Information security is like contraception because***

Norman Pottinger
Information Governance Manager
Admin and Introductions
• Fire alarms
• Please turn off or silence mobile phones
• There will be a break for coffee
• No hand-outs but I will send the slides to Sam if you want a copy
• To support the IG on-line training tool
• Give you some more “local” guidance
• Help you to understand wider implications of Information
• Keep you and your employers out of jail!
• Answer (if I can) your questions
• On your own or in pairs, or groups – your choice
• Just take ten minutes to do this
• We will discuss your answers at the end of the session
What is Information governance?
• All and anything to do with information
• Data Protection Act
• Freedom of Information
• Caldicott (1 and 2)
• Human Rights
• Records Management
• Information Security
• Data Quality
Data Protection Act 1998
• European Legislation
• 8 principles
• Covers Personal Data and Sensitive Data
• Test!
• Define Personal Data
• Define Sensitive Data
• Gives rights to individuals (Data Subjects)
• Responsibility is personal
First Principle
• “Personal Data shall be processed fairly and lawfully”
• Fair processing notices
• No surprises
• Access to personal data must be restricted and appropriate
If you get it wrong
• A member of staff working in a GP practice illegally looked at the records of more than a thousand patients. As a result he was fined for a breach of the Data Protection Act.
• Total fine over £1000
• The Information Commissioner has fined an ex-GP's receptionist for accessing a patient's notes. The receptionist from a practice in Hampshire looked up details of her ex-husband's new wife on a number of occasions.
• Total fine over £1100
• NHS England (formerly the NHS Commissioning Board) are having to pay a £200,000 fine because NHS Surrey (whose services have moved to NHS England) failed to ensure that PCs they arranged to be "cleaned" by a third party were being sold on still containing patient identifiable information.
• An ex-employee of University Hospitals of Leicester NHS Trust has been convicted of computer misuse after inappropriately accessing patient records. They received a six-month custodial sentence.
Caldicott 1 and 2
• Caldicott review 1997
• Reviewed use of and access to patient records
• Established the role of the Caldicott Guardian
• Original 6 principles
• Caldicott “2” 2013
• Clarified the H&SCA 2012 in relation to PCD
• Tasked NHS England and the HSCIC with providing more guidance and clarity
• 26 recommendations – all accepted by the Department of Health
• Added a 7th principle
Caldicott Principles
• Justify the purpose
• Don’t use patient confidential data (PCD) unless it is absolutely necessary
• Use the minimum that is necessary
• Access to PCD should be on a strict need-to-know basis
• Everyone with access to PCD should be aware of their
• Comply with the Law
• The duty to share information can be as important as the duty to protect patient confidentiality
Information Security
• Principle 7 of the Data Protection Act
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal
Information Security
• Password Controls
• Policies
• Locked cabinets
• “Hidden” VDU screens
• Secure e-mail
Passwords are like underpants.
They should be changed regularly,
they are best kept hidden,
and they shouldn’t be shared.
Good or bad
• onedirection
• 1direction
• tbbbitw
• tN1bbitw
• Nj89219*nel(m,LKH
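As an added illustration (not part of the presenter's slides), the small checker below applies an assumed password policy to the five candidates above; its verdicts reflect that assumed policy and word list, not the session's own answer key.

```python
import re
import string

# Constructed mini word list standing in for a real dictionary or breached-password list.
COMMON_WORDS = {"onedirection", "direction", "password", "letmein", "qwerty"}

# Common digit/symbol-for-letter substitutions, reversed so "d1rection" is still caught.
UNLEET = str.maketrans({"1": "i", "0": "o", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

# The five candidates from the slide.
CANDIDATES = ["onedirection", "1direction", "tbbbitw", "tN1bbitw", "Nj89219*nel(m,LKH"]


def check_password(pw: str, min_len: int = 12) -> list:
    """Return the policy rules the password fails (empty list = acceptable).

    The policy (minimum 12 characters, 3 of 4 character classes, no run of
    three identical characters, no dictionary word even with digits or
    symbols bolted on) is an assumption for this example, not the presenter's.
    """
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("too few character classes")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeated character run")
    # Strip digits/symbols from the ends, then undo leet-speak, before the lookup.
    core = pw.lower().strip(string.digits + string.punctuation).translate(UNLEET)
    if core in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


def evaluate(candidates=CANDIDATES) -> dict:
    """Map each candidate to its list of failed rules."""
    return {pw: check_password(pw) for pw in candidates}


if __name__ == "__main__":
    for pw, problems in evaluate().items():
        print(f"{pw:20} {'OK' if not problems else ', '.join(problems)}")
```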
To save or not to save?
Data Disclosure
• Could be a criminal offence
• Easily Done
• Normally done by accident
Secure e-mail
Summary Care Record
• Populate a central register of all patients
• Summary only (although enhanced data may be uploaded)
• Available to all clinicians
• Primary use of data (for direct patient care)
• Patients can opt-out
Care.Data (HSCIC)
• Populate a central record of all patients
• Contains full patient records (read coded items)
• Data is anonymised or pseudonymised within the HSCIC
• Links primary care to secondary care data
• Collection of data is given legal basis under the H&SCA
• Data is for secondary use (i.e. not direct patient care)
• GPs and Patients DO NOT have a legal right to opt out
Let’s review the answers