Information Governance Handbook

Dec 20, 2021

Page 1: Information Governance Handbook

Bolton NHS Foundation Trust

Nov 15

Information Governance Handbook

Version: 1

Author (name): Deiler Carrillo

Author (designation): Information Governance Officer

Ratified by: IG committee

Date ratified: 10 November 2015

Name of responsible committee/individual: Graham Fullarton

Date uploaded to intranet: November 2015

Key words

Information Governance manual, Information governance guidelines,

training

Review date: November 2017

Page 2: Information Governance Handbook


Table of Contents

Why do I have to do this training? (page 4)
Introduction to Information Governance (IG) (page 5)
So what is IG? (page 6)
The IG Toolkit (page 9)
IG is the responsibility of every employee! (page 10)
IG can be seen as an umbrella term covering the following areas: (page 12)
Caldicott Guidelines (page 12)
  Our Trust’s Caldicott Guardian is: (page 13)
  The Caldicott report provides seven management principles as guidance for staff when handling patient information. (page 13)
  Provide a Confidential Service (page 16)
Data Protection (page 17)
The Freedom of Information (FOI) Act 2000 (page 21)
Records Management NHS Code of Practice (page 23)
The Record Lifecycle is a recommended way for managing records (page 24)
Information Quality Assurance (page 27)
  The following points should be satisfied to ensure accurate Information: (page 27)
  The NHS Number (page 28)
Information security (page 29)
  Keeping information secure (page 29)
  The Care Record Guarantee (page 31)
  Email Policy (page 32)
  SMART CARDS (page 32)
Social media and Social Networks (page 33)
Mobile Devices (page 34)
  Corporate mobile devices (page 34)
  Security of devices (page 35)
Home working (page 35)
Information sharing (page 35)
Confidential waste (page 36)
  Procedure for the Disposal of Paper Confidential Waste (page 36)
  Procedure for the disposal of IT equipment (page 37)
Photographs (page 37)

Page 3: Information Governance Handbook


Privacy Impact Assessment (page 38)
  So, what is the Trust doing to continually improve IG? (page 38)
Summary (page 39)
Contact Details (page 40)

Page 4: Information Governance Handbook


Why do I have to do this training?

The NHS provides a confidential service.

Patient information is confidential because the relationship between a patient and a healthcare professional, such as a consultant, is based on confidentiality, and this is supported by law.

There can be no truly confidential service unless everyone who works in the NHS knows what information is “confidential” and how to keep it confidential. We all need to make sure information is kept secure and report incidents if they happen.

You have a very important role to make sure we can keep information secure.

E-Learning – Complete the on-line IG training module via the Moodle system on the intranet.

Remember this might be your health information and you would expect that this is kept secure and confidential at all times.

A confidential service means all NHS organisations and their employees, such as medical secretaries, consultants, directors, nurses, porters, domestics, estates and facilities staff and also volunteers and temporary staff, have a duty of confidentiality.

It is not just those staff with whom patients have direct contact, it is everybody!

Page 5: Information Governance Handbook


Introduction to Information Governance (IG)

Welcome to the Introduction to Information Governance training session. This session has been produced by the IG Policy Team of NHS Connecting for Health and has been added to by our Trust Information Governance Department to provide local information for staff.

If you are a member of staff who handles corporate information or personal information, or who is even physically surrounded by information but may not have direct contact with it, this session is for you!

If you have a more in-depth role within IG then you may need to do extra training.

The key learning points of this session cover a wide range of topics.

What is Information Governance? What do YOU need to do to make this work?

• Follow the Caldicott Guidelines
• Provide a confidential service
• Comply with the Law
• Understand the Data Protection Act Principles (Activity)
• Recognise a Freedom of Information Act request (Activity)
• Follow the Records Management NHS Code
• Keep Information Secure
• Input Quality Information

Page 6: Information Governance Handbook


So what is IG?

So, let’s make a start. You may be asking yourself, what is Information Governance? Well, let’s start by having a think about all of the different organisations who hold your identifiable information; and by identifiable we mean a piece of information which can identify you as a person, i.e. your name, address, DOB, NHS Number, National Insurance number. The list could contain organisations such as your GP, other Trusts, your local council, credit card companies, banks, mortgage lenders, and insurance companies. If you had time to make it, it would be quite a list!

And now have a think about the way in which you’d like to think those organisations are holding your information. You’d probably say confidentially, securely; you’d like to think it was accurate and up to date, and that they could find it when they or you needed it! Well, these are all aspects of IG and should be familiar to us all in the healthcare and social service sectors, as so much identifiable information is given to us and passed around our site and to others to facilitate the care of our patients. And it’s not just about having access to systems or case notes; you may be responsible for moving case notes around, or as an employee you may hear or see some information relating to a patient.

Throughout this workbook try to relate the principles shown to your own information held by other organisations.

So IG is to do with how organisations and individuals handle information. But it’s not just person identifiable. IG looks at any type of information which NHS and Social Care organisations may handle.

IG is to do with how NHS / Social Care organisations and individuals handle Information

Page 7: Information Governance Handbook


• Personal: Name, Date of Birth, Home Address, Home telephone number, Postcode
• Sensitive: Ethnicity, Medical condition, Sexual life, Disease, Religious belief
• Corporate: Contracts of suppliers, Minutes of meetings, Finance details, Annual Accounts, Expenditure

Personal: IG looks at information which relates to individuals who can be identified from the data concerned; people’s names, dates of birth etc. are recognised as personal data.

