The IG Handbook

The Information Governance Handbook

Contents

Meet the Information Governance & Health Records Teams 3

Senior Information Risk Officer (SIRO) and Caldicott Guardian 4

Information Governance & Health Records Functions 5

What you should know about IG 6

Data Protection & Caldicott Principles 8

Freedom of Information Act 2000 (FOIA) 9

Subject Access Requests (SARs) 10

The Medical Records Commandments P.R.E.V.E.N.T.I.O.N 11

Security and Confidentiality Guidance for Agile and Remote Access Working 12

Reporting IG Incidents 13

IG Governance and Management Framework 14

Information Asset Ownership 15

Relevant Policies, Procedures and Websites 16

Meet the Information Governance & Health Records Teams

Michelle Brammah
Trust Data Protection Officer
E: [email protected]
E: [email protected]
T: 01772 695387
M: 07507 847592

Sue Stone
Information Governance Specialist & RA Agent
E: [email protected]
T: 01772 773799
M: 07507 856966

Becky Drake
Information Governance Project Support
E: [email protected]
M: 07966 414567

Gayle Ashton
Health Records & Clinical Coding Lead
E: [email protected]
T: 01772 773601

Kathryn Singleton
DPA Access Administrator
E: [email protected]
T: 01772 773485

Senior Information Risk Officer (SIRO) and Caldicott Guardian

Senior Information Risk Officer (SIRO)

The SIRO is an Executive Director, currently the Chief Finance Officer, Bill Gregory, with overall responsibility for managing organisational information risk and ensuring that appropriate assurance mechanisms exist.

The SIRO is expected to understand how the strategic business goals of the Trust, and those of other NHS organisations, may be impacted by information risks, and how those risks may be managed.

The SIRO is responsible for:

overseeing the implementation of Information Risk Policy and Strategy;

providing advice to the Chief Executive Officer (CEO) on the content of the Statement of Internal Control in regard to information risk;

taking ownership of and reviewing the information risk assessment process, reviewing and agreeing actions, and identifying controls and assurance against the risks;

ensuring the Board is adequately briefed on information risk issues.

The SIRO will be supported by a Deputy SIRO, currently Damian Parkinson, Director of Health Informatics. The role of the Deputy SIRO will be approved by the SIRO. The Deputy SIRO will receive delegated responsibilities and carry out duties assigned by the SIRO on their behalf.

Caldicott Guardian

The Caldicott Guardian acts as the 'clinical conscience' of the organisation and ensures that the Trust satisfies the highest practical standards for handling personal identifiable information. The role comprises strategic, advisory and operational aspects to ensure that patient and service user confidentiality is respected and maintained.

Dr Richard Morgan is the Trust Caldicott Guardian and is currently supported by Dr Ayesha Rahim, the Deputy Caldicott Guardian.

The Caldicott Guardian role involves:

promoting a confidentiality culture, making sure the Trust upholds the highest standards and best practice on confidentiality;

actively supporting work to enable information sharing where it is appropriate to share, and advising on options for lawful and ethical processing of information;

acting as arbiter when there is disagreement about a process potentially impacting on confidentiality.

Information Governance & Health Records Functions

Information Governance

Information Governance provides a framework to bring together all the legal rules, guidance and best practice that apply to the handling of information, allowing:

implementation of central advice and guidance;

compliance with the law;

year on year improvement plans

The IG Team provide advice, guidance and support services for the following functions:

Information Asset Ownership, registration and Data Flow Mapping

Information Governance Training requirements

Confidentiality and Caldicott Principles

Information Governance Incidents

Data Protection Impact Assessments

Information Sharing Agreements

Data Processing Agreements

Data Transfer Agreements

Sharing Information and Fair Processing

Freedom of Information Requests

Information Security

Information Governance Awareness

SIRO & Caldicott Guardian

Department Policies and Standard Operating Procedures

Legislation and Regulation including:

Data Protection Act

Freedom of Information Act

Gender Recognition Act

Privacy of Electronic Communications Regulations

Health Records

The LCFT Health Records Department endeavours to meet a high standard in all aspects of its work. We work collaboratively with many other services such as Information Governance and the IT Department. We are governed by numerous legal and statutory responsibilities.

