The Northern, Yorkshire & Humberside

NHS Directors of Informatics Forum

Information Governance Sub-Group

Yorkshire & Humber Area Strategic Information Governance Network (SIGN)

Minutes of the Meeting held on Friday 11th August 2017

1.  Present: Sue Meakin – Rotherham, Doncaster & S/Humber (Chair)

Amy Cooper – Sheffield Teaching Hospital

Joanne Sturdy – Sheffield Teaching Hospital

Sue Drury - IGA

Peter Wilson – Sheffield Teaching Hospital

Caroline Britten – Leeds Community Healthcare

Derek Stowe - Rotherham

Rachael Smith – SW Yorkshire

Carolyn Sampson – Sheffield Children’s Hospital

Barry Jackson – Embed

Caroline Million - Embed

Joanne Robertshaw – Rotherham, Doncaster & S/Humber (notes)

2.  Apologies: Steve Massen - Rotherham Doncaster & S/Humber

Gwen Ruddelsdin – Locala Community Partnership

Caroline Squires - NHS Calderdale CCG (THIS)

Adam Moseley – The Retreat, York

Jenny Pope – NHS Digital

Roy Underwood – Doncaster & Bassetlaw (Vice-Chair)

Sue Cross -

ACTIONS
2.  Minutes of the last meeting held on 14th July 2017 – Paper A
Leeds City Healthcare should read Leeds Community Healthcare.
The minutes were agreed as a true and accurate record.
3.  Action Points – Paper B
Apr 2017 (8) Data/IT Security – Sheffield LA had an event on 8th August and have moved on with the Gateway, but it does not appear to be moving forward for NHS partners across Yorkshire.
July 2017 (7) – GDPR – literature and action plans circulated to the group. Action for all group members to bring any papers they are working on to the group if they need advice or comments – action to be removed, but remains ongoing.
All outstanding/new actions are noted on Paper B
4.  Confidentiality, Data Protection, Freedom of Information and General Data Protection Regulations
GDPR – Chair asked the group if they had any other comments, etc, on the role of the DPO which was the subject for discussion at the July meeting. There were none, although PW said that his Trust had put their Data Protection Officer job description to a panel for banding consideration.
The topic for this month’s meeting is PIAs (or DPIAs) and Awareness.
PIAs (DPIAs) - Chair asked the group how their organisations were doing with PIAs. Some said that they were retaining the phrase PIA rather than DPIA, so as not to confuse their staff, as they had only just gotten used to using the term. Briefing notes have already been circulated to staff in some organisations and training was the next step. It was generally felt that PIAs were being completed or at least discussed at the beginning of most projects (although not early enough for some organisations) and that staff have found them useful, once they have begun to use them. One concern raised is that PIAs need to be reviewed (not just the content but the ownership) on a regular basis and that they do not become another “tick box exercise”. Another concern is that all PIAs must include a threat/risk analysis. One organisation sought advice from the ICO (they use their generic template), who explained more areas for detail to be included, and felt that the feedback was encouraging. Others have also used the ICO template, but streamlined it for their current use. Others appear to be using the IGA template. It seems the general consensus is that project teams are completing the PIAs either with IG guidance, or completing and submitting to IG for advice/guidance – that the IG role is as a support mechanism, which is how it should be. It was noted that you need an audit trail and that you need to understand your consent module, ie ask questions/provide information, otherwise consent is not “informed”. Chair agreed to send links to both ICO and IGA templates to the group.
It was agreed that it is the PIA completer’s responsibility to ensure the PIA is actioned – and this is something they are struggling to get across, as everyone thinks it is the responsibility of the IG team. Chair asked the group if their project teams knew what they needed to do – they said yes, some used checklists, etc.
CB understood that the Gateway Portal contained PIAs and thought that a template was available, but it was confirmed that the Gateway is only a repository for PIAs.
One question raised was that it would be advantageous to have an online template which could be downloaded, to enable multiple areas/services to contribute – ie writable pdf? PW agreed that if the group could provide generic guidelines, he could work them into a draft, as he was aware that one was currently being developed and he would see if he could obtain a copy.
Awareness – Chair asked the group how their boards/governing bodies were accepting the GDPR? Most found it hard work, that they have presented briefing notes, papers, presentations etc to their boards/bodies and have been thanked for doing so, and as yet had no feedback. It was felt that because GDPR did not come into effect till May 2018, that it was not close yet, so they did not need to worry, that they felt IG was on top of it. Some felt that their Trusts would have difficulty in identifying additional finances to cover for example the role of DPO, etc, until next financial year.
It was noted that people are taking more notice as it is being addressed more and more on TV (BBC website provides a GDPR Summary/social media in relation to accessing records), and people are listening – we need to continue to “drip feed” our boards/governing bodies.
Chair asked everyone present if their CEOs had received the email from the ICO – some said yes, others – no. Chair agreed to circulate to the group just in case.
CM made the group aware of a blog by Amberhawke in relation to hospital regulation fees being somewhere between £2,000 and £7,000. The group felt that if this was the case, it would have to be via derogation.
Concern was again noted in relation to proposed escalation in submission of SAR and FOI requests following inception, adversely affecting staffing and resources to process them within the shorter timescale.
