Introduction to Information Governance (IG) Mark Scallan – Head of IG/Data Protection Officer Angela Kaye – IG Officer


Page 1

Introduction to Information Governance (IG)

Mark Scallan – Head of IG/Data Protection Officer

Angela Kaye – IG Officer

Page 2

Key Learning Points

What is Information Governance?

What do YOU need to do to make this work?

• Follow the Caldicott Guidelines

• Provide a confidential service

• Comply with the Law

• Understand the Data Protection Act Principles

• Recognise a Freedom of Information Act request

• Follow the Records Management NHS Code

• Keep Information Secure

• Input Quality Information

Page 3

Information means:

Personal – anything that can be used to directly, or indirectly identify a person

E.g. Name, Date of Birth, Home address, IP Address, a photo, email address

Access to Staff and Guest Wi-Fi

Page 4

Mark Scallan who was attending the meeting on behalf of the Director of Health Informatics. www.rcht.nhs.uk/DocumentsLibrary/RoyalCornwallHospitalsTrust/ChiefExecutive/Minutes/... · PDF file

Mark Scallan - Email, Address, Phone numbers, everything! www ... Everything you need to know about Mark Scallan Email addresses, Phone numbers, Biography, Transaction, Mazda

Mark Scallan - UK address and phone number - 192.com
We have found 6 people in the UK with the name Mark Scallan. Click here to find personal data about Mark Scallan including phone numbers, addresses, directorships, electoral ...

Mark Scallan | Inmate Arrest Record | Miami-Dade County, Florida ...
Mark Scallan was arrested in Miami, FL on 12/02/2011 for Cocaine/possession

Page 5

Remove This Mugshot

Information:

Name: Mark Scallan

Location: Miami, Florida

Page 6

Conditions for processing personal data

• The individual who the personal data is about has consented to the processing.

• The processing is necessary:

- in relation to a contract which the individual has entered into; or

- because the individual has asked for something to be done so they can enter into a contract.

• The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).

• The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.

• The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.

• The processing is in accordance with the “legitimate interests” condition.

Page 7

Information means:

Personal – E.g. Name, Date of Birth, Home address, Photo, IP address

Sensitive – E.g. ethnicity, disease, medical condition, sexual life

Page 8

Conditions to process sensitive data

• The individual who the sensitive personal data is about has given explicit consent to the processing.

• The processing is necessary so that you can comply with employment law.

• The processing is necessary to protect the vital interests of:

- the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or

- another person (in a case where the individual’s consent has been unreasonably withheld).

• The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.

• The individual has deliberately made the information public.

• The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.

• The processing is necessary for administering justice, or for exercising statutory or governmental functions.

• The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.

• The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

Page 9

Public opinion

According to a survey of 1,001 patients across the UK,

97 per cent say NHS managers should have a legal and ethical duty to protect their data;

87 per cent felt that managers should be sacked or fined if they were aware of risks but failed to act upon them, leading to a serious breach.

Page 10

Handling information means

Holding it securely and confidentially

Obtaining it fairly and efficiently

Recording it accurately and reliably

Using it effectively and ethically

Sharing it appropriately and lawfully

Page 11

DPA Principles

• Personal data shall be processed fairly and lawfully

• Personal data shall be obtained only for one or more specified and lawful purposes

• Personal data shall be adequate, relevant and not excessive

• Personal data shall be accurate and, where necessary, kept up to date.

• Personal data shall be destroyed once its specific purpose expires

• Personal data shall be processed in accordance with the rights of data subjects

• Appropriate technical and organisational measures shall be taken to protect data

• Personal data shall not be transferred to a country outside the UK

Page 12

Core elements of IG

• Data Protection Act 1998

• Freedom of Information Act 2000

• Information Security Standards

• The NHS Confidentiality Code of Practice

• The Records Management NHS Code of Practice

• Information Quality Assurance

Page 13

What is IG?

Information Governance provides a framework to bring together all the legal rules, guidance and best practice that apply to the handling of information.

Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information.

Page 14

Follow the Confidentiality Caldicott Guidelines

1. Justify the purpose of using confidential information

2. Only use it when absolutely necessary

3. Use the minimum required

4. Allow access on a strict need-to-know basis

5. Understand your responsibility

6. Understand and comply with the law

7. The duty to share information is as important as patient confidentiality

Page 15

Caldicott 2 Report - ??

The limits of sharing for direct care.

Only relevant information about a patient should be shared between professionals in support of their care…..

Page 16

A penalty, of £100,000, was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, was before the courts, and the second involved details of care proceedings.

Central London Community Healthcare (CLCH) NHS Trust has been fined £90,000 following a serious breach of the Data Protection Act. This followed the wrongful transmission of faxes on a number of occasions.

The Information Commissioner’s Office (ICO) served Surrey County Council with a monetary penalty of £120,000 for a serious breach of the Data Protection Act after sensitive personal information was emailed to the wrong recipients on three separate occasions.

Page 17

Croydon Council has been handed a penalty of £100,000 after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.

The Nursing and Midwifery Council was issued a £150,000 civil monetary penalty for losing three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.

Leeds City Council was served a monetary penalty of £95,000, Plymouth City Council £60,000 and Devon County Council £90,000 after separate incidents saw details of child care cases sent to the wrong recipients, while the London Borough of Lewisham was issued a penalty of £70,000 after social work papers were left on a train.

Page 18

Freedom of Information Act 2000

What information does it cover?

Page 19

What you need to know about FOI

Gives the public the right to access/view all non-personal public authority information upon request

Requests must be in writing

All staff must know who their FOI Lead is and be able to access/refer to their contact details.

The requester may not and need not quote the FOI Act

The organisation must respond within 20 working days

Exemptions may apply for non-disclosure – the FOI Lead will determine this.

Page 20

Follow the Records Management NHS Code of Practice

Best Practice guidance states:

All Staff have a legal and professional obligation to be responsible for any records which they create or use in the performance of their duties.

Any record created by an individual, up to the end of its retention period, is a public record and subject to Information requests (FOI and Subject Access).

Subject Access Request?

Page 21

Record Quality Information

Keep all types of information:

Accurate

Up to date

Complete – Including NHS Number

Quick and easy to find

Free from duplication

Free from fragmentation

} Better Healthcare

Page 22

Keep Information Secure

Follow Organisation Policies: Acceptable Use Policy, E-mail Policy, Data Protection Policy, Safe Haven Policy, Health Records Policy, Medical Photography Policy

Protect Information Physically

Transfer Information Securely

Report Breaches of Security to Management

It is your responsibility to keep all personal and sensitive information secure