
Information Governance, Management & Technology (IGMT) … · 2020. 1. 31. · Information Governance, Management & Technology (IGMT) Committee Highlight Report . 18 March 2016


Information Governance, Management & Technology (IGMT) Committee Highlight Report

18 March 2016

Electronic Prescribing Service Release 2

The Committee received an overview and update of the Electronic Prescribing Service (EPS) Release 2. E-prescribing had been introduced as a national solution, enabling patient prescriptions to be sent to a nominated pharmacy electronically rather than in paper format. Patients could nominate any pharmacy close to where they worked, lived or stayed on holiday etc. The benefits of the EPS system included minimised errors and duplication. CCGs needed to achieve 80% of practices deployed as a national target by 31st March 2017; however, this did not include dispensing. The project was now established, with 58 practices already live and a roll out plan for further practices to deploy this functionality, with an aim of reaching a minimum of 65% across the CCGs by end of March 2016. Following discussion about the service, the Committee agreed not to push EPS on remaining non-dispensing practices for the moment but to share information with prescribing groups.

Network Security Policy

The Committee agreed the Network Security Policy. Nottinghamshire Health Informatics Service (NHIS) provided network infrastructure to the Nottinghamshire City and County CCGs. The Network Security Policy presented had been approved by the NHIS Compliance, Risk and Assurance Meeting on 24th February 2016. The previous version agreed by the Committee had been updated with NHIS branding and formatting, with only minor changes to the content of the policy. Further assurance around Standard Operating Procedures had been requested at the time the policy was last approved, and the updated version included some of this detail.

Quarterly Data Quality Report

The Committee received the Quarterly Data Quality Report. The report assured members of the Committee of the overall data quality by providing reports on Secondary Use Services (SUS) data submitted by Trusts relating to their patients. The validity of a number of key data items was presented at National, North Midlands Area Team and Provider level.

The Information Governance, Management and Technology Committee is managed by Rushcliffe Clinical Commissioning Group (CCG) on behalf of Nottingham West CCG, Nottingham North and East CCG, Mansfield and Ashfield CCG and Newark and Sherwood CCG


Closure Report for RA software

The Committee received the Closure Report for RA software. The paper provided assurance to the Committee that the Care Identity Service (CIS) deployment, which was the replacement for the Calendra and User Identity Manager (UIM) systems, had been fully implemented.

Information Governance Toolkit and Project Assurance Report

The Committee received an Information Governance Toolkit and Project Assurance Report. The purpose of this paper was to provide the Committee with the proposed Information Governance Toolkit submission positions for the end of March 2016 for each of the five CCGs. Furthermore, the paper sought to provide assurance that the requisite project work had been completed in relation to the key Information Governance Toolkit projects regarding confidentiality audit, data flow mapping and the information asset management programme of work. The Committee noted that all CCGs were expecting to achieve level two for all 28 indicators and all project work had been completed. 360 Assurance had completed audits for six of the 28 indicators and reports would be presented to CCGs' Audit Committees.

Update on DSCRO services

The Committee received an update regarding the DSCRO. Further to the last meeting, it was now expected that the provision of DSCRO services would change in March 2017. HSCIC would then provide the service nationally; therefore, there was no need for separate DSCRO services. To facilitate this change, DSCRO services that already existed could be extended to March 2017, which was a further year than was to be expected.


MINUTES OF THE INFORMATION GOVERNANCE, MANAGEMENT AND TECHNOLOGY COMMITTEE

Friday 18th March 2016, 1.30 pm – 4.00 pm, Stapleford Suite, Stapleford Care Centre, Stapleford

MEMBERSHIP Andy Hall Alexis Farrow Paul Gardner Sarah Bray (A) Nichola Bramhall Dr Mike O’Neil Hazel Buchanan Elaine Moss (A) Paul Morris Dr Sean Ottey (A) Eddie Olla Gary Flint (A) Jacqueline Taylor

Director of Outcomes and Information & SIRO (Chair) Information Governance Lead, Mid Nottinghamshire Information Governance Lead, South Nottinghamshire Chief Finance Officer and Senior Information Risk Owner Director of Nursing and Quality & Caldicott Guardian Clinical Representative & SIRO Director of Operations & SIRO Director of Quality and Governance & Caldicott Guardian Lay Member General Practitioner & Clinical Representative Director of Health Informatics Head of Customer Services and Business Support Head of Transformation

Nottingham South CCGs Arden and GEM CSU Nottingham City CCG Mansfield & Ashfield CCG and Newark & Sherwood CCG Nottingham South CCGs Nottingham West CCG Nottingham North and East CCG Mansfield & Ashfield CCG Newark and Sherwood CCG Rushcliffe CCG NHIS NHIS NHIS

IN ATTENDANCE Gina Holmes Marcus Pratt (A) Caroline Stevens Craig Sharples Diane Butcher Sergio Pappalettera Andy Evans (A) Mike Press (A) Jason Mather (A) Debbie Pallant (A)

Corporate Governance Officer Deputy Chief Finance Officer Governance Officer Head of Governance Head of Information & Performance Contract and Information Manager Programme Director Head of Technical Solutions Primary Care Development and Service Integration Manager Corporate Governance Manager

Mansfield & Ashfield CCG and Newark & Sherwood CCG Rushcliffe CCG Nottingham West CCG Mansfield & Ashfield CCG and Newark & Sherwood CCG Mansfield & Ashfield CCG and Newark & Sherwood CCG Nottingham North and East CCG Connected Nottinghamshire NHS NHIS NHS Nottingham City CCG NHIS

(A) Depicts Absent/Apologies


Item No. AGENDA ITEM - KEY POINTS OF DISCUSSION Actions

IGMT/16/031 Welcome and Introductions AH welcomed all to the meeting and a round of introductions took place.

IGMT/16/032 Apologies Apologies were received from Sean Ottey, Andy Evans, Jason Mather, Elaine Moss, Marcus Pratt and Sarah Bray.

IGMT/16/033 Declarations of Interest There were no declarations of interest.

IGMT/16/034 Minutes of Meeting held on 22nd January The minutes of the last meeting held on 22nd January 2016 were agreed as an accurate record.

IGMT/16/035 Matters Arising from previous meeting (not picked up within agenda):

IGMT/15/064 – JT and PG did not discuss the NHIS Business Continuity Plan; however, updated plans had been provided for the CCG to submit for their IG toolkits.

IGMT/15/147 – South Nottinghamshire CCG leads to inform CS whether the Smart Card Policy was reflective of the disciplinary policy regarding breaches ahead of the following meeting.

IGMT/15/152 – GH provided the GP server refresh project board update to CS; this would be disseminated following the meeting. GH reported that a Privacy Impact Assessment was being approved that week.

IGMT/16/016 – PG had updated the register; however, further information would be required, which would be covered in the meeting.

IGMT/16/019 – A formal project was being established regarding the updating of the Community of Interest Network (COIN) and this would be reported to the Committee. A paper had been presented to the Partnership Board regarding the penetration testing. The COIN would be replaced so was not tested; however, 360 Assurance would conduct an audit from April 2016 and a further academic assessment would be completed in 2016/17 to provide the required assurance.

IGMT/16/028 – The Vanguards had been included as a standing agenda item on the Records and Information Group (RIG) agenda and PG was linking with AE about progress.

IGMT/16/028 – PG had raised discussions regarding changes from read only to writeable records across providers at the Records and Information Group and outcomes would be reported back to the IGMT Committee.

IGMT/16/028 – A new chair for the Records and Information Group had not yet been identified and was still being sought.

All other actions were agreed complete.

CCG Leads CS


IGMT/16/36 CGA/ Information Sharing CQUIN

In AE’s absence, the Committee agreed to defer this item to the following meeting.

The Committee NOTED the update

IGMT/16/037 Electronic Prescribing Service Release 2

JT provided an overview and update of the Electronic Prescribing Service (EPS) Release 2 to the Committee for information.

E-prescribing had been introduced as a national solution, enabling patient prescriptions to be sent to a nominated pharmacy electronically rather than in paper format. Patients could nominate any pharmacy close to where they worked, lived or stayed on holiday etc. The benefits of the EPS system included minimised errors and duplication.

CCGs needed to achieve 80% of practices deployed as a national target by 31st March 2017; however, this did not include dispensing. The project was now established, with 58 practices already live and a roll out plan for further practices to deploy this functionality, with an aim of reaching a minimum of 65% across the CCGs by end of March 2016.

GP practices would be encouraged to use EPS unless patients requested otherwise. The only resource required from practices was the time spent to implement, and savings were found in paper and time, with positive feedback from those that had implemented already. JT noted that the feedback from those that had not yet implemented was just about the time needed to implement.

JT explained that the functionality of GP systems did not suit dispensing practices and EPS, and both system suppliers were developing functionality. The Committee agreed to wait until functionality had improved.

Following discussion about the service, the Committee agreed not to push EPS on remaining non-dispensing practices for the moment but to share information with prescribing groups.

The Committee NOTED the update

IGMT/16/038 Network Security Policy

EO presented the Network Security Policy to the Committee for agreement.

Nottinghamshire Health Informatics Service (NHIS) provided network infrastructure to the Nottinghamshire City and County CCGs. The Network Security Policy presented had been approved by the NHIS Compliance, Risk and Assurance Meeting on 24th February 2016. The previous version agreed by the Committee had been updated with NHIS branding and formatting, with only minor changes to the content of the policy. Further assurance around Standard Operating Procedures had been requested at the time the policy was last approved, and the updated version included some of this detail.


In answer to a question, EO explained that changes to the locally managed Community of Interest Network (COIN) were not reflected in the policy as local activity on the COIN needed to be tested locally.

The Committee agreed to an 18 month review date for the policy; this would support policy availability for IG toolkit submissions.

The Committee AGREED the policy

IGMT/16/039 Quarterly Data Quality Report

AH presented the Quarterly Data Quality Report to the Committee for information.

The report assured members of the Committee of the overall data quality by providing reports on Secondary Use Services (SUS) data submitted by Trusts relating to their patients. The validity of a number of key data items was presented at National, North Midlands Area Team and Provider level.

AH noted that some of the metrics in the appendices had changed since previous versions; however, no significant deterioration or change had been recorded.

In answer to a question, AH noted that the data reported were indicators of completeness and did not have a financial impact as they did not directly influence charging. He noted a slight deterioration in Sherwood Forest Hospitals Trust (SFHT) and that Nottinghamshire Healthcare Trust (NHCT) had a higher proportion of coding issues.

