GP Practice Manager Information Governance Training 2015/16 CCCG

  • Slides: 16

GP Practice Manager Information Governance Training 2015/16 CCCG Information Governance Lead. This presentation has been edited slightly from the version that was delivered on 160715.


Is this training important?
• Yes, and for a number of reasons:
• All staff have a responsibility to comply with confidentiality and information security requirements
• Things have changed dramatically since April 2013, including:
• The working relationship with the CCG and the restrictions that are in place on what can and cannot be shared between Practices and the CCG itself
• Increasing requests from the HSCIC for data, including high-profile exercises such as care.data
• Reduced support from NHS England for IG, and no direct responsibility on CCGs to fill the gap, leading to issues around who actually funds IG
• Increasing responsibility on GP Practices to understand the legal basis of their activities, and increasing reliance on them understanding their role as data controller (and indirectly as a public body)


Information Governance Incidents
• There is no simple definition of a serious incident. What may at first appear to be of minor importance may, on further investigation, be found to be serious, and vice versa. As a guide:
• Any incident which involves an actual or potential failure to meet the requirements of the Data Protection Act 1998 and/or the common law duty of confidentiality
• This includes unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data, information security breaches and inappropriate invasion of people's privacy
• As part of changes to the IG Toolkit requirements, cyber security incidents (e.g. a server failure leading to data loss) are now reportable


Incidents (1)
• A former pharmacist working for West Sussex Primary Care Trust has been prosecuted for unlawfully accessing the medical records of family members, work colleagues and local health professionals … and was fined £1,000, ordered to pay a £100 victim surcharge and £608.30 prosecution costs
• On 17 October 2013 the Information Commissioner's Office (ICO) conducted a follow-up assessment of the actions taken by The Burnett Practice in relation to the undertaking it signed on 26 April 2013
• Staff in an East Midlands GP Practice were identified as sharing RA Smartcards (once a Smartcard is shared, the audit trail can no longer attribute record access to an individual). The service managing this was told "It was none of their business."
• A lot of incidents in GP Practices tend to be linked to staff inappropriately accessing patient information, leading to court action and a criminal record
• Remember: when it comes to information sharing there is no such thing as the "NHS family"


Incidents (2)
Organisations can now be fined (up to £500k) if they get Data Protection and information security wrong. Some incidents:
• A Hull man has been given a suspended sentence for looking at hundreds of women's medical records. The "care data quality facilitator" accessed the medical records of 413 female patients. He started his snooping when a female work colleague turned him down for a date
• A Brighton Trust was fined over £300k when hard drives it was decommissioning started turning up on eBay
• A London Trust was fined over £50k for sending letters containing sensitive information to the wrong patient addresses
• A Birmingham Trust recently had to remind staff that Facebook should not be used for ward handovers


Social Media
A children's hospice nurse has been struck off after posting a four-letter rant about work on Facebook. Mrs H, 40, posted a string of abusive remarks on the social networking site about the hospice, which provides end of life care for terminally ill children, in the mistaken belief that only her 380 friends could see them. Mrs H had complained online about her job, telling friends she had 'big b******ing sh***ing bast*** work tomorrow'. In another message she joked that she was going to make a student nurse her 'b**ch', and posted a picture of another colleague sitting on a bedpan. But a hearing was told her remarks could easily be seen by any patient, their families or a colleague with a Facebook account if they simply searched for her name. Mrs H was sacked from her job at the Ty Hafan hospice in Sully near Cardiff after the posts were discovered. She told her employers: 'Facebook is where people vent. Nurses are human. I don't mix work with my private life. I feel I have been professional.' She admitted to the Nursing and Midwifery Council that the comments had been inappropriate. The disciplinary panel, in Cardiff, ruled that she should be banned from working as a nurse.
Many employers now have strict rules about what can or cannot be said on Facebook and how it relates to their employers. One GP Practice in the West Midlands has stated that negative comments posted by patients on Facebook etc. about the Practice will be regarded as a breach of the staff harassment policy and that they could be asked to register elsewhere.


Main Information Governance (IG) Policies
These are the policies that NHS organisations expect you to have in place:
• Information Governance: duties, key principles, training, privacy impact assessment
• Information Security: duties, security controls, asset management
• Data Protection & Confidentiality: duties, Data Protection principles, rights of data subjects
• Records Management
• Incident Reporting and Management Policy
Remember: complete your IG Toolkit every year. A number of Camden GP Practices have historically not done this, which may become a problem when sharing information with other NHS organisations.


Why complete the IG Toolkit?
• The primary reason why a GP Practice has to complete an annual IGT return is that it is a condition of service for receiving N3-related services (e.g. NHSmail, Registration Authority etc.) and forms part of the annual Statement of Compliance (SoC). In theory (although it has yet to happen) a GP Practice could be disconnected from N3 for not routinely completing an annual IGT return
• The other main reason for completing an annual IGT return is that it often forms one of the conditions of Information Sharing Protocols, Data Sharing Agreements/Contracts etc., especially where Personal Confidential Data (PCD) is being shared across health and social care
• It provides a common standard that organisations can relate to and allows ad hoc information sharing to occur, as organisations can be regarded as "trusted"
• An annual IGT return does not have to take significant time so long as 1) the GP Practice has built up its evidence base over a period of time and 2) it is prepared to publish its evidence on the IGT itself
• PLEASE NOTE: the Health & Social Care Information Centre (HSCIC), which monitors IGT returns, has the ability to unpublish any return if it is not confident that the evidence base is robust or clearly demonstrates compliance
• The minimum needed when completing an IGT return is: IGT Improvement Plan, Annual Update Report, IG Policy, evidence that staff receive annual IG training, Information Asset/Flow Mapping Register, Practice Manager/IG Lead confirming what has been agreed/implemented, and up-to-date consent/fair processing notices
• One GP Federation has had its IG Toolkit unpublished due to insufficient evidence


