NHS 24
Data Protection Audit Report V1.0

Auditors: Christine Eckersley, Engagement Lead Auditor; Claire Chadwick, Lead Auditor; David Simmons, Lead Auditor

Distribution:

Draft Report: Dr Malcolm Alexander, Associate Medical Director; Alison Morton, Information Governance Manager; Sanny Gibson, Information Security Manager

Final Report: John Turner, Chief Executive; George Crooks, Medical Director; Dr Malcolm Alexander, Associate Medical Director

Date Issued: 2 December 2010

Contents

1. Background
2. Audit Opinion
3. Summary of Audit Findings
4. Audit Approach
5. Scope of the Audit
6. Audit Grading
7. Detailed Findings and Action Plan


1. Background

1.1 In January 2010, following a Privacy Impact Assessment presentation to the NHS Scotland Information Governance Network, ICO Scotland were approached by a representative of the Information Governance team at NHS 24.

1.2 NHS 24 requested that the ICO conduct an audit, in order to help them assess levels of compliance with the requirements of the Data Protection Act (DPA) and with good Information Governance practice and to raise awareness of these issues.

1.3 The ICO Audit Group agreed to conduct an audit for the purpose of identifying and promoting data protection good practice within NHS 24, to enable them to build upon initiatives already implemented in this area. This audit was at the request of NHS 24 and was not the result of a data protection breach.

1.4 Following further discussion between NHS 24 and the ICO Audit Group, regarding audit scope and availability of staff, arrangements were agreed for the audit to take place at NHS 24 Headquarters, Cardonald and the NHS 24 Contact Centre, Clydebank.

1.5 The audit was undertaken from the 24th to 26th August 2010.


2. Audit Opinion

Overall Conclusion

Limited Assurance (Medium priority)

On the basis of the work performed at NHS 24 we consider that the current arrangements in place, with regard to overall Data Protection controls, provide a limited assurance that adequate processes and procedures are in place and being adhered to.

NHS 24 proactively volunteered to participate in a ‘consensual’ audit to assist it in identifying good practice, to identify levels of compliance and to further raise levels of awareness of data protection concerns within the Board.

The level of assurance for Data Protection Governance has been assessed as reasonable (low priority). Two further reasonable assurance assessments have been provided for the processing of patient information and the processing by Human Resources of employee personal information. Examples of good practice identified in these areas are detailed below.

Three medium priority assessments have been made for Information Security, Training and awareness, and Information security incident reporting. The key findings are summarised below. The ICO recommendations focused on these areas are provided to improve the arrangements currently in place.


3. Summary of Audit Findings

Areas of Good Practice

In response to a combination of external audits, internal feedback and some new KPI reporting processes, NHS 24 is planning recommended improvements to some areas of IT and information security provision, Information Governance and Risk training provision.

Call handlers and nurse practitioners described regular checks/quality assurance of their work, to assess procedural compliance and quality.

NHS 24 employs ‘ethical hackers’ every 12 to 24 months to carry out penetration attacks on the network and assess system security.

Staff interviewed during the audit were aware that the IG policies were available on the intranet and also knew to contact the Information Governance Manager and Information Security Manager directly for advice.

Laptop builds have been configured to ensure no user data is saved to local portable drives but is instead saved to the main NHS 24 server. In this way NHS 24 is complying with the E-Health instructions and personal data is appropriately secured.

NHS 24 is building privacy impact assessments into its systems and processes and has participated in an ICO-run workshop to inform this activity.

Areas for Improvement

Responsibility for the security of NHS 24 buildings should be clearly assigned.

Policies should be reviewed and updated in line with NHS 24 document review dates to ensure currency of advice and content.

Data protection training and refresher provision should be introduced as planned, for all staff, including those at senior manager or executive level.

Information security incidents involving personal data should be included on KPIs or other Management Information, to measure and address issues of non-compliance.

Both the Information Governance Manager and the Information Security Manager should be formally informed about the nature of data sharing agreements, to assess DPA and Information Security considerations.

