Incident Reporting Policy

Clinical Commissioning Group

NHS Mansfield and Ashfield Clinical Commissioning Group and NHS Newark and Sherwood Clinical Commissioning Group

Directorate

Quality and Governance

Document purpose

Describes the policy for the reporting and management of all incidents within NHS Mansfield and Ashfield Clinical Commissioning Group and NHS Newark and Sherwood Clinical Commissioning Group

Version

2

Title

Incident Reporting Policy

Authors

Quality and Safety Manager Corporate Governance Officer

Approval Date

October 2016

Review Date

October 2018

Approving Committee

Quality and Risk Committee/Sub-Committee

Target Audience

All staff

Circulation list

All staff

Equality Impact Assessment

NHS Mansfield and Ashfield Clinical Commissioning Group and NHS Newark and Sherwood Clinical Commissioning Group are committed to promoting equality in all its responsibilities as commissioner of services, as a provider of services, as a partner in the local economy and as an employer. This policy will contribute to ensuring that all users and potential users of services and employees are treated fairly and respectfully with regard to the protected characteristics of age, disability, gender, reassignment, marriage or civil partnership, pregnancy and maternity, race, religion, sex and sexual orientation.

Associated Documents

Risk Management Strategy Incident Reporting Procedure Major Incident Plan Guidance for the Investigation of Complaints,

Incidents and Claims Serious Incident Reporting - Guidance For Provider

Organisations Policy National Framework for Reporting and Learning

from Serious Incidents requiring investigation Sponsoring Director

Chief Nurse and Director of Quality

3

Contents 1. Introduction ............................................................................................................... 4

2. Scope of the Policy .................................................................................................... 4

3. Responsibilities ......................................................................................................... 6

4. Training ..................................................................................................................... 8

5. Dissemination ............................................................................................................ 8

6. Review, Updating and Archiving ................................................................................ 8

7. Bibliography .............................................................................................................. 8

Appendix 1 - Definitions ................................................................................................... 9

Appendix 2 - Assessing the Severity of the Incident Guide (Information Governance Serious Incident Requiring Investigation) ................................................................ 12

Appendix 3 - Incident Reporting Process ....................................................................... 17

Appendix 4 – Grading the Incident ................................................................................... 18

Appendix 5 – Datix Incident and Concern Form (DIF1) .................................................. 19

Appendix 6 - Datix User Guide ....................................................................................... 20

4

1. Introduction This policy applies to all staff, directly employed or acting on behalf of NHS Mansfield and Ashfield Clinical Commissioning Group and NHS Newark and Sherwood Clinical Commissioning Group. This policy is designed to ensure that all staff gains an understanding of their individual responsibilities for the reporting and management of all incidents on Datix1, as part of its commitment to ensuring the health, safety and welfare of service users and staff. Where CCG staff becomes aware of Incidents occurring within provider organisations, these should also be reported internally on Datix2 but investigated by the provider organisation in accordance with their internal procedures and policies. This document sets out the process for the reporting and recording of all incidents within the Clinical Commissioning Group’s electronic reporting system, Datix. It is not intended that this policy should replace the duty to inform the Police and other authorities such as the Health and Safety Executive and Information Governance Toolkit where appropriate. This policy should be read in conjunction with the Clinical Commissioning Groups Risk Management Policy, Business Continuity Plan and the Complaints and Concerns Policy and Procedure3. This policy describes the reporting arrangements and the actions that are required in terms of communication and follow up when there has been an incident affecting Clinical Commissioning Group staff. All concerns or suspicions relating to incidents of fraud, corruption or bribery must be dealt with in accordance with the CCG’s Fraud Bribery and Corruption policy and reported to the CCG’s nominated Counter Fraud Specialist. Concerns may also be brought to the attention of the Chief Finance Officer, or reported via the NHS Protect Fraud and Corruption Line, 0800 028 40 60.

2. Scope of the Policy

At the heart of the Clinical Commissioning Group, are the values of always striving for excellence, celebrating what works well and continually learning and improving. Effective incident reporting is an important part of that continual process of improvement.