Our services include advice, guidance and support for the following:

Records Management including Retention Schedules

Clinical Coding

NHS Numbers

Subject Access Requests

Records Archiving

Records Digitisation and Quality Checks

Records Retrieval

Health Records Incidents

Electronic Document Management System (EDMS)

SIRO & Caldicott Guardian

Departmental Policies and Standard Operating Procedures

Legislation and Codes of Practice including:

Data Protection Act

Gender Recognition Act

Access to Health Records

Records Management Code of Practice for Health and Social Care

What you should know about IG

Information Governance is the responsibility of everyone.

You need to:

understand what Information Governance is;

encourage good practice, seek to improve and learn from errors;

be open and transparent with those you care for, to ensure they are fully informed;

keep confidential information confidential;

share confidential information appropriately;

ensure the information you record is accurate and accessible.

Information Governance:

Enables organisations and individuals to ensure that information is handled legally, securely, efficiently and effectively in order to support delivery of the best possible care.

Supports

high quality care;

compliance with the law;

implementation of central advice and guidance; and

year on year improvement.

Covers

confidentiality & data protection

freedom of information (FOI)

information sharing for care and for non-care purposes

information security and risk management

information quality and records management for both care and corporate information

Encourage good practice, seek to improve and learn from errors

Help your team achieve best practice. Make sure you follow the relevant procedures or processes in your organisation. If you identify ways in which information handling can be improved in your work area share your ideas with your colleagues.

Take up any education and training offered to develop your awareness of the legal and organisational requirements when handling information. Participate in assessments of Information Governance in your area to develop and strengthen your understanding of Information Governance.

Don't be afraid to speak up about shortcomings. If you have any concerns about standards or practices in your department, talk with other members of your team or your supervisor or manager. Work with colleagues to learn from mistakes and escalate issues where appropriate.


Be open and transparent with those you care for

You should be able to clearly explain how the information about those you are caring for is used and with whom it may be shared. Refer to the Protecting your Information booklet and use it to reinforce what you have said.

Ensure that you tell those you are caring for about how their information will be used and shared and listen to any concerns they may have.

Be open and honest with those you are caring for and ensure they have sufficient information to make an informed decision about the use of their personal information.


Keep confidential information confidential

Do not share your access passwords with others. Ensure you "log out" once you have finished using a computer. Do not leave paper records unattended. Lock rooms and cupboards where personal information is stored.

Bear in mind that you could be overheard and do not discuss personal information about those you are caring for on the bus, in corridors, lifts or the canteen!

When sharing or transferring information or storing it on a mobile device, ensure that you understand and comply with the organisation's policies on encryption and secure

Share confidential information appropriately

Work with your colleagues to understand the information sharing that will benefit those you are caring for and make it happen, subject to the wishes of the individuals concerned. From 1/10/15 organisations are legally required to share information when it is lawful for them to do so where it would facilitate an individual’s care.

You will normally need consent before sharing confidential information beyond the care team. If a legitimate need to disclose without consent is identified, senior personnel must make the decision, so understand the Trust’s policies and procedures.

Only disclose confidential personal information to those who legitimately need to know to carry out their role. The information the care team needs to know will be different from the requirements of admin and clerical support staff.

Ensure the information you record is accurate and accessible

Ensure the information you record is accurate, legible and complete and if possible, verify personal information with those you are caring for.

Understand and follow the organisation's procedures for record creation, e.g. file names, version control, filing and storage. This will help to ensure that the information can be located and retrieved in a timely manner.

Follow your organisation's procedures for tracking records, booking them out of filing systems, keeping them safe in transit and preventing unauthorised viewing.