Sensitive: Data such as ethnicity or sexual life is sensitive data. In our professions this type of data could be found in health records, case notes, service databases, staff HR files etc.

Corporate: IG also includes corporate and business data, such as finance, estates, contracts for suppliers and finance records.

Page 8: Information Governance Handbook


IG is particularly concerned with the way that these types of information are handled – the HORUS model is a good way to demonstrate this. Handling Information means:

H • Holding it securely and confidentially
O • Obtaining it fairly and efficiently
R • Recording it accurately and reliably
U • Using it effectively and ethically
S • Sharing it appropriately and lawfully

If we can say ‘Yes’ to these questions when handling personal information then we can say ‘Yes’, we are contributing to the development of the IG culture within our organisations.

So IG is to do with how the organisation and individuals handle information. In order to do this in a consistent, legal and standardised way we should follow and adhere to a series of best practice guidelines and principles of the Law, such as:

• The Data Protection Act 1998
• The Freedom of Information Act 2000
• The Information Security NHS Code of Practice and ISO17799 standards for IT
• The Confidentiality NHS Code of Practice
• The Records Management NHS Code of Practice
• Data Quality Standards

Page 9: Information Governance Handbook


This workbook will go into a little more detail on each of these in the following pages.

The IG Toolkit

To support this IG agenda across the NHS in England, the Department of Health determined a set of key standards and made them mandatory for NHS organisations to carry out as an annual self-assessment.

This process is now adopted by NHS Organisations and has more recently been adopted by General Practice, Social Care and organisations wishing to connect to the NHS network.

The annual reports are monitored and approved through the IG Toolkit online tool hosted and managed by the Health & Social Care Information Centre (HSCIC) IG Policy Team. HSCIC then sends the results to the Healthcare Commission to contribute to the Annual Health Check returns, for reference and potential audit. The IG Toolkit standards and approved Organisation reports can be found on the following website:

www.igt.connectingforhealth.nhs.uk

IG is to do with how NHS / Social Care organisations and individuals handle Information

IG is a series of best practice guidelines and principles of the Law to be followed by NHS / Social Care organisations and individuals

Page 10: Information Governance Handbook


The assessment involves the contribution of the whole organisation, which includes you.

The aim of IG is to ensure the creation of high quality information, in a secure working environment, in order to provide better quality healthcare for patients/service users. Not only better healthcare: eventually good IG practice will result in the organisation receiving correct payment for its services.

So in summary, IG is to do with handling information using a series of best practice guidelines and principles of Law to produce high quality information, resulting in high quality healthcare.

IG is the responsibility of every employee!

I hope at this stage you are beginning to see how IG is a cultural agenda which requires all staff within each organisation to be involved and to understand that IG is every employee’s responsibility.

Well, before we start to look at what we all need to do to make it work, let’s look at some of the consequences of getting it wrong. The Information Commissioner’s Office (ICO), an independent regulatory body set up to protect the privacy of individuals, has recently been given the power to issue fines (up to a maximum of £500,000) for serious data breaches.

IG is to do with how NHS / Social Care organisations and individuals handle Information

IG is a series of best practice guidelines and principles of the Law to be followed by NHS / Social Care organisations and individuals

IG is the core foundation for high quality healthcare using good quality information

Page 11: Information Governance Handbook


The following are some of the most recent. Note the dates and size of the fines as well as the reasons.

Page 12: Information Governance Handbook


Do not share without consent

So, now we’ve seen the consequences, and I’m sure unfortunately you will be able to think of others, but what do we ALL have to do to avoid this?

IG can be seen as an umbrella term covering the following areas:

Information Governance:
• Freedom of Information
• Records Management
• Caldicott Guidelines
• Information Quality Assurance
• Data Protection
• Information Security

You will probably have heard of some of these areas, but let’s go through them.

Caldicott Guidelines

A lot of the work we do is handling personal information and, under our professional ethical standards, contracts of employment and our vow of confidentiality under the Common Law Duty of Confidence, we should ensure that we do not breach patient/service user/staff confidentiality and only share their personal information for a justified purpose and with their consent.

In the past the security of patient information stored and transmitted electronically was of concern within the NHS. In 1997 a committee was established under Dame Fiona Caldicott to review patient identifiable information processing. Her subsequent report made a series of recommendations with regard to confidentiality which all healthcare organisations have taken on board within local information governance agendas.

Page 13: Information Governance Handbook


A key recommendation of the 1997 Caldicott Report was the establishment of the Caldicott Guardian throughout the NHS to safeguard access to patient identifiable information. This was later rolled out to Social Care organisations. The Caldicott Guardian is responsible for agreeing and reviewing policies governing the protection of patient identifiable information. Ideally the Guardian should be at Board or Senior Management Team level and be a senior professional within the organisation.

Our Trust’s Caldicott Guardian is: Mr Stephen Hodgson

The Caldicott Guardian
• Is advisory
• Is the conscience of the organisation
• Provides a focal point for patient confidentiality & information sharing issues
• Is concerned with the management of patient

The Caldicott report provides seven management principles as guidance for staff when handling patient information (1997 Caldicott Report):

1. Justify the purpose(s)
2. Don’t use patient-identifiable information unless it is absolutely necessary
3. Use the minimum necessary patient-identifiable information
4. Access to patient-identifiable information should be on a strict need-to-know basis
5. Everyone should be aware of their responsibilities
6. Understand and comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality

Page 14: Information Governance Handbook


So, before handling or disclosing confidential personal information ‘Think 7 times!’

