NIGBN

AT

ION

AL

IN

FO

RM

AT

ION

GO

VE

RN

AN

CE

BO

AR

D F

OR

HE

AL

TH

AN

D S

OC

IAL

CA

RE

NIGB

Building information governance

for personal health information

Karen Thomson

Information Governance Lead

19 March 2010

BCS ISSG Conference

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGB

• Role of the NIGB

• Definitions

• What are the issues with building Information Governance for personal health information

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGB

The role of the NIGB

• To support improvements in information governance in health and social care

• To advise on the use of powers under section 251 of the NHS Act 2006

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBN

AT

ION

AL

IN

FO

RM

AT

ION

GO

VE

RN

AN

CE

BO

AR

D F

OR

HE

AL

TH

AN

D S

OC

IAL

CA

RE

The NIGB as a Statutory Body• The NIGB is an Advisory Non-departmental Public body

• Reports to the Secretary of State and of Health • Its Statutory powers support it in delivering its terms of reference

NIGBThe Care Record Guarantees

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGB The NIGB has provided advice and

guidance on:• Information governance during the swine flu

pandemic

• The implications of the Coroners and Justice Bill

• Parental controls on information sharing for children

• Access to clinical information by social workers

• The use of third parties to support collaborative care

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBThe NIGB Ethics and

Confidentiality Committee• Provides a legal basis for the use of

information in medical research and other NHS activities without consent

• Administers applications for support from section 251 of the NHS Act 2006 and advises on its use

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBWhat is information governance?

‘Information governance describes the structures, policies and practices which are used to ensure the confidentiality and security of records of patients and service users.

Correctly developed and implemented it enables the appropriate and ethical use of information for the benefit of individuals and the public good’.

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBWhat is personal health information?

DPA definition of “Personal data”

“Data which relate to a living individual who can be identified –

a) From those data, or

b) From those data and other information, which is in the

possession of, or is likely to come into the possession

of the data controller…”

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBDPA definition of “Sensitive personal data”

“Personal data consisting of information as to –

(e) His physical or mental health or condition”

Or racial or ethnic origin, political opinions, religious or other beliefs, membership of a trade union, sexual life, the commission of any offence or court proceedings related to any offence.

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBNHS Act 2006 definition of “Patient information”

S251(10)(a)“Information (however recorded) which

relates to the physical or mental health or condition of

an individual, to the diagnosis of his condition or to his

care or treatment, and

(b) Information (however recorded) which is to any extent

derived from, directly or indirectly, from such

information,

whether or not the identity of the individual in question

is ascertainable from the information.”

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBDefinition of “Confidential patient information”

S251(11) “Patient information where-

a) The identity of the individual in question is ascertainable –

i. From that information, or

ii. From that information and other information which is in the possession of, or likely to come into the possession of, the person processing the information, and

b) That information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.”N

AT

ION

AL

IN

FO

RM

AT

ION

GO

VE

RN

AN

CE

BO

AR

D F

OR

HE

AL

TH

AN

D S

OC

IAL

CA

RE

NIGB• Personal = Identifiability

• Health Information in broadest terms includes derived data & could just be demographic information

• Two sets of definitions whilst subtly different do reflect one another.

• Information governance – how to use and handle data appropriately to keep it confidential and secure.

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGB Information Governance might be divided into a

number of areas:

• Data Protection & Confidentiality

• Information security & risk management

• Records management & information quality

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBConfidentiality & Data Protection

Policies & procedures to cover:

– Consent for use & disclosure

– De-identification processes

– Information sharing protocols

– Fair & lawful processing & DP notification

– SARs & other DP requirements

– Offshore processing

– Confidentiality Code of Conduct

& demonstrate compliance with the Confidentiality Code of Practice

& NHS Care Record Guarantee

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

Legal requirements NIGBLegal requirements for processing confidential personal data

Common law duty of Confidentiality

Data Protection Act 1998 Human Rights Act 1998

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

Common Law of Confidentiality NIGB• Information must be confidential in nature

• Information that is communicated as part of a relationship where there is an expectation of confidentiality

• May be limited by the circumstances– Consent– Statute/Court order– Public interest favours disclosure

Legal and DH policy requirements are set out in

The NHS Confidentiality Code of PracticeNA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

Human Rights Act 1998 NIGB• Right to freedom from interference by the

State in one’s privacy (Article 8)

• BUT breaches may be justified provided they are “necessary [for]…public safety… [and] the protection of health”

• Disclosures must be proportionate based on the particular circumstances of individuals

• 3 tests – has there been interference with privacy? is there justification? is the justification proportionate to the breach?

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

Data Protection Act - 8 principles NIGB

1) Fairly and lawfully;

2) Obtained for specific purposes and only used for compatible purposes;

3) Adequate, relevant & not excessive;

4) Accurate

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

Data Protection Act - 8 principles NIGB

5) Only kept for as long as necessary for the agreed purpose;

6) In accordance with the rights of the subject;

7) Kept securely;

8) Only transferred outside EEA with equivalent protections.

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBInformation security & risk management

Policies & procedures to cover:

– Business continuity & disaster recovery

– Physical & Network security

– Remote working & secure data transfer

– Access controls & management

– Data & media destruction

– Local data warehousing

– Cross boundary information sharing

To demonstrate compliance with the IS CoP

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBRecords Management & Information quality

Policies & procedures to cover:

– Record management

– Data flow mapping

– Retention & archiving

– Data quality including NHS number implementation

– Freedom of Information Act

– Environmental Information Regulations

– Re-use of public sector information regulations.

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGB Building information governance for

personal health information

• Reliable information available at the point of care is essential to supporting quality care

• Information governance is about making it available where and when it is needed to support care whilst also protecting patient and service user’s confidentiality and privacy

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGB• Information security is not really the problem

• Most of the data losses and breaches due to carelessness, stupidity or wrongdoing of people, not weaknesses in systems

• IG is about helping humans to use systems effectively and efficiently

• Technology supporting people

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGB• Technology becomes a problem when “clunky” or

where changes to business processes are necessary but not supported through training, encourages workarounds

• Technology supporting people

• Staff supported through training

– Every level

– Specialist capacity to provide advice – IG managers,

SIROs, IAO.

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBTechnology can support people

• Allowing or preventing access & managing where uncertain

• Prompts – do you need to access?

why do you need to access?

• Audit trails – not just where made changes but where viewed

• Alerts – direct reports & unusual patterns analysis

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGB

Supporting secondary uses of data

• De-identification tools

- Data derivation

- Pseudonymisation

• Electronic recording of consents & dissents

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGB Key Messages

• IG - Making personal health information available where it is appropriate & necessary

• Preventing inappropriate access

• Transforming personal health information into de-identified information for secondary uses or recording consent to allow its use in identifiable form

• Technology supporting people

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGB

Contact details• www.nigb.nhs.uk• Phone us – 0207 633 7052• Email us – nigb@nhs.net• Write to us: NIGB, Floor 7, New King’s Beam House 22 Upper Ground London SW1 9BW

NA

TIO

NA

L I

NF

OR

MA

TIO

N G

OV

ER

NA

NC

E B

OA

RD

FO

R H

EA

LT

H A

ND

SO

CIA

L C

AR

E

NIGBN

AT

ION

AL

IN

FO

RM

AT

ION

GO

VE

RN

AN

CE

BO

AR

D F

OR

HE

AL

TH

AN

D S

OC

IAL

CA

RE

Questions?