The purpose of this policy is to outline the arrangements for identifying, reporting and investigating incidents occurring within the Clinical Commissioning Group. The reporting of all incidents, prevented incidents (near-misses) is designed to ensure the following:

A culture of openness in reporting incidents or prevented incidents (near-misses); 1 http://ns-datix/datix/live/index.php

2 http://ns-datix/datix/live/index.php 3 http://www.mansfieldandashfieldccg.nhs.uk/index.php/governance-and-policy

5

The recording and collection of timely and accurate information; Prompt communication with staff and where appropriate, the media; Minimise any distress to those affected by the incident; Identify patterns and trends in the occurrence of incidents and prevented incidents (near-

misses); Minimise any risks to the organisation; Early warning of any potential for financial loss or litigation; Allow for the review of any safety procedures; and Fulfilment of statutory responsibilities including the Reporting of Injuries, Diseases and

Dangerous Occurrences Regulations 20134 and Health and Safety at Work etc. Act 19745.

This policy applies to all incidents involving staff, visitors or members of the public at any

Clinical Commissioning Group site or premise where staff are working during the course of

their normal duties. The Clinical Commissioning Group supports a culture of openness and actively supports and

encourages shared learning from incidents. It recognises that staff should not be fearful of

the potential repercussions of reporting an incident or near miss.

The Clinical Commissioning Group recognises that the purpose of reporting incidents is not

to apportion blame (except as described below) but to ensure that the underlying causes of

an adverse event can be established, enabling control measures to be implemented to

minimise the risk of recurrence.

Similarly, the identification and reporting of potential risks via “near misses” enables

control measures to be introduced prior to a risk manifesting itself, thereby minimising

the recurrence of loss, damage or injury.

The Clinical Commissioning Group acknowledges that investigation will occasionally identify

that the incident has occurred because of a criminal act or wilful or gross neglect or abuse of

professional privilege. There may also be instances of repeated poor performance despite

interventions and support. In such cases, the Clinical Commissioning Groups disciplinary policy

will be invoked.

Being involved in an adverse incident can be a traumatic and uncomfortable experience for

staff. Every effort will be made to support staff and provide access to confidential

occupational health and counselling services where required6.

4 http://www.hse.gov.uk/riddor/ 5 http://www.hse.gov.uk/legislation/hswa.htm

6 http://gemocchealth.co.uk/?page id=46

6

3. Responsibilities

Chief Operating Officer The Chief Operating Officer has overall responsibility for ensuring that there is an effective risk management system in place within the Clinical Commissioning Group and for meeting all statutory requirements. Within this remit is overall responsibility for incident reporting arrangements and the management of adverse incidents.

Chief Nurse and Director of Quality The Director of Quality, Performance, Information and Governance has delegated responsibilities for ensuring there is an effective incident reporting and management system in place.

Staff The first priority for anyone involved in an incident or near miss is the immediate safety and well-being of the service user, staff member or visitor affected. Any remedial first aid or emergency treatment must be given. Any immediate action required to prevent a recurrence of the incident must also be taken.

Any member of staff who is involved in or witnesses an incident, adverse event or near miss must ensure that it is reported promptly to their line manager and to the Quality and Safety Team using the electronic reporting system, Datix.

Staff working in provider organisations Please refer to the Reporting of Serious Incidents by Provider Organisations Policy (NHS Mansfield and Ashfield and NHS Newark and Sherwood Clinical Commissioning Group, 2015)7 If the incident relates to the safety or wellbeing of children or adults with care and support needs this must be reported to the Police or Local Authority as outlined in the Nottinghamshire Safeguarding Children and Adult Board policies and procedures Children: http://www.nottinghamshire.gov.uk/caring/protecting-and-

safeguarding/nscb/informationprofessionals/procedures-practice-guidance/ Adults: http://www.nottinghamshire.gov.uk/care/adult-social-care/safeguarding-adults Line Manager/Senior Manager The responsibility of the line manager is to assess the situation and ensure that any immediate actions required maintaining the safety and wellbeing of Clinical Commissioning Group staff and that of any visitors or service users.