Data Protection & Caldicott Principles

Data Protection Principles

1. Lawfulness, fairness and transparency

2. Purpose Limitation

3. Data minimisation

4. Accuracy

5. Storage limitation

6. Integrity and confidentiality (security)

7. Accountability

The Caldicott Principles

1. Justify the purpose(s) of using confidential information

2. Only use it when absolutely necessary

3. Use the minimum that is required

4. Access should be on a strict need-to-know basis

5. Everyone must understand his/her responsibilities

6. Understand and comply with the law

7. The duty to share information can be as important as the duty to protect patient confidentiality


Freedom of Information Act 2000 (FOIA)

The Freedom of Information Act 2000 (FOIA) was passed on 30 November 2000. The Act gives a general right of access to all types of 'recorded' information held by the Trust. It sets out exemptions from that right and places a number of obligations on the Trust. The Act came into force in January 2005.

People already have the right to access information held about themselves under the Data Protection Act. This is known as a 'subject access' request. The FOIA extends these rights to allow people to request access to non-personal information held by the Trust. However, the Trust will not be required to release information to which an exemption applies; for example, information may not be released if it would prejudice national security or law enforcement.

The Act gives applicants two related rights:

the right to be told whether the information exists;

the right to receive the information.

The Act places a duty on the Trust to adopt and maintain a publication scheme approved by the Information Commissioner. The scheme sets out the type of information the Trust publishes, the form of information published, and explains any charges that may apply.

If you would like to know more or wish to make a request for information, please contact the Information Governance Team at:

Address: Lancashire & South Cumbria NHS Foundation Trust, Sceptre Point, Sceptre Way, Walton Summit, Preston, PR5 6AW

Telephone: 01772 695300

Email: [email protected]

PLEASE NOTE: If a request for corporate information is received by your team, please forward it to the FOI mailbox as soon as possible.

Subject Access Requests (SARs)

Under the Data Protection Act individuals have the right to access their health records.

Staff who are service users must not access their own health records, or those of family members or friends, without submitting a formal written request in compliance with the procedures documented in the Access to Health Records Policy. Failure to do so may result in disciplinary action.

Informal Subject Access – Good Practice

There are occasions when there is no necessity for the Service User to make a formal application to view their records. If a Service User requests to view their records whilst still receiving care, it is considered good practice for the Health Professional to go through the record or to allow the Service User to read the record in a supervised environment. Informal access is not considered to be an application under the terms of the Data Protection Act.

On receiving a request for informal access the appropriate Health Professional must arrange a suitable appointment with the applicant so that the records can be reviewed. Third party information must be removed from the records before informal disclosure is made. The records also have to be reviewed by a medical professional to redact any information which may cause distress or have a detrimental effect on the patient.

Under no circumstances should the applicant be left alone with their records, either paper or electronic.

Informal disclosure must be noted in the Service User's record. If informal disclosure is not possible then the Service User has the right to submit a formal application in compliance with the Data Protection Act.

Formal Subject Access

Formal subject access gives individuals the right to gain access to personal data held about them. The individual is required to make a written request for this information. A formal request application form can be found at the back of the Access to Health Records Policy. Subject access rights include:

to be informed whether personal data is being "processed". Processing includes the collection, use, storage, disclosure and subsequent destruction of information relating to living individuals;

to be provided with a description of the data held, the purposes for which it is processed and a description of those to whom the data is or may be disclosed;

to be provided with a copy of the information constituting the data within 1 calendar month of the Trust receiving the application;

to be provided with information to identify the source of the data.

Please read the Access to Health Records Policy or visit the Health Records SharePoint site for further advice and guidance around subject access requests, including exemptions to the Act.

The Medical Records Commandments

P.R.E.V.E.N.T.I.O.N

PLEASE ensure records and case notes are tracked if removed from clinics or record stores.

Please use local standard operating procedures to ensure patient records or case notes are accurately tracked whenever they are removed from clinics or records stores. A patient's life could be placed in jeopardy if certain vital information which would be in the record is not available.

RECORD entries MUST be dated and signed with the signatory's name printed.

This is a necessary requirement for medico-legal purposes. It also enables correct identification of the diagnoses and procedures to be coded in the correct Consultant episode.

ENTRIES must be legible, not only for patient safety but also for medico-legal reasons.