In answer to a question regarding ensuring coding to the correct commissioner, AH explained that some further validation tests could be completed; however, the issue remained due to restrictions on data for commissioners. This was also true of specialised commissioning and was not completed routinely as in previous years.

The IGM&T Committee:

a. NOTED the content of the Quarterly Data Quality Report;

b. NOTED the relatively good data quality that continues in Nottinghamshire;

c. ACKNOWLEDGED the work on-going with Nottingham University Hospitals NHS Trust, Sherwood Forest Hospitals NHS Foundation Trust and Nottinghamshire Healthcare NHS Trust in order to address the identified data quality issues;

d. NOTED the continued work on internal data validation processes to capture any further variations in counting and coding accuracy, both from a technical and audit perspective;

e. NOTED the role the Data Management Team played in progressing this agenda;

f. NOTED the excellent progress made against the five recommendations in the CCGs’ internal audit in respect to data quality.


IGMT/16/040 Closure Report for RA software

JT presented the Closure Report for RA software to the Committee for information.

The paper provided assurance to the Committee that the Care Identity Service (CIS) deployment, which was the replacement for the Calendra and User Identity Manager (UIM) systems, had been fully implemented. JT reported that overall the project had gone well with good engagement. The closure report included all that were in the project and AH passed on thanks to the teams involved.

The Committee NOTED the update

IGMT/16/041 Information Governance Toolkit and Project Assurance Report

PG presented the Information Governance Toolkit and Project Assurance Report to the Committee for information.

The purpose of this paper was to provide the Committee with the proposed Information Governance Toolkit submission positions for the end of March 2016 for each of the five CCGs. Furthermore, the paper sought to provide assurance that the requisite project work had been completed in relation to the key Information Governance Toolkit projects regarding confidentiality audit, data flow mapping and the information asset management programme of work.

PG reported that all CCGs were expecting to achieve level two for all 28 indicators and all project work had been completed. 360 Assurance had completed audits for six of the 28 indicators and reports would be presented to CCGs' Audit Committees. AH passed on thanks to the teams involved.

The Committee NOTED the report

IGMT/16/042 CCG Information Governance Toolkit Action Plans for Mid Nottinghamshire CCGs

AF presented the Information Governance Toolkit Action Plan to the Committee for information.

The paper provided the action plans for the Mid Nottinghamshire CCGs. The action plans set out the current IG toolkit levels and scores for the respective CCGs and the associated actions to reach level two in all 28 indicators by the end of March 2016. The Committee was requested to receive assurance that appropriate plans were in place to meet the IG toolkit requirements at a ‘satisfactory’ level.

The Committee NOTED the action plans


IGMT/16/043 Cyber Security Risks – 360 Benchmarking Report

AH presented the Cyber Security Risk Report to the Committee for information.

The paper presented was a benchmarking report of 360 Assurance reviews with their 44 clients. The report provided a useful checklist of items to consider regarding cyber security risks and examples of work elsewhere. AH noted that the report highlighted varied understanding of cyber security at Governing Body level and that since the report some of the CCGs had delivered cyber security assurance sessions.

Action: AH to share cyber security training slides with Mid Nottinghamshire CCGs

PG noted that he had presented an assurance report to the Nottingham City’s ICT Committee in response to this report. The Committee agreed this would be useful to receive for County CCGs.

Action: PG to tailor City CCG report to include all work that NHIS has done to report at next committee.

Action: EO/ NHIS to provide a report of real threats for Governing Bodies.

The Committee NOTED the report

AH PG EO/ NHIS

IGMT/16/044 Threats of Public Wifi Report

AH presented the Threats of Public Wifi Report to the Committee for information.

The report provided important advice and guidance for organisations and individuals on the potential threat from criminals when using free WiFi in public access areas. It was not related strictly to the NHS; however, many organisations provided this service. It provided information that IT Departments and staff in NHS organisations should be aware of when providing or using WiFi in public access areas. CCGs should be ensuring that NHS properties in their patch were providing public WiFi.

The Committee discussed the need to ensure appropriate bandwidth distribution between public WiFi and clinical systems.

EO reported that NHIS did not currently provide any public WiFi; however, it had been asked to consider this. It would need to be charged separately so that it did not affect existing systems. NHIS needed to understand what was required, pilot and present a business case when needed.

In answer to a question, EO confirmed that this was being considered from a building perspective rather than a provider perspective and, therefore, only for those buildings with services supported by NHIS.


The Committee NOTED the report

IGMT/16/045 Update on Digital Roadmap

In AE’s absence, AH provided an update to the Committee regarding the Digital Roadmap.

As part of the Sustainable Transformation Plans across all six Nottinghamshire CCGs, there was a requirement to include the plan for development of digital services through the Digital Roadmap. AE was leading this work, which needed to be submitted by June 2016. The first version for members to contribute towards would be available by the end of April 2016. AH would present at the May 2016 meeting; however, authority would be delegated to select members to sign off in June 2016.

The Committee NOTED the update

IGMT/16/046 Update on DSCRO services

AH provided an update to the Committee regarding the DSCRO.

Further to the last meeting, it was now expected that the provision of DSCRO services would change in March 2017. HSCIC would then provide the service nationally; therefore, there was no need for separate DSCRO services. To facilitate this change, DSCRO services that already existed could be extended to March 2017, which was a further year than was to be expected.

AH highlighted that the current contract with North of England CSU had been negotiated down from £55,000 to £33,000 per year.

The Committee NOTED the update

IGMT/16/047 Information Governance Risk Register and Issues Log

PG presented the updated Information Governance Risk Register for noting.

This had been reviewed by the IG Leads meeting and updates had been received by all leads following the last meeting. The register still reported two risks: flows of data and section 251s.

The Committee noted that the DSCRO risk should be reduced to 1 x 2 following the update earlier in the meeting; however, the risk around governance and reputation remained. No further update was needed for the issues log.

Cyber security was considered and the Committee agreed to reassess at the May 2016 meeting following receipt of the Assurance Report.

Action: PG to update risk register

The Committee NOTED the updated risk register

PG


IGMT/16/048 National Updates

PG noted the national consent model where patients were asked only once to consent for biometrics, research, secondary use and direct care. Fiona Caldicott would be publishing a consultation on this and it was expected to be an opt out process.

IGMT/16/049 NHIS Update Performance Report

EO presented the performance report to the Committee for information.

The report consisted of highlights from February 2016 performance reports, showing trends and Key Performance Indicators (KPI). There was an accompanying analysis of data specifically around KPIs requiring improvement to meet the Service Level Agreement (SLA) targets. These identified KPIs that had associated actions assigned with an intention to improve.

EO noted that NHIS were consistently meeting targets and that, that year, the Partnership Board had agreed a separate audit to provide assurance on performance figures. AH passed on thanks to Angela Hawley and the teams for work and improvements made since the previous year.

MO noted issues with accessing ICE and the need for this to be reported. The Committee agreed this should be raised at the IM&T SRO Programme Board the following week.

The IGM&T Committee NOTED the report

IGMT/16/050 NHIS Update Project Status Report

JW presented the project status report to the Committee for noting.

The purpose of this status report was to provide a high level overview of the current status of the major Information, Communication and Technology projects being conducted by Nottinghamshire Health Informatics Service (NHIS) across NHS Nottinghamshire County. This high level project status report supported the detailed status reports produced for each Clinical Commissioning Group (CCG).

Within the CCGs there were 85 GP Practices, 75 using the clinical system TPP SystmOne and the remaining 10 using EMIS Web. Of the 10 practices on EMIS Web there were three practices in the process of migrating to TPP SystmOne (Ruddington, Pleasley and Bramcote).

The IGM&T Committee NOTED the report

IGMT/16/051 Capital Bids – Projects Financial Status

In AE’s absence, JT presented the capital bid documents to the Committee for noting. Reports were presented for GP Mobile Working and GP Refresh.


The IGM&T Committee NOTED the reports

IGMT/16/052 Project Briefs

JT presented two project briefs to the Committee for information.

The Ruddington Medical Centre TPP SystmOne GP Module Deployment was due to go live on 17th May 2016 and the Bramcote Surgery TPP SystmOne GP Module Deployment was due to go live on 14th June 2016.

The Committee NOTED the Project Briefs

IGMT/16/053 CfH Exit and Transition

JT provided an update to the Committee regarding the Connecting for Health exit and transition.

JT reported that, for community services, those with SystmOne units across the patch were considering one provider holding the contract and then recharging the others, which would work better for all involved. For GP practices, this was in progress and all practices on LSP contracts would be moved over. This would be completed by end of March 2016.

The Committee NOTED the update

IGMT/16/056 Accessible Information Standard

AH provided an update to the Committee regarding progress with the Accessible Information Standard.

Provider organisations had been asked to provide updates on progress with the standard and this would be discussed at the IM&T SRO Programme Board the following week. South Nottinghamshire CCG GP Practices had been informed about the standard via practice bulletins and Equality and Diversity Leads attending Practice Manager Forums.

EMIS had provided guidance for coding of communication needs; however, SystmOne had not yet released guidance for this and it was expected in May 2016. As providers were required to start recording communication needs from 1st April 2016, Stephen Murdock, Head of Primary Care IT, had drafted some guidance for practices to use in the interim.

Action: CS to share information and guidance with Mid Nottinghamshire CCGs

The Committee NOTED the update.

CS

IGMT/16/055 Privacy Impact Assessments Overview/ Summary

PG presented the Privacy Impact Assessment (PIA) summary to the Committee for information.


PG noted that the format of the summary had been changed so it was now easier to read and members agreed that this was preferred.

Further to the report, the GP server refresh PIA had identified some risks that would be presented to the Project Board; however, it was otherwise signed off. PIAs had been completed in Mid-Nottinghamshire; however, some were on hold pending information from third parties. PG also noted that the GPRCC project and MIG phase 2 would revisit PIAs.

The Committee NOTED the summary

IGMT/16/056 Nottingham City CCG ICT Committee Meeting Minutes 11th January 2016 and 8th February 2016 The Committee NOTED the minutes

IGMT/16/057 Partnership Board update AH provided an update to the Committee regarding the Partnership Board. AH reported that the last Partnership Board had been held on Monday that week. Andrew Fearn, Director of IT at NUH, had attended specifically to discuss the process for NUH and SFHT under strategic partnering and the work that would be done around ICT functions. It was still very early in the planning stages; however, they had agreed to share learning across both trusts. Assurance was provided of no immediate change to service provision from NHIS and that NUH and SFHT would operate as two separate entities from an IT perspective.

