Information Governance is an umbrella of guidelines / principles to help us:
- Gather, use and look after information
- Making sure it is complete and current;
- Available when needed;
- Safeguarding access;
- Using informatics to benefit patient care.
From the DoH:
- Holding it securely and confidentially
- Obtaining it fairly and efficiently
- Recording it accurately and reliably
- Using it effectively and ethically
- Sharing it appropriately and lawfully
Every substantive employee in the NHS is required to carry out IG training
The NHS provides a confidential service, relying on patient trust
- Would patients confide in healthcare practitioners if they didn’t trust them?
Staff are trained to make sure everyone knows:
- What information is confidential;
- What to do when dealing with confidential information.
- Password Management
- Information Security
- Secure Transfers of Personal Data
- Business Continuity
- Risk Management
- Caldicott Report Recommendations
Types of Information
There are (in this context) 4 types of information we need to be aware of:
Confidential information is:
- Private data (not publicly available) +
- Given to somebody with a duty of confidence +
- Expected to be used in confidence
Example: GP consultation.
There are limited exceptions (e.g. crime/abuse)
Personal information is:
- Anything which identifies an individual;
- Name, address, DoB, telephone number
What about: NHS number? NI number? Hospital number?
Important: Even with a name removed, if the rest of the information is “infamous”, it remains personal!
There is stronger legal protection for some types of data, such as:
- Ethnicity / Religious beliefs
- Political views or opinions
- Sexual / Mental health
- Criminal records
These are all deemed sensitive data, as they can be used to discriminate against an individual.
To make information anonymous:
- Must be unidentifiable and detached from the source.
Q: As radiographers, when would we need this?
Q: Are there different levels of anonymisation?
Issues related to our roles as Radiographers:
- Record keeping;
- Information Security.
Are there any differences between qualified and student Radiographers?
1. Justify the purpose(s) for using patient data;
2. Don’t use patient-identifiable information unless it is absolutely necessary;
3. Use the minimum necessary patient-identifiable information;
4. Access to patient-identifiable information should be on a strict need to know basis;
5. Everyone should be aware of their responsibilities to maintain confidentiality;
6. Understand and comply with the law, in particular the Data Protection Act.
- The law has shaped IG;
There are two truths in malpractice claims:
- MEDICAL: what actually happened,
- LEGAL: what the court will decide happened, on the basis of evidence… what has been recorded at the time…
- Access to Health Records Act 1990
- Environmental Information Regulations 2004
- Freedom of Information Act 2000
- Data Protection Act 1998
- Everybody has a right of access to information held by public bodies.
What is Data Protection?
- Data Protection is a large part of IG;
- DPA’98 enshrines in law certain (basic) requirements
“the appropriate measures organisations (which process personal data) must take against unauthorised or unlawful processing, and against accidental loss, destruction of or damage to personal data”.
Data Protection Act (1998)
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- Everyone who is responsible for using data has to follow strict rules called data protection principles.
They must make sure the information is:
1. used fairly and lawfully;
2. used for limited, specifically stated purposes;
3. used in a way that is adequate, relevant and not excessive;
5. kept for no longer than is absolutely necessary;
7. kept safe and secure;
8. not transferred outside the UK without adequate protection.
- Not just patient data: corporate data, staff data;
- All breaches of DPA are reportable to the Information Commissioner’s Office (ICO) who will investigate;
- Fines are common, but worse is the public “shaming”
How does the DPA impact on our work as Radiographers?
Do:
- Choose strong passwords and change regularly;
- Check you’re speaking to the right person when talking about a patient (porters/wards/nurses);
- Be sure patients consent when talking to relatives;
Don’t:
- Share passwords;
- Put confidential waste (request forms / reports) in “normal” waste;
- Leave forms / paperwork lying around.
Not just hospitals that get into trouble:
- Students have the same responsibilities as qualified staff
- Be careful when exporting images, or talking about memorable cases (location / privacy): every image has ID headers!
- De-identify / anonymise data properly; be careful of pseudonymisation
- Seek help if unsure
- What is the difference between personal and sensitive data?
- How many principles are there in the DPA’98?
- Ways of ensuring Data Protection
Things to remember:
- Modern and developing technologies continue to change the risks that healthcare staff need to consider on a daily basis in practice.
- For radiographers, PACS and RIS have had a large impact: they allow (almost) instant access to hundreds of thousands of records and millions of images.
Best practice for us:
- Use an approved encrypted USB stick when transferring data;
- Exporting data with identifiers is not permitted
- Presentations include the minimum information possible;
- Report incidents promptly (quicker = easier investigation);
- Know where your local policies / procedures are;
- Ask if unsure.
1. Don’t let patients take photos of their images
2. Selfies at work are hazardous!
- The basics of Information Governance;
- The principles of the Data Protection Act;
- An overview of the FoIA and Caldicott Principles;
- Examples in practice;
- Simple do’s & don’ts