Ok, let’s put this in the context of a practical scenario:

1. Do you have a justified purpose for using this confidential information?
2. Are you using it because it is absolutely necessary to do so?
3. Are you using the minimum information required?
4. Are you allowing access to this information on a strict need-to-know basis only?
5. Do you understand your responsibility and duty to the subject with regards to keeping their information secure and confidential?
6. Do you understand and comply with the Law before handling the confidential information?

‘A famous celebrity is taken ill while performing at a local theatre. Appendicitis is diagnosed and the celebrity requires emergency surgery. The anaesthetic practitioner recognises the celebrity and following the surgery rings a friend to tell them about this surgery and other information of this celebrity’s past healthcare history. The following day the newspaper publishes details of the surgery and other health issues the celebrity has.’

So, let’s take some time to ask some questions about this scenario. Think through what your answer would be and then look at the answers below. (Don’t peek!):

1. Did the anaesthetic practitioner have a justified purpose for handling the care information of this celebrity patient?
2. Did he have a justified purpose for sharing this information with his friend?

Answers

1. Yes, it was absolutely necessary to use the celebrity’s healthcare records to carry out the surgery.
2. No. Was it absolutely necessary for the anaesthetic practitioner to disclose other healthcare episodes the celebrity had in the past which were unrelated to this episode of care? No. He only needed to use the minimum information required for this episode of care.

By sharing this information with his friend the anaesthetic practitioner has breached the celebrity’s confidentiality, the principle of access on a strict need-to-know basis only, and his duty of responsibility to the patient under his professional ethical standards of confidentiality. This also means he has broken the law by disclosing personal information unlawfully and unfairly without the consent of the individual.

Page 15: Information Governance Handbook


The scenario raises a number of dilemmas for the employer:

The duty to maintain confidentiality is part of the duty of care to the patient. It is also integral to the contract of employment and the individual’s regulatory professional code of conduct. The breach could lead to a disciplinary sanction in accordance with the local disciplinary procedure, or even dismissal. The anaesthetic practitioner could also be reported to the regulator, where a professional misconduct committee could decide whether the breach warrants removal of the practitioner from the professional register and revoke the licence to practise.

It is a disciplinary offence to access individual patient or staff records where it is not a requirement of your job role. Our main hospital Patient Administration System (PAS) enables us to audit staff members who have viewed certain patient records, or view the records a particular member of staff has viewed. If from this we can determine that there was no justifiable reason to view a record then disciplinary action will be taken.

This scenario highlights the fact that handling confidential information cannot be treated light-heartedly or taken for granted, as the consequences of a breach can be very serious and damaging to individuals and the organisation.

Page 16: Information Governance Handbook


Provide a Confidential Service

To maintain a confidential service within your organisation you could also refer to a model which can be found in the ‘Confidentiality NHS Code of Practice’ produced by the Department of Health:

• Protect
• Inform
• Provide Choice
• Improve

It is our duty to Protect individuals’ information by recording relevant data accurately and consistently, and keeping it secure and confidential.

For example: care needs to be taken when discussing cases in open areas for professional reasons, as gossiping is unacceptable. However, under the Common Law, staff are permitted to disclose personal information in order to prevent and support the detection, investigation and punishment of serious crime. These instances can be judged on a case by case basis.

We have a duty to Inform a patient how their information is used and when it may be disclosed. Where practical, provide patients with information leaflets about the organisation’s confidentiality vows, or posters informing patients what the organisation does with their information and why. Inform patients when information is or may be disclosed to others and for what purpose. Inform patients of the choices available in respect of how their information may be used and shared. Where information disclosure has not yet taken place, patients should be aware that they can change their minds. Inform patients of their right to access their health records.

Page 17: Information Governance Handbook


Provide choice to patients to decide whether their information can be disclosed. Patients do have the right to object to information they provide in confidence being disclosed to a third party in a form that identifies them. As long as the patient is competent to make such a choice, and where the consequences of the choice have been fully explained, the decision should be respected. Staff should allow patients to decide whether their information can be disclosed or used in particular ways. More commonly these days patients have different needs and values that must be considered when providing treatment and handling personal information.

To support these three requirements of providing a confidential service, we should always look to Improve the way you/the organisation protects, informs and provides choice to patients/clients/employees. This can be done through attending regular update training, line manager support and the reporting of possible breaches or risks of breaches.

Data Protection

Complying with the Law – The Data Protection Act

Hand in hand with confidentiality, and to offer more legal support to handling personal information of living individuals, we must abide by the Data Protection Act 1998. This Act is not only applicable to our organisation but to any organisation in the UK which processes information. This legislation has been around for a while now, since March 2000, and is nothing new, but just as a reminder let’s visit the 8 principles which must be adhered to when handling personal information.

Ok, let’s do an activity now to give you a substantial grounding in what you need to know about your responsibility to comply with this Act.

You now need to refer to the leaflet called ‘Quick Reference To Caldicott & Data Protection Act 1998 Principles’. Please double-click on the link below.

https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/

Please remember any breach of the Act is deemed illegal and individuals and the organisation can be held liable and assigned penalties.

Page 18: Information Governance Handbook


Page 19: Information Governance Handbook


Try to match the following scenarios with the 8 Data Protection principles. Please note that although more than one principle could apply, for this activity there is only one obvious answer. Answers will be revealed at the bottom of the following page. Good luck! And try not to peek!

