Next Generation IGT workshop sessions London 11 December 2015

Richmond House

Cathedral Room

10.30-3.00

Chair: Phil Walker IGA

Present

Delegate Name / Organisation
Phil Walker / IGA
Marie Greenfield / HSCIC
Richard Birmingham / HSCIC
John Hodson / HSCIC
Maha El Nasser / HSCIC
Stephen Elgar / IGA
Nicholas Oughtibridge / HSCIC
Nicola Gould / Frimley Park Hospital
Barry Moult / Colchester Hospital University NHS Foundation Trust
Jane Marley / Eastern Region
Jamie Sheldrake / South East CSU
David Stone / South East CSU
Amy Ford / South East CSU
Melaina Robinson / Nottinghamshire Healthcare NHS Foundation Trust
Johnathan McKee / Tavistock and Portman NHS Foundation Trust
Dhiraj Tailor / North Devon Healthcare NHS Trust
Phil Robinson / Imperial College
Mike Hughes / London NHS
Ranisha Dhamu / Brent Council
Jo Andrews / London North West Healthcare NHS Trust
Andrew Harvey / Western Sussex Hospitals NHS Foundation Trust
Caroline Andrews / Sussex Partnership NHS Foundation Trust
Stephen Moore / London Ambulance Service NHS Trust
Debbie Terry / NHS England

Themes for the day

  1. Look and Feel - be creative 10.45
  • Front Screen
  • General navigation
  • what would you keep/what’s redundant?
  • New features?

A demonstration of the IG toolkit Alpha version for small organisations was given. Points noted by the group were;
  • Liked the simplified look/interface
  • Noted that requirement numbering was missing and that this was important in the management and administration of the Toolkit work
  • The language needed to be more technical for larger organisations because of the complex nature of their business. The requirements needed to be written in a way that could be communicated to the technical experts in their organisations e.g. security or data quality
The workshop split into groups to discuss the look and feel of the toolkit and feel of the toolkit.
  • The requirements were more important than the look and feel.
  • It is more important to streamline the required evidence
  • Look at where evidence is duplicated and only submit it once
  • The look and feel of the small organisations was liked but the simplification would not be appropriate for IG staff in large organisations though could support broader use of IGT i.e. by non-experts.
  • Current site is too difficult to navigate.
  • Registration could decide what requirement set needed to be completed through a pre-assessment stage.
  • Current toolkit does not set goals and encourages a cut off at level 2.
  • Change request and exemption functionality is difficult to use
  • Where evidence expires in a situation where multiple evidence has been uploaded is it difficult to remove or update one file. The whole set of evidence must be deleted and uploaded again with corrections.
  • Update the reports for more relevant issues
  • Ticking is problematic as you don’t know exactly why a tick has been withheld from the requirement.
  • Revisit the data flow mapping to make it applicable to multiple situations such as the asset register or regional sharing communities.
  • Current toolkit is too slow and it crashes.
  • It cannot support the number of users trying to upload evidence in March
  • Link between local evidence holding systems and the toolkit
  • Drag and drop
  • Audit reports can be uploaded by anyone not just the auditors
  • Look at rolling over evidence and allow some evidence to be withheld if expired
  • Easier exemptions
  • Easier requests for change

  1. The Requirements 11.30
Performance reporting the possible options might be;
  • Retain the current scoring regime 0-3
  • Scoring 1-5 like a maturity model
  • More granular scoring to include half measures 0.5 - 1.0 - 1.5 - 2.0 and part completed requirements
  • 1-2 or a simple pass/fail
  • Align with CQC to have an outstanding/requires improvement
What are the strengths and weaknesses of the options?
Consider the burden/ impact of change?
Thinking about the high level requirements
  • What would you remove/add
  • Would you reconfigure e.g. merge
Thinking about the quality of interpretative guidance materials
  • What’s good
  • What would you improve

The group agreed that a separate workshop or working group was necessary to look at individual evidence sets to see where they could be reduced e.g. repetition of policies.
Some ideas put forward from the workshop were;
  • Risk based toolkit. Rather than looking at separate requirements expressed as attainment levels they could be expressed as risks requiring mitigation.
  • Align the requirements with CQC and NHS LA and other compliance regimes.
  • Must be relevant for Local Authority and their PSNC and code of connection
  • Frequency of assessments. Annual was thought still necessary because of other compliance frameworks.
  • The IGA needs to revisit the policy for a lot of the requirements to make sure they are still relevant e.g. offshoring
  • Is the financial sector security requirements to process credit cards and bank accounts relevant to the toolkit?
  • The scoring method needs to be revisited because the current pass/fail was very dramatic. A much more granular scoring would help.
  • Merged requirements if introduced would mean that the scoring would need to be revisited or there would be a disincentive to meet all the sections of a merged requirement if failing at one part.
  • Core set of requirements which were common to all and others which needed to be done but were not key to the policy direction of the NHS.
  • Map requirements directly against Data Protection Act principles and sections of the Act.
  • The mapping against DPA principles will add value and show exactly what the toolkit was achieving.
  • Update audit guidance
  • Evidence expiry could be managed better along with clarifying the reporting period of the toolkit. It might be different for certain organisations.
  • NHS did not see the benefit of baseline assessments but centrally they were used for Caldicott reporting
  • Can surveys be used to see if IG was embedded and staff new what to do?
  • Some roles in the toolkit were not fully worked out centrally and the policy needs to be looked at again eg privacy officer role
  • Requirements are limiting for the high fliers and encourage mediocrity by giving the pass mark as a level 2.

