
NHS Mail Workshop


danielf


Presentation Transcript


  1. NHS Mail Workshop HCPA

  2. Housekeeping • Fire drills and evacuation procedures • Toilets • Refreshments • Q&As • Wi-Fi code • Signed in?

  3. Ice-breaker • Who are you? (Name & Job Title) • Where do you work? (Name of home, type of care provided and rough size) • Tell me one thing you know about GDPR • How do you feel about being here today?

  4. The Goal Enable you to (confidently) complete the Data Security and Protection toolkit on behalf of your organisation to “Standards Met” so that you can access NHSmail (and other) services to help improve the quality of care people receive

  5. Outcomes You will be able to: • explain the national offer of NHSmail for the Care Sector and the benefits this can give to residents and your organisation. • explain the importance and benefits of meeting the data security and protection assertions. • explain how to access the Data Security and Protection toolkit. • recognise the types of information your organisation needs to produce as evidence to meet the Data Security and Protection toolkit assertions to be “standards met” compliant.

  6. NHS Mail

  7. What is NHSmail? • The secure national email service for health and social care providing: • Email • NHS Mail Portal • Directory • Instant Messaging • Presence

  8. Why do we need secure email? • General Data Protection Regulation (GDPR) • Data Protection Act 2018 • Prosecution of “data breaches” by the Information Commissioner’s Office (ICO) • CQC Inspection KLOEs (2.8 – Well Led) • NHS Standard Contract has it as a requirement • NHS England Data Security & Protection (DSP) Assurance: Any organisation wishing to access ANY information held by the NHS or NHS system (e.g. patient discharge information, summary care records, NHSmail) MUST provide annual assurance that they have the expected standard of data security & protection in place

  9. CQC KLOE 2.8 (Well Led) “How does the service assure itself that it has robust arrangements (including appropriate internal and external validation) to ensure the security, availability, sharing and integrity of confidential data, and records and data management systems, in line with data security standards? Are lessons learned when there are data security breaches?”

  10. The National Offer to the Care Sector • 1 generic account • Up to 10 individual linked user accounts • Set-up & management via National Administration Service • For free

  11. Benefits of NHSmail • Supports CQC inspection KLOEs • Secure transfer of information • Timely sharing of information • Reduced risk of error in communications • Improved safety for residents • Time saved…increased time for care

  12. Case Study 1: Stanfield Nursing Home Background • 41 residents aged 60+ with higher needs requiring nursing, specialist dementia and end of life care • RNs spent an average of 2 hrs a day on the telephone to GP surgeries, MH teams etc. • Practice staff would hand write messages for the GP, resulting in inaccurate information being recorded and the need for further telephone conversations between clinicians. • Limited access to up-to-date medical notes and test results, impacting on care and information available to residents. • Prescription deliveries often lacked any explanation of why they had been provided. Benefits of NHS Mail • Direct, timely, accurate and secure communication now available between home staff and GPs / NHS MH & CHC teams • 10 hrs/wk RN clinical time released • Improved audit trail • Increased patient safety • Greater convenience and ease of sending information between organisations and to families/carers Challenges • Resistance to using NHSmail at some GP practices • Not yet adopted by hospital discharge teams

  13. Case Study 2: Swanton Care Background • Social Care provider with a national footprint of 850 staff operating from 28 locations. • Provides residential and supported living care; specialist autism care, learning disability support, acquired brain injury and neuro-rehabilitation. • With no secure email service, information had to be shared by post, fax or telephone, taking a considerable amount of time and effort and impacting on the majority of information sharing activities with LAs, NHS, Police and probation services Benefits • Organisation now meets partners’ expectations of a secure email service • More efficient processes for receiving essential information (e.g. referrals, discharge summaries) • Time saved from posting, faxing and chasing information • Greater ease and convenience of sending information

  14. How to access NHSmail • Register for an ODS code with the Open Exeter Helpdesk • exeter.helpdesk@nhs.net • Register on the DSP toolkit • www.dsptoolkit.nhs.uk/Account/Register NOTE: You are already one third of the way through • Start completing the DSP toolkit • www.dsptoolkit.nhs.uk/Account/Login • Provide sufficient evidence to meet the expected standard of assurance (meeting the 10 standards) • Request access to the national NHS mail offer via the National Administration Service or website • https://portal.nhs.net/Registration#/careprovider • Contact local NHS organisations (e.g. CCG) and begin using it as your primary email address…

  15. An Introduction to GDPR

  16. A Very Rough Summary We all need to have: • Policies & processes in place to deliver “data protection by design and default” We need to know: • What data we have; • Why we have/share it; • Where it comes from and where it goes to; • When we destroy it; • Who has access to it; and • How we use it.