The group noted various training providers currently advertising “certified” GDPR training/qualifications, but questioned who certified them, and how they can provide this when the content, etc, has not been confirmed. The courses cost around £2,000+.
It was noted that the ICO website has a section where you can see where you are with GDPR and those in attendance found this tool helpful – Chair agreed to send link to the group.
Actions: SMe, ALL, PW, SMe, SMe
5.  Regional/national Event Updates
-  CB made the group aware of a workshop being held in Leeds on 7th September 2017 by NHS Digital called National Data Opt-out Workshop – it is invitation only and this is available only if you complete a survey (not advertised).
-  IGA 2017 Conference – this was again raised due to oversubscriptions and location. SD confirmed that the IGA are looking into holding future conferences in more than one location, probably the south and the north to enable more people to attend.
6.  IG Education/Personal Development Updates
-  The new IG Training package was discussed and concerns were raised in relation to the administration of the package by individual organisations, as the tool does not provide evidence of completion, ie certificate, so how are you to provide evidence that you are compliant and how is this recorded. BJ confirmed that he has looked into this with the provider and that they have confirmed that you can set up administrators who would be able to run reports (even in batches), but this was yet to be confirmed by Health Education England.
Although some of the group were concerned about the length of time it took them (and they know about IG) to complete the new package (5 modules) – minimum 1 hour, they felt the content was up-to-date and informative – it made you think (some found it tedious). One advantage was that you could “dip in and out” if you did not have time to do it in one go, but you could not go straight to the multiple choice assessment, you had to work through the modules. This was felt to be appropriate for new starters, but it was felt this was too much to expect everyone to do annually.
As the new platform is now called “data security” training, rather than the old “IG” training, you will need to make staff aware when they are looking for it, and also anyone who will be reporting.
7.  Information Governance Toolkit
It was felt that there was nothing new to add and that no updates had been released.
8.  Confidentiality, Data Protection & FOI
-  CM noted she had received a response following her comment at last month’s meeting where her organisation received a subject access request from the DWP, and that her organisation refused to process without the subject’s consent. She received a response from NHS England saying that they could process without consent, which she felt was a breach of DPA; she felt this response was not sufficient and they have refused to process. BJ felt that, given the way the response from NHS England was worded, the underlying basis of their response may have been that, as the organisation which received the request (ie CCG) did not deal with direct care, consent was not applicable.
-  Chair asked the group if they were aware of the Herbert Protocol? They all said not. Chair confirmed that this came to light after her Trust received a recent request from the Police seeking information on a patient as they had gone missing and they were trying to find them using the Protocol as their legal basis for making the request. They confirmed that it related to “missing persons” who had Dementia/Alzheimer’s and that it was the family who applied to the police, and then the police to make the request to the Trust. Chair was concerned that, in this particular instance, the subject lived alone, therefore they must have had capacity, so where was the family’s authority to make the request to the police. The group noted that it was only a ‘protocol’ not law, so would be dealt with on a case by case basis, ie safeguarding, best interest test, etc.
9.  Data and IT/Information Security
-  Paper C circulated to group prior to meeting – Chair asked the group if they were aware of the paper, which was a consultation document that closed in Sep 2017. The group were not aware of the paper, but agreed to cascade to their organisation for awareness.
-  Article in NHE – circulated to group prior to meeting for awareness
-  PW asked the group if they knew when the N3 replacement (HSC) would be in place? There is a launch in Leeds in Sep 2017, but Chair agreed to check and notify the group.
-  Chair asked if anyone had received a recent Care Cert Alert in relation to passwords/datasets, as she appears to get a lot of them on a regular basis. The group confirmed that they do too, but relating to different alerts, ie NHS mail spam; relating to GPs who are not under their organisation; fake flashes, etc. DS noted that his Trust has adopted the NHS Digital approach of periodically sending spam emails to staff to see how many click on the links.
Action: SMe
9.  AOB
-  CB asked the group if they were aware of the London Child Health Hub refusing to take paper records, as they have recently sent some to them and received a response stating that they are sending them back, asking for written “summary” of the notes instead. She was aware that the law says that “paper records have to follow the child”? A group discussion took place, and some thought the Child Health Records were held electronically under SystmOne - one suggestion was that the records are scanned electronically and sent electronically. It was felt that as the organisation now knew that they were not accepting paper records, to send them regardless was putting the records at risk. One organisation said they send theirs via encrypted disc.
10.  Date and Time of Next Meeting
8th September 2017 – Lecture Room – 1-4pm
