How to find your way around …

Example Cours

eYou can play the PowerPoint and the Test here.

START

FINISH

How to find your way around …

Example Cours

e

Always click the ‘home’ icon to save your progress and log off.

This is important!

START

FINISH

Information GovernanceFor all staff.

START

FINISH

INTRODUCTION

Information Governance

Data Protection Act

Freedom Of Information Act & Records Management Training

START

FINISH

Information Governance

COURSE OBJECTIVES On completion of the Information

Governance module, you will understand:

• Duty of Confidentiality• Data Handling & Security• Best Practice Guidelines• Information Governance Toolkit• Confidential/sensitive/corporate

Information• Information Sharing & Privacy

Impact Assessments• Consent• Personal information – Date

Protection Act• Corporate Information –

Freedom of Information

COURSE OBJECTIVES On completion of the Information

Governance module, you will understand:

• Duty of Confidentiality• Data Handling & Security• Best Practice Guidelines• Information Governance Toolkit• Confidential/sensitive/corporate

Information• Information Sharing & Privacy

Impact Assessments• Consent• Personal information – Date

Protection Act• Corporate Information –

Freedom of Information

Information Governance is the framework structures and processes that ensure the security, confidentiality and integrity of the Trust’s data information about it’s patients and employees, in particular personal sensitive and corporate information.

It allows the Trust and individuals to:

•Ensure that personal information is dealt with legally, securely, efficiently and effectively•Provides a framework to bring together all requirements, standards and best practices that apply to the handling of all information•Focus on setting standards and giving the Trust tools to achieve them•To be consistent in the way we handle personal/corporate information•Lead improvements in information handling, patient / public confidence in the Trust and employee training and development

START

FINISH

Duty of ConfidentialityAll employees of the Trust who record, handle, store or otherwise come across information, have a common law duty of confidence to patients and staff. We need to remember:

• Keep personal information private.• Ensure confidential information is not unlawfully or inappropriately accessed. • Any confidentiality breaches need to be reported to your line manger and Information

Governance.• Before disclosing information ensure you know who you are communicating with. • Comply with policies and procedures. • Do not leave manual records unattended.• Dispose of confidential information in the appropriate manner. • Ensure confidential information is held, stored and transported securely.

Please note – this guidance applies equally to those such as student, trainees, bank, agency staff. Contract staff on temporary placements (this list is not exhaustive).

Information Governance helps all employees to manage person identifiable information so that all patients and staff know their records will not be disclosed inappropriately, which will:

•Give individuals greater trust in our working practices.•Encourage individuals to be more open in sharing important personal details.•Ensure they will receive the best quality care.

START

FINISH

Information AssetsAn information asset is any data, device, or other component of the environment that supports information related activities. Assets should be protected from unauthorised access, use, disclosure, alteration, destruction, and/or theft, resulting in loss to the organisation. Examples of information assets are as follows:•Mobile phone / laptop / removable media•Databases and data files•Paper records and reports (staff/patient/corporate)

START

FINISH

Information Asset OwnersInformation Asset Owners (IAO’s) are directly accountable to the Senior Information Risk Owner (SIRO) and must provide assurance that information risk is being managed effectively in respect of the information assets that they ‘own’. IAO’s are generally heads of service and senior staff who can make decisions regarding the assets.

Information Asset AdministratorsIAO’s can assign day to day responsibility for each Information Asset to an administrator or manager known as an Information Asset Administrator (IAA). IAA’s will follow the Trusts policies and procedures with handling personal information and if information is unlawfully exploited, they will consult with the IAO’s regarding any potential or actual security incidents.

START

FINISH

Person Identifiable/sensitive and corporate information

Confidential Information Includes…

Person Identifiable Information:•Name•Address•Postcode•DOB•NHS number•NI number

Sensitive Information:•Ethnic backgrounds•Political views•Sexual preferences•Gender•Criminal offences•Medical conditions

Corporate Information:Information that is not staff or patient related but could cause harm or damage to the organisation, this could be:•Set of minutes •Financial information•Tenders being agreed•Reports•Upcoming consultations

START

FINISH

START

FINISH

START

FINISH

Question

Within SEPT, who has a common law duty of confidence to patients and staff?

