1 / 51

NIGB

NIGB. NIGB IG Collaborative Workshops The Reality of Delivering the Information Revolution. Break out Sessions Commissioners/ Transition. NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE. #NIGB #HSCIG. Leeds – Birmingham - London . Transition from

atalo
Download Presentation

NIGB

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. NIGB NIGB IG Collaborative Workshops The Reality of Delivering the Information Revolution Break out Sessions Commissioners/ Transition NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE #NIGB #HSCIG Leeds – Birmingham - London

  2. Transition from Integration and Closure Debbie Terry Information Governance Lead NIGB Workshops Wednesday 27 – 29 June 2012

  3. Where are we now? From clustering & closure • To what next? • NIGB Transition guidance • ICO workshops on IG in transition • H & SC Act 2012 • NHS CB, CCGs, CSSs, DMICs • Risks and Issues • What can you do? • What can NIGB / the centre do?

  4. Background • NIGB Transition Guidance last autumn– supplementary guidance May 2012 • Headlines - 14 action points, 6 recommendations • Legal compliance - data controller & data processor roles, appropriate contractual arrangements, legal status of CCGs & CSSs • Organisational requirements – health records management, CCGs and clusters adherence to IG reqs • Engaging with patients and the public about the changes • Secondary uses & managing conflicts of interest

  5. ICO Transition Workshops • ICO recognised the difficulties in maintaining good IG given the scale and speed of the changes - 2 seminars looking at IG in transition - Headlines: • Moving goalposts in relation to mapping data flows; • Ownership of data control in relation to data held in shared warehousing • Lack of clarity about data controllership • Record Management of “non-live” records – all need cataloguing and a decision made about retention – who responsible for records that need to be retained for medico-legal reasons? Applies to paper & EHRs, but also corporate records – Public Records Acts etc

  6. Health and Social Care Act 2012 • New powers for the Information Centre to obtain information including confidential patient information BUT only mandatory where request from CQC, Monitor, NICE, or already required or permitted to disclose – Part 9, S256 • Act includes NHS CB & CCGs but not Commissioning Support Services (CSSs) or Data Management & Integration Centres (DMICs) – so what is legal basis for them processing confidential patient information and other personal data?

  7. CSSs & DMICs • Current intention – c. 25 CSSs, up to 10 of which may become DMICs – but CCGs free to choose AQP – implication many more CSSs and proliferation of data stores – instead of addressing IG risk, increases it and for CCGs and GPs as Data Controllers – increased responsibilities for governance of AQPs

  8. CSSs & DMICs • Commissioned by CCGs, contractual arrangements therefore will need to be with CCGs and as GPs are DCs with them directly – need for standardised contracting arrangements with minimal local variation – how will oversight be maintained? • What is required level of pre contract due dilligence and post contract performance management? • Many new bodies needing to develop relationships and contracts with other new organisations – new risks

  9. CSSs & DMICs • NHS CB leading on evaluating prospective DMICs against criteria – application process already under way – to what extent does IG feature in these criteria? • Definition of safe havens and honest brokers and the IG requirements to be applied to them become critical • In an increasingly fragmented system – how do we continue to maintain contact with and support one another • How do we provide assurance to patients and the public in relation to the confidentiality of their information going forward? And what do we tell them to meet fair processing requirements?

  10. Where are we now? • We have looked at issues here and now and I recognise the continued need to focus on what’s needed here and now and with winding organisations up safely • There is also a need to look to the future – how do we embed IG in the emerging structures – opportunity here to get it right from the beginning but signs that IG may not be being integrated – many of you will be engaged in trying to do this already • How do we get privacy by design? • How do we do this in an environment which is increasingly hostile to IG as “bureaucratic red tape”

  11. What next? • Identifying the Data controller – making sure the organisation know they are the data controller and what that means • Contracting arrangements with processors and agreements between DCs for shared records and warehousing arrangements – getting them in place for 1 April 2013.