The Committee noted that there had not yet been a Privacy Impact Assessment completed for CareCentric; however, a Project Board would be formed and a Project Manager had now been appointed.

AH noted that a 360 review had suggested a move away from the Service Level Agreement (SLA) currently in place towards a formal contract. A draft document was being circulated for comment that week with the aim of trying to reach agreement by the end of March 2016. The SLA would still sit under the formal contract detailing the service to be provided. AH, DB and JM would develop this with EO.

The Committee noted that the ICT/IMT performance metrics for the national lead provider framework had been considered against local existing metrics and this had led to the implementation of more stringent local metrics.

The Board had discussed a proposal from Andrew Haw, Director of IT at NHCT, to become a member of the Board. CHP IT services were no longer provided by NHIS; however, this was under consideration and the possibility of NHCT having two separate IT providers was being debated further. The Committee NOTED the update.


IGMT/16/058 Data Management Group minutes The last meeting of the Data Management Group was 4th March 2016, however, minutes were not available at the time the Committee agenda and papers were sent to members so would be included on the next agenda

IGMT/16/059 IG Leads meeting update There had been no meeting of the IG Leads meeting since the last IGMT Committee meeting.

IGMT/16/060 Records and Information Group Update PG provided an update on the Records and Information Group (RIG) to the Committee for information. PG reported that the group would be producing an annual report and would share it with this Committee at the May 2016 meeting. The group was also considering how it could support Vanguards. Action: CS to add to May 2016 IGMT agenda.

AH noted that Andy Evans, Programme Director of Connected Nottinghamshire, had wanted to discuss reporting and membership for the Data Advisory Group as part of a wider data quality review and had commissioned a role for three months to look at developing the data quality strategy. AH asked members to please share their time if they were contacted about this. AH also noted the RIG had not yet replaced its GP lead and chair and asked members to encourage their local GPs to join the membership. The IGM&T Committee NOTED the update.

IGMT/16/061 Forward Programme Action: ALL members should forward any other agenda items to CS

ALL

IGMT/16/062

Any Other Business No other business was noted

Date and Time of Next Meeting
1.30 pm – 4.00 pm on Friday 27th May 2016
Stapleford Care Suite, Stapleford Care Centre, Stapleford

‘Members should inform the meeting secretary of any apologies and deputies attending on their behalf at least 10 working days prior to the next meeting. This is to ensure that the meeting is quorate and any action from potential declarations of interest are handled appropriately in advance’.


Abbreviation | Meaning
ADT | Admissions Discharges and Transfers
AHP | Allied Health Professional
AHR | Access To Health Record request
AQP | Any Qualified Provider
ASH | Accredited Safe Haven
AUP | Acceptable Use Policy
BAU | Business As Usual
BC | Business Continuity
CAB/C&B | Choose and Book
CAG | Confidentiality Advisory Group
CCG | Clinical Commissioning Group
CDS | Commissioning Data Set
CfH | Connecting for Health (now replaced by NHSE and HSCIC)
CG | Caldicott Guardian
CSU | Commissioning Support Unit
DH/DoH | Department of Health
DMIC | Data Management Information Centre (old name for DSCRO)
DPA | Data Protection Act
DR | Disaster Recovery
DSA | Data Sharing Agreement
DSC | Data Sharing Contract
DSCN | Data Set Change Notice
DSCRO | Data Service for Commissioners Regional Office
EPR | Electronic Patient Record
EPS | Electronic Prescribing Services
FOI(A) | Freedom of Information (Act)
GEMCSU | Greater East Midlands Commissioning Support Unit
GP | General Practice
GPES | General Practice Extraction Service
HES | Hospital Episode Statistics
HIS | Health Information Service/System
HPA | Health Protection Authority
HSCIC | Health & Social Care Information Centre
IAA | Information Asset Administrator
IAO | Information Asset Owner
ICO | Information Commissioners Office
IG | Information Governance
IGSoC | Information Governance Statement of Compliance
IGT | Information Governance Toolkit
IGTT | Information Governance Training Tool
ISA | Information Sharing Agreement
ISP | Information Sharing Protocol
KPI | Key Performance Indicator
LA’s | Local Authorities
LES | Local Enhanced Service
LSP | Local Service Provider
NACS (Now ODS) | National Administrative Codes Service
NHSCB | NHS Commissioning Board (old name for NHSE)
NHSE | NHS England
NWW | NHS Wide Web
ODS (Previously NACS) | Organisation Data Service
PCD | Personal Confidential Data
PHE | Public Health England
PIA | Privacy Impact Assessment
QIPP | Quality Innovation Productivity and Prevention
QOF | Quality Outcome Framework
RA | Registration Authority
SAR | Subject Access Request
SBS | Shared Business Service
SI/SUI | Serious Incident/Serious Untoward Incident
SIRO | Senior Information Risk Owner
SUS | Secondary Use Service
VSO | Voluntary Services Organisation
…..

Definitions

Primary Use of data – is when information is used for healthcare and medical purposes. This would directly contribute to the treatment, diagnosis or the care of the individual. This also includes relevant supporting administrative processes and audit/assurance of the quality of healthcare service provided.

Weak pseudonym (such as NHS number or postcode) – The classification of a weak pseudonym stems from the fact that unless a user has access to another system that requires authorisation and user authentication etc (eg Exeter or the Spine) then the individual cannot be identified from the NHS number alone.


Information Governance, Management & Technology (IGMT) Committee Highlight Report

27 May 2016

Portal
The Committee received an overview and update for the Local Digital Roadmap (LDR) and the Community Portal. The portal brought together several different technologies displaying information from different sources together in a user’s own system. In Nottinghamshire, all health and social care organisations would either contribute or consume the new portal. It would link locally with two other integration systems already in place to provide its functionality, the Medical Interoperability Gateway (MIG) and the General Practice Repository for Clinical Care (GPRCC). Nottingham University Hospitals (NUH) Trust was hosting the portal and had now held their first project board to progress implementation. The portal would be funded through the Vanguard for year one and year two, whereas year three as part of the New Model of Care (NMC) would be funded by providers and other entities. The LDR was similar to the Connected Nottinghamshire Blueprint and supported the four gaps identified in the Nottinghamshire Sustainable Transformation Plan (STP). A draft version of the LDR was expected shortly and a workshop on 8th June 2016 would review the LDR and agree how this needed to be signed off ahead of the STP submission deadline on 30th June 2016.

Information Governance Management and Technology Committee Terms of Reference
The Committee AGREED its terms of reference for approval at Governing Bodies. The terms of reference described the reporting structures of the five Nottinghamshire County CCGs for Information Governance and Information Management and Technology, the membership of the Committee and the CCGs’ responsibilities and duties. Changes from the previous version included a reduction in the number of meetings from six per year to four per year, a few minor wording changes and an update to the membership in terms of new colleagues in roles.
The Committee noted that it was critical to have a mid-Nottinghamshire clinician as a representative on the membership and that this position was currently vacant. The Committee discussed the membership and noted that deputies attended every meeting for some members. The Committee agreed that this should be discussed by Governing Bodies where terms of reference had been agreed.


Information Governance, Management and Technology Committee Annual Report 2015/16
The Committee APPROVED the annual report for 2015/16. The annual report provided an overview of the activities and achievements of the IGMT Committee throughout 2015/16 and its objectives for 2016/17.

Cyber Security Risks Assurance Report
The IGM&T Committee APPROVED the Cyber Security Risks Assurance Report. The purpose of the paper was to provide the Committee with assurance in regards to the technical and procedural processes in place to minimise against a cyber-attack and demonstrated plans and capabilities in place to respond to cyber incidents. The paper was also a response to ‘Benchmarking Report on Cyber Security Risks’, a report produced by the CCGs’ internal auditors. The information within the internal audit report was collected at Governing Body level, which highlighted some key themes relating to the lack of understanding regarding the ‘real’ risk that cyber security presents to an organisation. The Committee received the report as positive assurance around 360 audit review and support for future areas of development.

Password Assurance Report
The Committee NOTED a Password Assurance Report. The Committee noted that systems should be requesting password resets for accounts regularly; however, different organisations wanted different request timeframes and, as the NNOTTS domain was 2003, it was only possible to have one policy across all, so this needed to be agreed collectively. The Committee recommended that password resets were requested every 60 days; although it noted that this would not meet HSCIC guidelines, it would be an improvement and could increase at a later date. NHIS would email other organisations to show intent and seek confirmation and approval of that for confirmation at the end of June 2016.

Inaccuracy in TPP QRisk Calculator
The Committee NOTED an error in the QRisk2 Calculator in SystmOne that had been highlighted in the media.
TPP had developed a fix; however, it was not clear if all practices had applied it, as it needed to be implemented at practice level. Communication had been sent to practices in South Nottinghamshire and would be shared with Mid Nottinghamshire CCGs. The Committee also noted that the Department of Health had instructed organisations not to sign TPP contracts until clinical safety teams had provided assurance that this issue had been resolved.


MINUTES OF THE INFORMATION GOVERNANCE, MANAGEMENT AND TECHNOLOGY COMMITTEE

Friday 27th May 2016, 1.30 pm – 4.00 pm, Stapleford Suite, Stapleford Care Centre, Stapleford

MEMBERSHIP
Name | Role | Organisation
Andy Hall | Director of Outcomes and Information & SIRO (Chair) | Nottingham South CCGs
Alexis Farrow | Information Governance Lead, Mid Nottinghamshire | Arden and GEM CSU
Paul Gardner | Information Governance Lead, South Nottinghamshire | Nottingham City CCG
Sarah Bray (A) | Chief Finance Officer and Senior Information Risk Owner | Mansfield & Ashfield CCG and Newark & Sherwood CCG
Nichola Bramhall | Director of Nursing and Quality & Caldicott Guardian | Nottingham South CCGs
Dr Mike O’Neil | Clinical Representative & SIRO | Nottingham West CCG
Hazel Buchanan (A) | Director of Operations & SIRO | Nottingham North and East CCG
Elaine Moss | Director of Quality and Governance & Caldicott Guardian | Mansfield & Ashfield CCG
Paul Morris (A) | Lay Member | Newark and Sherwood CCG
Dr Sean Ottey (A) | General Practitioner & Clinical Representative | Rushcliffe CCG
Eddie Olla (A) | Director of Health Informatics | NHIS

IN ATTENDANCE
Name | Role | Organisation
Jacqueline Taylor | Head of Transformation | NHIS
Gina Holmes | Corporate Governance Officer | Mansfield & Ashfield CCG and Newark & Sherwood CCG
Marcus Pratt | Deputy Chief Finance Officer | Rushcliffe CCG
Caroline Stevens | Governance Officer | Nottingham West CCG
Craig Sharples | Head of Governance | Mansfield & Ashfield CCG and Newark & Sherwood CCG
Diane Butcher | Head of Information & Performance | Mansfield & Ashfield CCG and Newark & Sherwood CCG
Sergio Pappalettera | Contract and Information Manager | Nottingham North and East CCG
Andy Evans | Programme Director | Connected Nottinghamshire NHS
Mike Press (A) | Head of Technical Solutions | NHIS
Jason Mather (A) | Primary Care Development and Service Integration Manager | Nottingham City CCG
Debbie Pallant (A) | Corporate Governance Manager | NHIS
Daniel Woods | Project Manager | Nottingham City CCG

(A) Depicts Absent/Apologies


Item No. AGENDA ITEM - KEY POINTS OF DISCUSSION Actions

IGMT/16/063 Welcome and Introductions

AH welcomed all to the meeting and a round of introductions took place.