Scenario A: Mr X receives a call from the local hospital to tell him that his pregnant wife has been admitted. Mr X was shocked as they have been divorced for 10 years and his ex-wife remarried his best friend. Mr X informed the hospital that he is no longer her next of kin.

Scenario B: A mother asks to see her 16 year old daughter’s school nurse reports as she suspects her daughter is sexually active. The school nurse says no problem, asks for the request to be in writing and says she will provide a copy of recent notes within 21 working days.

Scenario C: A health records assistant has been tasked with checking 100 random health records to see whether they are labelled with the correct NHS number. She decides that there is not enough space in her department to do this task comfortably, so she finds a quiet meeting room in the Post Grad Centre to do this. She pops out for lunch for 1 hour, leaving the notes unattended and the room unlocked.

Scenario D: Mrs Y moved from London to Leeds and registers herself with a GP in Leeds. The GP goes through her records to get familiar with his new patient’s health history. He finds abbreviations such as HT and NLW in the notes. When he asks the previous GP to explain, he laughs and says “oh, that means ‘HOT TOTTY’ and ‘NICE LOOKING WOMAN’”.

Page 20: Information Governance Handbook


All done? Ok, now compare your answers to those shown at the bottom of this page.

Scenario E: A nurse is approached by PC Bloggs asking how his brother (also a police officer) is doing after having been shot in the line of duty. The nurse mentions that he is stable in terms of the gun wound, but they have found that his cancer has spread. When the brother regained consciousness he was surprised to find that his brother (PC Bloggs) knew about the cancer; only his wife knew until now.

Scenario F: HR were approached by their Trust communications team asking for all staff home addresses to do a mail shot regarding the benefits for staff and training opportunities available when the implementation of the new national programme for IT is complete at their Trust. HR agree to email the staff database to the communications team a.s.a.p.

Scenario G: A USA social services team heard that a UK social care team were using new and successful techniques to handle manic depressive young teenagers. The USA team ask for a report on the methodology supported by real life case reports so that they can learn from the UK findings. The UK team send case notes and reports via email to the USA team.

Scenario H: A finance assistant is tasked with disposing of any old requisitions filed. Her colleague tells her to get rid of any cleared requisitions which are more than 18 months old. The assistant found 50+ requisitions nearly 3 years old, which exceeds the recommended retention period in the DH Records Management NHS: Code of Practice.

Answers

Scenario A – Principle 1 Processed fairly and lawfully; Principle 4 Accurate and kept up to date.
Scenario B – Principle 1 Processed fairly and lawfully.
Scenario C – Principle 1 Processed fairly and lawfully; Principle 7 Protected by appropriate security.
Scenario D – Principle 3 Adequate, relevant and not excessive.
Scenario E – Principle 1 Processed fairly and lawfully.
Scenario F – Principle 1 Processed fairly and lawfully; Principle 2 Processed for a specified purpose.
Scenario G – Principle 1 Processed fairly and lawfully; Principle 8 Not transferred outside the EEA without adequate protection.
Scenario H – Principle 5 Not kept for longer than necessary.

Page 21: Information Governance Handbook


How did you get on? Even if you didn’t do as well as you’d hoped that exercise will have

given you a better understanding of the principles of the Data Protection Act. Now, deep

breaths and onto the next one, time to look at another Act of Law which is very important

for all staff to be aware of:

The Freedom of Information (FOI) Act 2000

This Act came into force in January 2005.

Your level of involvement with FOI may be very minimal or the complete opposite. Those dealing with requests are advised to participate in a more advanced training package.

Let’s look at the basic principles:

• Gives the public the right to access/view all non-personal public authority information upon request
• Requests must be in writing
• All staff must know who their FOI Lead is and be able to access/refer to their contact details. The Dept. that deals with FOI is the IG Team.
• The requester may not and need not quote the FOI Act
• The organisation must respond within 20 working days
• Exemptions may apply for non-disclosure – the FOI Lead will determine this.

What you need to know about FOI

Penalties for non-compliance with or breach of the Act apply to the:
• Organisation
• Chief Executive
• Possibly individual staff


If staff or the organisation unlawfully obstruct a member of the public from accessing the requested information for corporate reasons which are not sufficiently justified, or a request is ignored, or information is disposed of because a request could have a negative effect on the organisation, this could result in a severe breach of the FOI Act. The organisation could then be fined a large amount or, if pursued by the requestor, could face a lawsuit.

If the member of the public feels that their request has not been dealt with appropriately or in a timely manner, they have the right to appeal to the ICO. In this case the organisation could be made accountable to the Information Commissioner and High Courts.

Individual members of staff should practise good records management with all the information they process, in preparation for requests, so that corporate information can be located rapidly and in a presentable manner if necessary.

So, we’ve looked at the Data Protection Act and the Freedom of Information Act, which are sometimes confused. So, to make sure you recognise the difference, which of the letters displayed below do you think is an FOI request for information, A or B? Take a couple of minutes to think this over. The correct answer will be confirmed at the bottom of the next page.

Under no circumstances should staff destroy information requested under FOI to hide evidence. This is an illegal action and a fine can be charged to the individual as a consequence.


So compliance with the FOI Act puts Records Management high on the IG agenda. Therefore we need to follow the:

Records Management NHS Code of Practice

The Department of Health have produced guidance on record keeping for NHS and Social Care staff so that they have some form of standards to work towards. This is known as the Records Management NHS Code of Practice. The Code is divided into 2 parts. Part 1 includes definitions, guidance on best practice and legal obligations for staff, and Part 2 holds the retention and disposal schedule for all types of documentation the NHS may hold.