NHS 24 should ensure that the password requirement is sufficiently ‘strong’ for purpose.

At present NHS 24 do not provide specific data security training, which is key to ensuring staff understanding of the security of patient and staff personal data.

Staff have optional ‘secure printing’ of documents, from the printer queue following the input of their user password. However, ‘secure printing’ is not routinely used. This is a potential security risk for printed documents containing personal data, within the NHS 24 open plan working environment.

HR files should be appropriately weeded before archiving to ensure archived information is not excessive or being kept for longer than necessary, in line with NHS 24’s data protection responsibilities.


4. Audit Approach

4.1 The audit was carried out in accordance with the Information Commissioner’s data protection audit methodology, comprising a desk-based review of submitted policies and procedures, and an on-site visit including interviews with selected staff.

4.2 The audit field work was undertaken at the NHS 24 Headquarters, Cardonald Park, Glasgow and NHS 24 Contact Centre, Golden Jubilee National Hospital, Clydebank from 24 to 26 August 2010. This involved interviews with a wide selection of staff from senior managers to call handlers and discussion and observation of relevant procedures and processes.

4.3 Due to NHS 24 sensitivity regarding Auditor access to confidential patient records, it was not possible to examine the processing of incoming information against input to database records. However, Auditors were given guided access to the training database for familiarisation with relevant input fields and a number of interviews were undertaken with both call handlers and nurse practitioners regarding procedures for the receipt and processing of information.


5. Scope of the Audit

A wide audit scope was requested. This included:

a. Information Governance – to include organisational structure, roles, responsibilities, reporting, policy and procedures and risk management functions in respect of data protection issues.

b. Information Security – the processes in place to ensure appropriate technical and organisational measures are applied for the security of manual and/or electronic patient personal data.

c. The provision of staff training and awareness in relation to data protection issues.

d. The processes for the identification and reporting of data protection security breaches.

e. Clinical Records – data handling in respect of all clinical records, i.e. the receipt, processing, storage and weeding of patient personal data.

f. Staff data – data handling in respect of all staff records, i.e. the receipt, processing, storage and weeding of staff personal data.


6. Audit Grading

6.1 Audit reports are graded with an overall assurance opinion, and any issues and associated recommendations are classified individually to denote their relative importance, in accordance with the definitions in the table below. (The table's colour code column is not reproduced here; the colours did not survive extraction.)

Audit Opinion: Good assurance
Recommendation Priority: Minor points only are likely to be raised
Definition: The arrangements for data protection compliance with regard to governance and controls provide a high level of assurance that processes and procedures are in place and being adhered to and that the objective of data protection compliance will be achieved. No significant improvements are required.

Audit Opinion: Reasonable assurance
Recommendation Priority: Low priority
Definition: The arrangements for data protection compliance with regard to governance and controls provide a reasonable assurance that processes and procedures are in place and being adhered to. The audit has identified some scope for improvement in existing arrangements and appropriate action has been agreed to enhance the likelihood that the objective of data protection compliance will be achieved.

Audit Opinion: Limited assurance
Recommendation Priority: Medium priority
Definition: The arrangements for data protection compliance with regard to governance and controls provide only limited assurance that processes and procedures are in place and are being adhered to. The achievement of the objective of data protection compliance is therefore threatened.

Audit Opinion: Very Limited assurance
Recommendation Priority: High priority
Definition: The arrangements for data protection compliance with regard to governance and controls provide very limited assurance that processes and procedures are in place and being adhered to. There is therefore a substantial risk that the objective of data protection compliance will not be achieved. Immediate action is required to improve the control environment.


7. Detailed Findings and Action Plan

Findings flowing from the audit will be risk categorised using the criteria defined in Section 6. The rating will take into account the impact of the risk and the probability that the risk will occur.

The action plan table has four columns: Ref / Compliance Risk; Issues / Findings; Recommended Solution; Management Comments, Responsibility for Action and Due Date. Each finding below is followed by the recommended solution and management comments recorded against it.