IGMT/16/064 Apologies Apologies were received from Sean Ottey, Hazel Buchanan, Sarah Bray, Eddie Olla and Paul Morris.

IGMT/16/065 Declarations of Interest There were no declarations of interest

IGMT/16/066 Minutes of Meeting held on 18th March 2016 The minutes of the last meeting held on 18th March 2016 were agreed as an accurate record with the following amendment. IGMT/16/016 – Penetration testing noted was specific to the GPRCC component only.

IGMT/16/067 Matters Arising from previous meeting (not picked up within agenda):

• IGMT/15/147 – CS reported that references to disciplinary action made in the smart card policy reflected the disciplinary process detailed in Rushcliffe CCG Disciplinary Policy

• IGMT/15/152 – GH would resend the GP server refresh project board update to CS, for dissemination to members

• IGMT/16/043 Cyber Security Risks – 360 Benchmarking Report. AH reported that he had shared the cyber security training slides with Mid Nottinghamshire CCGs and agreed to attend Governing Bodies to present

• IGMT/16/043 PG had amended the City CCG report responding to Cyber Security Risks – 360 Benchmarking Report to reflect County CCGs and included all work that NHIS has completed. This was included on the meeting agenda

• IGMT/16/043 EO was drafting a report of Cyber Security real threats. This would be presented at the following IGMT Committee meeting before presentation to the Governing Body

• IGMT/16/047 PG had updated the Information Governance risk register and this was included on the meeting agenda

• IGMT/16/056 CS had shared information and guidance regarding the Accessible Information Standard with Mid Nottinghamshire CCGs

• IGMT/16/060 The Records and Information Group (RIG) Annual Report was included on the meeting agenda

All other actions were agreed complete

GH/ CS


IGMT/16/068 Portal AE provided an overview of the Local Digital Roadmap (LDR) and the portal to the Committee for information. AE explained that the portal brought together several different technologies displaying information from different sources together in a user’s own system. He noted that all Nottinghamshire health and social care organisations would either contribute or consume the portal.

The portal linked locally with two other integration systems already in place to provide its functionality. The portal connected with the Medical Interoperability Gateway (MIG), which shared the GP records; this system was already sharing the GP record with Out Of Hours services and was considering elective care. The portal also connected to the General Practice Repository for Clinical Care (GPRCC), which pulled together data for near time analytical and direct care use; this system was already used to support eHealthscope, risk stratification, multi-disciplinary team care, performance management and audit.

AE noted that Nottingham University Hospitals (NUH) Trust was hosting the portal and had now held their first project board to progress implementation. Phase one of the project was for all NUH systems to implement. AE noted that currently paper drove some processes; therefore, the portal was required to also support this. Following NUH, a small subset of Nottinghamshire Healthcare Trust would be introduced, followed by connection to the MIG to include GP data.

AE reported that the portal would be funded through the Vanguard for year one and year two, whereas year three as part of the New Model of Care (NMC) would be funded by providers and other entities. AE explained that the LDR was similar to the Connected Nottinghamshire Blueprint and supported the four gaps identified in the Nottinghamshire Sustainable Transformation Plan (STP).

AE did highlight that, as a result of implementing the portal, use of the Summary Care Record (SCR) would reduce as the portal offered a more comprehensive view of information. This would need to be explained nationally as usage of SCR was measured for national targets.

In answer to a question, AE explained that Connected Nottinghamshire was considering the consent model for sharing information. AF was joining Connected Nottinghamshire to support this and she and PG sat on the portal Board to support progression from an Information Governance perspective. In answer to a question, AE explained that although the technology supported secondary use of the data captured, the information governance practices for this were not in place.


AE noted the draft version of the LDR was expected at the end of the following week and a workshop on 8th June 2016 would review the LDR and agree how this needed to be signed off ahead of the STP submission deadline on 30th June 2016.

PG enquired about timescales for establishing the consent process. At the time of the meeting there had been no patient engagement and the Committee noted that patients would need to be informed in order to give implied consent. AE explained that this would need to be led by individual providers initially and that the RIG would lead this for General Practice. AE also noted that once a Privacy Impact Assessment (PIA) had been completed all the risks and required actions would be understood. The Committee NOTED the update.

IGMT/16/069 Information Governance Management and Technology Committee Terms of Reference AH presented the terms of reference to the Committee for agreement. The terms of reference described the reporting structures of the five Nottinghamshire County CCGs for Information Governance and Information Management and Technology, the membership of the Committee and the CCGs’ responsibilities and duties. The terms of reference were presented to the Committee with a recommendation to reduce the number of meetings from six per year to four per year. This aligned the committee with the Quality and Risk Committees and Audit Committees. Other changes to the previous version included:

• Changes to membership – FOI Lead for GEM, Caldicott Guardian for Newark and Sherwood CCG

• Wording change for IM&T Clinical Safety Officer sign off responsibility

• Section 3 Voting and decisions, one CCG will have one vote

The Committee discussed the proposed terms of reference. The Committee noted that it was critical to have a mid-Nottinghamshire clinician as a representative on the membership and that it may be necessary to hold meetings in between the quarterly proposed if sign off was required for projects. The Committee agreed the following changes to the document:

• Mid-Nottinghamshire CCG representative for Information Governance support to be changed to Head of Information Governance

• Reference to the Annual Report should be made in the reporting section

• MO would be deputy chair for the Committee


The Committee discussed the membership and noted that deputies attended every meeting for some members. The Committee agreed that this should be discussed by Governing Bodies where terms of reference had been agreed. The Committee AGREED the terms of reference with the above amendments for approval at Governing Body.

IGMT/16/070

Information Governance, Management and Technology Committee Annual Report 2015/16 AH presented the Committee annual report for 2015/16 for approval. The annual report provided an overview of the activities and achievements of the IGMT Committee throughout 2015/16 and its objectives for 2016/17. The IGMT Committee was established on behalf of NHS Rushcliffe (RCCG), NHS Nottingham North and East (NNE), NHS Nottingham West (NW), NHS Mansfield and Ashfield (M&A) and NHS Newark and Sherwood (N&S). The purpose of the Committee is to support and drive the broader information governance (IG) and information management & technology (IM&T) agendas. The Committee noted that the attendance reported in Appendix 1 needed amending to reflect a deputy attended for NB at one of the meetings. The Committee APPROVED the report with the above amendment.

IGMT/16/071 Cyber Security Risks Assurance Report PG presented the Cyber Security Risks Assurance Report to the Committee for approval.

The purpose of the paper was to provide the IGM&T Committee with assurance in regards to the technical and procedural processes in place to minimise against a cyber-attack and also demonstrated plans and capabilities in place to respond to cyber incidents.

Furthermore, the paper was a response to a report presented at the March 2016 IGM&T Committee from the CCG’s internal auditors, ‘Benchmarking Report on Cyber Security Risks’. The information within the internal audit report was collected at Governing Body level, which highlighted some key themes relating to the lack of understanding regarding the ‘real’ risk that cyber security presents to an organisation. The purpose of this paper was also to provide assurance to the IGM&T Committee regarding these identified themes.

PG highlighted that responsibilities for cyber security were shared between CCGs and NHIS. The report presented listed all compliances and PG noted that NHIS had conducted a robust scan of the network and routine tests as part of audit. NHIS had a cyber-security essentials accreditation and had provided appropriate assurance. CCGs had policies for security and bring your own device, ensured staff completed mandatory training, and penetration tests of the warehouse were conducted as part of GPRCC.

Going forwards, further penetration tests were planned; however, these would be delayed until the new Community of Interest Network (COIN) was in place. The Committee noted that there was assurance that the existing COIN was robust in the interim and that NHIS was working towards ISO 27001 accreditation. The Committee received the report as positive assurance around 360 audit review and support for future areas of development. The IGM&T Committee APPROVED the report.

IGMT/16/072 Information Governance Risk Register and Issues Log PG presented the updated risk register and issues log to the Committee for discussion. Changes had been made to the risk register to reflect those requested at the last meeting and the Committee agreed that this information was still current.

The Committee reviewed the issues log. Cyber security for Mid-Nottinghamshire would remain on the log and be reviewed again at the following meeting.
Action: GH to forward the GP server PIA for dissemination to members

The Committee discussed the Sherwood Forest Hospitals Trust (SFHT) and NUH partnership and whether this should be reflected on the register. The risk was unclear at that point in time and mitigating actions were already in place; however, it should be included.
Action: PG and AH to draft risk for register

SP highlighted a possible risk following implementation of Health and Social Care Information Centre (HSCIC) legislation regarding patients opting out. The Information Commissioner’s Office (ICO) had requested that the HSCIC ensure information was not shared for patients that had opted out; this needed to be enforced by September 2016. Locally, patients had been removed from HES data and the Committee noted that some practices had 10 percent of patients opted out; this could see a reduction in information available, despite s251.
Action: PG and SP to draft risk for register
Action: ALL risk owners to provide updates for the register

The Committee NOTED the register

GH PG/ AH PG/ SP Risk owners

IGMT/16/073

NHIS Update Performance Report JT presented the performance report to the Committee for information.


NHIS had seen an increase in the number of calls over the previous month. In total, there were 300 more calls than in the last few months. The increases were seen for severity 1b, 2 and 4; however, there did not appear to be any identifiable reason or trend to explain the increase. The survey responses suggested that performance had not declined during this period despite the increase in calls.

The Committee discussed seven day support. This had been discussed previously; however, it was difficult for NHIS to provide a quote for implementation without a clear understanding of the services required.

