This module has been designed to:
– Help Trust staff use and share information in a lawful and secure way.
– Promote good practice that should be adapted to the working environment.
By the end of this module you will understand:
– The principles and terminology of information governance (IG).
– Basic data security / cyber security terminology.
– The importance of data security to patient/service user care.
– That law and national guidance require personal information to be protected.
And be able to:
– Explain your responsibilities when using personal information.
– Identify some of the most common data security risks and their impact.
– Identify near misses and incidents and know what to report.
– Distinguish between good and poor practice when using personal information.
– Apply good practice in the workplace.
• Data security has always been important.
• It is more complex now that technology is so central to the delivery of health and care.
• Use technology so that it does not pose unacceptable risks to the Trust, its staff, or its patients.
• We all have a duty to protect people’s information in a safe and secure manner.
• Good information underpins good care. Patient and service user safety is supported by confidentiality, integrity and accessibility.
• Patients / service users must feel assured that their information is used appropriately.
• You can help with this by following the good practice set out in this module.
Confidentiality, Integrity, Availability
• Confidentiality is about privacy and ensuring information is only accessible to those with a proven need to see it.
• Integrity is about information stored in a database being consistent and unmodified.
• Availability is about information being there when it’s needed to support care.
In health and care settings, there are various types of personal information. It is important to be able to identify these different types of information so that they can be appropriately protected when they are used and shared.
In health and care settings, you might see:
• Confidential information – information disclosed in confidence to staff who are providing health and care. Patients expect that this information will be treated confidentially. It can include names and addresses, as well as a person’s sensitive personal information. Other information can also be confidential, such as employee references and some commercial information (for example, about the organisation).
• Sensitive information – all health and care information is sensitive, but patients and service users may consider particular types of information to be highly sensitive, for example, information relating to their mental or sexual health, religion, or ethnicity.
• Personal information – information about someone is ‘personal’ when it identifies an individual. It may be about living or deceased people, including patients, service users and members of staff. A person’s name and address are clearly personal information when presented together, but an unusual name may, by itself, enable an individual to be identified.
Personal information may be recorded in hard copy or digital form – for example, photographs, videos/DVDs, whiteboards, health and care records, personnel files, on a computer – or it may be information simply known by others (such as the care team).
• Pseudonymised information – information in which an individual’s identity is disguised by using a unique identifier (that is, a pseudonym). This does not reveal their ‘real world’ identity, but allows the linking of different data sets for the individual concerned.
• Anonymised information – information that does not identify an individual and cannot reasonably be used to determine their identity. Anonymisation requires the removal of name, address, full post code and any other detail or combination of details that might support identification, either by itself or when used with other available information.
Anonymised information does not identify a person, so it cannot be personal or confidential.
The Value of Information
It is important to comply with the law to protect personal information, because health and care information is valuable. Common ways in which it is put at risk include:
– Paper records dropped in corridors or left in meeting rooms.
– Emails or faxes sent to the wrong address/number.
– Computers or mobile phones stolen or lost.
– Clicking on links to fake websites (phishing).
– Insecure storage or disposal of information.
Common law duty of confidentiality
• Information that individuals disclose in confidence should not be used or shared further without a lawful reason. The lawful reasons are:
– Where there is a statutory basis or legal duty to disclose information.
– Where there is an overriding public interest justification.
– The consent of the individual.
• A decision to disclose information without consent should be made by senior staff, or referred to the Information Governance team or the Data Protection Officer.
• Please read the Information Disclosure Policy for further guidance.
The Caldicott Principles
• Principle 1: Do you have a justified purpose for using confidential information?
• Principle 2: Is it absolutely necessary to do so?
• Principle 3: Are you using the minimum information required?
• Principle 4: Are you allowing access to this information on a strict need-to-know basis only?
• Principle 5: Do you understand your responsibility and duty to the subject with regards to keeping their information secure and confidential?
• Principle 6: Do you understand the law and are you complying with the law before handling the confidential information?
