Data Security Protection Toolkit Implementation Support 1 Introductions
Data Security & Protection Toolkit Implementation Support 1

Introductions
1. Trainer
2. Delegates:
• Name
• Organisation type, e.g. residential care / home care / nursing care etc.
• Area
• Current level of understanding

Course Programme
• Introductions
• Background & Context
• What is the Data Security and Protection Toolkit?
• Guidance and Resources
• Break
• Completing the Data Security and Protection Toolkit
• NHSmail
• Q&A
• Close

Background and Context

Dictionary Corner
• What is the difference between data and information?
• What on earth does “data processing” mean?
• Who is a data controller / data processor?

Who do you share information with?


What does “data breach” mean to you?

3 Principles of Data Security
• Confidentiality
• Integrity
• Availability

Exercise: What would you do?
Scenario
• New resident arrives from hospital without a discharge letter at 6 pm
• There is no medication list
• Medication bag contains two types of insulin
• No dosing instructions for insulin other than “as directed”
• Ward is not answering the phone!
• Resident cannot tell you the dosage due to poor cognition
• Ambulance is long gone!
What do you do?
• On your tables, discuss and come up with a solution. 5 mins

Why do we need to think about data security and protection?
National Context
• CQC KLOEs
• New Data Protection Legislation
• Caldicott Principles
• National Data Guardian’s 10 data security standards
NHS
• Contract compliance
• Long Term Plan
• Axe the Fax

Well Led 2.8
“How does the service assure itself that it has robust arrangements (including appropriate internal and external validation) to ensure the security, availability, sharing and integrity of confidential data, and records and data management systems, in line with data security standards? Are lessons learned when there are data security breaches?”

Data Protection Act & GDPR
• Data Protection Act 1998 has been superseded
• General Data Protection Regulation
• Data Protection Act 2018

Individual Rights under GDPR

Principle of Accountability
• Organisations must keep a record of how they use, store, share (etc.) data
• If it’s not written down, it didn’t happen

Caldicott Principles
1. Justify the purpose for using the confidential information
2. Only use confidential information when absolutely necessary
3. Use the minimum information that is required
4. Access to confidential information should be on a strict need-to-know basis
5. Everyone must understand their responsibilities
6. Understand and comply with the law
7. The duty to share personal information can be as important as the duty to have regard for patient confidentiality
https://www.gov.uk/government/groups/uk-caldicott-guardian-council

10 data security standards
People
• Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
Process
• Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
Technology
• Ensure technology is secure and up-to-date.

NHS Standard Contract
• Compliance with the Data Security and Protection Toolkit has been a contract requirement since 2013
• Was not checked, but is now
• Must be compliant by March 2019
• A new Entry Level has been introduced to help you through the process

What is the Data Security and Protection Toolkit?

What is it?
• Online, annual, data security self assessment
• Final deadline is 31st March each year
• Replacement for the IG Toolkit
• www.dsptoolkit.nhs.uk

Levels of Compliance
Entry Level: Time-limited level (subject to review) for social care providers. Evidence that items for critical legal requirements are being met, but some expected mandatory requirements have not been met (https://www.dsptoolkit.nhs.uk/Help/32). Allows access to NHSmail.
Standards Met: Evidence items for all mandatory expected requirements have been met. Access to NHSmail, other secure national digital solutions, e.g. Summary Care Records, and potentially local digital information sharing solutions.
Standards Exceeded: Evidence items for all mandatory expected requirements have been met. The organisation has external cyber security accreditation. Evidence of best practice.
Critical Standards Not Met: Evidence items for critical legal requirements have not been met by the organisation. No access to information sharing tools, e.g. NHSmail.

Guidance, Tools & Resources

https://www.digitalsocialcare.co.uk/

What help is available?
• Webinars – https://www.dsptoolkit.nhs.uk/News/40
• Templates
• Staff guidance
• Entry Level How-To Guide
• Standards Met How-To Guide

BREAK
We will take the quickest of breaks to grab a quick cuppa and a comfort break - just 5 mins

Completing the Data Security and Protection Toolkit

How to Register
• Go to: https://www.dsptoolkit.nhs.uk/Account/Register
• You will need:
• your email address
• your ODS Code (Organisation Code). If you don’t know your code, care homes can search here: https://odsportal.hscic.gov.uk/Organisation/Search
• If you are registering your organisation for the first time, you will be the Administrator. You will be responsible for completing your organisation’s profile and adding any other users.

Completing your organisation profile

Handout

Entry Level Evidence Items
Do you understand what the evidence item is asking you to do?
1 = I don’t really know much about this / not very clear what it is asking of me
5 = I am quite clear what this is asking of me

Completing Evidence Items

Completing Evidence Items 2

Completing Evidence Items 3

https://www.digitalsocialcare.co.uk/latest-guidance/template-policies/

Registering with the ICO
https://ico.org.uk/for-organisations/data-protection-fee/

Documenting your data processing
• Must keep a record of your data processing:
• Lawful basis for processing
• Who it’s shared with
• Retention period
• Purpose for processing
• If it’s not written down, it didn’t happen

How to record your data processing
https://www.digitalsocialcare.co.uk/

Step One: Information Audit
• Record what personal information you have, where you keep it and why you have it, i.e. care plans are kept in…, employee records are kept here…
• An information asset is a body of knowledge that is organised and managed as a single entity.
• Personal data is information that relates to an identifiable, living individual.