DB requested that future reports included the last month’s performance to allow comparison.
Action: NHIS to make changes to report format

The IGM&T Committee NOTED the report

NHIS

IGMT/16/074 NHIS Update Project Status Report JT presented the project status report to the Committee for noting Electronic Prescribing Service (EPS) Release 2 JT noted that six practices were in currently in deployment. Moving forwards, if practices were interested in EPS2, NHIS would demonstrate and progress if wanted, however, would otherwise not push the system any further until national guidance around dispensing practices was clear. Summary Care Record (SCR) JT reported that use of SCR was slowly increasing. GP server back up JT reported that nine practices still needed to be contacted, however, expected completion of the project in November 2016. COIN JT reported that this project was progressing, there were six phases and NHIS were hoping to complete the project by December 2016. NHSmail2 JT noted that there had been agreement for all CCGs to move to NHSnet. Rushcliffe CCG first would migrate across first in September 2016 and the other CCGs would follow in October and November 2016. GP PC refresh JT reported that all 790s models were currently being replaced and that Mid-Nottinghamshire areas were being prioritised. Machines were being replaced to support future use of technology and to reduce costs of maintenance once machines had reached their warranty end. PG highlighted an issue regarding the COIN project. Non-NHS

organisations were not currently using the N3 network and would require CCG sponsorship to be included. This would include CCGs completing a risk assessment and penetration testing to ensure security and accountability would remain with the SIROs. Action: JT to discuss the issue at NHIS and ensure sponsorship did not present an undue risk for the CCGs. The IGM&T Committee NOTED the report.

JT

IGMT/16/075 Capital Bids – Projects Financial Status AE presented the capital bid documents to the Committee for noting. Documents were presented for the following projects:

• GP mobile working (the pilot project had been completed for this and a lot of lessons had been learnt, which would shape the following steps. The project would be completed within the current financial year. NHIS provided reassurance that the project would start again in June 2016 and would focus on practices that had been prioritised by CCGs).

• GP PC refresh (JT reported that the estate was in a good position and the digital maturity assessment would demonstrate this).

• GPRCC (this project was progressing well and at pace)

• GP server

• 7 day working

• GP systems migration

• Interoperability

• Portal

The IGM&T Committee NOTED the reports

IGMT/16/076 Project Briefs JT presented one project brief to the Committee for information. JT reported that the SystmOne Mid Nottinghamshire Care Homes project was due to go live shortly. Deployment was in four phases; the first was the pilot, which would be conducted in the summer. The Committee NOTED the Project Briefs.

IGMT/16/077 CfH Exit and Transition JT provided an update to the Committee regarding the Connecting for Health exit and transition. All Local Service Provider (LSP) practices had been migrated across onto GP System of Choice (GPSOC) contracts; however, challenges were found for violent patient services. NHIS was currently looking at data repatriation for those practices that had merged or closed. The Committee NOTED the update.

IGMT/16/078 Accessible Information Standard

AH provided an update to the Committee regarding progress with the implementation of the Accessible Information Standard. PG was developing guidance for practices on collecting consent to send information to patients via email; this would be unsecure as it would be sent to patients’ personal accounts. NHIS would support with guidance for practices on how to open email accounts for contacting patients. The Committee NOTED the update.

IGMT/16/079 Privacy Impact Assessments Overview/ Summary PG and AF presented the Privacy Impact Assessment (PIA) summary to the Committee for information. PG noted the joint PIAs. The MIG PIA had been revisited for phase two of the project; this was now complete and ready for sign off. The GPRCC PIA was being reviewed and PG and AF were seeking input from the Data Management Team. Circle Partnership had produced a PIA for teledermatology; the CCGs would use this and the final version would be circulated. PG reported that information governance advice was given to project leads and it was hoped that the South Nottinghamshire CCG PIAs would be closed by the next meeting. AF reported that a number of PIAs were waiting for assurance from providers for the Mid-Nottinghamshire CCGs. The Committee NOTED the summary.

IGMT/16/080 National Updates The Committee noted that there was a lot of activity nationally regarding the LDR and STP; this had been discussed in an earlier item.

IGMT/16/081 Nottingham City CCG ICT Committee Meeting Minutes DW attended the meeting on behalf of JM. The Committee agreed that minutes of the Nottingham City CCG ICT Committee would no longer be presented at the meetings; however, any items of interest would be raised via JM. Action: CS to change description of standing item. The Committee NOTED the minutes.

CS

IGMT/16/082 Partnership Board update AH provided an update to the Committee regarding the Partnership Board. The majority of the discussion at the Board had been around the new

partnership between Sherwood Forest Hospitals Trust and Nottingham University Hospitals Trust and how the new model would operate. The CCGs would need to change the contractual documentation with NHIS: the existing contract would be moved to the national standard contract and the schedule of services would reflect the current Service Level Agreement (SLA) in place. The Committee NOTED the update.

IGMT/16/083 Data Management Group minutes AH presented the minutes of the last Data Management Group meeting. AH noted that the six Nottinghamshire CCGs would agree the priorities of the Data Management Team over the following three to six months. The Committee NOTED the minutes.

IGMT/16/084 IG Leads meeting update PG presented the IG Leads meeting highlight report to the Committee for information. PG noted that the IG Leads group met on 22nd May 2016. Phillip Humphries, Freedom of Information (FOI) Lead at Arden and GEM CSU, attended. He replaced Petra O’Mahony and the group discussed the level of assurance for FOI requests required at this committee. The group agreed that numbers of FOIs, breaches and general trends would be presented to the Committee and further discussion and review would happen at the IG Leads meetings. The group were reviewing the privacy notices for GPs and CCGs. A final version had been sent to SIROs for review before presenting at this Committee. The group had agreed the Information Governance toolkit plan for version 14, which would need to be submitted in March 2017. This mapped out all the project work for 2016/17. The group were also working to develop a uniform request form for NHIS, to request VPN, blocked internet site and access to systems, and had updated the approval matrix for these to include CCG SIROs and Chief Officers. The Committee NOTED the update.

IGMT/16/085 Records and Information Group Update PG provided an update on the Records and Information Group (RIG) and presented the RIG annual report to the Committee for information. The group had reviewed the Multi Agency Safeguarding Hub (MASH) information sharing agreement and had updated the Nottinghamshire Information Sharing Protocol to include police and fire services.

The group was also feeding into the local digital roadmap assurance process. The Committee thanked PG for producing the RIG Annual Report. The IGM&T Committee NOTED the update and report.

IGMT/16/086 Password Assurance Report JT presented the Password Assurance Report to the Committee for information. The report had been requested at the previous committee meeting. The Committee noted that systems should be requesting password resets for accounts regularly; however, different organisations wanted different request timeframes and, as the NNOTTS domain was 2003, it was only possible to have one policy across all. This therefore needed to be agreed collectively. The Committee recommended that password resets were requested every 60 days. Although it noted that this would not meet HSCIC guidelines, it would be an improvement and could increase at a later date. NHIS would email other organisations to show intent and seek their approval, for confirmation at the end of June 2016. Action: NHIS to contact other organisations and confirm password reset requirements by end of June 2016. The Committee NOTED the report.

JT

IGMT/16/087 Mansfield and Ashfield CCG Patient Story DB presented the Mansfield and Ashfield CCG Patient Story to the Committee for information. The story presented highlighted the waiting times at the Kings Mill Hospital for patients attending appointments. The Mansfield and Ashfield CCG Governing Body had asked that the IGMT Committee consider the story in relation to options available for telemedicine and Skype. The Committee noted that NUH did have equipment available to deliver some of these facilities. Emerging trends had previously been noted around patients not needing to travel and clinicians being able to contact specialist advice more easily. Telemedicine had been included in the IGMT Strategy; however, the Committee recognised that technology was not appropriate for all clinics, as clinicians often needed to be able to actually touch the patient, and telephone triage had not demonstrated clinical benefit in primary care. The Committee ACKNOWLEDGED the report and invited NHIS to make suggestions about other ways to deliver services with the use of technology, further to those already identified in the IGMT Strategy and the LDR.

Action: NHIS to consider new technologies to support telemedicine

JT

IGMT/16/088 Inaccuracy in TPP QRisk Calculator AH highlighted an inaccuracy in the TPP QRisk Calculator to the Committee for information. The Committee noted that an error in the QRisk2 Calculator in SystmOne had been highlighted in the media. TPP had developed a fix; however, it was not clear whether all practices had applied it, as it needed to be implemented at practice. Communication had been sent to practices in South Nottinghamshire. Action: AH to forward communication to Mid Nottinghamshire CCG colleagues for dissemination to practices. The Committee noted that the Department of Health had instructed organisations not to sign TPP contracts until clinical safety teams had provided assurance that this issue had been resolved. The IGM&T Committee NOTED the update.

AH

IGMT/16/089 Quarterly Data Quality Report AH presented the Quarterly Data Quality Report to the Committee for information. This report assured members of the CCGs’ IGMT Committee of the overall data quality by providing reports on SUS data submitted by Trusts relating to their patients. The validity of a number of key data items was presented at National, North Midlands Area Team and Provider level. The report highlighted similar themes to previous reports. AE noted that Connected Nottinghamshire had some temporary support to review data quality as part and that Carl Davis, Head of Data Management, had some suggestions about using eHealthscope to progress this as GPRCC became more comprehensive. The Committee NOTED the report.

IGMT/16/090 Quarterly Information Governance Report PG presented the Quarterly Information Governance Report to the Committee for information. The purpose of the paper was to provide the IGMT Committee with the submitted and approved Information Governance Toolkit submission position(s) as at the end of March 2016, in regards to each of the five CCGs. Furthermore the paper sought to provide assurance that the requisite compliance areas within Information Governance were being met and provided an update in regards to any national developments which may have an impact on the CCGs.

PG noted that all CCGs submitted their final Information Governance toolkits at level 2: Mansfield and Ashfield CCG and Newark and Sherwood CCG submitted at 80%, Nottingham North and East CCG at 67% and Rushcliffe CCG and Nottingham West CCG at 66%. The Committee discussed the differences in these scores and recognised that practices were typically similar; however, not all were captured within the toolkit. Action: GH to develop overview of indicators where Mid Nottinghamshire CCGs had achieved level 3. PG reported that no changes had been made to version 14 of the toolkit. Staff training was ongoing and would be throughout the year. No incidents had been reported within the quarter. FOI compliance for Mansfield and Ashfield CCG and Newark and Sherwood CCG was 90%, with seven breaching the deadline, and compliance for the South CCGs was 100%. No Subject Access Requests had been received within the quarter reported. PG noted that the section 251 had been extended and the Data Management Team was doing large pieces of work around data contracts. The Committee agreed that compliance against the European Union General Data Protection Regulation and Data Protection Reform would be included through the Privacy Impact Assessment process; however, it should be considered in more detail at the Committee in six months, when further guidance was available. Action: CS to include on forward planner for six months. The Committee NOTED the report.

