Data Share LondonTrain-the-Trainer
“Best Practice in Information Sharing”
London Councils and Private Public Ltd would like to thank NIGB who allowed us to include their materials into this workshop
Why are we here today?
• To share key resources about data sharing
• To share tools and materials that will support you in training your staff
• To meet colleagues and exchange experience
• To exchange and generate ideas about good practice and the way forward
Training Session Plan
• Introduction
• Warm-up session: Group Exercise
• Presentation: Key Training Areas & Training Tips
• Coffee
• Forum
• Feedback forms
Warm-up: Group Exercise
• Choose 1 of the 3 scenarios on the table
• As instructed by your facilitator each person takes a card
• Beginning with the oldest date each person decides who they would or would not share the information with, they then read the card to the group
• Debate in your groups whether or not having all of the information would change any decisions made
You have 30 minutes to complete this exercise
Outcomes of Your Training Session
By the end of the session, you expect your trainees to be...
• Familiar with the principles of data sharing
• Aware of resources and support materials
• Able to ask and answer the key questions
• More confident about sharing data
• Understand key processes better
• Other?
What are we trying to achieve?
Excellent Customer Service
Compliance with law, local agreements and practice
Confidence & Engagement of Staff
Data Protection
Safeguarding Efficiency and Productivity
Other outcomes?
Partners: With whom do we share information?
Movement of homeless household to a new temporary accommodation
Revenues and customs send info to the Department for Work and Pensions
Sharing data about children subject to Child Protection Plans
Children's Services send case information to the police Child Abuse Investigation Team
Examples of multi-agency provision of public services –Inside and outside government networks
Local Authorities
Central Government
Health
Police
Exchange of Child Protection Plans with probation and other agencies
Information exchange relating to a common assessment of a young person
Children's Services placing a child in a care home and communicating sensitive care assessment details
Examples of multi-agency provision of public services –Inside and outside government networks
Partners: With whom do we share information?
Criminal Justice
Schools
Private / Third Sector
Partners: Mapping out the interactions
Take a typical service user for your area, and describe a map of the relevant
data sharing interactions, by answering the following questions:
Why information is to be shared
What information to share
What consent exists to share information
Who information is to be sent to
How to securely share information
What to do with the information
Principles
Judgement of frontline professionals
Pre-designed routine
Ad-hoc data sharing
Pre-planned / regulardata sharing
Principles
• Not legally required
• But can help in a complex legal environment
• Sign up to rules and processes
• But there is a wide agreement on the key questions and issues – and these form the basis of the best information sharing agreements
Information Sharing Protocols & Agreements
Partners
Guidelines and Procedures
HM GovernmentGovernment departments & public sector organisations
Individual protocols and agreements
Most effectively, various guidance documents can be used if selected and combined for your particular organisation. These guidelines are usually not legally binding but they outline key procedures and help share data confidently. They can be used to help trainees better understand:
•How and why specific information is being shared
•Key processes and procedures for routine or exceptional situations
•Roles and structures supporting data exchange
•Legal issues and how compliance with the Data Protection Act is established
•Security procedures to mitigate risks and ensure confidentiality.
E.g., Purpose / Subject / Situation Specific Information Sharing Agreement
E.g., Department for Education, NHS, local councils etc
Guidelines and Procedures
A protocol is “not intended to be a substitute for the professional judgement which an experienced practitioner will use in those cases and should not be used instead of that judgement” The ICO
It is important to be confident in sharing data where necessary in order to safeguard an individual.
HM Government Public sector organisationsIndividual protocols and
agreements
Individual Judgement
Some Key Concepts
• Informed Consent
• Gillick Competency and Fraser Guidelines
• The Six Caldicott Principles
• Social Care and NHS Care Record Guarantees
• Pseudonymisation and de-identification
Informed Consent
• What constitutes consent?
• How to seek consent?
• How to explain information sharing?
• How to ensure that consent is informed?
• How to decide whose consent to seek?
• When and how to share information without consent?
Informed Consent
Consent is an agreement to an action based on the knowledge of what the action involves and its likely consequences. To be valid, consent should be informed and freely given.
Informed consent means that the person giving consent understands
•why information needs to be shared,
•who may see their information,
•what it will be used for and
•the implications of not sharing that information.
The Period of Consent
The period of consent is not the same as the period during which the shared information is kept by the receiving organisation.