Only medical staff

All staff who record, handle, store or

otherwise come across information

Continue

All staff that fill in confidential forms

Only Admin staff

START

FINISH

Best Practice Guidelines – Confidential Waste•All confidential waste should be disposed either using a cross cut shredder (cuts paper both horizontally and vertically) or placing in the blue confidential waste bins•Never put confidential information in black refuse bags/recycling bins•Confidential waste paper should not be used as scrap paper •If you do not have the facility to dispose of confidential information securely at home, please bring back into the office for appropriate disposal. Best Practice Guidelines – Clear Desk PolicyOperate a clear desk policy by ensuring all person identifiable/ sensitive/confidential information is locked away as appropriate, especially important when hot desking or working in an open plan office.

Data Handling, Security and Best practice Guidelines

START

FINISH

Best Practice Guidelines – Post•PO box return labels to be displayed on external post•Ensure marked ‘Private & Confidential’•Double check full postal address of recipient•Choose secure method of sending confidential information through external post (recorded delivery or private courier)•When necessary ask recipient to confirm receipt•Ensure incoming confidential post is handled appropriately.

Best Practice Guidelines – Photocopying•Do not make excessive copies of confidential information;•Do not leave confidential information on the photocopying machine;•Regularly check/update your distribution list to ensure copies are not sent to staff who have left the Trust.

Best Practice Guidelines – PersonEnsure you hold confidential conversations in an appropriate place. Inappropriate areas include: corridors, open plan offices etcGain patient consent before sharing their personal information with relatives/friends.

Data Handling, Security and Best practice Guidelines

START

FINISH

Best Practice Guidelines – Email•No person identifiable/sensitive/ confidential information is to be detailed in the body or subject heading of the email•Confidential information is to be sent as a password protected attachment or transferred via NHS.net to NHS.net•Passwords to be sent by text or phone (wherever possible) or in a separate email (leave suitable time between emails)

Best Practice Guidelines – FaxingDo not fax personal or confidential information unless absolutely necessary and ensure the Safe Haven Fax procedure is followed.•Call individual to make them aware you are sending a fax •Send cover sheet•Confirm this has been received•Continue to fax the information by pressing redial•Ask individual to confirm receipt once received.

Data Handling, Security and Best practice Guidelines

START

FINISH

Best Practice Guidelines – Voicemails for Clients•Only state forename and number•Do not state full name, team, service or organisation unless agreed•Consent needs to be obtained before leaving a voicemail

Data Handling, Security and Best practice Guidelines

START

FINISH

Best Practice Guidelines – Office•Remember to lock and secure the office when left unattended and at the end of the day•Close and lock all windows •Close any blinds/curtains•Set the intruder alarm system (if fitted)•Remember to wear your ID badge•Ensure clear desk policy is followed•Lock computer screens when left unattended (Ctrl,Alt,Delete)•Remove smartcard from keyboard when leaving work station unattended and ensure it is kept secure at all times.

Data Handling, Security and Best practice Guidelines

START

FINISH

Information Sharing and Consent

Caldicott Principles:1)Justify the purpose of using confidential information2)Only use it when absolutely necessary 3)Use the minimum required4)Allow access on a strict need to know basis5)Understand your responsibility6)Understand and comply with the law7)Duty of confidentiality – in the best interest of the patient

Data Protection Act 1998 Principles: 1)Processed fairly and lawfully2)Processed for specified purposes3)Adequate, relevant and not excessive4)Accurate and up to date5)Not kept for longer than necessary6)Processed in accordance with the rights of the data subject7)Protected by appropriate security8)Not transferred outside the EEA without adequate protection9)The right to be forgotten (still being considered by the Government – seek guidance from the IG Team

Any confidential information that is going to be transferred needs to be shared in line with the Data Protection Act 1998 and Caldicott Principles as outlined below:

START

FINISH

Question

What year was the Data Protection Act introduced?

Continue

1996

19982000

1990

START

FINISH

Information Sharing AgreementsWhere you are considering sharing information or are involved in arranging information sharing agreements you must include the Information Governance Team at the earliest opportunity, and an Information Sharing Agreement (ISA) will be distributed for completion.

Privacy Impact AssessmentsWhere a new system/process or change to an existing system/process (paper or electronic) has been identified it is necessary the Information Governance Team are informed to ensure a Privacy Impact Assessment has been completed. This will then allow the Information Governance Team to determine if there are any confidentiality, consent, privacy, security or data protection issues related to the new/changed/system/process.