GH CS

IGMT/16/091 Forward Programme Action: ALL members should forward any other agenda items to CS. The Committee noted that, due to the change in frequency of meetings, the next meeting would be scheduled for September 2016. A schedule had not yet been agreed for Primary Care IT projects for meetings. Action: JT and CS to populate, to include a review of EDSM.

ALL JT/ CS

IGMT/16/092 Any Other Business The Committee discussed the number of papers and agenda items included at meetings and highlighted the need for presenters to ensure key messages are being communicated. AF highlighted the privacy notice approval date for SIROs as an agreed version was required by 10th June 2016 to support the CCGs’ Accredited

Safe Haven (ASH) status. Action: SIROs to review and feed back. No other business was noted.

SIROs

Date and Time of Next Meeting
1.30 pm – 4.00 pm on Friday 23rd September 2016
Meeting rooms 2 and 3, Birch House, Mansfield
‘Members should inform the meeting secretary of any apologies and deputies attending on their behalf at least 10 working days prior to the next meeting. This is to ensure that the meeting is quorate and any action from potential declarations of interest are handled appropriately in advance’.

Abbreviation: Meaning
ADT: Admissions Discharges and Transfers
AHP: Allied Health Professional
AHR: Access To Health Record request
AQP: Any Qualified Provider
ASH: Accredited Safe Haven
AUP: Acceptable Use Policy
BAU: Business As Usual
BC: Business Continuity
CAB/C&B: Choose and Book
CAG: Confidentiality Advisory Group
CCG: Clinical Commissioning Group
CDS: Commissioning Data Set
CfH: Connecting for Health (now replaced by NHSE and HSCIC)
CG: Caldicott Guardian
CSU: Commissioning Support Unit
DH/DoH: Department of Health
DMIC: Data Management Information Centre (old name for DSCRO)
DPA: Data Protection Act
DR: Disaster Recovery
DSA: Data Sharing Agreement
DSC: Data Sharing Contract
DSCN: Data Set Change Notice
DSCRO: Data Service for Commissioners Regional Office
EPR: Electronic Patient Record
EPS: Electronic Prescribing Services
FOI(A): Freedom of Information (Act)
GEMCSU: Greater East Midlands Commissioning Support Unit
GP: General Practice
GPES: General Practice Extraction Service
HES: Hospital Episode Statistics
HIS: Health Information Service/System
HPA: Health Protection Authority
HSCIC: Health & Social Care Information Centre
IAA: Information Asset Administrator
IAO: Information Asset Owner
ICO: Information Commissioners Office
IG: Information Governance
IGSoC: Information Governance Statement of Compliance
IGT: Information Governance Toolkit
IGTT: Information Governance Training Tool
ISA: Information Sharing Agreement
ISP: Information Sharing Protocol
KPI: Key Performance Indicator
LA’s: Local Authorities
LES: Local Enhanced Service
LSP: Local Service Provider
NACS (Now ODS): National Administrative Codes Service
NHSCB: NHS Commissioning Board (old name for NHSE)
NHSE: NHS England
NWW: NHS Wide Web
ODS (Previously NACS): Organisation Data Service
PCD: Personal Confidential Data
PHE: Public Health England
PIA: Privacy Impact Assessment
QIPP: Quality Innovation Productivity and Prevention
QOF: Quality Outcome Framework
RA: Registration Authority
SAR: Subject Access Request
SBS: Shared Business Service
SI/SUI: Serious Incident/Serious Untoward Incident
SIRO: Senior Information Risk Owner
SUS: Secondary Use Service
VSO: Voluntary Services Organisation
…..

Definitions

Primary Use of data – is when information is used for healthcare and medical purposes. This would directly contribute to the treatment, diagnosis or the care of the individual. This also includes relevant supporting administrative processes and audit/assurance of the quality of healthcare service provided.

Weak pseudonym (such as NHS number or postcode)
The classification of a weak pseudonym stems from the fact that unless a user has access to another system that requires authorisation and user authentication etc (eg Exeter or the Spine) then the individual cannot be identified from the NHS number alone.

2015/16 Annual Report of the Information Governance, Management & Technology Committee

1. Introduction

The Information Governance, Management and Technology (IGMT) Committee is established on behalf of NHS Rushcliffe (RCCG), NHS Nottingham North and East (NNE), NHS Nottingham West (NW), NHS Mansfield and Ashfield (M&A) and NHS Newark and Sherwood (N&S) CCGs in accordance with the joint arrangements detailed in their respective Constitutions and referred to in this document as ‘the CCGs’. The purpose of the Committee is to support and drive the broader information governance (IG) and information management & technology (IM&T) agendas, including:

• Ensuring risks relating to information governance and health informatics are identified and managed

• Leading the development of community-wide IG and IM&T strategies

• Developing IM&T to improve communication between services for the benefit of patients

This annual report will provide an overview of the achievements the IGMT Committee has led throughout 2015/16 and its objectives for 2016/17.

2. Meetings and Membership

The membership of the Committee reflects the CCGs’ acknowledgement of the importance of IG and IM&T, the emphasis it places on its contribution to the commissioning process and the successful implementation of projects of work. Each CCG is represented on the Committee by their respective leads for IGM&T. The membership of the IGMT Committee is as follows:

• Director of Outcomes and Information (Chair and Representative for South CCGs)

• Each CCG’s SIRO

• Each CCG’s Caldicott Guardian

• Information Governance Lead at the Greater East Midlands Commissioning Support Service

• Information Governance Lead at NHS Nottingham City CCG

• Director of Health Informatics, NHIS

• Head of Transformation, NHIS

• GP representative

• Governing Body Lay Member

Members’ qualification, disqualification, appointment, tenure on the Information Governance, Management and Technology Committee and eligibility for reappointment are as per Governing Body members, as detailed in Section 2 of Appendix C of each CCG’s constitution.

The IGMT Committee has a register of all its members’ interests, and declarations of interest is a standing item on all agendas at the beginning of all meetings to ensure that all interests of members are captured and handled appropriately.

Others are invited to attend meetings as appropriate and, to facilitate cross community discussion, Nottingham City CCG have been represented in attendance only, to allow consistency across all CCGs in Nottinghamshire.

The IGMT Committee has met on a bi-monthly basis throughout 2015/16. Members are expected to attend at least 75% of meetings and are responsible for identifying appropriate deputies to represent their position if unable to attend. Attendance for the year has been 77.78%. A breakdown of attendance by member is included in Appendix 1.

To be deemed quorate, the meeting must include the Chair or Deputy Chair, a representative for each CCG and at least one SIRO and one Caldicott Guardian from across the CCGs. The Committee was quorate for five of the six meetings held in 2015/16. The September 2015 meeting was not quorate as there was no Caldicott Guardian present; for this meeting, all items for approval were agreed on the condition that Caldicott Guardian approval was given virtually following the meeting.

Minutes are taken at all meetings by NHS Rushcliffe CCG and circulated, unratified, to members of the Committee for approval at the following meeting. A highlight report is also produced following each meeting for CCG Governing Bodies. Patients are represented by a governing body lay member.

3. Committee reporting framework

The IGMT Committee receives updates from several IG and IM&T working groups. See below reporting framework and purpose of groups:

East Midlands Strategic Information Governance Network (EMSIGN)

The EMSIGN provides a forum for Information Governance professionals working in Health and Social Care across the East Midlands to share knowledge and expertise relating to the area of Information Governance. The network acts as a conduit for communication, consultation and dissemination of relevant Information Governance topics. The group members, where appropriate, comment on national policy and developments and this is fed up to national Information Governance forums, predominantly within NHS England or the Health and Social Care Information Centre. The group also provides a support function to all the members to ensure the development of consistent practices across the East Midlands region; this is pertinent to ensure effective information sharing across partner agencies.

Records and Information Group

The purpose of the Record and Information Group is to support Health and Social Care organisations across Nottinghamshire to ensure that best practice is applied in the sharing and management of Information. The group develop robust Information Governance guidance and recommend these to the member organisations across the Nottinghamshire Health and Social Care Community for inclusion within organisational policy. The group develop advice, standards, principles and documentation to support the adoption of best practice, communicating these to support staff who provide care.

Information Governance (IG) Leads Working Group

The purpose of the IG Leads Working Group is to support the Nottinghamshire Clinical Commissioning Groups to ensure that best practice is applied in the sharing and management of information and as a forum to discuss and resolve common issues or queries in relation to the Information Governance agenda and IG Toolkit standards.

Data Management Group

The Nottinghamshire Data Management Group (DMG) act as the body agreeing the tactical and strategic priorities of the Nottinghamshire Data Management Team (DMT). The DMG agree a set of common priorities which allow the DMT to deliver the rapid and dynamic implementation of solutions including:

• Setting the overall data management strategy for Nottinghamshire CCGs;

• Agreeing the prioritisation of IGM&T product developments in relation to Business Intelligence and Data Warehousing environments;

• Supporting the implementation of products in individual CCGs;

• Ensuring risks relating to information governance and health informatics are identified and managed;

• Supporting the CCGs in defining product specifications which meet the agreed functionality.

In doing so it ensures the DMT:

• Support clinical commissioning innovation;

• Provide rapid and responsive developments;

• Operate within a sound governance environment which adheres to CCGs’ policies; and

• Work to robust management processes which are documented.

The DMG focuses its business on strategic-level discussions and relies on the more frequent discussions between SIROs to agree arrangements for more operational changes and issues of a more urgent nature.

Nottinghamshire IM&T SRO Programme Board

The Connected Nottinghamshire IM&T SRO Programme Board is responsible for the creation of the Digital Roadmap, setting the overall ambition and strategic direction for IM&T in the City and County of Nottinghamshire. It aligns the programme with key business and transformation agendas and monitors, reviews and reports overall progress. Specifically, the Board ensures alignment with the Sustainable Transformation Plan for the Nottinghamshire Digital Footprint. The Board translates the strategy into tangible projects, ensuring they are delivered and their benefits realised across the clinical, care and managerial environment across the health and social care community. It also ensures IGM&T contributes towards the overall strategic direction of individual organisations and realises financial benefits relating to both the improved quality and productivity of clinical and care services and cost effectiveness of IM&T service providers.