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”Data Protection Act 1998, Principle 5
The period of consent lasts for as long as the service(s) is (are) provided. However, service users can withdraw consent at any time and should be advised how to do that.
Implied vs Explicit Consent
Consent does not need to be written, though a signed consent form, as evidence of consent, is good practice.
Consent can also be expressed orally, or can be inferred from circumstances in which the information was given (implied consent).
Reliance on implied consent is particularly common in the healthcare context. Implied consent is defined as ‘consent which is inferred from a persons’ conduct in the light of facts and matters which they are aware of, or ought reasonably to be aware of, including the option of saying ‘no’ (DoH Information Policy Unit, January 2001).
However, if consent is relied on to meet the Data Protection Act schedule 3 condition to share sensitive personal data that consent must be explicit.
When is Consent not Required?
There are circumstances under which information can be shared without consent. These include:•where the subject does not have mental capacity and it is in their best interest to share information•to prevent or assist in the detection of crime•to protect the vital interest of the person concerned or another person, such as a life and death situation•to comply with a court order.
For more details see:•Data Protection Act 1998 and exemptions from the DPA
•The Assessment of Mental Capacity Audit Tool
•Mental Capacity Act 2005: Deprivation of liberty safeguards - Code of Practice to supplement the main Mental Capacity Act 2005
•http://www.mencap.org.uk/page.asp?id=2042
Golden Rule for Data Sharing
Share with consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information.
You may still share information without consent if, in your judgement, that lack of consent can be overridden in the public interest. You will need to base your judgement on the facts of the case.*
Gillick Competency-Fraser Guidelines
Children and Informed Consent
When deciding whether a child is mature enough to make decisions, people often talk about whether a child is 'Gillick competent' or whether they meet the 'Fraser guidelines'. For detailed guidance on children and informed consent see:
•Confidentiality and information sharing: children and young people (PDF, 143KB) In: NSPCC Practice Guidance. London: NSPCC, 2010
•London Child Protection Procedures. London Safeguarding Children Board, 2010
•Unaccompanied Children Seeking Asylum: Privacy, Consent and Data Protection. ARCH, 2010
Six Caldicott Principles
In the NHS and Social Care services, the Caldicott principles have been adopted to guide the use of personal information.
1.Justify the purpose(s) of using confidential information2.Don't use patient identifiable information unless it is absolutely necessary 3.Use the minimum necessary patient-identifiable information 4.Access to patient identifiable information should be on a strict need-to-know basis 5.Everyone with access to patient identifiable information should be aware of their responsibilities 6.Understand and comply with the law
Each NHS Trust and local council has designated a Caldicott Guardian, who is responsible for adherence to the Caldicott principles and who can be asked for advice.
Social & NHS Care Record Guarantee
The Social Care Record Guarantee (SCRG)
The SCRG for England explains in a clear and concise manner how personal information is used in social care and what controls an individual has over it. It applies to both electronic and paper social care records for both Adults and Children's Services in England.
The NHS Care Record Guarantee
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It also applies to both paper and electronic records. Whilst not a legal document, the Guarantee could be used as the basis for a complaint.
Pseudonymisation
Pseudonymisation is concerned with enabling the NHS to undertake secondary (non-medical) use of patient data in a legal, safe and secure manner. The overall aim of implementing pseudonymisation is to facilitate:
•The legal and secure use of patient data for secondary purposes by the NHS (and other organisations involved in the commissioning and provision of NHS-commissioned care)•NHS business to no longer use identifiable data in its non-direct care related work wherever possible•NHS business processes to continue to be effective in supporting the day-to-date operation of the NHS.
The implementation of pseudonymisation is based on each local organisation undertaking its own pseudonymisation as appropriate.
Pseudonymisation techniques
There is no universal technique of effective pseudonymisation
Rather, combinations of techniques applied to the data and controls on the recipient will need to be chosen as appropriate for the given circumstances to ensure the recipient cannot infer identities from the data.
Example techniques include: stripping out / not displaying person identifiers; replacing person identifiers with other values; aggregating data; using derivations (displaying values that reflect the character of the source data); using synthetic data (mixing up elements of a dataset) etc.
Reversible or irreversible pseudonymisation
There may be a need to see identifiers, e.g. to check data quality issues (which are masked once data has been pseudonymised).
Pseudonymisation: Key Challenges
Organisation and Processes
TechnologyCulture & Skills
Selecting techniquesEnsuring lawful
outcomeVolume of data flows
Data qualityPseudonymisation
facilities
Other?