7.1 Information Governance – to include organisational structure, roles, responsibilities, reporting, policy and procedures and risk management functions in respect of data protection issues.

Compliance Risk (a): To examine if there is a failure to identify and implement a system whereby data protection governance can be managed, measured and reported, raises the risk of the organisation having no visibility of how it is meeting its obligations, resulting in data protection issues not being identified and addressed.

7.1.1 The NHS 24 Medical Director is also the Caldicott Guardian and is the named NHS 24 Board member with overall Information Governance (IG) responsibility.
No action required.

7.1.2 The Caldicott Guardian is the ‘Executive Sponsor’ of the Information Governance Steering Group (IGSG) and is represented by the Associate Medical Director at IGSG meetings.
No action required.

7.1.3 The Information Governance Manager and the Information Security Manager are also members of the IGSG. Auditors were advised by the Senior Information Risk Officer (SIRO) that he is represented on the group by the Information Security Manager.
No action required.

7.1.4 The Head of Risk & Business Continuity is based in the Medical directorate and is responsible for devising and implementing relevant risk strategies in NHS 24. He has formal links with the Information Security Manager, who is a Deputy Risk Lead.
No action required.

7.1.5 There appears to be no formal mechanism for the Caldicott Guardian or Senior Executives to inform the Information Governance Manager, or Information Security Manager, about potential or approved NHS 24 data sharing agreements. This raises the risk that data sharing agreements may not always be assessed for compliance against relevant Data Protection legislation. The auditors were informed however that the IG Manager is made aware of and has the opportunity to challenge all instances of data sharing prior to sending of information, through controls applied by the information services team.
Recommended Solution 7.1.5: Both the Information Governance Manager and the Information Security Manager should be included in or informed about the nature of data sharing agreements, to assess compliance with the legal requirements of the Data Protection Act.
Management Comments 7.1.5(i): A new standing item to be added to the IGSG – Data Sharing Agreements. The Caldicott Guardian and SIRO will routinely be asked for details of any new data sharing agreements for review at the group. Action: AMD. By: Nov 10.
Management Comments 7.1.5(ii): PIAs will continue to be rolled out across the organisation.

7.1.6 Information Governance KPIs are provided to the Executive Team. The IG Manager assesses timescales / toolkit progression and compliance with the SAR 40 day deadline for DPA compliance. The IG Manager is also responsible for overseeing information access requests, policy, PIA issues, records management (including patient), and IG toolkit co-ordination.
No action required.

7.1.7 The Information Governance Manager ensures smooth running of and provides an administration function to the Information Governance Steering Group, which reports by exception into the National Clinical Governance Group and (via the Clinical Governance Committee) the NHS 24 Board.
No action required.

7.1.8 The IG Manager introduced Information Governance policy and procedures and deals with other DP issues including the FOISA publication scheme. However, there is no specific Data Protection policy and a number of documents reviewed (for example the IG Policy statement) have not been updated for some years. A policy review exercise is currently being undertaken which should assist in the process.
Recommended Solution 7.1.8: Policies should be updated as soon as possible and ongoing reviews should be undertaken, in line with NHS 24 document review dates.
Management Comments 7.1.8(i): A schedule of policy review will be put in place and monitored by the IGSG. Action: AMD/IGM. By: Nov 10.
Management Comments 7.1.8(ii): The Process Team will manage the policy review schedule on behalf of the IG and IS Managers. Action: ISM/IGM. By: Dec 10.
Management Comments 7.1.8(iii): Develop draft Data Protection Policy. Action: IGM. By: Nov 10.

7.1.9 There are no Data Protection representatives or staff forums below management level for discussion, dissemination or raising awareness of Data Protection issues within NHS 24.
Recommended Solution 7.1.9: Data protection ‘representatives’ at team or directorate level may be useful for the local discussion and reporting of DP issues and may assist the IG Manager in disseminating DP issues.
Management Comments 7.1.9(i): Refresh face to face training and awareness for all staff including senior management. Action: ISM/IGM. By: Feb 11.
Management Comments 7.1.9(ii): Develop communication plan re awareness of Data Protection. Action: ISM/IGM/Head of Internal Comms. By: Feb 11.
Management Comments 7.1.9(iii): Regional Governance Groups to add Information Governance and Security standing item on their agendas. Action: ADONs. By: Jan 11.

