South West also undertook an audit of four corporate departments as part of requirement 604 of the IG Toolkit.

Appendix 2 provides details of how the Trust is working towards achieving Caldicott2 attainment. IG Toolkit requirements which are impacted by Caldicott2 must achieve level 3 on the IG Toolkit in order to meet the Caldicott2 standard. During 2016-17 the Trust attained three out of nine standards, up by two from the previous year.

4.3. EU General Data Protection Regulations (GDPR) & NDG – Caldicott3

General Data Protection Regulations will enable organisations to understand the new legal framework in the EU. It explains the similarities with the current Data Protection Act and describes some of the new and different requirements. The GDPR will apply in the UK from 25th May 2018. GDPR applies to controllers and processors and is broadly the same as the DPA. However, GDPR places specific legal obligations on data controllers, with significantly increased legal liability. A summary of GDPR is available on the ICO website: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Timeline:

- Made on 27th April 2016
- Published in Official Journal on 4th May 2016
- Came into force on 25th May 2016
- Two year implementation period, hence 25th May 2018

Compliance tips are:

- Ensure we are currently compliant with all DPA requirements
- Ensure we continue to seek guidance from the ICO and IGA, and to be guided by them in implementing GDPR
- Ensure all staff are aware of, understand and implement GDPR principles
- Conduct a gap analysis

The links below take you to a draft gap analysis of where actions need to take place for Northern Devon Healthcare Trust to prepare, and to the 12 steps guide from the ICO.

G:\INFORMATION GOVERNANCE\Corporate Management\Meetings\Groups\IG & IM&T Steering Committee\Meetings\2016-2017\13.02.17\4.3 IGT level 3 Caldicott 2 3 and GDPR.xlsx

https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf

G:\INFORMATION GOVERNANCE\InfoGov\GDPR

4.4. Subject Access Requests

The Data Protection Act 1998 (DPA) and the Access to Records Act 1990 enable patients and their representatives to make an application to either view or receive a copy of their health records. Additionally, the DPA entitles members of the public to access information held by the Trust about the requester. There are four areas in total in which the Trust needs to demonstrate compliance: Healthcare Records, DP, Human Resources and Complaints. The Trust must disclose the requested information within 40 consecutive days of receipt. Best practice states that the response should be within 21 days.

The Trust currently manages Healthcare Records requests in two distinct ways. All requests for NDDH and Community hospitals are processed via the Healthcare Records team at NDDH. For specialist service teams, requests are processed by the service lead. During 2016-17 the Mid and Eastern Community Hospitals transferred to the Royal Devon & Exeter Hospital on 1st October 2016. All requests post 1st October 2016 for these hospitals are managed by the Healthcare Records department at RD&E.

Post transfer, we undertook a review of the current processes in managing subject access requests, in particular access to medical healthcare records. This resulted in the Healthcare Records team, specialist services leads (Walk in Centre, Safeguarding Adults and Safeguarding Children & Young People) and IG producing a pathway, provided in Appendix 3.

Activity for 2016-17

1. Healthcare Records, April 16 – Mar 17

1,233, of which 1,073 were processed within 21 days, 88 in 40 days, and 72 over 40 days. Post 1st October 2016, there is no data for Mid and Eastern Community Hospitals as, mentioned above, they transferred to RD&E.

In summary, 99% of requests are being managed within the statutory timeframe of 40 days, with 87% within the policy and NHS target of 21 days.

2. DP SAR – 3

3. HR – 2

4. Complaints – 0

4.5. Freedom of Information Act (FOI)

In the period April 2016 – March 2017 the Trust received 552 Freedom of Information requests. This represented an increase of 28% on the same period in the previous year. Requests in 2016-17 continued the trend of becoming more complex.