  12. An example - EoLCC • End of Life Co-ordinated Care Registers • Nationally agreed data set (approved by ISB) • Includes Care Plans and Advanced Directives - Do not resuscitate instructions – important for care • Shared across primary, secondary, ambulance and community care services • Clarity about data controllership vitally important for the integrity of the record – significant implications for care • Contrast with another example of pooled data – TPP SystmOne – how ensure the integrity of the record where multiple contributing bodies?

  13. What else do you want from NIGB? • What from other central bodies? • Other comments / questions?

  14. NIGB NIGB IG Collaborative Workshops The Reality of Delivering the Information Revolution Break out Sessions Commissioners/ Transition NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE #NIGB #HSCIG Leeds – Birmingham - London

  15. Information Governance Collaborative Workshops Secondary Use – What is it? Clare Sanderson

  16. Agenda • Who am I? • What is the HSCIC and what do we do? • What is secondary use and what are the issues? • Implications of the Health and Social Care Act?

  17. Who am I? • Director of Information Governance • Senior Information Risk Owner • Work closely with Dr Mark Davies – Caldicott Guardian • Responsible for the Medical Research Information Service

  18. Background to the HSCIC • HSCIC is the central authoritative source of health and social care information, acting as a ‘hub’ for high-quality, national and local, comparative data for all ‘secondary uses’ including • public accountability (e.g. National Statistics and Parliamentary Questions) • patient choice • improvements in health and social care services • research

  19. Key Functions of the HSCIC National Data Repository Data Collection & Quality Data collection hub / repository Better Access Information for service planning Open Data Information for policy makers Data Quality assurance Access, syndication and sharing of data PQs National & Official Statistics Reducing Burden Custodian of national methodologies Indicators Providing linkage services & rules

  20. What is a Secondary Use or Purpose? The processing of patient information for secondary purposes Similarly applies for adult social care information

  21. Processing? Processing includes the recording and holding of information; the retrieval, alignment and combination of information; the organisation, adaption or alteration of information; the blocking, erasure and destruction of information.

  22. Patient Information? Patient information relates to the physical or mental health condition of an individual and is “confidential patient information” where the identity of the individual can be ascertained and as was obtained by a person who owed an obligation of confidence to that individual.

  23. Secondary Purpose? Secondary purposes refer to medical purposes other than determining the care and treatment given to a particular individual.

  24. Commitments to patients • Care Record Guarantee • We will only use your information in ways which respect your rights and contribute to your health and well being • NHS Constitution • You have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure

  25. Legal Considerations • Data Protection Act • The Common Law Duty of Confidentiality • Article 8 – Human Rights Act

  26. Using confidential information for secondary purposes • Supports • the management of health and social care • medical research • preventative medicine • the monitoring and audit of health/health related care provision • the surveillance and analysis of health and disease delivery of safe high quality care for patients • assessment of the health and social care needs of local and national populations • public choice • accountability • commissioning

  27. Do you need identifiable data? Consider the purpose • Confirm the quality and integrity of data • Linking data from multiple sources? • Managing cohorts of patients What is the alternative: • use de-identified data – e.g. pseudonymisation

  28. What is the legal basis for using identifiable data? • Informed and explicit patient consent • Other legislative basis e.g. • The Health Service (Control of Patient Information) Regulations 2002 (Statutory Instrument 2002:1948) regulations • Health Service Act 2012 (from 1 April 2013) • Section 251 support from the ECC

  29. Looking to the future • Health and Social Care Act • IG Review • Consultation on the NHS Constitution

  30. Commissioning Landscape…. Health and Social Care Information Centre Commissioning Board DMIC Health and Social Care Providers Commissioning Support Services Commissioning Support Services Commissioning Support Services CCG CCG CCG CCG CCG CCG

  31. The Health and Social Care Act Grants HSCIC new powers and responsibilities to collect, analyse and publish information Requires those seeking data collections to first consult the HSCIC Identifies HSCIC role to undertake Data Quality Assurance Requires HSCIC to undertake assessment of Burden of data collections Requires HSCIC to develop a Code of Practice for Confidential Information

