Information Governance

1
Information Governance

• Deployment Issues Risks
• 6th Feb 2007
• Tim D W Wilson
• NHS (South) Deployment IG Lead

2
Trust Responsibilities and Issues

• Changing Caldicott Guardian Responsibilities
• Access Control Framework
• Registration Authentication (Smart Cards)
• Role Based Access Controls (On-going)
• Guidance to sponsors
• Legitimate Relationships (R1 Encounter
  Security)
• Sealed Envelopes
• Audits Alerts
• P2 Sentinel
• Consent / Dissent (Guidance Under Discussion -
  DH)
• IG Toolkit V4
• IG Resource Issues Who is doing the above?

3
Trust Responsibilities and Issues

• The NHS in England the operating framework for
  2007/08 Guidance on preparation of local IMT
  plans
• Sound IG in light of Care Record Guarantee
• Achieving national data quality standards
• Preparing for roll-out of national summary record
  
• BY March 2007(!!)
• Responding to patient requests for-
• Organisations data sharing policy
• Personal clinical information NOT to be shared
  over organisational boundary
• Information on who has accessed their data and
  for what purpose.
• Clear handling policy for patient information
  including consent.
• Disciplinary policies in place that reflect
  importance.
• Disaster Recovery Business Continuity
• (DRBC) Plans

4
Consent / Dissent Process

• The Southern Cluster IG Group View

5
Statement of Compliance and IG Toolkit V4

• Statement of Compliance Replaces NHS Code of
  Connection.
• Compliance is
• That LSP supplied systems and current Trust
  existing systems that connect to LSP systems
  comply with BS7799 / ISO 27001
• IG Toolkit V4 Produces Automatic Report / Action
  Plan Based on Responses
• Trusts have had since 2000 to comply with BS7799!

6
Audit Trail 20 Working Days Response
Patient Expresses Dissent/Concern (every episode
of care)
Further advice e.g. PALS
GP
Mental Health
Acute
PCT
Leaflet / simple form given to patient
Staff Training
Annotate Patient Record
Speak to Clinician
Formal Dissent Form
Still Express Consent
Arrange Appt
Y
N
Still Dissent
Patient Withdraws Dissent
N
Inform Lead Clinician
Y
Flag Dissent by authorised person
Flag Consent (field left blank)
Confirmation Dissent Letter
Confirmation Consent Letter
7
Today's Issues

• Back Office
• R0 and R1 Guidance on Back Office Issues on a
  SharePoint web site soon to go live.
• P2 Sentinel
• 258 Audit items E.G.
• Result Corrections
• Aliases
• Access Encounter (x 8)
• Access Order
• Access Patient
• Reports (Tailored) generated for Caldicott / IG
  Lead
• Limited Access to P2 Sentinel via RBAC

8
Current Security Pre-Deployment The Pragmatic
View!

• Insider threat is biggest threat to information
  security!
• How do we know who has had access to paper
  records?
• Do we ask the patient prior to sharing
  information?
• Multi-disciplinary teams.
• Primary, Mental Health and Acute Staff working
  together.
• Username and password sharing.
• Generic log-on to a system.
• Few current systems have detailed audit trails.
• Patients do ask Who has had access to my
  record?
• Acute Trusts receive 300 requests a month for
  access to records.
• The new systems are more secure.

9
Questions
10
Workshop Session
11
Template Board Paper

• Background
• Key Issues
• Implications for Trust
• Local IG Project Plan Things we need to do
• Costs
• Key Risks
• 5 Key questions for Non Executive Directors

12
Group Workshop

• G1 Background and Key Issues
• G2 Key Issues and Local IG Project Plan
• G3 Local IG Project Plan and Key Risks
• G4 Key Risks and Likely Costs
• G5 Questions Non-Executives Need to Ask