
Transforming Community Services

Some Key Issues in Information Governance

Introduction

The Transforming Community Services (TCS) programme includes changes in organisational arrangements and developing the use of information and the associated infrastructure to focus and improve services. The interaction of the organisational arrangements with the use of, and access to, patient data and records through different models of information management facilities leads to the need to be clear about the associated Information Governance (IG) arrangements. These allow for protecting and enabling effective use of the data of patients, service users or clients (referred to as patients for simplicity throughout the rest of this paper, but intended to include service users and clients). A range of organisational models [1] are emerging, including:

- Community Foundation Trust
- Social Enterprise
- Vertical Integration, i.e. to support different parts of the patient pathway, e.g. with an NHS Provider Trust via Joint Venture, Community Interest Company or S75 Agreement
- Horizontal Integration, i.e. to cover the same part of the pathway, e.g. with similar providers and/or Local Authorities (LA) via an S75 partnership agreement
- mixtures of the above to provide the full range of services.

Patient records and data (in paper or electronic form) have to be included in the formal arrangements and agreements involved in transferring services from Primary Care Trusts (PCTs) to Receiving Organisations in order that the Receiving Organisation can perform its functions. It is crucial that the IG aspects of transferring records and data are also considered in such agreements. This paper sets out some of the key IG issues to be considered to enable the informatics aspect of TCS to be undertaken successfully. The legal status of some Receiving Organisations will change during the period that the community services transformation is taking place. The legal status is material in the transfer of responsibility for records and data, and transfer should not occur until the Receiving Organisation is a legal entity, which also brings the need to implement the associated IG obligations.

Provision of information management capability


The staff working in the various organisational models will be expected to access patient records and use IT equipment to collect, store, organise and manage data about patients. Such capability can be provided in a variety of ways, including:

- In-house
- NHS based shared services
- External contracted services, e.g. Local Service Provider (LSP) supplied
- PCT owned and licensed software, including NHS enterprise wide agreements (effectively free software whilst existing contracts operate).

The first three are common arrangements in the NHS for providing such services. The organisational models appearing through TCS indicate that the existing pattern of supply of capability and services will be challenged to meet the needs of the new organisations. The fourth way offers the opportunity for a PCT to 'own and license' and thereby provide software (that has already been paid for by the NHS or is free) to providers without such facilities or from outside the NHS, who may not have access to Enterprise Wide Agreements etc. This potentially enables a variety of the emerging organisational models to be supported and has several advantages, such as enabling multiple small service providers simultaneously or a single external supplier, changing service suppliers and keeping costs down. This also means that the information and the system capability may be retained for the local health economy irrespective of the community service provider arrangements.

[1] Transforming Community Services: enabling new patterns of provision; see http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/documents/digitalasset/dh_093196.pdf

64941549.doc Author: Wally Gowing Page 1


IG Context
IG is concerned with ensuring that person level data and records of Data Subjects can be properly protected whilst productively used to support delivery of care and effective operation of services. IG can also be viewed as a mechanism to manage risks to patient data and to organisations in their management and use of data and records of patients. The legal basis for IG is provided through the Data Protection Act [2] and NHS policy, such as the Caldicott Principles. A key concept concerning access to identifiable data is that such access should only take place if it is necessary and can be justified, and that identifiable data should only be used in support of delivery of care; otherwise effectively anonymised data should be used. Key concepts of IG implementation at organisational level are Data Controller and Data Processor (defined in Appendix 1), as legal obligations are vested in organisations, which have to be legal entities to undertake these roles. The Data Controller has responsibility for the use to which the data is put by an organisation and may undertake processing, whilst a Data Processor may be a separate organisation that provides services to the Data Controller organisation. A Data Controller should explicitly state what is expected from its Data Processors, and this should be achieved through formal contracts (rather than SLAs) even when between NHS organisations. The contracts should create clarity about the services and provide mutual protection given the liabilities that each are under in delivering services. Given the various combinations of models emerging for organisations and community service provision, together with those for information service provision, it is important to be clear how the IG obligations can be met. For NHS organisations, IG responsibilities are vested in three roles, namely Caldicott Guardian, Senior Information Risk Owner (SIRO) and Information Asset Owner (IAO) (see Appendix 1).
Compliance by NHS related organisations with IG requirements is assessed through the Information Governance Toolkit (IGT), which is revised annually to reflect IG legal and policy developments. The Information Commissioner, who is the Independent Regulator responsible for Data Protection, recommends that a Privacy Impact Assessment (PIA) be undertaken at the outset of any project that might impact on people's privacy. The aim of the PIA is to assess privacy risks to individuals in the collection, use and disclosure of information. PIAs, which can be run on a full-scale or small-scale basis, are intended to help identify privacy risks, foresee problems and bring forward solutions. To assist, the Information Commissioner's Office (ICO) has produced a PIA handbook [3] outlining processes and providing screening questions etc. The use of a PIA may be pertinent to all Receiving Organisations, particularly newly created organisations. The scope of records and data held by a range of organisations will change as TCS is implemented. The resulting changes will need to be reflected in the many IG policies and procedures of affected organisations to ensure an effective IG regime. In turn, these IG changes may well impact on staff and associated IG training.

[2] Data Protection Act 1998; see http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1
[3] www.ico.gov.uk/upload/documents/pia_handbook_html_v2/index.html

IG implications of implementing TCS

1.1 Introduction


In changing organisational structures and the associated changing of information systems and transfer of data, there are important IG issues that must be considered and resolved. These include those in the list below, which are considered further in the following subsections:

- The legal status of the organisations involved
- Transfer of records and data between organisations
- Which organisation owns the system
- Which organisation controls the data
- Which organisation processes the data
- Modifying DPA registration notification to the Information Commissioner's Office (ICO)
- Avoiding orphaned data
- Managing information sharing and access through protocols between organisations
- Whether a system is principally for operational/clinical purposes or a data warehouse/repository type system principally for secondary uses
- Who/which individual members of staff have access to the data, and to which data
- Implementing fine grained access control to person level identifiable data
- Identifying risks to records and data of individuals
- Subject Access and Section 10s
- Modifying policies
- Informing patients about what is happening to their data

1.2 Legal status and transfer of records and data

Under the DPA, Data Controllers have to be legal entities as there is liability for their actions. This means, for instance, that GP Commissioning Consortia cannot be Data Controllers until they are legally formed, that is at the time their legal status is attained when the relevant health bill has been passed. It is assumed that there will be legal terms of transfer between a PCT and relevant Receiving Organisations. The transfer of records and data should be included as part of the formal transfer of assets alongside premises, staff and hardware. The fate of records and data should be clearly stated within the schedules supporting the transfer of services, including, for example, Data Protection aspects and the handling of Freedom of Information requests. Reference should be made to the subsequent need for establishing the mechanisms for working between the organisations as issues arise in managing the existing data assets. An example of this is given in Appendix 2, a document setting out sample processes for managing orphaned data. It is important to resolve issues at the outset, especially in relation to any future resource issues that may arise, so that problems due to lack of scope or clarity do not build up against the backdrop of PCTs ceasing to exist in the near future; it would be prudent to include mechanisms to resolve problems in the interim. When services are transferred to significant NHS organisations, responsibility for full records and data should be transferred, as the Receiving Organisation is taking on the PCT Community and other Services roles and liabilities. Professional staff will need access to such records and data, and it is expected that the ICO would deem that full transfer to the Receiving Organisation is reasonable from the Data Subject's viewpoint. When services are being transferred to emerging Receiving Organisations that are not yet legal entities, then the Data Controller may continue to be the PCT until legal entity status is reached.
This may be accompanied in some cases by such organisations being initially limited in capacity and capability, where the commissioners' contracts for services should retain the right to transfer records and data to successor organisations. In such cases, it may be sensible to transfer recent records and data relating to recent activity (e.g. the last 2 years) and not to transfer archive data, so as not to add to the burdens of the new organisation. Such archive data would continue to be the responsibility of the PCT as Data Controller. However, in general, records and data about individuals whose services are being transferred should not be orphaned, i.e. some part left behind at the PCT or the PCT's Data Processor, as they are clearly the responsibility of the Receiving Organisations - see Section 1.7.

1.3 System ownership

The issue of 'Who owns the system supporting delivery of community services?' should not be relevant or have impact for TCS as long as ownership does not assume the right of access to data or Data Controller rights; for example, LSPs are system owners for much data processed for the NHS. There is an issue with existing community systems where these have been operated by PCTs utilising software made available under volume licence agreements with organisations such as Microsoft through Connecting for Health (CFH). It is possible to move forward with the model of the PCT/Commissioner 'owning' or 'licensing' software and systems for use by a new community service provider; this is legitimate from an IG viewpoint as long as the relevant IG 'rules'/constraints are met, in particular that the PCT/Commissioner does not have access to the data at individual patient level. CFH can provide copies of the licensing arrangements and forms for any required transfers.

1.4 Data Controller

There must be clarity about who/which organisation is the Data Controller for the transferred records and data, in order to exercise the responsibility for deciding which personal data can be processed and how (see Appendix 1 for definitions). In effect the Data Controller must be the organisation which determines the purposes for which and the manner in which any personal data are, or are to be, processed [4]; in this case in support of provision of care or undertaking analysis etc. This means, for instance, that a PCT can own a system, but the Receiving Trust, having the responsibility for patients and their information, must be the Data Controller. Any organisation registering with the Information Commissioner as a Data Controller must assume full responsibility for managing patient information held on relevant systems (e.g. RiO in London), some of which will be in active use and some a historic record of care. Organisations can be Data Controllers jointly if they act together to decide the purpose and manner of any data processing. This can occur within the NHS and may be pertinent in some instances arising from changes associated with TCS.

1.5 Data Processing

There must be clarity about who/which organisation acts as Data Processor for/on behalf of the Data Controller for data transferred as part of TCS; this may be the same organisation, a shared service or an external contractor (e.g. LSP), and there may be more than one Data Processor. A Data Processor must be part of a legal entity, as liability for failing to meet the legal obligations of the DPA must be accepted and indemnified against. If the Data Processor is in an organisation separate from the Data Controller, then formal contracts (with schedules for specific services, performance etc.) must be used. If a Data Processor is providing services to a consortium of NHS organisations hosted by one of the NHS organisations, contracts must be held with each of the NHS organisations for the relevant Data Processing, for which each NHS organisation is the Data Controller.

[4] As defined in the Data Protection Act 1998; see footnote 2.

1.6 Notification to the Information Commissioner

PCTs and the Receiving Organisations consequent on TCS must notify the ICO annually of their processing of personal data. The notifications for 2011 will need to include any additional or reduced data processing to be carried out by relevant organisations for the changes occurring because of TCS.

1.7 Orphaned records and data

Transfer of records and data arising from TCS should be included as, and be regarded as, a transfer of assets in much the same way as staff or hardware, and such records and data cannot be orphaned; this applies to both electronic and paper records. When PCTs transfer responsibility for their services and the legal liability for the care provided, the data and records controlled by the PCTs and the related responsibility also have to be transferred to the new body responsible for delivering the services. If the Receiving Organisation does not want to take all of the historical data then, if the relevant retention period for the type of record has been reached, such data can be securely destroyed prior to transfer, or archived if the data remain relevant. If the data are archived, then responsibility for the data's continued existence must be clarified at the point of archiving and must reside with a suitable legal entity. For data which have not reached the retention period expiry date, responsibility for the data should be transferred to the Receiving Organisation along with the other responsibilities passed over by the PCT. If such data were to be destroyed inappropriately it would leave the Receiving Organisation defenceless in terms of having evidence mitigating its liability. A court could view such destruction as evidence of the body seeking to shirk its responsibilities. If a new body does not want historical data in its records then the data do not need to move, but there would need to be a new data processing contract with the current Data Processor to retain the data as an archive for the prescribed retention period and then either public records archiving or destruction. If orphaned records are to be archived, then there needs to be agreement and clarity between organisations on the specific responsibilities in meeting the various legal obligations that may arise.
These responsibilities include the situation where a patient moves from inactive to active through supply of community services; subject access requests under the DPA; and where litigation arises or where records are requested by Courts or the police. A sample agreement is attached as Appendix 2, based on an agreement developed in the Liverpool/Sefton area. This followed from the splitting of a PCT's community services between 2 Receiving Organisations and the decision not to transfer inactive records.

1.8 Information Sharing

1.8.1 Information Sharing Protocols


Information sharing is necessary to support patient care across organisations and where single instances of software are used by multiple providers. Many NHS organisations have staff employed by other organisations using their patient information systems. The usual ways to manage this relationship are through any one of the following:

- Acceptable Use Policy signed when a user starts to access the system
- Honorary contracts and/or third party agreement when the staff member does not work for the organisation that is the Data Controller
- Information Sharing Protocols or Data Sharing Agreements, including Subject Specific Information Sharing Agreements.

Information Sharing Protocols (ISPs) enable organisations to share data and information about patients and are typically used to support care pathways (e.g. Greater Manchester ISP [5], Surrey Multi Agency ISP [6], and Pan Birmingham Cancer Network ISP [7]). Sharing information about individuals between public authorities is often essential in order to keep people safe, or ensure they get the best services. This sharing must only happen when it is legal and necessary to do so to provide services to the patients and when adequate safeguards are in place to protect the security of the information. This means that the same rules and restrictions apply to access to identifiable data by an ISP organisation as in the originating organisation. As ISPs can enable access to identifiable data, such ISPs must be signed off by the relevant Caldicott Guardians on behalf of the Data Controller organisations. A generic sample ISP for sharing information with other organisations is shown in Appendix 3.

[5] http://www.penninecare.nhs.uk/legal/gmigg/

1.8.2 Information Sharing for TCS


The implementation of the records and information aspects of TCS should be supported through the use of relevant ISPs and confidentiality agreements. These can be split into 3 areas:

- Pre Transfer ISP
- Post Transfer ISP
- Staff Confidentiality Agreement (to be used during the TCS change project)

Sample documents are shown in Appendix 4. These documents have been developed by Manchester PCT and reflect the fact that Manchester PCT will continue to operate the Community system for use by a variety of provider Trusts. Whilst this may not be a typical situation, the purpose and principles of the ISPs and confidentiality agreement, especially the Pre-Transfer ISP, are relevant wherever data and record transfers are due to take place and whatever organisational change arrangements are planned. The documents provide templates for development of local ISPs and agreements as required. In addition to the ISPs above, there may be Subject Specific Information Sharing Agreements (SSISA) to supplement any overarching ISPs by giving the details of sharing of specific sets of data for specific purposes. A particular example of this is that future versions of RiO (used for community and mental health services in London) will include a function for a user of one organisation's RiO system to see data held for a patient on another organisation's RiO application (RiO2RiO), as long as the patient has given consent. This will be supported by a SSISA for trusts that use this function, and the SSISA document will spell out the obligations for use of this form of integration.

1.9 Primary use versus secondary use

Systems that support the delivery of care and record, for example, clinical data as part of the patient record will largely operate for these primary purposes. The use of data to support analysis of activity or commissioning processes is regarded as for secondary purposes, as are the associated systems. For primary use purposes, data can be accessed in identifiable form. However, secondary use should utilise de-identified data, and currently most NHS organisations and systems are unable to meet this basic DPA and Common Law of Confidentiality requirement in respect of secondary use. The NHS currently utilises a Section 251 approval to allow use of identifiable data. This approval is reviewed on an annual basis, but will be withdrawn as the NHS implements de-identification facilities and capabilities, which is IGT Requirement 8-324. Guidance and further information on implementation of de-identification for secondary use is available from the CFH and IC websites [8].

[6] http://www.surreycc.gov.uk/sccwebsite/sccwspages.nsf/LookupWebPagesByTITLE_RTF/Information+sharing+protocol+for+multi+agency+staff?opendocument
[7] http://birminghamcancer.co.uk/viewdoc.ashx?id=4Zi5qNWy9bMrNbFeKqwo6A%3D%3D
[8] http://www.connectingforhealth.nhs.uk/systemsandservices/sus/delivery/pseudo

1.10 Health data and Social Services systems


Some Receiving Organisations may determine to use systems utilised by Social Services for data processing. Organisations need to be aware of the differences between the basis on which health related data and social services related data are obtained, stored and processed. The major difference is that Social Services departments obtain consent of the service user/client prior to collection of personal data beyond demographic data, whereas explicit consent is not obtained for personal data collected through health service provision. This means that a range of Social Services staff is able to access data within their systems on the basis that explicit consent has been obtained. If NHS health sourced data are added to the social services system, then access to the data should be restricted to those operating within the NHS, i.e. based on legitimate relationships of clinicians and related staff. If wider use of the data is to be made through the system, then explicit consent must be obtained for such use.

1.11 Who accesses the transferred records and data


Identifiable data - access to identifiable patients' health records and identifiable data on systems should be restricted to:

- members of clinical teams in the delivery of the patient's care; these should operate against professional standards with retrospective monitoring and audit
- services that support provision of care services, such as patient administration services that support systems holding identifiable data
- safe haven users, responsible for data quality and the provision/receipt of data with other bodies.

Secondary usage of data should be undertaken with de-identified data to meet IGT 8-324. Wherever possible, data should be provided in aggregate or tabulated form to avoid use at individual patient level. Access at patient level for secondary use should be restricted to staff who have legitimate reasons for such use.

1.12 Access Controls and User Registration


Systems containing community services data should have access controls in line with meeting the NHS Code of Confidentiality; this can be assessed by the level of conformance with the IG Toolkit. Typically, access control will involve fine-grained access control to compartmentalise users, the data and the views of data that they should have access to. Such access controls should operate:

- at an organisational level, as modified by any inter-organisational information sharing protocols (i.e. only see data relevant to patients within the user's organisation)
- at a user role level, e.g. a clinician sees their patients only, to support care provision; support staff can see all relevant data for all patients; a safe haven user can see all patients for data quality purposes; secondary use users can only see secondary use views.

User registration will depend on the types of system being used, for example whether local or LSP supplied, and should be pursued with those responsible for user registration within the Receiving Organisation. CFH have issued guidance on smart card migration for Spine systems [9].

1.13 Avoiding inadvertent unauthorised data access


It is possible to conceive of situations resulting from TCS where issues will arise from not archiving data or where information-sharing arrangements are not accompanied by adequate access control regimes. Such a scenario might be where PCT Trust A's community services data is processed by a Data Processor, say an LSP. Trust A's services may be transferred to Trusts B and C and some services may cease to be provided. The resulting data management should lead to archiving of the data relating to the discontinued services and separate instances of software and data for Trusts B and C. However, the result may actually be that staff in Trusts B and C can both access the non-archived Trust A data, and possibly access one instance of a system and data being used by both Trusts B and C as there are patients in common for the services supplied by the Trusts, but, in addition, can inadvertently access all records for patients, not only those for which they have clinical or operational responsibility. The above outline may be a worst case scenario (though adding in the complexity of some of the data concerned being about mental health or local authority social services, it could be worse) and should be avoided, but if this (or something similar) does arise, it is vital that:

- Information Sharing Protocols are put in place that explicitly cover the particular circumstances of accessing each other's data
- Non-maintained data (i.e. the data that should have been archived) is clearly identified as such, together with the fact that it cannot be relied upon as a current clinical record
- Staff in the new service providers are aware of the breadth and limitations of accessing data through Information Sharing Protocols and of their professional obligations.

[9] http://www.connectingforhealth.nhs.uk/systemsandservices/data/sds/user-migration/OMS Process for User Migration FINAL ISSUED V 1.0.docx/view?searchterm=OMS Process for User Migration

1.14 Identifying risks to records and data of individuals


As indicated in Section , a Privacy Impact Assessment should be undertaken to identify potential risks to the privacy of individuals through the transfer of records, data and systems as well as staff from PCTs to receiving organisations. This may be especially useful where new organisations are involved or in relation to the transfer of specific services, such as Sexual Health or Mental Health where data may well be regarded as more sensitive.

1.15 Subject Access Request and Section 10 Requests


In order to conform with the DPA and the Care Record Guarantee, NHS related organisations that are Data Controllers and cause patient data to be processed must be able to inform, at the Data Subject's request, what data is held about the Data Subject and the purpose for processing the data; this is a Subject Access Request (SAR). In addition, under DPA Section 10, the Data Subject can request to know who has accessed that data. Where existing systems and processes are being transferred, then, assuming that SARs and Section 10 requests can be met, no difficulties should arise. In any other circumstances it will be prudent to check that SARs and Section 10 requests can be satisfactorily handled.

1.16 Modifying DPA registration and policies


Each organisation having responsibility for personal data must have a Data Protection Act registration with the Information Commissioner; this includes any organisation taking a new system. This identifies the purpose of the use of the data; the range and type of data etc and changes to the detail of the registration must be notified to the ICO. In parallel with this, any organisation should ensure that all its Data Protection and IG related policies and procedures are modified to reflect the changes arising from implementation of TCS. A checklist of IG related policies is shown in Appendix 5. In addition to the changes to IG policies etc, TCS will cause changes to the range of records and data held by organisations. Consideration should therefore be given to provision of training for relevant staff on their IG responsibilities arising from TCS, whether it be using new systems or operating within a new organisation if they have been transferred.

1.17 Informing patients


As TCS results in changes as to which organisations hold and process data about patients, patients must be informed of these changes. Under the Data Protection Act, clients (and staff) must be told:

- What information is held about them
- Who it might be passed on to
- The name of the Data Controller that holds the information (e.g. the Receiving Trust)
- Who they can contact if they have any queries.

For new patients/service users/clients of affected community services a Fair Processing notice can be used. Usually this takes the form of a leaflet entitled 'How we use your information'. The Notices in place at each organisation will need to be reviewed and any gaps identified for a new leaflet that would need to be in place when the services are taken over by the Receiving Trust. The leaflet should be sent out with all first appointments and should be distributed at service points throughout the organisation. In addition, all current patients/service users/clients of affected community services must be informed of relevant changes. Consideration should be given to doing this effectively and in a coordinated manner so that the client does not receive several communications from, e.g., the PCT and the Receiving Trust. It is probable that there will be a wider local communications process to inform about changes to services associated with TCS, and it would be helpful if the records, data and IG aspects were an integral part of that process.


Implementing change

1.18 Introduction and Implementation Examples


There appear to be a myriad of different possible combinations of organisational arrangements that could arise in TCS. It is not feasible to work through all the combinations. Some common issues are examined in the two scenarios below. The examples are intended to illustrate some of the issues that may arise and what IG steps need to be taken for organisations to remain legal in their use of patient data, or else risk breaking the law and potential fines from the Information Commissioner's Office (ICO). Some relevant anecdotal evidence is provided to illustrate the issues.

1.19 Sharing systems - organisational issues


Scenario - Multiple units in different organisations share an operational/clinical system (such as SystmOne operated across practices and community service providers).

IG requirements - an individual organisation and their staff should only have access to the records/data that relate to patients they deal with, based on the equivalent to legitimate relationships, so such a system needs to be capable of providing sufficient levels of access control, providing staff from:

- Practice - access to their patients only; differential access to records dependent on role within practice, e.g. differences between GP and reception
- PCT Provider/Community Provider - access to their patients only, and to others via Information Sharing Protocol; differential access to records dependent on role within provider, e.g. differences between clinician and reception
- PCT Commissioner (assuming that they have access to the system) - should only have access to de-identified (pseudonymised) versions of the data for secondary use purposes (EMIS Web operates in this way: practices can see data about their patients in identifiable form, but staff in PCTs see the same data in pseudonymised form). A PCT Commissioner may need access to the system for Data Quality reasons as part of their safe haven function in support of their wider secondary use of data in their own data warehouse for contract and performance management etc., but this only applies if the system (SystmOne in this instance) is in effect the main patient register at PCT level for the PCT Commissioner (previously undertaken through the Exeter system).

System requirements to meet DPA and NHS Policy - fine-grained access controls to distinguish between different organisations and different user types and the categories of data that can be accessed, plus audit facilities to check on who has accessed what records.
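The access control and audit model described in section 1.12 and in the scenario above, as an added illustration that is not code from this paper or from any of the systems it names (SystmOne, EMIS Web, RiO): organisation-level scoping modified by a signed ISP, role-level views including a clinician's legitimate relationship, a pseudonymised view for secondary use, and an audit trail of who accessed what. The organisation names, user ids, records and pseudonymisation key are constructed for the example; that secondary use users obtain the pseudonymised view across the whole shared system (as for a PCT Commissioner) is an assumption.

```python
"""Constructed model of fine-grained access control for a shared clinical system."""
from dataclasses import dataclass, asdict
import hashlib
import hmac


@dataclass(frozen=True)
class Record:
    nhs_number: str
    org: str          # Data Controller organisation for this record
    clinician: str    # clinician with a legitimate relationship to the patient
    name: str
    diagnosis: str


@dataclass(frozen=True)
class User:
    user_id: str
    org: str
    role: str         # clinician | support | safe_haven | secondary_use


# Constructed sample data: two providers (assumed names) sharing one system instance.
RECORDS = [
    Record("9434765919", "TRUST_A", "dr.ahmed", "Alice Example", "asthma"),
    Record("9434765870", "TRUST_A", "dr.brown", "Bob Example", "diabetes"),
    Record("9434765838", "TRUST_B", "dr.chen", "Carol Example", "hypertension"),
]

# Information Sharing Protocols: (viewing org, record org) pairs that a signed
# ISP permits. Here TRUST_B may see TRUST_A records; nothing else is shared.
ISPS = {("TRUST_B", "TRUST_A")}

# Audit trail of every access decision: who asked for what, and the outcome.
AUDIT_LOG = []

# Keyed pseudonymisation: secondary-use rows stay linkable but not identifiable.
# Constructed key for the example only.
PSEUDO_KEY = b"constructed-demo-key-not-for-production"


def pseudonymise(nhs_number):
    return hmac.new(PSEUDO_KEY, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def org_in_scope(user, record):
    """Organisational level: own org's records, or another org's under an ISP."""
    return record.org == user.org or (user.org, record.org) in ISPS


def view_record(user, record):
    """Return the view this user may have of the record (None if denied), and audit it."""
    view = None
    if user.role == "secondary_use":
        # Secondary use never sees identifiable fields; only the pseudonymised view.
        view = {"pseudo_id": pseudonymise(record.nhs_number),
                "org": record.org, "diagnosis": record.diagnosis}
    elif org_in_scope(user, record):
        if user.role in ("support", "safe_haven"):
            # Support and safe haven staff: all relevant patients in scope.
            view = asdict(record)
        elif user.role == "clinician" and record.clinician == user.user_id:
            # Clinicians: only patients they have a legitimate relationship with.
            view = asdict(record)
    AUDIT_LOG.append({"user": user.user_id, "org": user.org, "role": user.role,
                      "nhs_number": record.nhs_number,
                      "outcome": "DENY" if view is None else "ALLOW"})
    return view


def visible_records(user):
    """All views a user can obtain across the shared system."""
    views = [view_record(user, r) for r in RECORDS]
    return [v for v in views if v is not None]


def who_accessed(nhs_number):
    """Audit facility: which users obtained, or were refused, a given record."""
    return [(e["user"], e["outcome"]) for e in AUDIT_LOG
            if e["nhs_number"] == nhs_number]
```

A denied request is recorded as well as an allowed one, so retrospective monitoring can show attempts to read records outside a user's legitimate relationships.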

1.20 Sharing systems - inappropriate data access issues


Scenario - Extend the use of existing clinical/service delivery systems into other organisations in order to provide services, e.g. Community Trust system used by LA or another Community Trust.

IG requirements - an individual organisation and their staff should only have access to the records/data that relate to patients they deal with, based on the equivalent to legitimate relationships, providing staff from:
- PCT Provider/Community Providers: data access should still be restricted on the basis of DPA & Caldicott to content, i.e. patients for that provider only, unless Information Sharing Protocols are in place, and only allow all of the record to be seen by relevant authorised staff. Anecdotal evidence indicates that inappropriate access to records by administrative staff does occur [10].
- PCT Commissioner (assuming that they have access to the system): in this case, staff of the PCT should not have access to person level data; it may be suitable for instance for PCT staff to have access to the system for performance indicators and similar high level reporting.

System requirements to meet DPA & NHS Policy - fine-grained access controls to distinguish between different organisations and different user types and the categories of data that can be accessed, plus audit facilities to check on who has accessed what records.
[10] http://www.computerweekly.com/blogs/tony_collins/2010/05/tell-your-gp-a-secret---and-90.html

64941549.doc Author: Wally Gowing Page 11
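As an added illustration of the system requirement stated in the two scenarios above (fine-grained access control by organisation, role and data category, plus an audit trail), the following Python model is constructed example code, not code from this paper or from SystmOne or EMIS Web. It grants practice and community provider staff access only where a legitimate relationship or a signed Information Sharing Protocol exists, limits reception roles to demographics, gives a commissioner only a pseudonymised view, and logs every attempt so that "who accessed what" can be answered; every organisation, user, patient and the pseudonymisation key is constructed sample data.

```python
"""Access-control model for a clinical system shared across organisations.

Constructed illustration for the TCS sharing scenarios; all names, the
patient data and the pseudonymisation key are made-up sample values.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed secret used to pseudonymise identifiers for the commissioner view.
PSEUDO_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class User:
    name: str
    org: str    # organisation the user belongs to (practice, provider or PCT)
    role: str   # "gp", "clinician", "reception" or "commissioner"


@dataclass
class Patient:
    nhs_number: str
    name: str
    practice: str                                 # registered GP practice
    providers: set = field(default_factory=set)   # providers with a care relationship
    clinical: str = ""                            # clinical content of the record


# Information Sharing Protocols in force: (requesting org, org holding the relationship).
SHARING_PROTOCOLS = {("NorthCommunity", "SouthCommunity")}

# Record categories each role may see; an empty tuple means no person-level access.
ROLE_VIEW = {
    "gp": ("demographics", "clinical"),
    "clinician": ("demographics", "clinical"),
    "reception": ("demographics",),
    "commissioner": (),
}

AUDIT_LOG: list = []   # one entry per access attempt: who, what, outcome


def pseudonymise(value: str) -> str:
    """Keyed hash: commissioners can link rows for a patient without seeing the identifier."""
    return hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def has_legitimate_relationship(user: User, patient: Patient) -> bool:
    """True if the user's organisation registers or treats the patient, or holds an ISP with one that does."""
    if user.org == patient.practice or user.org in patient.providers:
        return True
    return any((user.org, holder) in SHARING_PROTOCOLS for holder in patient.providers)


def access_record(user: User, patient: Patient) -> dict:
    """Return the view of the record this user may see (empty if denied) and audit the attempt."""
    if user.role == "commissioner":
        # Secondary use only: identifiers replaced by a pseudonym, never the identifiable record.
        view = {"pseudo_id": pseudonymise(patient.nhs_number), "clinical": patient.clinical}
        outcome = "pseudonymised"
    elif not has_legitimate_relationship(user, patient):
        view = {}
        outcome = "denied"
    else:
        view = {}
        if "demographics" in ROLE_VIEW[user.role]:
            view.update(nhs_number=patient.nhs_number, name=patient.name)
        if "clinical" in ROLE_VIEW[user.role]:
            view["clinical"] = patient.clinical
        outcome = "granted:" + ",".join(ROLE_VIEW[user.role])
    AUDIT_LOG.append({"user": user.name, "org": user.org, "role": user.role,
                      "patient": patient.nhs_number, "outcome": outcome})
    return view


def accesses_to(nhs_number: str) -> list:
    """Audit query: who has accessed, or tried to access, this patient's record."""
    return [entry for entry in AUDIT_LOG if entry["patient"] == nhs_number]


if __name__ == "__main__":
    # Constructed sample: Mrs Smith is registered at one practice and treated by SouthCommunity.
    smith = Patient("NHS-TEST-0001", "Mrs Smith", "HighStreetPractice",
                    {"SouthCommunity"}, "Podiatry: diabetic foot review")
    for user in (User("Dr Ahmed", "HighStreetPractice", "gp"),
                 User("Pat Jones", "HighStreetPractice", "reception"),
                 User("Sam Lee", "NorthCommunity", "clinician"),      # via ISP with SouthCommunity
                 User("Chris Roy", "EastCommunity", "clinician"),     # no relationship, no ISP
                 User("Jo Patel", "XPCT", "commissioner")):
        print(user.name, access_record(user, smith))
    for entry in accesses_to("NHS-TEST-0001"):
        print(entry)
```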

1.21 Offsetting potential inappropriate data access issues


If the system requirements identified to meet DPA and NHS policy are not available in the short term, then steps must be taken to ameliorate the potential breaking of policy and laws. The following steps are likely to be required:
- Ensuring that clinical staff are aware that they may have access to records for patients with whom they have no legitimate relationship, that professional ethics require them not to look at such records, and that such access can be audited (assuming that these basic facilities exist).
- Sign off by the Caldicott Guardian on behalf of the organisation that the organisation is aware that such access may occur.
- Informing patients that for a limited period their records may be seen by clinicians who do not have responsibility for their care.
- Informing the ICO that such a situation exists.

NB - The above assumes that non-clinical staff cannot access clinical records.


Key questions
The issues set out above can be restated as a set of key questions and actions that apply to PCTs and Receiving organisations. The impact that these questions and issues have will vary depending on the particular set of organisational changes being implemented, e.g. a Social Enterprise being created with new systems compared with a PCT with Community services moving to an existing Receiving Trust. The questions need answering in the affirmative for the IG aspects of the organisational arrangement and associated systems to be potentially considered as being suitable. There may be other detailed points that prevent the IG arrangements being immediately sufficient and effective, but these should be soluble in the long term.

Q1. Are the organisations to which records and data are being transferred (and which will be responsible for them as Data Controller) existing legal entities? (See section 1.2)

Q2. Are the datasets included in the formal statements on transfer of assets between organisations? There may be issues on timing about this, but reference to the need to transfer datasets and records should be made in the formal statements, with details clearly stated subsequently in related formal schedules. (See section 1.2)

Q3. Which organisation owns the system in terms of hardware and software and relevant licences? This organisation is the System Owner. The System Owner for data from transferred PCT provider arms may, for example, be a PCT, an LSP or a Trust. (See section 1.2)

Q4. Which organisation(s) determines the purposes for which the personal data in the system are used (e.g. what data is held and what reports and analyses are required to check what is happening to Mrs Smith)? This organisation is the Data Controller (which may also be the System Owner); there may be more than one Data Controller acting jointly. The Data Controllers for data from transferred PCT provider arms are expected to be the Receiving Organisations. (See section 1.4)

Q5. Which organisation is responsible for safeguarding and processing the data? This organisation is the Data Processor (which may also be the Data Controller). The Data Processors for data from transferred PCT provider arms will be the organisations undertaking data processing for the Receiving Organisations, such as the Receiving Trusts themselves, shared health informatics services (HIS) or LSPs. (See section 1.5)

Q6. Have Privacy Impact Assessments (PIAs) been undertaken for records, data and systems? In particular, have PIAs been undertaken in relation to sensitive services? (See section 1.14)

Q7. If different organisations are identified in Q1, Q2 and Q3, then are there suitable statements and service level agreements between the organisations to define roles etc? (See section 1.5)

Q8. Have the PCT and the receiving organisations notified the ICO of changes to their data controller and data processing responsibilities? (See sections 1.6 & 1.16)

Q9. Are any data orphaned as a result of the data transfer? If yes, are there appropriate data processing agreements in place? (See section 1.7)

Q10. If data and information are shared between organisations or accessed across organisations, are relevant Information Sharing Protocols or Acceptable Use Policies and staff confidentiality agreements in place? Where necessary, are these supported by Subject Specific Information Sharing Agreements? (See section 1.8)

Q11. Where there is orphaned data and information-sharing protocols are in place, have checks been made that inadvertent unauthorised access cannot be made to orphaned data or to records for patients for which the service provider does not have responsibility? If such access can be made, relevant remedial steps are required. (See section 1.13)

Q12. If a social services system is to be used to process health sourced personal data, are there appropriate safeguards on data access in place? If not, has explicit consent for the wider use of the data been obtained from the Data Subjects? (See section 1.10)

Q13. Does the system fully support DPA requirements, Caldicott Principles and the NHS Code of Confidentiality? In particular, can user access be restricted to only those patients that the user should see, either on the basis of organisational responsibility or their care service provision responsibility? (See sections 1.11 & 1.12)

Q14. If the answer to Q13 is no, then are steps being taken to offset potential inappropriate data access, e.g. only nominated social services staff can access health records and vice versa? (See sections 1.13 & 1.10)

Q15. Are relevant RA and user registration mechanisms in place? (See section 1.12)

Q16. Can the receiving organisation meet the DPA requirements of Subject Access requests and DPA S10 enquiries? (See section 1.15)

Q17. Have patients been informed that their data has been transferred and (where appropriate) that additional staff may now access their records? Have Fair Processing notices been modified to reflect TCS induced changes? (See section 1.17)

Q18. Have the organisations' IG policies and procedures been created/amended to reflect the new responsibilities resulting from implementing TCS? (See section 1.16, and for a checklist of policies and procedures see Appendix 5)

Q19. Is additional IG training required for staff as part of TCS implementation? (See section 1.16)


Appendix 1

Key IG concepts and Examples


Data controller - A data controller is a person (recognised in law, thus can be individuals, organisations or other corporate and unincorporated bodies of persons) who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In effect the data controller has full authority to decide how and why personal data is to be processed (this includes using, storing and deleting the data). When a body decides that it wishes to pass the personal data it holds to another organisation, the body is acting as a data controller as it has the authority to take this decision. Whether or not the receiving organisation is also a data controller will depend on whether or not the receiving organisation will have the authority to decide how and why the data will be stored, used and deleted. If the receiving organisation has considerable discretion in this area, it is a data controller. In relation to data controllers, the term "jointly" is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term "in common" applies where two or more persons share a pool of personal data that they process independently of each other.

Data processor - A data processor is an organisation that processes personal data on behalf of another organisation. Processing includes reading, amending, storing and deleting. If a body passes personal data to an organisation, but retains the right to specify what should be done with that data, then the receiving organisation is a data processor. The original body is legally responsible for any breaches of the Data Protection Act committed by any data processor acting on its behalf.

Examples - An Acute Trust running in-house IT and information services is both a Data Controller and a Data Processor; whilst a similar Trust using services from an LSP is the Data Controller whilst the LSP is a Data Processor.

Caldicott Principles
1. Justify the purpose(s)
2. Do not use patient identifiable information unless it is absolutely necessary
3. Use the minimum necessary patient-identifiable information
4. Access to patient identifiable information should be on a strict need-to-know basis
5. Everyone with access to patient identifiable information should be aware of their responsibilities
6. Understand and comply with the law

Caldicott Guardian - is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Each NHS organisation is required to have a Caldicott Guardian; this was mandated for the NHS by Health Service Circular HSC 1999/012 and covers all organisations that have access to patient records.

Information Asset Owner (IAO) - will be a senior member of staff who is the nominated owner for one or more identified information assets of the organisation. It is a core IG objective that all Information Assets of the organisation are identified and that the business importance of those assets is established.

Senior Information Risk Owner (SIRO) - will be an Executive Director or Senior Management Board Member who will take overall ownership of the Organisation's Information Risk Policy, act as champion for information risk on the Board and provide written advice to the Accounting Officer on the content of the Organisation's Statement of Internal Control in regard to information risk.

Appendix 2

Sample - Records Management Procedure for accessing records following the Transfer of Community Services
Active & Inactive records

All records for active patients who at the time of transfer (e.g. 1st April 2011) are receiving treatment by a service that was formerly provided by NHS AA Community Health services and are transferring to either BB NHS Trust or CC Community Health services will transfer to these Receiving Organisations. Responsibility for the transferred records is also transferred to the Receiving Organisation. All records that are inactive (for example if the patient has been discharged from the service or has died prior to the 1st April 2011) have been stored in an off-site document storage facility. These archived records and the responsibility associated with them remain with NHS AA Commissioners.

Records required when a patient is re-admitted to a transferred service

If after the transfer date a patient who had been previously discharged from a service is re-referred to the community service, the receiving organisation may wish to access the patient's records from their previous treatment. Under these circumstances, a request for the records must be made to the responsible department at NHS AA Commissioners, who will locate the records in the archive and transfer them securely to the Receiving Organisation. The time limit for this process will be no longer than 14 working days.

Records requested under Subject Access


Records that have been transferred to receiving organisations

If a request for records is received by NHS AA Commissioners for records which have been transferred to the Receiving Organisations (as per the service destination list), then the request will be forwarded on to the Receiving Organisation and the requester will be advised that their request has been transferred to either BB NHS Trust or CC Community Health Services.

Records that remain with NHS AA Commissioners

If a request for records is received by NHS AA Commissioners for a record that they retain in their archive, they will be responsible for responding to and processing that request.

Requests for records received by a Receiving Organisation that contain NHS AA information

If a request for records is received by a Receiving Organisation and the records contain NHS AA information, e.g. a podiatry record that contains information from when the service was provided by NHS AA Community Health Services (i.e. prior to April 2011) and now also contains records from the service provided by the Receiving Organisation, then the Receiving Organisation must ensure that any information in the record that:
- falls within any of the exemptions set out by the Data Protection Act is removed prior to release;
- could lead to litigation is identified to NHS AA Commissioners for their approval prior to release;
- contains any contentious statements is identified to NHS AA Commissioners for their approval prior to release.

Information must not be released without the consent of the patient or their representative unless instructed by the courts.

Records requested for Litigation

Records that have been transferred to Receiving Organisations

If a letter of claim is received by NHS AA Commissioners and relates to treatment provided to the patient whilst the service was provided by NHS AA Community Health services, but the records have been transferred to one of the Receiving Organisations, then the Receiving Organisation must make the original records available to NHS AA Commissioners within 14 working days of request. Requests should be directed to: BB NHS Trust: , (e.g. Senior Risk Manager) or CC Community Health Services: .., (e.g. IG & Records Manager)

Records that are retained by NHS AA Commissioners

If a letter of claim is received by one of the Receiving Organisations and the historic records had not been transferred to the receiving organisation or subsequently requested when the patient was re-admitted into the service, but are required for litigation, then NHS AA Commissioners will make the original records available to the Receiving Organisation within 14 working days of the request. Requests should be directed to at NHS AA Commissioners.

Records requested by Court or Police


Records that have been transferred to a Receiving Organisation

If records are held by a Receiving Organisation which contain both NHS AA and Receiving Organisation information, then the Receiving Organisation is responsible for complying with the order/request and must release historic NHS AA information that is also retained in the records.

Request received by NHS AA Commissioners for records held by Receiving Organisations

When a request is received by NHS AA Commissioners that relates to records that have been transferred to a Receiving Organisation, then NHS AA Commissioners are responsible for ensuring the Court Order/Police request is forwarded to the Receiving Organisation within two working days and the requester is advised on where the information is held and that their request has been forwarded to the appropriate organisation. Requests should be directed to: BB NHS Trust: , (e.g. Medical Records Manager) or CC Community Health Services: .., (e.g. IG & Records Manager)

Request for records received by Receiving Organisations for records retained by NHS AA Commissioners

When a request is received by a Receiving Organisation for records that are retained by NHS AA Commissioners, then the Receiving Organisation is responsible for ensuring the Court Order/Police request is forwarded to NHS AA Commissioners within two working days and the requester is advised on where the information is held and that their request has been forwarded to the appropriate organisation. Requests should be directed to at NHS AA Commissioners.

Arrangements after abolition of PCTs 2013

After 2013, when the PCTs are abolished, responsibility for the arrangements as listed above will continue to be carried out by the successor body that has inherited and continues the statutory functions previously carried out by PCTs.

Signed in agreement by:

Organisation                    Print Name    Signature    Date
NHS AA Commissioners
BB NHS Trust
CC Community Health Services


Appendix 3

External Information Sharing Protocol


Introduction

This overarching protocol comprises a set of rules that organisations agree to comply with when sharing personal data. It covers all manual, electronic and oral information. This protocol is not a licence to share information but a guide that must be followed by all staff. This overarching document is a Tier 1 document of the 3 Tier health and social care model as approved by the Department of Health. An agreed approach to information sharing between organisations should reduce uncertainty amongst staff, allay suspicion from the public and lessen the frustration felt by those attempting to provide seamless services.

Purpose

The overarching information sharing protocol is the highest level in the protocol structure (tier 1) and applies generally to the sharing of personal data. The protocol will set out a framework for the sharing of information to ensure that the confidentiality and integrity of personal identifiable information is not compromised.

The importance of information sharing

Information sharing must be in the best interests of service users, their carers and families, or the wider public interest. The purpose of information sharing will either relate to the provision of care, including the quality assurance of that care, for the individual concerned, or will be related to non-care, or secondary, services, e.g. service evaluation, research, finance or public health work.

Caldicott and Data Protection

When sharing personal identifiable information, NHS organisations must comply with the Caldicott principles:
1. Justify the purpose for using personally identifiable information.
2. Only use personally identifiable information if absolutely necessary.
3. Use only the minimum data needed for the specific purpose.
4. Restrict access to information only to those who need to know.
5. Individuals should be aware of their responsibilities to keep data confidential.
6. Data should be used and processed in compliance with the law.

By signing this agreement, non-NHS organisations are agreeing to meet the Caldicott requirements with regard to the agreed dataset. All organisations have to comply with the eight principles of the Data Protection Act:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with those purposes.
3. Personal data shall be adequate, relevant and not excessive.
4. Personal data shall be accurate and up to date.
5. Personal data shall not be kept for any longer than is necessary for the purpose.
6. Personal data shall be processed in accordance with the rights of data subjects.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred outside the EEA without adequate protections.


Evidence as to how either party is meeting the requirements of the seventh principle must be produced on reasonable notice. If the party providing information becomes aware of inaccuracies contained within information that has already been shared, they will inform the other party so that all records can be amended.

Is a protocol required?

The table below sets out when a protocol is always required and when it is optional.

Recipient organisation is achieving the required level of information governance performance:
- Sharing for care purposes: Sharing protocol is optional.
- Sharing for non-care purposes: Sharing protocol that focuses on the secondary uses in question, i.e. the purpose, constraints on re-use of information, retention periods and destruction policies, is necessary.

Recipient organisation is unable to demonstrate the required information governance performance:
- Sharing for care purposes: Sharing protocol that addresses the required information governance standards in the recipient organisation and the legal principles that apply is necessary.
- Sharing for non-care purposes: Sharing protocol that addresses the required information governance standards in the recipient organisation, the legal principles that apply and the additional standards associated with the secondary uses in question (i.e. the purpose, constraints on re-use of information, retention periods and destruction) is necessary.

Responsibilities and standards for participating organisations

The signatory organisations listed below will formally adopt this information sharing protocol. Each organisation will take responsibility for dissemination and implementation of this agreement. In respect of any confidential information received from the other party, each party agrees to keep the information secret and strictly confidential and will not disclose any such confidential information to a third party, unless:
- Disclosure is authorised by the prior written consent of the discloser;
- The disclosure is required to make sure the Trust complies with the Freedom of Information Act 2000 (FOIA);
- The information is already in the public domain other than by breach of contract or other act or omissions of the recipient.

Public authorities are subject to the Freedom of Information Act 2000. Both parties will act in line with the FOIA and assist the other with requests where necessary. Each organisation signing this protocol shall have appointed a responsible officer who will ensure the protection of personal identifiable information e.g. Caldicott Guardian or senior manager responsible for data protection. A list of information flows for this instance of data sharing is attached. NHS organisations are required to review all transfers of personal identifiable information annually. Each organisation is committed to ensuring staff are appropriately trained in data protection / Caldicott procedures.


Security of information

Personal identifiable information saved to removable devices such as laptops or USB drives must be encrypted. Email will only be used to send sensitive information when both the sender and recipient use nhs.net accounts. Fax must only be used when the recipient has a fax machine in a secure area. Multiple copies of the information shared should not be made, as this compromises security.

Termination of this agreement

Any changes to this agreement must be agreed by both parties in writing. If the party which is the recipient of information should use that information in any way which is outside of the terms of this agreement or any addition confirmed by both parties, this agreement will be terminated and information sharing will cease. If, on review of this agreement, it is clear that the necessity to share information has ceased, termination must be agreed in writing by both parties. Each organisation will assist in any review carried out.


Appendix 4

Sample - TCS Pre-transfer Information Sharing Protocol

Declaration of acceptance and participation

Information will be shared between XXXX PCT and:
- AA NHS Foundation Trust
- BB Health and Social Care NHS Trust
- CC Acute Hospitals NHS Trust
- DD NHS Foundation Trust

Data to be shared

Before a transfer of XX PCT Community Services takes place, patient identifiable data held on paper records and on systems detailed in the XXXX PCT Systems Catalogue v5.0 will be accessed by a strictly limited number of staff from the above named Trusts.

Reason for sharing information

To develop an understanding of how the systems work.

Access

The following staff will have access to the information:
- Community Services
- Choose & Book
- Human Resources
- IM&T
- Any other authorised user

Destruction details

Once the purpose for information sharing has ended, and where appropriate to do so, information will be disposed of in accordance with NHS and legal requirements (NHS Code of Practice and NHS Retention & Disposal Policy).

Signed by

Signed . . . . . . . . . . . . . . . . . . . . . . . Print Name . . . . . . . . . . . . . . . . . . . . Date . . . . . . . Position . . . . . . . . . . . . . . . . . . . . . . . On behalf of XX PCT

Signed . . . . . . . . . . . . . . . . . . . . . . . Print Name . . . . . . . . . . . . . . . . . . . . Date . . . . . . . Position . . . . . . . . . . . . . . . . . . . . . . . On behalf of recipient Trust

Sample - TCS Post-transfer Information Sharing Protocol

Declaration of acceptance and participation


Information will be shared between:
- AA NHS Foundation Trust
- BB Health and Social Care NHS Trust
- CC Acute Hospitals NHS Trust
- DD NHS Foundation Trust

Data to be shared

Following the transfer of community services, patient identifiable data held on paper records and on systems detailed in the XX PCT Systems Catalogue v5.0 will be accessed by a strictly limited number of staff from the above named Trusts.

Reason for sharing information

To provide community services, each of the above Trusts needs access to the above systems formerly controlled by XX PCT. Each Trust must ensure that staff are reminded they must only access information for work purposes and in relation to patients in whose care they are involved. Each Trust is responsible for the data relating to their own patients. The accuracy and security of the information must be maintained by the individual Trust. Staff having access to these systems must sign a confidentiality agreement.

Access

The following staff will have access to the information:
- Community Services
- Choose & Book
- Human Resources
- IM&T
- Any other authorised user

Destruction details

Once the purpose for information sharing has ended, and where appropriate to do so, information will be disposed of in accordance with NHS and legal requirements (NHS Code of Practice and NHS Retention & Disposal Policy). If a system is to be replaced, this will be discussed jointly with each Trust represented.

Signed by

Signed . . . . . . . . . . . . . . . . . . . . . . . Print Name . . . . . . . . . . . . . . . . . . . . Date . . . . . . . Position . . . . . . . . . . . . . . . . . . . . . . . On behalf of <recipient Trust>


Sample - TCS Project Confidentiality Agreement


The Data Protection Act 1998 requires that all organisations processing personal data keep this information safe and secure. XXXX PCT is required to ensure that it complies fully with all its legal obligations in this area, including data protection, and the need to respect patients' and staff's legitimate expectations of confidentiality. Everyone with access to personal data must accept their responsibility to uphold the requirements of data protection and confidentiality.

On this basis, I agree that any personal or other sensitive information that I receive whilst working at XXXX PCT will be used solely for the purposes of carrying out my role as part of the Transforming Community Services project. I will not use, store, share or disclose any information obtained as part of this process for any other reason, unless with the express authority of XXXX PCT. This includes any transfer of recorded information, and any verbal disclosure.

I will report all potential or actual breaches of confidentiality / Data Protection Act (1998) to my local Information Governance Lead, including the loss, theft or damage of any documents containing personal data I obtained during my visit / work.

I will not store personal data or other sensitive information on a portable device without encryption, and only where absolutely necessary. I will only email personal or other sensitive information with appropriate security / in accordance with the policy of my Trust.

I understand that I owe a duty of confidentiality to any individual whose data is discussed or referred to in any meetings, correspondence, documentation or data that I receive or handle. I will not use any personal information that I receive or gain access to for any other purpose, or divulge it to any third party. I will dispose of any documents containing personal or confidential information securely as soon as my use of them is complete, unless XXXX PCT requires me to return them.

This agreement does not apply to any document or information that I can reasonably establish was in my possession or known to me before the date of this agreement, or which becomes public knowledge otherwise than as a result of a breach of any of the above agreements.

Signed . . . . . . . . . . . . . . . . Print Name . . . . . . . . . . . . . . . . Job Title / Designation . . . . . . . . . . . . . . . . Organisation . . . . . . . . . . . . . . . . Date . . . . . . . .


Appendix 5

IG related policies and procedures that may be affected by TCS


- IG component of Informatics Strategy
- IG Strategy
- IG Policies
- IG Work plans
- Information security policy
- Network security policy
- Remote access security policy
- De-identification/pseudonymisation policy for secondary uses
- Document storage policy
- Housekeeping and anti-virus policies
- Registration Authority
- Acceptable Use policy
- Usage policy - acceptable use of email
- Usage policy - internet
- Usage policy - mobile phone
- Usage policy - telephone usage
- Printing policy
- Home-working policy
- Data Controller
- Data Processors
- IG Toolkit - assessment
- Information Asset & IA Owners Lists (IAO)
- Senior Information Risk Owners Lists (SIRO)
- Serious Untoward Incidents / SUI reporting
- Scope of record access (e.g. limit re MH)
- Subject Access Requests (SARs) procedures
- Section 10s procedures
- Fair processing notices
- Secure transfer of records
- IG Training