• Principle 7: Do you understand that the duty to share information can be as important as the duty to protect confidentiality?
Confidentiality – Good practice
We all have a legal duty to respect privacy and to use personal information appropriately. The main aspects of confidentiality good practice are:
Informing people – You should inform patients and staff that you are accessing and using their information. Clearly explain how you will use personal information – for example, on the website, in a leaflet or on a poster. Give people a choice about how their information is used and tell them whether that choice will affect the services offered to them.
Meet expectations – only use personal information in ways that people would reasonably expect.
Sharing information for care – sharing with the right people can be just as important as not disclosing to the wrong person.
– Check that the individual understands what information will be shared and has no concerns.
– Ensure that data protection, record keeping and security best practices are met.
– Respect individuals’ objections to any proposed information sharing.
Sharing information for non-care – In many cases, you should obtain consent if you want to use someone's personal information for non-care purposes. However, if there is a risk of immediate harm to the patient/service user or to someone else, and you cannot find an appropriate person with whom to discuss the information request, you should share the information. At the first opportunity afterward, you should inform the person responsible for Information Governance in your organisation so they can follow up the legal basis for sharing.
Ask: Find out who is responsible for managing information sharing requests in your organisation.
Advice: Discuss the request with this person.
Action: Provide the information only when authorised to do so.
Under data protection legislation, individuals have rights in relation to their information which include:
• To be told what their personal information is being used for.
• To see and/or have a copy of their personal information.
• To have inaccuracies corrected.
Good Practice
• Follow your organisation’s policies and procedures.
• There should be no surprises – handle people’s information as you’d expect others to handle your personal information.
• Be open, honest and clear about:
o Why you need personal information.
o What you intend to do with it.
o Who you may share it with.
o How the individual can obtain a copy.
Remember – patients and staff have a right to see information recorded about them. So make sure you:
• Record clearly so that others can rely on your entries.
• Be accurate and keep information up-to-date.
• Follow your organisation’s rules when disposing of personal information.
• Note the impact of the General Data Protection Regulation (GDPR).
The Freedom of Information Act 2000
The Trust, as a public authority, has to comply with the Freedom of Information Act.
The Act allows anyone from anywhere in the world to make a written request for information held by a public body.
The Act only applies to information that already exists in a recorded form, therefore you do not have to create new information in order to respond to a request.
Handling Freedom of Information (FOI) requests
What you need to know:
• Handling FOI requests is a technical skill that should be managed by trained staff. You should not try to handle a request yourself unless you have been trained to do so.
• Many requests for information will simply be ‘business as usual’ (BAU) requests. If in doubt, ask.
You do have some responsibilities:
• The FOI Team is responsible for managing requests in the Trust.
• You may be asked by the FOI Team to provide information in response to a request – you will be given a deadline for this.
• Send any FOI requests to the FOI Team immediately, to comply with the statutory 20 working day turnaround.
– Contact details are: Email: [email protected] or Tel: 01793 605675
service users, staff members and the organisation. It is vital that:
• Records are accurate and up to date.
• You know ‘what and why’ needs recording in the correct system/record.
• Information is checked.
• Errors are reported.
• Information is recorded at the time events occur.
• Patient records include the NHS number.
• Duplicate records are not created.
Seek help if you are uncertain.
Social engineering
Those who want to steal data may use tricks to manipulate people into giving access to valuable information. This is called social engineering.
• On the phone: A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).
• In the office: A very common tactic used by social engineers is asking to have the door held, or claiming to have mislaid their door pass.
• Online: Social networking sites have opened a whole new door for social engineering scams. Criminals are stealing passwords, hacking accounts and posing as friends on social media for financial gain.
Criminals have set up call centres that make calls to health organisations or social care providers. They ask for your username, password, email address or other details about where you work. They may ask you to click on a malicious web or email link. The IT department will not need to ask these types of questions.
Stay vigilant and challenge suspicious behaviour – request proof of identification.