4. Work Programme 2015/16

Key areas of work for the IGMT Committee in 2015/16 have included:

• Continuing progression of the implementation of the necessary changes to ensure compliance with changes in statutory legislation.

• Further progression of the use of Data Services for Commissioners will move the CCGs to align with organisations supplying data services under the Lead Provider Framework.

• The publication of a Data Management Strategy in order to provide assurance to CCGs that sensitive and confidential data is being processed in accordance with the requirements for encryption and pseudonymisation.

• Reviewing Cyber Security to ensure CCGs and GP Practices are well placed to mitigate any risk associated with malicious attempts to breach security arrangements.

• Monitoring the CCGs’ progress of completion of the Information Governance Toolkit.

• Maintaining an information governance risk register for the CCGs.

• Receiving quarterly data quality reports on SUS data submitted by trusts relating to their patients.

• Following the progress of all local IT projects and agreeing a range of policies and procedures.

• Agreed relevant information governance, information management and information technology policies with amendments as necessary reflecting changes in legislation or local ambition.

• Maintaining the contract management arrangements with Nottinghamshire Health Informatics Service (NHIS) in order to demonstrate improvements to the delivery of services to the agreed standards.

The IGMT Committee approved the following documents in 2015/16:

• Data Quality Policy

• Information Governance Management Framework

• Information Risk Policy

• Smart Card Policy

• Data Quality Policy

• Bring Your Own Device Policy

• Data Warehouse Access Authorisation form and process

• Privacy Impact Assessment Guidance and Template

• Network Security Policy

• Information Governance, Management and Technology Committee Terms of Reference

• Information Governance Leads Meeting Terms of Reference

• IGMT Strategy

Information Governance

Each CCG has an Information Governance lead who works closely with their CCG’s Caldicott Guardian and Senior Information Risk Owner (SIRO) to fulfil the organisations’ information governance requirements. The CCGs also commissioned Information Governance support to provide expert support, advice and guidance to the strategic and technical information governance arrangements. NHS Newark and Sherwood CCG and NHS Mansfield and Ashfield CCG commissioned the support from Greater East Midlands Commissioning Support Unit (GEMCSU), and NHS Rushcliffe CCG, NHS Nottingham West CCG and NHS Nottingham North and East CCG commissioned the support from NHS Nottingham City CCG.

The table below identifies the information governance objectives for the CCGs as identified in the IGMT Committee’s terms of reference and the Committee’s progress and outcomes towards achieving the objectives.

Table 1 – Information Governance Objectives and Outcomes

Objective: 1) Ensure that an appropriate comprehensive information governance framework and systems are in place throughout the constituent organisations in line with national standards.

Outcome: The IGMT Committee approved the CCGs’ Information Governance Management Framework in September 2015. The Framework set out the accountability arrangements, method of dissemination of policies and revised terms of reference of the IGMT Committee.

Objective: 2) Receive regular action plans with regard to the organisations’ progress on the annual Information Governance Toolkit submission.

Outcome: The IG Working group reported to the IGMT Committee regularly on progress made towards the annual Information Governance Toolkit Submission throughout the year.

Objective: 3) Ensure that information is effectively managed, and that appropriate policies, procedures and management accountability are provided in relation to confidentiality, security and records management.

Outcome: The IGMT Committee agreed all information governance policies requiring review in 2015/16. Appendix 2 lists all the IG and IM&T policies and their status.

Objective: 4) Ensure that information risks are identified, assessed and managed in line with the Information Governance Assurance Framework and recommend actions to the Senior Information Risk Owner (SIRO) to ensure risks are mitigated.

Outcome: The Information Governance Risk Register was a standing item for the IGMT Committee and so all risks were reviewed, updated and new risks identified at every meeting throughout 2015/16. The latest risk register presented at the March 2016 IGMT Committee meeting is in Appendix 3.


5) Ensure that information risks for commissioned services, including GP practices are identified and managed in line with National Serious Incident Framework, NHS England, March 2015. This will include incidents that result in a serious breach in confidentiality or data loss.

The IGMT Committee prepared to decommission GP System of Choice (GPSOC) systems for redundant practices in 2015/16. Through the support of the IGMT Committee and commissioned services from GEM CSU and Nottingham City CCG, CCGs have supported GP practices in the identification, management and reporting of information governance incidents.

6) Assure the CCGs’ Governing Bodies that all person identifiable information is processed in accordance with the Data Protection Act and that all staff are aware and comply with the NHS Code of Confidentiality and other professional codes of conduct.

The IG leads working group assured the IGMT Committee that all data flows of person identifiable information are processed appropriately through the mapping exercises completed as part of the IG toolkit. The IGMT Committee were also assured via the IG leads working group that all staff were fully trained.

7) Ensure that new or proposed changes to organisational processes or information assets are identified and risk assessed, considering any impact on information quality and identifying any new security measures that may be required.

Privacy Impact Assessments were a standing agenda item for the IGMT Committee meetings and the Committee received updates of completed and ongoing assessments. The IG working group also assured the Committee that an information asset register was completed annually and risk assessed as part of the IG toolkit work programme.

8) Provide oversight and monitoring of provider IG Toolkit compliance on behalf of the CCGs, advising the relevant Quality Scrutiny Panels regarding any areas of concern.

Provider IG Toolkit compliance is monitored through the reporting of incidents and quality monitoring of contract performance.

9) Ensure that all locally-developed clinical information systems are accredited and signed off by the IM&T Clinical Safety Officer as laid out by statute and the relevant Data Set Change Notices.

The IGMT Committee prepared to decommission GP System of Choice (GPSOC) systems for redundant practices in 2015/16.

10) Receive regular compliance reports on the processing of Freedom of Information requests; determining exemptions as appropriate.

The IGMT Committee received quarterly reports on compliance of processing Freedom of Information requests. Compliance with responding to Freedom of Information requests within required timeframes for 2015/16 was 95%.

11) Develop an information governance training programme and monitor the progress of the staff training and awareness in line with the National Department of Health requirements.

The IG Leads working group monitored progress against the IG work plan which included all CCG staff completing annual information governance training. The IG working group reported to each IGMT meeting.

12) Support the Caldicott function, working with the Caldicott Guardian to ensure work related to confidentiality and data protection is appropriately carried out and any risks reported appropriately.

The Caldicott Guardians were members of the IGMT and support was provided to key roles through the Committee and attendance at the meetings.

13) Work with independent contractors and commissioned services to ensure their compliance with the Information Governance Toolkit.

NHS England is responsible for ensuring that GP practices have completed their IG toolkits, however, the CCGs commissioned IG support for practices through the contract with GEM CSU and Nottingham City CCG.

Information Management and Technology

The Director of Outcomes and Information is the CCGs’ Lead for Information Management and Technology and manages the contract with NHIS to provide IM&T systems and support.

Table 2 – Information Management and Technology Objectives and Outcomes

Objective

Outcome

1) Promote new technologies across the CCGs to ensure quality of patient services.

The IGMT Committee identified new technologies and highlighted them as appropriate to the Governing Bodies through the Highlight Report. The IT Refresh Programmes for GP Practices and CCGs implemented the necessary upgrades for hardware, operating system and software applications to ensure compliance with minimum standards.

2) Develop the CCG’s IM&T Strategy ensuring it is congruent with both national and local strategy, and complements the business plans of individual Clinical Commissioning Groups; providing Governing Body assurance on the plan.

The IGMT Committee approved the IGMT Strategy in January 2016. The strategy describes how Information and Technology will support NHS Nottinghamshire Clinical Commissioning Group’s future vision for a digitally mature health care profile over the next five years.

3) Ensure that the individual CCGs’ components of the programme are delivered in accordance with the timescales and milestones laid out in a project plan.

The IGMT Committee received a project update report from NHIS detailing progress with all IM&T Projects at every meeting. The report provides an overview of achievement for each project and a breakdown by practice of progress. The IGMT Committee also received overviews of several projects as presentations at the start of each meeting throughout 2015/16.

4) Act as the Project Assurance mechanism for any significant IM&T investment within the CCGs ensuring that the appropriate rigour has been applied to the case for change, specification, procurement, implementation and mobilisation of such investment plans.

The IGMT Committee received a project update report from NHIS detailing progress with all IM&T Projects at every meeting. The report provides an overview of achievement for each project and a breakdown by practice of progress. The IGMT Committee also received overviews of several projects as presentations at the start of each meeting throughout 2015/16.

5) Ensure that the CCGs have mechanisms and plans in place to raise the basic competencies and skills of the commissioning organisation in order to base decisions on knowledge and information.

The IG working group monitored progress against the IG work plan which included all CCG staff completing relevant annual training. The IG working group reported to each IGMT meeting.


6) Agree the relative priority of IM&T investment projects where flexibility exists outside of any national programmes.

An extra IGMT meeting was held in December 2015 for selected members to agree the IT project priorities for 2016/17. This was based on project priority, timescales and funding available and linked to those priorities in the CCGs’ corporate plans.

7) Provide assurance to the Governing Bodies that sufficient attention is being placed on data quality of both mandated and local datasets generated by the CCGs and their providers.

The IGMT Committee received quarterly data quality reports providing assurance of the quality of local datasets. Assurance was provided to the CCGs’ Governing Bodies via the Committee Highlight Report.

8) Ensure the CCGs are able to maximise all clinical and non-clinical benefits from planned and existing information systems and IT infrastructure.

Through a number of the 2015/16 projects the realisation of benefits from clinical systems has been achieved with no additional software costs. For example, the creation and implementation of a single SystmOne unit to support federated access to patient records for clinicians working outside of their normal practice environment.

9) Facilitate development and local implementation of health informatics policies ensuring they are consistent with national and local strategy.

The IGMT Committee agreed all information management policies due for review in 2015/16. Appendix 2 lists all the IG and IM&T policies and their status.

10) Receive reports relating to the Nottinghamshire Health Informatics Service (NHIS), its services, the performance of the SLA between the NHIS and CCGs and progress against specific projects.

The IGMT Committee received performance reports from NHIS at every meeting. The report included achievement against the Service Level Agreement key performance indicators.

11) Monitor and review data and hardware security arrangements.

The IGMT Committee reviewed hardware security arrangements throughout 2015/16; this included reports regarding GP refresh and GP server from NHIS.

12) Ensure appropriate business continuity arrangements are in place relating to information technology.

The IG working group monitored progress against the IG workplan for the IG toolkit which included business continuity of information technology. The IG working group reported to each IGMT meeting.