7.1.10 Risks containing an ‘Information Governance’ tab are transferred from the risk register to a separate IG risk register, which is ‘owned’ by the IG Manager. The risks are reviewed as part of the IGSG meetings.
No action required.

7.2 Information Security – the processes in place to ensure appropriate technical and organisational measures are applied for the security of manual and/or electronic patient personal data.

Compliance Risk (b): To examine if there is a failure to implement measures which adequately protect manual and electronically held personal data raises the risk of inappropriate access to, damage to, destruction or loss of data, leading to potential damage and distress being caused to the affected individuals and reputational damage to the Board.

7.2.1 The Head of Technology is responsible for NHS 24 networks, applications and hardware, new projects including defining requirements, programme management and supply management.
No action required.

7.2.2 The Information Security Manager is based in the Finance & Technology Directorate, reporting to the Technology Quality and Test Manager.
No action required.

7.2.3 The IS Manager role covers both physical and ICT security advice, input to the risk register, reviewing training provision and e-learning packages and the management of the Information Security Management System. Policies and procedures have been written to comply with the ISMS related ISO27001 standard, which has been subject to internal review but not yet a formal ISO assessment.
No action required.

7.2.4 It was reported that there is no clear responsibility for physical security within NHS 24 sites. This lack of clarity is in itself a security risk, due to the associated lack of accountability.
Recommended Solution 7.2.4: Responsibility for the security of NHS 24 buildings should be clearly assigned. As this relates to physical security of patient records and computer assets, it may be good practice to include this within the remit of Information Security.
Management Comments 7.2.4: Review ISM job description to expand, clarify, formalise and document the physical security aspects to ensure clarity of responsibility. Action: ISM. By: Mar 11.

7.2.5 There is no procedure to cover disabling of lost security badges and no formal procedure to cover issuing and tracking of temporary passes.
Recommended Solution 7.2.5: A formal procedure should be introduced for the disabling and tracking of building security passes.
Management Comments 7.2.5: Formalise procedure on completion of badge access system. Action: ISM. By: Dec 10.

7.2.6 NHS 24 operates its own dedicated network and domain (nhs24.net) covering all offices plus remote access to approx. 50 flexible workers. Flexible workers use VPN dual authentication access control. Remote users have limited access to their own shared drives and email only.
Management Comments 7.2.6(i): Refresh physical security and ID badge policies to ensure that they specify that all visitors require an NHS 24 host whose responsibilities include badge return at end of each visit. Action: ISM/Head of Internal Comms. By: Jan 11.
Management Comments 7.2.6(ii): Introduce Visitor Management software module with associated reception area badge readers on the badge access system to introduce further controls in this area. Action: ISM. By: Mar 11.

7.2.7 PCs are used by office staff and the use of the C: drive is disabled. Data is stored in server drives and departmental folders. Sound cards and the CD drive write function are also disabled.
No action required.

7.2.8 There are some weaknesses with ‘total view’ passwords regarding length option and expiry times, which raises access security risks.
Recommended Solution 7.2.8: As access control is dependent on password rather than smartcards or equivalent, NHS 24 should ensure that the password requirement is sufficiently ‘strong’ for purpose.
Management Comments 7.2.8(i): Review password policy and update password complexity requirements to provide enhanced protection and ensure the password requirement is sufficiently strong for purpose. Action: ISM/Head of Internal Comms. By: Jan 11.
Management Comments 7.2.8(ii): Investigate and implement alternative solution to nationally funded Identity Access Manager System. Action: ISM. By: Jun 11.

7.2.9 Secure printing is available via password protected queues but this is not the default and is a potential security risk for open plan working.
Recommended Solution 7.2.9: Where available, secure printing should be the default setting to ensure the security of, and appropriate access to, patient data.
Management Comments 7.2.9: Define Safecom pull print solution as the default print solution for NHS 24. Action: ISM. By: Feb 11.