  32. consult consult consult consult Establishing information systems in HSCIC Secretary of State Commissioning Board Direct to collect or analyse information Health & Social Care Providers Request Health and Social Care Information Centre Code of Practice for confidential information Require Request to collect or analyse information Mandatory Other Body (inc CCG’s & devolved authorities) NICE / Monitor / CQC

  33. De-identification Standard Methodology for de-identifying data Recognise that identifiably if context driven so there is a ‘grey area’ where data is not identifiable but cannot be published Accompanying guidance provides advice on how to manage data release from the ‘grey area’ Methodology currently being reviewed by Information Standards Board

  34. Code of Practice for Confidential Information Section 263 of the HSC Act states: The Information Centre must prepare and publish a code in respect of the practice to be followed in relation to the collection, analysis, publication and other dissemination of confidential information concerning, or connected with, the provision of health services or of adult social care in England.

  35. Terms of Section 263 The IC must consult the Secretary of State, the Board, and such other persons as the Centre considers appropriate. The code must be approved by Secretary of State and Commissioning Board The IC must publish the code The code will apply to all health and social care bodies and any person commissioned to provide health services or adult social care in England when processing confidential information

  36. Approach Steering group of stakeholders to advise on development of the code Aim to provide draft code in Autumn for wider consultation Recognise potential impact of IG review and consultation on NHS Constitution

  37. Thank you Any Questions?

  38. NIGB NIGB IG Collaborative Workshops The Reality of Delivering the Information Revolution Break out Sessions Commissioners/ Transition NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE #NIGB #HSCIG Leeds – Birmingham - London

  39. Consent, Privacy Notices and what is fair processing David Evans, Senior Policy Officer

  40. Consent – what it is and what isn’t consent • Not defined in the DPA but European Data Protection Directive states that consent is: • “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”. • Sensitive personal data – consent must be explicit • “Consent” obtained under duress or on the basis of misleading information does not work

  41. More consent • One condition for processing personal data • Other conditions; • The processing is necessary: • - in relation to a contract which the individual has entered into; or • - because the individual has asked for something to be done so they can enter into a contract. • The processing is necessary because of a legal obligation that applies (except an obligation imposed by a contract). • The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident. • The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions. • The processing is in accordance with the “legitimate interests” condition.

  42. Even more consent • Conditions for processing sensitive personal data; • The individual who the sensitive personal data is about has given explicit consent to the processing. • The processing is necessary so that you can comply with employment law. • The processing is necessary to protect the vital interests of: • - the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or • - another person (in a case where the individual’s consent has been unreasonably withheld). • The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. • The individual has deliberately made the information public. • The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights. • The processing is necessary for administering justice, or for exercising statutory or governmental functions. • The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality. • The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

  43. The last consent slide • More conditions for processing sensitive personal data • Data Protection (Processing of Sensitive Personal Data) Order 2000 • These regulations permit the processing of sensitive personal data for a range of other purposes – typically those that are in the substantial public interest, and which must necessarily be carried out without the explicit consent of the individual.

  44. Fair processing • Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used

  45. More fair processing • Fairness requires you to: • be open and honest about your identity • tell people how you intend to use any personal data you collect about them (unless this is obvious) • usually handle their personal data only in ways they would reasonably expect • not use their information in ways that unjustifiably have a negative effect on them

  46. Privacy notices • The duty to give a privacy notice is strongest when the information is likely to be used in an unexpected, objectionable or controversial way, or when the information is confidential or particularly sensitive. • There is no point telling people the obvious when it is already clear what their information will be used for.

  47. Privacy Notices – key points • All about “how we use your information” • Do they already know who is collecting the information and what it will be used for? • Is there anything they would find deceptive, misleading, unexpected or objectionable? • Are the consequences of providing the information, or not providing it, clear to them?

  48. How to and how not to

  49. More examples

  50. Keep in touch Subscribe to our e-newsletter atwww.ico.gov.uk or find us on… • www.twitter.com/iconews

More Related