VENTURE to always use black ink for all entries throughout the record, as other colours do not photocopy or scan well.

The Access to Health Records Act (1990) means patients have the right to access their records and to have copies of them. It is each person's duty to ensure case note tidiness. Note should be made of the importance of recording information accurately. Adverse personal comments about the patient should not be entered in the record.

ENSURE diagnoses and procedures are validated by Senior Medical Staff.

The Trust is required to produce evidence of each Consultant episode within 7 days of discharge. Accurate coding can only be achieved by use of a completed record. If it isn't documented, it isn't coded, potentially reducing Trust income.

Clinical Coders can only code from information contained in the discharge letter and the medical record. The resultant codes will be used for medical audit and for billing purposes. Hence the importance that all diagnoses and procedures are validated by Senior Medical Staff.

NEAT, timely and accurate discharge letters and summaries MUST be written.

These documents are used to pass details of treatment to the patient's GP and may also be included as part of subject access requests.

TEST results should always be signed by the Doctor who reviews them. If there is no signature it is assumed that the result has not been seen by a member of the medical staff.

IT is essential that consent forms are completed and signed. This is important for medico-legal reasons.

OBSESSIVELY ensure correct patient identification, including the use of the NHS number, is continued throughout the record, as many people will have the same name. This will prevent life threatening errors and resultant medico-legal problems.

NEW or ambiguous abbreviations should be avoided in records. Familiarise yourself with the approved abbreviations used in your service.

Security and Confidentiality Guidance for Agile and Remote Access Working

Where employees work from home or other remote locations, it is necessary to consider the work space and the security and confidentiality of data at all times.

Not all information used contains personally identifiable details, but most information will still be confidential to the Trust. Staff must ensure they hold only the minimum level of confidential information remotely.

The employee will take responsibility for the confidentiality of any records held remotely (either in paper or electronic form) and for their transportation to and from base. Any spare documents, for instance amended documents, must be disposed of according to Trust policies.

Personal confidential information held on electronic devices such as computers, mobile phones, tablets and Trust encrypted memory sticks must be held securely, whether being accessed at base, from another Trust site or remotely (including at home).

Employees must:

know their responsibilities under the Data Protection Act and the Trust's IG and IM&T Security policies;

never leave a computer with personal confidential information on screen;

never leave a computer 'logged on' when unattended;

ensure that rooms containing computers and other equipment are secure when unattended, with windows closed and locked and blinds or curtains closed.

For staff who may work from home occasionally, home security must be at the same level as at work.

When working remotely, staff must connect to the Trust Virtual Private Network (VPN) to ensure that data held on the IT equipment, as well as the Trust computer network, is not compromised. Agile and remote access workers must consider what they are working on when in transit or in public areas, and reduce the risk of others taking an interest in what the remote worker is doing, of connecting the remote worker to the Trust, or of eliciting information from the remote worker about their employer, job, or confidential or company data.

Mobile telephone conversations in the street or public places should be discreet. Mobile telephone users often talk loudly without being aware of the information they are sharing openly with others, which might include sensitive confidential or organisational data.

When in transit, it is recommended that mobile workers do not leave any IT equipment or sensitive information (whether hard copy or electronic) unattended at any time.

WHENEVER YOU LEAVE YOUR SEAT

Failure to adhere to Trust policies may lead to withdrawal of the facility and/or disciplinary action being taken.

Reporting IG Incidents

All IG incidents must be reported in accordance with the Trust's Incident Policy and should be logged on the Datix system within 24 hours of the incident occurring or being identified. This is a brief guide to reporting an Information Governance (IG) incident, including advice around categorisation and what happens once an IG incident has been logged.

An "IG Incident" could be a breach of data security or a breach of IT security, and may include health records errors or breaches of confidentiality. For more information on incident reporting, management and investigations please see the Incident Policy. The IG pages on SharePoint also provide additional guidance on logging an IG incident.

Incident Details

When completing the Datix Incident Form please ensure you provide full details of the incident, including:

who was involved;

what happened;

how the incident came about;

what data has been disclosed, including details of the format (letter, care record etc.) and the volume;

what processes or procedures were in place.

