What is Information Governance (IG)?
IG is the way organisations process or handle information. It allows organisations and individuals to ensure personal information is handled legally, securely, efficiently and effectively in order to support delivery of the best possible care.
A massive thank you to the over 800 of you who responded to the Information Governance staff survey during October 2022.
The responses have provided the Information Governance (IG) team with an overview of staff understanding of IG, data protection and cyber security. This is assisting the team to tailor guidance and support to cover the most appropriate topics raised.
In summary, the responses received are very positive and show a high level of understanding among staff. For example:
- 95% said that they know how to raise concerns about unsecure or unlawful uses of data
- 97% said that they know how to use and transmit data securely in DCHS
- 99% said that they know when they should and should not share data, and also how to take personal responsibility for handling data securely
- 97% said that the data security training offered to them supports their understanding in how to use data lawfully and securely
- 100% said that they are aware of the consequences of inappropriately accessing staff/patient records
All comments have been read by the IG team, and some areas have been identified as requiring follow-up actions. A sample of these is given below:
- Computers logged on with smart cards left in place
- Staff being logged onto another account as they have no access on their own account
- Use of mobile phones on car speaker phone where a conversation may be overheard
- A secure method of video transfer
- Difficulty in locating trust policies
- Sending a secure email
- Often not clear cut on what is appropriate to share
- When a patient requests not to share unsure what to do
- No method of passing large files to service providers/managers, e.g. sending large documents containing photographs
In response to the feedback from the IG staff survey, new IG sessions have been set up for all staff to attend.
The Data Protection Act was updated in 2018 with the UK General Data Protection Regulation (GDPR) and the new UK Data Protection Bill.
DCHS resources to support compliance with GDPR:
- Data Protection Legislation fact
- GDPR Key Messages
- Data Protection Impact Assessment template
- Guidance for complying with the rights of individuals under UK GDPR
Other helpful resources are:
- Introduction to the Data Protection Bill
- Information Commissioner's Office website
- Guide to the UK General Data Protection Regulation (GDPR)
- Records Management Code of Practice for Health and Social Care
For more information on the changes go to the ICO website.
What is a data protection impact assessment?
A data protection impact assessment (DPIA) is a process to help identify and minimise data protection risks.
We have an obligation to complete a DPIA before carrying out types of processing likely to result in high risk to individuals’ interests.
We need to identify where there is the potential to cause a widespread or serious impact on individuals. A DPIA should help to minimise risks and assess whether or not remaining risks are justified.
If you're unsure whether to complete a DPIA in relation to the processing of personal data you want to undertake, please contact the IG team or complete the DPIA template following the guidance.
It's important that all staff are aware of where the 'Fair Processing Notice' is and what it does.
If you have any queries please don't hesitate to contact the IG Team.
Guidance & training
As described by the British Medical Association (BMA), patients are increasingly asking to record or video their consultations for a variety of reasons. Please see Patients Recording their Consultations for guidance and information.
Data and cyber security is our shared responsibility. There are simple steps we can take to understand more about the cyber security threats identified as a risk to the NHS and care organisations, and to mitigate risk and protect our patients and their data. Further information can be found at From online to offline, Keep I.T. Confidential - NHS Digital.
What is a phishing email?
It's very easy to become a victim of a cyber-attack if you don't know how to manage phishing emails. A phishing email is not genuine and typically imitates an authentic email. It tries to persuade you to do something, such as clicking a link, opening an attachment or entering data into a form.
If you suspect the email you receive may be a phishing email:
- View your emails using the reading pane, if you use Outlook, so you don't have to open the email
- Think: were you expecting to receive an email or an attachment from this person? You could contact the sender via telephone to check if the email is genuine. Don't use the telephone number in the email to contact the sender
- Does the link in the email look genuine? Check it before you click on it
- Are there grammatical errors or spelling mistakes in the email which could point to the email being fake?
You can report suspicious emails using the "Report Phishing" button on the ribbon within Microsoft Outlook, or by forwarding the email as an attachment to email@example.com
If you do click on any links or images within the email, please contact the Arden and GEM IT Helpdesk straight away by telephone on 0300 123 1020
More information can be found by watching this useful Video about Phishing Emails.
Email disclaimer to use when emailing patients
If a patient wishes to have contact via email you must follow the guidance in the email policy.
Below is a disclaimer that staff can use, and amend as appropriate to their service, to highlight the risks associated with emailing. We ask the patient to agree to it before commencing email contact.
The agreement to the disclaimer should be retained by the service.
If you wish to contact us from your personal email system e.g. gmail, hotmail etc., the transmission cannot be guaranteed 100% secure or error free, information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Derbyshire Community Health Services NHS Foundation Trust and their employees do not accept liability for any errors or omissions within the detail of the email, which may occur as a result of email transmission.
Please confirm by return email if you are happy to continue communicating information with Derbyshire Community Health Services via email. If you are not happy to continue communicating via email, we can use another method of communication such as post or telephone.
It is mandatory for every DCHS staff member to receive annual information governance training. If it is not completed in a timely manner, access to systems may be removed.
The training is accessed via e-learning. Please ensure that:
- You have your smartcard, as you will need this to access the training
- You complete 'Data Security Awareness – Level 1'
The pass mark is 80%, and your employment record is updated immediately on successful completion.