For further information on Privacy Impact Assessments, please refer to the ‘Conducting Privacy Impact Assessments Code of Practice’. http://ico.org.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/data_protection/practical_application/pia-code-of-practice-final-draft.pdf

START

FINISH

Information Sharing and Consent

Patients need to be informed how their information will be used and shared. It is therefore important consent is gained and understood.

Consent for Children & Young PeopleChildren and young people must be assessed as Fraser or Gillick competent.

When Consent Doesn’t Need to be Gained•Public interest (To prevent or detect risk/harm to others)•Court order (As it is a legal requirement but still needs to meet the criteria of the Data Protection Act 1998)

Human Rights Act and Computer Misuse ActHuman Rights Act:•Came into force in the UK in October 2000•All public bodies (police, courts, hospitals, local governments) and others carrying out public functions have to comply with the convention rights.

We work with article 8 of the Human Rights Act ‘Respect for your private and family life, home and correspondence’.

Computer Misuse Act:Prior to 1990 there were no legislations in place to tackle the problems caused by hacking. Although it was known to be wrong and should be against the law, there was no framework in place to support this.

As the problem grew, it became apparent that specific legislation was needed to enable individuals to be prosecuted under the law.

So in 1990 the Computer Misuse Act was passed and recognised the following new offences.

•Unauthorised access to computer systems•Unauthorised access with intent to commit or facilitate a crime•Unauthorised modification of computer material•Making, supplying or obtaining anything which can be used in computer misuse offences.

START

FINISH

The Information Governance ToolkitTo help improve Information Governance / Security arrangements across the NHS, the Department of Health introduced a set of key standards called the IG Toolkit.

•45 mandatory requirements for NHS organisations•Annual report stating improvements to Department of Health•Provides assurance all processes and procedures meet national requirements•Annual reports contribute to the Care Quality Commission audits•Audits can be reviewed on public-facing websites (Health & Social Care Information Centre [HSCIS])

The Information Governance Team is responsible for the management of the toolkit and works closely with key staff to ensure compliance and collation of evidences to support the annual assessment. All staff need to be involved to improve Trust performance levels. This is can be achieved by:

•Implementing guidance•Completing required training•Reporting incidents/breaches•Complete Data Flow Mapping•Assist with Information Governance spot check audits

START

FINISH

Legal ServicesData Protection Act (Subject Access Requests) & Freedom Of Information

START

FINISH

Data Subject Access RequestsSubject Access Requests:The Data Protection Act 1998 gives an individual several rights in relation to the information held about them:•The right to seek access to their records held by the Trust•The right to obtain a copy of the record in permanent form or to view a record without obtaining a copy •The right to rectification, blocking, erasure (under very strict regulations) and destruction of information•For all staff related requests, access to records / information is required within 40 calendar days under the DPA Act•For all patient related access to health/medical records the Trust has to respond within 40 calendar days, unless the individual has been seen within 21days in which case the information must be provided within 21 days of receipt of the application.

When a request is made… there are two circumstances in which access can be denied and therefore the requestor may have the right to ask the Information Commissioner to assess:•If the record contains third party information and they have not consented to their information being disclosed•If access to all /part of the record will cause serious harm to the physical or mental wellbeing of the individual, or any other person.

START

FINISH

Freedom of Information Act 2000

Application Requests:•All requests must be in writing (email/post/fax)•State clearly what information is required•State name of the applicant and address•Applicants do not need to mention the FOIA •Applicants do not have to give a reason for wanting the information•You are NOT allowed to ask the applicant their reasons for requesting.

The Act allows any member of the public the right to view / receive copies of corporate information held by public bodies – it does not cover health or personal information. All such requests for information are managed by the Legal Department and SHOULD NOT be handled by teams locally. If you receive an external request for information you MUST ensure it is forwarded to the Legal Department immediately.

REMEMBER: The Law requires that FOI requests are responded to strictly within 20 working days of receipt within the Trust.

