Information Governance Framework for National Managed Clinical Networks

Author: / Lorna Hall, National MCN Manager on behalf of NSD Short Life Working Group on Information Governance for NMCNs
Target Audience / National Managed Clinical Networks
Description: / Protocol on information governance of any clinical audit data collected by the NMCN either using the clinical audit system or another database
Version: / 1.1
Date Issued: / 20 November 2012
Contact: / Catriona Johnson –
Review Date: / TBC

Document Control Sheet

Title: / Information Governance Framework for National Managed Clinical Networks
Date Published/Issued: / 22/08/2012
Date Effective From:
Version/Issue Number: / Draft V1.0
Document Type: / Framework
Document status: / Final version circulated for electronic sign off by Project board
Author: / Lorna Hall
Owner: / NSD Clinical Audit System Board
Approver: / NSD Clinical Audit System Board
Approved by and Date
Contact: /
File Name:

Revision History

Version / Date / Summary of change / Owner
Draft V0.1 / 20/06/2012 / First draft by LIH following Short Life Working Group meeting 12th June 2012 / Lorna Hall
Draft V0.2 / 23/07/2012 / Revisions following comments on draft V0.1 from SLWG / Lorna Hall
Draft V0.3 / 23/08/2012 / Revisions inserted by LIH following comments from Patricia Ruddy and David Steel. Also additional proformas following comments from CAS Board meeting / Lorna Hall
Draft V0.4 / 14/09/2012 / Revisions following comments from Project Board / Catriona Johnson
Draft V0.5 / 26/09/2012 / Revisions following comments from C Johnson / Catriona Johnson
V0.6 / 20/11/12 / Revisions following comments from CAS project board meeting 02/10/12 / Catriona Johnson

Approvals

This document was formally signed off by:

Name: / Signature: / Title: / Date: / Version:

Introduction and Purpose

This document has been produced by the Information Governance Sub Group of the National Managed Clinical Network Clinical Audit System Project Board. It has been developed in consultation with experts in Data Protection and Information Governance to ensure that NMCNs are clear about and meet their responsibilities in relation to how information collected on behalf of the NMCN is managed; a key component of service agreements between NMCNs and their commissioning bodies.

The document serves as a template for NMCNs to complete that will enable them to demonstrate what is in place and how they meet these requirements. It explains what information governance is and why it is important. It also sets out specific legislative and good practice requirements that all NMCNs must meet, regardless of what data collection system is used. The term “Information Governance Framework for NMCNs” is used for the template.

The National Clinical Audit System (NCAS) has been developed as a national system to enable NMCNs to collect, share and report data to support continuous quality improvement in clinical care. As such, some information governance requirements have been addressed centrally. Most NMCNs have adopted CAS as their primary means of data collection and therefore the template has been prepopulated accordingly. This information is highlighted in green.

What if an NMCN is not using NCAS?

If an NMCN has opted to use an alternative data collection system, it is the responsibility of the NMCN to ensure that the system meets the requirements outlined within the framework.

[Network Logo]

Information Governance Framework for [insert name of Managed Clinical Network]

Contents

1. Document Control Sheet

1.2 Revision History

1.3 Approvals

1.4 Source of document

1.5 Distribution

1.6 Linked Documentation

2. Introduction

3. What is Information Governance?

3.1 Why is Information Governance Important?

4. Aim of this Framework

4.1 General Principles

5. Roles and responsibility within [name of NMCN] for Information Governance

Table 1: Information Governance Roles and Responsibilities

6. Managing the Data held by [name of MCN]

7. Sharing of Information

7.1 Statutory Restrictions on/ Requirements for Sharing Information

7.2 Requirements to share

8. Deposit and Long-Term Preservation of Data

8.1 Strategy for maintaining, curating and archiving the data

8.2 Data Selected for Preservation?

8.3 Disposal / Transfer of Sensitive Data

8.4 Archiving of the data

8.5 Preservation And Backup of data?

1. Document Control Sheet

Title: / Information Governance Framework for [name of National Managed Clinical Network]
Date Published/Issued:
Date Effective From:
Version/Issue Number:
Document Type:
Document status:
Author:
Owner: / [name of National Managed Clinical Network]
Approver: / [name of National Managed Clinical Network]
Approved by and Date:
Contact:
File Name:

1.2 Revision History

Version / Date / Summary of change / Owner

1.3 Approvals

This document was formally signed off by:

Name: / Signature: / Title: / Date: / Version:

1.4 Source of document

This Framework is available on the [name of network]’s website [insert link].