Step One: Information Audit
Is any of it special category data?
• racial or ethnic origin data
• genetic data
• political opinions
• biometric data (for uniquely identifying someone), e.g. fingerprints
• health data (this includes data used for social care, e.g. care plans)
• religious or philosophical belief(s)
• trade union membership
• data concerning someone’s sex life or sexual orientation

Information Asset Register

Step Two: Where does it come from, where does it go?
• All personal data which is physically processed must be recorded – that’s electronic or hardcopy
• You do not have to record verbal conversations – but if notes are made, this might need to be recorded

Step Two - Record of Processing Activities
Record:
• Name of data item, e.g. Needs Assessment
• What kind of information it is
• Whose information it is
• Who sent it to you or who you send it to
• How it’s shared
• Why you have it

Step Two - Lawfully processing data
• There must be a lawful basis for processing (Article 6 condition):
• 6(1)(a) Consent
• 6(1)(b) Contract
• 6(1)(c) Legal Obligation
• 6(1)(d) Vital Interests
• 6(1)(e) Public Task
• 6(1)(f) Legitimate Interest

Step Two - The issue with “Consent”
• It is not recommended to rely on consent for direct care purposes, as it can be withdrawn.
• If consent is withdrawn, will it have a detrimental effect on either the service you give or on the individual? Can you still support them safely? If so, then do not use consent as the legal basis for keeping this information.
• This is for keeping data on a macro level (large scale): medical records, health records, employment records.
However…
• For keeping data on a micro level (small scale):
• Best practice states you must still ask for consent for day-to-day decisions, photos, food preferences etc.
• If consent is withdrawn, will it have a serious detrimental effect on either the service you give or on the individual? Can you still support them safely?

Step Two - Lawfully processing data 2
If it is special category data, it must fulfil another condition (Article 9 condition):
• 9(2)(a) Explicit Consent
• 9(2)(b) Employment, Social Security, Social Protection Law
• 9(2)(c) Vital interests when an individual is legally or physically unable to give consent
• 9(2)(d) Legitimate activities by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim
• 9(2)(e) The personal data has been manifestly made public by the individual
• 9(2)(f) For the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
• 9(2)(g) Substantial public interest
• 9(2)(h) The provision of health or social care, treatment or the management of health or social care systems and services, or the assessment of the working capacity of an employee
• 9(2)(i) Public health interests
• 9(2)(j) For archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes

Type of processing: Sharing for direct care or administrative purposes (e.g. waiting list management)
• Article 6 condition: 6(1)(c) Legal Obligation – because services registered with the Care Quality Commission (CQC) are required to maintain contemporaneous records of care under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014: Regulation 17, or the Health and Social Care Act 2012, 251B asserts the duty to share information for direct care purposes.
• Article 9 condition: 9(2)(h) the provision of health and social care

Type of processing: For legal reasons (i.e. CQC)
• Article 6 condition: 6(1)(c) Legal Obligation

Type of processing: Safeguarding
• Article 6 condition: 6(1)(e) Public Task
• Article 9 condition: 9(2)(j) public interest

Type of processing: Employment purposes
• Article 6 condition: This will depend on the type of employee data collected. In many instances this will be 6(1)(c) Legal Obligation (e.g. when providing details to HMRC – you need to be able to point to the legislation here). In some instances, this might also be 6(1)(f) Legitimate interests (e.g. NMDS-SC submissions).
• Article 9 condition: If special category data (i.e. sick notes) are processed, then the condition would be 9(2)(b) Employment, Social Security, Social Protection Law.

Type of processing: Criminal records checks (DBS)
• Article 6 condition: 6(1)(c) Legal obligation – you have a legal obligation to do DBS checks – there is guidance on this at https://www.gov.uk/guidance/dbs-check-requests-guidance-for-employers
• Article 9 condition: Criminal records data is not considered special category data under GDPR, but Article 10 states that it can only be processed via provision in Member State Law – this is covered in the Data Protection Act 2018, Schedule 1, Part 1, Paragraph 2 – For Health and Social Care purposes 2(2)(b) assessment of the working capacity of the employee.