  17. Personal Data GDPR applies to the processing of personal data that is: • wholly or partly by automated means; or • the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system. Personal data only includes information relating to natural persons who: • can be identified or who are identifiable, directly from the information in question; or • who can be indirectly identified from that information in combination with other information. Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances. Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data. If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised. Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR. Information about companies or public authorities is not personal data. However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.

  18. Summary An individual can be identified or is identifiable if you can distinguish them from other individuals GDPR provides a non-exhaustive list that includes: • Name • Private Address • DOB • NHS Number • NI Number • Location data (eg Find my iPhone) / IP address (eg ISP Detail) / Cookies (eg Web browser)

  19. Special Category Data The following types of data are considered more sensitive and therefore require a higher level of protection: • Race • Ethnic origin • Politics • Religion • Trade union membership • Genetics • Biometrics (where used for ID purposes) • Health • Sex life • Sexual orientation

  20. Special Category Data (2) Considered more sensitive & therefore needs more protection. Section 9(2) of the DPA says we need one of the following: • Data subject has given explicit consent • Processing is necessary to protect the vital interests of the data subject • Processing is necessary for the purposes of preventive or occupational medicine - medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

  21. Lawful basis for processing personal data[Article 6 conditions] 6 lawful bases for processing in section 6 (1) of the DPA: • Consent: the individual has given clear consent for you to process their personal data for a specific purpose. • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). • Vital interests: the processing is necessary to protect someone’s life. • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) The question is whether the processing is objectively necessary for the stated purpose, NOT whether it is a necessary part of your chosen methods.

  22. Lawful basis for processing Special Category data [Article 9 conditions] • Explicit consent • Employment, social security, social protection law • Vital interests when an individual is legally or physically unable to give consent • Legitimate activities by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim • The personal data has been manifestly made public by the individual • For the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity • Substantial public interest • The provision of health or social care, treatment or the management of health or care systems and services or the assessment of the working capacity of an employee • Public health interests • For archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes

  23. Individual rights People now have the following specific rights: • The right to be informed • The right of access • The right to rectification • The right to erasure • The right to restrict processing • The right to data portability • The right to object • Rights in relation to automated decision making and profiling.

  24. Accountability & Governance Appropriate technical and organisational measures in place including: • Adopting and implementing data protection policies; • Taking a ‘data protection by design and default’ approach; • Putting written contracts in place with organisations that process personal data on your behalf; • Maintaining documentation of your processing activities; • Implementing appropriate security measures; • Recording and, where necessary, reporting personal data breaches; • Carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests; • Appointing a data protection officer [if appropriate]; and • Adhering to relevant codes of conduct and signing up to certification schemes You must be able to demonstrate ongoing compliance

  25. Break

  26. Four Steps to Compliance?

  27. Step 1 – Record Responsibilities Agree who is responsible for Data Security & Protection. This needs to be: • Executive Director / Owner Level • Not Registered Manager Roles: SIRO • Caldicott • DPO / Champion • IG Lead +

  28. Key Roles & Responsibilities Senior Information Risk Owner (SIRO) • Needs to be the owner or an Executive Director / other senior member of the board, e.g. Chief Information Officer, Director of Ops • Caldicott Guardian should be independent of SIRO; however, depending on the size of organisation this is not always possible. Caldicott Guardian • Only a requirement for public authorities; not mandatory for social care providers – although encouraged. • Should be (in order of priority) a director, senior manager; or a senior health / social care professional; or the person with responsibility for promoting clinical governance • Consider adopting a “Caldicott Function” rather than full blown UK Caldicott Guardian Council membership Data Protection Officer (DPO): • The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. • They can be an existing employee or externally appointed or appointed across a number of organisations • They must be registered with the ICO. • They: inform and advise organisations about complying with GDPR and other data protection laws; monitor compliance with GDPR and data protection laws – including staff training and internal audits; advise on and monitor data protection impact assessments; co-operate with the ICO / act as the first contact point for the ICO and citizens.

  29. Do I need a DPO? The law says that you must appoint a Data Protection Officer (DPO) if: • You are a public authority or body (except for courts acting in their judicial capacity); • Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or • Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences. NO DEFINITION OF “LARGE SCALE” CPA & NHS Digital DPO Advice: • Assign someone to a “data protection champion” (DPC) role, i.e. responsible for data security and data protection (e.g. your Information Governance Lead / someone familiar with DSP topics). • Must not be the same person as the SIRO, as the DPO must be independent and able to freely advise / report to senior managers / directors. • Should not be the Registered Manager, as this is considered a conflict of interest

  30. Step 2 – Record Information Held & Systems Used Work out: • What data / personal information you have • Where you keep it • Who has / needs access to it • What systems you use to receive / store / access this information • Risk assess each asset / system i.e.: • Ask yourself what would happen if there was a breach (i.e. lost or wrong person could see it)? • How might this occur and what could be done to help stop it from happening? Information Asset Register