7.2.10 NHS 24 now use KPMG as internal IT auditors as well as Audit Scotland, and the current event logging system has been recognised as an area for improvement.
Recommended Solution 7.2.10: The event logging system deficiencies should be mitigated by the reported NHS 24 planned purchase of a more efficient system.
Management Comments 7.2.10: Source a set of logging tools to address deficiencies. Action: ISM. By: Mar 11.

7.2.11 In Learning & Development, and recruitment, keys to cupboards containing confidential paper files are kept in a desk drawer or taken home by a member of staff.
Recommended Solution 7.2.11: Provision should be made for keys to confidential L&D and Recruitment files to be stored securely and to be appropriately accessible where required.
Management Comments 7.2.11: Complete.

7.3 The provision of staff training and awareness in relation to data protection issues.

Compliance Risk (c): To examine if there is any failure to implement measures which adequately ensure appropriate staff training and awareness of Data Protection issues raises the risk of inappropriate access to, damage to, destruction or loss of data, leading to potential damage and distress being caused to the affected individuals and reputational damage to the Board.

7.3.1 The Caldicott Guardian received a half day training course 5 years ago and has received no refresher training since undertaking the role. The Senior Information Risk Owner (SIRO) has received no formal training for his role.
Management Comments 7.3.1: Identify and procure formal Caldicott Guardian/SIRO training. Action: Head of L&D/ISM. By: Mar 11.

7.3.2 The Information Governance department carried out classroom based data protection training until about 18 months ago, when it was suspended due to the swine flu epidemic. However, there are plans to reintroduce the training, which will be mandatory and subject to compulsory refresher sessions every two years.
Recommended Solution 7.3.2: Data protection training and refresher provision should be introduced as planned, for all staff, including those at senior manager or executive level.
Management Comments 7.3.2: Relaunch updated IG & IS training. Action: ISM/IGM. By: Mar 11.

7.3.3 Staff currently complete the IG e-learning training, which is mandatory. Once the e-learning is complete it is logged electronically and reports can be produced showing who has completed the course.
No action required.

7.3.4 Auditors assessed the IG training content. This covers various aspects of IG including the DPA. The training covers principles 1 & 6 effectively, relating them to the NHS 24 environment, and gives practical examples on how these principles should be complied with at NHS 24.
No action required.

7.3.5 Principles 3, 4 & 5 are not dealt with in sufficient depth.
Recommended Solution 7.3.5: Principles 3 (adequacy and relevance), 4 (accuracy) and 5 (retention) should be more fully included in data protection e-learning to ensure staff awareness.
Management Comments 7.3.5: Rewrite e-learning module to ensure all principles are covered. Action: ISM/IGM. By: Feb 11.

7.3.6 Principle 7 is to be covered in other training, but at present there is no training on data security.
Recommended Solution 7.3.6: Data security training should be provided, to ensure staff awareness and support compliance with NHS 24 data protection responsibilities.
Management Comments 7.3.6: Relaunch data security training to ensure staff awareness. Action: ISM/IGM. By: Feb 11.

7.3.7 Auditors accessed the staff intranet to assess the availability of policies and procedures. The intranet is not user friendly and has a poor search facility, which did not always retrieve related items.
Recommended Solution 7.3.7: Improvements should be made to the search facility to assist staff in retrieving appropriate guidance.
Management Comments 7.3.7: Ensure redesign of intranet provides search facility fit for purpose. Action: Head of Internal Comms. By: Mar 11.

7.3.8 Guidance is not easily located; for example, IT related policies were accessed via the ‘HR’ link and all IG related policies were accessed under the ‘Medical’ link.
Recommended Solution 7.3.8: Placing guidance under a central heading, rather than by Directorate, may assist staff in locating relevant IT and IG policies.
Management Comments 7.3.8: Develop link to all policies from front page of intranet. Action: Head of Internal Comms/ISM/IGM. By: Dec 10.