Exemptions were applied on 91 responses (16%) out of a total of 552. The success rate (responses within 20 working days) at year end was 91.1%, which is above the national ‘best practice’ target of 90%. The requests come from three sectors: the public (173 / 31.9%), commercial companies (28.0%), and the media (22.1%). There has been an increase in requests from commercial companies, public organisations and academics, with a reduction in those from the public, compared with the previous year. The remainder of requests were from academic/educational (4.2%), MPs (2.6%), NHS staff/Trusts (2.2%), charities (0.6%) and solicitors (0.4%).

Appendix 4 provides a detailed analysis of FOI activity during 2016-17. The Trust’s Publication Scheme underwent an annual review by the compliance manager, with the FOI Lead and Head of IG continuing to provide support where practicable. The IG Administrator has made a sterling effort in ensuring that all FOIs for the previous two years, as well as those for the current year, are published on the Trust website via the Disclosure Log. The IG team also continue to support the Communications department in revamping the Trust’s web pages, in particular navigation to the publication scheme and IG pages.

4.6. Information Governance Training

IG Training within the Trust continues to be a challenge, along with a number of other mandated courses. IG training is unique in that it is an annual requirement for all staff to complete. The target remains at 95%. December 2016 saw the decommissioning of the national IG Training Toolkit delivered by NHS Digital, with NDHT retaining local access. This enabled the Trust to continue offering access to the IG training. Details of the decommissioning are provided on the link given below. Following the decommissioning, organisations were permitted to calculate the target for the period 1st April 2015 to 31st March 2017. Following review and analysis for this period, and taking into account TCS in October 2016, the Trust averaged 94%; however, Workforce Development were reporting an average of 74%.

https://www.igt.hscic.gov.uk/WhatsNewDocuments/Replacement%20of%20the%20NHS%20IG%20Training%20Tool.pdf

At the time of writing this report, we anticipate that the launch of the new platform and modules will be imminent. To reflect new developments in technology and cyber security, the training has been rebranded as ‘Data Security’.

4.7. Information Asset Register (IAR)

The IG Team continue to provide support to Information Asset Owners (IAOs) and Information Asset Administrators (IAAs) where possible; however, this is limited due to capacity within the team. The team have also started to look at organisational structures within the Trust, with a view to identifying all potential services and IAOs not yet identified as part of the IAR programme. We are also in the process of encouraging all IAOs to authorise their registered entries on the CoreStream application.

Another development during 2016-17 was the emergence of requests to upload person identifiable data/information to national registers. This has led to working closely with the Research & Development and Clinical Audit teams to formulate an effective process which is clear for staff to follow. Due consideration will also be given to ensuring that the Trust is compliant with confidentiality, legal requirements and best practice initiatives expressed in the Accessible Information Standards (AIS).

4.8. IG Incidents (Datix)

There were a number of reported potential breaches of confidentiality via the Datix system, which were assessed as IG SIRI level 1 and managed locally.

A total of 101 IG breaches were reported via Datix, down from 122 last year. A summary of locally reported IG incidents is provided in Figure 1.

Figure 1 – IG Incidents reported on DATIX – 2016-17

[Bar chart: Information Governance incidents (101) reported since 01/04/16, by month, Apr 2016 to Apr 2017. Data labels in chart order: 15, 17, 11, 12, 4, 7, 4, 8, 5, 3, 2, 12, 1.]

Figure 2 – Types of Breaches – Q4 2016-17

[Bar chart: Information Governance incidents reported during last quarter by type. Categories: Disclosed in Error; Lost in Transit; Non-secure Disposal – paperwork; Uploaded to website in error; Unauthorised Access/Disclosure; Information Governance – Other. Data labels in chart order: 7, 1, 1, 1, 1, 2.]

Information disclosed in error is the most common type of incident and continues to be the most frequent reason for an incident being reported.