START

FINISH

Freedom of Information Act 2000

Applicants can choose to receive information in different formats:•Permanent form (hard copies) – paper or electronic•Summary form•Permission to inspect records containing the requested information

Examples of Information that can be requested:•Executive Team reports•Emails•Handwritten notes on file•Financial information

How should I respond to a request for information?EVERYONE is responsible for following these simple rules:•You should NOT respond directly to the applicant – other than to advise you have passed their request to the Legal Department•Send to the Legal Department FOI Lead (foi@sept.nhs.uk) immediately on receipt•Don’t forget ‘20’ day rule

START

FINISH

Data Subject Access Requests

Publication SchemeThe Publication Scheme is a guide to the information the Trust holds, and must be published on its website. It gives people access to some information without them having to make specific requests.The current publication scheme maybe found on the Trust’s internet site (www.sept.co.uk)

START

FINISH

Records Management

START

FINISH

Record Lifecycle

All individuals who work for an NHS organisation are responsible for the security of the information they handle or use in the performance of their duties and should keep all types of information:

•Accurate•Up to date•Complete – including NHS number•Quick and easy to find•Free from duplication•Free from fragmentation

Any record created by an individual, up to its disposal, is a public record and subject to Information requests.

Patients have to right to access their health records under the Data Protection Act/Access to Records (deceased)

START

FINISH

Record Lifecycle

Create Use Retention Appraisal Disposal

Be aware ControlMonitor

START

FINISH

Records Management:Managing records effectively is essential for making access to information possible. Records management covers all aspects of a records life and should be:

•Factual and correct•Relevant and useful•Clear and concise•Up to date•Complete

They should not contain:•Unnecessary jargon•Personal opinions•Offensive language

Record Management and KeepingRecords Disposal:The Trusts’ corporate procedural guideline Storage, Retention and Destruction of Records will tell you which records should be kept for how long, prior to disposal. Health and Social Care records must only be destroyed when authorised by the Trusts Head of Records.For Corporate records:•Please ensure records are destroyed in a secure way. Either in blue confidential waste bags or shred using a cross cut shredder. Do not place identifiable information in waste paper bins. •Make note of how, when and where the record(s) were destroyed, together with any reference numbers.•If an applicant wants to see a record that is due to be destroyed, you must not destroy the record until the request has been answered or any complaint and appeals process has finished.•The destruction of all records must be completed in liaison with the Trusts’ Records Management Team.

Record Types:Records can be in physical or technical formats, including:

•In paper record keeping system•On computer, including emails•On film records, such as CCTVThis list is not exhaustive

Also covers:•Information located in confidential waste•Information on computers•Information stored on computer internal drives, USB sticks, CD and disks.

1) Create – Use appropriate Trust folders and formats2) Use – Enter information, use of templates, filing, discharge summaries, clinical coding

processes3) Track – Log the location/pathway4) Missing – Report to the manager5) Retain – Look after, manage multiple volumes, hold until not required6) Disposal Methods – confidentiality using Trust procedures

Record Management and Keeping

START

FINISH

Key Contacts:

START

FINISH

Overall responsibility for the Information Governance Agenda – Executive Chief Finance Officer & Resources Officer (Senior Information Risk Owner) / Director of ITT

Responsibility for public and non-health requests for information – Executive Director Corporate Governance (Freedom of Information/ Data Subject Access Requests)

Confidentiality / sharing of patient information – Executive Medical Director (Patient Safety Lead) / Caldicott Guardian

Responsibility for the quality/accuracy of information – Assistant Director Systems Implementation & Data Quality (Community)

Responsibility for the quality/accuracy of information, managing the IG agenda including the Toolkit and DPA – Assistant Director Systems Implementation & Data Quality (Mental Health)

Responsibility for the implementation/security of records management and subject access requests (health) – Head of Records Management

Responsibility for legal processes (Data Subject Access Requests (non-health) / Freedom of Information Requests) and general legal advice and guidance – Legal Department

www.btuheks.nhs.uklibrary@btuh.nhs.uk 01268 524900 EX3594 

Remember, if you want to find more information / evidence about this subject or anything else which is relevant to your work or study, join your local healthcare library.For staff in Essex contact Basildon Healthcare Library.

It may be that you work in a different area, for example Luton.

Details of all the Health Libraries in the East of England can be found at this site…

You are welcome to join any of these.

www.eel.nhs.uk

START

FINISH

Review of Objective(s)Before completing the test, please ensure you have acquired the relevant

knowledge against the modules objective(s) below:

“You will understand:

•Duty of Confidentiality•Data Handling & Security•Best Practice Guidelines•Information Governance Toolkit•Confidential/sensitive/corporate Information•Information Sharing & Privacy Impact Assessments•Consent•Personal information – Data Protection Act•Corporate information – Freedom of Information”

If not, please take this opportunity to revisit the presentation content.

CONTINUE

START

FINISH

You now need to take the test!

Example Cours

eRemember to click the ‘home’ icon when you have finished the test to save your results!

START

FINISH