The line manager may be required to conduct investigations, as appropriate, to ascertain the

7 http://www.mansfieldandashfieldccg.nhs.uk/index.php/governance-and-policy

7

circumstances of the incident or concern, identify and analyse any contributing factors or root causes and to report these back to the Quality and Safety Manager. Quality and Safety Team A member of the team will be responsible for grading the incident, ensuring an appropriate level of investigation is undertaken, and considering whether external reporting is required i.e. Health and Safety Executive, Information Governance Toolkit.

The team undertakes an analysis of incident trends which are reported to the Quality and Risk Committee. Learning from incidents will be shared with all staff via internal communication bulletins where appropriate. The Clinical Commissioning Group will ensure that where an incident has occurred involving a service user(s), the service user(s) is/are kept informed as to the progress and outcome of the investigation. Subject to confidentiality provisions, relatives and carers should also be informed.

Any information given to staff, visitors, service users, carers or relatives needs to be documented by the person who has provided the information in the incident record.

Lay Members

Lay members of the Clinical Commissioning Group will be required to report any incidents via the Clinical Commissioning Group’s incident reporting process by emailing the Quality Team nshccg.midnottsreporting@nhs.net.

Governing Body The Clinical Commissioning Group Governing Body is responsible for providing assurance that they are doing their “reasonable best” to manage the Clinical Commissioning Group’s affairs efficiently and effectively through the implementation of internal controls and processes to manage risk. An effective and robust incident reporting system is an essential component of this responsibility. Quality and Risk Committee/Sub-Committee To maintain an on-going overview of incidents ensuring that learning is appropriately disseminated and is reflected within working arrangements and procedures. The Quality and Risk Committee receives quarterly reports on incidents, complaints and claims. The Quality and safety team will present the findings of serious incidents investigations along with any recommendations to the committee.

Audit and Governance Committee/Sub Committee To maintain a strategic overview of all reported incidents and to ensure that appropriate management action is taken in response. This committee will receive an annual report on the management of incidents across the Clinical Commissioning Group.

8

Media When an incident has occurred which is likely to attract media attention, the Clinical Commissioning Group will ensure that staff and service users are informed before any media are involved. The investigating manager will work closely with the Clinical Commissioning Group Communications Department to ensure that this is guaranteed. Information Governance

All members of staff are bound by their contracts, which require them to follow the Clinical Commissioning Group’s information security and information governance guidelines and policies. If a breach of policy is identified, staff must report this as an incident.

Once the incident has been reported, it will be logged and graded by the Quality and Safety Team and passed to the Information Governance Lead for further evaluation and investigation.

4. Training

A Datix user guide is available in appendix 6. Further training is available from the Quality and Safety team on request. 5. Dissemination

The policy will be available to all staff on the websites8.

6. Review, Updating and Archiving This document will be reviewed every two years by the Quality and Safety team and submitted to the Quality and Risk Committee/Sub- Committee every two years for approval. 7. Bibliography Care Quality Commission Never Events http://www.cqc.org.uk/content/never-events Checklist Guidance for Reporting, Managing and Investigating Information Governance

and Cyber Security Serious Incidents Requiring Investigation http://www.mansfieldandashfieldccg.nhs.uk/images/i/Governanceandpolicy/Incident%20Reporting%20HSCIC%20SIRI%20Reporting%20and%20Checklist%20Guidance%20Version%205.1.pdf

Health and Safety at Work etc. Act 1974 http://www.hse.gov.uk/legislation/hswa.htm Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013

http://www.hse.gov.uk/riddor/ Serious Incident Framework https://www.england.nhs.uk/wp-

content/uploads/2015/04/serious-incidnt-framwrk-upd.pdf The Reporting of Serious Incidents by Provider Organisations.

