Date post: 19-Dec-2015

Information Governance

Recent Headlines

What is a breach of confidentiality?

Confidentiality Breaches

• Accessing records you have no legitimate reason to see, for example your own or your relatives' and friends' health records, even with their consent (unless it is within your job role to deal with such requests)

• Displaying or leaving records open, unattended or insecure

• Giving out information over the telephone, by fax or email to inappropriate people

• Holding conversations about individuals where others are likely to overhear

Reporting and Accountability

The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Information Commissioner governs the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000. The ICO has the power to serve monetary penalties of up to £500,000 on data controllers (such as Barts Health).

Potential Penalties

• Penalty fines issued for:

  • Brighton and Sussex University Hospitals NHS Trust: 10,000s of highly sensitive personal records of patients and staff found on hard drives bought off the Internet in Autumn 2010 – £325,000

  • Belfast Health and Social Care Trust: serious breach in which 1000s of patients' and staff's sensitive personal data was compromised, and failure to report the incident to the ICO – £225,000

  • Stockport Primary Care Trust: new purchaser found 1000 highly sensitive records regarding 200 patients left in a decommissioned NHS building – £100,000

• Deliberate actions – staff disciplined

• Loss of patient trust and public confidence

Information Governance: Incident and Risk Reporting

• Please immediately report Information Governance incidents to your Line Manager/senior person on duty and the Information Governance Team, and enter the incident on Datix.

• If you identify an Information Governance risk, please discuss this with your Line Manager and carry out a risk assessment if appropriate.

Senior Information Risk Owner (SIRO)

Barts Health NHS Trust SIRO: Ian Walker, Director of Corporate Affairs and Trust Secretary

• Oversees all aspects of Information Governance, promoting a culture that fosters good values in protecting and using information

• Reviews and agrees action plans in respect of identified information risks

• Ensures that the Trust’s approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff

• Provides a focal point for the resolution and/or discussion of information risk issues

• Ensures the Board is adequately briefed on information risk issues

Caldicott Confidentiality Guidelines

1. Justify the purpose
2. Only use it when absolutely necessary
3. Use the minimum required
4. Allow access only on a strict need-to-know basis
5. Understand your responsibility
6. Understand and comply with the law
7. The duty to share may be as important as the duty to protect confidentiality (NEW)

Caldicott Guardian and Confidentiality

Barts Health NHS Trust Caldicott Guardian: Dr Steve Ryan, Medical Director

• Responsible for protecting the confidentiality of patient and service user information

• Enabling appropriate information sharing

• Ensuring high standards when handling patient identifiable information

Data Protection Act 1998: Legal obligations

• Inform people how we use information

• Comply with individuals' rights – Subject Access

• How data is used and shared

Practical obligations

• Accurate

• Up to date

• Not kept longer than necessary

• Keep secure

Data Protection Act 1998

“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”

What is your justification or reason for using personal data?

Where are you getting the data from? Have you sought informed consent?

Freedom of Information Act 2000

Freedom of Information (FoI) requests:

• Can be made to any member of staff; all staff have a legal duty to assist individuals to obtain information

• Can require the release of emails

• Do not need to refer to or mention the FoI Act

• Must be made in writing giving a name and address

The Trust must respond within 20 working days

If you receive an FoI request, please immediately contact the FOI Coordinator

Information Security Issues

Issue: Data disclosed to the wrong people
Action: Check entitlement and identity. If unsure, neither confirm nor deny, and take the caller's contact details.

Issue: Staff accessing data about their relatives, colleagues or friends
Action: There must be a work-related justification.

Issue: Data/files/equipment not disposed of correctly
Action: Follow the Records Retention and Disposal Policy. Information Governance spot checks.

Issue: Unauthorised access to confidential data
Action: Lock unattended computers and keep passwords private.

Issue: Personal Identifiable Data (PID) discovered on personal devices (home PC or mobile phone)
Action: Only use Trust encrypted laptops, VPN or USB drives for opening or storing patient data.

ICT Related Information Security Issues

Risks of Transferring Information

Issue: Loss of data/files/equipment while travelling between sites
Action: Keep information on your person within a marked envelope in an inconspicuous and secure bag. Transport information by secure email, courier, Safe Haven FAX, post or internal mail.

Issue: Emails/faxed documents sent to the wrong place
Action: Send securely, minimise, password protect, encrypt and check recipient details. Use email rather than fax, and Secure File Transfer.

Records Management

Ensure that records are:

• Clearly titled and given logical names

• Stored in secure, structured manual or electronic central filing systems

• Secured and easy to locate (tracked)

The Trust’s Records Retention and Disposal Policy provides record management guidance and states the length of time records must be kept.

The Corporate Records Team can advise on general record management issues.

The Trust’s Corporate Records Centre provides storage for some types of corporate/administrative records.

Further Information

• Information Governance Code of Conduct

• Information Governance Email Guidance

• Barts Health Intranet Sites:

• Information Governance

• Records Management

• Freedom of Information Act

Your Information Governance Team

Information Governance

Matthew Hall – Information Governance Manager

Martyn Steers – Deputy Information Governance Manager

James Cook – Information Governance Officer

Corporate Records

Daniel Scott-Davies – Corporate Records Manager

Laura Hynds – Assistant Corporate Records Manager

Pam Wood – Freedom of Information Coordinator