Best Practice guidance states:

• All staff have a legal and professional obligation to be responsible for any records which they create or use in the performance of their duties.
• Any record created by an individual, up to the end of its retention period, is a public record and subject to information requests (FOI and Subject Access).

If you are not familiar with the term ‘Subject Access Request’, it is a request from an individual who wishes to view personal information about themselves – e.g. their Health Record, their Staff Record. There is a formal process which organisations should have in place to provide this information.

So what is a record? Well, a record can be seen as the organisation’s memory.

What is a record?

• Health records
• X-rays
• Administrative records
• Photographs, slides and other images
• Microfilm
• Audio and video tapes, cassettes, CD-ROM
• Diaries
• E-mail and text messages
• Etc. etc.

Answer to Freedom of Information Question: A is an FOI request; B is a Data Protection or Subject Access Request.


Reminders:

• Always use tracking systems
• File records correctly so they can be found quickly and easily
• Follow retention periods
• Use correct naming conventions when saving electronic docs

The Record Lifecycle is a recommended way for managing records.

Creation

At the point of record creation we should make sure that the document does not already exist. If it does not exist then make sure that the information inputted is accurate and up-to-date.

Using

There should be a log of all new records created. Whilst the record is in use it should be handled in accordance with the DPA.

Creation: Create record
Using: Use in accordance with data privacy rules
Retention: Keep records in line with the Records Management Code of Practice
Appraisal: Determine whether records are worthy of permanent archive
Disposal: Dispose of confidentially


Closed Record?

When the record has achieved its purpose and no longer has any justified use then it should be considered closed.

Retention

Following closure, the record should be kept in line with the Records Management NHS Code of Practice retention schedule.

Appraisal

Once the record has reached its full retention period, an appraisal of the record should be held to determine whether the record is worthy of permanent archival preservation.

Disposal

If it is deemed not worthy of archiving then the record should be disposed of in an appropriate manner, e.g. incineration, or in accordance with your Organisation's Records Management Policy.

If you use case notes:

While we’re looking at the management of records, for those staff members who use patient case notes, let’s remind ourselves of some important points with regard to the maintenance of them:

• Follow instructions for filing
• Always ensure documents are secured in the notes
• All handwritten clinical entries must be written in black indelible ink, and be dated and timed. They must also show the Clinician’s printed name, grade and signature
• Do not use post-it notes!
• Be certain that you are always adding additional information and/or documentation in the correct case-note!


Remember!!

Important message regarding case note tracking

Every day some case notes required for clinics, admissions or A&E are not found. This is a risk and could result in the patient being turned away.

Many Trust hours are wasted looking for notes which have not been tracked to their current position – where would you start??

• If you move a case note it is your responsibility to track it as soon as possible on PAS so that the next person who needs it knows where to find it!
• If someone takes a set of notes from you, remind them that they need to track them!
• Audits are now being conducted to check if case notes have been tracked correctly.
• If you require advice or refresher training please contact: The Health Records Team / The PAS Manager

Now if we are following best practice for records management with all types of records, paper and electronic, then that’s great, but we need to be confident that the information contained within the records is quality information. Therefore, leading on to another area of IG, we need to look at:


Information Quality Assurance

Always Recording Good Quality Information!

Bad quality information is dangerous and high risk to the organisation, the staff and the patients receiving healthcare treatment or social care services.

The following points should be satisfied to ensure accurate information:

Up to date - Information can easily become out of date, so where possible try to have procedures in place to keep records up to date, e.g. asking patients to confirm their details are correct when attending healthcare appointments, or following up any patient files which do not have an NHS number or which contain incompatible information, like a female coded to have had a vasectomy.

Complete - It is key that the files we create or maintain are complete with accurate information, as the lack of certain information could result in inappropriate healthcare or advice for treatment due to missing diagnosis or treatment codes. The lack of healthcare information, or inaccurate information, could lead to malpractice when providing care, hence putting patients at risk. From a corporate risk perspective, the lack of information or incorrect information can affect ‘Payment by Results’. All treatment which is carried out by any healthcare organisation is coded on the computer systems, and the information on these systems will determine whether healthcare organisations get paid for services they have provided. Obviously, if the data held on the electronic care record is inaccurate then the organisation risks not getting paid for services delivered, having a huge impact on its financial status.

Quick and easy to find - Also part of Records Management best practice and required under the FOI Act, organisations should ensure that records of any kind are accessible quickly and easily. Standardised and robust filing systems or procedures for the different types of records should contribute to addressing this issue.

Free from duplication - This should also ensure the prevention of duplication of records, e.g. having more than one record for the same patient or member of staff could once again increase risks, as there may be more vital information in one record than in the other. It would be pot luck which record is accessible in an emergency situation.

Free from fragmentation - This emphasises the fact that it is also important to have all records of episodes of care filed in the main Health Record, so that even though the patient has received care from different care organisations, at least there will be a joined-up, informative record of the care provided, which could be life or death later in that patient’s life.


The NHS Number

The NHS Number is the only national unique patient identifier. It should be included on all patient records and correspondence. Using the NHS Number helps share patient information safely, efficiently and accurately. This helps reduce clinical risk to patients and improves financial flows. The delivery of patient care is often shared across a number of health and social care organisations, so the effective linking-up and flow of information related to a patient has become even more important; the NHS Number helps to link records across organisations.

So quality information is the key to better healthcare services and correct payment for healthcare organisations.