8 http://www.mansfieldandashfieldccg.nhs.uk/index.php/governance-and-policy

9

Appendix 1 - Definitions Adverse Incident Any event or circumstance involving staff, visitors, service users or contractors that could have, or did lead to unintended or unexpected harm, loss or damage. Adverse incidents include (but are not limited to): Slips, trips and falls; Cases of known, or suspected work or environment related ill health; Work related accidents, occupational injury or ill health; Physical and verbal assault; Explosions; Vehicle incidents whilst on official business; Damage/loss/theft to NHS and personal property; Information Governance security failures; and Violations of established procedures. Information Governance Serious Incidents Requiring Investigation This type of incident will typically breach the principles of the Data Protection Act and/or the Common Law Duty of Confidentiality. This includes: unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data,

information security breaches and inappropriate invasion of people’s privacy; Personal data breaches which could lead to identity fraud or have other significant impact

on individuals; Applies irrespective of the media involved and includes both electronic media and paper

records relating to staff and service users; When lost data is protected e.g. by appropriate encryption, so that no individual’s data can

be accessed, then there is no data breach (though there may be clinical safety implications that require the incident to be reported down a different route); and

When the data is protected but there is a risk of individuals being identified then this remains an incident and should be reported. The sensitivity factors within the Information Governance Incident Reporting Tool will reflect that the risk is low.

Information Governance Cyber Serious Incidents Requiring Investigation There are many possible definitions of what a Cyber incident is, for the purposes of reporting a Cyber incident is defined as: A Cyber-related incident is anything that could (or has) compromised information assets within Cyberspace. “Cyberspace is an interactive domain made up of digital networks that is used to store, modify and communicate information. It includes the internet, but also the other information systems that support our businesses, infrastructure and services.” Source: UK Cyber Security Strategy, 20119. It is expected that the type of incidents reported would be of a serious enough nature to 9 https://www.gov.uk/government/uploads/system/uploads/attachment data/file/60961/uk-cyber-security-strategy-final.pdf

10

require investigation by the organisation. These types of incidents could include: Denial of Service attacks; Phishing emails; Social Media Disclosures; Web site defacement; Malicious Internal damage; Spoof website; and Cyber Bullying.

Major Incident Any incident, which, because of the number of severity of casualties or its location requires special arrangements by the emergency and health services. It may also require the mobilisation of Clinical Commissioning Group staff to support people needing immediate intervention because of the incident. Any circumstance which necessities the activation of the Business Continuity Plan. Serious Incident The serious incident framework10 defines a serious incident in healthcare as “ events in health care where the potential for learning is so great, or the consequences to patients, families and carers, staff or organisations are so significant, that they warrant using additional resources to mount a comprehensive response. Serious incidents can extend beyond incidents, which affect patients directly and include incidents, which may indirectly affect patient safety or an organisation’s ability to deliver ongoing healthcare”. This Framework describes the circumstances in which such a response may be required and the process and procedures for achieving it, to ensure that Serious Incidents are identified correctly, investigated thoroughly and, most importantly, learned from to prevent the likelihood of similar incidents happening again. Serious Incidents include acts or omissions in care that result in: unexpected or avoidable death; unexpected or avoidable injury resulting in serious harm - including those where the injury

required treatment to prevent death or serious harm, abuse, Never Events, incidents that prevent (or threaten to prevent) an organisation’s ability to continue to deliver an acceptable quality of healthcare services and incidents that cause widespread public concern resulting in a loss of confidence in healthcare services.”