  31. Task Time! • There are x4 documents in this room • You have been given a blank IAR template document • Please find the x4 documents and fill the template accordingly

  32. Template IAR

  33. Step 3 – Record Information Flows Understand where each type of information comes from and goes to and how this happens, including: • Your reason for the processing • Whose data it is and what kind of data it is, e.g. staff – financial information; residents – care plans • The people / organisations you share the information with (e.g. the full name and address of the Payroll company / GP Practice) • Whether the data goes outside of Europe (and the extra precautions you therefore take) • How long you keep each type of information before destroying it (i.e. records retention period) • A description of the technical & organisational security measures used to protect the data Record of Processing Activities

  34. Task Time! • Previously you found x4 documents in this room and added them to the IAR • You have been given a template ROPA (simplified) • Choose x2 of these documents and consider the data flows • Update the template ROPA to show these documents and their data flows, etc

  35. Template ROPA Consider the following: • Is data being sent out or received in? How is it sent? • Is data going to be communicated outside of EEA? • Why is the data needed? Is it necessary to keep this data? • What is the lawful basis for keeping / using / sending? • Retention periods? • Are there Risks? Are these Risks managed?

  36. 6 lawful bases There are six lawful bases for processing personal data: • CONSENT • PERFORMANCE OF A CONTRACT • LEGAL OBLIGATION • VITAL INTERESTS • PUBLIC TASK • LEGITIMATE INTEREST

  37. Sensitive category data In order to lawfully process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked. Your choice of lawful basis under Article 6 does not dictate which special category condition you must apply, and vice versa. For example, if you use consent as your lawful basis, you are not restricted to using explicit consent for special category processing under Article 9. You should choose whichever special category condition is the most appropriate in the circumstances – although in many cases there may well be an obvious link between the two. For example, if your lawful basis is vital interests, it is highly likely that the Article 9 condition for vital interests will also be appropriate. • The conditions are listed in Article 9(2) of the GDPR: • (a) the data subject has given explicit consent • (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller; • (c) processing is necessary to protect the vital interests of the data subject • (d) processing is carried out in the course of its legitimate activities • (e) processing relates to personal data which are manifestly made public by the data subject; • (f) processing is necessary for the establishment, exercise or defence of legal claims; • (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law • (h) processing is necessary for the purposes of preventive or occupational medicine; • (i) processing is necessary for reasons of public interest in the area of public health; • (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

  38. Step 4 – Policy, Procedure & Practical Implementation Produce a policy or policies to cover: • Data Protection: how you will implement legal requirements to ensure data protection by design and by default • Data Quality: how you will ensure you keep the data you hold accurate and correct any errors • Record Keeping: how the data you hold will be looked after, what rights data subjects (e.g. residents) have and how you will facilitate access • Data Security: how you prevent data breaches from occurring and what you will do if there is a breach • Network Security: how you will ensure any devices that are used to access data electronically will be protected and data kept safe See templates

  39. Step 4 – Policy, Procedure & Practical Implementation Suggested procedures include: • Information Asset Register • Record of Processing Activities • Leaver-Starter arrangements • Portable device assignment forms • Reporting (suspected) data security breaches • Business continuity plan i.e. what to do if essential records are destroyed (fire), or can’t be accessed (IT failure), or you have a significant data breach (media attention) See templates

  40. Step 4 – Policy, Procedure & Practical Implementation Information to support staff awareness and behaviour should include: • The importance of DSP from a practical point of view • The responsibilities of the owners/directors, managers and individual members of staff • Details of what information they can share, with whom and how • What to do if they have a data security / breach concern • What to do if asked about DSP or for information by a resident or member of the public • How to record information accurately, store it safely and dispose of it when the time is right See templates

  41. Step 4 – Policy, Procedure & Practical Implementation Information to support residents should include: • Advice / information on how you keep their personal information safe • Who you will share their information with and under what conditions • Their rights to access any information you hold on them • When they can choose to refuse sharing • Privacy notice See template

  42. The Data Security & Protection Toolkit

  43. Overview • An annual assurance process running from 1st April to 31st March. • Helps to evidence compliance with GDPR & DPA (2018) and CQC inspection key lines of enquiry (2.8 Well Led). • The NHS online self-assessment tool to demonstrate compliance with the 10 National Data Guardian data security standards for health and social care organisations (i.e. GDPR!)

  44. Leadership Obligation 1 - People

  45. Leadership Obligation 2 - Process

  46. Leadership Obligation 3 - Technology

  47. Compliance Levels in the DSP toolkit

  48. Lunch!

  49. Compliance Levels in the DSP toolkit

  50. How do I complete the toolkit?
