DPO Support Service Information Governance General Awareness Training

  • Slides: 19
Objectives: This PowerPoint presentation will help your Practice to understand the main principles of Information Governance. This training is in addition to the All Wales Training that needs to be completed every two years. Information Governance Training is there to help your Practice and staff be consistent in the way they handle patient and staff data.

How to recognise the GDPR Principles of Information Governance and apply them within a practice environment. Information governance is a framework which supports how organisations and individuals manage the way information is handled. There are six Principles, and we will apply these Principles to a Practice environment over the next few slides. Everyone responsible for using personal data has to follow strict rules called Data Protection Principles, which are set out in the Data Protection Act (Legislation: Data Protection Act 2018, Chapter 2).

1. Within your Practice, Staff and Patient personal data must be used fairly, lawfully and transparently. A patient, when registering, should be told what their personal information will be used for and who will be using it. If this changes at any time they should be notified. Practice example: If the practice decides it wants to share patient information with a research organisation, but never told patients about this possibility when they registered, then the patient should be notified of this change and given the option to opt out.

2. Patient and staff data should be used for explicit purposes. The data that the Practice keeps on patients and staff members should be kept for a clear and necessary reason. Practice Example: If your practice manager were keeping files about staff members concerning how many children they have and what their ages are, so that they know who really needs to book annual leave in the summer holidays, this would be wrong, as there is no explicit purpose for keeping this data: annual leave is a right regardless of family situation.

3. The patient and staff data should be used in a way that is adequate, relevant and limited to only what is necessary. A Practice should not request and store irrelevant data on a patient or a member of staff. Practice Example: A question on a patient sign-up sheet, or a section of an employee's contract, asking for the person's credit score to keep on file. This data is not relevant or necessary in a healthcare environment.

4. Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay. A Practice should have a process in place for deciding whether a patient's or staff member's data is correct or incorrect and needs to be rectified. Practice Example: If a patient queries an inaccuracy in their medical record, you need to keep a record of the request, decide with the GP who recorded the information whether it is accurate, and from that point take steps to rectify it if the information is found to be incorrect. Always explain your decision to the patient.

5. Your practice must ensure that identifiable data is kept no longer than is necessary for the purposes of the processing. The Practice should have its own, or be aware of, a current retention schedule which keeps track of how long specific data should be kept for. Practice Example: Home visit diaries only need to be kept for a year after their final entry. If the Practice has years of these diaries containing patient information and data, it is unnecessary to keep them, as by that point the visit would have happened and been added to the patient's medical notes. Keeping data for longer than necessary can also open up issues with your storage, as you are then having to dedicate more space and energy to organising the data. Not to mention this extra data will then need to be added to any Subject Access Request filed.

6. The Practice should process their Patient and Staff data in a manner that ensures appropriate security of personal data. The Practice needs to ensure that they have thought about where and how confidential data will be stored and whether it is secure. Practice Example: A practice needs to ensure that their Patient and Staff data is kept safe and confidential. Physical copies of data need to have secure measures surrounding them. If they are stored in a filing cabinet, questions such as "Where is the filing cabinet? Who has access to it? Is it locked?" need to be asked.

What is considered confidential information? Confidential Information is any information that is used to describe personal data relating to individuals, or business sensitive information relating to your Practice. These include:

  • Personal (Demographic) Information
  • Medical Information
  • Financial / Payroll
  • Business information
  • Staff information

Types of Confidential Information: There are many different types of information within your Practice, and they are held in different ways, including electronic and paper. Can you name any of the information that may be held this way? Here's a few to start you off:

  • Patient Results and Medical Records
  • CCTV
  • Minutes from HR meetings
  • Email
  • Photographs
  • Spreadsheets
  • Staff Contracts
  • Prescriptions
  • Diaries

Security of your Practice's Data: It is important to secure your Practice's data. As you can see from the previous slide, there is a lot of data to think about!