Consideration needs to be given to the circumstances that led up to the event or may have contributed to it. It is insufficient to state "posted records to another service but they did not turn up" or "found record in a bin", as this does not provide enough information about the incident for others to investigate.

Actions Taken and Lessons Learned

The "Actions taken" section has to be completed, detailing what you did when you realised something had gone wrong. For example:

did you contact anybody?

did you attempt to retrieve the information?

have you informed any persons concerned (where their data has gone missing)?

if the incident involved somebody from another service, have you liaised with them?

has the event been shared with the team and reminders sent out about following process?

The "Lessons learned" box also needs to be completed, and this may include reviewing local procedures.

Serious Incidents

The IG Team will contact the Serious Incident Datix Administrator if the IG incident or security related IG incident is reported at level 4 or above. The IG Team will make contact with the handler/reporter to clarify the details of the incident and in some cases request further information in order to confirm or reject the Serious Incident status. The incident is assessed by the IG Team using the NHS Digital assessment tool. Incidents such as this will also be reported to the Information Commissioner's Office (ICO). The ICO will look into the incident, request further information and advise on what action should be taken. The IG Team will liaise with the service to oversee the management of the ICO response. Depending on the nature and seriousness of the incident, the ICO may impose a monetary fine on the organisation.

IG Governance and Management Framework

The framework is made up of several functions, activities and IG related policies. It comprises senior roles, governance and compliance forums, mandatory training, resource and incident management.

The Clinical Records and Information Governance Group (CRIG) will provide operational direction for IG compliance, supported by membership from both the Networks and Corporate Directorates. The CRIG reports to the Joint SIRO / Caldicott Guardian Steering Group.

The Corporate Governance and Compliance Sub Committee, chaired by the Chief Executive Officer, will receive a Chair's report from the Joint SIRO/Caldicott Guardian Steering Group. The Chair's report will provide assurance that Networks and Directorates are undertaking and completing activities which manage the IG risk, and demonstrating that they are compliant with all relevant legislation and regulations.

The illustration of the IG Governance and Management framework shows the relationship with overall Trust Governance and Compliance arrangements.

Information Asset Ownership

The Information Asset Owner structure reflects the management structure for a Care Group or Corporate Directorate.

Information Asset Owners (IAOs) are responsible for:

The use of assets and secure data flows

Processes and procedures regarding the use of information

Completion of Data Protection Impact Assessments

Information Sharing Agreements etc.

Access to systems and justification of use

Registering the use of assets

Registering data flows

Risks

Breaches

Information Asset Administrators (IAAs) support the IAOs with:

Housekeeping

Access controls

Data Quality

Data Protection and IG Awareness

Ensuring processes are followed

Ensuring staff are suitably trained

Flagging potential risks to assets

Ensuring data flows are registered and any risks identified

Ensuring assets used by the team are registered correctly

[Diagram: Information Asset Owners (IAOs) and Information Asset Administrators (IAAs) within each Service or Locality]

Relevant Policies, Procedures and Websites

Information Governance Policy and Standard Operating Procedure (SoP)

Freedom of Information Policy and SoP

IM&T Security Policy and SoP

Mobile Communications Devices Policy

Procedure for Communicating via Email, Text and Video

Corporate Records Management Policy and SoP

Data Quality Policy

Access to Health Records Policy

Health Records Security and Confidentiality Policy

Health Records Management Policy

Clinical Record Keeping Policy

RA Policy

Policy for Sharing and Disclosure of Service User Related Information With External Agencies

Guidelines for Recording and Sharing Information about Transgender People

Information Governance SharePoint Site

http://trustnet/directorates/Corporate/HealthInformatics/InformationGovernance/Pages/home.aspx

Health Records SharePoint Site

http://trustnet/directorates/Corporate/HealthInformatics/healthrecords/Pages/home.aspx

Information Commissioner's Office

https://ico.org.uk/

Department of Health

https://www.gov.uk/government/organisations/department-of-health
