Introduction to Information Governance (IG)

IG Policy TeamNHS Connecting for Health

Key Learning Points What is Information Governance? What do YOU need To Do to make this work?

Follow the Caldicott GuidelinesProvide a confidential serviceComply with the Law

Understand the Data Protection Act PrinciplesRecognise a Freedom of Information Act request

Follow the Records Management NHS CodeKeep Information Secure Input Quality Information

What is IG?

IG is to do with how NHS/Social Care organisations and individuals handle information

Information means:

E.g. Name, Date of Birth, Home address

E.g. ethnicity, disease, medical condition, sexual life

E.g. Contracts for suppliers, minutes of meetings, finance details

Personal

Sensitive

Corporate

Handling information means

Holding it securely and confidentially

Obtaining it fairly and efficiently

Recording it accurately and reliably

Using it effectively and ethically

Sharing it appropriately and lawfully

What is IG?

IG is to do with how NHS/Social Care organisations and individuals handle information

IG is a series of best practice guidelines and principles of the Law to be followed by NHS/Social Care organisations and individuals

Core elements of IG

Data Protection Act 1998 Freedom of Information Act 2000 Information Security Standards – ISO/IEC

17799: 2005 and IS Management NHS Code of Practice

The NHS Confidentiality Code of Practice The Records Management NHS Code of

Practice Information Quality Assurance

IG Toolkit

Organisation Self Assessment against national set of standards. Annual submission.

Adopted by NHS, Social Care, GP and Commercial Third Parties.

Online Tool Process may be subject to internal and

external audit Past reports available online For further information on the IG Toolkit go to:

www.igt.connectingforhealth.nhs.uk

What is IG?

IG is to do with how NHS/Social Care organisations and individuals handle information

IG is a series of best practice guidelines and principles of the Law to be followed by NHS/Social Care organisations and individuals

IG is the core foundation for high quality healthcare using good quality information

IG is the responsibility of every employee!

What do YOU need To Do

to make this work?

Confidentiality

Do not share without consent

1997 Caldicott Report

The Caldicott Guardian

Follow the Confidentiality Caldicott Guidelines

1. Justify the purpose of using confidential information

2. Only use it when absolutely necessary

3. Use the minimum required

4. Allow access on a strict need-to-know basis

5. Understand your responsibility

6. Understand and comply with the law

CDDFT Key Information Governance Staff

Caldicott Guardian – Dr Alan McCulloch

Senior Information Risk Owner – Sue Jacques(Chief Operating Officer and Director of Finance)

Data Protection Officer – Lisa Wilson(Head of Information Governance & IT Security)

FOI Lead – Joanna Tyrell (nee Jenkins)

If you are not sure, don’t disclose

and seek further advice from your

line Manager or Caldicott Guardian

Provide a Confidential Service

Protect individual’s information by recording relevant data, accurately, consistently, keeping it secure and confidential.

Inform a patient how their information is used and when it may be disclosed

Provide choice to patients to decide whether their information can be disclosed

Always look to Improve the way you/the organisation protects, informs and provides choice to the patient/clients/employees.

Improve

Protect Inform

Provide Choice

Improve

Personal information shared in confidence should not be used or disclosed further without the consent of the individual

(Common Law Duty of Confidence)

Comply with the Law

The Data Protection PrinciplesPersonal data must be:1.Processed fairly and lawfully2.Processed for specified purposes3.Adequate, relevant and not excessive4.Accurate and up-to-date5.Not kept for longer than necessary6.Processed in accordance with the rights of data subjects7.Protected by appropriate security (practical and organisational)8.Not transferred outside the EEA without adequate protection

Data Protection Act 1998 – It is your responsibility to understand the principles in relation to your role and your organisation

Comply with the LawCan you recognise a Freedom of Information (FOI) Act

Request?

Dear Sir/Madam

I would like to know

how much the Trust is

spending on the

refurbishment of the

A&E ward, due to be

completed in March

2007.

I would like a list of

the new medical and

non medical

equipment being

purchased for this

ward.

Yours sincerely

Mickey Mouse

Dear FOI Lead

I have recently

undergone an

operation on my hip at

your Trust and would

like to see all the

notes in my Health

Record regarding this

period of care.

Please give me an

indication of when this

information can be

provided to me.

Yours sincerely

Betty Boo

Which of A or B is an FOI request?

What you need to know about FOI

Gives the public the right to access/view all non-personal public authority information upon request

Requests must be in writing

All staff must know who their FOI Lead is and be able to access/refer to their contact details.

The requester may not and need not quote the FOI Act

The organisation must respond within 20 working days

Exemptions may apply for non disclosure – FOI Lead will determine this.

What you need to know about FOI

Penalties for non compliance with or breach of the Act applies to the:

•Organisation•Chief Executive•Possibly Individual staff

Follow the Records Management NHS Code of Practice

Best Practice guidance states:

All Staff have a legal and professional obligation to be responsible for any records which they create or use in the performance of their duties.

Any record created by an individual, up to the end of its retention period, is a public record and subject to Information requests (FOI and Subject Access).

Subject Access Request?Subject Access Request?

Record Lifecycle

Determine whether records are worthy

of permanent archival

preservation

Record Lifecycle

Creation Using Retention

Create & log Quality

information

Use/handle in accordance with Data Protection

Act

Keep/maintain in line with

NHS recommended

Retention Schedule

Dispose appropriately according to

policy

Appraisal DisposalC

lose

Rec

ord

Record Quality Information

Keep all types of information:

Accurate

Up to date

Complete – Including NHS Number

Quick and easy to find

Free from duplication

Free from fragmentation

}Better

Healthcare

Keep Information Secure

Follow Organisation Policies Protect Information Physically Practice Password Management Transfer Information Securely Report Breaches of Security to

Management

It is your responsibility to keep all personal and sensitive information secure

Information Governance is the responsibility of every

employee, so keep up the good work and aim to be 100%

compliant.

Further Guidance and useful links

DH: Confidentiality NHS Code of Practice

DH: Records Management NHS Code of Practice

The Data Protection Act 1998

The Freedom of Information Act 2000

The IG Policy Team website

The Department of Health website

Information Commissioners Office website (more information and guidance on FOI and DPA)