Safe Havens to store identifiable data
Process Flow: What do I do?
Obtain Consent
Decide on data,
recipient and time
Decide on data share
method
Send data securely
• Display posters and / or leaflets
• Explain to the individual concerned
• Ensure info is understood (provide interpreter etc if needed)
• Identify if individual is able to give consent
• Identify if the situation is covered by ‘direct continuing care’
• Check whether law requires data share irrespective of consent
• Record consent / refusal in individual’s record dated and time stamped
• Refer to the form in Appendix 1 Section 9.0 in LO ISP
• How and when to complete form – App. 1 Section 10.00 & 11.00
InformInform
Seek consent
Seek consent
RecordRecord
Obtain Consent
Decide on data, recipient
and time
Decide on data share method
Send data securely
Process Flow: What do I do?
• Establish the required content and format of the data to share
• Identify the necessary minimum information to meet the purpose
• Ensure confidentiality unless there is a robust public interest or a legal justification in disclosure
• Decide on the recipient. See example in LO ISP Appendix 1
• Verify the identity of the person making request
• Record their name, position, organisation and contact details
• Ad hoc or regular?
• If regular, how often?
• KPIs in your organisation? (E.g., How quickly should you respond to a data share request?)
What?
Who?
When?
DataData
RecipientRecipient
TimeTime
Obtain Consent
Decide on data, recipient
and time
Decide on data share method
Send data securely
Process Flow: What do I do?
• Assess the risk and potential impact of security breach
• Use your organisation’s Info security policies etc
• Establish the legal gateway to share this data
• For example see Wandsworth Borough Council ISF
• Decide on level of risk that is relevant to the case
• Across government networks
• Outside government networks
• GCmail, CJSM etc - See Data Share London website
Risks?
Controls?
Solutions?
Assess securityAssess security
Decide on risk
controls
Decide on risk
controls
Decide on technologyDecide on technology
Obtain Consent
Decide on data, recipient
and time
Decide on data share
method
Send data securely
Process Flow: What do I do?
• Track the data transfer
• Obtain assurances from partners about their security controls
• Ensure secure levels of password / data encryption
• Ensure secure premises and containers
• Use approved waste disposal company / cross cut shredder (paper)
• Ensure securely overwritten / physical destruction (electronic)
• Record your decision, how you made and what data was shared
• Record why you decided to override the requirement to seek consent
• Report security breaches
Process Flow: What do I do?
Transfer data
Transfer data
Store and dispose of
data
Store and dispose of
data
RecordRecord
Obtain Consent
Decide on data, recipient
and time
Decide on data share method
Send data securely
• Decide on the required content and format of data to be requested
• Decide on technology / means of data transfer
• Ensure secure levels of password / data encryption
• Ensure secure premises and containers
• Safe Havens
• Check organisational rules and procedures
• Ensure securely overwritten / physical destruction
• Use approved waste disposal company etc
• Check organisational rules and procedures
Process Flow: What do I do?
Request & Receive
data
Request & Receive
data
Use & Store data
Use & Store data
Dispose of data
Dispose of data
Request & Receive data
Use & Store data
Dispose of data
Infrastructure
Jointly accessible online application
or database
Third party email encryption tools
Secure web spaces or extranets
GCmail
CJSM
Partner e-mail system, e.g.
NHSmail, GSI
Secure fax
Anything else?
For more details: http://www.londoncouncils.gov.uk/services/datasharelondon/toolkit/sharingsensitiveinformation.htm
The first choice if available
Clearly branded LA
solution
Low cost & wide usage but Criminal
Justice focus
Applying for accounts
with partners
Across government networks Outside government networks
Training Tips: Warm-up Brainstorming
Please name your top three...Organisations you share
data with most oftenThe sort of data you share
most often
Problems you encounter when sharing data Terminology useful to know
PartnersPartnersInformati
ontypes
Information
types
IssuesIssues Technical terms
Technical terms
Training Tips: Group Work
Group work is a very effective training tool and should be included in all training sessions.
Group work can focus on collective problem solving and discussion of selected issues, using various “cases of failure” scenarios.
Productive discussions can be designed around process flow, collaborative working, ambiguous situations.
Sample Group Work One
Understanding the process flow
• What actions do I need to take and when?
• What concepts do I need to be familiar with at each stage?
Sample Group Work One
Sample Scenarios
1. A pharmaceutical company contacts you and requests contact details of patients with a certain condition to invite them to a drug trial.