IG Toolkit Changes
• Emphasis on Caldicott 2
• Emphasis on Cyber Security
• If you start bidding for new contracts you may be required to complete an Any Qualified Provider (AQP) return as part of the contract
• Indications are that the standard IG Toolkit return for a Practice will change to an AQP return (35 requirements instead of 13)


What is Personal Confidential Data (PCD)?
• This is a term used in the Caldicott 2 Information Governance Review and describes personal information about identified or identifiable individuals which should be kept private or secret; it includes dead as well as living people
• The review interpreted 'personal' as including the Data Protection Act definition of personal data, but included data relating to the deceased as well as living people; 'confidential' includes both information 'given in confidence' and 'that which is owed a duty of confidence', and is adapted to include 'sensitive' as defined in the Data Protection Act
• Identifiable data includes: name, address, postcode, date of birth, NHS Number
• Sensitive personal data is different from personal data. Sensitive personal data means personal data consisting of information about the racial or ethnic origin of the data subject, their political opinions, their religious beliefs, their trade union membership, their physical or mental health or condition, or their sexual life.


Revised Caldicott Principles
• It is important to understand these as NHS organisations are likely to routinely refer to them
• The Caldicott Principles are a way of understanding the Data Protection Act
• NHS organisations have someone called a Caldicott Guardian; they are normally a senior member of staff, clinically qualified, and if you are asked to speak to one, clear this with your Line Manager first
1. Justify the purpose for using confidential information
2. Use patient identifiable data only when absolutely necessary
3. Use the minimum required
4. Allow access on a strict need-to-know basis
5. Understand your responsibility
6. Understand and comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality (but only applies to clinical situations or where public interest is involved)


Sharing Personal Data
• For providing health care
• For conducting an internal clinical audit relating to the provision of health care
• When dealing with complaints relating to health care
• There must be explicit (preferred) or implied consent
• There must be a need to know
• Tell the service user if you need to share information with another healthcare provider
• Information Sharing Agreements (ISAs) are in place between the CCG and other organisations. These agreements are based upon contract, legislation and good practice
• There are now strict rules on sharing information with Clinical Commissioning Groups and Commissioning Support Units, i.e. generally they should not be provided with PCD
• The CCG acts as a facilitator for ISAs on behalf of GP Practices
• If you can get explicit consent from someone confirming how and why you can use their data, that is the gold standard legal gateway
• You cannot just "dip into" systems that hold PCD just because the information is there


Data Protection Act 1998: 8 Principles (these apply to any organisation)
1. Fairly and lawfully processed: inform individuals about why you need the information and who you might need to share it with to provide their care.
2. Processed for limited purposes: only use personal information for the purpose(s) for which it was obtained, e.g. medical, HR etc.
3. Adequate, relevant and not excessive: collect only enough to provide the service.
4. Accurate and up to date: record accurately and take reasonable steps to validate information.
5. Not kept for longer than necessary: refer to the organisational Records Policy for guidance.
6. Processed in line with the individual's rights: right of access etc.
7. Kept secure: technical measures to protect IT systems, file and lock paper records in a cabinet etc.
8. Not transferred to countries outside the European Economic Area unless there is adequate protection in place.


Obtaining Consent (1)
• Guidance for obtaining patient consent can be found from a number of sources, including the General Medical Council (GMC), NHS England (NHSE), the Health & Social Care Information Centre (HSCIC) and the Information Commissioner's Office (ICO)
• At times this guidance can appear conflicting, but it is the responsibility of any organisation that processes Personal Confidential Data (PCD) to attempt to understand and apply it
• The Department of Health has also made a public commitment on behalf of NHS organisations to implement the Caldicott 2 recommendations, and these are not built into v13 of the Information Governance Toolkit
• GP Practices (and more specifically GP Partners) are legally data controllers and public authorities in their own right. This means they have a responsibility to ensure that their patients have the opportunity to understand how their information is used and shared. This includes the ability to state where they do not wish their information to be shared


Obtaining Consent (2)
GP Practices can demonstrate that they adhere to the Data Protection Act etc. by ensuring that they undertake the following activities, either immediately or over a period of time, to ensure a consistent approach:
• The GP Practice Data Protection notification is kept up to date
• The GP Practice undertakes an annual Information Governance Toolkit return
• Staff are trained annually in Information Governance, and this training reflects any local changes to how the GP Practice obtains consent for primary or secondary usage purposes
• Explicit consent rather than implied consent is used when obtaining and processing data
• The GP Practice ensures that all new patients sign a consent form which clearly identifies how their data will be used, and that as existing patients attend appointments the same level of consent is obtained from them
• They identify how patients are able to opt out of data collection activities where appropriate; at times GP Practices may be required to notify patients in advance of activities where data extractions occur and where patients have the ability to opt out from that specific activity
• Read codes that record patient opt-out from information sharing are routinely reviewed to ensure that they remain fit for purpose
• GP Practices understand how data obtained for one purpose can legitimately be used for other purposes where this is in line with the consent that has been obtained from patients
• The GP Practice website has a statement about how patient information is used and shared (this is called a Fair Processing Notice, also known as a Privacy Notice), and this also covers specific data collection activities, e.g. care.data, Friends and Family Test etc.
• Posters/leaflets are in the Practice providing similar information
• As new or routine data collections occur (e.g. Friends and Family Test etc.), this is advertised in advance and patients are given the ability to opt out where appropriate
• They identify how patients may be contacted with their consent, e.g. telephone, email, SMS

Any Questions?