Data Management

The Director of Outcomes and Information is the CCGs’ Lead for Data Management.

Table 3 – Data Management Objectives and Outcomes

Objective

Outcome

1) Enable data sharing across care settings for direct patient care through GP Repository for Clinical Care (GPRCC).

Positive meetings with various stakeholders. User Interface available and split into three views to suit needs and appropriate access rights for different users

2) Create an electronic framework for managing and auditing Data Processing and Data Sharing Agreements/ Contracts. Including eSigning of basic agreement with Schedules that can be updated electronically (e.g. for new Read Codes to be extracted for the GP Repository for Clinical Care (GPRCC) without requiring a signature each time).

An integrated tool encompassing Privacy Impact Assessments (PIAs), Equality & Diversity Impact Assessments (EIA), and Quality Impact Assessments (QIAs) has been developed and is in final testing. A generic Data Processing Contract template has been drafted and an automatic document compiler has been built and tested. A data structure for managing electronic contracts has been designed and is currently being built. Content updated to reflect changes in GPRCC specification (e.g. inclusion of patient name). Sample contracts generated.

3) Ensure functions support budget monitoring and financial/ contract management. Broaden the number of contracting processes that we report on developing interactive interfaces and regular reports that reduce the amount of bespoke work that analysts need to do

Initial version of analysis engine released with NUH data - positive feedback from South County Finance team, resulting in tweaks to UI and validation rules. Circle Treatment Centre data added. First cut of M3 data loaded to development cube. Reporting schedule agreed with Finance. Business rules for more fully automated processing being developed. Choose & Book (C&B) referrals cube and module released. This is integrated with the Referrals log so that practices using the referrals log can see clinical data about C&B referrals.

4) Remove the barrier of remembering usernames and passwords that prevents more frequent access by end users for eHealthScope. Allow CHP users (on a different domain) to access eHealthScope.

Trial Smartcard mechanism in place

5) Enable secure access to eHealthScope across N3 sites. Creating a safe environment in which healthcare providers can contribute data in the knowledge that transfer, storage and access to the data will be secure

User roles and permissions on all eHealthScope servers checked and cleansed. Reporting permissions separated from standard event permissions to give greater ability for non-clinical staff to see aggregate data.

6) Make it easier for practices to search for problems in eHealthScope and create a pushed report that highlighted areas where they may be performing well or that need investigation.

Choose and Book data automatically integrated with practice’s own recording of data using the referral log. Aggregate reports made available to analysts to show use of eHealthScope (broken down by each function in eHealthScope) by each practice with the aim of providing help where usage is low.

7) Create an assessment of available tools for benchmarking against other CCGs to compare admissions, A&E, OPD and mortality rates across UK. Compare GP performance across UK.

Positive initial meeting with HED team, exploring opportunities to collaborate with eHealthScope. QoF process fully overhauled and updated in eHealthScope. Currently, the challenges of processing the whole country outweigh potential benefits locally, but we will review when the eHealthScope data cubes have been developed.

8) Provide a mechanism for providers to upload data into our data-warehouse with near provider data quality testing and pseudonymisation at source. Improve efficiency by reducing personnel required to manually import data.

Development of eHealthScope user interface to allow file upload on demand by the data provider. Contracts in place for enterprise reporting facility to extract data from SystmOne and EMISWeb

9) Move eHealthScope onto a modern platform increasing maintainability, robustness, speed, data security.

Data refresh of all eHealthScope data to reflect merged practices, changes in practice contracts. QoF process overhauled and translated from Access into SQL. 2013/2014 data imported into eHealthScope. Commenced development of an admissions cube to replace the ‘old eHealthScope’ DSR calculation mechanism. City and County Accounts merged into a cube and now reported via a single, common interface.

10) Develop procedures and tests to mitigate against the potential for errors to be introduced in other modules each time changes are made.

Test database of each data statement as a resource for automatic testing built

11) Increase the range of tools for clinicians to help manage care of patients particularly where that involves data from other providers.

Formal release of the Screening Register (with Bowel Cancer data). Agreement with CityCare for daily caseload data to be shared. Agreement with NUH for weekly admissions and readmissions data to be shared.

12) Work with County social services and then City services to establish indicators that social services can share (patients who are falling, are socially isolated) which predict patients at risk of admission

Initial meeting to scope options. Agreement to standardise coding.

5. Work Programme 2016/17

Key areas of work for the IGMT Committee in 2016/17 will include:

• Continued progression of the implementation of the necessary changes to ensure compliance with changes in statutory legislation. This will be built on the successes seen during 2015/16 and address any new legislation or Regulations published during 2016/17.

• Continued review of Cyber Security to ensure CCGs and GP Practices are well placed to mitigate any risk associated with malicious attempts to breach security arrangements.

• Monitoring the CCGs’ progress of completion of the Information Governance Toolkit.

• Maintaining an information governance risk register for the CCGs.

• Receiving quarterly data quality reports on SUS data submitted by trusts relating to their patients.

• Following the progress of all local IT projects and agreeing a range of policies and procedures.

• Agreed relevant information governance, information management and information technology policies with amendments as necessary reflecting changes in legislation or local ambition.

• Maintain the contract management arrangements with Nottinghamshire Health Informatics Service (NHIS) in order to demonstrate improvements to the delivery of services to the agreed standards.

• Support application of the IGMT Strategy, including implementation of a Community-wide Care Portal allowing access into patient records for secondary care, community services and primary care and development of the Digital Roadmap across Nottinghamshire


Appendix 1 – IGMT Committee attendance breakdown

Name, Title, designation | Date 22/05/2015 | Date 24/07/2015 | Date 25/09/2015 | Date 27/11/2015 | Date 22/01/2016 | Date 18/03/2016 | Total/possible

Andy Hall, Director of Outcomes and Information and Senior Information Risk Owner (SIRO) Rushcliffe CCG (Chair)

6/6

Alexis Farrow, Head of Information Governance, GEM

Deputy 5+1D/6

Paul Gardner, Head of Information Governance, Nottingham City CCG

6/6

Petra O’Mahony, Freedom of Information Lead, GEM Until 31st December 2015

A A A N/A N/A 1/4

Nichola Bramhall, Caldicott Guardian South CCGs

A Deputy 4+1D/6

Ei-Cheng Chui, Caldicott Guardian Newark and Sherwood CCG (Deputy Chair) Until 27/11/2015

A A N/A N/A 2/4

Mike O’Neil, General Practitioner Nottingham West CCG and Senior Information Risk Owner (SIRO) Nottingham West

6/6

Hazel Buchanan, Senior Information Risk Owner (SIRO) Nottingham North and East

Deputy 5/6

Elaine Moss, Caldicott Guardian Mansfield and Ashfield CCG and Newark and Sherwood CCG

Deputy Deputy Deputy Deputy Deputy Deputy 6D/6


Sarah Bray, Senior Information Risk Owner (SIRO) for Mansfield and Ashfield CCG and Newark and Sherwood CCG From 8th June 2016

N/A Deputy Deputy Deputy Deputy 1+4D/5

Paul Morris, Governing Body Lay Members of Newark & Sherwood CCG

A A 4/6

Dr Sean Ottey, General Practitioner Rushcliffe CCG

A A A A A 1/6

Jaki Taylor, Head of Transformation

A 5/6

Eddie Olla, Director of Health Informatics at NHIS

A A 4/6

Marcus Pratt, Interim Senior Information Risk Owner (SIRO) for Mansfield and Ashfield CCG and Newark and Sherwood CCG Until 22/05/2015

Deputy N/A N/A N/A N/A N/A 0/1

George Ewbank, Clinical Safety Officer Until 26th May 2015

N/A N/A N/A N/A N/A 1/1


Appendix 2 – Policy Matrix

Ref | Name of Policy | Lead | Approval Date | Approving body | Review Date | Previous version
IG01 | Information Security Policy | Paul Gardner | 28/11/2014 | IGM&T | 01/11/2016 | 15/03/2013
IG02 | Information Sharing Protocol | Paul Gardner | 26/09/2014 | IGM&T - NOTED | 01/08/2016 | 22/11/2013
IG06 | Safe Haven Procedure | Paul Gardner | 23/01/2015 | IGM&T | 23/01/2017 | 28/03/2014
IG07 | Information Governance Policy | Paul Gardner | 26/09/2014 | IGM&T | 26/09/2016 | 15/03/2013
IG08 | Data Quality Policy | Andy Hall | 24/07/2015 | IGM&T | 24/07/2016 | 15/03/2013
IG09 | Information Asset Register Procedure | Paul Gardner | 25/07/2014 | IGM&T | 01/07/2016 | 15/03/2013
IG10 | Access to patient information and use of smartcards | NHIS | 27/11/2015 | IGM&T | 27/11/2017 | 15/03/2013
IG11 | Confidentiality and Data Protection Policy | Paul Gardner | 23/01/2015 | IGM&T | 23/01/2017 | 22/11/2013
IG12 | Electronic Remote Working Policy | NHIS | 23/01/2015 | IGM&T | 23/01/2017 | 15/03/2013
IG14 | Freedom of Information and Environmental Information Regulations Policy | Paul Gardner | 25/07/2014 | IGM&T | 01/07/2016 | 15/03/2013
IG18 | Internet and Electronic Mail Policy | Paul Gardner | 28/11/2014 | IGM&T | 28/11/2016 | 15/03/2013
IG21 | Records Management Policy | Paul Gardner | 25/07/2014 | IGM&T | 01/07/2016 | 15/03/2013
IG24 | Information Lifecycle Management Policy | Paul Gardner | 25/07/2014 | IGM&T | 01/07/2016 |
IG27 | Information Risk Policy | Paul Gardner | 27/11/2015 | IGM&T | 01/11/2016 | 28/11/2014
IG31 | Subject Access Request Procedure | Paul Gardner | 23/01/2015 | IGM&T | 23/01/2017 | 28/03/2014
IG32 | Network Security Policy | NHIS | 18/03/2016 | IGM&T | 01/09/2017 | 27/03/2015
IG33 | Information Governance Management Framework | Paul Gardner | 25/09/2015 | IGM&T | 25/09/2016 | 26/09/2014
IG40 | Privacy Impact Assessment | Paul Gardner | 25/09/2015 | IGM&T | 25/09/2016 | 27/09/2013
IG41 | Confidentiality Audit Procedure | Paul Gardner | 23/01/2015 | IGM&T | 23/01/2017 | 22/11/2013


Appendix 3 – IG Risk Register at March 2016