Induction Training

Induction Training - [email protected]) or visit our intranet page which has useful links and FAQs Z instead of Z.Treat as or Z [Enforces DPA and FOIA


Page 1: Induction Training - WhatDoTheyKnowIG@nsft.nhs.uk) or visit our intranet page which has useful links and FAQs Z instead of Z.Treat as or Z [Enforces DPA and FOIA

Induction Training


This training session will last approximately 1 hour including the knowledge check at the end

You will learn how to keep data safe, recognise a security issue and who to contact for help

On completion and passing of the knowledge check your annual Information Governance training compliance will be recorded

Whatever your job role in the Trust, you have a responsibility for information governance

Keep up to date: always check our intranet page for news, updates and FAQs


Information Governance…….

Why is it important?

More information….

What’s new?

To reassure our service users, their carers and staff that their most sensitive information is being stored responsibly and handled securely in the strictest confidence, in order to support the delivery of the best possible patient care

ICO can issue fine of £500,000 for serious breach

Contact Information Governance Services ([email protected]) or visit our intranet page which has useful links and FAQs

‘ ’ instead of ‘’. Treat as ‘ ’

or ‘ ’


Enforces DPA and FOIA

Can impose fines – maximum penalty currently £500,000

UK’s independent authority

Upholds information rights in the public interest

Procedures in place to spot potential breaches and stop them?

Has power to check NHS procedures and training programmes


The DPA provides statutory obligations for the way we handle personal data based on eight principles

Policy: C10 Confidentiality

Personal information must be:

Fairly and lawfully processed

Processed for limited purposes

Adequate, relevant and not excessive

Not transferred to other countries without adequate protection

Not kept for longer than necessary

Secure

Accurate and up to date

Processed in line with the data subjects’ rights


The DPA allows for patients to request information about their health records in the form of Subject Access Requests (SARs)

Staff can also ask for information detailed within their employment records

Information must be provided within 40 calendar days of receiving the request

All requests must be sent to the compliance team

Requestor will have access to everything that has been written about them including emails

Make sure everything you record is done in a professional manner and in line with Trust Policy


The FOIA gives the right for members of the public to obtain information held by public authorities unless there are good reasons to keep it confidential

Members of the public, sales people and journalists

Corporate in nature (contract end dates, server locations, staff numbers etc)

No ‘personal’ information under FOIA

Only 20 working days to process FOIA requests

All requests must be sent to the compliance team


Even if you don’t work directly with patient information, you still have a responsibility to protect the confidentiality of personal information

For example, what would you do if you came across some misplaced documents or computer files?

Don’t ignore them

Tell a member of staff or contact reception

Don’t throw them away

Don’t read them or show anyone else

Think! What if this was your personal information? How would you want someone to deal with it?


Consent: You must have a genuine ‘need to know’ to access a patient’s record. Always ensure you have the patient’s permission and consent

Smart Cards: Issued to you for your use only. Unauthorised access can result in disciplinary action. Report lost or faulty cards to the ICT Service Desk to organise re-issue

Legitimate Relationship: You must have a legitimate relationship with the patient and be part of the team caring for them to access their records. Legitimate relationships are monitored and investigated as necessary

Records Management: Use standard abbreviations and ensure you retain records in accordance with Trust policies - C16 Management of Health Records and Q41 Corporate Records Management


Caldicott Principles and Guardian

The Caldicott Principles govern the use of information to ensure that only the minimum amount of person identifiable information is shared and only when absolutely necessary

The Caldicott Guardian is the person with ultimate responsibility regarding sharing information

Justify the purpose

Don’t use PID unless absolutely necessary

Use the minimum necessary

Only on a ‘need to know’ basis

Know your responsibilities

Know and comply with the law

The duty to share information can be as important as the duty to protect patient confidentiality-ISA?


Data Quality

Why

Improves patient care

Reduces clinical risk

Informs national & commissioning reporting

How

Local level business processes in place

Know your processes!

What

Accurate & Up to Date

Relevant & Complete


Laptops

Removable Media

Secure Disposal

Business Continuity

Direct Access

Incident Reporting

Smartcards

User Name and Password

Storing Information Electronically

Phishing

IG3-2 Use of Laptops

IG2-5 Removable Media

IG3-3 Remote Access

IG9-1 Investigating and Reporting

IG7-1 Registration Authority

IG2-2 Network Access Accounts

IIG2-6 Storing Information Electronically


Social Media

Social Media can be used to bully and harass staff

This will not be tolerated by the Trust and any incident could result in disciplinary action

Do not mention the Trust or anything to do with work

Don’t name other staff

Don’t post photographs of staff or patients

Don’t discuss patients

Policy: IG2-8 Use of Social Media


The Internet

Whilst at work you are allowed to use the internet as long as it falls within reasonable personal use

At manager’s discretion – decision is final

Access is monitored

If you inadvertently access a site that is inappropriate, contact the ICT Service Desk

All Trust equipment can be monitored whatever the location

Policy: IG2-4 Use of the Internet


Fax Machines

Use a private and confidential header sheet

Always use the minimum information necessary

Do not include person identifiable information

Check you have entered the number correctly before you press send

After sending, check it has been received

Use a more secure way of sending information if you can

Fax protocol must be displayed beside all fax machines

Policy: IG4-3 Use of Fax Machines


The most appropriate way to pass this information on?

Is it necessary?

Is it legal?

Is it necessary as part of direct patient care?

Does the recipient really need to see the information?

Think

@[email protected]

Where

Type Confidential in the subject line

Replies will appear as ‘secure reply’

How

@nhs.net to @nsft.nhs.uk are NOT [email protected] now offers encryption facility

Replies to encrypted @nhs.net emails are encrypted

NHS Mail

Emailing Confidential Information

Information….

Patient Identifiable

Commercially sensitive

Staff personal

Patient personal

Policy: IG2-3 Standard use of email

Policy: C06 Emailing Service Users

It is illegal to send PID to CSUs/CCGs. Any stats or reports for CSUs/CCGs must be anonymised


Contacts

Caldicott Guardian

Dr Jon Wilson (Deputy Medical Director)

Acts as the conscience of the Trust for all matters of sharing patient information. Works with the Senior Information Risk Owner

Information Governance Services [email protected]

Richard Green, Sahra Smith and Chris Hill, based in Norfolk and Daniel Whiting based in Suffolk. We are here to advise on any information governance issue

Visit our intranet page for IG Policies, FAQs, business continuity and disaster recovery plans

Compliance [email protected]@nsft.nhs.uk

For any questions relating to access to health records or requests made under the Freedom of Information Act


Summary

Before you handle, transfer or move any confidential information