Face to face training
If you would like a member of the team to come and train your team/department, please contact the IG team.
Mobile phones can contain vast amounts of information from contact numbers to door codes.
You must not write key safe codes and door codes in notebooks or on the back of ID Cards. You should either:
- Send the codes in an email to yourself
- Save them as contacts in your phones (only use patient initials in relation to key safe codes)
Mobile phones - guidance
What is the National Data Opt-Out?
The National Data Opt-Out enables patients to opt out of their personal confidential data being used for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.
When a patient opts out of their information being used for research and planning, this is recorded against their NHS number on the national spine. Unless the patient changes their mind, this decision will remain against their NHS number, and it will remain in place after the patient dies. Organisations must ensure that they do not use a patient's information for research and planning if the patient has opted out. DCHS have put together a Standard Operating Procedure which must be followed before any information is used for research and planning purposes.
For further information for patients on how they can opt out follow this link: https://www.nhs.uk/your-nhs-data-matters/
For further information please contact the Information Governance Team at: firstname.lastname@example.org
Access to information is on a strict need to know basis.
Under no circumstances should you:
- access information relating to friends, family, colleagues, neighbours or even your own information
- ask another member of staff to access your records on your behalf
You must only access people's personal records (whether employee or patient) if doing so is in line with your work, for example if you are treating a patient or are involved with the management of a staff member. If asked, you must be able to justify why you have accessed someone's personal information. Access to systems is audited.
Accessing records without being authorised and not having a valid justification for doing so could lead to you:
- going through disciplinary action
- losing your job
- losing your professional registration
- receiving a fine
Recent examples and subsequent consequences of NHS staff accessing records without authorisation:
Former health adviser found guilty of illegally accessing patient records
A health adviser unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. He did so without a valid business reason and without the knowledge of the Trust. Stephen Eckersley, ICO Director of Investigations, said:
"This case is a reminder to people that just because your job may give you access to other people's personal information, especially sensitive data such as health records, that doesn't mean you have the legal right to look at it. Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS."
A former MDT coordinator at an NHS Trust has been dismissed for the 'unauthorised accessing' of the system to find a patient. A complaint was lodged after the staff member used the system to look up the ward her son's ex-girlfriend was on. The staff member said, "I looked up what ward she was on, I went and bought her a present from the nursery shop and I just went in", further commenting "My heart went before my head, it was really an act of kindness." A hospital spokesman said they would always investigate any possible breaches and act in line with our Trust procedures to protect patients in our care.
A former administrator at an NHS Trust has been prosecuted for accessing medical records without authorisation. An internal investigation found that the staff member had inappropriately accessed the medical records without any business need to do so. The records related to seven family members and seven children known to them. They appeared in court and admitted two offences of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was fined £1000, ordered to pay costs of £590 and a victim surcharge of £50.
A former doctor’s surgery employee who inappropriately accessed the records of patients and staff members has been prosecuted. They accessed the electronic clinical records of 228 patients and 3 staff members outside of their role as an administration assistant. They appeared in court and admitted 4 offences of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was fined £350, ordered to pay costs of £643.75 and a victim surcharge of £35.
A staff nurse accessed patients' medical records outside of their role. They inappropriately accessed the records (including maternity and paediatric records) of five patients, 17 times. It was also heard that they made multiple accesses to the records of some of these individuals, including the blood results of a friend 44 times after they had been discharged, as well as foetal scans. The nurse appeared in court and admitted unlawfully obtaining and disclosing personal data, in breach of s55 of the Data Protection Act 1998. She was fined £400 and was also ordered to pay costs of £364.08 and a victim surcharge of £40.
All staff have a responsibility to ensure they are aware of and follow Information Governance Policies and Procedures.
It's DCHS policy to share legitimate information with the police in a justifiable way which upholds the service user's right to confidentiality and releases sufficient, appropriate information to assist the police in their enquiries.
Before releasing information to the police there are certain things to consider and steps to go through.
- Don't feel pressurised to give information because the police have requested it
- Always check the identity of anyone requesting information
- The person requesting the information should present a written request to DCHS staff
- Please don’t feel you’re alone in making a decision. Seek advice from colleagues and your line manager when making a decision about disclosure and record your reasoning and any decisions made.
Under no circumstances must WhatsApp be used for sending person identifiable information about patients or staff.
Guidance regarding the Use of WhatsApp has been developed and we ask that services please read and follow this to ensure they are compliant with policies relating to data protection and staff conduct.
New functionality is available to ensure a consistent approach with the processing of subject access requests across DCHS, in line with GDPR.
Requests for information may come from patients, carers, next of kin, legal authorities or other areas.
Guidance is available (click here) which shows how to record and process the requests using SystmOne functionality. This includes how to exclude any consultations owned by other organisations, for instance GPs, ensuring only relevant DCHS information is released.
For further information please read the access to health records policy or contact the informatics team.
For requests for Access to Adult Health Records please contact the Health Records department at: Walton Hospital, Whitecotes Lane, Chesterfield, Derbyshire, S40 3HW or Email: email@example.com
For requests for Access to Child's Health Records please contact the Chief Executive's Department, Babington Hospital, Belper. Email: firstname.lastname@example.org