Important Message!

If you extract / manipulate data from any system, ensure the data is cross checked frequently with that system to ensure any edits do not change the integrity of the data.

Now how about keeping our information secure? I’m sure that was one of the thoughts you had going back to how you would EXPECT other organisations to hold YOUR data.


Information security

Keeping information secure

Another important action to consider during the life of the record is keeping it secure and confidential whilst in your possession. The requirements for security will be in our organisation’s Information Security Policy, which refers to the security of both electronic and paper records. These guidelines and security standards which the NHS and Social Care work with derive from the international Information Security Standard ISO17799.

It is not necessary for all staff to know the content of these standards in detail, but there are simple actions staff can take to keep information secure in support of the standards, e.g.:

• Maintain a clear desk policy – keeping desks clear of unsupervised confidential information to prevent unauthorised viewing.
• Lock your computer when you are away from your desk (press Ctrl / Alt / Delete on your keyboard), even when you go to make a coffee for a couple of minutes, which could turn into a 15 minute break if you bump into someone you know and have a chat.
• Make sure you lock all filing cabinets and confidential information storage areas when not in use, and make sure that access to these facilities is on a need-to-know basis under authorised circumstances.
• Be sure to update your passwords for patient/staff information systems regularly and never share them with other colleagues, family or friends. Try to use a password which has a combination of letters and numbers. Sharing passwords is a disciplinary offence.
• Keep laptops and other portable media secure.

Individual PCs should be locked when you leave your work station – press the CTRL / ALT and Delete keys to lock it, or the Windows key and L.

Keep work areas clear and free of confidential information.


It is important not to take our actions and tasks for granted. E.g. making a telephone call to discuss a confidential matter may be quite a common task in our line of work. Firstly we need to decide whether the topic is too sensitive and needs to be discussed in person with the individual concerned. It may be that you need to go to a private enclosed area so others cannot overhear the conversation. If messages are left on your voicemail it is best not to play back messages on hands-free in case the message contains confidential information, and do not leave messages on voicemail containing confidential information.

Simple security is about stamping confidential post with ’Private & Confidential’; when transferring information, following the Trust’s IM&T Security Policy; sending by recorded delivery to a full and designated postal address; and double checking that the postal address and content of the envelope are correct before sending. Similarly with faxes – making sure that fax numbers are verified before sending and that there is an authorised individual waiting to receive the confidential information at the other end.

It might not seem inappropriate to send a box of patient files in a secure authorised vehicle to another location, but are the records securely packaged? Are they transported with care and kept away from people who have no need to view these records?

One of the ways we can make improvements in terms of security is to make sure that any breaches of security are reported through the incident reporting process within our organisations. It will then be the management’s responsibility to follow through and address the issues.

In terms of technology it is important that all current and new hardware and software have security measures in place to prevent and detect unauthorised access to or use of confidential information. Even better if the system can highlight any potential breaches of security.

Where person identifiable information must be sent via e-mail, this must only be via NHS.net (to other secure email domains). If you’re not sure, check with IG whether a recipient’s e-mail address is secure.

Passwords are like underpants. They should be changed regularly, they are best kept hidden, and they shouldn’t be shared.

Be aware that it is a disciplinary offence to share passwords.


Be sure to refer to the Information Security Policy for guidance on how to reduce the risk of loss of information when transferring it:

Faxes: Use a cover sheet, check the number is correct, send to a named individual, ask for confirmation of receipt, ensure fax machines are located in a secure location (fax cover sheet in Policy).

Post: Check the envelope is robust and addressed correctly to a named individual; where necessary use secure post. When using Medisec, check the name of the patient on the front matches the back sheet. Check the contents of the envelope are correct before it goes!

Verbal: Check who you are speaking to before disclosing information, be wary of blaggers; if another hospital, confirm the call is genuine by ringing their switchboard.

Hand: Ensure any hand delivered papers are secure.

Taking information off site: If it is necessary, ensure information is secure at all times, e.g. do not leave it in car boots overnight or on show.

Remote Access: Do not access sensitive information in public areas; protect information from family members, friends or visitors.

The Care Record Guarantee

Reminders

• Do not access information relating to patients unless you are involved in the care of that patient
• Do not access information about relatives, friends, neighbours, celebrities etc.
• Do not allow other users to access information when you are logged in to the computer – always log out!
• We audit PAS to ensure access to patient information is justified and appropriate


Email Policy

The Email and Internet Policy tells you what your responsibilities are with regard to use of email and the internet, which include the following:

• Do take your time and check the recipient(s) of emails are correct before sending
• Do not forward chain/joke emails or reply to junk mail
• Do not open email attachments from unknown sources
• Avoid inappropriate and excessive use of the Internet – audits are conducted
• Do not install unauthorised software – this could cause licensing issues / introduce viruses
• Storage of non-work related information is not permitted
• Do not deliberately access, download or transmit any material on the internet that could be considered offensive, obscene or indecent
• Do remember that the duty of confidentiality extends outside of the work environment, and also after your employment ends – take care when using social networking sites

SMART CARDS

You may in the course of your duties be issued with a smart card which allows you access to the NHS Care Record Service products and looks like this:

A Smartcard is printed with:

a. Your name
b. Your photograph; and
c. A unique user identity number

You may already have one of these cards if you access Choose and Book or ESR. It works very similarly to a credit or debit card, with a chip and PIN device used to control who has access to the Care Records Service and what level of access they can have.

