Embed Size (px)
Citation preview
London Public Health Transition Delivery BoardInformation & Intelligence Task-to-finish Group Workshop 7th Nov 2012
Date: 07.11.2012Version: 0.1
IntroductionAim: - Support transition of PH I&I to London Boroughs;
2nd networking workshop & quality check of products to support transition
Objective 1: - quality assurance of template Privacy Impact Assessment
Objective 2: - quality assurance of template Information Sharing Agreement
Objective 3: - publicise and explain N3, Smartcards and secure email
Objective 4: - publicise and explain compliance (NHS IGT) and safe haven concept
Objective 5: - products for London Councils web site
Page 2
AGENDA
9.00- 9.30 – Introduction, Robert Creighton
10.00- 12.30- Morning Workshop, Stephen Elgar and Thanas Loli
12.30 - 1.30 LUNCH
1.30- 3.00 Afternoon Workshop, HYTEC, Robin Ingram
3.00-3.30 BREAK
3.30-4.30- Panel Q/A
4.45 - Close
Page 3
Key Data Sources (SUS, ONS, HPA, IC)
LA/PH team
LA/PH team
LA/PH
team
csucsu
LA/PH team
Delegating to third party IT
LA/PH team
1
23 4
LA/PH team
LA/PH team
WHAT IS YOUR BUSINESS MODEL?
Page 4
Introduction
Why What How
Safehaven
•Confidentiality & security assured for Data at rest & in transit
Compliance (NHS IGT)
• assurance
N3 connection
Secure email
NHS smartcards
Are these products good enough?Do they make sense?Is there anything else we need?
Privacy Impact Assessment template – based on Information Commissioners Office
Why do a PIA?•Identify and mitigate risks•Reputation•Public trust and confidence•Avoid expensive “bolt on” solutions•Cabinet Office requirement for England Central Govt.•Informs project media strategy•Enlightened self-interest
Information Sharing Agreement template – based on Information Commissioners Office
PossibleImplementation
if required
PossibleImplementation
if required
Implementation!TOOLS
Product will have:•Risks and mitigation•Recommendations for implementation•Legal basis for processing•Information asset set and data flows•Data Protection Act Principle analysis•ICO Q&A
Format:•the purpose for sharing;•the organisations involved, potential recipients or types of recipient and the circumstances in which they will have access;•the data to be shared & legal & professional basis for sharing:•data quality – accuracy, relevance, usability etc;•data security;•retention of shared data;•individuals’ rights – procedures for dealing with access requests, queries and complaints;
•review of effectiveness/termination of the sharing agreement; and•sanctions for failure to comply with the agreement or breaches by individual staff;
Posters; N3, Secure email & Smartcards
Page 5
• N3 connection options • Secure email• Smartcards
15 mins
Please record on feedback forms:
Are these briefings useful? Y / N
If not how can they be improved? What is missing?
Are there alternative approaches
Privacy Impact Assessment template
Page 6
Privacy Impact Assessment template – based on Information Commissioners Office
Why do a PIA?