1.5 Distribution

This Framework and any associated documentation are available and applicable to all members of staff in the NMCN and to any appropriate third-party individuals or companies working on behalf of the NMCN.

This Framework will be reviewed annually or more frequently if appropriate to take into account changes to:

  • the system
  • personnel
  • legislation
  • guidance from the Scottish Government and/or the UK Information Commissioner

The review will be conducted in line with existing NMCN procedures.

This document has been distributed to:

Name: / Title/Division: / Date of Issue: / Version:

1.6 Linked Documentation

Document Title: / Document File Path:

2. Introduction

Good quality information underpins sound decision-making and supports continuous quality improvement in healthcare provision. It is important for:

  • Clinical governance (corporate accountability for clinical performance)
  • Corporate governance (meeting standards of accountability and integrity)
  • Service planning and performance management

Information must be managed securely, efficiently and effectively.

3. What is Information Governance?

Information governance is a framework for handling information in a confidential and secure manner to appropriate ethical and quality standards. It ensures that information is:

  • Held securely and confidentially
  • Obtained fairly and lawfully
  • Recorded accurately and reliably
  • Used effectively and ethically
  • Shared appropriately and legally.

Information Governance covers all types of information and everyone in NHSScotland is responsible for it. [name of MCN] must comply with guidance and legislation from a number of sources and make sure that all employees know their responsibilities in respect of:

  • The Data Protection Act 1998
  • The Freedom of Information (Scotland) Act 2002
  • Confidentiality: NHSScotland Code of Practice on Protecting Patient Confidentiality
  • Records Management
  • BS7799 and ISO 17799 Information Security Standards
  • Data Quality Assurance
  • Caldicott Guardians
  • The Common Law
  • Professional Guidance, for example from the General Medical Council or the Nursing and Midwifery Council

All NHS Staff are accountable to their employing NHS Board’s Chief Executive.

3.1 Why is Information Governance Important?

It is important because effective information governance helps patients to:

  • be confident about how NHSScotland handles their information
  • be sure that information about them will only be shared with those who need to know
  • receive the best care through sharing information

Taking simple steps can help improve patient care e.g.:

  • clearly explaining how personal information will be used
  • giving people clear guidance on how to make any concerns and comments known
  • making sure that information about governance is accessible by making it available in a variety of formats

By doing this [name of MCN] is able to demonstrate that the rights of individuals are respected.

Information governance relies on staff involved in the NMCN working with others to ensure good communication, effective teamwork and sharing of good practice.

4. Aim of this Framework

[Name of network] aims to provide safe, effective and person centered care. To achieve this, it must ensure that appropriate information is available when it is needed, accessed only by those who should have access to it, and that it is correct and up to date.

This Framework sets out the information governance and access arrangements for the collection and management of clinical audit data within [name of network]:

  • Defines requirements and arrangements for the legal, secure, confidential and ethical access to information held on any clinical audit system by authorised users for a defined purpose(s)
  • Sets out the role and remit of its [e.g. Information/Data/Continuous Quality Improvement] subgroup and related governance arrangements
  • Identifies the data controller(s) and data processor
  • Sets out consent and access to information processes
  • Sets out the data reporting required by NSD for performance management purposes; a complete and up to date Framework may then be used by the NMCN as valid evidence of compliance with information governance requirements

4.1 General Principles

Caldicott principles apply. [name of NMCN] will:

  • Justify the purpose(s) of using confidential information
  • Not use patient-identifiable information unless it is absolutely necessary
  • Use the minimum necessary patient-identifiable information that is required
  • Enable access to patient-identifiable information on a strict need-to-know basis
  • Ensure that everyone with access to patient-identifiable information is aware of their responsibilities
  • Understand and comply with the law

5. Roles and responsibility within [name of NMCN] for Information Governance

Responsibility for putting in place and maintaining up-to-date information governance arrangements should be delegated to a dedicated sub group of the NMCN Steering or Executive Group. This includes ensuring that all key roles and responsibilities for the system are clear and are operational.