7.3.9 The ‘data protection’ intranet link is empty. The IG policy statement provided to audit includes some basic guidance on DP principles, but auditors could not locate this document on the intranet.
Recommended Solution 7.3.9: NHS 24 to ensure that staff have full access to data protection information to ensure staff compliance with Data Protection legislation.
Management Comments 7.3.9: Populate DP link on intranet with basic DP guidance. Action: IGM. By: Dec 10.

7.3.10 A short term project is currently under way to review NHS 24 policies, fitness for purpose and staff awareness of them.
Recommended Solution 7.3.10: Findings from the project should be used to improve NHS 24 provision and staff awareness of policies.
Management Comments 7.3.10(i): Develop audit plan following outcome of project. Action: ISM. By: Dec 10.
Management Comments 7.3.10(ii): Implement Metacompliance to ensure staff awareness. Action: ISM. By: Mar 11.

7.3.11 A number of interviews were undertaken with NHS 24 staff regarding Data Protection training. All staff interviewed had completed either the IG e-learning or classroom training at least once, although in some cases this was a number of years ago. Not all staff could recall the content of the training.
Recommended Solution 7.3.11: Refresher training for staff should be provided to support compliance with relevant DP legislation.
Management Comments 7.3.11: Annual e-learning module to be completed for all staff. Action: Head of L&D. By: Feb 11.

7.3.12 All staff interviewed were aware that the IG policies and procedures were available on the intranet. However, in the case of specific queries staff would either consult the IG Manager or the Information Security Manager for advice.
No action required.

7.4 The processes for the identification and reporting of data protection security breaches.

Compliance Risk (d): To examine if there is any failure to implement measures for the identification and reporting of data security breaches raises the risk of the organisation failing to identify, mitigate or prevent further security breaches, leading to potential damage and distress being caused to the affected individuals and reputational damage to NHS 24.

7.4.1 The Information Security Manager is responsible for investigating all incidents involving personal data in addition to other IS incidents. ‘Incidents’ cover IT, manual and spoken information security breaches. The incident reporting policy is available to staff on the intranet.
No action required.

7.4.2 Auditors reviewed the NHS 24 Staff Information Security Policy (Incident/Risk reporting) and NHS 24 Security Incident Management Policy. The definition of incident in either policy does not clearly include the loss or compromise of personal data.
Recommended Solution 7.4.2: Loss/compromise of personal data should be included within incident reporting and managing policies to appropriately instruct staff.
Management Comments 7.4.2: Add to relevant policies during the IS policy review. Action: ISM/Head of Internal Comms. By: Mar 11.

7.4.3 The policy states that the IS Manager will carry out an annual audit of compliance, although no evidence was provided to support this.
Recommended Solution 7.4.3: The IS Manager should ensure the annual audit is completed to ensure compliance with the incident and risk reporting process.
Management Comments 7.4.3: Complete annual audit to ensure compliance with incident and risk reporting process. Action: ISM. By: Jun 11.

7.4.4 The process for escalating risk incidents to the IS Manager may be inadequate. Front line staff use the ‘AIR’ reporting system, which does not specifically define loss/compromise of personal data as an incident.
Recommended Solution 7.4.4: The Information Security Manager should ensure staff awareness of reporting requirements for information security incidents.
Management Comments 7.4.4: Roll out policies via Metacompliance. Action: ISM. By: Mar 11.

7.4.5 Only one incident has been reported to the IS Manager in 3 months. This was supported by interviews with call handlers and nurse practitioners which indicated a lack of knowledge and consistency in reporting incidents.
No action required.

7.4.6 The Head of Risk and Business Continuity devises and delivers risk training via the L&D department. However, he has received recent feedback from staff concerning a lack of understanding of the risk scoring system.
Recommended Solution 7.4.6: Risk training should be amended, as planned, to address this knowledge gap and support appropriate recognition and mitigation of identified risk levels.
Management Comments 7.4.6: Complete.