Data Security
Email, though efficient, has risks:
• Criminals use email attachments and links to trick people into providing information.
• Email attachments may be executable files that contain malicious software (malware).
This is known as phishing, and the emails aim to pressure you into making a mistake.
• If you receive an email requesting sensitive information that looks as though it’s from a colleague, double check by phoning the colleague.
• Do not install any new software unless authorised.
• Select the email, right-click it and mark it as junk.
• Block suspicious email domains.
Remember – macros are a series of actions that a program such as Microsoft Excel may perform to work out some formulas, but they can be programmed to install malware.
Report suspicious emails to the IT department.
Malicious software (malware) can:
• Make your computer run slowly or perform in unusual ways.
The IT department will:
• Ensure that you have up-to-date antivirus software installed.
• Assist if you suspect your computer is not performing as it normally does.
Setting passwords
• Use strong passwords on all your devices to prevent unauthorised access – use different passwords for each account.
• Follow simple guidelines to create strong passwords, e.g. at least 8 characters in length, a mix of uppercase and lowercase letters, and special (non-alphabetical) characters such as $, &, * etc. Any service/system that uses the PC/Windows logon name and password will require this, but it is strongly recommended that this is used for other Trust systems too.
Locking Devices
• Lock your device as soon as you stop using it.
• Set passcodes on mobile phones, laptops, PCs and tablets.
• If you see a colleague's device open and unlocked, lock it for them and gently remind them to do so in future.
• On corporate mobile devices – activate the lock function.
Tip: press the Windows Key + L on your keyboard to quickly lock your laptop or PC.
Untrusted Websites
• Be vigilant when you visit a website that is declared "untrusted".
• If a web browser states that you are about to enter an untrusted site, be very careful – it could be a fake phishing website that has been made to look genuine.
• A browser may display a red padlock or a warning message stating ‘Your connection is not private’.
Mobile Devices
Do:
• Read, understand and comply with the Trust’s policy for IT Equipment usage.
• Store your mobile IT equipment, such as laptops or tablets, securely when not in use.
• Report any lost or stolen equipment to the IT department immediately and follow the Trust’s incident reporting procedure.
• Ensure that digital assets and passes are handed back if you are leaving the organisation.
• Use work-provided devices for personal use only in accordance with Trust policy.
Don’t:
• Use your own device for business purposes unless authorised to do so.
• Connect your device to unknown or untrusted networks – for example, public Wi-Fi hotspots.
• Allow unauthorised personnel, friends or relatives to use your work-provided device.
• Attach unauthorised equipment of any kind to your work-provided IT equipment.
• Remove or copy personal information, including digital information (such as by email or on a USB stick), off-site without authorisation.
• Leave digital assets where a thief can easily steal them, for example in your car.
• Install unauthorised software or download software or data from the internet.
• Disable the antivirus protection software – this will be updated on a regular basis.
Good practice – Confidential Information
Doors
• Take care to close doors behind you and don’t prop them open if they are fire doors, or there is restricted access.
• Don’t be afraid to challenge anyone in your area not showing an ID badge, or that you don’t recognise – staff should implement a sign-in procedure for visitors and escort them whilst they are on the premises.
Disposal
• Take special care to securely dispose of:
– Paper records that contain confidential information.
– IT equipment.
Clear Desks
• Do not leave information in unsecure locations.
• Leave paperwork and files secure before you leave for the day.
• Having a clear desk means reduced potential for leaving sensitive information unattended, reducing the risk of a breach.
Covers two categories:
– Technology-related incidents.
The top three most reported incidents related to breaches are:
– Information sent to the wrong place – this may be a letter, a fax or an email.
– Lost or stolen paperwork.
– Failure to apply appropriate technical and organisational measures to prevent unauthorised or unlawful processing and/or accidental loss, destruction or damage to personal data.
Technology-related incidents:
Incidents may not always involve human error; they can sometimes include such things as:
Website defacement – an attack on a website that changes the content of the site or a webpage. It may also involve creating a website with the intention of misleading users into thinking that it has been created by a different person or organisation.