All providers, who are subject to an NHS contract, must report any serious incidents to their lead commissioner and follow the processes set out in the Serious Incident Framework (NHS England , 2015) and the Never Events Policy and Framework11 (NHS England, 2015) Near Miss An event or omission which fails to develop further whether or not as a result of compensating action thus preventing injury to a service user, visitor or member of staff. 10 https://www.england.nhs.uk/wp-content/uploads/2015/04/serious-incidnt-framwrk-upd.pdf 11 https://www.england.nhs.uk/wp-content/uploads/2015/04/never-evnts-pol-framwrk-apr.pdf

11

Personal Data As per the Data Protection Act 1998.12 Personal data are data, which relate to a living individual who can be identified: (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come

into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive Personal Data Sensitive personal data are personal data consisting of information as to: (a) the racial or ethnic origin of the data subject; (b) their political opinions; (c) their religious beliefs or other beliefs of a similar nature; (d) whether a member of a trade union (within the meaning of the Trade Union and Labour

Relations (Consolidation) Act 1992); (e) their physical or mental health or condition; (f) their sexual life; (g) the commission or alleged commission of any offence; or (h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings. Personal Confidential Data13 This is a term used in the Caldicott Information Governance Review14 and describes personal information about identified or identifiable individuals, which should be kept private or secret and includes dead as well as living people. The review interpreted 'personal' as including the Data Protection Act definition of personal data, but included data relating to the deceased as well as living people, and 'confidential' includes both information 'given in confidence' and 'that which is owed a duty of confidence' and is adapted to include 'sensitive' as defined in the Data Protection Act. This is personal and usually sensitive personal data that is held subject to an obligation of confidentiality. Clinical data relating to an identifiable individual is usually confidential and some data recorded by social care staff may be subject to this obligation.

12 http://ico.org.uk/for organisations/data protection/the guide 13 i.e. name, home address, postcode, NHS number, date of birth, payroll number, driving licence number, Unique Booking Reference Number (UBRN), racial / ethnic origin, political opinions, religious beliefs, trade union membership, physical (sickness absence, health record) or mental health, sexuality, criminal offences, bank and/or credit card details 14 https://www.gov.uk/government/publications/the-information-governance-review

12

Appendix 2 - Assessing the Severity of the Incident Guide (Information Governance Serious Incident Requiring Investigation)

Although the primary factors for assessing the severity level are the numbers of individual data subjects affected, the potential for media interest, and the potential for reputational damage, other factors may indicate that a higher rating is warranted. For example, the potential for litigation or significant distress or damage to the data subject(s) and other personal data breaches of the Data Protection Act. As more information becomes available, the Information Governance Serious Incident Requiring Investigation level should be re-assessed. Where the numbers of individuals that are potentially impacted by an incident are unknown, a sensible view of the likely worst case should inform the assessment of the Serious Incident Requiring Investigation level. When information that is more accurate is determined, the level should be revised as quickly as possible. Please note: Conversely, when lost data is protected e.g. by appropriate encryption, so that no individual’s data can be accessed, then there is no data breach (though there may be clinical safety implications that require the incident to be reported down a different route). When the data is protected but risk of individuals, being identified remains an incident and should be reported. The sensitivity factors will reflect that the risk is low.

All Information Governance Serious Incident Requiring Investigations entered onto the Information Governance Toolkit Incident Reporting Tool, confirmed as severity level 2, will trigger an automated notification email to the Department of Health, Health and Social Care Information Centre and the Information Commissioner’s Office, in the first instance and to other regulators as appropriate, reducing the burden on the organisation to do so.

The Information Governance Incident reporting tool works on the following basis when calculating the severity of an incident:

There are two factors which influence the severity of an Information Governance Serious Incident Requiring Investigation – Scale and Sensitivity.

Scale Factors

Whilst any Information Governance Serious Incident Requiring Investigation is a potentially a very serious matter, the number of individuals that might potentially suffer distress, harm or other detriment is clearly an important factor. The scale (noted under step 1 below) provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.

Sensitivity Factors

Following stakeholder feedback, the Sensitivity factors have been revised and are shown on the following page. Sensitivity in this context may cover a wide range of different considerations and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it. The same incident may have characteristics that do both, potentially cancelling each other out. For the

13

purpose of Information Governance Serious Incident Requiring Investigations sensitivity factors may be:

i. Low – reduces the base categorisation ii. High – increases the base categorisation

19

Appendix 5 – Datix Incident and Concern Form (DIF1)