Figure 3 – Incident Reported by Speciality Q4 2016-17

Key to Fig. 3

Planned Care & Surgery - Women's & Children's Mental Health Interface 4

Planned Care & Surgery - Surgery, Anaesthetics & Support Services 3

Planned Care & Surgery - Specialist Services 2

Unscheduled Care - Medicine 2

Director of Human Resources/ Personnel & Development 2

Health & Social Care Community Services - Health & Social Care 1

Unscheduled Care - Medicine - Acute Therapy 1

Unscheduled Care - Cancer Services 1

Director of Nursing 1

No IG SIRI Level 2 incidents were reportable to the Information Commissioner’s Office in 2016-17.

4.9. Other

National Council of Caldicott Guardians – The NCCG appointed a new Chair and Deputy Chair in January 2017. The council also published the long awaited Manual for Caldicott Guardians on 5th January 2017. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/581213/cgmanual.pdf

Due Diligence – Collaboration with RD&E ensured the transfer of Community services in the Mid & East occurred smoothly without any IG complications.

Cyber Security – Continued to support the CTO and the Cyber Security initiative at NHS Digital. Pleased to report that we had no incidents which required reporting to the ICO via the Cyber Security Incident reporting tool within the IG Toolkit.

Data Quality – Continued to support Martin Scrace and the Data Assurance Group (DAG) by qualifying the requirements and standards expected nationally, as well as expectations contained in the IG Toolkit.

EHR – Continued to support the Programme team at Castle Street with all aspects of IG and Data Protection required to be factored in within TrackCare.

IG Resources – This continues to be an issue for the IG team, as approval to recruit has been declined twice during 2016-17.

Devon – Tier 1 Information Sharing Agreement – The agreement was reviewed by the members of the SW SIGN and approved by all Caldicott Guardians in January 2017. It will support the Digital Road Map and Five Year Forward View.

Publication of the Records Retention Schedule – The IGA published the Records Management – Code of Practice for Health & Social Care 2016 in July 2016. The schedule was incorporated into the Information Lifecycle Management Policy.

ICO – Following the retirement of Christopher Graham, the ICO appointed Elizabeth Denham as the Information Commissioner in 2016.

5. Conclusion & Next Steps

5.1. Did the IG Team meet its 2016-17 Objectives?

- To ensure the Trust maintains compliance at level 2 or above for all 45 requirements of version 14 of the IG Toolkit – Yes. It is anticipated that NHS Digital will release version 15 in late May, early June 2017.
- To make further progress with requirements of the IG Toolkit version 15, particularly in terms of Information Flow Mapping, Corporate Records Management, Internal IG Audit recommendations and mandatory IG training for all staff – Yes
- To ensure that all evidence within each requirement of the IG Toolkit is reviewed and updated, reflecting up to date best practice and guidance – Yes
- To continue the review and development of policies and guidance on a rolling basis – Yes
- To continue to promote and monitor standards of Data Quality – Yes
- To work towards fully embedding information standards into all processes, and to raise awareness of IG issues Trust-wide – Yes
- To consider impacts to the Trust and implement any changes as a result of reviews to the Data Protection Act, Freedom of Information Act and Caldicott Review and changes in EU legislation – Yes

5.2. Conclusion

The Trust performs well; however, it continues to face challenges in a number of areas. These are highlighted in the IG Strategy 2016-19 and IG Action Plan for 2017. Whilst there have been no large scale IG breaches, we must be continually vigilant in this area, in particular by reminding all staff of the importance of adopting IG standards as part of daily business.

5.3. Next Steps

Initiate IG Action Plan for IG Toolkit v15 2017-18.

IG Toolkit – Review and revamp – Continue to support the External Delivery team at NHS Digital to review and revamp the IG Toolkit during 2017-18, incorporating GDPR and Caldicott3.

Launch the new IG Training platform and core training modules, working closely with Workforce and Development.

In collaboration with R&D and Clinical Audit, develop guidance for staff who wish to submit PID or Trust data to national registers, ensuring that it incorporates national guidance, acts of law and best practice, and factors in Accessible Information Standards (AIS) and the Privacy/Fair Processing Notice.