When you start working for any NHS organisation or need certain access to services provided by NHS CRS you will be registered for a Smartcard. You will need to provide at least three forms of ID (photo and non-photo), including proof of address.


From then onwards, each time you access a patient's record, it will be recorded and patients can formally request to see this information.

If you get a Smart card you must:

If your Smartcard is lost or stolen, report it to the IG Team/Information Security Adviser immediately.

Social media and Social Networks

The Trust recognises that social media is increasingly used by staff in a personal capacity and also that it has great potential for communications related to Trust business and engagement. The Social Media Policy has been developed to clarify acceptable use of social media, as it is recognised that there are a number of risks associated with its use. It is vital to avoid reputational damage to the Trust and its employees and to maintain the confidentiality of patients and staff.

The Trust has embarked on establishing a corporate social media presence for the organisation as part of its marketing and communications work in order to raise its reputation, give information and engage with stakeholders.

Over time consideration will be given to setting up various Trust accounts for sites such as Facebook, Twitter, YouTube, Google places, which would be managed by the Communications Unit.

It is not considered good practice for organisations to have multiple social media accounts, however the Trust recognises that there may be occasions when a team or service may need to set up a separate account rather than use the corporate one, for instance for a particular campaign or to engage with a particular group of patients/stakeholders.


Staff who feel that a social media account would be of benefit to their team or department should complete an application form which can be found in the appendices of the policy and discuss this with the Head of Communications. If any staff have been using social media prior to the introduction of this policy, they must discuss this with the Head of Communications.

Mobile Devices

A portable device is defined as any device that may synchronise with another computer, for example:

• Laptop and notebook computers
• iPads
• Smart phones, mobile phones and any other mobile system that may fall into this category
• USB memory sticks (only for temporary storage of information that can in no way be considered confidential; information to be transferred to a secure server as soon as practicable and deleted from the USB stick)
• MP3/4 players (must not be used at any time for storing person confidential data or commercial information)
• CDs, DVDs
• Any other item that may be utilised to store or transport data

Any portable device used in connection with the organisation must be encrypted. There are no exceptions.

Corporate mobile devices

All mobile devices issued by the organisation are issued on a one device to one person basis only and must not be shared or used by anyone who is not recorded as the asset owner; this is for audit purposes and to comply with the Data Protection Act 1998.

Transfer of any device between staff members must only be done via the IT Department.

Any business related software applications on mobile media devices must be approved and appropriately licensed and recorded on the organisation’s licence asset register. The IT Department will maintain a software application asset list to ensure licensing conditions are not breached.

All staff should remember that confidentiality about patients and Trust business must be maintained when using social media for personal reasons. Bringing the Trust or their profession into disrepute, directly or by association, is a serious matter that can be subject to disciplinary measures. The Trust Disciplinary Policy includes direct reference to social media on this topic, and employee contracts include guidance on the issues of confidentiality and codes of conduct.

Social Media Policy


Security of devices

• Any apps downloaded that affect the function of the device will be deleted by IT and not reloaded.
• Do not connect any equipment via the USB port unless it is approved by the organisation.
• Ensure your antivirus is up to date and always activated by connecting regularly to the organisation network.
• You are responsible for the security of the mobile media device at all times, whether this is on NHS premises, the premises of other organisations, in the car, on public transport or at home.
• If your device is lost or stolen you must report it immediately to the IT service desk and the Information Governance team. You must also complete an incident report immediately.

Home working

The organisation understands that there are occasions when the ability to work away from the office is a necessity. For this reason the following procedures and principles have been developed and must be adhered to at all times:

• Use of any information at home must be for work purposes only.
• Staff must ensure the security of information within their home. Where possible it should be stored in a locked container (filing cabinet, lockable briefcase). If this is not possible, when not in use it should be neatly filed and stored in a way that is not obvious to other members of the household.
• Any personal/sensitive (inc. patient and staff information) or organisationally confidential information that has to be taken home must be within folders marked ‘private and confidential’, and other members of the household instructed not to look at it.
• Sensitive information (person identifiable or organisationally sensitive) must be locked away when not in use and only accessible by the member of staff.
• Any controlled document (e.g. patient record) staff have will be traceable to their location, and any procedure to note the location of a file required by the organisation will be rigidly applied by them.
• Staff should adopt procedures to ‘back up’ data files on computer, either to floppy disc or writeable CD.

Information sharing

Whenever person confidential data (PCD) is shared, the sharing must be fair, transparent and in line with the rights and expectations of the people whose information is being shared.


Sharing can take the form of:

• a reciprocal exchange of data;
• one or more organisations providing data to a third party or parties;
• several organisations pooling information and making it available to each other;
• several organisations pooling information and making it available to a third party or parties;
• exceptional, one-off disclosures of data in unexpected or emergency situations; or
• different parts of the same organisation making data available to each other.

If you are unsure what constitutes personal data, please contact the Information Governance team for guidance.

If a request is made for PCD to be shared, the first thing to be considered must always be whether the data actually needs to be shared in an identifiable form. Could the same purpose be met by using either anonymised or pseudonymised data?

It is important that in every instance where PCD is to be shared, a legal basis for the sharing is established. This could be one of the following:

• The data is to be shared to enable direct care (must be able to evidence a medical intervention for the patient at the end of the process)
• Explicit consent from the individual about whom the data is to be shared
• Statutory obligation, e.g. a court order
• Legislation, e.g. Children’s Act 2004, Mental Capacity Act 2005
• The receiver holds a section 251 approval which allows them to collect PCD without requiring any further consent.