[Insert name of the sub group with delegated responsibility for establishing, monitoring and overseeing information governance arrangements e.g. Information Governance Group/Audit/Continuous Quality Improvement Group].

5.1 Terms of Reference for the Group, including current membership and role and remit

[insert terms of reference for the above Group]

5.2 Specific Roles and Responsibilities

Table 1 sets out specific roles and responsibilities in relation to information governance. Depending on circumstances these roles and responsibilities may be fulfilled by individuals/functions in a range of organisations. Each NMCN should complete the table to reflect its individual circumstances.

C:\Documents and Settings\louism04\Local Settings\Temporary Internet Files\OLK209\NMCN Information Governance Guidelines v1 1.doc

Table 1: Information Governance Roles and Responsibilities[i]

Role / Responsible organisation(s) / National Managed Clinical Network (NMCN) / NHS Board(s) / NSS / Individual system steering group or equivalent / Independent contractors e.g. GPs / 3rd parties, e.g. commercial contractors
Data controller(s)[1] / 14 NHS Boards and NSD are Data controllers in common (Definition: Data Controllers who each share personal data on data subjects for different purposes with each remaining individually responsible for the processing they have carried out on the personal data.)
In the case of CAS, the 14 Boards are aware of and have agreed their role. If the NMCN is using any other system, agreement must be sought by the NMCN from individual NHS Boards.
Data controller(s) of any linked national system[2]
National Executive Lead
System Administrator
Data processors / In the case of CAS the data processor is NHS National Services Scotland.
Awareness and training
  • development
  • delivery
/ Nominated Data Manager
Quality assurance of data input
Integrity of the database
Ongoing access security management
Monitoring adherence to the protocol
Audit
Dealing with (suspected) breaches, e.g.
  • who is responsible for informing the ICO if applicable?
  • Whether/ how / by whom are patients notified in the event of a breach

Dealing with disciplinary arising from breach investigations
Dealing with Disclosures of Information:
  • Subject Access
  • FOISA
  • Police
  • Research & Development
  • Service audit

Dealing with statutory limitations on disclosure of information
Other

6. Managing the Data held by [name of MCN]

6.1 Process for gaining consent

[Articulate the process for gaining patient/parent consent and what processes are in place should they choose to opt out. Should an individual choose to refuse or limit the use of his/ her information, the implications of such limitation or refusal must be clearly explained and the discussion clearly recorded in his/ her health record.]

6.2 Description of the data held

[Describe the type of data held]

6.3 Purposes for which the data are to be used

[Describe how the data is used by the MCN. This should include a statement that the patient data collected by the NMCN will be used by NSD, as a Data Controller in common, to produce management information for strategic purposes e.g. service planning and audit]

6.4 Access rights

[Describe arrangements for people who wish to see their personal data and include the network’s verification procedure. Confirm whether or not the system is capable of enabling them to see who has had access to their personal data.]

6.5 Data Processing

Using a Data Processor, whether the supplier of the CAS product or another, has significant legal consequences for the NMCN Data Controllers: they must have a written agreement/contract in place governing the processing, specifying how it is to be done and the security safeguards that must be deployed. This is often referred to as a Data Processor agreement; the most recent guidance on this came out in 2011: CEL (2011) 25 -

6.6 Management of user accounts

There is a growing focus on the control of access to systems. Include a statement on who authorises access to user accounts, how they are kept up to date and how access is audited. Details can be obtained from the system supplier/developer.

6.7 Secondary use of data

The policy position on the secondary use of personal health data was set out in the final report of the CSAGS Committee in 2002: , chapter 7 specifically refers.