Continue to support CTO in developing and deploying Cyber Security awareness across the Trust.

Full review of the 2003 protocol for the exchange of information between Devon & Cornwall Police Service and NDHT to take place, ensuring Caldicott3, GDPR and ICO Information Sharing guidance is incorporated.


Appendix 1 IGT V14 Annual Performance Progress Report

Version 14

Baseline 27/07/2016 16:54 Dhiraj Tailor

Performance Update 26/10/2016 16:28 Dhiraj Tailor

Final 28/03/2017 16:04 Dhiraj Tailor

Legend:

• Requirement has not been answered

• Requirement is not scored at the required level

• Requirement is scored at or above the required level

| No | Requirement | Baseline | Update | Published |
|---|---|---|---|---|
| 101 | There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda | 2 | 3 | 3 |
| 105 | There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans | 2 | 3 | 3 |
| 110 | Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations | 2 | 2 | 2 |
| 111 | Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation | 2 | 2 | 2 |
| 112 | Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained | 2 | 2 | 2 |
| 200 | The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs | 2 | 2 | 3 |
| 201 | The organisation ensures that arrangements are in place to support and promote information sharing for coordinated and integrated care, and staff are provided with clear guidance on sharing information for care in an effective, secure and safe manner | 2 | 2 | 2 |
| 202 | Confidential personal information is only shared and used in a lawful manner and objections to the disclosure or use of this information are appropriately respected | 2 | 2 | 2 |
| 203 | Patients, service users and the public understand how personal information is used and shared for both direct and non-direct care, and are fully informed of their rights in relation to such use | 2 | 2 | 2 |
| 205 | There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data | 2 | 2 | 2 |
| 206 | Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request | 2 | 2 | 2 |
| 207 | Where required, protocols governing the routine sharing of personal information have been agreed with other organisations | 2 | 2 | 2 |
| 209 | All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines | 2 | 2 | 3 |
| 210 | All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements | 2 | 2 | 2 |
| 300 | The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs | 2 | 2 | 3 |
| 301 | A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed | 2 | 3 | 3 |
| 302 | There are documented information security incident / event reporting and management procedures that are accessible to all staff | 2 | 2 | 3 |
| 303 | There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority | 2 | 2 | 2 |
| 304 | Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use | 2 | 2 | 2 |
| 305 | Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems | 2 | 2 | 2 |
| 307 | An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy | 2 | 2 | 3 |
| 308 | All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers | 2 | 2 | 2 |
| 309 | Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place | 2 | 2 | 2 |
| 310 | Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error | 2 | 2 | 2 |
| 311 | Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code | 2 | 2 | 2 |
| 313 | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely | 2 | 2 | 2 |
| 314 | Policy and procedures ensure that mobile computing and teleworking are secure | 2 | 2 | 2 |
| 323 | All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures | 2 | 2 | 2 |
| 324 | The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate | 2 | 2 | 2 |
| 400 | The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience | 2 | 3 | 3 |
| 401 | There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements | 2 | 2 | 3 |
| 402 | Procedures are in place to ensure the accuracy of service user information on all systems and/or records that support the provision of care | 2 | 2 | 3 |
| 404 | A multi-professional audit of clinical records across all specialties has been undertaken | 2 | 2 | 3 |
| 406 | Procedures are in place for monitoring the availability of paper health/care records and tracing missing records | 2 | 2 | 3 |
| 501 | National data definitions, standards, values and data quality checks are incorporated within key systems and local documentation is updated as standards develop | 2 | 2 | 3 |
| 502 | External data quality reports are used for monitoring and improving data quality | 2 | 2 | 3 |
| 504 | Documented procedures are in place for using both local and national benchmarking to identify data quality issues and analyse trends in information over time, ensuring that large changes are investigated and explained | 2 | 2 | 3 |
| 505 | An audit of clinical coding, based on national standards, has been undertaken by a Clinical Classifications Service (CCS) approved clinical coding auditor within the last 12 months | 2 | 2 | 2 |
| 506 | A documented procedure and a regular audit cycle for accuracy checks on service user data is in place | 1 | 2 | 2 |
| 507 | The secondary uses data quality assurance checks have been completed | 2 | 2 | 3 |
| 508 | Clinical/care staff are involved in quality checking information derived from the recording of clinical/care activity | 1 | 1 | 3 |
| 510 | Training programmes for clinical coding staff entering coded clinical data are comprehensive and conform to national clinical coding standards | 1 | 1 | 3 |
| 601 | Documented and implemented procedures are in place for the effective management of corporate records | 2 | 2 | 2 |
| 603 | Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000 | 2 | 2 | 3 |
| 604 | As part of the information lifecycle management strategy, an audit of corporate records has been undertaken | 2 | 2 | 2 |
| | Total (%) | 64% | 68% | 81% |