Break for Lunch (not provided) 12.15
  1. Audit vs Self-Assessment 12.45
Some possible options could be;
  • Peer review
  • Internal audit
  • External audit
  • Accredited auditors
  • Central audit
  • Self-assessment only with spot checks from one of the above
Consider the strengths and weakness of options
What would work
What wouldn’t work and why
Impact assess any change particularly burden/v benefits
The context of auditing and assessment/review there were no central resources presently assigned to progress this. The reviewing would be better if it considered the integration arrangements of a sharing community as well as individual IG toolkit assessments.
Some additional suggestions were;
  • Peer review was liked as long as arrangements were resourced to cover/backfill absences
  • Peer reviewers must not review each other’s organisations
  • Risk mitigation could identify national and local risks that needed assurance that they were being dealt with.
  • Current auditors are not trained to audit IG issues
  • IG managers are not trained to audit to a required standard
  • HSCIC would need to train or set the standard of training/reporting required through a revised audit handbook.
  • Organisations will not release staff to audit other organisations unless recompensed
  • The clinical coding audit might be the model because they are certified by a qualified coder
  • Local co-ordination was necessary through CCG and the contract implementation as HSCIC was not resourced to manage the process of assurance
  • Some shared components of the toolkit could easily be audited by the wider sharing community through a benchmarking exercise e.g. shared networks and consent/ privacy notices within a community of interest.
  • HSCIC might second staff from local NHS organisations to conduct auditing/peer review role.
  • Even through the toolkit would need to be submitted annually the audit/peer review does not have to have the same frequency eg every 3 or 5 years.
  • Audits would need to give organisations enough time to put things right if they were found uncompliant.
  • Auditors do not offer any new ideas for the IG toolkit but an IG manager would be able to add value to any audit through detailed feedback relevant to other IG professionals.
  • Any accreditation given must be taken away if it is not met upon audit.
  • There must be sanctions if the standard is not met
  • Audit the SIRO and Caldicott Guardian roles

  1. IGT and the broader organisation 13.30
How could the IGT adapt to become more relevant to the broader organization e.g.
generate:-
  • Board reports
  • Benchmarking materials
  • Performance indicators
  • What else?
How should materials be presented?
  • Knowledgebase
  • What should be in it?
  • How do we make it more useful?
Data flow mapping tool should we develop it?
The reporting functionality needed to highlight the value that IG added to the organisation. The outline areas of the small organisations alpha toolkit were important because they showed how IG was important for those areas. The current IGT domains were not so well understood outside of the IG community.
Some observations of the group discussions were;
  • The toolkit must support trusted partner sharing. If you need to ask more questions before you share it is not doing the job properly.
  • IG toolkit alignment against guidance provided by the IGA was one suggestion so show how the organisation was meeting national standards for IG.
  • The knowledgebase had the potential for being a great resource if it was updated.
  • Knowledgebase needs better searching or indexing/tagging
  • Put more social care examples in the knowledgebase
  • Reporting might be for certain groups e.g. patients/board/security/risk
  • IG managers wanted a dashboard showing where they were with each requirement in a user friendly display.
  • Some requirements might draw evidence from other systems e.g. incident management or risk management.
  • Show patients how safe their data/records are.
  • Change the name of the IG toolkit to show what it does e.g. IG Assurance Framework
  • Map ISO controls to assist with certification
  • Show which requirements are necessary for CQC and other regulators.
  • Where the toolkit overlaps with other integrated governance requirements these should be shown
  • Allow more exchange of examples amongst the local IG community to benchmark requirements.
  • The role of the SIRO and Caldicott Guardian need to be enhanced by the toolkit e.g. dashboard report

  1. Strategic position of the IGT 2.15
In the next few months/years the IG toolkit may be further integrated into other assurance mechanisms. This may include;
  • National contracts,
  • ICO,
  • CQC,
  • Litigation Authority,
  • professional standards,
  • NHS and social care information standards,
  • What else?

Phil Walker explained the strategic role that the IG toolkit will need to fulfill in the near future. These included;
  • Local sharing arrangements and the integration agenda
  • Cyber Security
  • Requirements may be set by the National Data Guardian
  • IG may increasingly be seen as part of clinical governance
  • The CQC will take a greater interest in IG and the assurance that the toolkit gives
  • Professionalism must be driven by creating IG experts whose expertise is based on the framework created by the toolkit.
  • The toolkit is likely to become more formal with more scrutiny

END

1