CAF Demonstrator Programme
Citizen Portal Information Governance Model DRAFT v 07
PURPOSE OF THE DOCUMENT
- To set out a proposed approach to information governance arrangements for individuals, their families and carers to access and contribute to their records on-line via citizen portals. This paper is provided for information and to seek the views and directional advice from the NIGB on how development within the Common Assessment Framework (CAF) for Adults Demonstrators might best proceed.
The NIGB is asked to:
- Review the information governance arrangements planned for implementation in the CAF demonstrators, confirm whether the plans appear acceptable and identify any potential issues.
- Respond to specific questions in the paper on the level of authentication required (paragraphs 8 and 15).
Why are Citizen Portals Needed?
- CAF demonstrator sites and their suppliers are working with service users and carers to develop more integrated and personalised approaches to assessing, planning and delivering support that people need.
- One aspect of this is providing individuals with access to their own records so that they, supported by their families and carers, can take greater control and responsibility for decision-making in relation to meeting their own health and social care needs. A growing number of councils are looking at how they might provide such on-line facilities. This approach has also arisen within organisations involved in the CAF Demonstrator Programme who are planning to develop this facility.
- This development is broadly in line with the Information Revolution consultation document issued subsequent to the Liberating the NHS White Paper, helping give users control over their own records. It would support social care developments set out in A vision for Adult Social Care[1] on the potential for Social Work Practices and ‘portability’ of social care assessments, currently under discussion within the Law Commission’s review[2].
What Information will People have Access to?
- They will be able to access their own social care records (or health and social care records, where there is an integrated team). This may include: demographic information, assessments, care and support plans, individual budgets and care packages in place.
What Information Governance Controls will be in Place?
Individual Registration & Authentication
- Individuals will only have access to their own records, although they may also have access to the record of an individual for whom they are a carer, with the individual’s consent, or where they have lasting power of attorney (see next section).
- Where an individual wants to access their social care records, registration will be by:
- Individual requesting access on line via open area of the portal and recording some personal information (e.g. name, DOB, phone number, email address).
- Notification to social services of the request.
- Social services officer verifies request and sets up individual with access to their own records. This will be done by checking the personal information tallies with that held in the social care system and by contacting the individual to confirm that they made the request.
- Authentication will be by:
- user name
- password
- on-screen selection of characters from a secret word, PIN, fact or question.
QUESTION FOR NIGB:
Is the approach to authentication identified above sufficient? Is a lower level of authentication acceptable, e.g. password only?
- Audit trails will be maintained of all accesses to an individual’s record. Portals will automatically log-off an individual following a specified period of non-activity.
Sharing Individual Records with Families & Informal Carers
- Individuals may choose to allow family members, informal carers[3] and others to view their records when they are viewing the records themselves or give them print-outs.
- Individuals may also nominate family members, informal carers and others to be able to access their records. This includes:
- Individuals being able to nominate others to have access to their records.
- Individuals being able to request access to others’ records (e.g. family carer, lasting power of attorney), where the individual lacks capacity
- Registration will be by:
- Individual requesting access for family carer or carer making request themselves for access to the individual’s record, on line via open area of the portal and recording some personal information (e.g. name, DOB, phone number, email address).
- Notification to social services of the request.
- Social services officer verifies request and sets up individual with access. This will be done by checking the individual consents to the family carer access and checking that the personal information tallies with that held in the social care system.
- Authentication will be as for individual authentication, i.e.
- user name
- password
- on-screen selection of characters from a secret word, fact or question.
- There will be a quick and straightforward way for individuals to request to stop others from accessing their records, where they need to do so. This will be done via a request to social services officers in the CAF demonstrator sites. They will arrange for access to be stopped, notifying back to the individual and the person to whom access has been stopped.
Sharing Information with Formal Carers
- Some demonstrators plan to provide voluntary sector agencies which are supporting individuals with access to the individual’s records via the citizen portal. This is because many of these agencies are very small and do not have their own IT systems and so a web-based IT solution is required. Where this is the case, the workers or volunteers may have access to multiple individual records. To access these records, voluntary sector agencies will need to:
- Comply with the NHS and Social Care Record Guarantees. A voluntary sector IG model has been suggested by the CAF Demonstrator Programme, working with voluntary sector agencies. This model sets out details of how compliance will be evidenced and assured and NIGB advice has been sought on this separately.
- Authenticate individually, using either a) 2 factor authentication (user name, password and token, e.g. NHS smartcards or similar devices) or b) user name, password and shared secret.
- Only access an individual’s record with their consent. (see section above for means of seeking individual’s consent).
- Only access records of individuals with whom they have a direct support relationship, i.e. they are not able to search and retrieve records, only access individuals whose records they are set up to be able to access.
- Only access information which is appropriate to their role, i.e. role based access controls (e.g. support worker would not have access to assessments or individual budget information).
- Audit trails of records accessed and activities undertaken.
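The access rules listed above for voluntary sector workers (direct support relationship, individual consent, role-based areas, audit trail) can be expressed as a single access decision. The sketch below is an added illustration, not part of the CAF paper or any demonstrator system; the class, the role names, the area names and the sample identifiers are all assumptions, and it presumes the worker has already authenticated individually.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role-to-area mapping. The page gives one rule only: a support worker
# does not see assessments or individual budget information.
ROLE_AREAS = {
    "support_worker": {"demographics", "care_and_support_plan"},
    "support_broker": {"demographics", "assessments",
                       "care_and_support_plan", "individual_budget"},
}

@dataclass
class PortalAccess:
    roles: dict = field(default_factory=dict)      # worker_id -> role
    assigned: set = field(default_factory=set)     # (worker_id, individual_id)
    consented: set = field(default_factory=set)    # (worker_id, individual_id)
    audit: list = field(default_factory=list)      # append-only audit trail

    def _log(self, worker_id, individual_id, action, outcome):
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "worker": worker_id, "individual": individual_id,
                           "action": action, "outcome": outcome})

    def can_view(self, worker_id, individual_id, area):
        """Decide one access request and record it, allowed or refused."""
        pair = (worker_id, individual_id)
        allowed_areas = ROLE_AREAS.get(self.roles.get(worker_id), set())
        if pair not in self.assigned:
            outcome = "refused: no direct support relationship"
        elif pair not in self.consented:
            outcome = "refused: no consent"
        elif area not in allowed_areas:
            outcome = "refused: area outside role"
        else:
            outcome = "allowed"
        self._log(worker_id, individual_id, f"view:{area}", outcome)
        return outcome == "allowed"

    def withdraw_consent(self, worker_id, individual_id):
        """Consent withdrawal takes effect on the very next request."""
        self.consented.discard((worker_id, individual_id))
        self._log(worker_id, individual_id, "withdraw_consent", "done")

def demo():
    # Constructed sample data: one worker set up for one individual only.
    p = PortalAccess(roles={"w1": "support_worker"},
                     assigned={("w1", "ind-A")},
                     consented={("w1", "ind-A")})
    results = [p.can_view("w1", "ind-A", "care_and_support_plan"),
               p.can_view("w1", "ind-A", "individual_budget"),
               p.can_view("w1", "ind-B", "care_and_support_plan")]
    p.withdraw_consent("w1", "ind-A")
    results.append(p.can_view("w1", "ind-A", "care_and_support_plan"))
    return results, p.audit
```

Refused requests are logged as well as allowed ones, so the audit trail shows attempts to reach records outside a worker's set-up.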
QUESTION FOR NIGB:
Is two factor authentication required to access multiple individual records or is it sufficient to have the same level of authentication as for individuals (i.e. user name, password and shared secret)?
Information Access & Recording
- Some demonstrators will provide facilities for completing self- or supported- assessments, support plans and other forms on-line, passing them back to the social care system for processing or responding to. For example, a self assessment may identify the need for a more in-depth social care or holistic assessment, a support plan may be developed by an individual and their support broker, but need to be sent to a local authority for approval.
- The assessments and support plans may be completed by the individual or they may be supported in completing them, e.g. by a social worker, support broker or family member. If they are supported and someone else completes the form, then the individual must be able to view and sign off, to ensure they are happy with the forms before they go for processing.
- The author of the self assessment/support plan, and any sign-off, would be transferred with the document and held in the social care system. Audit trails would include information updated via the citizen portal.
- Where information entered into an individual’s record via the portal is uploaded into the social care system the author will be clearly identified. If the information recorded differs from that on the social care system, e.g. address has changed, then this will be flagged for a social services officer to review prior to updating on the social care system.
- Some demonstrators will provide individuals with access to their electronic records as recorded on social care systems. Where they do so, the local authority will have facilities to ‘seal off’ information prior to transfer to the portal, so that it is not included in the individual’s record displayed in the portal, where it may be harmful to the individual, e.g. where differential diagnoses have been recorded that may cause alarm to the individual prior to the outcome of investigations.
- The portal will enable individuals to flag up any errors in the information recorded and to request for the information to be removed (i.e. from view, although it would still be held on the system for audit). Individuals will also be able to provide comments and opinions on data provided by others, but will not be able to have it removed from view unless it causes them significant harm or distress.
Assessment of Risks
- The table below sets out an analysis of potential risks of the portal approach and how they will be mitigated:
| Risk | Mitigation Actions |
| --- | --- |
| A family member or carer takes advantage of access to the records of a vulnerable adult to abuse them in some way. | Safeguarding considerations will always be taken into account in providing access to vulnerable adults’ records, both in providing the individual with access and in regards to requests they make for others to access their records. This will be in line with the Local Authority POVA policies. |
| Some individuals are not able to cope with the complexity of the access controls (passwords, smart cards, etc.) | Provide other means of people accessing their records, e.g. on paper, on computer but with a support worker or professional. |
| People providing incorrect information or having correct information removed. | More in-depth assessment needed for calculation of individual budgets. Data recorded by other agencies cannot be changed (unless they are considered to be of harm to an individual), but opinions and comments can be made by an individual on data recorded by other agencies. Review of information before accepting changes for some types of data/ individuals may be required. |
| Voluntary sector worker or volunteer accesses records of people with whom they are not working by sharing passwords/shared secrets or smart cards. | Voluntary sector agencies will need to be compliant with Voluntary Sector CRG. This includes ensuring workers and volunteers are aware of the requirements on them and disciplinary/criminal procedures for inappropriate access to records. |
Testing the IG Model
- The CAF Demonstrators, acting on the NIGB's advice, would further test some of the practical implications and would be expected to identify other issues or risks. We would anticipate reporting back to the NIGB on progress at a suitable time.
APPENDIX TO CAF DEMONSTRATOR CITIZEN PORTAL IG MODEL
BACKGROUND
General
Through general contacts with councils and IT suppliers of social care systems, we became aware of a number of local approaches being taken to making social care, and wider council information available to the citizen through web-based on-line sites. These fell within the general term, ‘Citizen Portal’ and the local authority led CAF sites identified this as a development that they wanted to discuss and explore further.
CAF Demonstrators
The Common Assessment Framework (CAF) for Adults aims to improve the sharing of information from an individual’s assessment and care and support plan across a range of Health and Social Care organisations. It is intended that CAF will promote more efficient and timely exchanges of information and enable individuals to access and contribute to their own records. It will therefore provide a better experience and improved outcomes for people who use health and social care services and their carers.
There are currently 12 Local Authority led CAF partnerships demonstrating this work. Nine Phase 1 sites began work in January 2009 and three Phase 2 sites kicked off their projects in February 2010; the programme will complete by March 2012.
Citizen Portals
Citizen portals, in the context of the CAF demonstrator programme, will provide people and their families and carers with an on-line web-based way to obtain information and advice, to self assess and develop their support plans, and to access and contribute to their health and social care records.
For CAF’s purpose we have used ‘citizen portal’ as a generic term in order that the programme does not constrain thinking and development of alternative approaches/options in the various CAF sites. Citizen portals are described in more detail in the report, ‘Common Assessment Demonstrator Outcome of Citizen Portal Event Report’, which is available on the CAF Network, .
In general in the CAF demonstrators, citizen portals are being set up by local authorities, with the exception of one which is being managed by a voluntary sector organisation. They are being developed in a co-produced way with service users and carers and alternatives are being provided for those who do not want to use IT.
How this document was put together.
The document is based on discussions with some of the CAF demonstrator sites and their suppliers and the outcome of a citizen portal workshop held on 30th June 2010 with participation from all CAF demonstrator sites, including service users and carers.
CITIZEN PORTAL OVERVIEW
The CAF event identified five broad uses of citizen portals in the CAF Demonstrator Programme, with differing information governance requirements:
- Universal information and services. These are open areas, where there is no requirement to identify or authenticate individuals. Open areas include:
- on-line information about services, support, impairment / conditions, etc, made available directly through the portal, through links to universal information and advice portals, support directories and service catalogues.
- Open discussion forums/networks, available for anyone to participate.
- On-line ordering and booking of services, including local authority commissioned services, either directly through the portal or via links to other internet services, e.g. Shop4Support, Plan My Care, etc. Also facilities for individuals to provide feedback on services. These are open areas, but have secure facilities for buying on-line. Any purchasing will comply with industry standards for security (e.g. 128 bit encryption).
- Support networks, these are closed areas, enabling individuals, who register to them, to join support networks and to communicate with others within the network, e.g. a disabled people’s support group.
- Individual records, enabling an individual by themselves or with support to self assess, plan how to meet their care and support needs and access their own records. This may include accessing assessments, care and support plans and individual budget information recorded in the social care system. In addition, individuals may want their families and carers to access their records. This area may also include facilities for communicating via secure email with individuals in their support team. The IG requirements in this area are set out below.
- Management information. The information recorded in the portal may be used by local authorities for management purposes, such as needs analysis and market analysis, e.g. identifying gaps in the market through customer surveys, reviewing purchasing patterns and customer feedback on services, etc.
SOME IG ISSUES AND REQUIREMENTS FOR THE FUTURE
There are other information governance issues that have not been covered in this document as it is early days for citizen portals and their full potential has yet to be developed.
This section identifies some potential future issues and requirements that were identified at the CAF event. They are provided to give an indication of IG issues that need considering in taking forward citizen portals, but do not provide answers. They are only intended for information.
Consent to Information Sharing
Issues and requirements include:
- Management of consent permissions, i.e. using the portal to enable an individual to identify and manage their consent preferences. This may include which agencies and carers can view their records and what areas of their records they can see.
- Individuals being able to specify specific access rights for others:
- What areas of the record can be seen. For example, a personal assistant might only have access to an individual’s care and support plan, whilst a family carer might be able to see the whole record.
- What functions are available to others, i.e. view only or update records.
- People being able to choose simple (e.g. “all can access everything”) or more complex options for controlling information, so as not to put off those who don’t want to complete a complex process every time they complete a record/form; but give the option for those who do.
- People being able to change their consent permissions in a quick and straightforward way, so that changes are immediately implemented.
- Ability to view information on who has accessed their record. Again, this may relate to the portal or to back office systems and if the latter would need to pull this information through from the systems.
- Management of consent to publish information across portals. For example where an individual wants to update their demographic information and publish it across several portals, e.g. NHS, social care, Direct.Gov.
Secondary use of data