Appendix 2 Caldicott2 Recommendations / Implementation

Not Started: Determined as all requirements for the recommendation have been scored at level 0 or are blank (i.e. Not Started)

Working Towards Implementation: Determined as have at least one requirement for the recommendation above level 0 but not all requirements set to level 3

Fully Implemented: Determined as Fully Implemented for a Caldicott recommendation if the organisation has scored at level 3 for all the requirements for the recommendation

Each entry below gives the Recommendation No, the Text of Recommendation, the IG Toolkit Requirement(s) Not Fully Implemented and the Compliance Level.

Recommendation 1

People must have the fullest possible access to all the electronic care records about them, across the whole health and social care system, without charge.

An audit trail that details anyone and everyone who has accessed a patient’s record should be made available in a suitable form to patients via their personal health and social care records. The Department of Health and NHS Commissioning Board should drive a clear plan for implementation to ensure this happens as soon as possible.

IG Toolkit Requirement(s) Not Fully Implemented: 203, 205, 206

Compliance Level: Working Towards Implementation

Recommendation 2

For the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual.

Health and social care providers should audit their services against NICE Clinical Guideline 138, specifically against those quality statements concerned with sharing information for direct care.

IG Toolkit Requirement(s) Not Fully Implemented: 201

Compliance Level: Working Towards Implementation

Recommendation 4

Direct care is provided by health and social care staff working in multi-disciplinary ‘care teams’. The Review Panel recommends that registered and regulated social workers be considered a part of the care team. Relevant information should be shared with members of the care team, when they have a legitimate relationship with the patient or service user. Providers must ensure that sharing is effective and safe. Commissioners must assure themselves on providers’ performance.

Care teams may also contain staff that are not registered with a regulatory authority and yet undertake direct care. Health and social care provider organisations must ensure that robust.

IG Toolkit Requirement(s) Not Fully Implemented: 201

Compliance Level: Working Towards Implementation

Recommendation 5

In cases when there is a breach of personal confidential data, the data controller, the individual or organisation legally responsible for the data, must give a full explanation of the cause of the breach with the remedial action being undertaken and an apology to the person whose confidentiality has been breached.

Compliance Level: Fully Implemented

Recommendation 6

The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach. There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This should be in the quality report of NHS organisations, or as part of the annual report or performance report for non-NHS organisations.

IG Toolkit Requirement(s) Not Fully Implemented: 202

Compliance Level: Working Towards Implementation

Recommendation 7

All organisations in the health and social care system should clearly explain to patients and the public how the personal information they collect could be used in de-identified form for research, audit, public health and other purposes. All organisations must also make clear what rights the individual has open to them, including any ability to actively dissent (i.e. withhold their consent).

IG Toolkit Requirement(s) Not Fully Implemented: 202, 203

Compliance Level: Working Towards Implementation

Recommendation 12

The boards or equivalent bodies in the NHS Commissioning Board, clinical commissioning groups, Public Health England and local authorities must ensure that their organisation has due regard for information governance and adherence to its legal and statutory framework.