2. A parent of a 14 year old calls the GP to confirm the time of their son’s drugs related appointment.
3. An insurance company asks for medical records of one of your patients.
4. Discuss a recent case when you had to share data. What did you do?
Sample Group Work One
Give a copy of consent form to
individual
Establish if disclosure is
legally required Ensure individual understands the
leaflets
Record consent
Evaluate individual’s
capacity
Seek authorisation
Identify the minimum info
required
Record data share event
Consult a Caldicott Guardian
Other?
Risk controls
Best interest
Robust public
interest
Capacity
Direct continuing
care
Purpose specific info sharing agreement
Together with your team, put these actions (rectangles) in the right order and link concepts (ovals) to relevant actions
Other?
Group Work One: Instructions
• Together with your team, put the actions (rectangles) in the right order, using the provided scenarios
• Link the concepts (ovals) to the relevant actions
• Discuss in your group which actions or concepts have been left out and need to be added to the list
• Discuss differences in process for different scenarios
You have 20 minutes to complete this exercise
Sample Group Work Two
Raising the issues
• What Will Happen if we Do Share Information?
• What Could Happen if we Don’t Share Information?
Group Work Two: Instructions
• Choose 1 of the 3 scenarios on the table
• As instructed by your facilitator each person takes a card
• Beginning with the oldest date each person decides who they would or would not share the information with, they then read the card to the group
• Debate in your groups whether or not having all of the information would change any decisions made
You have 30 minutes to complete this exercise
Sample Group Work Three
Deciding What to Share
• Would We?
• Could We?
• Should We?
Group Work Three: Instructions
• Pick a scenario card, work through as many scenarios as you have time for
• Discuss and decide if you would share the information
• Discuss and decide if you could share the information
• Discuss and decide if you should share the information
You have 30 minutes to complete this exercise
Training Tips: Effective Signposting
What is Data Share London?
• “...promotes good practice in data sharing and helps people ensure that data sharing is completed legally and fairly...”
• Long history of collaboration – roots in attempts to devise a London-wide info sharing protocol
• Jointly funded by Capital Ambition and the NHS
• Advisory board with members from across Local Government and health
Training Tips: Effective Signposting
Useful Resources
• London Data Share: http://www.londoncouncils.gov.uk/services/datasharelondon/
• Information Sharing: Guidance for practitioners and managers (HM Government, 2008)
Department for Education
• Information Sharing: How to judge capacity to give consent. DfE, 2011
• NHS Services and Children’s Centres - how to share information appropriately with children’s centre staff. DfE and DH, 2010
• Information Sharing: How to seek Consent? Department for Education, 2011
Health care
• Confidentiality: Guidance for doctors. General Medical Council, 2009
• Confidentiality: Nursing and Midwifery Council, 2009
• Confidentiality: NHS Code of Practice. 2003
• The Care record guarantee. NHS, 2011
• Record keeping: Guidance for nurses and midwives. Nursing and Midwifery Council, 2009 (to be reviewed in 2012)
• Confidentiality and Information Sharing. NHS National Treatment Agency for Substance Misuse, 2003
Training Tips: Effective Signposting
Useful Resources
Other departments & non-governmental organisations
• Information sharing for community safety: Guidance and practice advice. Home Office, 2010
• Sharing Information on Children and Young People at Risk of Offending. Youth Justice Board, 2005
• The Social care record guarantee. NIGB, 2009
• Requesting amendments to health and social care records: Guidance for patients, service users and professionals. NIGB, 2010
• More information on consent and information sharing practice
Other departments & non-governmental organisations
• Information sharing for community safety: Guidance and practice advice. Home Office, 2010
• Sharing Information on Children and Young People at Risk of Offending. Youth Justice Board, 2005
• The Social care record guarantee. NIGB, 2009
• Requesting amendments to health and social care records: Guidance for patients, service users and professionals. NIGB, 2010
• More information on consent and information sharing practice
Forum: Questions for discussion
• Have you encountered any issues with XX in your organisation?
• What are the main roots of the problems?
• Which solutions work well for you?
• Which technical tools work well / do not work for you?
• What are the key five things you would explain to a new member of staff involved in data sharing / about XX?
• Which area raises most questions from your staff?
• Which areas need collaborative pan-London working the most?
• How do you see the future of XX (data sharing)?
Feedback forms – Thank you!
Top Related