7.4.7 IS incidents are not a current KPI. Other than manually counting incidents, it is not possible to produce MI on incidents involving only personal data. This means that there is no evidence being presented to board level showing possible non-compliance with the DPA.
Recommended Solution 7.4.7: Information security incidents involving personal data should be included on KPIs or other Management Information, to measure and address issues of non-compliance.
Management Comments 7.4.7: Develop KPI for reported incidents. Action: ISM. By: Nov 10.

7.4.8 The AIR system is mainly used by frontline staff (call handlers/nurse practitioners etc). Guidance is available on how to complete the form on the Knowledge Management System, which is not generally used by NHS 24 support staff.
Recommended Solution 7.4.8: Guidance on the use of incident reporting systems should be widely available to all staff to ensure appropriate reporting of incidents.
Management Comments 7.4.8: Develop and disseminate incident reporting guidance for staff. Action: ISM/Head of Internal Comms. By: Mar 11.

7.4.9 The current corporate objective of an improved electronic risk system has not been implemented, as a hardware / software re-bid is currently pending.
Recommended Solution 7.4.9: The implementation of the new electronic risk system may assist in improving risk reporting, in particular if there is a provision for risk likelihood to be reported by staff as well as incidents.
Management Comments 7.4.9: This is part of the Strategic Frontline Application project and will be an ongoing process. Action: Head of Implementation - SFLA. By: ongoing.

7.5 Clinical Records – Data handling in respect of all clinical records i.e. the receipt, processing, storageand weeding of patient personal data.

e.

To examine if there isany failure toappropriately receive,store, process and weedpatient personal dataraises the risk ofinappropriate access todamage to, destructionor loss of patientpersonal data, contraryto the rights of patientsand requirements of theData Protection Act.

7.5.1
Finding: Incoming information is received via phone calls from members of the public. The majority of calls involve giving name, address, DOB and telephone number at the location.
Action plan: No action required.

7.5.2
Finding: The PRM system sends information on each patient contact to the GP via an interface to the GP out-of-hours system known as ADASTRA. The ADASTRA system only accepts information and cannot interrogate PRM.
Action plan: No action required.

7.5.3
Finding: The call handler checks incoming patient details against a version of the ‘CHI’ database, for accuracy and security. The national CHI database (Community Health Index) contains patient GP details including name, DOB and address held at the GP surgery. No medical details are accessible.
Action plan: No action required.

7.5.4
Finding: Call handlers/nurse practitioners also have access to ECS (Electronic Care System), which records patient medications and allergies. Some patients may also have a PCS record (Palliative Care Summary), which includes medicines and other care requirements.
Action plan: No action required.

7.5.5
Finding: Some trained call handlers perform a limited ‘triage’ (assessment) of symptoms based on a drop-down menu of symptoms, prior to transferring the call to an advisor, where appropriate.
Action plan: No action required.

7.5.6
Finding: Nurse advisors ask further clinical questions resulting in an ‘outcome’, i.e. referral to GP, ambulance, A&E, etc. The adviser completes a clinical summary and narrative account on the patient’s PRM record. The PRM system records the patient medical history and archived medical history.
Action plan: No action required.

7.5.7
Finding: Patients are always asked for consent concerning transfer of information (i.e. to A&E, Out of Hours Service, etc.). If no consent is given, patients are informed of the possible consequences. A warning of ‘data transfer consent not given’ appears if the ‘no consent’ box is ticked and a transfer is attempted.
Action plan: No action required.

7.5.8
Finding: Incoming information is stored on the electronic voice recording system or on the NHS 24 PRM system. It was reported that no paper patient files are used or kept by call handlers or nurse practitioners.
Action plan: No action required.

7.5.9
Finding: NHS 24 uses ‘electronic faxing’ for external services. A standard format record of the call, symptoms, etc. is forwarded to known contact numbers on the electronic system.
Action plan: No action required.

7.5.10
Finding: Information sharing may occur with the police, social services, etc., by nurse advisors. Where outside agencies are involved, the matter is sometimes discussed with the Team Leader. Confidentiality / need to know is always a priority, in line with Caldicott principles, and NHS 24 also provides procedural guidance on this.