An executive director at board level should be formally responsible for the organisation’s standards of practice in information governance, and its performance should be described in the annual report or equivalent document.

Boards should ensure that the organisation is competent in information governance practice, and assured of that through its risk management. This mirrors the arrangements required of provider trusts for some years.

Compliance Level: Fully Implemented

Recommendation 15

The Department of Health should recommend that all organisations within the health and social care system which process personal confidential data, including but not limited to local authorities and social care providers as well as telephony and other virtual service providers, appoint a Caldicott Guardian and any information governance leaders required, and assure themselves of their continuous professional development.

Compliance Level: Fully Implemented

Recommendation 19

All health and social care organisations must publish in a prominent and accessible form:

• a description of the personal confidential data they disclose;

• a description of the de-identified data they disclose on a limited basis;

• who the disclosure is to; and

• the purpose of the disclosure

IG Toolkit Requirement(s) Not Fully Implemented: 203

Compliance Level: Working Towards Implementation


Appendix 3 Subject Access – Request for Patient Information

Request is made for Court Statement/Police Statement/Legal request for information/any request for information

Do not disclose patient information

Advise the requester to apply in writing to the Access to Records Department at NDDH who will notify the relevant ‘lead’:

• Children who have accessed NDDH services: Named Doctor/Nurse

• Specialist Services: Specialist Services Lead (WIC, Dental, Sexual Health, Bladder & Bowel)

• Maternity Services: Named Midwife

• Adults who have accessed NDHT: Safeguarding Adults Lead

The Lead contacts relevant staff, and considers the following:

• Inform the Legal Claims Manager of the request

• Ensure preparation

• Lead and Named Professional offer support and guidance

• Quality assure the statement

• Complete and sign statement

• Copy of statement in child’s records

• Statement to the Legal Claims Manager

• Forward to Organisation

Specialist Services

Advisory; Lead considers consultation with Caldicott Guardian or Information Governance Lead

Request for Court Attendance – the Legal Claims Manager (Corporate Governance) should be informed immediately and she will advise accordingly.


Appendix 4 FOI Annual Report 2016-17

Summary

The Trust received 552 requests during 2016/17. This is a 28% increase on the 426 in the previous year; a similar increase was seen the year before then. The historical pattern of quarterly activity with its significant increase in quarter four has been repeated. Each week an average of 10.6 requests were received; this compares to an average of 8.1 requests per week last year.

The requests come from three sectors: the public (173 / 31.9%), commercial companies (28.0%), and the media (22.1%). There has been an increase in requests from commercial companies, public organisations and academics, with a reduction in those from the public, from the previous year. The remainder of requests were from academic/educational institutions (4.2%), MPs (2.6%), NHS staff/Trusts (2.2%), charities (0.6%) and solicitors (0.4%).

The success rate of responding within 20 working days was 91.1%, which is just above the national target of 90%. This compliance target was raised by the Information Commissioner’s Office from 85% in March 2017. Failure to comply will result in adverse Trust publicity and increased monitoring and scrutiny.

Annual activity

During 2016/17 the Trust received 552 requests. This represents a 28% increase on the 426 of the previous year, which itself was a 34% increase on the year before that.


This increase represents an average of 10.6 requests received per week, varying between 3 and 23. This compares to 8.1 requests per week last year. A similar increase next year would see our Trust receive around 620 requests which would equate to over 12 requests a week. The pattern of quarterly activity with its significant increase in quarter four is historical and has been repeated since 2014.