Social media disclosure – the disclosure of confidential or sensitive information by an organisation’s employees through a social media site.
Denial of service attack – an attempt to make a machine or network resource unavailable to its intended users.
Malicious damage to systems – what happens when a person intentionally sets out to corrupt or delete electronic files, information or software programs.
Know how to report data security incidents:
• If you know or suspect that an incident has taken place, register it in line with the Trust’s Information Security Incident Reporting procedure.
• Notify the IG Team as soon as possible, so they can assess how serious the incident is and start an investigation. Any incidents which are reported as a breach of confidentiality via the Trust’s incident reporting system will be notified to the IG Team.
• Report suspected incidents and any ‘near misses’ – lessons can often be learned from them, and they can be closed or withdrawn when the full facts are known.
Read the Trust’s Information Security Incident Reporting Procedure.
that a breach of confidentiality has or is likely to have occurred.
Notify the right team about the incident (usually the IT dept or IG team).
In your notification you should include when, where and what business activity you were conducting when it happened.
Near misses where data was nearly lost or where there was nearly a breach should also be reported.
Avoiding breaches and incidents
Postal breaches – most often occur when two letters are sent to the same patient, or a report is enclosed relating to the wrong patient. Remember that patients will be concerned that their information has been disclosed to another person, and this may result in media attention and a potential financial penalty for the Trust should the patient choose to complain.
Please remember to:
• Address personal information to a named person.
• Consider using a signed-for delivery service.
• Send case notes, or copies of case notes, in robust approved packaging using an approved courier or signed-for service.
Email breaches – most often occur when emails are sent to the wrong person, or a mailing list is used which discloses the email addresses of all recipients.
Before emailing any external parties:
• Check whether it is acceptable to send personal and/or confidential information by email.
• Confirm the accuracy of the email addresses.
• Check that everyone on the copy list has a genuine ‘need to know’.
• Use the minimum identifiable information (e.g. NHS number).
• Check encryption requirements.
Where email needs to be sent to an unsecure recipient:
• Check that they understand and accept the risks, or
• Check whether you can encrypt the email.
Phone breaches – most often occur when staff inadvertently disclose information to a caller who may not have a need to know, for example, a bogus caller, or someone to whom the patient may not wish to have their information disclosed.
Remember:
• Always check the identity of the caller before disclosing personal information.
• It is not advisable to leave messages on voicemail or answerphone, unless you are sure that the phone is used solely by the person you are trying to contact.
• Check whether the information can be provided – if in doubt, tell the enquirer you will call them back.
Fax breaches – most often occur when faxes are sent to the wrong fax number. If it is absolutely necessary to send information by fax, where possible:
• Send the information to a ‘safe haven’, or phone the fax recipient to inform them you are going to send confidential information.
• Double check the fax number and use pre-programmed numbers.
• Use a fax cover sheet.
• Request confirmation that the fax was received.
• Remove the original document from the fax machine.
Module summary
Having completed this session, you should understand the principles and terminology of information governance (IG), basic data security / cyber security terminology, the importance of data security to patient/service user care, and that law and national guidance require personal information to be protected.
You should be able to explain your responsibilities when using personal information, identify some of the most common data security risks and their impact, identify near misses and incidents and know what to report, distinguish between good and poor practice when using personal information, and apply good practice in the workplace.
Further Information:
The Information Commissioner’s Office is the UK's independent body set up to uphold information rights. To find out more about them and the recently updated data protection regulations, please visit: https://ico.org.uk/
General enquiries relating to information governance can be made on 01793 605675 (ext 5675) or by email to: [email protected]
Freedom of Information: Email: [email protected]
Caldicott Guardian – Medical Director: Tel: 01793 60 4182
Health Records Manager: Tel: 01793 60 4717
The next step is to take an assessment on this module once you have read and understood all the material in the training slides. The final pass mark is 80% – Good Luck!