Strong, unique and confidential passwords would be required for:
  • PC Log In
  • Programme Use (Emis etc.)
  • Secure File Transfer
  • Entry / door codes
  • Laptops / Tablets / Mobiles

Specific areas of the office need to be assessed to accommodate:
  • Mail, Internal and External
  • Fax Machines
  • Storage of Medical Records
  • Storage of Staff Records
  • Prescription pick up

Verbal Communication is also an important, but often overlooked, component of the security of your Practice's Data. The nature of a GP Practice is slightly unique. A lot of patients may know each other, as they will most likely live in the same area, and the same goes for the Practice staff: they may know patients or know their relatives. This combination makes it easier for verbal communication to become a data protection risk. Some examples of patient data at risk:

"Did you see Barbara earlier? . . . No, not Barbara Smith, Barbara Williams, that's her 5th time here this week! She didn't look well at all!" A patient in the waiting room could be a relative or friend of this patient and is now aware that she has been unwell all week and that it could be quite serious.

"Oh hi there Mr Jameson, your sister was here yesterday! I told her to say hello to you from me!" Mr Jameson may not have been aware his sister had visited the Dr, but now he is aware and could potentially question her later on.

Good Records Management: Your Practice should always have records management systems in place for clinical and non-clinical records, regardless of whether they are physical or electronic. Basic Principles of records management to follow within your Practice:

  • Justified purpose for creating and storing: Only store information that is necessary to a patient's treatment or a staff member's job.
  • Records are available when required: Records can be accessed easily and quickly if needed for an emergency appointment, SAR or query.
  • Accessed and stored securely, with access restricted where necessary: Staff and Patient records have the relevant safeguards surrounding access to them. Only specific people have access, and this access is monitored.
  • Records should be legible and accurate: Accuracy of data is important and is an Individual Right; legible records are required so that many different people can assess the information.

Key Responsibilities of the Information Governance Lead: Ensure that there are up to date IG policies and procedures within your Practice, for example clear policies and processes surrounding Subject Access Requests. Who fulfils them? Do you contact the patient for confirmation if a request is sent via a Third Party? Make sure that these policies and procedures are made accessible to all staff, and that this is communicated frequently so that new members of staff are aware and more senior members are reminded. The IG Lead doesn't have to be responsible for everything, but they are responsible for co-ordinating and supervising the activities and responsibilities of staff who have been made responsible for Data Protection Legislation, Confidentiality Agreements, Information Sharing, Freedom of Information Requests and Environmental Information Requests. This can include organising training, discussing changes to job descriptions and discussing request processes.

The Caldicott Principles: In this section we will briefly outline the Principles and the Role of the Caldicott Guardian within a GP Practice.

  • Justify the purpose
  • Do not use patient identifiable information unless it is absolutely necessary
  • Use the minimum necessary patient identifiable information
  • Access to patient identifiable information should be on a strict need-to-know basis
  • Everyone with access to patient identifiable information should be aware of their responsibilities
  • Understand and comply with the law
  • The duty to share information can be as important as the duty to protect patient confidentiality

The Role of the Caldicott Guardian: The Caldicott Guardian for your Practice should be a senior member of staff, and it is a requirement to have one within your Practice. This person is then responsible for protecting the confidentiality of patients' data. The Caldicott Guardian will consider whether a patient's data is used legally, ethically and appropriately and that confidentiality is constantly maintained. Their first priority is the patient's confidentiality.

Confidentiality Breaches: What to do if your Practice experiences a Data Protection Breach. We recommend that you print out, fill in and keep for your records our DPO Service's Data Breach Self Assessment Form. The score matrix at the end will let you know if you need to inform the ICO. It would also be advisable to let us know, as your acting DPO (NWISGMPDPO@wales.nhs.uk). We also recommend that you keep a record of the steps you have taken to investigate and resolve the breach, and keep copies of your communications with ourselves, any patients involved and any third parties such as the ICO, Solicitors and the Post Office.

If you have any further questions, please either contact the DPO Service at NWISGMPDPO@wales.nhs.uk or look in the subscribers' area of the webpage for further learning materials and guides.