Once this legal basis has been identified, the sharing must be documented in some way. At its simplest, for example for a direct care purpose or for a statutory obligation, this could be by making a note in the file being shared. However, in most cases a formal agreement should be put in place.

Confidential waste

Confidential Waste includes any material that contains information that could identify a patient or an employee, or commercially sensitive material. However, it should be noted that any non-confidential paper waste can also be disposed of through the procedures outlined below.

Procedure for the Disposal of Paper Confidential Waste

In areas that have a high turnover of confidential waste there are locked consoles. The waste is posted through a letter box aperture into a nylon bag within the console. The portering staff have a routine schedule for collections in the high use areas; however, in between collection times, when the console is full the department is required to telephone the Porter Manager and request a collection (telephone number 4562). A porter will visit the department, unlock the console, remove the bag, and empty the contents into a secure wheeled bin. The bag is replaced in the console for further use. The secure wheeled bin is then transported to an onsite secure storage container.

Procedure for the disposal of IT equipment

All IT equipment, including all electronic devices which store data, shall only be disposed of in accordance with the WEEE (Waste Electronic and Electrical Equipment) regulations and must follow the Disposal of Redundant IT Equipment process. Requests to dispose of IT equipment must be made through the IT Service Desk.

All information shall be removed from IT equipment scheduled for disposal. All removable digital media, including disks, USB memory sticks and flash drives, must be securely reformatted or degaussed before disposal; if this is not possible the media must be physically destroyed.

All confidential or sensitive information held in non-digital forms (paper, film etc.) shall be shredded or burnt.

See more in our Waste Management Policy.

Photographs Staff should be cautious regarding the appropriateness of any photograph they might take which should only occur when there is an agreed clinical or educational need and this decision should be made by the patient’s consultant or senior healthcare professional providing the care. Patient consent should be obtained, where possible, prior to any images/recordings being taken. Photographic and video recordings made for clinical purposes form part of a patient’s record. Health professionals should always ensure that they make clear in advance if any photographic or video recording will take place. There must be a fully justifiable purpose for photography to be carried out.

Wherever possible, clinical recordings must be undertaken by a Medical Photographer from the Medical Illustration Department. However any clinical recordings undertaken by non-clinical photography staff should be made available to the Medical Illustration Department along with the completed ‘Informed patient consent for clinical photography/recording’ form for upload to our secure database. All images will then be deleted from the 3rd party recording device.

Under no circumstances should staff use mobile devices other than Trust registered cameras to capture clinical or non-clinical images.

Policy for clinical photography and video recordings of patients confidentiality, consent, copyright and storage


Privacy Impact Assessment

All new projects, processes and systems (including software and hardware) which are introduced must comply with confidentiality, privacy and data protection requirements. Privacy impact assessments (PIAs) are tools which can help the Trust identify the most effective way to comply with these requirements and to fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. PIAs are an integral part of taking a privacy by design approach and should be used throughout the development and implementation of a project, using existing project management processes. A privacy impact assessment is required when you are buying a new information system or introducing/amending a process which uses personal and/or sensitive information. We do these assessments to look at privacy issues such as compliance with data protection and data quality, any information security concerns, and to check where data is going and whether it needs to be pseudonymised or anonymised. They are a risk assessment to see if we need to put anything in place to ensure we protect and secure personal/sensitive information.

Within the NHS the use of PIAs is mandated through its inclusion as a requirement set out in the Information Governance Toolkit.

For further information please contact the Information Governance Department.

So, what is the Trust doing to continually improve IG? There are a number of ways in which the Trust ensures that areas of IG are complied with.

To help the Trust monitor our performance the following IG Audits are conducted:

Spot Checks – We visit areas of the Trust to observe practices to ensure that IG principles are being adhered to, in order to:
a. Identify areas of weakness; and
b. Reduce the risk of mistakes happening

Corporate Records Audits – To check what records areas have and identify:
a. The types of record held
b. Whether they are required
c. The form in which they are held

We hold an IG & Records Management Group which meets every two months to discuss issues and how to make improvements.

We complete the IG Toolkit assessment once a year.

We attend local IG meetings with other NHS Organisations to discuss changes required and concerns.

We want to ensure that staff understand their responsibilities and are trained every year, so we are constantly looking at other ways to train and communicate with staff.

Summary

We have briefly covered all elements of Information Governance:

• The NHS Confidentiality Code of Practice
• Data Protection Act 1998
• Freedom of Information Act 2000
• The Records Management NHS Code of Practice
• Information Quality Assurance
• Information Security Assurance

So you have probably realised that the concept of IG has been around for a while, but as separate entities. The term Information Governance has brought all key information processing standards, guidance and law under one hat to strengthen the initiative.

You can probably also now relate how we must hold and treat the information we capture to how you would expect other organisations to treat your information.

Information Governance is the responsibility of every employee, so keep up the good work, improve where we can and aim to be 100% compliant.


So, remember!

You have now reached the end of this workbook BUT, to register that you have completed your IG training for the year, you will need to complete the Assessment on the Moodle System.

Contact Details

If you have any comments about this workbook or about IG in general, or any concerns, please contact:

Graham Fullarton

Information Governance Manager

Strategy & Improvement Office – 1st Floor C/D Block

Royal Bolton Hospital

Tel: 01204 390861

E-mail: [email protected]

It is your responsibility to keep all personal and sensitive information secure.

Read the relevant Trust policies to make sure you understand and are aware of your responsibilities.