7.5.11
Finding: In cases of computer ‘system malfunction’, call adviser notes from incoming calls have to be taken manually and are later ‘repatriated’ with the computer record. When the system is restored, the Team Leader allocates call handlers documents to ‘repatriate’ (input) into the system. However, it was reported that input of the repatriated documents is not checked for accuracy.
Recommendation: PRM records should be routinely checked against a sample of repatriation documents to confirm accuracy of transcription.
Action plan: Develop a method for auditing the accuracy of transcription of repatriated records.
Action: ADONs. By: Feb 11.

7.5.12
Finding: Repatriated records are held securely prior to archive with an authorised document storage company.
Action plan: No action required.

7.5.13
Finding: Call handlers and nurse practitioners were unaware of document retention periods; however, they are not responsible for any weeding or deletion of IT system information.
Action plan: No action required.

7.5.14
Finding: It was reported that the document retention policy is relatively new within the organisation and plans are in place to take this forward, with front line representatives being integral to the process.
Action plan: No action required.

7.5.15
Finding: Call handlers and nurse practitioners consistently described routine checks/quality assurance on their work. There is a monthly one-to-one with the team leader or senior call handler, who listens to recorded calls for QA purposes. A written record is kept of the monthly review and signed off by the call handler.
Action plan: No action required.

7.6 Staff data – Data handling in respect of all staff records, i.e. the receipt, processing, storage and weeding of staff personal data.

f. To examine whether there is any failure to appropriately receive, store, process and weed staff personal data, which would raise the risk of loss, inappropriate access to, retention of, or destruction of staff personal data, contrary to the rights of individuals and the requirements of the Data Protection Act.

7.6.1
Finding: NHS 24 main staff files are paper based and kept in lockable cupboards by HR in Cardonald HQ.
Action plan: No action required.

7.6.2
Finding: Electronic records are stored on the CIPHR database. HR also access payroll data to reconcile against entries on the CIPHR database.
Action plan: No action required.

7.6.3
Finding: NHS 24 is starting the migration to the new Scottish Workforce Information Standard System (SWISS) for HR, and this will eventually replace CIPHR.
Action plan: No action required.

7.6.4
Finding: CIPHR data sets are sent to SWISS, and HR system support staff can access NHS 24 staff details on SWISS as well as use the data to generate MIS reports.
Action plan: No action required.

7.6.5
Finding: Any files requested by third parties such as HR partners in regional offices will be couriered and tracked. However, if only part of the file is relevant, pages are scanned and emailed using the secure NHS.net, where available. Files will always be sent to regional HR Partners by default, rather than to a requesting line manager.
Action plan: No action required.

7.6.6
Finding: Nominated HR staff are responsible for ensuring all cupboards are locked at end of day and keys are secured in a key-pad key safe.
Action plan: No action required.

7.6.7
Finding: HQ based HR staff have the use of the secure Safecom printing option for three main printers on their open plan floor; however, this option has to be actively selected and is not the default setting.
Recommendation: Where available, secure printing should be the default setting to ensure the security of, and appropriate access to, staff data.
Action plan: Define Safecom pull print solution as the default print solution for NHS 24.
Action: ISM. By: Feb 11.

7.6.8
Finding: Old files are sent to an archive run by a commercial specialist, Iron Mountain, but are not weeded before being sent out. The HR manager is aware of the need to review this.
Recommendation: Files should be appropriately weeded before archiving to ensure archived information is not excessive or being kept for longer than necessary.
Action plan: Develop procedure for weeding information prior to archive.
Action: Head of HR Shared Services. By: Dec 10.

7.6.9
Finding: Staff interviewed had limited awareness of retention policies for files.
Recommendation: Staff should be made aware of the need to weed documents in line with NHS 24 retention policies, where appropriate.
Action plan: Develop HR procedures for records management.
Action: Head of HR Shared Services. By: Dec 10.