• Identify and mitigate risks• Reputation• Public trust and confidence• Avoid expensive “bolt on” solutions• Cabinet Office requirement for England Central Govt.• Informs project media strategy• Enlightened self-interest
Product will have:
•Risks and mitigation•Recommendations for implementation•Legal basis for processing•Information asset set and data flows•Data Protection Act Principle analysis•ICO Q&A
Talk 20 minsDiscussion 40 mins
Privacy Impact Assessment Summary; data flows, key risks and controls
Figure 1
Risks• Data loss
(reputational damage and fine)
• Data usage without consent or legal basis
Controls• Where ever possible data is minimised, anonymised or de-idenitifed
• Personal data is a controlled exception which will require agreement from Data Controllers and may require S251 exception
• Safehaven: series of technical, procedural and staff controls to limit the risk of loss of data (assumption is that the Safehaven handles personal information)
• Clear accountability for informatics service overseen by Caldicott Guardian
• Annual review of arrangements & independent audit of safehaven controls
• Refresh of partnership organisations “Fair Processing Notices”
London Boroughs Public HealthInformatics Safehaven
National and Local Data Service Providers
Clinical Commissioning
Group
Commissioning Support Unit
Health and Well being
Board
Privacy Impact Assessment template Section 2; Key Risks, Issues and Controls
Page 8
Risks / Issues Controls / Mitigation
Accountability of Boroughs and other legal entities
•Clear accountability for holding of information stated as information assets in context of NHS IGT & ISO27000•Annual review of arrangements•Most data is non-personal, personal data is a controlled exemption (by the Caldicott Guardian)
Handling personal identifiable data
•Data quality improvement should be a part of the procedures for handling information•A time limit for holding each type of information should be set •Procedures for handling Subject Access Requests required•There should be no further sharing without consent or a legal basis beyond the safehaven of the Borough
Data sharing without consent
•Refresh of partnership organisations “Fair Processing Notices” and registration with Data Protection Act•The need for consent from patients and / or agreement from National data sources and possible Section 251 application•Option of Information Sharing Agreement (documents and provides evidence of care and consideration NOT legal basis)•No further sharing without consent
Data loss (reputational damage and fine)
•Safehaven: series of technical, procedural and staff controls to limit the risk of loss of data (assumption is that the Safehaven handles personal information)•It is recommended that there is an annual audit•IGT assessments as part of annual statement shared with Clinical Commissioning Group – annual review•Option of Information Sharing Agreement•Liability and compensation / indemnity – further work may be required to define this
Privacy Impact Assessment template Section 3; Implementation
Page 9
Clear accountability Handling personal identifiable data
Data sharing without consent
Data loss (reputational damage and fine)
Privacy Impact Assessment template; Annex A; Use of template - stakeholders
Page 10
London Borough Public Health Informatics Service address
London Borough Public Health Informatics Service Manager contacts details
London Borough Public Health Informatics Service Caldicott Guardians contacts details
Clinical Commissioning Group address
Clinical Commissioning Group Manager contacts details
Clinical Commissioning Group Caldicott Guardians contacts details
Commissioning Support Unit address
Commissioning Support Unit Manager contacts details
Commissioning Support Unit Caldicott Guardians contacts details
Privacy Impact Assessment template; Annex B Data Sources and confidentiality
Page 11
Data Source
Detail Legal basis for processing and Confidentiality implications
Public Health Mortality Files, Public Health Birth Files (PHMF, PHBF).
Supplied by ONS directly to DPH or nominated representative, over NHS.net or other GSI email address. Accessible only to individuals who have signed ONS data confidentiality declarations; will continue to be supplied after transition
•whether the data set holds personal information?•whether the data set holds Confidential information not in the public domain?
•Where there is personal information then the source data Controller must have approved release and be in agreement with the way in which data is processed•Section 251 exemption may be required, application for this is likely to be in agreement with the Data Controller of the source.
…
Information Sharing Agreement template
Page 12
Talk 15 mins
Discussion 20 mins
Information Sharing Agreement template – based on Information Commissioners Office
Format:
•the purpose for sharing;•the organisations involved, potential recipients or types of recipient and the circumstances in which they will have access;•the data to be shared & legal & professional basis for sharing:•data quality – accuracy, relevance, usability etc;•data security;•retention of shared data;•individuals’ rights – procedures for dealing with access requests, queries and complaints;
•review of effectiveness/termination of the sharing agreement; and•sanctions for failure to comply with the agreement or breaches by individual staff;
Small Group Discussions (1 hour)Privacy Impact Assessment (40 minutes)
•Is this template useful? •If not how can it be improved? What is missing?•Are there alternative approaches
Information Sharing Agreement (20 minutes)
•Is this template useful?•If not how can it be improved? What is missing?•Are there alternative approaches
Page 13
Morning Workshop Summary (40 minutes)
Page 14
ReferencesNHS IGT
https://www.igt.connectingforhealth.nhs.uk/;
GMC Confidentiality Guidance
http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp;
ICO
http://www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx;
London RA website
http://www.london.nhs.uk/lpfit/service-management/registration-authority
National RA & training
http://nww.connectingforhealth.nhs.uk/iim/ra/training;
User Identity Management & National RA guidance
http://nww.connectingforhealth.nhs.uk/iim
Page 15