The highest monthly total to date was the 62 in March 2017; monthly activity is shown below:

[Figure: Quarterly activity, Q1 to Q4, for 2014/15, 2015/16 and 2016/17]

[Figure: Received / month, Apr-16 to Mar-17. Data labels as extracted: 42, 32, 57, 53, 49, 50, 36, 37, 32, 47, 53, 62]

20 day response rate

Requests must be answered promptly and within 20 working days. Our success rate of responding within 20 working days was 91.1%, which is just above the revised national target of 90%. This target was raised by the Information Commissioner’s Office from 85% in March 2017. Failure to comply will result in adverse publicity and increased monitoring and scrutiny.


Forty-nine responses (8.9%) breached the 20 day limit, up from 28 in the previous year. The longest breach was 56 days (FOI-16-144).

Average days to complete

A performance indicator often used is the ‘average days to complete’, calculated by dividing the total number of days to complete all responses by the total number of requests. This figure can be impacted significantly by extended breaches of the 20 days. Nevertheless, it gives a good indication of the response rate. The time taken to complete responses this year has been maintained. On average, responses were completed within 10.6 days, well within the 20 days.

This remains a considerable improvement over previous years and may be attributable to a number of factors including the ‘day 10’ email reminders, better identification of staff able to assist with responses, a generalised buy-in from staff, increased monitoring with weekly reporting, and the continued support of the Chief Executive and Caldicott Guardian in reviewing and approving responses.

[Figure: Days to complete a request. Values shown: 20 and 10.6]


Teams that have previously been slow or reluctant responders have been encouraged to amend their habits and generally we are pleased with the efforts made by all staff now responding. Disruption of teams and staff turnover has caused delays as competing demands for staff time slow the responding rate. In particular we would like to thank Nigel Bruguier and his Information team for their excellent work in responding to the widest variety of requests in a timely manner.

Requesters

The main requesters continue to be the public (31.9%), commercial companies (28.0%) and the media (22.1%). These three groups make up 82% of requests. There has been a slight increase in requests from commercial companies, public organisations and academics, with a reduction in those from the public from the previous year. The remainder of requests were from academic/educational institutions (4.2%), MPs (2.6%), NHS staff/Trusts (2.2%), charities (0.6%) and solicitors (0.4%).

The greatest number of requests received from one individual was nine. As expected, requests from previous years are often followed up on an annual basis and we try to ensure that staff also receive copies of these previous or any similar requests.


Request Subject

Clinical, staffing, statistics, finance, facilities and IT form the primary subject of requests, accounting for 72.8% of the total. The figures below do not necessarily reflect the true impact on departments such as finance as, although requests may have a primary focus on clinical or staffing, they often include financial questions.


Exemptions

The Freedom of Information Act contains certain exemptions from information being disclosed. Exemptions were used in 91 of our responses (16%). The most common reason we exempted information was the time necessary for completing a response being estimated at more than 18 hours (Section 12). The following exemptions were used:

| Exemption used | % |
|---|---|
| Section 12: Time cost to provide information | 46.9 |
| Section 40: Personal information | 30.6 |
| Section 43: Commercial interest | 18.4 |
| Section 24: National Security | 2.0 |
| Section 22: Intended for future publication | 1.0 |
| Section 31: Law enforcement | 1.0 |

Internal reviews were requested for three of our responses (all from the same requester). These reviews were completed within 18 days (1) and 13 days (2). Because of these internal reviews we have adopted a more rigorous ‘exemption, prejudice and public interest test’ process.

Disclosure Log

As required by the FOI Act, approved responses are published in an anonymised form on the Trust’s website in the Disclosure Log, making all responses visible to the world, not just the requester. This year we have undertaken to assist people by grouping the responses by subject, rather than chronologically. The Disclosure Log can be accessed by clicking the link below:

http://www.northdevonhealth.nhs.uk/contact/foi/disclosure-log/

Conclusion

As the number of FOIs received continues to increase, the demands on staff resources are also increasing. The FOI team continues to streamline the efficiency of its internal process and strives to assist staff and teams in responding in a timely manner to the 20-day deadline. The raising of the 20-day target to 90% means we will have to work even harder in the coming year to avoid breaches.