In summary:

  • Explicit consent is necessary for use of personally identifiable data for research uses e.g. clinical trials (with exceptions 'within provisions of Data Protection Act, section 33 and approval of Caldicott Guardians, and Ethics Committees')
  • Implied consent is acceptable for secondary/'additional' uses e.g. disease registries; epidemiology; national data banks (subject to some caveats: inform, act on refusals)

7. Sharing of Information

Sharing information about individuals is central to effective care and supports seamless health care as they move between various levels of healthcare. In addition, there is increasing emphasis on integration and multidisciplinary care. It is therefore essential that healthcare professionals are able to communicate and share information in order to provide the best possible care for patients.

Patients expect their personal information to be shared between NHS organisations that provide them with services. However, they also expect that sharing is safe, secure and only the information that is relevant is shared.

Even though explicit consent will not be relied upon for some of the purposes identified above, each organisation must ensure that Data Protection Act ‘fair processing’ obligations are met.

7.1 Statutory Restrictions on/ Requirements for Sharing Information

There are limited circumstances where the law restricts the disclosure of information. NHSScotland classifies the following as “highly sensitive” and requires staff to be especially vigilant when dealing with it:

  • The Human Fertilisation & Embryology Act 1990 limits the circumstances in which information may be disclosed by centres licensed under the Act.
  • The Abortions Regulations 1991 limit and define the circumstances in which information submitted under the Act may be disclosed (places restrictions on the DPH).
  • The Gender Recognition Act 2004 - Applicants to the Gender Recognition Panel are required to supply evidence from a medical practitioner in support of their application. As ‘protected information’ covers all information that would identify a person as being a transsexual, if successful in their application a new health record must be created so that protected information is not disclosed.
  • Multi-Agency Public Protection Arrangements (MAPPA) - the "responsible authorities" tasked with the management of registered sex offenders, violent and other types of sexual offenders, and offenders who pose a serious risk of harm to the public.

7.2 Requirements to share

There are a small number of situations where [name of network] will be required under statute/ regulation to notify appropriate authorities about a particular condition/ situation. For example:

  • In some circumstances, the law (The Public Health (Scotland) Act 2008) requires clinicians to disclose information irrespective of the views of a patient, e.g. if patients contract certain notifiable diseases. The Data Protection Act requires that the patient be told about the disclosure.
  • Counter Fraud Services have the responsibility for investigating all NHS fraud allegations and NHS bodies must seek advice from Counter Fraud Services at the earliest possible stage where these allegations may involve their own organisations (CEL 18 (2009)).

Useful references:

  • Intra NMH Information sharing Accord
  • Accessing Personal Information on Patients and Staff: A Framework for NHSScotland

8. Deposit and Long-Term Preservation of Data

8.1 Strategy for maintaining, curating and archiving the data

Hosting of the Clinical Audit System will be undertaken by National Services Scotland (NSS) Information Management and Technology (IM&T). National Information Systems Group retain a service agreement with IM&T for this element of the service.

If any other system is in use, describe the long-term strategy for maintaining, curating and archiving the data.

8.2 Data Selected for Preservation?

[On what basis will data be selected for preservation? How long will data be kept? Ideally include definite figures.]

8.3 Disposal / Transfer of Sensitive Data

[How will the network dispose of/ transfer sensitive data, including a justification of decisions]

8.4 Archiving of the data

[Where and how will data be archived, e.g. deposit in a public repository or existing database? Transmission of data: encryption if appropriate.]

8.5 Preservation And Backup of data?

[What procedures are in place for preservation and backup of data? How regular is this? By whom? Methods used?]

The CAS has an incremental back up (changes since last back up) taken each night. A full back up of the databases is taken on a Friday. All back ups are held for 12 months.

[1] Where there are multiple data controllers, specify whether these are “joint” (using the same data for the same purpose) or “in common” (using the data for different purposes)

[2] They need to be involved to ensure clarity about who needs to do what when national IT systems are required to exchange data