Bolton NHS Foundation Trust
Information Governance Handbook
Version: 1
Author (name): Deiler Carrillo
Author (designation): Information Governance Officer
Ratified by: IG committee
Date ratified: 10 November 2015
Name of responsible committee/individual: Graham Fullarton
Date uploaded to intranet: November 2015
Key words: Information Governance manual, Information governance guidelines, training
Review date: November 2017
Table of Contents
Why do I have to do this training? .......................................................................................................... 4
Introduction to Information Governance (IG) ........................................................................................ 5
So what is IG? .......................................................................................................................................... 6
The IG Toolkit .......................................................................................................................................... 9
IG is the responsibility of every employee! .......................................................................................... 10
IG can be seen as an umbrella term covering the following areas: ...................................................... 12
Provide a Confidential Service .......................................................................................................... 16
Data Protection ..................................................................................................................................... 17
The Freedom of Information (FOI) Act 2000 ........................................................................................ 21
Records Management NHS Code of Practice ........................................................................................ 23
The Record Lifecycle is a recommended way for managing records.................................................... 24
Information Quality Assurance ............................................................................................................. 27
The following points should be satisfied to ensure accurate Information: ...................................... 27
The NHS Number.............................................................................................................................. 28
Information security ............................................................................................................................. 29
Keeping information secure .............................................................................................................. 29
The Care Record Guarantee .............................................................................................................. 31
Corporate mobile devices ................................................................................................................. 34
Security of devices ............................................................................................................................ 35
Home working ....................................................................................................................................... 35
Information sharing .............................................................................................................................. 35
Welcome to the Introduction to Information Governance training session. This session has
been produced by the IG Policy Team of NHS Connecting for Health and has been added to
by our Trust Information Governance Department to provide local information for staff.
If you are a member of staff who handles corporate information or personal information, or
who is physically surrounded by information without having direct contact with it, this
session is for you!
If you have a more in-depth role within IG then you may need to do extra training.
The key learning points of this session cover a wide range of topics:
• What is Information Governance? What do YOU need to do to make this work?
• Follow the Caldicott Guidelines
• Provide a confidential service
• Comply with the Law
• Understand the Data Protection Act principles (activity)
• Recognise a Freedom of Information Act request (activity)
• Follow the Records Management NHS Code
• Keep information secure
• Input quality information
So what is IG?
So, let’s make a start. You may be asking yourself, what is Information Governance? Well, let’s
start by having a think about all of the different organisations who hold your identifiable
information; by identifiable we mean a piece of information which can identify you as a
person, i.e. your name, address, DOB, NHS Number or National Insurance number. The list
could contain organisations such as your GP, other Trusts, your local council, credit card
companies, banks, mortgage lenders and insurance companies. If you had time to make it, it
would be quite a list!
And now have a think about the way in which you’d like to think those organisations are
holding your information. You’d probably say confidentially and securely; you’d like to think it
was accurate and up to date, and that they could find it when they or you needed it! Well,
these are all aspects of IG and should be familiar to us all in the healthcare and social service
sectors, as so much identifiable information is given to us and passed around our site and to
others to facilitate the care of our patients. And it’s not just about having access to systems
or case notes; you may be responsible for moving case notes around, or as an employee you
may hear or see some information relating to a patient.
Throughout this workbook try to relate the principles shown to your own information held
by other organisations.
So IG is to do with how organisations and individuals handle information. But it’s not just
person identifiable.
IG looks at any type of information which NHS and Social Care organisations may handle.
IG is to do with how NHS / Social Care organisations and individuals handle Information
• Personal: name, date of birth, home address, home telephone number, postcode
• Sensitive: ethnicity, medical condition, sexual life, disease, religious belief
• Corporate: contracts of suppliers, minutes of meetings, finance details, annual accounts, expenditure
Personal: It looks at information which relates to individuals who can be identified from the data concerned – people’s names, dates of birth etc. are recognised as personal data.
Sensitive: Data such as ethnicity or sexual life is sensitive data. In our professions this type of data could be found in health records, case notes, service databases, staff HR files etc.
Corporate: It also includes corporate and business data, such as finance, estates, contracts for suppliers and finance records.
IG is particularly concerned with the way that these types of information are handled – the
HORUS model is a good way to demonstrate this. Handling information means:
H • Holding it securely and confidentially
O • Obtaining it fairly and efficiently
R • Recording it accurately and reliably
U • Using it effectively and ethically
S • Sharing it appropriately and lawfully
If we can say ‘Yes’ to these questions when handling personal information then we can say
‘Yes’ we are contributing to the development of the IG culture within our organisations.
So IG is to do with how the organisation and individuals handle information. In order to do this in a
consistent, legal and standardised way we should follow and adhere to a series of best practice
guidelines and principles of the Law, such as:
• The Data Protection Act 1998
• The Freedom of Information Act 2000
• The Information Security NHS Code of Practice and the ISO17799 standard for IT
• The Confidentiality NHS Code of Practice
• The Records Management NHS Code of Practice
• Data Quality Standards
This workbook will go into a little more detail on each of these in the following pages.
The IG Toolkit
To support this IG agenda across the NHS in England, the Department of Health determined
a set of key standards and made them mandatory for NHS organisations to carry out as an
annual self-assessment.
This process is now adopted by NHS Organisations and has more recently been adopted by
General Practice, Social Care and organisations wishing to connect to the NHS network.
The annual reports are monitored and approved through the IG Toolkit online tool hosted
and managed by the Health & Social Care Information Centre (HSCIC) IG Policy Team. HSCIC
then send the results to the Healthcare Commission to contribute to the Annual Health
Check returns, for reference and potential audit. The IG Toolkit standards and approved
Organisation reports can be found on the following website:
www.igt.connectingforhealth.nhs.uk
IG is a series of best practice guidelines and principles of the Law to be followed by NHS / Social Care organisations and individuals
The assessment involves the contribution of the whole organisation which includes you.
The aim of IG is to ensure the creation of high quality information, in a secure working
environment, in order to provide better quality healthcare for patients/service users. Not
only better healthcare but eventually good IG practice will result in the organisation
receiving correct payment for its services.
So in summary, IG is to do with handling information using a series of best practice
guidelines and principles of Law to produce high quality information resulting in high quality
healthcare.
IG is the responsibility of every employee!
I hope at this stage you are beginning to see how IG is a cultural agenda which requires all
staff within each organisation to be involved and understand that IG is every employee’s
responsibility.
Well, before we start to look at what we all need to do to make it work, let’s look at some of
the consequences of getting it wrong. The Information Commissioner’s Office (ICO), an
independent regulatory body set up to protect the privacy of individuals, has recently been
given the power to issue fines (up to a maximum of £500,000) for serious data breaches.
IG is the core foundation for high quality healthcare using good quality information
The following are some of the most recent. Note the dates and size of the fines as well as
the reasons.
Do not share
without consent
So, now we’ve seen the consequences, and I’m sure unfortunately you will be able to think
of others, but what do we ALL have to do to avoid this?
IG can be seen as an umbrella term covering the following areas:
You will probably have heard of some of these areas, but let’s go through them.
Caldicott Guidelines
A lot of the work we do is handling personal information and under our
professional ethical standards, contracts of employment and our vow
of confidentiality under the Common Law Duty of Confidence we
should ensure that we do not breach patient/service user/staff
confidentiality and only share their personal information for a justified
purpose and with their consent.
In the past the security of patient information stored and transmitted
electronically was of concern within the NHS. In 1997 a committee was
established under Dame Fiona Caldicott to review patient identifiable
information processing. Her subsequent report made a series of
recommendations with regard to confidentiality which all healthcare
organisations have taken on board within local information governance agendas.
Information Governance covers: Freedom of Information; Records Management; Caldicott Guidelines; Information Quality Assurance; Data Protection; Information Security.
A key recommendation of the 1997 Caldicott Report was the
establishment of the Caldicott Guardian throughout the NHS to
safeguard access to patient identifiable information. This was
later rolled out to Social Care organisations. The Caldicott
Guardian is responsible for agreeing and reviewing policies
governing the protection of patient identifiable information.
Ideally the Guardian should be at Board or Senior Management
Team level and be a senior professional within the organisation.
Our Trust’s Caldicott Guardian is: Mr Stephen Hodgson
The Caldicott Guardian
• Is advisory
• Is the conscience of the organisation
• Provides a focal point for patient confidentiality & information sharing issues
• Is concerned with the management of patient
The 1997 Caldicott Report provides seven management principles as guidance
for staff when handling patient information:
1. Justify the purpose(s)
2. Don’t use patient-identifiable information unless it is absolutely necessary
3. Use the minimum necessary patient-identifiable information
4. Access to patient-identifiable information should be on a strict need-to-know basis
5. Everyone should be aware of their responsibilities
6. Understand and comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality
So, before handling or disclosing confidential personal information ‘Think 7 times!’
1. Do you have a justified purpose for using this confidential information?
2. Are you using it because it is absolutely necessary to do so?
3. Are you using the minimum information required?
4. Are you allowing access to this information on a strict need-to-know basis only?
5. Do you understand your responsibility and duty to the subject with regards to keeping their information secure and confidential?
6. Do you understand and comply with the Law before handling the confidential information?
Ok, let’s put this in the context of a practical scenario:
‘A famous celebrity is taken ill while performing at a local theatre. Appendicitis is diagnosed
and the celebrity requires emergency surgery. The anaesthetic practitioner recognises the
celebrity and following the surgery rings a friend to tell them about this surgery and other
information of this celebrity’s past healthcare history. The following day the newspaper
publishes details of the surgery and other health issues the celebrity has.’
So, let’s take some time to ask some questions about this scenario. Think through what your
answer would be and then look at the answers below. (Don’t peek!)
1. Did the anaesthetic practitioner have a justified purpose for handling the care information of this celebrity patient?
2. Did he have a justified purpose for sharing this information with his friend?
Answers
1. Yes. It was absolutely necessary to use the celebrity’s healthcare records to carry out the surgery.
2. No. Was it absolutely necessary for the anaesthetic practitioner to disclose other healthcare episodes the celebrity had in the past which were unrelated to this episode of care? No. He only needed to use the minimum information required for this episode of care.
By sharing this information with his friend the anaesthetic practitioner has breached the
celebrity's confidentiality, the principle of access on a strict need to know basis only and
breached his duty of responsibility to the patient under his professional ethical standards of
confidentiality. Which also means he has broken the law by disclosing personal information
unlawfully and unfairly without the consent of the individual.
The scenario raises a number of dilemmas for the employer:
The duty to maintain confidentiality is part of the duty of care to the patient. It is also
integral to the contract of employment and the individual’s regulatory professional code of
conduct. The breach could lead to a disciplinary sanction according to the local disciplinary
procedure, or even dismissal. The anaesthetic practitioner could also be reported to the
regulator, where a professional misconduct committee could decide whether the breach
warrants removal of the practitioner from the professional register and revocation of the licence to
practise.
It is a disciplinary offence to access individual patient or staff records where it is not a
requirement of your job role. Our main hospital Patient Administration System (PAS)
enables us to audit staff members who have viewed certain patient records, or view the
records a particular member of staff has viewed. If from this we can determine that there
was no justifiable reason to view this record then disciplinary action will be taken.
This scenario highlights the fact that handling confidential information cannot be
treated light heartedly or taken for granted as the consequences of a breach can be
very serious and damaging to individuals and the organisation.
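The PAS audit described above (who has viewed a given record, which records a given staff member has viewed, and whether a justifiable reason existed) can be illustrated with a small script. This is an added example, not the Trust’s PAS or any real audit tool; the log format, the staff and record identifiers, the care-episode table and the 24-hour grace period are all constructed assumptions.

```python
"""Toy PAS-style record-access audit (added illustration, not the Trust's
PAS). Every identifier, log line and care episode below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit log, one record view per line.
# Assumed format: ISO timestamp, staff id, patient record id, action
AUDIT_LOG = """\
2015-11-02T09:05:00,S100,P0001,view
2015-11-02T09:40:00,S100,P0002,view
2015-11-02T10:15:00,S200,P0001,view
2015-11-02T22:50:00,S300,P0001,view
2015-11-03T08:30:00,S200,P0003,view
2015-11-03T13:00:00,S300,P0001,view
"""

# Constructed care relationships: staff member was on the care team for the
# patient between the two timestamps (inclusive).
CARE_EPISODES = [
    ("S100", "P0001", "2015-11-01T00:00:00", "2015-11-05T00:00:00"),
    ("S100", "P0002", "2015-11-02T00:00:00", "2015-11-02T23:59:59"),
    ("S200", "P0001", "2015-11-02T00:00:00", "2015-11-04T00:00:00"),
    ("S200", "P0003", "2015-11-03T00:00:00", "2015-11-03T23:59:59"),
]

# Assumed grace period: views shortly before or after an episode (pre-admission
# preparation, discharge paperwork) are still treated as justified.
GRACE = timedelta(hours=24)


@dataclass(frozen=True)
class Access:
    when: datetime
    staff: str
    patient: str
    action: str


def parse_audit_log(text):
    """Turn the constructed CSV-style log into Access events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        when, staff, patient, action = line.split(",")
        events.append(Access(datetime.fromisoformat(when), staff, patient, action))
    return events


def viewers_of_record(events, patient):
    """Which staff members have viewed this patient's record?"""
    return sorted({e.staff for e in events if e.patient == patient})


def records_viewed_by(events, staff):
    """Which records has this staff member viewed?"""
    return sorted({e.patient for e in events if e.staff == staff})


def has_care_relationship(access, episodes, grace=GRACE):
    """True if the staff member was on the patient's care team (plus grace)
    at the time of the access."""
    for staff, patient, start, end in episodes:
        if staff != access.staff or patient != access.patient:
            continue
        lo = datetime.fromisoformat(start) - grace
        hi = datetime.fromisoformat(end) + grace
        if lo <= access.when <= hi:
            return True
    return False


def flag_for_review(events, episodes, grace=GRACE):
    """Accesses with no matching care episode. These are candidates for the
    'no justifiable reason' determination by the IG team, not proof of
    misconduct: a legitimate reason may exist outside the roster."""
    return [e for e in events if not has_care_relationship(e, episodes, grace)]


if __name__ == "__main__":
    ev = parse_audit_log(AUDIT_LOG)
    print("Viewers of P0001:", viewers_of_record(ev, "P0001"))
    print("Records viewed by S300:", records_viewed_by(ev, "S300"))
    for e in flag_for_review(ev, CARE_EPISODES):
        print(f"REVIEW {e.when.isoformat()} {e.staff} viewed {e.patient}")
```

In the constructed data, S300 views P0001 twice with no care episode on record, so both views are listed for review while the other accesses fall inside a care episode.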
Provide a Confidential Service
To maintain a confidential service within your organisation you could also refer to a model
which can be found in the ‘Confidentiality NHS Code of Practice’ produced by the
Department of Health.
It is our duty to Protect individuals’ information by recording relevant data accurately and
consistently, and keeping it secure and confidential.
For example: care needs to be taken when discussing cases in open areas, even for professional
reasons, and gossiping is unacceptable. However, under the Common Law, staff are permitted
to disclose personal information in order to prevent and support the detection, investigation
and punishment of serious crime. These instances can be judged on a case by case basis.
We have a duty to Inform a patient how their information is used and when it may be
disclosed. Where practical, provide patients with information leaflets about the
organisations confidentiality vows or posters informing patients what the organisation does
with their information and why. Inform patients when information is or may be disclosed to
others and for what purpose. Inform patients of the choices available in respect of how
their information may be used and shared. Where information disclosure has not yet taken
place, patient should be aware that they can change their minds. Inform patients of their
right to access their health records.
Confidentiality model: Protect, Inform, Provide Choice, Improve.
Provide choice to patients to decide whether their information can be disclosed. Patients
do have the right to object to information they provide in confidence being disclosed to a
third party in a form that identifies them. As long as the patient is competent to make such
a choice and where the consequences of the choice have been fully explained, the decision
should be respected. Staff should allow patients to decide whether their information can be
disclosed or used in particular ways. More commonly these days patients have different
needs and values that must be considered when providing treatment and handling personal
information.
To support these three requirements of providing a confidential service, we should always
look to Improve the way we and the organisation protect, inform and provide choice to
patients, clients and employees. This can be done through attending regular update training, line
manager support and the reporting of possible breaches or risks of breaches.
Data Protection
Complying with the Law – The Data Protection Act
Hand in hand with confidentiality, and to offer more legal support to handling personal
information of living individuals, we must abide by the Data Protection Act 1998. This Act is
not only applicable to our organisation but to any organisation in the UK which processes
information. This legislation has been around for a while now, since March 2000, and is
nothing new – but just as a reminder let’s visit the 8 principles which must be adhered to
when handling personal information.
Ok, let’s do an activity now to give you a substantial grounding to what you need to know
about your responsibility to comply with this Act.
You now need to refer to the leaflet called ‘Quick Reference To Caldicott & Data Protection
Act 1998 Principles’.
Try to match the following scenarios with the 8 Data Protection principles. Please note that
although more than one principle could apply, for this activity there is only one obvious
answer. Answers will be revealed at the bottom of the following page. Good Luck! And try
not to peek!
Scenario A: Mr X receives a call from the local hospital to tell him that his pregnant wife has been admitted.
Mr X was shocked as they have been divorced for 10 years and his ex-wife remarried his best friend. Mr X informed the hospital that he is no longer her next of kin.
Scenario B: A mother asks to see her 16-year-old daughter’s school nurse reports as she suspects her daughter is sexually active.
The school nurse says no problem, asks for the request to be in writing and says she will provide a copy of recent notes within 21 working days.
Scenario C: A health records assistant has been tasked with checking 100 random health records to see whether they are labelled with the correct NHS number. She decides that there is not enough space in her department to do this task comfortably, so she finds a quiet meeting room in the Post Grad Centre to do this. She pops out for lunch for 1 hour, leaving the notes unattended and the room unlocked.
Scenario D: Mrs Y moved from London to Leeds and registers herself with a GP in Leeds. The GP goes through her records to get familiar with his new patient’s health history. He finds abbreviations such as HT and NLW in the notes.
When he asks the previous GP to explain, he laughs and says oh, that means "HOT TOTTY" and "NICE LOOKING WOMAN".
Scenario E: A nurse is approached by PC Bloggs asking how his brother (also a police officer) is doing after having been shot in the line of duty. The nurse mentions that he is stable in terms of the gun wound, but they have found that his cancer has spread.
When the brother regained consciousness he was surprised to find that his brother (PC Bloggs) knew about the cancer. Only his wife knew until now.
Scenario F: HR were approached by their Trust communications team asking for all staff home addresses to do a mail shot regarding the benefits for staff and training opportunities available when the implementation of the new national programme for IT is complete at their Trust. HR agree to email the staff database to the communications team a.s.a.p.
Scenario G: A USA social services team heard that a UK social care team were using new and successful techniques to handle manic depressive young teenagers. The USA team ask for a report on the methodology supported by real life case reports so that they can learn from the UK findings. The UK team send case notes and reports via email to the USA team.
Scenario H: A finance assistant is tasked with disposing of any old requisitions filed. Her colleague tells her to get rid of any cleared requisitions which are more than 18 months old. The assistant found 50+ requisitions nearly 3 years old, which exceeds the recommended retention period in the DH Records Management NHS Code of Practice.
All done? Ok, now compare your answers to those shown below.
Scenario A - Principle 1 Processed fairly and lawfully; Principle 4 Accurate & kept up-to-date.
Scenario B - Principle 1 Processed fairly and lawfully.
Scenario C - Principle 1 Processed fairly and lawfully; Principle 7 Protected by appropriate security.
Scenario D - Principle 3 Adequate, relevant and not excessive.
Scenario E - Principle 1 Processed fairly and lawfully.
Scenario F - Principle 1 Processed fairly and lawfully; Principle 2 Processed for a specified purpose.
Scenario G - Principle 1 Processed fairly and lawfully; Principle 8 Not transferred outside the EEA without adequate protection.
Scenario H - Principle 5 Not kept for longer than necessary.
How did you get on? Even if you didn’t do as well as you’d hoped that exercise will have
given you a better understanding of the principles of the Data Protection Act. Now, deep
breaths and onto the next one, time to look at another Act of Law which is very important
for all staff to be aware of:
The Freedom of Information (FOI) Act 2000
This Act came into force in January 2005.
Your level of involvement with FOI may be very minimal or the complete
opposite. Those dealing with requests are advised to participate in a more
advanced training package.
Let’s look at the basic principles:
• Gives the public the right to access/view all non-personal public authority information upon request
• Requests must be in writing
• All staff must know who their FOI Lead is and be able to access/refer to their contact details. The Dept. that deals with FOI is the IG Team.
• The requester may not and need not quote the FOI Act
• The organisation must respond within 20 working days
• Exemptions may apply for non-disclosure – the FOI Lead will determine this.
What you need to know about FOI
Penalties for non-compliance with or breach of the Act apply to the:
• Organisation
• Chief Executive
• Possibly individual staff
If staff or the organisation unlawfully obstruct a member of the public from accessing
the requested information for corporate reasons which are not sufficiently justified, or a
request is ignored, or information is disposed of because of a request which could have a negative
effect on the organisation, this could result in a severe breach of the FOI Act. The
organisation could then be fined a large amount or, if pursued by the requestor, could face a
lawsuit.
If the member of the public feels that their request has not
been dealt with appropriately or in a timely manner, they
have the right to appeal to the ICO. In this case the
organisation could be made accountable to the Information
Commissioner and High Courts.
Individual members of staff should practice good records management with all the
information they process in preparation for requests so that corporate information can be
located rapidly and in a presentable manner if necessary.
So, we’ve looked at the Data Protection Act and the Freedom of Information Act, which are
sometimes confused. So, to make sure you recognise the difference, which of the letters
displayed below do you think is an FOI request for information, A or B? Take a couple of
minutes to think this over. The correct answer will be confirmed at the bottom of the next
page.
Under no circumstances should staff destroy information requested under FOI to hide
evidence. This is an illegal action and a fine can be charged to the individual as a
consequence.
So compliance with the FOI Act puts Records Management high on the IG agenda.
Therefore we need to follow the:
Records Management NHS Code of Practice
The Department of Health have produced guidance on record keeping for NHS and Social
Care staff so that they have some form of standards to work towards. This is known as the
Records Management NHS Code of Practice. The Code is divided into 2 parts. Part 1
includes definitions, guidance of best practice and legal obligations for staff and part 2 holds
the retention and disposal schedule for all types of documentation the NHS may hold.
Best Practice guidance states:
All Staff have a legal and professional obligation to be responsible for any
records which they create or use in the performance of their duties.
Any record created by an individual, up to the end of its retention period, is a
public record and subject to Information requests (FOI and Subject Access).
If you are not familiar with the term ‘Subject Access Request’ it is a request from an
individual who wishes to view personal information about themselves – e.g. Their Health
Record, their Staff Record. There is a formal process which organisations should have in
place to provide this information.
So what is a record? Well, a record can be seen as the organisation’s memory.
What is a record?
• Health records
• X-rays
• Administrative records
• Photographs, slides and other images
• Microfilm
• Audio and video tapes, cassettes, CD-ROM
• Diaries
• E-mail and text messages
• Etc. etc.
Answer to Freedom of Information Question: A is an FOI request; B is a Data
Protection or Subject Access Request.
Reminders:
• Always use tracking systems
• File records correctly so they can be found quickly and easily
• Follow retention periods
• Use correct naming conventions when saving electronic docs
The Record Lifecycle is a recommended way for managing records.
Creation
At the point of record creation we should make sure that the document does not already
exist. If it does not exist then make sure that the information inputted is accurate and up-
to-date.
Using
There should be a log of all new records created. Whilst the record is in use it should be
handled in accordance with DPA.
Record lifecycle:
• Creation: create record
• Using: use in accordance with data privacy rules
• Retention: keep records in line with the Records Management Code of Practice
• Appraisal: determine whether records are worthy of permanent archive
• Disposal: dispose of confidentially
Closed Record?
When the record has achieved its purpose and no longer has any justified use then it should
be considered closed.
Retention
Following closure, the record should be kept in line with the Records Management NHS
Code of Practice retention schedule.
Appraisal
Once the record has reached its full retention period, an appraisal of the record should be
held to determine whether the record is worthy of permanent archival preservation.
Disposal
If it is deemed not worthy to archive then the record should be disposed of accordingly in an
appropriate manner. E.g. incineration or in accordance with your Organisation's Records
Management Policy.
If you use case notes:
While we’re looking at the management of records, for those staff members who use
patient case notes, let’s remind ourselves of some important points with regard to their
maintenance:
• Follow instructions for filing
• Always ensure documents are secured in the notes
• All handwritten clinical entries must be written in black indelible ink, and be dated and timed. They must also show the Clinician’s printed name, grade and signature
• Do not use post-it notes!
• Be certain that you are always adding additional information and/or documentation in the correct case-note!
Important message regarding case note tracking
Every day some case notes required for clinics, admissions or A&E are not found. This is a risk and could result in the patient being turned away.
Many Trust hours are wasted looking for notes which have not been tracked to their current position. Where would you start?
Remember!!
• If you move a case note it is your responsibility to track it as soon as possible on PAS, so that the next person who needs it knows where to find it!
• If someone takes a set of notes from you, remind them that they need to track them!
• Audits are now being conducted to check that case notes have been tracked correctly.
• If you require advice or refresher training please contact the Health Records Team or the PAS Manager.
Now, if we are following best practice for records management with all types of records, paper and electronic, that's great, but we also need to be confident that the information contained within the records is quality information. That leads us to another area of IG:
Information Quality Assurance
Always Recording Good Quality Information!
Bad quality information is dangerous and high risk to the organisation, the
staff and the patients receiving healthcare treatment or social care services.
The following points should be satisfied to ensure accurate information:
• Up to date: information can easily become out of date, so where possible have procedures in place to keep records current, e.g. asking patients to confirm their details when attending healthcare appointments, or following up any patient files which have no NHS Number or which contain incompatible information, such as a female coded as having had a vasectomy.
• Complete: it is key that the files we create or maintain are complete and accurate, because missing diagnosis or treatment codes could result in inappropriate healthcare or treatment advice. Missing or inaccurate healthcare information could lead to malpractice in providing care, putting patients at risk. From a corporate risk perspective, missing or incorrect information can also affect Payment by Results: all treatment carried out by a healthcare organisation is coded on its computer systems, and the information on those systems determines whether the organisation is paid for the services it has provided. If the data held on the electronic care record is inaccurate, the organisation risks not being paid for services delivered, with a huge impact on its financial position.
• Quick and easy to find: as part of records management best practice, and as required under the FOI Act, organisations should ensure that records of any kind are accessible quickly and easily. Standardised and robust filing systems and procedures for the different types of record contribute to this.
• Free from duplication: the same procedures should prevent duplicate records. Having more than one record for the same patient or member of staff increases risk, because vital information may be in one record and not the other, and it would be pot luck which record is accessed in an emergency.
• Free from fragmentation: it is also important that all episodes of care are filed in the main health record, so that even when the patient has received care from different organisations there is one joined-up, informative record of the care provided, which could be a matter of life or death later in that patient's life.
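The checks listed above, as an added worked example that is not Trust code: a small Python audit over constructed patient records that flags a missing or invalid NHS Number, a coded procedure incompatible with the recorded sex, and duplicate registrations for the same person. The NHS Number check-digit test is the standard modulus-11 algorithm (supplied here, not described on this page); the procedure-code table, the record layout and the sample records are constructed for illustration.

```python
"""Data-quality audit over patient records (added example, not Trust code).

Checks implemented, matching the Information Quality Assurance points:
  - every record carries a valid NHS Number (10 digits, modulus-11 check digit),
  - sex-specific procedure codes are compatible with the recorded sex,
  - no person is registered more than once (duplication).
The procedure-code table and the records below are constructed sample data.
"""
from collections import defaultdict


def nhs_number_valid(value: str) -> bool:
    """Validate the modulus-11 check digit of an NHS Number.

    Weights 10..2 are applied to the first nine digits; the check digit is
    11 minus (weighted sum mod 11). A result of 11 means a check digit of 0;
    a result of 10 means no valid NHS Number can have these first nine digits.
    Spaces (e.g. "943 476 5919") are ignored.
    """
    digits = value.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


# Constructed lookup of procedures that are only plausible for one sex.
# Illustrative codes, not a real clinical coding scheme.
SEX_SPECIFIC_PROCEDURES = {
    "VASECTOMY": "M",
    "HYSTERECTOMY": "F",
}


def audit(records):
    """Return a list of (record_id, issue) tuples for the records given.

    Each record is a dict with keys: id, nhs_number, sex, procedures.
    Records with a valid NHS Number are grouped so duplicates can be reported.
    """
    issues = []
    seen = defaultdict(list)  # normalised NHS Number -> record ids
    for rec in records:
        nhs = rec.get("nhs_number") or ""
        if not nhs:
            issues.append((rec["id"], "missing NHS number"))
        elif not nhs_number_valid(nhs):
            issues.append((rec["id"], "invalid NHS number check digit"))
        else:
            seen[nhs.replace(" ", "")].append(rec["id"])
        for code in rec.get("procedures", []):
            expected = SEX_SPECIFIC_PROCEDURES.get(code)
            if expected and rec.get("sex") != expected:
                issues.append((rec["id"], f"{code} incompatible with sex {rec.get('sex')}"))
    # Free from duplication: every extra record for the same NHS Number is an issue.
    for nhs, ids in seen.items():
        for rid in ids[1:]:
            issues.append((rid, f"duplicate of {ids[0]} (NHS number {nhs})"))
    return issues


# Constructed sample records: R1 is clean, R2 has no NHS Number, R3 has a bad
# check digit and an impossible procedure, R4 duplicates R1.
SAMPLE_RECORDS = [
    {"id": "R1", "nhs_number": "943 476 5919", "sex": "F", "procedures": []},
    {"id": "R2", "nhs_number": "", "sex": "M", "procedures": ["VASECTOMY"]},
    {"id": "R3", "nhs_number": "943 476 5918", "sex": "F", "procedures": ["VASECTOMY"]},
    {"id": "R4", "nhs_number": "9434765919", "sex": "F", "procedures": []},
]

if __name__ == "__main__":
    for record_id, issue in audit(SAMPLE_RECORDS):
        print(f"{record_id}: {issue}")
```

The check-digit test rejects transposed or mistyped digits before a record is ever linked, which is what makes the NHS Number safe to use as the key for spotting duplicates; the sex-compatibility table is the place to add whatever other contradiction rules a local data-quality audit needs.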
The NHS Number
The NHS Number is the only national unique patient identifier. It should be included on all patient records and correspondence. Using the NHS Number helps share patient information safely, efficiently and accurately, which reduces clinical risk to patients and improves financial flows. Because the delivery of patient care is often shared across a number of health and social care organisations, the effective linking-up and flow of information about a patient has become even more important, and the NHS Number is what links records across organisations.
Important Message!
If you extract or manipulate data from any system, cross-check it frequently against that system to ensure that your edits have not changed the integrity of the data.
So quality information is the key to better healthcare services and correct payment for healthcare organisations.
Now how about keeping our information secure? I'm sure that was one of the thoughts you had going back to how you would EXPECT other organisations to hold YOUR data.
Information security
Keeping information secure
Another important action to consider during the life of the record is keeping it secure and
confidential whilst in your possession. The requirements of security will be in our
organisation’s Information Security Policy, which refers to the security of both electronic
and paper records. These guidelines and the security standards which the NHS and Social Care work to derive from the international information security standard ISO 17799 (since renumbered as ISO/IEC 27002).
However, it is not necessary for all staff to know the content of these standards in detail; there are simple actions staff can take to keep information secure in support of the standards, e.g.:
• Maintain a clear desk policy: keep desks clear of unsupervised confidential information to prevent unauthorised viewing.
• Lock your computer when you are away from your desk (press Ctrl / Alt / Delete on your keyboard), even when you go to make a coffee for a couple of minutes, which could turn into a 15 minute break if you bump into someone you know and have a chat.
• Lock all filing cabinets and confidential information storage areas when not in use, and make sure that access to these facilities is on a need-to-know basis under authorised circumstances.
• Change your passwords for patient/staff information systems regularly and never share them with colleagues, family or friends. Use a password which combines letters and numbers. Sharing passwords is a disciplinary offence.
• Keep laptops and other portable media secure.
It is important not to take our actions and tasks for granted. E.g. making a telephone call to discuss a confidential matter may be quite a common task in our line of work. Firstly we need to decide whether the topic is too sensitive and needs to be discussed in person with the individual concerned. It may be that you need to go to a private enclosed area so others cannot overhear the conversation. If messages are left on your voicemail it is best not to play them back on hands-free in case they contain confidential information, and do not leave messages containing confidential information on voicemail.
Simple security is about stamping confidential post with 'Private & Confidential'; following the Trust's IM&T Security Policy when transferring information; sending by recorded delivery to a full and designated postal address; and double-checking that the postal address and the contents of the envelope are correct before sending. Similarly with faxes: make sure that fax numbers are verified before sending and that an authorised individual is waiting to receive the confidential information at the other end.
Sending a box of patient files to another location in a secure authorised vehicle might seem perfectly acceptable, but are the records securely packaged? Are they transported with care and kept away from people who have no need to view them?
One of the ways we can make improvements in terms of security is to make sure that any
breaches of security are reported through the incident reporting process within our
organisations. It will then be the management’s responsibility to follow through and
address the issues.
In terms of technology it is important that all current and new hardware and software have
security measures in place to prevent and detect unauthorised access or use of confidential
information. Even better if the system can highlight any potential breaches of security.
Where person identifiable information must be sent via e-mail this must only be via
NHS.net (to other secure email domains). If you’re not sure – check with IG
whether a recipient’s e-mail address is secure.
Passwords are like underpants.
They should be changed regularly,
they are best kept hidden, and they shouldn’t be shared.
Be aware that it is a disciplinary offence to share passwords
Be sure to refer to the Information Security policy to give guidance on how to reduce the
risk of loss of information when transferring it:
• Faxes: use a cover sheet, check the number is correct, send to a named individual, ask for confirmation of receipt, and ensure fax machines are located in a secure location (the fax cover sheet is in the Policy).
• Post: check the envelope is robust and addressed correctly to a named individual; where necessary use secure post. When using Medisec, check that the name of the patient on the front matches the back sheet. Check the contents of the envelope are correct before it goes!
• Verbal: check who you are speaking to before disclosing information and be wary of blaggers; if the caller claims to be from another hospital, confirm the call is genuine by ringing their switchboard.
• Hand: ensure any hand-delivered papers are secure.
• Taking information off site: if it is necessary, ensure the information is secure at all times, e.g. do not leave it in car boots overnight or on show.
• Remote access: do not access sensitive information in public areas; protect information from family members, friends or visitors.
The Care Record Guarantee
Reminders
• Do not access information relating to patients unless you are involved in the care of that patient.
• Do not access information about relatives, friends, neighbours, celebrities etc.
• Do not allow other users to access information when you are logged in to the computer – always log out!
• We audit PAS to ensure access to patient information is justified and appropriate.
Email Policy
The Email and Internet Policy tells you what your responsibilities are with regard to use of email and the internet, which include the following:
Do take your time and check the recipient(s) of emails are correct before sending
Do not forward chain/joke emails or reply to junk mail
Do not open email attachments from unknown sources
Avoid inappropriate and excessive use of the Internet – Audits are conducted
Do not install unauthorised software – This could cause licensing issues / introduce viruses
Storage of non-work related information is not permitted
Do not deliberately access, download or transmit any material on the internet that
could be considered offensive, obscene or indecent
Do remember that the duty of confidentiality extends outside of the work environment, and also after your employment ends – take care when using social networking sites
Smart cards
You may in the course of your duties be issued with a Smartcard which allows you access to the NHS Care Record Service products. A Smartcard is printed with:
a. your name;
b. your photograph; and
c. a unique user identity number.
You may already have one of these cards if you access Choose and Book or ESR. It works
very similarly to a credit or debit card, with a chip and PIN device used to control who has
access to the Care Records Service and what level of access they can have.
When you start working for any NHS organisation or need certain access to services
provided by NHS CRS you will be registered for a Smartcard. You will need to provide at least
three forms of ID (photo and non-photo), including proof of address.
From then onwards, each time you access a patient's record, it will be recorded and patients
can formally request to see this information.
If you get a Smartcard you must:
• Report it to the IG Team/Information Security Adviser immediately if it is lost or stolen.
Social media and Social Networks
The Trust recognises that social media is increasingly used by staff in a personal capacity and also that it has great potential for communications related to Trust business and engagement. The Social Media policy has been developed to clarify acceptable use of social media as it is recognized that there are a number of risks associated with its use. It is vital to avoid reputational damage to the Trust and its employees and maintain confidentiality of patients and staff.
The Trust has embarked on establishing a corporate social media presence for the organisation as part of its marketing and communications work in order to raise its reputation, give information and engage with stakeholders.
Over time consideration will be given to setting up various Trust accounts for sites such as Facebook, Twitter, YouTube, Google places, which would be managed by the Communications Unit.
It is not considered good practice for organisations to have multiple social media accounts, however the Trust recognises that there may be occasions when a team or service may need to set up a separate account rather than use the corporate one, for instance for a particular campaign or to engage with a particular group of patients/stakeholders.
Staff who feel that a social media account would be of benefit to their team or department should complete the application form found in the appendices of the policy and discuss this with the Head of Communications. Any staff who were using social media prior to the introduction of this policy must discuss this with the Head of Communications.
All staff should remember that confidentiality about patients and Trust business must be maintained when using social media for personal reasons. Bringing the Trust or their profession into disrepute, directly or by association, is a serious matter that can be subject to disciplinary measures. The Trust Disciplinary Policy includes direct reference to social media on this topic, and employee contracts include guidance on the issues of confidentiality and codes of conduct.
Mobile devices
A portable device is defined as any device that may synchronise with another computer, for example:
• laptop and notebook computers;
• iPads;
• smart phones, mobile phones and any other mobile system that may fall into this category;
• USB memory sticks (only for temporary storage of information that can in no way be considered confidential; the information is to be transferred to a secure server as soon as practicable and deleted from the USB stick);
• MP3/4 players (must not be used at any time for storing person confidential data or commercial information);
• CDs and DVDs;
• any other item that may be utilised to store or transport data.
Any portable device used in connection with the organisation must be encrypted. There are no exceptions.
Corporate mobile devices
All mobile devices issued by the organisation are issued on a one device to one person basis only and must not be shared or used by anyone who is not recorded as the asset owner; this is for audit purposes and to comply with the Data Protection Act 1998.
Transfer of any device between staff members must only be done via the IT Department.
Any business-related software applications on mobile media devices must be approved, appropriately licensed and recorded on the organisation's licence asset register. The IT Department will maintain a software application asset list to ensure licensing conditions are not breached.
Security of devices
• Any apps downloaded that affect the function of the device will be deleted by IT and not reloaded.
• Do not connect any equipment via the USB port unless it is approved by the organisation.
• Ensure your antivirus is up to date and always activated by connecting regularly to the organisation's network.
• You are responsible for the security of the mobile media device at all times, whether this is on NHS premises, the premises of other organisations, in the car, on public transport or at home.
If your device is lost or stolen you must report it immediately to the IT service desk and the Information Governance team. You must also complete an incident report immediately.
Home working
The organisation understands that there are occasions when the ability to work away from the office is a necessity. For this reason the following procedures and principles have been developed and must be adhered to at all times:
• Use of any information at home must be for work purposes only.
• Staff must ensure the security of information within their home. Where possible it should be stored in a locked container (filing cabinet, lockable briefcase). If this is not possible, when not in use it should be neatly filed and stored in a way that is not obvious to other members of the household.
• Any personal/sensitive (including patient and staff) or organisationally confidential information that has to be taken home must be kept in folders marked 'private and confidential', and other members of the household instructed not to look at it.
• Sensitive information (person identifiable or organisationally sensitive) must be locked away when not in use and only accessible by the member of staff.
• Any controlled document (e.g. a patient record) they hold must be traceable to their location, and any procedure the organisation requires for noting the location of a file must be rigidly applied.
• They should adopt procedures to back up data files on the computer, e.g. to floppy disc or writeable CD; the rule above that any portable media used for Trust information must be encrypted applies to these backups as well.
Information sharing Whenever person confidential data (PCD) is shared, the sharing must be
fair, transparent and in line with the rights and expectations of the
people whose information is being shared.
Sharing can take the form of:
• a reciprocal exchange of data;
• one or more organisations providing data to a third party or parties;
• several organisations pooling information and making it available to each other;
• several organisations pooling information and making it available to a third party or parties;
• exceptional, one-off disclosures of data in unexpected or emergency situations; or
• different parts of the same organisation making data available to each other.
If you are unsure what constitutes personal data, please contact the Information Governance team for guidance.
If a request is made for PCD to be shared, the first thing to be considered must always be whether the data actually needs to be shared in an identifiable form. Could the same purpose be met by using either anonymised or pseudonymised data?
It is important that in every instance where PCD is to be shared, a legal basis for the sharing is established. This could be one of the following:
• the data is to be shared to enable direct care (you must be able to evidence a medical intervention for the patient at the end of the process);
• explicit consent from the individual about whom the data is to be shared;
• a statutory obligation, e.g. a court order;
• legislation, e.g. the Children Act 2004 or the Mental Capacity Act 2005;
• the receiver holds a section 251 approval which allows them to collect PCD without requiring any further consent.
Once this legal basis has been identified, the sharing must be documented in some way. At its simplest, for example for a direct care purpose or for a statutory obligation, this could be by making a note in the file being shared. However, in most cases a formal agreement should be put in place.
Confidential waste
Confidential waste includes any material that contains information that could identify a patient or an employee, or commercially sensitive material. Note that non-confidential paper waste can also be disposed of through the procedures outlined below.
Procedure for the disposal of paper confidential waste
In areas that have a high turnover of confidential waste there are locked consoles. The waste is posted through a letter box aperture into a nylon bag within the console. The portering staff have a routine schedule for collections in the high-use areas; however, in between collection times, when the console is full the department is required to telephone the Porter Manager and request a collection (telephone number 4562). A porter will visit the department, unlock the console, remove the bag, and empty the contents into a secure wheeled
bin. The bag is replaced in the console for further use. The secure wheeled bin is then transported to an onsite secure storage container.
Procedure for the disposal of IT equipment
All IT equipment, including all electronic devices which store data, shall only be disposed of in accordance with the WEEE (Waste Electrical and Electronic Equipment) regulations and must follow the Disposal of Redundant IT Equipment process. Requests to dispose of IT equipment must be made through the IT Service Desk.
All information shall be removed from IT equipment scheduled for disposal. All removable digital media, including disks, USB memory sticks and flash drives, must be securely wiped (overwritten, since simply reformatting leaves the data recoverable) or degaussed before disposal. Degaussing only works on magnetic media; if neither secure wiping nor degaussing is possible, the media must be physically destroyed.
All confidential or sensitive information held in non-digital forms (paper, film etc.) shall be shredded or burnt.
See more in our Waste Management Policy.
Photographs Staff should be cautious regarding the appropriateness of any photograph they might take which should only occur when there is an agreed clinical or educational need and this decision should be made by the patient’s consultant or senior healthcare professional providing the care. Patient consent should be obtained, where possible, prior to any images/recordings being taken. Photographic and video recordings made for clinical purposes form part of a patient’s record. Health professionals should always ensure that they make clear in advance if any photographic or video recording will take place. There must be a fully justifiable purpose for photography to be carried out.
Wherever possible, clinical recordings must be undertaken by a Medical Photographer from the Medical Illustration Department. However any clinical recordings undertaken by non-clinical photography staff should be made available to the Medical Illustration Department along with the completed ‘Informed patient consent for clinical photography/recording’ form for upload to our secure database. All images will then be deleted from the 3rd party recording device.
Under no circumstances should staff use mobile devices other than Trust registered
cameras to capture clinical or non-clinical images.
Policy for clinical photography and video recordings of patients confidentiality, consent, copyright and storage
Privacy Impact Assessment
All new projects, processes and systems (including software and hardware) which are introduced must comply with confidentiality, privacy and data protection requirements. Privacy impact assessments (PIAs) are tools which help the Trust identify the most effective way to comply with these requirements and to fix problems at an early stage, reducing the costs and reputational damage which might otherwise occur. PIAs are an integral part of a privacy by design approach and should be used throughout the development and implementation of a project, using existing project management processes. A privacy impact assessment is required when you are buying a new information system or introducing or amending a process which uses personal and/or sensitive information. We do these assessments to look at privacy issues such as compliance with data protection and data quality requirements, any information security concerns, and where the data is going and whether it needs to be pseudonymised or anonymised. They are a risk assessment to see whether we need to put anything in place to protect and secure personal/sensitive information.
Within the NHS the use of PIAs is mandated through its inclusion as a requirement in the Information Governance Toolkit.
For further information please contact the Information Governance Department.
So, what is the Trust doing to continually improve IG?
There are a number of ways in which the Trust ensures that areas of IG are complied with. To help the Trust monitor our performance the following IG audits are conducted:
• Spot checks: we visit areas of the Trust to observe practices and ensure that IG principles are being adhered to, in order to:
a. identify areas of weakness; and
b. reduce the risk of mistakes happening.
• Corporate records audits: to check what records areas hold and identify
a. the types of record held;
b. whether they are required; and
c. the form in which they are held.
In addition:
• We hold an IG & Records Management Group which meets every two months to discuss issues and how to make improvements.
• We complete the IG Toolkit assessment once a year.
• We attend local IG meetings with other NHS organisations to discuss changes required and concerns.
• We want to ensure that staff understand their responsibilities and are trained every year, so we are constantly looking at other ways to train and communicate with staff.
Summary
We have briefly covered all elements of Information Governance:
• The NHS Confidentiality Code of Practice
• Data Protection Act 1998
• Freedom of Information Act 2000
• The Records Management NHS Code of Practice
• Information Quality Assurance
• Information Security Assurance
So you have probably realised that the concepts behind IG have been around for a while, but as separate entities. The term Information Governance brings all the key information processing standards, guidance and law under one hat to strengthen the initiative.
You can probably also now relate how we must hold and treat the information
we capture to how you would expect other organisations to treat your
information.
Information Governance is the responsibility of every employee, so keep up the good work and improve where
we can and aim to be 100% compliant.
So, remember!
You have now reached the end of this workbook BUT, to register that you have completed
your IG training for the year you will need to complete the Assessment on the Moodle
System.
Contact Details
If you have any comments about this workbook or about IG in general or any