Step Two - How long should we keep things for?
• Retention schedule for Health and Social Care
• https://digital.nhs.uk/records-management-code-of-practice-for-health-and-social-care-2016

The ROPA

Step Three: Privacy Notices
• Right to be informed
• Clear, concise and transparent
• Need to include:
• What data you have
• Why you have it
• How long you will keep it
• An individual’s rights

Data Protection Impact Assessments (DPIA)
• A risk assessment
• GDPR has introduced a duty to complete one when there is “high risk” processing, i.e.
• automated processing
• systematic monitoring of a public area
• large scale processing of special category data – which includes health, social care and genetic data
• Best practice to complete one for care records
• https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/

Staff

Reporting a Data Breach to the ICO
• If it is likely that there will be a risk to the rights and freedoms of an individual, then the ICO will need to be informed as soon as possible, but at least within 72 hours of discovering the breach
• Social Care can report via the DSPT Incident Reporting Tool (www.dsptoolkit.nhs.uk/incidents/)
• If it is likely that there is a high risk to an individual’s rights and freedoms, the individual(s) must be informed straight away

Contracts with suppliers
• Data controller / data processor relationship
• You must have a written contract
• They also have responsibilities
• Cross reference to IAR

Publishing a submission

Publishing 2

Publishing 3

Entry Level Evidence Items - Review
Do you understand what the evidence item is asking you to do?
1 = I don’t really know much about this / not very clear what it is asking of me
5 = I am quite clear what this is asking of me

NHSmail

Digital Integration roadmap for care providers
[Diagram: digital maturity of care providers, from Entry Level DSPT compliance through Standards Met/Exceeded DSPT compliance, with stages including NHSmail, instant messaging on Skype, Summary Care Records, tele-triage and Skype audio/video conferencing, shared care records and Local Health Care Records Exemplars, Advanced Care Planning, and GP system access (EMIS, SystmOne).]

Contact details for your area
• Guildford/Waverley – philip.ellis-martin@nhs.net
• NW Surrey – ibz.lawal@nhs.net
• alan.willmott@surreycare.org.uk

What is NHSmail?
• Secure email
• Free for health and social care
• Centrally funded
• Not just an email solution
• Can be used on a computer, mobile phone, tablet
• Can be accessed through the web portal or through an email client, e.g. Outlook

The benefits of NHSmail
• https://digital.nhs.uk/services/nhsmail-casestudies
• Quicker receipt of accurate information
• Greater ease and convenience of sending information
• You know it’s secure
• Clinical time saving
• Increased citizen safety
• Improved audit trail
• Access to NHS directory – access to the global directory
• Skype for Business

NHSmail
• To assist, NHSmail (a free, secure, centrally-funded platform) is now available to all social care providers through NHS Digital and NHS England.
• Can be accessed on the go
• Saves money, time & effort
• It’s secure
• Connects the systems
• For sharing sensitive information

How to join NHSmail
1. National Administration Service
• Central online registration portal, likely to be the main route for providers. Free to use: https://portal.nhs.net/Registration#/careprovider
• Guidance is available on completing the registration process (https://s3-eu-west-1.amazonaws.com/comms-mat/TrainingMaterials/Guidance/HowtocompletetheNHSmailSocialCareRegistrationPortal.pdf)
2. Local Sponsorship
• CCG or CSU provides the Local Administrator service (the old way, still available)
3. Self-Sponsorship
• Normally for large providers

NHSmail FAQs
• How many accounts can an organisation have?
• Normally 1 shared account and up to 10 named user accounts per site
• What is a user account and a shared account?
• User account for a named individual, e.g. windy.miller@nhs.net
• Generic account for each home, e.g. trumptongreen.carehomecamberwick@nhs.net (access only via a named account)
• Where should I send any enquiries about NHSmail?
• feedback@nhs.net

NHSmail Resources - https://portal.nhs.net/Help/
This help section of the NHSmail portal has guidance on:
1. How to use the Outlook web app (https://portal.nhs.net/Help/owaindex), including
a) How to send and receive email
b) How to set up your calendar
c) Managing contacts
d) How to use Tasks and Reminders
2. How to use the NHSmail online portal (https://portal.nhs.net/Help/portalindex), including guidance on the NHS Directory
3. How to use the instant messaging function on Skype for Business (https://portal.nhs.net/Help/sfbindex)
There is help on how to set up Outlook, GDPR policies, and policies on sharing sensitive information here: https://portal.nhs.net/Help/policyandguidance

Solving problems with NHSmail
• For complaints or concerns about NHSmail: https://portal.nhs.net/Help/servicestatus#escalation
• This will tell you:
• if the service is down
• how to resolve known issues
• if there have been any major incidents, e.g. a security breach
• For any feedback about issues, contact feedback@nhs.net

Summary: ways to use NHSmail
• Sharing of sensitive information with local authorities, such as Deprivation of Liberty (DOLS) applications, housing bidding and enquiries, safeguarding incidents and enquiries, change of circumstances (for example, financial assessment, changes in need)
• Sharing information relevant to police and probation services
• Receipt of discharge summaries and admission notes from local hospitals
• Sharing of referrals, community psychiatric nurse (CPN) reviews and care planning with mental health trusts, or receipt of referrals to the acquired brain injury and neuro-rehabilitation unit
• Sharing of GP patient records and referrals
• Funding enquiries with clinical commissioning groups (CCGs)
• Ambulance service – observations and safeguarding

Thank you
A reminder of your local support team contact details
Contact:

Resources
• www.digitalsocialcare.co.uk/
• www.skillsforcare.org.uk/Topics/Digital-skills/Digital-working.aspx
• www.ico.org.uk
• https://www.dsptoolkit.nhs.uk/
• https://portal.nhs.net/Help/joiningnhsmail
• https://www.gov.uk/government/groups/uk-caldicott-guardian-council